inspect statement with established

Ricky S (Level 3)

Hi all, is there a difference between using inspect statements for stateful packet inspection of each packet and an ACL with the "established" keyword for TCP connections? For example, if you look at the two config examples below, aren't they both serving the same purpose?

! Example 1: CBAC inspection of HTTP sessions leaving gig0/0
ip inspect name myinspect http
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip inspect myinspect out

! Example 2: extended ACL with the established keyword, applied inbound on gig0/0
! (established matches TCP segments that have the ACK or RST bit set)
ip access-list extended internet
 permit tcp any eq 80 any established
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group internet in


5 Replies

John Blakley (VIP Alumni)

Ricky,

CBAC (inspection) creates a session table to keep track of what connections were allowed out/in depending on the direction of the inspect. The established keyword only checks to see if there is an ACK or RST flag set in the traffic coming in. In reality, you can get around the ACK and RST flags fairly easily from the outside even if you haven't had an established connection, so CBAC is much more secure. From strictly a working perspective, these would allow the same thing.

HTH,

John


Ah, that makes sense. Thanks John for the detailed explanation and helpful advice, as always.

Joseph W. Doherty (Hall of Fame)

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Another difference, besides what John already described: your TCP/80 established applies to any TCP traffic that matches your ACL, whereas CBAC is applied to HTTP. Although HTTP by default uses port 80, it doesn't have to, nor are other protocols unable to use port 80. See the subtle difference?

Also, CBAC might also be doing actual HTTP protocol inspection, e.g. GET/PUT commands; the ACL doesn't. So even if HTTP is using port 80, CBAC can ensure it's actually legitimate HTTP protocol.

So the two approaches are not really serving the same purpose, but depending on your security needs, in practice, TCP/80 established might be "good enough".
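To make both answers concrete, the Python model below is added here as an illustration; it is not IOS code and not something either poster wrote. It replays three constructed flows through a model of each configuration from the question: John's point that the ACL's "established" test is just a look at the ACK/RST bits and can be satisfied by an unsolicited segment, while inspection keeps a session table of what left the interface, and Joseph's point that the ACL matches port 80 while inspection is tied to the HTTP protocol. The addresses, the 4-tuple session table and the request-line/response-line conformance check are assumptions chosen for the example; the real CBAC state machine is more involved than this.

```python
"""Toy model of the two filters from the thread: an ACL using 'established'
versus a CBAC-style stateful inspector. Constructed example, not IOS code."""
from dataclasses import dataclass

SYN, ACK, RST, FIN = "SYN", "ACK", "RST", "FIN"
# Assumed request-line prefixes for the simplified HTTP conformance check.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen on gig0/0 (addresses are made-up sample values)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    payload: bytes = b""


def acl_established_permits(pkt: Packet) -> bool:
    """Model of 'permit tcp any eq 80 any established' applied inbound. The ACL
    only sees the segment in front of it: source port 80 plus an ACK or RST bit
    is enough, whether or not an inside host ever opened the connection."""
    return pkt.sport == 80 and bool(pkt.flags & {ACK, RST})


class StatefulHttpInspector:
    """Simplified stand-in for 'ip inspect name myinspect http' applied outbound:
    a session table keyed on the 4-tuple, opened only by an outbound SYN to
    TCP/80, plus a check that the bytes carried are HTTP. The state machine is
    an illustration of the mechanism, not IOS's actual implementation."""

    def __init__(self):
        self.sessions = {}  # (in_ip, in_port, out_ip, out_port) -> state

    def outbound_permits(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.dport == 80 and pkt.flags == frozenset({SYN}):
            self.sessions[key] = "SYN_SENT"  # inside host opened a session
            return True
        state = self.sessions.get(key)
        if state is None:
            return False  # not an inspected HTTP session; other policy applies
        if pkt.flags & {RST, FIN}:
            del self.sessions[key]
            return True
        if state == "SYN_RECEIVED" and ACK in pkt.flags:
            self.sessions[key] = "ESTABLISHED"
        if pkt.payload and not pkt.payload.startswith(HTTP_METHODS):
            del self.sessions[key]  # port 80, but the request line is not HTTP
            return False
        return True

    def inbound_permits(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse of outbound tuple
        state = self.sessions.get(key)
        if state is None:
            return False  # nothing inside opened this: a spoofed ACK/RST is dropped
        if state == "SYN_SENT":
            if pkt.flags == frozenset({SYN, ACK}):
                self.sessions[key] = "SYN_RECEIVED"
                return True
            return False
        if pkt.flags & {RST, FIN}:
            del self.sessions[key]
            return True
        if ACK not in pkt.flags:
            return False
        if state == "ESTABLISHED" and pkt.payload:
            if not pkt.payload.startswith(b"HTTP/"):
                del self.sessions[key]  # port 80, but not an HTTP response
                return False
            self.sessions[key] = "DATA"  # only the first response segment is checked
        return True


def run_scenarios() -> dict:
    """Replay three constructed flows through both filters; returns, per scenario,
    (acl_permits, inspector_permits) for the final inbound segment."""
    inside, web, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"

    def handshake(insp, srv, port):  # outbound SYN, inbound SYN/ACK, outbound ACK
        insp.outbound_permits(Packet(inside, port, srv, 80, frozenset({SYN})))
        insp.inbound_permits(Packet(srv, 80, inside, port, frozenset({SYN, ACK})))
        insp.outbound_permits(Packet(inside, port, srv, 80, frozenset({ACK})))

    results = {}
    # 1. Legitimate HTTP fetch started from inside: both filters let the reply in.
    insp = StatefulHttpInspector()
    handshake(insp, web, 40000)
    insp.outbound_permits(Packet(inside, 40000, web, 80, frozenset({ACK}),
                                 b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    reply = Packet(web, 80, inside, 40000, frozenset({ACK}), b"HTTP/1.1 200 OK\r\n\r\n")
    results["legit_http"] = (acl_established_permits(reply), insp.inbound_permits(reply))

    # 2. Outside host sends an ACK from source port 80 to an inside port with no
    #    session behind it (an ACK scan aimed through an 'established' ACL).
    probe = Packet(attacker, 80, "10.0.0.9", 22, frozenset({ACK}))
    results["spoofed_ack_probe"] = (acl_established_permits(probe),
                                    StatefulHttpInspector().inbound_permits(probe))

    # 3. Inside host opens port 80, but the server speaks SSH on it, not HTTP.
    insp = StatefulHttpInspector()
    handshake(insp, "203.0.113.22", 40001)
    banner = Packet("203.0.113.22", 80, inside, 40001, frozenset({ACK}),
                    b"SSH-2.0-OpenSSH_9.6\r\n")
    results["ssh_on_port_80"] = (acl_established_permits(banner), insp.inbound_permits(banner))
    return results


if __name__ == "__main__":
    for name, (acl, cbac) in run_scenarios().items():
        print(f"{name:18s} established-ACL={'permit' if acl else 'deny'}  inspect={'permit' if cbac else 'deny'}")
```

The second scenario is the one to notice: an unsolicited ACK (an RST would do as well) from source port 80 passes the established ACL because the ACL has no memory of what left the interface, while the inspector drops it because nothing inside opened that session. The third shows Joseph's port-versus-protocol distinction: the ACL sees "port 80 with ACK set" and permits, the inspector sees that the session was opened properly but the bytes are not HTTP and tears it down.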

Thank you.

Joseph W. Doherty

You're welcome.

PS:

Forgot to mention another difference: CBAC should be stateful and TCP established is not. Stateful inspection makes it impossible to use more than one device for egress/ingress unless they share state information.
