UNCLASSIFIED
Advanced Security Services
Version 1.0g
Central#
versus
South# show ip inspect all
Session audit trail is disabled
Session alert is enabled
.
.
South#
Step 2. Determine the Application Services to Support
Decide which application-layer protocols to permit using CBAC. Best practice on a
router is to deny all protocols except those identified as needed. CBAC in IOS 12.0
supports about a dozen application service types; the most commonly used ones are
listed below.
Service: Basic TCP Protocols
  Definition: Generic connection-oriented TCP protocols, such as HTTP, POP3,
  Telnet, SSL, etc.
  Remarks: CBAC will support any of these; select the ones to support by
  permitting them through the access list set up in Step 3.

Service: Other UDP
  Definition: Generic UDP services, such as DNS, NTP, TFTP, IKE, SNMP, etc.
  Remarks: CBAC will support any of these; select the ones to support by
  permitting them through the access list set up in Step 3.

Service: FTP
  Definition: Control connection on TCP port 21, data connections on TCP
  ports above 1024.
  Remarks: CBAC has special support for FTP: it watches the control channel,
  including the authentication exchange, and opens a data connection only on
  the port negotiated there. It also prevents use of non-standard ports for
  FTP data.

Service: Mail (SMTP)
  Definition: Connection-oriented TCP protocol on port 25.
  Remarks: CBAC permits only standard SMTP commands.

Service: H.323 (NetMeeting)
  Definition: H.323 video conferencing; call setup is on TCP port 1720, with
  audio and video streams on dynamically negotiated UDP ports.
  Remarks: Because NetMeeting uses additional non-standard ports, generic UDP
  inspection must also be configured to use it.

Service: RealAudio (RTSP)
  Definition: Real-Time Streaming Protocol over UDP or TCP.
  Remarks: CBAC automatically tracks the RealAudio port assignments.
For web traffic (HTTP), CBAC can also block Java applets fetched over inspected
HTTP connections, optionally exempting trusted sites named in an access list.
This capability is weak: applets delivered inside archives (such as .zip or .jar
files) or over connections not inspected as HTTP are not detected, so it is not
typically employed.
For example, a reasonable list of desired services for many installations is: DNS,
NTP, HTTP, FTP, and Telnet, plus SMTP and POP3 to the mail server only.
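The following configuration is an added example, not from the guide, showing how the service list above would be expressed as a CBAC inspection rule on an IOS 12.0 router, together with the access lists from Step 3 that actually select the services. The rule name INSPECT-OUT, the interface roles (Ethernet0 inside, Serial0 outside), the 192.168.10.0/24 internal network and the mail server address 192.168.10.25 are all assumptions chosen for illustration.

```cisco
! Added example (not from the guide). Assumed names and addresses:
!   INSPECT-OUT    CBAC rule name
!   Ethernet0      inside interface, network 192.168.10.0/24
!   Serial0        outside interface
!   192.168.10.25  the mail server
!
! Generic TCP and UDP inspection carries HTTP, Telnet, POP3, DNS and NTP.
! Which of those get a return path is decided by the access lists below,
! not by these entries.
ip inspect name INSPECT-OUT tcp
ip inspect name INSPECT-OUT udp
! Protocol-aware inspectors: FTP data-channel tracking, SMTP command filtering.
ip inspect name INSPECT-OUT ftp
ip inspect name INSPECT-OUT smtp
! HTTP Java blocking deliberately omitted (see the note above); HTTP itself is
! already covered by the generic tcp entry.
!
! Record session opens and closes to syslog (this is the "audit trail" shown
! as disabled in the show ip inspect output above).
ip inspect audit-trail
! Tear down idle TCP state sooner than the 3600 s default; UDP keeps its 30 s.
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
!
! Step 3 access list, inbound on the inside interface: only the chosen
! services leave the network, and SMTP/POP3 only to the mail server.
ip access-list extended INSIDE-IN
 permit udp 192.168.10.0 0.0.0.255 any eq domain
 permit udp 192.168.10.0 0.0.0.255 any eq ntp
 permit tcp 192.168.10.0 0.0.0.255 any eq www
 permit tcp 192.168.10.0 0.0.0.255 any eq ftp
 permit tcp 192.168.10.0 0.0.0.255 any eq telnet
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.25 eq smtp
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.25 eq pop3
 deny   ip any any log
!
! Inbound on the outside interface: deny everything. CBAC inserts temporary
! entries ahead of this deny for return traffic of sessions it inspected.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
interface Ethernet0
 description Inside
 ip access-group INSIDE-IN in
 ip inspect INSPECT-OUT in
!
interface Serial0
 description Outside
 ip access-group OUTSIDE-IN in
```

Applying the inspection rule inbound on the inside interface makes CBAC open holes in the inbound access list of the outside interface, which is why OUTSIDE-IN can be a bare deny. After applying, `show ip inspect all` should now report the audit trail as enabled, and `show ip inspect sessions` lists the dynamic openings as hosts start sessions.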