UNCLASSIFIED Advanced Security Services Version 1.0g UNCLASSIFIED 187

Central# versus South#

    South# show ip inspect all
    Session audit trail is disabled
    Session alert is enabled
    .
    .
    South#

Step 2. Determine the Application Services to Support

Decide which application-layer protocols to permit using CBAC. Best practice on a router is to deny all protocols except those identified as needed. CBAC in IOS 12.0 supports about a dozen application service types; the most commonly used ones are listed below.

| Service | Definition | Remarks |
|---|---|---|
| Basic TCP Protocols | Generic connection-oriented TCP protocols, such as HTTP, POP3, Telnet, SSL, etc. | CBAC will support any of these; select the ones to support by permitting them through the access list set up in Step 3. |
| Other UDP | Generic UDP services, such as DNS, NTP, TFTP, IKE, SNMP, etc. | CBAC will support any of these; select the ones to support by permitting them through the access list set up in Step 3. |
| FTP | Control connection on TCP port 21, data on TCP port >1024. | CBAC has special support for FTP, and watches the FTP authentication exchange. It also prevents use of non-standard ports for FTP data. |
| Mail (SMTP) | Connection-oriented TCP protocol on port 25. | CBAC permits only standard SMTP commands. |
| H.323 (NetMeeting) | H.323 video conference protocol over UDP. | Because NetMeeting uses additional non-standard ports, generic UDP must also be configured to use it. |
| RealAudio (RTSP) | Real-Time Streaming Protocol over UDP or TCP. | CBAC automatically tracks the RealAudio port assignments. |

For web traffic (HTTP), CBAC has some ability to block Java applets. Because the Java blocking capability is very weak, it is not typically employed.

For example, a reasonable list of desired services for many installations is: DNS, NTP, HTTP, FTP, and Telnet, plus SMTP and POP3 to the mail server only.
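The example service list above, written out as CBAC inspection rules together with the access lists that Step 3 would set up; this is an added illustration, not configuration from the guide. The inside LAN 14.2.6.0/24 on Ethernet0, the Internet link on Serial0, the ISP mail server at 14.1.1.20 and the rule name FWRULE are all assumed values.

```cisco
! Added example (not from the guide). Assumed topology: inside LAN 14.2.6.0/24
! on Ethernet0, Internet on Serial0, ISP mail server at 14.1.1.20.
!
! Inspection rules: one entry per service type chosen from the table above.
! Generic tcp/udp cover HTTP, Telnet, DNS and NTP; ftp and smtp get the
! protocol-specific inspection the table describes.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
ip inspect name FWRULE smtp
! Record session open/close events for every inspected connection.
ip inspect audit-trail
!
! Inside-to-outside filter: only the chosen services may leave the LAN,
! and SMTP/POP3 are allowed only to the mail server.
ip access-list extended INSIDE-OUT
 permit udp 14.2.6.0 0.0.0.255 any eq domain
 permit udp 14.2.6.0 0.0.0.255 any eq ntp
 permit tcp 14.2.6.0 0.0.0.255 any eq www
 permit tcp 14.2.6.0 0.0.0.255 any eq ftp
 permit tcp 14.2.6.0 0.0.0.255 any eq telnet
 permit tcp 14.2.6.0 0.0.0.255 host 14.1.1.20 eq smtp
 permit tcp 14.2.6.0 0.0.0.255 host 14.1.1.20 eq pop3
 deny   ip any any log
!
! Outside-to-inside filter: deny everything by default. CBAC inserts
! temporary entries ahead of this list for the return traffic of sessions
! it inspected on the inside interface, so no static return permits are needed.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
interface Ethernet0
 description Inside LAN
 ip access-group INSIDE-OUT in
 ip inspect FWRULE in
!
interface Serial0
 description Link to the Internet
 ip access-group OUTSIDE-IN in
```

After applying it, show ip inspect all (as in the output above) lists the FWRULE entries and the interface the inspection is bound to, and the audit trail line reads "enabled".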