This shows you the differences between two versions of the page.
sred:laborator_2._cbac_and_zbf [2021/11/05 18:55] horia.stoenescu [Stateful firewall implementations] |
sred:laborator_2._cbac_and_zbf [2022/10/30 20:53] (current) horia.stoenescu Added pointers for exercises |
||
---|---|---|---|
Line 5: | Line 5: | ||
=== Story === | === Story === | ||
In our basic topology scenario, due to small budget our company still uses the old Cisco equipment for routing and filtering, but this time the second branch closed and added instead a visitor network (may be used by people that come at interview). After seeing some attacks done in our internal network like DoS, we decided to test different approaches: started with TCP intercept, continuing with CBAC and in the end implemented successfully a better security solution - zone based firewall (ZBF). | In our basic topology scenario, due to small budget our company still uses the old Cisco equipment for routing and filtering, but this time the second branch closed and added instead a visitor network (may be used by people that come at interview). After seeing some attacks done in our internal network like DoS, we decided to test different approaches: started with TCP intercept, continuing with CBAC and in the end implemented successfully a better security solution - zone based firewall (ZBF). | ||
+ | |||
+ | <note tip> | ||
+ | [[https://curs.upb.ro/2022/pluginfile.php/346995/mod_resource/content/1/sred_lab2_stateful_firewall_updated.pdf|Here]] you can find the presentation for lab2. There are made comparisons between each feature and what is the road from simple ACLs to a basic firewall solution. | ||
+ | </note> | ||
=== Local host prerequisites === | === Local host prerequisites === | ||
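Review bot: The second sentence of the added tip note ("There are made comparisons between each feature and what is the road from simple ACLs to a basic firewall solution") is ungrammatical and hard to parse. Something like "It compares the features and traces the road from simple ACLs to a basic firewall solution" reads cleaner. The link text "Here" says nothing about the target, so consider making the link text name the lab 2 presentation. The URL also carries the year 2022 in its path, so check that it is still the intended target when the lab is reused.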
Line 164: | Line 168: | ||
<note> | <note> | ||
Check [[http://www.employees.org/univercd/Feb-1998/CiscoCD/cc/td/doc/product/software/ios112/intercpt.htm#xtocid2436922|here]] for a full documentation regarding TCP intercept. | Check [[http://www.employees.org/univercd/Feb-1998/CiscoCD/cc/td/doc/product/software/ios112/intercpt.htm#xtocid2436922|here]] for a full documentation regarding TCP intercept. | ||
+ | </note> | ||
+ | |||
+ | <note important> | ||
+ | Before continuing with CBAC and ZBF, head to [[https://ocw.cs.pub.ro/courses/sred/laborator_2._cbac_and_zbf#exercies|exercises]] section and solve e1 and e2. | ||
</note> | </note> | ||
=== t2. CBAC === | === t2. CBAC === | ||
<note important> | <note important> | ||
- | Before continuing with CBAC, make sure to delete old tcp intercept configuration: | + | Before starting with CBAC, make sure to delete old tcp intercept configuration: |
<code> | <code> | ||
cisco_7200(config)#no ip tcp intercept list | cisco_7200(config)#no ip tcp intercept list | ||
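Review bot: The fragment in the added link, `#exercies`, looks like a misspelling of `#exercises`. Please confirm it matches the id of the exercises heading on the page; if the heading is spelled correctly, this link will land at the top of the page instead of at e1 and e2. The note text also needs an article: "head to the exercises section".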
Line 249: | Line 257: | ||
<note> | <note> | ||
If you want to learn more about CBAC, I recommend you this [[http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+9.+Context-Based+Access+Control/|documentation]]. | If you want to learn more about CBAC, I recommend you this [[http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+9.+Context-Based+Access+Control/|documentation]]. | ||
+ | </note> | ||
+ | |||
+ | <note important> | ||
+ | Before continuing with the last feature, ZBF, head to [[https://ocw.cs.pub.ro/courses/sred/laborator_2._cbac_and_zbf#exercies|exercises]] section and solve e3 and e4. | ||
</note> | </note> | ||
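Review bot: The added link is an absolute URL back to this same page (sred:laborator_2._cbac_and_zbf), with the same `#exercies` fragment as the earlier note. A DokuWiki in-page section link of the form `[[#section|exercises]]` would keep working if the page is renamed or moved to another namespace, and it leaves only the section name to get right. As in the earlier note, "head to exercises section" should read "head to the exercises section".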