IP INSPECT question

I have tried to read up on the IP INSPECT capabilties in IOS.

I can see its usefulness for FTP since it has the smarts to "open new ports" in the ACLs to allow FTP data transfers between two random ports.

I had been lead to belive that it had intrusion detection capabilities, (such as blocking an IP for some time after X unsuccesful login attempts. But I read nothing about it.

Can anyone confirm that it does not have the ability to detect unsuccesful login attempts and then block that IP for a random amount of time ?

And if the job falls on the server to detect the invalid login attempts, would the server then tell the router to block a certain IP address ? What is the best method to do this ? SNMP ? Or just have a telnet script that goes in and adds an entry in an ACL ?

Reply to
JF Mezei
Loading thread data ...

Cisco router's ip inspect (CBAC firewall feature) gives router application firewall capabilities such as letting tcp:25 communication only if it contains valid SMTP or ESMTP commands or detecting tunneling, instant messaging, etc. trough port 80, etc etc. Cisco router can detect unsuccessful authentication attempts to itself and block offending IP address and also to provide authentication proxy services for remote hosts. For example you can tell your router to require user to authenticate them self (trough web browser or telnet) to the router first and if authentication is successful the router will allow direct communication with protected server from user's IP address. This can go a little bit further so you may also authorize users. For example you can put special downloadable access-lists on your RADIUS server and map those access-lists to user group (also on RADIUS). Then router can check if the user exists (authentication) and if exists what access-list to apply for the group that user belongs. Router will swap source 'any' keyword with user's host IP address in access-list automatically. Of course this will not offer you single sign-on on user experience. For something like this you should use true proxy servers such as Microsoft ISA (TMG) or for example Blue Coat.

Regards, Igor

Reply to
Igor Mamuzić a

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.