Posts Tagged ‘cbac’

Content Based Access Control “CBAC”

Tuesday, October 21st, 2008

In the beginning God created heaven and earth, and then he created routers, so packets could flow from one part of the earth to the other. As he rested he looked down on his creation and smiled for all was good. Packets were flowing from one interface to another. Then as he beheld his creation he watches as some pad packets decided to flow where they didn’t belong! So God created access-lists and again everything was as it should be, packets only flowed to areas where they belonged. After some time naughty packets found out that they could sneak by God’s great protectors of the network by setting the ACK bit in their headers.


Introduction to access-lists part 2

Thursday, October 16th, 2008

In the second installment of our guide to access-lists we are going to talk a little about named access-lists, how they work, what the benefits are, and how using them allows us to create reflexive access-lists. Named access-lists are exactly what they sound like, they are an extended access-list that has a name instead of a number. One of the nice features of named access-lists is that each line of the access-list has a number. this way you can delete just one line in an access-list without removing the whole access-list. You can create a named access list by using the following command.


An overview of CISCO IOS Security features as related to packet filtering.

Tuesday, January 29th, 2008

 The Cisco IOS has many powerful security features that enable network engineers to protect their internal network. The Cisco IOS is capable of intrusion detection, deep packet inspection, and stateful firewall features. Setting up IPS allows the admin to push intrusion detection to the network edge. The Cisco IPS feature set can scan for spyware, viruses, worms, Trojans, and network intrusions by receiving updated signature files from Cisco. If a packet or series of packets matches a particular signature the router can, send an alert, drop the packet, or reset the connection of the offending user. In this way the network engineer can better protect the network by acting on suspicious packets before they can pose a risk to the network infrastructure, another advantage of pushing IPS duties to the network edge is it allows offending packets to be dropped before they take up finite network resources.  In large networks as much as 10 percent of network resources could be consumed by packets that ultimately will be dropped for security reasons deeper in the network. (more…)

Support Our site