Hardware Archives

Nicholas Evra asked:

CBAC Overview

The Cisco IOS Firewall Feature Set is a module that can be added to the existing IOS to provide firewall functionality without the need for hardware upgrades. There are two components to the Cisco IOS Firewall Feature Set in Intrusion Detection (which is an optional bolt-on) and Context-Based Access Control (CBAC). CBAC maintains a state table for all of the outbound connections on a Cisco router by inspecting tcp and udp connections at layer seven of the OSI model and populating the table accordingly. When return traffic is received on the external interface it is compared against the state table to see if the connection was originally established from within the internal network, and then either permitted or denied. Although basic this is a very effective mechanism to prevent unauthorized access to the internal network from external sources such as the internet.

CBAC Application-specific support

Cisco have also built in some additional functionality into CBAC in terms of application-specific inspection that enables the router to recognize and identify application specific data flows such as HTTP, SMTP, TFTP, and FTP. Understanding these applications and their data flows empowers the router to identify malformed packets or suspect application data flows and permit or deny accordingly. CBAC also provides the flexibility of downloading Java code from trusted sites, but it denying untrusted sites.

CBAC and Denial of Service (DOS) Attacks

Denial-Of-Service (DOS) attack protection is also in-built with real-time logging of alerts as well as pro-active responses to mitigate the threat. To do this CBAC can be configured to manage half-open TCP connections which are used in TCP SYN flood attacks to overload a targets resources resulting in a denial of service to legitimate users. To do this CBAC uses timeouts and thresholds, which are configurable, to determine how long state information for each connection should be kept for sessions and when to drop them. Note that UDP and ICMP require that an idle-timer limit is used to determine when a connection should be terminated. A very useful command to identify a DOS attack is ‘ip inspect audit-trail’ which logs all DOS connections including source and destination IP address and TCP or UDP ports allowing you to pin-point the exact source and destination of the attack.

Configuring CBAC

There are five steps to configuring CBAC on a Cisco router in order for it to function correctly. These are as follows:

1. Choose an interface to which inspection will be applied. This can be an internal or external interface as CBAC is only concerned with the direction of the first packet initiating the connection which is identified when applying CBAC to an interface.

2. Configure an IP access list in the correct direction on the selected interface to allow traffic through for CBAC to inspect.

3. Configure global timeouts and thresholds for established connections or sessions.

4. Define an inspection rule specifying exactly which protocols will be inspected by CBAC.

5. Apply the inspection rule to the interface in the correct direction.

Web Services

Razvan Jr asked:

San Francisco, California, 17 January 2006: If you EN of New York, you ever sauntered is familiarly with geschäftst

os geek asked:

For the last few years, in dell'unit? processing, the trend is slowly moving from a single high CPU hertz of the unit? multiconduttori processing. Intel Xeon center and double? managed to paste these two integrated circuits to demonstrate what it called the center of the square, AMD still has only dual-CPU Opteron and center? likely release next year, the integrated circuit of the square-natal center. There are other more? Azul small players like that have much more support? centers in a CPU but the real players? only four of them, the two remaining that are IBM and Sun Microsystems. IBM worked with members to design the splinter cell ma? un'unit? processing for a particular purpose, not for general computing. Sun surprised last year with all its unit? Niagara processing of the eight-center also known as the UltraSparc T1. Not only had eight in a single integrated circuit, but the possibility to run 4 simultaneous threads of fasteners in each of them giving an impression all'OS working on a car of the 32 CPU. Sun is going to follow him with Niagara 2 avr? twice the number of threads in each center, cos? Virtual threads 64 centers in eight! While Niagara has un'unit? Virgule of mobile (FPU) shared by all 8 centers, so that slow down? the provision of mobile Virgule, Niagara 2 avr? an FPU for each center. It 'll also the work with a pi? high clock rate. What? sar? an assistant-at-a-chip exits when complete next year. Seems to be the unit? Processing pi? interesting. Pi? Niagara at about 1: Acehardware http://www.aceshardware.com/read_news.jsp?id=80000603about Niagara 2: Document official Sun: the unit? Processing Info atOffician of IBM http://www.opensparc.net/publications/presentations/niagara-2-a-highly-threaded-server-on-a-chip.htmlandNews.comhttp://news.com. com / Suns Niagara +2 + + doubles + down + with + the + + twice threads/210-41006_3-6108880.htmlCell links: http://www.research.ibm.com/cellarticle source: http:// osgeek.blogspot.com/2006/12/trends-in-cpu-design_11.html

Domain Name Registration