These access list entries control traffic flowing back into the internal network. CBAC
adds them dynamically, creating temporary openings in the firewall that permit only traffic
belonging to a session already recorded in the state table. Example 5-2 shows the dynamic ACL entry
(corresponding to Example 5-1) that permits returning Telnet traffic for a session initiated by a host
on the internal network: the source is the external Telnet server port, and the destination is the
internal host's ephemeral port 11006.
Example 5-2. Dynamic ACL Entry Corresponding to the State Table
Router# show ip access-lists
Extended IP access list 101
permit tcp host 20.1.1.1 eq telnet host 10.1.1.1 eq 11006 (16 matches)
permit tcp any host WebServer eq http
deny ip any any (12 matches)
Note
The dynamically created access list entries that allow returning traffic are temporary: CBAC removes
them when the session closes or its idle timer expires, and they are never written to nonvolatile
random-access memory (NVRAM), so they do not survive a reload and do not appear in the startup
configuration.
Embryonic (Half-Open) Sessions
CBAC provides DoS detection and prevention. An excessive number of half-open sessions, measured either as
an absolute count or as the arrival rate of new sessions, indicates a possible denial-of-service attack.
TCP is a connection-oriented transport protocol that requires completing a three-way handshake, so a TCP
session that has been opened but has not finished the handshake is half-open (embryonic). A SYN-flood
attack leaves many sessions stuck in that state, and CBAC recognizes the pattern by comparing the number
of half-open sessions, and the rate at which new ones arrive, against configured thresholds.
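The two behaviours described above, the temporary return-traffic entries derived from the state table and
the half-open session accounting with a high threshold that triggers deletion of old half-open sessions
and a low threshold that ends it, are modelled in the following added example. It is an illustration
written for this page, not Cisco IOS code: the addresses and ports reuse Example 5-2, while the flood
traffic, the small thresholds (5/3 and a one-minute rate of 6) and the packet trace are constructed.

```python
"""Toy model of CBAC-style stateful inspection: temporary return-traffic ACL
entries derived from the session table, plus half-open (embryonic) session
accounting with max-incomplete high/low and a one-minute arrival-rate check.
Added example, not Cisco IOS code; hosts, ports, thresholds and the packet
trace below are constructed for illustration."""
from collections import deque
from dataclasses import dataclass

SERVICE_NAMES = {23: "telnet", 80: "www"}   # IOS prints well-known ports by name


def port_name(port: int) -> str:
    return SERVICE_NAMES.get(port, str(port))


@dataclass
class Session:
    src: str            # internal initiator
    sport: int
    dst: str            # external responder
    dport: int
    started: float      # time the initial SYN was seen
    state: str = "SYN_SENT"   # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED


class Inspector:
    """Tracks TCP sessions initiated from the inside (the inspected direction)."""

    def __init__(self, max_incomplete_high=500, max_incomplete_low=400,
                 one_minute_high=500):
        self.sessions: dict[tuple, Session] = {}
        self.high, self.low = max_incomplete_high, max_incomplete_low
        self.one_minute_high = one_minute_high
        self.attempts = deque()      # timestamps of new session attempts
        self.aggressive = False      # True while deleting half-open sessions
        self.deleted = 0             # half-open sessions dropped so far

    def half_open(self) -> int:
        return sum(1 for s in self.sessions.values() if s.state != "ESTABLISHED")

    def attempts_last_minute(self, now: float) -> int:
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()  # slide the one-minute window forward
        return len(self.attempts)

    def _drop_oldest_half_open(self) -> None:
        oldest = min((s for s in self.sessions.values() if s.state != "ESTABLISHED"),
                     key=lambda s: s.started, default=None)
        if oldest is not None:
            del self.sessions[(oldest.src, oldest.sport, oldest.dst, oldest.dport)]
            self.deleted += 1

    def outbound(self, src, sport, dst, dport, flags, now) -> None:
        key = (src, sport, dst, dport)
        if "SYN" in flags and "ACK" not in flags and key not in self.sessions:
            self.attempts.append(now)
            # Absolute threshold with hysteresis: at or above high, make room
            # by deleting the oldest half-open session, and keep doing so for
            # every new attempt until the count falls below low.
            if self.half_open() >= self.high:
                self.aggressive = True
            if self.aggressive:
                self._drop_oldest_half_open()
                if self.half_open() < self.low:
                    self.aggressive = False
            self.sessions[key] = Session(src, sport, dst, dport, now)
        elif "ACK" in flags and key in self.sessions:
            s = self.sessions[key]
            if s.state == "SYN_RECEIVED":
                s.state = "ESTABLISHED"   # third packet of the handshake

    def inbound(self, src, sport, dst, dport, flags) -> bool:
        """Returning packet: permitted only if it matches a tracked session."""
        key = (dst, dport, src, sport)    # reverse of the outbound tuple
        s = self.sessions.get(key)
        if s is None:
            return False                  # falls through to 'deny ip any any'
        if s.state == "SYN_SENT" and {"SYN", "ACK"} <= set(flags):
            s.state = "SYN_RECEIVED"
        return True

    def return_acl(self) -> list[str]:
        """Temporary entries as 'show ip access-lists' would print them."""
        return [f"permit tcp host {s.dst} eq {port_name(s.dport)} "
                f"host {s.src} eq {s.sport}" for s in self.sessions.values()]

    def rate_alarm(self, now: float) -> bool:
        return self.attempts_last_minute(now) >= self.one_minute_high


def demo():
    fw = Inspector(max_incomplete_high=5, max_incomplete_low=3, one_minute_high=6)
    # The Example 5-2 session: 10.1.1.1:11006 -> 20.1.1.1:23, full handshake.
    fw.outbound("10.1.1.1", 11006, "20.1.1.1", 23, {"SYN"}, now=0.0)
    fw.inbound("20.1.1.1", 23, "10.1.1.1", 11006, {"SYN", "ACK"})
    fw.outbound("10.1.1.1", 11006, "20.1.1.1", 23, {"ACK"}, now=0.1)
    # A reply aimed at a port no inside host opened is not part of any session.
    unrelated = fw.inbound("20.1.1.1", 23, "10.1.1.1", 11007, {"SYN", "ACK"})
    # Constructed flood: eight outbound SYNs to 20.1.1.2:80 that never complete.
    for i in range(8):
        fw.outbound("10.1.1.5", 40000 + i, "20.1.1.2", 80, {"SYN"}, now=1.0 + i)
    return (fw.return_acl()[0], unrelated, fw.half_open(), fw.deleted,
            fw.aggressive, fw.rate_alarm(8.0), fw.rate_alarm(70.0))


if __name__ == "__main__":
    print(demo())
```

With the thresholds set to 5 and 3, the sixth flood SYN pushes the inspector into aggressive mode and each further attempt evicts the oldest half-open session, so the count never exceeds the high-water mark; the established Telnet session is untouched and its return entry matches the line in Example 5-2. The rate alarm fires at t=8 (nine attempts in the window) and clears at t=70 once every attempt has aged out.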