It is essential to understand and verify the access list
before applying it in a production environment.
Follow these general guidelines to create an access list:
Explicitly block all network traffic that originates from the unprotected zone and moves to the protected
zone, unless required. For example, when hosting a web server in the protected zone, it is explicitly
required to permit HTTP (TCP port 80) that originates from the unprotected zone.
Step 3: Define an Inspection Rule
CBAC requires defining an inspection rule to specify which IP traffic (application-layer protocols) will be
inspected by the firewall engine.
An inspection rule should specify each desired application-layer protocol, plus generic TCP or UDP if
required. The inspection rule consists of a series of statements, each naming one protocol and all sharing the same
inspection rule name, as shown in Example 5-5. Inspection rule statements can include other options, such as
controlling alert and audit trail messages and checking IP packet fragmentation.
Use the ip inspect name global configuration command to create a CBAC inspection rule set for the required
application-layer protocol. Example 5-5 shows how to enable inspection for HTTP, FTP, SMTP, and generic TCP
and UDP protocols.
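The following IOS configuration is an added illustration of Step 3 together with the access-list guideline above; it is not the book's Example 5-5. The interface names, the protected subnet 192.0.2.0/24, the web server 192.0.2.10 and the rule and ACL names are assumed for the example.

```cisco
! Inspection rule: one statement per protocol, all under the same name.
! The tcp statement also shows the optional alert, audit-trail and idle-timeout options.
ip inspect name FW_INSPECT http
ip inspect name FW_INSPECT ftp
ip inspect name FW_INSPECT smtp
ip inspect name FW_INSPECT tcp alert on audit-trail on timeout 3600
ip inspect name FW_INSPECT udp

! Access list for traffic entering from the unprotected zone (assumed addresses):
! block everything except the HTTP that the protected web server must receive.
! The trailing deny is implicit anyway; stating it with "log" gives visibility
! into what is being dropped.
ip access-list extended OUTSIDE_IN
 remark Unprotected -> protected: permit only required HTTP to the web server
 permit tcp any host 192.0.2.10 eq 80
 deny ip any any log

! Apply the ACL inbound on the unprotected interface (assumed to be Gi0/0) and
! inspect traffic leaving toward the unprotected zone, so CBAC opens temporary
! return-path entries for sessions initiated from the protected zone.
interface GigabitEthernet0/0
 description Unprotected zone
 ip access-group OUTSIDE_IN in
 ip inspect FW_INSPECT out

! Verify the rule, the ACL hit counts and the active inspected sessions
! before relying on this in production:
!   show ip inspect config
!   show ip access-lists OUTSIDE_IN
!   show ip inspect sessions
```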