RE: [fw-wiz] Automatic ACL update on Cisco boxes

From: Ahmed, Balal (balal.ahmed_at_cgey.com)
Date: 06/12/03

  • Next message: SimonChan_at_lifeisgreat.com.sg: "[fw-wiz] VA vs PT tool"
    To: "'bonnetain@acm.org'" <bonnetain@acm.org>, firewall-wizards@icsalabs.com
    Date: Thu, 12 Jun 2003 10:58:15 +0100
    
    

    You can do this using downloadable access lists. This is a feature in Cisco
    TACACS+ servers. The access lists are held on the tacacs+ server and are
    downloaded to The access control point device when the user authenticates.

    There is a 90 day evaluation version available from cisco

    -----Original Message-----
    From: Pierre-Yves Bonnetain [mailto:bonnetain@acm.org]
    Sent: 11 June 2003 13:42
    To: firewall-wizards@icsalabs.com
    Subject: [fw-wiz] Automatic ACL update on Cisco boxes

    Hello,

    We are currently setting up some filtering router (CISCO, IOS 12) for a
    customer. We are looking for some tool (or pack of tools, or magical
    stuff, whatever) that will enable us to dynamically add or remove ACLs
    on the router, depending on some external events.

    Our idea is the following : roaming user Alice connects to a VPN box,
    use as an entry point to our internal network. After authentication, she
    gets an IP address (say, 192.168.1.1) from the box.

    We would then like to update another router's configuration (VPN zone to
    internal net) do add a few 'permit' ACLs for her temporary address, so
    that she will have access to the systems she needs to use (the list is
    hardcoded somewhere, _not_ on her laptop) and those ACLs will be removed
    as soon as she disconnect from the VPN. This way, we do not have
    permanent ACLs, when noone uses the VPN the router has _no_ permits at
    all (well, maybe a few for the Radius stuff and admin tasks -:).

    Do you have any idea/product names doing this kind of stuff ?
    Tia,

    -- 
    Pierre-Yves Bonnetain
    B&A Consultants - Networks and Computers Security
    Phone : +33 (0) 563 277 241 - Fax : +33 (0) 563 277 245
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    ********************************************************************************************
    " This message contains information that may be privileged or confidential and 
    is the property of the Cap Gemini Ernst & Young Group. It is intended only for 
    the person to whom it is addressed. If you are not the intended recipient, you 
    are not authorized to read, print, retain, copy, disseminate, distribute, or use 
    this message or any part thereof. If you receive this message in error, please 
    notify the sender immediately and delete all copies of this message ".
    ********************************************************************************************
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: SimonChan_at_lifeisgreat.com.sg: "[fw-wiz] VA vs PT tool"

    Relevant Pages

    • Re: OT - Regression: Cisco VPN module hangs 2.6.30-rcX
      ... I tried with regards to Cisco proprietary cisco_ipsec.ko module. ... loads and the VPN connection is created. ... Yes, I tried very hard, digging in forums, lists and so on. ...
      (Linux-Kernel)
    • [NEWS] Vulnerabilities in H.323 Message Processing
      ... Multiple Cisco products contain vulnerabilities in the processing of H.323 ... Release 11.3T and all later Cisco IOS releases are affected ... IOS Network Address Translation (NAT) ... lists on interfaces that should not accept H.323 traffic and putting ...
      (Securiteam)
    • [NEWS] Vulnerability in Cisco IOS Embedded Call Processing Solutions
      ... 12.2T, 12.3 and 12.3T, when configured for the Cisco IOS Telephony Service ... IOS code that supports, and is configured for ITS, CME or SRST. ... control IP Phones using the Skinny Call Control Protocol. ... Using Access Lists ...
      (Securiteam)
    • [NEWS] Security Vulnerability in Ciscos IOS Firewall Feature Set
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The IOS Firewall Feature set, also known as Cisco Secure Integrated ... should be denied by the dynamic access control lists. ...
      (Securiteam)
    • [NEWS] Cisco 7920 Wireless IP Phone Privileges Escalation and Information Disclosure
      ... Get your security news from a reliable source. ... The first vulnerability in Cisco 7920 Wireless IP Phone is an SNMP service ... Cisco 7920 Wireless IP Phone is an open VxWorks Remote Debugger on UDP ... Access Control Lists can be used to deny traffic to the affected ...
      (Securiteam)