ScreenOS Firewalls (NOT SRX)

rootless_rooter (Contributor, Posts: 23, Registered: 08-07-2008)

Cisco with CBAC/TCP Inspect and site-to-site VPN

hi forum,

I'm using a pair of SSG550s to form a site-to-site IPSEC tunnel.

Both SSGs are behind Cisco 2801 routers, acting as the main ISP gateways for their eth0/2 ifaces.

Now, during recent penetration tests I found that both Cisco routers are vulnerable to even the most primitive SYN flood type of attack.

In order to increase the level of protection I'm looking into implementing Cisco's CBAC/TCP Inspection features, to be able to defeat DoS/DDoS type of attacks and guard the Cisco.

Now, the question is the interop between Juniper's IPSEC/IKE/ESP type of traffic and Cisco's CBAC feature.

Let's have this topology as an example of a functional model:

SSG550_A<--->[Cisco_A]<-------VPN_TUNNEL------>[Cisco_B]<----->SSG550_B

SSG_A represents LAN_A and SSG550_B LAN_B, and both LANs can see each other via the IPSEC VPN tunnel.

Now, with CBAC on Cisco_A:

If I send an initial IPSEC/ESP/IKE/whatever handshake request from SSG_A, CBAC on Cisco_A will record this flow as a valid outbound flow, and will pass it thru.

But what will happen with the return/inbound traffic [IPSEC response/keys from SSG_B]?

Will this one pass thru Cisco_A and form the tunnel?

Or will the CBAC on Cisco_A drop the flow?

Many thanks for ANY suggestions.

rootless rooter

comment added 25-02-2010:

Anybody from the Juniper fellows with some advice? I can't believe there's nobody able to answer, or am I in the wrong forum?

rooter
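The interop point behind the question is that CBAC only tracks the sessions it inspects (TCP, UDP, ICMP and the named application protocols); ESP is IP protocol 50, not a TCP/UDP flow, so CBAC never creates a return-path entry for it and the inbound ESP from the remote SSG550 has to be permitted statically in the outside ACL. IKE on UDP/500 initiated from SSG_A would be matched as a generic UDP session, but when SSG_B initiates a rekey first, that too needs a static permit. The following Cisco IOS fragment is an added illustration of that arrangement for Cisco_A; it is not configuration from the original post or from Juniper. The interface name, ACL and inspect-rule names, thresholds and the two peer addresses (203.0.113.10 for SSG550_A, 203.0.113.20 for SSG550_B, documentation-range placeholders) are assumptions, and it assumes the 2801s route the SSG addresses without NAT.

```cisco
! Added example, not from the original post: Cisco_A ISP-facing interface with
! CBAC for LAN-originated traffic plus static permits for the SSG550 tunnel.
! Addresses, interface and names are assumed placeholders.
!
! Half-open (SYN-flood) limits enforced by CBAC on inspected TCP sessions.
ip inspect tcp synwait-time 15
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect one-minute high 800
ip inspect one-minute low 600
ip inspect tcp max-incomplete host 100 block-time 0
!
! Inspect rule for traffic leaving toward the ISP; return flows of these
! sessions are opened dynamically in OUTSIDE_IN by CBAC.
ip inspect name LAN_OUT tcp
ip inspect name LAN_OUT udp
ip inspect name LAN_OUT icmp
!
! Inbound ACL on the ISP uplink. ESP (IP protocol 50) is not inspected by
! CBAC, so it must be permitted statically; IKE is permitted statically too
! so a rekey initiated by SSG550_B is not dropped.
ip access-list extended OUTSIDE_IN
 remark IKE (UDP/500) and NAT-T (UDP/4500) from SSG550_B to SSG550_A
 permit udp host 203.0.113.20 host 203.0.113.10 eq isakmp
 permit udp host 203.0.113.20 host 203.0.113.10 eq non500-isakmp
 remark ESP from SSG550_B to SSG550_A
 permit esp host 203.0.113.20 host 203.0.113.10
 deny   ip any any log
!
interface FastEthernet0/1
 description ISP uplink (assumed interface name)
 ip access-group OUTSIDE_IN in
 ip inspect LAN_OUT out
```

Cisco_B gets the mirror image with the two peer addresses swapped. If the 2801s NAT the SSG550s, the permits must reference the router's outside address instead and the SSGs must negotiate NAT-T (UDP/4500), since ESP itself cannot be translated per-flow. `show ip inspect sessions` on Cisco_A then shows the inspected TCP/UDP sessions, while `show access-list OUTSIDE_IN` shows the static ESP and IKE hit counts, which is the quick way to confirm the tunnel traffic is taking the path intended.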
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.