02-23-2010 02:57 AM - edited 02-25-2010 12:59 PM
I'm using a pair of SSG550s to form a site-to-site IPsec tunnel.
Both SSGs are behind Cisco 2801 routers, acting as the main ISP gateways for their eth0/2 interfaces.
Now, during recent penetration tests I found that both Cisco boxes are vulnerable to even the most primitive SYN-flood type of attack.
In order to increase the level of protection I'm looking into implementing Cisco's CBAC/TCP inspection features,
to be able to defeat DoS/DDoS type attacks and guard the Cisco.
Now, the question is the interop between Juniper's IPsec/IKE/ESP type of traffic and Cisco's CBAC feature.
Let's take this topology as an example of a functional model:
SSG_A represents LAN_A and SSG550_B LAN_B, and both LANs can see each other via the IPsec VPN tunnel.
Now, with CBAC on Cisco_A:
if I send an initial IPsec/ESP/IKE/whatever handshake request from SSG_A, CBAC on Cisco_A will record this flow as a valid outbound flow and will pass it through.
But what will happen with the return/inbound traffic [IPsec response/keys from SSG_B]?
Will this one pass through Cisco_A and form the tunnel?
Or will the CBAC on Cisco_A drop the flow?
many thanks for ANY suggestions.
comment added 25-02-2010:
Anybody from the Juniper fellows with some advice? I can't believe there's nobody able to answer,
or am I in the wrong forum?
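The setup asked about above, as an added example (editor's configuration, not from the original post or from any reply on the page). The outside addresses of SSG_A (203.0.113.10) and SSG_B (198.51.100.10), the interface names on Cisco_A, the ACL and inspect-rule names, and the threshold values are all assumptions chosen for illustration. The design point it encodes: CBAC only builds return-traffic sessions for protocols it inspects (TCP, UDP, ICMP and its application-layer inspectors), so the IKE exchange on UDP/500 (and UDP/4500 if NAT-T is negotiated) gets a dynamic session entry when SSG_A initiates, but ESP (IP protocol 50) has no ports and is not tracked, so the ESP packets coming back from SSG_B must be permitted statically on the outside inbound ACL or the tunnel negotiates and then passes no data.

```cisco
! Cisco_A, added example: CBAC for general outbound traffic plus static permits
! for the IPsec peer. Addresses, interface names and thresholds are assumed.
!
! Inspect rule: TCP, UDP and ICMP sessions opened from the inside are tracked
! and their return traffic is allowed back in ahead of OUTSIDE_IN.
ip inspect name CBAC_OUT tcp
ip inspect name CBAC_OUT udp
ip inspect name CBAC_OUT icmp
!
! SYN-flood handling: half-open session limits (values are illustrative).
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 1
!
! Outside inbound ACL. IKE is UDP and would be opened dynamically when SSG_A
! initiates, but ESP is not inspected by CBAC, so it is permitted here explicitly.
! Permitting IKE statically as well lets SSG_B initiate or rekey first.
ip access-list extended OUTSIDE_IN
 permit udp host 198.51.100.10 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.10 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.10 host 203.0.113.10
 deny   ip any any log
!
interface FastEthernet0/1
 description inside, towards SSG_A eth0/2
 ip inspect CBAC_OUT in
!
interface FastEthernet0/0
 description outside, towards ISP
 ip access-group OUTSIDE_IN in
```

To confirm what CBAC actually tracked once the tunnel is up, `show ip inspect sessions` should list the UDP/500 (or UDP/4500) session between the two SSG outside addresses; ESP never appears there, which is exactly why the static `permit esp` line is required. The counters from `show ip inspect statistics` show whether the half-open thresholds above are being hit during a SYN flood.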