Solved

NBAR + Policy Routing?

Posted on 2003-11-24
1
430 Views
Last Modified: 2008-01-16
Here's the scenario:

A site in <faraway country> is connected to our headquarters via frame relay, and is supposed to use our Internet access due to the security requirements of having a full-blown DMZ, content blocking system, etc.  These standards are non-negotiable and would cost far too much to deploy at this remote location.  However, they have a few business-related sites (banks, mainly) that are located in the same country that they need to access regularly.  Since Internet traffic is currently going across the ocean several times, it's causing their sessions to time out, which is obviously not good.
 
So, given a (NAT-ed) link to a local ISP (on an interface running IOS firewall and generally locked down as much as possible, it seems that I have two options:

1. Figure out all the IPs/subnets involved with the bank sites and statically route them out the local ISP port.
2. Use NBAR to identify the relevant traffic and policy route it out the local ISP port.

Option 1 is obviously simpler in a way, but seems like it could end up being a hassle and possibly be hard to maintain since the banks are under no obligation to keep their IPs static.  So my question is, how feasible would Option 2 be?  I've worked with policy routing before, but not for this kind of problem, and I've never used NBAR at all.  Besides the "can this work" question, I'm wondering how badly this is going to kill a low-to-mid-range router to do the extra work involved.
0
Comment
Question by:MaxQ
1 Comment
 
LVL 18

Accepted Solution

by:
chicagoan earned 500 total points
ID: 9812891
I think option 1 is reasonable, large institutions rarely change netblocks, though this doesn't protect you alone, there's no guarantee they don't have problems, but combined with PAT, sensible filters (IOS firewall features?) and syslog inspection, ought to be adequate and defensible in terms of due dilligence.

while NBAR is supported on 1700's and up last i looked, it seems like overkill here and I believe will be a lot more labor if you don't need traffic shaping, etc. whether it would be a drag on resources depends on the policies and traffic. On a 3600 and a T1 you'd probably be OK
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
EIGRP on point-to-point vlan 14 65
Allowing Multicast in the firewall 2 42
No RSTP between switches 3 46
Router assigned IP addresses 18 69
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now