NBAR + Policy Routing?
Posted on 2003-11-24
Here's the scenario:
A site in <faraway country> is connected to our headquarters via frame relay, and is supposed to use our Internet access due to the security requirements of having a full-blown DMZ, content blocking system, etc. These standards are non-negotiable and would cost far too much to deploy at this remote location. However, they have a few business-related sites (banks, mainly) that are located in the same country that they need to access regularly. Since Internet traffic is currently going across the ocean several times, it's causing their sessions to time out, which is obviously not good.
So, given a (NAT-ed) link to a local ISP (on an interface running IOS firewall and generally locked down as much as possible), it seems that I have two options:
1. Figure out all the IPs/subnets involved with the bank sites and statically route them out the local ISP port.
2. Use NBAR to identify the relevant traffic and policy route it out the local ISP port.
Option 1 is obviously simpler in a way, but seems like it could end up being a hassle and possibly be hard to maintain since the banks are under no obligation to keep their IPs static. So my question is, how feasible would Option 2 be? I've worked with policy routing before, but not for this kind of problem, and I've never used NBAR at all. Besides the "can this work" question, I'm wondering how badly this is going to kill a low-to-mid-range router to do the extra work involved.
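One way option 2 could be laid out on IOS, as an added illustrative configuration that is not part of the original post: NBAR recognises the bank's HTTP traffic by its Host header and marks it on ingress, and a route-map that matches only on that mark policy routes it out the local ISP interface, so no bank IP addresses appear in the config. Interface names, the next-hop address, the DSCP value and the host pattern are placeholders, and the example assumes the router applies the ingress marking before the policy-routing lookup, which should be verified on the platform in question.

```cisco
! Illustrative example (not from the original post): NBAR marks the traffic,
! PBR routes on the mark. Interface names, next hop, DSCP value and host
! pattern are assumptions.
!
! 1. NBAR classification: HTTP requests whose Host header matches the bank.
!    NBAR cannot read the Host header once the session is inside SSL.
class-map match-any BANK-TRAFFIC
 match protocol http host "*examplebank*"
!
! 2. Mark matching packets on ingress with a DSCP value nothing else uses
!    (40 = CS5 here, chosen only as an example).
policy-map MARK-BANK
 class BANK-TRAFFIC
  set ip dscp 40
!
! 3. ACL that matches only on that mark, so the route-map never needs the
!    banks' addresses and does not break when they change.
access-list 100 permit ip any any dscp 40
!
! 4. Policy route marked packets to the local ISP gateway (assumed address)
!    instead of following the default route across the frame relay link.
route-map LOCAL-ISP permit 10
 match ip address 100
 set ip next-hop 203.0.113.1
!
! 5. Apply both the marking and the policy routing on the LAN-facing
!    interface, where the remote site's traffic enters the router.
interface FastEthernet0/0
 description Remote site LAN
 service-policy input MARK-BANK
 ip policy route-map LOCAL-ISP
!
! The ISP-facing interface keeps its existing NAT and IOS firewall settings.
interface Serial0/1
 description Local ISP (NAT outside, ip inspect)
 ip nat outside
```

Because the Host header travels inside the encrypted channel for HTTPS, this classification only catches plaintext HTTP, so the SSL-protected parts of a bank session would still need to be identified some other way, which bears directly on the feasibility question.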