Secure the SRB Network

Secure the SRB Network

This section describes how to configure three features that are used primarily to provide network security: NetBIOS access filters, administrative filters, and access expressions that can be combined with administrative filters. In addition, these features can be used to increase network performance because they reduce the number of packets that traverse the backbone network.

Configure NetBIOS Access Filters

NetBIOS packets can be filtered when transmitted across a Token Ring bridge. Two types of filters can be configured:

Host access list

Used for source and destination station names

Byte offset access list

Used for arbitrary byte patterns in the packet itself.

As you configure NetBIOS access filters, keep the following issues in mind:

The access lists that apply filters to an interface are scanned in the order they are entered.

There is no way to put a new access list entry in the middle of an access list. All new additions to existing NetBIOS access lists are placed at the end of the existing list.

Access list arguments are case sensitive. The software makes a literal translation, so that a lowercase “a” is different from an uppercase “A.” (Most nodes are named in uppercase letters.)

A host NetBIOS access list and byte NetBIOS access list can each use the same name. The two lists are identified as unique and bear no relationship to each other.

The station names included in the access lists are compared with the source name field for NetBIOS commands 00 and 01 (ADD_GROUP_NAME_QUERY and ADD_NAME_QUERY), as well as the destination name field for NetBIOS commands 08, 0A, and 0E (DATAGRAM, NAME_QUERY, and NAME_RECOGNIZED).

If an access list does not contain a particular station name, the default action is to deny the access to that station.

To minimize any performance degradation, NetBIOS access filters do not examine all packets. Rather, they examine certain packets that are used to establish and maintain NetBIOS client/server connections, thereby effectively stopping new access and load across the router. However, applying a new access filter does not terminate existing sessions immediately. All new sessions will be filtered, but existing sessions could continue for some time.

There are two ways you can configure NetBIOS access filters:

Configure NetBIOS Access Filters Using Station Names

Configure NetBIOS Access Filters Using a Byte Offset

Configure NetBIOS Access Filters Using Station Names

To configure access filters using station names, you must do the following:

Step 1 Assign the station access list name.

Step 2 Specify the direction of the message to be filtered on the interface.

Configuring Source-Route Bridging BC-133

Page 25
Image 25
Cisco Systems BC-109 manual Secure the SRB Network, Configure NetBIOS Access Filters