CBAC

August 7, 2008 at 3:35 pm | Posted in Security

What CBAC Does

Traffic Filtering

Without CBAC, traffic filtering is limited to access lists, which examine packets at the network layer or, at most, the transport layer. CBAC examines not only network- and transport-layer information but also application-layer protocol information (such as the port negotiated on an FTP control connection) to learn the state of a session. This lets it support protocols that open additional channels as a result of negotiation on a control channel; most multimedia protocols and some others (such as FTP, RPC, and SQL*Net) work this way.

Traffic Inspection

CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions. Inspection is applied per interface and direction (ip inspect NAME in|out) and only to traffic the interface's access list already permits; the dynamic openings are removed when the session closes or its idle timer expires.
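To make the two mechanisms above concrete (return-traffic openings from Traffic Inspection, and the secondary channel learned by inspecting an FTP control connection from Traffic Filtering), here is a small Python model of stateful inspection. It is an added example, not Cisco code and not the configuration from this post: it assumes one interface with a static inbound ACL that permits only OSPF (like INBOUND below), an outbound inspection rule for tcp and ftp (like INSPECT below), a single TCP idle timer, active-mode FTP only, and it ignores NAT. The packets and the PORT command are constructed inline.

```python
"""Toy model of CBAC stateful inspection (added example, not Cisco code).

Assumed setup: one interface, static inbound ACL "permit ospf any any /
deny ip any any", outbound inspection for tcp and ftp, one tcp idle timer.
Hypothetical class and method names; NAT and UDP/ICMP timers are ignored.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp", "udp", "icmp" or "ospf"
    payload: bytes = b""  # only looked at for the FTP control channel


class CBAC:
    # Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" announces where the client listens.
    PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

    def __init__(self, inspect_protocols, tcp_idle=3600):
        self.inspect = set(inspect_protocols)   # e.g. {"tcp", "ftp"}
        self.tcp_idle = tcp_idle                # seconds, like "tcp idle-time"
        self.sessions = {}                      # 5-tuple -> last time seen

    def inbound_acl(self, pkt):
        """The static access list: permit ospf any any / deny ip any any."""
        return pkt.proto == "ospf"

    def outbound(self, pkt, now):
        """Traffic leaving the trusted side: record state, inspect FTP control."""
        if pkt.proto not in ("tcp", "udp"):
            return True                         # not tracked in this toy
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto in self.inspect:
            self.sessions[key] = now
            if "ftp" in self.inspect and pkt.dport == 21:
                self._inspect_ftp_control(pkt, now)
        return True

    def _inspect_ftp_control(self, pkt, now):
        """Application-layer inspection: pre-open the negotiated data channel."""
        m = self.PORT_RE.search(pkt.payload)
        if m:
            a, b, c, d, hi, lo = (int(x) for x in m.groups())
            client_ip, client_port = f"{a}.{b}.{c}.{d}", hi * 256 + lo
            # Server will connect from port 20 to the client; store it in that direction.
            self.sessions[("tcp", pkt.dst, 20, client_ip, client_port)] = now

    def inbound(self, pkt, now):
        """Traffic arriving from the untrusted side: ACL, then dynamic openings."""
        self._expire(now)
        if self.inbound_acl(pkt):
            return True
        if pkt.proto not in ("tcp", "udp"):
            return False
        # Return traffic of a session we saw going out.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            self.sessions[reverse] = now
            return True
        # Secondary channel that inspection of a control channel pre-opened.
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if forward in self.sessions:
            self.sessions[forward] = now
            return True
        return False                            # falls through to "deny ip any any"

    def _expire(self, now):
        """Drop dynamic openings whose idle timer has run out."""
        for key, last in list(self.sessions.items()):
            if now - last > self.tcp_idle:
                del self.sessions[key]


def demo():
    """Constructed scenario; returns which inbound packets were admitted."""
    fw = CBAC({"tcp", "ftp"}, tcp_idle=3600)
    r = {}
    # 1. Inside host opens a telnet session (like the one in 'show ip inspect session').
    fw.outbound(Packet("10.0.0.1", 43890, "150.1.5.5", 23, "tcp"), now=0)
    r["telnet_reply"] = fw.inbound(Packet("150.1.5.5", 23, "10.0.0.1", 43890, "tcp"), now=1)
    # 2. Unsolicited inbound SSH attempt: no state, so the static deny applies.
    r["unsolicited"] = fw.inbound(Packet("150.1.5.5", 5555, "10.0.0.1", 22, "tcp"), now=2)
    # 3. Active FTP: PORT 10,0,0,1,156,65 -> server connects to 10.0.0.1:40001 from port 20.
    fw.outbound(Packet("10.0.0.1", 40000, "150.1.5.5", 21, "tcp",
                       b"PORT 10,0,0,1,156,65\r\n"), now=3)
    r["ftp_data"] = fw.inbound(Packet("150.1.5.5", 20, "10.0.0.1", 40001, "tcp"), now=4)
    # 4. Same telnet reply long after the idle timer: opening is gone.
    r["after_idle"] = fw.inbound(Packet("150.1.5.5", 23, "10.0.0.1", 43890, "tcp"), now=5000)
    # 5. OSPF is permitted by the static ACL regardless of state.
    r["ospf"] = fw.inbound(Packet("150.1.5.5", 0, "224.0.0.5", 0, "ospf"), now=5000)
    return r


if __name__ == "__main__":
    print(demo())
```

Step 3 is the point of application-layer inspection: a transport-layer ACL could never admit the server-initiated data connection without permanently opening port 20 from anywhere, whereas the inspected PORT command yields an opening for exactly one server, one client and one port, which then ages out like any other session.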

Alerts and Audit Trails

CBAC generates real-time alerts (syslog messages) for suspicious activity and, when the audit trail is enabled, logs the start and end of every inspected session with its addresses, ports and byte counts. Both can be switched globally or per protocol inside an inspection rule; on the router below alerts are on and the audit trail is off.

Intrusion Prevention

CBAC counts half-open (incomplete) TCP and UDP sessions. Once the one-minute or max-incomplete high thresholds are crossed it deletes the oldest half-open sessions until the low threshold is reached, and a per-host TCP limit can block new connections to a host for a configured block-time. On the router below all of these thresholds are left at unlimited.

Doc CD Navigation

  • Cisco IOS Security Configuration Guide, Release 12.4
  • Configuring Context-Based Access Control

Configuration examples:

R4#sh run | in inspec|inter|access-|permit|deny

ip inspect name INSPECT ftp
ip inspect name INSPECT tcp router-traffic
ip inspect name INSPECT icmp router-traffic

interface Serial0/0.1 point-to-point
 ip access-group INBOUND in
 ip inspect INSPECT out
 frame-relay interface-dlci 405
interface Serial0/1
 ip inspect INSPECT out

ip nat inside source list INSIDE_NETWORK interface Loopback0 overload
ip access-list standard INSIDE_NETWORK
 permit 10.0.0.0 0.0.0.255
ip access-list extended INBOUND
 permit ospf any any
 deny   ip any any log

R4#sh ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name INSPECT
    ftp alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
      inspection of router local traffic is enabled
    icmp alert is on audit-trail is off timeout 10
      inspection of router local traffic is enabled

R4#sh ip inspect session
Established Sessions
Session 843CB2A0 (10.0.0.1:43890)=>(150.1.5.5:23) tcp SIS_OPEN
