Team LiB
Previous Section Next Section

CBAC

The Cisco IOS Firewall CBAC engine provides secure, per-application access control across network perimeters. CBAC allows administrators to implement firewall intelligence as part of an integrated, single-box solution.

CBAC works to provide network protection on multiple levels using the following functions:

  • Traffic filtering CBAC intelligently filters TCP and UDP packets based on information of the application-layer protocol session. Using CBAC, Java blocking can be configured to filter HTTP traffic based on server address or to completely deny access to Java applets.

  • Traffic inspection CBAC inspects traffic that travels through the firewall to discover and manage state information for the TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions. Inspecting packets at the application layer and maintaining TCP and UDP session information provide CBAC with the ability to detect and prevent certain types of network attacks, such as SYN-flooding.

  • Alerts and audit trials CBAC also generates real-time alerts and audit trails. Using CBAC inspection rules, you are able to configure alerts and audit trails on a per-application protocol basis.

CBAC does not provide intelligent filtering for all protocols. It works only for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists determine how that protocol is filtered. No temporary openings are created for protocols not specified for CBAC inspection.

To configure CBAC, the following tasks are required:

  • Pick an interfaceinternal or external.

  • Configure an IP access list on that interface.

  • Configure global timeouts and thresholds.

  • Define an inspection rule.

  • Apply the inspection rule to an interface.

  • Configure logging and audit trail.

Picking an interface means that you will have to decide whether you configure CBAC on the internal or external interface of your firewall. Internal refers to the side where sessions must originate. External is the side where sessions cannot originate. Sessions originating from the external side are blocked. If you want to configure CBAC in two directions, you have to configure it in one direction first. When you configure it in the other direction, the interface designations are swapped. In Figure 8-3, you can see a simple topology in which CBAC is configured on the external interface. In Figure 8-4, CBAC is configured for the internal interface.

Figure 8-3. CBAC at the External Interface


Figure 8-4. CBAC at the Internal Interface


CBAC uses timeouts and thresholds to determine how long to manage state information for a session and when to drop sessions that do not become fully established. These timeouts and thresholds apply globally to all sessions.

Table 8-8 describes the different inspect commands that are available on a Cisco router.

Table 8-8. inspect Command

Command

Description

ip inspect tcp synwait-time seconds

The length of time the software waits for a TCP session to reach the established state before dropping the session (default 30).

ip inspect tcp finwait-time seconds

The length of time a TCP session is still managed after the firewall detects a FIN-Exchange (default 5).

ip inspect tcp idle-time seconds

The length of time a TCP session is still managed after no activity occurs (default 3600).

ip inspect udp idle-time seconds

The length of time a UDP session is still managed after no activity occurs (default 30).

ip inspect dns-timeout seconds

The length of time a DNS name lookup session is still managed after no activity occurs (default 5).

ip inspect max-incomplete high number

The number of existing half-open sessions that cause the software to start deleting half-open sessions (default 500 existing half-open sessions).

ip inspect max-incomplete low number

The number of existing half-open sessions that cause the software to stop deleting half-open sessions (default 400 existing half-open sessions).

ip inspect one-minute high number

The rate of new sessions that causes the software to start deleting half-open sessions (default 500 half-open sessions per minute).

ip inspect one-minute low number

The rate of new sessions that causes the software to stop deleting half-open sessions (default 400 half-open sessions per minute).

ip inspect tcp max-incomplete host number block-time minutes

The number of existing half-open sessions with the same destination host address that cause the software to start dropping half-open sessions to the same destination host address (default 50 existing half-open TCP sessions).


After you configure global timeouts and thresholds, you have to define an inspection rule. This rule specifies what IP traffic is inspected by CBAC at the interface. To configure inspection for an application-layer protocol, use the following command in global configuration mode:

[View full width]

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}]
 [timeout seconds]

For the protocol, you can use one of the keywords in Table 8-9.

Table 8-9. Protocols That Can Be Inspected

Application Protocol

Protocol Keyword

CU-SeeMe

cuseeme

Fragment

IP fragment inspection

FTP

ftp

H323

h323

http

HTTP Protocol

Microsoft NetShow

netshow

UNIX R commands

rcmd

RealAudio

realaudio

SMTP

smtp

SQL*Net

sqlnet

StreamWorks

streamworks

tcp

Transmission Control Protocol

TFTP

tftp

udp

User Datagram Protocol

VDOLive

Vdolive


Example 8-10 should make everything a bit more clear. This example looks at each of the components. CBAC is being configured to inspect HTTP protocol traffic inbound. Interface1/0 is the protected network, and interface 1/1 is the unprotected network.

Example 8-10. Example of an Inspection for an Application-Layer Protocol
Tokyo(config)#ip inspect name users http

Tokyo(config)#interface Ethernet1/1
Tokyo(config-if)# ip access-group 100 in
Tokyo(config)#interface Ethernet1/0
Tokyo(config-if)#ip inspect users in


Tokyo(config)#access-list 100 deny tcp any any
Tokyo(config)#access-list 100 deny udp any any
Tokyo(config)#access-list 100 permit icmp any any echo-reply
Tokyo(config)#access-list 100 permit icmp any any time-exceeded
Tokyo(config)#access-list 100 permit icmp any any packet-too-big
Tokyo(config)#access-list 100 permit icmp any any traceroute
Tokyo(config)#access-list 100 permit icmp any any unreachable
Tokyo(config)#access-list 100 deny ip any any

Access list 100 denies TCP and UDP traffic from any source or destination while permitting specific ICMP protocol traffic. This access list is applied inbound on interface Ethernet1/1 to block all access from the untrusted network.

    Team LiB
    Previous Section Next Section