CBAC
The Cisco IOS Firewall CBAC (Context-Based Access Control) engine provides secure, per-application access control across network perimeters. CBAC allows administrators to implement firewall intelligence as part of an integrated, single-box solution. CBAC provides network protection on multiple levels using the following functions:
- Traffic filtering
CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information. Using CBAC, Java blocking can be configured to filter HTTP traffic based on server address or to completely deny access to Java applets.
- Traffic inspection
CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections (for example, the FTP data channel) for permissible sessions. Inspecting packets at the application layer and maintaining TCP and UDP session information give CBAC the ability to detect and prevent certain types of network attacks, such as SYN flooding: half-open TCP sessions are counted, and when configured thresholds are exceeded CBAC starts deleting them.
- Alerts and audit trails
CBAC also generates real-time alerts and audit trails. Using CBAC inspection rules, you can configure alerts and audit trails on a per-application-protocol basis.
CBAC does not provide intelligent filtering for all protocols. It works only for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists determine how that protocol is filtered. No temporary openings are created for protocols not specified for CBAC inspection, so return traffic for such sessions is dropped unless the access list explicitly permits it. To configure CBAC, the following tasks are required, in this order:
- Pick an interface: internal or external.
- Configure an IP access list on that interface.
- Configure global timeouts and thresholds.
- Define an inspection rule.
- Apply the inspection rule to an interface.
- Configure logging and audit trail.
Picking an interface means that you have to decide whether you configure CBAC on the internal or the external interface of your firewall. Internal refers to the side from which sessions must originate. External is the side from which sessions cannot originate. Sessions originating from the external side are not inspected and are blocked by the access list on that interface. If you want to configure CBAC in both directions, configure it in one direction first. When you then configure it in the other direction, the interface designations are swapped. In Figure 8-3, you can see a simple topology in which CBAC is configured on the external interface. In Figure 8-4, CBAC is configured on the internal interface.
Figure 8-3. CBAC at the External Interface

Figure 8-4. CBAC at the Internal Interface


For the protocol argument of the ip inspect name command (shown in Example 8-10), you can use one of the keywords in Table 8-9.
Table 8-9. CBAC Protocol Keywords
Application Protocol | Protocol Keyword |
---|---|
CU-SeeMe | cuseeme |
IP fragment inspection | fragment |
FTP | ftp |
H.323 | h323 |
HTTP | http |
Microsoft NetShow | netshow |
UNIX R commands (rlogin, rexec, rsh) | rcmd |
RealAudio | realaudio |
SMTP | smtp |
SQL*Net | sqlnet |
StreamWorks | streamworks |
TCP (generic, any port) | tcp |
TFTP | tftp |
UDP (generic, any port) | udp |
VDOLive | vdolive |
The tcp and udp keywords provide generic single-channel inspection only. Use the application-specific keyword where one exists: generic tcp inspection of an FTP control session, for example, does not create the opening needed for the separate data connection, whereas ftp inspection does.
Example 8-10. Example of an Inspection for an Application-Layer Protocol
Access list 100 denies TCP and UDP traffic from any source or destination while permitting specific ICMP messages. This access list is applied inbound on interface Ethernet1/1 (the external interface) to block all access from the untrusted network. The inspection rule users inspects only HTTP and is applied inbound on Ethernet1/0 (the internal interface), so CBAC creates temporary openings in access list 100 only for the return traffic of HTTP sessions that originate inside; any other TCP or UDP session from the inside receives no opening and its return traffic is dropped by access list 100. The access list is defined before it is applied: an ip access-group command that refers to a list that does not yet exist permits all traffic until the list is created.
Tokyo(config)#access-list 100 deny tcp any any
Tokyo(config)#access-list 100 deny udp any any
Tokyo(config)#access-list 100 permit icmp any any echo-reply
Tokyo(config)#access-list 100 permit icmp any any time-exceeded
Tokyo(config)#access-list 100 permit icmp any any packet-too-big
Tokyo(config)#access-list 100 permit icmp any any traceroute
Tokyo(config)#access-list 100 permit icmp any any unreachable
Tokyo(config)#access-list 100 deny ip any any
Tokyo(config)#ip inspect name users http
Tokyo(config)#interface Ethernet1/1
Tokyo(config-if)#ip access-group 100 in
Tokyo(config-if)#exit
Tokyo(config)#interface Ethernet1/0
Tokyo(config-if)#ip inspect users in
Tokyo(config-if)#end
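Example 8-10 carries out only three of the six configuration tasks (the access list, the inspection rule, and its application) and inspects a single protocol. The configuration below is an added example, not from the book or from Cisco, that carries the whole procedure through for the same Tokyo router in configuration-file form (it can be pasted into global configuration mode). It keeps the interface roles of Example 8-10, Ethernet1/0 internal and Ethernet1/1 external; the rule name FW, access list 51, the Java server address 10.1.1.20, the syslog server 10.1.1.50, and all timeout and threshold values are assumptions chosen for illustration, not recommendations.

```cisco
! Task 1: Ethernet1/0 is the internal interface (sessions originate here),
! Ethernet1/1 is the external interface (sessions may not originate here).
!
! Task 2: access list for the external interface, inbound from the untrusted side.
! Deny everything except the ICMP messages needed for ping replies, traceroute
! and path MTU discovery. CBAC inserts temporary openings into this list for the
! return traffic of inspected sessions. The list is created before it is applied;
! an ip access-group that names a nonexistent list permits all traffic.
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 deny ip any any
!
! Standard access list used for Java blocking (assumed address): applets are
! accepted only from the listed web server, applets from any other site are dropped.
access-list 51 permit 10.1.1.20
access-list 51 deny any
!
! Task 3: global timeouts and thresholds (assumed values).
! Seconds to wait for a TCP three-way handshake to complete (default 30).
ip inspect tcp synwait-time 20
! Seconds a TCP session is kept after the FIN exchange (default 5).
ip inspect tcp finwait-time 5
! Idle timeouts for TCP, UDP and DNS sessions (defaults 3600, 30 and 5).
ip inspect tcp idle-time 1800
ip inspect udp idle-time 20
ip inspect dns-timeout 5
! SYN-flood handling: above the high-water mark CBAC deletes half-open sessions
! until the count drops below the low-water mark (defaults 500 and 400).
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
! Same pair, measured as new connection attempts per minute.
ip inspect one-minute high 600
ip inspect one-minute low 500
! Per-destination limit: above 50 half-open sessions to one host, new attempts
! to that host are blocked for 2 minutes (default block-time 0).
ip inspect tcp max-incomplete host 50 block-time 2
!
! Task 4: inspection rule. Application-specific keywords handle secondary
! channels (ftp opens the data connection; generic tcp would not); http carries
! the Java blocking list and its own audit trail; generic tcp and udp catch
! everything else so that return traffic for other sessions is admitted.
ip inspect name FW ftp
ip inspect name FW smtp
ip inspect name FW http java-list 51 audit-trail on
ip inspect name FW tcp
ip inspect name FW udp
!
! Task 5: inspection inbound on the internal interface, access list inbound on
! the external interface.
interface Ethernet1/0
 ip inspect FW in
!
interface Ethernet1/1
 ip access-group 100 in
!
! Task 6: logging and audit trail. Alerts are on by default (ip inspect alert-off
! would disable them); the global audit trail is off by default and is enabled
! here, with messages sent to an assumed syslog host.
ip inspect audit-trail
logging on
logging host 10.1.1.50
logging trap informational
```

After applying it, show ip inspect config confirms the timeouts, thresholds and the rule definition, show ip inspect interfaces confirms where the rule and the access list are applied, and show ip inspect sessions detail lists the sessions CBAC is tracking while a host on Ethernet1/0 browses or transfers files. The temporary openings themselves appear as dynamic entries at the top of show ip access-lists 100 and disappear when the session closes or its idle timer expires.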