The Cisco IOS Firewall CBAC engine provides secure, per-application access control across network perimeters. CBAC allows administrators to implement firewall intelligence as part of an integrated, single-box solution.
CBAC works to provide network protection on multiple levels using the following functions:
Traffic filtering: CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information, not just on addresses and ports. Using CBAC, Java blocking can be configured to filter HTTP traffic based on server address or to deny Java applets entirely.
Traffic inspection: CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists for the return traffic and the additional data connections (for example, an FTP data channel) of permitted sessions. Inspecting packets at the application layer and maintaining TCP and UDP session state also lets CBAC detect and mitigate certain network attacks, such as SYN flooding, by tracking half-open sessions against configurable thresholds.
Alerts and audit trails: CBAC also generates real-time alerts and audit trails. Using CBAC inspection rules, you can configure alerts and audit trails on a per-application-protocol basis.
CBAC does not provide intelligent filtering for all protocols. It works only for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists determine how that protocol is filtered. No temporary openings are created for protocols not specified for CBAC inspection.
To configure CBAC, the following tasks are required:
Pick an interface: internal or external.
Configure an IP access list on that interface.
Configure global timeouts and thresholds.
Define an inspection rule.
Apply the inspection rule to an interface.
Configure logging and audit trail.
Picking an interface means deciding whether you configure CBAC on the internal or the external interface of your firewall.
Internal refers to the side where sessions must originate.
External is the side where sessions cannot originate; sessions originating from the external side are blocked. If you want to configure CBAC in two directions, configure it in one direction first. When you configure it in the other direction, the interface designations are swapped: the side that was external becomes internal for the second rule, and vice versa. Figure 8-3 shows a simple topology in which CBAC is configured on the external interface; in Figure 8-4, CBAC is configured on the internal interface.
CBAC uses timeouts and thresholds to determine how long to keep state information for a session and when to drop sessions that do not become fully established (half-open sessions). These timeouts and thresholds apply globally to all sessions.
An inspection rule is then defined with the ip inspect name command. Its syntax is:
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
The optional timeout overrides the global idle timeout for that protocol only; alert and audit-trail likewise override the global alert and audit-trail settings for that protocol.
For the protocol, you can use one of the keywords in Table 8-9.
Application Protocol | Protocol Keyword
---|---
CU-SeeMe | cuseeme
IP fragment inspection | fragment
FTP | ftp
H.323 | h323
HTTP | http
Microsoft NetShow | netshow
UNIX R commands | rcmd
RealAudio | realaudio
SMTP | smtp
SQL*Net | sqlnet
StreamWorks | streamworks
TCP (generic, single-channel) | tcp
TFTP | tftp
UDP (generic) | udp
VDOLive | vdolive
Example 8-10 should make this clearer; it shows each of the components. CBAC is configured to inspect HTTP sessions that originate on the protected network: the inspection rule is applied inbound on interface Ethernet1/0, the protected (internal) network, and the access list is applied inbound on interface Ethernet1/1, the unprotected (external) network.
Tokyo(config)#ip inspect name users http
Tokyo(config)#interface Ethernet1/1
Tokyo(config-if)#ip access-group 100 in
Tokyo(config)#interface Ethernet1/0
Tokyo(config-if)#ip inspect users in
Tokyo(config)#access-list 100 deny tcp any any
Tokyo(config)#access-list 100 deny udp any any
Tokyo(config)#access-list 100 permit icmp any any echo-reply
Tokyo(config)#access-list 100 permit icmp any any time-exceeded
Tokyo(config)#access-list 100 permit icmp any any packet-too-big
Tokyo(config)#access-list 100 permit icmp any any traceroute
Tokyo(config)#access-list 100 permit icmp any any unreachable
Tokyo(config)#access-list 100 deny ip any any
Access list 100 denies all TCP and UDP traffic from any source to any destination while permitting only the ICMP message types needed for ping replies, traceroute, and path MTU discovery. It is applied inbound on interface Ethernet1/1 to block all unsolicited access from the untrusted network. Because the rule users inspects HTTP on Ethernet1/0, CBAC inserts temporary entries ahead of these deny statements for the return traffic of each HTTP session that a protected host opens; any other TCP or UDP return traffic is still dropped, because no inspection rule covers it.
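Example 8-10 covers the interface, access list, and inspection-rule steps but leaves out the global timeouts and thresholds and the logging and audit-trail steps, and it applies the rule on the internal interface. The following configuration is an added example, not taken from the book, that walks through all six steps with the alternative placement (rule outbound on the external interface, as in Figure 8-3). The interface names follow Example 8-10; the rule name, access-list number, addresses, and the syslog collector address are assumed for illustration. The timeout and threshold values shown are the IOS defaults except for the shorter HTTP timeout and the per-host block time.

```ios
! Step 3: global timeouts and thresholds. Half-open (embryonic) TCP
! sessions are the symptom of a SYN flood; these values govern when
! CBAC starts discarding them.
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
! Start deleting half-open sessions above 500 total, stop below 400
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! Same hysteresis measured as new half-open sessions per minute
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-host limit: above 50 half-open sessions toward one host, block
! new attempts to that host for 2 minutes (default block-time is 0)
ip inspect tcp max-incomplete host 50 block-time 2
!
! Step 6: logging and audit trail. The global audit trail logs one
! message per session start and stop; per-protocol settings in the
! rule below can override it.
ip inspect audit-trail
logging buffered 65536 informational
! Assumed syslog collector on the protected network
logging 10.1.1.50
!
! Step 4: one inspection rule, several protocols. HTTP gets alerts,
! its own audit trail, and a 15-minute idle timeout instead of the
! global 3600 seconds; generic tcp/udp catch single-channel sessions
! for which no application-specific inspector is configured.
ip inspect name outbound http alert on audit-trail on timeout 900
ip inspect name outbound ftp
ip inspect name outbound smtp
ip inspect name outbound tcp
ip inspect name outbound udp
!
! Step 2: extended ACL for the external interface, inbound. Nothing
! unsolicited is admitted; CBAC adds temporary permits ahead of these
! lines for the return traffic of inspected sessions. Only the ICMP
! types needed for path MTU discovery and traceroute are static.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
!
! Step 1: internal interface (assumed 10.1.1.0/24), no CBAC here
interface Ethernet1/0
 description protected network
 ip address 10.1.1.1 255.255.255.0
!
! Steps 1, 2, 5: external interface (assumed 203.0.113.0/24). The ACL
! is applied inbound and the inspection rule outbound on the same
! interface, so sessions leaving toward the untrusted side are
! inspected and their replies are matched against the openings.
interface Ethernet1/1
 description untrusted network
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
 ip inspect outbound out
```

After applying this, verify the rule and thresholds with show ip inspect config, and watch the dynamic openings come and go with show ip inspect sessions detail while a protected host browses; the deny ip any any log entry at the end of the ACL is what shows you what CBAC did not open a hole for.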