Cisco's Context-Based Access Control (CBAC) is a component of the Cisco IOS Firewall feature set. Like reflexive ACLs, CBAC enables dynamic (stateful) filtering: it inspects sessions leaving the network and opens temporary entries in the filtering ACL for the returning traffic only. CBAC is a firewall function for Cisco IOS routers that offers more than a simple access list, because it can inspect application-layer protocols rather than only Layer 3 and 4 header fields. The SANS Institute Information Security Reading Room paper "CBAC – Cisco IOS Firewall Feature Set foundations" covers the same foundations.
Published (last): 28 January 2009
Each example has four basic configuration components:
- Defining an extended ACL (or ACLs) to filter traffic
- Applying the extended ACL(s) to the appropriate interface(s)
- Defining an inspection rule (or rules) to allow returning traffic
- Applying the inspection rule(s) to the appropriate interface(s)
You need to configure many other things to secure the router in these examples; however, they focus only on these four core elements of setting up stateful filtering.
Cisco CBAC Configuration Example
Ethernet0 is the external interface, where the external ACL is applied inbound and the inspection rules are applied outbound: the ACL blocks unsolicited traffic from the outside, and inspection of the sessions leaving through Ethernet0 creates the temporary entries that let their returning traffic back in. To illustrate this further, imagine that an internal user opens a connection to the outside; the example shows the verification of this process on the router.
The example shows the display of the ACL information, including the temporary entries. The figure illustrates how to use CBAC in a router that has two interfaces.
This example is the same one used in Chapter 8, "Reflexive Access Lists." In this example, the network has two policies to enforce. To accomplish this, you need an ACL configuration such as the one shown in the example.
All other traffic is denied by default, by the implicit deny at the end of the ACL. As you can see from this example, the configuration is straightforward.

The figure illustrates how to use CBAC in a router that has three interfaces. This is the same three-interface example used in the last chapter, where RACLs were used to implement a stateful firewall filtering function.
Here is a review of the policies discussed in the last chapter for this network:
- The internal e-mail server should be capable of accessing only the DMZ e-mail server, nothing else.
- The DMZ e-mail server should be capable of accessing the internal e-mail server to forward mail.
- Internal users should not be able to access the DMZ e-mail server or any external e-mail servers.
- All other access from the internal segment to other devices is allowed.
You need three ACLs, one per interface, and a minimum of one, and possibly three, inspection rule sets, depending on what must be inspected from which interface. The following is an explanation of the example, with reference to the numbering on the right side of the example. The first statement permits the one e-mail connection the policy allows, from the internal e-mail server to the DMZ e-mail server; it forces the internal clients to send e-mail through the internal e-mail server.
In addition, the statement following this one prevents all other e-mail connections, except the connection permitted by the first statement. The next statement prevents the internal e-mail server from accessing any other device. In this example, the administrator has determined the protocols that internal users use and has configured the appropriate inspection statements. Notice that the audit trail function has been enabled for SMTP inspection.
This is done to provide more information about SMTP connections and possible attacks. By default, only two connections are allowed. In the first statement of the DMZ ACL, the DMZ e-mail server is allowed to send e-mail to any e-mail server, including the internal e-mail server and Internet e-mail servers.
Notice that the number of inspection statements is smaller because the applications running on the DMZ are limited.
This third ACL is used to filter traffic from the Internet that is trying to access internal resources. The third set of CBAC inspection rules allows returning traffic for sessions that originally exited the Internet interface. You could have used the same inspection rule set that I did for the internal interface; however, that adds overhead, because some of that traffic stays between the internal network and the DMZ, and you do not want its temporary ACL entries to show up on the external interface. The last set of three statements changes the default CBAC timers for connections.
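The four configuration components listed at the start of the chapter, applied to the three-interface topology and e-mail policy described above, written out as an added example. This is not the chapter's own Example, so the statement numbering the text refers to does not apply to it. The addresses (RFC 5737 documentation ranges and 10.1.1.0/24), the interface roles, the ACL and rule names, the Internet-to-DMZ SMTP permit and the DNS permit for the DMZ relay are all assumptions. Each interface pairs an inbound ACL with an outbound inspection rule set, which is one valid placement: it keeps each interface's temporary entries in that interface's own inbound ACL and inspects every session exactly once. The block also includes the three timer statements that the next paragraph explains.

```cisco
! Added example, not the chapter's own configuration. Addresses, interface
! roles, ACL and rule names, and the DNS/Internet-facing permits are assumptions.
!
! --- Global CBAC timers (the three statements discussed in the text) ---
! Half-open TCP setup: 30 s default -> 15 s
ip inspect tcp synwait-time 15
! Idle TCP session: 3600 s default -> 120 s (2 minutes)
ip inspect tcp idle-time 120
! Idle UDP pseudo-session: 30 s default -> 20 s
ip inspect udp idle-time 20
!
! --- Inspection rule sets ---
! Sessions leaving toward the Internet, from inside and from the DMZ
ip inspect name OUTSIDE tcp
ip inspect name OUTSIDE udp
ip inspect name OUTSIDE ftp
ip inspect name OUTSIDE http
ip inspect name OUTSIDE smtp audit-trail on
! Sessions entering the DMZ: fewer statements, only a mail relay lives there
ip inspect name TO_DMZ smtp audit-trail on
ip inspect name TO_DMZ tcp
ip inspect name TO_DMZ udp
! Sessions entering the inside network: only the DMZ relay forwarding mail
ip inspect name TO_INSIDE smtp audit-trail on
!
! --- ACL 1: traffic from the internal segment (inbound on Ethernet1) ---
ip access-list extended INTERNAL_IN
 remark Internal mail server (10.1.1.25) may relay only to the DMZ mail server
 permit tcp host 10.1.1.25 host 198.51.100.25 eq smtp
 remark No other SMTP from inside: clients must use 10.1.1.25, and neither
 remark the DMZ mail server nor Internet mail servers are reachable directly
 deny   tcp any any eq smtp log
 remark The internal mail server talks to nothing else
 deny   ip host 10.1.1.25 any log
 remark All other access from the internal segment is allowed
 permit ip 10.1.1.0 0.0.0.255 any
!
! --- ACL 2: traffic from the DMZ (inbound on Ethernet2) ---
ip access-list extended DMZ_IN
 remark DMZ mail server may deliver to any mail server, inside or on the Internet
 permit tcp host 198.51.100.25 any eq smtp
 remark Assumption beyond the stated policy: the relay needs DNS resolution
 permit udp host 198.51.100.25 any eq domain
 deny   ip any any log
!
! --- ACL 3: traffic from the Internet (inbound on Ethernet0) ---
ip access-list extended EXTERNAL_IN
 remark Only unsolicited inbound service: SMTP delivery to the DMZ relay.
 remark CBAC inserts temporary entries above these lines for returning traffic.
 permit tcp any host 198.51.100.25 eq smtp
 deny   ip any any log
!
interface Ethernet0
 description External (Internet) interface
 ip address 203.0.113.1 255.255.255.0
 ip access-group EXTERNAL_IN in
 ip inspect OUTSIDE out
!
interface Ethernet1
 description Internal network
 ip address 10.1.1.1 255.255.255.0
 ip access-group INTERNAL_IN in
 ip inspect TO_INSIDE out
!
interface Ethernet2
 description DMZ
 ip address 198.51.100.1 255.255.255.0
 ip access-group DMZ_IN in
 ip inspect TO_DMZ out
```

Trace the mail paths against this to check the policy: the internal server's SMTP session to the DMZ relay is permitted by INTERNAL_IN, inspected by TO_DMZ on the way out of Ethernet2, and its replies are admitted by the temporary entry in DMZ_IN; the relay's forwarding session to the internal server is permitted by DMZ_IN and inspected by TO_INSIDE, so the replies open INTERNAL_IN, which would otherwise drop them at the `deny ip host 10.1.1.25 any` line. To verify on the router, `show ip inspect config` lists the rule sets and timers, `show ip inspect sessions` shows the state table, and `show ip access-lists` shows the temporary permit entries inserted ahead of the static lines. One caveat: generic tcp and udp inspection does not track ICMP, so an internal ping to the Internet gets no return entry in EXTERNAL_IN unless the IOS release supports ICMP inspection or echo-reply is permitted statically.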
The first statement reduces the TCP setup (SYN-wait) time from the default of 30 seconds to 15 seconds. The second statement reduces the TCP idle timeout from the default of 3600 seconds (1 hour) to 120 seconds (2 minutes).
In the third statement, the UDP idle timer is reduced from the default of 30 seconds to 20 seconds. Shorter timers remove half-open and abandoned sessions from the state table sooner, which limits how long a temporary ACL opening remains usable. If you compare this example to the three-interface example in Chapter 8, this example is much cleaner and easier to implement.

I originally started building packet-filtering firewalls in the early to mid-1990s.
These could filter only on basic Layers 3 and 4 information in a packet. One huge limitation of these filters is that they are good for filtering traffic in one direction but are horrible at filtering traffic in two or more directions.
Unfortunately, you had to be a guru at converting your policies to ACLs, especially if you needed to filter traffic among more than two interfaces, as you saw in my three-interface example in Chapter 8, "Reflexive Access Lists." With the introduction of CBAC, however, this problem has been reduced greatly.
Along with CBAC, the Cisco IOS Firewall feature set offers many features that enable you to harden your perimeter router and provide a tough defense against a determined attacker. Teaming the Cisco IOS Firewall feature set with other security products, you can easily create a scalable, secure perimeter defense.