Context Based Access Control (CBAC) | (CCIE Notes)


Context Based Access Control

  • Performs protocol-specific inspection using well-known port numbers or the port-map table.
  • Only inspects the protocols named in the inspection rule. For those protocols the IOS firewall temporarily opens dynamic entries that let the return traffic bypass the interface ACL applied in the opposite direction (where the return traffic is expected).
  • Supports TCP, UDP, ICMP and many application-layer protocols.
  • If you do not specify a protocol for inspection, the existing interface ACLs alone determine how that protocol is filtered.
  • For traffic to be inspected, it first has to be permitted by the interface ACLs. If a packet is denied by an interface ACL, CBAC does not inspect it.
  • Thresholds against DoS attacks:
    • Total number of half-open TCP/UDP sessions.
    • Total number of half-open sessions per unit of time (one-minute rate).
    • Total number of half-open TCP sessions per host.
  • (Originating traffic) The inside interface inbound ACL and the outside interface outbound ACL can be either extended or standard ACLs.
  • (Return traffic) The outside interface inbound ACL and the inside interface outbound ACL must be extended ACLs, because CBAC inserts its dynamic entries there.
  • Application-layer inspection takes precedence over generic TCP/UDP inspection. For example, if both FTP and TCP inspection are configured, FTP traffic is handled by the FTP inspection.
  • no ip inspect removes all CBAC configuration and resets all CBAC global timeouts and thresholds to their default values.
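The three DoS thresholds above are easier to reason about with a small model. The following Python is an added illustration written for these notes, not Cisco code: it models the global high/low water marks (`ip inspect max-incomplete high|low`) and the per-host TCP limit with its block-time (`ip inspect tcp max-incomplete host N block-time M`); the one-minute rate threshold is left out, and a "half-open session" is simply a (client, server) pair whose handshake has not completed. Client addresses in the demo functions are constructed documentation-prefix hosts.

```python
from collections import OrderedDict


class HalfOpenGuard:
    """Simplified model of the CBAC half-open session thresholds (added
    illustration, not IOS code). `high`/`low` are the global water marks,
    `per_host` and `block_time_min` the per-host TCP limit and its block-time."""

    def __init__(self, high, low, per_host, block_time_min):
        if low >= high:
            raise ValueError("low-water mark must be below the high-water mark")
        self.high, self.low = high, low
        self.per_host, self.block_time = per_host, block_time_min
        self.half_open = OrderedDict()   # (client, server) -> SYN time, oldest first
        self.blocked_until = {}          # server -> time at which the host block expires
        self.events = []                 # what the firewall did, for inspection

    def count_for(self, server):
        return sum(1 for _, s in self.half_open if s == server)

    def syn(self, client, server, now):
        """New connection attempt. Returns True if a half-open session is created."""
        if self.blocked_until.get(server, -1) > now:
            self.events.append(("dropped_host_blocked", server))
            return False
        if self.count_for(server) >= self.per_host:
            if self.block_time > 0:
                # block-time > 0: delete every half-open session to the host and
                # refuse new attempts until the block expires
                for key in [k for k in self.half_open if k[1] == server]:
                    del self.half_open[key]
                self.blocked_until[server] = now + self.block_time * 60
                self.events.append(("host_blocked", server))
                return False
            # block-time 0: delete the oldest half-open session to the host and
            # let the new attempt through
            oldest = next(k for k in self.half_open if k[1] == server)
            del self.half_open[oldest]
            self.events.append(("oldest_deleted", oldest))
        self.half_open[(client, server)] = now
        if len(self.half_open) > self.high:
            # global high-water mark crossed: delete the oldest half-open
            # sessions until the total is back down at the low-water mark
            self.events.append(("global_high_crossed", len(self.half_open)))
            while len(self.half_open) > self.low:
                self.half_open.popitem(last=False)
        return True

    def established(self, client, server):
        """Handshake completed: the session is no longer half-open."""
        self.half_open.pop((client, server), None)


def per_host_demo():
    """80 half-open sessions to the DMZ web server, then an 81st attempt
    with block-time 0: the oldest is evicted and the new one admitted."""
    g = HalfOpenGuard(high=200, low=175, per_host=80, block_time_min=0)
    server = "10.0.0.100"
    for i in range(80):
        g.syn(f"198.51.100.{i}", server, now=i)
    g.syn("203.0.113.9", server, now=100)
    return g


def block_time_demo():
    """Same limit with block-time 1 minute: the host is blocked outright."""
    g = HalfOpenGuard(high=200, low=175, per_host=2, block_time_min=1)
    g.syn("198.51.100.1", "10.0.0.100", now=0)
    g.syn("198.51.100.2", "10.0.0.100", now=0)
    third = g.syn("198.51.100.3", "10.0.0.100", now=1)    # triggers the block
    during = g.syn("198.51.100.4", "10.0.0.100", now=30)  # dropped while blocked
    after = g.syn("198.51.100.4", "10.0.0.100", now=61)   # block has expired
    return g, (third, during, after)
```

The point of the per-host knob is the trade-off visible in the two demos: with block-time 0 a SYN flood only costs the oldest embryonic connection each time, so legitimate clients still get through, whereas a non-zero block-time protects the server harder but lets an attacker lock out everyone else for the duration of the block.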

Cisco Doc Link:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/15-mt/config-cbac-fw.html

Configuration:

  • Thresholds for half-open connections are configured globally and on a per-host basis. The high-water mark must be above the low-water mark: CBAC starts deleting half-open sessions once the total exceeds high and stops once it drops below low.
ip inspect max-incomplete high 200
ip inspect max-incomplete low 175
ip inspect tcp max-incomplete host 80 block-time 0
  • Inside to DMZ/Outside: TCP, UDP and ICMP are inspected.
ip inspect name in_in tcp timeout 60
ip inspect name in_in udp timeout 60
ip inspect name in_in icmp timeout 60
  • Outside to DMZ: HTTP and ICMP are inspected.
ip inspect name out_in http alert on audit-trail on timeout 5
ip inspect name out_in icmp
  • ACLs ensure that only the originating traffic is allowed at the interface level; the return traffic is let back in by the dynamic CBAC entries, regardless of the static ACLs blocking it on the DMZ/Outside interfaces.
ip access-list extended dmz_in
 deny ip any any log
!
ip access-list extended out_in
 permit eigrp any any
 permit icmp any host 10.0.0.100
 permit tcp any host 10.0.0.100 eq www
 deny ip any any log
  • ACLs and inspection rules are applied to the interfaces:
interface FastEthernet0/0
 ip inspect in_in in
!
interface FastEthernet0/1
 ip access-group out_in in
 ip inspect out_in in
!
interface FastEthernet1/0
 ip access-group dmz_in in
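To check that this policy behaves as intended, the following Python packet-walk is an added illustration (not IOS, not part of the original notes). It mirrors the ACLs, inspect rules and interface assignments above; the inside/outside host addresses and a port-map with only http and ftp are assumptions. Each packet arriving on an interface goes through the same three steps the notes describe: an existing dynamic entry wins, otherwise the static inbound ACL decides, and only permitted traffic that matches an inspect rule opens an entry for its reply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp" or "eigrp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


# Static ACLs from the notes: (action, proto, src, dst, dport); "any"/None = wildcard
ACLS = {
    "dmz_in": [("deny", "ip", "any", "any", None)],
    "out_in": [("permit", "eigrp", "any", "any", None),
               ("permit", "icmp", "any", "10.0.0.100", None),
               ("permit", "tcp", "any", "10.0.0.100", 80),
               ("deny", "ip", "any", "any", None)],
}
# Inspect rules; application protocols resolve to L4 ports via the port-map table
INSPECT = {"in_in": {"tcp", "udp", "icmp"}, "out_in": {"http", "icmp"}}
PORT_MAP = {"http": ("tcp", 80), "ftp": ("tcp", 21)}   # assumed subset of the real table
# Interface -> (inbound ACL, inbound inspect rule), as in the interface config
INTERFACES = {
    "Fa0/0": (None, "in_in"),       # inside
    "Fa0/1": ("out_in", "out_in"),  # outside
    "Fa1/0": ("dmz_in", None),      # DMZ
}


def acl_permits(acl_name, pkt):
    """First-match evaluation with the implicit deny at the end, like IOS."""
    if acl_name is None:
        return True
    for action, proto, src, dst, dport in ACLS[acl_name]:
        if proto not in ("ip", pkt.proto):
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


def inspect_protocol(rule_name, pkt):
    """Inspect entry covering this packet, or None. Application-layer entries
    (matched through the port-map) take precedence over the generic tcp/udp entry."""
    if rule_name is None:
        return None
    rule = INSPECT[rule_name]
    for app, (l4, port) in PORT_MAP.items():
        if app in rule and pkt.proto == l4 and pkt.dport == port:
            return app
    return pkt.proto if pkt.proto in rule else None


class CbacRouter:
    def __init__(self):
        self.sessions = set()   # dynamic entries, keyed on the expected reply 5-tuple
        self.log = []

    def receive(self, iface, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        acl, rule = INTERFACES[iface]
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            self.log.append(f"{iface}: permit by dynamic CBAC entry {pkt}")
            return True
        if not acl_permits(acl, pkt):          # denied traffic is never inspected
            self.log.append(f"{iface}: deny by ACL {acl} {pkt}")
            return False
        app = inspect_protocol(rule, pkt)
        if app:                                # open the entry for the reply direction
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            self.log.append(f"{iface}: permit, {rule} inspects {app}, session opened")
        else:
            self.log.append(f"{iface}: permit by ACL {acl}, not inspected")
        return True


def walkthrough():
    """Constructed packets exercising each path of the policy."""
    r = CbacRouter()
    res = {}
    res["inside_to_outside"] = r.receive("Fa0/0", Packet("tcp", "192.168.1.10", "203.0.113.5", 40000, 443))
    res["outside_reply"] = r.receive("Fa0/1", Packet("tcp", "203.0.113.5", "192.168.1.10", 443, 40000))
    res["unsolicited"] = r.receive("Fa0/1", Packet("tcp", "203.0.113.5", "192.168.1.10", 443, 40001))
    res["outside_http_dmz"] = r.receive("Fa0/1", Packet("tcp", "198.51.100.7", "10.0.0.100", 51000, 80))
    res["dmz_reply"] = r.receive("Fa1/0", Packet("tcp", "10.0.0.100", "198.51.100.7", 80, 51000))
    res["outside_ssh_dmz"] = r.receive("Fa0/1", Packet("tcp", "198.51.100.7", "10.0.0.100", 51001, 22))
    res["dmz_originates"] = r.receive("Fa1/0", Packet("tcp", "10.0.0.100", "203.0.113.5", 50000, 443))
    return res, r
```

Reading `r.log` after `walkthrough()` shows the two things worth verifying on the real box: the DMZ web server's reply gets through `dmz_in` only because `out_in` inspection on Fa0/1 opened an entry for it, and SSH to the DMZ is stopped by the ACL before CBAC ever sees it, so no session is created. The model ignores sequence-number and ICMP-type checks that real CBAC performs, and keys only on the 5-tuple.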

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/tag/CCIE
