Cisco CBAC - The Poor Man's Firewall
Submitted: 2008-06-23 17:22:31
CBAC Overview
The Cisco IOS Firewall Feature Set is a module that can be added to the existing IOS to provide firewall functionality without the need for hardware upgrades. It has two components: Intrusion Detection, which is an optional bolt-on, and Context-Based Access Control (CBAC). CBAC maintains a state table for all outbound connections on a Cisco router by inspecting TCP and UDP connections at layer seven of the OSI model and populating the table accordingly. When return traffic is received on the external interface it is compared against the state table to check whether the connection was originally established from within the internal network, and is then either permitted or denied. Although basic, this is a very effective mechanism for preventing unauthorized access to the internal network from external sources such as the internet.
CBAC Application-specific support
Cisco has also built additional functionality into CBAC in the form of application-specific inspection, which enables the router to recognize and identify application-specific data flows such as HTTP, SMTP, TFTP, and FTP. Understanding these applications and their data flows allows the router to identify malformed packets or suspect application data flows and permit or deny them accordingly. CBAC can also permit Java applets downloaded from trusted sites while denying those from untrusted sites.
CBAC and Denial of Service (DoS) Attacks
Denial-of-Service (DoS) attack protection is also built in, with real-time logging of alerts as well as proactive responses to mitigate the threat. CBAC can be configured to manage half-open TCP connections, which are used in TCP SYN flood attacks to overload a target's resources and deny service to legitimate users. To do this CBAC uses configurable timeouts and thresholds to determine how long state information for each session should be kept and when to drop it. Note that UDP and ICMP, being connectionless, rely on an idle-timer limit to determine when a session should be terminated. A very useful command for identifying a DoS attack is 'ip inspect audit-trail', which logs all DoS connections including source and destination IP addresses and TCP or UDP ports, allowing you to pinpoint the exact source and destination of the attack.
Configuring CBAC
There are five steps to configuring CBAC on a Cisco router in order for it to function correctly. These are as follows:
1. Choose an interface to which inspection will be applied. This can be an internal or external interface, as CBAC is only concerned with the direction of the first packet initiating the connection, which is specified when applying CBAC to an interface.
2. Configure an IP access list in the correct direction on the selected interface to allow traffic through for CBAC to inspect.
3. Configure global timeouts and thresholds for established connections or sessions.
4. Define an inspection rule specifying exactly which protocols will be inspected by CBAC.
5. Apply the inspection rule to the interface in the correct direction.
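The five steps above, together with the half-open session thresholds and audit trail from the DoS section, as a worked IOS configuration. This is an added example, not configuration from the original article; the interface name Serial0/0, the rule name FWRULE, the ACL numbers, the addresses (RFC 5737 documentation ranges) and the threshold values are all assumptions chosen for illustration.

```cisco
! Step 1: Serial0/0 is the external (internet-facing) interface; inspection is
! applied outbound so that sessions initiated from inside build state entries.
!
! Step 2: inbound ACL on the external interface. Everything not explicitly
! permitted here is denied; CBAC dynamically adds temporary entries for the
! return traffic of inspected sessions. Only a few ICMP types are allowed
! statically so that path MTU discovery and traceroute keep working.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   ip any any log
!
! Standard ACL listing sites trusted to serve Java applets (constructed
! example network from the RFC 5737 documentation range).
access-list 51 permit 192.0.2.0 0.0.0.255
!
! Step 3: global timeouts and thresholds used for half-open session control.
ip inspect audit-trail
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Step 4: inspection rule FWRULE (name is an assumption) listing the
! protocols CBAC will track; http java-list ties applet filtering to ACL 51.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
ip inspect name FWRULE smtp
ip inspect name FWRULE tftp
ip inspect name FWRULE http java-list 51
!
! Step 5: bind the ACL inbound and the inspection rule outbound on the
! external interface (address is a constructed example).
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
 ip inspect FWRULE out
!
! Verification: current state table and the active inspection configuration.
! show ip inspect sessions
! show ip inspect config
```

The thresholds are deliberately conservative starting points; tune max-incomplete and one-minute values to the normal session rate observed with show ip inspect sessions before relying on them for SYN flood mitigation.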
Article source: Expert Articles
- Cisco CBAC - The Poor Man's Firewall - By: Nicholas Evra
The Cisco CBAC may be fairly simplistic but is a very powerful threat mitigation component of the Cisco IOS, protecting against intruders and DoS attacks whilst allowing legitimate users and applications to function transparently. Understanding its features and the steps required to configure it is essential to implementing a secure IOS firewall solution.
