Cisco IOS Firewall (CBAC-Context Based Access Control)

38 slides
0.12 MB





Cisco IOS Firewall (CBAC-Context Based Access Control)


Introduction
Basic Definition


Benefits
Monitor Traffic (NAT)


Methods of Attack
Port scans, ping sweeps
Packet sniffers
IP spoofing
Application-level attacks
Denial-of-service attacks


Types of Firewalls
Basic Router Security
Packet Filtering Firewalls
Stateful Inspection Firewalls


Cisco IOS Feature Set
Security-specific option for IOS software.
A version of Cisco IOS with an add-on feature set that can run on several router platforms.
Affordability


Router Requirements
Cisco IOS software release 11.2(11)P and above.
Generally requires more memory, both flash and RAM.


Secure Cisco Router
A Cisco router can be configured in a fairly secure fashion using plain old ACLs.
ACLs provide granular packet filtering at layers 2, 3, and 4 only.
The IOS firewall provides this level of traffic filtering and more.


What CBAC Does
Traffic Filtering
Traffic Inspection
Alerts and Audit Trails
Intrusion Detection


Traffic Filtering
Context-Based Access Control intelligently filters TCP and UDP packets. Without CBAC, traffic filtering is limited to access-list implementations that examine packets at the network layer. CBAC examines not only network and transport layer information, but also application layer protocol information, such as FTP connection information.


Traffic Inspection
CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state creates temporary openings in the firewall ACLs to allow return traffic for sessions originating from within the internal network. Prevents SYN-flood and DoS attacks.


Alerts and Audit Trails
Generates real-time alerts and audit trails on events tracked by the firewall. Uses SYSLOG to track all network transactions.


Intrusion Detection
Cisco IOS IDS identifies 59 of the most common attacks using signatures to detect patterns of misuse in network traffic.


CBAC Opens Temporary Holes in Firewall Access Lists


Configuring CBAC
A common setup is to configure ACLs and CBAC inbound on the external interface of an Internet router to protect a private network from harmful traffic initiated from the Internet. Your main concern is to allow in only return traffic from sessions initiated internally.


Configuration (cont.)
Router(config)# access-list 105 deny tcp any any
Router(config)# access-list 105 deny udp any any
Router(config)# interface serial 0/0
Router(config-if)# ip access-group 105 in


The previous statements block all TCP and UDP traffic when applied inbound on the external interface. This provides a blanket form of inspection across all TCP and UDP traffic. By applying access list 105 to the external interface, we ensured that Internet traffic is intercepted as soon as it reaches the Internet router. We could also exercise a more granular level of control by specifying certain application protocols, as this example demonstrates:
Router(config)# access-list 105 deny tcp any any eq smtp
This statement blocks all SMTP traffic to the internal network. It needs to occur in the access list before the previous TCP blanket statement; placed after it, the blanket statement matches first and the SMTP line has little effect.


The next step in this process is to define the timeout and threshold values for CBAC to use when tracking sessions. You can configure several values to enhance CBAC’s ability to defend against network attacks. Most of the timeout and threshold settings have default values that will generally suffice in a startup scenario. Many of the timeouts and thresholds control how the router responds to DoS attacks. (We’ll save a more in-depth discussion of timer/threshold configuration for another time.)


Keep in mind that CBAC does not inspect ICMP, only TCP and UDP. Accordingly, you’ll need to add inbound ACL entries for appropriate ICMP restrictions. Consider adding these ICMP entries to your ACL. They’ll make it possible for those inside your network to ping hosts on the Internet, as well as allow your router to respond to proper ICMP traffic.


Up to this point, we’ve shown you how to configure entries for the extended access list and apply that configuration to the inbound traffic on the external interface. The ACL has entries to block all the traffic we want to inspect with CBAC. Rather than modify the timeout and threshold settings, we went with the defaults. We recommend starting with the defaults and tuning them as you go. It’s not a good idea to change these settings if you don’t understand how those changes will affect firewall operation. Next, we define the actual inspection rule that governs which application layer protocols are examined.


Inspection rule command structure
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
This is a global configuration mode command. You specify a name and a protocol; the alert setting, the audit-trail setting, and the timeout value in seconds are the bracketed, optional parts of the syntax.


Applying the inspect command
Router(config)# ip inspect name myfw tcp alert on audit-trail on


We’ve named the rule myfw, specified TCP as the protocol to inspect, and activated the alert and auditing options. Notice the alert and audit-trail options: they require a Syslog system to send the information to. Although that configuration is beyond the scope of this article, I do recommend using auditing to log all firewall activity. At this point, I’ll apply the rule to the external interface, Serial0/0, with the following:
Router(config)# interface serial 0/0
Router(config-if)# ip inspect myfw out


Notice that we have applied the inspection rule outbound on the external interface. It will track sessions started internally and heading out through the external interface, bound for the Internet or some other external network.
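The behaviour described in the configuration steps above (the blanket deny lines on the inbound ACL, the ordering point about the SMTP entry, the temporary openings CBAC creates for return traffic of sessions started inside, the fact that ICMP is not inspected, and an idle timeout) as a small Python model of the external interface. This is an added example, not code from the slides or from Cisco: the addresses, ports, the 3600-second idle timeout and the `permit icmp any any echo-reply` line are assumptions made for the demonstration, and real CBAC inserts dynamic entries into the ACL rather than consulting a separate table.

```python
"""Toy model of a CBAC-style stateful firewall on a router's external interface.

Constructed example (not Cisco's implementation): an extended ACL evaluated
first-match with the implicit deny at the end, applied inbound, plus an
inspection rule applied outbound that records TCP/UDP sessions and opens
temporary return openings that expire after an idle timeout.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                    # 0 for ICMP
    dport: int = 0
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply"


@dataclass
class AclEntry:
    """One line of an extended access list, e.g. `deny tcp any any eq smtp`."""
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "icmp" or "ip" (any)
    dport: Optional[int] = None        # `eq <port>` on the destination, None = any
    icmp_type: Optional[str] = None    # ICMP message type keyword, None = any
    hits: int = 0                      # how often this line was the first match

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


class Acl:
    """First-match evaluation; a packet matching no line hits the implicit deny."""

    def __init__(self, entries):
        self.entries = list(entries)

    def evaluate(self, pkt: Packet) -> bool:
        for entry in self.entries:
            if entry.matches(pkt):
                entry.hits += 1
                return entry.action == "permit"
        return False


class Inspector:
    """Models `ip inspect name <name> tcp` applied outbound: sessions started from
    inside are recorded and the matching return flow is let back in until it has
    been idle longer than the timeout. ICMP is not tracked, as on the slides."""

    INSPECTED = {"tcp", "udp"}

    def __init__(self, idle_timeout: int = 3600):   # assumed timeout, in seconds
        self.idle_timeout = idle_timeout
        self.sessions = {}   # (proto, src, sport, dst, dport) -> last seen

    def record_outbound(self, pkt: Packet, now: int) -> None:
        if pkt.proto in self.INSPECTED:
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now

    def allows_return(self, pkt: Packet, now: int) -> bool:
        # Return traffic has source and destination swapped relative to the session.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last_seen = self.sessions.get(key)
        if last_seen is None:
            return False
        if now - last_seen > self.idle_timeout:
            del self.sessions[key]     # the temporary opening has expired
            return False
        self.sessions[key] = now
        return True


class ExternalInterface:
    """Inbound ACL plus outbound inspection, as configured on Serial0/0."""

    def __init__(self, acl_in: Acl, inspector: Inspector):
        self.acl_in = acl_in
        self.inspector = inspector

    def send_out(self, pkt: Packet, now: int) -> None:
        self.inspector.record_outbound(pkt, now)

    def receive_in(self, pkt: Packet, now: int) -> bool:
        # CBAC's dynamic openings sit ahead of the static ACL lines.
        if self.inspector.allows_return(pkt, now):
            return True
        return self.acl_in.evaluate(pkt)


def build_acl(smtp_first: bool, permit_echo_reply: bool) -> Acl:
    """Access-list 105 from the slides, with the SMTP line placed before or after
    the blanket denies and an assumed echo-reply permit for ICMP."""
    smtp = AclEntry("deny", "tcp", dport=25)          # deny tcp any any eq smtp
    blanket = [AclEntry("deny", "tcp"), AclEntry("deny", "udp")]
    entries = [smtp] + blanket if smtp_first else blanket + [smtp]
    if permit_echo_reply:
        entries.append(AclEntry("permit", "icmp", icmp_type="echo-reply"))
    return Acl(entries)


def demo() -> dict:
    """Run the scenarios from the slides on constructed traffic and report verdicts."""
    acl = build_acl(smtp_first=False, permit_echo_reply=True)
    fw = ExternalInterface(acl, Inspector(idle_timeout=3600))
    inside, web, outsider = "10.0.0.5", "203.0.113.10", "198.51.100.7"   # constructed

    fw.send_out(Packet("tcp", inside, web, 40000, 80), now=0)   # session started inside
    results = {
        "return_traffic": fw.receive_in(Packet("tcp", web, inside, 80, 40000), now=5),
        "unsolicited_ssh": fw.receive_in(Packet("tcp", outsider, inside, 5555, 22), now=5),
        "echo_reply": fw.receive_in(Packet("icmp", web, inside, icmp_type="echo-reply"), now=5),
        "echo_request": fw.receive_in(Packet("icmp", outsider, inside, icmp_type="echo"), now=5),
        "expired_return": fw.receive_in(Packet("tcp", web, inside, 80, 40000), now=5 + 3601),
    }
    # Ordering: an SMTP line placed after the blanket TCP deny is never reached.
    fw.receive_in(Packet("tcp", outsider, inside, 6000, 25), now=10)
    results["smtp_line_hits_when_after_blanket"] = acl.entries[2].hits
    acl_first = build_acl(smtp_first=True, permit_echo_reply=False)
    acl_first.evaluate(Packet("tcp", outsider, inside, 6000, 25))
    results["smtp_line_hits_when_first"] = acl_first.entries[0].hits
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model checks the inspector's session table before the static ACL, which is what CBAC's dynamic ACL entries amount to; the echo-reply entry is there only to show why ICMP needs its own lines, since the inspector never records ICMP and the blanket denies plus the implicit deny would otherwise drop every reply to an internal ping.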


If you have difficulty during CBAC configuration, you can disable and reset all related settings using the following global mode command. This won’t remove your extended access list configured on the outside interface. If you turn off inspection, keep in mind that it will most likely halt all traffic entering your private network because the access list is filtering most, if not all, inbound traffic at the external interface. Turning off inspection is as simple as:
Router(config)# no ip inspect


Last Updated: 8th March 2018
