Classic IOS Firewall using CBACs
2012 Cisco and/or its affiliates. All rights reserved. 1
Although CBAC serves as a good foundation for understanding the evolutionary path toward modern zone-based firewalls, detailed knowledge of the configuration, monitoring and troubleshooting of this technology is no longer part of the certification exam. This CBAC presentation has been included for instructors who wish to provide background information for students.
Context-based access control (CBAC) is a Cisco IOS Firewall solution.
- CBAC intelligently filters TCP and UDP packets based on Application Layer protocol session information.
- CBAC can also examine NAT and PAT translations.
- CBAC provides stateful Application Layer filtering for protocols that are specific to unique applications, as well as for applications and protocols that require multiple ports, such as FTP and H.323.
- CBAC can block peer-to-peer (P2P) connections and instant messaging traffic.
Introduced in 1997, CBAC was a dramatic improvement over the TCP established and reflexive ACL firewall options:
- Monitors TCP connection setup
- Tracks TCP sequence numbers
- Inspects DNS queries and replies
- Inspects common ICMP message types
- Supports applications that rely on multiple connections
- Inspects embedded NAT/PAT addresses
- Inspects Application Layer information
Without CBAC, traffic filtering is limited to ACL implementations. ACLs can only examine Layer 3 and some Layer 4 packet information. CBAC provides four main functions:
- Traffic filtering
- Traffic inspection
- Intrusion detection
- Generation of audits and alerts
Traffic filtering:
- Permits specified TCP and UDP return traffic through a firewall. It creates temporary openings in an ACL that would otherwise deny the traffic.
- Inspects traffic that originates from either side of the firewall. Can be used for intranet, extranet, and Internet perimeters.
- Examines Layer 3, Layer 4 and Layer 7 protocols.
Traffic inspection:
- Because CBAC inspects Layer 7 packets and maintains TCP and UDP session information, it can detect and prevent certain types of network attacks such as SYN flooding.
- Inspects packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets.
- Drops half-open connections, which require firewall processing and memory resources to maintain.
Intrusion detection:
- Provides a limited amount of intrusion detection to protect against specific SMTP attacks. With intrusion detection, syslog messages are reviewed and monitored for specific attack signatures.
- Resets the offending connections and sends syslog information.
- CBAC can identify certain types of network attacks because those attacks have specific characteristics or signatures.
Generation of audits and alerts:
- Provides real-time alerts: sends syslog error messages to central management consoles upon detecting suspicious activity.
- Provides enhanced audit trail features: uses syslog to track all network transactions, recording timestamps along with:
  - source and destination hosts
  - ports used
  - total number of transmitted bytes
  for advanced session-based reporting.
CBAC relies on a stateful packet filter that is application-aware. The state table tracks the sessions and inspects all packets that pass through the stateful packet filter firewall. CBAC then uses the state table to build dynamic ACL entries that permit returning traffic through the perimeter router or firewall.
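The following IOS configuration is an added illustration of the mechanism just described; it is not taken from the presentation. The interface name Serial0/0/0, the ACL name OUTSIDE_IN and the inspection rule name FW are assumptions; the commands themselves are standard classic IOS Firewall (ip inspect) commands.

```text
! Constructed example (not from the presentation). Interface name,
! ACL name and inspection rule name are assumptions.
!
! Inbound ACL on the outside interface: nothing is statically permitted.
! Without CBAC, return traffic for sessions started on the inside would
! have to be opened here with static entries; with CBAC, the temporary
! permit entries are inserted into this ACL from the state table.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
! Inspection rule: generic TCP/UDP/ICMP inspection plus Layer 7
! inspection for FTP (second data channel) and HTTP.
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Half-open session thresholds. Above the high watermark CBAC deletes
! half-open sessions until the count drops below the low watermark,
! which is the SYN-flood protection mentioned in the presentation.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect tcp synwait-time 20
!
! Audit trail: one syslog record per session with source/destination
! hosts, ports and byte counts (the audit-trail feature described above).
ip inspect audit-trail
!
! Apply the ACL inbound and the inspection rule outbound on the same
! outside interface: outbound sessions are inspected, their return
! traffic is matched against dynamic entries placed in OUTSIDE_IN.
interface Serial0/0/0
 description OUTSIDE
 ip access-group OUTSIDE_IN in
 ip inspect FW out
```

The resulting state table and the temporary ACL entries can be viewed with show ip inspect sessions and show ip inspect config.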