This section describes a sample sequence of events that occurs when CBAC
is configured at an external interface that connects to an external
network such as the Internet. In this example, a TCP packet exits
the internal network through the external interface of the firewall.
The TCP packet is the first packet of a Telnet session, and TCP is
configured for CBAC inspection.
- The packet reaches the external interface of the firewall.
- The packet is evaluated against the existing outbound access
list of the interface, and the packet is permitted. (A denied
packet would simply be dropped at this point.)
- The packet is inspected by CBAC to determine and record
information about the state of the packet connection. This
information is recorded in a new state table entry created for
the new connection.
- (If the packet application --- Telnet --- was not configured
for CBAC inspection, the packet would simply be forwarded out
the interface at this point without being inspected by CBAC. See
the section "Define an Inspection Rule" for
configuring CBAC inspection information.)
- Based on the obtained state information, CBAC creates a
temporary access-list entry that is inserted at the beginning of
the external interface inbound extended access list. This
temporary access-list entry is designed to permit inbound
packets that are part of the same connection as the outbound
packet just inspected.
- The outbound packet is forwarded out the interface.
- Later, an inbound packet reaches the interface. This packet is
part of the same Telnet connection previously established with
the outbound packet. The inbound packet is evaluated against the
inbound access list, and it is permitted because of the
temporary access list entry previously created.
- The permitted inbound packet is inspected by CBAC, and the
connection state table entry is updated as necessary. Based on
the updated state information, the inbound extended access list
temporary entries might be modified in order to permit only
packets that are valid for the current state of the connection.
- Any additional inbound or outbound packets that belong to the
connection are inspected to update the state table entry and to
modify the temporary inbound access list entries as required,
and they are forwarded through the interface.
- When the connection terminates or times out, the connection
state table entry is deleted, and the connection temporary
inbound access-list entries are deleted.
In the sample process just described, the firewall access lists
are configured as follows:
- An outbound IP access list (standard or extended) is applied
to the external interface. This access list permits all packets
that you want to allow to exit the network, including packets
you want to be inspected by CBAC. In this case, Telnet packets
are permitted.
- An inbound extended IP access list is applied to the external
interface. This access list denies any traffic to be inspected
by CBAC --- including Telnet packets. When CBAC is triggered with
an outbound packet, CBAC creates a temporary opening in the
inbound access list to permit only traffic that is part of a
valid, existing session.
If the inbound access list had been configured to permit all
traffic, CBAC would be creating pointless openings in the firewall
for packets that would be permitted anyway.
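The following Cisco IOS configuration is an added example, not text from the original document, that puts the sequence of events and the access-list arrangement just described into a concrete configuration: generic TCP inspection so the Telnet session is tracked, an outbound standard list that permits the traffic allowed to leave, and an inbound extended list that statically denies Telnet (CBAC inserts the temporary permit entries ahead of it). The interface name Serial0, the addresses 10.0.0.0/8 and 192.0.2.1, the access-list numbers 1 and 101, and the rule name CBAC-OUT are assumptions chosen for illustration.

```cisco
! Added example (not part of the original document). Assumed values:
! Serial0 is the external interface, 10.0.0.0/8 is the internal network,
! ACL 1 is the outbound standard list, ACL 101 the inbound extended list,
! and the inspection rule is named CBAC-OUT.
!
! Inspection rule: generic ("single-channel") TCP inspection, which
! covers the Telnet session in the walkthrough. The audit trail logs
! each session as it is opened and closed; the idle timeout is 1 hour.
ip inspect name CBAC-OUT tcp audit-trail on timeout 3600
!
! Outbound list (standard): permit everything from the internal network
! that is allowed to leave, including the Telnet traffic CBAC inspects.
access-list 1 permit 10.0.0.0 0.255.255.255
!
! Inbound extended list: deny the traffic CBAC is expected to open
! dynamically (Telnet from outside) and deny everything else by default.
! CBAC does not inspect ICMP, so any ICMP you want to allow back in
! must be permitted statically here.
access-list 101 permit icmp any 10.0.0.0 0.255.255.255 echo-reply
access-list 101 deny   tcp any any eq telnet
access-list 101 deny   ip any any
!
interface Serial0
 description External (Internet-facing) interface
 ip address 192.0.2.1 255.255.255.252
 ip access-group 1 out
 ip access-group 101 in
 ip inspect CBAC-OUT out
```

With this in place, an outbound Telnet connection from 10.0.0.0/8 passes list 1, is inspected, and gets a temporary inbound entry for the return packets; a Telnet attempt initiated from outside hits the static deny in list 101. The state table and the dynamic entries can be checked with `show ip inspect sessions` and `show ip inspect config`.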
Supported Protocols
You can configure CBAC to inspect the following types of
sessions:
- All TCP sessions, regardless of the application-layer protocol
(sometimes called "single-channel" or
"generic" TCP inspection)
- All UDP sessions, regardless of the application-layer protocol
(sometimes called "single-channel" or
"generic" UDP inspection)
You can also configure CBAC to specifically inspect certain
application-layer protocols. The following application-layer
protocols can all be configured for CBAC:
- CU-SeeMe (only the White Pine version)
- FTP
- H.323 (such as NetMeeting, ProShare)
- HTTP (Java blocking)
- Java
- Microsoft NetShow
- UNIX R-commands (such as rlogin, rexec, and rsh)
- RealAudio
- RPC (Sun RPC, not DCE RPC)
- Microsoft RPC
- Simple Mail Transfer Protocol (SMTP)
- SQL*Net
- StreamWorks
- Trivial File Transfer Protocol (TFTP)
- VDOLive
When a protocol is configured for CBAC, that protocol traffic is
inspected, state information is maintained, and in general, packets
are allowed back through the firewall only if they belong to a
permissible session.
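As an added example that is not part of the original document, the inspection rule below shows how the application-layer protocols listed above are named in one `ip inspect name` rule, including the standard access list that Java blocking consults and the program-number form used for Sun RPC. The rule name APP-INSPECT, access list 51, the network 203.0.113.0/24 (a constructed "trusted Java sources" network), the program number 100005 and the interface Serial0 are assumptions chosen for illustration.

```cisco
! Added example (not from the original document). Assumed: rule name
! APP-INSPECT, standard ACL 51 as the list of trusted Java sources,
! 203.0.113.0/24 as a constructed trusted network, interface Serial0.
!
! Standard list consulted by Java blocking: applets from permitted
! sources are allowed through, applets from any other source are dropped.
access-list 51 permit 203.0.113.0 0.0.0.255
access-list 51 deny   any
!
! One rule can list several protocols; each line adds one entry.
ip inspect name APP-INSPECT ftp audit-trail on
ip inspect name APP-INSPECT smtp
ip inspect name APP-INSPECT http java-list 51
ip inspect name APP-INSPECT rcmd
ip inspect name APP-INSPECT tftp
ip inspect name APP-INSPECT sqlnet
ip inspect name APP-INSPECT realaudio
ip inspect name APP-INSPECT rpc program-number 100005
!
! Generic TCP and UDP entries catch any session that is not matched
! by one of the application-specific entries above.
ip inspect name APP-INSPECT tcp
ip inspect name APP-INSPECT udp
!
! Apply the rule in the outbound direction on the external interface.
interface Serial0
 ip inspect APP-INSPECT out
```

Application-specific entries are what let CBAC open the secondary channels of multichannel protocols such as FTP, RealAudio and Sun RPC; the generic TCP and UDP entries only track the single connection they see. After applying the rule, `show ip inspect config` lists the configured entries and `show ip inspect sessions` shows the sessions currently being tracked.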
Benefits
CBAC provides the following features:
- Stateful packet filtering --- This feature provides
sophisticated security and policy enforcement for connections
within an organization (intranet) and between an organization
and its partner networks, as well as between the organization
and the Internet.
- Denial-of-service detection and prevention --- CBAC defends
and protects router resources against common attacks, checking
packet headers and dropping suspicious packets.
- Real-time alerts and audit trail information --- This
information is configurable on a per-application basis to track
connection information for traffic through the firewall,
providing detailed usage information and reporting on suspicious
activity.
- Seamless interoperability --- This interoperability integrates
the firewall solution with other Cisco IOS software features,
optimizing WAN utilization, providing robust, scalable routing,
and interoperating with existing Cisco IOS software-based
networks (such as the Internet).
- VPN support --- Using Cisco IOS Firewall with other Cisco IOS
encryption and quality of service (QoS) features enables secure,
low-cost transmission over public networks, reduces
implementation and management total cost of ownership for remote
branch offices and extranets, and ensures mission-critical
application traffic receives high-priority delivery.
- Scalable deployment --- Available for a wide variety of router
platforms, the Cisco IOS Firewall scales to meet the bandwidth
and performance requirements of any network.
- Java blocking --- This feature protects against unidentified,
malicious Java applets.
Restrictions
CBAC is available only for IP protocol traffic. Only TCP and UDP
packets are inspected. (Other IP traffic, such as ICMP, cannot be
inspected with CBAC and should be filtered with basic access lists
instead.)
If you reconfigure your access lists when you configure CBAC, be
aware that if your access lists block TFTP traffic into an
interface, you will not be able to netboot over that interface.
(This is not a CBAC-specific limitation, but is part of existing
access list functionality.)
- Packets with the firewall as the source or destination address
are not inspected by CBAC or evaluated by access lists.
- CBAC ignores ICMP Unreachable messages.
- With FTP, CBAC does not allow third-party connections
(three-way FTP transfer).
- When CBAC inspects FTP traffic, it allows only data channels
with the destination port in the range of 1024 to 65535.
- CBAC will not open a data channel if the FTP client/server
authentication fails.
- Cisco Encryption Technology (CET) and CBAC compatibility
  - If encrypted traffic is exchanged between two routers, and the
    firewall is in between the two routers, CBAC might not work as
    anticipated. This is because the packet payloads are encrypted,
    so CBAC cannot accurately inspect the payloads.
  - Also, if both encryption and CBAC are configured at the same
    firewall, CBAC will not work for certain protocols. In this
    case, CBAC will work with single-channel TCP and UDP, except for
    Java and SMTP. But CBAC will not work with multichannel
    protocols, except for StreamWorks and CU-SeeMe, so if you
    configure encryption at the firewall, you should configure CBAC
    for only the following protocols: Generic TCP, Generic UDP, CU-SeeMe,
    StreamWorks.
- IPSec and CBAC compatibility
  - When CBAC and IPSec are enabled on the same router, and the
    firewall router is an endpoint for IPSec for the particular
    flow, then IP Security (IPSec) is compatible with CBAC (that
    is, CBAC can do its normal inspection processing on the flow).
  - If the router is not an IPSec endpoint, but the packet is an
    IPSec packet, then CBAC will not inspect the packets because
    the protocol number in the IP header of the IPSec packet is
    not TCP or UDP. CBAC inspects only TCP and UDP packets.
Supported Platforms
The Cisco IOS Firewall feature set is supported on the following
platforms:
- Cisco 800 series
- Cisco uBR900 universal broadband router series
- Cisco 1600 series
- Cisco 1700 series
- Cisco 2500 series
- Cisco 2600 series
- Cisco 3600 series
- Cisco 7100 series
- Cisco 7200 series