You should understand the material in
this section before you configure CBAC. If you do not understand how
CBAC works, you might inadvertently introduce security risks by
configuring CBAC inappropriately. CBAC creates temporary openings in
access lists at firewall interfaces. These openings are created when
specified traffic exits your internal network through the firewall.
The openings allow returning traffic (that would normally be
blocked) and additional data channels to enter your internal network
back through the firewall. The traffic is allowed back through the
firewall only if it is part of the same session as the original
traffic that triggered CBAC when exiting through the firewall.
In the main figure, the
inbound access lists at S0 and S1 are configured to block Telnet
traffic, and there is no outbound access list configured at E0. When
the connection request for User1's Telnet session passes through the
firewall, CBAC creates a temporary opening in the inbound access
list at S0 to permit returning Telnet traffic for User1's Telnet
session. (If the same access list is applied to both S0 and S1, the
same opening would appear at both interfaces.) If necessary, CBAC
would also have created a similar opening in an outbound access list
at E0 to permit return traffic. This section describes how CBAC
inspects packets and maintains state information about sessions to
provide intelligent filtering.
Lab Activity
In this lab, you will learn the usage of Context-Based Access Control.
Packets Are Inspected
With CBAC, you specify which protocols you want to be inspected,
and you specify an interface and interface direction (in or out)
where inspection originates. Only specified protocols will be
inspected by CBAC. For these protocols, packets flowing through the
firewall in any direction are inspected, as long as they flow
through the interface where inspection is configured.
Packets entering the firewall are inspected by CBAC only if they
first pass the inbound access list at the interface. If a packet is
denied by the access list, the packet is simply dropped and not
inspected by CBAC.
CBAC inspects and monitors only the control channels of
connections; the data channels are not inspected. For example,
during FTP sessions both the control and data channels (which are
created when a data file is transferred) are monitored for state
changes, but only the control channel is inspected (that is, the
CBAC software parses the FTP commands and responses). CBAC
inspection tracks sequence numbers in all TCP packets, and drops
those packets with sequence numbers that are not within expected
ranges. CBAC inspection also recognizes application-specific
commands (such as illegal SMTP commands) in the control channel, and
detects and prevents certain application-level attacks. When CBAC
suspects an attack, the DoS feature can take several actions:
- Generate alert messages
- Protect system resources that could impede performance
- Block packets from suspected attackers
CBAC uses timeout and threshold values to manage session state
information, helping to determine when to drop sessions that do not
become fully established. Setting timeout values for network
sessions helps prevent DoS attacks by freeing system resources,
dropping sessions after a specified amount of time. Setting
threshold values for network sessions helps prevent DoS attacks by
controlling the number of half-open sessions, limiting the amount of
system resources applied to half-open sessions. When a session is
dropped, CBAC sends a reset message to the devices at both end
points (source and destination) of the session. When the system
under DoS attack receives a reset command, it releases, or frees,
processes and resources related to that incomplete session.
CBAC provides three thresholds against DoS attacks:
- The total number of half-open TCP or UDP sessions
- The number of half-open sessions based upon time
- The number of half-open TCP-only sessions per host
If a threshold is exceeded, CBAC has two options:
- Send a reset message to the endpoints of the oldest half-open
session, making resources available to service newly arriving
SYN packets.
- In the case of half-open TCP-only sessions, CBAC blocks all
SYN packets temporarily for the duration configured by the
threshold value. When the router blocks a SYN packet, the TCP
three-way handshake is never initiated, so the bogus attempt
cannot consume the memory and processing resources that are
needed for valid connections.
DoS detection and prevention requires that you create a CBAC
inspection rule and apply that rule on an interface. The inspection
rule must include the protocols that you want to monitor against DoS
attacks. For example, if you have TCP inspection enabled on the
inspection rule, then CBAC can track all TCP connections to watch
for DoS attacks. If the inspection rule includes FTP protocol
inspection but not TCP inspection, CBAC tracks only FTP connections
for DoS attacks.
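The timeouts, the three thresholds and the inspection rule described above, as an added configuration example that is not from the original page or from Cisco's documentation. It reuses interfaces S0 and E0 from the figure; the rule name FW_OUT, ACL 101, the 10.1.1.0/24 address and every numeric value are assumptions chosen for illustration.

```cisco
! Added example, not from the original page: a CBAC inspection rule with
! DoS timeouts and thresholds, applied in the S0/E0 topology of the figure.
! The rule name FW_OUT, ACL 101, addresses and all numeric values are
! assumptions chosen for illustration.
!
! Timeouts: free state-table resources held by sessions that never
! complete or that go idle.
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
! The UDP idle timeout is what "soon" means for approximated UDP sessions.
ip inspect udp idle-time 30
ip inspect dns-timeout 5
!
! Threshold 1: total half-open TCP or UDP sessions. Above "high", CBAC
! resets the oldest half-open sessions until the count falls to "low".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!
! Threshold 2: half-open sessions based on time (new half-open per minute).
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Threshold 3: half-open TCP-only sessions per destination host. Above 50,
! new SYNs to that host are blocked for 2 minutes.
ip inspect tcp max-incomplete host 50 block-time 2
!
! Inspection rule: only the listed protocols are inspected and counted.
! Generic tcp/udp inspection tracks every TCP/UDP session; ftp inspection
! additionally parses the control channel and opens the data channel.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT ftp
! Log session creation and deletion so temporary openings can be audited.
ip inspect audit-trail
!
! Inbound ACL at S0: blocks Telnet and everything not explicitly permitted.
! CBAC inserts temporary permit entries ahead of it for return traffic.
access-list 101 deny   tcp any any eq 23
access-list 101 deny   ip any any
!
interface Serial0
 ip access-group 101 in
 ip inspect FW_OUT out
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
```

Without the `tcp` line in the rule, only FTP sessions would count toward the thresholds, which is the distinction the paragraph draws.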
A State Table Maintains Session-State Information
Whenever a packet is inspected, a state table is updated to
include information about the state of the packet connection. Return
traffic will be permitted back through the firewall only if the
state table contains information indicating that the packet belongs
to a permissible session. Inspection controls the traffic that
belongs to a valid session and forwards the traffic it does not
know. When return traffic is inspected, the state table information
is updated as necessary.
UDP "Sessions" Are Approximated
With UDP --- a connectionless service --- there are no actual
sessions, so the software approximates sessions by examining the
information in the packet and determining if the packet is similar
to other UDP packets (for example, similar source/destination
addresses and port numbers) and if the packet was detected soon
after another similar UDP packet. "Soon" means within the
configurable UDP idle timeout period.
Access List Entries Are Dynamically Created and Deleted
CBAC dynamically creates and deletes access list entries at the
firewall interfaces, according to the information maintained in the
state tables. These access-list entries are applied to the
interfaces to examine traffic flowing back into the internal
network. These entries create temporary openings in the firewall to
permit only traffic that is part of a permissible session. The
temporary access list entries are never saved to NVRAM.
When and Where to Configure CBAC
Configure CBAC at firewalls protecting internal networks. Use CBAC when the firewall will be passing traffic such as:
- Standard TCP and UDP Internet applications
- Multimedia applications
- Oracle support
Use CBAC for these applications if you want the application
traffic to be permitted through the firewall only when the traffic
session is initiated from a particular side of the firewall (usually
from the protected internal network).
In many cases, you will configure CBAC in one direction only at a
single interface, causing traffic to be permitted back into the
internal network only if the traffic is part of a permissible
(valid, existing) session. This is a typical configuration for
protecting your internal networks from traffic that originates on
the Internet.
You can also configure CBAC in two directions at one or more
interfaces. CBAC is configured in two directions when the networks
on both sides of the firewall should be protected, such as with
extranet or intranet configurations, and to protect against DoS
attacks. For example, if the firewall is situated between two
partner companies' networks, you might wish to restrict traffic in
one direction for certain applications, and restrict traffic in the
opposite direction for other applications.
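The two-direction extranet case just described, as an added configuration example that is not from the original page or from Cisco's documentation. The interface names reuse E0 and S1 from the figure; the rule names TO_PARTNER and FROM_PARTNER, ACLs 110 and 120, the 10.1.1.0/24 addresses and the protocol choices are assumptions.

```cisco
! Added example, not from the original page: CBAC in two directions at
! an extranet firewall, company network on E0, partner network on S1.
! Rule names, ACL numbers, addresses and protocol choices are assumptions.
!
! Sessions our users start toward the partner: generic TCP/UDP plus FTP,
! whose negotiated data channel needs its own temporary opening.
ip inspect name TO_PARTNER tcp
ip inspect name TO_PARTNER udp
ip inspect name TO_PARTNER ftp
!
! Sessions the partner starts toward us: only HTTP is inspected, so only
! HTTP return traffic gets a temporary opening back toward the partner.
ip inspect name FROM_PARTNER http
!
! ACL 110, inbound on S1: what partner-originated traffic must pass.
! Replies to our own outbound sessions are admitted by CBAC's temporary
! entries, not by this list.
access-list 110 permit tcp any host 10.1.1.80 eq 80
access-list 110 deny   ip any any
!
! ACL 120, inbound on E0: what company-originated traffic must pass
! before it is inspected. Telnet toward the partner is dropped here,
! so CBAC never sees it and never opens a return path for it.
access-list 120 deny   tcp 10.1.1.0 0.0.0.255 any eq 23
access-list 120 permit tcp 10.1.1.0 0.0.0.255 any eq 21
access-list 120 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 120 permit udp 10.1.1.0 0.0.0.255 any eq 53
access-list 120 deny   ip any any
!
! One interface, both directions: outbound sessions are inspected as
! they leave, partner sessions as they arrive.
interface Serial1
 ip access-group 110 in
 ip inspect TO_PARTNER out
 ip inspect FROM_PARTNER in
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 120 in
```

The web server's replies to the partner enter E0 and would fail ACL 120 on their own; they pass only through the temporary entry CBAC created when the partner's HTTP session was inspected inbound on S1.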