Note: If
you try to configure CBAC but do not have a good understanding of
how CBAC works, you might inadvertently introduce security risks to
the firewall and to the protected network. Be sure you understand
what CBAC does before you configure CBAC.
Picking an Interface: Internal or External
You must decide whether to configure CBAC on an internal or
external interface of your firewall.
"Internal" refers to the side where sessions must
originate for their traffic to be permitted through the firewall.
"External" refers to the side where sessions cannot
originate (sessions originating from the external side will be
blocked).
If you will be configuring CBAC in two directions, you should
configure CBAC in one direction first, using the appropriate
"internal" and "external" interface
designations. When you configure CBAC in the other direction, the
interface designations will be swapped. (CBAC can be configured in
two directions at one or more interfaces. Configure CBAC in two
directions when the networks on both sides of the firewall require
protection, such as with extranet or intranet configurations, and
for protection against DoS attacks.)
The firewall is most commonly used with one of two basic network
topologies. Determining which of these topologies is most like your
own can help you decide whether to configure CBAC on an internal
interface or on an external interface.
Figure shows the first network topology. In this simple topology, CBAC is
configured for the external interface Serial 1. This prevents
specified protocol traffic from entering the firewall and the
internal network, unless the traffic is part of a session initiated
from within the internal network.
Figure shows the second network topology. In this topology, CBAC is
configured for the internal interface Ethernet 0,
allowing external traffic to access the services in the DMZ, such as
DNS services, but prevents specified protocol traffic from entering
your internal network --- unless the traffic is part of a session
initiated from within the internal network.
Using these two sample topologies, decide whether to configure
CBAC on an internal or external interface.
Configuring IP Access Lists at the Interface
For CBAC to work properly, you need to make sure that you have IP
access lists configured appropriately at the interface. Follow these
three general rules when evaluating your IP access lists at the
firewall:
- Start with a basic configuration.
If you try to configure access lists without a good
understanding of how access lists work, you might inadvertently
introduce security risks to the firewall and to the protected
network. You should be sure you understand what access lists do
before you configure your firewall. For more information about
access control lists, refer to the
A basic initial configuration allows all network traffic to
flow from the protected networks to the unprotected networks,
while blocking network traffic from any unprotected networks.
- Permit CBAC traffic to leave the network through the firewall.
All access lists that evaluate traffic leaving the protected
network should permit traffic that will be inspected by CBAC. For
example, if Telnet will be inspected by CBAC, then Telnet traffic
should be permitted on all access lists that apply to traffic
leaving the network.
- Use extended access lists to deny CBAC return traffic entering
the network through the firewall.
For temporary openings to be created in an access list, the
access list must be an extended access list. So wherever you have
access lists that will be applied to returning traffic, you must
use extended access lists. The access lists should deny CBAC
return traffic because CBAC will open up temporary holes in the
access lists. (You want traffic to be normally blocked when it
enters your network.)
Note: If your firewall has only two connections, one to
the internal network and one to the external network, using all
inbound access lists works well because packets are stopped before
they get a chance to affect the router itself.
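The following configuration is an added example, not taken from the original document, showing the three rules and the all-inbound access list layout from the note applied to the first topology (CBAC on external interface Serial 1). The addresses, access list numbers and the inspection rule name are assumed.

```cisco
! Added example, not from the original document. Assumes the internal
! network 10.1.1.0/24 sits behind Ethernet 0 and Serial 1 is the external
! interface (first topology); addresses, list numbers and the rule name
! FW_RULE are made up for illustration.
!
! Inspection rule: generic TCP inspection covers Telnet and HTTP sessions,
! the FTP inspector also tracks the FTP data channel, UDP covers DNS.
ip inspect name FW_RULE tcp
ip inspect name FW_RULE udp
ip inspect name FW_RULE ftp
!
! Rules 1 and 2: the list applied to traffic leaving the protected
! network permits exactly the protocols CBAC will inspect, nothing else.
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
access-list 101 permit udp 10.1.1.0 0.0.0.255 any eq domain
access-list 101 deny   ip any any
!
! Rule 3: the list applied to returning traffic must be an extended list
! and denies everything. CBAC opens temporary holes in this list only for
! sessions it saw leave; traffic it is not inspecting stays blocked.
access-list 102 deny   ip any any
!
! Both lists are applied inbound, so packets are dropped before they can
! affect the router itself (see the note above).
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
!
interface Serial1
 ip address 192.0.2.1 255.255.255.252
 ip access-group 102 in
 ip inspect FW_RULE out
```

For the second topology (CBAC on internal interface Ethernet 0) the same lists are kept but the interface designations are swapped: the deny list goes inbound on Ethernet 0 with the inspection rule applied in, and the permit list moves to the DMZ or external side.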