10.8 Context-Based Access Control
10.8.3 The CBAC process
This section describes a sample sequence of events that occurs when CBAC is configured at an external interface that connects to an external network such as the Internet. In this example, a TCP packet exits the internal network through the external interface of the firewall. The TCP packet is the first packet of a Telnet session, and TCP is configured for CBAC inspection.
  1. The packet reaches the external interface of the firewall.
  2. The packet is evaluated against the existing outbound access list of the interface, and the packet is permitted. (A denied packet would simply be dropped at this point.)
  3. The packet is inspected by CBAC to determine and record information about the state of the packet connection. This information is recorded in a new state table entry created for the new connection.
  4. (If the application carried by the packet, in this case Telnet, were not configured for CBAC inspection, the packet would simply be forwarded out the interface at this point without being inspected by CBAC. See the section "Define an Inspection Rule" for configuring CBAC inspection information.)
  5. Based on the obtained state information, CBAC creates a temporary access-list entry that is inserted at the beginning of the external interface inbound extended access list. This temporary access-list entry is designed to permit inbound packets that are part of the same connection as the outbound packet just inspected.
  6. The outbound packet is forwarded out the interface.
  7. Later, an inbound packet reaches the interface. This packet is part of the same Telnet connection previously established with the outbound packet. The inbound packet is evaluated against the inbound access list, and it is permitted because of the temporary access list entry previously created.
  8. The permitted inbound packet is inspected by CBAC, and the connection state table entry is updated as necessary. Based on the updated state information, the inbound extended access list temporary entries might be modified in order to permit only packets that are valid for the current state of the connection.
  9. Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and they are forwarded through the interface.
  10. When the connection terminates or times out, the connection state table entry is deleted, and the connection temporary inbound access-list entries are deleted.

In the sample process just described, the firewall access lists are configured as follows:

  • An outbound IP access list (standard or extended) is applied to the external interface. This access list permits all packets that you want to allow to exit the network, including packets you want to be inspected by CBAC. In this case, Telnet packets are permitted.
  • An inbound extended IP access list is applied to the external interface. This access list denies the traffic that CBAC is to inspect, including the returning Telnet packets. When CBAC is triggered by an outbound packet, it creates a temporary opening in the inbound access list to permit only traffic that is part of a valid, existing session.

If the inbound access list had been configured to permit all traffic, CBAC would be creating pointless openings in the firewall for packets that would be permitted anyway.
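The following configuration is an example added to this section; it is not taken from the original document or from a Cisco sample configuration. It puts the sequence above into Cisco IOS commands: an outbound list that permits the Telnet traffic to be inspected, an inbound extended list that denies its return traffic, and a generic TCP inspection rule applied outbound on the external interface. The interface names (Ethernet0 inside, Serial0 outside), the addresses 192.0.2.0/24 and 198.51.100.2, the access-list numbers 101 and 102, the rule name FW_OUT and the timeout value are assumptions chosen for illustration.

```cisco
! Added example, not from the original document. Interface names, addresses,
! access-list numbers, the rule name and the timeout are assumptions.
!
! Inside network 192.0.2.0/24 on Ethernet0; Serial0 faces the Internet.
!
! Inspection rule: generic TCP inspection, which covers the Telnet session
! described above. Inspected TCP sessions idle out after 3600 seconds.
ip inspect name FW_OUT tcp timeout 3600
!
! Outbound list on the external interface (step 2): permits what may leave,
! including the traffic CBAC will inspect. Telnet from the inside network is allowed.
access-list 102 permit tcp 192.0.2.0 0.0.0.255 any eq telnet
access-list 102 deny ip any any log
!
! Inbound list on the external interface: must be an extended list, because CBAC
! inserts its temporary per-session entries at its beginning (step 5). It denies
! the Telnet return traffic so that only those temporary entries admit it.
! ICMP is not inspected by CBAC (see Restrictions), so the replies that inside
! hosts need are permitted statically here.
access-list 101 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
access-list 101 deny ip any any log
!
! Do NOT write "access-list 101 permit ip any any" instead: returning packets
! would then be permitted whether or not a session exists, and the temporary
! entries CBAC creates would be pointless.
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 ip inspect FW_OUT out
!
! Verification after an inside host opens a Telnet session:
!   show ip inspect sessions
!   show ip inspect config
```

After an inside host opens a Telnet session, `show ip inspect sessions` lists the connection whose return traffic the temporary entry admits (the entry disappears when the session closes or idles out, step 10), and `show ip inspect config` shows the rule and its timers. Access list 101 has to be an extended list because the temporary entries carry addresses and ports; a standard list could not hold them.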

Supported Protocols

You can configure CBAC to inspect the following types of sessions:

  • All TCP sessions, regardless of the application-layer protocol (sometimes called "single-channel" or "generic" TCP inspection)
  • All UDP sessions, regardless of the application-layer protocol (sometimes called "single-channel" or "generic" UDP inspection)

You can also configure CBAC to specifically inspect certain application-layer protocols. The following application-layer protocols can all be configured for CBAC:

  • CU-SeeMe (only the White Pine version)
  • FTP
  • H.323 (such as NetMeeting, ProShare)
  • HTTP (Java blocking)
  • Java
  • Microsoft NetShow
  • UNIX R-commands (such as rlogin, rexec, and rsh)
  • RealAudio
  • RPC (Sun RPC, not DCE RPC)
  • Microsoft RPC
  • Simple Mail Transfer Protocol (SMTP)
  • SQL*Net
  • StreamWorks
  • Trivial File Transfer Protocol (TFTP)
  • VDOLive

When a protocol is configured for CBAC, that protocol traffic is inspected, state information is maintained, and in general, packets are allowed back through the firewall only if they belong to a permissible session.

Benefits

CBAC provides the following features:

  • Stateful packet filtering --- This feature provides sophisticated security and policy enforcement for connections within an organization (intranet) and between an organization and its partner networks, as well as between the organization and the Internet.
  • Denial-of-service detection and prevention --- CBAC defends and protects router resources against common attacks, checking packet headers and dropping suspicious packets.
  • Real-time alerts and audit trail information --- This information is configurable on a per-application basis to track connection information for traffic through the firewall, providing detailed usage information and reporting on suspicious activity.
  • Seamless interoperability --- This interoperability integrates the firewall solution with other Cisco IOS software features, optimizing WAN utilization, providing robust, scalable routing, and interoperating with existing Cisco IOS software-based networks (such as the Internet).
  • VPN support --- Using Cisco IOS Firewall with other Cisco IOS encryption and quality of service (QoS) features enables secure, low-cost transmission over public networks, reduces implementation and management total cost of ownership for remote branch offices and extranets, and ensures mission-critical application traffic receives high-priority delivery.
  • Scalable deployment --- Available for a wide variety of router platforms, the Cisco IOS Firewall scales to meet the bandwidth and performance requirements of any network.
  • Java blocking --- This feature protects against unidentified, malicious Java applets.
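As an added example (not part of the original document or of any Cisco sample), the following fragment exercises the application-layer inspection listed under Supported Protocols together with the audit trail, denial-of-service thresholds and Java blocking listed under Benefits. The rule name FW_APP, the standard access list 10 and its trusted network 203.0.113.0/24, and every threshold and timeout value are assumptions chosen to show the syntax, not recommended settings.

```cisco
! Added example, not from the original document. The rule name, the access-list
! number and its network, and every threshold and timeout value are assumptions.
!
! Global defaults: record a per-session audit trail for every inspected protocol
! and suppress alerts unless a protocol entry turns them back on.
ip inspect audit-trail
ip inspect alert-off
!
! Denial-of-service protection: when half-open (incomplete) sessions exceed the
! high mark, CBAC starts deleting them until the count falls to the low mark.
! The one-minute values do the same for the rate of new connection attempts.
! A TCP session that does not complete its handshake within 20 seconds is dropped.
ip inspect max-incomplete high 300
ip inspect max-incomplete low 200
ip inspect one-minute high 300
ip inspect one-minute low 200
ip inspect tcp synwait-time 20
!
! Java blocking: applets are allowed only from servers matched by standard list 10;
! applets from any other source are blocked.
access-list 10 permit 203.0.113.0 0.0.0.255
access-list 10 deny any
!
! Application-layer entries where CBAC understands the protocol: FTP (so the data
! channel is opened from the control channel, destination ports 1024-65535 only),
! SMTP, and HTTP with Java blocking. Generic TCP and UDP catch everything else.
ip inspect name FW_APP ftp audit-trail on timeout 3600
ip inspect name FW_APP smtp alert on
ip inspect name FW_APP http java-list 10 alert on
ip inspect name FW_APP tcp
ip inspect name FW_APP udp timeout 15
!
! If Cisco Encryption Technology is configured on this same router, keep only the
! tcp and udp entries (plus cuseeme and streamworks if needed); see Restrictions.
```

Apply the rule with `ip inspect FW_APP out` on the external interface, as in the Telnet example, and confirm the entries and thresholds with `show ip inspect config`. The generic tcp and udp entries handle sessions no application entry matches, but the ftp entry is still required for file transfers: generic TCP inspection only opens the return path for the control connection, not for the separately negotiated data channel.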

Restrictions

CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. (Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.)

If you reconfigure your access lists when you configure CBAC, be aware that if your access lists block TFTP traffic into an interface, you will not be able to netboot over that interface. (This is not a CBAC-specific limitation, but is part of existing access list functionality.)

  • Packets with the firewall as the source or destination address are not inspected by CBAC or evaluated by access lists.
  • CBAC ignores ICMP Unreachable messages.
  • With FTP, CBAC does not allow third-party connections (three-way FTP transfer).
  • When CBAC inspects FTP traffic, it allows only data channels with the destination port in the range of 1024 to 65535.
  • CBAC will not open a data channel if the FTP client/server authentication fails.
Cisco Encryption Technology (CET) and CBAC compatibility:

  • If encrypted traffic is exchanged between two routers, and the firewall is in between the two routers, CBAC might not work as anticipated, because the packet payloads are encrypted and CBAC cannot accurately inspect them.
  • If both encryption and CBAC are configured at the same firewall, CBAC will not work for certain protocols. CBAC will work with single-channel TCP and UDP, except for Java and SMTP, but it will not work with multichannel protocols, except for StreamWorks and CU-SeeMe. If you configure encryption at the firewall, therefore, configure CBAC only for the following protocols: generic TCP, generic UDP, CU-SeeMe, StreamWorks.

IPSec and CBAC compatibility:

  • When CBAC and IPSec are enabled on the same router, and the firewall router is an IPSec endpoint for the particular flow, IP Security (IPSec) is compatible with CBAC: the router sees the flow in the clear, so CBAC can do its normal inspection processing on it.
  • If the router is not an IPSec endpoint but the packet is an IPSec packet, CBAC will not inspect the packet, because the protocol number in the IP header of the IPSec packet is not TCP or UDP, and CBAC inspects only TCP and UDP packets.

Supported Platforms

The Cisco IOS Firewall feature set is supported on the following platforms:

  • Cisco 800 series
  • Cisco uBR900 universal broadband router series
  • Cisco 1600 series
  • Cisco 1700 series
  • Cisco 2500 series
  • Cisco 2600 series
  • Cisco 3600 series
  • Cisco 7100 series
  • Cisco 7200 series