This
section describes the CBAC feature. It includes information on the
benefits of the feature, supported platforms, configuration tasks,
and so forth. CBAC provides advanced traffic filtering functionality
and serves as an integral part of your network firewall. The
information in this document updates the information in the Cisco
IOS Release 12.0 Security Configuration Guide with the latest
feature enhancements:
- Application support for Microsoft NetShow
- IP packet fragmentation attack detection and prevention
- Configurable audit trail and alert messages for CBAC-inspected
protocols
- Support for the Cisco IOS Intrusion Detection System (IDS)
CBAC works to provide network protection on multiple levels using
the following functions:
Traffic Filtering
CBAC intelligently filters TCP and UDP packets based on
application-layer protocol session information. You can configure
CBAC to permit specified TCP and UDP traffic through a firewall only
when the connection is initiated from within the network you want to
protect. CBAC can inspect traffic for sessions that originate from
either side of the firewall. CBAC can be used for intranet,
extranet, and Internet perimeters of your network. In Cisco IOS
Release 12.0(5)T, CBAC provides support for Microsoft's NetShow
protocol.
Without CBAC, traffic filtering is limited to access list
implementations that examine packets at the network layer, or
at most, the transport layer. However, CBAC examines not only
network layer and transport layer information but also
examines the application-layer protocol information (such as FTP
connection information) to learn about the state of the TCP or UDP
session. This allows support of protocols that involve multiple
channels created as a result of negotiations in the control channel.
Most of the multimedia protocols as well as some other protocols
(such as FTP, RPC, and SQL*Net) involve multiple channels.
Using CBAC, Java blocking can be configured to filter traffic
based on the server address or to completely deny access to Java
applets that are not embedded in an archived or compressed file.
With Java, you must protect against the risk of users inadvertently
downloading destructive applets into your network. To protect
against this risk, you could require all users to disable Java in
their browser. If this is not an acceptable solution, you can create
a CBAC inspection rule to filter Java applets at the firewall,
allowing users to download only applets residing within the firewall
and trusted applets from outside the firewall. For extensive content
filtering of Java, Active-X, or virus scanning, you might want to
consider purchasing a dedicated content filtering product.
Traffic Inspection
CBAC inspects traffic that travels through the firewall to
discover and manage state information for TCP and UDP sessions. This
state information is used to create temporary openings in the
firewall access lists to allow return traffic and additional data
connections for permissible sessions (sessions that originated from
within the protected internal network).
Inspecting packets at the application layer and maintaining TCP
and UDP session information provides CBAC with the ability to detect
and prevent certain types of network attacks such as SYN-flooding. A
SYN-flood attack occurs when a network attacker floods a server with
a barrage of requests for connection and does not complete the
connection. The resulting volume of half-open connections can
overwhelm the server, causing it to deny service to valid requests.
Network attacks that deny access to a network device are called
denial-of-service (DoS) attacks.
CBAC inspection helps to protect against DoS attacks in other
ways. CBAC inspects packet sequence numbers in TCP connections to
see if they are within expected ranges, and drops any suspicious
packets. You can also configure CBAC to drop half-open connections,
which require firewall processing and memory resources to maintain.
Additionally, CBAC can detect unusually high rates of new
connections and issue alert messages.
CBAC inspection can help protect against certain DoS attacks
involving fragmented IP packets. Even though the firewall prevents
an attacker from making actual connections to a given host, the
attacker can disrupt services provided by that host. This is done by
sending many noninitial IP fragments or by sending complete
fragmented packets through a router with an access control list (ACL)
that filters the first fragment of a fragmented packet. These
fragments can tie up resources on the target host as it tries to
reassemble the incomplete packets.
Alerts and Audit Trails
CBAC also generates real-time alerts and audit trails based on
events tracked by the firewall. Enhanced audit trail features use
syslog to track all network transactions, recording time stamps,
source host, destination host, ports used, and the total number of
transmitted bytes, for advanced, session-based reporting. Real-time
alerts send syslog error messages to central management consoles
upon detecting suspicious activity. Using CBAC inspection rules, you
can configure alerts and audit trail information on a
per-application protocol basis. For example, if you want to generate
audit trail information for Hypertext Transfer Protocol (HTTP)
traffic, you can specify that in the CBAC rule covering HTTP
inspection.
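The functions described above (stateful TCP/UDP inspection, Java blocking, half-open and fragment controls, per-protocol audit trail and alerts) pulled together into one router configuration. This is an added example, not a configuration from the original document; the interface names, addresses, ACL numbers and the inspection name FWRULE are assumptions chosen for illustration.

```cisco
! Added example (not from the original document): CBAC on a router whose
! Ethernet0 faces the protected LAN and Serial0 faces the Internet.
! Interface names, addresses, ACL numbers and the inspection name FWRULE
! are assumptions chosen for illustration.

! The audit trail is off by default and alerts are on by default; turn the
! audit trail on globally, then tune both per protocol in the rule below.
ip inspect audit-trail

! DoS protection: start deleting half-open sessions when 500 exist, stop at
! 400, and apply the same thresholds to the one-minute rate of new connections.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-host limit on half-open TCP sessions; block-time 0 deletes the oldest
! half-open session for that host instead of blocking new connections.
ip inspect tcp max-incomplete host 50 block-time 0

! Java applets are permitted only from servers matched by standard ACL 51
! (here an assumed trusted external server range).
access-list 51 permit 203.0.113.0 0.0.0.255
access-list 51 deny any

! The inspection rule: application-layer protocols (FTP, HTTP with Java
! blocking, NetShow) first, then generic TCP and UDP for everything else.
ip inspect name FWRULE ftp audit-trail on
ip inspect name FWRULE http java-list 51 alert on
ip inspect name FWRULE netshow
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
! Fragment tracking: keep state for at most 256 fragmented packets, 1 s timeout.
ip inspect name FWRULE fragment maximum 256 timeout 1

! Inbound ACL on the outside interface. Return traffic gets in only through
! the temporary openings CBAC creates; protocols not listed in FWRULE are
! filtered by this list alone, so they are denied here.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny ip any any log

interface Ethernet0
 ip address 10.1.1.1 255.255.255.0

interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 ip inspect FWRULE out
```

Sessions initiated from the LAN are inspected as they leave Serial0, and their return traffic is admitted through openings in ACL 101; with the audit trail on, each inspected session is logged to syslog when it closes.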
Intrusion Detection
The Cisco IOS Firewall now offers intrusion detection technology
for midrange and high-end router platforms with firewall support. It
is ideal for any network perimeter, and especially for locations in
which a router is being deployed and additional security between
network segments is required. It also can protect intranet and
extranet connections where additional security is mandated, and
branch-office sites connecting to the corporate office or Internet.
The Cisco IOS Firewall Intrusion Detection System (Cisco IOS IDS)
identifies 59 of the most common attacks using signatures to detect
patterns of misuse in network traffic. The intrusion-detection
signatures available in the new release of the Cisco IOS Firewall
were chosen from a broad cross-section of intrusion-detection
signatures. The signatures represent severe breaches of security and
the most common network attacks and information-gathering scans.
What CBAC Does Not Do
CBAC does not provide intelligent filtering for all protocols; it
works only for the protocols that you specify. If you do not specify
a certain protocol for CBAC, the existing access lists will
determine how that protocol is filtered. No temporary openings will
be created for protocols not specified for CBAC inspection.
CBAC does not protect against attacks originating from within the
protected network unless that traffic travels through a router that
has the Cisco IOS Firewall deployed on it. CBAC detects and protects
against only attacks that travel through the firewall. This is a
scenario in which you might want to deploy CBAC on an intranet-based
router.
CBAC protects against certain types of attacks, but not every
type of attack. CBAC should not be considered a perfect,
impenetrable defense. Determined, skilled attackers might be able to
launch effective attacks. Although there is no such thing as a
perfect defense, CBAC detects and prevents most of the popular
attacks on your network.