Overview

This module will discuss, in greater detail, how routers are utilized to secure a network through the use of the Context-based Access Control (CBAC) component of the Cisco IOS Firewall feature set.

ACLs are used to filter and secure network traffic. They do so by controlling whether routed or switched packets are forwarded or blocked at the interface: each packet is examined against the criteria specified within the ACL to determine how it should be handled. One particular type of ACL implementation, CBAC, is discussed in great detail. CBAC provides a greater level of security than the other ACL types by inspecting traffic at Layers 3 and higher, and the information it gathers is used to create temporary openings in the firewall access lists. The student will learn the steps required to create and establish CBAC:

  1. Pick an interface – internal or external.
  2. Configure IP access lists at the interface.
  3. Set audit trails and alerts.
  4. Set global timeouts and thresholds.
  5. Define port-to-application mapping (PAM).
  6. Define inspection rules.
  7. Apply inspection rules and ACLs to interfaces.
  8. Test and verify.

In addition to the ACLs applied at an interface, CBAC has several other uses, but the two work together: packets entering the firewall are inspected by CBAC only if they first pass the inbound ACL at the interface. If the ACL denies a packet, the packet is simply dropped and is never inspected by CBAC.
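The following Cisco IOS configuration walks through the eight steps listed above on a single router. It is an added example, not configuration taken from the course text or its labs: the interface names (FastEthernet0/0 internal, Serial0/0 external), the addresses (192.168.10.0/24 internally, 203.0.113.1 on the outside, both from reserved documentation/private ranges), the ACL number 101, the inspection rule name FWRULE and the threshold values are all assumptions chosen for illustration. The inspection rule is applied outbound on the external interface, so only return traffic for sessions that originated inside is admitted through the openings CBAC creates; everything else is stopped by the inbound ACL before CBAC ever sees it, as the preceding paragraph describes.

```cisco
! Added example (not from the course text). Assumed topology:
!   FastEthernet0/0  internal  192.168.10.0/24
!   Serial0/0        external  203.0.113.1/30
! Interface names, addresses, ACL number, rule name and thresholds are assumptions.
!
! Step 1 - pick an interface: the external interface Serial0/0 is chosen, so
!          outgoing sessions are inspected there and their return traffic is
!          admitted only through the temporary openings CBAC creates.
!
! Step 2 - inbound IP access list on the external interface. Only a few ICMP
!          messages are permitted statically; CBAC inserts the per-session
!          permits for return traffic. Denied packets are logged and never
!          reach CBAC.
access-list 101 permit icmp any host 203.0.113.1 echo-reply
access-list 101 permit icmp any host 203.0.113.1 unreachable
access-list 101 permit icmp any host 203.0.113.1 time-exceeded
access-list 101 deny   ip any any log
!
! Step 3 - audit trails and alerts (both go to the configured syslog destination).
!          Alerts are on by default; the second line makes that explicit.
ip inspect audit-trail
no ip inspect alert-off
!
! Step 4 - global timeouts and half-open (embryonic) session thresholds.
!          When the high mark is crossed CBAC starts deleting half-open
!          sessions until the count drops below the low mark.
ip inspect tcp synwait-time 15
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect one-minute high 400
ip inspect one-minute low 300
!
! Step 5 - port-to-application mapping (PAM): an internal web server also
!          listens on 8080 (assumed), so HTTP inspection must cover that port.
ip port-map http port 8080
!
! Step 6 - inspection rule. Application-layer inspection for protocols whose
!          return channels cannot be derived from Layer 4 alone (FTP opens a
!          separate data connection), generic TCP and UDP inspection otherwise.
ip inspect name FWRULE ftp
ip inspect name FWRULE http
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
! Step 7 - apply the ACL inbound and the inspection rule outbound on the
!          external interface.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
 ip inspect FWRULE out
!
! Step 8 - test and verify from privileged EXEC mode: active sessions, the
!          effective CBAC settings, and the dynamic entries added to ACL 101.
!   show ip inspect sessions
!   show ip inspect config
!   show ip access-lists 101
```

The ordering matters when verifying: open a connection from an internal host first, then run `show ip inspect sessions` and `show ip access-lists 101` to see the session entry and the temporary permit that CBAC added for its return traffic; once the idle timer from step 4 expires, both disappear again.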

PIX Security Appliance Command Reference

Cisco IOS Security Command Reference

NOTE:

It is required that the student study the commands covered in the chapter using the labs and the Command Reference. Not all required commands are covered in sufficient detail in the text alone. Successful completion of this course requires a thorough knowledge of command syntax and application.