This module will discuss, in greater detail, how routers are used to
secure a network through the use of the Context-based Access Control (CBAC)
component of the Cisco IOS Firewall feature set.
ACLs are used to filter and secure network traffic. ACLs filter network traffic
by controlling whether routed or switched packets are forwarded or blocked at
the interface. Each packet is examined to determine how it should be handled
based on the criteria specified within the ACL. One particular type of ACL
implementation, CBAC, is discussed in great detail. CBAC provides a higher level
of security than ordinary ACLs by inspecting traffic at Layer 3 and above.
Information gathered by CBAC is used to create temporary openings in the
firewall access lists. The student will learn the steps required to create and
establish CBAC:
- Pick an interface – internal or external.
- Configure IP access lists at the interface.
- Set audit trails and alerts.
- Set global timeouts and thresholds.
- Define port-to-application mapping (PAM).
- Define inspection rules.
- Apply inspection rules and ACLs to interfaces.
- Test and verify.
CBAC works together with the applied ACLs; it does not replace them. Packets
entering the firewall are inspected by CBAC only if they first pass the inbound
ACL at the interface. If a packet is denied by the ACL, it is simply dropped and
never reaches CBAC inspection.
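The eight steps above, and the ACL-before-inspection ordering just described, shown as one worked IOS configuration. This is an added example, not configuration from the course module; the interface names, addresses, ACL number 101, rule name INSIDE-OUT, and timer values are assumptions.

```cisco
! Step 1: pick the interface. Assumed topology: Fa0/0 is inside
! (10.1.1.0/24), Fa0/1 is the external interface facing the Internet.
! Inspection is applied on the external interface.
!
! Step 2: IP access list for the external interface. Inbound packets are
! checked against this ACL first; anything it denies is dropped and never
! inspected. CBAC adds temporary entries ahead of the deny for return
! traffic of sessions that originated inside.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   ip any any log
!
! Step 3: audit trail and alerts (alerts are on by default)
ip inspect audit-trail
!
! Step 4: global timeouts and thresholds (limits half-open sessions)
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Step 5: PAM - treat TCP/8080 as HTTP so the HTTP inspector handles it
ip port-map http port 8080
!
! Step 6: inspection rules, one rule set for traffic leaving the network
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT http
ip inspect name INSIDE-OUT ftp
ip inspect name INSIDE-OUT icmp
!
! Step 7: apply the ACL inbound and the inspection rule outbound on the
! external interface
interface FastEthernet0/1
 description OUTSIDE
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip inspect INSIDE-OUT out
!
! Step 8: test and verify from privileged EXEC
! show ip inspect config
! show ip inspect interfaces
! show ip inspect sessions
! show ip access-lists 101
```

After an inside host opens a connection, `show ip inspect sessions` should list it and `show ip access-lists 101` should show the temporary entry CBAC created for its return traffic.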
Command references for this module:
- PIX Security Appliance Command Reference
- Cisco IOS Security Command Reference

NOTE:
It is required that the student study the commands covered in the
chapter using the labs and the Command Reference. Not all required commands are
covered in sufficient detail in the text alone. Successful completion of this
course requires a thorough knowledge of command syntax and application.