For CBAC to work properly, IP access lists must be configured appropriately at the interface. Follow the three general rules shown in Figure when evaluating IP access lists at the firewall.
NOTE: If the firewall only has two connections, one to the internal network and one to the external network, using all inbound access lists works well because packets are stopped before they get a chance to affect the router itself.
Basic Configuration

When CBAC is configured for the first time, it is helpful to start with a basic access list configuration that makes the operation of the firewall easy to understand without compromising security. The basic configuration allows all network traffic from the protected networks access to the unprotected networks, while blocking all network traffic, with some exceptions, from the unprotected networks to the protected networks. Use the guidelines shown in Figure for configuring the initial firewall access lists.
External Interface

The following guidelines apply to access lists when CBAC is configured on an external interface:
- If there is an outbound IP access list configured at the external
interface, the access list can be a standard or extended access list. This
outbound access list should permit traffic that is to be inspected by CBAC. If
traffic is not permitted, it will not be inspected by CBAC, and will be
dropped.
- The inbound IP access list at the external interface must be an extended
access list. This inbound access list should deny traffic that is to be
inspected by CBAC. CBAC will create temporary openings in this inbound access
list as appropriate to permit only return traffic that is part of a valid,
existing session.
Internal Interface

The following guidelines apply to access lists when CBAC is configured on an internal interface:
- If there is an inbound IP access list at the internal interface or an
outbound IP access list at external interfaces, these access lists can be
either standard or extended access lists. These access lists should permit
traffic that is to be inspected by CBAC. If traffic is not permitted, it will
not be inspected by CBAC, and will be dropped.
- The outbound IP access list at the internal interface and the inbound IP
access list at the external interface must be extended access lists. These
outbound access lists should deny traffic that is to be inspected by CBAC. CBAC
will create temporary openings in these outbound access lists as appropriate to
permit only return traffic that is part of a valid, existing session. It is not
necessary to configure an extended access list at both the outbound internal
interface and the inbound external interface, but at least one is necessary to
restrict traffic flowing through the firewall into the internal protected
network.
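The following IOS configuration fragment is an added example illustrating both the external-interface and internal-interface guidelines above; it is not taken from the original document. The interface names, the inspection rule name FW-INSPECT, the access list numbers and all addresses (192.168.1.0/24 inside, 203.0.113.0/30 on the outside link) are assumptions chosen for illustration. The inbound list on the external interface is extended and denies the traffic CBAC inspects, so that only CBAC's temporary openings (plus the few explicitly listed exceptions) let packets into the protected network; the optional outbound list on the same interface must permit that traffic or it is dropped before inspection.

```cisco
! Inspection rule: CBAC tracks outbound TCP and UDP sessions and opens
! temporary return paths through the inbound extended access list.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
!
! Inbound access list on the EXTERNAL interface: must be an extended list.
! It denies everything CBAC is going to inspect; CBAC adds temporary
! openings for return traffic of valid sessions. The ICMP permits are the
! "some exceptions" of the basic configuration and can be removed if the
! protected network does not need ping replies or path diagnostics.
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 unreachable
access-list 101 deny   ip any any log
!
! Optional outbound access list on the EXTERNAL interface (standard or
! extended). It must PERMIT the traffic CBAC is to inspect; anything it
! denies is dropped without ever being inspected.
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any log
!
interface Serial0/0
 description External (unprotected) link - addresses are constructed
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 ip inspect FW-INSPECT out
!
interface FastEthernet0/0
 description Internal (protected) LAN
 ip address 192.168.1.1 255.255.255.0
!
! Equivalent placement on the INTERNAL interface instead of the external
! one (only one of the two extended deny lists is required): move the
! extended list to the internal interface's OUTBOUND direction and apply
! the inspection rule INBOUND on that interface. Uncomment to use:
! interface FastEthernet0/0
!  ip access-group 101 out
!  ip inspect FW-INSPECT in
```

To verify the behaviour the guidelines describe, open a TCP session from a 192.168.1.0/24 host to an outside address and run `show ip inspect sessions` on the router: the session appears in the inspection table while it is active, and `show ip access-lists 101` shows the corresponding temporary entry that CBAC inserted ahead of the `deny ip any any` line. Once the session closes or times out, the entry disappears and unsolicited inbound packets are again matched by the final deny and logged.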