A CBAC configuration specifies which protocols are to be inspected, the interface
it applies to, the direction on that interface (in or out), and therefore where
the inspection originates. Only the specified protocols are inspected by CBAC.
For these protocols, packets flowing through the firewall in either direction
are inspected, as long as they flow through the interface where inspection is
configured. Packets entering the firewall are inspected by CBAC only if they
first pass the inbound ACL at the interface; a packet denied by the ACL is simply
dropped and is not inspected by CBAC.
CBAC inspects and monitors only the control channels of connections; the data
channels are not inspected. For example, during FTP sessions both the control
channel and the data channels that are created when a data file is transferred
are monitored for state changes, but only the control channel is inspected: the
CBAC software parses the FTP commands and responses.
CBAC inspection recognizes application-specific commands in the control channel
and can detect illegal ones, such as invalid Simple Mail Transfer Protocol (SMTP)
commands. CBAC tracks the sequence numbers in all TCP packets and drops packets
whose sequence numbers are not within the expected ranges. CBAC inspection also
detects and prevents certain application-level attacks. When CBAC suspects an
attack, the DoS feature can take the following actions:
- Generate alert messages
- Protect system resources whose exhaustion would impede performance
- Block packets from suspected attackers
CBAC uses timeout and threshold values to manage session state information and
to determine when to drop sessions that do not become fully established. Setting
timeout values for network sessions helps prevent DoS attacks by freeing system
resources: sessions are dropped after a specified amount of time. Setting
threshold values for network sessions helps prevent DoS attacks by controlling
the number of half-open sessions, which limits the system resources committed to
them. When a session is dropped, CBAC sends a reset message to the devices at
both endpoints (source and destination) of the session. When the system under
DoS attack receives the reset, it releases the processes and resources tied to
that incomplete session.
CBAC provides three thresholds against DoS attacks:
- The total number of half-open TCP or UDP sessions
- The number of half-open sessions based on time
- The number of half-open TCP-only sessions per host
If a threshold is exceeded, CBAC has two options:
- Send a reset message to the endpoints of the oldest half-open session, making
resources available to service newly arriving SYN packets.
- In the case of half-open TCP-only sessions, temporarily block all SYN packets
for the duration configured by the threshold value. When the router blocks a SYN
packet, the TCP three-way handshake is never initiated, which keeps the router
from committing memory and processing resources that are needed for valid
connections.
DoS detection and prevention requires the creation of a CBAC inspection rule,
which is applied to an interface. The inspection rule must include the protocols
that are to be monitored against DoS attacks. For example, if TCP inspection is
enabled in the inspection rule, CBAC can track all TCP connections to watch for
DoS attacks. If the inspection rule includes FTP protocol inspection but not TCP
inspection, CBAC tracks only FTP connections for DoS attacks.
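The inspection rule, the inbound ACL, the timeouts and the three half-open
thresholds described above, brought together in one classic Cisco IOS CBAC
configuration. This is an added example, not taken from the original text: the
rule name FWRULE, ACL number 101, the interface names and roles, and every timer
and threshold value are constructed for illustration and must be tuned to the
real traffic profile. The commands themselves are the standard ip inspect
commands.

```text
! Added example, not from the original text. Fa0/0 faces the inside network,
! Fa0/1 faces the Internet; names and all numeric values are illustrative.

! 1. Inspection rule: only the protocols listed here are inspected.
!    Generic tcp/udp inspection puts every TCP and UDP session under the DoS
!    thresholds; the application keywords add control-channel parsing
!    (FTP commands and responses, SMTP command checking).
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
ip inspect name FWRULE smtp
!
! A rule containing only the ftp keyword would leave all other TCP
! connections untracked for DoS purposes:
!   ip inspect name FTPONLY ftp

! 2. Timeouts: release state for sessions that never complete or go idle.
! Seconds to wait for the TCP three-way handshake to complete
ip inspect tcp synwait-time 30
! Seconds to keep state after both sides have sent FIN
ip inspect tcp finwait-time 5
! Idle TCP sessions are dropped after one hour
ip inspect tcp idle-time 3600
! Approximated UDP "sessions" expire after 30 idle seconds
ip inspect udp idle-time 30

! 3. Thresholds: the three half-open session limits.
! Total half-open TCP and UDP sessions: start deleting the oldest half-open
! sessions (sending resets) at 500, stop when the count falls to 400
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! Rate of new half-open sessions per minute, same high/low hysteresis
ip inspect one-minute high 500
ip inspect one-minute low 400
! Half-open TCP sessions per destination host. block-time 0: delete the
! oldest half-open session for each new request. A non-zero block-time
! instead drops all half-open sessions to that host and blocks new SYNs
! to it for that many minutes.
ip inspect tcp max-incomplete host 50 block-time 0

! Log session open/close so resets and drops are visible in syslog
ip inspect audit-trail

! 4. Inbound ACL on the outside interface. Anything that must always be
!    allowed in goes above the final deny; CBAC adds temporary entries for
!    the return traffic of inspected sessions, and nothing else gets in.
access-list 101 deny ip any any

! 5. Apply the rule outbound on the outside interface. Sessions leaving
!    toward the Internet are inspected, and the temporary openings are
!    created in ACL 101, which faces the returning traffic.
interface FastEthernet0/1
 description Outside
 ip access-group 101 in
 ip inspect FWRULE out
```

The high/low pairs give the thresholds hysteresis: CBAC begins aggressive
deletion of half-open sessions when the high value is crossed and stops once
the count (or the one-minute rate) has dropped to the low value, so the router
is not flapping in and out of mitigation on every new connection.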
A state table maintains session state information. Whenever a packet is
inspected, the state table is updated with information about the state of the
packet's connection. Return traffic is permitted back through the firewall only
if the state table contains information indicating that the packet belongs to a
permissible session. Inspection controls the traffic that belongs to a valid
session and forwards the traffic it does not recognize. When return traffic is
inspected, the state table information is updated as necessary.
UDP sessions are approximated. Because UDP has no actual sessions, the software
approximates them by examining the information in each packet and determining
whether it is similar to other UDP packets, for example by having similar source
or destination addresses and port numbers. The software also checks that the
packet arrives within the configurable UDP idle timeout period.
ACL entries are dynamically created and deleted. CBAC dynamically creates and
deletes ACL entries at the firewall interfaces according to the information
maintained in the state tables. These ACL entries are applied to the interfaces
to examine traffic flowing back into the internal network, creating temporary
openings in the firewall that permit only traffic belonging to a permissible
session. The temporary ACL entries are never saved to nonvolatile RAM (NVRAM).
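To observe the state table, the UDP session approximation and the temporary ACL
entries described above on a live router, the following Cisco IOS operator
commands can be used. They are added here as an example and are not part of the
original text; device output is deliberately not reproduced, since it depends on
the traffic present.

```text
! Added example, not from the original text: verifying CBAC behaviour.

! Current state-table entries. UDP entries appear here as approximated
! sessions keyed on addresses and ports, and disappear after udp idle-time.
show ip inspect sessions
show ip inspect sessions detail

! Effective inspection rules, timeouts and the three half-open thresholds
show ip inspect config

! Which interfaces carry an inspection rule and in which direction
show ip inspect interfaces

! All of the above in one listing
show ip inspect all

! The temporary ACL entries live only in memory. The saved configuration
! contains the static ACL lines exactly as typed and none of the dynamic
! openings, even after the configuration has been written to NVRAM.
show startup-config | include access-list

! Real-time trace of TCP and UDP session creation, reset and teardown.
! Debugging costs CPU on a busy firewall; turn it off again promptly.
debug ip inspect tcp
debug ip inspect udp
undebug all
```

Comparing show ip inspect sessions with the static ACL in the saved
configuration makes the NVRAM point concrete: the openings that let return
traffic through are visible in the session table while the session lives, and
nowhere in the stored configuration.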