CCNA Security – Chapter 4 (Context-Based Access Control – CBAC)

Context-based access control (CBAC) is a solution available within the Cisco IOS Firewall. CBAC intelligently filters TCP and UDP packets based on Application Layer protocol session information. It provides stateful Application Layer filtering, including protocols that are specific to unique applications, as well as multimedia applications and protocols that require multiple channels for communication, such as FTP and H.323.
!
!
CBAC can also examine supported connections for embedded NAT and PAT information and perform the necessary address translations. CBAC can block peer-to-peer (P2P) connections, such as those used by the Gnutella and KaZaA applications. Instant messaging traffic, such as Yahoo!, AOL, and MSN, can be blocked.
!
!
Monitors TCP connection setup
Tracks TCP sequence numbers
Monitors UDP session information
Inspects DNS queries and replies
Inspects common ICMP message types
Supports applications that rely on multiple connections
Inspects embedded addresses
Inspects Application Layer information
!
!
It is important to note that CBAC only provides filtering for those protocols that are specified by an administrator. If a protocol is not specified, the existing ACLs determine how that protocol is filtered, and no temporary opening is created.
!
TCP connections that are not set up within 30 seconds after receipt of the first SYN segment cause the IOS to remove the entry from the state table and the ACL.
Once the FIN flag is set, indicating a connection is ending, the IOS removes the entry from the state table and ACL.
If a TCP session is idle longer than 1 hour, the IOS removes the entry.
If sequence numbers do not fall within an expected range, the packets are dropped.
!
DNS queries and replies are also inspected. When an internal device generates a DNS query, CBAC expects the remote DNS server to respond with a DNS reply within 5 seconds, otherwise the dynamic ACL entry is removed to prevent spoofing.
CBAC expects replies to the supported ICMP message types within 10 seconds, otherwise the ICMP connection is removed from the state table and the dynamic ACL entry is removed.
!
If NAT/PAT is enabled, CBAC changes the IP addresses or port numbers based on the information in the address translation table.
!
If stateful support is provided for other protocols, the support is usually similar to the support for UDP. When a protocol flow is initially permitted, all packets matching the flow are permitted until an idle timer expires.
The interface in which sessions can be initiated must be selected as the internal interface.
!
Normally, it is only necessary to define one inspection rule. The only exception occurs if it is necessary to enable the firewall engine in two directions at a single firewall interface.
!
Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks:
!
Total number of half-opened TCP sessions
Number of half-opened sessions in a time interval
Number of half-opened TCP sessions per host
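The timers above (30 s for a half-open TCP session, 1 hour idle for an established one, 5 s for a DNS reply, 10 s for an ICMP reply), the rule that only inspected protocols get a temporary opening, and the three half-open TCP thresholds can be seen working together in the following toy state table. It is an added example written for these notes, not Cisco IOS code; the timer values are the ones quoted above, while the threshold values, the addresses and the scripted timeline are constructed for the demo (real IOS thresholds are configured separately and default to different numbers).

```python
from collections import Counter
from dataclasses import dataclass

# Timer values quoted in the notes above.
SYN_TIMEOUT = 30                        # half-open TCP: no handshake within 30 s of the SYN
TCP_IDLE_TIMEOUT = 3600                 # established TCP session idle for 1 hour
REPLY_TIMEOUT = {"dns": 5, "icmp": 10}  # DNS reply within 5 s, ICMP reply within 10 s
# Deliberately small, constructed thresholds for the demo; they are not IOS defaults.
MAX_HALF_OPEN_TOTAL, MAX_HALF_OPEN_PER_MINUTE, MAX_HALF_OPEN_PER_HOST = 3, 2, 2


@dataclass
class Entry:
    proto: str
    inside: str
    outside: str
    created: float
    last_seen: float
    established: bool = False


class CbacTable:
    """Toy state table; each live entry stands for one dynamic ACL opening."""

    def __init__(self, inspected):
        self.inspected = set(inspected)  # protocols named in the inspection rule
        self.entries = {}
        self.syn_times = []              # start time of every inspected TCP flow

    def outbound(self, proto, inside, outside, now):
        """Inside host starts a flow; only inspected protocols get an opening."""
        if proto not in self.inspected:
            return False                 # static ACLs decide, no temporary opening
        self.entries[(proto, inside, outside)] = Entry(proto, inside, outside, now, now)
        if proto == "tcp":
            self.syn_times.append(now)
        return True

    def inbound(self, proto, outside, inside, now, flags=()):
        """Return traffic from outside is permitted only if it matches a live entry."""
        self.expire(now)
        key = (proto, inside, outside)
        entry = self.entries.get(key)
        if entry is None:
            return False
        entry.last_seen = now
        if proto != "tcp" or "FIN" in flags:  # expected reply seen, or connection ending
            del self.entries[key]
        elif "SYN" in flags and "ACK" in flags:
            entry.established = True
        return True

    def expire(self, now):
        """Apply the timers from the notes; returns the keys that were removed."""
        removed = []
        for key, e in self.entries.items():
            age, idle = now - e.created, now - e.last_seen
            if e.proto == "tcp":
                dead = idle > TCP_IDLE_TIMEOUT if e.established else age > SYN_TIMEOUT
            else:
                dead = age > REPLY_TIMEOUT[e.proto]
            if dead:
                removed.append(key)
        for key in removed:
            del self.entries[key]
        return removed

    def thresholds_exceeded(self, now):
        """Which of the three half-open TCP thresholds are currently exceeded."""
        self.expire(now)
        half_open = [e for e in self.entries.values() if e.proto == "tcp" and not e.established]
        per_host = Counter(e.outside for e in half_open)  # counted per destination host
        recent = [t for t in self.syn_times if now - t <= 60]
        exceeded = []
        if len(half_open) > MAX_HALF_OPEN_TOTAL:
            exceeded.append("total")
        if len(recent) > MAX_HALF_OPEN_PER_MINUTE:
            exceeded.append("per-minute")
        if any(n > MAX_HALF_OPEN_PER_HOST for n in per_host.values()):
            exceeded.append("per-host")
        return exceeded


def demo():
    """Scripted timeline with constructed addresses; returns each decision for checking."""
    t = CbacTable(inspected={"tcp", "dns", "icmp"})
    r = {}
    t.outbound("tcp", "10.224.10.5", "198.51.100.7", 0)
    r["synack_permitted"] = t.inbound("tcp", "198.51.100.7", "10.224.10.5", 1, ("SYN", "ACK"))
    t.inbound("tcp", "198.51.100.7", "10.224.10.5", 2, ("FIN", "ACK"))
    r["after_fin_permitted"] = t.inbound("tcp", "198.51.100.7", "10.224.10.5", 3, ("ACK",))
    r["udp_opening"] = t.outbound("udp", "10.224.10.5", "198.51.100.7", 4)
    t.outbound("tcp", "10.224.10.6", "198.51.100.8", 10)
    r["synack_after_timeout"] = t.inbound("tcp", "198.51.100.8", "10.224.10.6", 41, ("SYN", "ACK"))
    t.outbound("dns", "10.224.10.5", "203.0.113.53", 50)
    r["dns_reply_in_time"] = t.inbound("dns", "203.0.113.53", "10.224.10.5", 53)
    t.outbound("icmp", "10.224.10.5", "198.51.100.1", 70)
    r["icmp_reply_late"] = t.inbound("icmp", "198.51.100.1", "10.224.10.5", 81)
    r["thresholds_before"] = t.thresholds_exceeded(95)
    for i in range(11, 15):              # four SYNs to one host with no replies
        t.outbound("tcp", f"10.224.10.{i}", "198.51.100.9", 100)
    r["thresholds_after"] = t.thresholds_exceeded(100)
    return r
```

The point to take from the timeline: the UDP flow never gets an entry because UDP is not in the inspection rule, so whatever the static ACLs say is what happens to it; the SYN/ACK arriving 31 seconds after the SYN is dropped because the half-open entry has already been torn down; and once four SYNs to one destination sit unanswered, all three DoS thresholds trip at once in this configuration.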
!
!
Step 1. Pick an interface – internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.
Step 4. Apply an inspection rule to an interface.
!
!
ip inspect name FWRULE smtp alert on audit-trail on timeout 300
ip inspect name FWRULE ftp alert on audit-trail on timeout 300
ip inspect alert-off
no ip inspect alert-off
no ip inspect audit-trail
ip inspect audit-trail
Alerts display messages concerning CBAC operation, such as insufficient router resources, DoS attacks, and other threats.
Alerts are enabled by default and automatically display on the console line of the router.
!
Auditing keeps track of the connections that CBAC inspects, including valid and invalid access attempts.
Auditing is disabled by default, but can be enabled.
!
!
! Java applets are permitted only from the sites matched by standard ACL 10
ip inspect name PERMIT_JAVA http java-list 10
access-list 10 permit 10.224.10.0 0.0.0.255
!
!
ip inspect name FWRULE telnet
access-list 101 permit tcp any any eq 23
interface fa0/0
description INSIDE
ip access-group 101 in
ip inspect FWRULE in
exit
!
access-list 102 deny ip any any
interface s0/0
description OUTSIDE
ip access-group 102 in
exit
!
no ip inspect
!
!
show ip inspect name
show ip inspect sessions
show ip inspect sessions detail
show ip inspect config
show ip inspect interfaces
!
!
debug ip inspect protocol
debug ip inspect timers
!
Beginning with Cisco IOS Release 12.4(20)T, the debug policy-firewall command replaces the debug ip inspect command.
!
!