Configuring CBAC
For CBAC to function properly, it is essential that the access list be configured appropriately on the interfaces. An extended access list must be used for the creation of temporary openings.
The five steps involved in configuring CBAC are as follows:
Choose an interface. CBAC can designate any interface as internal or external. Unlike a firewall, CBAC has no fixed notion of inside or outside; instead, it is concerned with the direction of the first packet that initiates a conversation. Sessions originating from the external side are not permitted. For example, when user X at ABC Company connects to the Internet, the conversation flows from ABC Company to the Internet: the router interface that connects to user X is considered internal, and the interface connected to the Internet is considered external.
Configure IP access lists at the interface. CBAC permits less traffic than static access lists would need to permit in order to provide similar functionality. The inbound access list at the internal interface, or the outbound access list at the external interface, can be standard or extended; these access lists permit the traffic that CBAC is to inspect. The outbound access list at the internal interface and the inbound access list at the external interface, on the other hand, should always be extended.
On the external interface, the outbound access list can be standard or extended, but the inbound access list must be an extended list. The inbound access list denies the traffic that CBAC inspects; that denied return traffic is then permitted in through the temporary openings that CBAC creates.
Configure global timeouts and thresholds. Global timeouts set how long an opening in the firewall is maintained to allow return traffic in. Thresholds are configured to shield the network from denial-of-service (DoS) attacks. Sessions that are not established within the configured parameters are dropped.
For example, the ip inspect tcp synwait-time 30 command drops any TCP session that is not established within 30 seconds. Similar timeouts can be set for the FIN exchange, TCP and UDP idle time, and DNS lookups.
Define an inspection rule. An inspection rule defines which application-layer protocols CBAC inspects. Once an inspection rule is configured for an application-layer protocol, all packets of that protocol are permitted out and the corresponding return packets are allowed back in. Each packet of that protocol is inspected to maintain session state, and that state is used to determine whether a packet is part of a valid session.
ip inspect name inspection-name protocol [timeout seconds] is the global command used to configure an inspection rule. Protocol keywords can be tcp, udp, ftp-cmd, or http; timeout is the period of protocol inactivity after which the connection is dropped.
Apply the inspection rule to the interface. The ip inspect inspection-name {in | out} command applies the inspection rule to an interface. The keyword in inspects inbound traffic and is used when CBAC is applied on the internal interface; the keyword out inspects outbound traffic and is used when CBAC is applied on the external interface.
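The five steps above carried through as one router configuration, added here as an illustration rather than taken from the article. The interface names, the addresses (10.1.1.0/24 inside, 192.0.2.0/30 outside), the access-list numbers 10 and 101, and the inspection-rule name OUTBOUND are all assumed values.

```cisco
! Step 1: Ethernet0 faces the company LAN (internal); Serial0 faces the
! Internet (external). Sessions must start from the Ethernet0 side.
!
! Step 2: access lists.
! Inbound on the internal interface a standard list is enough; it permits
! the traffic that CBAC will inspect.
access-list 10 permit 10.1.1.0 0.0.0.255
! Inbound on the external interface the list must be extended. It denies
! the traffic CBAC inspects; return traffic gets in only through the
! temporary openings CBAC creates. ICMP error replies are allowed
! explicitly because CBAC does not track them here.
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 unreachable
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
access-list 101 deny ip any any
!
! Step 3: global timeouts and DoS thresholds.
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Step 4: inspection rule. Generic TCP and UDP inspection plus HTTP.
ip inspect name OUTBOUND tcp timeout 3600
ip inspect name OUTBOUND udp timeout 15
ip inspect name OUTBOUND http
!
! Step 5: apply the rule inbound on the internal interface, where the
! first packet of every permitted conversation arrives.
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 10 in
 ip inspect OUTBOUND in
!
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 ip access-group 101 in
```

After applying it, show ip inspect sessions lists the openings CBAC has created, which is the quickest way to confirm that return traffic is being admitted by inspection rather than by the static list 101.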
Also referred to as a "poor man's firewall," the Cisco IOS Firewall Feature Set offers most of the functionality of a dedicated firewall for securing a company's perimeter. An intelligent CBAC implementation can bring security to the network and peace of mind to its administrators. For more information on the Cisco IOS Firewall Feature Set, refer to http://www.cisco.com/univercd/cc/td/doc/pcat/iofwfts1.htm.