CBAC Overview
The Cisco IOS Firewall Feature Set is a module that can be added to the existing IOS to provide firewall functionality without the need for hardware upgrades. The Cisco IOS Firewall Feature Set has two components: Intrusion Detection (which is an optional bolt-on) and Context-Based Access Control (CBAC). CBAC maintains a state table for all of the outbound connections on a Cisco router by inspecting TCP and UDP connections at layer seven of the OSI model and populating the table accordingly. When return traffic is received on the external interface it is compared against the state table to see whether the connection was originally established from within the internal network, and is then either permitted or denied. Although basic, this is a very effective mechanism to prevent unauthorized access to the internal network from external sources such as the Internet.
CBAC Application-specific support
Cisco has also built some additional functionality into CBAC in the form of application-specific inspection, which enables the router to recognize and identify application-specific data flows such as HTTP, SMTP, TFTP, and FTP. Understanding these applications and their data flows allows the router to identify malformed packets or suspect application data flows and permit or deny them accordingly. CBAC also provides the flexibility of allowing Java code to be downloaded from trusted sites while denying it from untrusted sites.
CBAC and Denial of Service (DOS) Attacks
Denial-of-Service (DoS) attack protection is also built in, with real-time logging of alerts as well as proactive responses to mitigate the threat. To do this CBAC can be configured to manage half-open TCP connections, which are used in TCP SYN flood attacks to overload a target's resources, resulting in a denial of service to legitimate users. CBAC uses configurable timeouts and thresholds to determine how long state information for each session should be kept and when to drop it. Note that UDP and ICMP require an idle-timer limit to determine when a connection should be terminated. A very useful command for identifying a DoS attack is ip inspect audit-trail, which logs all connections including source and destination IP address and TCP or UDP ports, allowing you to pinpoint the exact source and destination of the attack.
Configuring CBAC
There are five steps to configuring CBAC on a Cisco router in order for it to function correctly. These are as follows:
1. Choose an interface to which inspection will be applied. This can be an internal or external interface, as CBAC is only concerned with the direction of the first packet initiating the connection, which is identified when applying CBAC to an interface.
2. Configure an IP access list in the correct direction on the selected interface to allow traffic through for CBAC to inspect.
3. Configure global timeouts and thresholds for established connections or sessions.
4. Define an inspection rule specifying exactly which protocols will be inspected by CBAC.
5. Apply the inspection rule to the interface in the correct direction.
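The following configuration walks through the five steps above and also sets the DoS timeouts and thresholds described earlier. It is an added example, not taken from the original article or from Cisco documentation; the interface names, access-list numbers, addresses and threshold values are assumed placeholders for a router whose FastEthernet0/0 faces the internal LAN and whose Serial0/0 faces the Internet.

```cisco
! Added example (not part of the original article). Assumed topology:
! FastEthernet0/0 = internal LAN, Serial0/0 = external Internet link.
! All names, numbers and addresses below are illustrative placeholders.
!
! Steps 1 and 2: the external interface is chosen, and an extended ACL is
! applied inbound on it. The ACL permits nothing from outside except ICMP
! error messages; return traffic is admitted only when CBAC finds a
! matching entry in its state table.
ip access-list extended OUTSIDE-IN
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
! Step 3: global timeouts and thresholds. The max-incomplete and
! one-minute values control how many half-open (SYN) sessions are
! tolerated before CBAC starts deleting them; the per-host limit blocks a
! single destination that is being flooded. Values are illustrative.
ip inspect audit-trail
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 2
!
! Java filtering: standard ACL 51 lists the trusted sites whose applets
! may be downloaded; applets from any other site are dropped.
access-list 51 permit 192.0.2.0 0.0.0.255
access-list 51 deny any
!
! Step 4: the inspection rule names the protocols CBAC will inspect.
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT ftp
ip inspect name CBAC-OUT smtp
ip inspect name CBAC-OUT tftp
ip inspect name CBAC-OUT http java-list 51
!
! Step 5: apply the rule outbound on the external interface, so the
! first packet of each internally initiated session is what gets tracked.
interface Serial0/0
 ip access-group OUTSIDE-IN in
 ip inspect CBAC-OUT out
```

After applying it, show ip inspect sessions lists the state-table entries and show ip inspect config confirms the thresholds that are in force.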
Nicholas Evra is a Senior IT Consultant for a Professional Services IT Organisation based in London, UK. As well as designing and developing network and security solutions for clients, Nicholas also regularly contributes technical tips and articles on Networkblue.net. Networkblue.net is a technical resource for novices and experts alike, providing free articles and tips on numerous Cisco topics such as Cisco's CBAC and other network security topics. For more visit http://www.networkblue.net and http://www.networkblue.net/cisco/security