Like reflexive access lists, CBAC
creates temporary openings at firewall interfaces. These openings
are created when specified traffic exits your internal network
through the firewall. The openings allow returning traffic (that
would normally be blocked) and additional data channels (TCP
ports and UDP ports) to enter your internal network back through the
firewall. The traffic is allowed back through the firewall only if
it is part of the same session as the original traffic that
triggered CBAC when exiting through the firewall.
In the figure, the inbound access
lists at S0 and S1 are configured to block Telnet traffic, and there
is no outbound access list configured at E0. When the connection
request for User 1's Telnet session passes through the firewall,
CBAC creates a temporary opening in the inbound access list at S0 to
permit returning Telnet traffic for User 1's Telnet session. (If the
same access list is applied to both S0 and S1, the same opening
would appear at both interfaces.) If necessary, CBAC would also have
created a similar opening in an outbound access list at E0 to permit
return traffic.
With CBAC, you specify which
protocols you want to be inspected. You also specify an interface
and direction (in or out) where inspection originates.
For these protocols, packets flowing
through the firewall in any direction are inspected, as long as they
flow through the interface where inspection is configured. Only the
protocols that you explicitly specify will be inspected by CBAC.
Packets entering the firewall are
inspected by CBAC only if they first pass the inbound access list at
the interface. If a packet is denied by the access list, the packet
is simply dropped and is not inspected by CBAC.
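The scenario in the figure expressed as IOS configuration. This is an added example and is not taken from the original page; the interface names follow the figure (E0 internal, S0 and S1 external), while the inspection rule name FW, access list 101 and the 10.0.0.0/24 internal address range are assumptions chosen for illustration.

```cisco
! Inspection rule: only the protocols listed here are inspected.
! Telnet is covered by the generic "tcp" entry. "ftp" is listed
! separately so that the data channel negotiated on the control
! channel is permitted as part of the same session.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
!
! Inbound ACL for both external interfaces: blocks Telnet and
! everything else not explicitly allowed. CBAC adds temporary permit
! entries ahead of these statements for sessions it has seen leave
! the internal network. A packet denied here is dropped before CBAC
! ever looks at it.
access-list 101 deny   tcp any any eq 23
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip any any log
!
interface Ethernet0
 description Internal network (E0); no outbound ACL, as in the figure
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0
 description External link (S0)
 ip access-group 101 in
 ip inspect FW out
!
interface Serial1
 description External link (S1)
 ip access-group 101 in
 ip inspect FW out
```

With User 1's Telnet session open, `show ip inspect sessions` lists the tracked session and `show ip inspect interfaces` confirms that FW is applied outbound on S0 and S1 with access list 101 inbound. Because the same access list is applied at both serial interfaces, the temporary opening appears at both, exactly as the text describes.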
Only the control channels of
connections are inspected and monitored by CBAC; the data channels
are not inspected. For example, during FTP sessions, both the
control (typically port 21) and data channels (typically port 20)
are monitored for state changes, but only the control channel is
inspected.
CBAC inspection recognizes
application-specific commands in the control channel, and it also
detects and prevents certain attacks such as SYN flooding. A
SYN-flood attack occurs when a network attacker floods a server with
a barrage of connection requests (TCP SYN segments) and never
completes the three-way handshake. The resulting volume of half-open
connections can overwhelm the server, causing it to deny service to
valid requests. Note that SYN flooding is a transport-layer (TCP)
attack rather than an application-level one; CBAC catches it by
tracking connection state, not by parsing application commands.
Attacks that make a network device or service unavailable to
legitimate users are called denial-of-service (DoS) attacks.
CBAC inspection helps to protect
against DoS attacks in other ways. CBAC checks that the sequence
numbers of packets in a TCP connection fall within the expected
window, and drops packets that do not. You can also configure CBAC
to drop half-open connections, each of which consumes firewall
processing and memory resources for as long as it is maintained;
configurable thresholds control when CBAC starts and stops deleting
them. Additionally, CBAC can detect unusually high rates of new
connections and issue alert messages.
With UDP, a connectionless service,
there are no actual sessions. CBAC approximates sessions by
examining the information in the packet and determining whether the
packet is similar to other UDP packets, for example whether it
carries the same source and destination addresses and port numbers.
It then determines whether the packet was detected soon after
another similar UDP packet. "Soon" is a configurable UDP idle timeout
period; once that timeout expires without a similar packet, the
temporary opening is removed and the session has to be re-created by
new outbound traffic.
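The DoS and UDP-session parameters described above, set as IOS global configuration. This is an added example, not from the original page; the command names are the classic CBAC global commands, but the numeric values are assumptions chosen for illustration and should be tuned to the traffic the firewall actually sees.

```cisco
! Half-open TCP connection thresholds (global). When the number of
! half-open sessions exceeds "high", CBAC starts deleting half-open
! sessions and keeps doing so until the count drops below "low".
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
!
! Rate of new half-open sessions per minute, with the same high/low
! hysteresis. Crossing "high" is the "unusually high rate of new
! connections" condition that triggers an alert message.
ip inspect one-minute high 400
ip inspect one-minute low 300
!
! Per-destination-host limit: if any single host accumulates more than
! 40 half-open TCP sessions, new SYNs to that host are blocked for
! 2 minutes (a block-time of 0 would only delete the oldest session).
ip inspect tcp max-incomplete host 40 block-time 2
!
! How long a TCP session may remain half-open (SYN seen, handshake
! not completed) before CBAC tears it down.
ip inspect tcp synwait-time 20
!
! UDP "session" approximation: a packet with matching addresses and
! ports is treated as part of an existing session only if a similar
! packet was seen within this idle timeout (seconds).
ip inspect udp idle-time 20
!
! Send audit-trail messages for session creation and deletion to
! syslog so threshold events and drops are visible to operations.
ip inspect audit-trail
```

`show ip inspect config` displays the thresholds and timeouts in effect, and `show ip inspect sessions` lists the tracked sessions, including those still half-open. A `timeout` value given on an individual `ip inspect name` entry overrides the global idle timeout for that protocol only.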
Warning: CBAC protects against
certain types of attacks, but not every type of attack. CBAC should
not be considered a perfect, impenetrable defense; determined,
skilled attackers might still be able to launch effective attacks.
Although there is no such thing as a perfect defense, CBAC detects
and prevents most of the popular attacks on your network.