10.5 Context-Based Access Control
10.5.2 CBAC operation
Like reflexive access lists, CBAC creates temporary openings at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels (TCP ports and UDP ports) to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.

In the figure, the inbound access lists at S0 and S1 are configured to block Telnet traffic, and there is no outbound access list configured at E0. When the connection request for User 1's Telnet session passes through the firewall, CBAC creates a temporary opening in the inbound access list at S0 to permit returning Telnet traffic for User 1's Telnet session. (If the same access list is applied to both S0 and S1, the same opening would appear at both interfaces.) If necessary, CBAC would also have created a similar opening in an outbound access list at E0 to permit return traffic.

With CBAC, you specify which protocols you want to be inspected. You also specify an interface and direction (in or out) where inspection originates.

For these protocols, CBAC inspects packets that pass through the configured interface in the configured direction, and the sessions it records there are what admit the matching return traffic in the opposite direction. Only the protocols that you explicitly specify are inspected by CBAC; all other traffic is governed by the access lists alone.

Packets entering the firewall are inspected by CBAC only if they first pass the inbound access list at the interface. If a packet is denied by the access list, the packet is simply dropped and is not inspected by CBAC.

Only the control channels of connections are inspected and monitored by CBAC; the data channels are not inspected. For example, during FTP sessions, both the control (typically port 21) and data channels (typically port 20) are monitored for state changes, but only the control channel is inspected.
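The following configuration is an added example, not part of the original documentation, that implements the two-interface scenario described above (Ethernet0 inside, Serial0 outside) with Telnet, generic TCP/UDP and FTP inspection. The inspection name CBAC_OUT, the access-list name OUTSIDE_IN and the addresses 192.0.2.0/24 and 10.1.1.0/24 are assumptions chosen for illustration.

```cisco
! Added example (not from the page). Names and addresses are assumed.
!
! 1. Choose the protocols to inspect. Only these get temporary openings.
!    ftp is listed so that the data channel (typically port 20) is tracked
!    from the PORT/PASV commands seen on the control channel (port 21);
!    a plain tcp entry would not follow the data channel.
ip inspect name CBAC_OUT tcp
ip inspect name CBAC_OUT udp
ip inspect name CBAC_OUT ftp
!
! 2. Inbound access list on the outside interface. It blocks Telnet (and all
!    other unsolicited traffic) arriving from the outside. CBAC evaluates its
!    per-session openings ahead of these entries, so return traffic for a
!    session that left through Serial0 is admitted even though the list
!    denies it. ICMP is not in the inspection list above, so any ICMP you
!    want to see back must be permitted here statically.
ip access-list extended OUTSIDE_IN
 deny   tcp any any eq telnet
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! 3. Inspection originates on the outside interface in the outbound
!    direction: sessions leaving the network here create the openings in
!    OUTSIDE_IN, which is applied inbound on the same interface.
interface Serial0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip inspect CBAC_OUT out
!
! 4. No outbound access list on Ethernet0, as in the figure, so there is
!    nothing for CBAC to open there. An outbound packet from 10.1.1.0/24 is
!    inspected only if it first passes any inbound list on Ethernet0.
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
! 5. Verify. While a Telnet session from an inside host is open, the session
!    table lists it; the opening is removed when the session closes or idles out.
!    show ip inspect sessions
!    show ip inspect interfaces
!    show ip inspect config
```

Note that the inspection rule is applied in the direction traffic leaves the network, while the access list it opens holes in is applied in the opposite direction on the same interface; applying both in the same direction is a common misconfiguration that leaves return traffic blocked.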

CBAC inspection recognizes application-specific commands in the control channel, and it also detects and mitigates certain attacks such as SYN flooding. (SYN flooding is a transport-level attack rather than an application-level one: an attacker sends a barrage of TCP connection requests to a server and never completes the three-way handshake. The resulting volume of half-open connections can exhaust the server's connection resources, causing it to deny service to valid requests.) Attacks that deny legitimate users access to a device or service are called denial-of-service (DoS) attacks.

CBAC inspection helps to protect against DoS attacks in other ways. CBAC checks that the sequence numbers in TCP connections fall within the expected window for the connection and drops packets that do not. You can also configure CBAC to drop half-open connections, which consume firewall processing and memory resources for as long as they are maintained, once their number crosses a configurable threshold. Additionally, CBAC can detect unusually high rates of new connection attempts and issue alert messages.

With UDP, a connectionless service, there are no actual sessions. CBAC approximates sessions by examining the information in each packet and determining whether it is similar to other recent UDP packets, for example one with the same source and destination addresses and port numbers. A packet is treated as part of the same session only if it arrives soon after a similar packet; "soon" is a configurable UDP idle timeout period.
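The following is an added example, not taken from the page, showing the global commands that set the half-open connection thresholds, the connection-rate alert thresholds and the UDP idle timeout discussed in the two paragraphs above. The threshold values are illustrative choices; the defaults noted in the comments are the IOS defaults for these commands, and the inspection rule name CBAC_OUT is assumed.

```cisco
! Added example (not from the page). Values are illustrative; CBAC_OUT is an
! assumed inspection rule name.
!
! Total half-open sessions CBAC is tracking. Above the high-water mark CBAC
! starts deleting half-open sessions (oldest first) and continues until the
! count falls below the low-water mark. Defaults: high 500, low 400.
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
!
! Rate of new connection attempts per minute. Crossing the high mark
! triggers the same half-open deletion and an alert message; deletion stops
! once the rate drops below the low mark. Defaults: high 500, low 400.
ip inspect one-minute high 800
ip inspect one-minute low 600
!
! Per-destination limit on half-open TCP sessions. With block-time 0 (the
! default) only the oldest half-open session to that host is deleted for each
! new request; with block-time N, all half-open sessions to the host are
! deleted and new requests to it are blocked for N minutes.
! Default: 50 block-time 0.
ip inspect tcp max-incomplete host 100 block-time 2
!
! How long a TCP session may remain half-open before CBAC drops it.
! Default: 30 seconds.
ip inspect tcp synwait-time 20
!
! UDP "sessions": a packet matching a tracked address/port pair keeps the
! opening alive; after this many seconds of silence it is removed.
! Default: 30 seconds.
ip inspect udp idle-time 20
!
! The idle timeout can also be set per protocol inside an inspection rule;
! this entry overrides the global UDP idle time for rule CBAC_OUT only.
ip inspect name CBAC_OUT udp timeout 15
!
! Alerts are on by default (this line re-enables them if they were turned
! off); audit-trail additionally logs every session start and end.
no ip inspect alert-off
ip inspect audit-trail
!
! Verify the configured thresholds and watch the half-open counters:
!    show ip inspect config
!    show ip inspect statistics
```

Raise the high-water marks before lowering synwait-time: a short synwait-time on a busy link drops legitimate slow handshakes, whereas thresholds only take effect once the firewall is actually under pressure. Keep the low-water mark comfortably below the high mark so that CBAC does not oscillate in and out of deletion mode.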

Warning: CBAC protects against certain types of attacks, but not every type of attack. CBAC should not be considered a perfect, impenetrable defense. Determined, skilled attackers might be able to launch effective attacks. Although there is no such thing as a perfect defense, CBAC detects and prevents most of the popular attacks on your network.