10.5 Context-Based Access Control
10.5.5 Defining CBAC inspection rules
CBAC inspection rules specify which application layer protocols of the IP traffic will be inspected by CBAC at an interface. Normally, you define only one inspection rule. The only exception might occur if you want to enable CBAC in two directions, as described earlier in this chapter. For CBAC configured in both directions at a single firewall interface, you should configure two rules, one for each direction.

An inspection rule should specify each desired application layer protocol as well as generic TCP or generic UDP, if desired. The inspection rule consists of a series of statements, each listing a protocol and specifying the same inspection rule name. Inspection rules include options for controlling alert and audit trail messages and for checking IP packet fragmentation. The following sections describe how to define an inspection rule.

Configuring Application Layer Protocol Inspection
To configure CBAC inspection for an application layer protocol (except for RPC and Java), use the following command syntax (Figure ):

Router(config)#ip inspect name inspection-name protocol [timeout seconds]

The protocol option can be any one of several possible arguments, listed in Figure . Repeat this command for each desired protocol. Use the same inspection-name to create a single inspection rule, as shown:

RTA(config)#ip inspect name FIREWALL http
RTA(config)#ip inspect name FIREWALL ftp
RTA(config)#ip inspect name FIREWALL udp
RTA(config)#interface s0
RTA(config-if)#ip inspect FIREWALL out

These commands create a CBAC inspect list named FIREWALL that is applied to outbound traffic exiting interface S0. RTA will inspect outbound traffic and create dynamic access list entries to allow inbound traffic through the firewall, if it is part of the session started by an internal host.

How is this CBAC configuration different from a reflexive access list? In the above, CBAC is configured to inspect FTP, which was challenging in a reflexive access list. Also, UDP conversations that use multiple ports are fully supported by CBAC, while reflexive access lists cannot handle an IP conversation when the outside host changes ports.

The syntax for configuring a CBAC inspection for Java is as follows:

Router(config)#ip inspect name inspection-name http [java-list access-list] [timeout seconds]

Java applets can represent a security risk because unaware users can download them into your network and then run malicious code behind your firewall. You can configure CBAC to filter Java applets at the firewall, which enables users to download only applets residing within the firewall and trusted applets from outside the firewall.

Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet is blocked. (Alternately, you could permit applets from all external sites except for those that you specifically designate as hostile.)

To block Java applets from sites known to be a risk, but to permit all others, you can use a configuration similar to this:

RTA(config)#access-list 24 deny 200.100.50.0 0.0.0.255
RTA(config)#access-list 24 deny 169.199.0.0 0.0.255.255
RTA(config)#access-list 24 permit any
RTA(config)#ip inspect name FIREWALL http java-list 24
RTA(config)#ip inspect name FIREWALL tcp
RTA(config)#interface s0
RTA(config-if)#ip inspect FIREWALL out

If RTA is configured accordingly, it will inspect traffic for Java and match it according to access list 24. Holes will not be opened in the firewall for Java traffic originating from the explicitly defined networks. Of course, the permit any statement makes this configuration extremely vulnerable to the thousands of other sites that may infect your network with malicious Java code. If you want to sacrifice functionality and end-user freedom, you can use an access list to explicitly permit Java code from friendly networks, and deny code from all others. The result will be a secure but highly restrictive configuration.

Note: CBAC does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded from FTP, gopher, HTTP on a nonstandard port, and certain other applications.
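To make the two java-list styles above concrete, here is an added example (not from the curriculum or from Cisco) that evaluates a standard IOS access list, with its wildcard masks and first-match plus implicit-deny semantics, against the address an applet is served from. Access list 24 is the deny-listed configuration shown above; the allow-list access list 25 with its 10.1.1.0/24 and 192.0.2.0/24 "friendly" networks is an assumed, constructed example of the restrictive alternative the text describes.

```python
import ipaddress

# Access list 24 exactly as configured on RTA above: block two risky networks, permit everyone else.
# Each entry is (action, network, wildcard_mask); "any" matches every address.
BLOCKLIST_ACL_24 = [
    ("deny", "200.100.50.0", "0.0.0.255"),
    ("deny", "169.199.0.0", "0.0.255.255"),
    ("permit", "any", None),
]

# Constructed allow-list variant (hypothetical, not on the page): permit only friendly networks.
# Nothing else matches, so the implicit deny at the end of every IOS ACL blocks all other sites.
ALLOWLIST_ACL_25 = [
    ("permit", "10.1.1.0", "0.0.0.255"),
    ("permit", "192.0.2.0", "0.0.0.255"),
]


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src_addr):
    """Evaluate entries top to bottom; first match wins; no match means implicit deny."""
    for action, network, wildcard in acl:
        if network == "any" or wildcard_match(src_addr, network, wildcard):
            return action
    return "deny"


def applet_allowed(acl, server_addr):
    """Assumption: the java-list is checked against the HTTP server that serves the applet."""
    return acl_action(acl, server_addr) == "permit"
```

With the deny-list, an applet from 198.51.100.5 is admitted because it falls through to `permit any`; with the allow-list, the same applet is blocked by the implicit deny, which is the "secure but highly restrictive" behaviour the text describes.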

Configuring Generic TCP and UDP Inspection
You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands and therefore might not permit all return packets for an application. This is particularly true if the return packets have a different port number than the previous exiting packet.

Any application layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table. In addition, if the control channel information is valid for the state of the FTP session, all FTP traffic will be permitted back through the firewall. The fact that TCP inspection is configured is irrelevant to the FTP state information.

With TCP and UDP inspection, packets entering the network must exactly match the corresponding packet that previously exited the network. The entering packets must have the same source/destination addresses and source/destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface.

With UDP inspection configured, replies will be permitted back in through the firewall only if they are received within a configurable time after the last request was sent out. (This time is configured with the ip inspect udp idle-time command.) To configure CBAC inspection for TCP or UDP packets, use the following commands:

RTA(config)#ip inspect name FIREWALL tcp
RTA(config)#ip inspect name FIREWALL udp
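The following is an added model, written for this page and not Cisco's code, of the state table behind generic TCP/UDP inspection: an outbound packet creates an entry, a return packet is admitted only when it is the exact mirror image (addresses and ports swapped), UDP entries age out after the idle time set with ip inspect udp idle-time, and application-layer inspection takes precedence over generic inspection. The FTP part illustrates the earlier point about reflexive access lists: an active-mode PORT command on the control channel pre-authorises a data connection whose source port generic inspection could never have predicted. Packets, addresses and the 30-second idle time are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class CbacStateTable:
    """Constructed model of the CBAC session state table (not Cisco's implementation).

    Generic TCP/UDP inspection keys each session on the full outbound 5-tuple and
    admits only the exact mirror image. UDP entries expire after the configured
    idle time. Application-layer (FTP) inspection reads the control channel and
    records the expected data channel, which is consulted before generic state.
    """

    def __init__(self, udp_idle_time=30):
        self.udp_idle_time = udp_idle_time   # seconds, as 'ip inspect udp idle-time'
        self.sessions = {}    # exact 5-tuple -> time of last outbound packet
        self.expected = set() # (proto, src, dst, dport): any source port accepted

    def inspect_outbound(self, pkt, now):
        """Record every packet leaving through the inspected interface."""
        self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now

    def inspect_ftp_control(self, client, server, line):
        """FTP application inspection of one outbound control-channel command.

        'PORT h1,h2,h3,h4,p1,p2' asks the server to connect back to the client on
        port p1*256+p2; record that expected inbound data connection. Returns the
        data port, or None for commands that need no state."""
        if not line.upper().startswith("PORT "):
            return None
        fields = line.split(None, 1)[1].strip().split(",")
        if len(fields) != 6:
            raise ValueError("malformed PORT command")
        host = ".".join(fields[:4])
        port = int(fields[4]) * 256 + int(fields[5])
        if host != client:
            raise ValueError("PORT address does not match the client")
        self.expected.add(("tcp", server, client, port))
        return port

    def permit_inbound(self, pkt, now):
        """Decide whether an inbound packet belongs to a session the firewall has seen."""
        # Application-layer state takes precedence over generic TCP/UDP state.
        if (pkt.proto, pkt.src, pkt.dst, pkt.dport) in self.expected:
            return True
        # Generic inspection: the reply must be the exact mirror of an outbound packet.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.sessions.get(key)
        if last is None:
            return False
        if pkt.proto == "udp" and now - last > self.udp_idle_time:
            del self.sessions[key]   # reply arrived after the idle time; entry has aged out
            return False
        return True
```

A DNS reply from a different server port, or one that arrives after the idle time, is dropped even though the addresses match, while the FTP data connection from the server's port 20 is admitted only because the control channel was inspected.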

Applying the Inspection Rule to an Interface
After you define an inspection rule, you apply that rule to an interface. Normally, you apply only one inspection rule to one interface. The only exception might occur if you want to enable CBAC in two directions. For CBAC configured in both directions at a single firewall interface, you should apply two rules, one for each direction.

To apply an inspection rule to an interface, use the following syntax:

Router(config-if)#ip inspect inspection-name {in | out}

The following example shows the commands needed to configure RTA to use the inspection list, FIREWALL, on traffic traveling out E0 into a protected network.

RTA(config)#interface ethernet 0
RTA(config-if)#ip inspect FIREWALL out