CBAC cannot be used to filter every TCP/IP protocol, but it is an appropriate security solution for networks running TCP or UDP applications or certain multimedia applications, such as Microsoft NetShow or RealAudio. In many cases you will configure CBAC in one direction only, at a single interface, so that traffic is permitted back into the internal network only if it is part of an existing session.

You can also configure CBAC in two directions at one or more interfaces. CBAC is configured in two directions when the networks on both sides of the firewall should be protected, as in extranet or intranet configurations, and to protect against DoS attacks. For example, if the firewall sits between two partner companies' networks, you might want to restrict traffic in one direction for certain applications and restrict traffic in the opposite direction for other applications.

So, what protocols does CBAC support? Like reflexive access lists, CBAC can filter all TCP and UDP sessions without inspecting the application layer protocols. However, CBAC can also be configured to handle the multichannel (multiport) application layer protocols listed in the figure.

CBAC is available only for IP protocol traffic, and only TCP and UDP packets are inspected. Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.
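As an added illustration (not part of the original tutorial and not a Cisco sample configuration), the following IOS configuration puts the one-direction and two-direction cases described above, together with the static ICMP filtering, on a router between an internal LAN and a partner network. The inspection rule names (LAN_OUT, PARTNER_IN), the access-list names, the interface GigabitEthernet0/1 and the addresses (10.0.0.0/24 for the LAN, 192.0.2.0/24 for the partner, 10.0.0.10 for the one internal server the partner may reach) are all assumed values chosen for the example.

```cisco
! Added example with hypothetical names and addresses. One outside
! interface carries both directions:
!   - LAN_OUT inspects sessions the LAN opens toward the partner and
!     inserts temporary return entries into OUTSIDE_IN
!   - PARTNER_IN inspects the few sessions the partner may open and
!     inserts temporary return entries into OUTSIDE_OUT
!
! Inspection rule for LAN-originated traffic: generic TCP and UDP plus
! FTP, one of the multichannel application protocols CBAC understands.
ip inspect name LAN_OUT tcp
ip inspect name LAN_OUT udp
ip inspect name LAN_OUT ftp
!
! Inspection rule for partner-originated traffic: plain TCP only.
ip inspect name PARTNER_IN tcp
!
! Static inbound ACL on the outside interface. CBAC adds its temporary
! entries at the beginning of this list for the return half of
! LAN-originated sessions, so the static part lists only what the
! partner may initiate plus the ICMP replies we want. CBAC does not
! inspect ICMP, so those replies must be permitted statically.
ip access-list extended OUTSIDE_IN
 remark partner may only initiate HTTPS to one internal server
 permit tcp 192.0.2.0 0.0.0.255 host 10.0.0.10 eq 443
 remark replies to LAN-originated pings; CBAC does not track ICMP
 permit icmp 192.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255 echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Static outbound ACL on the outside interface. Only the LAN may
! originate sessions toward the partner. The server is denied
! statically, so its replies to partner-initiated HTTPS pass only
! through the temporary entries PARTNER_IN inserts ahead of these lines.
ip access-list extended OUTSIDE_OUT
 remark the server never originates sessions; its replies rely on CBAC
 deny   ip host 10.0.0.10 any
 permit tcp 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit udp 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit icmp 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255 echo
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Outside: link to partner network (hypothetical)
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip access-group OUTSIDE_OUT out
 ip inspect LAN_OUT out
 ip inspect PARTNER_IN in
```

Once a LAN host opens a TCP or UDP session toward the partner, `show ip inspect sessions` lists it and `show ip access-lists OUTSIDE_IN` shows the temporary entry CBAC inserted ahead of the static lines; the same commands show the partner-initiated HTTPS session and its temporary entry in OUTSIDE_OUT. Dropping `ip inspect PARTNER_IN in`, the HTTPS permit in OUTSIDE_IN and the server deny in OUTSIDE_OUT reduces this to the one-direction case, where only LAN-originated sessions are ever allowed back in.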
To configure CBAC properly, you must be able to decide which interface should receive the appropriate CBAC configuration, as discussed in the next section.