Context-based access control (CBAC) is a comprehensive set of security tools that includes stateful packet filtering. CBAC's method of stateful packet filtering goes beyond just Layer 3 and Layer 4 header examination; CBAC actually examines a packet's data content. In the previous section, you saw that reflexive access lists could not effectively handle sophisticated application protocols that change TCP or UDP port numbers during a session. In contrast, CBAC has been specifically designed to recognize popular application protocols, such as FTP, and to accommodate outside hosts that want to continue conversations on another port.

As traffic leaves the protected network, CBAC tracks the "state" of the TCP or UDP connection, which includes port numbers and IP addresses for both the destination and the source. These connection states are kept in a table. When traffic from an outside network tries to enter the protected network, CBAC checks the traffic against the state table to ensure that each packet is part of an invited session. CBAC also looks beyond port numbers and IP addresses to inspect the type of data being exchanged. CBAC examines the payload of a packet to determine what application layer protocol is used. Because CBAC is aware of how certain applications work, it recognizes and permits invited traffic, even if the outside host has responded using a port number that is not yet in the state table. These supported applications include RealAudio and Microsoft's NetShow. Thus, CBAC supports protocols that involve multiple channels, or ports. Most multimedia streaming protocols, as well as some other protocols (such as FTP, RPC, and SQL*Net), use multiple channels.

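The difference between the two approaches described above can be made concrete with a small model. The following Python program is an added example, not Cisco IOS code and not taken from the original text: it builds a state table the way a reflexive access list would (accepting inbound traffic only when it is the exact mirror image of an outbound flow) and then extends it in the CBAC style by parsing the FTP control channel, so that the server-initiated data connection of active-mode FTP is expected before it arrives. The packet layout, the addresses and the FTP session replayed in demo() are constructed for the illustration; the rule that a PORT command must point back at the client itself is a design choice of this model, not a documented CBAC behaviour.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal packet: 5-tuple plus payload (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    payload: bytes = b""


# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# channel; the server then opens a NEW inbound connection from its port 20
# to h1.h2.h3.h4 on port p1*256+p2.  A pure 5-tuple mirror never sees it coming.
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def forward_tuple(pkt):
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)


def reverse_tuple(pkt):
    return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)


@dataclass
class ReflexiveTable:
    """Reflexive-ACL style: inbound traffic is admitted only if it is the
    exact mirror (addresses and ports swapped) of a flow that went out."""
    allowed: set = field(default_factory=set)

    def outbound(self, pkt):
        self.allowed.add(reverse_tuple(pkt))

    def inbound(self, pkt):
        return forward_tuple(pkt) in self.allowed


class CbacInspector(ReflexiveTable):
    """CBAC style: the same state table, plus inspection of the FTP control
    channel so the server's data connection is pre-authorised."""
    FTP_CONTROL, FTP_DATA = 21, 20

    def outbound(self, pkt):
        super().outbound(pkt)
        if pkt.proto == "tcp" and pkt.dst_port == self.FTP_CONTROL:
            m = PORT_CMD.search(pkt.payload)
            if m:
                h = m.groups()
                announced_ip = ".".join(x.decode() for x in h[:4])
                announced_port = int(h[4]) * 256 + int(h[5])
                # Design choice of this model (assumption, not CBAC doctrine):
                # only honour a PORT command that names the client itself, so the
                # firewall never opens a hole toward a third host on the inside.
                if announced_ip == pkt.src_ip:
                    self.allowed.add((pkt.dst_ip, self.FTP_DATA,
                                      announced_ip, announced_port, "tcp"))


def demo():
    """Replay one constructed active-mode FTP session through both tables."""
    client, server = "10.1.1.5", "203.0.113.7"
    # 1. client opens the control channel and announces data port 4*256+1 = 1025
    ctrl = Packet(client, 40000, server, 21, payload=b"PORT 10,1,1,5,4,1\r\n")
    # 2. the server's reply on the control channel (mirror of the outbound flow)
    ctrl_reply = Packet(server, 21, client, 40000,
                        payload=b"200 PORT command successful\r\n")
    # 3. the server opens the data channel from port 20 to client:1025
    data = Packet(server, 20, client, 1025)

    results = {}
    for name, table in (("reflexive", ReflexiveTable()),
                        ("cbac", CbacInspector())):
        table.outbound(ctrl)
        results[name] = {
            "control_reply": table.inbound(ctrl_reply),
            "data_channel": table.inbound(data),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows both tables admitting the control-channel reply, while only the CBAC-style inspector admits the server-initiated data connection; the reflexive table drops it because no outbound flow matches (server, 20) to (client, 1025). Real CBAC keeps per-session timers and tears entries down on FIN/RST or timeout, which this model omits.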
Note: CBAC is part of the Cisco IOS Firewall feature set and was first available with Release 11.2. A significant number of commands and features were added to CBAC in Release 12.0.5(T). Note that the Firewall feature set is not available for all router platforms.

CBAC is more than just an improved access list command; it is a set of security tools that includes traffic filtering, Java blocking, traffic inspection, alerts and audit trails, and intrusion detection. A comprehensive discussion of how all these features work is beyond the scope of this chapter.

The following sections present an overview of CBAC operation, when and where to configure CBAC, and basic CBAC configuration guidelines. Moreover, these sections will look at CBAC inspection rules, applying rules to an interface, and verifying CBAC operation.