10.5 Context-Based Access Control
10.5.4 Choosing an interface
The first step in configuring traffic filtering is to decide whether to configure CBAC on an internal or external interface of the firewall. In this case, "internal" refers to the side where sessions must originate for their traffic to be permitted through the firewall. "External" refers to the side where sessions cannot originate (sessions originating from the external side will be blocked).

If you will be configuring CBAC in two directions, you should configure CBAC in one direction first, using the appropriate internal and external interface designations. When you configure CBAC in the other direction, the interface designations will be swapped.

CBAC is most commonly used with one of two basic network topologies. Determining which of these topologies is most like your own can help you decide whether to configure CBAC on an internal interface or on an external interface.

Figure shows the first network topology. In this simple topology, CBAC is configured for the external interface Serial 0. This prevents specified protocol traffic from entering the firewall router and the internal network, unless the traffic is part of a session initiated from within the internal network.

In the second topology, a Demilitarized Zone (DMZ) is defined and accessed through interface Ethernet 1. A DMZ is a region where public services such as DNS, mail and web can be reached without passing any security filter. In this example CBAC is configured for the internal interface Ethernet 0, allowing external traffic to access the public services in the DMZ, but preventing specified protocol traffic from entering your internal network, unless the traffic is part of a session initiated from within the internal network.

The key difference between these two topologies is that the first topology does not allow outside traffic into the router without passing through the filter. The second topology allows outside traffic to enter the router so that it can reach public servers on the DMZ without passing through the filter.

Using these two sample topologies, you can decide whether your network should have CBAC on an internal or external interface.

Note: If your firewall has only two connections, one to the internal network and one to the external network, using all inbound access lists works well because packets are stopped before they get a chance to affect the router itself.

Following are some tips for configuring CBAC on an external interface:

  • If you have an outbound IP access list at the external interface, the access list can be a standard or an extended access list. This outbound access list should permit traffic that you want to be inspected by CBAC. If traffic is not permitted, it will not be inspected by CBAC and will simply be dropped.
  • The inbound IP access list at the external interface must be an extended access list. This inbound access list should deny traffic that you want to be inspected by CBAC. (CBAC will create temporary openings in this inbound access list as appropriate to permit only return traffic that is part of a valid, existing session.)
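The following IOS configuration is an added example, not part of the original text, showing how the two topologies above map onto access lists and inspection rules. The interface names follow the text; the addresses, access-list numbers and inspection rule names (OUTSIDE_FW, INSIDE_FW) are constructed for illustration.

```ios
! --- Topology 1: CBAC applied on the external interface Serial 0 ---
! Inspection rule: track TCP and UDP sessions that leave the network
ip inspect name OUTSIDE_FW tcp
ip inspect name OUTSIDE_FW udp
!
! Outbound list on Serial 0 (standard is sufficient): permit the inside
! hosts whose traffic CBAC should inspect; anything not permitted here is
! dropped without being inspected (constructed inside network 10.1.1.0/24)
access-list 10 permit 10.1.1.0 0.0.0.255
!
! Inbound list on Serial 0 must be extended: deny the traffic CBAC
! inspects; CBAC inserts temporary entries ahead of the deny for return
! traffic belonging to sessions that originated inside
access-list 101 permit icmp any any echo-reply
access-list 101 deny   ip any any log
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 10 out
 ip access-group 101 in
 ip inspect OUTSIDE_FW out
!
! --- Topology 2: DMZ on Ethernet 1, CBAC applied on the internal interface Ethernet 0 ---
ip inspect name INSIDE_FW tcp
ip inspect name INSIDE_FW udp
!
! Inbound list on Ethernet 0 (standard is sufficient): permit the inside
! hosts whose traffic CBAC should inspect (constructed network 10.2.2.0/24)
access-list 20 permit 10.2.2.0 0.0.0.255
!
! Outbound list on Ethernet 0 must be extended: deny everything into the
! protected network; CBAC adds entries for return traffic of sessions
! initiated inside. Serial 0 carries no inbound list, so outside hosts
! reach the DMZ servers on Ethernet 1 without passing a filter
access-list 120 deny ip any any log
!
interface Ethernet0
 ip address 10.2.2.1 255.255.255.0
 ip access-group 20 in
 ip access-group 120 out
 ip inspect INSIDE_FW in
```

Note that in the first topology the inspection rule is applied outbound on the external interface, while in the second it is applied inbound on the internal interface; in both cases the rule faces the direction from which permitted sessions originate.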

The following are some tips for your access lists when you are configuring CBAC on an internal interface:

  • If you have an inbound IP access list at the internal interface or an outbound IP access list at an external interface or interfaces, these access lists can be either standard or extended access lists. These access lists should permit traffic that you want to be inspected by CBAC. If traffic is not permitted, it will not be inspected by CBAC but will simply be dropped.
  • The outbound IP access list at the internal interface and the inbound IP access list at the external interface must be extended access lists. These access lists should deny traffic that you want to be inspected by CBAC. (CBAC will create temporary openings in these access lists as appropriate to permit only return traffic that is part of a valid, existing session.) You do not necessarily need to configure an extended access list at both the outbound internal interface and the inbound external interface, but at least one is necessary to restrict traffic flowing through the firewall into the internal protected network.