The first step in configuring traffic
filtering is to decide whether to configure CBAC on an internal or
external interface of the firewall. In this case,
"internal" refers to the side where sessions must
originate for their traffic to be permitted through the firewall.
"External" refers to the side where sessions cannot
originate (sessions originating from the external side will be
blocked).
If you will be configuring CBAC in
two directions, you should configure CBAC in one direction first,
using the appropriate internal and external interface designations.
When you configure CBAC in the other direction, the interface
designations will be swapped.
CBAC is most commonly used with one
of two basic network topologies. Determining which of these
topologies is most like your own can help you decide whether to
configure CBAC on an internal interface or on an external interface.
Figure
shows the first network topology. In this simple topology, CBAC is
configured for the external interface Serial 0. This prevents specified
protocol traffic from entering the firewall router and the internal
network, unless the traffic is part of a session initiated from
within the internal network.
In the second topology, a Demilitarized Zone (DMZ) is
defined and accessed through interface Ethernet 1. A DMZ is a region where
public services such as DNS, mail and web can be reached without
passing any security filter. In this example, CBAC is configured for
the internal interface Ethernet 0, allowing external traffic to access the
public services in the DMZ, but preventing specified protocol
traffic from entering your internal network, unless the traffic is
part of a session initiated from within the internal network.
The key difference between these two
topologies is that the first topology
does not allow outside traffic into the router without passing
through the filter. The second topology
allows outside traffic to enter the router so that it can reach
public servers on the DMZ without passing through the filter.
Using these two sample topologies,
you can decide whether your network should have CBAC on an internal
or external interface.
Note: If your firewall has
only two connections, one to the internal network and one to the
external network, using all inbound access lists works well
because packets are stopped before they get a chance to affect the
router itself.
Following are some tips for
configuring CBAC on an external interface:
- If you have an outbound IP access
list at the external interface, the access list can be a
standard or an extended access list. This outbound access list
should permit traffic that you want to be inspected by CBAC. If
traffic is not permitted, it will not be inspected by CBAC and will simply
be dropped.
- The inbound IP access list at the
external interface must be an extended access list. This inbound
access list should deny traffic that you want to be inspected by
CBAC. (CBAC will create temporary openings in this inbound
access list as appropriate to permit only return traffic that is
part of a valid, existing session.)
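The following is an added example, not configuration from the original document, showing the first topology with CBAC on the external interface Serial 0: an inspection rule applied outbound, an inbound extended access list that denies the inspected traffic, and an outbound standard access list that permits it. The rule name FWRULE, the access-list numbers and the addresses are assumptions.

```cisco
! Added example (not from the original document). Rule name, access-list
! numbers and addresses are assumptions; 10.0.0.0/8 stands for the
! internal network.
!
! Inspection rule: track TCP and UDP sessions leaving through Serial 0
! so that only their return traffic is let back in.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
! Access list 101 (must be extended): applied INBOUND on Serial 0.
! It denies the traffic CBAC inspects; CBAC opens temporary holes in it
! for return traffic of valid sessions. Permit explicitly only what must
! enter unsolicited (here, ICMP messages needed for path diagnostics).
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   ip any any log
!
! Access list 1 (standard is sufficient): applied OUTBOUND on Serial 0.
! It permits the traffic to be inspected; anything it denies is dropped
! before CBAC sees it. Only internal hosts may start sessions.
access-list 1 permit 10.0.0.0 0.255.255.255
!
interface Serial0
 description External interface (sessions may not originate here)
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 ip access-group 1 out
 ip inspect FWRULE out
!
interface Ethernet0
 description Internal interface (sessions originate here)
 ip address 10.1.1.1 255.255.255.0
```

After applying it, "show ip inspect sessions" lists the tracked sessions, and "show ip access-lists 101" shows the temporary entries CBAC has inserted for their return traffic.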
The following are some tips for your
access lists when you are configuring CBAC on an internal
interface:
- If you have an inbound IP access
list at the internal interface or an outbound IP access list at
an external interface or interfaces, these access lists can be
either standard or extended access lists. These access lists
should permit traffic that you want to be inspected by CBAC. If
traffic is not permitted, it will not be inspected by CBAC but
will simply be dropped.
- The outbound IP access list at
the internal interface and the inbound IP access list at the
external interface must be extended access lists. These outbound
access lists should deny traffic that you want to be inspected
by CBAC. (CBAC will create temporary openings in these outbound
access lists as appropriate to permit only return traffic that
is part of a valid, existing session.) You do not necessarily
need to configure an extended access list at both the outbound
internal interface and the inbound external interface, but at
least one is necessary to restrict traffic flowing through the
firewall into the internal protected network.