Context-Based Access Control (CBAC)

CBAC Overview

Context-Based Access Control (CBAC) is both a stateful and an application-aware firewall that can filter traffic at the network layer (IP addresses and protocols), the transport layer (ports, TCP and UDP sessions), the session layer (the state of the conversation), and the application layer (protocols for specific applications, including multi-channel applications such as FTP). Because it works across these layers and can log through syslog, CBAC provides traffic filtering, traffic inspection, intrusion detection, and the generation of audits and alerts. Compared with Cisco's earlier stateful filtering mechanisms, CBAC is the more capable option: it can also track UDP and ICMP, and it understands application-layer services such as DNS, SMTP and protocols that negotiate extra channels in the application layer. The progression from the earlier mechanisms to CBAC looks like this:

1. TCP established ACLs – match only TCP segments with the ACK or RST flag set (the established keyword), so only traffic that looks like part of an existing connection is permitted; no session state is kept
2. Reflexive ACLs – track outbound sessions and:
   - record source and destination addresses,
   - record source and destination ports,
   - create temporary ACEs that permit only the matching return traffic,
   - remove those entries when the session ends (FIN/RST) or times out
3. CBAC (Context-Based Access Control) – inspects and monitors:
   - TCP connection setup,
   - UDP session information,
   - TCP sequence numbers,
   - DNS queries and replies,
   - ICMP message types,
   - applications that rely on multiple connections (TFTP, FTP, multimedia),
   - embedded addresses (NAT, PAT),
   - application-layer information

[Figure: Sample CBAC network topology]

How to Configure CBAC

To configure CBAC you need an inside ACL and an outside ACL. Both should be extended ACLs, and both are applied inbound on their respective router interfaces. Remember that an ACL does nothing until it is applied to an interface (such as Fa0/0 or S0/0) in the inbound or outbound direction, where the direction is seen from inside the router: inbound traffic enters the router through that interface, outbound traffic leaves it. In addition to the two ACLs you need an inspection list naming the protocols and services the router inspects; it is applied to the inside interface in the inbound direction, that is, to traffic leaving the local network. The inspection list matters because it dictates which outgoing packets and protocols are inspected: for each inspected session the router creates a temporary dynamic entry, evaluated ahead of the outside ACL, that permits only the matching return traffic arriving on the outside interface. A protocol that is not on the inspection list (ICMP in the example below) gets no dynamic opening, so its return traffic must be permitted explicitly by the outside ACL or it is dropped.

Inside extended access-list should permit traffic to leave the network:
R1(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any
R1(config)# access-list 100 permit udp 192.168.1.0 0.0.0.255 any
R1(config)# access-list 100 permit icmp 192.168.1.0 0.0.0.255 any
R1(config)# access-list 100 deny ip any any

Inside access-list applied to the inside interface in the inbound direction:
R1(config)# interface Fa0/1
R1(config-if)# ip access-group 100 in

Outside extended access-list should deny most traffic from entering the network. This is the ACL that CBAC punches temporary openings in, so it only needs to permit the routing protocol and the ICMP message types that the inspection list does not cover:
R1(config)# access-list 101 permit eigrp any any
R1(config)# access-list 101 permit icmp any any echo-reply
R1(config)# access-list 101 permit icmp any any unreachable
R1(config)# access-list 101 permit icmp any any time-exceeded
R1(config)# access-list 101 deny ip any any

Outside access-list applied to the outside interface in the inbound direction:
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 101 in

The named inspection list of protocols and services to be inspected:
R1(config)# ip inspect name CBAC-FW tcp
R1(config)# ip inspect name CBAC-FW udp
R1(config)# ip inspect name CBAC-FW tftp

The named inspection list applied to the inside interface in the inbound direction:
R1(config)# interface Fa0/1
R1(config-if)# ip inspect CBAC-FW in
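To make the mechanism behind this configuration concrete, here is a small Python model of how the router above treats traffic, added as an illustration; it is not Cisco code and not part of the original tutorial. It reduces ACL 100 and ACL 101 to the entries configured above, keeps a table of the temporary openings the inspection list creates for outbound sessions, and checks packets arriving on the outside interface against those openings before falling back to the static outside ACL. The packet layout, the host addresses (192.168.1.10, 203.0.113.x, 198.51.100.9) and the port numbers are constructed for the demo, and the TFTP handling (keying the opening without the server port, because a TFTP server answers from a fresh ephemeral port rather than from port 69) is a simplified stand-in for what the tftp keyword in the inspection list does on a real router.

```python
"""Toy model of CBAC stateful inspection for the page's topology.

Added illustration, not Cisco IOS code. The packet layout, host addresses
and port numbers below are constructed for the demo; the "tftp" handling is
a simplified stand-in for the application-aware inspection the tftp keyword
enables on a real router.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."   # crude stand-in for 192.168.1.0 0.0.0.255


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp" or "eigrp"
    src: str
    sport: int            # 0 for protocols without ports
    dst: str
    dport: int
    icmp_type: str = ""   # e.g. "echo", "echo-reply", "unreachable"


def inside_acl_permits(pkt: Packet) -> bool:
    """ACL 100 from the page: tcp/udp/icmp from 192.168.1.0/24, then deny."""
    return pkt.proto in {"tcp", "udp", "icmp"} and pkt.src.startswith(INSIDE_PREFIX)


def outside_acl_permits(pkt: Packet) -> bool:
    """ACL 101 from the page: eigrp, three ICMP message types, then deny."""
    if pkt.proto == "eigrp":
        return True
    if pkt.proto == "icmp":
        return pkt.icmp_type in {"echo-reply", "unreachable", "time-exceeded"}
    return False


class CbacRouter:
    """Static ACLs plus the dynamic openings an inspection list creates."""

    def __init__(self, inspect_list: set):
        self.inspect_list = inspect_list   # e.g. {"tcp", "udp", "tftp"}
        self.sessions = set()              # temporary openings for return traffic

    def outbound(self, pkt: Packet) -> bool:
        """Packet arriving inbound on Fa0/1, i.e. leaving the LAN."""
        if not inside_acl_permits(pkt):
            return False
        if pkt.proto == "udp" and pkt.dport == 69 and "tftp" in self.inspect_list:
            # TFTP server replies come from a new ephemeral port, so the
            # opening must ignore the server port (wildcard = None).
            self.sessions.add(("udp", pkt.dst, None, pkt.src, pkt.sport))
        elif pkt.proto in self.inspect_list:
            # Generic tcp/udp inspection: opening keyed on the reversed 5-tuple.
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Packet arriving inbound on S0/0/0: dynamic openings first, ACL 101 second."""
        exact = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        wild = (pkt.proto, pkt.src, None, pkt.dst, pkt.dport)
        if exact in self.sessions or wild in self.sessions:
            return True
        return outside_acl_permits(pkt)


def demo() -> dict:
    """Scenarios the page's configuration is meant to handle (constructed data)."""
    fw = CbacRouter({"tcp", "udp", "tftp"})   # the page's CBAC-FW list
    udp_only = CbacRouter({"tcp", "udp"})     # same list without tftp
    inside, web, tftp_srv = "192.168.1.10", "203.0.113.5", "203.0.113.69"
    attacker = "198.51.100.9"
    out = {}

    # 1. Outbound HTTP opens a hole for its reply only; an unsolicited SSH SYN is dropped.
    fw.outbound(Packet("tcp", inside, 40000, web, 80))
    out["http_reply"] = fw.inbound(Packet("tcp", web, 80, inside, 40000))
    out["unsolicited_ssh"] = fw.inbound(Packet("tcp", attacker, 5555, inside, 22))

    # 2. TFTP: the server answers from port 61000, not from port 69.
    for router in (fw, udp_only):
        router.outbound(Packet("udp", inside, 50123, tftp_srv, 69))
    reply = Packet("udp", tftp_srv, 61000, inside, 50123)
    out["tftp_reply_with_tftp_inspection"] = fw.inbound(reply)
    out["tftp_reply_udp_only"] = udp_only.inbound(reply)

    # 3. ICMP is not inspected, so replies depend entirely on the static ACL 101.
    fw.outbound(Packet("icmp", inside, 0, web, 0, "echo"))
    out["echo_reply"] = fw.inbound(Packet("icmp", web, 0, inside, 0, "echo-reply"))
    out["inbound_ping"] = fw.inbound(Packet("icmp", attacker, 0, inside, 0, "echo"))
    return out


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:35s} {'permit' if permitted else 'drop'}")
```

Running demo() shows why tftp appears in the inspection list in addition to udp (the TFTP reply is dropped when only generic udp inspection is active), why the unsolicited SSH attempt is dropped even though ACL 100 permits outbound TCP, and why the echo-reply, unreachable and time-exceeded entries in ACL 101 are still needed when icmp is not inspected. On a real router the equivalent checks are show ip inspect sessions for the dynamic openings and show ip access-lists for the hit counts on the static entries.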

Video Tutorials

In this series of tutorials, I configure and troubleshoot a CBAC firewall on a Cisco router using a Netlab remote network.

In part 1, I discuss the concept of the CBAC stateful firewall and outline the sample network topology

In part 2, I explain the CLI commands used to create the inside and outside ACLs and the Inspect list

In part 3, I configure, test and troubleshoot the CBAC stateful firewall

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.
