CBAC acts as an intelligent traffic filter by monitoring the session states based on network, transport, and application layer information.
CBAC supports inspection of the following protocols: TCP sessions, UDP sessions, CU-SeeMe (White Pine), FTP, H.323, HTTP (Java blocking), Microsoft NetShow, UNIX remote commands (rlogin, rexec, rsh, and so forth), RealAudio, RTSP, Sun RPC, SMTP, SQL*Net, StreamWorks, TFTP, and VDOLive.
Outbound traffic is generally permitted through the router. CBAC creates temporary access list entries as certain outbound traffic is inspected. Return inbound traffic is permitted by these temporary entries.
CBAC can perform intrusion detection based on SMTP traffic, sending SYSLOG messages during an attack.
Choose a router interface where CBAC will operate.
A router performing CBAC is considered a firewall, with an "inside" interface (the protected network side) and an "outside" interface (the unprotected network side). CBAC inspection can be configured on either the inside or the outside interface; either is acceptable. However, you should choose the interface that gives you the greatest coverage of the network you want to protect.
Also, you will be configuring two access lists to work with CBAC: one for outbound traffic (from the protected network) and one for inbound traffic (from the unprotected network). The access list configurations are straightforward. Pay close attention to how the access lists are applied, though. For example, if you choose to implement CBAC on an "outside" interface, be sure that the outbound traffic access list is applied going out and the inbound access list is applied in. If CBAC is used on an "inside" interface, the directions are reversed: the outbound traffic list is applied in, and the inbound traffic list is applied out. Picture yourself standing in the middle of the router, and think of the direction in which the outbound and inbound traffic travels as it arrives at or leaves the interface.
(Optional) Tune CBAC operation.
Set the time to wait for an established connection:
(global) ip inspect tcp synwait-time seconds
CBAC waits seconds (greater than 0; the default is 30) for a TCP connection to be established after the SYN. After that, CBAC drops the connection.
Set the time to manage a closed connection:
(global) ip inspect tcp finwait-time seconds
CBAC continues managing a TCP connection for seconds (greater than 0; the default is 5) after the FIN handshake closes the session.
Set the connection idle times:
(global) ip inspect { tcp | udp } idle-time seconds
CBAC continues managing a TCP session (tcp) for seconds (greater than 0; the default is 3600 seconds, or 1 hour) or a UDP "session" (udp) for seconds (greater than 0; the default is 30) after no activity is detected.
Set the DNS idle timeout:
(global) ip inspect dns-timeout seconds
CBAC manages a DNS name lookup session for seconds (greater than 0; the default is 5) after no activity is detected.
Set the connection thresholds for aggressive mode:
(global) ip inspect max-incomplete { high | low } number
Aggressive mode is triggered when the number of incomplete or half-open TCP or UDP connections rises above high number (the default is 500 connections). Aggressive mode ends when the number of incomplete connections falls below low number (the default is 400 connections). Half-open TCP connections are not yet established, and half-open UDP connections have traffic in only one direction.
Set the connection rates for aggressive mode:
(global) ip inspect one-minute { high | low } number
Aggressive mode is triggered when the number of incomplete or half-open connections within the last minute rises above high number (the default is 500 connections). Aggressive mode ends when the number of incomplete connections per minute falls below low number (the default is 400 connections).
Set the thresholds for TCP connections to the same host:
(global) ip inspect tcp max-incomplete host number block-time minutes
If CBAC detects more than number (1 to 250; the default is 50 connections) half-open TCP connections to the same host, it begins deleting the half-open connections. The block-time keyword defines how CBAC reacts once the limit is exceeded. If minutes is 0 (the default), the oldest half-open connection to that host is deleted for every new connection request received. If minutes is greater than 0, all half-open connections to that host are deleted, and all new connections to it are blocked for minutes.
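The thresholds above are easiest to understand as a small state machine. What follows is an added illustration written for this page, not Cisco's code: it models the global max-incomplete high/low watermarks (aggressive mode enters above high and leaves only below low, so the two values give hysteresis) and the per-host limit with both block-time behaviours. The class name, event methods, timestamps and the sample flood are constructed; the one-minute rate thresholds behave the same way over a sliding 60-second window and are not modelled.

```python
"""Simplified model of the CBAC half-open thresholds described in this
section: the global max-incomplete high/low watermarks (aggressive mode with
hysteresis) and the per-host tcp max-incomplete host limit with block-time.
Added illustration only, not Cisco's implementation; the class, event names
and the sample flood are constructed for this page."""


class HalfOpenMonitor:
    def __init__(self, high=500, low=400, host_max=50, block_time=0):
        self.high, self.low = high, low      # ip inspect max-incomplete high / low
        self.host_max = host_max             # ip inspect tcp max-incomplete host number
        self.block_time = block_time         # block-time minutes (0 = delete oldest)
        self.half_open = {}                  # conn -> destination host, insertion ordered
        self.blocked_until = {}              # host -> time (s) at which block expires
        self.aggressive = False
        self.log = []

    def _to_host(self, host):
        return [c for c, h in self.half_open.items() if h == host]

    def syn(self, conn, host, t):
        """SYN toward host seen at time t (seconds). Returns True if the
        embryonic session is now tracked, False if it would be dropped."""
        if self.blocked_until.get(host, 0) > t:
            self.log.append((t, f"drop SYN {conn}: {host} blocked"))
            return False
        if len(self._to_host(host)) >= self.host_max:   # this SYN would exceed 'number'
            if self.block_time == 0:
                oldest = self._to_host(host)[0]          # one old entry per new request
                del self.half_open[oldest]
                self.log.append((t, f"{host}: deleted oldest half-open {oldest}"))
            else:
                for c in self._to_host(host):            # clear all, then block new SYNs
                    del self.half_open[c]
                self.blocked_until[host] = t + self.block_time * 60
                self.log.append((t, f"{host}: cleared, blocked {self.block_time} min"))
                return False
        self.half_open[conn] = host
        self._update_mode(t)
        return True

    def established(self, conn, t):
        """Handshake completed (or embryonic session aged out): no longer half-open."""
        self.half_open.pop(conn, None)
        self._update_mode(t)

    def _update_mode(self, t):
        n = len(self.half_open)
        if not self.aggressive and n > self.high:        # rises above high
            self.aggressive = True
            self.log.append((t, f"aggressive mode ON ({n} half-open > {self.high})"))
        elif self.aggressive and n < self.low:           # falls below low
            self.aggressive = False
            self.log.append((t, f"aggressive mode OFF ({n} half-open < {self.low})"))


def demo():
    """Deliberately small thresholds so every transition is visible; returns the log."""
    m = HalfOpenMonitor(high=5, low=3, host_max=3, block_time=0)
    for i in range(6):                       # six half-open sessions to six hosts
        m.syn(f"c{i}", f"10.0.0.{i}", t=i)   # sixth one crosses high=5 -> aggressive
    for i in range(4):                       # four complete; n=2 < low=3 -> normal
        m.established(f"c{i}", t=10 + i)
    for i in range(4):                       # fourth SYN to one host exceeds host_max=3
        m.syn(f"h{i}", "10.0.0.9", t=20 + i)
    return m.log


if __name__ == "__main__":
    for t, msg in demo():
        print(f"t={t:>3}s  {msg}")
```

Note that with block_time 0 the host keeps accepting new half-open connections (an attacker only displaces its own older entries), whereas a non-zero block-time also refuses legitimate new connections to that host until the timer expires; pick the value with that trade-off in mind.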
Use access lists to manage CBAC traffic inspection.
(Optional) Permit outbound traffic (from a protected network):
(global) access-list acc-list-number permit protocol source source-mask destination destination-mask [ operator port ]
If outbound traffic is to be filtered or limited, an access list numbered acc-list-number (100 to 199) can be used. You should permit all traffic that will be inspected by CBAC. If all traffic is to be permitted and inspected, the access list can be omitted, because all traffic is normally allowed to pass through an interface.
Filter inbound traffic (from an unprotected network).
Permit certain types of inbound ICMP traffic:
(global) access-list acc-list-number permit icmp any any echo-reply
(global) access-list acc-list-number permit icmp any internal-network mask time-exceeded
(global) access-list acc-list-number permit icmp any internal-network mask packet-too-big
(global) access-list acc-list-number permit icmp any internal-network mask traceroute
(global) access-list acc-list-number permit icmp any internal-network mask unreachable
CBAC doesn't inspect ICMP packets at all. Therefore, you should allow only certain types of ICMP messages into your protected network: ping replies (echo-reply), TTL exceeded (time-exceeded), path MTU discovery (packet-too-big), traceroute, and unreachable. All other types are implicitly denied at the end of the access list.
Deny spoofed IP addresses:
(global) access-list acc-list-number deny ip internal-network mask any
Spoofed packets arrive inbound from the outside carrying source addresses that belong to the inside of your network. If allowed in, the packets can reach an internal target, but replies never find the original source, which is exactly what an attacker wants for a one-way (blind) attack.
In addition, inbound packets can have source addresses from the RFC 1918 ranges or other values that are never valid on the Internet: 10.0.0.0 (private class A network), 127.0.0.0 (reserved for loopback), 169.254.0.0 (link-local addresses a host assigns itself when DHCP fails), 172.16.0.0 to 172.31.0.0 (private class B networks), 192.168.0.0 (private class C networks), and 224.0.0.0 with a 31.255.255.255 wildcard (multicast and the reserved 240.0.0.0 space; never used as a source address). For these, additional commands should be added to the access list:
(global) access-list acc-list-number deny ip 10.0.0.0 0.255.255.255 any
(global) access-list acc-list-number deny ip 127.0.0.0 0.255.255.255 any
(global) access-list acc-list-number deny ip 169.254.0.0 0.0.255.255 any
(global) access-list acc-list-number deny ip 172.16.0.0 0.15.255.255 any
(global) access-list acc-list-number deny ip 192.168.0.0 0.0.255.255 any
(global) access-list acc-list-number deny ip 224.0.0.0 31.255.255.255 any
Deny a broadcast source address:
(global) access-list acc-list-number deny ip host 255.255.255.255 any
Permit specific traffic not inspected by CBAC:
(global) access-list acc-list-number permit protocol source source-mask destination dest-mask [ operator port ]
For traffic that you don't intend CBAC to inspect, such as inbound routing updates or HTTP to a web server on the protected network (sessions that are initiated from the outside and so never create temporary entries), be sure to define permit commands to allow it.
Deny everything else:
(global) access-list acc-list-number deny ip any any
The "deny everything" command is implicit as the last statement in any access list, although it is not shown in the configuration. You can enter it manually, if desired, as a reminder of the final rule.
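As an added example (not from the original page or from Cisco), the following Python helper builds the inbound access list of this step from CIDR prefixes so that the wildcard masks are computed rather than hand-typed (the 0.15.255.255 and 31.255.255.255 masks are the ones people get wrong), checks which source addresses a given entry catches, and emits the interface lines for either placement following the direction rule in the interface-selection step. The ACL numbers, the rule name filter, the internal prefix 192.168.17.0/24 and the extra permit are assumptions for the illustration.

```python
"""Build the CBAC inbound anti-spoofing access list and the interface
placement lines. Added example for this page, not Cisco's code; ACL numbers,
rule name, internal prefix and the extra permit are constructed."""
import ipaddress

# Prefixes that must never appear as a source on inbound packets (from the page),
# written as CIDR so the IOS wildcard masks are derived, not typed by hand.
BOGON_SOURCES = [
    ("10.0.0.0/8", "private class A"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local / failed DHCP"),
    ("172.16.0.0/12", "private class B"),
    ("192.168.0.0/16", "private class C"),
    ("224.0.0.0/3", "multicast and reserved"),
]


def wildcard_mask(prefixlen: int) -> str:
    """IOS wildcard mask: the bitwise inverse of the subnet mask (/12 -> 0.15.255.255)."""
    return str(ipaddress.IPv4Address((1 << (32 - prefixlen)) - 1))


def acl_source(cidr: str) -> str:
    """'network wildcard' form of a prefix, or 'host a.b.c.d' for a /32."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {wildcard_mask(net.prefixlen)}"


def wildcard_match(addr: str, cidr: str) -> bool:
    """Would the ACL entry for cidr match addr? Bits set in the wildcard are
    'don't care'; every other bit must equal the network address."""
    net = ipaddress.ip_network(cidr, strict=False)
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard_mask(net.prefixlen)))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(net.network_address) & care)


def inbound_acl(number: int, internal_cidr: str, permits=()):
    """Inbound (from the unprotected side) extended ACL in the page's order:
    selected ICMP, anti-spoofing denies, explicit permits, final deny."""
    internal = acl_source(internal_cidr)
    lines = [f"access-list {number} permit icmp any any echo-reply"]
    for icmp_type in ("time-exceeded", "packet-too-big", "traceroute", "unreachable"):
        lines.append(f"access-list {number} permit icmp any {internal} {icmp_type}")
    lines.append(f"access-list {number} deny ip {internal} any")   # our own prefix from outside
    for cidr, _why in BOGON_SOURCES:
        lines.append(f"access-list {number} deny ip {acl_source(cidr)} any")
    lines.append(f"access-list {number} deny ip {acl_source('255.255.255.255/32')} any")
    for permit in permits:                                          # traffic CBAC won't inspect
        lines.append(f"access-list {number} permit {permit}")
    lines.append(f"access-list {number} deny ip any any")           # explicit final deny
    return lines


def placement(side: str, rule: str, acl_in: int, acl_out=None):
    """Interface commands for CBAC on the 'inside' or 'outside' interface.
    Outbound (protected -> unprotected) traffic is what gets inspected: it
    arrives 'in' on the inside interface and leaves 'out' on the outside one;
    the two access lists follow the same reversal."""
    if side == "inside":
        inspect_dir, inbound_dir, outbound_dir = "in", "out", "in"
    elif side == "outside":
        inspect_dir, inbound_dir, outbound_dir = "out", "in", "out"
    else:
        raise ValueError(f"side must be 'inside' or 'outside', got {side!r}")
    lines = [f"ip inspect {rule} {inspect_dir}", f"ip access-group {acl_in} {inbound_dir}"]
    if acl_out is not None:
        lines.append(f"ip access-group {acl_out} {outbound_dir}")
    return lines


if __name__ == "__main__":
    print("\n".join(placement("outside", "filter", 102)))
    print("\n".join(inbound_acl(102, "192.168.17.0/24",
                                ["tcp any 192.168.17.0 0.0.0.255 eq www"])))
    for src in ("172.20.1.1", "172.32.0.1"):       # /12 boundary check
        print(src, "denied" if wildcard_match(src, "172.16.0.0/12") else "passes")
```

Run with the internal prefix replaced by your own; wildcard_match is handy for confirming that an address you expect to block (or not) really falls inside an entry before the list goes on a production interface.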
Define a CBAC inspection rule with one or more types.
Inspect supported application-layer protocols:
(global) ip inspect name inspection-name protocol [ alert { on | off } ] [ audit-trail { on | off } ] [ timeout seconds ]
An inspection rule named inspection-name is defined to inspect the protocol: TCP (tcp), UDP (udp), CU-SeeMe (cuseeme), FTP (ftp), H.323 (h323), Microsoft NetShow (netshow), UNIX remote commands (rcmd), RealAudio (realaudio), SMTP (smtp), SQL*Net (sqlnet), StreamWorks (streamworks), TFTP (tftp), or VDOLive (vdolive).
SYSLOG alert messages (alert) can be turned on or off to alert someone about a detected condition in real time. SYSLOG audit trail messages (audit-trail) can also be turned on or off to provide details about inspected sessions. The timeout keyword can be used to override the global TCP or UDP idle timeouts for this protocol.
NOTE
The inspection of NetMeeting 2.0 traffic requires both h323 and tcp inspection. The smtp inspection drops any command except DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.
Inspect Sun RPC:
(global) ip inspect name inspection-name rpc program-number number [ wait-time minutes ] [ alert { on | off } ] [ audit-trail { on | off } ] [ timeout seconds ]
An inspection rule named inspection-name is defined to inspect the Sun RPC program number given by number. The wait-time keyword can be used to keep the temporary CBAC entry in effect for subsequent connections between the same hosts for minutes (the default is 0).
SYSLOG alert messages (alert) can be turned on or off to alert someone about a detected condition in real time. SYSLOG audit trail messages (audit-trail) can also be turned on or off to provide details about inspected sessions. The timeout keyword can be used to override the global TCP or UDP idle timeouts.
Inspect fragments:
(global) ip inspect name inspection-name fragment [ max number ] [ timeout seconds ]
An inspection rule named inspection-name is defined to inspect fragmented packets. Unless the initial fragmented packet passes through CBAC, all noninitial fragmented packets are dropped. The maximum number of unassembled packets kept by CBAC can be set with max number (50 to 10000; the default is 256 packets). The timeout keyword sets the amount of time that a fragmented packet is kept by CBAC in seconds (the default is 1 second).
Block Java applets.
(Optional) Specify "friendly" Java sites:
(global) access-list acc-list-number permit ip-address
The standard IP access list numbered acc-list-number (1 to 99) permits the IP address of a trusted or friendly HTTP site with Java applets. A named standard IP access list is also acceptable for this purpose. (An extended access list cannot be used here; Java blocking is decided on the source address of the HTTP server alone.)
Define Java blocking:
(global) ip inspect name inspection-name http [ java-list access-list ] [ alert { on | off } ] [ audit-trail { on | off } ] [ timeout seconds ]
An inspection rule named inspection-name is defined to inspect and block Java applets. The java-list keyword defines a standard IP access-list (named or numbered) that is used to identify HTTP sites with acceptable Java applets. If the java-list keyword is omitted, all Java applets are blocked.
NOTE
Only unencapsulated (not in .zip or .jar format) Java applets can be inspected and blocked. Applets loaded by FTP or gopher, as well as applets from a nonstandard HTTP port (including HTTPS or port 443), cannot be inspected.
Configure CBAC inspection on an interface:
(interface) ip inspect inspection-name { in | out }
The CBAC inspection rule named inspection-name is used on the interface to inspect traffic in either the in or out direction (relative to the interface).
Perform logging and audit trail functions.
Set up logging:
(global) service timestamps log datetime
(global) logging ip-address
(global) logging facility facility
(global) logging trap level
SYSLOG service is enabled on the router to the host at ip-address. SYSLOG messages are sent with the syslog facility facility, and only messages at severity level or more severe are sent to the host. Timestamps on the messages matter for CBAC: without them, alert and audit-trail entries cannot be correlated with other logs. See Section 1-5 for more information.
Enable the CBAC audit trail:
(global) ip inspect audit-trail
CBAC is configured as a firewall on a router. Ethernet 0 is connected to the "inside" protected network, and Ethernet 1 is on the "outside." Access list 102 is used to filter inbound traffic from the outside network. ICMP is not inspected by CBAC, so only certain types of ICMP messages are permitted to come in. The access list also denies source addresses that are spoofed. WWW traffic is permitted inbound to the 192.168.17.0 network, because it is initiated from the outside. All other traffic is denied.
CBAC inspection is configured for inbound traffic on the inside interface, which is actually traffic destined for the outside network. As soon as CBAC inspects outgoing connections, it adds temporary entries to access list 102 that permit return traffic for those sessions. CBAC is configured to inspect FTP, RealAudio, SMTP, TCP, and UDP.
Notice that CBAC goes above and beyond the capabilities of extended IP access lists. Both TCP and UDP sessions can be tracked, allowing traffic from sessions that were initiated on the inside to return. Extended access lists are limited to detecting only whether the ACK and RST bits are set in the TCP headers of session traffic (using the "established" keyword). In addition, they cannot monitor the return traffic of UDP sessions at all.
ip inspect name filter ftp
ip inspect name filter realaudio
ip inspect name filter smtp
ip inspect name filter tcp
ip inspect name filter udp
interface Ethernet0
 description Internal LAN (inside)
 ip address 192.168.17.3 255.255.255.0
 ip inspect filter in
interface Ethernet1
 description External LAN (outside)
 ip address 4.3.51.130 255.255.255.252
 ip access-group 102 in
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any 192.168.17.0 0.0.0.255 time-exceeded
access-list 102 permit icmp any 192.168.17.0 0.0.0.255 packet-too-big
access-list 102 permit icmp any 192.168.17.0 0.0.0.255 traceroute
access-list 102 permit icmp any 192.168.17.0 0.0.0.255 unreachable
access-list 102 deny ip 192.168.17.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 224.0.0.0 31.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 permit tcp any 192.168.17.0 0.0.0.255 eq www
access-list 102 deny ip any any