What Is CBAC?


CBAC (Context-Based Access Control) is the IOS Firewall feature that most closely resembles the function of the PIX Firewall: stateful packet inspection of traffic passing through the CBAC-enabled router. When CBAC inspects a packet, it creates a state table entry. The state table records session information taken from the packets of each session, and CBAC uses that table to decide whether the return traffic for the session is allowed back into the protected network. It admits that return traffic by creating temporary openings in the router's ACLs with dynamic ACEs, which are removed again when the session ends or its idle timer expires. Figure 4.1 shows an overview of how traffic flows through the IOS Firewall. In the figure, CBAC inspection is applied inbound on the internal interface of the router, and CBAC dynamically inserts temporary ACEs into the inbound ACL on the outside interface to admit the return traffic of each inspected session.

Figure 4.1. CBAC operation.



CBAC decides whether return traffic should be permitted back into the protected network based on the state table.


Creating a state table entry is straightforward when the tracked protocol is connection-oriented, such as TCP, because every TCP segment carries session information: sequence numbers and the connection flags (SYN, FIN, RST) that mark setup and teardown.


CBAC drops a TCP packet if its sequence numbers fall outside the expected range for that session.


User Datagram Protocol (UDP), however, is connectionless and carries no session information of its own.


Because UDP is connectionless, CBAC must approximate the UDP session information that it uses to populate the state table: packets with the same source and destination addresses and ports, seen within the configured UDP idle timeout, are treated as one session, and the session is removed from the table when that timer expires.
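The following IOS configuration fragment is an added illustration for this section, not configuration taken from the book or from a Cisco document. It puts together the deployment described above (inspection applied inbound on the inside interface, return traffic admitted through temporary ACEs in the inbound ACL of the outside interface) with the TCP and UDP session handling just discussed. The interface names, addresses, ACL number and the inspection-rule name FWRULE are assumptions; the timer values shown are the IOS defaults.

```cisco
! Inspection rule: track TCP and UDP sessions generically, and HTTP with
! application-layer inspection. The rule name FWRULE is an assumption.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE http
!
! TCP session timers. A TCP session is tracked from the SYN handshake to
! the FIN/RST teardown: synwait-time bounds a half-open connection,
! finwait-time bounds how long a closing session stays in the table,
! idle-time removes a session that has carried no traffic.
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
! UDP has no handshake, so a "session" is approximated: return packets
! matching the outbound addresses and ports within udp idle-time are
! admitted, after which the approximated session is dropped.
ip inspect udp idle-time 30
!
! Log session creation and deletion to syslog (useful when checking
! which return traffic CBAC actually opened a hole for).
ip inspect audit-trail
!
! Inside interface: inspect traffic entering the router from the
! protected network (inbound direction, as in Figure 4.1).
interface FastEthernet0/0
 description Inside (protected network) - assumed interface
 ip address 10.1.1.1 255.255.255.0
 ip inspect FWRULE in
!
! Outside interface: a restrictive inbound extended ACL. CBAC inserts
! temporary ACEs ahead of the static entries for the return traffic of
! each inspected session. The ACL must be an extended ACL.
interface Serial0/0
 description Outside (untrusted network) - assumed interface
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
!
! Static entries only; everything else is denied until CBAC opens a
! hole for it. ICMP is not covered by this inspection rule, so replies
! to pings from inside must be permitted statically.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   ip any any log
!
! Verification (privileged exec mode):
!   show ip inspect config      - inspection rules and timers
!   show ip inspect interfaces  - where the rule and the ACL are applied
!   show ip inspect sessions    - the state table (current sessions)
```

With this in place, a TCP connection initiated from 10.1.1.0/24 appears in show ip inspect sessions once the SYN is seen, and its return traffic is admitted past access-list 101 only while the session is in the state table; a UDP exchange appears as an approximated session that disappears 30 seconds after the last packet. Any protocol the rule does not inspect, such as ICMP here, needs a static entry in the outside ACL or it is blocked.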




CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
