13-7 Intelligent Filtering with Context-Based Access Control (CBAC)

  • CBAC acts as an intelligent traffic filter by monitoring the session states based on network, transport, and application layer information.

  • CBAC supports inspection of the following protocols: TCP sessions, UDP sessions, CU-SeeMe (White Pine), FTP, H.323, HTTP (Java blocking), Microsoft NetShow, UNIX remote commands (rlogin, rexec, rsh, and so forth), RealAudio, RTSP, Sun RPC, SMTP, SQL*Net, StreamWorks, TFTP, and VDOLive.

  • Outbound traffic is generally permitted through the router. CBAC creates temporary access list entries as certain outbound traffic is inspected. Return inbound traffic is permitted by these temporary entries.

  • CBAC can perform intrusion detection based on SMTP traffic, sending SYSLOG messages during an attack.

Configuration

  1. Choose a router interface where CBAC will operate.

    A router performing CBAC is considered a firewall, with an "inside" interface (the protected network side) and an "outside" interface (the unprotected network side). CBAC inspection can be configured on either the inside or the outside interface; either is acceptable. However, you should choose the interface that gives you the greatest coverage of the network you want to protect.

    Also, you will be configuring two access lists to work with CBAC: one for outbound traffic (from the protected network) and one for inbound traffic (from the unprotected network). The access list configurations are straightforward. Pay close attention to how the access lists are applied, though. For example, if you choose to implement CBAC on an "outside" interface, be sure that the outbound traffic access list is applied going out and the inbound access list is applied in. If CBAC is used on an "inside" interface, the directions are reversed: the outbound traffic list is applied in, and the inbound traffic list is applied out. Picture yourself standing in the middle of the router, and think of the direction in which the outbound and inbound traffic travels as it arrives at or leaves the interface. The inbound list can also sit on the other interface, as the example at the end of this section does (CBAC inspects in on the inside interface while the inbound list is applied in on the outside interface); what matters is that the inbound list lies in the path of the returning traffic, so that the temporary entries CBAC creates can open it.

  2. (Optional) Tune CBAC operation.

    1. Set the time to wait for an established connection:

       (global)  ip inspect tcp synwait-time   seconds  

      CBAC waits seconds (greater than 0; the default is 30) for a TCP connection to be established after the SYN. After that, CBAC drops the connection.

    2. Set the time to manage a closed connection:

       (global)  ip inspect tcp finwait-time   seconds  

      CBAC continues managing a TCP connection for seconds (greater than 0; the default is 5) after the FIN handshake closes the session.

    3. Set the connection idle times:

       (global)  ip inspect  {  tcp  |  udp  }  idle-time   seconds  

      CBAC continues managing a TCP session ( tcp ) for seconds (greater than 0; the default is 3600 seconds, or 1 hour) and a UDP "session" ( udp ) for seconds (greater than 0; the default is 30) after no activity is detected.

    4. Set the DNS idle timeout:

       (global)  ip inspect dns-timeout   seconds  

      CBAC manages a DNS name lookup session for seconds (greater than 0; the default is 5) after no activity is detected.

    5. Set the connection thresholds for aggressive mode:

       (global)  ip inspect max-incomplete  {  high  |  low  }  number  

      Aggressive mode is triggered when the number of incomplete or half-open TCP or UDP connections rises above high number (the default is 500 connections). Aggressive mode ends when the number of incomplete connections falls below low number (the default is 400 connections). Half-open TCP connections are not yet established, and half-open UDP connections have traffic in only one direction.

    6. Set the connection rates for aggressive mode:

       (global)  ip inspect one-minute  {  high  |  low  }  number  

      Aggressive mode is triggered when the number of incomplete or half-open connections within the last minute rises above high number (the default is 500 connections). Aggressive mode ends when the number of incomplete connections per minute falls below low number (the default is 400 connections).

    7. Set the thresholds for TCP connections to the same host:

       (global)  ip inspect tcp max-incomplete host   number   block-time   minutes  

      If CBAC detects more than number (1 to 250; the default is 50) half-open TCP connections to the same destination host, it begins deleting half-open connections to that host. The block-time keyword defines how they are deleted. If minutes is 0 (the default), the oldest half-open connection is deleted for every new connection request received. If minutes is greater than 0, all half-open connections to the host are deleted, and all new connection attempts to it are blocked for minutes.

  3. Use access lists to manage CBAC traffic inspection.

    1. (Optional) Permit outbound traffic (from a protected network):

       (global)  access-list   acc-list-number   permit   protocol source source-mask   destination destination-mask  [  operator port  ] 

      If outbound traffic is to be filtered or limited, an access list numbered acc-list-number (100 to 199) can be used. You should permit all traffic that will be inspected by CBAC. If all traffic is to be permitted and inspected, the access list can be omitted, because all traffic is normally allowed to pass through an interface.

    2. Filter inbound traffic (from an unprotected network).

      • Permit certain types of inbound ICMP traffic:

         (global)  access-list   acc-list-number   permit icmp any any echo-reply
         (global)  access-list   acc-list-number   permit icmp any   internal-network   mask   time-exceeded
         (global)  access-list   acc-list-number   permit icmp any   internal-network   mask   packet-too-big
         (global)  access-list   acc-list-number   permit icmp any   internal-network   mask   traceroute
         (global)  access-list   acc-list-number   permit icmp any   internal-network   mask   unreachable

        CBAC doesn't inspect ICMP packets at all. Therefore, you should allow only certain types of ICMP messages into your protected network: ping replies ( echo-reply ), TTL exceeded ( time-exceeded ), path MTU discovery ( packet-too-big ), traceroute, and unreachable. All other types are implicitly denied at the end of the access list.

      • Deny spoofed IP addresses:

         (global)  access-list   acc-list-number   deny ip   internal-network mask   any  

        A spoofed inbound packet arrives from the outside carrying a source address that belongs to the inside of your network. If allowed in, the packet can reach an internal target, but the replies never find the original source, and the target cannot tell the packet apart from a legitimate internal one.

        In addition, inbound packets can carry source addresses from the RFC 1918 private address space or other values that are never valid as an inbound source: 10.0.0.0 (private class A network), 127.0.0.0 (reserved for loopback), 169.254.0.0 (link-local, self-assigned by hosts that fail to obtain a DHCP lease), 172.16.0.0 to 172.31.0.0 (private class B networks), 192.168.0.0 (private class C networks), and 224.0.0.0 (multicast; never used as a source address). For these, additional commands should be added to the access list:

         (global)  access-list   acc-list-number   deny ip 10.0.0.0 0.255.255.255 any
         (global)  access-list   acc-list-number   deny ip 127.0.0.0 0.255.255.255 any
         (global)  access-list   acc-list-number   deny ip 169.254.0.0 0.0.255.255 any
         (global)  access-list   acc-list-number   deny ip 172.16.0.0 0.15.255.255 any
         (global)  access-list   acc-list-number   deny ip 192.168.0.0 0.0.255.255 any
         (global)  access-list   acc-list-number   deny ip 224.0.0.0 31.255.255.255 any

      • Deny a broadcast source address:

         (global)  access-list   acc-list-number   deny ip host 255.255.255.255 any

      • Permit specific traffic not inspected by CBAC:

         (global)  access-list   acc-list-number   permit   protocol source source-mask   destination dest-mask  [  operator port  ] 

        For traffic that you don't intend CBAC to inspect, such as inbound routing updates, Web browsing, and so forth, be sure to define permit commands to allow it.

      • Deny everything else:

         (global)  access-list   acc-list-number   deny ip any any  

        The "deny everything" command is implicit as the last statement in any access list, although it is not shown in the configuration. You can enter it manually, if desired, as a reminder of the final rule.

  4. Define a CBAC inspection rule with one or more types.

    1. Inspect supported application-layer protocols:

       (global)  ip inspect name   inspection-name protocol  [  alert  {  on  |  off  }]   [  audit-trail  {  on  |  off  }] [  timeout   seconds  ] 

      An inspection rule named inspection-name is defined to inspect the protocol: TCP ( tcp ), UDP ( udp ), CU-SeeMe ( cuseeme ), FTP ( ftp ), H.323 ( h323 ), Microsoft NetShow ( netshow ), UNIX remote commands ( rcmd ), RealAudio ( realaudio ), RTSP ( rtsp ), SMTP ( smtp ), SQL*Net ( sqlnet ), StreamWorks ( streamworks ), TFTP ( tftp ), or VDOLive ( vdolive ). Sun RPC, fragments, and HTTP (Java blocking) are covered in the steps that follow.

      SYSLOG alert messages ( alert ) can be turned on or off to alert someone about a detected condition in real time. SYSLOG audit trail messages ( audit-trail ) can also be turned on or off to provide details about inspected sessions. The timeout keyword can be used to override the global TCP or UDP idle timeouts.

      NOTE

      The inspection of NetMeeting 2.0 traffic requires both h323 and tcp inspection. The smtp inspection drops any command except DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.

    2. Inspect Sun RPC:

       (global)  ip inspect name   inspection-name   rpc program-number   number  [  wait-time   minutes  ] [  alert  {  on  |  off  }] [  audit-trail  {  on  |  off  }]   [  timeout   seconds  ] 

      An inspection rule named inspection-name is defined to inspect the Sun RPC program number given by number. The wait-time keyword can be used to keep the temporary CBAC entry in effect for subsequent connections between the same hosts for minutes (the default is 0).

      SYSLOG alert messages ( alert ) can be turned on or off to alert someone about a detected condition in real time. SYSLOG audit trail messages ( audit-trail ) can also be turned on or off to provide details about inspected sessions. The timeout keyword can be used to override the global TCP or UDP idle timeouts.

    3. Inspect fragments :

       (global)  ip inspect name   inspection-name   fragment  [  max   number  ] [  timeout   seconds  ] 

      An inspection rule named inspection-name is defined to inspect fragmented packets. Unless the initial fragmented packet passes through CBAC, all noninitial fragmented packets are dropped. The maximum number of unassembled packets kept by CBAC can be set with max number (50 to 10000; the default is 256 packets). The timeout keyword sets the amount of time that a fragmented packet is kept by CBAC in seconds (the default is 1 second).

    4. Block Java applets.

      • (Optional) Specify "friendly" Java sites:

         (global)  access-list   acc-list-number   permit   ip-address  

        The standard IP access list numbered acc-list-number (1 to 99) permits the IP address of a trusted or friendly HTTP site with Java applets. A named standard IP access list is also acceptable for this purpose.

      • Define Java blocking:

         (global)  ip inspect name   inspection-name   http  [  java-list   access-list  ]   [  alert  {  on  |  off  }] [  audit-trail  {  on  |  off  }] [  timeout   seconds  ] 

        An inspection rule named inspection-name is defined to inspect and block Java applets. The java-list keyword defines a standard IP access-list (named or numbered) that is used to identify HTTP sites with acceptable Java applets. If the java-list keyword is omitted, all Java applets are blocked.

      NOTE

      Only unencapsulated (not in .zip or .jar format) Java applets can be inspected and blocked. Applets loaded by FTP or gopher, as well as applets from a nonstandard HTTP port (including HTTPS or port 443), cannot be inspected.

  5. Configure CBAC inspection on an interface:

     (interface)  ip inspect   inspection-name  {  in  |  out  } 

    The CBAC inspection rule named inspection-name is used on the interface to inspect traffic in either the in or out direction (relative to the interface).

  6. Perform logging and audit trail functions.

    1. Set up logging:

       (global)  service timestamps log datetime
       (global)  logging   ip-address
       (global)  logging facility   facility
       (global)  logging trap   level

      SYSLOG service is enabled on the router to the host at ip-address. SYSLOG messages are sent at facility, and traps are sent at level. See Section 1-5 for more information.

    2. Enable the CBAC audit trail:

       (global)  ip inspect audit-trail  

Example

CBAC is configured as a firewall on a router. Ethernet 0 is connected to the "inside" protected network, and Ethernet 1 is on the "outside." Access list 102 is used to filter inbound traffic from the outside network. ICMP is not inspected by CBAC, so only certain types of ICMP messages are permitted to come in. The access list also denies source addresses that are spoofed. WWW traffic is permitted inbound to the 192.168.17.0 network, because it is initiated from the outside. All other traffic is denied.

CBAC inspection is configured for inbound traffic on the inside interface, which is actually traffic destined for the outside network. As soon as CBAC inspects outgoing connections, it adds temporary entries to access list 102 that permit return traffic for those sessions. CBAC is configured to inspect FTP, RealAudio, SMTP, TCP, and UDP.

Notice that CBAC goes above and beyond the capabilities of extended IP access lists. Both TCP and UDP sessions can be tracked, allowing traffic from sessions that were initiated on the inside to return. Extended access lists are limited to detecting only whether the ACK or RST bit is set in the TCP headers of session traffic (using the "established" keyword), which an attacker can set on any crafted packet. In addition, they cannot monitor the return traffic of UDP sessions at all.

  ip inspect name filter ftp
  ip inspect name filter realaudio
  ip inspect name filter smtp
  ip inspect name filter tcp
  ip inspect name filter udp
  interface Ethernet0
   description Internal LAN (inside)
   ip address 192.168.17.3 255.255.255.0
   ip inspect filter in
  interface Ethernet1
   description External LAN (outside)
   ip address 4.3.51.130 255.255.255.252
   ip access-group 102 in
  access-list 102 permit icmp any any echo-reply
  access-list 102 permit icmp any 192.168.17.0 0.0.0.255 time-exceeded
  access-list 102 permit icmp any 192.168.17.0 0.0.0.255 packet-too-big
  access-list 102 permit icmp any 192.168.17.0 0.0.0.255 traceroute
  access-list 102 permit icmp any 192.168.17.0 0.0.0.255 unreachable
  access-list 102 deny ip 192.168.17.0 0.0.0.255 any
  access-list 102 deny ip 10.0.0.0 0.255.255.255 any
  access-list 102 deny ip 127.0.0.0 0.255.255.255 any
  access-list 102 deny ip 169.254.0.0 0.0.255.255 any
  access-list 102 deny ip 172.16.0.0 0.15.255.255 any
  access-list 102 deny ip 192.168.0.0 0.0.255.255 any
  access-list 102 deny ip 224.0.0.0 31.255.255.255 any
  access-list 102 deny ip host 255.255.255.255 any
  access-list 102 permit tcp any 192.168.17.0 0.0.0.255 eq www
  access-list 102 deny ip any any


Cisco Field Manual[c] Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185
