Context based Access Control (CBAC)

Access-lists (ACL) have recently been used for packet filtering and protection. ACL operates using the administrator's list of rules in order. The regulations include a number of permit and deny requirements. The only drawback of ACL is that it only filters traffic at the transport layer.

Therefore, a Cisco router with the appropriate IOS version is used for low-cost firewall functionality. There are two ways to implement an IOS-based firewall:

Features of Context Based Access Control (CBAC).
Firewall based on zones.

Context access based control (CBAC) -

In contrast to how ACLs protect and filter traffic at the transport layer, CBAC extends that protection to the application layer. The router can function as a firewall with CBAC configuration.

Working -

While CBAC only functions as a reflexive Access-list, it also keeps a state table where the sessions are stored in memory. A dynamic entry is added to the state table and outbound (going out) traffic is permitted to pass through the router when a session is started by a device within the network (IoS based firewall). As the router (an IoS-based firewall) has an entry for traffic initiated within the network, it can pass the reply of outbound traffic with the aid of this entry. The IoS-based firewall CBAC mechanism accomplishes this by temporarily opening gaps in the access list (applied to the inbound traffic) to let reply packets through.

ACLs are a set of rules for regulating network traffic and minimising network attacks. Using a set of rules specified for the network's incoming or outgoing traffic, ACLs are used to filter traffic.

Features -

The CBAC has some features, including:

Examining traffic: CBAC keeps track of the TCP/UDP information required for more thorough packet payload inspection.
Traffic filtering: CBAC only permits replies if they have an entry in the state table. It filters traffic that originates from trusted networks and leaves the firewall. It is capable of layer 7 intelligent traffic filtering.
Intrusion detection: To identify attacks like Dos attacks and TCP syn attacks, the CBAC looks at the speed at which the connection was established. Based on this, the CBAC mechanism has the ability to either drop or reestablish a connection in response to malicious packets.
Creating alerts and audits: The router's CBAC mechanism records data about connections made, the amount of data sent, and the IP addresses of the source and destination.

Configuration -

There are three routers: router1 (10.1.1.1/24 on fa0/0), router2 (10.1.1.2/24 on fa0/0 and 10.1.2.1/24 on fa0/1) and router3 (10.1.2.2/24). To enable pinging between routers, we will first assign routes via EIGRP to every router.

Following that, we will configure router 3 as an ssh server, and router 2 (on which CBAC will be running) will only permit traffic after it has been examined by router 2.

Setting up EIGRP on router 1 initially:

router1(config)#router eigrp 100
router1(config-router)#network 10.1.1.0
router1(config-router)#no auto-summary 

Next, set up EIGRP on router 2 to connect to other networks:

router2(config)#router eigrp 100
router2(config-router)#network 10.1.1.0
router2(config-router)#network 10.1.2.0
router2(config-router)#no auto-summary

Now, configuring eigrp on router3:

router3(config)#router eigrp 100
router3(config-router)#network 10.1.2.0
router3(config-router)#no auto-summary

We will now set up SSH on router 3:

router3(config)#ip domain name GeeksforGeeks.com
router3(config)#username saurabh password cisco
router3(config)#line vty 0 4
router3(config-line)#transport input ssh
router3(config-line)#login local 
router3(config)#crypto key generate rsa label Cisco.com modulus 1024

On router 2, we will now create an Access-list through which we will block all traffic aside from EIGRP because EIGRP ensures that all routers can still communicate with one another.

router2(config)#ip Access-list extended 100
router2(config-ext-nacl)#permit eigrp any any 
router2(config-ext-nacl)#deny ip any any

Applying it now to the user interface:

router2(config)#int fa0/1
router2(config-if)#ip access-group 100 in

Now that we have applied access-list, which will only accept Eigrp packets and deny all other packets, router1 will no longer be able to ssh router3.

Now, set up CBAC on router 2 to examine ssh traffic (Only traffic that will be examined by the IoS router operating CBAC will be permitted.)

router2(config)#!cbac
router2(config)#ip inspect name Cisco ssh

While the second command will examine the ssh traffic, the first command (!cbac) will enable the cbac feature.

Now, examining the interface through inspection

router2(config)#int fa0/1
router2(config-if)#ip inspect cisco out

Now that the ssh packet has been examined by router2 before leaving the outbound (fa0/1) interface, router1 will be able to ssh router3 (as we have configured).

This is corroborated by:

Note: Because we only want traffic coming from outside the network that was started by the inside network, Access-list has been applied inbound and CBAC has been applied out (10.1.1.1). To temporarily allow return packets to pass through the Access-list applied to the interface (into fa0/1) when CBAC is applied outbound, temporary holes are created on the ACL.

Limitations -

Some of the cbac mechanisms' drawbacks include:

Because it requires in-depth knowledge of the protocols and operations we want to carry out, CBAC is not easy to understand.
The CBAC mechanism is unable to inspect traffic that originates from the router (on which CBAC has been configured).
No support for stateful table fail over. As a CBAC firewall, another redundant router can be used if one fails, but because the state table cannot be duplicated, it must be rebuilt, which requires rebuilding some connections.
Unlike IPsec, it does not inspect encrypted packets.

Next TopicCristian's Algorithm

← prev next →