
CCNA Security Certification Tutorial:

The Cisco IOS Firewall Set (Part 3)

The IP Inspect Command And CBAC

Chris Bryant, CCIE #12933

 

In the first and second installments of this CCNA Security exam tutorial, we compared stateless and stateful filtering and reviewed our ACL options.

I mentioned CBAC briefly at the end of Part 2 - so let's pick up there!

The "ip inspect" Command And CBAC

I often say that Cisco features have "the name is the recipe" names, and that's true of CBAC - Context-Based Access Control.

The name tells us it's some form of access control, and it is, but it's the "context-based" part that makes CBAC so powerful.  Here are just some of CBAC's features:

Filtering incoming TCP and UDP packets, allowing them to enter the trusted network only if the connection was initiated by an inside host, which in turn helps to prevent TCP SYN attacks.

CBAC keeps track of TCP sequence numbers, dropping packets with numbers indicating that the packet is not part of an established connection.

Prevention of downloading malicious Java applets through Java Blocking.

CBAC will punch a temporary hole in the firewall that will allow appropriate replies to traffic leaving the trusted network. 

For example, if a user opens a Telnet connection from the trusted network, CBAC would record that information in its session table and would allow return Telnet traffic from the particular destination specified by the inside host.  Telnet traffic from the outside that is not part of that particular connection would be dropped.

How CBAC Defends Against TCP SYN Attacks

CBAC can monitor any or all of the following values to detect potential TCP SYN attacks:

Overall total of incomplete TCP sessions

Number of incomplete TCP sessions in a certain amount of time

Number of incomplete TCP sessions on a per-host basis

When any of these thresholds are reached, CBAC can be configured to take one of two actions:

Block all incoming SYN packets for a certain period of time

Transmit a RST (Reset) to both parties in the oldest incomplete session

Which Works First - The ACL or the Inspection Rule?

We reviewed ACL syntax in Part 2 for a reason - we use ACLs regularly in security-related configurations. If we have an ACL and an inspection rule in effect, the router has a decision to make.

If we have an ACL and an inspection rule configured on an interface and configured to operate in the same direction, one of them has to go first.  In this case, it's the ACL. 

The packet is matched against the ACL, and if the packet is permitted, the inspection rule is then put into action.  Naturally, if the packet is denied by the ACL, there's no need to inspect it!

We'll take an illustrated look at this process next.


Let's put that decision in context by taking a look at the overall CBAC operation.  We'll assume that we're inspecting FTP packets with CBAC - there are no default CBAC inspections; each one must be manually configured - and take a look at each decision and action along the way.

CBAC Inbound Packet

The packet is received on E0 and is ready to be transmitted by the router via S0, but there are two questions to be answered first:

Does the ACL on the external interface allow the traffic to exit?

If so, what action should the inspection rule take?

Assuming the ACL allows the packet, the packet is now inspected.  The router will make an entry in its state table, recording all pertinent information so that reply packets from an outside source can be permitted to enter the inside network. (Naturally, if the packet were denied by the ACL, that would be the end of the discussion!)

CBAC Outbound Packet

If the ACL permits the packet but inspection rules have not been defined for FTP, the packet would be permitted to exit the router without inspection.

Those reply packets will be allowed thanks to the creation of a temporary ACL entry (a "hole in the firewall"), and that entry is made at the very top of the untrusted interface's extended inbound ACL.

When the reply to the FTP packet comes back in, that temporary ACL entry will allow the packet to enter.  Handling FTP connections appropriately is a major benefit of stateful filtering over stateless filtering.

CBAC Dynamic ACL Entry Made

As this connection's incoming and outgoing packets continue to be forwarded, the state table on the router is continually updated. 

When the connection is ended or a timeout value is reached, the state table entry for this connection is removed, as is the temporary entry in the untrusted interface's inbound extended ACL.

I mentioned "untrusted interface's inbound extended ACL" twice for a reason.  While you can use a standard or extended ACL on the untrusted interface for outbound traffic, we need to use an extended ACL on the outside interface for inbound traffic to have the entire inspection process work correctly.  Those temporary ACL entries I mentioned can only be inserted into an extended ACL.

Extended ACL With CBAC

 

With that particular topology, you may choose to have traffic inspected as it arrives on the inside (trusted) interface or as it exits the outside (untrusted) interface.

There's another possibility we have to consider - what about traffic that's actually generated on that local router rather than arriving on an interface?

If you're going to inspect traffic that is actually generated on the router, you need to include the router-traffic option at the end of that particular ip inspect statement. 

 

R4(config)#ip inspect name FROMROUTER tcp ?
  alert           Turn on/off alert
  audit-trail     Turn on/off audit trail
  router-traffic  Enable inspection of sessions to/from the router
  timeout         Specify the inactivity timeout time
  <cr>

R4(config)#ip inspect name FROMROUTER tcp router-traffic
R4(config)#ip inspect name FROMROUTER udp router-traffic
R4(config)#ip inspect name FROMROUTER icmp router-traffic
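As an added example that is not part of the original tutorial, here is how the pieces described above (a per-protocol inspection rule, the TCP SYN-attack thresholds, the extended inbound ACL on the untrusted interface, the ACL-before-inspection ordering, and the router-traffic option) fit together in one IOS configuration. The interface names, the ACL numbers, the rule name OUTBOUND, the inside network 10.1.1.0/24 and the threshold values are assumptions.

```cisco
! Added example, not from the original tutorial. E0 = trusted (inside)
! interface, S0 = untrusted (outside) interface. Rule name, ACL numbers,
! addresses and threshold values are assumptions.
!
! 1. Inspection rule: one entry per protocol; nothing is inspected by default.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
! Sessions the router itself originates (e.g. its own pings) are only
! tracked if router-traffic is added to the entry.
ip inspect name OUTBOUND icmp router-traffic
!
! 2. TCP SYN-attack thresholds (half-open sessions). At the high mark CBAC
!    resets the oldest half-open sessions until the count drops to the low mark.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-host limit. block-time 0 = drop the oldest half-open session to that
! host; a non-zero value = block all new SYNs to that host for that many minutes.
ip inspect tcp max-incomplete host 50 block-time 0
! Log session creation/teardown so the temporary holes are auditable.
ip inspect audit-trail
!
! 3. Outbound ACL on S0: checked BEFORE the inspection rule. Only packets it
!    permits are inspected and recorded in the state table.
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
!
! 4. Inbound ACL on S0 MUST be an extended ACL: CBAC inserts the temporary
!    return-traffic entries at the top of this list. With only a deny, the
!    only traffic that gets in is a reply to a session CBAC has recorded.
access-list 110 deny ip any any log
!
interface Serial0
 ip access-group 120 out
 ip access-group 110 in
 ip inspect OUTBOUND out
!
! Verify: show ip inspect sessions     (state table, one line per session)
!         show ip inspect config       (rule, thresholds, timeouts)
```

Because ACL 110 has no permit statements of its own, any inbound packet that is not matched by a CBAC-created entry is dropped and logged, which is exactly the "Telnet from outside that is not part of that particular connection" case the tutorial describes.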

When it comes to traffic inspection, we have an option to use generic inspection - and we'll tackle that topic along with getting started with SDM on our CCNA Security tutorial page!


Chris Bryant

CCIE #12999

"The Computer Certification Bulldog"

chris@thebryantadvantage.com
