Features of CBAC
- Inspecting Traffic – CBAC maintains TCP/UDP session information, which is needed to perform deeper inspection of the packet payload.
- Filtering Traffic – CBAC filters the traffic that originates from a trusted network and goes out through the firewall, and allows replies only if they have an entry in the state table. It has the ability to filter traffic intelligently up to layer 7.
- Detecting Intrusion – CBAC examines the rate at which connections are being established, which lets it detect attacks such as DoS attacks and TCP SYN attacks. On this basis, the CBAC mechanism can reset the connection or drop the malicious packets.
- Generating Alerts and Audits – A router running CBAC logs information about the connections established, the number of bytes sent, and the source and destination IP addresses.
Configuration
There are three routers: router1 (IP address 10.1.1.1/24 on fa0/0), router2 (10.1.1.2/24 on fa0/0 and 10.1.2.1/24 on fa0/1) and router3 (10.1.2.2/24). First, we will advertise routes through EIGRP on all the routers so that they can ping each other.
After that, we will make router3 an SSH server, and router2 (on which CBAC will be operating) will allow the traffic only if it has been inspected by router2.
First, configuring EIGRP on router1:
router1(config)#router eigrp 100
router1(config-router)#network 10.1.1.0
router1(config-router)#no auto-summary
Now, configuring EIGRP on router2 to reach other networks:
router2(config)#router eigrp 100
router2(config-router)#network 10.1.1.0
router2(config-router)#network 10.1.2.0
router2(config-router)#no auto-summary
Now, configuring EIGRP on router3:
router3(config)#router eigrp 100
router3(config-router)#network 10.1.2.0
router3(config-router)#no auto-summary
Now, we will configure SSH on router3:
router3(config)#ip domain name w3wiki.com
router3(config)#username saurabh password cisco
router3(config)#line vty 0 4
router3(config-line)#transport input ssh
router3(config-line)#login local
router3(config-line)#exit
router3(config)#crypto key generate rsa label Cisco.com modulus 1024
Now, we will make an access-list on router2 that denies all traffic except EIGRP, because EIGRP maintains reachability between the routers.
router2(config)#ip access-list extended 100
router2(config-ext-nacl)#permit eigrp any any
router2(config-ext-nacl)#deny ip any any
router2(config-ext-nacl)#exit
Now, applying it to the interface:
router2(config)#int fa0/1
router2(config-if)#ip access-group 100 in
router2(config-if)#exit
Now, router1 will not be able to SSH to router3, as we have applied an access-list that accepts EIGRP packets only and denies all other packets.
Now, configure CBAC on router2 to inspect the SSH traffic (only traffic that has been inspected by the IOS router operating CBAC will be allowed).
router2(config)#!cbac
router2(config)#ip inspect name Cisco ssh
The first command (!cbac) will enable the CBAC feature, while the second command will inspect the SSH traffic.
Now, applying inspection to the interface:
router2(config)#int fa0/1
router2(config-if)#ip inspect Cisco out
router2(config-if)#end
Now, router1 will be able to SSH to router3, as the SSH packet is first inspected by router2 when it leaves the outbound (fa0/1) interface (as we have configured).
This can be verified by:
router2#show ip inspect all
Note – Here, the access-list has been applied inbound and CBAC outbound because we want only the traffic that was initiated by the inside network (10.1.1.1) to come in from outside. CBAC, applied outbound on fa0/1, creates temporary holes in the access-list applied inbound on the same interface, so that the return packets pass through the ACL.
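As an added illustration (not from the original article), the following Python model shows the mechanism in the note above: the inbound ACL on fa0/1 permits only EIGRP, and outbound inspection of SSH records a session entry that lets the matching return packet through. The packet fields and the session-table shape are a deliberate simplification of the IOS behaviour.

```python
# Constructed model of router2 from the article: ACL 100 inbound on fa0/1
# (permit eigrp any any / deny ip any any) plus "ip inspect Cisco out".
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str      # "eigrp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Router2:
    inspect_ports: frozenset = frozenset({22})   # "ip inspect name Cisco ssh"
    sessions: set = field(default_factory=set)   # CBAC state table

    def acl_100_in(self, p: Packet) -> bool:
        """ACL 100 inbound on fa0/1: permit eigrp any any, deny ip any any."""
        return p.proto == "eigrp"

    def egress_fa0_1(self, p: Packet) -> None:
        """'ip inspect Cisco out': record sessions leaving fa0/1 that match the rule."""
        if p.proto == "tcp" and p.dport in self.inspect_ports:
            self.sessions.add((p.src, p.sport, p.dst, p.dport))

    def ingress_fa0_1(self, p: Packet) -> bool:
        """Packet arriving on fa0/1: a temporary hole exists only for inspected sessions."""
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True
        return self.acl_100_in(p)


def demo() -> dict:
    """Replay the article's scenario and report which packets router2 accepts."""
    r2 = Router2()
    eigrp_hello = Packet("eigrp", "10.1.2.2", "224.0.0.10")
    ssh_syn = Packet("tcp", "10.1.1.1", "10.1.2.2", 51234, 22)      # router1 -> router3
    ssh_reply = Packet("tcp", "10.1.2.2", "10.1.1.1", 22, 51234)    # router3 -> router1
    unsolicited = Packet("tcp", "10.1.2.2", "10.1.1.1", 40000, 22)  # outside-initiated
    results = {"eigrp_in": r2.ingress_fa0_1(eigrp_hello),
               "reply_before_inspect": r2.ingress_fa0_1(ssh_reply)}
    r2.egress_fa0_1(ssh_syn)  # router1's SSH leaves fa0/1 and is inspected
    results["reply_after_inspect"] = r2.ingress_fa0_1(ssh_reply)
    results["unsolicited_from_outside"] = r2.ingress_fa0_1(unsolicited)
    return results


if __name__ == "__main__":
    print(demo())
```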
Context Based Access Control (CBAC)
In a dynamic network security environment, CBAC remains an important technology for securing the network against unauthorized access and malicious activity. It enables granular control of network policies, maximizing security while maintaining flexibility and functionality.
Traditionally, Access Control Lists (ACLs) have been used for packet filtering and protection. An ACL works on a sequence of rules provided by the administrator, consisting of permit and deny conditions. The disadvantage of an ACL, however, is that it filters traffic only up to the transport layer.
CBAC is a sophisticated security mechanism used at the network layer to control traffic flow based on contextual parameters. Unlike traditional access-control methods that rely solely on static rules and fixed conditions, CBAC evaluates access in real time, considering a wide range of contextual factors to make informed access decisions.
Therefore, for low-budget firewall functionality, a Cisco router with a suitable IOS version can be used. An IOS-based firewall can be implemented in two ways:
- Context-Based Access Control (CBAC) features
- Zone-based firewall