
Context Based Access Control (CBAC)

Last Updated : 11 Feb, 2024

Context-Based Access Control (CBAC) is the stateful inspection feature of the Cisco IOS Firewall. It lets a router decide, per session and with information up to the application layer, which traffic may enter the network, so that unauthorized access from outside is blocked while sessions started from the inside keep working. This gives granular control over traffic policy without sacrificing the flexibility that a static filter cannot offer.

Traditionally, Access Control Lists (ACLs) have been used for packet filtering. An ACL is a sequence of permit and deny rules written by the administrator and evaluated top-down against each packet. The limitation of an ACL is that it is stateless and can only match fields up to the transport layer (IP addresses, protocol, ports and TCP flags); it cannot tell whether an inbound packet is the reply to a session that an inside host opened.

CBAC is not a protocol but a Cisco IOS Firewall feature. Instead of relying only on static rules, it inspects the packets of sessions that leave the trusted network, records their state, and uses that state (together with application-layer protocol information for the protocols it understands) to decide in real time which returning packets are allowed in.

A Cisco router running an IOS image with the firewall feature set therefore provides low-budget firewall functionality. An IOS-based firewall can be implemented in two ways: 

  • Context-Based Access Control (CBAC) features 
  • Zone-based firewall  

Context-Based Access Control (CBAC)

ACLs filter traffic using information up to the transport layer; CBAC adds filtering based on session state and application-layer information. With CBAC configured, the router acts as a stateful firewall. The Cisco IOS Firewall Feature Set's CBAC component continually monitors the sessions that pass through the router. Access lists still decide statically what traffic is allowed in and what is allowed out; inspection rules, defined with ip inspect statements, examine the application-layer protocol information of outgoing sessions so that only the matching return traffic reaches the hosts behind the firewall.

Working of CBAC

CBAC works like a reflexive access list, but in addition it maintains a state table in which the active sessions are kept in memory. When a device inside the network initiates a session, the outbound traffic is allowed through the router (the IOS-based firewall) and a dynamic entry is placed in the state table. Using this entry, the replies to that outbound traffic can pass back through the router, because the router knows the session was initiated from inside. CBAC achieves this by opening temporary holes in the access list applied to the inbound traffic, just wide enough to admit the reply packets of the recorded session; the entry (and the hole) is removed when the session closes or its idle timer expires. 

Features of CBAC

  • Inspecting Traffic – CBAC keeps TCP and UDP session information and, for the application protocols it understands, looks into the packet payload to track the session. 
  • Filtering Traffic – CBAC records traffic that originates from the trusted network and leaves through the firewall, and allows replies only if they match an entry in the state table. It can filter intelligently up to layer 7. 
  • Detecting Intrusion – CBAC tracks the rate at which connections are established and the number of half-open (incomplete) connections, which lets it detect DoS attacks such as TCP SYN floods. When configured thresholds are exceeded it can reset or drop the offending sessions. 
  • Generating Alerts and Audits – A router running CBAC logs information about each session: source and destination IP addresses, when the connection was established, and the number of bytes sent. 

Configuration

CBAC lab topology

There are three routers: router1 (ip address 10.1.1.1/24 on fa0/0), router2 (ip address 10.1.1.2/24 on fa0/0 and 10.1.2.1/24 on fa0/1) and router3 (ip address 10.1.2.2/24). First, we will give routes, through EIGRP, to all the routers so that they are able to ping each other. 
After that we will make router3 an SSH server, and router2 (on which CBAC will be operating) will allow the return traffic only if the session has been inspected by router2. 

First configuring EIGRP on router1: 

router1(config)#router eigrp 100
router1(config-router)#network 10.1.1.0
router1(config-router)#no auto-summary

Now, configuring EIGRP on router2 to reach other networks: 

router2(config)#router eigrp 100
router2(config-router)#network 10.1.1.0
router2(config-router)#network 10.1.2.0
router2(config-router)#no auto-summary

Now, configuring eigrp on router3: 

router3(config)#router eigrp 100
router3(config-router)#network 10.1.2.0
router3(config-router)#no auto-summary

Now, we will configure ssh on router3: 

router3(config)#ip domain name GeeksforGeeks.com
router3(config)#username saurabh secret cisco
! the RSA key pair must exist before SSH can accept connections;
! 1024-bit keys are weak, 2048 is the usual minimum today
router3(config)#crypto key generate rsa label Cisco.com modulus 2048
router3(config)#ip ssh version 2
router3(config)#line vty 0 4
router3(config-line)#transport input ssh
router3(config-line)#login local

Now, we will create an access list on router2 that denies all traffic except EIGRP, because EIGRP maintains reachability between the routers. 

router2(config)#ip access-list extended 100
router2(config-ext-nacl)#permit eigrp any any
router2(config-ext-nacl)#deny ip any any

Now, applying it to the interface: 

router2(config)#int fa0/1
router2(config-if)#ip access-group 100 in

Now, router1 will not be able to SSH to router3, because the access list applied inbound on fa0/1 accepts only EIGRP packets and denies everything else, including the SSH replies from router3. 
Next, configure CBAC on router2 to inspect SSH traffic. Only return traffic belonging to a session that the router has inspected will be allowed back in. 

router2(config)#ip inspect name Cisco ssh

This command defines an inspection rule named Cisco that inspects SSH. There is no separate command that switches CBAC on: defining an inspection rule with ip inspect name and applying it to an interface is what enables it. (A line beginning with ! is only a comment in IOS and does nothing.) 
Now, applying inspection to the interface: 

router2(config)#int fa0/1
router2(config-if)#ip inspect Cisco out

Now, router1 will be able to SSH to router3, because the SSH packet is inspected by router2 as it leaves the outbound interface (fa0/1), and the state-table entry created by that inspection lets the replies through the inbound access list. 
This can be verified with the following command, which shows the configured inspection rules, the interfaces they are applied to, and the current sessions: 

router2#show ip inspect all

Note – Here the access list has been applied inbound and CBAC has been applied outbound, because we want only that traffic to come in from outside which belongs to a session initiated by the inside network (10.1.1.1). CBAC, applied outbound on fa0/1, creates temporary holes in the access list applied inbound on the same interface so that the return packets pass the ACL. Note that the inspection rule name is case-sensitive, so the name used in ip inspect name and in the interface command must match exactly.
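The state-table behaviour described under Working of CBAC and configured in the walkthrough above, as a constructed Python model added by the editor (not Cisco code and not from the original article). It models router2's fa0/1: ACL 100 inbound (permit eigrp, deny ip) and the ssh inspection rule applied outbound, plus a simplified version of the half-open-connection limit that the Detecting Intrusion feature relies on. The packets, addresses and the max-incomplete value of 3 are constructed for the example; real CBAC uses separate high and low watermarks and protocol-specific timers that are not modelled here.

```python
"""Toy model of CBAC-style stateful inspection (constructed example, not Cisco code).

Models router2's fa0/1 from the walkthrough: ACL 100 applied inbound
(permit eigrp any any / deny ip any any) and `ip inspect Cisco ssh` applied
outbound, plus a simplified half-open-session limit.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

EIGRP, TCP = 88, 6   # IP protocol numbers
SSH = 22


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""   # TCP flags as letters: "S", "SA", "A", "FA", "R"


Key = Tuple[int, str, str, int, int]   # proto, src, dst, sport, dport


class CbacRouter:
    def __init__(self, inspect_ports: List[int], max_incomplete: int = 3):
        self.inspect_ports = set(inspect_ports)   # ports covered by the inspect rule
        self.sessions: Dict[Key, bool] = {}        # state table: key -> established?
        self.max_incomplete = max_incomplete       # stands in for ip inspect max-incomplete high
        self.aggressive_drops = 0                  # half-open sessions evicted

    @staticmethod
    def acl_100_in(pkt: Packet) -> bool:
        """ACL 100: permit eigrp any any, then deny ip any any."""
        return pkt.proto == EIGRP

    def half_open(self) -> int:
        return sum(1 for established in self.sessions.values() if not established)

    def send_out(self, pkt: Packet) -> str:
        """Packet leaving fa0/1 (inside -> outside). Nothing is filtered outbound,
        but sessions of inspected protocols are recorded in the state table."""
        if pkt.proto != TCP or pkt.dport not in self.inspect_ports:
            return "PERMIT-UNINSPECTED"
        key: Key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if pkt.flags == "S":                      # new session: open a temporary hole
            if self.half_open() >= self.max_incomplete:
                # simplified aggressive mode: evict the oldest half-open session
                oldest = next(k for k, est in self.sessions.items() if not est)
                del self.sessions[oldest]
                self.aggressive_drops += 1
            self.sessions[key] = False
            return "INSPECT-NEW"
        if key in self.sessions and ("F" in pkt.flags or "R" in pkt.flags):
            del self.sessions[key]                # session closed: hole removed
            return "INSPECT-CLOSE"
        return "INSPECT-EXISTING" if key in self.sessions else "PERMIT-UNINSPECTED"

    def receive_in(self, pkt: Packet) -> str:
        """Packet arriving on fa0/1 (outside -> inside): static ACL first,
        then the temporary holes opened by inspection."""
        if self.acl_100_in(pkt):
            return "PERMIT-ACL"
        reverse: Key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if reverse not in self.sessions:
            return "DENY-ACL"                     # not a reply to an inside-initiated session
        if pkt.flags == "SA":
            self.sessions[reverse] = True         # handshake answered: no longer half-open
        return "PERMIT-CBAC"


def run_lab() -> Dict[str, object]:
    """Replays the walkthrough scenario plus a SYN flood; all packets are constructed."""
    r = CbacRouter(inspect_ports=[SSH], max_incomplete=3)
    out: Dict[str, object] = {}
    out["eigrp"] = r.receive_in(Packet(EIGRP, "10.1.2.2", "224.0.0.10"))
    out["unsolicited_ssh"] = r.receive_in(Packet(TCP, "10.1.2.2", "10.1.1.1", 40000, SSH, "S"))
    r.send_out(Packet(TCP, "10.1.1.1", "10.1.2.2", 51000, SSH, "S"))      # router1 -> router3
    out["ssh_reply"] = r.receive_in(Packet(TCP, "10.1.2.2", "10.1.1.1", SSH, 51000, "SA"))
    out["half_open_after_handshake"] = r.half_open()
    for sport in range(52000, 52005):           # five SYNs that never get answered
        r.send_out(Packet(TCP, "10.1.1.1", "10.1.2.2", sport, SSH, "S"))
    out["half_open_after_flood"] = r.half_open()
    out["aggressive_drops"] = r.aggressive_drops
    out["evicted_reply"] = r.receive_in(Packet(TCP, "10.1.2.2", "10.1.1.1", SSH, 52000, "SA"))
    r.send_out(Packet(TCP, "10.1.1.1", "10.1.2.2", 51000, SSH, "FA"))     # inside closes the session
    out["after_close"] = r.receive_in(Packet(TCP, "10.1.2.2", "10.1.1.1", SSH, 51000, "A"))
    return out


if __name__ == "__main__":
    for name, value in run_lab().items():
        print(f"{name:28} {value}")
```

Running the script shows the three behaviours the article describes: EIGRP is admitted by the static ACL, an unsolicited inbound SSH SYN is denied, and the SYN-ACK reply to the session router1 opened is admitted through the temporary hole. It also shows why the half-open limit matters: once three unanswered SYNs are outstanding, each further SYN evicts the oldest half-open entry, so the late reply to port 52000 is dropped. The real thresholds are configured with ip inspect max-incomplete high / low and ip inspect one-minute high / low.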

Advantages of CBAC

  • Detection and mitigation of denial-of-service attacks through half-open connection thresholds.
  • Real-time alerts and audit trails of sessions.
  • With CBAC you can permit far less traffic than with static access lists while keeping the same functionality, because only replies to inside-initiated sessions are let in.
  • CBAC blocks some common ways in which protocols are abused, because it checks that session traffic conforms to the protocol it is inspecting.

Drawbacks of CBAC

  • CBAC is not simple to configure correctly: it requires detailed knowledge of the protocols being inspected and of what each inspection rule does. 
  • CBAC cannot inspect traffic that originates from the router on which it is configured. 
  • There is no stateful failover: a second router can be used as a redundant CBAC firewall if the first one fails, but because the state table is not replicated, existing sessions have to be re-established. 
  • It cannot inspect encrypted packets, such as IPsec-protected traffic.  

Conclusion

  • Context-Based Access Control (CBAC) is a Cisco IOS feature that provides a stateful firewall with application-layer filtering, working across several OSI layers.
  • CBAC provides traffic filtering, traffic inspection, intrusion detection, and alert and audit features.
  • CBAC works like a reflexive access list, but it also maintains a state table and inspects application-layer protocols, so it can handle multi-channel protocols such as FTP that a reflexive access list cannot follow.
  • In the configuration example, all routers first learn their routes through the Enhanced Interior Gateway Routing Protocol (EIGRP) so that they can ping one another.
  • CBAC can be challenging to master because it requires a thorough understanding of the protocols being inspected.

Frequently Asked Questions on Context Based Access Control (FAQs)

What is CBAC?

Context-Based Access Control (CBAC) is a Cisco IOS Firewall feature that uses application-layer protocol session information to intelligently filter TCP and UDP packets. It can be used at the boundary to the Internet, to extranets, and between intranet segments.

How does CBAC handle stateful packet inspection?

CBAC keeps a state table of TCP and UDP sessions and, for the protocols it understands (such as FTP), parses application-layer information to learn which additional connections belong to a session. It also counts half-open (incomplete) TCP connections; once the configured thresholds are exceeded (set with ip inspect max-incomplete high / low and ip inspect one-minute high / low), it enters aggressive mode and deletes the oldest half-open sessions, which limits TCP SYN flood attacks.

What is the primary purpose of CBAC?

CBAC determines which traffic is allowed into the network by admitting only the return traffic of sessions that were initiated from the trusted side and inspected by the router.

What types of traffic can CBAC inspect and control?

CBAC can inspect and control generic TCP and UDP sessions, ICMP, and a set of application-layer protocols it understands (for example FTP, SMTP, HTTP and the SSH inspection used above), as well as other IP protocols.


