Context based Access Control (CBAC)
In recent times, Access-list (ACL) were used for packet filtering and protection. ACL works on the sequence of rules provided by the administrator. The rules consist of various permit and deny conditions. But disadvantage of ACL is that it filters the traffic upto transport layer only.
Therefore, for a low budget firewall functionality, a Cisco router with the proper IOS version is used. We can implement IOS based firewall by 2 methods:
- Context Based Access Control (CBAC) features
- Zone based firewall
Context access based control (CBAC) –
The ACLs provide traffic filtering and protection to the transport layer while on the other hand, CBAC provides the same function upto the application layer. With the help of CBAC configuration, the router can act as a firewall.
CBAC just works like a reflexive Access-list but in addition to it, it maintains a state table in which the sessions are maintained in memory. When a session is initiated by the device within the network, a dynamic entry is put in the state table and the outbound (going out) traffic is allowed to pass through the router(IoS based firewall). By the help of this entry, the reply of outbound traffic can pass the router (IoS based firewall) as it has an entry for the traffic initiated within the network. This is achieved by IoS based firewall CBAC mechanism as it opens temporary holes on access list (applied to the inbound traffic) to allow reply packets .
Features – Some of the features of CBAC are:
- Inspecting traffic – CBAC maintains TCP /UDP information which is needed to perform deeper inspection in packet payload.
- Filtering traffic – CBAC filters the traffic which is originated from a trusted network and goes out through the firewall and allows replies only if it has an entry in the state table. It has the ability to filter the traffic intelligently upto layer 7.
- Detecting intrusion – CBAC examines the rate at which the connection has been established by which it can detect attacks like Dos attack, TCP syn attack etc. On the basis of this, CBAC mechanism can cause a connection to reestablish or drop malicious packets.
- Generating alerts and audits – The router operating CBAC mechanism log information about connections established, number of bytes sent, source and destination IP address.
There are 3 routers namely router1 (ip address – 10.1.1.1/24 on fa0/0), router2 (ip address-10.1.1.2/24 on fa0/0 and 10.1.2.1/24 on fa0/1) and router3 (ip address – 10.1.2.2/24). First, we will give routes, through EIGRP, to all the routers so that routers will be able to ping each other.
After that We will make router3 as ssh server and router2(on which CBAC will be operating) will allow the traffic only if the traffic has been inspected by router2.
First configuring EIGRP on router1:
router1(config)#router eigrp 100 router1(config-router)#network 10.1.1.0 router1(config-router)#no auto-summary
Now, configuring EIGRP on router2 to reach other networks:
router2(config)#router eigrp 100 router2(config-router)#network 10.1.1.0 router2(config-router)#network 10.1.2.0 router2(config-router)#no auto-summary
Now, configuring eigrp on router3:
router3(config)#router eigrp 100 router3(config-router)#network 10.1.2.0 router3(config-router)#no auto-summary
Now, we will configure ssh on router3:
router3(config)#ip domain name GeeksforGeeks.com router3(config)#username saurabh password cisco router3(config)#line vty 0 4 router3(config-line)#transport input ssh router3(config-line)#login local router3(config)#crypto key generate rsa label Cisco.com modulus 1024
Now, we will make an Access-list on router2 by which we will deny all the traffic except EIGRP because EIGRP will maintain the reachability to all the routers.
router2(config)#ip Access-list extended 100 router2(config-ext-nacl)#permit eigrp any any router2(config-ext-nacl)#deny ip any any
Now, applying it to the interface:
router2(config)#int fa0/1 router2(config-if)#ip access-group 100 in
Now, router1 will not able to ssh router3 as we have applied access-list which will accept Eigrp packets only and deny all other packets.
Now, configure CBAC on router2 to inspect the ssh traffic (Only that traffic will be allowed which will be inspected by the IoS router operating CBAC.
router2(config)#!cbac router2(config)#ip inspect name Cisco ssh
The first command (!cbac) will enable cbac feature while the second command will inspect the ssh traffic.
Now, applying inspection to the interface:
router2(config)#int fa0/1 router2(config-if)#ip inspect cisco out
Now, router1 will able to ssh router3 as the ssh packet is first inspected by the router2 when it leaves the outbound (fa0/1) interface (as we have configured).
This can be verified by:
router2#show ip inspect all
Here, Access-list has been applied inbound and CBAC has been applied out because we want only that traffic to come from outside the network which has been initiated by the inside network (10.1.1.1). CBAC which is applied outbound to the interface (into fa0/1) create temporary holes on the Access-list applied inbound to the interface to allow return packets through the ACL.
Limitations – Some of the limitations of cbac mechanisms are:
- CBAC is not simple to understand i.e it requires detailed knowledge of protocols and operations we want to perform.
- CBAC mechanism cannot inspect traffic originated from the router (on which we have configured CBAC) itself.
- No stateful table fail over support. If one router fails then another redundant router can be used as a CBAC firewall but the state table will not get duplicated therefore state table has to be rebuild causing some connection to be rebuilt.
- It does not inspect encrypted packets such as IPsec.