Context-Based Access Control (CBAC) is a per-application control mechanism of the Cisco IOS Firewall that adds advanced, stateful traffic filtering to the router. Unlike access lists, it isn’t limited to examining packets at the network or transport layer: while CBAC examines both of these layers, it also examines application-layer protocol data to track the state of a given TCP or UDP session. This means that, as multiple channels are created or used by applications such as SQL*Net, FTP, and RPC, CBAC can respond by creating temporary openings in the firewall access lists to allow return traffic and additional data connections for sessions that originated from within the protected network. This application-layer awareness, and the ability to adapt the filter as the traffic evolves, is beyond the capabilities of access list technologies.
Quick Access List Review:
Before continuing with CBAC, it’s important to be clear about how standard and extended ACLs work.
Standard ACLs filter only on source network addresses and are, therefore, limited to Layer 3 capabilities.
Extended ACLs filter on source and destination addresses, IP protocol and port numbers, extending their reach into Layer 4.
In both cases, any ACL entry allowing traffic to enter a network is a permanent hole in the firewall or perimeter security that an outsider can probe and possibly exploit.
Reflexive ACLs improve on this: temporary ACL entries are created for inbound traffic based on observed outbound traffic, which reduces the window of exposure. Unfortunately, reflexive ACLs are limited to Layer 4 filtering, like any other extended ACL. The outbound address/port combinations for source and destination are simply “mirrored” to create the inbound openings, so reflexive ACLs can’t deal with applications such as FTP, where the outside host negotiates a different port for the data connection. For the same reason, reflexive ACLs only work for single-channel applications.
Advantages of CBAC:
CBAC can be configured to inspect and filter the following IP sessions and application-layer protocols:
All TCP sessions, regardless of the application-layer protocol (sometimes called single-channel or generic TCP inspection).
All UDP sessions, regardless of the application-layer protocol (sometimes called single-channel or generic UDP inspection).
CU-SeeMe (White Pine version only), an Internet videoconferencing program developed as freeware by Cornell University. WhitePine, Inc., sells an enhanced commercial version.
FTP. CBAC’s FTP inspection doesn’t support third-party connections (three-way FTP transfer), where the data connection goes to a host other than the control-connection client. It allows data channels with destination ports 1024 to 65535, and it won’t open a data channel if the FTP client-server authentication fails.
HTTP (with Java applet blocking).
UNIX R-commands, such as rlogin, rexec, and rsh.
H.323, such as NetMeeting and ProShare.
Real-Time Streaming Protocol (RTSP).
Disadvantages of CBAC:
Only TCP and UDP traffic is inspected by CBAC, so ICMP and any other IP protocol must still be permitted or denied statically using extended ACLs.
Traffic where the router itself is the source or destination isn’t inspected. CBAC filters traffic passing through the device, not traffic originating or terminating on it, so such traffic (routing protocol updates, management sessions, the router’s own DNS queries) must be permitted explicitly in the interface ACL.
Because CBAC only detects and protects against attacks that travel through the firewall, it doesn’t normally protect against attacks originating from within the protected network. Deploying CBAC on an intranet-based router is possible, however.
CBAC can’t inspect in-transit IPSec traffic. Because the IPSec traffic is encrypted, CBAC can’t interpret it and, therefore, drops it. CBAC and IPSec can only work together at the tunnel endpoint, by applying IPSec to the external interface and CBAC on the internal interface.
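As an added example (not configuration from the original page), here is how the pieces above fit together on a two-interface Cisco IOS router: the inspection rule lists the protocols CBAC tracks for sessions started from inside, the extended ACL on the outside interface denies everything that isn’t a return packet for an inspected session, and the static ICMP and router-bound entries cover the two gaps CBAC leaves. The interface names, the addresses (RFC 5737 documentation ranges), the rule name FWRULE, ACL 51 and the DNS server address are assumptions.

```ios
! Added example, not from the original page. Interface names, addresses,
! the rule name FWRULE, ACL 51 and the DNS server are assumptions.
!
! 1. Inspection rule: what CBAC tracks for sessions leaving the inside network.
!    Generic single-channel TCP and UDP inspection
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!    FTP: PORT/PASV is parsed so the negotiated data channel gets a pinhole
ip inspect name FWRULE ftp
!    HTTP with Java applet blocking; applets are allowed only from ACL 51 hosts
ip inspect name FWRULE http java-list 51
!    Multi-channel application protocols and the UNIX r-commands
ip inspect name FWRULE h323
ip inspect name FWRULE rtsp
ip inspect name FWRULE rcmd
!
! 2. Log session start/stop to syslog and bound how long idle pinholes live.
ip inspect audit-trail
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! 3. Standard ACL referenced by java-list: trusted sources of Java applets.
access-list 51 permit 192.0.2.0 0.0.0.255
!
! 4. Inbound filter on the outside interface. CBAC inserts temporary permit
!    entries at the top of this ACL for return traffic of inspected sessions;
!    anything not matched by those or by the static entries below is dropped.
ip access-list extended OUTSIDE-IN
 remark ICMP is not inspected by CBAC: allow only what is needed, statically
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 remark traffic to the router itself is not inspected either, e.g. its DNS replies
 permit udp host 198.51.100.53 eq 53 host 203.0.113.2
 deny ip any any log
!
! 5. Apply the ACL inbound and the inspection rule outbound on the same interface.
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FWRULE out
!
interface FastEthernet0/1
 description Inside
 ip address 10.0.0.1 255.255.255.0
!
! Verification (exec mode):
!   show ip inspect sessions        - tracked sessions and their pinholes
!   show ip access-lists OUTSIDE-IN - temporary entries CBAC has inserted
```

The inspection rule is applied in the direction the sessions leave the protected network (outbound on the outside interface) and the ACL in the opposite direction on the same interface; applying the rule inbound on the inside interface works the same way. Because the ACL ends in deny ip any any log, every packet that reaches the router without a matching inspected session is logged, which makes the pinholes CBAC opens the only way in.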