Context-Based Access Control (CBAC) is a per-application control mechanism that adds advanced traffic filtering functionality to firewalls that isn’t limited, as are access lists, to examining packets at the network or transport layer. While CBAC examines both of these layers, it also examines the application-layer protocol data to monitor the state of a given TCP or UDP session. This means, as multiple channels are created or used by applications such as SQL*Net, FTP, and RPC, CBAC can respond by creating temporary openings in the firewall access lists to allow return traffic and additional data connections for specified sessions that originated from within the protected network. This application-layer awareness and capability to evolve with the traffic is beyond the capabilities of access list technologies.
Quick Access List Review:
Before continuing with CBAC, it’s important to be clear about how standard and extended ACLs work.
Standard ACLs filter only on source network addresses and are, therefore, limited to Layer 3 capabilities.
Extended ACLs are able to filter on port numbers, extending their reach into Layer 4.
In both cases, any ACL allowing traffic to enter a network is, in fact, a hole in the firewall or perimeter security that can possibly be exploited by others.
We also have reflexive ACLs: temporary ACL statements can be created for inbound traffic based on outbound traffic, reducing the risk of exploitation. Unfortunately, reflexive ACLs are limited to Layer 4 filters, like any other extended ACL. Furthermore, reflexive ACLs can’t deal with changes in port designations by the outside host, as happens with FTP: the outbound address/port combinations for the source and destination are “mirrored” to create the inbound openings. Another limitation of reflexive ACLs is that they’re limited to single-channel applications.
Advantages of CBAC:
CBAC can be configured to inspect and filter the following IP sessions and application-layer protocols:
All TCP sessions, regardless of the application-layer protocol (sometimes called single-channel or generic TCP inspection).
All UDP sessions, regardless of the application-layer protocol (sometimes called single-channel or generic UDP inspection).
CU-SeeMe (White Pine version only), an Internet videoconferencing program developed as freeware by Cornell University. WhitePine, Inc., sells an enhanced commercial version.
FTP. Third-party connections (three-way FTP transfer) are not supported. CBAC allows data channels with destination ports 1024 to 65535, and it won’t open a data channel if the FTP client-server authentication fails.
HTTP (Java blocking).
UNIX R-commands, such as rlogin, rexec, and rsh.
H.323, such as NetMeeting and ProShare.
Real-Time Streaming Protocol (RTSP).
Disadvantages of CBAC:
Only IP TCP and UDP traffic is inspected by CBAC, so ICMP traffic and any other Layer 3 protocols need to be filtered using extended ACLs.
Any traffic where the router is the source or destination won’t be inspected. CBAC will filter traffic passing through, but not traffic originating or terminating on that device.
Because CBAC only detects and protects against attacks that travel through the firewall, it doesn’t normally protect against attacks originating from within the protected network. Deploying CBAC on an intranet-based router is possible.
CBAC can’t inspect in-transit IPSec traffic. Because the IPSec traffic is encrypted, CBAC can’t interpret it and, therefore, drops it. CBAC and IPSec can only work together at a tunnel endpoint, by applying IPSec to the external interface and CBAC on the internal interface.
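The following IOS configuration is an added example, not from the original article, that ties the points above together: an inspection rule with generic TCP/UDP plus FTP and HTTP (Java blocking) inspection applied inbound on the protected interface, and a static extended ACL on the outside interface that CBAC punches temporary openings into. Interface names, addresses, the `FWRULE` name and ACL 51 are assumed values.

```cisco
! Added example (not the article's own config): CBAC on a perimeter router.
! Assumed topology: Fa0/0 = inside (10.1.1.0/24), Fa0/1 = outside (placeholder address).
!
! Inspection rule: generic TCP and UDP, application-aware FTP (tracks the data
! channel negotiated in the control session), and HTTP with Java applet blocking.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
ip inspect name FWRULE http java-list 51
!
! Standard ACL referenced by java-list: applets are allowed only from this
! assumed trusted source range; applets from anywhere else are blocked.
access-list 51 permit 192.0.2.0 0.0.0.255
!
! Outside-facing extended ACL. CBAC adds temporary entries for return traffic of
! inspected inside-originated sessions, so nothing here needs to permit them.
! ICMP is not inspected by CBAC (see the first disadvantage), so the replies the
! inside hosts need are permitted statically; everything else is denied and logged.
ip access-list extended OUTSIDE_IN
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any log
!
interface FastEthernet0/0
 description inside (protected) network
 ip address 10.1.1.1 255.255.255.0
 ip inspect FWRULE in
!
interface FastEthernet0/1
 description outside
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE_IN in
!
! Session timers (assumed typical values): how long an idle opening stays in place.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! Verification (run from privileged EXEC):
!   show ip inspect sessions   - dynamic openings created for inside-originated sessions
!   show ip inspect config     - inspection rules and timers currently in effect
```

Traffic the router itself originates (for example its own pings or syslog) is not inspected, so if it needs replies from outside, those must also be permitted statically in OUTSIDE_IN.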