Context Based Access Control (CBAC)

Context Based Access Control or CBAC, is a feature of Cisco routers that allows you control traffic using application layer inspection. It works by modifying the access-list temporarily to allow access. Though it may sound similar to reflexive access-lists, there’s a major difference: CBAC can inspect upto the application layer, however reflexive access-lists can’t go beyond Layer 4.

Let’s get straight into configuration, I’ll talk more about CBAC features throughout this post:

Here’s the topology for the configuration:

CBAC

Scenario:

1. PC1 is in the trusted part of the network and PC2 is in the untrusted part of the network.

2. All traffic coming into the network from outside is denied.

3. Inside users should be allowed to ping outside hosts using CBAC.

Configuration

Step 1: Define an access-list for traffic from inside to outside

CBAC

Step 2: Define an access-list for traffic from outside to inside

CBAC

In this example, I’ve denied all traffic from outside to make the example easier.

The deny ip any any statement will deny any return traffic originating from inside. We’ll use CBAC to allow this return traffic.

Step 3: Configure CBAC to inspect the protocol of your choice

CBAC

Here I’ve created an inspection rule named IN-TO-OUT that inspects the ICMP protocol. You can configure inspection for more protocols using the same inspection rule name. Like ip inpsect name IN-TO-OUT http.

Step 4: Apply the access-lists to the interface

CBAC

 

CBAC

Now before we configure CBAC, lets see what happens when we try to ping from PC1 / 10.1.1.2 (host on the trusted side) to PC2 / 20.1.1.2 (host on the untrusted side)

CBAC

CBAC

As expected, the return traffic gets blocked by the deny ip any any rule.

Step 5: Apply the CBAC inspection rule on the interface

CBAC

Fa0/0 is the interface facing the trusted part of the network, and since we want all return ICMP traffic originating from the trusted network(i.e. entering into fa0/0) to be allowed, I’ve applied it inbound on fa0/0. Be sure to consider the interface and direction of CBAC configuration.

Now lets test again:

CBAC

CBAC

The command show ip inspect sessions shows that the session was created to allow return ICMP traffic.

Use the command ip inspect audit-trail to receive syslog messages whenever a new session is opened or an existing session is closed. The messages would be like the one below:

Jun 21 13:44:18.407: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (10.1.1.2:8) — responder (20.1.1.2:0)
Jun 21 13:44:34.103: %FW-6-SESS_AUDIT_TRAIL: Stop icmp session: initiator (10.1.1.2:8) sent 120 bytes — responder (20.1.1.2:0) sent 120 bytes

 

Some more interesting CBAC commands:

CERTVIDEOS(config)# ip inspect alert-off

The command ip inspect alert-off turns off the alert messages displayed on the console.

CERTVIDEOS(config)# ip inspect dns-timeout 10

The above command configures the DNS session timeout (in the absence of any activity) to 10 seconds.

CERTVIDEOS(config)# ip inspect log drop-pkt

The above command will cause all the dropped packets to be logged.

CERTVIDEOS(config)# ip inspect max-incomplete high 1500
CERTVIDEOS(config)# ip inspect max-incomplete low 500

A very high number of half-open sessions could indicate the possibility of a Denial-of-Service attack. Use the command ip inspect max-incomplete high to define the maximum number of half-open sessions that can exist on the router firewall. Once this value is crossed, CBAC will start deleting the half-open sessions until it drops below the value that has been configured with the command ip inspect max-incomplete low, in this case it is 500.

CERTVIDEOS(config)# ip inspect one-minute high 500
CERTVIDEOS(config)# ip inspect one-minute low 200

These two commands are similar to the one mentioned above, but these specify the maximum  and minimum values for a one minute interval.

CERTVIDEOS(config)# ip inspect tcp block-non-session

This command would block the packets that do not belong to an existing session through the firewall. At first it may sound that this will block all new packets. But here’s how it works: The command ip inspect tcp block-non-session first looks for the SYN bit in the packet. If there isn’t one (which means this isn’t a connection initiating packet), it will look for any existing session, if it doesn’t find one the packet would get dropped. However, if CBAC does find a SYN bit in the packet (which means this is a connection initiating packet), it would be subjected to other rules that apply for a new session creation, example – access lists.

CERTVIDEOS(config)# ip inspect tcp synwait-time 5

This command defines the number of seconds CBAC waits for the session to be established after the SYN bit has been sent. By default this is 30 seconds, which is way too high and should be reduced in a production environment to avoid wastage of router resources.

CERTVIDEOS(config)# ip inspect tcp finwait-time 2

This command defines the number of seconds CBAC waits for a FIN-exchange to complete. The default is 5 seconds, which is a bit high for closing a session.

CERTVIDEOS(config)# ip inspect tcp idle-time 1800

This command defines the number of seconds for which an idle session will be kept alive before being discarded. The default is 3600 seconds. The idle-time value should be carefully considered, setting it too low would mean that applications that send traffic only once in a while would get timed out, and setting it too high would mean idle sessions holding up important router resources.

CERTVIDEOS(config)# ip inspect tcp max-incomplete host 30
CERTVIDEOS(config)# ip inspect tcp max-incomplete host 30 block-time 1

This command defines the number of half-open sessions that can be opened to a host. If the block-time is not configured (which means it has the default value of 0), for every new connection request, the one that is oldest in the table will be deleted. Hence the number of half-open sessions will never exceed what you’ve configured.
If the block-time has been configured (e.g. 1 minute in the command above), once the threshold is exceeded, all half-open sessions will be deleted and no new connection attempts will be allowed until the block-time expires (1 minute in this case). A block-time of 0 is recommended.

CERTVIDEOS(config)# ip inspect udp idle-time 1800

UDP is a connection-less protocol, hence a session is never established. The only value that can be configured is the idle-time. The default is 30 seconds.

2 Comments

Add a Comment

Your email address will not be published. Required fields are marked *