Context-BasedAccessControl (CBAC) Context-based Access Control

CBAC is a context-based access control protocol. It checks the traffic of the firewall to find the session status information for managing TCP and UDP. These status information is used to create a temporary channel in the firewall access list. Configure the ipinspect list in one direction to allow the returned traffic. Permitted sessions refer to protected internal sources.

CBAC is a context-based access control protocol. It checks the traffic of the firewall to find the session status information for managing TCP and UDP. These status information is used to create a temporary channel in the firewall access list. Configure the ip inspect list in one direction to allow the returned traffic. Permitted sessions refer to protected internal sources.

CBACBased onContextOfAccessControlBy checking the traffic of the firewall to find the session status information of TCP and UDP management. These status information is used in the firewallAccessList to create a temporary channel.By configuring traffic in one directionIp inspectList to allow the returned traffic. A permitted session is a protected internal network session. It cannot be used to filter every TCP/IP protocol. cisco ios supports the following protocols:

Keyword Name	Protocol
Cuseeme	CUSeeMe Protocol
Ftp	File Transfer Protocol
H323	H.323 Protocol (for example Microsoft NetMeeting or Intel Video Phone)
Http	HTTP Protocol
Rcmd	R commands (r-exec, r-login, r-sh)
Realaudio	Real Audio Protocol
Rpc	Remote Procedure Call Protocol
Smtp	Simple Mail Transfer Protocol
Sqlnet	SQL Net Protocol
Streamworks	StreamWorks Protocol
Tcp	Transmission Control Protocol
Tftp	TFTP Protocol
Udp	User datasync Protocol
Vdolive	VDOLive Protocol

Sometimes we need to allow data streams for some applications in one direction and only allow the returned data streams of these applications to pass through. In this case, we only need to configure CBAC in one direction of a single interface, you can only allow data streams belonging to existing sessions to enter the internal network. You can configure CBAC in two directions of one or more interfaces.

The first step in configuring data flow filtering is to determine whether to configure CBAC on an internal or external interface of the firewall. In this environment, the so-called "internal" means that the session must be actively initiated to allow its data flow to pass through the firewall side; "External" refers to the side where the session cannot be actively initiated (the session initiated from outside is forbidden ). If you want to configure CBAC in two directions, you should first use the appropriate "Internal" and "External" interfaces in one direction to indicate the configuration of CBAC. When CBAC is configured in another direction, this interface indicator is replaced with another one. It can be said that ACL and CBAC are complementary, and a reasonable combination of the two can make the network more secure.

Note that CBAC can only be used for IP data streams. Only TCP and UDP data packets can be checked, and other IP data streams (such as ICMP) cannot be checked by CBAC.AccessControlList. When no application-layer protocol review is performedAccessControlSimilar to the list, CBAC can filter all TCP and UDP sessions. Only connectedControlThe channel will be reviewed and monitored by CBAC, and the data channel will not be reviewed. For example, in an FTP session,ControlThe status changes of the channel (usually TCP port 21) and Data Channel (usually TCP port 20) will be monitored, but onlyControlThe channel will be reviewed.

CBAC provides advancedBased onThe content filtering function at the application layer includes:

1. Traffic Filtering: CBAC canBased onThe Application Layer intelligently filters TCP/UDP packets, and even filtered connections can be initiated from the protected network. therefore, CBAC can detect traffic initiated by any side of the firewall. if CBAC is not available, traffic filtering can only stay at the network layer and below (Common ACL). It can be at most a transport layer (self-inverse list ). CBAC not only detects information at the network layer and application layer, but also identifies the session status by detecting information at the application layer (such as FTP connection information, RPC, and SQL * net. CBAC can be used to prevent normal malicious JAVA programs from intruding into the network. Through configuration, users can only run internal JAVA scripts or external trusted scripts.
2. Traffic Detection: CBAC checks outbound traffic to establish a temporary session table to allow packets to pass back. By detecting the application layer and maintaining TCP/UDP session information, CBAC can prevent some network attacks such as just SYN-flooding.SYN-flooding is a DoS attack. by sending a large number of connection requests to the server that cannot establish a full connection, hackers will exhaust server resources and crash and fail to provide normal services. CBAC checks whether the TCP connection serial number of the packet is within a reasonable range to decide whether to discard the suspicious packet. you can configure CBAC to discard a semi-connection. moreover, CBAC can detect abnormal connections and generate alarms. CBAC can also prevent DOS attacks on some segment IP packets. because hackers can send many non-initial IP segments or complete segment packages through the vro, which is permitted by the vroacl ACL, when such a package arrives at the server or host, it will take time to try the incomplete package.
3. Alert and audit: CBAC generates real-time alerts and audit information. the enhanced audit information uses SYSLOG to track all network traffic. you can audit only the information generated by an application.
4. Intrusion Detection: CBAC provides only limited Intrusion Detection for SMTP, and provides specialized IDS on medium or high-end routers. This allows the vro to be deployed on the border more securely.