This article describes in detail how to configure CBAC, starting from the basic concepts of CBAC and the services it can provide, and working through a small topology in which hosts communicate across the router. It also covers practical CBAC configuration tips.
CBAC (Context-Based Access Control) is an advanced firewall module in the Cisco IOS Firewall feature set. Unlike an ACL (access control list), it cannot be used to filter every TCP/IP protocol, but it is a good security solution for networks running TCP and UDP applications, or certain multimedia applications (such as Microsoft NetShow or RealAudio). In addition, CBAC offers traffic filtering, traffic inspection, alerting and auditing, and intrusion detection. In most cases you only need to configure CBAC in one direction on a single interface to allow traffic belonging to an existing session back into the internal network. ACLs and CBAC are complementary, and combining them maximizes network security.
A Cisco router access-list can only check packets at the network layer or transport layer, whereas CBAC can intelligently filter TCP and UDP sessions based on application-layer information, such as the control-channel information of an FTP connection. CBAC opens a temporary opening in the firewall access-list so that return traffic for connections originating from the internal network is admitted, and it inspects sessions in both the inbound and outbound directions.
CBAC provides the following services:
1) Stateful packet filtering: provides complete security and policy enforcement for the enterprise's internal network, enterprise-to-partner interconnections, and enterprise-to-Internet connections.
2) DoS detection and defense: CBAC protects the router and the network behind it by inspecting packet headers and discarding suspicious packets.
3) Real-time alerting and auditing: connections can be tracked on a per-application basis as they pass through the firewall, with detailed session information and reports of suspicious behavior.
First, build a topology in which the hosts can reach one another, then configure the router as follows:
Allow anyone to reach the intranet web server, and deny all other traffic:
Router(config)# access-list 101 permit tcp any host 192.168.0.1 eq www
Router(config)# access-list 101 deny ip any any
Apply the ACL in the outbound direction on F0/0:
Router(config)# int f0/0
Router(config-if)# ip access-group 101 out
Router(config-if)# exit
CBAC inspection rules can specify any protocol at or above the network layer. Packets that pass the ACL are then inspected by CBAC, which records the connection state of each packet in a new state table.
Router(config)# ip inspect name asha http
Router(config)# ip inspect name asha icmp
Router(config)# ip inspect name asha tcp
Router(config)# ip inspect name asha udp
Apply the inspection rule in the inbound direction on F0/0, the direction in which CBAC sees the sessions originating from the inside:
Router(config)# int f0/0
Router(config-if)# ip inspect asha in
Router(config-if)# exit
CBAC uses timeout and threshold values to determine session state and duration. Clearing incomplete (half-open) sessions and idle sessions on this basis is how it provides DoS detection and protection.
Start deleting half-open sessions when their number exceeds 500, and stop deleting once the number drops below 400:
Router(config)# ip inspect max-incomplete high 500
Router(config)# ip inspect max-incomplete low 400
Likewise for the rate of new connection attempts: start deleting half-open sessions when more than 500 new sessions arrive in one minute, and stop deleting once the rate falls below 400 per minute:
Router(config)# ip inspect one-minute high 500
Router(config)# ip inspect one-minute low 400
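To make the stateful behaviour and the max-incomplete hysteresis concrete, here is a small Python model of the setup above (an added illustration written for this article, not Cisco code and not an IOS API): F0/0 faces the intranet, ACL 101 is applied outbound on it, and inspection records sessions that enter from the inside; the packet values are constructed sample traffic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN with no reply yet: a half-open session

class CbacModel:
    """Constructed model of the article's setup, not Cisco code: f0/0 faces the
    intranet (web server 192.168.0.1), ACL 101 is applied 'out' on f0/0 and
    'ip inspect asha in' records sessions that enter from the inside."""
    def __init__(self, max_high=500, max_low=400):
        self.max_high, self.max_low = max_high, max_low  # ip inspect max-incomplete
        self.sessions = {}  # state table: flow key -> "half-open" | "established"

    @staticmethod
    def acl_101(p):
        # access-list 101 permit tcp any host 192.168.0.1 eq www / deny ip any any
        return p.proto == "tcp" and p.dst == "192.168.0.1" and p.dport == 80

    def from_inside(self, p):
        """Packet entering f0/0 from the intranet: inspected and recorded."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        self.sessions[key] = "half-open" if p.syn_only else "established"
        self.enforce_max_incomplete()
        return True

    def to_inside(self, p):
        """Packet leaving f0/0 to the intranet: ACL 101 or a recorded session's reverse flow."""
        if self.acl_101(p):
            return True
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions

    def half_open(self):
        return sum(1 for s in self.sessions.values() if s == "half-open")

    def enforce_max_incomplete(self):
        # Above 'high', delete the oldest half-open sessions (dict keeps arrival
        # order) and keep deleting until the count is below 'low': hysteresis.
        if self.half_open() <= self.max_high:
            return
        for key, state in list(self.sessions.items()):
            if self.half_open() < self.max_low:
                break
            if state == "half-open":
                del self.sessions[key]
```

Lowering the thresholds to 5 and 3 shows the effect: a burst of six half-open sessions is cut back to two, while established sessions and their temporary openings are untouched.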