Context based Access Control (CBAC)

Access lists (ACLs) are used for packet filtering and protection. The router evaluates the administrator's list of rules in order; the rules consist of a series of permit and deny statements. The drawback of ACLs is that they filter traffic only up to the transport layer (addresses, protocols and ports), not at the application layer.

A Cisco router with the appropriate IOS version can therefore be used to provide low-cost firewall functionality. There are two ways to implement an IOS-based firewall:

  • Context Based Access Control (CBAC).
  • Zone-based firewall.

Context Based Access Control (CBAC) -

Whereas ACLs protect and filter traffic at the transport layer, CBAC extends that protection to the application layer. With CBAC configured, the router can function as a firewall.

Working -

CBAC works like a reflexive access list, but it also keeps a state table in which the active sessions are stored in memory. When a device inside the network starts a session, the router (the IOS-based firewall) adds a dynamic entry to the state table and permits the outbound (outgoing) traffic to pass. Because the router now holds an entry for traffic initiated from inside the network, it can also pass the replies to that outbound traffic. The CBAC mechanism does this by temporarily opening holes in the access list applied to the inbound traffic, so that the reply packets get through.

ACLs are a set of rules for regulating network traffic and reducing exposure to network attacks. They filter traffic according to rules written for the network's incoming or outgoing traffic.

Features -

CBAC has the following features:

  • Examining traffic: CBAC tracks the TCP/UDP information needed to inspect packet payloads more thoroughly.
  • Traffic filtering: CBAC permits replies only if they have an entry in the state table. It filters traffic that originates from the trusted network and leaves the firewall, and it can filter traffic intelligently at layer 7.
  • Intrusion detection: To identify attacks such as DoS attacks and TCP SYN floods, CBAC watches the rate at which connections are established. Based on this, the CBAC mechanism can drop packets or reset a connection in response to malicious traffic.
  • Creating alerts and audits: The router's CBAC mechanism records data about the connections made, the amount of data transferred, and the source and destination IP addresses.

Configuration -

There are three routers: router1 (10.1.1.1/24 on fa0/0), router2 (10.1.1.2/24 on fa0/0 and 10.1.2.1/24 on fa0/1) and router3 (10.1.2.2/24). So that the routers can ping one another, we first enable EIGRP on every router so that routes are exchanged.

After that, we configure router3 as an SSH server, and router2 (on which CBAC will run) will only permit traffic that it has first inspected.

First, set up EIGRP on router1:

  router1(config)#router eigrp 100
  router1(config-router)#network 10.1.1.0
  router1(config-router)#no auto-summary

Next, set up EIGRP on router2 so that it advertises both connected networks:

  router2(config)#router eigrp 100
  router2(config-router)#network 10.1.1.0
  router2(config-router)#network 10.1.2.0
  router2(config-router)#no auto-summary

Now configure EIGRP on router3:

  router3(config)#router eigrp 100
  router3(config-router)#network 10.1.2.0
  router3(config-router)#no auto-summary

We now set up SSH on router3 (the domain name and the RSA key pair must exist before the vty lines can accept SSH):

  router3(config)#ip domain name GeeksforGeeks.com
  router3(config)#username saurabh password cisco
  router3(config)#crypto key generate rsa label Cisco.com modulus 1024
  router3(config)#line vty 0 4
  router3(config-line)#transport input ssh
  router3(config-line)#login local

On router2, we now create an access list that blocks all traffic except EIGRP, so that the routers can still exchange routes and reach one another:

  router2(config)#ip access-list extended 100
  router2(config-ext-nacl)#permit eigrp any any
  router2(config-ext-nacl)#deny ip any any

Apply it inbound on the interface facing router3:

  router2(config)#int fa0/1
  router2(config-if)#ip access-group 100 in

With this access list applied, which accepts only EIGRP packets and denies everything else, router1 can no longer SSH to router3.

Next, set up CBAC on router2 to inspect SSH traffic (only return traffic for sessions that the IOS router running CBAC has inspected will be permitted back in):

  router2(config)#!cbac
  router2(config)#ip inspect name Cisco ssh

The first line (!cbac) is only a comment marker in IOS configuration; it is the second command, ip inspect name, that creates the CBAC inspection rule named Cisco for SSH traffic.

Now apply the inspection rule to the interface in the outbound direction:

  router2(config)#int fa0/1
  router2(config-if)#ip inspect Cisco out

Because router2 now inspects the SSH packets before they leave the outbound interface (fa0/1), router1 can SSH to router3 again, as intended.

This can be verified with:

  router2#show ip inspect all

Note: The access list is applied inbound and CBAC is applied outbound on fa0/1 because we only want to admit traffic from the outside network that was initiated from the inside network (10.1.1.1). When CBAC is applied outbound, temporary holes are opened in the access list applied inbound on fa0/1 so that the return packets can pass.
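To make the behaviour described in the Working section and in the note above concrete, here is an added Python model (not part of the original article and not Cisco code) of router2's fa0/1: a static inbound ACL that permits only EIGRP, an outbound inspection rule for SSH that fills a state table, and the temporary hole that lets matching replies back in. The hosts, ports and packets are constructed from the page's topology.

```python
from collections import namedtuple

# Constructed model of the page's setup: ACL 100 inbound on fa0/1 permits only
# EIGRP, and "ip inspect name Cisco ssh" applied outbound records inside-initiated
# SSH sessions so that their replies are let back in through a temporary hole.
INSIDE_HOST = "10.1.1.1"    # router1 in the page's topology
OUTSIDE_HOST = "10.1.2.2"   # router3, the SSH server
INSPECTED_PORTS = {22}      # tcp ports covered by the inspection rule (ssh)

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))


class CbacRouter:
    def __init__(self):
        self.state_table = set()  # dynamic entries for inside-initiated sessions

    def acl_100_in(self, pkt):
        """Static inbound ACL: permit eigrp any any; deny ip any any."""
        return pkt.proto == "eigrp"

    def outbound(self, pkt):
        """Leaving fa0/1: remember sessions of the inspected protocols."""
        if pkt.proto == "tcp" and pkt.dport in INSPECTED_PORTS:
            self.state_table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True  # no ACL is applied outbound in the page's configuration

    def inbound(self, pkt):
        """Entering fa0/1: static ACL first, then the temporary CBAC hole."""
        if self.acl_100_in(pkt):
            return True
        # A reply matches a state entry with source and destination swapped.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state_table

    def session_closed(self, pkt):
        """Remove the dynamic entry once the inside host ends the session."""
        self.state_table.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))


def demo():
    # Returns (reply before inspection, reply after, outside-initiated ssh, eigrp).
    r = CbacRouter()
    syn = Packet("tcp", INSIDE_HOST, OUTSIDE_HOST, 51000, 22)
    reply = Packet("tcp", OUTSIDE_HOST, INSIDE_HOST, 22, 51000)
    before = r.inbound(reply)            # no state yet: hits deny ip any any
    r.outbound(syn)                      # inspected, state entry created
    after = r.inbound(reply)             # hole in ACL 100 lets the reply in
    cold = r.inbound(Packet("tcp", OUTSIDE_HOST, INSIDE_HOST, 40000, 22))
    hello = r.inbound(Packet("eigrp", OUTSIDE_HOST, "224.0.0.10"))
    return before, after, cold, hello
```

A protocol that is not named in the inspection rule (telnet, for example) still leaves the router, but its replies are stopped by the static ACL, which is why "only inspected traffic is permitted" in the text above.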

Limitations -

Some of the drawbacks of the CBAC mechanism include:

  • CBAC is not easy to understand, because it requires in-depth knowledge of the protocols and of the operations we want to allow.
  • The CBAC mechanism cannot inspect traffic that originates from the router itself (the one on which CBAC is configured).
  • No support for stateful failover. A second, redundant router can take over as the CBAC firewall if the first one fails, but because the state table cannot be replicated it has to be rebuilt, which means some connections must be re-established.
  • It cannot inspect encrypted packets, such as IPsec traffic.
