Context-Based Access Control
WHAT IS CBAC?
Cisco's Context-Based Access Control (CBAC) is a component of the IOS firewall feature set. Similar to reflexive ACLs, CBAC enables dynamic modification of access lists to allow certain incoming flows by first inspecting and recording flows initiated from the protected internal network. However, whereas reflexive ACLs act solely on L2-L4 protocol attributes, CBAC is able to inspect all the way to the application layer, taking into consideration characteristics of a flow on a per-protocol basis (or context).
From the conceptual illustration, we see that there are four logical points (marked in blue) at which the router can inspect traffic:
- Inbound on the internal interface
- Outbound on the external interface
- Inbound on the external interface
- Outbound on the internal interface
While we can deploy independent, static ACLs at one, some, or all of these points simultaneously, CBAC is configured and operates per interface, dynamically modifying ACL entries facing one direction based on the traffic it sees flowing in the opposite direction.
For example, let's assume we first want to allow by default all traffic traversing the router from the internal LAN (192.168.0.0/24) toward the Internet (for our purposes, 10.0.0.0/8). This is already the case, as the router will of course forward all routable traffic when no access restrictions have been applied. We also want to deny by default all traffic flowing from the Internet toward the LAN; to accomplish this we can use a simple ACL to deny all IP traffic. We'll apply it to the external interface in the inbound direction (versus the internal interface outbound) so that the router itself is protected from untrusted traffic as well.
Reference:
R1(config)# ip access-list extended DENY_ALL
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface f0/0
R1(config-if)# ip access-group DENY_ALL in
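To complete the picture, here is an added example (not from the original post) of the CBAC inspection rule that pairs with the DENY_ALL ACL above. It assumes f0/0 is the external interface, as in the ACL example, and uses the hypothetical inspection rule name INSPECT_OUT. CBAC inspects TCP, UDP and ICMP flows leaving f0/0 and dynamically opens matching return entries ahead of DENY_ALL on the inbound side; unsolicited inbound traffic still hits the deny.

```cisco
! Define which protocols CBAC should inspect as they leave the LAN.
! INSPECT_OUT is an assumed name for this example.
R1(config)# ip inspect name INSPECT_OUT tcp
R1(config)# ip inspect name INSPECT_OUT udp
R1(config)# ip inspect name INSPECT_OUT icmp

! Apply the inspection rule on the external interface in the outbound
! direction; CBAC will insert temporary permit entries for the return
! traffic of each inspected session, evaluated before the DENY_ALL ACL
! that is applied inbound on the same interface.
R1(config)# interface f0/0
R1(config-if)# ip inspect INSPECT_OUT out
R1(config-if)# exit

! Verification: list the sessions CBAC is currently tracking, and the
! configuration and timeouts in effect.
R1# show ip inspect sessions
R1# show ip inspect config
```

A session that appears in `show ip inspect sessions` is one that was initiated from the LAN; its return packets are permitted only for the life of that session and are removed when the flow closes or idles out, which is what distinguishes this from a static permit in the ACL.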

Thank you Jasper for sharing on this topic on Context-based access control. After reading your post on Context-based access control (CBAC), I am able to have a better understanding of this topic compared to the past. Now I know what Context-based access control is, what its purpose is, and also how context-based access control is implemented to enforce network security. As a side note, I find your logical diagram on context-based access control interesting, as it is capable of making me understand what CBAC is about better, and I also find the metaphor of the Internet and LAN as big and scary & safe and cozy quite funny yet true.