Context-Based Access Control “CBAC”
In the beginning God created heaven and earth, and then he created routers, so packets could flow from one part of the earth to the other. As he rested he looked down on his creation and smiled, for all was good. Packets were flowing from one interface to another. Then, as he beheld his creation, he watched as some bad packets decided to flow where they didn't belong! So God created access-lists and again everything was as it should be; packets only flowed to areas where they belonged. After some time naughty packets found out that they could sneak by God's great protectors of the network by setting the ACK bit in their headers (the established keyword in an access-list matches any TCP segment with the ACK or RST flag set, nothing more).
The access-list thought that these packets were part of an ongoing conversation and allowed them to sneak past. To fix this problem God shook heaven and earth and created reflexive access-lists. With these new and improved protectors of God's interfaces, packets were only allowed through if they matched a rule created for traffic flowing in the other direction: a return packet is only allowed in if it matches the temporary entry (same addresses and ports, reversed) that the original outgoing packet created. God sat back and looked at his creation and all was as it should be. Then one day applications were created that open a second connection on a dynamically negotiated port. For instance, with active-mode FTP the client connects to the server on port 21, and the server then opens a data connection back to the client on a port the client announced inside the control channel. Since those packets do not match the addresses and ports of the original connection, the reflexive access-list drops them.
To fix this new problem God created CBAC, Context-Based Access Control. With this enhanced type of security found in the Firewall Feature Set, traffic is inspected at layer 4 and above on the way out, and temporary entries are added to the inbound access-list on the interface to allow the return traffic. Since CBAC inspects traffic at a higher level of the OSI model, it can understand protocols that use dynamic port assignment (it reads the negotiated port out of the FTP control channel or the SIP signalling and opens only that port), it can glean useful information from upper-layer protocols that helps it make intelligent stateful firewalling decisions, and it can improve security while reducing false positives. You can see how over the years the security that we use has become ever more sophisticated to combat the ever clever internet hacker.
Below I will show you how to use CBAC on your router. Keep in mind that CBAC is part of the Firewall Feature Set, so it may require additional licensing if your organization has to upgrade the IOS. ip inspect is configured in two places. First, create an inspection rule and define which protocols you want to inspect. Next, apply the rule in the outbound direction on the interface you want to protect. You must also have an extended access-list applied in the inbound direction on that same interface; that access-list is where CBAC inserts its temporary permit entries, so it should deny the return traffic you want CBAC to control (if nothing in it denies that traffic, CBAC has nothing to open and the inspection adds no protection). When configuring the inspection rule you can choose from a number of protocols to look at. To get basic stateful handling of return traffic and fix the ACK-bit problem of plain access-lists, you only have to inspect the layer 4 protocols tcp and udp. However, generic tcp/udp inspection still cannot follow dynamically negotiated ports, so for those applications you add the application-layer inspection: CBAC supports many higher-level protocols such as http, SMTP, FTP, RealAudio, and other session and presentation layer protocols.
Here is a config that shows some of the many protocols that can be inspected with CBAC. I have listed the two main ones at the top. Another tip: if you have SIP phones with private NAT'd addresses behind this router and you want them to connect outside, you need the ip inspect ... sip line so the SIP signalling is tracked through NAT and the negotiated RTP ports are opened for the return media.
ip inspect name cbac-example tcp
ip inspect name cbac-example udp
ip inspect name cbac-example vdolive
ip inspect name cbac-example smtp
ip inspect name cbac-example http
ip inspect name cbac-example rtsp
ip inspect name cbac-example sip
ip inspect name cbac-example skinny
ip inspect name cbac-example tftp
ip inspect name cbac-example ftp
ip audit po max-events 100
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip access-group from_internet in
ip inspect cbac-example out
duplex auto
speed auto
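The fragment above references the from_internet access-list but never defines it, and without that list CBAC has nothing to punch holes in. The following is an added worked example, not the original post's configuration: it completes the picture with the inbound access-list, an inspection rule with explicit idle timeouts and audit trail, the half-open session thresholds that keep a SYN flood from filling the state table, and the show commands used to verify the temporary openings. The interface roles, the 10.1.1.0/24 inside network, and the mail server address 10.1.1.25 are assumptions for illustration.

```cisco
! Added example: a complete CBAC configuration built around the fragment above.
! Interface roles, the 10.1.1.0/24 inside network and the mail server address
! are assumptions for illustration, not taken from the original post.
!
! 1. Inspection rule. tcp and udp give generic stateful return-traffic handling;
!    ftp and sip add the application-layer inspection that follows dynamically
!    negotiated data and media ports. timeout is idle seconds before the
!    temporary opening is removed; audit-trail logs session open and close.
ip inspect name cbac-example tcp alert on audit-trail on timeout 3600
ip inspect name cbac-example udp alert on audit-trail on timeout 30
ip inspect name cbac-example ftp
ip inspect name cbac-example sip
ip inspect name cbac-example icmp
!
! 2. Half-open (embryonic) session limits. CBAC starts deleting half-open
!    sessions when the count passes "high" and stops at "low", so a SYN flood
!    through the router cannot exhaust the session table.
ip inspect tcp synwait-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! 3. The inbound access-list that CBAC adds temporary entries to. It must be
!    an extended access-list, it must deny the return traffic you want CBAC
!    to control, and it is applied on the same interface as the inspection
!    rule. Only services that should be reachable unsolicited get a static
!    permit; the explicit deny with log gives you a detection signal.
ip access-list extended from_internet
 remark static openings for services offered to the internet
 permit tcp any host 10.1.1.25 eq smtp
 remark everything else is denied; CBAC inserts temporary permits above this
 deny   ip any any log
!
! 4. Apply on the outside interface: access-list inbound, inspection outbound.
interface FastEthernet0/0
 description outside
 ip address 192.168.1.254 255.255.255.0
 ip access-group from_internet in
 ip inspect cbac-example out
!
interface FastEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
!
! 5. Verify. After an inside host opens a connection outbound, the tracked
!    session and the opening it created are visible with:
!    show ip inspect interfaces        (rule and access-list bound per interface)
!    show ip inspect sessions detail   (tracked sessions and created openings)
!    show ip inspect config            (protocols, timeouts, thresholds)
!    show ip access-lists from_internet
!    show logging                      (audit-trail and deny log entries)
```

Note that the inbound list on FastEthernet0/0 only governs what the internet can start; it says nothing about what inside hosts may initiate. CBAC opens return paths only for sessions it inspected leaving the outside interface, so to restrict which outbound sessions are allowed in the first place, add a separate access-list inbound on FastEthernet0/1. Also check the timeouts against real traffic: a long idle tcp timeout keeps openings alive longer than needed, while a short one drops legitimate idle sessions such as SSH.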