Creating an ACL (Access Control List) on a Cisco router is a common way for administrators to filter traffic and protect the network, but the limitations of an ACL are obvious: it only examines information at the network layer and transport layer, and it cannot inspect malicious content carried inside IP packets. An ACL alone is therefore not reliable and needs to work together with CBAC (Context-Based Access Control), which greatly improves network security. This article discusses the technical details of deploying CBAC on Cisco routers and related techniques. SPOTO will introduce the CBAC configuration.
I. CBAC Brief
CBAC (Context-Based Access Control) is, as the name says, access control based on the context of a session. It does not replace ACLs (access control lists) and cannot be used to filter every TCP/IP protocol, but for networks running TCP and UDP applications, or multimedia applications such as Microsoft NetShow or RealAudio, it is a better security solution. In addition, CBAC excels in traffic filtering, traffic inspection, alerting and auditing, and intrusion detection. In most cases, we only need to configure CBAC in one direction on a single interface to allow only traffic belonging to an existing session to enter the internal network. ACL and CBAC are complementary, and their combination maximizes network security.
II. Reasonable Configuration of CBAC
1. Evaluation before CBAC configuration
Before configuring CBAC, you need to evaluate the network's security requirements and application requirements and then configure CBAC accordingly. CBAC can be configured in both directions on one or more interfaces. If the networks on both sides of the firewall need to be protected, as in an extranet or intranet configuration, you can configure CBAC in both directions. If the firewall sits between the networks of two partner companies, it may be desirable to restrict traffic in one direction for some applications and in the opposite direction for other applications.
It is important to note that CBAC can only be used for IP traffic. Only TCP and UDP packets can be inspected; other IP traffic (such as ICMP) cannot be inspected by CBAC and can only be filtered with a basic access control list. CBAC can filter all TCP and UDP sessions, like reflexive access control lists, without application-layer protocol inspection. But CBAC can also be configured to correctly handle multi-channel (multi-port) application-layer protocols: CU-SeeMe (White Pine version only), FTP, H.323 (such as NetMeeting and ProShare), HTTP (Java blocking), Java, Microsoft NetShow, UNIX r-commands (such as rlogin, rexec, and rsh), RealAudio, RPC (Sun RPC, not DCE RPC), Microsoft RPC, SMTP, SQL*Net, StreamWorks, TFTP, and VDOLive.
2. Select the Configuration Interface
In order to properly configure CBAC, you must first determine which interface to configure CBAC on. The differences between the internal and external interfaces are described below.
The first step in configuring traffic filtering is to decide whether to configure CBAC on an internal or an external interface of the firewall. In this context, "internal" refers to the side from which sessions must be initiated for their traffic to be allowed through the firewall; "external" refers to the side from which sessions may not be initiated (sessions initiated from the outside are blocked). If you want to configure CBAC in both directions, first configure CBAC in one direction with the appropriate "internal" and "external" interfaces. When configuring CBAC in the other direction, swap the internal and external designations.
CBAC is typically used in one of two basic network topologies. Determining which topology best matches your own network helps decide whether CBAC should be configured on an internal interface or on an external interface.
The article's figure shows the first network topology. In this simple topology, CBAC is configured on the external interface S0. This prevents traffic of the specified protocols from entering the firewall router and the internal network unless it belongs to a session initiated from the internal network.
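As an added example (not the article's own configuration), the following IOS snippet implements this first topology: inspection is applied outbound on the external interface S0 so that return traffic of internally initiated sessions is admitted, and an inbound ACL drops everything else. The rule name FW_OUT, ACL number 101 and the interface name are assumptions.

```cisco
! Added example: CBAC on external interface S0 (first topology).
! Names, numbers and timeouts are assumptions chosen for illustration.
!
! 1. Inspection rule set. Generic tcp/udp covers single-channel sessions;
!    the named protocols add application-layer (multi-channel) tracking.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT ftp
ip inspect name FW_OUT http
ip inspect name FW_OUT smtp
ip inspect name FW_OUT realaudio
!
! 2. Session limits and audit trail so stale or half-open sessions do not
!    linger and session open/close events are logged.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect audit-trail
!
! 3. Inbound ACL on S0. CBAC cannot inspect ICMP, so the replies the inside
!    needs are permitted explicitly; all other inbound traffic is denied.
!    CBAC adds temporary entries ahead of these lines for return traffic
!    of the sessions it is tracking.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip any any log
!
! 4. Apply both to the external interface: inspect outbound, filter inbound.
interface Serial0
 ip inspect FW_OUT out
 ip access-group 101 in
!
! 5. Verification:
!   show ip inspect config     - rule set as configured
!   show ip inspect sessions   - sessions currently tracked by CBAC
!   show ip access-lists 101   - temporary entries CBAC has opened
```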