By Mike Mullins
Let's look at how you can enhance reflexive ACLs using content-based access control (CBAC).
Originally introduced in Cisco IOS Release 11.2P, CBAC designates a special firewall feature set. CBAC is capable of managing multichannel applications, such as FTP and H.323 sessions.
In addition, CBAC can inspect content and application layer commands, such as Simple Mail Transfer Protocol (SMTP) and several other popular application layer protocols. CBAC can also block Java applets embedded in HTTP traffic and provide denial of service (DoS) attack prevention and detection.
How CBAC works
When implementing CBAC, your first step is to determine which router interface to apply it to. You should configure CBAC on the interface closest to the originating host or closest to the destination host.
The most common method is to use CBAC on the external interface to inspect inbound traffic and allow it to dynamically open temporary access lists on other interfaces to manage, inspect, and direct that traffic.
The second step is to create an access control list. Create one list that allows the external network to connect to your organization's Web, FTP, mail, and DNS servers as well as any other public application servers you have on the network.
Next, create an internal access control list that allows the internal network to connect to external servers. After you've applied this inbound to your external interface, it allows the world to connect to your organization's Web server and send e-mails.
Here's an example:
ip access-list 101 permit any host myweb.server.ip.address eq http
ip access-list 101 permit any host mymail.server.ip.address eq smtp
After you've applied the internal ACL inbound to your internal interface, it allows users on the network to browse the Web and use FTP to retrieve documents. In addition, it allows your organization's mail server to send mail to any mail server on the Internet.
Here's another example:
ip access-list 102 permit your.network.ip.address any eq http
ip access-list 102 permit your.network.ip.address any eq https
ip access-list 102 permit host your.mail.server.ip.address any eq smtp
ip access-list 102 permit your.network.ip.address any eq ftp
Since CBAC also helps prevent DoS attacks, your third step is to configure global timeouts and threshold values. This allows CBAC to determine how long to manage session state and when to drop half-open connections.
In the following example, the configuration tells CBAC to maintain session state information on an idle connection for 30 seconds.
ip inspect udp idle-time 30
ip inspect tcp idle-time 30
Your fourth step is to define an inspection rule. This rule defines which application layer protocol CBAC will inspect. Here are some of the supported protocols:
In the following example, the inspection rule forces CBAC to manage FTP traffic for opening random inbound ports on the interface closest to the FTP server.
ip inspect name firewall ftp
If you want to audit and log any CBAC traffic, append the following to the end of your inspection rule.
alert on and/or audit-trail on
While CBAC is an enhancement to your network security, keep in mind that it isn't a replacement for your firewall. Its content filtering is limited to the application layer protocols mentioned above. It won't protect your Web server from vulnerability exploits.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.