Question about CBAC

Unanswered Question
Aug 2nd, 2007

I'd like some help understanding an aspect of firewalling. I have CBAC configured on an ISR. The WAN (outside) interface is configured with an ACL that will not allow traffic to come in. CBAC's job is to allow temporary openings in this ACL for connections initiated on the LAN (inside) interface and close them when the transmission ends. So, in this case I would be configuring inspection ("ip inspect X in") on the inside interface so that traffic leaving the LAN is checked, correct?

My question is, what exactly is being inspected? I know that the inspection is happening at the application layer, but beyond that I'm not sure what the firewall is looking for. So, let's assume a telnet session is initiated inside the network to a host outside. A temporary port is opened on the external interface's ACL to allow the transmission. Now the inspection is looking at the telnet session's traffic as it enters the inside interface. What is it looking for exactly?

-Shikamaru

sundar.palaniappan Thu, 08/02/2007 - 14:14

Shikamaru,

Your understanding of how CBAC works is correct.

As far as your question on how CBAC tracks the telnet session initiated from the inside to the outside and creates a temporary ACL for the return traffic, the function is the same as that of any stateful firewall. For the telnet session the router keeps track of source IP, destination IP, source port and destination port, and creates a temporary ACL entry to permit the return traffic on the outside interface.

Here's a small example that I hope helps.

Inside --> Outside

source: 10.1.1.1
destination: 192.168.1.1
source port: 17850
destination port: 23

Outside --> Inside (temporary ACL entry created for this)

source: 192.168.1.1
destination: 10.1.1.1
source port: 23
destination port: 17850

HTH

Sundar

shikamarunara Thu, 08/02/2007 - 14:19

Sundar,

Thanks for writing. I understand all of this, but the part that stumps me is that I have the impression that CBAC is doing something else with the packets before passing them on, not just layer 3 and 4 stuff but layer 7 inspecting. An earlier post in this thread suggested reading the CBAC documentation, which I already had before posting. I'm just not sure I understand what happens besides trying to detect SYN-flood attacks.

-Shikamaru

Jon Marshall Thu, 08/02/2007 - 21:05

Shikamaru

In addition to Sundar's very good explanation:

CBAC is a stateful firewall in the same way the PIX/ASA is a stateful firewall. This means that for most TCP applications it looks at the following information in the packets:

source IP , destination IP, source port, destination port, TCP FLAGS.

The TCP flags, e.g. SYN, ACK, FIN, WAIT etc., are important because this is what makes a firewall stateful, e.g. it knows that if it receives a packet with the SYN/ACK flags set but has no corresponding SYN packet, it should drop that packet.

So all TCP traffic going through a stateful firewall is treated as above and the same information is extracted.

In addition to this stateful tracking, CBAC, in common with many stateful firewalls, has some more application-specific code to deal with some of the more commonly used applications that don't behave the standard way. Sundar's example of FTP is one of them. With these applications CBAC does a bit more work and examines more than just the standard IP, port and flags. How much more work is dependent on the application, i.e. for FTP the extra work involved is to look into the packets to find the dynamic port that has been negotiated.

HTH

Jon
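To make concrete what Sundar's 5-tuple example and Jon's description of TCP flag tracking and FTP handling amount to, here is an added Python model of that logic. It is not Cisco code and not from this thread: the `Inspector` and `Packet` names, the state machine, and the constructed telnet and active-mode FTP packets are assumptions for illustration, reusing Sundar's hosts 10.1.1.1 and 192.168.1.1. It goes slightly beyond the posts by also showing teardown on RST and the FTP PORT parse that pre-opens the data connection.

```python
"""Toy stateful inspector modelling the CBAC logic described in this thread.

Added example, not Cisco code. It keeps the 5-tuple and TCP state of
connections opened from the inside, admits only matching return traffic on
the outside interface, drops unsolicited SYN/ACKs, tears state down on RST
or a FIN exchange, and for FTP parses the PORT command to pre-open the
negotiated data connection (the application-layer work Jon describes).
"""
import re
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# FTP active mode: "PORT h1,h2,h3,h4,p1,p2" = client listens on h1.h2.h3.h4 : p1*256+p2
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0
    payload: bytes = b""


class Inspector:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> TCP state;
        # each entry is the toy equivalent of a temporary ACL opening
        self.sessions = {}
        # (server_ip, client_ip, client_port) learned from FTP PORT commands
        self.expected = set()

    def inside_in(self, pkt):
        """'ip inspect FW in' on the LAN interface: record state, forward everything."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.sessions[key] = "SYN_SENT"            # new outbound connection
        elif key in self.sessions:
            if pkt.flags & RST:
                self.sessions.pop(key)                 # abort: close the opening at once
            elif pkt.flags & FIN:
                self._fin(key)
            elif pkt.dport == 21:
                self._inspect_ftp(pkt)                 # layer-7 work, FTP control channel only
        return "permit"

    def outside_in(self, pkt):
        """WAN interface: the ACL denies everything, so only tracked return traffic passes."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # the same 5-tuple, inside perspective
        state = self.sessions.get(key)
        if state is None:
            # FTP active mode: the server opens the data channel to the PORT-announced socket
            if (pkt.src, pkt.dst, pkt.dport) in self.expected and pkt.flags & SYN:
                self.expected.discard((pkt.src, pkt.dst, pkt.dport))
                self.sessions[key] = "ESTABLISHED"
                return "permit"
            return "deny"                              # no outbound connection matches
        if pkt.flags & RST:
            self.sessions.pop(key)
            return "permit"
        if state == "SYN_SENT":
            if (pkt.flags & (SYN | ACK)) == (SYN | ACK):
                self.sessions[key] = "ESTABLISHED"
                return "permit"
            return "deny"                              # only a SYN/ACK answers our SYN
        if pkt.flags & FIN:
            self._fin(key)
        return "permit"

    def _fin(self, key):
        # First FIN marks the session closing; the peer's FIN removes it. (Real CBAC keeps the
        # entry for a short fin-wait period so the last ACK still gets through; omitted here.)
        if self.sessions[key] == "CLOSING":
            self.sessions.pop(key)
        else:
            self.sessions[key] = "CLOSING"

    def _inspect_ftp(self, pkt):
        m = PORT_CMD.search(pkt.payload)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            self.expected.add((pkt.dst, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


def demo():
    """Replay the thread's telnet case plus a constructed active-mode FTP transfer."""
    fw = Inspector()
    inside, outside = "10.1.1.1", "192.168.1.1"        # Sundar's hosts
    v = {}
    v["telnet_syn_out"] = fw.inside_in(Packet(inside, 17850, outside, 23, SYN))
    v["telnet_synack_back"] = fw.outside_in(Packet(outside, 23, inside, 17850, SYN | ACK))
    v["synack_wrong_port"] = fw.outside_in(Packet(outside, 23, inside, 17851, SYN | ACK))
    v["unsolicited_syn"] = fw.outside_in(Packet(outside, 40000, inside, 80, SYN))
    fw.inside_in(Packet(inside, 30000, outside, 21, SYN))
    fw.outside_in(Packet(outside, 21, inside, 30000, SYN | ACK))
    fw.inside_in(Packet(inside, 30000, outside, 21, ACK, b"PORT 10,1,1,1,118,42\r\n"))  # 118*256+42 = 30250
    v["ftp_data_announced"] = fw.outside_in(Packet(outside, 20, inside, 30250, SYN))
    v["ftp_data_other_port"] = fw.outside_in(Packet(outside, 20, inside, 30251, SYN))
    fw.inside_in(Packet(inside, 17850, outside, 23, RST))   # client aborts the telnet session
    v["telnet_after_rst"] = fw.outside_in(Packet(outside, 23, inside, 17850, ACK))
    return v


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} {verdict}")
```

The point of the model is the asymmetry Shikamaru asked about: nothing on the inside interface is ever blocked, it is only recorded, while the outside interface admits a packet solely because an earlier outbound packet with the mirrored 5-tuple (and, for a SYN/ACK, a preceding SYN) was seen. The FTP branch is the only place the payload is read at all, which is the layer-7 part.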
