252 Views, 0 Helpful, 4 Replies

IOS firewall CBAC inspection

admin_2
Level 3

I'm working on a project where the customer's current security policy permits most everything inbound from the Internet. This is due to dozens of autonomous entities that make up this customer set and the resulting difficulty of determining what should be blocked inbound from the Internet. If I apply IP inspection for TCP and UDP inbound on the firewall's external interface, understanding that the interface's inbound ACL permits Internet-sourced traffic anyway, will CBAC's inspection capabilities have any beneficial security effect at all?

4 Replies

gfullage
Cisco Employee

Hmmm, not really, unless you have an ACL that doesn't allow traffic outbound from the internal network TO the Internet (which is unlikely). As I'm sure you're aware the benefit of CBAC is to open holes in a fairly restrictive ACL to allow return traffic. If most of their traffic originates from the Internet, then CBAC is of limited use to you.

Not applicable

Thanks. What's confusing from the CBAC documentation are comments that traffic has to be permitted through the ACL first before CBAC will inspect it. This makes me wonder if CBAC packet inspection for malformed or suspicious packets occurs separately from the creation of dynamic ACL entries for temporary traffic permits. If CBAC just looks at the packet and matches it to the state table to see if it's going to create a dynamic ACL permit entry, then I would agree on its inapplicability with such a security policy. Can you clarify between CBAC's inspection and CBAC's creation of dynamic ACL entries?

gfullage
Cisco Employee

Are you referring to the statement "Permit CBAC traffic to leave the network through the firewall"?

If so, then I agree this is confusing. What they're really saying is permit traffic that you want to be inspected by CBAC to go through the router. This basically means "allow all outbound traffic from your internal network into the router", since unless you allow it through the router first, CBAC won't inspect it and open up a hole in your return ACL as that traffic leaves.

Further this statement "All access lists that evaluate traffic leaving the protected network should permit traffic that will be inspected by CBAC" makes it a little clearer. Again, this really just means you have an ACL allowing the traffic that you want to be inspected later on, to go through the router, otherwise CBAC will never see it and a hole will never be opened up.
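To make the ACL/inspect relationship described in the two replies above concrete, here is an added example configuration; it is not from any post in this thread and is not the original poster's setup. Interface names, addresses (documentation ranges) and the inspect rule name are assumed. Inspection is applied on the inside interface, inbound, so that sessions are tracked as they leave the protected network, and the restrictive ACL sits inbound on the outside interface, which is the "return ACL" that CBAC opens temporary entries in. The `permit ip any any` variant from the original question is shown at the end for contrast.

```cisco
! Added example (not from this thread). Interfaces, addresses and names are assumed.
! Ethernet0/0 = internal LAN (192.168.1.0/24), Ethernet0/1 = Internet-facing (203.0.113.1).

! 1. Inspection rule: track TCP and UDP sessions that the router sees.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp

! 2. Restrictive "return" ACL, applied inbound on the outside interface.
!    Only the service the site actually publishes (assumed: HTTPS on
!    203.0.113.10) is permitted statically. Everything else is denied
!    unless CBAC adds a temporary entry for a session it inspected on
!    the way out.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log

! 3. Apply inspection where the traffic you want tracked enters the router:
!    the inside interface, inbound. This is the documentation's "permit
!    traffic that will be inspected by CBAC to leave the network" step:
!    there is no restrictive ACL on Ethernet0/0, so internal hosts' outbound
!    sessions are seen, inspected, and matched against OUTSIDE-IN on return.
interface Ethernet0/0
 description Internal LAN
 ip address 192.168.1.1 255.255.255.0
 ip inspect INSIDE-OUT in

interface Ethernet0/1
 description Internet
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in

! Contrast: the policy in the original question. With this as OUTSIDE-IN,
! the dynamic entries CBAC creates add nothing, because the static entry
! already permits every return packet (and every unsolicited one).
! ip access-list extended OUTSIDE-IN
!  permit ip any any
```

Once this is in place, `show ip inspect sessions` lists the sessions CBAC is currently tracking, and `show ip inspect config` confirms which rule is applied to which interface and in which direction; if an internal host's session does not appear there, the usual cause is that inspection was applied on the wrong interface or direction, so its traffic was never seen and no return entry was opened.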

Not applicable

My remaining question is whether CBAC is just ACL "hole" management. Given that CBAC ip inspect TCP and UDP are on: if a packet comes in from the Internet and an ACL entry of permit ip any any exists instead of a CBAC-created ACL hole, under what conditions will CBAC drop this packet?
