Cisco Support Community



Context-based Access Control (CBAC)

Context-Based Access Control (CBAC) is a per-application control mechanism that adds advanced traffic filtering functionality to firewalls that isn’t limited, as are access lists, to examining packets at the network or transport layer. While CBAC examines both of these layers, it also examines the application-layer protocol data to monitor the state of a given TCP or UDP session. This means, as multiple channels are created or used by applications such as SQL*Net, FTP, and RPC, CBAC can respond by creating temporary openings in the firewall access lists to allow return traffic and additional data connections for specified sessions that originated from within the protected network. This application-layer awareness and capability to evolve with the traffic is beyond the capabilities of access list technologies.

Quick Access List Review:

Before continuing with CBAC, it’s important to be clear about how standard and extended ACLs work?

Standard ACLs filter only on source network addresses and are, therefore, limited to Layer 3 capabilities.

Extended ACLs  are able to filter on port numbers extending their reach into Layer 4.

In both cases, any ACL allowing traffic to enter a network is, in fact, a hole in the firewall or perimeter security that can possibly be exploited by others.

We also have reflexive ACLs Temporary ACL statements can be created for inbound traffic based on outbound traffic reducing risk of exploitation. Unfortunately, reflexive ACLs are limited to Layer 4 filters, like any other extended ACL. Furthermore, reflexive ACLs can’t deal with changes in port designations by the outside host, such as FTP. The outbound address/port combinations for the source and destination are “mirrored” to create the inbound openings. Another limitation of reflexive ACLs is that they’re limited to single channel applications.

Advantages of CBAC:

CBAC can be configured to inspect and filter the following IP sessions and application-layer protocols:

  • All TCP sessions, regardless of the application-layer protocol (sometimes called single-channel or generic TCP inspection).
  • All UDP sessions, regardless of the application-layer protocol (sometimes called single-channel or generic UDP inspection).
  • CU-SeeMe (White Pine version only), an Internet videoconferencing program developed as freeware by Cornell University. WhitePine, Inc., sells an enhanced commercial version.
  • FTP doesn’t support third-party connections (three-way FTP transfer). Allows data channels with the destination ports 1024 to 65535. CBAC won’t open a data channel if the FTP client-server authentication fails.
  • HTTP (Java blocking).
  • Microsoft NetShow.
  • UNIX R-commands, such as rlogin, rexec, and rsh.
  • RealAudio.
  • H.323, such as NetMeeting and ProShare
  • Real-Time Streaming Protocol (RTSP):
  • SQL*Net
  • StreamWorks
  • TFTP

Disadvantages of CBAC:

  • Only IP TCP and UDP traffic is inspected by CBAC, so ICMP traffic and any other Layer 3 protocols need to be filtered using extended ACLs.
  • Any traffic where the router is the source or destination won’t be inspected. CBAC will filter traffic passing through, but not traffic originating or terminating on that device.
  • Because CBAC only detects and protects against attacks that travel through the firewall, it doesn’t normally protect against attacks originating from within the protected network. Deploying CBAC on an intranet-based router is possible.
  • CBAC can’t inspect in-transit IPSec traffic. Because the IPSec traffic is encrypted, CBAC can’t interpret it and, therefore, drops it. CBAC and IPSec can only work together at tunnel endpoint by applying IPSec to the external interface and CBAC on the internal interface.