I'd like some help understanding an aspect of firewalling. I have CBAC configured on an ISR. The WAN (outside) interface is configured with an ACL that will not allow traffic to come in. CBAC's job is to allow temporary openings in this ACL for connections initiated on the LAN (inside) interface and close them when the transmission ends. So, in this case I would be configuring inspection ("ip inspect X in") on the inside interface so that traffic leaving the LAN is checked, correct?
My question is, what exactly is being inspected? I know that the inspection is happening at the application layer, but beyond that I'm not sure what the firewall is looking for. So, let's assume a telnet session is initiated inside the network to a host outside. A temporary port is opened on the external interface's ACL to allow the transmission. Now the inspection is looking at the telnet session's traffic as it enters the inside interface. What is it looking for exactly?
As far as your question on how CBAC tracks the telnet session initiated from the inside to outside and creates a temporary ACL for the return traffic, the function is the same as a stateful firewall. For the telnet session the router keeps track of source IP, destination IP, source port and destination port and creates a temporary ACL entry to permit the return traffic on the outside interface.
Here's a small example that I hope helps.
Inside --> Outside
Outside --> Inside (temporary ACL entry created for this)
Thanks for writing. I understand all of this, but the part that stumps me is that I have the impression that CBAC is doing something else with the packets before passing them on, not just layer 3 and 4 stuff but layer 7 inspecting. An earlier post in this thread suggested reading the CBAC documentation, which I already had before posting. I'm just not sure I understand what happens besides trying to detect SYN-flood attacks.
The TCP flags, e.g. SYN, ACK, FIN, WAIT etc., are important because this is what makes a firewall stateful, e.g. it knows that if it receives a packet with the SYN/ACK flags but has no corresponding SYN packet, it should drop that packet.
So all TCP traffic going through a stateful firewall is treated as above and the same information is extracted.
In addition to this stateful tracking CBAC, in common with many stateful firewalls, has some more application-specific code to deal with some of the more commonly used applications that don't behave the standard way. Sundar's example of FTP is one of them. With these applications CBAC does a bit more work and examines more than just the standard IP, port and flags. How much more work is dependent on the application, i.e. for FTP the extra work involved is to look into the packets to find the dynamic port that has been negotiated.
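To make the stateful tracking described in this thread concrete, here is an added toy model (not code from any poster or from Cisco) of what CBAC does for the telnet example: a SYN leaving the inside interface creates a session entry, only return traffic matching that entry gets through the otherwise-deny outside ACL, an unsolicited SYN/ACK with no matching SYN is dropped, and the opening is removed when the session closes. Addresses, ports and the state names are constructed for the example.

```python
from dataclasses import dataclass

# TCP flag bits used by the model (values from the TCP header definition)
SYN, ACK, FIN = 0x02, 0x10, 0x01

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

class CbacInspector:
    """Minimal model of 'ip inspect X in' on the inside interface plus a
    deny-all ACL on the outside interface (constructed example)."""
    def __init__(self):
        # session table keyed on the inside-to-outside tuple (TCP only here)
        self.sessions = {}

    def inside_in(self, pkt):
        """Outbound packet entering the inside interface: always forwarded,
        but a SYN creates the temporary opening for its return traffic."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.sessions[key] = "SYN_SENT"
        elif key in self.sessions and pkt.flags & FIN:
            self.sessions[key] = "CLOSING"
        return True

    def outside_in(self, pkt):
        """Inbound packet on the outside interface: permitted only if it
        matches a session the inside initiated (reverse of the stored key)."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.sessions.get(key)
        if state is None:
            return False  # no matching session: the static deny ACL applies
        if state == "SYN_SENT" and pkt.flags & SYN and pkt.flags & ACK:
            self.sessions[key] = "ESTABLISHED"
        elif state == "CLOSING" and pkt.flags & FIN:
            del self.sessions[key]  # transmission ended: close the opening
        return True

def telnet_demo():
    """Inside host 10.0.0.5 telnets to 203.0.113.10 (constructed addresses)."""
    fw, inside, outside = CbacInspector(), "10.0.0.5", "203.0.113.10"
    fw.inside_in(Packet(inside, 40000, outside, 23, SYN))
    ok_synack = fw.outside_in(Packet(outside, 23, inside, 40000, SYN | ACK))
    # a SYN/ACK from an unrelated host: no matching SYN was ever seen
    stray = fw.outside_in(Packet("198.51.100.7", 23, inside, 40000, SYN | ACK))
    fw.inside_in(Packet(inside, 40000, outside, 23, FIN | ACK))
    fw.outside_in(Packet(outside, 23, inside, 40000, FIN | ACK))
    return ok_synack, stray, len(fw.sessions)  # (True, False, 0)
```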