Context Based Access Control

* Packets entering the firewall are inspected by CBAC unless specifically denied by an ACL

* CBAC permits or denies specified TCP and UDP traffic through a firewall

* A state table is maintained with session information

* ACL entries are dynamically created and deleted as sessions open and close

* CBAC helps protect against certain DoS attacks

©2000, Cisco Systems, Inc.

©2000, Cisco Systems, Inc.

CSPFA 1.01-8-5

CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information. It can inspect traffic for sessions that originate on any interface of the router. CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

Inspecting packets at the application layer and maintaining TCP and UDP session information gives CBAC the ability to detect and prevent certain types of network attacks, such as SYN flooding. CBAC also inspects packet sequence numbers in TCP connections to see whether they are within expected ranges, and drops any suspicious packets. Additionally, CBAC can detect unusually high rates of new connections and issue alert messages.

CBAC inspection can also help protect against certain Denial of Service (DoS) attacks involving fragmented IP packets. Even though the firewall prevents an attacker from making actual connections to a given host, the attacker can still disrupt services provided by that host. This is done by sending many non-initial IP fragments, or by sending complete fragmented packets through a router with an access control list (ACL) that filters only the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets.
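The following IOS Firewall configuration is an added example, not taken from the course material, showing how the pieces above fit together: an inspection rule that builds the state table, a default-deny inbound ACL that CBAC punches temporary openings into, and the half-open session thresholds that back the DoS protection. The rule name, ACL name, interface names and threshold values are assumptions chosen for illustration.

```cisco
! Constructed example (not from the course slides). Names, interfaces and
! threshold values are assumptions; tune thresholds to measured traffic.
!
! 1. Inspection rule: the protocols CBAC tracks in its state table.
ip inspect name FW_OUTBOUND tcp
ip inspect name FW_OUTBOUND udp
ip inspect name FW_OUTBOUND ftp
!
! 2. Log session creation and teardown so the dynamic openings are visible.
ip inspect audit-trail
!
! 3. DoS thresholds for half-open (incomplete) TCP sessions.
!    When the count crosses "high", CBAC starts deleting half-open sessions
!    and stops once it drops back to "low"; one-minute values rate-limit
!    new connection attempts, max-incomplete host limits a single target.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect tcp synwait-time 30
!
! 4. Inbound ACL on the untrusted interface: deny everything by default.
!    CBAC inserts temporary permit entries ahead of this deny for return
!    traffic belonging to sessions it has seen leave the network.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
! 5. Apply: inspect sessions leaving through the outside interface and
!    filter what comes back in with the ACL.
interface Serial0/0
 description Outside (untrusted)
 ip access-group OUTSIDE_IN in
 ip inspect FW_OUTBOUND out
!
interface FastEthernet0/0
 description Inside (trusted)
```

After an inside host opens a connection outbound, `show ip inspect sessions` lists the tracked session and `show ip inspect config` confirms the thresholds in effect.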
