How CBAC Works

1. Control traffic is inspected by the CBAC rule.

ip inspect name FWRULE tcp

2. CBAC creates a dynamic ACL allowing return traffic back.

access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447

3. CBAC continues to inspect control traffic and dynamically creates and removes ACLs as required by the application. It also monitors and protects against application-specific attacks.

4. CBAC detects when an application terminates or times out and removes all dynamic ACLs for that session.

©2000, Cisco Systems, Inc.

CSPFA 1.01-8-10

With CBAC, you specify which protocols you want to be inspected, and you specify an interface and interface direction (in or out) where inspection originates. Only specified protocols will be inspected by CBAC. For these protocols, packets flowing through the firewall in any direction are inspected, as long as they flow through the interface where inspection is configured. Packets entering the firewall are inspected by CBAC only if they first pass the inbound access list at the interface. If a packet is denied by the ACL, the packet is simply dropped and not inspected by CBAC.

CBAC inspects and monitors only the control channels of connections; the data channels are not inspected. For example, during FTP sessions both the control and data channels (which are created when a data file is transferred) are monitored for state changes, but only the control channel is inspected (that is, the CBAC software parses the FTP commands and responses).

CBAC inspection tracks sequence numbers in all TCP packets, and drops those packets with sequence numbers that are not within expected ranges. CBAC inspection also recognizes application-specific commands (such as illegal Simple Mail Transfer Protocol [SMTP] commands) in the control channel, and detects and prevents certain application-level attacks. When CBAC suspects an attack, the DoS feature can take several actions:

■ Generate alert messages

■ Protect system resources that could impede performance

■ Block packets from suspected attackers

CBAC uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established.

Setting timeout values for network sessions helps prevent DoS attacks by freeing up system resources, dropping sessions after a specified amount of time. Setting threshold values for network sessions helps prevent DoS attacks by controlling the number of half-open sessions, which limits the amount of system resources applied to half-open sessions. When a session is dropped, CBAC sends a reset message to the devices at both endpoints (source and destination) of the session. When the system under DoS attack receives a reset command, it releases, or frees up, processes and resources related to that incomplete session.

CBAC provides three thresholds against DoS attacks:

■ The total number of half-open TCP or UDP sessions

■ The number of half-open sessions based on time

■ The number of half-open TCP-only sessions per host

If a threshold is exceeded, CBAC has two options:

■ Send a reset message to the endpoints of the oldest half-open session, making resources available to service newly arriving SYN packets.

■ In the case of half-open TCP-only sessions, CBAC blocks all SYN packets temporarily for the duration configured by the threshold value. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources needed for valid connections.

DoS detection and prevention requires that you create a CBAC inspection rule and apply that rule on an interface. The inspection rule must include the protocols that you want to monitor against DoS attacks. For example, if you have TCP inspection enabled on the inspection rule, then CBAC can track all TCP connections to watch for DoS attacks. If the inspection rule includes FTP protocol inspection but not TCP inspection, CBAC tracks only FTP connections for DoS attacks.

A state table maintains session state information. Whenever a packet is inspected, a state table is updated to include information about the state of the packet's connection. Return traffic will only be permitted back through the firewall if the state table contains information indicating that the packet belongs to a permissible session. Inspection controls the traffic that belongs to a valid session and forwards the traffic it does not know. When return traffic is inspected, the state table information is updated as necessary.

UDP sessions are approximated. With UDP there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, similar source or destination addresses and port numbers), and if the packet was detected soon after another, similar UDP packet. Soon means within the configurable UDP idle timeout period.

Access list entries are dynamically created and deleted. CBAC dynamically creates and deletes access list entries at the firewall interfaces, according to the information maintained in the state tables. These access list entries are applied to the interfaces to examine traffic flowing back into the internal network. These entries create temporary openings in the firewall to permit only traffic that is part of a permissible session. The temporary access list entries are never saved to nonvolatile RAM (NVRAM).
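Putting the pieces above together (the inspection rule, the DoS timeouts and thresholds, and the inbound ACL that the dynamic entries open), here is an added IOS configuration example; it is not part of the course material, and the interface names, addresses and the specific timer and threshold values are assumed for illustration.

```cisco
! Added example, not from the course page. Interface names, addresses
! and the timer/threshold values below are assumed, not recommendations.
!
! Inspect TCP and UDP generically plus FTP at the application layer, so
! CBAC parses the FTP control channel and opens the data channel itself.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
!
! Log creation and removal of every dynamic session entry.
ip inspect audit-trail
!
! Timeouts: drop sessions that never complete the handshake, and
! approximate UDP sessions with an idle window.
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 1800
ip inspect udp idle-time 20
!
! Thresholds 1 and 2: total half-open sessions and new half-open
! sessions per minute. Above "high" CBAC starts resetting the oldest
! half-open session; it stops again once the count falls below "low".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Threshold 3: half-open TCP sessions per destination host. Above the
! limit CBAC blocks new SYNs to that host for block-time minutes.
ip inspect tcp max-incomplete host 50 block-time 2
!
! Inbound ACL on the outside interface: nothing is permitted statically.
! CBAC inserts its temporary return-traffic entries ahead of this line.
access-list 102 deny ip any any log
!
interface FastEthernet0/0
 description INSIDE (10.0.0.0/24 hosts originate sessions here)
 ip address 10.0.0.1 255.255.255.0
 ip inspect FWRULE in
!
interface Serial0/0
 description OUTSIDE
 ip address 172.30.1.1 255.255.255.0
 ip access-group 102 in
```

With this in place, a Telnet session from 10.0.0.3 to 172.30.1.50 produces the temporary entry shown on the slide above, and the entry disappears when the session closes or the idle timer expires; `show ip inspect sessions` lists the entries while they exist.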
