CBAC Configuration Task List

Configuring CBAC requires the following tasks:

• Picking an interface: internal or external

• Configuring IP access lists at the interface

• Configuring global timeouts and thresholds

• Defining an inspection rule

• Applying the inspection rule to an interface

• Configuring logging and audit trail

• Other guidelines for configuring a firewall

• Verifying CBAC (Optional)

Example 7-5 shows a router named R1 with two Ethernet interfaces, one defined as the inside interface (Ethernet0) and one as the outside interface (Ethernet1). For this example, CBAC is being configured to inspect RTSP and H.323 protocol traffic inbound from the protected network on a router with two Ethernet interfaces. Interface Ethernet0 is the protected network, and interface Ethernet1 is the unprotected network. The security policy for the protected site uses access control lists (ACLs) to inspect TCP/UDP protocol traffic. Inbound access for specific protocol traffic is provided through dynamic access lists, which are generated according to CBAC inspection rules.

ACL 199 permits TCP and UDP traffic from any source or destination, while denying specific ICMP protocol traffic and permitting ICMP trace route and unreachable messages. The final deny statement is not required but is included for explicitness; the final entry in any ACL is an implicit denial of all IP protocol traffic. Example 7-5 defines access list 199 on router R1, which has two Ethernet interfaces: Ethernet0 and Ethernet1.

Example 7-5 Access-list Definition

R1(config)# access-list 199 permit tcp any any eq telnet
R1(config)# access-list 199 deny udp any any eq syslog
R1(config)# access-list 199 deny icmp any any echo-reply
R1(config)# access-list 199 deny icmp any any echo
R1(config)# access-list 199 deny icmp any any time-exceeded
R1(config)# access-list 199 deny icmp any any packet-too-big
R1(config)# access-list 199 permit icmp any any traceroute
R1(config)# access-list 199 permit icmp any any unreachable
R1(config)# access-list 199 deny ip any any

ACL 199 is applied inbound at interface Ethernet1 to block all access from the unprotected network to the protected network. Example 7-6 configures the inbound ACL on R1.

Example 7-6 R1 ACL Inbound Configuration

R1(config)# interface ethernet1
R1(config-if)# ip access-group 199 in

An inspection rule is created for "users" that covers two protocols: RTSP and H.323. Example 7-7 configures R1 to inspect RTSP and H.323 traffic.

Example 7-7 Inspected Traffic

R1(config)# ip inspect name users rtsp
R1(config)# ip inspect name users h323

The inspection rule is applied inbound at interface Ethernet1 to inspect traffic from users on the protected network. When CBAC detects multimedia traffic from the protected network, CBAC creates dynamic entries in access list 199 to allow return traffic for multimedia sessions. Example 7-8 configures the R1 unprotected network to inspect traffic on interface Ethernet1.

Example 7-8 Inspects Traffic on R1 Protected Interface

R1(config)# interface Ethernet1
R1(config-if)# ip inspect users in
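To make the interaction between the static ACL of Example 7-5 and the dynamic entries described for Example 7-8 concrete, the following Python model is an added example; it is not Cisco code and not part of the original chapter. It evaluates access list 199 with first-match semantics and the implicit final deny, then models what inspection does when an inside host opens an RTSP or H.323 session: a temporary permit for exactly the return traffic is inserted at the head of the list and later removed by an idle timeout. The RTSP (554) and H.323 (1720) port numbers, the host addresses, the session bookkeeping and the idle timeout value are assumptions made for the illustration.

```python
# Added example (not Cisco code): a model of how the static ACL 199 from
# Example 7-5 and the CBAC inspection of Examples 7-7/7-8 interact. The port
# numbers, addresses, session bookkeeping and idle timeout are assumptions.
from dataclasses import dataclass
from typing import List, Optional

INSPECTED_PORTS = {"rtsp": 554, "h323": 1720}   # assumed ports for rule "users"

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # TCP/UDP ports; 0 for ICMP
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo", "unreachable"

@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None   # None means any port / any ICMP type
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    dynamic: bool = False         # True for openings inserted by inspection
    last_seen: float = 0.0        # used for the idle timeout

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))

# Static ACL 199 as defined in Example 7-5; entries are tried in order.
ACL_199: List[AclEntry] = [
    AclEntry("permit", "tcp", dport=23),                   # eq telnet
    AclEntry("deny", "udp", dport=514),                    # eq syslog
    AclEntry("deny", "icmp", icmp_type="echo-reply"),
    AclEntry("deny", "icmp", icmp_type="echo"),
    AclEntry("deny", "icmp", icmp_type="time-exceeded"),
    AclEntry("deny", "icmp", icmp_type="packet-too-big"),
    AclEntry("permit", "icmp", icmp_type="traceroute"),
    AclEntry("permit", "icmp", icmp_type="unreachable"),
    AclEntry("deny", "ip"),                                # explicit final deny
]

def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """First matching entry decides; no match falls to the implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"

def inspect_outbound(acl: List[AclEntry], p: Packet, now: float) -> bool:
    """Model 'ip inspect users in': a TCP session to an inspected port leaving
    the protected network gets a dynamic entry at the head of the ACL that
    permits only the matching return traffic. Returns True if one was added."""
    if p.proto != "tcp" or p.dport not in INSPECTED_PORTS.values():
        return False
    acl.insert(0, AclEntry("permit", "tcp", src=p.dst, dst=p.src,
                           sport=p.dport, dport=p.sport,
                           dynamic=True, last_seen=now))
    return True

def expire_dynamic(acl: List[AclEntry], now: float, idle_timeout: float) -> int:
    """Drop dynamic openings idle for idle_timeout seconds; return how many."""
    before = len(acl)
    acl[:] = [e for e in acl if not e.dynamic or now - e.last_seen < idle_timeout]
    return before - len(acl)

def demo() -> dict:
    """Run the scenario from the text and return each decision by name."""
    acl = list(ACL_199)   # fresh copy; the static definition is left intact
    outside, inside = "203.0.113.10", "10.1.1.5"    # constructed addresses
    reply = Packet("tcp", outside, inside, sport=554, dport=40000)
    request = Packet("tcp", inside, outside, sport=40000, dport=554)
    stray = Packet("tcp", "198.51.100.7", inside, sport=554, dport=40000)
    r = {}
    r["reply_before_session"] = evaluate(acl, reply)          # static deny
    r["opening_created"] = inspect_outbound(acl, request, now=0.0)
    r["reply_during_session"] = evaluate(acl, reply)          # dynamic permit
    r["stray_from_other_host"] = evaluate(acl, stray)         # still denied
    r["telnet_in"] = evaluate(acl, Packet("tcp", outside, inside, 5000, 23))
    r["icmp_echo"] = evaluate(acl, Packet("icmp", outside, inside, icmp_type="echo"))
    r["expired_entries"] = expire_dynamic(acl, now=3600.0, idle_timeout=3600.0)
    r["reply_after_timeout"] = evaluate(acl, reply)           # back to deny
    return r

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point worth noticing in the output is that the opening is keyed to the full five-tuple of the session the inside host started: a packet from a different outside host to the same inside port is still denied, and once the idle timeout removes the entry the static list is all that remains.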

You can view the CBAC logs by three methods:

• Debugging output (refer to the Cisco Documentation CD for full details)

• Syslog messages (show logging)

• Console messages (system messages)

After you complete the inspection of traffic, you can turn off CBAC with the global IOS command no ip inspect. The Cisco Systems IOS feature set also supports AAA, TACACS+, and Kerberos authentication protocols.

NOTE

Active audit and content filters are used with NetRanger and NetSonar products to allow administrators to decipher or reply to networks when an intruder has accessed the network. CBAC is just another useful tool in IOS that allows a quick audit of an IP network.
