[Figure 15-2: CBAC inspection of a Telnet session. Labels: Client, Fa0/0, Router, Fa0/1, Server. (1) The client sends a request for a Telnet session. (2) The Telnet traffic is inspected at the inbound interface. CBAC inspects only the control traffic and dynamically creates and removes ACL entries as required by the application; when the application terminates or times out, CBAC removes all dynamic ACL entries for that session. A temporary opening in the inbound access list at Fa0/1 permits the returning Telnet traffic for the user's Telnet session.]

In Figure 15-2, the inbound ACL at Fa0/1 is configured to block Telnet traffic, and no outbound ACL is configured at Fa0/0. When the connection request for User1's Telnet session passes through the Cisco IOS Firewall, CBAC creates a temporary opening in the inbound ACL at Fa0/1 to permit returning Telnet traffic for User1's Telnet session.

CBAC inspects and monitors only the control channels of connections, not the data channels. For example, during FTP sessions, both the control and data channels, which are created when a data file is transferred, are monitored for state changes. However, only the control channel is inspected.

CBAC inspection recognizes application-specific commands in the control channel, and detects and prevents certain application-level attacks.

Whenever a packet is inspected, a state table is updated to include information about the state of the packet's connection. The traffic permitted back through the Cisco IOS Firewall is composed of packets that have a permissible session from the state table.

The following is an example of the CBAC inspection process for passive FTP:

1. The FTP client sends out a synchronize start (SYN) packet on the control channel: Client -----SYN-----> Server

2. The firewall validates the rule set for permitting the connection and creates a hole in the ACL: Client <-----SYN ACK----- Server

3. The TCP handshake is completed: Client -----ACK-----> Server

4. When the ls command is entered, the FTP client sends the PASV and LIST commands to the server:

Client <-----Address/port info----- Server

On seeing the address/port in the reply to the PASV command, the firewall creates a pregenerated session and ACL holes. The holes point from the client to the server because the client will try to connect to the server to create the data channel, as the passive FTP specification requires.

5. The FTP client sends the SYN for this data connection: Client -----SYN DATA-----> Server

6. On seeing the SYN packet, the firewall creates holes that allow a synchronize acknowledge (SYN ACK) reply from the server: Client <-----SYN ACK----- Server

The holes can take from 5 to 10 seconds to create. At least three packets are exchanged between the client and the server when the user sends the ls command:
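To make the state-table behaviour in these steps concrete, here is an added Python model (not Cisco IOS code and not from the book) that tracks control sessions, parses the reply to PASV and pregenerates the data-channel hole before the client's data SYN arrives; the addresses, ports and the 227 reply are constructed sample values.

```python
import re
# Constructed model of CBAC's passive-FTP handling; not Cisco IOS code.
# The reply to PASV looks like "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_REPLY = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class CbacModel:
    def __init__(self):
        self.sessions = set()  # tracked flows: (client, cport, server, sport)
        self.pending = set()   # pregenerated data channels: (client, server, sport)
        self.holes = set()     # dynamic ACL entries permitting return traffic

    def outbound(self, client, cport, server, sport, syn=False):
        """Client -> server packet; True if the flow is in the state table."""
        flow = (client, cport, server, sport)
        if syn and (sport == 21 or (client, server, sport) in self.pending):
            # Control SYN (steps 1-2) or data SYN of a pregenerated session (step 5): open hole for SYN ACK.
            self.pending.discard((client, server, sport))
            self.sessions.add(flow)
            self.holes.add((server, sport, client, cport))
        return flow in self.sessions

    def inbound(self, server, sport, client, cport, payload=b""):
        """Server -> client packet; permitted only through a dynamic hole."""
        if (server, sport, client, cport) not in self.holes:
            return False
        m = PASV_REPLY.search(payload.decode("ascii", "ignore"))
        if m and sport == 21:
            # Step 4: PASV reply names the data port (p1*256 + p2); pregenerate the client -> server data session.
            addr = ".".join(m.group(i) for i in range(1, 5))
            self.pending.add((client, addr, int(m.group(5)) * 256 + int(m.group(6))))
        return True

    def close(self, client, cport, server, sport):
        # Session ends or times out: CBAC removes its dynamic ACL entries.
        self.sessions.discard((client, cport, server, sport))
        self.holes.discard((server, sport, client, cport))

def passive_ftp_walkthrough():
    fw, c, s = CbacModel(), "10.0.0.5", "192.0.2.10"  # constructed addresses
    pasv = b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"  # data port 50000
    verdicts = [
        fw.outbound(c, 40000, s, 21, syn=True),     # step 1: control-channel SYN
        fw.inbound(s, 21, c, 40000),                # step 2: SYN ACK through the hole
        fw.inbound(s, 21, c, 40000, pasv),          # step 4: PASV reply inspected
        fw.outbound(c, 40001, s, 50000, syn=True),  # step 5: data-channel SYN
        fw.inbound(s, 50000, c, 40001),             # step 6: data SYN ACK
        fw.inbound(s, 50001, c, 40001),             # no matching hole: dropped
    ]
    fw.close(c, 40001, s, 50000)
    return verdicts + [fw.inbound(s, 50000, c, 40001)]  # hole gone after close
```

The walkthrough returns one verdict per packet; the last two are False because unsolicited return traffic has no hole and a closed session's entries are removed.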
