Context Based Access-Lists

How CBAC works

Context Based Access-Lists (CBAC) open temporary openings in the ACLs on a firewall interface. Those openings are created when defined traffic from the internal network passes the router. The openings allow the return traffic to enter the network, which would normally be blocked by the existing ACLs on the router. Packets are only accepted when they belong to the same session that created the temporary opening. The ACLs and the ip inspect command have to be configured depending on the interface on which CBAC is to be set. Basically there are two types of interfaces, external and internal. External interfaces are the ones that point to the unsecured external network (such as the Internet), while internal interfaces connect to the protected internal network.

Supported protocols

CBAC supports the following protocols (IOS Version 12.4(19)):

  • 802-11-iapp — IEEE 802.11 WLANs WG IAPP
  • ace-svr — ACE Server/Propagation
  • aol — America-Online
  • appfw — Application Firewall
  • appleqtc — Apple QuickTime
  • bgp — Border Gateway Protocol
  • biff — Biff mail notification
  • bootpc — Bootstrap Protocol Client
  • bootps — Bootstrap Protocol Server
  • cddbp — CD Database Protocol
  • cifs — CIFS
  • cisco-fna — Cisco FNATIVE
  • cisco-net-mgmt — cisco-net-mgmt
  • cisco-svcs — cisco license/perf/GDP/X.25/ident svcs
  • cisco-sys — Cisco SYSMAINT
  • cisco-tdp — Cisco TDP
  • cisco-tna — Cisco TNATIVE
  • citrix — Citrix IMA/ADMIN/RTMP
  • citriximaclient — Citrix IMA Client
  • clp — Cisco Line Protocol
  • creativepartnr — Creative Partnr
  • creativeserver — Creative Server
  • cuseeme — CUSeeMe Protocol
  • daytime — Daytime (RFC 867)
  • dbase — dBASE Unix
  • dbcontrol_agent — Oracle dbControl Agent po
  • ddns-v3 — Dynamic DNS Version 3
  • dhcp-failover — DHCP Failover
  • discard — Discard port
  • dns — Domain Name Server
  • dnsix — DNSIX Security Attribute Token Map
  • echo — Echo port
  • entrust-svc-hdlr — Entrust KM/Admin Service Handler
  • entrust-svcs — Entrust sps/aaas/aams
  • esmtp — Extended SMTP
  • exec — Remote Process Execution
  • fcip-port — FCIP
  • finger — Finger
  • fragment — IP fragment inspection
  • ftp — File Transfer Protocol
  • ftps — FTP over TLS/SSL
  • gdoi — GDOI
  • giop — Oracle GIOP/SSL
  • gopher — Gopher
  • gtpv0 — GPRS Tunneling Protocol Version 0
  • gtpv1 — GPRS Tunneling Protocol Version 1
  • h323 — H.323 Protocol (e.g. MS NetMeeting, Intel Video Phone)
  • h323callsigalt — h323 Call Signal Alternate
  • h323gatestat — h323gatestat
  • hp-alarm-mgr — HP Performance data alarm manager
  • hp-collector — HP Performance data collector
  • hp-managed-node — HP Performance data managed node
  • hsrp — Hot Standby Router Protocol
  • http — HTTP Protocol
  • https — Secure Hypertext Transfer Protocol
  • ica — ica (Citrix)
  • icabrowser — icabrowser (Citrix)
  • icmp — ICMP Protocol
  • ident — Authentication Service
  • igmpv3lite — IGMP over UDP for SSM
  • imap — IMAP Protocol
  • imap3 — Interactive Mail Access Protocol 3
  • imaps — IMAP over TLS/SSL
  • ipass — IPASS
  • ipsec-msft — Microsoft IPsec NAT-T
  • ipx — IPX
  • irc — Internet Relay Chat Protocol
  • irc-serv — IRC-SERV
  • ircs — IRC over TLS/SSL
  • ircu — IRCU
  • isakmp — ISAKMP
  • iscsi — iSCSI
  • iscsi-target — iSCSI port
  • kazaa — KAZAA
  • kerberos — Kerberos
  • kermit — kermit
  • l2tp — L2TP/L2F
  • ldap — Lightweight Directory Access Protocol
  • ldap-admin — LDAP admin server port
  • ldaps — LDAP over TLS/SSL
  • login — Remote login
  • lotusmtap — Lotus Mail Tracking Agent Protocol
  • lotusnote — Lotus Note
  • microsoft-ds — Microsoft-DS
  • ms-cluster-net — MS Cluster Net
  • ms-dotnetster — Microsoft .NETster Port
  • ms-sna — Microsoft SNA Server/Base
  • ms-sql — Microsoft SQL
  • ms-sql-m — Microsoft SQL Monitor
  • msexch-routing — Microsoft Exchange Routing
  • mysql — MySQL
  • n2h2server — N2H2 Filter Service Port
  • ncp — NCP (Novell)
  • net8-cman — Oracle Net8 Cman/Admin
  • netbios-dgm — NETBIOS Datagram Service
  • netbios-ns — NETBIOS Name Service
  • netbios-ssn — NETBIOS Session Service
  • netshow — Microsoft NetShow Protocol
  • netstat — Variant of systat
  • nfs — Network File System
  • nntp — Network News Transport Protocol
  • ntp — Network Time Protocol
  • oem-agent — OEM Agent (Oracle)
  • oracle — Oracle
  • oracle-em-vp — Oracle EM/VP
  • oraclenames — Oracle Names
  • orasrv — Oracle SQL*Net v1/v2
  • parameter — Specify inspection parameters
  • pcanywheredata — pcANYWHEREdata
  • pcanywherestat — pcANYWHEREstat
  • pop3 — POP3 Protocol
  • pop3s — POP3 over TLS/SSL
  • pptp — PPTP
  • pwdgen — Password Generator Protocol
  • qmtp — Quick Mail Transfer Protocol
  • r-winsock — remote-winsock
  • radius — RADIUS & Accounting
  • rcmd — R commands (r-exec, r-login, r-sh)
  • rdb-dbs-disp — Oracle RDB
  • realaudio — Real Audio Protocol
  • realsecure — ISS Real Secure Console Service Port
  • router — Local Routing Process
  • rpc — Remote Procedure Call Protocol
  • rsvd — RSVD
  • rsvp-encap — RSVP ENCAPSULATION-1/2
  • rsvp_tunnel — RSVP Tunnel
  • rtc-pm-port — Oracle RTC-PM port
  • rtelnet — Remote Telnet Service
  • rtsp — Real Time Streaming Protocol
  • send — SEND
  • shell — Remote command
  • sip — SIP Protocol
  • sip-tls — SIP-TLS
  • skinny — Skinny Client Control Protocol
  • sms — SMS RCINFO/XFER/CHAT
  • smtp — Simple Mail Transfer Protocol
  • snmp — Simple Network Management Protocol
  • snmptrap — SNMP Trap
  • socks — Socks
  • sqlnet — SQL Net Protocol
  • sqlserv — SQL Services
  • sqlsrv — SQL Service
  • ssh — SSH Remote Login Protocol
  • sshell — SSLshell
  • ssp — State Sync Protocol
  • streamworks — StreamWork Protocol
  • stun — cisco STUN
  • syslog — SysLog Service
  • syslog-conn — Reliable Syslog Service
  • tacacs — Login Host Protocol (TACACS)
  • tacacs-ds — TACACS-Database Service
  • tarantella — Tarantella
  • tcp — Transmission Control Protocol
  • telnet — Telnet
  • telnets — Telnet over TLS/SSL
  • tftp — TFTP Protocol
  • time — Time
  • timed — Time server
  • tr-rsrb — cisco RSRB
  • ttc — Oracle TTC/SSL
  • udp — User Datagram Protocol
  • uucp — UUCPD/UUCP-RLOGIN
  • vdolive — VDOLive Protocol
  • vqp — VQP
  • webster — Network Dictionary
  • who — Who’s service
  • wins — Microsoft WINS
  • x11 — X Window System
  • xdmcp — XDM Control Protocol

Once one of these protocols is configured, CBAC inspects the traffic of that protocol, maintains the state table, and permits all return traffic that belongs to the same session.

CBAC performance impact

CBAC uses less than 600 bytes of memory for each session, so CBAC should only be used where it is really needed. CBAC can furthermore lead to a marginally higher CPU load when packets have to be inspected. Sometimes CBAC has to process long ACLs, which can have a negative impact on performance. This impact is normally avoided because CBAC uses an accelerated method to process ACLs: it hashes the ACLs and only processes the hashes.

CBAC on external interfaces

Guidelines for ACLs when CBAC is configured on the external interface:

  • If there is an outbound ACL on the external interface, a standard or extended ACL can be used. This outbound ACL has to permit the traffic that gets inspected by CBAC; otherwise CBAC will not inspect the traffic and the packets will be dropped.
  • The inbound ACL on the external interface has to be an extended ACL. This ACL has to deny all traffic that gets inspected by CBAC. CBAC opens temporary openings in this ACL to allow validated ingress traffic.

CBAC on internal interfaces

Guidelines for ACLs when CBAC is configured on the internal interface:

  • If there is an inbound ACL on the internal interface or an outbound ACL on the external interface, a standard or extended ACL can be used. This ACL has to permit the traffic that gets inspected by CBAC; otherwise CBAC will not inspect the traffic and the packets will be dropped.
  • The outbound ACL on the internal interface or the inbound ACL on the external interface has to be an extended ACL. This ACL has to deny all traffic that gets inspected by CBAC. CBAC opens temporary openings in this ACL to allow validated ingress traffic.

CBAC Configuration

Network layout

All CBAC configurations are done according to the diagram below. CBAC is configured only on R2.

CBAC on an internal interface

CBAC is configured for ICMP and Telnet on the internal interface:

ip inspect name INSPECT icmp
ip inspect name INSPECT telnet
!
interface FastEthernet0/0
ip address 116.1.12.2 255.255.255.0
ip inspect INSPECT in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 116.1.23.2 255.255.255.0
ip access-group INBOUND in
duplex auto
speed auto
!
ip access-list extended INBOUND
permit ospf any any
deny ip any any

As stated in the guidelines, the inbound ACL on the external interface denies all traffic that CBAC inspects. The ip inspect command is configured inbound on the internal interface. If R1 opens a Telnet or ICMP session to R3, CBAC will open a temporary hole.
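To make the interplay between the static INBOUND ACL and the dynamic session table concrete, here is an added Python model of the lab above; it is not IOS code and not from the original post, and the class, method and rule names are assumptions made for the illustration.

```python
# Added example, not from the original post and not IOS code: a small model of
# CBAC's session table in the lab above. Class, method and rule names are assumptions.
from dataclasses import dataclass, field
# "ip inspect name INSPECT icmp" / "ip inspect name INSPECT telnet":
# (layer-4 protocol, destination port or None) -> inspected application
INSPECT = {("icmp", None): "icmp", ("tcp", 23): "telnet"}

@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp", "tcp", "ospf", ...
    src: str
    sport: int   # for icmp: the type, as "show ip inspect sessions" displays it
    dst: str
    dport: int

def inspected_app(pkt):
    # Return the INSPECT application the packet belongs to, or None.
    return INSPECT.get((pkt.proto, None)) or INSPECT.get((pkt.proto, pkt.dport))

@dataclass
class CbacRouter:
    inbound_acl_permits: set   # protocols ACL INBOUND permits statically (here: ospf)
    sessions: set = field(default_factory=set)  # state table: inspected flows that left

    def from_internal(self, pkt):
        """Packet enters Fa0/0, where "ip inspect INSPECT in" is applied."""
        if inspected_app(pkt):
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "forwarded"

    def from_external(self, pkt):
        """Packet enters Fa0/1, where ACL INBOUND is applied."""
        # The temporary opening: the reverse of a recorded flow is accepted even
        # though INBOUND ends in "deny ip any any".
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permitted (CBAC session)"
        if pkt.proto in self.inbound_acl_permits:
            return "permitted (static ACL entry)"
        return "denied (deny ip any any)"

def demo():
    """R1 pings R3's loopback; then R3's reply and an unsolicited telnet SYN arrive."""
    r2 = CbacRouter(inbound_acl_permits={"ospf"})
    r2.from_internal(Packet("icmp", "116.1.12.1", 8, "99.1.3.3", 0))
    return {
        "echo_reply": r2.from_external(Packet("icmp", "99.1.3.3", 0, "116.1.12.1", 8)),
        "unsolicited_telnet": r2.from_external(Packet("tcp", "99.1.3.3", 51000, "116.1.12.1", 23)),
        "ospf_hello": r2.from_external(Packet("ospf", "116.1.23.3", 0, "224.0.0.5", 0)),
    }
```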

R2#sh ip inspect sessions
Established Sessions
Session 65492924 (116.1.12.1:8)=>(99.1.3.3:0) icmp SIS_OPEN
Session 654926A4 (116.1.12.1:42897)=>(99.1.3.3:23) telnet SIS_OPEN

R1 has now opened a telnet session to R3's loopback interface and issued a ping to the same interface. R2 allowed both sessions and keeps them open as long as they are active.
The command show ip inspect config displays the CBAC configuration:

R2#sh ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec — tcp finwait-time is 5 sec
tcp idle-time is 3600 sec — udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name INSPECT
icmp alert is on audit-trail is off timeout 10
telnet alert is on audit-trail is off timeout 3600

CBAC with local router traffic

The key element of CBAC with local router traffic is the keyword router-traffic at the end of the ip inspect definition, which tells the router to also inspect router-generated traffic. The keyword is not available for all protocols listed above. Furthermore, the ip inspect command has to be configured outbound on the external interface, since router-generated traffic can only exit an interface and never enters one of the router's own interfaces.

ip inspect name INSPECT icmp router-traffic
ip inspect name INSPECT tcp router-traffic
!
interface FastEthernet0/0
ip address 116.1.12.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 116.1.23.2 255.255.255.0
ip access-group INBOUND in
ip inspect INSPECT out
duplex auto
speed auto
!
ip access-list extended INBOUND
permit ospf any any
deny ip any any

TCP has been configured instead of telnet since CBAC does not support telnet with the keyword router-traffic. CBAC now works for router-generated traffic and still for traffic from R1, but since TCP has been configured, all TCP sessions will be inspected and permitted by R2. One option to avoid this behaviour is to create an outbound ACL on the external interface that drops all traffic except telnet and ICMP:

interface FastEthernet0/1
ip address 116.1.23.2 255.255.255.0
ip access-group INBOUND in
ip access-group OUTBOUND out
ip inspect INSPECT out
duplex auto
speed auto
!
ip access-list extended INBOUND
permit ospf any any
deny ip any any
ip access-list extended OUTBOUND
permit ospf any any
permit icmp any any
deny ip any any log

The ip inspect commands stay the same, but I configured a new outbound ACL on the external interface which now only permits OSPF and ICMP; everything else gets denied. I did not permit telnet in order to show how the new configuration behaves. R1 can still ping R3 but cannot open a telnet session anymore.

R1#ping 99.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 99.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/68 ms
R1#telnet 99.1.3.3
Trying 99.1.3.3 …
% Destination unreachable; gateway or host down

R2#
*Mar 1 00:56:14.471: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 116.1.12.1(0) -> 99.1.3.3(0), 1 packet

R2 is still able to ping and open telnet sessions to R3 since the outbound ACL does not deny any router generated traffic.

CBAC with local policy

Note: At the time of writing, only IOS versions up to 12.4(17b) work. IOS versions 12.4(18) to 12.4(19) no longer allow setting a loopback as the next interface in a route-map. The router rejects it with the message:
% route-map:can not set interface.
% Use P2P interfaces for set interface clause

One way to work around the problem described above is to use a local policy which passes the router-generated traffic first over a loopback interface and afterwards out of a physical interface.

ip inspect name INSPECT icmp
ip inspect name INSPECT telnet
!
interface Loopback0
ip address 99.1.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 116.1.12.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 116.1.23.2 255.255.255.0
ip access-group INBOUND in
ip access-group OUTBOUND out
ip inspect INSPECT out
duplex auto
speed auto
!
ip local policy route-map LOCAL
!
ip access-list extended INBOUND
permit ospf any any
deny ip any any
ip access-list extended LOCAL
permit icmp any any
permit tcp any any eq telnet
ip access-list extended OUTBOUND
permit ospf any any
permit icmp any any
deny ip any any log
!
route-map LOCAL permit 10
match ip address LOCAL
set interface Loopback0

The key element of this configuration is the local policy and the corresponding route-map. The command ip local policy route-map is used to match router-generated traffic and process it in the route-map; normally router-generated traffic is not processed by policy-based routing. The route-map LOCAL matches, via the ip access-list LOCAL, all ICMP and telnet traffic generated by R2 and redirects it to the Loopback0 interface. At this point the ACL OUTBOUND on interface fa0/1 takes effect for that traffic and only allows ICMP traffic from R1 and R2; telnet traffic from both routers is dropped.

R1#ping 99.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 99.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/44 ms
R1#telnet 99.1.3.3
Trying 99.1.3.3 …
% Destination unreachable; gateway or host down
R2#
*Mar 1 00:20:06.819: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 116.1.12.1(0) -> 99.1.3.3(0), 1 packet


R2#ping 99.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 99.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms
R2#telnet 99.1.3.3
Trying 99.1.3.3 …
% Destination unreachable; gateway or host down
R2#
*Mar 1 00:20:59.259: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 116.1.23.2(0) -> 99.1.3.3(0), 1 packet
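The "deny ip any any log" entry in ACL OUTBOUND produces the %SEC-6-IPACCESSLOGP messages shown above, which are what a syslog collector would watch to see what the ACL dropped. The following parser is an added example, not part of the original post; the sample log lines are constructed after the ones in the article and the function names are assumptions.

```python
# Added example: parse the "%SEC-6-IPACCESSLOGP" messages produced by
# "deny ip any any log" in ACL OUTBOUND and total the denied packets per
# ACL, source address and protocol. Sample lines are constructed after the
# article's output; the ports show as (0) because the matching entry is an
# IP-level deny, not a TCP-level one.
import re
from collections import Counter

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

SAMPLE_LOG = """\
*Mar 1 00:20:06.819: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 116.1.12.1(0) -> 99.1.3.3(0), 1 packet
*Mar 1 00:20:59.259: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 116.1.23.2(0) -> 99.1.3.3(0), 1 packet
*Mar 1 00:25:10.001: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 116.1.12.1(0) -> 99.1.3.3(0), 4 packets
*Mar 1 00:26:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

def parse_acl_log(text):
    """Return one dict per ACL log message; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            for key in ("sport", "dport", "count"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events

def denies_by_source(events):
    """Total denied packets keyed by (ACL name, source address, protocol)."""
    totals = Counter()
    for ev in events:
        if ev["action"] == "denied":
            totals[(ev["acl"], ev["src"], ev["proto"])] += ev["count"]
    return totals
```

Note that IOS rate-limits these messages and aggregates repeats into the packet count, so the totals are a lower bound on what the ACL actually dropped.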


3 comments

  1. emontene

    Just wondering if ip local-policy route-map command for a telnet ACL entry could apply for telnet generated from the admin who accessed to the router by console port or it is just for telnet sessions generated from previous telnet session to this router first.

    Thanks in advance

  2. pashtuk

    Hi Emontene
    I'm not sure if I really get what you want to try. Do you want to apply an ACL to the console to prevent access to it or from the console to somewhere else?

  3. Adam

    Hi emontene,

    AFAIK all locally generated packets are subject to local policy routing so the answer to your question is yes, this config will also affect outbound telnet sessions that are opened from a console (or from any other local exec session like another vty). If you want this not to be the case you can e.g. specify “ip telnet source” in your config to tie the session source to a specific interface and then be more specific in your ip policy route-map / acl to exclude this address.

    HTH
    Adam
