
Configuring CBAC on Cisco 1841

April 10th, 2010

Context-Based Access Control (CBAC) intelligently filters TCP and UDP packets based on application layer protocol session information and can be used for intranets, extranets and internets. CBAC can be configured to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network needing protection.

CBAC can inspect traffic for sessions that originate from either side of the firewall. This is the basic function of a stateful inspection firewall.

CBAC allows network administrators to implement firewall intelligence as part of an integrated, single-box solution.

For example, sessions with an extranet partner involving Internet applications, multimedia applications, or Oracle databases would no longer necessitate opening a network doorway accessible via weaknesses in the partner's network.

CBAC lets tightly-secured networks run today's basic application traffic plus advanced applications such as multimedia and video conferencing securely through a router.

CBAC is a per-application control mechanism for IP traffic including standard TCP and UDP Internet applications, multimedia applications (including H.323 and other video applications), and Oracle databases.

  • Before CBAC, administrators could permit advanced application traffic only by writing permanent ACLs that essentially left firewall doors open, so most administrators opted to deny all such application traffic.
  • Now with CBAC, they can securely permit multimedia and other application traffic by opening the firewall as needed, and closing it all other times.

For example, if CBAC is configured to allow Microsoft NetMeeting, when an internal user initiates a connection, the firewall permits return traffic. However, if an external NetMeeting source initiates a connection with an internal user, CBAC denies entry and drops the packets.

Configuration:

A basic template for an internet-facing Cisco 1841 with an inside LAN of 192.168.150.0/24 (for an advanced template for an internet router, see here).

For CBAC configuration testing, I have a Quick Practice Lab.

!
username [a user] password [a password]
!
aaa new-model
aaa authentication login default local
ip inspect name my_firewall ftp timeout 3600
ip inspect name my_firewall smtp timeout 3600
ip inspect name my_firewall udp timeout 15
ip inspect name my_firewall tcp timeout 3600
!
interface FastEthernet0/0
description Inside of Network
ip address 192.168.150.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
description Outside of network
ip address <outside IP> <subnet mask>
ip nat outside
ip access-group OUTSIDE_IN in
ip inspect name my_firewall out
!
ip nat inside source list NAT interface FastEthernet0/1 overload
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 <default gateway>
!
no ip http server
no ip http secure-server
!
line con 0
logging sync
line vty 0 15
trans input ssh
logging sync
!
ip access-list extended NAT
permit ip 192.168.150.0 0.0.0.255 any
!
ip access-list extended OUTSIDE_IN
deny   ip host 0.0.0.0 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
deny   ip any any
!
crypto key gen rsa general-keys mod 1024

To see how CBAC works refer to this Quick Practice Lab
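To make the behaviour of the template above concrete, here is an added Python model (not Cisco code and not part of the original post) of what the `ip inspect name my_firewall out` and `ip access-group OUTSIDE_IN in` pair does: outbound TCP/UDP from the LAN is recorded with the page's idle timeouts, and inbound packets are admitted only by a live session entry or by the static OUTSIDE_IN rules. It ignores NAT (sessions are keyed on the inside address) and uses constructed addresses and port numbers for the NetMeeting scenario.

```python
import ipaddress

# Static OUTSIDE_IN entries from the page: spoofed/private sources are denied,
# only ICMP echo-reply and time-exceeded are permitted, then 'deny ip any any'.
DENY_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "127.0.0.0/8", "192.0.2.0/24", "224.0.0.0/3",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STATIC_ICMP_PERMIT = {"echo-reply", "time-exceeded"}
# Idle timeouts (seconds) from the page's 'ip inspect name my_firewall' lines.
TIMEOUTS = {"tcp": 3600, "udp": 15}
INSIDE_NET = ipaddress.ip_network("192.168.150.0/24")


class CbacModel:
    """Toy model: 'ip inspect ... out' on the outside interface records sessions
    leaving the LAN; 'ip access-group OUTSIDE_IN in' filters what comes back."""

    def __init__(self):
        self.sessions = {}  # (proto, src, sport, dst, dport) -> last-seen time

    def outbound(self, proto, src, sport, dst, dport, now):
        # Only TCP/UDP originating from the inside LAN is inspected and tracked.
        if proto in TIMEOUTS and ipaddress.ip_address(src) in INSIDE_NET:
            self.sessions[(proto, src, sport, dst, dport)] = now

    def inbound(self, proto, src, sport, dst, dport, now, icmp_type=None):
        # Dynamic session entries are evaluated ahead of the static OUTSIDE_IN ACL.
        key = (proto, dst, dport, src, sport)  # return direction of a session
        last = self.sessions.get(key)
        if last is not None:
            if now - last <= TIMEOUTS[proto]:
                self.sessions[key] = now
                return "permit (inspected session)"
            del self.sessions[key]  # idle timeout expired, entry removed
        if any(ipaddress.ip_address(src) in net for net in DENY_SOURCES):
            return "deny (bogon/private source)"
        if proto == "icmp" and icmp_type in STATIC_ICMP_PERMIT:
            return f"permit (icmp {icmp_type})"
        return "deny (implicit deny ip any any)"


def netmeeting_demo():
    """Replays the page's NetMeeting scenario with constructed addresses/ports."""
    fw = CbacModel()
    fw.outbound("tcp", "192.168.150.10", 40000, "203.0.113.5", 1720, now=0)
    inside_initiated = fw.inbound("tcp", "203.0.113.5", 1720, "192.168.150.10", 40000, now=10)
    outside_initiated = fw.inbound("tcp", "203.0.113.5", 50000, "192.168.150.10", 1720, now=10)
    fw.outbound("udp", "192.168.150.10", 5000, "203.0.113.5", 53, now=100)
    udp_after_timeout = fw.inbound("udp", "203.0.113.5", 53, "192.168.150.10", 5000, now=120)
    return inside_initiated, outside_initiated, udp_after_timeout
```

Running `netmeeting_demo()` shows the inside-initiated return traffic permitted, the outside-initiated attempt dropped, and the UDP reply refused once the 15 second idle timeout has elapsed.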
