Context-Based Access Control, generally referred to as CBAC (pronounced see-BACK), is a stateful deep packet inspection implementation for Cisco IOS. It is provided as part of the Firewall Feature Set for version 12.1 and later of IOS, allowing a CBAC-equipped router or layer 3 switch to act as an intelligent packet-filtering firewall.

Originally, Cisco's extended IP access lists allowed rules to be specified by source IP address, source port, destination address, destination port and IP protocol (such as TCP, UDP or OSPF), but provided no way to permit reply traffic. Later, Cisco added the 'established' keyword, but this was only a partial solution: it supported only TCP traffic, and did only the most basic state checking, namely making sure that the TCP ACK flag was set.

Reflexive access lists were the next attempt to shore up this situation. These allowed the router to automagically generate rules to permit in reply traffic, strictly specifying the IP addresses and ports for the reply traffic, and they weren't TCP-specific. This is a lot better, but not quite enough to be truly stateful. One problem is that they don't do any state validation on incoming traffic. This isn't a huge problem normally: only traffic from the same IP address that was initially contacted will be permitted, and then only when sourced from the original destination port and destined to the machine that initially made the request (on the port that the request was initially sourced from). But if an attacker can figure out these parameters, the session can be hijacked or a new session can be established. The latter is especially troublesome for DNS implementations that source queries from port 53 (the same port that a DNS server listens on). Also, reflexive access lists don't handle cases like FTP or H.323 cleanly, requiring nasty kludges like permitting wide swaths of ports for inbound connections, which can severely undermine the strength of a firewall.

CBAC attempts to correct this situation by adding proper statefulness and layer-7 inspection to existing Cisco ACL functionality. It will now do properly firewall-like checks on outbound and return traffic, verifying TCP sequence numbers and ensuring that an outbound connection has in fact been established before allowing inbound traffic. It can also dynamically add inbound or outbound permit rules to handle ugly cases like FTP or H.323. Later incarnations can do even more protocol enforcement, like blocking Java in HTTP, or validating that traffic on UDP port 53 is in fact DNS and not something else. It can even filter HTTP and ESMTP traffic for certain regex patterns, allowing it to perform similar functions to Apache's mod_security.

The actual implementation uses a new configuration command, ip inspect, which is separate from extended ACL configuration. This is a bit clunky, but not overly difficult to understand. You will still need extended ACLs to establish what traffic is and is not permitted on a given interface, but CBAC takes care of allowing the replies and enforcing protocol.
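To make the division of labour concrete, here is an added example configuration (not part of the original writeup, and not taken from Cisco documentation) for a two-interface perimeter router. The interface names, addresses, the inspection rule name PERIMETER, the ACL names and numbers, and the timeout values are all assumptions chosen for the example. The extended ACLs decide what may be initiated and what is statically allowed in; the `ip inspect` rule tracks the sessions and opens the return path and the FTP/H.323 secondary channels on its own.

```cisco
! Added example configuration; interface names, addresses, the rule name
! PERIMETER, ACL names/numbers and timeouts are assumptions for illustration.
!
! Inspection rule: one "ip inspect name" line per protocol to track.
! Generic tcp/udp entries give stateful handling of return traffic; the
! protocol-specific entries (ftp, h323, smtp, http) add layer-7 inspection
! and let CBAC open the secondary data/media channels those protocols negotiate.
ip inspect name PERIMETER tcp timeout 3600
ip inspect name PERIMETER udp timeout 30
ip inspect name PERIMETER ftp
ip inspect name PERIMETER h323
ip inspect name PERIMETER smtp
! java-list 10 points at a standard ACL listing the only sites whose Java
! applets are allowed through; applets from anywhere else are blocked.
ip inspect name PERIMETER http java-list 10
!
! Standard ACL 10: the one site permitted to serve Java applets (example address).
access-list 10 permit 192.0.2.10
!
! Log session creation and teardown so the dynamic entries can be audited.
ip inspect audit-trail
!
! Static extended ACL on the outside interface: permit only what must be
! reachable from the outside unconditionally (here, nothing) and deny the rest.
! CBAC inserts temporary permit entries ahead of this ACL for the return
! traffic of inspected sessions, so no "established" or reflexive rules are needed.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
! Extended ACL on the inside interface: what inside hosts may initiate.
ip access-list extended INSIDE-IN
 permit tcp 192.168.1.0 0.0.0.255 any eq 21
 permit tcp 192.168.1.0 0.0.0.255 any eq 25
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 1720
 permit udp 192.168.1.0 0.0.0.255 any eq 53
 deny   ip any any log
!
interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip inspect PERIMETER in
!
interface FastEthernet0/1
 description Outside (perimeter)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
```

With this in place, `show ip inspect sessions` lists the sessions CBAC is currently tracking (and therefore the temporary openings in OUTSIDE-IN), and `show ip inspect config` shows the rule as parsed. Note that the inspection rule is applied where sessions originate (inbound on the inside interface here); applying it outbound on the outside interface is the equivalent alternative.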

The more CBAC features you use, the greater the load on the router, so CBAC should not be used on backbone routers or LAN routers that handle large numbers of packets or very high throughput. It should be used on routers that sit at security perimeters, such as the entry and exit point for a given network.
