CBAC Context-Based Access Control
June 13, 2008
CBAC is a Cisco IOS router security feature that provides a more sophisticated form of perimeter security than simple access control lists in order to mitigate threats from unprotected networks: it performs dynamic, stateful inspection of specific traffic as it traverses the IOS firewall (IOS FW).
This lab provides basic configuration guidelines and general recommendations for CBAC deployment, and shows how CBAC can mitigate some attacks, such as a SYN flood.
Figure 1: CBAC lab topology
I) CBAC Configuration guideline:
- Select interfaces controlled by CBAC:
CBAC router:
Remember that an inspection rule is applied to a particular interface in a particular direction; CBAC therefore controls, by dynamically allowing or denying it, the traffic entering the other interfaces in the direction opposite to the inspection rule.
– Fa0/0: internal interface, from which sessions can be originated to any destination. CBAC decides whether to allow traffic entering Fa1/0 and Fa2/0 (which would normally be blocked) if it is the return traffic of a session originated from Fa0/0 (which is normally allowed by the ACL).
– Fa1/0: DMZ interface. Traffic generated from the other areas toward the DMZ servers should be inspected at a single point, Fa1/0. Only servers are supposed to reside in the DMZ, not hosts.
CBAC decides whether to allow the return traffic coming back from the DMZ (which would normally be blocked).
- Configure Access Control Lists:
- Identify the applications that need to be inspected and make sure that the outgoing traffic from the protected zone is not blocked by any ACL.
- Set ACLs to block traffic coming from the unprotected interfaces; CBAC will take care of dynamically opening holes in those ACLs to permit legitimate return traffic.
- Packets entering the IOS FW are inspected by CBAC only if they first pass the inbound ACL on the interface.
- One blocking ACL should be bound inbound to the outside interface Fa2/0 and another inbound to the DMZ interface, thereby blocking illegitimate traffic before it enters the IOS FW.
- In a production environment you also have to take into account address-space filtering according to RFC 2827, in other words blocking private addresses arriving from outside, broadcast and bogon addresses, spoofed source addresses, etc.
- Don’t forget the implicit “deny ip any any” at the end of every ACL.
Table 1: Access control lists

ACL name     | Permit/deny | Protocol | Source IP    | Src mask | Src port | Destination IP | Dst mask | Dst port
-------------|-------------|----------|--------------|----------|----------|----------------|----------|---------------
FROM_DMZ     | deny        | ip       | any          | –        | –        | any            | –        | –
FROM_INSIDE  | permit      | ip       | 192.168.11.0 | 24       | –        | any            | –        | –
FROM_OUTSIDE | permit      | tcp      | any          | –        | –        | 10.10.10.1     | 32       | www
             | permit      | tcp      | any          | –        | –        | 10.10.10.1     | 32       | telnet
             | permit      | tcp      | any          | –        | –        | 10.10.10.1     | 32       | ssh
             | permit      | tcp      | any          | –        | –        | 10.10.10.1     | 32       | smtp
             | permit      | tcp      | any          | –        | –        | 10.10.10.1     | 32       | ftp
             | permit      | icmp     | any          | –        | –        | 10.10.10.1     | 32       | echo*
             | permit      | icmp     | any          | –        | –        | 192.168.11.0   | 24       | echo*
             | permit      | icmp     | any          | –        | –        | 192.168.11.0   | 24       | time-exceeded*
             | permit      | icmp     | any          | –        | –        | 192.168.11.0   | 24       | unreachable*
             | deny        | ip       | any          | –        | –        | any            | –        | –

*For ICMP traffic the ICMP type is given in the “Dst port” column.
ip access-list extended FROM_DMZ
 deny ip any any
ip access-list extended FROM_INSIDE
 permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended FROM_OUTSIDE
 permit tcp any host 10.10.10.1 eq www
 permit tcp any host 10.10.10.1 eq 22
 permit tcp any host 10.10.10.1 eq telnet
 permit tcp any host 10.10.10.1 eq smtp
 deny ip any any
- Set global timeouts and thresholds:
Table 3: Generic protocol timeouts and thresholds (default values)

Protocol | Timeout / threshold |                    | Value
---------|---------------------|--------------------|-----------------------
TCP      | One-minute rate     | Low                | 400 half-open sessions
TCP      | One-minute rate     | High               | 500 half-open sessions
TCP      | Max-incomplete      | Low                | 400 half-open sessions
TCP      | Max-incomplete      | High               | 500 half-open sessions
TCP      | Per host            | Half-open sessions | 50
TCP      | Per host            | Block-time         | 0 min
TCP      | Synwait-time        |                    | 30 s
TCP      | Finwait-time        |                    | 5 s
TCP      | Idle-time           |                    | 3600 s
UDP      | Idle-time           |                    | 30 s
- Define the inspection rule:
For the purpose of this lab a standard inspection rule is defined for generic TCP and UDP applications.
Each protected zone has its own inspection rule.
ip inspect name MyGENERIC_inside tcp
ip inspect name MyGENERIC_inside udp
ip inspect name MyGENERIC_inside http
ip inspect name MyGENERIC_inside icmp
ip inspect name MyGENERIC_inside ftp
ip inspect name MyGENERIC_dmz tcp
ip inspect name MyGENERIC_dmz udp
- Apply inspection rules to interfaces:
An inspection rule is applied to the interfaces where the traffic should be inspected: MyGENERIC_inside inbound on Fa0/0 and MyGENERIC_dmz outbound on Fa1/0.
interface FastEthernet0/0
 ip access-group FROM_INSIDE in
 ip inspect MyGENERIC_inside in
interface FastEthernet1/0
 ip access-group FROM_DMZ in
 ip inspect MyGENERIC_dmz out
interface FastEthernet2/0
 ip access-group FROM_OUTSIDE in
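To make the interplay between the static inbound ACLs and the inspection rules concrete, here is an added model of the lab's forwarding decision (example code written for this post, not Cisco's implementation). It uses the addresses, ACLs and inspection rules from the running configuration above; return traffic of an inspected session is admitted ahead of the static ACL, exactly the hole CBAC opens dynamically.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of the lab's CBAC behaviour (added example, not Cisco's code):
# inside 192.168.11.0/24 behind Fa0/0, DMZ server 10.10.10.1 behind Fa1/0, outside on Fa2/0.
@dataclass(frozen=True)
class Pkt:
    iface: str   # ingress interface
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

# Static inbound ACLs from the running config: each ACE is
# (protocol, source net, destination net, destination port or None); implicit deny at the end.
ACLS = {
    "Fa0/0": [("ip", "192.168.11.0/24", "0.0.0.0/0", None)],                          # FROM_INSIDE
    "Fa1/0": [],                                                                      # FROM_DMZ
    "Fa2/0": [("tcp", "0.0.0.0/0", "10.10.10.1/32", p) for p in (80, 22, 23, 25)],   # FROM_OUTSIDE
}
# Inspection rules: interface -> (direction, inspected protocols), as applied in the lab
INSPECT = {"Fa0/0": ("in", {"tcp", "udp", "http", "icmp", "ftp"}),
           "Fa1/0": ("out", {"tcp", "udp"})}

def _match(ace, p):
    proto, src, dst, dport = ace
    return (proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(dst)
            and dport in (None, p.dport))

class CbacRouter:
    def __init__(self):
        self.sessions = set()   # (proto, src, sport, dst, dport) of inspected sessions

    def forward(self, p, egress):
        """True if the packet entering p.iface and leaving `egress` is allowed through."""
        # 1. Return traffic of an inspected session is let in ahead of the static inbound ACL
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True
        # 2. Otherwise the inbound ACL on the ingress interface decides
        if not any(_match(a, p) for a in ACLS[p.iface]):
            return False
        # 3. Permitted packets are inspected by a rule applied "in" on ingress or "out" on
        #    egress; the recorded session lets the replies pass step 1
        for iface, direction in ((p.iface, "in"), (egress, "out")):
            rule = INSPECT.get(iface)
            if rule and rule[0] == direction and p.proto in rule[1]:
                self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True
```

Session ageing (the idle, synwait and finwait timers of Table 3) is deliberately left out; the model only shows which packets the ACL and the inspection table admit.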
Connectivity check:
To reduce the clutter when troubleshooting CBAC it is highly recommended to check the connectivity between all devices before starting to apply the inspection rules and access lists.
From the DMZ, after applying CBAC and the associated ACL:
DMZ hosts cannot initiate any connection, neither to the outside nor to the inside.
DMZ#192.168.40.105
Trying 192.168.40.105 …
% Destination unreachable; gateway or host down
DMZ#192.168.11.105
Trying 192.168.11.105 …
% Destination unreachable; gateway or host down
DMZ#
From the outside, after applying CBAC and the associated ACL:
The outside can initiate connections only to the DMZ services that are permitted by the ACL and covered by the inspection rules, not to inside hosts.
outside#192.168.11.105
Trying 192.168.11.105 …
% Destination unreachable; gateway or host down
outside#10.10.10.1
Trying 10.10.10.1 … Open
User Access Verification
Username:
Password:
Monitoring from CBAC router:
- The following is a summary of the CBAC configuration, from the output of “show ip inspect all”:
CBAC(config-if)#do sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec — tcp finwait-time is 5 sec
tcp idle-time is 3600 sec — udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name MyGENERIC_inside
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    http alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
    ftp alert is on audit-trail is off timeout 3600
 Inspection name MyGENERIC_dmz
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
Interface Configuration
 Interface FastEthernet0/0
  Inbound inspection rule is MyGENERIC_inside
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    http alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
    ftp alert is on audit-trail is off timeout 3600
  Outgoing inspection rule is not set
  Outgoing access list is not set
 Interface FastEthernet1/0
  Inbound inspection rule is not set
  Outgoing inspection rule is MyGENERIC_dmz
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
  Outgoing access list is not set
Established Sessions
 Session 6509A4A8 (192.168.10.2:63377)=>(10.10.10.1:23) tcp SIS_OPEN
 Session 6509A230 (192.168.40.105:4916)=>(10.10.10.1:23) tcp SIS_OPEN
CBAC(config-if)#
CBAC#sh ip inspect statistics
Packet inspection statistics [process switch:fast switch]
  tcp packets: [3:181]
Interfaces configured for inspection 2
Session creations since subsystem startup or last reset 3
Current session counts (estab/half-open/terminating) [2:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:1]
Last session created 00:01:31
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
CBAC#
- Telnet connections from the inside to the DMZ zone
CBAC#debug ip inspect detailed
INSPECT Detailed Debug debugging is on
CBAC#
*Mar 1 02:18:23.023: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.10.2, src_port:24819, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23
CBAC#
inside#192.168.40.105
Trying 192.168.40.105 … Open
Welcome to Microsoft Telnet Service
login: <adminlogin>
password:
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\Documents and Settings\<adminlogin>.MNGMNT.001>
CBAC#
*Mar 1 02:22:52.315: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.10.2, src_port:29067, dst_tableid:0, dst_addr:192.168.40.105, dst_port:23
CBAC#
- The IOS FW router can detect and refuse replayed packets by comparing them against the records in its inspection table:
CBAC#
*Mar 1 02:35:03.503: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.40.105, src_port:4946, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23
*Mar 1 02:35:13.547: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.40.105, src_port:4946, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23
*Mar 1 02:35:23.567: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.40.105, src_port:4946, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23
CBAC#sh ip inspect sessions
Established Sessions
 Session 65099FB8 (192.168.10.2:29067)=>(192.168.40.105:23) tcp SIS_OPEN
 Session 6509A4A8 (192.168.10.2:63377)=>(10.10.10.1:23) tcp SIS_OPEN
CBAC#clear
- The IOS router reacts as expected to a SYN flood (100 packets every 10 ms) by blocking the half-open sessions that exceed the configured per-host value.
CBAC#
*Mar 1 04:11:43.562: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 10.10.10.1.
CBAC#
CBAC#sh ip inspect stat
Packet inspection statistics [process switch:fast switch]
  tcp packets: [2884:12563]
Interfaces configured for inspection 2
Session creations since subsystem startup or last reset 409
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [3:51:1]
Last session created 00:00:50
Last statistic reset never
Last session creation rate 76
Last half-open session total 0
CBAC#
- With a more aggressive attack (more than 500 half-open sessions per minute) the IOS FW enters aggressive mode and reacts by dropping sessions.
*Mar 1 04:14:44.530: %FW-4-ALERT_ON: getting aggressive, count (51/500) current 1-min rate: 501
CBAC#
- As soon as the number of half-open sessions drops below the low threshold of 400 sessions per minute, the IOS FW stops dropping sessions.
CBAC#
*Mar 1 04:16:38.294: %FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
CBAC#
- This can cause a denial of service of the router itself if no protection against this type of attack is in place in a production environment; note the CPU utilization climbing during the flood:
CBAC#sh proc cpu
CPU utilization for five seconds: 3%/0%; one minute: 3%; five minutes: 8%
…
CBAC#sh proc cpu
CPU utilization for five seconds: 41%/56%; one minute: 6%; five minutes: 8%
…
CBAC#sh proc cpu
CPU utilization for five seconds: 18%/100%; one minute: 9%; five minutes: 9%
…
CBAC#sh proc cpu
CPU utilization for five seconds: 17%/100%; one minute: 15%; five minutes: 11%
…
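The alert sequence above follows from the half-open thresholds of Table 3. The following added model (written for this post, not Cisco's code) replays a constructed SYN flood against the DMZ server through those thresholds and emits the same three messages: the per-host limit fires first, the one-minute rate then drives the firewall into aggressive mode, and it calms down once the rate falls below the low threshold. Timestamps are seconds, the flood source address is constructed, and the aggressive-mode and per-host behaviours are modelled as "delete the oldest half-open session", which is what block-time 0 means.

```python
from collections import deque
# Constructed model of CBAC's half-open (SYN) thresholds; an added example, not Cisco's code.
# Defaults follow Table 3: one-minute rate [400:500], max-incomplete [400:500], 50 per host.
class HalfOpenMonitor:
    def __init__(self, one_min=(400, 500), max_inc=(400, 500), per_host=50):
        self.low, self.high = one_min
        self.inc_low, self.inc_high = max_inc
        self.per_host = per_host
        self.recent = deque()      # creation times of half-open sessions in the last 60 s
        self.half_open = {}        # (src, sport, dst, dport) -> creation time (insertion ordered)
        self.aggressive, self.host_alerted, self.events = False, set(), []

    def _rate(self, now):
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()
        return len(self.recent)

    def _update_mode(self, now):
        rate, count = self._rate(now), len(self.half_open)
        if not self.aggressive and (rate > self.high or count > self.inc_high):
            self.aggressive = True
            self.events.append(f"%FW-4-ALERT_ON: getting aggressive, count ({count}/{self.inc_high}) current 1-min rate: {rate}")
        elif self.aggressive and rate < self.low and count < self.inc_low:
            self.aggressive = False
            self.events.append(f"%FW-4-ALERT_OFF: calming down, count ({count}/{self.inc_low}) current 1-min rate: {rate}")

    def syn(self, now, key):
        """New TCP SYN at time `now`; returns the half-open session deleted to make room, if any."""
        dst = key[2]
        self.recent.append(now)
        self._update_mode(now)
        victim = None
        if self.aggressive and self.half_open:       # aggressive mode: drop the oldest half-open session
            victim = next(iter(self.half_open))
            del self.half_open[victim]
        to_host = [k for k in self.half_open if k[2] == dst]
        if len(to_host) >= self.per_host:            # per-host limit, block-time 0: drop host's oldest
            if dst not in self.host_alerted:
                self.host_alerted.add(dst)
                self.events.append(f"%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections ({self.per_host}) exceeded for host {dst}.")
            victim = to_host[0]
            del self.half_open[victim]
        self.half_open[key] = now
        return victim

    def established(self, now, key):
        """Handshake completed or session timed out: it leaves the half-open table."""
        self.half_open.pop(key, None)
        self._update_mode(now)
```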
II) Conclusion:
A successful deployment of CBAC relies on understanding the application traffic that traverses the IOS firewall, on knowing where to apply the ACLs and inspection rules, and above all on making sure that everything works before CBAC is applied.