CBAC Context-Based Access Control


 CBAC is a Cisco Router security tool used to provide more sophisticated way of perimeter security than simple access control lists to mitigate threats from unprotected networks; it provides dynamic inspection of a specific traffic as it traverse the IOS FW.

This lab provides basic configuration guideline and general recommendations for CBAC deployment and shows how it can prevent some attacks like SYN flood.

 

Figure1 : CBAC Lab topology

I) CBAC Configuration guideline:

  1. Select interfaces controlled by CBAC:

CBAC router:

Remember that the inspection rule is applied to a particular interface in a particular direction, therefore CBAC will control, by either dynamical allowing or denying, the traffic entering interfaces in the direction opposed to the inspection rule.

Fa0/0: Internal interface– from where any sessions can be originated to any destination, CBAC will decide whether to allow traffic entering Fa1/0 and Fa2/0 (that would normally be blocked) if it the returning traffic of the one originated from Fa0/0 (That would normally be allowed by ACL).

Fa1/0: DMZ interface – traffic generated from other areas toward DMZ servers should be inspected from one point Fa1/0. Only servers are supposed to reside in the DMZ not hosts.

CBAC will decide whether to allow traffic back from DMZ (that would normally be blocked).

 

  1. Configure Access Control Lists:
  • Identify the applications that need to be inspected and make sure that the outgoing traffic, from the protected zone, is not blocked by any ACL.
  • Set ACLs to block traffic from unprotected interfaces, CBAC will take care of dynamically allowing holes in the ACL to permit legitimate returning traffic.
  • Packets entering the IOS FW are inspected by CBAC only if they first pass the inbound ACL at the interface.
  • One Blocking ACL should be bound to the outside interface Fa2/0 inbound and another to the DMZ interface, also inbound, therefore blocking illegitimate traffic before entering the IOS FW.
  • In production environment you have to take into account address space filtering according to RFC2827, in other words blocking private addresses from outside, broadcast, bogons and ip spoofing addresses etc.
  • Don’t forget the implicit “deny ip any any” in ACLs.

 

Table1 : Access control lists

ACL name 

Permit/

deny 

Protocol 

Source 

Src port 

Destination 

Dst

port

Ip 

Mask 

Ip 

mask 

FROM_DMZ 

deny 

Ip 

Any 

 

 

Any 

 

 

FROM_INSIDE 

permit 

Ip 

192.168.11.0 

24 

 

Any 

 

 

FROM_OUTSIDE 

Permit 

tcp 

any 

 

 

10.10.10.1 

32 

www

permit 

tcp 

any 

 

 

10.10.10.1 

32 

telnet

permit 

tcp 

any 

 

 

10.10.10.1 

32 

ssh

permit

tcp

any

10.10.10.1

32

smtp

permit 

tcp 

any 

 

 

10.10.10.1 

32 

ftp 

permit 

icmp 

any 

 

 

10.10.10.1 

32 

echo* 

permit 

icmp 

any 

 

 

192.168.11.0 

24 

echo* 

permit 

icmp 

any 

 

192.168.11.0 

24 

time-exceeded* 

permit 

icmp 

any 

 

 

192.168.11.0 

24 

unreachable* 

deny 

Ip 

any 

 

 

any 

 

 

*For ICMP traffic the ICMP type is filled in the column “dst port”

ip access-list extended FROM_DMZ
deny ip any any
ip access-list extended FROM_INSIDE
permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended FROM_OUTSIDE

permit tcp any host 10.10.10.1 eq www

permit tcp any host 10.10.10.1 eq 22

permit tcp any host 10.10.10.1 eq telnet

permit tcp any host 10.10.10.1 eq smtp

deny ip any any

 

  1. Set global timeouts and thresholds:

Table3 : Generic protocol timeouts and thresholds (default values)

protocol  Timeout and thresholds  value 
TCP  One-minute  Low 

400 ½ opened sessions 

  High 

500 ½ opened sessions 

Max-incomplete  Low 

400 ½ opened sessions

High 

500 ½ opened sessions 

Per host  ½ opened sessions 

50 

Block-time 

0 min 

Synwait-time   

30 s 

Finwait-time   

5 s 

Idle-time   

3600 s 

UDP  Idle-time   

30 s 

 

  1. Define the inspection rule:

For the purpose of this lab a standard inspection rule is defined for general TCP and UDP application.

Each protected Zone will have its own Inspection rule.

ip inspect name MyGENERIC_inside tcp
ip inspect name MyGENERIC_inside udp
ip inspect name MyGENERIC_inside http
ip inspect name MyGENERIC_inside icmp
ip inspect name MyGENERIC_inside ftp

ip inspect name MyGENERIC_dmz tcp

ip inspect name MyGENERIC_dmz udp

 

  1. Apply inspection rules to interfaces:

Inspection rule is applied to interfaces where the traffic should be inspected.

GENERIC applied to fa 0/0 inbound
GENERIC applied to fa 1/0 outbound
 interface FastEthernet0/0
ip access-group FROM_INSIDE in

ip inspect MyGENERIC_inside in

 

interface FastEthernet1/0

ip access-group FROM_DMZ in

ip inspect MyGENERIC_dmz out

 

interface FastEthernet2/0

ip access-group FROM_OUTSIDE in

 

Connectivity check:

To lessen the clutter of troubleshooting CBAC it is highly recommended to check the connectivity between all devices before beginning to apply the inspections rules and access.

From DMZ, after applying CBAC & associated ACL:

DMZ hosts cannot initiate any connection to neither outside nor inside.

DMZ#192.168.40.105
Trying 192.168.40.105 …

% Destination unreachable; gateway or host down

DMZ#192.168.11.105

Trying 192.168.11.105 …

% Destination unreachable; gateway or host down

DMZ#

 

From outside, after applying CBAC and associated ACL:

OUTSIDE can initiate connections only to predefined DMZ services in the inspection rules and allowed by an ACL, not to inside hosts.

outside#192.168.11.105
Trying 192.168.11.105 …

% Destination unreachable; gateway or host down

outside#10.10.10.1

Trying 10.10.10.1 … Open

User Access Verification

Username:

Password:

 

DMZ#

 

Monitoring from CBAC router:

  • The following is a summary of CBAC configuration from the output of “show ip inspect all”:
CBAC(config-if)#do sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]

max-incomplete tcp connections per host is 50. Block-time 0 minute.

tcp synwait-time is 30 sec — tcp finwait-time is 5 sec

tcp idle-time is 3600 sec — udp idle-time is 30 sec

dns-timeout is 5 sec

Inspection Rule Configuration

Inspection name MyGENERIC_inside

tcp alert is on audit-trail is off timeout 3600

udp alert is on audit-trail is off timeout 30

http alert is on audit-trail is off timeout 3600

icmp alert is on audit-trail is off timeout 10

ftp alert is on audit-trail is off timeout 3600

Inspection name MyGENERIC_dmz

tcp alert is on audit-trail is off timeout 3600

udp alert is on audit-trail is off timeout 30

 

Interface Configuration


Interface FastEthernet0/0


Inbound inspection rule is MyGENERIC_inside

tcp alert is on audit-trail is off timeout 3600

udp alert is on audit-trail is off timeout 30

http alert is on audit-trail is off timeout 3600

icmp alert is on audit-trail is off timeout 10

ftp alert is on audit-trail is off timeout 3600

Outgoing inspection rule is not set


Inbound access list is FROM_INSIDE

Outgoing access list is not set


Interface FastEthernet1/0

Inbound inspection rule is not set

Outgoing inspection rule is MyGENERIC_dmz

tcp alert is on audit-trail is off timeout 3600

udp alert is on audit-trail is off timeout 30


Inbound access list is FROM_DMZ

Outgoing access list is not set

 

Established Sessions

Session 6509A4A8 (192.168.10.2:63377)=>(10.10.10.1:23) tcp SIS_OPEN

Session 6509A230 (192.168.40.105:4916)=>(10.10.10.1:23) tcp SIS_OPEN

CBAC(config-if)#

 

CBAC#sh ip inspect statistics
Packet inspection statistics [process switch:fast switch]
tcp packets: [3:181]
Interfaces configured for inspection 2
Session creations since subsystem startup or last reset 3

Current session counts (estab/half-open/terminating) [2:0:0]

Maxever session counts (estab/half-open/terminating) [2:1:1]

Last session created 00:01:31

Last statistic reset never

Last session creation rate 0

Last half-open session total 0

 

CBAC#

 

  • telnet connections from inside to DMZ zone
CBAC#debug ip inspect detailed
INSPECT Detailed Debug debugging is on
CBAC#

*Mar 1 02:18:23.023: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.10.2, src_port:24819, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23

CBAC#

CBAC#

  • telnet from inside to outside

inside#192.168.40.105

Trying 192.168.40.105 … Open

Welcome to Microsoft Telnet Service

 

login: <adminlogin>

password:

 

*===============================================================

Welcome to Microsoft Telnet Server.

*===============================================================

C:\Documents and Settings\<adminlogin>.MNGMNT.001>

 

CBAC#

*Mar 1 02:22:52.315: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.10.2, src_port:29067, dst_tableid:0, dst_addr:192.168.40.105, dst_port:23

CBAC#

 

  • the IOS FW router can detect and refuse replayed packets according to its records in its inspection table
CBAC#
*Mar 1 02:35:03.503: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.40.105, src_port:4946, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23
*Mar 1 02:35:13.547: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.40.105, src_port:4946, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23
*Mar 1 02:35:23.567: CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.40.105, src_port:4946, dst_tableid:0, dst_addr:10.10.10.1, dst_port:23

 

CBAC#sh ip inspect sessions
Established Sessions
Session 65099FB8 (192.168.10.2:29067)=>(192.168.40.105:23) tcp SIS_OPEN
Session 6509A4A8 (192.168.10.2:63377)=>(10.10.10.1:23) tcp SIS_OPEN
CBAC#clear

 

  • The IOS router react as expected to SYN flood attack (100 packet every 10ms) by blocking ½ half opened sessions that exceed the configured value.
CBAC#
*Mar 1 04:11:43.562: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 10.10.10.1.
CBAC#
CBAC#sh ip inspect stat
Packet inspection statistics [process switch:fast switch]

tcp packets: [2884:12563]

Interfaces configured for inspection 2

Session creations since subsystem startup or last reset 409

Current session counts (estab/half-open/terminating) [0:0:0]

Maxever session counts (estab/half-open/terminating) [3:51:1]

Last session created 00:00:50

Last statistic reset never

Last session creation rate 76

Last half-open session total 0

CBAC#

 

  • With an aggressive attack (more than 500 ½ sessions per minute) the IOS FW react by dropping sessions.
*Mar 1 04:14:44.530: %FW-4-ALERT_ON: getting aggressive, count (51/500) current 1-min rate: 501
CBAC#

 

  • As soon as the number of ½ opened sessions drop below the low threshold of 400 sessions per minutes, the IOS stop dropping sessions
CBAC#
*Mar 1 04:16:38.294: %FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
CBAC#

 

  • This can cause Denial Of Service of the router if no protections against such type of attacks in a production environment.
CBAC#sh proc cpu
CPU utilization for five seconds: 3%/0%; one minute: 3%; five minutes: 8%

CBAC#sh proc cpu
CPU utilization for five seconds: 41%/56%; one minute: 6%; five minutes: 8%


CBAC#sh proc cpu

CPU utilization for five seconds: 18%/100%; one minute: 9%; five minutes: 9%


CBAC#sh proc cpu

CPU utilization for five seconds: 17%/100%; one minute: 15%; five minutes: 11%

II) Conclusion:

A successful deployment of CBAC rely on the understanding of application traffic that traverses the IOS Firewall as well as where to apply ACL and inspection rules and over all make sure that everything works fine before applying CBAC.

 

 

Advertisements
%d bloggers like this: