
Cisco CBAC: The Poor Man's Firewall

By Nicholas Evra

CBAC Overview

The Cisco IOS Firewall Feature Set is a software module that can be added to the existing IOS image to provide firewall functionality without the need for hardware upgrades. It has two components: Intrusion Detection (an optional bolt-on) and Context-Based Access Control (CBAC). CBAC maintains a state table for all outbound connections on a Cisco router by inspecting TCP and UDP connections up to layer seven of the OSI model and populating the table accordingly. When return traffic is received on the external interface it is compared against the state table to see whether the connection was originally established from within the internal network, and is then either permitted or denied. Although basic, this is a very effective mechanism for preventing unauthorized access to the internal network from external sources such as the Internet.

CBAC Application-specific support

Cisco has also built additional application-specific inspection into CBAC, enabling the router to recognize and identify application-specific data flows such as HTTP, SMTP, TFTP and FTP. Understanding these applications and their data flows allows the router to identify malformed packets or suspect application data flows and permit or deny them accordingly. CBAC also provides the flexibility of allowing Java applets to be downloaded from trusted sites while denying them from untrusted sites.

CBAC and Denial of Service (DOS) Attacks

Denial-of-Service (DoS) attack protection is also built in, with real-time logging of alerts as well as proactive responses to mitigate the threat. To do this, CBAC can be configured to manage half-open TCP connections, which are used in TCP SYN flood attacks to exhaust a target's resources and deny service to legitimate users. CBAC uses configurable timeouts and thresholds to determine how long state information for each session should be kept and when to drop it. Note that UDP and ICMP have no connection teardown, so an idle timer is used to determine when a session should be terminated. A very useful command for identifying a DoS attack is 'ip inspect audit-trail', which logs all inspected sessions including source and destination IP addresses and TCP or UDP ports, allowing you to pinpoint the exact source and destination of the attack.

Configuring CBAC

There are five steps to configuring CBAC on a Cisco router in order for it to function correctly. These are as follows:

1. Choose an interface to which inspection will be applied. This can be an internal or external interface, as CBAC is only concerned with the direction of the first packet initiating the connection, which is specified when applying CBAC to the interface.

2. Configure an IP access list in the correct direction on the selected interface to allow traffic through for CBAC to inspect.

3. Configure global timeouts and thresholds for established connections or sessions.

4. Define an inspection rule specifying exactly which protocols will be inspected by CBAC.

5. Apply the inspection rule to the interface in the correct direction.
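The five steps above, together with the DoS timeouts and thresholds from the earlier section, as one complete IOS configuration. This is an added example and not the author's own configuration; the interface names, addresses (RFC 5737/1918 documentation and private ranges), ACL names/numbers and the rule name OUTBOUND are constructed assumptions.

```cisco
! Constructed example: FastEthernet0/1 (198.51.100.2) faces the Internet and
! the inside LAN 192.168.1.0/24 sits behind FastEthernet0/0. Interface names,
! addresses and the rule name OUTBOUND are assumptions for illustration.
!
! Step 1: inspection is applied to the OUTSIDE interface; the first packet of
! every session leaves the router outbound through it.
!
! Step 2: inbound ACL on the outside interface. It drops all unsolicited
! traffic; CBAC opens temporary holes in it for return traffic of inspected
! sessions. A few ICMP error types are allowed so path MTU discovery and
! traceroute keep working.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 deny   ip any any log
!
! Step 3: global timeouts and thresholds (the DoS controls described above).
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 1
ip inspect audit-trail
!
! Step 4: inspection rule. Application-specific entries (ftp, smtp, http)
! enable the layer-7 checks; generic tcp/udp catch everything else.
! Standard ACL 51 lists the only sites whose Java applets may be downloaded.
access-list 51 permit 192.0.2.0 0.0.0.255
access-list 51 deny any
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND http java-list 51
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Step 5: apply the rule outbound and the ACL inbound on the same interface.
interface FastEthernet0/1
 description Outside
 ip address 198.51.100.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
```

After applying it, 'show ip inspect sessions' displays the state table and 'show ip inspect config' lists the active timers, thresholds and inspection rule.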

About the Author

Nicholas Evra is a Senior IT Consultant for a Professional Services IT Organisation based in London, UK. As well as designing and developing network and security solutions for clients, Nicholas also regularly contributes technical tips and articles to Networkblue.net. Networkblue.net is a technical resource for novices and experts alike, providing free articles and tips on numerous Cisco topics such as CBAC and other network security subjects.

Article Source: http://www.articlesphere.com/Article/Cisco-CBAC----The-Poor-Mans-Firewall/148924

Article Submitted: 2008-06-21
