Overview of IOS Firewall (CBAC)

Because you can filter traffic using an access control list (ACL) on the router, you may wonder why CBAC is necessary. What shortcoming is CBAC addressing for the traditional ACL? That deserves an answer before we proceed any further with the CBAC discussion.

An ACL has many limitations that keep it from being an effective firewall mechanism. The most important limitation is that an ACL is a packet filtering mechanism based only on Open Systems Interconnection (OSI) network and transport layer information. CBAC, on the other hand, is a stateful firewall, just like the Private Internet Exchange (PIX), which filters traffic based on connection state information rather than on network or transport layer information alone.

For example, assume there is an inside and outside network with a dotted line as the perimeter, and there is a firewall router with an Ethernet 0 interface going to the protected network (inside) and an interface Serial 0 going to the unprotected network (Internet) as shown in Figure 5-1.

Figure 5-1. Limitation of Static ACL


For the router to protect the inside network, two conditions must be met:

  • Allow connections to initiate from the protected (inside) network.

  • Deny connections initiated from the Internet (unsafe) network from entering the inside network.

To fulfill the second requirement, configure ACL 101 on the Serial 0 interface to deny all traffic from the outside. This effectively sets up a wall that blocks outside traffic. Now consider the first requirement: allowing traffic from the protected network to the Internet. As shown in Figure 5-2, when Telnet is initiated from the inside to the outside, the Transmission Control Protocol (TCP) synchronize (SYN) packet from the inside makes it to the outside, because in this example no access list is applied on the inside interface in the direction of the initial packet. (It is good security practice, however, to configure an ACL on the inside interface, facing the protected network, for anti-spoofing.) Watch carefully what happens next: the reply SYN-ACK packet from the outside is blocked by the ACL you applied on the Serial 0 interface, and the connection fails to set up. The result is the same for a User Datagram Protocol (UDP) reply packet.

So, with a static ACL, if this connection needs to succeed, you must add an Access Control Entry (ACE) to ACL 101, the list already applied on the Serial 0 interface, permitting source port 23 and destination ports greater than 1023. Doing so opens several holes in your network, because anyone on the outside can also initiate connections using those ports. This is where CBAC plays an important role.
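The hole described above, as an added example (not code from the book) written in Python rather than IOS configuration: a static ACE that permits source port 23 to destination ports above 1023 is compared with a stateful inspector that admits only replies to sessions the inside network opened. Addresses and ports are constructed sample values.

```python
# Added example: static "source port 23, destination port > 1023" ACE versus
# a CBAC-style stateful check. All addresses and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # SYN flag set
    ack: bool = False  # ACK flag set


def static_acl_permits(pkt: Packet) -> bool:
    """ACL 101 on Serial 0 inbound: deny all, except the ACE added so that
    Telnet replies can come back (source port 23, destination port > 1023)."""
    return pkt.sport == 23 and pkt.dport > 1023


class StatefulInspector:
    """Remember sessions opened from the inside; admit only matching replies."""

    def __init__(self) -> None:
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> None:
        # An inside host sends the initial SYN: record the session.
        if pkt.syn and not pkt.ack:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_permits(self, pkt: Packet) -> bool:
        # Only a packet whose 4-tuple mirrors a recorded outbound session passes.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def demo() -> dict:
    inspector = StatefulInspector()
    # Inside host 10.1.1.10 opens Telnet to 192.0.2.5 (constructed addresses).
    inspector.outbound(Packet("10.1.1.10", 40000, "192.0.2.5", 23, syn=True))
    reply = Packet("192.0.2.5", 23, "10.1.1.10", 40000, syn=True, ack=True)
    # An outside host using the same port shape, with no inside session behind it.
    probe = Packet("198.51.100.7", 23, "10.1.1.20", 50000, syn=True)
    return {
        "static_reply": static_acl_permits(reply),          # True
        "static_probe": static_acl_permits(probe),          # True: the hole
        "stateful_reply": inspector.inbound_permits(reply),  # True
        "stateful_probe": inspector.inbound_permits(probe),  # False
    }
```

The static ACE lets both the legitimate SYN-ACK and the unsolicited outside packet through, while the stateful check admits only the reply that matches a session the inside host created.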