
Notes on Context-Based Access Control (CBAC)

CBAC inspects sessions (according to the protocol being inspected) and dynamically opens the inbound ACL for the return traffic of sessions initiated from the inside. This makes it much easier to keep restrictive ACLs in both directions: the inbound ACL on the outside interface can deny everything, and only the replies to inspected sessions get through.

Syntax:

ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

interface interface-id
ip inspect inspection-name {in | out}

Notes:
ICMP traffic is not inspected by CBAC, so the ICMP replies and error messages that ping and traceroute depend on have to be permitted explicitly in the inbound ACL applied on the OUTSIDE interface; otherwise ping/traceroute through the router is filtered. In the example that follows, even with icmp added to the inspection rule, the port-unreachable messages returned to the UDP probes of an IOS traceroute still had to be permitted statically.
CBAC provides protection against DoS attacks (SYN floods, for instance): it counts half-open sessions per host and per one-minute sampling period and, once the configured thresholds are exceeded, starts dropping half-open sessions or blocks new connections from that host for the configured block-time (the thresholds in effect are listed by show ip inspect all).
If the application protocol is not one CBAC knows, inspection can still be done with the generic tcp and udp keywords. In that case every TCP or UDP session is tracked, by addresses and ports only, without application-layer awareness.

ICMP messages to permit:
echo-reply – Outgoing ping commands require echo-reply messages to come back.
time-exceeded – Outgoing traceroute commands require time-exceeded messages to come back (from the intermediate hops).
traceroute – Allow an incoming traceroute.
unreachable – Permit all "unreachable" messages to come back. If a router cannot forward or deliver a datagram, it sends an ICMP unreachable message back to the source and drops the datagram; the port-unreachable from the final destination is what terminates a UDP traceroute.
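To make the interaction between the static inbound ACL and the dynamic openings concrete, here is a small Python model of the behaviour described above. It is an added example, not Cisco IOS code: it models one OUTSIDE interface with a deny-all inbound ACL and outbound inspection, the way Serial2/0 on R2 is configured in the example that follows, and replays that example's ping and traceroute. The assumptions are that an inside-initiated TCP/UDP/ICMP-echo session creates an opening for its return flow only, that ICMP error messages are never tied to the session that triggered them (so they fall through to the static ACL, which is what the traceroute test on this page shows), and that IOS traceroute sends UDP probes. The addresses are the ones from the example; the port numbers are made up.

```python
"""Toy model of CBAC's stateful handling of return traffic (added example, not IOS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # unused for icmp
    dport: int = 0        # unused for icmp
    icmp_type: str = ""   # e.g. "echo", "echo-reply", "port-unreachable"


@dataclass(frozen=True)
class AclRule:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "icmp", "tcp" or "udp"
    icmp_type: str = ""   # optional ICMP message keyword, as in IOS extended ACLs


class Cbac:
    def __init__(self, inbound_acl, inspected):
        self.acl = list(inbound_acl)      # static ACL applied "in" on OUTSIDE
        self.inspected = set(inspected)   # protocols named in "ip inspect name ..."
        self.sessions = set()             # dynamic openings for expected return traffic

    @staticmethod
    def _flow(pkt):
        """Key under which an arriving packet is looked up in the session table."""
        if pkt.proto == "icmp":
            return ("icmp", pkt.src, pkt.dst, pkt.icmp_type)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _return_flow(pkt):
        """Key of the return traffic an outbound packet is expected to produce."""
        if pkt.proto == "icmp":
            # only an echo has a well-defined reply; ICMP errors never open a session
            return ("icmp", pkt.dst, pkt.src, "echo-reply") if pkt.icmp_type == "echo" else None
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def outbound(self, pkt):
        """Packet leaving through OUTSIDE: "ip inspect CBAC out" records the session."""
        key = self._return_flow(pkt) if pkt.proto in self.inspected else None
        if key:
            self.sessions.add(key)

    def inbound(self, pkt):
        """Packet arriving on OUTSIDE: dynamic opening first, then the static ACL."""
        if self._flow(pkt) in self.sessions:
            return True
        for rule in self.acl:
            if rule.proto in ("ip", pkt.proto) and rule.icmp_type in ("", pkt.icmp_type):
                return rule.action == "permit"
        return False   # implicit deny at the end of every IOS ACL


R3, R1 = "192.168.20.1", "192.168.10.1"   # INSIDE host and OUTSIDE destination from the notes


def run_tests(inbound_acl):
    """Replay the page's checks; returns (ping_ok, traceroute_ok, unsolicited_blocked)."""
    # the page inspects icmp and telnet (tcp/23); adding "udp" would change nothing
    # here, because the ICMP error is never matched against the UDP flow
    fw = Cbac(inbound_acl, inspected={"icmp", "tcp"})
    # ping R1 from R3: the echo opens a session, the echo-reply matches it
    fw.outbound(Packet("icmp", R3, R1, icmp_type="echo"))
    ping_ok = fw.inbound(Packet("icmp", R1, R3, icmp_type="echo-reply"))
    # traceroute from R3: IOS sends UDP probes (made-up ports); the destination
    # answers with ICMP port-unreachable, which is not part of the UDP flow
    fw.outbound(Packet("udp", R3, R1, sport=39012, dport=33434))
    traceroute_ok = fw.inbound(Packet("icmp", R1, R3, icmp_type="port-unreachable"))
    # a session initiated from OUTSIDE (telnet towards R3) must never get through
    unsolicited_blocked = not fw.inbound(Packet("tcp", R1, R3, sport=51000, dport=23))
    return ping_ok, traceroute_ok, unsolicited_blocked


BLOCK_CBAC = [AclRule("deny", "ip")]                       # the initial ACL on the page
BLOCK_CBAC_FIXED = [AclRule("permit", "icmp", "host-unreachable"),
                    AclRule("permit", "icmp", "port-unreachable"),
                    AclRule("deny", "ip")]                 # after the two permits are added

if __name__ == "__main__":
    print("deny-all only:     ", run_tests(BLOCK_CBAC))        # (True, False, True)
    print("with unreachables: ", run_tests(BLOCK_CBAC_FIXED))  # (True, True, True)
```

The fixed ACL still drops time-exceeded messages, which is fine for the two-hop example but would break a traceroute to a more distant destination; that is why the list above includes time-exceeded.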

Example:

Connections:

R1 --- s2/0 R2 f0/1 --- f0/0 R3

R2's Serial2/0 (192.168.2.2) faces R1 (192.168.2.1) and is the OUTSIDE interface where the ACL and inspection are applied; 192.168.10.1 is an address on R1. R2's f0/1 (192.168.20.2) faces R3's f0/0 (192.168.20.1), the INSIDE host used for the tests.

R2(config)#

! Inbound ACL for the OUTSIDE interface: block everything; the openings for
! return traffic are created dynamically by inspection
ip access-list extended BLOCK_CBAC
deny   ip any any

interface Serial2/0
ip address 192.168.2.2 255.255.255.0
ip access-group BLOCK_CBAC in
ip inspect CBAC out

! Audit trail: log the start and end of each inspected session
ip inspect name CBAC icmp audit-trail on
ip inspect name CBAC telnet audit-trail on

! Also inspect ICMP traffic originated by the router itself
ip inspect name CBAC icmp router-traffic

R3(config-if)#do tracer 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.10.1

  1 192.168.20.2 40 msec 40 msec 28 msec
  2  *

R2(config)#
! Permit the ICMP error messages the traceroute relies on; sequence numbers 1 and 2
! place them ahead of the existing deny entry (which IOS numbered 10)
ip access-list extended BLOCK_CBAC
1 permit icmp any any host-unreachable
2 permit icmp any any port-unreachable

Only two hops are involved here, so the port-unreachable sent by the destination is all that is needed; for a destination further away, the time-exceeded messages from the intermediate hops would have to be permitted as well.

R3(config-if)#do tracer 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.10.1

  1 192.168.20.2 36 msec 32 msec 32 msec
  2 192.168.2.1 64 msec 64 msec 56 msec

R2(config)#do sh ip inspe all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    icmp alert is on audit-trail is on timeout 10
    telnet alert is on audit-trail is on timeout 3600

Interface Configuration
Interface Serial2/0
Inbound inspection rule is not set
Outgoing inspection rule is CBAC
icmp alert is on audit-trail is on timeout 10
telnet alert is on audit-trail is on timeout 3600
  Inbound access list is BLOCK_CBAC
Outgoing access list is not set

Established Sessions
 Session 670378D8 (192.168.20.1:8)=>(192.168.10.1:0) icmp SIS_OPEN
 Session 670378D8 (192.168.20.1:43496)=>(192.168.10.1:23) telnet SIS_OPEN

R2#
*Mar  1 14:07:06.260: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.20.1:38877) sent 42 bytes -- responder (192.168.10.1:23) sent 162 bytes
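The audit-trail messages above are the natural feed for monitoring what actually crosses the firewall. The Python below, an added example and not Cisco code, parses them into records, counts sessions per destination service and flags any session whose initiator is not on the INSIDE network, something a deny-all inbound ACL with outbound-only inspection should never produce. The Stop message format is the one shown on this page; the Start message (%FW-6-SESS_AUDIT_TRAIL_START) is assumed to follow the same layout without byte counts. SAMPLE_LOG is constructed for this example: its first line is the page's own log line, the others are made up, including one OUTSIDE-initiated session to exercise the check.

```python
"""Parse CBAC audit-trail syslog messages into records (added example, not Cisco code)."""
import ipaddress
import re
from collections import Counter

# Constructed sample: line 1 is from the page, lines 2-4 are made up for this example
SAMPLE_LOG = """\
*Mar  1 14:07:06.260: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.20.1:38877) sent 42 bytes -- responder (192.168.10.1:23) sent 162 bytes
*Mar  1 14:09:11.004: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.20.1:43496) -- responder (192.168.10.1:23)
*Mar  1 14:09:40.120: %FW-6-SESS_AUDIT_TRAIL: Stop icmp session: initiator (192.168.20.1:8) sent 500 bytes -- responder (192.168.10.1:0) sent 500 bytes
*Mar  1 14:12:02.511: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (192.168.2.1:51000) sent 10 bytes -- responder (192.168.20.1:22) sent 0 bytes
"""

# Optional IOS timestamp prefix, then the message. The "--" separator is also
# accepted as an em dash (\u2014) because copy/paste often mangles it that way.
_TS = r"(?:\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): )?"
_INIT = r"initiator \((?P<isrc>[\d.]+):(?P<isport>\d+)\)"
_RESP = r"responder \((?P<rdst>[\d.]+):(?P<rdport>\d+)\)"
STOP_RE = re.compile(
    _TS + r"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\S+) session: " + _INIT
    + r" sent (?P<ibytes>\d+) bytes (?:--|\u2014) " + _RESP + r" sent (?P<rbytes>\d+) bytes"
)
START_RE = re.compile(   # assumed layout of the Start message
    _TS + r"%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\S+) session: " + _INIT
    + r" (?:--|\u2014) " + _RESP
)


def parse_audit_trail(text):
    """Return one dict per audit-trail line; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = STOP_RE.match(line)
        if m:
            records.append({
                "ts": m["ts"], "event": "stop", "proto": m["proto"],
                "initiator": (m["isrc"], int(m["isport"])),
                "responder": (m["rdst"], int(m["rdport"])),
                "initiator_bytes": int(m["ibytes"]),
                "responder_bytes": int(m["rbytes"]),
            })
            continue
        m = START_RE.match(line)
        if m:
            records.append({
                "ts": m["ts"], "event": "start", "proto": m["proto"],
                "initiator": (m["isrc"], int(m["isport"])),
                "responder": (m["rdst"], int(m["rdport"])),
                "initiator_bytes": None, "responder_bytes": None,
            })
    return records


def sessions_by_service(records):
    """Count completed (Stop) sessions per protocol and responder socket."""
    return Counter(f'{r["proto"]} {r["responder"][0]}:{r["responder"][1]}'
                   for r in records if r["event"] == "stop")


def outside_initiated(records, inside_net):
    """Sessions whose initiator is not on the INSIDE network.

    With a deny-all ACL inbound on OUTSIDE and inspection only outbound, such
    sessions should not exist; any hit means the inbound ACL has an opening
    that deserves a look.
    """
    net = ipaddress.ip_network(inside_net)
    return [r for r in records if ipaddress.ip_address(r["initiator"][0]) not in net]


if __name__ == "__main__":
    recs = parse_audit_trail(SAMPLE_LOG)
    for service, count in sessions_by_service(recs).items():
        print(f"{count:3d}  {service}")
    for r in outside_initiated(recs, "192.168.20.0/24"):
        print("OUTSIDE-initiated session:", r["ts"], r["proto"], r["initiator"], "->", r["responder"])
```

Note that the global "Session audit trail is disabled" line in show ip inspect all only reflects the global default; the per-protocol audit-trail on in the inspection rule is what produced the message above, so the parser does not depend on the global setting.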