Chapter 12 Configuring Security Features

Configuring a CBAC Firewall

Access Groups

A sequence of access list definitions bound together with a common name or number is called an access group. An access group is enabled for an interface during interface configuration with the following command:

ip access-group number name [in out]

where in out refers to the direction of travel of the packets being filtered.

Guidelines for Creating Access Groups

Use the following guidelines when creating access groups.

The order of access list definitions is significant. A packet is compared against the first access list in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is compared with the next access list, and so on.

All parameters must match the access list before the packet is permitted or denied.

There is an implicit “deny all” at the end of all sequences.

For more complete information on creating access lists, see the “Access Control Lists: Overview and Guidelines” section of the Cisco IOS Release 12.3 Security Configuration Guide.

Configuring a CBAC Firewall

Context-Based Access Control (CBAC) lets you configure a stateful firewall where packets are inspected internally and the state of network connections is monitored. This is superior to static access lists, because access lists can only permit or deny traffic based on individual packets, not streams of packets. Also, because CBAC inspects the packets, decisions to permit or deny traffic can be made by examining application layer data, something static access lists cannot do.

To configure a CBAC firewall, specify which protocols to examine by using the following command in interface configuration mode:

ip inspect name inspection-name protocol timeout seconds

When inspection detects that the specified protocol is passing through the firewall, a dynamic access list is created to allow the passage of return traffic. The timeout parameter specifies the length of time the dynamic access list remains active without return traffic passing through the router. When the timeout value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are not permitted.

Use the same inspection name in multiple statements to group them into one set of rules. This set of rules can be activated elsewhere in the configuration by using the ip inspect inspection-namein out command when you configure an interface at the firewall.

See Chapter 8, “Configuring a Simple Firewall,” for a sample configuration. For additional information about configuring a CBAC firewall, see the “Configuring Context-Based Access Control” section of the Cisco IOS Release 12.3 Security Configuration Guide.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

 

OL-6426-02

12-3

 

 

 

Page 123
Image 123
Cisco Systems OL-6426-02 manual Configuring a Cbac Firewall, Guidelines for Creating Access Groups, 12-3