• CBAC adds true stateful inspection to IOS
• Performs protocol-specific inspection
– Protocols are matched based on port number
– Non-standard ports are mapped to an inspector via the port-map table (ip port-map)
• An inspection rule defines which protocols to inspect
– ip inspect name <NAME> <protocol>
– Applied to an interface inbound or outbound
– Opens temporary holes for the return traffic of inspected sessions in the (extended) ACL applied in the opposite direction.
Context Based Access Control
CBAC TCP Intercept
• TCP Intercept is always on with CBAC inspection
– Only Watch Mode is supported: half-open (embryonic) TCP sessions are counted and aged out, not proxied
• Configurable options:
– ip inspect max-incomplete {high|low} (total half-open sessions; above high, CBAC deletes half-open sessions until low is reached)
– ip inspect one-minute {high|low} (rate of new half-open sessions per minute)
– ip inspect tcp max-incomplete host <number> block-time <minutes> (per-host limit)
– ip inspect tcp synwait-time <seconds> (watch timeout for a half-open session).
CBAC Scenarios.
• User protection
– CBAC inspects the users’ outbound traffic
– Only specific protocols are inspected, e.g. HTTP/DNS
– All incoming traffic is blocked by the ACL; returning sessions are allowed through CBAC’s dynamic entries
• Server protection
– CBAC inspects inbound traffic to the server
– Only selected traffic is allowed out from the server.
– TCP Intercept (half-open thresholds) + protocol enforcement.
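The two scenarios above as a worked IOS configuration. This is an added example, not taken from the original slides: the interface names, the inspection-rule and ACL names, the addresses (from the documentation range 192.0.2.0/24) and the threshold values are all assumptions chosen for illustration.

```cisco
! ---- Inspection rules: which protocols CBAC tracks (names are assumptions) ----
! User protection: inspect what users send out; generic tcp/udp catch the rest
ip inspect name USERS-OUT http
ip inspect name USERS-OUT dns
ip inspect name USERS-OUT tcp
ip inspect name USERS-OUT udp
! Server protection: only the service exposed on the server is inspected
ip inspect name SERVER-IN http
! A web service on a non-standard port is matched by port, so map it to the
! HTTP inspector (port-map table) or it would only get generic TCP inspection
ip port-map http port 8080
!
! ---- Half-open session thresholds (TCP Intercept, watch mode only) ----
! Above 'high', CBAC deletes half-open sessions until 'low' is reached
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-host limit; block-time 0 drops the oldest half-open session to that
! host for each new request instead of blocking the host for N minutes
ip inspect tcp max-incomplete host 50 block-time 0
! Half-open session is dropped if the handshake does not finish in 20 s
ip inspect tcp synwait-time 20
!
! ---- Extended ACLs: CBAC can only punch holes in extended ACLs ----
! Outside -> inside: only the server's web ports are reachable; everything
! else (including user return traffic) relies on CBAC's dynamic entries
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 8080
 deny   ip any any log
!
! Inside -> outside from the server subnet: the server may only initiate
! DNS; its replies to inspected HTTP sessions are admitted by CBAC
ip access-list extended SERVER-OUT
 permit udp host 192.0.2.10 any eq 53
 deny   ip host 192.0.2.10 any log
 permit ip any any
!
! ---- Interfaces ----
interface GigabitEthernet0/0
 description outside
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ! inspect user sessions leaving; holes open in OUTSIDE-IN (opposite direction)
 ip inspect USERS-OUT out
 ! inspect sessions arriving for the server; holes open for its replies
 ip inspect SERVER-IN in
!
interface GigabitEthernet0/1
 description inside (users and server)
 ip address 192.0.2.1 255.255.255.0
 ip access-group SERVER-OUT in
```

Check the result with `show ip inspect sessions` (one entry per tracked session, including the dynamically opened return path) and `show ip inspect config` (rules, port map and the half-open thresholds). Note that `deny ip any any` in OUTSIDE-IN does not break user browsing: returning packets of an inspected session match CBAC's dynamic entry before the static deny, while unsolicited inbound traffic still hits the deny.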