Configuring Context-Based Access Control

20 Mar

Immediate Solutions
Many steps must be followed to configure CBAC to function properly. The first major step is to decide whether to configure CBAC on the inside or outside interface of your firewall router. The inside interface is the interface that originates the sessions and allows traffic back through the firewall. The outside interface refers to the interface where sessions cannot originate. This step is a mental step and requires no configuration command at this point. To configure CBAC, perform the tasks described in the following steps:

Use the following command to define an extended access list and the parameters that CBAC will use to inspect traffic or deny traffic:

access-list <access-list-number> <deny | permit> <protocol> <source source-wildcard> <destination destination-wildcard>

Use the following command to configure CBAC for generic TCP or UDP packet inspection:

ip inspect name <inspection-name> <tcp | udp> <alert on | off> <audit-trail on | off> <timeout seconds>

Use the following command to define an inspection rule on a per-Application-layer-protocol basis:

ip inspect name <inspection-name> <protocol> <alert on | off> <audit-trail on | off> <timeout seconds>

This command can be used for all CBAC inspection protocols except for RPC and Java. Per-protocol inspection takes precedence over generic TCP or UDP inspection.

Use the following command to enable CBAC for RPC inspection:

ip inspect name <inspection-name> rpc program-number <number> <wait-time minutes> <alert on | off> <audit-trail on | off> <timeout seconds>

Use of this command is optional, but it must be used to support blocking of RPC protocols.
Use the following command to enable CBAC for Java applet blocking:

ip inspect name <inspection-name> http java-list <access-list> <alert on | off> <audit-trail on | off> <timeout seconds>

This command specifies the use of the HTTP protocol and a standard numbered access list that determines whether a site's Java applets should be allowed. Use of this command is optional; however, it must be used to support blocking of Java applets.
Use the following command to configure the router for inspection of fragmented packets:

ip inspect name <inspection-name> fragment max <number> timeout <seconds>

Use of this command is optional, but it is always recommended because it specifies the maximum number of unassembled packets (packets that arrive at the router interface before the initial packet for a session) for which state information is allocated.

Use the ip inspect audit-trail command to turn on audit trail logging for CBAC messages. Use of this command is optional.

The next few steps configure the timeouts and thresholds that CBAC uses to determine how long to manage the state information for each session and when to drop a session that does not become established. The timeouts and thresholds apply globally to all sessions; the default timeout and threshold values may be used, or you can change them to the values determined by the enterprise's security policy. To configure specific CBAC timeout and threshold values, use the commands in the following steps:

Use this command to determine the length of time the software waits for a TCP session to reach the established state before dropping the session:

ip inspect tcp synwait-time <seconds>

The session has reached the established state after the session’s first SYN bit is detected.

Use this command to determine the length of time a TCP session will still be managed after the firewall detects a FIN exchange, which indicates that a session is about to close:

ip inspect tcp finwait-time <seconds>

Use the following command to determine the length of time a TCP session will still be managed after no activity:

ip inspect tcp idle-time <seconds>

CBAC will not continue to maintain state information for a session that exceeds the idle time.

Use this command to determine the length of time a UDP session will still be managed after no activity:

ip inspect udp idle-time <seconds>

Because UDP is a connectionless service, there are no actual sessions, so CBAC approximates sessions by examining the information in each packet and determining whether the packet is similar to other UDP packets and whether it was detected soon after another similar UDP packet. CBAC will not continue to maintain state information for a session that exceeds the idle time.

Use this command to determine the length of time a DNS name lookup session will still be managed after no activity:

ip inspect dns-timeout <seconds>

CBAC applies the DNS timeout to all DNS name lookup sessions, and the DNS timeout overrides the timeout value specified by the UDP timeout.
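The timeout steps above are easier to reason about when the rules are written out as a small session-table model. The following is an added example, not code from the book and not Cisco IOS source: it models the behaviour the text describes for tcp synwait-time, tcp finwait-time, tcp idle-time, udp idle-time and dns-timeout (including the DNS timeout overriding the UDP idle time), with constructed timer values and constructed sessions that reuse the Figure 4.2 addressing plus a hypothetical outside host 192.168.20.5.

```python
"""Model of how the CBAC timeouts govern a session table.

Added example (not from the book, not Cisco IOS code). Timer values
and sample sessions are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Session:
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    state: str        # tcp: "synwait", "established", "finwait"; udp: "active"
    last_seen: float  # time (seconds) of the last packet seen for this session


@dataclass
class InspectTimeouts:
    """Global CBAC timeouts in seconds (constructed values, not IOS defaults)."""
    tcp_synwait: int = 30   # ip inspect tcp synwait-time
    tcp_finwait: int = 5    # ip inspect tcp finwait-time
    tcp_idle: int = 3600    # ip inspect tcp idle-time
    udp_idle: int = 30      # ip inspect udp idle-time
    dns: int = 5            # ip inspect dns-timeout

    def limit_for(self, s: Session) -> int:
        """Pick the single timeout that applies to a session."""
        if s.proto == "tcp":
            return {"synwait": self.tcp_synwait,
                    "finwait": self.tcp_finwait,
                    "established": self.tcp_idle}[s.state]
        # UDP has no real sessions; CBAC approximates them and applies the
        # udp idle-time, except that DNS lookups get the dns-timeout instead.
        return self.dns if s.dport == 53 else self.udp_idle


class SessionTable:
    def __init__(self, timeouts: InspectTimeouts):
        self.timeouts = timeouts
        self.sessions: List[Session] = []

    def add(self, s: Session) -> None:
        self.sessions.append(s)

    def touch(self, s: Session, now: float, new_state: Optional[str] = None) -> None:
        """A packet for the session was seen: refresh its timer and, for TCP,
        optionally advance its state (synwait -> established -> finwait)."""
        s.last_seen = now
        if new_state:
            s.state = new_state

    def expire(self, now: float) -> List[Session]:
        """Drop every session whose applicable timeout has elapsed; return the dropped ones."""
        kept, dropped = [], []
        for s in self.sessions:
            (dropped if now - s.last_seen > self.timeouts.limit_for(s) else kept).append(s)
        self.sessions = kept
        return dropped


def demo():
    """Constructed sessions; returns the destination ports dropped at t=10 s,
    the ports dropped at t=40 s, and the ports of sessions still managed."""
    table = SessionTable(InspectTimeouts())
    out = "192.168.20.5"   # hypothetical outside host
    table.add(Session("udp", "192.168.10.20", out, 40000, 53, "active", 0))    # DNS lookup
    table.add(Session("udp", "192.168.10.20", out, 40001, 514, "active", 0))   # other UDP
    table.add(Session("tcp", "192.168.10.20", out, 40002, 80, "synwait", 0))   # SYN never answered
    smtp = Session("tcp", "192.168.10.10", out, 40003, 25, "synwait", 0)
    table.add(smtp)
    table.touch(smtp, 1, "established")                 # handshake completed at t=1
    dropped_10 = [s.dport for s in table.expire(10)]    # only DNS: dns-timeout (5 s) wins over udp idle-time
    dropped_40 = [s.dport for s in table.expire(40)]    # udp idle-time and tcp synwait-time (both 30 s) elapsed
    return dropped_10, dropped_40, [s.dport for s in table.sessions]


if __name__ == "__main__":
    print(demo())
```

Running the model shows the DNS lookup expiring first even though it is UDP, while the established SMTP session survives both sweeps because only the much longer tcp idle-time applies to it.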

Because CBAC measures both the total number of existing half-open sessions and the rate of session establishment attempts for both TCP and UDP, use this command to set the number of existing half-open sessions that will cause the software to start deleting them:

ip inspect max-incomplete high <number>

A high number of half-open sessions could indicate a denial-of-service attack.

If the total max-incomplete high session threshold is reached, CBAC will begin dropping half-open sessions and continue to do so until the total number of half-open sessions falls below the value configured using this command:

ip inspect max-incomplete low <number>

Use this command to set the rate threshold, measured as the number of new session connection attempts detected in the last one-minute sample period:

ip inspect one-minute high <number>

When new connection attempts rise above the configured threshold within the sample period, CBAC will begin to drop new connection requests.

If the total one-minute high session threshold is reached, CBAC will begin dropping half-open sessions and continue to do so until the total number of half-open sessions falls below the value configured using this command:

ip inspect one-minute low <number>

Use the following command to set the number of existing half-open TCP sessions with the same destination host address that will cause the software to start dropping half-open sessions to that destination host address:

ip inspect tcp max-incomplete host <number> block-time <minutes>
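The high/low pairs above behave as a hysteresis, and the per-host limit behaves differently again (it blocks the destination for block-time minutes). The following is an added example, not code from the book and not Cisco IOS source, that models the behaviour the text describes for max-incomplete high/low, one-minute high/low and tcp max-incomplete host/block-time. Once either high threshold is crossed, the model deletes the oldest half-open session for each new request and keeps doing so until both counts have fallen below their low thresholds. Threshold values, host addresses and the event sequence are constructed.

```python
"""Model of the CBAC half-open session thresholds.

Added example (not from the book, not Cisco IOS code). Threshold values
and the event sequences in the demo functions are constructed.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple


class HalfOpenGuard:
    def __init__(self, max_high: int, max_low: int, minute_high: int,
                 minute_low: int, host_max: int, block_minutes: int):
        self.max_high, self.max_low = max_high, max_low              # ip inspect max-incomplete high/low
        self.minute_high, self.minute_low = minute_high, minute_low  # ip inspect one-minute high/low
        self.host_max = host_max                                     # ip inspect tcp max-incomplete host
        self.block_secs = block_minutes * 60                         #   ... block-time <minutes>
        self.half_open: Deque[Tuple[float, str]] = deque()           # (time, dst), oldest first
        self.attempts: Deque[float] = deque()                        # attempt times in the last minute
        self.blocked_until: Dict[str, float] = {}                    # dst -> time its block expires
        self.aggressive = False   # set above a high mark, cleared once below both low marks

    def _rate(self, now: float) -> int:
        """Number of new connection attempts in the trailing one-minute sample period."""
        while self.attempts and now - self.attempts[0] > 60:
            self.attempts.popleft()
        return len(self.attempts)

    def new_attempt(self, now: float, dst: str) -> str:
        """Register a new connection attempt towards dst and return the action taken."""
        if self.blocked_until.get(dst, -1.0) > now:
            return "drop:host-blocked"
        self.attempts.append(now)
        # Per-destination limit: too many half-open sessions to a single host.
        if sum(1 for _, d in self.half_open if d == dst) >= self.host_max:
            self.blocked_until[dst] = now + self.block_secs
            self.half_open = deque(e for e in self.half_open if e[1] != dst)
            return "drop:host-limit"
        self.half_open.append((now, dst))
        total, rate = len(self.half_open), self._rate(now)
        if total > self.max_high or rate > self.minute_high:
            self.aggressive = True
        elif total < self.max_low and rate < self.minute_low:
            self.aggressive = False
        if self.aggressive:
            self.half_open.popleft()      # delete the oldest half-open session
            return "drop:aggressive"
        return "accept"

    def complete(self, dst: str) -> None:
        """A session to dst reached the established state: it is no longer half-open."""
        for i, (_, d) in enumerate(self.half_open):
            if d == dst:
                del self.half_open[i]
                return


def demo_total_threshold() -> List[str]:
    """max-incomplete high=4 / low=2: dropping continues until the count is below low."""
    g = HalfOpenGuard(max_high=4, max_low=2, minute_high=100, minute_low=50,
                      host_max=3, block_minutes=1)
    actions = [g.new_attempt(t, f"192.168.10.{t + 1}") for t in range(6)]  # hosts .1 to .6
    g.complete("192.168.10.3")
    g.complete("192.168.10.4")                        # two sessions finish their handshake
    actions.append(g.new_attempt(6, "192.168.10.7"))  # 3 half-open: not yet below low=2
    g.complete("192.168.10.6")
    g.complete("192.168.10.7")
    actions.append(g.new_attempt(7, "192.168.10.8"))  # now below low: normal operation again
    return actions


def demo_host_limit() -> List[str]:
    """tcp max-incomplete host 3 block-time 1: the fourth half-open to one host blocks it."""
    g = HalfOpenGuard(max_high=500, max_low=400, minute_high=500, minute_low=400,
                      host_max=3, block_minutes=1)
    mail = "192.168.10.10"
    actions = [g.new_attempt(t, mail) for t in range(5)]   # t = 0..4
    actions.append(g.new_attempt(63, mail))                # block-time (1 minute) has expired
    return actions


if __name__ == "__main__":
    print(demo_total_threshold())
    print(demo_host_limit())
```

The first demo shows why the low threshold matters: after the count climbs past high, a new request is still dropped when the table holds three half-open sessions (above low=2, below high=4), and only after the count falls below low does the next request pass. The second demo shows the per-host limit suppressing further attempts to the mail server for the whole block-time and then accepting again.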

Some very important rules relate to the first step, configuring the access lists for CBAC operation on the internal and external interfaces. These rules will be referred to over and over again within this section. If you are planning to implement CBAC within your organization and are having trouble implementing it within your network, it is highly recommended that you refer back to these rules for clarity. If you are configuring CBAC on the internal interface, follow these rules:

If an inbound IP access list is configured on the internal interface, the access list can be either a standard or extended access list. The access lists should permit traffic that should be inspected by CBAC. If traffic is not permitted, it will not be inspected by CBAC and will be dropped.

An outbound IP access list at the internal interface must be an extended access list. The outbound access list should deny traffic that you want to be inspected by CBAC. CBAC will create temporary openings in the outbound access list as needed to permit only return traffic that is part of an existing session.

If you are configuring CBAC on the external interface, follow these rules:

If an outbound IP access list is configured on the external interface, the access list can be a standard or extended access list. The access list should permit traffic that should be inspected by CBAC. If traffic is not permitted, it will not be inspected by CBAC and will be dropped.

If an inbound IP access list is configured on the external interface, the access list must be an extended access list. The inbound access list should deny traffic that should be inspected by CBAC. CBAC will create temporary openings in the inbound access list as needed to permit only return traffic that is part of an existing session.

Note If you are planning to implement CBAC within your organization, refer to the access list rules listed above for help in understanding how to configure your access lists to define your rules of inspection.

Well, think about it; are there enough commands for CBAC? At first glance the configuration for CBAC may seem overwhelming, but I shall take a slow approach to explaining the configuration power that CBAC provides. I will start with the simple network shown in Figure 4.2. In this network, Router 3 has two interfaces and is the router that provides CBAC functionality for the inside trusted network. Router 3's inside trusted network uses address space within the private 192.168.10.0 address space. Router 3 is also connected to the outside untrusted network using its serial interface and the public address space 192.168.20.0.

The 192.168.20.0 network is actually private address space as allocated by RFC 1918, which can be found at http://www.ietf.org/rfc/rfc1918.txt?number=1918. It is only used here for the benefit of protecting the innocent.

In Figure 4.2, you can see that Router 3 is connected to an inside and an outside network. The security administrators for Router 3 want to provide CBAC security for the hosts displayed in Figure 4.2. The first host is a mail server, at IP address 192.168.10.10, which needs to have the Simple Mail Transfer Protocol opened for its use. The other host is a host on the network, at IP address 192.168.10.20; the security administrators have decided it would also benefit from the security functionality that CBAC provides.

CBAC actively inspects the activity behind a firewall. CBAC specifies what traffic should be let in and what traffic should be let out by using access lists. However, CBAC access lists include ip inspect statements that allow the inspection of the protocol to make sure that it has not been tampered with before the protocol goes to the systems behind the firewall. Listing 4.1 displays Router 3’s configuration for CBAC, which meets the security requirements of the network displayed in Figure 4.2.
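To make the external-interface access-list rules and the "temporary openings" concrete, here is an added example. It is not the book's Listing 4.1 and not Cisco IOS code; it is a small stateful model of Router 3's external interface following the Figure 4.2 layout (inside network 192.168.10.0/24 with the mail server at 192.168.10.10 and the host 192.168.10.20, outside network 192.168.20.0/24). The inbound extended access list denies the traffic CBAC inspects, and CBAC permits through that list only return traffic of a session it recorded on the way out. Access-list entries use CIDR prefixes instead of IOS wildcard masks, and the outside host 192.168.20.5 and all packets are constructed.

```python
"""Stateful "temporary opening" model of CBAC on an external interface.

Added example (not the book's Listing 4.1, not Cisco IOS code). Prefixes
stand in for IOS wildcard masks; the outside host and packets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class AclEntry:
    """One extended access-list entry: action, protocol, source/destination prefixes, optional dest port."""
    action: str
    proto: str                 # "ip", "tcp" or "udp"
    src: str                   # CIDR prefix, standing in for <source source-wildcard>
    dst: str                   # CIDR prefix, standing in for <destination destination-wildcard>
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def acl_decision(acl: List[AclEntry], p: Packet) -> str:
    """First matching entry wins; an access list ends with an implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


class CbacExternalInterface:
    def __init__(self, inbound_acl: List[AclEntry], inspect_protos: List[str]):
        self.inbound_acl = inbound_acl
        self.inspect = set(inspect_protos)          # protocols named in ip inspect name <name> ...
        self.sessions: Set[Tuple] = set()           # CBAC state table, keyed on the outbound 5-tuple

    def outbound(self, p: Packet) -> str:
        """Traffic leaving through the external interface is inspected and its session recorded."""
        if p.proto in self.inspect:
            self.sessions.add((p.proto, p.src, p.dst, p.sport, p.dport))
        return "permit"

    def inbound(self, p: Packet) -> str:
        """Return traffic of a recorded session passes through a temporary opening;
        everything else is judged by the static inbound access list alone."""
        reverse = (p.proto, p.dst, p.src, p.dport, p.sport)
        if reverse in self.sessions:
            return "permit:cbac-opening"
        return acl_decision(self.inbound_acl, p)


def demo() -> dict:
    """Constructed traffic against the Figure 4.2 hosts; returns the decision per case."""
    inbound_acl = [
        AclEntry("permit", "tcp", "0.0.0.0/0", "192.168.10.10/32", 25),  # SMTP must reach the mail server
        AclEntry("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),                # everything else: only via CBAC
    ]
    fw = CbacExternalInterface(inbound_acl, ["tcp", "udp"])
    outside = "192.168.20.5"                                             # hypothetical outside host
    fw.outbound(Packet("tcp", "192.168.10.20", outside, 40000, 80))     # inside host opens a web session
    return {
        "return_http": fw.inbound(Packet("tcp", outside, "192.168.10.20", 80, 40000)),
        "unsolicited_http": fw.inbound(Packet("tcp", outside, "192.168.10.20", 1234, 80)),
        "reply_to_wrong_port": fw.inbound(Packet("tcp", outside, "192.168.10.20", 80, 40001)),
        "smtp_to_mail_server": fw.inbound(Packet("tcp", outside, "192.168.10.10", 5000, 25)),
        "smtp_to_other_host": fw.inbound(Packet("tcp", outside, "192.168.10.20", 5000, 25)),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22} {decision}")
```

Only the exact reverse of the recorded session passes through the opening; a reply aimed at a different inside port, or any unsolicited connection to the inside host, falls through to the static list and hits the deny entry, while SMTP to the mail server is permitted by the static entry regardless of session state.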
