Category:Cisco Systems -> Security
CBAC (Context-Based Access List) is a simplified ZBF (Zone-Based Firewall) function which is run on Cisco routers. With a handful commands one can easily configure the data to go outside from the campus network, e.g., to the Internet and let the return traffic back in but prevent any traffic originating outside of the perimeter to get in.
To get a better understanding of the process, imagine a visitor of a night club who has the mark on his hand or a ticket allowing him to get in and out and then back in through the entrance door freely but preventing any strangers from the street to enter without paying or without satisfying to a certain dress code.
Example of implementation:
ip inspect name CBAC cuseeme
ip inspect name CBAC ftp
ip inspect name CBAC h323
ip inspect name CBAC http
ip inspect name CBAC rcmd
ip inspect name CBAC realaudio
ip inspect name CBAC smtp
ip inspect name CBAC sqlnet
ip inspect name CBAC streamworks
ip inspect name CBAC tcp
ip inspect name CBAC tftp
ip inspect name CBAC udp
ip inspect name CBAC vdolive
ip access-list extended 100
10 permit ip 192.168.1.0 0.0.0.255 any
20 permit icmp 192.168.1.0 0.0.0.255
30 deny ip any any log
ip access-list extended 101
10 permit icmp any 192.168.1.0 0.0.0.255 unreachable
20 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
30 permit icmp any 192.168.1.0 0.0.0.255 packet-too-big
40 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
50 permit icmp any 192.168.1.0 0.0.0.255 traceroute
60 permit icmp any 192.168.1.0 0.0.0.255 administratively-prohibited
70 permit icmp any 192.168.1.0 0.0.0.255 echo
80 permit tcp any 192.168.1.0 0.0.0.255 eq 22
90 deny ip any any log
interface FastEthernet0/0
description -=Internal Interface=-
ip address 192.168.1.254 255.255.255.0
ip access-group 100 in
ip inspect CBAC in
interface FastEthernet0/1
description -=External Interface=-
ip access-group 101 in
Modify the configuration to conform to your internal security policy.
According to SRND it is said to apply CBAC policy as closer to the source as possible.
Here is a list of some other protocols allowed for inspection:
802-11-iapp — IEEE 802.11 WLANs WG IAPP
ace-svr — ACE Server/Propagation
aol — America-Online
appfw — Application Firewall
appleqtc — Apple QuickTime
bgp — Border Gateway Protocol
biff — Biff mail notification
bootpc — Bootstrap Protocol Client
bootps — Bootstrap Protocol Server
cddbp — CD Database Protocol
cifs — CIFS
cisco-fna — Cisco FNATIVE
cisco-net-mgmt — cisco-net-mgmt
cisco-svcs — cisco license/perf/GDP/X.25/ident svcs
cisco-sys — Cisco SYSMAINT
cisco-tdp — Cisco TDP
cisco-tna — Cisco TNATIVE
citrix — Citrix IMA/ADMIN/RTMP
citriximaclient — Citrix IMA Client
clp — Cisco Line Protocol
creativepartnr — Creative Partnr
creativeserver — Creative Server
cuseeme — CUSeeMe Protocol
daytime — Daytime (RFC 867)
dbase — dBASE Unix
dbcontrol_agent — Oracle dbControl Agent po
ddns-v3 — Dynamic DNS Version 3
dhcp-failover — DHCP Failover
discard — Discard port
dns — Domain Name Server
dnsix — DNSIX Securit Attribute Token Map
echo — Echo port
entrust-svc-hdlr — Entrust KM/Admin Service Handler
entrust-svcs — Entrust sps/aaas/aams
esmtp — Extended SMTP
exec — Remote Process Execution
fcip-port — FCIP
finger — Finger
fragment — IP fragment inspection
ftp — File Transfer Protocol
ftps — FTP over TLS/SSL
gdoi — GDOI
giop — Oracle GIOP/SSL
gopher — Gopher
gtpv0 — GPRS Tunneling Protocol Version 0
gtpv1 — GPRS Tunneling Protocol Version 1
h323 — H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
h323callsigalt — h323 Call Signal Alternate
h323gatestat — h323gatestat
hp-alarm-mgr — HP Performance data alarm manager
hp-collector — HP Performance data collector
hp-managed-node — HP Performance data managed node
hsrp — Hot Standby Router Protocol
http — HTTP Protocol
https — Secure Hypertext Transfer Protocol
ica — ica (Citrix)
icabrowser — icabrowser (Citrix)
icmp — ICMP Protocol
ident — Authentication Service
igmpv3lite — IGMP over UDP for SSM
imap — IMAP Protocol
imap3 — Interactive Mail Access Protocol 3
imaps — IMAP over TLS/SSL
ipass — IPASS
ipsec-msft — Microsoft IPsec NAT-T
ipx — IPX
irc — Internet Relay Chat Protocol
irc-serv — IRC-SERV
ircs — IRC over TLS/SSL
ircu — IRCU
isakmp — ISAKMP
iscsi — iSCSI
iscsi-target — iSCSI port
kazaa — KAZAA
kerberos — Kerberos
kermit — kermit
l2tp — L2TP/L2F
ldap — Lightweight Directory Access Protocol
ldap-admin — LDAP admin server port
ldaps — LDAP over TLS/SSL
login — Remote login
lotusmtap — Lotus Mail Tracking Agent Protocol
lotusnote — Lotus Note
microsoft-ds — Microsoft-DS
ms-cluster-net — MS Cluster Net
ms-dotnetster — Microsoft .NETster Port
ms-sna — Microsoft SNA Server/Base
ms-sql — Microsoft SQL
ms-sql-m — Microsoft SQL Monitor
msexch-routing — Microsoft Exchange Routing
mysql — MySQL
n2h2server — N2H2 Filter Service Port
ncp — NCP (Novell)
net8-cman — Oracle Net8 Cman/Admin
netbios-dgm — NETBIOS Datagram Service
netbios-ns — NETBIOS Name Service
netbios-ssn — NETBIOS Session Service
netshow — Microsoft NetShow Protocol
netstat — Variant of systat
nfs — Network File System
nntp — Network News Transport Protocol
ntp — Network Time Protocol
oem-agent — OEM Agent (Oracle)
oracle — Oracle
oracle-em-vp — Oracle EM/VP
oraclenames — Oracle Names
orasrv — Oracle SQL*Net v1/v2
parameter — Specify inspection parameters
pcanywheredata — pcANYWHEREdata
pcanywherestat — pcANYWHEREstat
pop3 — POP3 Protocol
pop3s — POP3 over TLS/SSL
pptp — PPTP
pwdgen — Password Generator Protocol
qmtp — Quick Mail Transfer Protocol
r-winsock — remote-winsock
radius — RADIUS & Accounting
rcmd — R commands (r-exec, r-login, r-sh)
rdb-dbs-disp — Oracle RDB
realaudio — Real Audio Protocol
realsecure — ISS Real Secure Console Service Port
router — Local Routing Process
rpc — Remote Prodedure Call Protocol
rsvd — RSVD
rsvp-encap — RSVP ENCAPSULATION-1/2
rsvp_tunnel — RSVP Tunnel
rtc-pm-port — Oracle RTC-PM port
rtelnet — Remote Telnet Service
rtsp — Real Time Streaming Protocol
send — SEND
shell — Remote command
sip — SIP Protocol
sip-tls — SIP-TLS
skinny — Skinny Client Control Protocol
sms — SMS RCINFO/XFER/CHAT
smtp — Simple Mail Transfer Protocol
snmp — Simple Network Management Protocol
snmptrap — SNMP Trap
socks — Socks
sqlnet — SQL Net Protocol
sqlserv — SQL Services
sqlsrv — SQL Service
ssh — SSH Remote Login Protocol
sshell — SSLshell
ssp — State Sync Protocol
streamworks — StreamWork Protocol
stun — cisco STUN
syslog — SysLog Service
syslog-conn — Reliable Syslog Service
tacacs — Login Host Protocol (TACACS)
tacacs-ds — TACACS-Database Service
tarantella — Tarantella
tcp — Transmission Control Protocol
telnet — Telnet
telnets — Telnet over TLS/SSL
tftp — TFTP Protocol
time — Time
timed — Time server
tr-rsrb — cisco RSRB
ttc — Oracle TTC/SSL
udp — User Datagram Protocol
uucp — UUCPD/UUCP-RLOGIN
vdolive — VDOLive Protocol
vqp — VQP
webster — Network Disctionary
who — Who’s service
wins — Microsoft WINS
x11 — X Window System
xdmcp — XDM Control Protocol
