Sunday, 13 May 2012

Context-Based Access Control

Context-Based Access Control (CBAC) is a firewall feature that actively inspects the activity passing through a firewall. CBAC specifies what traffic needs to be let in and what traffic needs to be let out by using access lists. CBAC access lists include IP inspect statements that allow the protocol to be inspected, to make sure it has not been tampered with, before the traffic reaches the systems behind the firewall. CBAC provides internal users with secure access control for each application and for all traffic across network perimeters. CBAC enhances security by scrutinizing both source and destination addresses and by tracking each application's connection status. For instance, CBAC can be configured to track connections that originate within the local network. CBAC keeps this session information in a state table and opens temporary holes in the firewall so that the return traffic for those connections is allowed back into the local network.

This ability allows CBAC to both monitor and prevent DoS and other network attacks. If CBAC detects an attack, it can be configured to either drop the session (and block the source) or send an alert message indicating that an attack is occurring.

To configure CBAC, we must accomplish the following:

• Configure auditing

• Set timeouts and thresholds

• Identify the type of traffic we want to inspect, such as HTTP, FTP, SMTP, etc.

• Apply CBAC to an interface

Timeouts and thresholds help CBAC determine when a DoS or network attack is occurring. These thresholds include:

• Total number of half-open TCP/UDP sessions

• Number of half-open sessions over a given time period

• Number of half-open sessions from a specific host

A half-open TCP session indicates that the three-way handshake has not yet completed. A half-open UDP session indicates that no return UDP traffic has been sent. A large number of half-open sessions on a router will chew up resources while preventing legitimate connections from being established.
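Putting the four configuration steps and the half-open thresholds together, here is an added example IOS configuration (it is not part of the original post). The interface name, the inspection rule name INSPECT_OUT, the ACL name OUTSIDE_IN and the specific threshold values are assumptions chosen for illustration; the commands themselves are standard CBAC commands.

```cisco
! Step 1: auditing - log every session open/close to the local buffer
! (attack alerts are on by default; "ip inspect alert-off" would silence them)
logging buffered 64000 informational
ip inspect audit-trail

! Step 2: timeouts - how long a session may stay half-open or idle
! seconds allowed for the TCP three-way handshake to complete
ip inspect tcp synwait-time 30
! seconds a TCP session is kept after a FIN exchange
ip inspect tcp finwait-time 5
! idle TCP sessions are removed after one hour, UDP after 30 s without return traffic
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5

! Step 2: thresholds - the three half-open measures described above
! total half-open sessions: start deleting at 500, stop deleting at 400
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! new half-open sessions per minute: same high/low watermarks
ip inspect one-minute high 500
ip inspect one-minute low 400
! half-open TCP sessions to a single host: above 50, block new SYNs
! to that host for 2 minutes (block-time 0 would only drop the oldest session)
ip inspect tcp max-incomplete host 50 block-time 2

! Step 3: the traffic to inspect - one named rule, application-aware where
! CBAC has a protocol engine, generic TCP/UDP for everything else
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT ftp
ip inspect name INSPECT_OUT smtp
ip inspect name INSPECT_OUT tcp
ip inspect name INSPECT_OUT udp

! Inbound filter on the outside interface: nothing comes in unless CBAC
! has opened a temporary hole for a session that started on the inside
ip access-list extended OUTSIDE_IN
 deny ip any any log

! Step 4: apply the filter inbound and the inspection rule outbound on the
! outside interface (assumed interface name)
interface FastEthernet0/1
 description OUTSIDE
 ip access-group OUTSIDE_IN in
 ip inspect INSPECT_OUT out
```

After applying it, `show ip inspect config` confirms the thresholds and `show ip inspect sessions` lists the state-table entries, including any half-open sessions, that CBAC is currently tracking.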
