
How CBAC Works

The following sections highlight the fundamental concepts of how CBAC inspects packets and maintains state information for all the connections, thereby providing intelligent filtering.

Packet Inspection

CBAC performs per-protocol inspection. Each protocol that requires inspection is individually enabled, and an interface and interface direction (in or out) is specified where inspection originates. Only the specified protocols will be inspected by CBAC. All other protocols continue uninterrupted, subject to other router processes—for example, NAT, routing, and ACL.

Packets entering the firewall are subject to inspection only if they first pass the inbound access list at the input interface and outbound access list at the output interface. If a packet is denied by the access list, the packet is simply dropped without CBAC inspection performed.

For TCP protocol inspection, CBAC keeps track of sequence numbers in all TCP packets. Packets with sequence numbers that are not within the expected ranges are dropped.

Timeout and Threshold Values

CBAC uses several timeout and threshold values to manage session state information. These values help determine when to drop sessions that do not become fully established. This also helps to free up system resources, dropping sessions after a specified amount of idle time. CBAC sends a reset message for all dropped sessions to both sides (source and destination) of the session. The system receiving the reset message releases the incomplete connection from its process, thereby clearing the resource allocation table.

CBAC monitors these thresholds in three ways: the total number of half-open sessions, the rate at which new half-open sessions arrive per minute, and the number of half-open TCP sessions aimed at a single destination host. These are described in the sections on embryonic sessions and per-host DoS prevention that follow.

The Session State Table

CBAC maintains a session state table with connection information, such as the source/destination IP addresses, source/destination port numbers, and the application protocol information. For every incoming packet that CBAC inspects, the state table is updated with all the information. This information is used to punch a dynamic hole in the firewall access list for the return traffic. Return traffic will be permitted back through the firewall only if an entry in the state table indicates that the packet belongs to a permissible session. Example 5-1 shows sample session state table information, and Example 5-2 shows the dynamic ACL entry that corresponds to the information in this state table.

Example 5-1. Connection Information in the State Table

Router# show ip inspect session
Established Sessions
 Session 25A4E53 (10.1.1.1:11006)=>(20.1.1.1:23) tcp SIS_OPEN

UDP Connections

UDP is a connectionless transport-layer protocol; hence, there is no state information available to track the flow of the connections. CBAC deals with UDP sessions by examining the information in the packet and determining whether the packet is similar to a UDP packet that exited earlier. Returning UDP packets are accepted only within the idle timeout period and only if they carry the corresponding source/destination IP addresses and port numbers.

Dynamic ACL Entries

As discussed earlier, CBAC uses the connection information from the session table to open dynamic holes in the firewall access list for the returning traffic (that would normally be blocked). CBAC dynamically adds and removes access list entries at the firewall interfaces. These temporary openings are created in accordance with the state table for all inspected traffic that originates from an internal (protected) network outbound toward the unprotected zone through the firewall. The purpose of these access list entries is to examine traffic flowing back into the internal network. These entries create temporary openings in the firewall to permit only traffic that is part of a permissible session. Example 5-2 shows a dynamic ACL entry (corresponding to Example 5-1) that permits returning Telnet traffic initiated by a host from the internal network.

Example 5-2. Dynamic ACL Entry Corresponding to the State Table

Router# show ip access-lists
Extended IP access list 101
    permit tcp host 20.1.1.1 eq telnet host 10.1.1.1 eq 11006 (16 matches)
    permit tcp any host WebServer eq http
    deny ip any any (12 matches)

Note

The dynamically created access list entries that allow returning traffic are temporary and are not saved to the nonvolatile random-access memory (NVRAM).
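As an added illustration (not code from the book or from Cisco IOS), the following Python models the state-table lookup described in the preceding sections: it parses a session line in the format of Example 5-1, derives the dynamic ACE of Example 5-2, and admits an inbound packet only when it is the exact mirror of a tracked session and the session has not exceeded the idle timeout of Table 5-1. The port-keyword map and the packet tuple layout are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed session line in the format of Example 5-1 (not captured from a router).
SESSION_LINE = "Session 25A4E53 (10.1.1.1:11006)=>(20.1.1.1:23) tcp SIS_OPEN"
SESSION_RE = re.compile(
    r"Session (\w+) \((\S+):(\d+)\)=>\((\S+):(\d+)\) (tcp|udp) (\S+)")
# Port keywords as IOS prints them in an ACE; a small subset, assumed for this example.
PORT_NAMES = {23: "telnet", 25: "smtp", 53: "domain", 80: "www"}
IDLE = {"tcp": 3600, "udp": 30}   # idle timeouts from Table 5-1, in seconds


@dataclass
class Session:
    sid: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: str
    last_seen: float = 0.0        # time the last packet of this session was inspected


def parse_session(line):
    """Turn one 'show ip inspect session' line into a Session record."""
    m = SESSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised session line: {line!r}")
    sid, src, sport, dst, dport, proto, state = m.groups()
    return Session(sid, src, int(sport), dst, int(dport), proto, state)


def port_name(port):
    return PORT_NAMES.get(port, str(port))


def dynamic_ace(s):
    """The temporary ACE that admits this session's return traffic (Example 5-2 form)."""
    return (f"permit {s.proto} host {s.dst} eq {port_name(s.dport)} "
            f"host {s.src} eq {port_name(s.sport)}")


def permits_return(s, pkt, now):
    """pkt = (proto, src, sport, dst, dport) of an inbound packet. It is admitted
    only if it is the exact mirror of the tracked session and the session has not
    exceeded its idle timeout (30 s for UDP, 1 h for TCP)."""
    proto, src, sport, dst, dport = pkt
    mirrored = (proto == s.proto and src == s.dst and sport == s.dport
                and dst == s.src and dport == s.sport)
    return mirrored and (now - s.last_seen) <= IDLE[s.proto]
```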


Embryonic (Half-Open) Sessions

CBAC provides DoS detection and prevention. An excessive number of half-open sessions (either absolute or measured as the arrival rate) could indicate the possible occurrence of a denial-of-service attack. Traffic patterns can be established for a TCP SYN-flood type attack. TCP is a connection-oriented transport protocol that requires completing a three-way handshake mechanism. Incomplete (half-open) connections mean that the session has not completed the TCP three-way handshake; hence, the session is not established. Because UDP is a connectionless protocol, there is no handshake mechanism; incomplete sessions (half-open) in UDP context indicate that the firewall has detected no return traffic.

CBAC monitors the total number of half-open connections and the rate of session establishment attempts for both TCP and UDP half-open connections. CBAC monitors these values several times per minute. Adjusting threshold values for network connections helps prevent DoS attacks by controlling the number of half-open sessions, thereby freeing up system resources occupied by half-open sessions.

Example 5-3 shows a CBAC session table with a few half-open (incomplete) TCP connections.

Example 5-3. Sample Half-Open Connections

Router# show ip inspect session
Half-open Sessions
 Session 63938D28 (10.1.1.2:11000)=>(20.1.1.2:23) tcp SIS_OPENING
 Session 63938EB8 (10.1.1.2:11001)=>(20.1.1.2:25) tcp SIS_OPENING
 Session 639C2343 (10.1.1.20:11012)=>(20.0.0.20:23) tcp SIS_OPENING
 Session 63976A22 (10.1.1.20:11013)=>(20.0.0.20:80) tcp SIS_OPENING

When the number of half-open connections exceeds the specified threshold (using the ip inspect max-incomplete high or ip inspect one-minute high number), CBAC will delete subsequent half-open sessions as required to accommodate new incoming connections. CBAC continues to delete the half-open connection requests as required until the number of existing half-open sessions drops below another specified threshold (using the ip inspect max-incomplete low or ip inspect one-minute low number). See Table 5-1 for more details on these commands and threshold values.

Table 5-1. Global Timeout and Threshold Values
| Timeout or Threshold Value | Command | Default |
|---|---|---|
| The length of time the software waits for a TCP session to reach the established state before dropping the session | ip inspect tcp synwait-time seconds | 30 seconds |
| The length of time a TCP session will still be managed after the firewall detects a FIN-exchange | ip inspect tcp finwait-time seconds | 5 seconds |
| The length of time a TCP session will still be managed after no activity (the TCP idle timeout) | ip inspect tcp idle-time seconds | 3600 seconds (1 hour) |
| The length of time a UDP session will still be managed after no activity (the UDP idle timeout) | ip inspect udp idle-time seconds | 30 seconds |
| The length of time a DNS name lookup session will still be managed after no activity | ip inspect dns-timeout seconds | 5 seconds |
| The number of existing half-open sessions that will cause the software to start deleting half-open sessions | ip inspect max-incomplete high number | 500 existing half-open sessions |
| The number of existing half-open sessions that will cause the software to stop deleting half-open sessions | ip inspect max-incomplete low number | 400 existing half-open sessions |
| The rate of new unestablished sessions in 1-minute intervals that will cause the software to start deleting half-open sessions | ip inspect one-minute high number | 500 half-open sessions per minute |
| The rate of new unestablished sessions in 1-minute intervals that will cause the software to stop deleting half-open sessions | ip inspect one-minute low number | 400 half-open sessions per minute |
| The number of existing half-open TCP sessions with the same destination host address that will cause the software to start dropping half-open sessions to the same destination host address | ip inspect tcp max-incomplete host number block-time minutes | 50 existing half-open TCP sessions; 0 minutes |
The information in Table 5-1 is taken from "Configuring Context-Based Access Control" at http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sccbac.html#wp4154.


Per-Host DoS Prevention

CBAC provides a more aggressive TCP-based host-specific DoS prevention. CBAC monitors the total number of half-open connections initiated to the same destination host address. When the number of incomplete (half-open) TCP connections exceeds the configured threshold, CBAC blocks all subsequent connections to the host for the specified block-time, thereby preventing the flood. To configure per-host CBAC monitoring, use the ip inspect tcp max-incomplete host command. Refer to Table 5-1 for more details on this command.

Example 5-4 shows how to change the max-incomplete host threshold to 100 half-open sessions, with a block-time of 5 minutes.

Example 5-4. Per-Host CBAC Monitoring for DoS Prevention

Router(config)# ip inspect tcp max-incomplete host 100 block-time 5
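Added example, not from the book or from Cisco IOS: a Python model of the watermark behaviour described in this section and the preceding one, run over constructed output in the format of Example 5-3. It counts SIS_OPENING sessions, applies the max-incomplete high/low hysteresis (deletion starts above the high mark and continues until the count drops below the low mark), and flags destination hosts whose half-open TCP count exceeds the per-host limit; thresholds default to the Table 5-1 values. The per-minute rate counters are not modelled, since a single snapshot cannot show them.

```python
import re
from collections import Counter

# Constructed output in the format of Example 5-3 (not captured from a router).
SAMPLE = """Half-open Sessions
 Session 63938D28 (10.1.1.2:11000)=>(20.1.1.2:23) tcp SIS_OPENING
 Session 63938EB8 (10.1.1.2:11001)=>(20.1.1.2:25) tcp SIS_OPENING
 Session 639C2343 (10.1.1.20:11012)=>(20.0.0.20:23) tcp SIS_OPENING
 Session 63976A22 (10.1.1.20:11013)=>(20.0.0.20:80) tcp SIS_OPENING
"""
LINE_RE = re.compile(r"Session \w+ \(\S+:\d+\)=>\((\S+):\d+\) (tcp|udp) (SIS_\w+)")


def half_open(output):
    """Return (destination host, protocol) for every half-open session in the output."""
    return [(m.group(1), m.group(2))
            for m in LINE_RE.finditer(output) if m.group(3) == "SIS_OPENING"]


class HalfOpenMonitor:
    """Model of the CBAC watermarks: deletion of half-open sessions starts once the
    count exceeds `high` and continues until it drops below `low`; a destination
    host is blocked once its half-open TCP count exceeds `host_max`.
    Defaults are the Table 5-1 values."""

    def __init__(self, high=500, low=400, host_max=50):
        self.high, self.low, self.host_max = high, low, host_max
        self.deleting = False

    def check(self, output):
        sessions = half_open(output)
        total = len(sessions)
        if total > self.high:
            self.deleting = True
        elif total < self.low:
            self.deleting = False      # between low and high: keep the previous mode
        per_host = Counter(dst for dst, proto in sessions if proto == "tcp")
        blocked = sorted(h for h, n in per_host.items() if n > self.host_max)
        return {"total": total, "deleting": self.deleting, "blocked_hosts": blocked}


def simulate(outputs, high=500, low=400, host_max=50):
    """Feed successive snapshots to one monitor and return the verdict for each."""
    mon = HalfOpenMonitor(high, low, host_max)
    return [mon.check(o) for o in outputs]


if __name__ == "__main__":
    print(simulate([SAMPLE]))
```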
