The following sections highlight the fundamental concepts of how CBAC inspects packets and maintains state information for all the connections, thereby providing intelligent filtering.
CBAC performs per-protocol inspection. Each protocol that requires inspection is individually enabled, and an interface and interface direction (in or out) is specified where inspection originates. Only the specified protocols will be inspected by CBAC. All other protocols continue uninterrupted, subject to other router processes—for example, NAT, routing, and ACL.
Packets entering the firewall are subject to inspection only if they first pass the inbound access list at the input interface and the outbound access list at the output interface. A packet denied by either access list is simply dropped; CBAC never sees it.
For TCP protocol inspection, CBAC keeps track of sequence numbers in all TCP packets. Packets with sequence numbers that are not within the expected ranges are dropped.
CBAC uses several timeout and threshold values to manage session state information. These values determine when to drop sessions that never become fully established, and when to drop sessions that have been idle for a specified time, which frees the system resources those sessions occupy. For every session it drops, CBAC sends a reset message to both ends (source and destination) of the session; the host receiving the reset releases the incomplete connection and frees the resources it had allocated for it.
CBAC monitors the thresholds in the following three ways:

- The total number of existing half-open TCP or UDP sessions
- The number of half-open sessions based on time (the rate of new unestablished sessions per minute)
- The number of half-open TCP sessions to the same destination host
CBAC maintains a session state table with connection information, such as the source/destination IP addresses, source/destination port numbers, and the application protocol information. For every incoming packet that CBAC inspects, the state table is updated with all the information. This information is used to punch a dynamic hole in the firewall access list for the return traffic. Return traffic will be permitted back through the firewall only if an entry in the state table indicates that the packet belongs to a permissible session. Example 5-1 shows sample session state table information, and Example 5-2 shows the dynamic ACL entry that corresponds to the information in this state table.
Example 5-1 Session state table information

```
Router# show ip inspect session
Established Sessions
 Session 25A4E53 (10.1.1.1:11006)=>(20.1.1.1:23) tcp SIS_OPEN
```
UDP is a connectionless transport-layer protocol, so there is no connection state in the protocol itself to track. CBAC approximates a UDP session by examining the packet and checking whether it matches a UDP packet that exited earlier: a returning UDP packet is accepted only if it carries the corresponding (reversed) source/destination IP addresses and port numbers and arrives within the UDP idle timeout of the last packet in that session.
As discussed earlier, CBAC uses the connection information in the session state table to open dynamic holes in the firewall access list for returning traffic that the static access list would otherwise block. CBAC adds and removes these access list entries at the firewall interfaces dynamically, in accordance with the state table, for all inspected traffic that originates from the internal (protected) network and travels outbound toward the unprotected zone. The temporary openings admit traffic flowing back into the internal network only when it is part of a permissible session. Example 5-2 shows the dynamic ACL entry (corresponding to Example 5-1) that permits returning Telnet traffic for a session initiated by a host on the internal network.
Example 5-2 Dynamic ACL entry corresponding to Example 5-1

```
Router# show ip access-lists
Extended IP access list 101
    permit tcp host 20.1.1.1 eq telnet host 10.1.1.1 eq 11006 (16 matches)
    permit tcp any host WebServer eq http
    deny ip any any (12 matches)
```
Note
The dynamically created access list entries that allow returning traffic are temporary and are not saved to the nonvolatile random-access memory (NVRAM).
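The following Python model, added here as an illustration and not Cisco IOS code, shows how the session state table drives the dynamic openings described above. It parses the line format of `show ip inspect session` as seen in Examples 5-1 and 5-3, mirrors each entry into the access-list entry CBAC punches for the reply direction (the form shown in Example 5-2), and checks a returning packet against the table subject to the TCP and UDP idle timeouts from Table 5-1. The sample output, the port-name map and the `last_seen` timestamps are constructed for this example.

```python
"""Model of the CBAC state table and the return-traffic openings it implies.
Added illustration, not Cisco IOS code.  Sample output, port-name map and
timestamps below are constructed for this example."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the format of 'show ip inspect session' output.
SAMPLE_SHOW_OUTPUT = """\
Established Sessions
 Session 25A4E53 (10.1.1.1:11006)=>(20.1.1.1:23) tcp SIS_OPEN
 Session 25A4F10 (10.1.1.5:40001)=>(20.1.1.9:53) udp SIS_OPEN
Half-open Sessions
 Session 63938D28 (10.1.1.2:11000)=>(20.1.1.2:23) tcp SIS_OPENING
"""

SESSION_RE = re.compile(
    r"Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<state>SIS_\w+)"
)

# 'show ip access-lists' prints well-known ports by name (Example 5-2 shows
# 'eq telnet'); this mapping is an assumption covering the ports used here.
PORT_NAMES = {23: "telnet", 25: "smtp", 53: "domain", 80: "www"}

# Default idle timeouts from Table 5-1, in seconds.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 30}


@dataclass(frozen=True)
class Session:
    sid: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: str


def parse_sessions(text: str) -> list[Session]:
    """Build the state table from 'show ip inspect session' output."""
    table = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            table.append(Session(m["sid"], m["src"], int(m["sport"]),
                                 m["dst"], int(m["dport"]),
                                 m["proto"], m["state"]))
    return table


def port_token(port: int) -> str:
    return PORT_NAMES.get(port, str(port))


def return_ace(s: Session) -> str:
    """The temporary ACE for the reply direction: the session's destination
    becomes the ACE source and vice versa, as in Example 5-2."""
    return (f"permit {s.proto} host {s.dst} eq {port_token(s.dport)} "
            f"host {s.src} eq {port_token(s.sport)}")


def dynamic_acl(table: list[Session]) -> list[str]:
    """One opening per state-table entry; nothing else is let back in."""
    return [return_ace(s) for s in table]


def permits_return_packet(table, last_seen, now, proto, src, sport, dst, dport):
    """Reply-path check: the packet must reverse the 5-tuple of a table entry
    and arrive before that entry's idle timeout expires.  'last_seen' maps a
    session id to the time of its last packet (constructed here; the router
    keeps this internally)."""
    for s in table:
        if (s.proto == proto and s.dst == src and s.dport == sport
                and s.src == dst and s.sport == dport):
            return now - last_seen.get(s.sid, now) <= IDLE_TIMEOUT[s.proto]
    return False


if __name__ == "__main__":
    for ace in dynamic_acl(parse_sessions(SAMPLE_SHOW_OUTPUT)):
        print(ace)
```

Running the block prints the mirrored entries; the UDP entry shows why the 30-second idle timeout matters, since a DNS reply arriving after it is treated as unsolicited and hits the static `deny ip any any`.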
CBAC provides DoS detection and prevention. An excessive number of half-open sessions, whether as an absolute count or measured as an arrival rate, can indicate a denial-of-service attack in progress; this is the traffic pattern of a TCP SYN-flood attack. TCP is a connection-oriented transport protocol that requires a three-way handshake to complete. A half-open (incomplete) TCP connection is one whose three-way handshake has not completed, so the session is not established. UDP is connectionless and has no handshake; a half-open UDP session is one for which the firewall has seen outbound traffic but no return traffic.
CBAC monitors the total number of half-open connections and the rate of new session attempts, for TCP and UDP alike, sampling these values several times per minute. Tuning the thresholds caps the number of half-open sessions the router will track, which both limits the effect of a flood and frees the system resources those sessions would otherwise occupy.
Example 5-3 shows a CBAC session table with a few half-open (incomplete) TCP connections.
Example 5-3 Half-open sessions in the session table

```
Router# show ip inspect session
Half-open Sessions
 Session 63938D28 (10.1.1.2:11000)=>(20.1.1.2:23) tcp SIS_OPENING
 Session 63938EB8 (10.1.1.2:11001)=>(20.1.1.2:25) tcp SIS_OPENING
 Session 639C2343 (10.1.1.20:11012)=>(20.0.0.20:23) tcp SIS_OPENING
 Session 63976A22 (10.1.1.20:11013)=>(20.0.0.20:80) tcp SIS_OPENING
```
When the number of half-open connections rises above the configured threshold (set with ip inspect max-incomplete high for the absolute count, or ip inspect one-minute high for the per-minute rate), CBAC deletes existing half-open sessions as required to accommodate new connection requests. It continues deleting half-open sessions until the count or rate drops below the corresponding lower threshold (ip inspect max-incomplete low or ip inspect one-minute low). The gap between the high and low values provides hysteresis, so CBAC does not flap in and out of this aggressive mode on every sample. See Table 5-1 for these commands and their default values.
Table 5-1 CBAC timeout and threshold values

Timeout or Threshold Values | Command | Default
---|---|---
The length of time the software waits for a TCP session to reach the established state before dropping the session | ip inspect tcp synwait-time seconds | 30 seconds |
The length of time a TCP session will still be managed after the firewall detects a FIN-exchange | ip inspect tcp finwait-time seconds | 5 seconds |
The length of time a TCP session will still be managed after no activity (the TCP idle timeout) | ip inspect tcp idle-time seconds | 3600 seconds (1 hour) |
The length of time a UDP session will still be managed after no activity (the UDP idle timeout) | ip inspect udp idle-time seconds | 30 seconds |
The length of time a DNS name lookup session will still be managed after no activity | ip inspect dns-timeout seconds | 5 seconds |
The number of existing half-open sessions that will cause the software to start deleting half-open sessions | ip inspect max-incomplete high number | 500 existing half-open sessions |
The number of existing half-open sessions that will cause the software to stop deleting half-open sessions | ip inspect max-incomplete low number | 400 existing half-open sessions |
The rate of new unestablished sessions in 1-minute intervals that will cause the software to start deleting half-open sessions | ip inspect one-minute high number | 500 half-open sessions per minute |
The rate of new unestablished sessions in 1-minute intervals that will cause the software to stop deleting half-open sessions | ip inspect one-minute low number | 400 half-open sessions per minute |
The number of existing half-open TCP sessions with the same destination host address that will cause the software to start dropping half-open sessions to the same destination host address | ip inspect tcp max-incomplete host number block-time minutes | 50 existing half-open TCP sessions; 0 minutes |
The information in Table 5-1 is taken from "Configuring Context-Based Access Control" at http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sccbac.html#wp4154.
CBAC also provides a more aggressive, host-specific TCP DoS prevention. It monitors the number of half-open connections initiated to the same destination host address. When that number exceeds the threshold set with the ip inspect tcp max-incomplete host command, the response depends on the block-time value: with a nonzero block-time, CBAC deletes all existing half-open sessions to that host and then blocks every new connection request to the host until the block-time expires, which stops the flood outright; with the default block-time of 0, it instead deletes the oldest half-open session to the host for each new connection request, so the count never exceeds the threshold but new requests are never refused. Refer to Table 5-1 for the command syntax and defaults.
Example 5-4 raises the per-host threshold to 100 half-open sessions and sets the block-time to 5 minutes.
```
Router(config)# ip inspect tcp max-incomplete host 100 block-time 5
```
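To make the two threshold mechanisms concrete, the following Python simulation, added here as an illustration and not Cisco IOS code, models the global max-incomplete high/low pair with its hysteresis and the per-host ip inspect tcp max-incomplete host threshold with block-time. The deletion rules follow the text above: above the high watermark CBAC deletes the oldest existing half-open session to make room for each new request until the count falls below the low watermark; per host, block-time 0 deletes the oldest half-open session to that host for each new request, and a nonzero block-time clears that host's half-open sessions and blocks new requests to it for that many minutes. Hosts, times and request order are constructed, and the one-minute rate thresholds are not modelled.

```python
"""Simulation of CBAC half-open session thresholds (Table 5-1).
Added illustration, not Cisco IOS code; traffic and hosts are constructed."""
from collections import deque


class HalfOpenMonitor:
    def __init__(self, high=500, low=400, host_max=50, block_time=0):
        self.high, self.low = high, low     # ip inspect max-incomplete high/low
        self.host_max = host_max            # ip inspect tcp max-incomplete host
        self.block_time = block_time        # block-time, in minutes
        self.half_open = deque()            # oldest first: (src, dst)
        self.deleting = False               # latched between low and high
        self.blocked_until = {}             # dst host -> time (s) block expires
        self.deleted = 0                    # half-open sessions CBAC removed

    def count_for_host(self, dst):
        return sum(1 for _, d in self.half_open if d == dst)

    def _delete_oldest_to(self, dst):
        for i, (_, d) in enumerate(self.half_open):
            if d == dst:
                del self.half_open[i]
                self.deleted += 1
                return

    def new_syn(self, src, dst, now):
        """A new TCP connection request on the inspected interface.
        Returns 'accepted' (now tracked as half-open) or 'blocked'."""
        # Per-host protection first: it is the more aggressive check.
        if self.blocked_until.get(dst, 0) > now:
            return "blocked"
        if self.count_for_host(dst) >= self.host_max:
            if self.block_time > 0:
                before = len(self.half_open)
                self.half_open = deque(e for e in self.half_open if e[1] != dst)
                self.deleted += before - len(self.half_open)
                self.blocked_until[dst] = now + self.block_time * 60
                return "blocked"
            self._delete_oldest_to(dst)     # block-time 0: evict, do not refuse
        # Global threshold with hysteresis: deleting starts once the count
        # rises above 'high' and continues until it drops below 'low'.
        n = len(self.half_open)
        if n > self.high:
            self.deleting = True
        elif n < self.low:
            self.deleting = False
        if self.deleting:
            self.half_open.popleft()
            self.deleted += 1
        self.half_open.append((src, dst))
        return "accepted"

    def established(self, src, dst):
        """Three-way handshake completed: the session leaves the half-open set."""
        try:
            self.half_open.remove((src, dst))
        except ValueError:
            pass


if __name__ == "__main__":
    # Example 5-4 settings against a constructed 120-request burst at one host.
    m = HalfOpenMonitor(host_max=100, block_time=5)
    results = [m.new_syn(f"192.0.2.{i % 250}", "20.1.1.1", float(i))
               for i in range(120)]
    print(results.count("accepted"), "accepted,", results.count("blocked"),
          "blocked, host block expires at t =", m.blocked_until["20.1.1.1"])
```

With the Example 5-4 settings the 101st request to the host trips the per-host threshold, the 100 tracked half-open sessions are discarded, and every further request to that host is refused until five minutes have passed, while requests to other hosts are unaffected.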