A little while back, I wrote about the basic application of extended IP access-lists. There are a couple of points I hope everyone fully grasped the significance of. The first is that nearly all traffic is bidirectional in nature, so two-way communication is almost always required. The second is that when an access-list is applied, every packet is compared against it and evaluated on its own. This creates a bit of a dilemma when we try to build a firewall out of an IOS based router. If we want to block all traffic coming into our network, a "deny ip any any" will do the trick. However, once we consider the implications we soon realize that return traffic will be blocked as well. Let's take a look.

Using the above image as a reference, let's assume that the IOS router is going to be our firewall. Our task is to permit all outbound communication but deny all inbound communication.

    ip access-list extended OUTBOUND
     permit ip any any
    ip access-list extended INBOUND
     deny ip any any
    interface serial0/0/0
     ip access-group OUTBOUND out
     ip access-group INBOUND in

From this we can see that the OUTBOUND access-list is really not doing anything. However, it is a good way for us to keep our goal of permitting all outbound traffic in mind. The INBOUND access-list is blocking everything, and that includes return traffic from the server back to the client. So as this configuration stands, almost nothing will work properly. The exception might be something that is connectionless at the transport layer and above, where no reply is expected. For example, something internal could still send a syslog message to an outside syslog server.

The solution to this problem in IOS is something Cisco calls Context-Based Access Control, or CBAC. CBAC accomplishes a few goals. The first thing it does is "inspect" traffic. When traffic is inspected, various items can be checked depending on the protocol. For example, a TCP connection should start with a packet carrying only the SYN flag, and CBAC uses that to decide whether a new session may be created. After CBAC has blessed the start of a traffic flow, it records the flow in a state table that tracks the status of connections going through the IOS firewall. Returning traffic that is part of a previously established flow will be permitted regardless of the access-list configuration; in effect, the returning traffic is allowed to bypass the access-list. Let's look at the image once again and make our configuration work.
CBAC definition:

    ip inspect name FWOUT tcp

Outbound access-list:

    ip access-list extended OUTBOUND
     permit ip any any

Inbound access-list:

    ip access-list extended INBOUND
     deny ip any any

Interface:

    interface serial0/0/0
     ip inspect FWOUT out
     ip access-group OUTBOUND out
     ip access-group INBOUND in

Notice that we defined a CBAC policy that inspects only TCP, and applied it to interface Serial 0/0/0 in the outbound direction. So if the client attempts to communicate with any TCP service on the server, it should work: TCP traffic that is a response to traffic that exits, or egresses, Serial 0/0/0 will be allowed to bypass the INBOUND acl. This would not, however, permit a DNS request, because simple DNS requests use UDP. In order to allow UDP and ICMP (ping) to work, we can extend our CBAC definition as follows.

    ip inspect name FWOUT tcp
    ip inspect name FWOUT udp
    ip inspect name FWOUT icmp

Since UDP and ICMP carry no connection state of their own, CBAC approximates a session for them: a reply is matched to the outbound packet that created the entry, and the entry is aged out after an idle period (tunable globally with "ip inspect udp idle-time"; "ip inspect tcp idle-time" does the same for TCP sessions).

Seems pretty complete, doesn't it? With this simple configuration most things will work. Earlier I said that all TCP services would work. That is mostly true, but we'll soon see an exception. If we look at the context-sensitive help for ip inspect name FWOUT, we see many other protocols listed.

    c1841(config)#ip inspect name FWOUT ?
      802-11-iapp          IEEE 802.11 WLANs WG IAPP
      ace-svr              ACE Server/Propagation
      appfw                Application Firewall
      appleqtc             Apple QuickTime
      bgp                  Border Gateway Protocol
      bliff                Bliff mail notification
      bootpc               Bootstrap Protocol Client
      bootps               Bootstrap Protocol Server
      cddbp                CD Database Protocol
      cifs                 CIFS
      cisco-fna            Cisco FNATIVE
      cisco-net-mgmt       cisco-net-mgmt
      cisco-svcs           cisco license/perf/GDP/X.25/ident svcs
      cisco-sys            Cisco SYSMAINT
      cisco-tdp            Cisco TDP
      cisco-tna            Cisco TNATIVE
      citrix               Citrix IMA/ADMIN/RTMP
      citriximaclient      Citrix IMA Client
      clp                  Cisco Line Protocol
      creativepartnr       Creative Partnr
      creativeserver       Creative Server
      cuseeme              CUSeeMe Protocol
      daytime              Daytime (RFC 867)
      dbase                dBASE Unix
      dbcontrol_agent      Oracle dbControl Agent po
      ddns-v3              Dynamic DNS Version 3
      dhcp-failover        DHCP Failover
      discard              Discard port
      dns                  Domain Name Server
      dnsix                DNSIX Securit Attribute Token Map
      echo                 Echo port
      entrust-svc-handler  Entrust KM/Admin Service Handler
      entrust-svcs         Entrust sps/aaas/aams
      esmtp                Extended SMTP
      exec                 Remote Process Execution
      fcip-port            FCIP
      finger               Finger
      fragment             IP fragment inspection
      ftp                  File Transfer Protocol
      ftps                 FTP over TLS/SSL
      gdoi                 GDOI
      giop                 Oracle GIOP/SSL
      gopher               Gopher
      gtpv0                GPRS Tunneling Protocol Version 0
      gtpv1                GPRS Tunneling Protocol Version 1
      h323                 H.323 Protocol (e.g, MS NetMeeting, Intel Video
      h323callsigalt       h323 Call Signal Alternate
      h323gatestat         h323gatestat
      hp-alarm-mgr         HP Performance data alarm manager
      hp-collector         HP Performance data collector
      hp-managed-node      HP Performance data managed node
      hsrp                 Hot Standby Router Protocol
      http                 HTTP Protocol
      https                Secure Hypertext Transfer Protocol
      ica                  ica (Citrix)
      icabrowser           icabrowser (Citrix)
      icmp                 ICMP Protocol
      ident                Authentication Service
      igmpv3lite           IGMP over UDP for SSM
      imap                 IMAP Protocol
      imap3                Interactive Mail Access Protocol 3
      imaps                IMAP over TLS/SSL
      ipass                IPASS
      ipsec-msft           Microsoft IPsec NAT-T
      ipx                  IPX
      irc                  Internet Relay Chat Protocol
      irc-serv             IRC-SERV
      ircs                 IRC over TLS/SSL
      ircu                 IRCU
      isakmp               ISAKMP
      iscsi                iSCSI
      iscsi-target         iSCSI port
      kazaa                KAZAA
      kerberos             Kerberos
      kermit               kermit
      l2tp                 L2TP/L2F
      ldap                 Lightweight Directory Access Protocol
      ldap-admin           LDAP admin server port
      ldaps                LDAP over TLS/SSL
      login                Remote login
      lotusmtap            Lotus Mail Tracking Agent Protocol
      lotusnote            Lotus Note
      microsoft-ds         Microsoft-DS
      ms-cluster-net       MS Cluster Net
      ms-dotnetster        Microsoft .NETster Port
      ms-sna               Microsoft SNA Server/Base
      ms-sql               Microsoft SQL
      ms-sql-m             Microsoft SQL Monitor
      msexch-routing       Microsoft Exchange Routing
      mysql                MySQL
      n2h2server           N2H2 Filter Service Port
      ncp-tcp              NCP (Novell)
      net8-cman            Oracle Net8 Cman/Admin
      netbios-dgm          NETBIOS Datagram Service
      netbios-ns           NETBIOS Name Service
      netbios-ssn          NETBIOS Session Service
      netshow              Microsoft NetShow Protocol
      netstat              Variant of systat
      nfs                  Network File System
      nntp                 Network News Transport Protocol
      ntp                  Network Time Protocol
      oem-agent            OEM Agent (Oracle)
      oracle               Oracle
      oracle-em-vp         Oracle EM/VP
      oraclenames          Oracle Names
      orasrv               Oracle SQL*Net v1/v2
      parameter            Specify inspection parameters
      pcanywheredata       pcANYWHEREdata
      pcanywherestat       pcANYWHEREstat
      pop3                 POP3 Protocol
      pop3s                POP3 over TLS/SSL
      pptp                 PPTP
      pwdgen               Password Generator Protocol
      qmtp-tcp             Quick Mail Transfer Protocol
      r-winsock            remote-winsock
      radius               RADIUS & Accounting
      rcmd                 R commands (r-exec, r-login, r-sh)
      rdb-dbs-disp         Oracle RDB
      realaudio            Real Audio Protocol
      realsecure           ISS Real Secure Console Service Port
      router               Local Routing Process
      rpc                  Remote Prodedure Call Protocol
      rsvd-tcp             RSVD
      rsvp-encap           RSVP ENCAPSULATION-1/2
      rsvp_tunnel          RSVP Tunnel
      rtc-pm-port          Oracle RTC-PM port
      rtelnet              Remote Telnet Service
      rtsp                 Real Time Streaming Protocol
      send-tcp             SEND
      shell                Remote command
      sip                  SIP Protocol
      sip-tls              SIP-TLS
      skinny               Skinny Client Control Protocol
      sms                  SMS RCINFO/XFER/CHAT
      smtp                 Simple Mail Transfer Protocol
      snmp                 Simple Network Management Protocol
      snmptrap             SNMP Trap
      socks                Socks
      sqlnet               SQL Net Protocol
      sqlserv              SQL Services
      sqlsrv               SQL Service
      ssh                  SSH Remote Login Protocol
      sshell               SSLshell
      ssp                  State Sync Protocol
      streamworks          StreamWorks Protocol
      stun                 cisco STUN
      syslog               SysLog Service
      syslog-conn          Reliable Syslog Service
      tacacs               Login Host Protocol (TACACS)
      tacacs-ds            TACACS-Database Service
      tarantella           Tarantella
      tcp                  Transmission Control Protocol
      telnet               Telnet
      telnets              Telnet over TLS/SSL
      tftp                 TFTP Protocol
      time                 Time
      timed                Time server
      tr-rsrb              cisco RSRB
      ttc                  Oracle TTC/SSL
      udp                  User Datagram Protocol
      uucp                 UUCPD/UUCP-RLOGIN
      vdolive              VDOLive Protocol
      vqp                  VQP
      webster              Network Disctionary
      who                  Who's service
      wins                 Microsoft WINS
      x11                  X Window System
      xdmcp                XDM Control Protocol

Why would we need these other protocols? FTP and SMTP are TCP, right? The answer, like all good things in technology, is that it depends. When the router understands a specific upper-layer protocol, more parameters can be loaded into the state table. These can be used for dropping misused connections, or for more intelligently allowing traffic around an access-list. For example, consider our sample network one more time.
Let's assume that the client is accessing the FTP service on the server. Will it work as configured? The answer is that it can, but it depends on the type of FTP connection being formed. FTP has a passive mode and an active mode. In both modes there are two communication streams: one for control (the connection to TCP port 21) and one for data transfer. With passive mode both streams are outbound: the client opens the control connection and then opens the data connection to a port the server announces. Below is a simple diagram of passive mode FTP. This mode will work with our current configuration.
Active mode, on the other hand, has a data transfer stream established from the server to the client. Notice in the diagram below that with active FTP there is a DATA channel opened from the server to the client: the client announces an address and port on the control channel with the PORT command, and the server connects back to it. With our example, the server is on the outside. Since this is a separate TCP session that no inside host initiated, the IOS firewall has no entry for it in the state table and does not realize it should bypass the ACL. Therefore, the INBOUND acl will deny the DATA session.
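To make the state-table behaviour concrete, here is an added Python model of the inspection logic described on this page. It is not Cisco code and not part of the original post: the IOSFirewall class, its session and pinhole sets, and the addresses, ports and packets are all constructed for illustration. It reproduces the situations discussed so far: the access-list-only router, the tcp and tcp/udp inspection policies, a TCP flow that does not begin with a SYN, and the active-FTP data channel, both under tcp-only inspection and under a protocol-aware ftp inspection that reads the PORT command.

```python
"""Added example (not Cisco code): a toy model of the stateful inspection this page
describes. Addresses, ports and packets are constructed for illustration. Policy
mirrors the page: OUTBOUND is 'permit ip any any', INBOUND is 'deny ip any any',
and the inspection set plays the role of 'ip inspect name FWOUT <proto>' applied
outbound on the serial interface."""
import re
from dataclasses import dataclass

CLIENT = "10.0.0.10"     # inside host (constructed)
SERVER = "203.0.113.5"   # outside host (constructed, documentation range)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    payload: str = ""   # application data; only FTP control traffic uses it


class IOSFirewall:
    def __init__(self, inspect=()):
        self.inspect = set(inspect)  # e.g. {"tcp", "udp", "ftp"}
        self.sessions = set()        # flows learned from inspected outbound traffic
        self.pinholes = set()        # (proto, src, dst, dport): expected inbound connections

    @staticmethod
    def _session(pkt):
        # Direction-independent key so a reply matches the flow that caused it.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def outbound(self, pkt):
        """Inside -> outside. OUTBOUND permits everything; inspection may add state."""
        key = self._session(pkt)
        ftp_control = pkt.proto == "tcp" and pkt.dport == 21 and "ftp" in self.inspect
        if pkt.proto in self.inspect or ftp_control:
            # A TCP flow only earns a session if it starts with a bare SYN.
            if pkt.proto == "tcp" and pkt.flags != "S" and key not in self.sessions:
                return "forwarded, no session created (TCP flow did not start with SYN)"
            self.sessions.add(key)
            if ftp_control:
                self._watch_ftp_port(pkt)
        return "forwarded"

    def _watch_ftp_port(self, pkt):
        # Active mode: the client's "PORT h1,h2,h3,h4,p1,p2" names where the server
        # must connect for the data channel; ftp inspection opens exactly that hole.
        m = re.search(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", pkt.payload, re.M)
        if m:
            octets = m.groups()
            addr = ".".join(octets[:4])
            port = int(octets[4]) * 256 + int(octets[5])
            self.pinholes.add(("tcp", pkt.dst, addr, port))

    def inbound(self, pkt):
        """Outside -> inside. Only state created by inspection can bypass INBOUND."""
        if self._session(pkt) in self.sessions:
            return "permitted (part of an inspected session)"
        hole = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if hole in self.pinholes and pkt.flags == "S":
            self.pinholes.discard(hole)              # one connection per PORT command
            self.sessions.add(self._session(pkt))    # track the data channel from here
            return "permitted (FTP data channel announced by PORT)"
        return "denied by INBOUND acl"


def run_scenarios():
    """Return the INBOUND verdict for each situation discussed on the page."""
    results = {}

    # 1. Access-lists only: the SYN leaves, the SYN/ACK dies on INBOUND.
    fw = IOSFirewall()
    fw.outbound(Packet("tcp", CLIENT, 40001, SERVER, 80, "S"))
    results["acl_only_http_reply"] = fw.inbound(Packet("tcp", SERVER, 80, CLIENT, 40001, "SA"))

    # 2. 'ip inspect name FWOUT tcp': the reply to a tracked flow bypasses the acl...
    fw = IOSFirewall({"tcp"})
    fw.outbound(Packet("tcp", CLIENT, 40001, SERVER, 80, "S"))
    results["tcp_inspect_http_reply"] = fw.inbound(Packet("tcp", SERVER, 80, CLIENT, 40001, "SA"))
    # ...but a DNS answer is still dropped because UDP is not inspected.
    fw.outbound(Packet("udp", CLIENT, 5353, SERVER, 53))
    results["tcp_inspect_dns_reply"] = fw.inbound(Packet("udp", SERVER, 53, CLIENT, 5353))
    # A stray mid-stream ACK never creates state, so nothing can ride in behind it.
    fw.outbound(Packet("tcp", CLIENT, 40002, SERVER, 443, "A"))
    results["tcp_inspect_ack_only_reply"] = fw.inbound(Packet("tcp", SERVER, 443, CLIENT, 40002, "A"))

    # 3. Adding udp to the policy fixes DNS.
    fw = IOSFirewall({"tcp", "udp"})
    fw.outbound(Packet("udp", CLIENT, 5353, SERVER, 53))
    results["udp_inspect_dns_reply"] = fw.inbound(Packet("udp", SERVER, 53, CLIENT, 5353))

    # 4. Active FTP: control channel to 21, PORT 10,0,0,10,156,65 (= 10.0.0.10:40001),
    #    then the server opens the data channel from port 20 back to the client.
    for name, policy in (("tcp_inspect_active_ftp_data", {"tcp"}),
                         ("ftp_inspect_active_ftp_data", {"tcp", "ftp"})):
        fw = IOSFirewall(policy)
        fw.outbound(Packet("tcp", CLIENT, 40003, SERVER, 21, "S"))
        fw.outbound(Packet("tcp", CLIENT, 40003, SERVER, 21, "A", "PORT 10,0,0,10,156,65\r\n"))
        results[name] = fw.inbound(Packet("tcp", SERVER, 20, CLIENT, 40001, "S"))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32} {verdict}")
```

Run it and compare the verdicts: only the ftp-aware instance admits the server's connection from port 20, and only because it saw the client's PORT command on a control channel that had itself been validated from the SYN onward. That is the whole point of inspecting the initiating traffic carefully; everything that later bypasses the INBOUND acl is trusted on the strength of it.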
In order to resolve this issue, we can expand our CBAC definition to include intelligent inspection of FTP:

    ip inspect name FWOUT tcp
    ip inspect name FWOUT udp
    ip inspect name FWOUT icmp
    ip inspect name FWOUT ftp

This tells our IOS firewall to properly inspect and handle FTP traffic. In other words, it adds the protocol-specific intelligence that FTP requires: the firewall reads the control channel, learns the address and port the data channel will use, and opens a temporary entry for just that connection.

What about other protocols, like SMTP? Shouldn't that work since there are no secondary channels? The answer is yes, but specifying the protocol enhances the inspection. For example, without SMTP inspection specified in our configuration, any TCP traffic could flow on TCP port 25. With SMTP specified, the IOS firewall expects to see SMTP commands in TCP traffic destined to port 25, and it may only permit certain SMTP commands that are deemed safe. (The help output above also lists esmtp for Extended SMTP; pick the entry that matches what your mail servers actually speak.) Each protocol that can be specified above the OSI transport layer simply adds to the router's inspection capabilities. However, there is no blanket statement that describes how each one enhances those capabilities; each protocol has its own characteristics and challenges, and depending on traffic load some protocol inspections can cause performance issues.

CBAC, or Context-Based Access Control, is the Cisco terminology for allowing a router to behave like a firewall. With CBAC, an IOS router can truly be a stateful firewall. A key requirement for a stateful firewall is to safely build a state table and allow properly qualified return traffic to bypass the interface access-list. Without this ability, an IOS router would have to allow nearly all traffic in order to permit network applications to function properly. There have been other technologies along the way that attempted to solve these problems. However, CBAC is really the first attempt at creating this state table and validating the protocol simultaneously. With CBAC, return traffic is implicitly permitted.
Therefore, the proper validation of the initiating traffic is crucial to protecting the network and networked applications. If you found this document useful, please share it with your friends. If you have anything to add, please comment below.