This chapter describes Context-based Access Control (CBAC) commands.
CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information and can be used for intranets, extranets and internets. Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer. CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions (sessions that originated from within the protected internal network).
Refer to the Command Reference Master Index or search online to find complete descriptions of other commands used when configuring CBAC.
For configuration information, refer to the chapter "Configuring Context-Based Access Control" in the Security Configuration Guide.
This command has no arguments or keywords.
Audit trail messages are not displayed.
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
The following example turns on CBAC audit trail messages:
ip inspect audit trail
Afterwards, audit trail messages such as the following are displayed.
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator 192.168.1.13:33194) sent 336 bytes -- responder (192.168.129.11:21) sent 325 bytes
These messages are examples of audit trail messages. To determine which protocol was inspected, refer to the responder's port number. The port number follows the responder's IP address.
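As an added example (not from the Cisco documentation), the following Python parses audit trail lines of this format and identifies the inspected service from the responder's port, as the paragraph above suggests; the log lines and the port-to-service mapping are constructed for the example.

```python
import re

# Constructed sample syslog lines modelled on the %FW-6-SESS_AUDIT_TRAIL
# format shown above; not captured from a real device.
SAMPLE_LOG = """\
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator (192.168.1.13:33194) sent 336 bytes -- responder (192.168.129.11:21) sent 325 bytes
%FW-6-SESS_AUDIT_TRAIL: udp session initiator (192.168.1.20:4021) sent 61 bytes -- responder (192.168.129.11:53) sent 245 bytes
%SYS-5-CONFIG_I: Configured from console by console
"""

AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<proto>\S+) session initiator "
    r"\((?P<i_addr>[\d.]+):(?P<i_port>\d+)\) sent (?P<i_bytes>\d+) bytes -- "
    r"responder \((?P<r_addr>[\d.]+):(?P<r_port>\d+)\) sent (?P<r_bytes>\d+) bytes"
)

# Assumed well-known responder ports, used to tell which application a
# generic "tcp"/"udp" audit record actually carried.
PORT_SERVICES = {21: "ftp", 25: "smtp", 53: "dns", 80: "http"}


def parse_audit_trail(text):
    """Return one dict per audit trail record, skipping unrelated syslog lines."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        rec = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
        # The responder's port identifies the inspected protocol.
        rec["service"] = PORT_SERVICES.get(rec["r_port"], rec["proto"])
        records.append(rec)
    return records


def bytes_by_initiator(records):
    """Total bytes each session initiator sent, a quick per-host egress check."""
    totals = {}
    for rec in records:
        totals[rec["i_addr"]] = totals.get(rec["i_addr"], 0) + rec["i_bytes"]
    return totals
```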
| Syntax | Description |
|---|---|
| seconds | Specifies the length of time a DNS name lookup session will still be managed after no activity. |
5 seconds
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
When the software detects a valid UDP packet for a new DNS name lookup session, if Context-based Access Control (CBAC) inspection is configured for UDP, the software establishes state information for the new DNS session.
If the software detects no packets for the DNS session for a time period defined by the DNS idle timeout, the software will not continue to manage state information for the session.
The DNS idle timeout applies to all DNS name lookup sessions inspected by CBAC.
The DNS idle timeout value overrides the global UDP timeout. The DNS idle timeout value also enters aggressive mode and overrides any timeouts specified for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command.
The following example sets the DNS idle timeout to 30 seconds:
ip inspect dns-timeout 30
The following example sets the DNS idle timeout back to the default (5 seconds):
no ip inspect dns-timeout
To apply a set of inspection rules to an interface, use the ip inspect interface configuration command. Use the no form of this command to remove the set of rules from the interface.
ip inspect inspection-name {in | out}
| Syntax | Description |
|---|---|
| inspection-name | Identifies which set of inspection rules to apply. |
| in | Applies the inspection rules to inbound traffic. |
| out | Applies the inspection rules to outbound traffic. |
If no set of inspection rules is applied to an interface, no traffic will be inspected by CBAC.
Interface configuration
This command first appeared in Cisco IOS Release 11.2 P.
Use this command to apply a set of inspection rules to an interface.
Typically, if the interface connects to the external network, you apply the inspection rules to outbound traffic; alternately, if the interface connects to the internal network, you apply the inspection rules to inbound traffic.
If you apply the rules to outbound traffic, then return inbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an outbound packet.
If you apply the rules to inbound traffic, then return outbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an inbound packet.
The following example applies the inspection rules named outboundrules to outbound traffic on interface serial0:
interface serial0
ip inspect outboundrules out
You can use the master indexes or search online to find documentation of related commands.
ip inspect name (global configuration)
| Syntax | Description |
|---|---|
| number | Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions. |
500 half-open sessions
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.
Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).
The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.
The following example sets the max-incomplete high threshold to 900 half-open sessions and the low threshold to 800:
ip inspect max-incomplete high 900
ip inspect max-incomplete low 800
You can use the master indexes or search online to find documentation of related commands.
ip inspect max-incomplete low
ip inspect one-minute high
ip inspect one-minute low
ip inspect tcp max-incomplete host
| Syntax | Description |
|---|---|
| number | Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. |
400 half-open sessions
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.
Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).
The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.
The following example sets the max-incomplete high threshold to 900 half-open sessions and the low threshold to 800:
ip inspect max-incomplete high 900
ip inspect max-incomplete low 800
You can use the master indexes or search online to find documentation of related commands.
ip inspect max-incomplete high
ip inspect one-minute high
ip inspect one-minute low
ip inspect tcp max-incomplete host
| Syntax | Description |
|---|---|
| inspection-name | Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules. |
| protocol | A protocol keyword listed in Table 19. |
| timeout seconds | (Optional) To override the global TCP or UDP idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout. This timeout overrides the global TCP and UDP timeouts but will not override the global DNS timeout. |
| java-list access-list | (Optional) Specifies the access list (name or number) to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with standard access lists. |
| rpc program-number number | Specifies the program number to permit. This keyword is available only for the RPC protocol. |
| wait-time minutes | (Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the RPC protocol. |
| Protocol | protocol Keyword |
|---|---|
| Transport-Layer Protocols | |
| TCP | tcp |
| UDP | udp |
| Application-Layer Protocols | |
| CU-SeeMe | cuseeme |
| FTP | ftp |
| Java (see the section "Java Inspection," following) | http |
| H.323 (see the section "H.323 Inspection," following) | h323 |
| UNIX R commands (rlogin, rexec, rsh) | rcmd |
| RealAudio | realaudio |
| RPC (see the section "RPC Inspection," following) | rpc |
| SMTP (see the section "SMTP Inspection," following) | smtp |
| SQL*Net | sqlnet |
| StreamWorks | streamworks |
| TFTP | tftp |
| VDOLive | vdolive |
No inspection rules are defined until you define them using this command.
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
To define a set of inspection rules, enter this command for each protocol that you want Context-based Access Control (CBAC) to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name. Define either one or two sets of rules per interface: you can define one set to examine both inbound and outbound traffic, or you can define two sets, one for outbound traffic and one for inbound traffic.
To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for TCP or UDP as desired. This combination of TCP, UDP, and application-layer protocols join together to form a single set of inspection rules with a unique name.
In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained.
Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant.
With TCP and UDP inspection, packets entering the network must exactly match the corresponding packet that previously exited the network: the entering packets must have the same source/destination addresses and source/destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface. Also, all TCP packets with a sequence number outside of the window are dropped.
Java, H.323, RPC, SMTP, and SQL*Net inspection have additional information, described in the next three sections.
Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternately, you could permit applets from all sites except for sites specifically designated as "hostile."
If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout.
If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation.
The following example defines a set of inspection rules named myrules:
ip inspect name myrules tcp
ip inspect name myrules udp
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021
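Added example, not Cisco code: a small Python model of the timeout precedence and return-traffic matching described above, applied to the myrules set; the global timeout values, the packet tuples and the transport passed in for each application are assumptions made for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Global idle timeouts, using the defaults documented on this page.
GLOBAL_TIMEOUTS = {"tcp": 3600, "udp": 30, "dns": 5}

# The rule set from the example above, as a practitioner would paste it in.
MYRULES = """\
ip inspect name myrules tcp
ip inspect name myrules udp
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021
"""


def parse_rules(config_text):
    """Map inspection-name -> {protocol: {"timeout": int|None, "rpc_programs": [..]}}."""
    rules = {}
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:3] != ["ip", "inspect", "name"] or len(parts) < 5:
            continue
        name, proto, opts = parts[3], parts[4], parts[5:]
        entry = rules.setdefault(name, {}).setdefault(
            proto, {"timeout": None, "rpc_programs": []})
        for key, value in zip(opts[::2], opts[1::2]):
            if key == "timeout":
                entry["timeout"] = int(value)
            elif key == "program-number":
                entry["rpc_programs"].append(int(value))
    return rules


def session_timeout(rule, app, transport, responder_port):
    """Idle timeout CBAC assigns a new session under the precedence above:
    an inspected application-layer protocol beats plain tcp/udp inspection,
    a per-protocol timeout beats the global tcp/udp timeout, and a UDP name
    lookup (port 53) always gets the DNS timeout. None means not inspected."""
    if transport == "udp" and responder_port == 53:
        return GLOBAL_TIMEOUTS["dns"] if "udp" in rule else None
    entry = rule.get(app) or rule.get(transport)
    if entry is None:
        return None
    return GLOBAL_TIMEOUTS[transport] if entry["timeout"] is None else entry["timeout"]


def inspect_outbound(rule, table, app, transport, pkt):
    """Record state for a session that exits through the firewall."""
    timeout = session_timeout(rule, app, transport, pkt.dport)
    if timeout is not None:
        table[pkt] = timeout
    return timeout


def return_permitted(table, pkt):
    """A returning packet is admitted only if its addresses and ports are
    the exact reverse of a recorded exiting packet."""
    reverse = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return reverse in table
```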
You can use the master indexes or search online to find documentation of related commands.
ip inspect (interface configuration)
| Syntax | Description |
|---|---|
| number | Specifies the rate of new unestablished TCP sessions that will cause the software to start deleting half-open sessions. |
500 half-open sessions
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.
Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.
When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially-decayed rate.)
The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.
The following example sets the one-minute high threshold to 1000 connection attempts and the low threshold to 950:
ip inspect one-minute high 1000
ip inspect one-minute low 950
You can use the master indexes or search online to find documentation of related commands.
ip inspect one-minute low
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect tcp max-incomplete host
| Syntax | Description |
|---|---|
| number | Specifies the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. |
400 half-open sessions
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.
Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.
When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially-decayed rate.)
The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.
The following example sets the one-minute high threshold to 1000 connection attempts and the low threshold to 950:
ip inspect one-minute high 1000
ip inspect one-minute low 950
You can use the master indexes or search online to find documentation of related commands.
ip inspect one-minute high
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect tcp max-incomplete host
| Syntax | Description |
|---|---|
| seconds | Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange. |
5 seconds
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
When the software detects a valid TCP packet that is the first in a session, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session.
Use this command to define how long TCP session state information will be maintained after the firewall detects a FIN-exchange for the session. The FIN-exchange occurs when the TCP session is ready to close.
The global value specified for this timeout applies to all TCP sessions inspected by CBAC.
The timeout set with this command is referred to as the "finwait" timeout.
The following example changes the "finwait" timeout to 10 seconds:
ip inspect tcp finwait-time 10
The following example changes the "finwait" timeout back to the default (5 seconds):
no ip inspect tcp finwait-time
| Syntax | Description |
|---|---|
| seconds | Specifies the length of time a TCP session will still be managed after no activity. |
3600 seconds (1 hour)
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
When the software detects a valid TCP packet that is the first in a session, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for the new session.
If the software detects no packets for the session for a time period defined by the TCP idle timeout, the software will not continue to manage state information for the session.
The global value specified for this timeout applies to all TCP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command.
The following example sets the global TCP idle timeout to 1800 seconds (30 minutes):
ip inspect tcp idle-time 1800
The following example sets the global TCP idle timeout back to the default of 3600 seconds (one hour):
no ip inspect tcp idle-time
| Syntax | Description |
|---|---|
| number | Specifies how many half-open TCP sessions with the same host destination address can exist at a time, before the software starts deleting half-open sessions to the host. Use a number from 1 to 250. |
| seconds | Specifies how long the software will continue to delete new connection requests to the host. |
50 half-open sessions and 0 seconds
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
An unusually high number of half-open sessions with the same destination host address could indicate that a denial-of-service attack is being launched against the host. For TCP, "half-open" means that the session has not reached the established state.
Whenever the number of half-open sessions with the same destination host address rises above a threshold (the max-incomplete host number), the software will delete half-open sessions according to one of the following methods:
The software also sends syslog messages whenever the max-incomplete host number is exceeded, and when blocking of connection initiations to a host starts or ends.
The global values specified for the threshold and blocking time apply to all TCP connections inspected by CBAC.
The following example sets the max-incomplete host threshold to 40 half-open sessions and the block time to 120 seconds:
ip inspect tcp max-incomplete host 40 block-time 120
The following example resets the defaults (50 half-open sessions and 0 seconds):
no ip inspect tcp max-incomplete host
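Added example, not Cisco code: a Python model of the max-incomplete high/low and one-minute high/low hysteresis described in the earlier sections and of the per-host block-time behaviour described here, emitting syslog-like events where the text says messages are sent. The sample measurements are constructed; the exponential decay of the one-minute rate and the deletion method used when block-time is 0 are not modelled.

```python
class HalfOpenGuard:
    """Three CBAC half-open defences: total-count hysteresis, one-minute
    rate hysteresis, and the per-destination-host threshold with block-time.
    Defaults are the page's default values."""

    def __init__(self, max_high=500, max_low=400, rate_high=500, rate_low=400,
                 host_max=50, block_time=0):
        self.max_high, self.max_low = max_high, max_low
        self.rate_high, self.rate_low = rate_high, rate_low
        self.host_max, self.block_time = host_max, block_time
        self.deleting = {"max-incomplete": False, "one-minute": False}
        self.blocked_until = {}   # destination host -> time when blocking ends
        self.events = []          # (time, message) pairs standing in for syslog

    def _hysteresis(self, which, value, high, low, when):
        # Deletion starts when the value rises above high and stops only
        # when it drops below low; in between the previous state is kept.
        active = self.deleting[which]
        if not active and value > high:
            active = True
            self.events.append((when, f"{which} high {high} exceeded, deleting half-open sessions"))
        elif active and value < low:
            active = False
            self.events.append((when, f"{which} below low {low}, deletion stopped"))
        self.deleting[which] = active
        return active

    def sample(self, minute, half_open_total, attempts_last_minute):
        """One once-a-minute measurement; True while half-open sessions are
        being deleted for either reason (rate decay is not modelled)."""
        by_count = self._hysteresis("max-incomplete", half_open_total,
                                    self.max_high, self.max_low, minute)
        by_rate = self._hysteresis("one-minute", attempts_last_minute,
                                   self.rate_high, self.rate_low, minute)
        return by_count or by_rate

    def admit_to_host(self, now, host, half_open_to_host):
        """Per-destination check for a new TCP initiation to host; now and
        block_time are in seconds. Returns False while the host is blocked."""
        until = self.blocked_until.get(host)
        if until is not None:
            if now < until:
                return False
            del self.blocked_until[host]
            self.events.append((now, f"blocking of connections to {host} ended"))
        if half_open_to_host > self.host_max:
            msg = f"max-incomplete host {self.host_max} exceeded for {host}"
            if self.block_time > 0:
                self.blocked_until[host] = now + self.block_time
                msg += f"; blocking new connections for {self.block_time} s"
            self.events.append((now, msg))
            # With block-time 0 the new request itself is still admitted (assumption).
            return self.block_time == 0
        return True
```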
You can use the master indexes or search online to find documentation of related commands.
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect one-minute high
ip inspect one-minute low
| Syntax | Description |
|---|---|
| seconds | Specifies how long the software will wait for a TCP session to reach the established state before dropping the session. |
30 seconds
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
Use this command to define how long software will wait for a TCP session to reach the established state before dropping the session. The session is considered to have reached the established state after the session's first SYN bit is detected.
The global value specified for this timeout applies to all TCP sessions inspected by Context-based Access Control (CBAC).
The following example changes the "synwait" timeout to 20 seconds:
ip inspect tcp synwait-time 20
The following example changes the "synwait" timeout back to the default (30 seconds):
no ip inspect tcp synwait-time
| Syntax | Description |
|---|---|
| seconds | Specifies the length of time a UDP "session" will still be managed after no activity. |
30 seconds
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
When the software detects a valid UDP packet, if Context-based Access Control (CBAC) inspection is configured for the packet's protocol, the software establishes state information for a new UDP "session." Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, similar source/destination addresses) and if the packet was detected soon after another similar UDP packet.
If the software detects no UDP packets for the UDP session for a period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.
The global value specified for this timeout applies to all UDP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ip inspect name (global configuration) command.
The following example sets the global UDP idle timeout to 120 seconds (2 minutes):
ip inspect udp idle-time 120
The following example sets the global UDP idle timeout back to the default of 30 seconds:
no ip inspect udp idle-time
This command has no arguments or keywords.
Global configuration
This command first appeared in Cisco IOS Release 11.2 P.
Turn off CBAC with the no ip inspect global configuration command.
The following example turns off CBAC at a firewall:
no ip inspect
To view CBAC configuration and session information, use the show ip inspect privileged EXEC command.
show ip inspect {name inspection-name | config | interfaces | session [detail] | all}
| Syntax | Description |
|---|---|
| name inspection-name | Shows the configured inspection rule with the name inspection-name. |
| config | Shows the complete CBAC inspection configuration. |
| interfaces | Shows interface configuration with respect to applied inspection rules and access lists. |
| session [detail] | Shows existing sessions that are currently being tracked and inspected by CBAC. The optional detail keyword causes additional details about these sessions to be shown. |
| all | Shows all CBAC configuration and all existing sessions that are currently being tracked and inspected by CBAC. |
Privileged EXEC
This command first appeared in Cisco IOS Release 11.2 P.
The following is sample output for show ip inspect name myinspectionrule:
Inspection Rule Configuration
Inspection name myinspectionrule
tcp timeout 3600
udp timeout 30
ftp timeout 3600
The output shows the protocols that should be inspected by CBAC and the corresponding idle timeouts for each protocol.
The following is sample output for show ip inspect config:
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name myinspectionrule
tcp timeout 3600
udp timeout 30
ftp timeout 3600
The output shows CBAC configuration, including global timeouts, thresholds, and inspection rules.
The following is sample output for show ip inspect interfaces:
Interface Configuration
Interface Ethernet0
Inbound inspection rule is myinspectionrule
tcp timeout 3600
udp timeout 30
ftp timeout 3600
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set
The following is sample output for show ip inspect sessions:
Established Sessions
Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN
The output shows the source and destination addresses and port numbers (separated by colons), and it indicates that the session is an FTP session.
The following is sample output for show ip inspect sessions detail:
Established Sessions
Session 25A335C (40.0.0.1:20)=>(30.0.0.1:46069) ftp-data SIS_OPEN
Created 00:00:07, Last heard 00:00:00
Bytes sent (initiator:responder) [0:3416064]
acl created 1
Inbound access-list 111 applied to interface Ethernet1
Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
Created 00:01:34, Last heard 00:00:07
Bytes sent (initiator:responder) [196:616]
acl created 1
Inbound access-list 111 applied to interface Ethernet1
The output includes times, number of bytes sent, and which access list is applied.
The following is sample output for show ip inspect all:
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name all
tcp timeout 3600
udp timeout 30
ftp timeout 3600
Interface Configuration
Interface Ethernet0
Inbound inspection rule is all
tcp timeout 3600
udp timeout 30
ftp timeout 3600
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set
Established Sessions
Session 25A6E1C (30.0.0.1:46065)=>(40.0.0.1:21) ftp SIS_OPEN
Session 25A34A0 (40.0.0.1:20)=>(30.0.0.1:46072) ftp-data SIS_OPEN