Monday, September 24, 2007

Context-Based Access Control

Reference
Cisco IOS Firewall Feature Set Frequently Asked Questions

* CBAC can impact the efficiency of your router, so you should use CBAC only when you need to.

* CBAC does not protect against attacks originating from within the protected network. CBAC only detects and protects against attacks that travel through the Cisco IOS Firewall.

CBAC Restrictions

CBAC is available only for IP traffic.
Only TCP, UDP and ICMP common type packets are inspected.
Other IP traffic, such as routing protocols, cannot be inspected with CBAC and should be filtered with basic ACLs instead.

Generic “inspect tcp” and “inspect udp” rules are not enough for every protocol.

Basic
Define the inspection set:
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp

Certain applications that use a secondary data channel, such as voice or streaming media applications, may require that you configure protocol-specific inspection for that particular service, such as “inspect ftp”, “inspect skinny”, or “inspect h.323”.

CBAC with ACL
Traffic is inspected after passing ACLs
Packets entering the Cisco router are inspected by Cisco IOS Firewall CBAC only if they first pass the inbound ACL on the interface. If a packet is denied by the ACL, the packet is simply dropped and is not inspected by CBAC.

The difference between CBAC and ACLs
Unlike ACLs, which are limited to examining packets at the network level, CBAC examines not only the network and transport layers but also the application-layer protocol information, in order to learn the state of the TCP or UDP session.

Half-open Sessions
A half-open session is a session open in only one direction. For TCP traffic, this might mean that the session did not complete the three-way handshake. For UDP traffic, it means that return traffic was not detected.
CBAC measures the rate and the active number of half-open sessions several times per minute. If the number of sessions or the rate of new connection attempts rises above the threshold, the software deletes half-open sessions. This deletion process continues until the rate drops below the threshold.
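The following is an added example, not Cisco IOS code and not from the original post: a toy model of how half-open session accounting with thresholds behaves. It assumes (my assumption, not something the page states) a high and a low watermark for both the number of half-open sessions and the one-minute rate of new attempts, in the style of the IOS `ip inspect max-incomplete high/low` and `ip inspect one-minute high/low` settings, and that while the high mark is exceeded each new connection attempt evicts the oldest half-open session until both measures fall back to the low mark. The `HalfOpenMonitor`, `Flow` and scenario names, the thresholds and all flows and timestamps are constructed for illustration.

```python
"""Toy model of CBAC half-open session accounting (added example, not Cisco code)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class HalfOpenMonitor:
    # Thresholds are assumed values, modelled on IOS max-incomplete / one-minute high-low pairs.
    max_incomplete_high: int = 5     # count above which deletion starts
    max_incomplete_low: int = 3      # count at which deletion stops
    one_minute_high: int = 100       # new attempts per minute that start deletion
    one_minute_low: int = 50         # rate at which deletion stops
    aggressive: bool = False         # True while the firewall is evicting half-open sessions
    half_open: dict = field(default_factory=dict)    # Flow -> time the SYN was seen
    attempts: deque = field(default_factory=deque)   # timestamps of new connection attempts
    deleted: list = field(default_factory=list)      # flows evicted, oldest first

    def _rate(self, now):
        """Number of new connection attempts in the last 60 seconds."""
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def _update_mode(self, now):
        """Enter aggressive mode above either high mark; leave it only below both low marks."""
        count, rate = len(self.half_open), self._rate(now)
        if not self.aggressive and (count > self.max_incomplete_high
                                    or rate > self.one_minute_high):
            self.aggressive = True
        elif self.aggressive and (count <= self.max_incomplete_low
                                  and rate <= self.one_minute_low):
            self.aggressive = False

    def syn(self, flow, now):
        """Outbound SYN: record a half-open session; in aggressive mode evict the oldest one.

        Returns the evicted flow, or None when nothing was evicted."""
        self.attempts.append(now)
        self.half_open.setdefault(flow, now)
        self._update_mode(now)
        if not self.aggressive:
            return None
        victims = [f for f in self.half_open if f != flow]
        if not victims:
            return None
        oldest = min(victims, key=self.half_open.get)
        del self.half_open[oldest]
        self.deleted.append(oldest)
        return oldest

    def handshake_complete(self, flow):
        """Final ACK of the three-way handshake: the session is no longer half-open."""
        self.half_open.pop(flow, None)


def count_scenario():
    """Seven SYNs, none completed: the 6th crosses the high mark and eviction starts."""
    mon = HalfOpenMonitor()
    for i in range(1, 8):   # constructed flows, one per second
        mon.syn(Flow("10.1.1.5", 40000 + i, "203.0.113.9", 80), now=float(i))
    return mon


def rate_scenario():
    """Four SYNs in four seconds against a one-minute high of 3, then one attempt a minute later."""
    mon = HalfOpenMonitor(one_minute_high=3, one_minute_low=1)
    for i in range(1, 5):
        mon.syn(Flow("10.1.1.7", 50000 + i, "203.0.113.9", 25), now=float(i))
    for f in list(mon.half_open):
        mon.handshake_complete(f)      # the surviving sessions finish their handshakes
    late = mon.syn(Flow("10.1.1.7", 50099, "203.0.113.9", 25), now=70.0)
    return mon, late


if __name__ == "__main__":
    m = count_scenario()
    print("evicted:", [f.sport for f in m.deleted], "still half-open:", len(m.half_open))
    m2, late = rate_scenario()
    print("rate eviction:", [f.sport for f in m2.deleted], "late attempt evicted:", late)
```

The point of the two watermarks is hysteresis: once the firewall starts shedding half-open sessions it keeps doing so on every new attempt until the measure is comfortably below the limit, rather than flapping around a single threshold.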

ACL Bypass
Prior to this feature, a packet could go through as many as three redundant searches: one input ACL search, one output ACL search, and one inspection session search.
When return traffic finds a matching entry in the session table, it is shunted past the ACLs in the packet path.

Alerts and Audit Trails
The Audit Trail feature uses syslog to track all network transactions, recording time stamps, source host, destination host, ports used, and the total number of bytes transmitted, for advanced session-based reporting.
Real-time Alerts send syslog error messages to central management consoles upon detecting suspicious activity.

How CBAC Works
CBAC creates temporary openings in ACLs at Cisco IOS Firewall interfaces. These openings are created when specified traffic exits your internal network through the Cisco IOS Firewall. The openings allow returning traffic that would normally be blocked. The traffic is allowed back through the Cisco IOS Firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the Cisco IOS Firewall.

CBAC with UDP
CBAC uses source/destination addresses and port numbers, and whether the packet was detected soon after another similar UDP packet, to determine whether the packet belongs to that particular session. "Soon" means within the configurable UDP idle timeout period.
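The following is an added example, not Cisco IOS code and not from the original post. It models the packet path described in the "CBAC with ACL", "ACL Bypass", "How CBAC Works" and "CBAC with UDP" sections above: the inbound ACL is consulted first, only permitted packets of an inspected protocol create a session entry, return traffic that matches an entry is forwarded without an ACL search, and a UDP reply that arrives after the idle timeout no longer matches. The simplifications are mine: an ACL is a list of (action, proto, src, dst, dport) tuples with `any` wildcards, a session is keyed on protocol plus the address and port pairs, and the UDP idle timeout is the only timer modelled. The `CbacRouter` and `Packet` names and all packets are constructed for illustration.

```python
"""Toy model of the CBAC packet path (added example, not Cisco code)."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def acl_permits(acl, pkt):
    """First-match ACL with an implicit deny at the end, as on IOS."""
    for action, proto, src, dst, dport in acl:
        if (proto in (ANY, pkt.proto) and src in (ANY, pkt.src)
                and dst in (ANY, pkt.dst) and dport in (ANY, pkt.dport)):
            return action == "permit"
    return False


class CbacRouter:
    def __init__(self, inside_acl, outside_acl, inspect_protos, udp_idle=30.0):
        self.inside_acl = inside_acl            # applied inbound on the inside interface
        self.outside_acl = outside_acl          # applied inbound on the outside interface
        self.inspect_protos = inspect_protos    # protocols named in the inspection set
        self.udp_idle = udp_idle                # assumed UDP idle timeout, in seconds
        self.sessions = {}                      # session key -> time of the last packet seen
        self.acl_searches = 0                   # outside-ACL lookups performed (shows the bypass)

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def outbound(self, pkt, now):
        """Inside -> outside. The ACL is checked first; inspection sees only permitted packets."""
        if not acl_permits(self.inside_acl, pkt):
            return "dropped-by-acl"
        if pkt.proto in self.inspect_protos:
            self.sessions[self._key(pkt)] = now     # the temporary opening for return traffic
            return "forwarded+session"
        return "forwarded"

    def inbound(self, pkt, now):
        """Outside -> inside. Matching return traffic is shunted past the outside ACL."""
        key = self._reverse_key(pkt)
        seen = self.sessions.get(key)
        if seen is not None:
            if pkt.proto == "udp" and now - seen > self.udp_idle:
                del self.sessions[key]              # not "soon" enough: the session has expired
            else:
                self.sessions[key] = now            # refresh the entry; no ACL search needed
                return "forwarded-via-session"
        self.acl_searches += 1
        return "forwarded" if acl_permits(self.outside_acl, pkt) else "dropped-by-acl"


def demo():
    """Constructed traffic: a DNS query and its replies, a web session, and an unsolicited SYN."""
    inside_acl = [("permit", ANY, ANY, ANY, ANY)]
    outside_acl = [("deny", ANY, ANY, ANY, ANY)]    # nothing unsolicited is permitted in
    fw = CbacRouter(inside_acl, outside_acl, inspect_protos={"tcp", "udp"}, udp_idle=30.0)
    results = {}
    dns_q = Packet("udp", "10.1.1.5", 51515, "198.51.100.2", 53)
    dns_r = Packet("udp", "198.51.100.2", 53, "10.1.1.5", 51515)
    results["dns_query"] = fw.outbound(dns_q, now=0.0)
    results["dns_reply_soon"] = fw.inbound(dns_r, now=2.0)
    results["dns_reply_late"] = fw.inbound(dns_r, now=100.0)    # idle timeout has expired
    http = Packet("tcp", "10.1.1.5", 40001, "203.0.113.9", 80)
    results["http_request"] = fw.outbound(http, now=3.0)
    results["http_reply"] = fw.inbound(Packet("tcp", "203.0.113.9", 80, "10.1.1.5", 40001), now=3.5)
    results["unsolicited"] = fw.inbound(Packet("tcp", "203.0.113.9", 4444, "10.1.1.5", 22), now=4.0)
    results["acl_searches"] = fw.acl_searches
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

Note how only two outside-ACL searches happen in the whole run: the late DNS reply (whose session had aged out) and the unsolicited SYN. Every packet that matches a live session entry skips the ACL entirely, which is the saving the "ACL Bypass" section describes.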