Tuesday, March 25, 2014

Context-based access control (CBAC)

Ok...so we have a couple of spokes with context-based access control configured.  This post is just to make sure I can come back here and put my mind at ease when it happens to fall out of my head.

This resource really drove the point home...so I'm going off it!

https://www.youtube.com/watch?v=VfX0lA4BLIU

Concept:

Given this sort of setup...


We have user X on the inside attempting to get out to the internet.  While we want to allow the user to get out to whatever they wish, doing so also means that the "bad people" on the internet will be able to get in.


What can we do to limit access from the outside world?  Well, we can drop an inbound ACL on Fa0/1 of R2 to stop certain addresses from entering the network.  Unfortunately, if we were to drop a "deny any any" on the outside interface of Fa0/1, that would block any return traffic...malicious or not.

Context-based access control is essentially like a hand-stamp.  Just like an event that stamps your hand so you can get back in after stepping out, CBAC stamps traffic (statefully inspects it) either inbound or outbound, depending on the interface it is applied to.  This builds a stateful session database on the configured router that remembers everyone who initiated a session from the inside going out.  If the return traffic's IP addresses and ports match a session in the stateful database, it gets to bypass the inbound ACL.

Implementation:

The first thing we need to do is create an ACL.

I'm going to create an ACL and drop it on the "outside" interface of R2

config t
! named ACLs need the standard/extended keyword; "deny any any" needs a protocol in an extended ACL
ip access-list extended block
 deny ip any any
!
interface fa0/1
 ip access-group block in

By configuring this inbound ACL, we block all traffic coming in from the internet.

Next, we need to configure the named inspection list.  This will be applied inbound on the inside interface.  Remember, it could have been applied outbound on fa0/1 instead.

ip inspect name POLICE http
ip inspect name POLICE ftp
ip inspect name POLICE dns
!
interface fa0/0
 ip inspect POLICE in

We have just told the router to record every dns/ftp/http session coming into fa0/0 in the stateful database.  When the return traffic hits the "block" ACL on fa0/1...it is permitted, because its addresses and ports match an entry in the stateful database.  Without CBAC, that return traffic would have been denied.  Note that only the protocols named in the inspect list get stamped; replies to any other outbound session (ssh, for example) still hit the deny and are dropped.
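To make the hand-stamp idea concrete, here is a small model of the session table the two configs above produce. It is an added illustration written for this post, not Cisco IOS code; the class and function names, the port mapping for http/ftp/dns, and the sample addresses are all assumptions for the model.

```python
"""Toy model of CBAC stateful inspection (added illustration, not Cisco IOS code).

R2 has an inbound ACL on fa0/1 (outside) that denies everything, and an
inspection list on fa0/0 (inside) for http, ftp and dns.  Outbound packets
that match an inspected protocol are recorded in a session table; an inbound
packet is permitted only if it is the return leg of a recorded session,
otherwise it falls through to the static ACL and is dropped.
"""
from dataclasses import dataclass

# Protocol names from the "ip inspect name POLICE ..." lines, mapped to the
# well-known server ports (assumption made for this model).
INSPECTED = {"http": ("tcp", 80), "ftp": ("tcp", 21), "dns": ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class CbacRouter:
    def __init__(self, inspect_list):
        # reverse lookup: (proto, server port) -> protocol name
        self._inspected = {INSPECTED[p]: p for p in inspect_list}
        self.sessions = set()  # the "hand stamps": (proto, src, sport, dst, dport)

    def inside_in(self, pkt):
        """Packet arriving on fa0/0 from the inside (ip inspect POLICE in)."""
        if (pkt.proto, pkt.dport) in self._inspected:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "forward"

    def outside_in(self, pkt):
        """Packet arriving on fa0/1 from the internet (ip access-group block in)."""
        # Return traffic: swap addresses/ports and look for the stamp.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit"  # dynamic entry bypasses the "block" ACL
        return "deny"        # static ACL: deny ip any any


def demo():
    r2 = CbacRouter(["http", "ftp", "dns"])
    # Constructed sample traffic: user X (10.0.0.5) browses a web server, then
    # an unsolicited probe from the internet arrives for the same host.
    r2.inside_in(Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80))
    reply = r2.outside_in(Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000))
    probe = r2.outside_in(Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22))
    return reply, probe  # -> ('permit', 'deny')
```

An outbound session for a protocol that is not in the inspect list (ssh, say) never gets a stamp, so its reply is denied just like the probe.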