Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Exam Essentials 163

Summary

By now, I’m sure you can see that CBAC offers you way tighter security than you can hope to get through the use of ACLs. It can operate like a stateful firewall, keeping track of sessions and dynamically changing access lists to allow the passage of appropriate traffic.

The six steps that Cisco has defined to help you configure CBAC are:

1. Set audit trails and alerts.

2. Set global timeouts and thresholds.

3. Define Port-to-Application Mapping (PAM).

4. Define inspection rules.

5. Apply inspection rules and ACLs to interfaces.

6. Test and verify CBAC.

By using these steps as outlined in this chapter, you can create and maintain a secure and cost-effective internetwork.

Because CBAC is so versatile, it can also be used to prevent certain types of DoS attacks, and it offers you many fine-tuning options, as well as lots of settings for values and timeouts to use to determine appropriate thresholds for your networks. Typically, you’d have to buy more hardware to provide these services, but not with CBAC.

Another example of CBAC’s versatility is Port-to-Application Mapping (PAM), which allows you to modify the default values of well-known ports and teach CBAC how to recognize these applications.

And if you need it to, CBAC can generate real-time alerts and audit trails through the use of a Syslog server. This allows you to monitor all enterprise alerts and audit trails at a single, centralized location.

To test and verify the operation of CBAC, use the command show ip inspect config to enable the session audit trail and the command show ip inspect interfaces to see the CBAC interface configuration.

Exam Essentials

Make sure you know the six steps for configuring CBAC. Cisco has outlined six steps for CBAC configuration:

1. Set audit trails and alerts.

2. Set global timeouts and thresholds.

3. Define Port-to-Application Mapping (PAM).

4. Define inspection rules.

5. Apply inspection rules and ACLs to interfaces.

6. Test and verify CBAC.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

164 Chapter 5 Context-Based Access Control Configuration

Be sure to know the global timeouts and thresholds and the commands for changing them.

You need to know the commands for changing the global timeouts and thresholds, as well as the default values. Refer to Table 5.1 for a listing of all global timeouts and thresholds and how to change them.

Make sure to know the rules for applying ACLs in conjunction with CBAC. Know that CBAC needs an extended ACL to modify for return traffic. Here is what else you must know:

On the interface where traffic initiates (in the corporate network example, the dirty DMZ), apply an ACL inward that permits only wanted traffic and apply the CBAC inspection rule in the inward direction that inspects wanted traffic.

On all other interfaces, apply an ACL in the inward direction that denies all other traffic except for traffic types not inspected by CBAC such as ICMP.

Be sure to review the commands to test CBAC, and know the command to disable it. There are three show ip inspect commands:

The show ip inspect config command displays information about the entire global timeouts and thresholds configuration for CBAC as well as the inspection rule configuration, excluding interface information.

The show ip inspect interfaces command displays information about the interface configuration.

The show ip inspect name command displays information about the inspection rule configuration.

The no ip inspect command in global configuration mode disables all CBAC.
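The six steps and the ACL placement rules above, carried through as one IOS configuration. This is an added example, not a configuration from the book: the rule name FWRULE, the syslog address 10.1.1.50, the inside network 10.1.1.0/24, port 8080 and the interface names are constructed, and the timeout and threshold values are the IOS defaults as assumed here, to be confirmed against Table 5.1.

```cisco
! Step 1: audit trails and alerts, sent to a syslog server (10.1.1.50 is a constructed address)
logging on
logging 10.1.1.50
ip inspect audit-trail
no ip inspect alert-off
!
! Step 2: global timeouts and thresholds (IOS defaults as assumed here; confirm against Table 5.1)
ip inspect tcp synwait-time 30
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Step 3: PAM, teaching CBAC that HTTP also runs on port 8080 (constructed value)
ip port-map http port 8080
!
! Step 4: inspection rule (the name FWRULE is constructed); application protocols and generic TCP/UDP may be mixed
ip inspect name FWRULE http
ip inspect name FWRULE ftp
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
! Extended ACLs (CBAC can only add its temporary return-traffic entries to extended ACLs)
! 101: inbound on the interface where sessions initiate; permits only wanted traffic
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 8080
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
access-list 101 permit udp 10.1.1.0 0.0.0.255 any eq domain
access-list 101 deny ip any any log
! 102: inbound on the other interface; denies everything except types CBAC does not inspect, such as ICMP
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any log
!
! Step 5: apply the inspection rule and ACLs (interface names are constructed)
interface FastEthernet0/0
 description Inside: traffic initiates here
 ip access-group 101 in
 ip inspect FWRULE in
interface Serial0/0
 description Outside: CBAC opens return-traffic entries in ACL 102
 ip access-group 102 in
!
! Step 6: verify from privileged EXEC
! show ip inspect config
! show ip inspect interfaces
! show ip inspect name FWRULE
```

The deny entries are logged so the syslog server configured in step 1 records what the ACLs drop alongside the CBAC audit trail.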

Key Terms

Before you take the exam, be certain you are familiar with the following terms:

access control lists (ACLs)

Intrusion Detection System (IDS)

Cisco IOS Firewall

Port-to-Application Mapping (PAM)

Context-Based Access Control (CBAC)

signatures


Commands Used in This Chapter

Here is the list of commands used in this chapter:

Command                                      Meaning

(config)#logging on                          Enables logging.

(config)#logging ip_address                  Logs to the listed IP address.

(config)#ip inspect audit-trail              Enables the audit trail.

(config)#no ip inspect alert-off             Enables the alerts.

(config)#ip inspect tcp synwait-time time    Sets how long CBAC will wait for a TCP session to be established before dropping the session. The default is 30 seconds.

(config)#ip port-map http port port_number   Modifies the default port-mapping of HTTP.

#show ip port-map                            Displays the current PAM settings.

(config)#ip inspect name                     Creates an inspection rule. The inspection rule defines the applications and traffic types to be inspected.

#show ip inspect config                      Displays the inspection rule configuration.

#show ip inspect interfaces                  Displays the inspection rule interface configuration.

#show ip inspect name name                   Provides audit-trail timers for the specified name.

Written Lab

This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.

1. When CBAC starts deleting half-open connections, how many must there be per minute before it stops?

2. Which command disables all auditing?

3. Which commands are valid monitoring commands for CBAC?


4. Which command do you use to disable all CBAC functions on the router?

5. Which types of ACLs can CBAC dynamically modify?

6. Which command would you use if you needed to check and see which port(s) CBAC thinks HTTP is running on?

7. True or False: When configuring inspection rules, you can inspect application protocols, generic TCP, and generic UDP all together.

8. _____ provides stateful inspection, can effectively respond to DoS attacks, and adapts to user requests and network conditions. It is neither free with IOS, nor is it static.

9. What type of server do you need to have if you want to enable alerts and audit trails?

10. What are the six steps recommended by Cisco to configure CBAC (in order)?
