Context-Based Access Control (CBAC): Enhancing Network Security with Dynamic Filtering
Learn how Context-Based Access Control (CBAC) improves network security by extending traditional Access Control Lists (ACLs) to the application layer. Understand its dynamic filtering capabilities, session state management, and reflexive access list functionality.
Context-based Access Control (CBAC)
Context-based Access Control (CBAC) extends the functionality of Access Control Lists (ACLs) by filtering traffic not only at the transport layer but also at the application layer. It strengthens firewall protection by inspecting traffic in more detail and tracking session state dynamically. CBAC behaves like a reflexive access list: it records the details of each inspected session in a state table and uses that table to decide which return traffic to permit.
How CBAC Works
CBAC allows outbound traffic to pass through the router and, when a session is initiated, dynamically adds an entry for it to the state table. This lets the router permit reply traffic only for sessions that originated inside the network. The firewall temporarily opens a hole in the inbound ACL for the reply packets of that session, so they are not blocked, while all other inbound traffic remains subject to the ACL.
CBAC Features
- Traffic Examination: CBAC tracks TCP and UDP session information (addresses, ports and TCP sequence numbers) so that packets can be inspected beyond the transport layer.
- Traffic Filtering: Only replies that match an entry in the state table are allowed through, so return traffic for sessions initiated from the trusted network is admitted on the basis of application-layer inspection rather than a static rule.
- Intrusion Detection: CBAC detects attacks such as DoS and TCP SYN floods by monitoring the rate at which new connections are attempted and how many remain half-open. It can drop or reset connections when malicious behaviour is detected.
- Alert and Audit Creation: CBAC logs details about each connection, including the source and destination IP addresses and ports and the amount of data transferred.
CBAC Configuration Example
The following steps illustrate how CBAC is configured in a network with three routers: router1, router2, and router3.
Step 1: Configure EIGRP on Router 1
router1(config)#router eigrp 100
router1(config-router)#network 10.1.1.0
router1(config-router)#no auto-summary
Step 2: Configure EIGRP on Router 2
router2(config)#router eigrp 100
router2(config-router)#network 10.1.1.0
router2(config-router)#network 10.1.2.0
router2(config-router)#no auto-summary
Step 3: Configure EIGRP on Router 3
router3(config)#router eigrp 100
router3(config-router)#network 10.1.2.0
router3(config-router)#no auto-summary
Step 4: Configure SSH on Router 3
router3(config)#ip domain name GeeksforGeeks.com
router3(config)#username saurabh password cisco
router3(config)#line vty 0 4
router3(config-line)#transport input ssh
router3(config-line)#login local
router3(config-line)#exit
router3(config)#crypto key generate rsa label Cisco.com modulus 1024
Step 5: Create ACL on Router 2
router2(config)#ip access-list extended 100
router2(config-ext-nacl)#permit eigrp any any
router2(config-ext-nacl)#deny ip any any
Step 6: Apply ACL on Interface
router2(config)#int fa0/1
router2(config-if)#ip access-group 100 in
Step 7: Enable CBAC on Router 2
router2(config)#ip inspect name Cisco ssh
router2(config)#int fa0/1
router2(config-if)#ip inspect Cisco out
After this configuration, Router 2 inspects SSH traffic as it leaves the outbound interface (fa0/1) and records the session in its state table. The SSH replies from Router 3 therefore match a state-table entry and are permitted back through interface fa0/1 even though ACL 100 denies them statically, allowing Router 1 to successfully SSH into Router 3.
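To make the mechanism in "How CBAC Works" and the configuration above concrete, here is a small Python model of router2's fa0/1 (an added example, not Cisco IOS code or anything from the original page): the static inbound ACL from step 5, a state table that is filled only by outbound sessions of an inspected application (step 7), and a crude half-open session limit standing in for CBAC's DoS protection. Packets, addresses and ports are constructed for the demo; the SYN/ACK handling is simplified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                 # constructed packet model; direction is relative to fa0/1
    proto: str                # "tcp", "udp" or "eigrp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str            # "out" = leaves fa0/1, "in" = enters fa0/1
    syn: bool = False
    ack: bool = False

APP_PORTS = {"ssh": 22, "telnet": 23}   # application keywords used by ip inspect

class CbacInterface:
    """Simplified CBAC on one interface: the static inbound ACL from step 5 plus
    a dynamic state table filled by 'ip inspect <name> out' (step 7)."""
    def __init__(self, inspect_apps, max_half_open=3):
        self.inspect_ports = {APP_PORTS[a] for a in inspect_apps}
        self.state = {}                       # 5-tuple -> "half-open" | "established"
        self.max_half_open = max_half_open    # hypothetical stand-in for the half-open threshold

    def filter(self, p):
        if p.direction == "out":              # no outbound ACL in the page's example
            if p.proto == "tcp" and p.dport in self.inspect_ports:
                key = (p.proto, p.src, p.sport, p.dst, p.dport)
                if key not in self.state:
                    half_open = sum(1 for s in self.state.values() if s == "half-open")
                    if half_open >= self.max_half_open:
                        return "deny"         # too many half-open sessions: DoS protection
                    self.state[key] = "half-open"   # hole opened for the reply traffic
            return "permit"
        # Inbound: the mirrored 5-tuple must be in the state table, else fall back to ACL 100.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state:
            if p.syn and p.ack:
                self.state[key] = "established"   # SYN/ACK seen, handshake progressing
            return "permit"
        return "permit" if p.proto == "eigrp" else "deny"   # permit eigrp any any / deny ip any any

def demo():
    """Replay the page's scenario: router1 opens SSH to router3 through router2's fa0/1."""
    cbac = CbacInterface(["ssh"])
    return [
        cbac.filter(Packet("tcp", "10.1.1.1", 40000, "10.1.2.3", 22, "out", syn=True)),          # SSH SYN out
        cbac.filter(Packet("tcp", "10.1.2.3", 22, "10.1.1.1", 40000, "in", syn=True, ack=True)), # reply opened
        cbac.filter(Packet("eigrp", "10.1.2.3", 0, "224.0.0.10", 0, "in")),                      # static ACL
        cbac.filter(Packet("tcp", "10.1.2.3", 50000, "10.1.1.1", 22, "in", syn=True)),           # unsolicited
        cbac.filter(Packet("tcp", "10.1.1.1", 40001, "10.1.2.3", 23, "out", syn=True)),          # telnet, not inspected
        cbac.filter(Packet("tcp", "10.1.2.3", 23, "10.1.1.1", 40001, "in", syn=True, ack=True)), # reply blocked
    ]
```

The last two packets show why the application must be named in the inspection rule: the outbound telnet leaves, but with no state entry its reply is dropped by ACL 100.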
CBAC Limitations
- Complex Configuration: CBAC requires a deep understanding of the protocols and operations it inspects.
- Limited Traffic Inspection: It cannot inspect traffic that originates from the router on which CBAC is configured.
- No Stateful Failover Support: CBAC does not support the duplication of state tables, which means if the router fails, the state table must be rebuilt, leading to some connection resets.
- Encrypted Traffic: CBAC cannot inspect the contents of encrypted packets, such as traffic carried inside an IPsec tunnel.