CBAC Functions

CBAC provides four main functions:

  • Filtering traffic

  • Inspecting traffic

  • Detecting intrusions

  • Generating alerts and audits

Filtering Traffic

One of the main functions of CBAC is to filter traffic intelligently, specifically TCP and UDP connections and, in more recent IOS releases, ICMP. As with RACLs, one of its functions is to allow returning traffic back into your network; unlike RACLs, however, it can be used to filter traffic that originates on either side of your router, internal or external.

Unlike extended ACLs, which can filter only on Layer 3 and 4 information, and RACLs, which can also track Layer 5 (session layer) information, CBAC supports application inspection, meaning that it can examine the contents of certain kinds of packets when making its filtering decision. For example, it can examine the SMTP commands sent across an SMTP connection. It also can examine a connection's messages to determine the state of the connection. FTP, for instance, uses two connections, a control connection and a data connection. CBAC can examine the control connection, see that a data connection is about to be opened (from the PORT or PASV exchange), and add that data connection to its state table before the first data packet arrives. CBAC supports many multimedia and other applications that open secondary connections in this way. Likewise, CBAC can examine HTTP connections for Java applets and filter them, if so desired.

Inspecting Traffic

Actually, I already mentioned this feature in the last section: CBAC can inspect application layer information and use it to maintain its stateful firewall function, even for applications that open multiple connections or that embed addressing or port information in the application payload (information that must also be kept consistent when NAT is in use).

This inspection process not only allows returning traffic back into your network, but it also can be used to mitigate TCP SYN flood attacks: CBAC counts half-open (embryonic) connections, both in total and as a rate of new attempts per minute, and when a configured high threshold is exceeded it starts deleting half-open connections until the count drops back below a lower threshold. It also can examine established TCP connections to make sure that sequence numbers fall within the expected window, dropping packets that do not. Besides examining TCP connections, it can inspect fragmented packets to defeat fragment-based DoS attacks, dropping non-initial fragments for which no initial fragment has been seen and limiting how many unreassembled fragments it will track.

Detecting Intrusions

As I mentioned in the last section, CBAC can inspect traffic to implement a stateful firewall, but it also can use this feature to detect certain kinds of DoS attacks. CBAC can even protect against SMTP-based attacks by permitting only a small, legal set of SMTP commands (such as HELO, MAIL, RCPT and DATA) to reach your internal e-mail servers and dropping anything else. When any of these attacks is detected, CBAC generates logging information about it and, depending on the attack, can reset the offending TCP connection or drop the malicious packets.

Generating Alerts and Audits

CBAC can generate real-time alerts of problems and detected attacks, as well as provide a detailed audit trail of connection requests. For example, you can log all network connection requests, including the IP addresses of the source and destination, the ports used in the connection, the number of bytes sent, and at what time the connection started and ended.
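Here is how the four functions discussed above are actually switched on in IOS. This is an added example, not configuration from the book; the inspection rule name FWRULE, the ACL numbers 51 and 100, the interface names and the addresses are assumptions, and the IOS release you run determines which application keywords (icmp in particular) are available.

```cisco
! Added example (not from the book). Names, ACL numbers and addresses are assumptions.
!
! --- Filtering and inspecting traffic ---
! Generic TCP/UDP inspection: replies to sessions initiated from the inside are
! let back in through temporary ACL entries, then removed when the session ends.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
! ICMP inspection exists only in newer IOS releases.
ip inspect name FWRULE icmp
! Application inspection: the FTP control channel is parsed so the data
! connection negotiated with PORT/PASV is added to the state table automatically.
ip inspect name FWRULE ftp
! SMTP inspection: only a fixed set of legal SMTP commands reaches the mail server.
ip inspect name FWRULE smtp
! HTTP inspection with Java filtering: applets are allowed only from servers
! permitted by standard ACL 51; applets from any other server are dropped.
ip inspect name FWRULE http java-list 51
access-list 51 permit 192.0.2.0 0.0.0.255
!
! --- DoS / intrusion detection thresholds ---
! Total half-open sessions: start deleting half-open sessions at 500,
! stop deleting when the count falls back to 400.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! The same high/low thresholds measured as new-session attempts per minute.
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination-host limit: 50 half-open TCP sessions to one host.
! block-time 0 means drop the oldest half-open session instead of blocking
! all new connections to that host for a period of minutes.
ip inspect tcp max-incomplete host 50 block-time 0
! Give up on a TCP session that has not completed its handshake within 20 seconds.
ip inspect tcp synwait-time 20
!
! --- Alerts and audit trail ---
! Alerts are on by default (ip inspect alert-off would disable them).
! The audit trail logs each session's endpoints, ports, byte counts and duration.
ip inspect audit-trail
logging on
logging host 10.10.1.5
!
! --- Apply the inspection rule inbound on the inside interface ---
interface FastEthernet0/0
 description Inside
 ip inspect FWRULE in
!
! Outside interface: an extended ACL denies unsolicited inbound traffic;
! CBAC inserts its temporary permit entries for inspected sessions ahead of it.
interface FastEthernet0/1
 description Outside
 ip access-group 100 in
!
access-list 100 deny ip any any log
```

The alert, audit-trail and timeout settings can also be overridden per inspection statement (for example, ip inspect name FWRULE smtp alert on audit-trail on timeout 3600), which is useful when you want an audit trail only for the handful of protocols you care about rather than for every session the router inspects.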