CBAC Limitations

Even with all of its features and enhancements, CBAC is not an ultimate firewall solution. In other words, it has limitations and cannot protect you from all kinds of attacks. Actually, this is true of any firewall product. Understanding the limitations of CBAC and the Cisco IOS Firewall feature set will help you better understand whether this solution is a good fit for your network, whether this solution will complement the security solution in your network, and whether a different product would be better for your network.

Here are some of the limitations of CBAC:

  • It inspects only the traffic that you specify. This is both an advantage and a disadvantage. It enables you to control the overhead that CBAC places on your router, as well as the traffic that is allowed to return. To make it an all-encompassing product, however, you need to configure many inspect statements to fully cover all connection types.

  • CBAC is not simple to understand and implement: it requires detailed knowledge of protocols and applications, as well as their operation.

  • As with ACLs, the Cisco IOS cannot use CBAC to inspect traffic that the router itself originates.

  • CBAC does not inspect packets sent to the router itself. Traffic must flow from one interface to another for inspection to occur.

  • CBAC cannot inspect encrypted packets, such as IPSec. However, if the VPN connection terminates on the router, it can inspect traffic entering and leaving the VPN-encrypted tunnel.

  • CBAC cannot inspect FTP three-way transfers: it can inspect only passive or standard two-way transfers.

  • CBAC does not support inspection for all applications. For certain applications, you need to disable inspection for them to function correctly.

  • CBAC supports only process, fast, flow, and CEF switching.

  • CBAC ignores ICMP destination unreachable messages.

  • The Cisco IOS does not support a stateful failover feature for the state table, as the Cisco PIX does. If a router fails, you can have a redundant router, but the state table is not duplicated between the two. In this instance, the state table must be rebuilt on the second router, causing some connections to fail and requiring users to rebuild those connections.
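The following minimal configuration, added here as an example and not taken from the text, shows how the first limitation plays out in practice: only protocols named in inspect statements are added to the state table, a separate FTP statement is needed for the data channel, and replies to traffic the router itself originates must be permitted explicitly because CBAC never inspects them. The rule name, interface names and addresses (documentation ranges) are assumptions.

```cisco
! Added example (not from this chapter). Rule name FWRULE, interface names and
! the 203.0.113.0/24 addresses are assumptions for illustration only.
!
! One inspect statement per protocol or application. Anything not listed here is
! never entered in the state table, so its return traffic hits the outside ACL
! below and is dropped.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
! Generic tcp inspection tracks only the FTP control channel; the ftp keyword is
! required so the separately negotiated data channel is opened as well.
ip inspect name FWRULE ftp
!
! Outside interface ACL: deny all unsolicited inbound traffic. CBAC inserts
! temporary entries ahead of this ACL for sessions it has inspected.
! Because CBAC does not inspect traffic the router originates, replies to the
! router's own sessions (here, NTP to an assumed server) must be allowed by hand.
ip access-list extended OUTSIDE_IN
 permit udp host 203.0.113.5 eq ntp host 203.0.113.1 eq ntp
 deny ip any any log
!
interface FastEthernet0/1
 description Outside (Internet), assumed address 203.0.113.1
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE_IN in
!
! Inside interface: inspect traffic entering from the LAN and leaving toward the
! Internet. Only traffic crossing from this interface to another is inspected;
! packets addressed to the router itself are not.
interface FastEthernet0/0
 description Inside (LAN)
 ip inspect FWRULE in
!
! Verification: list the configured rules and the live state table. A session
! that is absent from the second command is one CBAC was not told to inspect.
! show ip inspect config
! show ip inspect sessions
```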