1. Home
  2. Networking
  3. Router firewall security

CBAC Limitations

Even with all of its features and enhancements, CBAC is not an ultimate firewall solution. In other words, it has limitations and cannot protect you from all kinds of attacks. Actually, this is true of any firewall product. Understanding the limitations of CBAC and the Cisco IOS Firewall feature set will help you better understand whether this solution is a better fit for you network, whether this solution will complement the security solution in your network, and whether a different product would be better for your network.

Here are some of the limitations of CBAC:

  • It inspects only the traffic that you specify. This is both an advantage and disadvantage. It enables you to control the overhead that CBAC places on your router, as well as the traffic that is allowed to return. To make it an all-encompassing product, however, you need to configure many inspect statements to fully cover all connection types.

  • CBAC is not simple to understand and implement: it requires detailed knowledge of protocols and applications, as well as their operation.

  • As with ACLs, the Cisco IOS cannot use CBAC to inspect traffic that the router itself originates.

  • CBAC does not inspect packets sent to the router itself. Traffic must flow from one interface to another for inspection to occur.

  • CBAC cannot inspect encrypted packets, such as IPSec. However, if the VPN connection terminates on the router, it can inspect traffic entering and leaving the VPN-encrypted tunnel.

  • CBAC cannot inspect FTP three-way transfers: it can inspect only passive or standard two-way transfers.

  • CBAC does not support inspection for all applications. For certain applications, you need to disable inspection for them to function correctly.

  • CBAC supports only process, fast, flow, and CEF switching.

  • CBAC ignores ICMP destination unreachable messages.

  • The Cisco IOS does not support a stateful failover feature for the state table, as the Cisco PIX does. If a router fails, you can have a redundant router, but the state table is not duplicated between the two. In this instance, the state table must be rebuilt on the second router, causing some connections to fail and requiring users to rebuild those connections.



    		Part I: Security Overview and Firewalls
    		Part II: Managing Access to Routers
    		Part III: Nonstateful Filtering Technologies
    		Part IV: Stateful and Advanced Filtering Technologies
    		Chapter 8. Reflexive Access Lists
    		Chapter 9. Context-Based Access Control
    		Cisco IOS Firewall Features
    		CBAC Functions
    		Operation of CBAC
    		Supported Protocols for CBAC
    		CBAC Performance
    		CBAC Limitations
    		CBAC Configuration
    		CBAC Examples
    		Summary
    		Chapter 10. Filtering Web and Application Traffic
    		Part V: Address Translation and Firewalls
    		Part VI: Managing Access Through Routers
    		Part VII: Detecting and Preventing Attacks
    		Part VIII: Virtual Private Networks
    		Part IX: Case Study