<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Techinvasion.net &#187; cbac</title>
	<atom:link href="http://www.techinvasion.net/tag/cbac/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techinvasion.net</link>
	<description></description>
	<lastBuildDate>Tue, 13 Jul 2010 15:44:15 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Content Based Access Control &#8220;CBAC&#8221;</title>
		<link>http://www.techinvasion.net/2008/10/21/content-based-access-control-cbac/</link>
		<comments>http://www.techinvasion.net/2008/10/21/content-based-access-control-cbac/#comments</comments>
		<pubDate>Tue, 21 Oct 2008 14:56:28 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[cbac]]></category>
		<category><![CDATA[content based access control]]></category>
		<category><![CDATA[firewall ios]]></category>
		<category><![CDATA[ip inspect]]></category>
		<category><![CDATA[stateful]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=77</guid>
		<description><![CDATA[In the beginning God created heaven and earth, and then he created routers, so packets could flow from one part of the earth to the other. As he rested he looked down on his creation and smiled for all was good. Packets were flowing from one interface to another. Then as he beheld his creation [...]]]></description>
<content:encoded><![CDATA[<p>In the beginning God created heaven and earth, and then he created routers, so packets could flow from one part of the earth to the other. As he rested he looked down on his creation and smiled, for all was good. Packets were flowing from one interface to another. Then, as he beheld his creation, he watched as some bad packets decided to flow where they didn&#8217;t belong! So God created access-lists and again everything was as it should be; packets only flowed to areas where they belonged. After some time naughty packets found out that they could sneak by God&#8217;s great protectors of the network by setting the ACK bit in their headers.</p>
<p><span id="more-77"></span></p>
<p>The access-list thought that these packets were part of an ongoing conversation and allowed them to sneak past. To fix this problem God shook heaven and earth and created reflexive access-lists. With these new and improved protectors of God&#8217;s interfaces, packets were only allowed through if they matched a rule created for traffic flowing in the other direction. With this new method, return packets would only be allowed through if they matched a dynamic rule created by the original outgoing packet. God sat back and looked at his creation, and all was as it should be. Then one day applications were created that used dynamic ports for return traffic. For instance, a person connects to a server on port 80, and the server responds with a packet on a random port between 45000 and 62000. Since the return packets did not match the originating packets, the return packets would be dropped.</p>
<p>To fix this new problem God created CBAC, or Content Based Access Control. With this new, enhanced type of security found in the Firewall Feature Set, traffic is inspected at layer 4 on the way out, and a dynamic access-list is created inbound on the interface to allow the traffic to return. Since CBAC inspects traffic at a higher level of the OSI model it can understand protocols that use dynamic port assignment, and it can glean useful information from upper-layer protocols that helps it make intelligent stateful firewalling decisions, improving security while reducing false positives. You can see how over the years the security that we use has become ever more sophisticated to combat the ever more clever internet hacker.</p>
<p>Below I will show you how to use CBAC on your router. Keep in mind that CBAC is part of the firewall feature set, so it may require additional licensing if your organization has to upgrade the IOS. The ip inspect feature is configured in two places. The first thing you have to do is create an inspection rule and define which higher-layer protocols you want to inspect. The next thing you have to do is apply the rule in the outbound direction on the interface you want to protect. You must also have an access-list applied in the inbound direction; the access-list can be blank. When configuring the inspection rule you can choose from a number of protocols to look at. For ip inspect to work, and to fix the issue with reflexive access-lists, you only have to inspect layer 4 protocols such as TCP and UDP. However, CBAC supports many higher-level protocols such as HTTP, SMTP, RealAudio, and other session- and presentation-layer protocols.</p>
<p>Here is a config that shows some of the many possible protocols that can be inspected with CBAC. I have listed the two main ones at the top. Another tip: if you have SIP phones with private NAT&#8217;d addresses behind this router and you want them to connect outside, you need the ip inspect sip command to translate that properly through NAT.</p>
<pre class="prettyprint">!
ip inspect name cbac-example tcp
ip inspect name cbac-example udp
ip inspect name cbac-example vdolive
ip inspect name cbac-example smtp
ip inspect name cbac-example http
ip inspect name cbac-example rtsp
ip inspect name cbac-example sip
ip inspect name cbac-example skinny
ip inspect name cbac-example tftp
ip inspect name cbac-example ftp
ip audit po max-events 100
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip access-group from_internet in
 ip inspect cbac-example out
 duplex auto
 speed auto
!</pre>
<p><a href="http://packetlife.net/blog/2009/jun/01/access-list-syslog-correlation/">Here is a related article on ACL&#8217;s.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/10/21/content-based-access-control-cbac/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Introduction to access-lists part 2</title>
		<link>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/</link>
		<comments>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/#comments</comments>
		<pubDate>Thu, 16 Oct 2008 17:47:21 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[ack]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[cbac]]></category>
		<category><![CDATA[established]]></category>
		<category><![CDATA[ip inspect]]></category>
		<category><![CDATA[reflexive]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=65</guid>
		<description><![CDATA[In the second installment of our guide to access-lists we are going to talk a little about named access-lists, how they work, what the benefits are, and how using them allows us to create reflexive access-lists. Named access-lists are exactly what they sound like, they are an extended access-list that has a name instead of [...]]]></description>
<content:encoded><![CDATA[<p>In the second installment of our guide to access-lists we are going to talk a little about named access-lists, how they work, what the benefits are, and how using them allows us to create reflexive access-lists. Named access-lists are exactly what they sound like: extended access-lists that have a name instead of a number. One of the nice features of named access-lists is that each line of the access-list has a number. This way you can delete just one line of an access-list without removing the whole access-list. You can create a named access-list by using the following command.</p>
<p><span id="more-65"></span></p>
<pre class="prettyprint">
#ip access-list extended (name goes here)
</pre>
<p>The neat thing about named access-lists is that when you run the show access-list command you see numbers next to the lines in the ACL. This allows you to add or remove lines without deleting the whole access-list.</p>
<pre class="prettyprint">
test#sh ip access-list

extended ip access-list example
	10 permit ip any any
	20 deny tcp any any eq 80
	30 permit udp any any eq 53
</pre>
<p>Reflexive access-lists allow you to filter connections based on session. Reflexive ACLs are part of the IP Plus feature set and were the first attempt to create a stateful inspection firewall on routers. Before the invention of reflexive access-lists the only way we had to allow stateful return traffic from the internet was by using the established keyword. The problem with the established keyword is that the router only checks for the ACK bit on the packets. The ACK bit is set on packets once the 3-way handshake has been completed. The problem with this is that it does not do anything for UDP packets, since those connections are stateless, and it is very easy for hackers to set the ACK bit. To get around this problem Cisco invented the reflexive access-list.</p>
<pre class="prettyprint">
permit tcp any any eq 80 established
</pre>
<p>Reflexive access-lists are very easy. I have added the code for the access-list below. Basically, reflexive access-lists are made up of two parts. The first part is the access-list that filters outbound traffic. This access-list is made up of statements that allow outbound traffic; the key part here is the reflect statement. What this means is that you want to reflect that packet in another access-list.</p>
<p>In my example below I reflected the statements into an access-list called dynamic. I then created two access-lists. I created an inbound access-list to allow static inbound traffic to my webserver. I created an outbound access-list to allow traffic from my LAN to the internet. I told my inbound access-list to check the reflexive entries before blocking traffic using the evaluate command. This is all there is to it. With these simple commands you can configure a stateful firewall to protect your network from harm. As good as this is though, it isn&#8217;t perfect. It doesn&#8217;t work for applications which use dynamic port numbers for return traffic. To solve this problem Cisco added layer 4 inspection and refined reflexive access-lists in what they call Content Based Access Control, or CBAC. However, CBAC is part of the IOS firewall feature set and is a topic for another time.</p>
<pre class="prettyprint">
interface FastEthernet0/0
 description WAN Interface
 ip address 192.168.0.1 255.255.255.0
 ip access-group internet_in in
 ip access-group lan_out out
 duplex auto
 speed auto
!
!
ip access-list extended internet_in
 remark Internet---->lan traffic
 permit tcp any any eq 80
 permit tcp any any eq 443
 evaluate dynamic
!
!
ip access-list extended lan_out
 remark inside----->internet traffic
 permit tcp any any eq www reflect dynamic
 permit tcp any any eq 443 reflect dynamic
 permit tcp any any eq 22 reflect dynamic
 permit tcp any any eq ftp reflect dynamic
 permit tcp any any eq telnet reflect dynamic
 permit tcp any any eq pop3 reflect dynamic
 permit tcp any any eq nntp reflect dynamic
 permit tcp any any eq smtp reflect dynamic
!
!
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An overview of CISCO IOS Security features as related to packet filtering.</title>
		<link>http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/</link>
		<comments>http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/#comments</comments>
		<pubDate>Wed, 30 Jan 2008 03:30:27 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[cbac]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[ips]]></category>
		<category><![CDATA[router]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/</guid>
		<description><![CDATA[ The Cisco IOS has many powerful security features that enable network engineers to protect their internal network. The Cisco IOS is capable of intrusion detection, deep packet inspection, and stateful firewall features. Setting up IPS allows the admin to push intrusion detection to the network edge. The Cisco IPS feature set can scan for spyware, [...]]]></description>
<content:encoded><![CDATA[<p>The Cisco IOS has many powerful security features that enable network engineers to protect their internal network. The Cisco IOS is capable of intrusion detection, deep packet inspection, and stateful firewall features. Setting up IPS allows the admin to push intrusion detection to the network edge. The Cisco IPS feature set can scan for spyware, viruses, worms, Trojans, and network intrusions by receiving updated signature files from Cisco. If a packet or series of packets matches a particular signature the router can send an alert, drop the packet, or reset the connection of the offending user. In this way the network engineer can better protect the network by acting on suspicious packets before they can pose a risk to the network infrastructure. Another advantage of pushing IPS duties to the network edge is that it allows offending packets to be dropped before they take up finite network resources. In large networks as much as 10 percent of network resources could be consumed by packets that ultimately will be dropped for security reasons deeper in the network.<span id="more-32"></span></p>
<p>A lot of engineers prefer to use dedicated systems for network security such as PIX and ASA devices. However, the Cisco recommended methodology is to filter packets as close to the egress point as possible, thus saving network resources and enhancing security. In times past it was considered better to apply security features on dedicated devices deeper in the network while putting as little strain on the edge routers as possible. This methodology used to be a necessity, as routers typically had much less horsepower and a significant amount of CPU cycles and memory was used just routing and switching packets. Add to that the widespread use of Port Address Translation, which requires a large amount of CPU cycles and memory to maintain the port translation state table, and the situation was dire. It was not uncommon to see a branch-office-level router such as a 2500 or 2600 series overloaded by P2P programs, which open up thousands of ports for connections. In these situations a single user could easily destabilize the network and cause the router to drop packets from the load. Cisco, realizing the changing world of networking and the relative cheapness of CPU power, released the XM series routers as a stopgap measure until the new integrated services platform routers, such as the 2800 and 3800 series, were available. These new routers are more powerful than ever and allow IPS, stateful firewall features, and deep packet inspection to be performed at the network edge, thus enhancing security and availability of network resources.</p>
<p>Besides the IPS features, Cisco routers can also perform CBAC, or Content Based Access Control. With CBAC the router can inspect TCP, UDP, and ICMP packets for fragments and irregularities. The IOS can also inspect several layer 7 protocols, and with the latest 12.4 IOS and current generation of routers this list has expanded to many layer 7 protocols. When using CBAC the router monitors the outgoing packets on an interface and dynamically creates holes in the inbound access list to allow only packets that match up to the outgoing request. This means that CBAC enables the IOS to perform true stateful firewalling. In the 12.4 IOS, CBAC uses deep packet inspection to determine the true protocol of the packet and better protect the network from intrusion. With deep packet inspection the router will recognize an FTP packet and scan it for known issues even if the packet arrives on a port other than the standard FTP control port. The IOS also uses access lists to secure interfaces and drop unwanted traffic at the network edge, which prevents network resources from being wasted.</p>
<p>I hope this brief overview of the Cisco IOS security methodology as it relates to packet filtering was informative. I will follow up later with a more technical article on how to configure CBAC stateful firewalling, and IPS signatures on the Cisco router.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
