IOS Firewalls
• CBAC
• IOS Firewall Features
• Case studies
Source: http://sce.uhcl.edu/yang/teaching/.../IOS Firewalls.ppt
CBAC
(Context-Based Access Control)
• Implement packet filtering on a Cisco router
(similar to ASA on Cisco PIX)
• Three basic functionalities:
1. Dynamic modification of the extended access lists
– To allow connections initiated from the inside
2. Inspection of the application/transport level protocols
– Roughly equivalent to the multimedia support in PIX
3. Control of the number/length of sessions
CBAC Functionality
How does IOS maintain session state information?
• State Information Structure (SIS)
– A SIS is created for each logical session.
– The SIS uniquely identifies a connection by its IP addresses and port numbers.
– When necessary, other information such as the TCP connection state and TCP sequence numbers is also maintained.
– The SIS is deleted when the associated session/connection is
terminated.
Other CBAC functionality
• Out-of-sequence TCP packets are dropped.
• TCP packets with invalid sequence numbers are dropped.
• The reassembly of IP packets is not supported (as in the PIX firewall).
• Does not inspect packets originated by the IOS Firewall router.
• ICMP packets are not inspected. (They are managed manually using static ACLs.)
• ICMP unreachable packets are ignored.
• To protect against a flooding attack or unusual memory consumption due to a large number of SISs:
– When the number of SISs in the half-open state reaches a threshold, half-open SISs are deleted to accommodate a new session.
– If the rate of new TCP connection requests exceeds a maximum value, a half-open SIS is deleted for every new connection request.
Features of IOS Firewall
• Transport Layer Inspection
• Application Layer Inspection
• Filtering for Invalid Commands
• Java Blocking
• Safeguarding against DoS attacks
• Fragment handling
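The half-open SIS thresholds described above and the Java-blocking and DoS-safeguard features listed here, as an added IOS configuration example that is not part of the original slides. The interface names, addresses, ACL numbers and the inspection rule name CBAC_OUT are assumed values chosen for illustration.

```cisco
! Added example (not from the slides): minimal CBAC setup on a router with
! an inside interface (FastEthernet0/0) and an outside interface (Serial0/0).
!
! 1. Inspection rule: which application/transport protocols get a SIS.
ip inspect name CBAC_OUT tcp
ip inspect name CBAC_OUT udp
ip inspect name CBAC_OUT ftp
ip inspect name CBAC_OUT http java-list 51
!
! Standard ACL 51 lists the only sources whose Java applets are allowed
! through; applets from any other source are blocked (Java blocking).
access-list 51 permit 192.0.2.0 0.0.0.255
!
! 2. Half-open session protection (the SIS thresholds on the slide).
!    Aggregate half-open SISs: start deleting at 500, stop at 400.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!    New connection attempts per minute: same high/low watermarks.
ip inspect one-minute high 500
ip inspect one-minute low 400
!    Per-destination-host limit on half-open TCP sessions; block-time 0
!    means delete the oldest half-open SIS for each new request rather
!    than blocking the host for a period.
ip inspect tcp max-incomplete host 50 block-time 0
!    Tear down a SIS whose TCP handshake never completes within 30 s.
ip inspect tcp synwait-time 30
ip inspect audit-trail
!
! 3. Outside ACL: static entries for ICMP (CBAC does not inspect it),
!    deny everything else; CBAC adds temporary entries for return traffic
!    of sessions initiated from the inside.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip inspect CBAC_OUT in
!
interface Serial0/0
 description outside
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
```

`show ip inspect sessions` lists the current SISs and `show ip inspect config` shows the thresholds in effect, which is how to verify that the half-open limits above are active.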
Case Study