
CBAC Compared to ACLs

From the document Complete Study Guide (pages 183-186)

There are many differences between ACLs and CBAC, but at a high level the main distinctions are that CBAC is stateful, dynamic, and inspects deeper into each packet.

In addition, CBAC is application aware and ACLs are not. In OSI terms, an ACL makes its decision on Layer 3 and Layer 4 data (addresses, protocol, and ports), whereas CBAC can also examine Application-layer information. That capability lets CBAC detect problems such as illegal or inappropriate Simple Mail Transfer Protocol (SMTP) commands inside an otherwise permitted session, whereas an ACL can only permit or block the Transport-layer port (TCP 25 for SMTP).

4422c05.fm Page 103 Thursday, December 23, 2004 5:07 PM

104 Chapter 5 Context-Based Access Control Configuration

CBAC keeps a state table in which session information is stored, and it uses that state to dynamically add and remove temporary ACL entries that control traffic: it opens a path for the return traffic of a session it has seen initiated and closes that path when the session ends. It can also recognize and help prevent certain types of DoS attack, such as a flood of TCP SYNs that leaves many half-open sessions.

To begin, let’s look at how an ACL works:

1. A packet arrives at an interface with an inbound ACL configured on the router.

2. The packet is compared to successive lines of the ACL, starting with the first line, until a match is made.

3. If a match is made, the packet is acted upon based on the action defined by that line of the ACL.

4. If a match isn’t made, the packet is dropped.

If we were discussing ACLs alone, we could stop here. But if we did, you'd miss an important distinction between a stateful firewall and a router running plain ACLs. So, let's continue with the next packet:

5. Another packet arrives at an interface with an inbound ACL configured on the router.

6. The packet is compared to successive lines of the ACL, starting with the first line, until a match is made.

7. If a match is made, the packet is acted upon based on the action defined by that line of the ACL.

8. If a match isn’t made, the packet is dropped.

CBAC in Action

The Internet can be the ultimate source of grief, pain, and destruction, but don't assume that CBAC has no uses elsewhere.

Lots of organizations need internal security and controls almost as much as they need external security. You can apply CBAC anywhere you could use a firewall, internally or externally.

For instance, let's say your company needs a cheap and easy alternative to purchasing and maintaining a dedicated firewall appliance. CBAC can come to the rescue because it's included when you purchase the Cisco IOS Firewall feature set.

Instead of buying separate hardware for individual security problems, the Cisco IOS Firewall offers good value as an all-in-one product. It can give you flexibility in multiprotocol networks, along with perimeter security, intrusion detection, VPN connections using IP Security (IPSec) and Layer 2 Tunneling Protocol (L2TP), and quality of service (QoS).

Because Cisco IOS is continually maintained and updated, a CBAC configuration on a Cisco router should remain usable across many years of IOS releases.


Okay, this sounds familiar to our understanding of access lists. Let’s continue with one more packet:

9. Another packet arrives at an interface with an inbound ACL configured on the router.

10. The packet is compared to successive lines of the ACL, starting with the first line, until a match is made.

11. If a match is made, the packet is acted upon based on the action defined by that line of the ACL.

12. If a match isn’t made, the packet is dropped.

What's up with this? Why are we doing this redundant review of how an ACL works?

The answer—and a key distinction between a firewall (CBAC) and a simple ACL—lies in this question: What effect does the first packet through the ACL have on the third packet through the ACL? The answer clarifies why CBAC is a much more powerful guardian for your network.

When a router runs with ACLs alone, every packet arrives fresh at the router: each packet is subject to exactly the same set of rules. A traditional ACL is static; every packet is treated equally, regardless of any other packets that have preceded it through the router. That's the point I was making with the preceding steps: each packet arrives individually at the ACL, and each packet is evaluated and either permitted or denied without any regard to the packets before it. The practical consequence is that an inbound ACL which has to let the return traffic of inside-initiated sessions through must permit that traffic statically (for example with the established keyword, which only checks that the ACK or RST bit is set and is satisfied by any crafted packet carrying that bit), and that is exactly the gap a stateful inspector closes.

Not so with CBAC; CBAC is smarter than that.

With CBAC, the rules for packets passing through the router can change depending on what has already happened; the fate of a packet can depend on what previous packets have done. This is what I mean when I say that CBAC is stateful. Think state-dependent if it helps.

CBAC monitors the state of network connections and traffic by keeping a state table of all inspected traffic, and it adjusts the access rules based on that data. An ACL evaluates only one packet at a time, whereas a firewall (or CBAC) can evaluate trends across packets and respond to the kind of trend it has identified. So with CBAC, what happens to the third packet through the router depends on what the two preceding packets did.

Clearly, this means that CBAC can identify and respond to problems that ACLs could never hope to, such as DoS attacks. An ACL can permit or deny TCP SYN requests, but CBAC can count the number of half-open TCP sessions (a SYN seen, but the three-way handshake never completed) and make decisions about new SYN requests dynamically, tearing down half-open sessions once a configured threshold is exceeded. Plus, CBAC can evaluate Application-layer information by monitoring control channels and Application-layer conversations, so it can detect inappropriate commands. It literally parses the Application-layer header to extract this information.

ACLs can’t do that.
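To make the difference concrete, here is an added Python simulation written for this page; it is not code from the study guide or from Cisco IOS. It covers both the packet walk-through (steps 1 through 12 above: first-match evaluation with an implicit deny, each packet judged alone) and the stateful behaviour just described: an inspector that records inside-initiated sessions, permits only their return traffic (the dynamic ACL entry CBAC would add), tears down the oldest half-open session when a threshold is exceeded, and screens SMTP verbs on the control channel. Hosts, ports, the threshold value and the packet sequence are constructed for illustration; the set of legal SMTP verbs is taken from Cisco's CBAC documentation as I recall it and is an assumption here, as is the simplified teardown rule that stands in for IOS's max-incomplete handling.

```python
"""Stateless ACL versus stateful (CBAC-style) inspection, simulated for TCP.
Constructed example: hosts, ports, threshold and packets are made up."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "SYN"  # simplified TCP flags: SYN, SYN-ACK, ACK, FIN, RST
    payload: str = ""

@dataclass(frozen=True)
class Ace:
    action: str       # one extended-ACL line: "permit" or "deny"
    dst: str = "any"  # destination host or "any"
    dport: int = 0    # 0 matches any port

def acl_decide(acl, pkt):
    """Stateless ACL: first matching line wins, implicit deny at the end."""
    for ace in acl:
        if ace.dst != "any" and ace.dst != pkt.dst:
            continue
        if ace.dport and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"  # nothing matched; earlier packets played no part

# Verbs IOS SMTP inspection treats as legal (assumed from Cisco docs).
LEGAL_SMTP = {"DATA", "EXPN", "HELO", "HELP", "MAIL", "NOOP", "QUIT",
              "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY"}

class Inspector:
    """CBAC-style inspection: outbound packets create session state; inbound
    return traffic for a known session is permitted (the dynamic ACL entry),
    anything else falls through to the static inbound ACL."""

    def __init__(self, inbound_acl, max_incomplete=2):
        self.inbound_acl = inbound_acl
        self.max_incomplete = max_incomplete  # half-open session threshold
        self.sessions = {}  # (src, sport, dst, dport) -> session state

    def half_open(self):
        return [k for k, s in self.sessions.items() if s == "half-open"]

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # Application-layer check: every legal SMTP verb is four letters.
        if pkt.dport == 25 and pkt.payload and pkt.payload[:4].upper() not in LEGAL_SMTP:
            return "deny"
        if pkt.flags == "SYN":
            stale = self.half_open()
            if len(stale) >= self.max_incomplete:
                # As IOS does above max-incomplete high: tear down the oldest
                # half-open session to make room for the new request.
                del self.sessions[stale[0]]
            self.sessions[key] = "half-open"
        elif pkt.flags in ("FIN", "RST"):
            self.sessions.pop(key, None)
        return "permit"

    def inbound(self, pkt):
        # Reverse the tuple: is this a reply to an inside-initiated session?
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.sessions.get(key)
        if state is None:
            return acl_decide(self.inbound_acl, pkt)
        if pkt.flags == "SYN-ACK" and state == "half-open":
            self.sessions[key] = "established"  # handshake completed
        elif pkt.flags in ("FIN", "RST"):
            del self.sessions[key]
        return "permit"

INBOUND_ACL = [Ace("permit", "10.0.0.5", 25),  # only the inside mail server
               Ace("deny")]                    # explicit deny any any

def walkthrough():
    """Replay one packet sequence through a bare ACL and through CBAC."""
    out = {}
    syn = Packet("10.0.0.7", 40000, "203.0.113.9", 80)
    synack = Packet("203.0.113.9", 80, "10.0.0.7", 40000, flags="SYN-ACK")
    # Bare ACL: the reply is judged alone and hits the deny line.
    out["acl_reply"] = acl_decide(INBOUND_ACL, synack)
    # CBAC: the outbound SYN created state, so the same reply is permitted.
    fw = Inspector(INBOUND_ACL, max_incomplete=2)
    fw.outbound(syn)
    out["cbac_reply"] = fw.inbound(synack)
    # Three unanswered SYNs: the third exceeds the threshold, the oldest
    # half-open session is torn down, and its late reply is left to the ACL.
    for port in (40001, 40002, 40003):
        fw.outbound(Packet("10.0.0.7", port, "203.0.113.9", 80))
    out["half_open"] = len(fw.half_open())
    late = Packet("203.0.113.9", 80, "10.0.0.7", 40001, flags="SYN-ACK")
    out["late_reply"] = fw.inbound(late)
    # SMTP verbs: a legal command passes, an unknown one is blocked.
    for name, text in (("smtp_ok", "MAIL FROM:<user@example.net>"), ("smtp_bad", "DEBUG")):
        out[name] = fw.outbound(Packet("10.0.0.7", 40010, "203.0.113.9", 25,
                                       flags="ACK", payload=text))
    return out
```

Running walkthrough() shows the point of the twelve steps above: the bare ACL denies the SYN-ACK because it matches nothing but the deny line, while the inspector permits the identical packet because the outbound SYN before it created state. The late SYN-ACK for port 40001 is denied not because of anything in that packet but because two later SYNs pushed the half-open count over the threshold; that is the dependence on preceding packets the text calls stateful.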

All this discussion isn't intended to make you think that ACLs are useless and that if you use them, you might as well put your data out on a public FTP server. I'm not telling you this to convince you to dump your ACLs; I'm just explaining how very different a stateful firewall is from an ACL. ACLs certainly have their place, and they're included in standard IOS. CBAC requires the IOS Firewall feature set, which will definitely cost you more for IOS images.
