
Testing and Verifying CBAC

In the document Complete Study Guide (Page 197-200)

As with most IOS commands, a set of show and debug commands lets you test and verify the operation of CBAC. You can use the following commands to display CBAC operation.

The show ip inspect config command displays information about the entire global timeouts and thresholds configuration for CBAC as well as the inspection rule configuration, excluding interface information:

Lab_B#show ip inspect config
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name IOSFW
    ftp alert is on audit-trail is on timeout 3600
    h323 alert is on audit-trail is on timeout 3600
    http java-list 10 alert is on audit-trail is on timeout 3600
    tcp alert is on audit-trail is on timeout 3600
    udp alert is on audit-trail is on timeout 30

118 Chapter 5 Context-Based Access Control Configuration
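When you verify CBAC on more than a handful of routers, reading this output by eye does not scale. The following script is an added example (not from the study guide or from Cisco): it parses the text of show ip inspect config into a dictionary and compares the global timeouts, thresholds, and per-protocol audit/alert settings against a local baseline. The sample output is constructed to mirror the Lab_B output above, a second copy is weakened on purpose so the checker has something to flag, and the BASELINE values are assumptions for illustration, not Cisco defaults.

```python
"""Parse 'show ip inspect config' output and check it against a local baseline.

Added example; not from the study guide. SAMPLE_CONFIG is constructed to mirror
the Lab_B output in the text; BASELINE values are assumed, not Cisco defaults.
"""
import re

# Constructed sample, modelled on the Lab_B 'show ip inspect config' output.
SAMPLE_CONFIG = """\
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name IOSFW
    ftp alert is on audit-trail is on timeout 3600
    h323 alert is on audit-trail is on timeout 3600
    http java-list 10 alert is on audit-trail is on timeout 3600
    tcp alert is on audit-trail is on timeout 3600
    udp alert is on audit-trail is on timeout 30
"""

# Second constructed sample with three settings weakened, so the checker fires.
WEAK_CONFIG = (SAMPLE_CONFIG
               .replace("audit trail is enabled", "audit trail is disabled")
               .replace("synwait-time is 30 sec", "synwait-time is 120 sec")
               .replace("udp alert is on audit-trail is on", "udp alert is on audit-trail is off"))

# Assumed local baseline (illustrative upper bounds, not Cisco defaults).
BASELINE = {"tcp_synwait_time": 30, "tcp_idle_time": 3600,
            "udp_idle_time": 30, "max_incomplete_high": 500}

_TIMEOUT_RE = re.compile(
    r"(tcp synwait-time|tcp finwait-time|tcp idle-time|udp idle-time|dns-timeout) is (\d+) sec")
_PROTO_RE = re.compile(
    r"(\S+)(?: java-list (\d+))? alert is (on|off) audit-trail is (on|off) timeout (\d+)")


def _key(name):
    """Normalise an output label such as 'tcp synwait-time' to 'tcp_synwait_time'."""
    return name.replace(" ", "_").replace("-", "_")


def parse_inspect_config(text):
    """Return global settings plus a 'rules' dict of {rule: {protocol: settings}}."""
    cfg = {"rules": {}}
    rule = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Session (audit trail|alert) is (enabled|disabled)", s)
        if m:
            cfg["session_" + _key(m.group(1))] = (m.group(2) == "enabled")
            continue
        m = re.match(r"(one-minute|max-incomplete sessions).*thresholds are \[(\d+):(\d+)\]", s)
        if m:
            k = "one_minute" if m.group(1) == "one-minute" else "max_incomplete"
            cfg[k + "_low"], cfg[k + "_high"] = int(m.group(2)), int(m.group(3))
            continue
        m = re.match(r"max-incomplete tcp connections per host is (\d+)\. Block-time (\d+) minute", s)
        if m:
            cfg["tcp_max_incomplete_host"] = int(m.group(1))
            cfg["block_time_min"] = int(m.group(2))
            continue
        timeouts = _TIMEOUT_RE.findall(s)  # one line may carry two timeouts joined by ' -- '
        if timeouts:
            for name, secs in timeouts:
                cfg[_key(name)] = int(secs)
            continue
        m = re.match(r"Inspection name (\S+)", s)
        if m:
            rule = m.group(1)
            cfg["rules"][rule] = {}
            continue
        m = _PROTO_RE.match(s)
        if m and rule is not None:
            cfg["rules"][rule][m.group(1)] = {
                "java_list": int(m.group(2)) if m.group(2) else None,
                "alert": m.group(3) == "on",
                "audit_trail": m.group(4) == "on",
                "timeout": int(m.group(5)),
            }
    return cfg


def check_inspect_config(cfg, baseline=BASELINE):
    """Return a list of findings; an empty list means the config meets the baseline."""
    findings = []
    if not cfg.get("session_audit_trail"):
        findings.append("session audit trail is disabled")
    if not cfg.get("session_alert"):
        findings.append("session alerts are disabled")
    for name in ("tcp_synwait_time", "tcp_idle_time", "udp_idle_time"):
        if cfg.get(name, 0) > baseline[name]:
            findings.append(f"{name} {cfg[name]} sec exceeds baseline {baseline[name]} sec")
    if cfg.get("max_incomplete_high", 0) > baseline["max_incomplete_high"]:
        findings.append(f"max-incomplete high threshold {cfg['max_incomplete_high']} exceeds baseline")
    for rule, protos in cfg["rules"].items():
        for proto, p in protos.items():
            if not p["audit_trail"]:
                findings.append(f"{rule}/{proto}: audit-trail is off")
            if not p["alert"]:
                findings.append(f"{rule}/{proto}: alert is off")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("weakened", WEAK_CONFIG)):
        print(label, "->", check_inspect_config(parse_inspect_config(text)) or "OK")
```

Run against the sample it reports OK; run against the weakened copy it reports the disabled audit trail, the longer synwait-time, and the udp entry with audit-trail off. In practice you would feed it the captured output from each router and treat any finding as drift from your approved CBAC baseline.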

The show ip inspect interfaces command displays information about the interface configuration:

Lab_B#show ip inspect interfaces
Interface Configuration
 Interface FastEthernet0/0
  Inbound inspection rule is IOSFW
    ftp alert is on audit-trail is on timeout 3600
    h323 alert is on audit-trail is on timeout 3600
    http java-list 10 alert is on audit-trail is on timeout 3600
    tcp alert is on audit-trail is on timeout 3600
    udp alert is on audit-trail is on timeout 30
  Outgoing inspection rule is not set
  Inbound access list is 150
  Outgoing access list is not set

The show ip inspect name command displays information about the inspection rule configuration:

Lab_B#show ip inspect name IOSFW
Inspection name IOSFW
    ftp alert is on audit-trail is on timeout 3600
    h323 alert is on audit-trail is on timeout 3600
    http java-list 10 alert is on audit-trail is on timeout 3600
    tcp alert is on audit-trail is on timeout 3600
    udp alert is on audit-trail is on timeout 30
Lab_B#

And you can remove any and all CBAC by doing the following:

Lab_B#conf t
Lab_B(config)#no ip inspect
Lab_B(config)#^Z
Lab_B#show ip inspect interfaces
Lab_B#

If you do this, you’ll wipe out all dynamic ACLs, reset all global timeouts, and delete all existing sessions—so be careful!

Summary

By now, I’m sure you can see that CBAC offers you much tighter security than you can hope to get through the use of ACLs. It can operate like a stateful firewall, keeping track of sessions and dynamically changing access lists to allow the passage of appropriate traffic.

The six steps that Cisco has defined to help you configure CBAC are as follows:

1. Set audit trails and alerts.

2. Set global timeouts and thresholds.

3. Define Port-to-Application Mapping (PAM).

4. Define inspection rules.

5. Apply inspection rules and ACLs to interfaces.

6. Test and verify CBAC.

By using these steps as outlined in this chapter, you can create and maintain a secure and cost-effective internetwork.

Because CBAC is so versatile, it can also be used to prevent certain types of DoS attacks, and it offers you many fine-tuning options, as well as lots of settings for values and timeouts to use to determine appropriate thresholds for your networks. Typically, you’d have to buy more hardware to provide these services, but not with CBAC.

Another example of CBAC’s versatility is Port-to-Application Mapping (PAM), which allows you to modify the default values of well-known ports and teach CBAC how to recognize these applications.

And if you need it to, CBAC can generate real-time alerts and audit trails through the use of a Syslog server. This lets you monitor all enterprise alerts and audit trails at a single, centralized location.

To test and verify the operation of CBAC, use the command show ip inspect config to display the global configuration (including whether the session audit trail is enabled) and the command show ip inspect interfaces to see the CBAC interface configuration.


Exam Essentials

Make sure you know the six steps for configuring CBAC. Cisco has outlined six steps for CBAC configuration:

1. Set audit trails and alerts.

2. Set global timeouts and thresholds.

3. Define Port-to-Application Mapping (PAM).

4. Define inspection rules.

5. Apply inspection rules and ACLs to interfaces.

6. Test and verify CBAC.

Be sure you know the global timeouts and thresholds and the commands for changing them.

You need to know the commands for changing the global timeouts and thresholds, as well as the default values. Refer to Table 5.1 for a listing of all global timeouts and thresholds and how to change them.

Make sure you know the rules for applying ACLs in conjunction with CBAC. Know that CBAC needs an extended ACL to modify for return traffic. Here is what else you must know:

On the interface where traffic initiates (in the corporate network example, the dirty DMZ), apply inward an ACL that permits only wanted traffic, and apply inward the CBAC inspection rule that inspects wanted traffic.

On all other interfaces, apply inward an ACL that denies all other traffic except traffic types not inspected by CBAC (such as ICMP).
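The two placement rules above can be checked mechanically from show ip inspect interfaces output. The script below is an added example (not from the study guide or from Cisco): it parses each interface block and reports any interface with no inbound access list, any inbound ACL whose number falls in the standard numbered ranges (1-99 and 1300-1999, which CBAC cannot use because it needs an extended ACL), and the case where no interface carries an inbound inspection rule at all. The sample output is constructed: the FastEthernet0/0 block mirrors the Lab_B output in the text, while FastEthernet0/1 and Serial0/0 are invented interfaces added to show the checks firing, and the script assumes the same line format for every interface listed.

```python
"""Check 'show ip inspect interfaces' output against the ACL-plus-inspection rules.

Added example; not from the study guide. Only the FastEthernet0/0 block of the
sample mirrors the Lab_B output in the text; the other interfaces are invented.
"""
import re

# Constructed sample. FastEthernet0/1 has no inbound ACL and Serial0/0 uses a
# standard numbered ACL, so both should be reported.
SAMPLE_INTERFACES = """\
Interface Configuration
 Interface FastEthernet0/0
  Inbound inspection rule is IOSFW
    ftp alert is on audit-trail is on timeout 3600
    tcp alert is on audit-trail is on timeout 3600
    udp alert is on audit-trail is on timeout 30
  Outgoing inspection rule is not set
  Inbound access list is 150
  Outgoing access list is not set
 Interface FastEthernet0/1
  Inbound inspection rule is not set
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
 Interface Serial0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is not set
  Inbound access list is 10
  Outgoing access list is not set
"""

_SETTING_RE = re.compile(r"(Inbound|Outgoing) (inspection rule|access list) is (.+)$")


def parse_inspect_interfaces(text):
    """Return {interface: {inbound_inspection_rule, outgoing_inspection_rule,
    inbound_access_list, outgoing_access_list}}; 'not set' becomes None."""
    ifaces = {}
    cur = None
    for line in text.splitlines():
        s = line.strip()
        if s == "Interface Configuration":
            continue  # section banner, not an interface name
        m = re.match(r"Interface (\S+)$", s)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
            continue
        m = _SETTING_RE.match(s)
        if m and cur is not None:
            key = m.group(1).lower() + "_" + m.group(2).replace(" ", "_")
            cur[key] = None if m.group(3) == "not set" else m.group(3)
        # per-protocol lines under an inspection rule are not needed for these checks
    return ifaces


def is_standard_numbered_acl(acl):
    """True for numbered IP ACLs in the standard ranges; named ACLs return False."""
    if not acl.isdigit():
        return False
    n = int(acl)
    return 1 <= n <= 99 or 1300 <= n <= 1999


def check_interfaces(ifaces):
    """Apply the placement rules: every interface needs an inbound extended ACL,
    and at least one interface must carry the inbound inspection rule."""
    findings = []
    if not any(i.get("inbound_inspection_rule") for i in ifaces.values()):
        findings.append("no interface has an inbound inspection rule; CBAC is inspecting nothing")
    for name, i in ifaces.items():
        acl = i.get("inbound_access_list")
        if acl is None:
            findings.append(f"{name}: no inbound access list (CBAC has nothing to modify for return traffic)")
        elif is_standard_numbered_acl(acl):
            findings.append(f"{name}: inbound ACL {acl} is a standard ACL; CBAC needs an extended ACL")
    return findings


if __name__ == "__main__":
    for finding in check_interfaces(parse_inspect_interfaces(SAMPLE_INTERFACES)):
        print(finding)
```

On the sample, FastEthernet0/0 passes (inspection rule IOSFW and ACL 150, an extended number, both inbound), while the two invented interfaces are reported. Named ACLs cannot be classified from their name alone, so for those the script only confirms one is present; confirm they are extended from show access-lists.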

Be sure to review the commands to test CBAC, and know the command to disable it. There are three show ip inspect commands:

The show ip inspect config command displays information about the entire global timeouts and thresholds configuration for CBAC as well as the inspection rule configuration, excluding interface information.

The show ip inspect interfaces command displays information about the interface configuration.

The show ip inspect name command displays information about the inspection rule configuration.

The no ip inspect command in global configuration mode disables all CBAC.
