UNCLASSIFIED
Advanced Security Services
Version 1.0g
Figure 5-1: A Simple Router Firewall
CBAC examines not only network layer and transport layer information, but also application-layer protocol information (for example, FTP protocol information) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections. The heart of CBAC is the ability to inspect outgoing IP traffic in real time, maintain state information, and use that state information to make access decisions. The access decisions are enacted when CBAC dynamically adds rules to interface access lists to pass permitted traffic; the figure below (Figure 5-2) illustrates this. Because CBAC works by modifying access lists, there must be at least one access list in place on the path from the untrusted network to the trusted network: either an inbound list on the outside interface, or an outbound list on the inside interface.
Figure 5-2: CBAC Overview
Note that CBAC handles only the TCP and UDP protocols. It also includes special-case handling for multi-port application protocols, such as H.323 and FTP. Other IP
Steps shown in Figure 5-2:
1. Host initiates a web connection to web server 7.1.6.20 (port 80) on the untrusted network.
2. CBAC inspects the initial TCP packet of the connection, and adds a rule to the inbound access list, permitting data from 7.1.6.20 port 80.
3. Response comes back from the web server, passes access list.
[Figure 5-2 diagram labels: Router (CBAC inspect, access list adjust); Host on trusted network, inside interface; outbound request; inbound response; outside interface, untrusted network.]
[Figure 5-1 diagram labels: Router; Trusted Network 14.2.10.0/24; User Host 14.2.10.6; User Host 14.2.10.7; 14.2.10.64; 14.2.9.64; Untrusted Network.]
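As an added illustration (not code from the guide), the following Python model replays the three steps of Figure 5-2: outbound inspection records connection state and inserts a matching permit entry in the inbound access list, the reply passes, and unrelated inbound traffic is still denied by the static part of the list. The web server 7.1.6.20 port 80 is from Figure 5-2 and the trusted hosts 14.2.10.6 and 14.2.10.7 are from Figure 5-1; the client port 40123, the tuple-keyed access-list entries and the `close_connection` behaviour are assumptions of this toy model, not IOS behaviour taken from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", or another IP protocol such as "icmp"
    src: str
    sport: int
    dst: str
    dport: int

class CbacRouter:
    """Outside interface with one inbound access list that denies everything
    by default; CBAC inspects outbound TCP/UDP and adds temporary permits."""

    def __init__(self):
        self.state = set()        # tracked outbound connections (5-tuples)
        self.dynamic_acl = set()  # temporary inbound permit entries

    def inspect_outbound(self, pkt):
        # Step 2 of Figure 5-2. Only TCP and UDP are inspected; any other IP
        # protocol passes through without touching the inbound access list.
        if pkt.proto not in ("tcp", "udp"):
            return False
        self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        # Permit only the exact return flow: server:port -> host:port.
        self.dynamic_acl.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def filter_inbound(self, pkt):
        # Step 3: a reply passes only via a matching dynamic entry; all else is denied.
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.dynamic_acl

    def close_connection(self, pkt):
        # Assumption in this model: the temporary opening is removed as soon as
        # the session ends (real CBAC also ages idle entries out on timeouts).
        self.state.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.dynamic_acl.discard((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

def demo():
    """Replay the three steps of Figure 5-2 and return the filter decisions."""
    r = CbacRouter()
    request = Packet("tcp", "14.2.10.6", 40123, "7.1.6.20", 80)   # step 1
    r.inspect_outbound(request)                                     # step 2
    reply = Packet("tcp", "7.1.6.20", 80, "14.2.10.6", 40123)       # step 3
    stray = Packet("tcp", "7.1.6.20", 80, "14.2.10.7", 40123)       # no state
    results = {"reply": r.filter_inbound(reply), "stray": r.filter_inbound(stray)}
    r.close_connection(request)
    results["after_close"] = r.filter_inbound(reply)
    return results
```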