UNCLASSIFIED Advanced Security Services Version 1.0g UNCLASSIFIED 185

Figure 5-1: A Simple Router Firewall
[Diagram: a router with its inside interface (14.2.10.64) on the trusted network 14.2.10.0/24, where user hosts 14.2.10.6 and 14.2.10.7 sit, and its outside interface (14.2.9.64) facing the untrusted network.]

CBAC examines not only network-layer and transport-layer information, but also application-layer protocol information (such as the data-connection port negotiated over an FTP control channel) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections. The heart of CBAC is its ability to inspect outgoing IP traffic in real time, maintain state information, and use that state to make access decisions. The access decisions are enacted when CBAC dynamically adds temporary entries to interface access lists to pass the return traffic of permitted sessions; each entry matches only the addresses and ports of the session that created it, not all traffic from the remote server. The figure below illustrates this. Because CBAC works by modifying access lists, there must be at least one access list in place on the path from the untrusted network to the trusted network: either an inbound list on the outside interface, or an outbound list on the inside interface.

Figure 5-2: CBAC Overview
[Diagram: a host on the trusted network sends an outbound request through the router's inside interface; CBAC inspects it and adjusts the access list on the outside interface; the inbound response from the untrusted network then passes that list.]

1. Host initiates a web connection to web server 7.1.6.20 (port 80) on the untrusted network.
2. CBAC inspects the initial TCP packet of the connection, and adds a rule to the inbound access list, permitting data from 7.1.6.20 port 80.
3. Response comes back from the web server, passes access list.

Note that CBAC handles only TCP and UDP protocols. It also includes some special-case handling for multi-port application protocols, like H.323 and FTP. Other IP
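The mechanism described above (inspect outbound traffic, record the session, insert a temporary entry into the inbound list, remove it when the session ends), as an added example that is not part of this guide and is not Cisco IOS code: a small Python model using the addresses from the figures (trusted network 14.2.10.0/24, hosts 14.2.10.6 and 14.2.10.7, web server 7.1.6.20 port 80). The client port numbers, the UDP idle timeout, and the simplified close handling (a single FIN or RST tears the session down) are assumptions of the model, not from the page. It also shows what the figure does not: the temporary entry admits only the one session's reverse 5-tuple, so the same server sending to another host or another port is still denied, and traffic in protocols CBAC does not inspect (ICMP here) is never granted an entry.

```python
# Toy model of CBAC's access-list adjustment, constructed for this page; not IOS code.
# Addresses are the guide's; ports, the UDP idle timeout and one-FIN close are assumptions.
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()          # TCP flags, e.g. {"SYN"}, {"FIN"}

@dataclass
class AclEntry:
    action: str                             # "permit" or "deny"
    proto: Optional[int] = None             # None and "any" match everything
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    dynamic: bool = False                   # True for entries CBAC inserted

    def matches(self, p):
        return (self.proto in (None, p.proto) and self.src in ("any", p.src)
                and self.sport in (None, p.sport) and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))

class CbacRouter:
    """Inspects outbound traffic; the outside interface's inbound list is a bare deny."""
    def __init__(self, udp_idle=30):
        self.udp_idle = udp_idle
        self.inbound_acl = [AclEntry("deny")]   # the list CBAC needs in place to modify
        self.sessions = {}                       # 5-tuple -> time of last packet

    def outbound(self, p, now=0):
        """Figure 5-2 steps 1-2: inspect; a new session gets an entry for its reverse 5-tuple."""
        if p.proto not in (TCP, UDP):            # CBAC inspects only TCP and UDP
            return False
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.sessions:
            self.inbound_acl.insert(0, AclEntry("permit", p.proto, p.dst, p.dport, p.src, p.sport, dynamic=True))
        self.sessions[key] = now
        if p.flags & {"FIN", "RST"}:
            self._close(key)
        return True

    def inbound(self, p, now=0):
        """Figure 5-2 step 3: the inbound packet is judged by the current list."""
        for key, last in list(self.sessions.items()):   # UDP has no close: idle out
            if key[0] == UDP and now - last > self.udp_idle:
                self._close(key)
        for e in self.inbound_acl:
            if e.matches(p):
                if e.dynamic:                            # refresh or tear down
                    key = (p.proto, p.dst, p.dport, p.src, p.sport)
                    self.sessions[key] = now
                    if p.flags & {"FIN", "RST"}:
                        self._close(key)
                return e.action == "permit"
        return False

    def _close(self, key):                   # drop the session and its temporary entry
        self.sessions.pop(key, None)
        self.inbound_acl = [e for e in self.inbound_acl if not
                            (e.dynamic and (e.proto, e.dst, e.dport, e.src, e.sport) == key)]

def figure_scenario():
    """The three steps of Figure 5-2, plus checks the figure does not show."""
    r = CbacRouter()
    r.outbound(Packet(TCP, "14.2.10.6", 40000, "7.1.6.20", 80, frozenset({"SYN"})))
    reply = Packet(TCP, "7.1.6.20", 80, "14.2.10.6", 40000, frozenset({"SYN", "ACK"}))
    results = {
        "reply": r.inbound(reply),                                    # permitted
        # same server and port, but aimed at a host that never asked: denied
        "to_other_host": r.inbound(Packet(TCP, "7.1.6.20", 80, "14.2.10.7", 40000)),
        # right host, different client port, so not this session: denied
        "unsolicited": r.inbound(Packet(TCP, "7.1.6.20", 80, "14.2.10.6", 40001)),
    }
    r.inbound(Packet(TCP, "7.1.6.20", 80, "14.2.10.6", 40000, frozenset({"FIN"})))
    results["after_close"] = r.inbound(reply)                         # entry is gone
    results["acl_static_again"] = all(not e.dynamic for e in r.inbound_acl)
    return results

def other_protocols():
    """UDP entries expire on idle time; ICMP is never inspected, so its reply is denied."""
    r = CbacRouter(udp_idle=30)
    r.outbound(Packet(UDP, "14.2.10.6", 53001, "7.1.6.20", 53), now=0)
    dns_reply = Packet(UDP, "7.1.6.20", 53, "14.2.10.6", 53001)
    return {
        "dns_reply_in_time": r.inbound(dns_reply, now=10),
        "dns_reply_after_idle": r.inbound(dns_reply, now=100),
        "icmp_inspected": r.outbound(Packet(ICMP, "14.2.10.6", 0, "7.1.6.20", 0)),
        "icmp_reply": r.inbound(Packet(ICMP, "7.1.6.20", 0, "14.2.10.6", 0)),
    }
```

Call figure_scenario() and other_protocols() to see the permit/deny decisions. On a Cisco router the same roles are played by ip inspect name (one line per protocol: tcp, udp, ftp, h323) applied to an interface with ip inspect, by an access list applied with ip access-group on the outside interface holding the static deny, and by show ip inspect sessions, which lists the state this model keeps in its sessions table.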