Sunday, April 13, 2014

General overview of Context-Based Access Control (CBAC).

On the Cisco IOS you can enable state-full firewall and enable protocols which should be inspected. There are many general settings like audit, logging and some settings per named inspection. Each named inspection has to be applied on the interface with proper direction (in/out).

ip inspect name CBAC ftp timeout 30
ip inspect name CBAC tcp
int gig0/0 
inspect CBAC out
There is no implicit deny for non-inspected protocols after the inspection (like for ZBPF) and to protect your network you have to add the access list with the deny statement:

ip access-list extended OUT
deny ip any any
int gig0/0
ip access-group OUT in 

No comments:

Post a Comment