CBAC Limitations
As with all things that seem too good to be true, some
limitations must be recognized and worked around:
- Only IP TCP and UDP traffic is inspected by CBAC, so ICMP traffic and any other Layer 3 protocols need to be filtered using extended ACLs.
- Any traffic where the router is the source or destination won’t be inspected. CBAC will filter traffic passing through, but not traffic originating or terminating on that device.
- Because CBAC only detects and protects against attacks that travel through the firewall, it doesn’t normally protect against attacks originating from within the protected network. Deploying CBAC on an intranet-based router is possible.
- CBAC can’t inspect in-transit IPSec traffic. Because the IPSec traffic is encrypted, CBAC can’t interpret it and, therefore, drops it. CBAC and IPSec can only work together at the tunnel endpoint, by applying IPSec to the external interface and CBAC on the internal interface.
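The following IOS configuration is an added example, not part of the original article, showing how the four limitations above shape a real deployment: the inspection rule covers only TCP and UDP, the extended ACL on the outside interface explicitly handles ICMP and the IKE/ESP traffic that terminates on the router itself (which CBAC never inspects), and the crypto map sits on the external interface while inspection sits on the internal one. Interface names, the ACL name, the inspect rule name, the crypto map name and all addresses are placeholders chosen for the example.

```cisco
! Added example (not from the original article). Placeholder names:
! FW_OUT (inspect rule), OUTSIDE_IN (ACL), VPN_MAP (crypto map),
! 203.0.113.1 (outside address), 192.168.1.0/24 (inside network).

! 1. CBAC inspects only TCP and UDP, so the rule lists just those.
!    Idle timers bound the size of the state table (about 600 bytes
!    per tracked connection).
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30

! 2. ICMP is not inspected, so the replies an inside host needs must be
!    permitted statically; everything else is denied and logged.
!    IKE and ESP are destined to the router itself and are therefore
!    never inspected either, so the tunnel peer's traffic is also
!    permitted statically here.
ip access-list extended OUTSIDE_IN
 remark --- ICMP is outside CBAC; allow only the replies we want back
 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
 permit icmp any 192.168.1.0 0.0.0.255 unreachable
 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
 remark --- IPSec terminates on this router; CBAC does not see it
 permit udp any host 203.0.113.1 eq isakmp
 permit esp any host 203.0.113.1
 remark --- CBAC adds dynamic entries above this line for inspected
 remark --- TCP/UDP return traffic; all other inbound traffic is dropped
 deny   ip any any log

! 3. IPSec on the external interface, CBAC on the internal interface.
!    Packets are decrypted at the outside interface before CBAC sees
!    them, so CBAC always works on cleartext.
interface GigabitEthernet0/0
 description OUTSIDE (Internet / IPSec tunnel endpoint)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 crypto map VPN_MAP

interface GigabitEthernet0/1
 description INSIDE (protected network)
 ip address 192.168.1.1 255.255.255.0
 ip inspect FW_OUT in
```

With inspection applied inbound on the inside interface, sessions opened by inside hosts create temporary openings in OUTSIDE_IN for their return traffic only; anything the rule does not cover (ICMP, other IP protocols, traffic to or from the router) is decided solely by the static ACL lines. After applying the configuration, `show ip inspect sessions` lists the connections currently being tracked, which is the number to multiply by roughly 600 bytes when sizing memory, and `show ip access-lists OUTSIDE_IN` shows the dynamic entries CBAC has added.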
Memory and Performance Issues
You need to consider two issues when determining which model
of router to use for CBAC and how much memory to install.
- CBAC uses about 600 bytes of memory per connection established.
- A slight amount of additional CPU processing is used to inspect packets. While evaluating long access lists can negatively impact performance, CBAC mitigates this by hashing ACLs and then evaluating the hash.