CBAC Process

Sep 10,2009 by alperen


The following steps describe the sequence of events for CBAC configured on an external interface connected to the Internet. The example starts with an outbound packet, which is the first of a new TCP session configured for CBAC inspection.

  1. The outbound packet reaches the firewall’s external interface.

  2. The packet is checked against the interface’s existing outbound ACL, and the packet is permitted. A denied packet would be discarded at this point and couldn’t be evaluated by CBAC to allow inbound traffic. With no outbound traffic, there shouldn’t be returning traffic.

  3. If the packet’s application is configured for CBAC inspection, CBAC inspects the packet to determine and record the state information of the connection. Because this is a new session, a new state table entry is created for the connection. If the application isn’t configured for CBAC inspection, the packet goes directly to Step 5.

  4. Using the state information, CBAC creates a temporary entry and inserts it at the beginning of the interface’s inbound extended ACL. This temporary entry is designed to allow inbound packets that are part of the same session.

  5. The outbound packet is forwarded out the interface.

  6. When an inbound packet from the just-established session reaches the interface, it’s evaluated against the inbound ACL and permitted by the temporary entry created in Step 4.

  7. The packet permitted in Step 6 is then inspected by CBAC, and the connection’s state table entry is updated as necessary. Based on this updated state information, the inbound extended ACL temporary entries can be modified to permit only packets that are valid for the current state of the connection.

  8. Additional inbound and outbound packets from the connection are inspected to update the state table and the temporary inbound ACL entries as needed. The packets are forwarded through the interface.

  9. When the connection terminates or times out, the related entries in the state table and the inbound ACL are deleted.
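The nine steps above as an added model written for this page (not Cisco IOS code): a deny-all static inbound ACL, a static outbound ACL, an inspect rule for TCP, and the temporary return entries that CBAC inserts at the head of the inbound ACL and removes on teardown or idle timeout. Plain 5-tuples for packets, prefix-string source matching in the outbound ACL, and tearing a session down on a single FIN are simplifications assumed here.

```python
# Constructed packet model (not Cisco code): a 5-tuple (proto, src, sport, dst, dport).

def reverse(flow):
    """The 5-tuple that return traffic for this flow will carry."""
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)


class CbacExternalInterface:
    """External interface: static ACLs, CBAC state table, temporary inbound ACL entries."""

    def __init__(self, outbound_permits, inspected_protos, idle_timeout=3600):
        self.outbound_permits = outbound_permits  # static outbound ACL: (proto, src_prefix)
        self.inspected = set(inspected_protos)    # protocols named in the inspect rule
        self.temp_entries = []                    # head of the inbound extended ACL (Step 4)
        self.state_table = {}                     # session 5-tuple -> state, last-seen time
        self.idle_timeout = idle_timeout

    def send_outbound(self, flow, now):
        # Step 2: static outbound ACL first; a denied packet never reaches CBAC
        if not any(p in (flow[0], "ip") and flow[1].startswith(prefix)
                   for p, prefix in self.outbound_permits):
            return "dropped"
        if flow[0] in self.inspected:                                  # Step 3
            session = self.state_table.setdefault(flow, {"state": "SYN_SENT"})
            session["last_seen"] = now
            if reverse(flow) not in self.temp_entries:                 # Step 4
                self.temp_entries.insert(0, reverse(flow))
        return "forwarded"                                             # Step 5

    def receive_inbound(self, flow, now, fin=False):
        # Step 6: the static inbound ACL is deny-all, so only a temporary entry can permit
        if flow not in self.temp_entries:
            return "dropped"
        session = self.state_table[reverse(flow)]                      # Step 7
        session.update(state="ESTABLISHED", last_seen=now)
        if fin:                        # Step 9 (simplified: one FIN ends the session)
            self._teardown(reverse(flow))
        return "forwarded"

    def expire(self, now):
        # Step 9: idle sessions age out together with their temporary ACL entries
        idle = [k for k, s in self.state_table.items() if now - s["last_seen"] > self.idle_timeout]
        for key in idle:
            self._teardown(key)
        return len(idle)

    def _teardown(self, session):
        del self.state_table[session]
        self.temp_entries.remove(reverse(session))
```

Unsolicited inbound packets are dropped because nothing but a temporary entry can match them, and a denied outbound packet creates no state, so no return traffic is ever opened for it.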

