Select the Interface
When implementing CBAC, you must decide whether to configure CBAC
on an internal or an external interface of your firewall. In
firewall terminology, internal refers to the interface(s)
where sessions must originate for the traffic to be permitted through the
firewall. External refers to the interface(s) where
sessions can't originate; sessions originating from the external side are
blocked.
Figure 6-2 shows a simple topology common on
perimeter routers or networks without a protected DMZ. CBAC would be configured
on the external interface—Serial 0—to prevent unwanted traffic from entering the
firewall and the internal network.
Figure 6-3 shows a common topology that includes a
protected DMZ for shared servers. CBAC is configured for the internal
interface—Ethernet 1—allowing external traffic free access to the DMZ. At the
same time, external traffic is prevented from entering the internal network,
unless it’s part of a session initiated from within the internal network.
To provide firewall security between two departments or two
partner networks, configure CBAC in two directions. CBAC can be configured in
two directions at one or more interfaces. First, configure CBAC in one direction
using the appropriate internal and external interface designations. Then,
configure CBAC in the other direction with the interface designations
swapped.
CBAC on an External Interface
Create an outbound standard or extended IP access list and
apply it to the external interface. This ACL permits all packets to exit the
network, including any packets you want CBAC to inspect.
Create an inbound extended IP access list and apply it to the
external interface. This ACL denies the traffic that CBAC is to inspect. When an
outbound packet triggers CBAC, a temporary opening is created in this inbound
ACL to permit only return traffic belonging to a valid existing session. If the
inbound ACL were instead configured to permit the desired traffic, CBAC would
create unnecessary openings in the firewall for packets that would be allowed
anyway.
CBAC on an Internal Interface
Create an inbound standard or extended IP access list and
apply it to the internal interface. This ACL permits all packets to exit the
protected network, including any packets you want CBAC to inspect.
Create an outbound extended IP access list and apply it to
the internal interface. This ACL denies the traffic that CBAC is to inspect.
When an inbound packet triggers CBAC, a temporary opening is created in this
outbound ACL to permit only return traffic belonging to a valid existing
session.
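The following IOS configuration is an added example, not taken from the original text, that carries out the external-interface procedure above for the Figure 6-2 router and notes how the same ACLs are re-applied for the internal-interface case of Figure 6-3. The interface names, addresses, inspection rule name and ACL numbers are assumed for illustration.

```cisco
! Added example: CBAC on the external interface (Serial 0) of a perimeter
! router. Addresses, ACL numbers and the rule name OUTBOUND are assumed.
!
! Inspection rule: the session types CBAC tracks as they leave the network.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
! Log session creation and teardown so the temporary openings can be audited.
ip inspect audit-trail
!
! Outbound ACL on the external interface: lets the (assumed) internal
! network 10.1.1.0/24 out, including every packet OUTBOUND will inspect.
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
! Inbound ACL on the external interface: denies the traffic CBAC inspects.
! CBAC inserts temporary permit entries here for valid return traffic only.
! Do not add a static "permit tcp any any established" or similar: that
! traffic would then pass without CBAC, and the dynamic openings CBAC
! creates for it would be redundant.
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any log
!
interface Serial0
 description External (untrusted) side
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 out
 ip access-group 102 in
 ip inspect OUTBOUND out
!
! Internal-interface variant (Figure 6-3, Ethernet 1): apply the same ACLs
! with the directions swapped, and inspect traffic entering from inside:
!   interface Ethernet1
!    ip access-group 101 in
!    ip access-group 102 out
!    ip inspect OUTBOUND in
```

After traffic flows, `show ip inspect sessions` lists the tracked sessions and the openings CBAC has created, which is the place to confirm that only session-initiated return traffic is being admitted.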