Will Robinson

Will Robinson

Will is a senior sales engineer & DevOps specialist who loves talking about cloud, automation and cybersecurity

In my previous post I mentioned the Cisco IOS firewall feature known as CBAC (Context-Based Access Control). Today I will describe it in more detail and explain how you can use it to increase the security of your network.

As you may know, a firewall is used to protect your network from the outside world and all of the nasty hackers out there. With each passing day hackers’ intrusion techniques are become more advanced and highly complex, and unfortunately basic ACLs are simply not good enough to protect you anymore. Thankfully CBAC (more commonly known to the wider I.T community as Stateful Packet Inspection, (SPI)) has come to the rescue.

CBAC, with the help of NBAR, reads the packets coming in to and going out of your network and creates dynamic ACL entries that will either permit or deny these traffic flows.

For example, if you want to allow ICMP and HTTP traffic (pings and internet browsing) out of your network, you would have to create an “outbound” access list on your internet facing interface. Then, to allow the returning traffic to re enter your network you would have to create an “inbound” access list, however, this is where your potential troubles start. This is because unless your “inbound” access list specifies all of the IP addresses that you intend to ping to or surf to, you are going to have to allow all ICMP and HTTP traffic in to your network, regardless of the source,which is not very secure.

Fortunately, as mentioned above CBAC has come to the rescue. With its dynamic ACL creations all you have to do is create the “outbound” access list which specifies what your users can and cannot do and CBAC does the rest. This is because CBAC watches the traffic that leaves your network and then creates a dynamic ACL to allow the returning traffic (and only the returning traffic) back in to the network.

See my CBAC in Action, Part 1 and CBAC in Action, Part 2 posts to see a real life example of how you can configure CBAC in your network.

As always, if you have any questions or have a topic that you would like me to discuss, please feel free to post a comment at the bottom of this blog entry, e-mail at will@oznetnerd.com, or drop me a message on Reddit (OzNetNerd).

Note: The opinions expressed in this blog are my own and not those of my employer.

Leave a comment

You may also enjoy

Lambda packaging the right way

November 11, 2020

Simplicity One of the beautiful things about Lambda is its simplicity. You write code, test it and then you deploy it. If it works on your machine, you can ...

Architecting on AWS: ALB

October 26, 2020

This post is a part of the “Architecting on AWS” series Picking up from where we left off, we need eliminate the single point(s) of failure in our architect...

Architecting on AWS: EC2

October 21, 2020

This post is a part of the “Architecting on AWS” series Picking up from where we left off, the the devs’ requirements were as follows: They need a web s...