Cisco Systems OL-6426-02 Benutzerhandbuch
12-3
Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide
OL-6426-02
Chapter 12 Configuring Security Features
Configuring a CBAC Firewall
Access Groups
A sequence of access list definitions bound together with a common name or number is called an access
group. An access group is enabled for an interface during interface configuration with the following
command:
group. An access group is enabled for an interface during interface configuration with the following
command:
ip access-group number | name [in | out]
where in | out refers to the direction of travel of the packets being filtered.
Guidelines for Creating Access Groups
Use the following guidelines when creating access groups.
•
The order of access list definitions is significant. A packet is compared against the first access list
in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is
compared with the next access list, and so on.
in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is
compared with the next access list, and so on.
•
All parameters must match the access list before the packet is permitted or denied.
•
There is an implicit “deny all” at the end of all sequences.
For more complete information on creating access lists, see the “
” section of the Cisco IOS Release 12.3 Security Configuration Guide.
Configuring a CBAC Firewall
Context-Based Access Control (CBAC) lets you configure a stateful firewall where packets are inspected
internally and the state of network connections is monitored. This is superior to static access lists,
because access lists can only permit or deny traffic based on individual packets, not streams of packets.
Also, because CBAC inspects the packets, decisions to permit or deny traffic can be made by examining
application layer data, something static access lists cannot do.
internally and the state of network connections is monitored. This is superior to static access lists,
because access lists can only permit or deny traffic based on individual packets, not streams of packets.
Also, because CBAC inspects the packets, decisions to permit or deny traffic can be made by examining
application layer data, something static access lists cannot do.
To configure a CBAC firewall, specify which protocols to examine by using the following command in
interface configuration mode:
interface configuration mode:
ip inspect name inspection-name protocol timeout seconds
When inspection detects that the specified protocol is passing through the firewall, a dynamic access list
is created to allow the passage of return traffic. The timeout parameter specifies the length of time the
dynamic access list remains active without return traffic passing through the router. When the timeout
value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are
not permitted.
is created to allow the passage of return traffic. The timeout parameter specifies the length of time the
dynamic access list remains active without return traffic passing through the router. When the timeout
value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are
not permitted.
Use the same inspection name in multiple statements to group them into one set of rules. This set of rules
can be activated elsewhere in the configuration by using the ip inspect inspection-name in | out
command when you configure an interface at the firewall.
can be activated elsewhere in the configuration by using the ip inspect inspection-name in | out
command when you configure an interface at the firewall.
See
for a sample configuration. For additional information
about configuring a CBAC firewall, see the “
” section of the
Cisco IOS Release 12.3 Security Configuration Guide.