Hello friends
The Context-Based Access Control (CBAC) feature is very useful in Cisco IOS; I
would like to implement the same in my network. Can anyone shed some more
light on the implementation: how it is being implemented by you and how you did
that.
> I found that the Context-Based Access Control (CBAC) feature in Cisco IOS
> has a variety of options for providing security.
> Here please find some more useful information about CBAC & reply if we can
> use this feature for our network.
>
> Service Providers offering managed network services to customers can
> enable security features in the Cisco IOS® software-based access routers
> that they install on their customers' premises. These capabilities help
> protect end customers against Denial of Service (DoS) attacks, intruders,
> and viruses. Service Providers, in effect, then, can layer a security
> component on top of their managed network services to help keep customers'
> internal information resources from being compromised - and their Web
> servers from falling prey to DoS attacks, which render them unavailable to
> users.
> TECHNOLOGY BACKGROUND
> One security feature in Cisco IOS software is Context-Based Access Control
> (CBAC). CBAC, a component of the Cisco IOS Firewall feature set, filters
> packets based on application-layer information, such as what kinds of
> commands are being executed within the session. For example, if a command
> that is not supported is discovered in a session, the packet can be denied
> access.
> The CBAC component of the Cisco IOS Firewall enhances security for TCP and
> User Datagram Protocol (UDP) applications that use well-known ports, such
> as port 80 for HTTP or port 443 for Secure Sockets Layer (SSL). It does
> this by scrutinizing source and destination addresses. Without CBAC,
> administrators can permit advanced application traffic only by writing
> permanent access control lists (ACLs). This approach leaves firewall doors
> open, so most administrators have tended to deny all such application
> traffic. With CBAC enabled, however, they can securely permit multimedia
> and other application traffic by opening the firewall as needed and
> closing it all other times.
> The Cisco IOS Firewall feature set can also be configured to block Java
> applets from unknown or untrusted sources to protect against attacks in
> the form of malicious commands or the introduction of viruses. A Java
> executable file can steal passwords or otherwise wreak havoc with a
> system. Filtering applets at the firewall centralizes the filtering
> function for end customers. This eases administration, because it is no
> longer necessary to disable Javascript on all Web browsers within an
> organization to protect against Java attacks.
> CONFIGURATION CONSIDERATIONS
> The Cisco IOS Firewall features, including CBAC and Java filtering, are
> available in version 11.2(11)P. However, additional protection and
> protocol support is added continually, so customers are encouraged to
> implement the latest version of the feature set. For example, security
> features that are new in Cisco IOS Release 12.0(5)T include the following:
>
> * Dynamic intrusion detection
> * LAN-based, dynamic, per-user authentication and authorization via
> TACACS+ and RADIUS authentication servers.
> * Ability to configure audit trails, alerts, and Java blocking on a
> per-application basis.
>
> These and other Cisco IOS Firewall features are available on the Cisco
> 800, 1600, 1700, 2500, 2600, 3600, 7100, 7200, RSM, and RSP7500 router
> platforms.
> BENEFITS SUMMARY
> Cisco IOS Firewall filtering capabilities enable a Service Provider to
> offer a managed network service with integrated security, which can be a
> point of differentiation for the provider. Bundling the security features
> into the customer's access router enables a Service Provider's customer to
> turn an existing Cisco router into a firewall without having to purchase
> additional devices. This is a convenient and cost-effective option for end
> customers.
> To learn more about Cisco IOS Firewall, CBAC, and Java blocking
> capabilities, visit the following URLs:
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdcbac.htm
> http://www.cisco.com/univercd/cc/td/doc/pcat/iofwfts1.htm#xtocid165423
>
> Regards
> Dinesh
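As an added illustration of the mechanism the quoted text describes (CBAC opening the outside ACL only for return traffic of sessions initiated from the inside, plus Java applet filtering and per-application audit trails), here is a minimal Cisco IOS configuration. It is example code written for this reply, not part of Dinesh's post or of Cisco's documentation; the router, interface names (FastEthernet0/0 as the trusted LAN, Serial0/0 as the untrusted WAN), the inspection rule name CBAC_OUT, ACL numbers and names, and the RFC 5737 documentation addresses are all assumptions, and the threshold values are example settings rather than recommendations.

```cisco
! Hypothetical router for this example: FastEthernet0/0 = trusted LAN,
! Serial0/0 = untrusted WAN. Addresses are RFC 5737 documentation ranges.
!
! 1. Inspection rule. CBAC watches sessions leaving the LAN and builds state
!    for them; per-application alerts and audit trails are switched on here.
ip inspect name CBAC_OUT tcp alert on audit-trail on timeout 3600
ip inspect name CBAC_OUT udp alert on audit-trail on timeout 30
ip inspect name CBAC_OUT http java-list 51 alert on audit-trail on
ip inspect name CBAC_OUT ftp
!
! 2. Half-open (embryonic) session thresholds: CBAC starts dropping the
!    oldest half-open sessions above "high" and stops below "low".
ip inspect tcp synwait-time 15
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! 3. Java applet policy referenced by the http inspection rule: applets are
!    allowed only from sources this standard ACL permits; all others are blocked.
access-list 51 permit 198.51.100.0 0.0.0.255
access-list 51 deny any
!
! 4. Outside-in ACL: nothing unsolicited gets in. CBAC inserts temporary
!    permit entries ahead of this list for return traffic of inspected sessions,
!    and removes them when the session ends or times out.
ip access-list extended OUTSIDE_IN
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 deny   ip any any log
!
interface FastEthernet0/0
 description Trusted LAN
 ip address 192.0.2.1 255.255.255.0
 ip inspect CBAC_OUT in
!
interface Serial0/0
 description Untrusted WAN
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE_IN in
```

After applying it, `show ip inspect config` confirms the rule and thresholds, and `show ip inspect sessions` lists the outbound sessions for which CBAC is currently holding the outside ACL open; the `deny ip any any log` entry is what makes unsolicited inbound attempts visible in the syslog. Command syntax follows the CBAC feature as documented for the IOS 12.0 T releases mentioned in the quoted text and should be checked against the release actually installed.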