CBAC inspects sessions (based on the type of protocol being inspected) so that the return traffic is guaranteed, which makes it easier to implement ACLs in both directions.
Syntax:
ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
interface interface-id
ip inspect rule-name {in | out}
Notes:
ICMP traffic is not inspected by CBAC, so this traffic must be permitted (in the inbound ACL) when it originates at the OUTSIDE interface; otherwise ping/traceroute will be filtered.
It allows building countermeasures against DDoS by counting the number of sessions per host / within a period of time and blocking when necessary.
If the protocol is not known, inspection can be done through the generic TCP/UDP signatures. In that case all sessions will be analysed.
ICMP messages to permit:
echo reply – Outgoing ping commands require echo-reply messages to come back.
time-exceeded – Outgoing traceroute commands require time-exceeded messages to come back.
traceroute – Allow an incoming traceroute.
unreachable – Permit all “unreachable” messages to come back. If a router cannot forward or deliver a datagram, it sends an ICMP unreachable message back to the source and drops the datagram.
Example:
Links:
R1-s2/0-R2-f0/1---f0/0-R3
R2(config)#
ip access-list extended BLOCK_CBAC
deny ip any any
interface Serial2/0
ip address 192.168.2.2 255.255.255.0
ip access-group BLOCK_CBAC in
ip inspect CBAC out
!Logging of the information generated by the session
ip inspect name CBAC icmp audit-trail on
ip inspect name CBAC telnet audit-trail on
!Inspects traffic originated by the router itself
ip inspect name CBAC icmp router-traffic
R3(config-if)#do tracer 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.10.1
1 192.168.20.2 40 msec 40 msec 28 msec
2 *
R2(config)#
!Permit the return traffic for the traceroute
ip access-list extended BLOCK_CBAC
1 permit icmp any any host-unreachable
2 permit icmp any any port-unreachable
R3(config-if)#do tracer 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.10.1
1 192.168.20.2 36 msec 32 msec 32 msec
2 192.168.2.1 64 msec 64 msec 56 msec
R2(config)#do sh ip inspe all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name CBAC
icmp alert is on audit-trail is on timeout 10
telnet alert is on audit-trail is on timeout 3600
Interface Configuration
Interface Serial2/0
Inbound inspection rule is not set
Outgoing inspection rule is CBAC
icmp alert is on audit-trail is on timeout 10
telnet alert is on audit-trail is on timeout 3600
Inbound access list is BLOCK_CBAC
Outgoing access list is not set
Established Sessions
Session 670378D8 (192.168.20.1:8)=>(192.168.10.1:0) icmp SIS_OPEN
Session 670378D8 (192.168.20.1:43496)=>(192.168.10.1:23) telnet SIS_OPEN
R2#
*Mar 1 14:07:06.260: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.20.1:38877) sent 42 bytes -- responder (192.168.10.1:23) sent 162 bytes
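The %FW-6-SESS_AUDIT_TRAIL record above is what "audit-trail on" produces for each session, and it is the data a monitoring side would want to collect. As an added example that is not part of the original post, the Python below parses both the Start (%FW-6-SESS_AUDIT_TRAIL_START) and Stop forms of that record, tolerates the em-dash that web formatting tends to substitute for the "--" separator, and builds a per-initiator summary of sessions started, sessions still open, and bytes sent in each direction. That summary is the raw material for the per-host session counting mentioned in the notes. The sample log lines are constructed for the example; only the last telnet Stop line is the one shown in the output above, and the threshold value used at the end is an arbitrary choice.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines in the CBAC audit-trail format. The final telnet
# Stop line is the one from the page (with its em-dash kept on purpose); the rest
# are made up in the same format to exercise the parser, plus one unrelated line.
SAMPLE_LOG = """\
*Mar  1 14:05:51.101: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.20.1:38877) -- responder (192.168.10.1:23)
*Mar  1 14:05:52.220: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.20.1:38878) -- responder (192.168.10.1:23)
*Mar  1 14:05:55.003: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.20.1:38878) sent 10 bytes -- responder (192.168.10.1:23) sent 80 bytes
*Mar  1 14:06:10.500: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.20.1:8) -- responder (192.168.10.1:0)
*Mar  1 14:06:20.511: %FW-6-SESS_AUDIT_TRAIL: Stop icmp session: initiator (192.168.20.1:8) sent 500 bytes -- responder (192.168.10.1:0) sent 500 bytes
*Mar  1 14:07:06.260: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.20.1:38877) sent 42 bytes \u2014 responder (192.168.10.1:23) sent 162 bytes
*Mar  1 14:07:07.000: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 14:07:30.000: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.20.7:50001) -- responder (192.168.10.1:80)
"""

# One pattern for both record types: the "sent N bytes" parts only exist on Stop.
AUDIT_RE = re.compile(
    r"^\*?(?P<ts>[^%]*?): "
    r"%FW-6-SESS_AUDIT_TRAIL(?:_START)?: (?P<verb>Start|Stop) (?P<proto>\S+) session: "
    r"initiator \((?P<init_ip>[^:)]+):(?P<init_port>\d+)\)"
    r"(?: sent (?P<init_bytes>\d+) bytes)? -- "
    r"responder \((?P<resp_ip>[^:)]+):(?P<resp_port>\d+)\)"
    r"(?: sent (?P<resp_bytes>\d+) bytes)?\s*$"
)


@dataclass
class AuditEvent:
    timestamp: str
    event: str              # "start" or "stop"
    proto: str              # inspected protocol name as logged (telnet, icmp, tcp, ...)
    init_ip: str
    init_port: int          # for icmp this field carries the ICMP type, as in the page output
    resp_ip: str
    resp_port: int
    init_bytes: Optional[int] = None   # only present on Stop records
    resp_bytes: Optional[int] = None


def parse_audit_trail(line: str) -> Optional[AuditEvent]:
    """Parse one syslog line; return None for lines that are not CBAC audit-trail records."""
    # Web pages often turn the IOS "--" separator into an em/en dash; undo that first.
    normalized = line.replace("\u2014", "--").replace("\u2013", "--").strip()
    m = AUDIT_RE.match(normalized)
    if not m:
        return None
    g = m.groupdict()
    return AuditEvent(
        timestamp=g["ts"],
        event=g["verb"].lower(),
        proto=g["proto"],
        init_ip=g["init_ip"], init_port=int(g["init_port"]),
        resp_ip=g["resp_ip"], resp_port=int(g["resp_port"]),
        init_bytes=int(g["init_bytes"]) if g["init_bytes"] else None,
        resp_bytes=int(g["resp_bytes"]) if g["resp_bytes"] else None,
    )


def summarize_sessions(log_text: str) -> dict:
    """Per-initiator view: sessions started, sessions still open (Start with no Stop),
    protocols seen, and bytes sent in both directions for the sessions that closed."""
    stats = defaultdict(lambda: {"started": 0, "open": 0, "init_bytes": 0,
                                 "resp_bytes": 0, "protos": set()})
    open_keys = set()   # 5-tuples of sessions that have started but not stopped
    for line in log_text.splitlines():
        ev = parse_audit_trail(line)
        if ev is None:
            continue
        key = (ev.proto, ev.init_ip, ev.init_port, ev.resp_ip, ev.resp_port)
        host = stats[ev.init_ip]
        host["protos"].add(ev.proto)
        if ev.event == "start":
            host["started"] += 1
            open_keys.add(key)
        else:
            open_keys.discard(key)
            host["init_bytes"] += ev.init_bytes or 0
            host["resp_bytes"] += ev.resp_bytes or 0
    for key in open_keys:
        stats[key[1]]["open"] += 1
    return dict(stats)


def hosts_over_threshold(stats: dict, max_started: int) -> list:
    """Initiator hosts that started more sessions than max_started (an arbitrary,
    example-only threshold), sorted for stable output."""
    return sorted(ip for ip, s in stats.items() if s["started"] > max_started)


if __name__ == "__main__":
    summary = summarize_sessions(SAMPLE_LOG)
    for ip, s in sorted(summary.items()):
        print(ip, s)
    print("over threshold:", hosts_over_threshold(summary, 2))
```

The parser keys open sessions on the full 5-tuple so that a Stop for one telnet session does not close a different one from the same host, and it treats a Stop without a matching Start (log rotated mid-session) as a closed session whose byte counts still get added. Feeding real "show logging" output or a syslog collector's file into summarize_sessions() gives the per-host session counts the notes refer to.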