Cisco CBAC: The Poor Man's Firewall
CBAC Overview
The Cisco IOS Firewall Feature Set is a module that can be added to the existing IOS to provide firewall functionality without the need for hardware upgrades. The Cisco IOS Firewall Feature Set has two components: Intrusion Detection (an optional bolt-on) and Context-Based Access Control (CBAC). CBAC maintains a state table for all of the outbound connections on a Cisco router by inspecting TCP and UDP connections at layer seven of the OSI model and populating the table accordingly. When return traffic is received on the external interface, it is compared against the state table to see whether the connection was originally established from within the internal network, and is then either permitted or denied. Although basic, this is a very effective mechanism for preventing unauthorized access to the internal network from external sources such as the internet.
CBAC Application-specific support
Cisco has also built application-specific inspection into CBAC, which enables the router to recognize and identify application-specific data flows such as HTTP, SMTP, TFTP, and FTP. Understanding these applications and their data flows lets the router identify malformed packets or suspect application data flows and permit or deny them accordingly. CBAC also provides the flexibility of allowing Java code to be downloaded from trusted sites while denying it from untrusted sites.
CBAC and Denial of Service (DOS) Attacks
Denial-of-Service (DOS) attack protection is also built in, with real-time logging of alerts as well as proactive responses to mitigate the threat. CBAC can be configured to manage half-open TCP connections, which are used in TCP SYN flood attacks to overload a target's resources, resulting in a denial of service to legitimate users. To do this, CBAC uses configurable timeouts and thresholds to determine how long state information should be kept for each session and when to drop it. Note that UDP and ICMP require an idle-timer limit to determine when a connection should be terminated. A very useful command for identifying a DOS attack is ip inspect audit-trail, which logs all DOS connections, including source and destination IP addresses and TCP or UDP ports, allowing you to pinpoint the exact source and destination of the attack.
Configuring CBAC
There are five steps to configuring CBAC on a Cisco router in order for it to function correctly. These are as follows:
1. Choose an interface to which inspection will be applied. This can be an internal or external interface, as CBAC is only concerned with the direction of the first packet initiating the connection, which is identified when applying CBAC to an interface.
2. Configure an IP access list in the correct direction on the selected interface to allow traffic through for CBAC to inspect.
3. Configure global timeouts and thresholds for established connections or sessions.
4. Define an inspection rule specifying exactly which protocols will be inspected by CBAC.
5. Apply the inspection rule to the interface in the correct direction.
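The five steps above, together with the timeouts and thresholds from the denial-of-service section, as one IOS configuration. This is an added example, not configuration from the original article; the interface names, ACL names and numbers, the rule name FW-RULE, the addresses and the threshold values are assumptions.

```cisco
! Constructed example: names, addresses and values are assumptions.
! Step 1: inspection is applied inbound on the inside interface, because
!         the first packet of each session arrives from the internal network.
!
! Step 2: access lists. INSIDE-OUT lets internal traffic through so CBAC can
!         inspect it. OUTSIDE-IN denies unsolicited traffic; CBAC adds
!         temporary openings to it for return traffic of inspected sessions.
ip access-list extended INSIDE-OUT
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
! Step 3: global timeouts (seconds) and half-open session thresholds.
ip inspect tcp synwait-time 30
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
! Log inspected sessions with source/destination addresses and ports.
ip inspect audit-trail
!
! Step 4: inspection rule. Java applets are accepted only from hosts
!         permitted by standard ACL 10 (the trusted sites).
access-list 10 permit 203.0.113.10
ip inspect name FW-RULE tcp
ip inspect name FW-RULE udp
ip inspect name FW-RULE ftp
ip inspect name FW-RULE smtp
ip inspect name FW-RULE tftp
ip inspect name FW-RULE http java-list 10
!
! Step 5: apply the rule and the access lists in the correct direction.
interface FastEthernet0/0
 description Inside
 ip access-group INSIDE-OUT in
 ip inspect FW-RULE in
interface FastEthernet0/1
 description Outside
 ip access-group OUTSIDE-IN in
```

Once applied, show ip inspect config displays the active rule and timers, and show ip inspect sessions lists the entries currently held in the state table.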
Nicholas Evra is a Senior IT Consultant for a Professional Services IT Organisation based in London, UK. As well as designing and developing network and security solutions for clients, Nicholas also regularly contributes technical tips and articles on Networkblue.net. Networkblue.net is a technical resource for novices and experts alike, providing free articles and tips on numerous Cisco topics such as Cisco's CBAC and other network security topics. For more, visit http://www.networkblue.net and http://www.networkblue.net/cisco/security