CBAC - Cisco IOS Firewall Feature Set Foundations

Abstract

With the commercial firewall market dominated by expensive products such as those from Check Point, Nokia and Cisco (the PIX Firewall), many smaller organizations rely on packet filtering and Access Control Lists (ACLs) on perimeter routers to provide basic firewall features or perimeter defences. Since IOS 11.2(P), Cisco has enhanced the ability of its perimeter routers to perform a basic firewall function with the introduction of the Cisco IOS Firewall feature set. Although not suitable for every situation, the Firewall feature set is a substantial improvement over ACL-based filters. Its core is Context-Based Access Control (CBAC), which performs stateful inspection of TCP and UDP sessions and dynamically modifies ACLs so that only the return traffic of sessions initiated from the protected network is admitted. The Cisco IOS Firewall feature set therefore occupies a middle ground between a fully functional firewall such as the PIX or Check Point and a hardened Cisco IOS router protected only by static ACLs. Although limited, CBAC and the other features of the Cisco IOS Firewall feature set allow significantly more flexibility in managing a perimeter Cisco router than a router running the standard version of the Cisco IOS. This paper concentrates on the operation and configuration of CBAC.
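The following configuration is an added illustration of the mechanism the abstract describes and is not taken from the paper. It assumes a router with FastEthernet0/0 on the inside LAN (192.168.1.0/24), FastEthernet0/1 facing the Internet, a single mail relay (192.168.1.25) that must accept inbound SMTP, and an inspection rule named FW-OUT; all names and addresses are illustrative.

```cisco
! Added example (not from the paper): minimal CBAC perimeter configuration.
! Assumed: Fa0/0 = inside LAN 192.168.1.0/24, Fa0/1 = outside, mail relay
! 192.168.1.25 must be reachable from the Internet on SMTP. Illustrative only.
!
! 1. Inspection rule set. CBAC watches sessions leaving through the outside
!    interface and opens temporary ACL entries for their return traffic.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT ftp
!
! Age out idle sessions so the dynamic openings do not linger.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! 2. Static inbound filter on the outside interface. CBAC requires an
!    extended ACL here: it inserts its dynamic permits ahead of these lines.
!    Return traffic for inside-initiated sessions is deliberately NOT listed.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.168.1.25 eq smtp
 deny   ip any any log
!
! 3. Anti-spoofing filter on the inside interface: only the inside prefix
!    may originate the sessions that CBAC will inspect.
ip access-list extended INSIDE-IN
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group INSIDE-IN in
!
interface FastEthernet0/1
 description Outside / Internet
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
```

After an inside host opens an outbound TCP or UDP session, `show ip inspect sessions` lists the tracked session and `show ip access-lists OUTSIDE-IN` shows the temporary permit entry CBAC has added above the static lines; once the session closes or idles out, the entry disappears and the inbound ACL is back to its static deny-by-default state. Without the `ip inspect` statement on FastEthernet0/1, the same ACL would block all replies to inside-initiated traffic, which is exactly the limitation of a pure ACL perimeter that the abstract contrasts CBAC against.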