With the commercial firewall market dominated by expensive firewall products such as those from Check Point, Nokia and Cisco (PIX Firewall), many smaller organizations rely on packet filtering technologies and Access Control Lists (ACLs) on perimeter routers to provide basic firewall features or perimeter defences. Since IOS 11.2(P), Cisco has enhanced the ability of its perimeter routers to perform a basic firewall function with the introduction of the Cisco IOS Firewall feature set. Although not suitable for all situations, the Firewall feature set is a substantial improvement over ACL-based filters. Based on the Context-Based Access Control (CBAC) feature, which delivers stateful inspection of TCP and UDP packets and dynamic modification of ACLs, the Cisco IOS Firewall feature set provides a middle ground between a fully functional firewall solution, such as the PIX and Check Point solutions, and a hardened Cisco IOS-based router with ACLs. Although limited, CBAC and the other features of the Cisco IOS Firewall feature set allow significant flexibility in managing a perimeter Cisco router when compared to a router running the standard version of the Cisco IOS. This paper will concentrate on the operation and configuration of CBAC.