
CBAC creates a dynamic ACL - this scenario (curriculum)

17 years 6 months ago #21302 by zillah
I am aware of how CBAC works; please look at the figure below (step 2):

img484.imageshack.us/img484/7679/cabcib1.jpg

In step 2, he says: "CBAC creates a dynamic ACL allowing return traffic back through the firewall".

By "CBAC creates a dynamic ACL, etc.", does he mean the command line underneath it?
Access-list 102 permit TCP host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
17 years 6 months ago #21303 by Smurf
I think it's trying to say that it will dynamically create the line you have indicated. If you think about it, you would normally create your own ACL that allows traffic from any port to port 23. Then it's saying that CBAC will dynamically create a rule to allow the return traffic back to the host.

It's very similar to a stateful firewall, pretty much the same function as a PIX, for example: you specify a rule to allow traffic out and the return traffic is allowed back in.

That's what it looks like to me.

cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 6 months ago #21311 by zillah

It's very similar to a stateful firewall, pretty much the same function as a PIX, for example: you specify a rule to allow traffic out and the return traffic is allowed back in.

Yes, this is the behaviour of a stateful firewall.



I think it's trying to say that it will dynamically create the line you have indicated.

That means we do not need to create the ACL that is mentioned manually; it will be created automatically. So he mentioned it in the slide only for explanation purposes?

Second, why does CBAC create that specific ACL (i.e. eq 23) only? Can't it create others (eq 80, eq 21, etc.)?

Third, why does the word "TCP" in the command line appear in upper case (as we know, the Cisco convention is that keywords are lower case, not upper case; upper case is used for names)? Is it a typo?
17 years 6 months ago #21319 by Smurf

That means we do not need to create the ACL that is mentioned manually; it will be created automatically. So he mentioned it in the slide only for explanation purposes?

That's what I believe, yes. You need to allow some form of traffic; however, the return traffic will be automatically allowed to return, since CBAC will handle this as it knows it's part of the communication.

Second, why does CBAC create that specific ACL (i.e. eq 23) only? Can't it create others (eq 80, eq 21, etc.)?

It can, if you have a rule that allows the traffic in the first place. I think it's only used as an example, and you will need to ensure that the port 23 traffic is allowed first before the return traffic will be allowed to travel back. Without this manual rule, the dynamic rules will not be created.

Third, why does the word "TCP" in the command line appear in upper case (as we know, the Cisco convention is that keywords are lower case, not upper case; upper case is used for names)? Is it a typo?

I think this is an exception. I have not done much with CBAC; however, from the configs I have seen, they have been in upper case. I'm sure someone who does this in their day-to-day job can confirm.

17 years 6 months ago #21322 by zillah
Thanks Smurf for sharing and for your effort.

For more clarification and knowledge sharing, this is what I have been advised:

What he means is this.

The host 10.0.0.3 creates a telnet session (port 23) to the server 172.30.1.50. This is allowed out through the router.

On the router interface that connects to the 172.30.1.50 network there is an access-list that looks like:

access-list 102 deny ip any any

and this access-list is applied in the inbound direction.

This will stop all inbound connections from outside.

What happens when the inside host telnets out is that a line is dynamically added to access-list 102. So now your access-list looks like this:

access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
access-list 102 deny ip any any

(or any other ACL number)

When the telnet session is finished, the dynamically added line will disappear and your access-list will be:

access-list 102 deny ip any any

That means our configuration looks like this:
Assume interface fastethernet0/1 (right-hand side of the picture) is connected to the server.

Router(config)#interface fastethernet0/1
Router(config-if)#ip access-group 102 in
Router(config-if)#ip inspect FWRULE out
Router(config-if)#no shutdown
Router(config-if)#exit

CBAC will automatically add its entries before any statically configured lines that we have typed in, so the dynamic lines will always be at the top of the access-list.
17 years 6 months ago #21323 by Smurf
That's correct; however, to secure things more you would generally have an access-list restricting the outgoing traffic. In that case you would therefore need to create the rule to allow the telnet traffic out in the first place. Then CBAC will automatically generate the 102 access rule to allow the return traffic while the session is active.

It doesn't seem very secure if you do not restrict the outgoing traffic, since it leaves your company open to abuse from inside the network. Remember, you are responsible for the link, so if a massive DDoS attack happened that was sourced from within your network, you would be held responsible.

That's why I generally create rules to restrict incoming traffic from the internet (that goes without saying), but I also restrict all outgoing traffic to fall in line with our security policies.

Cheers

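As an added illustration of the mechanism discussed in this thread (the return-traffic line that CBAC inserts at the top of ACL 102 while the telnet session is open, its disappearance when the session ends, and the point that a static permit for the outgoing traffic must exist before any dynamic line is created), here is a small Python model. It is example code written for this page, not Cisco IOS code or output. Assumptions beyond what the thread states: an outbound ACL 101 on fastethernet0/1 that permits only tcp/23 (standing in for the egress policy Smurf recommends), an inspection rule covering tcp and udp, and session close modelled as an explicit call rather than CBAC's own FIN tracking and idle timeouts.

```python
"""Toy model of CBAC return-traffic entries (added example, not Cisco code).
Assumed: inside host 10.0.0.3, server 172.30.1.50 behind fa0/1, ACL 102 applied
inbound and tcp/udp inspection applied outbound on fa0/1, plus an assumed outbound
ACL 101 that permits only telnet. Session close is an explicit call here; real
CBAC watches the FIN exchange or an idle timeout."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # host address or "any"
    sport: Optional[int]   # None means any port
    dst: str
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

    def __str__(self) -> str:
        ep = lambda a, p: ("any" if a == "any" else f"host {a}") + ("" if p is None else f" eq {p}")
        return f"{self.action} {self.proto} {ep(self.src, self.sport)} {ep(self.dst, self.dport)}"

class Acl:
    def __init__(self, number: int, static: List[Ace]):
        self.number, self.static = number, list(static)
        self.dynamic: List[Ace] = []          # lines CBAC adds and later removes

    def entries(self) -> List[Ace]:
        return self.dynamic + self.static     # dynamic lines always sit above the static ones

    def permits(self, p: Packet) -> bool:
        for ace in self.entries():
            if ace.matches(p):
                return ace.action == "permit"
        return False                          # implicit deny at the end of every ACL

    def show(self) -> List[str]:
        return [f"access-list {self.number} {a}" for a in self.entries()]

class CbacRouter:
    """fa0/1: ACL `outbound` plus inspection applied out, ACL `inbound` applied in."""
    def __init__(self, inbound: Acl, outbound: Acl, inspect: Tuple[str, ...]):
        self.inbound, self.outbound, self.inspect = inbound, outbound, inspect
        self.sessions: Dict[Tuple[str, str, int, str, int], Ace] = {}

    def send_out(self, p: Packet) -> bool:
        """Inside host -> outside; a static permit must exist before anything is tracked."""
        if not self.outbound.permits(p):
            return False                      # dropped packets never create a session
        if p.proto in self.inspect:
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            if key not in self.sessions:
                # mirror of the outbound 5-tuple (server:23 -> client:2447), inserted at the top
                ace = Ace("permit", p.proto, p.dst, p.dport, p.src, p.sport)
                self.sessions[key] = ace
                self.inbound.dynamic.insert(0, ace)
        return True

    def receive_in(self, p: Packet) -> bool:
        """Outside -> inside: only ACL 102 (static plus dynamic lines) decides."""
        return self.inbound.permits(p)

    def close_session(self, key: Tuple[str, str, int, str, int]) -> None:
        """Session finished: the dynamically added line disappears again."""
        ace = self.sessions.pop(key, None)
        if ace is not None:
            self.inbound.dynamic.remove(ace)

def build_router() -> CbacRouter:
    acl102 = Acl(102, [Ace("deny", "ip", "any", None, "any", None)])
    acl101 = Acl(101, [Ace("permit", "tcp", "any", None, "any", 23)])  # assumed egress policy
    return CbacRouter(acl102, acl101, ("tcp", "udp"))                    # assumed: inspect tcp and udp

def run_scenario() -> dict:
    """Constructed telnet session 10.0.0.3:2447 -> 172.30.1.50:23, plus some traffic that must fail."""
    r = build_router()
    syn = Packet("tcp", "10.0.0.3", 2447, "172.30.1.50", 23)
    ret = Packet("tcp", "172.30.1.50", 23, "10.0.0.3", 2447)
    res = {"unsolicited_inbound": r.receive_in(ret)}   # nothing tracked yet: dropped by deny ip any any
    res["telnet_out"] = r.send_out(syn)
    res["acl102_during"] = r.inbound.show()
    res["telnet_return"] = r.receive_in(ret)
    res["other_port_inbound"] = r.receive_in(Packet("tcp", "172.30.1.50", 23, "10.0.0.3", 2448))
    res["http_out"] = r.send_out(Packet("tcp", "10.0.0.3", 2448, "172.30.1.50", 80))  # blocked by 101
    res["sessions_open"] = len(r.sessions)
    r.close_session(("tcp", "10.0.0.3", 2447, "172.30.1.50", 23))
    res["return_after_close"] = r.receive_in(ret)
    res["acl102_after"] = r.inbound.show()
    return res
```

Running `run_scenario()` shows ACL 102 as two lines while the session is open (the permit for 172.30.1.50 eq 23 to 10.0.0.3 eq 2447 above the deny) and as the single deny line after the close; the attempted HTTP connection never produces a dynamic line because ACL 101 drops it before inspection sees it.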