Cisco has introduced several extremely useful security features for IOS, particularly in the Firewall feature set. Many of the features discussed in this chapter are only available in the Firewall IOS feature set.
We covered Access Control Lists (ACLs) in general in Chapter 19. Most ACLs are relatively simple objects that just filter traffic based on Layer 2, 3, or 4 information. However, Context-Based Access Control (CBAC) is a special kind of access list that builds a state table and reacts to application-layer information. A typical CBAC configuration monitors HTTP traffic: when an internal user connects to a particular external web site, CBAC creates a state-table entry for that session, allowing the return traffic for this TCP session back in.
This is a relatively simple example, though, that doesn’t require any Layer 7 information. However, some applications, such as Java and other HTTP extensions, often do require monitoring Layer 7 information to ensure that the inbound packets are treated properly.
Passive FTP is perhaps the most common example of a protocol that requires the firewall to monitor Layer 7 information. Passive FTP is the default for many popular web browsers. In this application, the user’s software requests an inbound FTP connection on a specified TCP port from a remote server. CBAC is able to listen to these packets and learn which TCP port to allow in, permitting this legitimate traffic. It then removes the rule automatically when the session terminates. ...
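The following configuration is an added example and is not taken from the book; it shows how the CBAC behavior described above is expressed on an IOS router running the Firewall feature set. The interface names, the inside network 192.168.1.0/24, the link address 198.51.100.2, and the trusted Java server range 203.0.113.0/24 are all assumed values for illustration.

```cisco
! Added example (not from the book). Inside LAN 192.168.1.0/24 sits behind
! FastEthernet0/0; Serial0/0 is the Internet link. Names and addresses are
! assumed for illustration only.
!
! Inspection rule: inspect HTTP (with Java applet filtering) and FTP so that
! return traffic, including the dynamically negotiated FTP data port, is
! opened only for sessions that inside hosts initiated. Generic tcp and udp
! inspection covers all other outbound sessions.
ip inspect name OUTBOUND http java-list 51
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Standard ACL 51 lists the only (assumed) servers whose Java applets are
! allowed through; http inspection drops applets from any other site.
access-list 51 permit 203.0.113.0 0.0.0.255
!
! Log creation and teardown of every dynamic session entry so the
! temporary openings CBAC makes can be audited afterwards.
ip inspect audit-trail
!
! Static inbound ACL on the outside interface: nothing is permitted from the
! Internet except what the CBAC state table opens dynamically. The explicit
! deny with "log" records whatever is dropped.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface Serial0/0
 description Internet link
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
!
interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
```

The inspection rule is applied in the outbound direction on the outside interface, so only traffic leaving the network creates state; the inbound ACL on that same interface is evaluated before the packet ever reaches an inside host, and CBAC punches the temporary holes in front of it. Use `show ip inspect sessions` to see the dynamic entries, including the FTP data-channel ports it learned from the control connection. Note that the deny-all inbound ACL also blocks anything that did not originate inside, such as inbound ICMP or routing-protocol traffic from the provider, so permit such traffic explicitly above the deny if the link needs it.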