Internal refers to the trusted/protected side where sessions must originate for traffic to be permitted through the firewall.

External refers to the untrusted/unprotected side where sessions cannot originate. Sessions originating from the external side will be blocked.
Figure 5-2. Internal Versus External Interface
Although CBAC is recommended to be configured in one direction per interface, it can be configured in two directions (also known as bidirectional CBAC) at one or more interfaces when the networks on both sides of the firewall require protection, such as with extranet or intranet configurations, and for protection against DoS attacks.
Step 2: Configure an IP Access List

For CBAC to work, an IP access list is configured to create temporary openings through the firewall to allow return traffic. It is important to remember that the access list must be an extended access list.

There is no basic template for configuring the access list. Configuration depends on the security policy of an organization. The access list should be kept simple, starting with a basic initial configuration. Making the access list complex and cluttered could unintentionally introduce security risks by allowing unwanted traffic through the firewall, thereby putting the protected network at risk.
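The two steps above (choosing the internal/external interfaces, then the extended access list) combined into one minimal one-direction CBAC configuration. This is an added example, not a configuration from the book; the inspection rule name FW-INSPECT, ACL number 101, interface names and addresses are all assumed.

```cisco
! Added example (not from the book). Assumed: internal interface
! GigabitEthernet0/0 on 192.168.10.0/24, external interface
! GigabitEthernet0/1, inspection rule FW-INSPECT, extended ACL 101.
!
! Inspection rule: the protocols CBAC tracks. For each session that
! starts on the internal side, CBAC adds a temporary opening for the
! matching return traffic in front of the static ACL entries below.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
!
! Step 2: extended access list applied inbound on the external side.
! Keep it simple: only ICMP messages needed for normal operation are
! permitted statically; everything else originating outside is denied.
! CBAC inserts its dynamic permit entries above these static lines.
access-list 101 remark Inbound from the untrusted side
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 unreachable
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 time-exceeded
access-list 101 deny   ip any any log
!
! Step 1: internal (trusted) interface. Sessions must originate here,
! so the inspection rule is applied to traffic entering this interface.
interface GigabitEthernet0/0
 description Internal - trusted side, sessions originate here
 ip address 192.168.10.1 255.255.255.0
 ip inspect FW-INSPECT in
!
! External (untrusted) interface: the extended ACL blocks sessions
! that try to originate from this side.
interface GigabitEthernet0/1
 description External - untrusted side, sessions may not originate here
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
!
! Verification: active inspected sessions and the dynamic entries
! CBAC has inserted at the top of access list 101.
show ip inspect sessions
show ip access-lists 101
```

Applying the inspection rule outbound on the external interface instead of inbound on the internal interface is the equivalent one-direction alternative; bidirectional CBAC would add a second inspection rule and ACL in the opposite direction.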