Will Robinson

Will Robinson

Will is a senior sales engineer & DevOps specialist who loves talking about cloud, automation and cybersecurity

NBAR, also known as Network Based Application Recognition is an invaluable tool that many people do not know exists or simply just don’t use it enough.

As the name suggests, NBAR reads packets that flow through a router and “recognises” the types of applications that are sending the packets. Examples of applications that can be recognised include:

  • FTP
  • Kazaa
  • HTTP URL Addresses
  • Bit Torrent
  • Many, many more!

And the good news is that this handy little feature can be put to use in many different ways, some of which I have discussed below.

NBAR & Access Control

Before NBAR came along, one of the techniques Network Administrators woulduse to stop users from getting up to mischief was blocking “bad” ports. However, with a little bit of know how it is very easy to change ports thereby making the “bad” traffic look like legitimate traffic. By using NBAR you don’t need to specify port numbers, you just specify the application that you would like to block, apply it to an interface and you’re done. Because NBAR reads the packets (up to, and including Layer 7 information), it is still able to block the traffic even if the users change their port numbers.

Note: NBAR can be used in conjunction with Context-Based Access Control (CBAC) to create an extremely effective firewall on a Cisco router.

NBAR & URL Filtering

NBAR can also be used to block URLs. This can be a great little feature if you have a small office setup and do not have the time or the resources to set up a proxy server.

The filtering also allows you to use wildcard masks so blocking websites with multiple sub-domains (such as YouTube) can be done just as easily as blocking a single domain.

NBAR & QoS

Another application for NBAR is with QoS policies. Rather than specifying port numbers for different traffic types, NBAR will automatically identify the port numbers for you. This is a small gain I know, but it makes life a little easier. It also makes your config somewhat more readable in that instead of creating a class-map and ACL that specifies TCP port 80 and 23, you can use NBAR to match “HTTP” traffic and “Telnet” instead.

As always, if you have any questions or have a topic that you would like me to discuss, please feel free to post a comment at the bottom of this blog entry, e-mail at will@oznetnerd.com, or drop me a message on Reddit (OzNetNerd).

Note: The opinions expressed in this blog are my own and not those of my employer.

Leave a comment

You may also enjoy

Lambda packaging the right way

November 11, 2020

Simplicity One of the beautiful things about Lambda is its simplicity. You write code, test it and then you deploy it. If it works on your machine, you can ...

Architecting on AWS: ALB

October 26, 2020

This post is a part of the “Architecting on AWS” series Picking up from where we left off, we need eliminate the single point(s) of failure in our architect...

Architecting on AWS: EC2

October 21, 2020

This post is a part of the “Architecting on AWS” series Picking up from where we left off, the the devs’ requirements were as follows: They need a web s...