module 8: configure filtering on a router - modified
DESCRIPTION
TRANSCRIPT
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-1111© 2003, Cisco Systems, Inc. All rights reserved.
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-2
Configure Filtering on a Router
Joanne Wagner,
CCNP, CCAI, Cisco Firewall Specialist, Security+
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-3
Overview
This module will discuss, in greater detail, how routers are utilized to secure a network through the use of Access Control Lists (ACLs) and Context-based Access Control (CBAC).
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-4
Key terms
• CBAC
• Turbo ACLs
• Lock and Key ACLs
• Authentication Proxy
• PAM
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-5
Filtering Basics: Filtering Technologies
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-6
Overview of Filtering Technologies
• Packet Filtering
• Proxy Server
• Stateful Packet Filtering
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-7
Packet Filtering
• Packet Filtering uses ACLs to accept or deny access based on header information.
•Packet-filtering firewalls do not keep track of the state of a connection, which takes place in a stateful firewall.
• Packet filtering is the first generation firewall.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-8
Problems with Packet Filtering
• Arbitrary but undesirable packets can be sent that fit the ACL criteria and, therefore, pass through the filter.
• Packets can pass through the filter by being fragmented.
• Complex ACLs are difficult to implement and maintain correctly.
• Some services cannot be filtered.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-9
Proxy Servers
• A proxy server is a device that examines packets at higher levels, Layers 4 through 7.
• A proxy stands between a trusted and untrusted network and makes the connection, each way, on behalf of the source.
• A proxy firewall breaks the communication channel – there is no direct connection to internal computers.
•Proxy Servers are second generation firewalls.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-10
Problems with Proxy
• They create single points of failure, which means that if the entrance to the network is compromised, then the entire network is compromised.
• They make it difficult to add new services to the firewall.
• They are CPU intensive and often perform slower under stress.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-11
Stateful Packet Filtering
• This technology maintains the complete session state.• Each time a TCP or UDP connection is established for
inbound or outbound connections, the information is logged in a stateful session flow table. This table contains the source and destination address, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a given session.
• This requires that the firewall maintain a state table, which is like a score sheet of who said what to whom.
• The stateful firewall will only allow packets in that the internal hosts requested.
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-12
Filtering Basics: Filtering Inbound and Outbound Traffic
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-13
Ingress and Egress Filtering
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-14
Inbound Traffic on the Perimeter
• Filter packets that have an internal address as their source. RFC-2827
• Filter packets with private addresses as their source. RFC-1918
• Filter BOOTP, TFTP and traceroute packets
• Allow TCP connections only if they are initiated from the internal network
• Allow al other incoming connections to access the DMZ servers only
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-15
Outbound Traffic on the Perimeter
• Allow only packets with a source address from the internal network to access the Internet
• Filter any IP addresses that are not allowed to leave the network as defined by the security policy
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-16
General Rules
• Disable unused services, ports, or protocols
• Limit access to services, ports, or protocols (using ACLs
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-17
Case Study
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-18
Traffic Filtering – Case Study
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-19
IP Address Spoof Mitigation - Inbound
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-20
IP Address Spoof Mitigation - Outbound
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-21
DoS SYN-flooding Attack
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-22
DoS TCP SYN Attack Mitigation-Using TCP Intercept
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-23
DoS Land Attack Mitigation
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-24
DoS Smurf Attack Mitigation
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-25
Filtering ICMP - Inbound
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-26
Filtering ICMP Messages - Outbound
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-27
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-28
Links
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt6/scrpf.htm - Unicast RFChttp://www.cymru.com/Bogons/ - The Team Cymru Bogon Reference Page with many links to informative information.http://www.iana.org/assignments/ipv4-address-space - allocated address spacehttp://www.faqs.org/rfcs/rfc1918.html - RFC 1918http://www.faqs.org/rfcs/rfc2827.html - RFC 2827 http://www.dslreports.com/forum/remark,13764380?hilite=attack+land – sample configuration with secure configuration which includes explanations.
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-29
Types of IP ACLs
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-30
Types of Access Control Lists (ACLs)
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-31
Identifying Access Lists
• Access list number (All IOS versions)—The number of the access list determines what protocol it is filtering:– (1-99) and (1300-1999)—Standard IP access lists.
– (100-199) and (2000-2699)—Extended IP access lists.
– (800-899)—Standard IPX access lists.
• Access list name (IOS versions > 11.2)—You provide the name of the access list:– Names contain alphanumeric characters.
– Names cannot contain spaces or punctuation and must begin with a alphabetic character.
Cisco routers can identify access lists using two methods:
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-32
Identifying Numbered ACLs
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-33
Basic Types of IP Access Lists
• Standard—Filter IP packets based on the source address only.
• Extended—Filter IP packets based on several attributes, including:– Protocol type.
– Source and destination IP addresses.
– Source and destination TCP/UDP ports.
– ICMP and IGMP message types.
Cisco routers support two basic types of IP access lists:
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-34
Standard Numbered Access List Format
Austin2(config)# access-list 2 permit 36.48.0.3Austin2(config)# access-list 2 deny 36.48.0.0 0.0.255.255Austin2(config)# access-list 2 permit 36.0.0.0 0.255.255.255Austin2(config)# interface e0/1Austin2(config-if)# ip access-group 2 in
Router(config)#
access-list access-list-number {deny | permit} source [source-wildcard]
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-35
Standard Named Access List Format
Austin2(config)# ip access-list standard protect Austin2(config-std-nacl)# deny 36.48.0.0 0.0.255.255Austin2(config-std-nacl)# permit 36.0.0.0 0.255.255.255Austin2(config)# exit
Router(config)#
ip access-list standard access-list-name
Router(config-std-nacl)#
{deny | permit} source [source-wildcard]
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-36
Extended Numbered Access List Format
Miami(config)# access-list 103 permit tcp any 128.88.0.0 0.0.255.255 establishedMiami(config)# access-list 103 permit tcp any host
128.88.1.2 eq smtpMiami(config)# interface e0/0Miami(config-if)# ip access-group 103 in
Router(config)#
access-list access-list-number {deny | permit} {protocol-number | protocol-keyword}{source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established][log | log-input]
Internet
Miami
e0/0
128.88.1.2
128.88.1.0
128.88.3.0
SMTPhost
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-37
Extended Named Access List Format
Miami(config)# ip access-list extended mailblock Miami(config-ext-nacl)# permit tcp any 128.88.0.0 0.0.255.255 established Miami(config-ext-nacl)# permit tcp any host 128.88.1.2 eq smtpMiami(config-ext-nacl)# exit
Router(config)#
ip access-list extended access-list-name
Router(config-ext-nacl)#
{deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established][log | log-input]
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-38
Commenting IP Access-List Entries
Miami(config)# access-list 102 remark Allow traffic to file serverMiami(config)# access-list 102 permit ip any host 128.88.1.6
Router(config)#
remark message
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-39
Basic Rules for Developing Access Lists
• Rule #1—Write it out!– Get a piece of paper and write out what you want this access list to accomplish.
– This is the time to think about potential problems.
• Rule #2—Setup a development system.– Allows you to copy and paste statements easily.
– Allows you to develop a library of access lists.
– Store the files as ASCII text files.
• Rule #3—Apply access list to a router and test.– If at all possible, run your access lists in a test environment before placing
them into production.
Here are some basic rules you should follow when developing access lists:
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-40
Access List Directional Filtering
Austin1s0/0 e0/0
e0/1
Internet
Inbound Outbound
• Inbound—Data flows toward router interface.
• Outbound—Data flows away from router interface.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-41
Applying Access Lists to Interfaces
Tulsa(config)# interface e0/1Tulsa(config-if)# ip access-group 2 in Tulsa(config-if)# exitTulsa(config)# interface e0/2Tulsa(config-if)# ip access-group mailblock out
Router(config)#
ip access-group {access-list-number | access-list-name} {in | out}
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-42
Displaying Access Lists
Miami# show access-lists
Extended IP access list 102 permit ip any host 128.88.1.6
Extended IP access list mailblock permit tcp any 128.88.0.0 0.0.255.255 established
Miami#
Router#
show access-lists {access-list-number | access-list-name}
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-43
Enhanced Access Lists
• Dynamic (Lock and Key)—Create dynamic entries.
• Time-Based—Access lists whose statements become active based upon the time of day and/or day of the week.
• Reflexive—Create dynamic openings on the untrusted side of a router based on sessions originating from a trusted side of the router.
• Context-Based Access Control (CBAC)—Allows for secure handling of multi-channel connections based on upper layer information.
Cisco routers support several enhanced types of access lists:
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-44
Lock-and-Key
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-45
Lock-and-Key
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-46
Lock-and-Key
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-47
Lock-and-Key Example
routerP(config)# access-list 101 permit tcp host 10.0.P.12 host 10.0.P.2 eq telnetrouterP(config)# access-list 101 permit eigrp any anyrouterP(config)# access-list 101 dynamic ALLOWWEB timeout 90 permit tcp 10.0.P.0 0.0.0.255 host 172.26.26.50 eq wwwrouterP(config)# username cisco password studentrouterP(config)# interface fa 0/0routerP(config-if)# ip access-group 101 inrouterP(config)# line vty 0 4routerP(config-line)# login localrouterP(config-line)# autocommand access-enable host timeout 2
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-48
Lock-and-Key Process
Router% telnet corporateTrying 172.21.52.1 ...Connected to corporate.abc.com.Escape character is `^]'.User Access VerificationPassword:Connection closed by foreign host.
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-49
Reflexive Access Lists
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-50
Reflexive Access List
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-51
Reflexive Access List Exceptions
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-52
External Interface Configuration ExampleThis example has reflexive access lists configured for an external interface.This configuration example permits both inbound and outbound TCP traffic at interface Serial 1, but only if the first packet (in a given session) originated from inside your network. The interface Serial 1 connects to the Internet.
Extended IP access list inboundfilters permit bgp any any (2 matches) permit eigrp any any deny icmp any any evaluate tcptrafficExtended IP access list outboundfilters permit tcp any any reflect tcptraffic
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-53
Time-Based Access Lists
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-54
Authentication Proxy
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-55
Authentication Proxy
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-56
Turbo Acls
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-57
Turbo ACLs
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-58
Enable Turbo ACLs
e0/016.1.1.2
e0/116.2.1.1
R2
Remote access LAN 16.2.1.0/24
R2(config)# access-list compiledR2(config)# exitR2# show access-list compiled
Router(config)#
access-list compiledRouter#
show access-list compiled
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-59
Context-based Access Control (CBAC)
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-60
Cisco IOS ACLs
• Provide traffic filtering by
– Source and destination IP addresses.
– Source and destination ports.
• Can be used to implement a filtering firewall
– Ports are opened permanently to allow traffic, creating a security vulnerability.
– Do not work with applications that negotiate ports dynamically.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-61
IOS and CBAC – Working Together
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-62
TCP
UDP
CBAC
• Packets are inspected entering the firewall by CBAC if they are not specifically denied by an ACL.
• CBAC permits or denies specified TCP and UDP traffic through a firewall.
• A state table is maintained with session information.
• ACLs are dynamically created or deleted.
• CBAC protects against DoS attacks.
Internet
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-63
How CBAC Works
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-64
Supported Protocols
• TCP (single channel)
• UDP (single channel)
• RPC
• FTP
• TFTP
• UNIX R-commands (such as rlogin, rexec, and rsh)
• SMTP
• HTTP (Java blocking)
• Java
• SQL*Net
• RTSP (such as RealNetworks)
• H.323 (such as NetMeeting, ProShare, CUSeeMe)
• Other multimedia
– Microsoft NetShow
– StreamWorks
– VDOLive
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-65
CBAC Features
• CBAC inspection recognizes application-specific commands in the control channel.
• CBAC tracks the sequence numbers in all TCP packets, and drops the packets with sequence numbers that are not within expected ranges
• When CBAC suspects an attack, the DoS feature can issue an alert and block the packets of the intuder.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-66
Alerts and Audit Trails
• CBAC generates real-time alerts and audit trails.
• Audit trail features use Syslog to track all network transactions.
• With CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-67
CBAC Configuration
• Set audit trails and alerts.
• Set global timeouts and thresholds.
• Define Port-to-Application Mapping (PAM).
• Define inspection rules.
• Apply inspection rules and ACLs to interfaces.
• Test and verify.
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-68
Configure CBAC(Task 1 and 2)
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-69
Router(config)# logging onRouter(config)# logging 10.0.0.3Router(config)# ip inspect audit-trail
• Enables the Syslog server and turns on logging
[no] ip inspect alert-off• Alert can be turned off
Enable Audit Trail and Alert
ip inspect audit-trail
Router(config)#
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-70
Types of Timeouts and Thresholds
CBAC uses timeouts and thresholds to determine how long to manage state information for a session and to determine when to drop sessions:• TCP- SYN and FIN Wait Times
• TCP, UDP, and DNS Idle Times
• Global Half-Open Connection Limits
• Half-Open Connection Limits by Host
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-71
ip inspect tcp synwait-time seconds
(default is 30 seconds)
ip inspect tcp finwait-time seconds
(default is 5 seconds)
• Specifies the time the Cisco IOS Firewall waits for a TCP session to reach the established state before dropping the session.
• Specifies the time the Cisco IOS Firewall waits for a FIN exchange to complete before quitting the session.
TCP - SYN, and FIN Wait Times
Router(config)#
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-72
ip inspect dns-timeout seconds
(default is 5 seconds)
ip inspect tcp idle-time seconds (default is 1 hour)
ip inspect udp idle-time seconds
(default is 30 seconds)
• Specifies the time allowed for a TCP or UDP session with no activity.
• Specifies the time allowed for a DNS session with no activity.
TCP - UDP, and DNS Idle Times
Router(config)#
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-73
ip inspect max-incomplete high number
ip inspect max-incomplete low number
• Defines the number of existing half-opened sessions that cause the software to start deleting half-opened sessions (aggressive mode).
• Defines the number of existing half-opened sessions that cause the software to stop deleting half-opened sessions.
Global Half-Opened Connection Limits
Router(config)#
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-74
ip inspect one-minute high number
ip inspect one-minute low number
• Defines the number of new half-opened sessions per minute at which they start being deleted.
• Defines the number of new half-opened sessions per minute at which they stop being deleted.
Global Half-Opened Connection Limits (cont.)
Router(config)#
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-75
ip inspect tcp max-incomplete host number block-time seconds
Half-Opened Connection Limits by Host
• Defines the number of half-opened TCP sessions with the same host destination address that can exist at a time before the Cisco IOS Firewall starts deleting half-open sessions to the host.
• After the number of half-opened connections is exceeded to a given host, the software deletes half-open sessions on that host in the following manner:
– If block-time is 0, the oldest half-opened session is deleted, per new connection request, to allow new connections.
– If block-time is greater than 0, all half-opened sessions are deleted, and new connections to the host are not allowed during the specified block time.
Router(config)#
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-76
Port-to-Application Mapping(Task 3)
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-77
Port-to-Application Mapping
• Ability to configure any port number for an application protocol.
• CBAC uses PAM to determine the application configured for a port.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-78
ip port-map appl_name port port_num• Maps a port number to an application.
access-list permit acl_num ip_addr
ip port-map appl_name port port_num list acl_num• Maps a port number to an application for a given host.
access-list permit acl_num ip_addr wildcard_mask
ip port-map appl_name port port_num list acl_num• Maps a port number to an application for a given network.
User-Defined Port Mapping
Router(config)#
Router(config)#
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-79
show ip port-map • Shows all port mapping information.
show ip port-map appl_name• Shows port mapping information for a given application.
show ip port-map port port_num• Shows port mapping information for a given application on a
given port.
Display PAM Configuration
Router#
Router#
Router#
Router# sh ip port-map ftpDefault mapping: ftp port 21 system definedHost specific: ftp port 1000 in list 10 user
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-80
Define Inspection Rules(Task 4)
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-81
ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
Inspection Rules for Application Protocols
• Defines the application protocols to inspect.
• Will be applied to an interface
– Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive.
– alert, audit-trail, and timeout are configurable per protocol and override global settings.
Router(config)#
Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-82
Router(config)# ip inspect name FWRULE http java-list 10 alert on audit-trail on timeout 300
Router(config)# ip access-list 10 deny 172.26.26.0 0.0.0.255
Router(config)# ip access-list 10 permit 172.27.27.0 0.0.0.255
• Controls java blocking with a standard ACL.
Inspection Rules for Java
ip inspect name inspection-name http java-list acl-num [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-83
Router(config)# ip inspect name FWRULE rpc program-number 100022 wait-time 0 alert off audit-trail on
• Allows given RPC program numbers—wait-time keeps the connection open for a specified number of minutes.
Inspection Rules for RPC Applications
ip inspect name inspection-name rpcprogram-number number [wait-time minutes] [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-84
Router(config)# ip inspect name FWRULE smtp
• Allows only the following legal commands in SMTP applications: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.
• If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed.
Inspection Rules for SMTP Applications
ip inspect name inspection-name smtp [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-85
Router(config)# ip inspect name FWRULE fragment max 254 timeout 4
• Protects hosts from certain DoS attacks involving fragmented IP packets
– max—number of unassembled fragmented IP packets.
– timeout—seconds when the unassembled fragmented IP packets begin to be discarded.
Inspection Rules for IP Packet Fragmentation
ip inspect name inspection-name fragment max number timeout seconds
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-86
URL Filtering
Websense or N2H2
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-87
ICMP Packet Types Supported by CBAC (IOS 12.2(15)T)
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-88
Inspection Rules and ACLs Applied to Router Interfaces
(Task 5)
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-89
ip inspect inspection-name {in | out}
Apply an Inspection Rule to an Interface
• Applies the named inspection rule to an interface.
Router (config-if)#
Router(config)# interface e0/0Router(config-if)# ip inspect FWRULE in
• Applies the inspection rule to interface e0/0 in inward direction.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-90
Example—Two Interface Firewall
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-70
General Rules for Applying Inspection Rules and ACLs
• Interface where traffic initiates
– Apply ACL on the inward direction that permits only wanted traffic.
– Apply rule on the inward direction that inspects wanted traffic.
• All other interfaces
– Apply ACL on the inward direction that denies all unwanted traffic.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-91
• Apply an ACL and inspection rule to the inside interface in an inward direction.
• Permit inside-initiated traffic from the 10.0.0.0 network.
Router(config)# interface e0/0Router(config-if)# ip inspect OUTBOUND inRouter(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any
Router(config)# ip inspect name OUTBOUND tcpRouter(config)# ip inspect name OUTBOUND udp
• Configure CBAC to inspect TCP and UDP traffic.
Outbound Traffic
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-92
Router(config)# interface e0/1Router(config-if)# ip access-group 102 in
Router(config)# access-list 102 permit icmp any host 10.0.0.3
Router(config)# access-list 102 permit tcp any host 10.0.0.3 eq www
Router(config)# access-list 102 deny ip any any
• Apply an ACL and inspection rule to outside interface in inward direction.
• Permit outside-initiated ICMP and HTTP traffic to host 10.0.0.3.
Inbound Traffic
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-93
Example—Three-Interface Firewall
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-94
• Apply an ACL and inspection rule to the inside interface in an inward direction.
• Permit inside-initiated traffic from 10.0.0.0 network.
Router(config)# interface e0/0Router(config-if)# ip inspect OUTBOUND inRouter(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any
Router(config)# ip inspect name OUTBOUND tcpRouter(config)# ip inspect name OUTBOUND udp
• Configure CBAC to inspect TCP and UDP traffic.
Outbound Traffic
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-95
• Apply an ACL and inspection rule to the outside interface in an inward direction.
• Permit outside-initiated ICMP and HTTP traffic to host 172.16.0.2.
Router(config)# interface e0/1Router(config-if)# ip inspect INBOUND inRouter(config-if)# ip access-group 102 in
Router(config)# access-list 102 permit icmp any host 172.16.0.2
Router(config)# access-list 102 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 102 deny ip any any
Inbound Traffic
Router(config)# ip inspect name INBOUND tcp
• Configure CBAC to inspect TCP traffic.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-96
Router(config)# interface e1/0Router(config-if)# ip access-group 103 inRouter(config-if)# ip access-group 104 out
Router(config)# access-list 103 permit icmp host 172.16.0.2 anyRouter(config)# access-list 103 deny ip any any
Router(config)# access-list 104 permit icmp any host 172.16.0.2Router(config)# access-list 104 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 104 deny ip any any
• Permit only ICMP traffic initiated in the DMZ.
• Permit only outward ICMP and HTTP traffic to host 172.16.0.2.
DMZ-Bound Traffic
• Apply proper access lists and an inspection rule to the interface.
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-97
Test and Verify(Task 6)
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-98
show ip inspect name inspection-nameshow ip inspect configshow ip inspect interfacesshow ip inspect session [detail]show ip inspect all
• Displays CBAC configurations, interface configurations, and sessions.
show Commands
Router#
Router# sh ip inspect sessionEstablished Sessions Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-99
debug ip inspect function-tracedebug ip inspect object-creationdebug ip inspect object-deletiondebug ip inspect eventsdebug ip inspect timers
• General debug commands.
debug Commands
Router#
debug ip inspect protocol• Protocol-specific debug.
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-100
no ip inspect
• Removes entire CBAC configuration.
• Resets all global timeouts and thresholds to the defaults.
• Deletes all existing sessions.
• Removes all associated dynamic ACLs.
Remove CBAC Configuration
Router(config)#
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-101
Configuring Null Interface
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-102
Summary
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-103
Summary
• ACLs are used to filter and secure network traffic.
• While ACLs filter network traffic by controlling whether routed or switched packets are forwarded or blocked at the interface, CBAC is used to create temporary openings in the firewall access lists.
• The student should understand the six steps required for configuring CBAC:
– Set audit trails and alerts
– Set global timeouts and thresholds
– Define PAM
– Define inspection rules
– Apply inspection rules and ACLs to interfaces
– Test and verify
104104104© 2003, Cisco Systems, Inc. All rights reserved.