Page 1

CNIT 221 Security 1 ver.2, Module 8
City College of San Francisco, Spring 2007

© 2005 Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved.

Page 2

Network Security 1

Module 8 – Configure Filtering on a Router

Page 3

Learning Objectives

• 8.1 Filtering Technologies

• 8.2 Cisco IOS Firewall Context-Based Access Control

• 8.3 Configure Cisco IOS Firewall Context-Based Access Control

Page 4

Module 8 – Configure Filtering on a Router

8.2 Cisco IOS Firewall Context-Based Access Control

Page 5

Cisco IOS Firewall CBAC

– Packets are inspected by CBAC upon entering the firewall if they are not specifically denied by an ACL.

– CBAC permits or denies specified TCP and UDP traffic through a firewall.

– A state table is maintained with session information.

– ACLs are dynamically created or deleted.

[Figure: inside hosts opening TCP and UDP sessions through the CBAC firewall to the Internet]

Page 6

Cisco IOS ACLs

• Provide traffic filtering by:

– Source and destination IP addresses

– Source and destination ports

• Can be used to implement a filtering firewall

– Ports are opened permanently to allow traffic, creating a security vulnerability.

– Do not work with applications that negotiate ports dynamically.

Page 7

How CBAC Works

Page 8

How CBAC Works (Cont)

Page 9

CBAC Supported Protocols

– TCP (single channel)

– UDP (single channel)

– RPC

– FTP

– TFTP

– UNIX R-commands (such as rlogin, rexec, and rsh)

– SMTP

– HTTP (Java blocking)

– Java

– SQL*Net

– RTSP (such as RealNetworks)

– H.323 (such as NetMeeting, ProShare, CUSeeMe)

– Other multimedia:

  Microsoft NetShow

  StreamWorks

  VDOLive

Page 10

Alerts and Audit Trails

• CBAC generates real-time alerts and audit trails.

• Audit trail features use Syslog to track all network transactions.

• With CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

Page 11

Access Control List (ACL) Review

Page 12

Identifying Access Lists

Cisco routers can identify access lists using two methods:

• Access list number (all IOS versions)—The number of the access list determines what protocol it is filtering:

– (1-99) and (1300-1399)—Standard IP access lists.

– (100-199) and (2000-2699)—Extended IP access lists.

– (800-899)—Standard IPX access lists.

• Access list name (IOS versions > 11.2)—You provide the name of the access list:

– Names contain alphanumeric characters.

– Names cannot contain spaces or punctuation and must begin with an alphabetic character.

Page 13

Basic Types of IP Access Lists

Cisco routers support two basic types of IP access lists:

• Standard—Filter IP packets based on the source address only.

• Extended—Filter IP packets based on several attributes, including:

– Protocol type.

– Source and destination IP addresses.

– Source and destination TCP/UDP ports.

– ICMP and IGMP message types.

Page 14

Standard Numbered Access List Format

Router(config)#
access-list access-list-number {deny | permit} source [source-wildcard]

Austin2(config)# access-list 2 permit 36.48.0.3
Austin2(config)# access-list 2 deny 36.48.0.0 0.0.255.255
Austin2(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Austin2(config)# interface e0/1
Austin2(config-if)# ip access-group 2 in

Page 15

Standard Named Access List Format

Router(config)#
ip access-list standard access-list-name

Router(config-std-nacl)#
{deny | permit} source [source-wildcard]

Austin2(config)# ip access-list standard protect
Austin2(config-std-nacl)# deny 36.48.0.0 0.0.255.255
Austin2(config-std-nacl)# permit 36.0.0.0 0.255.255.255
Austin2(config-std-nacl)# exit

Page 16

Extended Numbered Access List Format

Router(config)#
access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]

Miami(config)# access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config)# access-list 103 permit tcp any host 128.88.1.2 eq smtp
Miami(config)# interface e0/0
Miami(config-if)# ip access-group 103 in

[Figure: router Miami with interface e0/0 toward the Internet; internal networks 128.88.1.0 and 128.88.3.0; SMTP host 128.88.1.2]

Page 17

Extended Named Access List Format

Router(config)#
ip access-list extended access-list-name

Router(config-ext-nacl)#
{deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]

Miami(config)# ip access-list extended mailblock
Miami(config-ext-nacl)# permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config-ext-nacl)# permit tcp any host 128.88.1.2 eq smtp
Miami(config-ext-nacl)# exit
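The four ACL formats on slides 14 through 17 share one evaluation model: entries are tried top to bottom, the first match decides, and a packet that matches no entry falls to the implicit deny at the end of every list. The Python below is an added example, not Cisco code and not part of the original module: it parses the numbered `access-list` statements exactly as they are typed on slides 14 and 16 and applies that model, implementing wildcard-mask matching, `host`, `any`, `eq <port>` and `established` (which in IOS matches only segments with the ACK or RST bit set); `log` and other keywords are ignored. The port-name table and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Service names accepted in 'eq' clauses; a constructed subset for this example.
PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "telnet": 23, "domain": 53}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # True when the TCP ACK or RST flag is set


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr_matcher(tok: List[str], i: int, extended: bool):
    """Parse one address spec at tok[i]; return (predicate, index after it)."""
    t = tok[i]
    if t == "any":
        return (lambda ip: True), i + 1
    if t == "host":
        target = tok[i + 1]
        return (lambda ip: ip == target), i + 2
    # Bare address: extended entries always carry a wildcard.  Standard entries
    # may omit it (slide 14: 'permit 36.48.0.3'), which IOS treats as 0.0.0.0.
    if extended or (i + 1 < len(tok) and tok[i + 1].count(".") == 3):
        wc = tok[i + 1]
        return (lambda ip: wildcard_match(ip, t, wc)), i + 2
    return (lambda ip: ip == t), i + 1


@dataclass
class Entry:
    action: str
    proto: str                       # "ip" matches every protocol
    src_ok: Callable[[str], bool]
    dst_ok: Callable[[str], bool]
    dport: int = 0                   # 0: any destination port
    established: bool = False


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} ...' (standard or extended numbered)."""
    tok = line.split()
    assert tok[0] == "access-list"
    number, action = int(tok[1]), tok[2]
    extended = 100 <= number <= 199 or 2000 <= number <= 2699   # ranges from slide 12
    if not extended:
        src_ok, _ = _addr_matcher(tok, 3, extended=False)
        return Entry(action, "ip", src_ok, lambda ip: True)
    proto = tok[3]
    src_ok, i = _addr_matcher(tok, 4, extended=True)
    dst_ok, i = _addr_matcher(tok, i, extended=True)
    dport, established = 0, False
    while i < len(tok):
        if tok[i] == "eq":                       # destination port qualifier
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "established":            # only ACK/RST segments match
            established, i = True, i + 1
        else:
            i += 1                               # log, log-input: no effect on the decision
    return Entry(action, proto, src_ok, dst_ok, dport, established)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (e.src_ok(p.src) and e.dst_ok(p.dst)):
        return False
    if e.dport and p.dport != e.dport:
        return False
    return not e.established or p.ack_or_rst


def evaluate(acl_lines: List[str], p: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in map(parse_entry, acl_lines):
        if entry_matches(e, p):
            return e.action
    return "deny"


# The two numbered lists from slides 14 and 16, exactly as typed there.
ACL_2 = [
    "access-list 2 permit 36.48.0.3",
    "access-list 2 deny 36.48.0.0 0.0.255.255",
    "access-list 2 permit 36.0.0.0 0.255.255.255",
]
ACL_103 = [
    "access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established",
    "access-list 103 permit tcp any host 128.88.1.2 eq smtp",
]
```

Running `evaluate(ACL_103, ...)` on a new inbound SYN to 128.88.3.9 shows why slide 6 calls static ACLs a weak firewall: the `established` entry admits any segment with ACK set regardless of who opened the session, and the `eq smtp` entry opens port 25 on the mail host permanently. The CBAC state table introduced on slide 5 is what ties return traffic to a session the inside actually initiated.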

Page 18

Commenting IP Access-List Entries

Router(config)#
access-list access-list-number remark message

Router(config-std-nacl)# / Router(config-ext-nacl)#
remark message

Miami(config)# access-list 102 remark Allow traffic to file server
Miami(config)# access-list 102 permit ip any host 128.88.1.6

Page 19

Basic Rules for Developing Access Lists

Here are some basic rules you should follow when developing access lists:

• Rule #1—Write it out!

– Get a piece of paper (or just use Notepad) and write out what you want this access list to accomplish.

– This is the time to think about potential problems.

• Rule #2—Set up a development system.

– Allows you to copy and paste statements easily.

– Allows you to develop a library of access lists.

– Store the files as ASCII text files.

• Rule #3—Apply the access list to a router and test.

– If at all possible, run your access lists in a test environment before placing them into production.

Page 20

Access List Directional Filtering

[Figure: router Austin1 with interfaces s0/0, e0/0 and e0/1 connected toward the Internet; arrows mark the inbound and outbound directions relative to an interface]

• Inbound—Data flows toward the router interface.

• Outbound—Data flows away from the router interface.

Page 21

Applying Access Lists to Interfaces

Router(config-if)#
ip access-group {access-list-number | access-list-name} {in | out}

Tulsa(config)# interface e0/1
Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out

Page 22

Displaying Access Lists

Router#
show access-lists {access-list-number | access-list-name}

Miami# show access-lists
Extended IP access list 102
    10 permit ip any host 128.88.1.6
Extended IP access list mailblock
    10 permit tcp any 128.88.0.0 0.0.255.255 established
Miami#

Page 23

Module 8 – Configure Filtering on a Router

8.3 Configure Cisco IOS Firewall Context-Based Access Control

Page 24

CBAC Configuration

– Pick an interface – internal or external.

– Configure IP access lists at the interface.

– Set audit trails and alerts.

– Set global timeouts and thresholds.

– Define PAM.

– Define inspection rules.

– Apply inspection rules and ACLs to interfaces.

– Test and verify.

Page 25

Enable Audit Trails and Alerts

Router(config)#
ip inspect audit-trail

• Enables the delivery of audit trail messages using Syslog.

Router(config)#
no ip inspect alert-off

• Enables real-time alerts.

Router(config)# logging on
Router(config)# logging 10.0.0.3
Router(config)# ip inspect audit-trail
Router(config)# no ip inspect alert-off

Page 26

Global Half-Opened Connection Limits

Router(config)#
ip inspect max-incomplete high number

• Defines the number of existing half-opened sessions that causes the software to start deleting half-opened sessions (aggressive mode).

Router(config)#
ip inspect max-incomplete low number

• Defines the number of existing half-opened sessions that causes the software to stop deleting half-opened sessions.

Page 27

Global Half-Opened Connection Limits

Router(config)#
ip inspect one-minute high number

• Defines the number of new half-opened sessions per minute at which the software starts deleting half-opened sessions.

Router(config)#
ip inspect one-minute low number

• Defines the number of new half-opened sessions per minute at which the software stops deleting half-opened sessions.
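Slides 26 and 27 give two pairs of thresholds (a total of half-open sessions and a per-minute rate of new ones) but not how the high and low values work together. The Python below is an added example, not Cisco code and not part of the module: a small model of the behaviour the slides describe, in which crossing either high value puts the firewall into aggressive mode, each further new connection request then evicts the oldest half-open session, and the mode clears once both counts are back below their low values. The threshold numbers and session identifiers are constructed; that exactly one oldest session is evicted per new request is an assumption of the model, not a statement about the IOS implementation.

```python
from collections import deque
from typing import Deque, List


class HalfOpenMonitor:
    """Models CBAC's global half-open session thresholds (added illustration)."""

    def __init__(self, max_high: int, max_low: int, minute_high: int, minute_low: int) -> None:
        self.max_high, self.max_low = max_high, max_low              # ip inspect max-incomplete high/low
        self.minute_high, self.minute_low = minute_high, minute_low  # ip inspect one-minute high/low
        self.half_open: Deque[str] = deque()    # half-open sessions, oldest first
        self.new_this_minute = 0                # new half-open sessions seen this minute
        self.aggressive = False                 # True while the firewall is shedding sessions
        self.deleted: List[str] = []            # sessions removed by aggressive mode

    def _update_mode(self) -> None:
        count = len(self.half_open)
        if count > self.max_high or self.new_this_minute > self.minute_high:
            self.aggressive = True              # a 'high' value was crossed
        elif count < self.max_low and self.new_this_minute < self.minute_low:
            self.aggressive = False             # back below both 'low' values

    def new_attempt(self, session_id: str) -> bool:
        """A SYN that matches no session arrived.  Returns True when aggressive mode
        evicted the oldest half-open session to make room for it (assumed policy)."""
        self.new_this_minute += 1
        evicted = False
        if self.aggressive and self.half_open:
            self.deleted.append(self.half_open.popleft())
            evicted = True
        self.half_open.append(session_id)
        self._update_mode()
        return evicted

    def established(self, session_id: str) -> None:
        """Three-way handshake completed: the session is no longer half-open."""
        if session_id in self.half_open:
            self.half_open.remove(session_id)
        self._update_mode()

    def minute_tick(self) -> None:
        """Start of a new one-minute sampling window."""
        self.new_this_minute = 0
        self._update_mode()


def syn_flood_demo(burst: int) -> dict:
    """Constructed scenario: a burst of SYNs that never complete the handshake,
    against max-incomplete high 5 / low 3 (one-minute limits set out of reach)."""
    mon = HalfOpenMonitor(max_high=5, max_low=3, minute_high=10_000, minute_low=9_000)
    evictions = sum(mon.new_attempt(f"syn-{i}") for i in range(burst))
    return {"half_open": len(mon.half_open), "evicted": evictions,
            "aggressive": mon.aggressive, "deleted": list(mon.deleted)}
```

The gap between high and low is deliberate hysteresis: with the two values equal, the firewall would flap in and out of aggressive mode on every new SYN, which is why each pair on the slides is configured with the low value well under the high one.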

Page 28

Port-to-Application Mapping Overview

• Ability to configure any port number for an application protocol.

• CBAC uses PAM to determine the application configured for a port.

Page 29

User-Defined Port Mapping – port forwarding

Router(config)#
ip port-map appl_name port port_num

• Maps a port number to an application.

Router(config)# ip port-map http port tcp 8080

Router(config)#
access-list acl_num permit ip_addr
ip port-map appl_name port port_num list acl_num

• Maps a port number to an application for a given host.

Router(config)# ip port-map http port tcp 8000 list 99
Router(config)# access-list 99 permit host 192.168.1.11

Router(config)#
access-list acl_num permit ip_addr wildcard_mask
ip port-map appl_name port port_num list acl_num

• Maps a port number to an application for a given network.

Page 30

Display PAM Configuration

Router#
show ip port-map

• Shows all port mapping information.

Router#
show ip port-map appl_name

• Shows port mapping information for a given application.

Router#
show ip port-map port port_num

• Shows port mapping information for a given application on a given port.

Router# sh ip port-map ftp
Default mapping: ftp port 21 system defined
Host specific: ftp port 1000 in list 10 user

Page 31

Inspection Rules for Application Protocols

Router(config)#
ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

– Defines the application protocols to inspect.

– Will be applied to an interface.

Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive.

alert, audit-trail, and timeout are configurable per protocol and override global settings.

Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Page 32

Inspection Rules for Java

Router(config)#
ip inspect name inspection-name http java-list acl-num [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

• Controls Java blocking with a standard ACL.

Router(config)# ip inspect name FWRULE http java-list 10 alert on audit-trail on timeout 300
Router(config)# access-list 10 deny 172.26.26.0 0.0.0.255
Router(config)# access-list 10 permit 172.27.27.0 0.0.0.255

Page 33

Inspection Rules for RPC Applications

Router(config)#
ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

• Allows given RPC program numbers—wait-time keeps the connection open for a specified number of minutes.

Router(config)# ip inspect name FWRULE rpc program-number 100022 wait-time 0 alert off audit-trail on

Page 34

Inspection Rules for SMTP Applications

Router(config)#
ip inspect name inspection-name smtp [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

• Allows only the following legal commands in SMTP applications: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.

• If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed.

Router(config)# ip inspect name FWRULE smtp

Page 35

Inspection Rules for IP Packet Fragmentation

Router(config)#
ip inspect name inspection-name fragment max number timeout seconds

• Protects hosts from certain DoS attacks involving fragmented IP packets.

– max—maximum number of unassembled fragmented IP packets.

– timeout—seconds after which unassembled fragmented IP packets begin to be discarded.

Router(config)# ip inspect name FWRULE fragment max 254 timeout 4

Page 36

Applying Inspection Rules and ACLs

Router(config-if)#
ip inspect inspection-name {in | out}

– Applies the named inspection rule to an interface.

Router(config)# interface e0/0
Router(config-if)# ip inspect FWRULE in

• Applies the inspection rule to interface e0/0 in the inward direction.

Page 37

General Rules for Applying Inspection Rules and ACLs

• Interface where traffic initiates

– Apply an ACL on the inward direction that permits only wanted traffic.

– Apply a rule on the inward direction that inspects wanted traffic.

• All other interfaces

– Apply an ACL on the inward direction that denies all unwanted traffic.

Page 38

Example—Two Interface Firewall

Page 39

Outbound Traffic

• Apply an ACL and inspection rule to the inside interface in an inward direction.

• Permit inside-initiated traffic from the 10.0.0.0 network.

• Configure CBAC to inspect TCP and UDP traffic.

Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp
Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any
Router(config)# interface e0/0
Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in

Page 40

Inbound Traffic

• Apply an ACL and inspection rule to the outside interface in an inward direction.

• Permit outside-initiated ICMP and HTTP traffic to host 10.0.0.3.

Router(config)# access-list 102 permit icmp any host 10.0.0.3
Router(config)# access-list 102 permit tcp any host 10.0.0.3 eq www
Router(config)# access-list 102 deny ip any any
Router(config)# interface e0/1
Router(config-if)# ip access-group 102 in
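ACL 102 on the outside interface denies everything except ICMP and HTTP to 10.0.0.3, yet inside hosts still get their replies back. The Python below is an added example, not Cisco code and not part of the module, that models the two-interface firewall of slides 39 and 40: ACL 101 and the OUTBOUND inspection rule on e0/0, ACL 102 on e0/1, and a state table in between. A session that the inspection rule has seen leaving on e0/0 gets a temporary entry that is consulted before ACL 102, which is the "ACLs are dynamically created or deleted" behaviour from slide 5. The addresses 198.51.100.7 and 203.0.113.9 are constructed documentation addresses; the inside hosts are taken from the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple

INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")   # 10.0.0.0 0.0.0.255 in ACL 101
WEB_HOST = "10.0.0.3"                                # host permitted by ACL 102
INSPECTED = {"tcp", "udp"}                           # ip inspect name OUTBOUND tcp / udp


@dataclass(frozen=True)
class Flow:
    """One direction of a session, keyed the way a state table keys it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def acl_101(f: Flow) -> bool:
    """permit ip 10.0.0.0 0.0.0.255 any / deny ip any any"""
    return ipaddress.ip_address(f.src) in INSIDE_NET


def acl_102(f: Flow) -> bool:
    """permit icmp any host 10.0.0.3 / permit tcp any host 10.0.0.3 eq www / deny ip any any"""
    if f.dst != WEB_HOST:
        return False
    return f.proto == "icmp" or (f.proto == "tcp" and f.dport == 80)


class TwoInterfaceFirewall:
    def __init__(self) -> None:
        self.state: Set[Flow] = set()    # inside-initiated sessions CBAC is tracking

    def e0_0_in(self, f: Flow) -> Tuple[str, str]:
        """Inbound on the inside interface: ACL 101 first, then the OUTBOUND rule."""
        if not acl_101(f):
            return "deny", "ACL 101"
        if f.proto in INSPECTED:
            self.state.add(f)            # dynamic entry that will admit the return traffic
            return "permit", "ACL 101, session added to state table"
        return "permit", "ACL 101, not inspected"

    def e0_1_in(self, f: Flow) -> Tuple[str, str]:
        """Inbound on the outside interface: state table is consulted before ACL 102."""
        if f.reverse() in self.state:
            return "permit", "return traffic of an inspected session"
        if acl_102(f):
            return "permit", "ACL 102"
        return "deny", "ACL 102 (implicit deny)"

    def session_closed(self, f: Flow) -> None:
        """Session ended (FIN/RST seen or timeout expired): CBAC removes the entry."""
        self.state.discard(f)
```

Running the model also surfaces a limitation of this particular configuration: OUTBOUND inspects only `tcp` and `udp`, so an inside host's ping to the Internet leaves through e0/0 without creating a state entry, and the echo reply is dropped by ACL 102 on the way back. Unsolicited connections from outside to anything other than 10.0.0.3 are denied the same way, which is the point of the design.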

Page 41

Example—Three-Interface Firewall

Page 42

Outbound Traffic

• Apply an ACL and inspection rule to the inside interface in an inward direction.

• Permit inside-initiated traffic from the 10.0.0.0 network.

• Configure CBAC to inspect TCP and UDP traffic.

Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp
Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any
Router(config)# interface e0/0
Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in

Page 43

Inbound Traffic

• Apply an ACL and inspection rule to the outside interface in an inward direction.

• Permit outside-initiated ICMP and HTTP traffic to host 172.16.0.2.

• Configure CBAC to inspect TCP traffic.

Router(config)# ip inspect name INBOUND tcp
Router(config)# access-list 102 permit icmp any host 172.16.0.2
Router(config)# access-list 102 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 102 deny ip any any
Router(config)# interface e0/1
Router(config-if)# ip access-group 102 in

Page 44

DMZ-Bound Traffic

• Apply proper access lists and an inspection rule to the interface.

• Permit only ICMP traffic initiated in the DMZ.

• Permit only outward ICMP and HTTP traffic to host 172.16.0.2.

Router(config)# access-list 103 permit icmp host 172.16.0.2 any
Router(config)# access-list 103 deny ip any any
Router(config)# access-list 104 permit icmp any host 172.16.0.2
Router(config)# access-list 104 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 104 deny ip any any
Router(config)# interface e1/0
Router(config-if)# ip access-group 103 in
Router(config-if)# ip access-group 104 out

Page 45

show Commands

Router#
show ip inspect name inspection-name
show ip inspect config
show ip inspect interfaces
show ip inspect session [detail]
show ip inspect all

• Displays CBAC configurations, interface configurations, and sessions.

Router# sh ip inspect session
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN

Page 46

debug Commands

Router#
debug ip inspect function-trace
debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect events
debug ip inspect timers

• General debug commands.

Router#
debug ip inspect protocol

• Protocol-specific debug.

Page 47

Remove CBAC Configuration

Router(config)#
no ip inspect

• Removes the entire CBAC configuration.

• Resets all global timeouts and thresholds to the defaults.

• Deletes all existing sessions.

• Removes all associated dynamic ACLs.

Page 48

Firewall and ACL Main Window
