Advanced Zone-Based Policy Firewall
FIGURE 5-1 Audit trail of inbound
SMTP sessions
WARNING
Do not delete and re- create a policy map as you would do with an access list. Deleting a policy map silently removes all references to it, thus potentially modi- fying your router config-
Outside Inside Perimeter Internet Client 10.0.0.2 Internal Server 10.0.0.10
External Mail Server 172.18.25.10
Syslog Alert Inbound SMTP
Session
Web/Mail Server 192.168.0.2
Firewall Configuration
LISTING 5-1 Configuring the Audit Trail of Inbound SMTP Sessions
fw#ccoonnff tt
Enter configuration commands, one per line. End with CNTL/Z fw(config)#ccllaassss--mmaapp ttyyppee iinnssppeecctt PPuubblliiccSSMMTTPP fw(config-cmap)#mmaattcchh ccllaassss--mmaapp SSMMTTPP fw(config-cmap)#mmaattcchh aacccceessss--ggrroouupp nnaammee EExxtteerrnnaallSSeerrvveerr fw(config-cmap)#eexxiitt fw(config)#ppaarraammeetteerr--mmaapp ttyyppee iinnssppeecctt aauuddiitt fw(config-profile)#aauuddiitt--ttrraaiill oonn fw(config-profile)#eexxiitt fw(config)#ppoolliiccyy--mmaapp ttyyppee iinnssppeecctt OOuuttssiiddeeTTooPPeerriimmeetteerr fw(config-pmap)#nnoo ccllaassss ttyyppee iinnssppeecctt PPuubblliiccTTrraaffffiicc fw(config-pmap)#ccllaassss ttyyppee iinnssppeecctt PPuubblliiccSSMMTTPP fw(config-pmap-c)#iinnssppeecctt aauuddiitt fw(config-pmap-c)#ccllaassss ttyyppee iinnssppeecctt PPuubblliiccTTrraaffffiicc fw(config-pmap-c)#iinnssppeecctt fw(config-pmap-c)#^^ZZ fw#
After this configuration change, the router generates a line in the syslog for every session establishment and termination event. Sample log messages are displayed in Listing 5-2.
LISTING 5-2 SMTP Session Audit Trail
%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OutsideToPerimeter:PublicSMTP):Start smtp session: initiator (172.18.25.10:1044) -- responder (192.168.0.2:25)
%FW-6-SESS_AUDIT_TRAIL: (target:class)-(OutsideToPerimeter:PublicSMTP)
Firewall
Configuration
Tuning Denial-of-Service Protection
The stateful firewall inspection in Cisco IOS contains inherent denial-of-service (DoS) protection mechanisms. The router constantly monitors the number of established and half-open connections and the connection creation rate and issues warnings or alerts when they exceed configured thresholds. The router also tries to cope with a DoS attack (primarily SYN attacks in which the intruder sends a large number of TCP SYN packets, also called SYN floods) by aggressively deleting half-open sessions when their number exceeds the threshold or when the session establishment rate exceeds the threshold.
WARNING
The rapid deletion of half-open TCP sessions helps preserve the integrity of the network infrastructure and the existing TCP sessions (servers might simply crash or hang up under a DoS attack). It does not help preserve the service availability, because the legitimate sessions in the establishment phase also get dropped among the fake ones. TCP intercept is a much better mechanism to maintain service availability during an aggressive SYN flood. However, it has a big performance impact, which might prevent its use on a heavily loaded router.
The Cisco IOS Firewall Stateful Inspection (CBAC) feature enables you to configure only the global thresholds. The zone-based policy firewall uses parameter maps that can be attached to every inspect statement in a policy map, resulting in a very granular solution that can be fine-tuned to the actual network environment and traffic patterns.
The commands described in Table 5-2 are used to configure the inspect thresholds in a parameter map. (The parameter-
map syntax is described in Table 5-1.) Remember that all parameters apply to a single traffic class between a pair of
zones.
NOTE
Half-open TCP connec- tions are connections where the SYN packet has been received, but the first non-SYN packet hasn’t been seen yet.
Firewall Configuration
TABLE 5-2 Configuring Inspect Thresholds
Command Syntax Description
alert on | off Enables or disables syslog alerts (default: on).
audit-trail on | off Enables or disables the session audit trail written to the router’s log (default: off). sessions maximum number Configures the maximum number of sessions in this traffic class.
dns-timeout seconds Configures the maximum time between the DNS query and response packet. icmp idle-timeout seconds Configures the maximum time between ICMP request and reply.
max-incomplete high Configures the threshold at which the Cisco IOS firewall starts the DoS protection (high parameter) number | low number and when the DoS protection stops (low parameter). While the DoS protection is active, the firewall
resets one half-open connection for every new connection attempt.
one-minute high number | Configures the per-minute session establishment threshold that triggers the DoS protection. The low number process starts after the high threshold has been exceeded and stops when the session establishment
rate drops below the low threshold.
tcp max-incomplete host Configures the maximum number of half-open sessions from a single IP host. The offending host threshold [ block minutes ] could be (optionally) blocked for the specified duration.
tcp synwait-time seconds Configures TCP timers—the maximum time between packets in session establishment, the tcp finwait-time seconds maximum time between packets in session termination and the session idle timer.
tcp idle-time seconds
udp idle-time seconds Configures the idle timer for non-DNS UDP sessions.
You can display the default values of all these parameters with the show parameter-map type inspect default command, which displays the values in Listing 5-3.
Firewall Configuration
LISTING 5-3 Default Stateful Packet Inspection Thresholds
fw#sshhooww ppaarraammeetteerr--mmaapp ttyyppee iinnssppeecctt ddeeffaauulltt parameter-map type inspect default values
audit-trail off alert on max-incomplete low 400 max-incomplete high 500 one-minute low 400 one-minute high 500 udp idle-time 30 icmp idle-time 10 dns-timeout 5 tcp idle-time 3600 tcp finwait-time 5 tcp synwait-time 30
tcp max-incomplete host 50 block-time 0
You would usually need to modify the inspect thresholds in high-volume environments when the router starts issuing warning and alert messages (similar to Listing 3-9). For example, it’s quite easy to get more than 500 HTTP requests per minute on a popular website.
Before changing the thresholds, it might be beneficial to reduce the various timeouts (which will by itself reduce the number of half-open sessions). For example, many host DNS resolvers time out in 2 seconds. Thus, having a 5-second DNS timeout is overkill. Similarly, a 30-second synwait-time is useful only if there is a dialup connection in the outbound session establishment path; otherwise, you should use a timeout of a few seconds. The 10-second icmp idle-
Firewall Configuration
After you have adapted the timeouts to your environment, perform the following steps to fine-tune the half-open session thresholds:
Step 1. Make sure your network is not infected with a worm or a target of a DoS attack. (In both cases, tuning DoS