Network Security 1
Module 8 – Configure Filtering on a Router
8.2 Cisco IOS Firewall Context-Based Access Control
Cisco IOS Firewall CBAC
– Packets entering the firewall are inspected by CBAC unless an ACL specifically denies them first.
– CBAC permits or denies specified TCP and UDP traffic through a firewall.
– A state table is maintained with session information.
– Temporary ACL entries are dynamically created and deleted to admit the return traffic of inspected sessions.
– CBAC protects against certain DoS attacks (for example SYN floods) by tracking and limiting half-open sessions.
Cisco IOS ACLs
– Provide traffic filtering by:
• Source and destination IP addresses
• Source and destination ports
– Can be used to implement a filtering firewall, with two limitations:
• Ports must be opened permanently to allow return traffic, which exposes inside hosts to unsolicited connections on those ports.
• Do not work with applications that negotiate ports dynamically (for example the FTP data channel).
CBAC Supported Protocols
– TCP (single channel)
– UDP (single channel)
– RPC
– FTP
– TFTP
– UNIX R-commands (such as rlogin, rexec, and rsh)
– SMTP
– HTTP (Java blocking)
– Java
– SQL*Net
– RTSP (such as RealNetworks)
– H.323 (such as NetMeeting, ProShare, CUSeeMe)
– Other multimedia:
• Microsoft NetShow
• StreamWorks
• VDOLive
Alerts and Audit Trails
– CBAC generates real-time alerts and
audit trails.
– Audit trail features use Syslog to track all
network transactions.
– With CBAC inspection rules, you can
configure alerts and audit trail information
on a per-application protocol basis.
Identifying Access Lists
• Access list number (all IOS versions)—The number of the access list determines what protocol it filters:
– (1-99) and (1300-1399)—Standard IP access lists.
– (100-199) and (2000-2699)—Extended IP access lists.
– (800-899)—Standard IPX access lists.
• Access list name (IOS 11.2 and later)—You provide the name of the access list:
– Names contain alphanumeric characters.
– Names cannot contain spaces or punctuation and must begin with an alphabetic character.
Basic Types of IP Access Lists
• Standard—Filter IP packets based on the source address
only.
• Extended—Filter IP packets based on several attributes,
including:
– Protocol type.
– Source and destination IP addresses.
– Source and destination TCP/UDP ports.
– ICMP and IGMP message types.
Standard Numbered Access List Format
Router(config)#
access-list access-list-number {deny | permit} source [source-wildcard]
Austin2(config)# access-list 2 permit 36.48.0.3
Austin2(config)# access-list 2 deny 36.48.0.0 0.0.255.255
Austin2(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Austin2(config)# interface e0/1
Austin2(config-if)# ip access-group 2 in
• A source given without a wildcard (as in 36.48.0.3) matches that single host. Entries are checked in order, the first match wins, and every list ends with an implicit deny of everything not matched.
Standard Named Access List Format
Router(config)#
ip access-list standard access-list-name
Router(config-std-nacl)#
{deny | permit} source [source-wildcard]
Austin2(config)# ip access-list standard protect
Austin2(config-std-nacl)# deny 36.48.0.0 0.0.255.255
Austin2(config-std-nacl)# permit 36.0.0.0 0.255.255.255
Austin2(config-std-nacl)# exit
Extended Numbered Access List Format
Router(config)#
access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host source} [source-port] {destination destination-wildcard | any | host destination} [destination-port] [established] [log | log-input]
Miami(config)# access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config)# access-list 103 permit tcp any host 128.88.1.2 eq smtp
Miami(config)# interface e0/0
Miami(config-if)# ip access-group 103 in
• established matches only TCP segments with the ACK or RST bit set, so list 103 admits replies to connections opened from inside plus new SMTP connections to 128.88.1.2. It keeps no state: a crafted packet with only ACK set also matches, which is one reason to prefer CBAC for return traffic.
[Figure: Miami router with e0/0 facing the Internet; SMTP host 128.88.1.2 on the 128.88.1.0 network; 128.88.3.0 network inside]
Extended Named Access List Format
Router(config)#
ip access-list extended access-list-name
Router(config-ext-nacl)#
{deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host source} [source-port] {destination destination-wildcard | any | host destination} [destination-port] [established] [log | log-input]
Miami(config)# ip access-list extended mailblock
Miami(config-ext-nacl)# permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config-ext-nacl)# permit tcp any host 128.88.1.2 eq smtp
Miami(config-ext-nacl)# exit
Commenting IP Access-List Entries
Router(config)#
access-list access-list-number remark remark-text
Miami(config)# access-list 102 remark Allow traffic to file server
Miami(config)# access-list 102 permit ip any host 128.88.1.6
Basic Rules for Developing Access Lists
Here are some basic rules you should follow when developing access lists:
• Rule #1—Write it out!
– Get a piece of paper and write out what you want this access list to accomplish.
– This is the time to think about potential problems.
• Rule #2—Set up a development system.
– Allows you to copy and paste statements easily.
– Allows you to develop a library of access lists.
– Store the files as ASCII text files.
• Rule #3—Apply the access list to a router and test.
– If at all possible, run your access lists in a test environment before placing them into production.
Access List Directional Filtering
[Figure: Austin1 with interfaces s0/0 (Internet), e0/0 and e0/1; inbound and outbound arrows at an interface]
• Inbound—Data flows toward the router interface (packets arriving on the interface from the attached network).
• Outbound—Data flows away from the router interface (packets leaving the interface toward the attached network).
Applying Access Lists to Interfaces
Router(config-if)#
ip access-group {access-list-number | access-list-name} {in | out}
Tulsa(config)# interface e0/1
Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out
Displaying Access Lists
Router#
show access-lists [access-list-number | access-list-name]
Miami# show access-lists
Extended IP access list 102
    permit ip any host 128.88.1.6
Extended IP access list mailblock
    permit tcp any 128.88.0.0 0.0.255.255 established
Miami#
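The following Python script is added here as an illustration and is not part of the course material or Cisco code. It parses the numbered access-list commands shown above into rules and evaluates packets against them the way IOS does: top-down, first match wins, implicit deny at the end, wildcard bits set to 1 ignored, and established matching only TCP segments with ACK or RST set. The packet addresses and the small port-name table are constructed for the example.

```python
"""Evaluate Cisco IOS numbered IP access lists against packets (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Small subset of the IOS port-name table (assumption: only the names used in this module).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    """One access-list entry; a standard list leaves everything but the source at 'any'."""
    action: str
    proto: str = "ip"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack_or_rst: bool = False      # the only thing the 'established' keyword tests


def _addr(tokens: List[str], i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _port(tokens: List[str], i: int):
    """Consume an optional 'eq PORT' operator (port name or number)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} ...' in standard or extended numbered form."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list command: " + line)
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1399:        # standard: source only
        if t[3] in ("any", "host"):
            src, wc, _ = _addr(t, 3)
        else:
            src = t[3]
            wc = t[4] if len(t) > 4 and t[4][0].isdigit() else "0.0.0.0"   # no wildcard = one host
        return Ace(action, src=src, src_wc=wc)
    if 100 <= number <= 199 or 2000 <= number <= 2699:     # extended
        proto = t[3]
        src, src_wc, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, dst_wc, i = _addr(t, i)
        dport, i = _port(t, i)
        return Ace(action, proto, src, src_wc, dst, dst_wc, sport, dport, "established" in t[i:])
    raise ValueError("unsupported access-list number %d" % number)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc) or not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; every IOS ACL ends with an implicit 'deny any'."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# The two lists from the slides above (Austin2 list 2 and Miami list 103).
ACL_2 = [parse_ace(l) for l in (
    "access-list 2 permit 36.48.0.3",
    "access-list 2 deny 36.48.0.0 0.0.255.255",
    "access-list 2 permit 36.0.0.0 0.255.255.255")]
ACL_103 = [parse_ace(l) for l in (
    "access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established",
    "access-list 103 permit tcp any host 128.88.1.2 eq smtp")]
```

Running evaluate against ACL_103 with a packet to a non-SMTP port on 128.88.3.7 shows the established weakness directly: the packet is denied when it carries only SYN and permitted as soon as the ACK bit is set, whether or not any inside host ever opened that connection.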
8.3 Configure Cisco IOS Firewall Context-Based Access Control
CBAC Configuration
– Pick an interface (internal or external) on which to apply inspection.
– Configure IP access lists at the interface.
– Set audit trails and alerts.
– Set global timeouts and thresholds.
– Define PAM (port-to-application mapping).
– Define inspection rules.
– Apply inspection rules and ACLs to interfaces.
Enable Audit Trails and Alerts
Router(config)#
ip inspect audit-trail
• Enables the delivery of audit trail messages using Syslog
Router(config)#
no ip inspect alert-off
• Enables real-time alerts (alerts are on by default; ip inspect alert-off disables them)
Router(config)# logging on
Router(config)# logging 10.0.0.3
Router(config)# ip inspect audit-trail
Router(config)# no ip inspect alert-off
Global Half-Opened Connection Limits
Router(config)#
ip inspect max-incomplete high number
• Defines the number of existing half-open sessions above which the software starts deleting half-open sessions (aggressive mode)
Router(config)#
ip inspect max-incomplete low number
• Defines the number of existing half-open sessions below which the software stops deleting half-open sessions
Router(config)#
ip inspect one-minute high number
• Defines the rate of new half-open sessions per minute above which half-open sessions start being deleted
Router(config)#
ip inspect one-minute low number
• Defines the rate of new half-open sessions per minute below which half-open sessions stop being deleted
• A half-open session is one whose setup has not completed: for TCP the three-way handshake has not finished, for UDP no return traffic has been seen. The high and low values form a hysteresis band so that the router does not flap in and out of aggressive mode.
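To make the interaction of the four thresholds concrete, here is a small Python model, added as an illustration rather than taken from the course or from Cisco code. It assumes the documented IOS defaults of 500 (high) and 400 (low) for both the session count and the one-minute rate, and that in aggressive mode the router deletes the oldest half-open session to make room for each new connection attempt; the session names and timestamps are constructed.

```python
"""Model of CBAC half-open session thresholds and aggressive mode (added illustration)."""
from collections import deque
from typing import Deque, List, Tuple


class HalfOpenMonitor:
    """Counts half-open sessions the way ip inspect max-incomplete / one-minute thresholds do.

    The defaults (high 500, low 400 for both measures) are the documented IOS defaults and are an
    assumption of this model, as is evicting exactly one old session per new attempt while aggressive.
    """

    def __init__(self, max_high: int = 500, max_low: int = 400,
                 minute_high: int = 500, minute_low: int = 400) -> None:
        self.max_high, self.max_low = max_high, max_low
        self.minute_high, self.minute_low = minute_high, minute_low
        self.half_open: Deque[Tuple[str, float]] = deque()   # (session id, start time), oldest first
        self.arrivals: Deque[float] = deque()                 # start times within the sliding minute
        self.aggressive = False
        self.deleted: List[str] = []                          # sessions dropped by aggressive mode

    def count(self) -> int:
        """Existing half-open sessions (what max-incomplete compares against)."""
        return len(self.half_open)

    def rate(self, now: float) -> int:
        """New half-open sessions in the last 60 seconds (what one-minute compares against)."""
        while self.arrivals and now - self.arrivals[0] >= 60:
            self.arrivals.popleft()
        return len(self.arrivals)

    def _update_mode(self, now: float) -> None:
        count, rate = self.count(), self.rate(now)
        if count > self.max_high or rate > self.minute_high:
            self.aggressive = True        # rose above a high-water mark: start deleting
        elif count < self.max_low and rate < self.minute_low:
            self.aggressive = False       # fell below both low-water marks: stop deleting

    def new_session(self, sid: str, now: float) -> None:
        """A connection attempt (TCP SYN or first UDP packet) whose setup has not completed."""
        self.arrivals.append(now)
        if self.aggressive and self.half_open:
            victim, _ = self.half_open.popleft()   # make room by dropping the oldest half-open session
            self.deleted.append(victim)
        self.half_open.append((sid, now))
        self._update_mode(now)

    def complete(self, sid: str, now: float) -> None:
        """Handshake finished (or UDP return traffic seen): no longer half-open."""
        self.half_open = deque(s for s in self.half_open if s[0] != sid)
        self._update_mode(now)


def syn_flood_demo() -> Tuple[int, List[str], bool]:
    """Small thresholds so the hysteresis is visible: count high 10, low 5; rate limits out of reach."""
    mon = HalfOpenMonitor(max_high=10, max_low=5, minute_high=1000, minute_low=900)
    for i in range(11):                    # the 11th attempt pushes the count above 10
        mon.new_session("s%d" % i, float(i))
    entered = mon.aggressive
    mon.new_session("s11", 11.0)           # aggressive: s0 is evicted to admit s11
    mon.new_session("s12", 12.0)           # ... and s1 to admit s12
    for i in range(2, 9):                  # seven handshakes complete: count drops to 4, below low=5
        mon.complete("s%d" % i, 20.0)
    return mon.count(), mon.deleted, entered and not mon.aggressive
```

The model makes the operational point of the low thresholds visible: once aggressive mode is entered, legitimate half-open sessions are sacrificed one per new attempt until the count or rate falls below the low mark, so setting low too close to high causes the router to oscillate, and setting high too low makes a modest burst of legitimate connections look like an attack.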
Port-to-Application Mapping Overview
– Ability to configure any port number for an application protocol.
– CBAC uses PAM to determine the application configured for a port, so that application-specific inspection is applied on non-standard ports.
User-Defined Port Mapping
Router(config)#
ip port-map appl_name port port_num
• Maps a port number to an application.
Router(config)#
access-list acl_num permit ip_addr
ip port-map appl_name port port_num list acl_num
• Maps a port number to an application for a given host.
Router(config)#
access-list acl_num permit ip_addr wildcard_mask
ip port-map appl_name port port_num list acl_num
• Maps a port number to an application for a given network.
Display PAM Configuration
Router#
show ip port-map
• Shows all port mapping information.
Router#
show ip port-map appl_name
• Shows port mapping information for a given application.
Router#
show ip port-map port port_num
• Shows port mapping information for a given port.
Router# sh ip port-map ftp
Default mapping:  ftp  port 21  system defined
Host specific:    ftp  port 1000  in list 10  user
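As an added illustration (not course or Cisco code), the Python class below models the lookup order PAM uses: a host-specific mapping applies to hosts permitted by its standard ACL, a user-defined global mapping applies otherwise, and the system-defined table is the fallback. It reproduces the show ip port-map ftp output above from a mapping of port 1000 to FTP for list 10. The contents of ACL 10 (10.0.0.0/24), the other host addresses and the subset of the system table are assumptions; the refusal to remap a system-defined port globally follows the documented IOS rule that system-defined mappings can only be overridden host-specifically.

```python
"""Model of CBAC Port-to-Application Mapping (PAM) lookups (added illustration)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Ace = Tuple[str, str, str]                  # (action, address, wildcard) of a standard ACL
StdAcl = List[Ace]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: bits set to 1 are ignored in the comparison."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def std_acl_permits(acl: StdAcl, addr: str) -> bool:
    for action, base, wc in acl:
        if wildcard_match(addr, base, wc):
            return action == "permit"
    return False                                # implicit deny


class Pam:
    # Subset of the system-defined table (assumption: only ports relevant to this module).
    SYSTEM: Dict[int, str] = {21: "ftp", 25: "smtp", 69: "tftp", 80: "http",
                              111: "sunrpc", 554: "rtsp", 1521: "sqlnet", 1720: "h323"}

    def __init__(self) -> None:
        self.acls: Dict[int, StdAcl] = {}
        self.user: Dict[int, str] = {}                          # ip port-map APP port N
        self.host_specific: List[Tuple[int, str, int]] = []     # ip port-map APP port N list ACL

    def access_list(self, num: int, action: str, base: str, wildcard: str = "0.0.0.0") -> None:
        """access-list NUM {permit|deny} ADDRESS [WILDCARD]"""
        self.acls.setdefault(num, []).append((action, base, wildcard))

    def port_map(self, app: str, port: int, acl_num: Optional[int] = None) -> None:
        """ip port-map APP port PORT [list ACL]"""
        if acl_num is None:
            if port in self.SYSTEM:
                # A system-defined mapping cannot be changed globally; only a host-specific
                # mapping (with a list) overrides it, and only for the hosts the list permits.
                raise ValueError("port %d is system defined (%s)" % (port, self.SYSTEM[port]))
            self.user[port] = app
        else:
            self.host_specific.append((port, app, acl_num))

    def lookup(self, port: int, host: str) -> Optional[str]:
        """Application CBAC will inspect on this port for a session involving host."""
        for p, app, acl_num in self.host_specific:          # host-specific entries win
            if p == port and std_acl_permits(self.acls.get(acl_num, []), host):
                return app
        if port in self.user:                               # then user-defined global entries
            return self.user[port]
        return self.SYSTEM.get(port)                        # then the system-defined table

    def show(self, app: Optional[str] = None) -> List[str]:
        """Lines in the style of 'show ip port-map [appl_name]'."""
        lines = ["Default mapping:  %s  port %d  system defined" % (a, p)
                 for p, a in sorted(self.SYSTEM.items()) if app in (None, a)]
        lines += ["Default mapping:  %s  port %d  user defined" % (a, p)
                  for p, a in sorted(self.user.items()) if app in (None, a)]
        lines += ["Host specific:    %s  port %d  in list %d  user" % (a, p, n)
                  for p, a, n in self.host_specific if app in (None, a)]
        return lines
```

The security-relevant consequence of the lookup order is that a host-specific mapping silently changes which inspection engine sees a flow: port 1000 to a host in list 10 gets FTP inspection (and the dynamic data-channel openings that come with it), while the same port to any other host gets no application inspection at all.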
Inspection Rules for Application Protocols
Router(config)#
ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
– Defines the application protocols to inspect.
– Will be applied to an interface.
• Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive.
• alert, audit-trail, and timeout are configurable per protocol and override the global settings.
Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300
Inspection Rules for Java
Router(config)#
ip inspect name inspection-name http java-list acl-num [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
• Controls Java blocking with a standard ACL: applets from sites the ACL permits are allowed; applets from sites the ACL denies, or does not match at all (implicit deny), are blocked.
Router(config)# access-list 10 deny 172.26.26.0 0.0.0.255
Router(config)# access-list 10 permit 172.27.27.0 0.0.0.255
Router(config)# ip inspect name FWRULE http java-list 10 alert on audit-trail on timeout 300
Inspection Rules for RPC Applications
Router(config)#
ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
• Allows the given RPC program number through the firewall; wait-time keeps a small opening for subsequent connections from the same source to the same destination for the specified number of minutes after the RPC call.
Router(config)# ip inspect name FWRULE rpc program-number 100022 wait-time 0 alert off audit-trail on
Inspection Rules for SMTP Applications
Router(config)#
ip inspect name inspection-name smtp [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
• Allows only the following legal commands in SMTP sessions: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.
• If SMTP inspection is not configured, all SMTP commands are allowed through the firewall and potential mail server vulnerabilities are exposed.
Router(config)# ip inspect name FWRULE smtp
Inspection Rules for IP Packet Fragmentation
Router(config)#
ip inspect name inspection-name fragment max number timeout seconds
• Protects hosts from certain DoS attacks involving fragmented IP packets by keeping state for packets whose fragments have not all arrived.
– max—maximum number of unassembled fragmented IP packets for which state is kept.
– timeout—seconds after which the state for an unassembled fragmented IP packet is discarded.
Router(config)# ip inspect name FWRULE fragment max 254 timeout 4
Applying Inspection Rules and ACLs
Router(config-if)#
ip inspect inspection-name {in | out}
– Applies the named inspection rule to an interface in the given direction.
Router(config)# interface e0/0
Router(config-if)# ip inspect FWRULE in
General Rules for Applying Inspection Rules and ACLs
– Interface where traffic initiates
• Apply an ACL on the inward direction that permits only wanted traffic.
• Apply an inspection rule on the inward direction that inspects the wanted traffic.
– All other interfaces
• Apply an ACL on the inward direction that denies all unwanted traffic; CBAC adds temporary entries ahead of that ACL to admit the return traffic of inspected sessions.
Two-interface example (inside e0/0, outside e0/1, web server 10.0.0.3 on the inside network)
• Apply an ACL and inspection rule to the inside interface in the inward direction.
• Permit inside-initiated traffic from the 10.0.0.0 network only.
• Configure CBAC to inspect TCP and UDP traffic.
Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any
Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp
Router(config)# interface e0/0
Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in
• Apply an ACL to the outside interface in the inward direction.
• Permit outside-initiated ICMP and HTTP traffic to host 10.0.0.3. All other outside-initiated traffic is denied, while replies to inside-initiated sessions are admitted by the temporary entries CBAC adds ahead of ACL 102.
Router(config)# access-list 102 permit icmp any host 10.0.0.3
Router(config)# access-list 102 permit tcp any host 10.0.0.3 eq www
Router(config)# access-list 102 deny ip any any
Router(config)# interface e0/1
Router(config-if)# ip access-group 102 in
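The following Python model is added as an illustration and is not part of the course or of Cisco's implementation. It walks packets through the two-interface configuration above (ACL 101 inbound on e0/0 with the OUTBOUND rule, ACL 102 inbound on e0/1) and shows what the state table adds to the static ACLs: replies to an inside-initiated session come back through a temporary opening on e0/1 even though ACL 102 denies them, an unsolicited packet from the same server is dropped, and the opening disappears when the session closes. The outside hosts (172.30.0.50, 203.0.113.7), the port numbers and the single-FIN teardown are assumptions of the model; real CBAC also checks TCP sequence numbers and waits for both sides to close.

```python
"""Model of a CBAC state table and the dynamic ACL openings it creates (added illustration)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "A", "FA"


Ace = Tuple[str, Callable[[Pkt], bool]]     # (action, match predicate)


def from_10_0_0(p: Pkt) -> bool:
    return p.src.startswith("10.0.0.")


# Static ACLs of the example: 101 inbound on e0/0 (inside), 102 inbound on e0/1 (outside).
ACL_101: List[Ace] = [("permit", from_10_0_0)]
ACL_102: List[Ace] = [
    ("permit", lambda p: p.proto == "icmp" and p.dst == "10.0.0.3"),
    ("permit", lambda p: p.proto == "tcp" and p.dst == "10.0.0.3" and p.dport == 80),
]


def static_lookup(acl: List[Ace], pkt: Pkt) -> str:
    for action, matches in acl:
        if matches(pkt):
            return action
    return "deny"                           # implicit deny any


Key = Tuple[str, str, int, str, int]


def fwd_key(p: Pkt) -> Key:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def rev_key(p: Pkt) -> Key:
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class CbacRouter:
    def __init__(self) -> None:
        self.acl_in: Dict[str, List[Ace]] = {"e0/0": ACL_101, "e0/1": ACL_102}
        self.inspect_in: Dict[str, Set[str]] = {"e0/0": {"tcp", "udp"}}   # ip inspect OUTBOUND in
        # State table: forward key -> interface on which the return traffic will arrive.
        self.sessions: Dict[Key, str] = {}
        # Temporary openings per interface (inbound), consulted before the static ACL.
        self.openings: Dict[str, Set[Key]] = {"e0/0": set(), "e0/1": set()}

    @staticmethod
    def other(ifc: str) -> str:
        return "e0/1" if ifc == "e0/0" else "e0/0"

    def _close(self, key: Key) -> None:
        ifc = self.sessions.pop(key)
        self.openings[ifc].discard(key)

    def inbound(self, ifc: str, pkt: Pkt) -> str:
        """Process a packet arriving inbound on ifc; return the verdict and its reason."""
        key, rkey = fwd_key(pkt), rev_key(pkt)
        closing = "F" in pkt.flags or "R" in pkt.flags
        # 1. Return traffic of an inspected session uses the dynamic opening, bypassing the static ACL.
        if rkey in self.openings[ifc]:
            if closing:
                self._close(rkey)           # simplification: one FIN/RST tears the session down
                return "permit (state table, session closed)"
            return "permit (state table)"
        # 2. Everything else must pass the static ACL bound inbound on this interface.
        if static_lookup(self.acl_in[ifc], pkt) == "deny":
            return "deny (acl)"
        # 3. Permitted traffic on an inspected interface is tracked in the state table.
        if pkt.proto in self.inspect_in.get(ifc, set()):
            if key in self.sessions:
                if closing:
                    self._close(key)
                    return "permit (acl, session closed)"
                return "permit (acl, existing session)"
            if pkt.proto == "udp" or pkt.flags == "S":      # only a new attempt opens a session
                self.sessions[key] = self.other(ifc)
                self.openings[self.other(ifc)].add(key)
                return "permit (acl, session created)"
        return "permit (acl)"
```

Note what the model does not do: an outside connection to 10.0.0.3 port 80 is admitted by the static entry in ACL 102 and is not inspected, because no inspection rule is applied on e0/1. Its replies still leave through e0/1 outbound, where no ACL is bound, so the configuration works; applying an inspection rule on e0/1 as well would add TCP state checking to those sessions.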
Three-interface example (inside e0/0, outside e0/1, DMZ e1/0, web server 172.16.0.2 in the DMZ)
• Apply an ACL and inspection rule to the inside interface in the inward direction.
• Permit inside-initiated traffic from the 10.0.0.0 network only.
• Configure CBAC to inspect TCP and UDP traffic.
Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any
Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp
Router(config)# interface e0/0
Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in
Inbound Traffic
• Apply an ACL to the outside interface in the inward direction.
• Permit outside-initiated ICMP and HTTP traffic to host 172.16.0.2.
Router(config)# access-list 102 permit icmp any host 172.16.0.2
Router(config)# access-list 102 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 102 deny ip any any
Router(config)# interface e0/1
Router(config-if)# ip access-group 102 in
DMZ-Bound Traffic
• Permit only ICMP traffic initiated in the DMZ (ACL 103, inbound on the DMZ interface e1/0).
• Permit only outward ICMP and HTTP traffic to host 172.16.0.2 (ACL 104, outbound on e1/0).
• Inspect TCP sessions bound for the DMZ so that the server's replies are admitted through ACL 103 by temporary entries. For that to happen the INBOUND rule must be applied inbound on the interface where those sessions arrive (ip inspect INBOUND in on e0/1); the commands below define the rule but do not show that step.
Router(config)# ip inspect name INBOUND tcp
Router(config)# access-list 103 permit icmp host 172.16.0.2 any
Router(config)# access-list 103 deny ip any any
Router(config)# access-list 104 permit icmp any host 172.16.0.2
Router(config)# access-list 104 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 104 deny ip any any
Router(config)# interface e1/0
Router(config-if)# ip access-group 103 in
Router(config-if)# ip access-group 104 out
show Commands
Router#
show ip inspect name inspection-name
show ip inspect config
show ip inspect interfaces
show ip inspect session [detail]
show ip inspect all
• Displays CBAC configurations, interface configurations, and sessions.
Router# sh ip inspect session
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
debug Commands
Router#
debug ip inspect function-trace
debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect events
debug ip inspect timers
• General debug commands.
Router#
debug ip inspect protocol
• Protocol-specific debug (for example debug ip inspect tcp).
Remove CBAC Configuration
Router(config)#
no ip inspect
• Removes the entire CBAC configuration.
• Resets all global timeouts and thresholds to the defaults.
• Deletes all existing sessions.
• Removes all associated dynamic ACL entries.