Network Security 1. Module 8 Configure Filtering on a Router

Academic year: 2021

Network Security 1

Module 8 – Configure Filtering on a Router

8.2 Cisco IOS Firewall Context-Based Access Control

Cisco IOS Firewall CBAC

– Packets are inspected upon entering the firewall by CBAC if they are not specifically denied by an ACL.
– CBAC permits or denies specified TCP and UDP traffic through a firewall.
– A state table is maintained with session information.
– ACLs are dynamically created or deleted.
– CBAC protects against DoS attacks.

Cisco IOS ACLs

– Provide traffic filtering by:
  • Source and destination IP addresses
  • Source and destination ports
– Can be used to implement a filtering firewall
  • Ports are opened permanently to allow traffic, creating a security vulnerability.
  • Do not work with applications that negotiate ports dynamically.

CBAC Supported Protocols

– TCP (single channel)
– UDP (single channel)
– RPC
– FTP
– TFTP
– UNIX R-commands (such as rlogin, rexec, and rsh)
– SMTP
– HTTP (Java blocking)
– Java
– SQL*Net
– RTSP (such as RealNetworks)
– H.323 (such as NetMeeting, ProShare, CUSeeMe)
– Other multimedia
  • Microsoft NetShow
  • StreamWorks
  • VDOLive

Alerts and Audit Trails

– CBAC generates real-time alerts and audit trails.
– Audit trail features use Syslog to track all network transactions.
– With CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

Identifying Access Lists

• Access list number (all IOS versions)—The number of the access list determines what protocol it is filtering:
  – (1-99) and (1300-1399)—Standard IP access lists.
  – (100-199) and (2000-2699)—Extended IP access lists.
  – (800-899)—Standard IPX access lists.
• Access list name (IOS versions > 11.2)—You provide the name of the access list:
  – Names contain alphanumeric characters.
  – Names cannot contain spaces or punctuation and must begin with an alphabetic character.

Basic Types of IP Access Lists

• Standard—Filter IP packets based on the source address only.
• Extended—Filter IP packets based on several attributes, including:
  – Protocol type.
  – Source and destination IP addresses.
  – Source and destination TCP/UDP ports.
  – ICMP and IGMP message types.

Standard Numbered Access List Format

Austin2(config)# access-list 2 permit 36.48.0.3
Austin2(config)# access-list 2 deny 36.48.0.0 0.0.255.255
Austin2(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Austin2(config)# interface e0/1
Austin2(config-if)# ip access-group 2 in

Router(config)# access-list access-list-number {deny | permit}

Standard Named Access List Format

Austin2(config)# ip access-list standard protect
Austin2(config-std-nacl)# deny 36.48.0.0 0.0.255.255
Austin2(config-std-nacl)# permit 36.0.0.0 0.255.255.255
Austin2(config-std-nacl)# exit

Router(config)# ip access-list standard access-list-name
Router(config-std-nacl)#

Extended Numbered Access List Format

Miami(config)# access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config)# access-list 103 permit tcp any host 128.88.1.2 eq smtp
Miami(config)# interface e0/0
Miami(config-if)# ip access-group 103 in

Router(config)# access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]

(Diagram: Internet, Miami interface e0/0, SMTP host 128.88.1.2, networks 128.88.1.0 and 128.88.3.0.)

Extended Named Access List Format

Miami(config)# ip access-list extended mailblock
Miami(config-ext-nacl)# permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config-ext-nacl)# permit tcp any host 128.88.1.2 eq smtp
Miami(config-ext-nacl)# exit

Router(config)# ip access-list extended access-list-name
Router(config-ext-nacl)# {deny | permit} {number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port}

Commenting IP Access-List Entries

Miami(config)# access-list 102 remark Allow traffic to file server
Miami(config)# access-list 102 permit ip any host 128.88.1.6

Basic Rules for Developing Access Lists

Here are some basic rules you should follow when developing access lists:

• Rule #1—Write it out!
  – Get a piece of paper and write out what you want this access list to accomplish.
  – This is the time to think about potential problems.
• Rule #2—Set up a development system.
  – Allows you to copy and paste statements easily.
  – Allows you to develop a library of access lists.
  – Store the files as ASCII text files.
• Rule #3—Apply the access list to a router and test.
  – If at all possible, run your access lists in a test environment before placing them into production.

Access List Directional Filtering

(Diagram: router Austin1 with interfaces s0/0, e0/0 and e0/1 and the Internet; inbound and outbound directions marked.)

Inbound—Data flows toward the router interface.

Applying Access Lists to Interfaces

Tulsa(config)# interface e0/1
Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out

Router(config-if)# ip access-group {list-number | name} {in | out}

Displaying Access Lists

Miami# show access-lists
Extended IP access list 102
    permit ip any host 128.88.1.6
Extended IP access list mailblock
    permit tcp any 128.88.0.0 0.0.255.255 established
Miami#

Router# show access-lists {list-number | name}

Module 8 – Configure Filtering on a Router

8.3 Configure Cisco IOS Firewall Context-Based Access Control

CBAC Configuration

– Pick an interface – internal or external.
– Configure IP access lists at the interface.
– Set audit trails and alerts.
– Set global timeouts and thresholds.
– Define PAM.
– Define inspection rules.
– Apply inspection rules and ACLs to interfaces.

Enable Audit Trails and Alerts

Router(config)# logging on
Router(config)# logging 10.0.0.3
Router(config)# ip inspect audit-trail
Router(config)# no ip inspect alert-off

Router(config)# ip inspect audit-trail
Enables the delivery of audit trail messages using Syslog.

Router(config)# no ip inspect alert-off
Enables real-time alerts.

Global Half-Open Connection Limits

Router(config)# ip inspect max-incomplete high number
Defines the number of existing half-open sessions that causes the software to start deleting half-open sessions (aggressive mode).

Router(config)# ip inspect max-incomplete low number
Defines the number of existing half-open sessions that causes the software to stop deleting half-open sessions.

Router(config)# ip inspect one-minute high number
Defines the number of new half-open sessions per minute at which they start being deleted.

Router(config)# ip inspect one-minute low number
Defines the number of new half-open sessions per minute at which they stop being deleted.
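The high/low pairs above work as a hysteresis band: deletion starts when a gauge rises above the high number and continues until it drops below the low number. The Python below is an added illustration, not Cisco code or part of the module. It models that behaviour for both gauges (existing half-open sessions, new half-open sessions per minute) and shows why the gap between the two numbers keeps the firewall from flapping in and out of aggressive mode. The threshold values in the demo and the assumption that the two gauges trip aggressive mode independently are the example's own.

```python
"""Hysteresis model of the CBAC half-open session thresholds.

Added illustration, not Cisco code. Deletion starts when a gauge rises above
its "high" number and stops when it drops below its "low" number; treating the
two gauges as independent triggers is this model's assumption.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Threshold:
    """One high/low pair, e.g. ip inspect max-incomplete high 500 / low 400."""
    high: int
    low: int
    active: bool = False  # True while half-open sessions are being deleted

    def observe(self, count: int) -> bool:
        if count > self.high:
            self.active = True
        elif count < self.low:
            self.active = False
        # Between low and high the previous state is kept: that band is what
        # stops the firewall from flapping in and out of aggressive mode.
        return self.active


def simulate(counts: List[int], high: int, low: int) -> List[bool]:
    """Deletion state after each successive reading of one gauge."""
    t = Threshold(high, low)
    return [t.observe(c) for c in counts]


@dataclass
class HalfOpenMonitor:
    """Both global gauges: total half-open sessions and new half-open per minute."""
    max_incomplete: Threshold  # ip inspect max-incomplete high/low
    one_minute: Threshold  # ip inspect one-minute high/low

    def update(self, half_open_total: int, new_per_minute: int) -> bool:
        """True if CBAC is in aggressive mode after these readings."""
        a = self.max_incomplete.observe(half_open_total)
        b = self.one_minute.observe(new_per_minute)
        return a or b


def demo() -> List[bool]:
    # Constructed sample: thresholds and readings are example values, not from the slide.
    mon = HalfOpenMonitor(Threshold(high=500, low=400), Threshold(high=300, low=200))
    readings: List[Tuple[int, int]] = [
        (100, 50), (450, 250), (520, 250), (480, 150),
        (420, 100), (390, 100), (100, 350), (100, 150),
    ]
    return [mon.update(total, new) for total, new in readings]


if __name__ == "__main__":
    print(demo())  # [False, False, True, True, True, False, True, False]
```

In the demo the total-sessions gauge trips at 520 and stays tripped through 480 and 420 because those readings sit inside the band; it only clears at 390. Setting low equal to high would remove the band and make aggressive mode toggle on every reading that crosses the line.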

Port-to-Application Mapping Overview

– Ability to configure any port number for an application protocol.
– CBAC uses PAM to determine the application configured for a port.

User-Defined Port Mapping

Router(config)# ip port-map appl_name port port_num
Maps a port number to an application.

Router(config)# access-list acl_num permit ip_addr
Router(config)# ip port-map appl_name port port_num list acl_num
Maps a port number to an application for a given host.

Router(config)# access-list acl_num permit ip_addr wildcard_mask
Router(config)# ip port-map appl_name port port_num list acl_num
Maps a port number to an application for a given network.

Display PAM Configuration

Router# show ip port-map
Shows all port mapping information.

Router# show ip port-map appl_name
Shows port mapping information for a given application.

Router# show ip port-map port port_num
Shows port mapping information for a given port.

Router# sh ip port-map ftp
Default mapping: ftp port 21 system defined
Host specific: ftp port 1000 in list 10 user

Inspection Rules for Application Protocols

Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

– Defines the application protocols to inspect.
– Will be applied to an interface.
  • Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive.
  • alert, audit-trail, and timeout are configurable per protocol and override global settings.

Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Inspection Rules for Java

Router(config)# ip inspect name inspection-name http java-list acl-num [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

Controls Java blocking with a standard ACL.

Router(config)# ip inspect name FWRULE http java-list 10 alert on audit-trail on timeout 300
Router(config)# access-list 10 deny 172.26.26.0 0.0.0.255
Router(config)# access-list 10 permit 172.27.27.0 0.0.0.255

Inspection Rules for RPC Applications

Router(config)# ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

Allows given RPC program numbers—wait-time keeps the connection open for a specified number of minutes.

Router(config)# ip inspect name FWRULE rpc program-number 100022 wait-time 0 alert off audit-trail on

Inspection Rules for SMTP Applications

Router(config)# ip inspect name inspection-name smtp [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

Allows only the following legal commands in SMTP applications: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY. If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed.

Router(config)# ip inspect name FWRULE smtp

Inspection Rules for IP Packet Fragmentation

Router(config)# ip inspect name inspection-name fragment max number timeout seconds

Protects hosts from certain DoS attacks involving fragmented IP packets.
max—number of unassembled fragmented IP packets.
timeout—seconds after which the unassembled fragmented IP packets begin to be discarded.

Router(config)# ip inspect name FWRULE fragment max 254 timeout 4
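The fragment limits above bound how many incomplete datagrams the firewall will hold and for how long, which is what keeps a stream of fragments that never complete from consuming unbounded state. The Python below is an added illustration, not Cisco code or part of the module: it keeps a table of datagrams whose fragments are still outstanding, refuses to start tracking a new one once max is reached, and expires entries after timeout seconds. The (source, destination, IP ID) key and the simplification that a fragment with the more-fragments flag cleared completes its datagram are assumptions of this model, not a description of the IOS implementation.

```python
"""Model of the CBAC fragment limits: ip inspect name X fragment max N timeout S.

Added illustration, not Cisco code. The (src, dst, ip_id) key, dropping a
fragment of a new datagram when the table is full, and treating the fragment
with the more-fragments flag cleared as completing a datagram are this model's
simplifications.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str, int]  # (source, destination, IP identification)


@dataclass
class FragmentInspector:
    max_unassembled: int  # "max" keyword
    timeout: float  # "timeout" keyword, seconds
    table: Dict[Key, float] = field(default_factory=dict)  # key -> first fragment seen
    dropped: int = 0

    def expire(self, now: float) -> int:
        """Discard datagrams that have stayed unassembled for timeout seconds."""
        stale = [k for k, t0 in self.table.items() if now - t0 >= self.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def fragment(self, now: float, key: Key, more_fragments: bool) -> str:
        self.expire(now)
        if key in self.table:
            if not more_fragments:
                del self.table[key]  # last fragment arrived: datagram complete
            return "pass"
        if len(self.table) >= self.max_unassembled:
            self.dropped += 1  # no room to track another unassembled datagram
            return "drop"
        if more_fragments:
            self.table[key] = now  # first fragment of a new datagram
        return "pass"  # unknown datagram with MF clear: not fragmented, nothing to track


def demo() -> Tuple[List[str], int, int]:
    # Constructed trace with a deliberately tiny table: max 2, timeout 4 seconds.
    fw = FragmentInspector(max_unassembled=2, timeout=4.0)
    a = ("203.0.113.9", "10.0.0.3", 1)
    b = ("203.0.113.9", "10.0.0.3", 2)
    c = ("203.0.113.9", "10.0.0.3", 3)
    d = ("203.0.113.9", "10.0.0.3", 4)
    verdicts = [
        fw.fragment(0.0, a, True),   # a: first fragment, table = {a}
        fw.fragment(0.5, b, True),   # b: first fragment, table = {a, b}
        fw.fragment(1.0, c, True),   # table full: dropped
        fw.fragment(1.5, a, False),  # a completes, table = {b}
        fw.fragment(2.0, c, True),   # c retried, room again, table = {b, c}
        fw.fragment(5.0, d, True),   # b expired (4.5 s old), table = {c, d}
    ]
    return verdicts, fw.dropped, len(fw.table)


if __name__ == "__main__":
    print(demo())  # (['pass', 'pass', 'drop', 'pass', 'pass', 'pass'], 1, 2)
```

The slide's values (max 254, timeout 4) are the same two knobs with a larger table; the drop counter is the figure a defender would want in an alert, since a table that is permanently full is the symptom of a fragment flood.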

Applying Inspection Rules and ACLs

Router(config-if)# ip inspect inspection-name {in | out}

– Applies the named inspection rule to an interface.

Router(config)# interface e0/0
Router(config-if)# ip inspect FWRULE in

General Rules for Applying Inspection Rules and ACLs

– Interface where traffic initiates
  • Apply an ACL on the inward direction that permits only wanted traffic.
  • Apply a rule on the inward direction that inspects wanted traffic.
– All other interfaces
  • Apply an ACL on the inward direction that denies all unwanted traffic.

Apply an ACL and inspection rule to the inside interface in an inward direction.

Router(config)# interface e0/0
Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in

Permit inside-initiated traffic from the 10.0.0.0 network.

Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any

Configure CBAC to inspect TCP and UDP traffic.

Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp

Apply an ACL and inspection rule to the outside interface in an inward direction.

Router(config)# interface e0/1
Router(config-if)# ip access-group 102 in

Permit outside-initiated ICMP and HTTP traffic to host 10.0.0.3.

Router(config)# access-list 102 permit icmp any host 10.0.0.3
Router(config)# access-list 102 permit tcp any host 10.0.0.3 eq www
Router(config)# access-list 102 deny ip any any
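The two-interface example above, together with the wildcard-mask semantics from the "Standard Numbered Access List Format" slide, can be traced in code. The following Python model is an added illustration, not Cisco code or part of the module: it evaluates an ACL with Cisco wildcard masks (top-down, first match wins, implicit deny at the end) and keeps a minimal state table so that the return traffic of an inside-initiated, inspected session is accepted on the outside interface even though static ACL 102 would deny it, while an unsolicited connection from the same outside host is still dropped. The Packet and Entry types, the session key, and the peers 172.30.0.50 and 198.51.100.7 are constructed for the example; the ACL contents are the ones shown on the slides.

```python
"""ACL evaluation with Cisco wildcard masks plus a minimal CBAC-style state table.

Added illustration, not Cisco code. Packet, Entry, the session key and the
sample peer addresses are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str  # "permit" or "deny"
    proto: str  # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None: no "eq" port given


ANY = ("0.0.0.0", "255.255.255.255")  # the "any" keyword
HOST = "0.0.0.0"  # wildcard implied by the "host" keyword


def acl_evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Top-down, first matching entry wins; every ACL ends in an implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# Standard ACL 2 from the "Standard Numbered Access List Format" slide (source only).
ACL_2 = [
    Entry("permit", "ip", "36.48.0.3", HOST, *ANY),
    Entry("deny", "ip", "36.48.0.0", "0.0.255.255", *ANY),
    Entry("permit", "ip", "36.0.0.0", "0.255.255.255", *ANY),
]

# Two-interface example: ACL 101 inbound on inside e0/0, ACL 102 inbound on outside e0/1.
ACL_101 = [Entry("permit", "ip", "10.0.0.0", "0.0.0.255", *ANY)]
ACL_102 = [
    Entry("permit", "icmp", *ANY, "10.0.0.3", HOST),
    Entry("permit", "tcp", *ANY, "10.0.0.3", HOST, dport=80),
]

Session = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


class CbacFirewall:
    """Inspection rule OUTBOUND (tcp, udp) applied inbound on e0/0."""

    def __init__(self, inspected: Tuple[str, ...] = ("tcp", "udp")) -> None:
        self.inspected = set(inspected)
        self.sessions: Set[Session] = set()  # the CBAC state table

    def inside_in(self, pkt: Packet) -> str:
        """Packet entering e0/0 from the inside network."""
        verdict = acl_evaluate(ACL_101, pkt)
        if verdict == "permit" and pkt.proto in self.inspected:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict

    def outside_in(self, pkt: Packet) -> str:
        """Packet entering e0/1 from the Internet: state table first, then ACL 102."""
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.sessions:
            return "permit (state table)"  # the dynamically created ACL entry
        return acl_evaluate(ACL_102, pkt)


def demo() -> Tuple[str, str, str, str]:
    fw = CbacFirewall()
    out = fw.inside_in(Packet("tcp", "10.0.0.5", "172.30.0.50", 35009, 80))
    back = fw.outside_in(Packet("tcp", "172.30.0.50", "10.0.0.5", 80, 35009))
    unsolicited = fw.outside_in(Packet("tcp", "172.30.0.50", "10.0.0.5", 4444, 22))
    web = fw.outside_in(Packet("tcp", "198.51.100.7", "10.0.0.3", 51000, 80))
    return out, back, unsolicited, web


if __name__ == "__main__":
    print(demo())  # ('permit', 'permit (state table)', 'deny', 'permit')
```

Note that ICMP from the inside is permitted by ACL 101 but not inspected (the OUTBOUND rule covers only tcp and udp), so no state entry is created for it; the only ICMP that gets in from the outside is what ACL 102 statically allows to 10.0.0.3.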

Apply an ACL and inspection rule to the inside interface in an inward direction.

Router(config)# interface e0/0
Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in

Permit inside-initiated traffic from the 10.0.0.0 network.

Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any

Configure CBAC to inspect TCP and UDP traffic.

Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp

Apply an ACL and inspection rule to the outside interface in an inward direction.

Router(config)# interface e0/1
Router(config-if)# ip access-group 102 in

Permit outside-initiated ICMP and HTTP traffic to host 172.16.0.2.

Router(config)# access-list 102 permit icmp any host 172.16.0.2
Router(config)# access-list 102 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 102 deny ip any any

Inbound Traffic

Router(config)# ip inspect name INBOUND tcp

DMZ-Bound Traffic

Router(config)# interface e1/0
Router(config-if)# ip access-group 103 in
Router(config-if)# ip access-group 104 out

Permit only ICMP traffic initiated in the DMZ.

Router(config)# access-list 103 permit icmp host 172.16.0.2 any
Router(config)# access-list 103 deny ip any any

Permit only outward ICMP and HTTP traffic to host 172.16.0.2.

Router(config)# access-list 104 permit icmp any host 172.16.0.2
Router(config)# access-list 104 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 104 deny ip any any

show Commands

Router# show ip inspect name inspection-name
Router# show ip inspect config
Router# show ip inspect interfaces
Router# show ip inspect session [detail]
Router# show ip inspect all

Displays CBAC configurations, interface configurations, and sessions.

Router# sh ip inspect session
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN

debug Commands

Router# debug ip inspect function-trace
Router# debug ip inspect object-creation
Router# debug ip inspect object-deletion
Router# debug ip inspect events
Router# debug ip inspect timers

General debug commands.

Router# debug ip inspect protocol

Protocol-specific debug.

Remove CBAC Configuration

Router(config)# no ip inspect

Removes the entire CBAC configuration:
– Resets all global timeouts and thresholds to the defaults.
– Deletes all existing sessions.
– Removes all associated dynamic ACLs.
