Page 1: Cisco VPN Partner Technical Development
Module 7 : IOS Router Security Features
APAC Channels Technical Operations
Page 2
• IOS Firewall (CBAC)
• IOS IDS
Page 3: Cisco IOS Firewall
Context-Based Access Control (CBAC)
Page 4: Cisco IOS Firewall Overview
Cisco IOS Firewall Feature Set is a suite of powerful security features for Cisco IOS routers, including:
• Context-Based Access Control (CBAC)
• Authentication proxy
• Intrusion detection
• Denial-of-service detection and prevention
• Network Address Translation: hides the internal network from the outside for enhanced security
• Time-based access lists: define the security policy by time of day and day of week
• Real-time alerts, audit trail and event logging
• Redundancy/fail-over: traffic is automatically routed to a backup router if a failure occurs
• VPNs, IPSec encryption, and QoS support
Key platforms: Cisco 800, 900, 1400, 1600, 1700, 2500, 2600, 3600, 7100, 7200, and 7500 routers
Page 5: Context-Based Access Control (CBAC)
• CBAC permits or denies specified TCP and UDP traffic through a firewall.
– A state table is maintained with session information.
– Opening allows returning traffic and additional data to enter.
– CBAC only allows traffic back that is part of the original session.
• ACLs are dynamically created or deleted.
• Provides Denial of Service detection and prevention.
[Figure: router between the internal network and the Internet, inspecting TCP and UDP sessions]
Page 6: Context-Based Access Control (CBAC) Overview
Cisco IOS ACLs
• Provide traffic filtering by
– Source and destination IP addresses
– Source and destination ports
• Can be used to implement a filtering firewall
– Ports are opened permanently to allow traffic, creating a security vulnerability.
– Do not work with applications that negotiate ports dynamically
CBAC
• Inspects and monitors control channels of connections
• Can specify which protocol is inspected
• Recognizes application-specific commands
• Configurable attack responses
• Handles multichannel applications and uses sequence
Page 7: How CBAC Works
[Figure: inside host 10.0.0.3 (port 2447) opening a Telnet session (port 23) to 172.30.1.50 through the firewall router]
1. Control traffic is inspected by the CBAC rule:
ip inspect name FWRULE tcp
2. CBAC creates a dynamic ACL allowing return traffic back through the firewall:
access-list 102 permit TCP host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
3. CBAC continues to inspect control traffic and dynamically creates and removes ACLs as required by the application. It also monitors and protects against application-specific attacks.
4. CBAC detects when an application terminates or times out and removes all dynamic ACLs for that session.
Page 8
• UNIX R-commands (such as rlogin, rexec, and rsh)
• Other multimedia
– Microsoft NetShow
– StreamWorks
– VDOLive
Page 9: CBAC Configuration
• Enable audit trails and alerts.
• Set global timeouts and thresholds.
• Define Port-to-Application Mapping (PAM).
• Define inspection rules.
• Apply inspection rules and ACLs to interfaces.
• Test and verify.
Page 10: Alerts and Audit Trails
• CBAC generates real-time alerts and audit trails.
– Automatic alerts generated when attack prevention is enabled
– Alerts configurable via a syslog management tool
• Audit trail features use Syslog to track all network transactions.
• With CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.
– Examples include: Denial-of-Service (DoS) attacks, SMTP command attacks, or denied Java applets
Page 11: Enable Audit Trail and Alert
Router(config)# logging on
Router(config)# logging 10.0.0.3
Router(config)# ip inspect audit-trail
• Enables the Syslog server and turns on logging
Page 12: Set Global Timeouts and Thresholds
TCP SYN and FIN Wait Times
ip inspect tcp synwait-time seconds
Page 13: Set Global Timeouts and Thresholds
TCP, UDP, and DNS Idle Times
Router(config)#
ip inspect tcp idle-time seconds
ip inspect udp idle-time seconds
• Length of time allowed for a TCP or UDP session with no activity.
• TCP idle-time default: 3600 seconds (1 hour)
• UDP idle-time default: 30 seconds
Router(config)#
ip inspect dns-timeout seconds
• Length of time allowed for a DNS session with no activity.
• Default: 5 seconds
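The session-table behaviour described on pages 5, 7 and 13 (an inside-initiated session opens a temporary return path, only matching traffic is let back in, entries are removed on session end or after the idle time) can be seen in a small model. This is an added example written for this page, not Cisco code or output from the slides; the inside prefix 10.0.0., the hosts and ports, and the ordering of packets are constructed sample values, and the timeouts are the page 13 defaults.

```python
"""Added example (not from the slides or from Cisco): a small model of the
CBAC session table described on pages 5, 7 and 13.  An inside-initiated
TCP or UDP packet opens a return-path entry (the "dynamic ACL"), packets
from outside are permitted only if they match an open entry, the entry is
closed on FIN and aged out after the idle time (tcp 3600 s, udp 30 s).
The inside prefix and the flows in demo() are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class CbacTable:
    # Page 13 defaults: idle time after which a session entry is removed.
    IDLE_SECONDS = {"tcp": 3600.0, "udp": 30.0}

    def __init__(self, inside_prefix: str = "10.0.0.") -> None:
        self.inside_prefix = inside_prefix       # assumption: inside hosts share this prefix
        self.sessions: dict = {}                 # inside-initiated Flow -> last activity time

    def _expire(self, now: float) -> None:
        """Age out entries that have been idle longer than their protocol's idle time."""
        for flow in [f for f, last in self.sessions.items()
                     if now - last > self.IDLE_SECONDS[f.proto]]:
            del self.sessions[flow]

    def packet(self, flow: Flow, now: float, fin: bool = False) -> str:
        """Return 'permit' or 'deny' for one packet and update the table."""
        self._expire(now)
        if flow.src.startswith(self.inside_prefix):
            # Outbound, inside-initiated: inspected and allowed.  A FIN closes the
            # session; anything else opens or refreshes the return-path entry.
            if fin:
                self.sessions.pop(flow, None)
            else:
                self.sessions[flow] = now
            return "permit"
        # Inbound: permitted only if it is the reverse of an open session.
        key = flow.reverse()
        if key not in self.sessions:
            return "deny"
        if fin:
            del self.sessions[key]
        else:
            self.sessions[key] = now
        return "permit"


def demo() -> list:
    """Walk the Telnet session of page 7 and a DNS lookup through the table."""
    table = CbacTable()
    telnet = Flow("tcp", "10.0.0.3", 2447, "172.30.1.50", 23)
    dns = Flow("udp", "10.0.0.3", 5000, "172.30.1.50", 53)
    stray = Flow("tcp", "172.30.1.50", 23, "10.0.0.3", 2448)   # no inside session opened this
    steps = [
        (telnet, 0.0, False),             # inside opens Telnet        -> permit
        (telnet.reverse(), 1.0, False),   # server reply               -> permit
        (stray, 2.0, False),              # unsolicited from outside   -> deny
        (dns, 3.0, False),                # inside DNS query           -> permit
        (dns.reverse(), 40.0, False),     # reply after 37 s idle      -> deny (udp idle 30 s)
        (telnet.reverse(), 41.0, False),  # Telnet still within 3600 s -> permit
        (telnet, 42.0, True),             # inside sends FIN           -> permit, entry removed
        (telnet.reverse(), 43.0, False),  # late reply                 -> deny
    ]
    return [table.packet(flow, t, fin) for flow, t, fin in steps]


if __name__ == "__main__":
    print(demo())
```

The "stray" packet is the case a static ACL cannot express: it arrives on the same server port as legitimate return traffic but belongs to no session the inside host opened, so it is dropped.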
Page 14: Port-to-Application Mapping (PAM)
• Can specify a single port or a range of ports in the PAM table
• User-defined entries are saved in the router configuration
• CBAC uses PAM to determine the application configured for a port.
• Default examples include (but are not limited to):
Page 15: Display PAM Configuration
Router#
show ip port-map
• Shows all port mapping information.
Router#
show ip port-map appl_name
• Shows port mapping information for a given application.
Router#
show ip port-map port port_num
• Shows port mapping information for a given application on a given port.
Router# sh ip port-map ftp
Default mapping: ftp port 21 system defined
Host specific: ftp port 1000 in list 10 user
Page 16: Inspection Rules
• Inspection rules specify what is to be inspected by CBAC
• Typically one inspection rule is defined per firewall interface
– The exception is to define two rules for the two directions at a single firewall interface
• Define Inspection Rules for:
Page 17: Inspection Rules for Application Protocols
Router(config)#
ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
• Defines the application protocols to inspect.
• Will be applied to an interface
– Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive.
– alert, audit-trail, and timeout are configurable per protocol and override global settings.
Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300
Page 18: Apply an Inspection Rule to an Interface
Router(config-if)#
ip inspect inspection-name {in | out}
• Applies the named inspection rule to an interface.
Router(config)# interface e0/0
Router(config-if)# ip inspect FWRULE in
• Applies the inspection rule to interface e0/0 in the inward direction.
Page 19: General Rules for Applying Inspection Rules and ACLs
• Interface where traffic initiates
– Apply an ACL on the inward direction that permits only wanted traffic.
– Apply a rule on the inward direction that inspects wanted traffic.
• All other interfaces
– Apply an ACL on the inward direction that denies all unwanted traffic, except traffic (such as ICMP) not inspected by CBAC.
Page 20: Example—Two Interface Firewall
[Figure: router with an inside interface and an outside interface facing the Internet]
Outbound
• Allow all general TCP and UDP traffic
• Allow all ICMP traffic
• Deny everything else
Page 21: Outbound Traffic Configuration
• Apply an ACL and inspection rule to the inside interface in an inward direction.
• Permit inside-initiated traffic from the 10.0.0.0 network.
Router(config)# interface e0/0
Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in
Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any
Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp
• Configure CBAC to inspect TCP and UDP traffic.
[Figure: e0/0 on the inside, e0/1 on the outside]
Page 22: Inbound Traffic Configuration
Router(config)# access-list 102 permit icmp any host 10.0.0.3
Router(config)# access-list 102 permit tcp any host 10.0.0.3 eq www
Router(config)# access-list 102 deny ip any any
• Permit outside-initiated ICMP and HTTP traffic to host 10.0.0.3.
Router(config)# interface e0/1
Router(config-if)# ip access-group 102 in
• Apply an ACL and inspection rule to the outside interface in the inward direction.
Page 23: show Commands
Router#
show ip inspect name inspection-name
show ip inspect config
show ip inspect interfaces
show ip inspect session [detail]
show ip inspect all
• Displays CBAC configurations, interface configurations, and sessions.
Router# sh ip inspect session
Established Sessions
Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
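When verifying CBAC (page 23) it helps to turn the session listing into something that can be counted and cross-checked against the PAM table of pages 14 and 15, so that sessions to ports CBAC has no application mapping for stand out. The following is an added example, not code from the slides or from Cisco: the session lines are constructed in the format shown above, the PAM table is a constructed subset of the system defaults plus the page 15 user entry "ftp port 1000 in list 10", and the standard ACL that a real user entry refers to is modelled simply as a set of host addresses.

```python
"""Added example (not from the slides or from Cisco): parse the output of
`show ip inspect session` (page 23) and label each session with the
application CBAC would associate with its destination port, using a
Port-to-Application Mapping table (pages 14 and 15).  The PAM table, the
host-specific entry and the session lines are constructed samples; the
access list a real user entry refers to is modelled as a set of hosts."""
import re
from collections import Counter

# Constructed sample output in the page 23 format.
SHOW_IP_INSPECT_SESSION = """\
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
 Session 6157B210 (10.0.0.7:41000)=>(172.30.0.50:1000) tcp SIS_OPEN
 Session 6157C3A0 (10.0.0.7:41001)=>(172.30.0.51:1000) tcp SIS_OPEN
 Session 6157D450 (10.0.0.9:41002)=>(172.30.0.51:25) tcp SIS_OPEN
"""

# System-defined PAM entries (a constructed subset of the IOS defaults).
SYSTEM_PAM = {21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 80: "http"}
# User entry as on page 15: "ftp port 1000 in list 10"; list 10 modelled as a host set.
USER_PAM = [(1000, "ftp", {"172.30.0.50"})]

SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-F]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>\w+)")


def pam_lookup(dport: int, dst: str) -> str:
    """Host-specific user entries take precedence over the system defaults."""
    for port, app, hosts in USER_PAM:
        if port == dport and dst in hosts:
            return app
    return SYSTEM_PAM.get(dport, "unknown")


def parse_sessions(text: str) -> list:
    """Return one dict per session line, annotated with the PAM application."""
    sessions = []
    for m in SESSION_RE.finditer(text):
        s = m.groupdict()
        s["sport"], s["dport"] = int(s["sport"]), int(s["dport"])
        s["app"] = pam_lookup(s["dport"], s["dst"])
        sessions.append(s)
    return sessions


def summarize(text: str) -> dict:
    """Count sessions per application and list those with no PAM mapping."""
    sessions = parse_sessions(text)
    return {
        "by_app": dict(Counter(s["app"] for s in sessions)),
        "unmapped": [(s["src"], s["dst"], s["dport"])
                     for s in sessions if s["app"] == "unknown"],
    }


if __name__ == "__main__":
    for s in parse_sessions(SHOW_IP_INSPECT_SESSION):
        print(f'{s["src"]}:{s["sport"]} -> {s["dst"]}:{s["dport"]} '
              f'{s["proto"]} {s["state"]} app={s["app"]}')
    print(summarize(SHOW_IP_INSPECT_SESSION))
```

The two sessions to port 1000 show the precedence rule: the one to 172.30.0.50 is classified as ftp through the user entry, the one to 172.30.0.51 is not in list 10 and falls through to "unknown".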
Page 24: debug Commands
Router#
debug ip inspect function-trace
debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect events
debug ip inspect timers
• General debug commands.
Router(config)#
debug ip inspect protocol
• Protocol-specific debug.
Page 25: Remove CBAC Configuration
Router(config)#
no ip inspect
• Removes the entire CBAC configuration.
• Resets all global timeouts and thresholds to the defaults.
• Deletes all existing sessions.
• Removes all associated dynamic ACLs.
Page 26
• Cisco IOS Firewall is a suite of features for Cisco IOS routers that provides context-based access control, authentication proxy, intrusion detection and many more features.
• CBAC protects networks by controlling access through a Cisco router and protecting against DoS attacks.
• Configuration sequence:
– Enable audit trails and alerts.
– Set global timeouts and thresholds.
– Define Port-to-Application Mapping (PAM).
– Define inspection rules.
– Apply inspection rules and ACLs to interfaces.
– Test and verify.
Page 27: Cisco IOS IDS
Page 28: Cisco IOS Firewall Intrusion Detection
• Acts as an in-line intrusion detection sensor protecting the network from internal and external attacks and threats
• Matches network traffic against 102 common attack signatures
• Smaller version of the IDS Sensor, combined with Cisco IOS Firewall for Cisco 831, 1720, 2600, 3600, 7100, 7200, 7500 and Catalyst Series Routers
• Forces nearly all traffic through intrusion detection
• Eliminates the requirement for switch configuration modification
• Ideal for intranet, extranet, and branch-office Internet perimeters
[Figure: router between the internal network and the Internet, inspecting TCP and UDP traffic]
Page 29: Signature Implementations
• Atomic
– Single-packet signatures
– Typically do not require memory allocation
– Minimally impact router performance
Page 30: Attack Response Options
When a packet or packets match a signature, the router can perform an attack response:
• Alarm
– Sends alarms to the Cisco IDS Director, Syslog server, or router console
– Forwards the packet
• Reset—Sends packets with the reset flag to both session participants if the protocol is TCP; forwards the packet
• Drop—Immediately drops the packet
[Figure: attack from the untrusted network arrives on S0 of a Cisco IOS router with Firewall IDS, which sends an alarm to the Director or Syslog server and forwards toward E0]
Page 31: Configuration Tasks
• Initialize IOS Firewall IDS on the router.
• Configure, disable, or exclude signatures.
• Create and apply audit rules.
• Verify the configuration.
• Add the IOS Firewall IDS router to the Director or Syslog server.
Page 32: Initializing the Cisco IOS Firewall IDS
Initializing the Cisco IOS Firewall IDS on the router includes:
• Set the notification type
– SYSLOG server
– Router's PostOffice parameters (for CSIDD)
– Director's PostOffice parameters (for CSIDD)
• Set the protected network
• Set the notification queue size
Page 33: Set Notification Type
Router(config)#
ip audit notify {nr-director|log}
• Sets the notification type
– nr-director sends messages in PostOffice format to the CSIDD or sensor
– log sends messages in syslog format to the router's console or a SYSLOG server
Router(config)# ip audit notify nr-director
Router(config)# ip audit notify log
Page 34: Set the Protected Network
ip audit po protected ip-addr [to ip-addr]
Page 35: Set the Notification Queue Size
Router(config)#
ip audit po max-events num-of-events
• Sets the maximum number of alarms saved in the router queue.
• The default is 100 alarms.
• Caution: the router has limited persistent storage; if the queue fills, alarms are lost on a FIFO basis.
• The reliability versus memory trade-off is that each alarm uses 32 KB of memory.
Router(config)# ip audit po max-events 300
Page 36: Configure Spam Attack
Router(config)#
ip audit smtp spam num-of-recipients
• Specifies the number of mail recipients over which a spam attack is suspected (signature identification 3106)
• The default is 250
Router(config)# ip audit smtp spam 350
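The check behind signature 3106 is a per-transaction recipient count on the SMTP control channel. The following added example (not code from the slides or from Cisco) models it: it walks a constructed SMTP command transcript, counts RCPT TO commands since the last MAIL FROM or RSET, and raises one alarm for a transaction whose count exceeds the configured number of recipients. The page default of 250 is kept as the function default; the demo lowers it so the alarm fires on a short sample.

```python
"""Added example (not from the slides or from Cisco): a model of the SMTP
spam check of page 36 (signature 3106), which alarms when one mail
transaction is addressed to more recipients than `ip audit smtp spam`
allows (default 250).  The transcript below is a constructed sample."""

# Constructed client-side SMTP commands: one small message, then a bulk one.
SAMPLE_SMTP = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "RCPT TO:<carol@example.com>",
    "DATA",
    "MAIL FROM:<bulk@example.org>",
    "RCPT TO:<u1@example.com>",
    "RCPT TO:<u2@example.com>",
    "RCPT TO:<u3@example.com>",
    "RCPT TO:<u4@example.com>",
    "DATA",
    "QUIT",
]


def audit_smtp(commands: list, max_recipients: int = 250) -> list:
    """Count RCPT TO per transaction; return one alarm per transaction whose
    recipient count exceeds max_recipients (signature 3106)."""
    alarms = []
    sender, recipients, alarmed = None, 0, False
    for line in commands:
        upper = line.strip().upper()
        if upper.startswith("MAIL FROM:") or upper == "RSET":
            # A new transaction starts: reset the per-message state.
            sender = line.split(":", 1)[1].strip() if upper.startswith("MAIL FROM:") else None
            recipients, alarmed = 0, False
        elif upper.startswith("RCPT TO:"):
            recipients += 1
            if recipients > max_recipients and not alarmed:
                alarmed = True    # alarm once, not on every further recipient
                alarms.append({"signature": 3106, "sender": sender,
                               "recipients": recipients})
    return alarms


if __name__ == "__main__":
    print(audit_smtp(SAMPLE_SMTP, max_recipients=3))   # one alarm, the bulk sender
    print(audit_smtp(SAMPLE_SMTP))                      # default 250: no alarm
```

A RSET or a new MAIL FROM resets the count, so a legitimate client sending many small messages over one connection is not mistaken for a single large fan-out.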
Page 37: Cisco IOS IDS: DoS Prevention
ip inspect max-incomplete high <n1>
ip inspect max-incomplete low <n2>
• Cisco IOS Software maintains a list of connection attempts through configured services when CBAC and Cisco IOS IDS are configured.
• If the configured thresholds for unfinished connections are exceeded, a RST is sent to the host requesting the connection.
Defaults for n1 and n2 are 500 and 400, respectively.
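The high/low pair above is a pair of watermarks rather than a single limit: the router tolerates half-open connections up to the high mark and, once that is crossed, sheds them until the count is back at the low mark, so the protection does not flap around one value. The following is an added example written for this page, not Cisco code: it models that hysteresis with the page defaults of 500 and 400 as the class defaults. Two details are simplifying assumptions of the model rather than facts from the page: the oldest half-open attempts are torn down first, and shedding runs down to the low mark in one pass. The flows in demo() are constructed sample values, with the watermarks scaled down to 5 and 3 so the behaviour is visible.

```python
"""Added example (not from the slides or from Cisco): a model of the
half-open connection thresholds of page 37 (`ip inspect max-incomplete
high` / `low`, defaults 500 and 400).  Attempts are tracked until the
handshake completes; once the count exceeds the high watermark the oldest
half-open attempts are torn down (the requesting host receives a RST)
until the count is at the low watermark.  Oldest-first and one-pass
shedding are simplifying assumptions of this model."""
from collections import OrderedDict


class HalfOpenGuard:
    def __init__(self, high: int = 500, low: int = 400) -> None:
        if low >= high:
            raise ValueError("low watermark must be below the high watermark")
        self.high, self.low = high, low
        self.half_open = OrderedDict()   # flow tuple -> time of the SYN, oldest first
        self.resets_sent = []            # flows torn down with a RST

    def syn(self, flow: tuple, now: float) -> None:
        """A new connection attempt (SYN) seen through the firewall."""
        self.half_open[flow] = now
        self.half_open.move_to_end(flow)
        if len(self.half_open) > self.high:
            self._shed()

    def established(self, flow: tuple) -> None:
        """Handshake completed: the attempt is no longer half-open."""
        self.half_open.pop(flow, None)

    def _shed(self) -> None:
        """Tear down the oldest half-open attempts until the low mark is reached."""
        while len(self.half_open) > self.low:
            oldest, _ = self.half_open.popitem(last=False)
            self.resets_sent.append(oldest)   # RST goes to the requesting host

    def count(self) -> int:
        return len(self.half_open)


def demo(high: int = 5, low: int = 3) -> dict:
    """Scaled-down watermarks so the shedding is visible with a handful of flows.
    Seven SYNs from different outside hosts to inside server 10.0.0.3:80;
    the second one completes its handshake before the flood continues."""
    guard = HalfOpenGuard(high=high, low=low)

    def flow(i: int) -> tuple:
        return ("172.30.0.%d" % i, 40000 + i, "10.0.0.3", 80)   # constructed sample hosts

    for i in (1, 2, 3, 4):
        guard.syn(flow(i), float(i))
    guard.established(flow(2))          # host .2 finished its handshake
    for i in (5, 6, 7):
        guard.syn(flow(i), float(i))    # the 7th SYN pushes the count past high
    return {"half_open": guard.count(),
            "resets": len(guard.resets_sent),
            "reset_hosts": [f[0] for f in guard.resets_sent]}


if __name__ == "__main__":
    print(demo())
```

Because host .2 completed its handshake it is no longer in the half-open list, so the three oldest attempts removed when the seventh SYN crosses the high mark are from hosts .1, .3 and .4; the three most recent attempts are kept.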
Page 38: Disable Signatures Globally
Router(config)#
ip audit signature sig-id disable
• Specifies signatures that will not be audited.
• Keeps specific signatures from alarming
– Performance reasons
– Prevent normal traffic from generating false alarms
• Refer to the Cisco IOS Security Configuration Guide for the complete list of signatures
Router(config)# ip audit signature 1004 disable
Router(config)# ip audit signature 1006 disable
Router(config)# ip audit signature 3102 disable
Router(config)# ip audit signature 3104 disable
Page 39: Packet Auditing Process
• Step 1—Set the default actions for information and attack signatures.
• Step 2—Create an audit rule:
– Signatures to audit—Information, attack
– Actions to take—Alarm, reset, drop
• Step 3—Apply the audit rule to an interface:
– Inbound—Audit packets before ACLs discard them
– Outbound—No auditing of the packets discarded by ACLs
• Step 4—Packets are audited
Page 40: Step 1—Set the Default Actions for Information and Attack Signatures
Router(config)#
ip audit info action [alarm] [drop] [reset]
• Sets default actions for information signatures.
Router(config)# ip audit info action alarm
Router(config-if)#
ip audit attack action [alarm] [drop] [reset]
• Sets default actions for attack signatures.
Router(config-if)# ip audit attack action alarm drop reset
Page 41: Steps 2 and 3—Create and Apply an IDS Audit
Router(config)#
ip audit name audit-name {info|attack} [action [alarm] [drop] [reset]]
• Specifies the audit name, signature type, and actions.
Router(config)# ip audit name AUDIT1 info action alarm
Router(config)# ip audit name AUDIT1 attack action alarm drop reset
Router(config-if)#
ip audit audit-name {in|out}
• Applies the audit to an interface.
Router(config)# interface e0
Router(config-if)# ip audit AUDIT1 in
Page 42: show Commands
Router# show ip audit statistics
Router# show ip audit configuration
Router# show ip audit interface
Router# show ip audit debug
• Displays various statistics, configurations, interface configurations, and debug flags.
Page 43: debug Commands
Router# debug ip audit timers
Router# debug ip audit object-creation
Router# debug ip audit object-deletion
Router# debug ip audit function trace
Router# debug ip audit detailed
Router# debug ip audit ftp-cmd
Router# debug ip audit ftp-token
Router# debug ip audit icmp
Router# debug ip audit ip
Router# debug ip audit rpc
Router# debug ip audit smtp
Router# debug ip audit tcp
Router# debug ip audit tftp
Router# debug ip audit udp
• Instead of no, undebug may be used.
Page 44
• The Cisco IOS Firewall IDS package is a smaller version of the IDS Sensor located within IOS routers.
• The two types of signature implementations used by the Cisco IOS Firewall IDS are Atomic and Compound.
• You need to create and apply audit rules to the IDS configuration.
• You need to select the attack signatures for IDS monitoring.
• You need to verify the Cisco IOS Firewall IDS configuration using debug commands.
• You may add a Cisco IOS Firewall IDS router to a Syslog server.