© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Module 6: Cisco IOS Threat Defense Features
Lesson 6.2: Implementing Cisco IOS Firewalls

Objectives
 Describe the steps needed to configure a network firewall using Cisco IOS.
 Explain how to determine which interfaces should be configured with firewall commands.
 Explain where to place Access Control Lists in order to filter traffic.
 Describe how to configure inspection rules for application protocols.
 Describe how to verify and troubleshoot firewall configurations.

Cisco IOS Firewall Configuration Tasks Using the CLI
 Pick an interface: internal or external.
 Configure IP ACLs at the interface.
 Define inspection rules.
 Apply inspection rules and ACLs to interfaces.
 Test and verify.

Configuring an External Interface
Figure: simple topology for configuring an external interface. Serial 1 connects the internal network to the external network (the Internet); the arrows mark traffic entering and traffic exiting on that interface.

Configuring an Internal Interface
Figure: simple topology for configuring an internal interface. Ethernet 0 faces the internal network; the external network (the Internet) and a DMZ holding a web server and a DNS server sit on the other side. The arrows mark traffic entering and exiting, and the DMZ is labelled "Access allowed".

Access Control Lists Filter Traffic
Figure: Host A on the Research and Development network and Host B on the Human Resources network, with a router between the two networks. The ACL on the router allows one path and blocks the other (marked with an X).

IP ACL Configuration Guidelines
Rule 1: Start with a basic configuration.
Rule 2: Permit traffic the Cisco IOS Firewall is to inspect.
Rule 3: Use extended ACLs to filter traffic from unprotected sources.
Rule 4: Set up antispoofing protection.
Rule 5: Deny broadcast attacks.
Rule 6: Deny any traffic not already included in the previous configuration.
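The six rules above are the kind of thing worth checking mechanically before a firewall goes live. The following is an added example, not code from the Cisco course: a small Python linter that reads a running-config excerpt and reports where Rules 2 to 6 are not met. The embedded sample configuration is the two-interface firewall example from later in this lesson; the name of the outside interface and the internal address block are assumptions supplied by the caller.

```python
"""Lint a Cisco IOS Firewall configuration against the ACL guidelines.

Added example, not code from the Cisco course. Checks Rules 2 to 6 of the
"IP ACL Configuration Guidelines" on a running-config excerpt. Which
interface faces the Internet and what the internal address block is are
assumptions the caller passes in.
"""

# Constructed sample: the lesson's two-interface firewall example.
SAMPLE_CONFIG = """\
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet0/0
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect OUTBOUND in
 ip access-group INSIDEACL in
!
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any
 permit udp any any
 permit icmp any any
"""


def parse_config(text):
    """Group config lines into ACLs (token lists), inspect rules and interfaces."""
    acls, inspects, ifaces = {}, {}, {}
    block = None                                   # ("acl", name) or ("if", name)
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            block = None
        elif t[:3] == ["ip", "access-list", "extended"]:
            block = ("acl", t[3])
            acls[t[3]] = []
        elif t[0] == "interface":
            block = ("if", t[1])
            ifaces[t[1]] = {}
        elif t[:3] == ["ip", "inspect", "name"]:
            inspects.setdefault(t[3], set()).add(t[4])
        elif block and block[0] == "acl" and t[0] in ("permit", "deny"):
            acls[block[1]].append(t)
        elif block and block[0] == "if" and t[:2] == ["ip", "access-group"]:
            ifaces[block[1]]["acl_" + t[3]] = t[2]          # acl_in / acl_out
        elif block and block[0] == "if" and t[:2] == ["ip", "inspect"]:
            ifaces[block[1]]["inspect_" + t[3]] = t[2]      # inspect_in / inspect_out
    return acls, inspects, ifaces


def denies_broadcast(ace):
    """True for an ACE such as 'deny ip host 255.255.255.255 any'."""
    if ace[0] != "deny" or "host" not in ace:
        return False
    i = ace.index("host") + 1
    return i < len(ace) and ace[i] == "255.255.255.255"


def lint(text, outside_iface, internal_prefixes):
    """Return (rule, object, message) findings; internal_prefixes are
    (network, wildcard) pairs in IOS notation, e.g. ("10.0.0.0", "0.255.255.255")."""
    acls, inspects, ifaces = parse_config(text)
    findings = []
    for name, cfg in ifaces.items():
        acl, insp = cfg.get("acl_in"), cfg.get("inspect_in")
        if acl and acl not in acls:               # Rule 3: only extended ACLs were parsed
            findings.append((3, name, f"inbound ACL {acl} is not a defined extended ACL"))
            continue
        if insp and insp not in inspects:
            findings.append((2, name, f"inspect rule {insp} is not defined"))
        elif insp and acl:                        # Rule 2: inspected traffic must be permitted
            for proto in sorted(inspects[insp]):
                if not any(a[0] == "permit" and a[1] in (proto, "ip") for a in acls[acl]):
                    findings.append((2, name, f"{acl} never permits {proto}, which {insp} inspects"))
        if acl and acls[acl]:                     # Rule 6: explicit, logged final deny
            last = acls[acl][-1]
            if last[:4] != ["deny", "ip", "any", "any"]:
                findings.append((6, acl, "does not end with an explicit 'deny ip any any'"))
            elif "log" not in last:
                findings.append((6, acl, "final deny does not log rejected traffic"))
    out = ifaces.get(outside_iface, {}).get("acl_in")
    aces = acls.get(out, [])
    permits = [i for i, a in enumerate(aces) if a[0] == "permit"]
    first_permit = permits[0] if permits else len(aces)
    for net, wild in internal_prefixes:           # Rule 4: antispoofing ahead of any permit
        deny = [i for i, a in enumerate(aces) if a[:5] == ["deny", "ip", net, wild, "any"]]
        if not deny or deny[0] > first_permit:
            findings.append((4, out, f"no 'deny ip {net} {wild} any' ahead of the permits"))
    if not any(denies_broadcast(a) for a in aces):  # Rule 5
        findings.append((5, out, "no explicit deny of the limited broadcast 255.255.255.255"))
    return findings


def lint_sample():
    """Lint the sample with Fa0/0 as the outside and 10.0.0.0/8 as the inside (assumed)."""
    return lint(SAMPLE_CONFIG, "FastEthernet0/0", [("10.0.0.0", "0.255.255.255")])
```

Run against the lesson's two-interface example, `lint_sample()` reports three findings: INSIDEACL ends on a permit rather than an explicit, logged deny (Rule 6), and OUTSIDEACL carries neither an antispoofing deny for the internal block (Rule 4) nor a deny of the limited broadcast address (Rule 5). The slide example works because every ACL ends in an implicit deny; the guidelines ask for those entries to be explicit so that rejected and spoofed traffic shows up in the logs.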

Set Audit Trails and Alerts

Router(config)#logging on
Router(config)#logging host
Router(config)#ip inspect audit-trail
Router(config)#no ip inspect alert-off

Router(config)#ip inspect audit-trail
Enables the delivery of audit trail messages using syslog.

Router(config)#no ip inspect alert-off
Enables real-time alerts (undoes an earlier ip inspect alert-off).

Define Inspection Rules for Application Protocols

Router(config)#ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

Defines the application protocols to inspect; the named rule is later applied to an interface.
 Available protocols include tcp, udp, icmp, smtp, esmtp, cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, and others.
 Alert, audit-trail, and timeout are configurable per protocol and override the global settings.

Router(config)#ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)#ip inspect name FWRULE ftp alert on audit-trail on timeout 300

ip inspect name Parameters

inspection-name: Names the set of inspection rules. To add a protocol to an existing set of rules, use the same inspection name.
protocol: The protocol to inspect.
alert {on | off}: (Optional) For each inspected protocol, the generation of alert messages can be set to on or off. If no option is selected, alerts are generated based on the setting of the ip inspect alert-off command.
audit-trail {on | off}: (Optional) For each inspected protocol, the audit trail can be set to on or off. If no option is selected, audit trail messages are generated based on the setting of the ip inspect audit-trail command.
timeout seconds: (Optional) An idle timeout, in seconds, that overrides the global TCP or UDP idle timeout for the specified protocol. It does not override the global Domain Name Service (DNS) timeout.

Inspection Rules for Application Protocols

Example 1: Java applets are allowed only from the sites permitted by standard access list 10 (the java-list); applets from any other site are blocked:
ip inspect name PERMIT_JAVA http java-list 10
access-list 10 permit
access-list 10 any
(The address on the permit line and the action on the last line did not survive in this transcript.)

Example 2: Telling Cisco IOS Firewall what to inspect:
ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout
ip inspect name in2out http
ip inspect name in2out udp
(The timeout value on the tcp line did not survive in this transcript.)

ip inspect Parameters and Guidelines

Router(config-if)#ip inspect inspection-name {in | out}
Applies the named inspection rule to an interface.

inspection-name: Names the set of inspection rules.
in: Applies the inspection rules to inbound traffic.
out: Applies the inspection rules to outbound traffic.

 On the interface where traffic initiates: apply an ACL in the inward direction that permits only wanted traffic, and apply the inspection rule in the inward direction so that the wanted traffic is inspected.
 On all other interfaces, apply an ACL in the inward direction that denies all unwanted traffic; inspection opens the return path for the sessions it tracks, so the return traffic does not need to be permitted statically.

Example: Two-Interface Firewall

ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet0/0
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect OUTBOUND in
 ip access-group INSIDEACL in
!
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any
 permit udp any any
 permit icmp any any
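The two-interface example is easiest to understand by following a few packets through it. The block below is an added example, not Cisco code: a conceptual simulator of how the inbound ACLs and the OUTBOUND inspection rule interact. The ACL contents, interface roles and inspect rule are taken from the slide; the host addresses and ports are assumptions, the `Ace` and `Firewall` classes are written here for illustration, and the session table is a model of the behaviour, not IOS internals.

```python
"""Walk packets through the two-interface firewall above.

Added example, not Cisco code: a conceptual simulator of how an inspection
rule opens the return path for sessions that an inbound ACL permitted,
while the outside ACL still drops unsolicited traffic. ACLs, interface
roles and inspect rules are the slide's; host addresses and ports are
assumptions, and the session table is a model, not IOS internals.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None


class Ace:
    """One extended ACE, e.g. 'permit tcp any host 192.0.2.10 eq 80 log'.
    Only a destination 'eq port' and a single ICMP keyword are understood."""

    def __init__(self, line):
        t = line.split()
        self.action, self.proto = t[0], t[1]
        self.src, i = self._addr(t, 2)
        self.dst, i = self._addr(t, i)
        self.port, self.icmp_type, self.log = None, None, False
        while i < len(t):
            if t[i] == "eq":
                self.port, i = int(t[i + 1]), i + 2
            elif t[i] == "log":
                self.log, i = True, i + 1
            else:                                  # ICMP keyword such as packet-too-big
                self.icmp_type, i = t[i], i + 1

    @staticmethod
    def _addr(t, i):
        if t[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if t[i] == "host":
            return ipaddress.ip_network(t[i + 1]), i + 2
        # network plus IOS wildcard mask; ipaddress accepts a hostmask after the slash
        return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

    def matches(self, p):
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.port is None or self.port == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


class Firewall:
    def __init__(self, acls, inspect, ifaces):
        self.acls = {n: [Ace(l) for l in lines] for n, lines in acls.items()}
        self.inspect = inspect          # inspect-name -> set of protocols
        self.ifaces = ifaces            # iface -> {"acl": name, "inspect": name}
        self.sessions, self.log = set(), []

    def receive(self, iface, p):
        """Return the verdict for packet p arriving inbound on iface."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if rev in self.sessions:        # reply to an inspected session: dynamic opening
            return "permit:session"
        cfg = self.ifaces[iface]
        verdict = "deny:implicit"       # every ACL ends with an implicit deny
        for ace in self.acls[cfg["acl"]]:
            if ace.matches(p):
                verdict = ace.action + ":acl"
                if ace.log:
                    self.log.append(f"list {cfg['acl']} {ace.action} {p.proto} {p.src} -> {p.dst}")
                break
        if verdict == "permit:acl" and p.proto in self.inspect.get(cfg.get("inspect"), ()):
            self.sessions.add(fwd)      # inspection records the session for return traffic
        return verdict


def run_scenario():
    """The slide's two-interface firewall with a handful of constructed packets."""
    fw = Firewall(
        acls={"OUTSIDEACL": ["permit icmp any any packet-too-big", "deny ip any any log"],
              "INSIDEACL": ["permit tcp any any", "permit udp any any", "permit icmp any any"]},
        inspect={"OUTBOUND": {"tcp", "udp", "icmp"}},
        ifaces={"FastEthernet0/0": {"acl": "OUTSIDEACL"},
                "FastEthernet0/1": {"acl": "INSIDEACL", "inspect": "OUTBOUND"}})
    inside, web, attacker = "10.1.1.10", "203.0.113.5", "198.51.100.7"   # assumed hosts
    r = {}
    r["outbound_http"] = fw.receive("FastEthernet0/1", Packet("tcp", inside, web, 40000, 80))
    r["http_reply"] = fw.receive("FastEthernet0/0", Packet("tcp", web, inside, 80, 40000))
    r["unsolicited_ssh"] = fw.receive("FastEthernet0/0", Packet("tcp", attacker, inside, 4444, 22))
    r["pmtud_icmp"] = fw.receive("FastEthernet0/0", Packet("icmp", web, inside, icmp_type="packet-too-big"))
    r["outbound_ping"] = fw.receive("FastEthernet0/1", Packet("icmp", inside, web, icmp_type="echo"))
    r["ping_reply"] = fw.receive("FastEthernet0/0", Packet("icmp", web, inside, icmp_type="echo-reply"))
    r["log"] = list(fw.log)
    return r
```

Calling `run_scenario()` shows the division of labour: the unsolicited SSH attempt from outside hits `deny ip any any log` in OUTSIDEACL and is logged, while the HTTP reply and the echo reply to sessions that started inside come back as `permit:session` even though the same outside ACL would otherwise deny them. INSIDEACL is deliberately open, OUTSIDEACL is deliberately closed, and the inspection rule bridges the two one session at a time. The `packet-too-big` permit is the one static hole in the outside ACL, kept so that path MTU discovery keeps working for inspected sessions.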

Example: Three-Interface Firewall

interface FastEthernet0/0
 ip inspect OUTSIDE in
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect INSIDE in
 ip access-group INSIDEACL in
!
interface FastEthernet0/2
 ip access-group DMZACL in
!
ip inspect name INSIDE tcp
ip inspect name OUTSIDE tcp
!
ip access-list extended OUTSIDEACL
 permit tcp any host eq 25
 permit tcp any host eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended DMZACL
 permit icmp any any packet-too-big
 deny ip any any log

(The DMZ server addresses after "host" in OUTSIDEACL did not survive in this transcript.)

Verifying Cisco IOS Firewall

Router#show ip inspect name inspection-name
Router#show ip inspect config
Router#show ip inspect interfaces
Router#show ip inspect session [detail]
Router#show ip inspect statistics
Router#show ip inspect all
Displays inspections, interface configurations, sessions, and statistics.

Router#show ip inspect session
Established Sessions
 Session C ( :35009)=>( :34233) tcp SIS_OPEN
 Session 6156F0CC ( :35011)=>( :34234) tcp SIS_OPEN
 Session 6156AF74 ( :35010)=>( :5002) tcp SIS_OPEN
Router#
(The addresses in the session output did not survive in this transcript.)

Troubleshooting Cisco IOS Firewall

General debug commands:
Router#debug ip inspect function-trace
Router#debug ip inspect object-creation
Router#debug ip inspect object-deletion
Router#debug ip inspect events
Router#debug ip inspect timers
Router#debug ip inspect detail

Protocol-specific debug:
Router#debug ip inspect protocol

Summary
 The main feature of the Cisco IOS Firewall has always been its stateful inspection.
 An ACL can allow one host to access a part of your network and prevent another host from accessing the same area.
 Use access lists in "firewall" routers that you position between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network.
 An inspection rule should specify each desired application layer protocol that the Cisco IOS Firewall will inspect, as well as generic TCP, UDP, or Internet Control Message Protocol (ICMP), if desired.
 Use the ip inspect name command in global configuration mode to define a set of inspection rules.

Q and A

Resources
 Cisco IOS Firewall Introduction: ex.html
 Cisco IOS Firewall Support: _products_support_series_home.html
 Cisco IOS Firewall Design Guides: ducts_implementation_design_guides_list.html
(Only the tails of the URLs survived in this transcript.)