© 2012 Cisco and/or its affiliates. All rights reserved.

Slide 1: Classic IOS Firewall using CBACs


Slide 2: Although CBAC serves as a good foundation for understanding the revolutionary path toward modern zone-based firewalls, detailed knowledge of the configuration, monitoring and troubleshooting of this technology is no longer part of the certification exam. This CBAC presentation has been included for instructors who wish to provide background information for students.

Slide 3: Context-based access control (CBAC) is a Cisco IOS Firewall solution. CBAC intelligently filters TCP and UDP packets based on Application Layer protocol session information.
– CBAC can also examine NAT and PAT translations.
– Provides stateful Application Layer filtering for protocols that are specific to unique applications, as well as applications and protocols that require multiple ports, such as FTP and H.323.
– CBAC can block peer-to-peer (P2P) connections and instant messaging traffic.

Slide 4: Introduced in 1997, CBAC was a dramatic improvement over the TCP established and reflexive ACL firewall options:
– Monitors TCP connection setup
– Tracks TCP sequence numbers
– Inspects DNS queries and replies
– Inspects common ICMP message types
– Supports applications that rely on multiple connections
– Inspects embedded NAT/PAT addresses
– Inspects Application Layer information

Slide 5: Without CBAC, traffic filtering is limited to ACL implementations.
– ACLs can only examine Layer 3 and some Layer 4 packets.
CBAC provides four main functions:
– Traffic filtering
– Traffic inspection
– Intrusion detection
– Generation of audits and alerts

Slide 6: CBAC permits specified TCP and UDP return traffic through a firewall.
– It creates temporary openings in an ACL that would otherwise deny the traffic.
CBAC inspects traffic that originates from either side of the firewall.
– It can be used for intranet, extranet, and Internet perimeters.
CBAC examines Layer 3, Layer 4 and Layer 7 protocols.

Slide 7: By inspecting Layer 7 packets and maintaining TCP and UDP session information, CBAC can detect and prevent certain types of network attacks, such as SYN flooding. It inspects packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets. It drops half-open connections, which require firewall processing and memory resources to maintain.

Slide 8: CBAC provides a limited amount of intrusion detection to protect against specific SMTP attacks.
– With intrusion detection, syslog messages are reviewed and monitored for specific attack signatures.
CBAC resets the offending connections and sends syslog information.
– CBAC can identify certain types of network attacks because they have specific characteristics or signatures.

Slide 9: CBAC provides real-time alerts:
– It sends syslog error messages to central management consoles upon detecting suspicious activity.
CBAC provides enhanced audit trail features:
– It uses syslog to track all network transactions and records timestamps, source and destination hosts, ports used, and the total number of transmitted bytes for advanced session-based reporting.

Slide 10: CBAC relies on a stateful packet filter that is application-aware.
– The state table tracks the sessions and inspects all packets that pass through the stateful packet filter firewall.
– CBAC then uses the state table to build dynamic ACL entries that permit returning traffic through the perimeter router or firewall.

Slide 15: Configuring CBACs

Slide 16: Simple Topology: Configuring an External Interface

Slide 17: Simple Topology: Configuring an Internal Interface

Slide 19:
Rule 1: Start with a basic configuration.
Rule 2: Permit traffic the Cisco IOS Firewall is to inspect. For example, if the firewall is set to inspect Telnet, Telnet traffic should be permitted on all ACLs that apply to the initial Telnet flow.
Rule 3: Use extended ACLs to filter traffic from unprotected sources.
Rule 4: Set up antispoofing protection to prevent traffic from an unprotected network from assuming the identity of a device on the protected network.
Rule 5: Deny broadcast attacks (source address of ).
Rule 6: Deny any traffic not already included in the previous configuration. Although it is implicit, using it with the log keyword provides necessary log information about the denied packets.

Slide 20: Define the application protocols to inspect.
– The inspection rule will be applied to an interface.
– Available protocols include: tcp, udp, icmp, smtp, esmtp, cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, and so on.
– Alert, audit-trail, and timeout are configurable per protocol and override global settings.

Slide 21:
Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

Slide 22:
HTTP Inspection Syntax
– ip inspect name inspection-name http [java-list access-list] [urlfilter] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
SMTP and ESMTP Inspection Syntax
– ip inspect name inspection-name {smtp | esmtp} [alert {on | off}] [audit-trail {on | off}] [max-data number] [timeout seconds]
Remote Procedure Call (RPC) Inspection Syntax
– ip inspect name inspection-name [parameter max-sessions number] rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
POP3/IMAP Inspection Syntax
– ip inspect name inspection-name imap [alert {on | off}] [audit-trail {on | off}] [reset] [secure-login] [timeout number]
– ip inspect name inspection-name pop3 [alert {on | off}] [audit-trail {on | off}] [reset] [secure-login] [timeout number]

Slide 23:
Fragment Inspection Syntax
– ip inspect name inspection-name [parameter max-sessions number] fragment [max number timeout seconds]
Application Firewall Provisioning Syntax
– ip inspect name inspection-name [parameter max-sessions number] appfw policy-name
User-Defined Application Syntax
– ip inspect name inspection-name user-10 [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
Session Limiting Syntax
– no ip inspect name inspection-name [parameter max-sessions number]

Slide 24: Create an IP inspection rule named FWRULE that inspects extended SMTP and FTP with alert and audit trails enabled.
– FWRULE has an idle timeout of 300 seconds.
R1(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
R1(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300
Syntax: Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

Slide 25: Create an IP inspection rule named PERMIT_JAVA that allows all users permitted by standard ACL 10 to download Java applets.
R1(config)# access-list 10 permit
R1(config)# ip inspect name PERMIT_JAVA http java-list 10
Syntax: Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

Slide 26: Create an IP inspection rule named IN-2-OUT that inspects TCP with an idle timeout of 12 hours (43200 seconds).
– The idle timeout is usually 1 hour.
– Also inspect a list of protocols including UDP, FTP, TFTP, and HTTP.
R1(config)# ip inspect name IN-2-OUT tcp timeout 43200
R1(config)# ip inspect name IN-2-OUT udp
R1(config)# ip inspect name IN-2-OUT ftp
R1(config)# ip inspect name IN-2-OUT tftp
R1(config)# ip inspect name IN-2-OUT http
Syntax: Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

Slide 27: For the Cisco IOS Firewall to be effective, both inspection rules and ACLs should be strategically applied to all router interfaces. There are two guiding principles:
– Apply the rule on the interface where traffic initiates: apply an ACL on the inward direction that permits only wanted traffic, and apply the rule on the inward direction that inspects wanted traffic.
– On all other interfaces, apply an ACL on the inward direction that denies all unwanted traffic.

Slide 28: To remove CBAC from the router, use the no ip inspect global command.
– This command removes all CBAC commands, the state table, and all temporary ACL entries created by CBAC.
– It also resets all timeout and threshold values to their factory defaults.
– After CBAC is removed, all inspection processes are no longer available, and the router uses only the current ACL implementations for filtering.
Syntax for applying an inspection rule to an interface: Router(config-if)# ip inspect inspection-name {in | out}

Slide 29: Permit inside users to initiate TCP, UDP, and ICMP traffic with all external sources.
– Outside clients are allowed to communicate with the SMTP server ( ) and HTTP server ( ) that are located in the enterprise DMZ.
– Also permit certain ICMP messages to all interfaces.
– All other traffic from the external network is denied.

Slide 30: First create an ACL that processes traffic initiating from the internal network prior to leaving the network.
– Specifically, it allows TCP, UDP, and ICMP sessions and denies all other traffic.
Apply the ACL to the internal interface in the inbound direction.
R1(config)# access-list 101 permit tcp any
R1(config)# access-list 101 permit udp any
R1(config)# access-list 101 permit icmp any
R1(config)# access-list 101 deny ip any any
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 101 in

Slide 31: Next, create an extended ACL in which SMTP, HTTP, and ICMP traffic is permitted from the external network to the DMZ network only, and all other traffic is denied. Apply the ACL to the external interface in the inbound direction.
R1(config)# access-list 102 permit tcp any eq 80
R1(config)# access-list 102 permit tcp any eq smtp
R1(config)# access-list 102 permit icmp any any echo-reply
R1(config)# access-list 102 permit icmp any any unreachable
R1(config)# access-list 102 permit icmp any any administratively-prohibited
R1(config)# access-list 102 permit icmp any any packet-too-big
R1(config)# access-list 102 permit icmp any any echo
R1(config)# access-list 102 permit icmp any any time-exceeded
R1(config)# access-list 102 deny ip any any
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 102 in

Slide 32: Next, create inspection rules for TCP inspection and UDP inspection.
– Otherwise, all returning traffic, with the exception of ICMP messages, is denied because of the external ACL.
Apply the inspection rule in the inbound direction. The inspection list automatically creates temporary ACL statements in the inbound ACL applied to the external interface permitting TCP and UDP return traffic.
R1(config)# ip inspect name MYSITE tcp
R1(config)# ip inspect name MYSITE udp
R1(config)# interface Fa0/0
R1(config-if)# ip inspect MYSITE in

Slide 33: Resulting configuration.
access-list 101 permit tcp any
access-list 101 permit udp any
access-list 101 permit icmp any
access-list 101 deny ip any any
!
access-list 102 permit tcp any eq http
access-list 102 permit tcp any eq smtp
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any time-exceeded
access-list 102 deny ip any any
!
ip inspect name MYSITE tcp
ip inspect name MYSITE udp
!
interface FastEthernet0/0
 ip access-group 101 in
 ip inspect MYSITE in
!
interface Serial0/0/0
 ip access-group 102 in
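To make the MYSITE behaviour concrete, here is an added Python simulation (not Cisco code and not part of the original deck) of the state table and the temporary openings CBAC creates in ACL 102 for return traffic. The addresses, ports and the 3600-second idle timeout are assumptions made for the example, since the slide's real prefixes are not legible.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the slide's real prefixes are not legible.
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
DMZ_SMTP, DMZ_HTTP = "192.0.2.25", "192.0.2.80"
ACL102_ICMP = {"echo-reply", "unreachable", "administratively-prohibited",
               "packet-too-big", "echo", "time-exceeded"}

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    icmp_type: str = ""  # only used when proto == "icmp"

class CbacRouter:
    """ACL 101 + MYSITE inspection on Fa0/0 in, ACL 102 on S0/0/0 in."""
    def __init__(self, inspect_protos=("tcp", "udp"), idle_timeout=3600):
        self.inspect_protos = inspect_protos
        self.idle_timeout = idle_timeout   # default TCP idle timeout is 1 hour
        self.state = {}    # (proto, src, sport, dst, dport) -> expiry time
        self.audit = []    # audit-trail style records

    def _expire(self, now):
        """Remove idle sessions; their temporary openings vanish with them."""
        for key in [k for k, exp in self.state.items() if exp <= now]:
            del self.state[key]
            self.audit.append(("session removed", key))

    def inside_in(self, pkt, now=0.0):
        """Fa0/0 inbound: ACL 101, then 'ip inspect MYSITE in'."""
        self._expire(now)
        if pkt.proto not in ("tcp", "udp", "icmp") or \
                ipaddress.ip_address(pkt.src) not in INSIDE_NET:
            return "deny"   # access-list 101 deny ip any any
        if pkt.proto in self.inspect_protos:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.state:
                self.audit.append(("session created", key))
            self.state[key] = now + self.idle_timeout   # (re)start idle timer
        return "permit"

    def outside_in(self, pkt, now=0.0):
        """S0/0/0 inbound: CBAC's temporary entries are checked before ACL 102."""
        self._expire(now)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            self.state[reverse] = now + self.idle_timeout
            return "permit (temporary CBAC entry)"
        if pkt.proto == "tcp" and (pkt.dst, pkt.dport) in ((DMZ_HTTP, 80), (DMZ_SMTP, 25)):
            return "permit"   # static permits to the DMZ servers
        if pkt.proto == "icmp" and pkt.icmp_type in ACL102_ICMP:
            return "permit"
        return "deny"   # access-list 102 deny ip any any

def demo():
    """Walk one inside-initiated TCP session through the router."""
    r = CbacRouter()
    out = Packet("tcp", "10.1.1.5", 35009, "203.0.113.10", 443)
    back = Packet("tcp", "203.0.113.10", 443, "10.1.1.5", 35009)
    probe = Packet("udp", "203.0.113.10", 53, "10.1.1.5", 5002)
    results = [
        r.outside_in(back),            # no session yet: denied by ACL 102
        r.inside_in(out),              # ACL 101 permits; MYSITE records the session
        r.outside_in(back, now=10),    # return traffic matches the temporary entry
        r.outside_in(probe, now=10),   # unsolicited UDP is still denied
        r.outside_in(back, now=4000),  # idle timer (3600 s from now=10) expired
    ]
    return results, r.audit
```

The audit list returned by demo() mirrors what slide 36 calls the audit trail: one record when the session enters the state table and one when the idle timer removes it.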

Slide 34:
ip inspect name INSIDE tcp
ip inspect name OUTSIDE tcp
!
ip access-list extended OUTSIDEACL
 permit tcp any host eq 25
 permit tcp any host eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended DMZACL
 permit icmp any any packet-too-big
 deny ip any any log
!
interface FastEthernet0/0
 ip inspect OUTSIDE in
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect INSIDE in
 ip access-group INSIDEACL in
!
interface FastEthernet0/2
 ip access-group DMZACL in

Slide 35:
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any
 permit udp any any
 permit icmp any any
!
interface FastEthernet0/0
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect OUTBOUND in
 ip access-group INSIDEACL in
packet-too-big: Required to support maximum transmission unit (MTU) path discovery. Enables systems to autodiscover the biggest MTU size supported.
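As an added example (not part of the deck and not a Cisco tool), a small Python lint that reads a configuration written in the format of slides 33 to 35 and checks it against the guiding principles on slide 27 and the logged-deny rule on slide 19. The sample configuration and its three defects are constructed for the example.

```python
import re

# Constructed sample config in the deck's format. Deliberate defects:
# INSIDE is applied on Fa0/1 but never defined, INSIDEACL ends with an
# unlogged deny, and Fa0/2 has no inbound ACL at all.
SAMPLE_CONFIG = """\
ip inspect name OUTSIDE tcp
!
ip access-list extended OUTSIDEACL
 permit tcp any host 192.0.2.25 eq 25
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any
 deny ip any any
!
interface FastEthernet0/0
 ip inspect OUTSIDE in
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect INSIDE in
 ip access-group INSIDEACL in
!
interface FastEthernet0/2
 ip address 192.0.2.1 255.255.255.0
"""

def parse_config(text):
    """Return (inspection rule names, named ACL bodies, per-interface settings)."""
    rules, acls, ifaces = set(), {}, {}
    block = None   # ("acl", name) or ("if", name) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip inspect name (\S+) \S+", line):
            rules.add(m.group(1))
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            block = ("acl", m.group(1))
            acls[m.group(1)] = []
        elif m := re.match(r"interface (\S+)$", line):
            block = ("if", m.group(1))
            ifaces[m.group(1)] = {}
        elif line == "!" or not line:
            block = None
        elif block and block[0] == "acl":
            acls[block[1]].append(line)
        elif block and block[0] == "if":
            if m := re.match(r"ip access-group (\S+) in$", line):
                ifaces[block[1]]["acl_in"] = m.group(1)
            elif m := re.match(r"ip inspect (\S+) in$", line):
                ifaces[block[1]]["inspect_in"] = m.group(1)
    return rules, acls, ifaces

def lint(text):
    """Return sorted findings; an empty list means every check passed."""
    rules, acls, ifaces = parse_config(text)
    findings = []
    for name, body in acls.items():
        # Rule 6 on slide 19: make the implicit deny explicit and log it
        if not body or body[-1] != "deny ip any any log":
            findings.append(f"ACL {name}: missing final 'deny ip any any log'")
    for ifname, cfg in ifaces.items():
        # Slide 27: every interface carries an inbound ACL
        if "acl_in" not in cfg:
            findings.append(f"{ifname}: no inbound ACL applied")
        elif cfg["acl_in"] not in acls:
            findings.append(f"{ifname}: inbound ACL {cfg['acl_in']} is not defined")
        # An inspection rule applied without a definition never builds state
        if "inspect_in" in cfg and cfg["inspect_in"] not in rules:
            findings.append(f"{ifname}: inspection rule {cfg['inspect_in']} is not defined")
    return sorted(findings)
```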

Slide 36: CBAC inspection supports two types of logging functions:
– Alerts
– Audits
Alerts display messages concerning CBAC operation, such as insufficient router resources, DoS attacks, and other threats.
Auditing keeps track of the connections that CBAC inspects, including valid and invalid access attempts; for example, it displays messages when CBAC adds or removes an entry from the state table.
– The audit record gives some basic statistical information about the connection.

Slide 37: Turn on audit trail logging and real-time alerts globally.
Turn on logging to your syslog host using standard logging commands.
– Set the syslog server IP address.
Turn on Cisco IOS Firewall audit trail messages using the ip inspect audit-trail command in global configuration mode.
The Cisco IOS Firewall real-time alerts are off by default; therefore, enable real-time alerts using the no ip inspect alert-off command in global configuration mode.
R1(config)# logging on
R1(config)# logging host
R1(config)# ip inspect audit-trail
R1(config)# no ip inspect alert-off

Slide 38: Display inspections, interface configurations, sessions, and statistics.
Router# show ip inspect name inspection-name
Router# show ip inspect config
Router# show ip inspect interfaces
Router# show ip inspect session [detail]
Router# show ip inspect statistics
Router# show ip inspect all

Slide 39:
R1# show ip inspect session
Established Sessions
 Session C ( :35009)=>( :34233) tcp SIS_OPEN
 Session 6156F0CC ( :35011)=>( :34234) tcp SIS_OPEN
 Session 6156AF74 ( :35010)=>( :5002) tcp SIS_OPEN
Router# show ip inspect name INSPECT-OUTBOUND
Inspection name INSPECT-OUTBOUND
 cuseeme alert is on audit-trail is on timeout 3600
 ftp alert is on audit-trail is on timeout 3600
 http alert is on audit-trail is on timeout 3600
 rcmd alert is on audit-trail is on timeout 3600
 realaudio alert is on audit-trail is on timeout 3600
 smtp max-data alert is on audit-trail is on timeout 3600
 tftp alert is on audit-trail is on timeout 30
 udp alert is on audit-trail is on timeout 15
 tcp alert is on audit-trail is on timeout 3600

Slide 40: General commands:
Router# debug ip inspect function-trace
Router# debug ip inspect object-creation
Router# debug ip inspect object-deletion
Router# debug ip inspect events
Router# debug ip inspect timers
Router# debug ip inspect detail
Protocol-specific debug:
Router# debug ip inspect protocol

Slide 41:
Router# debug ip inspect timers
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack seq (22) ( :46409) => ( :21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PROCESS-SWITCH packet
*Mar 2 01:20:43: CBAC sis 25A3604 pak 2541C58 TCP P ack seq (22) ( :46409) => ( :21)
*Mar 2 01:20:43: CBAC sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak TCP P ack seq (30) ( :46409) <= ( :21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 25412F8 TCP P ack seq (15) ( :46409) => ( :21)
*Mar 2 01:20:43: CBAC* sis 25A3604 ftp L7 inspect result: PASS packet
*Mar 2 01:20:43: CBAC sis 25C1CC4 pak TCP S seq (0) ( :20) => ( :46411)
*Mar 2 01:20:43: CBAC* sis 25C1CC4 pak 2541E38 TCP S ack seq (0) ( :20) <= ( :46411)
Beginning with Cisco IOS Release 12.4(20)T, the debug policy-firewall command replaces the debug ip inspect command.