© 2005 Cisco Systems, Inc. All rights reserved.

Slide 1-2: Network Security 1
Module 8 – Configure Filtering on a Router

Slide 3: Learning Objectives
- 8.1 Filtering Technologies
- 8.2 Cisco IOS Firewall Context-Based Access Control
- 8.3 Configure Cisco IOS Firewall Context-Based Access Control

Slide 4: Module 8 – Configure Filtering on a Router
8.1 Filtering Technologies
Slide 5: Packet Filtering

Slide 6: Stateful Packet Filtering

Slide 7: URL Filtering
Slide 8: Cisco IOS ACLs
- Provide traffic filtering by:
  - Source and destination IP addresses
  - Source and destination ports
- Can be used to implement a filtering firewall.
- Ports are opened permanently to allow traffic, creating a security vulnerability.
- Do not work with applications that negotiate ports dynamically.
Slide 9: Access Control List (ACL) Review

Slide 10: Identifying Access Lists
Cisco routers can identify access lists using two methods:
- Access list number (all IOS versions): the number of the access list determines what protocol it is filtering.
  - (1-99) and ( ): Standard IP access lists.
  - ( ) and ( ): Extended IP access lists.
  - ( ): Standard IPX access lists.
- Access list name (IOS versions > 11.2): you provide the name of the access list.
  - Names contain alphanumeric characters.
  - Names cannot contain spaces or punctuation and must begin with an alphabetic character.

Slide 11: Basic Types of IP Access Lists
Cisco routers support two basic types of IP access lists:
- Standard: filter IP packets based on the source address only.
- Extended: filter IP packets based on several attributes, including:
  - Protocol type
  - Source and destination IP addresses
  - Source and destination TCP/UDP ports
  - ICMP and IGMP message types
Slide 12: Standard Numbered Access List Format
Syntax:
Router(config)# access-list access-list-number {deny | permit} source [source-wildcard]
Example (address arguments missing from the extracted slide):
Austin2(config)# access-list 2 permit
Austin2(config)# access-list 2 deny
Austin2(config)# access-list 2 permit
Austin2(config)# interface e0/1
Austin2(config-if)# ip access-group 2 in

Slide 13: Standard Named Access List Format
Syntax:
Router(config)# ip access-list standard access-list-name
Router(config-std-nacl)# {deny | permit} source [source-wildcard]
Example (address arguments missing from the extracted slide):
Austin2(config)# ip access-list standard protect
Austin2(config-std-nacl)# deny
Austin2(config-std-nacl)# permit
Austin2(config)# exit
Slide 14: Extended Numbered Access List Format
Syntax:
Router(config)# access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]
Example (address arguments missing from the extracted slide):
Miami(config)# access-list 103 permit tcp any established
Miami(config)# access-list 103 permit tcp any host eq smtp
Miami(config)# interface e0/0
Miami(config-if)# ip access-group 103 in
[Figure: Internet, Miami router (interface e0/), SMTP host]

Slide 15: Extended Named Access List Format
Syntax:
Router(config)# ip access-list extended access-list-name
Router(config-ext-nacl)# {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]
Example (address arguments missing from the extracted slide):
Miami(config)# ip access-list extended mailblock
Miami(config-ext-nacl)# permit tcp any established
Miami(config-ext-nacl)# permit tcp any host eq smtp
Miami(config-ext-nacl)# exit

Slide 16: Commenting IP Access-List Entries
Syntax:
Router(config)# remark message
Example (address argument missing from the extracted slide):
Miami(config)# access-list 102 remark Allow traffic to file server
Miami(config)# access-list 102 permit ip any host
Slide 17: Basic Rules for Developing Access Lists
Here are some basic rules you should follow when developing access lists:
- Rule #1: Write it out! Get a piece of paper and write out what you want this access list to accomplish. This is the time to think about potential problems.
- Rule #2: Set up a development system.
  - Allows you to copy and paste statements easily.
  - Allows you to develop a library of access lists.
  - Store the files as ASCII text files.
- Rule #3: Apply the access list to a router and test. If at all possible, run your access lists in a test environment before placing them into production.
Slide 18: Access List Directional Filtering
[Figure: Austin1 router with interfaces s0/0, e0/0 and e0/1 connected to the Internet; arrows mark Inbound and Outbound]
- Inbound: data flows toward the router interface.
- Outbound: data flows away from the router interface.
Slide 19: Applying Access Lists to Interfaces
Syntax:
Router(config)# ip access-group {access-list-number | access-list-name} {in | out}
Example:
Tulsa(config)# interface e0/1
Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out

Slide 20: Displaying Access Lists
Syntax:
Router# show access-lists {access-list-number | access-list-name}
Example (address arguments missing from the extracted slide):
Miami# show access-lists
Extended IP access list 102
    permit ip any host
Extended IP access list mailblock
    permit tcp any established
Miami#
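As an added example that is not part of the Cisco course material, the following Python model shows how an IOS router evaluates an extended ACL such as the slide's access-list 103: wildcard-mask matching, the `host` shorthand, the `established` keyword (TCP segments with ACK or RST set) and the implicit deny at the end of every list. The network 10.1.1.0/24 and the mail host 10.1.1.25 are constructed placeholders for the addresses the slide omits.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0 255.255.255.255"   # IOS "any": every address bit is a wildcard bit

@dataclass
class Ace:
    """One access control entry, in the order it was entered on the router."""
    action: str                    # "permit" or "deny"
    proto: str = "ip"              # "ip" matches every IP protocol
    src: str = ANY                 # "address wildcard" exactly as typed in IOS
    dst: str = ANY
    dst_port: int = 0              # "eq <port>" on the destination; 0 = no port test
    established: bool = False      # TCP only: segment must carry ACK or RST

def host(addr: str) -> str:
    """IOS 'host A.B.C.D' is shorthand for 'A.B.C.D 0.0.0.0'."""
    return f"{addr} 0.0.0.0"

def wildcard_match(addr: str, spec: str) -> bool:
    """Wildcard mask semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))   # bits the router compares
    return (a & care) == (b & care)

def evaluate(acl: list, pkt: dict) -> str:
    """First matching ACE decides; a packet nothing matches hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], ace.src) and wildcard_match(pkt["dst"], ace.dst)):
            continue
        if ace.dst_port and pkt.get("dport") != ace.dst_port:
            continue
        if ace.established and not (pkt["proto"] == "tcp" and pkt.get("ack_or_rst", False)):
            continue
        return ace.action
    return "deny"   # implicit deny at the end of every IOS ACL

# Constructed stand-in for the slide's access-list 103 (its addresses are elided on the page):
#   permit tcp any 10.1.1.0 0.0.0.255 established
#   permit tcp any host 10.1.1.25 eq smtp
ACL_103 = [
    Ace("permit", "tcp", ANY, "10.1.1.0 0.0.0.255", established=True),
    Ace("permit", "tcp", ANY, host("10.1.1.25"), dst_port=25),
]
```

Applied inbound on the Internet-facing interface, this list lets replies to inside-initiated TCP sessions and new SMTP connections through, and nothing else; note that `established` only inspects flag bits, which is why the course moves on to stateful inspection.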
Slide 21: Module 8 – Configure Filtering on a Router
8.2 Cisco IOS Firewall Context-Based Access Control

Slide 22: Cisco IOS Firewall CBAC
[Figure: TCP and UDP sessions passing through the firewall toward the Internet]
- Packets are inspected upon entering the firewall by CBAC if they are not specifically denied by an ACL.
- CBAC permits or denies specified TCP and UDP traffic through a firewall.
- A state table is maintained with session information.
- ACLs are dynamically created or deleted.
- CBAC protects against DoS attacks.

Slide 23: How CBAC Works

Slide 24: CBAC Supported Protocols

Slide 25: Alerts and Audit Trails
Slide 26: Module 8 – Configure Filtering on a Router
8.3 Configure Cisco IOS Firewall Context-Based Access Control

Slide 27: CBAC Configuration
1. Pick an interface: internal or external.
2. Configure IP access lists at the interface.
3. Set audit trails and alerts.
4. Set global timeouts and thresholds.
5. Define PAM.
6. Define inspection rules.
7. Apply inspection rules and ACLs to interfaces.
8. Test and verify.
Slide 28: Enable Audit Trails and Alerts
Router(config)# ip inspect audit-trail
  Enables the delivery of audit trail messages using syslog.
Router(config)# no ip inspect alert-off
  Enables real-time alerts.
Example (syslog host argument missing from the extracted slide):
Router(config)# logging on
Router(config)# logging
Router(config)# ip inspect audit-trail
Router(config)# no ip inspect alert-off
Slide 29: Set Global Timeouts: TCP SYN and FIN Wait Times

Slide 30: Set Global Timeouts: TCP, UDP, and DNS Idle Times

Slide 31: Global Half-Opened Connection Limits

Slide 32: Global Half-Opened Connection Limits (continued)

Slide 33: Half-Open Connection Limits by Host

Slide 34: Port-to-Application Mapping Overview

Slide 35: User-Defined Port Mapping

Slide 36: Display PAM Configuration

Slide 37: Inspection Rules for Application Protocols

Slide 38: Inspection Rules for Java

Slide 39: Inspection Rules for RPC Applications

Slide 40: Inspection Rules for SMTP Applications

Slide 41: Inspection Rules for IP Packet Fragmentation

Slide 42: Define Inspection Rules for ICMP

Slide 43: Applying Inspection Rules and ACLs
Slide 44: General Rules for Applying Inspection Rules and ACLs
Interface where traffic initiates:
- Apply an ACL on the inward direction that permits only wanted traffic.
- Apply a rule on the inward direction that inspects wanted traffic.
All other interfaces:
- Apply an ACL on the inward direction that denies all unwanted traffic.
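As an added example (not from the course material), this Python model ties the rules above to the CBAC behaviour described in 8.2 for a two-interface firewall: sessions initiated on the inside interface are inspected and recorded in a state table, only the exact return flow is opened on the outside interface's deny-all ACL, a static permit (a constructed SMTP server) stays open regardless, and idle sessions are expired together with their dynamic entries. The 3600-second idle timeout is an assumed value (the IOS default for TCP idle time) and is not stated on the page.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    """5-tuple key for the state table (a constructed model, not IOS internals)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass
class CbacFirewall:
    """Two-interface firewall: inspect on the inside, deny-all inbound on the outside."""
    inspect_protocols: frozenset = frozenset({"tcp", "udp"})   # "ip inspect name ... tcp/udp"
    idle_timeout: int = 3600                        # seconds; assumed IOS default for TCP idle time
    sessions: dict = field(default_factory=dict)    # state table: Flow -> last time seen
    dynamic_acl: set = field(default_factory=set)   # temporary openings in the outside ACL
    static_permits: set = field(default_factory=set)  # (dst, dport, proto) the outside ACL permits

    def outbound(self, flow: Flow, now: int) -> str:
        """Traffic initiated on the inside: permitted, and inspected if its protocol is listed."""
        if flow.proto in self.inspect_protocols:
            self.sessions[flow] = now
            self.dynamic_acl.add(flow.reverse())    # open only the exact return flow
        return "permit"

    def inbound(self, flow: Flow, now: int) -> str:
        """Traffic arriving from the Internet: static ACL first, then CBAC's dynamic entries."""
        self.expire(now)
        if (flow.dst, flow.dport, flow.proto) in self.static_permits:
            return "permit"
        if flow in self.dynamic_acl:
            self.sessions[flow.reverse()] = now     # return traffic refreshes the idle timer
            return "permit"
        return "deny"                               # the outside ACL's deny-all catches the rest

    def expire(self, now: int) -> int:
        """Drop sessions idle longer than the timeout along with their dynamic ACL entries."""
        stale = [f for f, seen in self.sessions.items() if now - seen > self.idle_timeout]
        for f in stale:
            del self.sessions[f]
            self.dynamic_acl.discard(f.reverse())
        return len(stale)
```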
Slide 45: Example: Two-Interface Firewall

Slide 46: Outbound Traffic

Slide 47: Inbound Traffic

Slide 48: Example: Three-Interface Firewall

Slide 49: Outbound Traffic

Slide 50: Inbound Traffic

Slide 51: DMZ-Bound Traffic

Slide 52: show Commands

Slide 53: debug Commands

Slide 54: Remove CBAC Configuration
Router(config)# no ip inspect
- Removes the entire CBAC configuration.
- Resets all global timeouts and thresholds to the defaults.
- Deletes all existing sessions.
- Removes all associated dynamic ACLs.

Slide 55: Firewall and ACL Main Window