Published by Madlyn Houston; modified over 9 years ago
Slide 1 (title slide)
© 2005 Cisco Systems, Inc. All rights reserved.

Slide 2: Network Security 1 – Module 8 – Configure Filtering on a Router

Slide 3: Learning Objectives
8.1 Filtering Technologies
8.2 Cisco IOS Firewall Context-Based Access Control
8.3 Configure Cisco IOS Firewall Context-Based Access Control

Slide 4: Module 8 – Configure Filtering on a Router
8.1 Filtering Technologies

Slide 5: Packet Filtering

Slide 6: Stateful Packet Filtering

Slide 7: URL Filtering
Slide 8: Cisco IOS ACLs
ACLs provide traffic filtering by:
- Source and destination IP addresses
- Source and destination ports
ACLs can be used to implement a filtering firewall, with two limitations:
- Ports must be opened permanently to allow return traffic, which creates a security vulnerability.
- ACLs do not work with applications that negotiate ports dynamically.
Slide 9: Access Control List (ACL) Review

Slide 10: Identifying Access Lists
Cisco routers can identify access lists using two methods:
- Access list number (all IOS versions). The number of the access list determines which protocol it filters:
  (1-99) and (1300-1399): standard IP access lists.
  (100-199) and (2000-2699): extended IP access lists.
  (800-899): standard IPX access lists.
- Access list name (IOS versions > 11.2). You provide the name of the access list:
  Names contain alphanumeric characters.
  Names cannot contain spaces or punctuation and must begin with an alphabetic character.

Slide 11: Basic Types of IP Access Lists
Cisco routers support two basic types of IP access lists:
- Standard: filter IP packets based on the source address only.
- Extended: filter IP packets based on several attributes, including:
  Protocol type.
  Source and destination IP addresses.
  Source and destination TCP/UDP ports.
  ICMP and IGMP message types.
Slide 12: Standard Numbered Access List Format
Syntax:
  Router(config)# access-list access-list-number {deny | permit} source [source-wildcard]
Example:
  Austin2(config)# access-list 2 permit 36.48.0.3
  Austin2(config)# access-list 2 deny 36.48.0.0 0.0.255.255
  Austin2(config)# access-list 2 permit 36.0.0.0 0.255.255.255
  Austin2(config)# interface e0/1
  Austin2(config-if)# ip access-group 2 in

Slide 13: Standard Named Access List Format
Syntax:
  Router(config)# ip access-list standard access-list-name
  Router(config-std-nacl)# {deny | permit} source [source-wildcard]
Example:
  Austin2(config)# ip access-list standard protect
  Austin2(config-std-nacl)# deny 36.48.0.0 0.0.255.255
  Austin2(config-std-nacl)# permit 36.0.0.0 0.255.255.255
  Austin2(config-std-nacl)# exit

Slide 14: Extended Numbered Access List Format
Syntax:
  Router(config)# access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]
Example:
  Miami(config)# access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
  Miami(config)# access-list 103 permit tcp any host 128.88.1.2 eq smtp
  Miami(config)# interface e0/0
  Miami(config-if)# ip access-group 103 in
(Figure: router Miami with e0/0 facing the Internet; inside networks 128.88.1.0 and 128.88.3.0; SMTP host 128.88.1.2.)

Slide 15: Extended Named Access List Format
Syntax:
  Router(config)# ip access-list extended access-list-name
  Router(config-ext-nacl)# {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]
Example:
  Miami(config)# ip access-list extended mailblock
  Miami(config-ext-nacl)# permit tcp any 128.88.0.0 0.0.255.255 established
  Miami(config-ext-nacl)# permit tcp any host 128.88.1.2 eq smtp
  Miami(config-ext-nacl)# exit

Slide 16: Commenting IP Access-List Entries
Syntax:
  Router(config)# access-list access-list-number remark message
Example:
  Miami(config)# access-list 102 remark Allow traffic to file server
  Miami(config)# access-list 102 permit ip any host 128.88.1.6
Slide 17: Basic Rules for Developing Access Lists
Here are some basic rules you should follow when developing access lists:
- Rule #1: Write it out! Get a piece of paper and write out what you want this access list to accomplish. This is the time to think about potential problems.
- Rule #2: Set up a development system. It lets you copy and paste statements easily and build a library of access lists. Store the files as ASCII text files.
- Rule #3: Apply the access list to a router and test. If at all possible, run your access lists in a test environment before placing them into production.

Slide 18: Access List Directional Filtering
(Figure: router Austin1 with interfaces s0/0, e0/0 and e0/1 connected to the Internet; arrows labelled Inbound and Outbound.)
- Inbound: data flows toward the router interface.
- Outbound: data flows away from the router interface.

Slide 19: Applying Access Lists to Interfaces
Syntax:
  Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
Example:
  Tulsa(config)# interface e0/1
  Tulsa(config-if)# ip access-group 2 in
  Tulsa(config-if)# exit
  Tulsa(config)# interface e0/2
  Tulsa(config-if)# ip access-group mailblock out

Slide 20: Displaying Access Lists
Syntax:
  Router# show access-lists {access-list-number | access-list-name}
Example:
  Miami# show access-lists
  Extended IP access list 102
      permit ip any host 128.88.1.6
  Extended IP access list mailblock
      permit tcp any 128.88.0.0 0.0.255.255 established
  Miami#
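The ACL review above, carried through as one complete stateless filtering firewall. This is an added example, not a configuration from the course slides: the router name Miami, interface e0/0, the inside network 128.88.0.0/16 and the SMTP host 128.88.1.2 are taken from the slides, while the ACL name INTERNET-IN and the DNS-reply entry are my assumptions. It follows the three rules on slide 17 (every entry is commented, the list is applied inbound on the Internet-facing interface, and the final line makes the implicit deny visible for testing) and it also shows, in the UDP entry, the permanently open port that slide 8 warns about.

```cisco
! Added example, not the course's own configuration. Router name, interface,
! inside network 128.88.0.0/16 and SMTP host 128.88.1.2 come from the slides;
! the ACL name INTERNET-IN and the DNS-reply entry are assumptions.
Miami(config)# ip access-list extended INTERNET-IN
Miami(config-ext-nacl)# remark Return traffic for TCP sessions started from inside (ACK or RST set)
Miami(config-ext-nacl)# permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config-ext-nacl)# remark Inbound mail, but only to the SMTP host
Miami(config-ext-nacl)# permit tcp any host 128.88.1.2 eq smtp
Miami(config-ext-nacl)# remark DNS replies: UDP carries no flags, so this opening is permanent
Miami(config-ext-nacl)# permit udp any eq domain 128.88.0.0 0.0.255.255 gt 1023
Miami(config-ext-nacl)# remark Make the implicit deny visible in syslog while testing
Miami(config-ext-nacl)# deny ip any any log
Miami(config-ext-nacl)# exit
Miami(config)# interface e0/0
Miami(config-if)# ip access-group INTERNET-IN in
Miami(config-if)# end
! Step 3 of slide 17: verify, and watch the per-entry match counters grow
Miami# show access-lists INTERNET-IN
```

Two entries illustrate the limitation stated on slide 8. The `established` keyword only tests the ACK and RST bits of a TCP header; the router keeps no record of whether an inside host actually opened the session. The UDP entry has no flag to test at all, so every inside host's high ports are reachable from any source port 53 for as long as the ACL is in place. Both are the static openings that the CBAC section replaces with entries created per session and removed when the session ends.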
Slide 21: Module 8 – Configure Filtering on a Router
8.2 Cisco IOS Firewall Context-Based Access Control

Slide 22: Cisco IOS Firewall CBAC
(Figure: firewall router between the inside network and the Internet, with TCP and UDP sessions passing through it.)
- Packets are inspected by CBAC upon entering the firewall if they are not specifically denied by an ACL.
- CBAC permits or denies specified TCP and UDP traffic through a firewall.
- A state table is maintained with session information.
- ACLs are dynamically created or deleted.
- CBAC protects against DoS attacks.

Slide 23: How CBAC Works

Slide 24: CBAC Supported Protocols

Slide 25: Alerts and Audit Trails

Slide 26: Module 8 – Configure Filtering on a Router
8.3 Configure Cisco IOS Firewall Context-Based Access Control
Slide 27: CBAC Configuration
1. Pick an interface: internal or external.
2. Configure IP access lists at the interface.
3. Set audit trails and alerts.
4. Set global timeouts and thresholds.
5. Define PAM.
6. Define inspection rules.
7. Apply inspection rules and ACLs to interfaces.
8. Test and verify.

Slide 28: Enable Audit Trails and Alerts
Syntax:
  Router(config)# ip inspect audit-trail
    Enables the delivery of audit trail messages using syslog.
  Router(config)# no ip inspect alert-off
    Enables real-time alerts.
Example:
  Router(config)# logging on
  Router(config)# logging 10.0.0.3
  Router(config)# ip inspect audit-trail
  Router(config)# no ip inspect alert-off
Slide 29: Set Global Timeouts – TCP SYN and FIN Wait Times

Slide 30: Set Global Timeouts – TCP, UDP, and DNS Idle Times

Slide 31: Global Half-Opened Connection Limits

Slide 32: Global Half-Opened Connection Limits

Slide 33: Half-Open Connection Limits by Host

Slide 34: Port-to-Application Mapping Overview

Slide 35: User-Defined Port Mapping

Slide 36: Display PAM Configuration

Slide 37: Inspection Rules for Application Protocols

Slide 38: Inspection Rules for Java

Slide 39: Inspection Rules for RPC Applications

Slide 40: Inspection Rules for SMTP Applications

Slide 41: Inspection Rules for IP Packet Fragmentation

Slide 42: Define Inspection Rules for ICMP

Slide 43: Applying Inspection Rules and ACLs

Slide 44: General Rules for Applying Inspection Rules and ACLs
Interface where traffic initiates:
- Apply an ACL in the inward direction that permits only wanted traffic.
- Apply an inspection rule in the inward direction that inspects the wanted traffic.
All other interfaces:
- Apply an ACL in the inward direction that denies all unwanted traffic.
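The eight steps of slide 27 and the placement rules of slide 44, carried through as one complete two-interface CBAC firewall that also exercises the timeout, threshold, PAM and inspection-rule topics of slides 28 through 42. This is an added example, not the course's own configuration: the hostname Firewall, the interface roles (e0/1 inside, e0/0 toward the Internet), the inside network 10.0.0.0/24, the syslog host 10.0.0.3, the web server 10.0.0.20 listening on port 8080, the trusted Java site range 192.0.2.0/24 (a documentation prefix used as a placeholder), the rule name FWRULE and every timeout and threshold value are assumptions chosen for illustration; the command keywords are standard IOS CBAC commands.

```cisco
! Added example, not the course's own configuration. Hostname, interface roles,
! addresses, the rule name FWRULE and every timeout/threshold value below are
! assumptions chosen for illustration; the keywords are standard IOS CBAC.
!
! Step 1: e0/1 is the inside interface where sessions start; e0/0 faces the
!         Internet. All other steps follow in slide-27 order.
!
! Step 3: syslog destination, audit trail and real-time alerts (slide 28)
Firewall(config)# logging on
Firewall(config)# logging 10.0.0.3
Firewall(config)# ip inspect audit-trail
Firewall(config)# no ip inspect alert-off
!
! Step 4: global timeouts in seconds (slides 29-30), tightened from the defaults
Firewall(config)# ip inspect tcp synwait-time 20
Firewall(config)# ip inspect tcp finwait-time 5
Firewall(config)# ip inspect tcp idle-time 1800
Firewall(config)# ip inspect udp idle-time 20
Firewall(config)# ip inspect dns-timeout 3
! Step 4: half-open thresholds (slides 31-33). Above "high" CBAC starts deleting
! half-open sessions and stops once the count falls below "low" (low < high).
Firewall(config)# ip inspect max-incomplete high 400
Firewall(config)# ip inspect max-incomplete low 300
Firewall(config)# ip inspect one-minute high 400
Firewall(config)# ip inspect one-minute low 300
! Per-destination-host limit; block-time 0 deletes the oldest half-open
! session to that host instead of blocking new ones for a period
Firewall(config)# ip inspect tcp max-incomplete host 40 block-time 0
!
! Step 5: PAM (slides 34-36). Treat port 8080 as HTTP, but only for the
! server listed in standard ACL 10, so HTTP inspection applies to it
Firewall(config)# access-list 10 permit host 10.0.0.20
Firewall(config)# ip port-map http port 8080 list 10
!
! Step 6: one inspection rule set (slides 37-42): generic TCP and UDP plus
! the application-aware inspectors. ACL 51 lists the sites whose Java
! applets are allowed through; applets from every other site are blocked.
Firewall(config)# access-list 51 permit 192.0.2.0 0.0.0.255
Firewall(config)# ip inspect name FWRULE tcp
Firewall(config)# ip inspect name FWRULE udp
Firewall(config)# ip inspect name FWRULE smtp
Firewall(config)# ip inspect name FWRULE http java-list 51
Firewall(config)# ip inspect name FWRULE icmp
Firewall(config)# ip inspect name FWRULE fragment max 256 timeout 1
!
! Steps 2 and 7, initiating interface (slide 44, first rule): permit only
! what inside hosts may start, then inspect it so CBAC records the session
Firewall(config)# ip access-list extended INSIDE-IN
Firewall(config-ext-nacl)# permit ip 10.0.0.0 0.0.0.255 any
Firewall(config-ext-nacl)# deny ip any any log
Firewall(config-ext-nacl)# exit
Firewall(config)# interface e0/1
Firewall(config-if)# ip access-group INSIDE-IN in
Firewall(config-if)# ip inspect FWRULE in
Firewall(config-if)# exit
!
! Steps 2 and 7, all other interfaces (slide 44, second rule): deny
! everything statically; CBAC adds and removes the temporary entries that
! let each inspected session's return traffic in
Firewall(config)# ip access-list extended OUTSIDE-IN
Firewall(config-ext-nacl)# deny ip any any log
Firewall(config-ext-nacl)# exit
Firewall(config)# interface e0/0
Firewall(config-if)# ip access-group OUTSIDE-IN in
Firewall(config-if)# end
!
! Step 8: verify (slide 52 show commands)
Firewall# show ip inspect config
Firewall# show ip inspect interfaces
Firewall# show ip inspect sessions detail
Firewall# show ip port-map http
```

Compared with the stateless ACL on the Internet-facing interface earlier in this module, OUTSIDE-IN contains no permanent openings at all: an inbound UDP datagram or a TCP segment with the ACK bit set is only accepted while a matching session exists in the CBAC state table, and the entry disappears when the session closes or its idle timer expires. The `deny ip any any log` line at the end of each list is the testing aid from slide 17; once the configuration is verified, consider dropping the `log` keyword on a busy link so the router is not doing the logging work for every rejected packet.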
Slide 45: Example – Two-Interface Firewall

Slide 46: Outbound Traffic

Slide 47: Inbound Traffic

Slide 48: Example – Three-Interface Firewall

Slide 49: Outbound Traffic

Slide 50: Inbound Traffic

Slide 51: DMZ-Bound Traffic

Slide 52: show Commands

Slide 53: debug Commands

Slide 54: Remove CBAC Configuration
Syntax:
  Router(config)# no ip inspect
- Removes the entire CBAC configuration.
- Resets all global timeouts and thresholds to the defaults.
- Deletes all existing sessions.
- Removes all associated dynamic ACLs.

Slide 55: Firewall and ACL Main Window