1 © 2005 Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved.


2 Network Security 1, Module 8 – Configure Filtering on a Router

3 Learning Objectives
8.1 Filtering Technologies
8.2 Cisco IOS Firewall Context-Based Access Control
8.3 Configure Cisco IOS Firewall Context-Based Access Control

4 Module 8 – Configure Filtering on a Router: 8.1 Filtering Technologies

5 Packet Filtering

6 Stateful Packet Filtering

7 URL Filtering

8 Cisco IOS ACLs
Provide traffic filtering by source and destination IP addresses and by source and destination ports.
Can be used to implement a filtering firewall.
Ports are opened permanently to allow return traffic, creating a security vulnerability: a static permit for replies is a hole that anyone who crafts matching packets can use, whether or not an inside host ever started a session.
Do not work with applications that negotiate ports dynamically (for example the FTP data channel), because the port to permit is not known when the ACL is written.

9 Access Control List (ACL) Review

10 Identifying Access Lists
Cisco routers can identify access lists using two methods:
Access list number (all IOS versions). The number of the access list determines which protocol it filters:
1-99 and 1300-1399: standard IP access lists.
100-199 and 2000-2699: extended IP access lists.
800-899: standard IPX access lists.
Access list name (IOS 11.2 and later). You provide the name of the access list:
Names contain alphanumeric characters.
Names cannot contain spaces or punctuation and must begin with an alphabetic character.

11 Basic Types of IP Access Lists
Cisco routers support two basic types of IP access lists:
Standard: filter IP packets based on the source address only.
Extended: filter IP packets based on several attributes, including protocol type, source and destination IP addresses, source and destination TCP/UDP ports, and ICMP and IGMP message types.

12 Standard Numbered Access List Format
Syntax: Router(config)# access-list access-list-number {deny | permit} source [source-wildcard]
Example:
Austin2(config)# access-list 2 permit 36.48.0.3
Austin2(config)# access-list 2 deny 36.48.0.0 0.0.255.255
Austin2(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Austin2(config)# interface e0/1
Austin2(config-if)# ip access-group 2 in
The wildcard mask marks the bits that are not compared, so 0.0.255.255 matches a whole /16 and an entry with no wildcard matches one host exactly. Lines are evaluated in order and the first match wins: here host 36.48.0.3 is permitted before the rest of 36.48.0.0/16 is denied. Any packet that matches no line is dropped by the implicit deny at the end of every ACL.

13 Standard Named Access List Format
Syntax:
Router(config)# ip access-list standard access-list-name
Router(config-std-nacl)# {deny | permit} source [source-wildcard]
Example:
Austin2(config)# ip access-list standard protect
Austin2(config-std-nacl)# deny 36.48.0.0 0.0.255.255
Austin2(config-std-nacl)# permit 36.0.0.0 0.255.255.255
Austin2(config-std-nacl)# exit

14 Extended Numbered Access List Format
Syntax: Router(config)# access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]
Example:
Miami(config)# access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config)# access-list 103 permit tcp any host 128.88.1.2 eq smtp
Miami(config)# interface e0/0
Miami(config-if)# ip access-group 103 in
The established keyword matches TCP segments with the ACK or RST bit set. This is how a stateless ACL lets replies to inside-initiated connections back in, but it cannot tell a genuine reply from any segment an attacker sends with ACK set, and it does nothing for UDP.
(Figure: Miami router with e0/0 facing the Internet; internal networks 128.88.1.0 and 128.88.3.0; SMTP host 128.88.1.2.)

15 Extended Named Access List Format
Syntax:
Router(config)# ip access-list extended access-list-name
Router(config-ext-nacl)# {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host} {source-port} {destination destination-wildcard | any | host} {destination-port} [established] [log | log-input]
Example:
Miami(config)# ip access-list extended mailblock
Miami(config-ext-nacl)# permit tcp any 128.88.0.0 0.0.255.255 established
Miami(config-ext-nacl)# permit tcp any host 128.88.1.2 eq smtp
Miami(config-ext-nacl)# exit

16 Commenting IP Access-List Entries
Syntax (numbered ACL): Router(config)# access-list access-list-number remark text
Syntax (named ACL): Router(config-ext-nacl)# remark text
Example:
Miami(config)# access-list 102 remark Allow traffic to file server
Miami(config)# access-list 102 permit ip any host 128.88.1.6

17 Basic Rules for Developing Access Lists
Here are some basic rules you should follow when developing access lists:
Rule #1: Write it out! Get a piece of paper and write out what you want this access list to accomplish. This is the time to think about potential problems.
Rule #2: Set up a development system. It allows you to copy and paste statements easily and to build a library of access lists. Store the files as ASCII text files.
Rule #3: Apply the access list to a router and test. If at all possible, run your access lists in a test environment before placing them into production.

18 Access List Directional Filtering
(Figure: Austin1 router with interfaces s0/0, e0/0 and e0/1, the Internet reached through s0/0, and arrows marking the inbound and outbound directions on an interface.)
Inbound: packets arriving at the router through the interface. An inbound ACL is checked before the routing decision.
Outbound: packets leaving the router through the interface. An outbound ACL is checked after routing, just before transmission.

19 Applying Access Lists to Interfaces
Syntax: Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
Example:
Tulsa(config)# interface e0/1
Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out
Only one IP access list can be applied per interface per direction; applying a second one replaces the first.

20 Displaying Access Lists
Syntax: Router# show access-lists [access-list-number | access-list-name]
Example:
Miami# show access-lists
Extended IP access list 102
    permit ip any host 128.88.1.6
Extended IP access list mailblock
    permit tcp any 128.88.0.0 0.0.255.255 established
Miami#

21 Module 8 – Configure Filtering on a Router: 8.2 Cisco IOS Firewall Context-Based Access Control

22 Cisco IOS Firewall CBAC
(Figure: TCP and UDP sessions from an inside network passing through the Cisco IOS Firewall to the Internet.)
Packets entering the firewall are inspected by CBAC if the interface ACL does not specifically deny them.
CBAC permits or denies specified TCP and UDP traffic (and, in later IOS releases, ICMP) through a firewall.
A state table is maintained with session information.
Temporary ACL entries are dynamically created for the return traffic of each session and deleted when the session ends or times out.
CBAC protects against denial-of-service attacks by tracking half-open connections and deleting them when configurable thresholds are exceeded.

23 How CBAC Works

24 CBAC Supported Protocols

25 Alerts and Audit Trails

26 Module 8 – Configure Filtering on a Router: 8.3 Configure Cisco IOS Firewall Context-Based Access Control

27 CBAC Configuration
1. Pick an interface, internal or external, on which inspection will be applied.
2. Configure IP access lists at the interface.
3. Set audit trails and alerts.
4. Set global timeouts and thresholds.
5. Define port-to-application mapping (PAM) for applications that run on non-standard ports.
6. Define inspection rules.
7. Apply inspection rules and ACLs to interfaces.
8. Test and verify.

28 Enable Audit Trails and Alerts
Router(config)# ip inspect audit-trail: enables the delivery of audit trail messages (a record of each session start and stop) using syslog.
Router(config)# no ip inspect alert-off: enables real-time alerts. Alerts are on by default; ip inspect alert-off disables them.
Example:
Router(config)# logging on
Router(config)# logging 10.0.0.3
Router(config)# ip inspect audit-trail
Router(config)# no ip inspect alert-off

29 Set Global Timeouts: TCP SYN and FIN Wait Times

30 Set Global Timeouts: TCP, UDP, and DNS Idle Times

31 Global Half-Open Connection Limits

32 Global Half-Open Connection Limits (continued)

33 Half-Open Connection Limits by Host

34 Port-to-Application Mapping Overview

35 User-Defined Port Mapping

36 Display PAM Configuration

37 Inspection Rules for Application Protocols

38 Inspection Rules for Java

39 Inspection Rules for RPC Applications

40 Inspection Rules for SMTP Applications

41 Inspection Rules for IP Packet Fragmentation

42 Define Inspection Rules for ICMP

43 Applying Inspection Rules and ACLs

44 General Rules for Applying Inspection Rules and ACLs
Interface where traffic initiates:
Apply an ACL in the inward direction that permits only wanted traffic.
Apply an inspection rule in the inward direction that inspects the wanted traffic.
All other interfaces:
Apply an ACL in the inward direction that denies all unwanted traffic. CBAC adds its temporary entries in front of this ACL for the return traffic of inspected sessions, so the static lines need only cover services that must be reachable without a prior session.

45 Example: Two-Interface Firewall

46 Outbound Traffic

47 Inbound Traffic
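The configuration steps of slides 27 to 44 carried through for the two-interface firewall of slides 45 to 47, as an added example that is not part of the original deck. The interface roles and addresses (Ethernet0/0 outside at 203.0.113.1/24, Ethernet0/1 inside at 198.51.100.0/24), the mail server 198.51.100.25, the syslog host 198.51.100.3, the "friendly" Java site list 192.0.2.0/24, and the names FWRULE, INSIDE-IN and OUTSIDE-IN are assumptions. Timeout and threshold values are the IOS defaults unless a comment says otherwise. Compare it with the stateless filter of slide 14: there a permanent permit ... established line admits any segment with ACK set, here the outside ACL permits only SMTP to one host and CBAC opens the return path per session.

```ios
! Two-interface CBAC firewall (added example; topology, names and addresses
! are assumptions, not from the original module).
! Ethernet0/0 = outside (203.0.113.1/24), Ethernet0/1 = inside (198.51.100.0/24)
!
! Step 3: audit trail and real-time alerts via syslog (host assumed)
logging on
logging 198.51.100.3
ip inspect audit-trail
no ip inspect alert-off
!
! Step 4a: global timeouts in seconds. IOS defaults, except udp idle-time
! lowered from 30 to 15 so dead UDP "sessions" release their openings sooner.
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 15
ip inspect dns-timeout 5
!
! Step 4b: half-open connection thresholds (SYN-flood protection). When the
! count of half-open sessions, or the rate of new ones per minute, exceeds
! 'high', CBAC deletes half-open sessions until it falls back to 'low'.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per destination host: at 50 half-open TCP sessions the oldest is deleted
! for each new SYN (block-time 0); block-time N would instead refuse all new
! SYNs to that host for N minutes.
ip inspect tcp max-incomplete host 50 block-time 0
!
! Step 5: PAM. Servers reached on TCP/8080 get the HTTP inspector rather
! than generic TCP inspection.
ip port-map http port 8080
!
! Step 6: inspection rule. Application inspectors first (FTP opens data
! channels CBAC must learn from the control channel; HTTP with a Java
! applet filter that allows applets only from ACL 51), then generic TCP/UDP
! for everything else, ICMP for ping and traceroute replies, and fragment
! inspection so non-initial fragments without a matching initial fragment
! are dropped.
access-list 51 permit 192.0.2.0 0.0.0.255
ip inspect name FWRULE ftp
ip inspect name FWRULE http java-list 51
ip inspect name FWRULE smtp
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE icmp
ip inspect name FWRULE fragment max 256 timeout 1
!
! Step 2: ACLs. Inside, inbound: only the inside network may initiate, which
! also stops a compromised inside host from spoofing other source addresses.
ip access-list extended INSIDE-IN
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
!
! Outside, inbound: anti-spoofing first, then the one static service, then
! the ICMP error that keeps path-MTU discovery working (an error message
! cannot open a session), then deny everything else. CBAC inserts its
! temporary permits ahead of these lines, so no 'established' line is needed.
ip access-list extended OUTSIDE-IN
 deny   ip 198.51.100.0 0.0.0.255 any log
 permit tcp any host 198.51.100.25 eq smtp
 permit icmp any any packet-too-big
 deny   ip any any log
!
! Step 7: apply. Inspect on the interface where sessions start, inbound.
interface Ethernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip inspect FWRULE in
!
interface Ethernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
```

The inspection rule sits on the inside interface because that is where sessions originate; CBAC then writes the temporary permits into OUTSIDE-IN, the inbound ACL on the interface where the replies arrive. The mail server's inbound SMTP sessions are still handled statelessly by the static permit; to make them stateful as well, define a second rule with the smtp inspector and apply it inbound on Ethernet0/0, as a three-interface design does for its DMZ services.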

48 Example: Three-Interface Firewall

49 Outbound Traffic

50 Inbound Traffic

51 DMZ-Bound Traffic
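The three-interface firewall of slides 48 to 51 as an added example, not taken from the original deck. Assumed layout: Ethernet0/0 inside (198.51.100.0/24), Ethernet0/1 outside (203.0.113.1/24), Ethernet0/2 DMZ (192.0.2.0/24) holding a mail relay at .25 and a web server at .80; the rule and ACL names are assumptions too. Logging, global timeouts and thresholds are configured exactly as in a two-interface design and are omitted here. What changes is that every interface where sessions can start gets its own ACL and inspection rule, and the DMZ ACL is written so that a compromised DMZ host cannot reach the inside network.

```ios
! Three-interface CBAC firewall with a DMZ (added example; topology, names
! and addresses are assumptions, not from the original module).
!
! One inspection rule per interface where sessions may originate.
! Inside users may start anything; FTP and ICMP get protocol-aware handling.
ip inspect name INSIDE ftp
ip inspect name INSIDE tcp
ip inspect name INSIDE udp
ip inspect name INSIDE icmp
! The outside world may start only the DMZ services, each inspected by its
! own engine (the SMTP inspector also rejects commands outside the legal
! SMTP command set on the way to the relay).
ip inspect name OUTSIDE smtp
ip inspect name OUTSIDE http
! The mail relay must deliver outbound mail and resolve names.
ip inspect name DMZ smtp
ip inspect name DMZ udp
!
ip access-list extended INSIDE-IN
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
!
! Outside, inbound: anti-spoofing for both internal ranges, then the
! published DMZ services, then deny. Return traffic for sessions started
! from inside or the DMZ enters via CBAC's temporary entries.
ip access-list extended OUTSIDE-IN
 deny   ip 198.51.100.0 0.0.0.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 permit tcp any host 192.0.2.25 eq smtp
 permit tcp any host 192.0.2.80 eq www
 permit icmp any any packet-too-big
 deny   ip any any log
!
! DMZ, inbound: nothing from the DMZ may initiate toward the inside network.
! Replies to inside-initiated sessions still pass, because CBAC places its
! temporary entries in front of this deny. Only the relay may start
! outbound SMTP and DNS.
ip access-list extended DMZ-IN
 deny   ip any 198.51.100.0 0.0.0.255 log
 permit tcp host 192.0.2.25 any eq smtp
 permit udp host 192.0.2.25 any eq domain
 deny   ip any any log
!
interface Ethernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip inspect INSIDE in
!
interface Ethernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect OUTSIDE in
!
interface Ethernet0/2
 ip address 192.0.2.1 255.255.255.0
 ip access-group DMZ-IN in
 ip inspect DMZ in
```

Trace each flow against the three ACLs: an outside client's SMTP session to 192.0.2.25 is permitted by OUTSIDE-IN and tracked by the OUTSIDE rule, so its replies get a temporary entry at the top of DMZ-IN; the relay's own outbound delivery is permitted by DMZ-IN and tracked by the DMZ rule, so its replies get an entry at the top of OUTSIDE-IN; an inside user browsing the DMZ web server is permitted by INSIDE-IN and tracked by the INSIDE rule, so the server's replies bypass the deny toward 198.51.100.0/24 in DMZ-IN. Nothing the web server starts on its own toward the inside gets through.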

52 show Commands

53 debug Commands
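The show and debug commands a practitioner would run after applying a CBAC configuration, as an added example that is not part of the original deck. The rule name FWRULE and the ACL name OUTSIDE-IN are assumptions; the commands themselves are standard Cisco IOS Firewall commands.

```ios
! Verifying a CBAC configuration (added example; FWRULE and OUTSIDE-IN are
! assumed names, the commands are standard IOS Firewall commands).
!
! Global settings as the router parsed them: timeouts, thresholds,
! audit-trail and alert state, and every inspection rule with its protocols.
show ip inspect config
!
! A single rule, useful to confirm that a typo did not create a second one.
show ip inspect name FWRULE
!
! Which inspection rule and which ACL is bound to which interface and direction.
show ip inspect interfaces
!
! The state table: one entry per tracked session with addresses, ports and
! state, plus the temporary ACL entries CBAC created for the return path.
show ip inspect sessions detail
!
! All of the above in one listing.
show ip inspect all
!
! Port-to-application mappings: system defaults plus user-defined entries.
show ip port-map
!
! Static ACL lines with match counters. A climbing counter on the final
! 'deny ip any any log' line shows unwanted traffic actually being dropped;
! the matching syslog lines carry the source addresses.
show access-lists OUTSIDE-IN
!
! Syslog is the normal day-to-day check: %FW-6-SESS_AUDIT_TRAIL lines
! record each session with byte counts once audit-trail is on, and
! %FW-4-ALERT_ON / %FW-4-ALERT_OFF mark the half-open thresholds being
! crossed and cleared.
!
! Debugging, for the lab or a short window on a production router (debug
! output is CPU-bound and floods the console under load):
! debug ip inspect events      session creation and deletion, ACL changes
! debug ip inspect tcp         TCP inspection decisions, packet by packet
! debug ip inspect timers      timeout expiry
! undebug all                  stop all debugging when done
```

Run show ip inspect sessions detail from an inside host's session in progress: the listing should show the session in an established state and a temporary permit for the exact reverse five-tuple, and nothing more. Any broader opening means an inspection rule or ACL is on the wrong interface or direction.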

54 Remove CBAC Configuration
Router(config)# no ip inspect
Removes the entire CBAC configuration, resets all global timeouts and thresholds to the defaults, deletes all existing sessions and removes all associated dynamic ACLs.

55 Firewall and ACL Main Window
