Module 8: Configure Filtering on a Router - Modified
Application names known to Port-to-Application Mapping and CBAC inspection (keyword, then the protocol it names):
  • cuseeme: CUSeeMe Protocol
  • dns: Domain Name Server
  • exec: Remote Process Execution
  • finger: Finger
  • ftp: File Transfer Protocol
  • gopher: Gopher
  • gtpv0: GPRS Tunneling Protocol Version 0
  • gtpv1: GPRS Tunneling Protocol Version 1
  • h323: H.323 Protocol (e.g. MS NetMeeting, Intel Video Phone)
  • http: Hypertext Transfer Protocol
  • https: Secure Hypertext Transfer Protocol
  • imap: Internet Message Access Protocol
  • kerberos: Kerberos
  • ldap: Lightweight Directory Access Protocol
  • login: Remote login
  • lotusnote: Lotus Note
  • mgcp: Media Gateway Control Protocol
  • ms-sql: Microsoft SQL
  • msrpc: Microsoft Remote Procedure Call
  • netshow: Microsoft NetShow
  • nfs: Network File System
  • nntp: Network News Transfer Protocol
  • pop2: Post Office Protocol - Version 2
  • pop3: Post Office Protocol - Version 3
  • realmedia: RealNetworks RealMedia Protocol
  • rtsp: Real Time Streaming Protocol
  • sap: SAP
  • shell: Remote command
  • sip: Session Initiation Protocol
  • skinny: Skinny Client Control Protocol
  • smtp: Simple Mail Transfer Protocol
  • snmp: Simple Network Management Protocol
  • sql-net: SQL-NET
  • streamworks: StreamWorks Protocol
  • sunrpc: SUN Remote Procedure Call
  • sybase-sql: Sybase SQL
  • tacacs: Login Host Protocol (TACACS)
  • telnet: Telnet
  • tftp: Trivial File Transfer Protocol
  • vdolive: VDOLive Protocol

Module 8: Configure Filtering on a Router - Modified Presentation Transcript

  • 1. © 2004, Cisco Systems, Inc. All rights reserved.
  • 2. Network Security 1 Module 8 – Configure Filtering on a Router
  • 3. Learning Objectives
      • 8.1 Filtering Technologies
      • 8.2 Cisco IOS Firewall Context-Based Access Control
      • 8.3 Configure Cisco IOS Firewall Context-Based Access Control
  • 4. Module 8 – Configure Filtering on a Router 8.1 Filtering Technologies
  • 5. Overview of Filtering Technologies
    • Packet Filtering
    • Proxy Server
    • Stateful Packet Filtering
  • 6. Packet Filtering
  • 7. Packet Filtering
    • Packet filtering uses ACLs to accept or deny packets based on header information (addresses, protocol, ports, TCP flags).
    • Packet-filtering firewalls do not keep track of the state of a connection; that is the job of a stateful firewall.
    • Packet filtering is the first-generation firewall technology.
  • 8. Problems with Packet Filtering
      • Arbitrary but undesirable packets can be crafted to fit the ACL criteria and therefore pass through the filter.
      • Packets can pass through the filter by being fragmented, because only the first fragment carries the transport header that port-based ACL entries match on.
      • Complex ACLs are difficult to implement and maintain correctly.
      • Some services cannot be filtered, for example those that negotiate ports dynamically.
  • 9. Problems with Proxy
      • They create single points of failure: if the proxy at the entrance to the network is compromised, then the entire network is compromised.
      • They make it difficult to add new services to the firewall, since each application protocol needs its own proxy.
      • They are CPU intensive and often degrade under load.
  • 10. Stateful Packet Filtering
      • This technology maintains the complete session state.
      • Each time a TCP or UDP session is established, inbound or outbound, an entry is recorded in a stateful session flow table. The entry holds the source and destination addresses, the port numbers, TCP sequence information (for TCP) and additional flags for each session.
      • The firewall therefore keeps a state table, a score sheet of who said what to whom.
      • Return traffic from outside is allowed in only when it matches a session that an internal host initiated.
  • 11. Stateful Packet Filtering
  • 12. URL Filtering
  • 13. Module 8 – Configure Filtering on a Router 8.2 Cisco IOS Firewall Context-Based Access Control
  • 14. Cisco IOS Firewall CBAC
      • Packets entering the firewall are inspected by CBAC unless an ACL specifically denies them first.
      • CBAC permits or denies specified TCP and UDP traffic through the firewall.
      • A state table is maintained with session information.
      • ACL entries for return traffic are created and deleted dynamically.
      • CBAC helps protect against DoS attacks (for example SYN floods) by tracking and limiting half-open sessions.
  • 15. Cisco IOS ACLs
      • Provide traffic filtering by
        • Source and destination IP addresses.
        • Source and destination ports.
      • Can be used to implement a filtering firewall, with two drawbacks:
        • Return traffic needs ports that are opened permanently, which exposes inside hosts to unsolicited traffic on those ports.
        • Static ACLs do not work with applications that negotiate ports dynamically (for example FTP data channels).
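The following Python model, added here as an illustration and not part of the original slides, contrasts the two approaches just described. The inside network 10.0.0.0/24, the hosts, ports and packets are all constructed for the example. A stateless filter has to leave permanent holes on the outside interface (the `established` keyword, which only checks the ACK/RST bits of the segment in hand, and a `permit udp any eq 53 ... gt 1023` line so DNS replies get back); the CBAC model instead records each inside-initiated session and opens only the exact reply flow, and closes it when the session ends.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

INSIDE_NET = "10.0.0."   # constructed: the inside network is 10.0.0.0/24

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"   # "tcp" or "udp"
    flags: str = ""      # TCP flag letters, e.g. "S", "SA", "A", "F", "R"

# A flow is identified by its 5-tuple; the reply flow is the same tuple reversed.
FlowKey = Tuple[str, int, str, int, str]

def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.sport, p.dst, p.dport, p.proto)

def reply_key(p: Packet) -> FlowKey:
    return (p.dst, p.dport, p.src, p.sport, p.proto)

def stateless_outside_in(p: Packet) -> bool:
    """The static ACL a packet filter has to put on the outside interface so that
    replies to inside-initiated traffic can come back:
        permit tcp any 10.0.0.0 0.0.0.255 established
        permit udp any eq 53 10.0.0.0 0.0.0.255 gt 1023
        deny ip any any
    'established' looks only at the ACK/RST bits of the segment in hand, and the
    UDP line is a permanently open hole, so both match unsolicited packets too."""
    to_inside = p.dst.startswith(INSIDE_NET)
    if p.proto == "tcp" and to_inside and ("A" in p.flags or "R" in p.flags):
        return True
    if p.proto == "udp" and to_inside and p.sport == 53 and p.dport > 1023:
        return True
    return False

class CbacModel:
    """Models CBAC with an inspection rule applied inward on the inside interface
    and an outside-interface ACL of 'deny ip any any'. Inspected inside-initiated
    sessions go into a state table and create a temporary opening for exactly
    their reply flow; the opening disappears when the session closes."""
    def __init__(self) -> None:
        self.sessions: Dict[FlowKey, Packet] = {}
        self.openings: Set[FlowKey] = set()

    def inside_out(self, p: Packet) -> bool:
        """Inside ACL permits only the inside network; CBAC records the session."""
        if not p.src.startswith(INSIDE_NET):
            return False
        self.sessions[flow_key(p)] = p
        self.openings.add(reply_key(p))
        return True

    def outside_in(self, p: Packet) -> bool:
        """Static ACL denies everything; only a dynamic opening lets a packet in."""
        return flow_key(p) in self.openings

    def close(self, p: Packet) -> None:
        """Session torn down (FIN exchange, RST or idle timeout): remove its state."""
        self.sessions.pop(flow_key(p), None)
        self.openings.discard(reply_key(p))

def compare(stateless_ok: bool, cbac_ok: bool) -> str:
    return f"stateless={'permit' if stateless_ok else 'deny'} cbac={'permit' if cbac_ok else 'deny'}"

def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Constructed traffic: one inside HTTP session, one DNS lookup, then
    unsolicited packets that fit the static ACL but belong to no session."""
    fw = CbacModel()
    results: Dict[str, Tuple[bool, bool]] = {}
    syn = Packet("10.0.0.5", 35009, "172.30.0.50", 80, "tcp", "S")
    fw.inside_out(syn)
    synack = Packet("172.30.0.50", 80, "10.0.0.5", 35009, "tcp", "SA")
    results["http reply"] = (stateless_outside_in(synack), fw.outside_in(synack))
    # Forged ACK to a file-sharing port on a different inside host: no session exists.
    forged = Packet("172.30.0.50", 80, "10.0.0.7", 139, "tcp", "A")
    results["forged ack"] = (stateless_outside_in(forged), fw.outside_in(forged))
    query = Packet("10.0.0.5", 40001, "192.0.2.53", 53, "udp")
    fw.inside_out(query)
    answer = Packet("192.0.2.53", 53, "10.0.0.5", 40001, "udp")
    results["dns reply"] = (stateless_outside_in(answer), fw.outside_in(answer))
    # Anyone sourcing from port 53 fits the permanent UDP hole.
    rogue = Packet("198.51.100.9", 53, "10.0.0.5", 2049, "udp")
    results["rogue udp/53"] = (stateless_outside_in(rogue), fw.outside_in(rogue))
    fw.close(syn)
    results["http reply after close"] = (stateless_outside_in(synack), fw.outside_in(synack))
    return results

if __name__ == "__main__":
    for name, (s, c) in run_scenario().items():
        print(f"{name:24} {compare(s, c)}")
```

The legitimate replies pass both filters; the forged ACK and the rogue UDP packet pass the static ACL but not CBAC, and once the HTTP session is closed even a genuine-looking SYN/ACK for it is refused by CBAC while the `established` line keeps accepting it.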
  • 16. IOS and CBAC – Working Together
  • 17. How CBAC Works
  • 18. How CBAC Works (Cont)
  • 19. CBAC Supported Protocols
      • TCP (single channel)
      • UDP (single channel)
      • RPC
      • FTP
      • TFTP
      • UNIX R-commands (such as rlogin, rexec, and rsh)
      • SMTP
      • HTTP (Java blocking)
      • Java
      • SQL*Net
      • RTSP (such as RealNetworks)
      • H.323 (such as NetMeeting, ProShare, CUSeeMe)
      • Other multimedia
        • Microsoft NetShow
        • StreamWorks
        • VDOLive
  • 20. Alerts and Audit Trails
      • CBAC generates real-time alerts and audit trails.
      • Audit trail features use Syslog to track all network transactions.
      • With CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.
  • 21. Access Control List (ACL) Review
  • 22. Identifying Access Lists
    Cisco routers can identify access lists using two methods:
    • Access list number (all IOS versions). The number of the access list determines what protocol it filters:
      • (1-99) and (1300-1999): Standard IP access lists.
      • (100-199) and (2000-2699): Extended IP access lists.
      • (800-899): Standard IPX access lists.
    • Access list name (IOS 11.2 and later). You provide the name of the access list:
      • Names contain alphanumeric characters.
      • Names cannot contain spaces or punctuation and must begin with an alphabetic character.
  • 23. Basic Types of IP Access Lists
    Cisco routers support two basic types of IP access lists:
    • Standard: filter IP packets based on the source address only.
    • Extended: filter IP packets based on several attributes, including:
      • Protocol type.
      • Source and destination IP addresses.
      • Source and destination TCP/UDP ports.
      • ICMP and IGMP message types.
  • 24. Standard Numbered Access List Format
    Router(config)# access-list access-list-number {deny | permit} source [source-wildcard]
    Example (entries are evaluated top to bottom, the first match wins, and anything not matched is dropped by the implicit deny at the end):
    Austin2(config)# access-list 2 permit 36.48.0.3
    Austin2(config)# access-list 2 deny 36.48.0.0 0.0.255.255
    Austin2(config)# access-list 2 permit 36.0.0.0 0.255.255.255
    Austin2(config)# interface e0/1
    Austin2(config-if)# ip access-group 2 in
  • 25. Standard Named Access List Format
    Router(config)# ip access-list standard access-list-name
    Router(config-std-nacl)# {deny | permit} source [source-wildcard]
    Example:
    Austin2(config)# ip access-list standard protect
    Austin2(config-std-nacl)# deny 36.48.0.0 0.0.255.255
    Austin2(config-std-nacl)# permit 36.0.0.0 0.255.255.255
    Austin2(config-std-nacl)# exit
  • 26. Extended Numbered Access List Format
    Router(config)# access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host source} [operator port] {destination destination-wildcard | any | host destination} [operator port] [established] [log | log-input]
    Example (Miami's e0/0 faces the Internet; 128.88.1.2 is the SMTP host on the inside 128.88.0.0/16 network):
    Miami(config)# access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established
    Miami(config)# access-list 103 permit tcp any host 128.88.1.2 eq smtp
    Miami(config)# interface e0/0
    Miami(config-if)# ip access-group 103 in
    The established keyword matches any TCP segment with the ACK or RST bit set; it keeps no record of sessions, so an outside host that sets those bits gets through to any inside address.
  • 27. Extended Named Access List Format
    Router(config)# ip access-list extended access-list-name
    Router(config-ext-nacl)# {deny | permit} {protocol-number | protocol-keyword} {source source-wildcard | any | host source} [operator port] {destination destination-wildcard | any | host destination} [operator port] [established] [log | log-input]
    Example:
    Miami(config)# ip access-list extended mailblock
    Miami(config-ext-nacl)# permit tcp any 128.88.0.0 0.0.255.255 established
    Miami(config-ext-nacl)# permit tcp any host 128.88.1.2 eq smtp
    Miami(config-ext-nacl)# exit
  • 28. Commenting IP Access-List Entries
    Router(config)# access-list access-list-number remark message
    Example:
    Miami(config)# access-list 102 remark Allow traffic to file server
    Miami(config)# access-list 102 permit ip any host 128.88.1.6
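A small evaluator, added here as an illustration rather than taken from the slides, that applies a standard ACL the way IOS does (top-down, first match wins, implicit deny at the end) using wildcard-mask matching. The sample list reproduces the slide's access-list 2; the other addresses and the discontiguous wildcard 0.255.0.255 are constructed for the example. It also converts a wildcard back to a prefix length, flagging discontiguous masks, which is a useful check when auditing lists written by hand.

```python
import ipaddress
from typing import List, Optional, Tuple

# One standard ACL entry: (action, address, wildcard), kept in configured order.
AclEntry = Tuple[str, str, str]

# Constructed sample mirroring the slide's "access-list 2".
ACL_2: List[AclEntry] = [
    ("permit", "36.48.0.3", "0.0.0.0"),        # single host; the CLI lets you omit the wildcard
    ("deny",   "36.48.0.0", "0.0.255.255"),    # the rest of 36.48.0.0/16
    ("permit", "36.0.0.0",  "0.255.255.255"),  # everything else in 36.0.0.0/8
]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A Cisco wildcard mask is the inverse of a subnet mask: a 0 bit in the
    wildcard must match exactly, a 1 bit is ignored. Only the 'care' bits are
    compared, which is why a discontiguous wildcard such as 0.255.0.255 is
    legal and matches a pattern no CIDR prefix can express."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate_standard_acl(acl: List[AclEntry], src: str) -> Tuple[str, Optional[int]]:
    """Evaluate a standard ACL the way IOS does: top to bottom, the first entry
    whose address/wildcard matches the source decides the action. Returns the
    action and the index of the entry that matched. If nothing matches, the
    implicit 'deny any' at the end applies, signalled here by index None."""
    for index, (action, network, wildcard) in enumerate(acl):
        if wildcard_match(src, network, wildcard):
            return action, index
    return "deny", None

def wildcard_to_prefixlen(wildcard: str) -> Optional[int]:
    """Return the CIDR prefix length a contiguous wildcard corresponds to
    (0.0.255.255 -> 16). Returns None for a discontiguous wildcard, which is
    worth flagging in an audit because it rarely means what the author thought."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    bits = f"{care:032b}"
    if "01" in bits:          # a 0 followed later by a 1: not of the form 1...10...0
        return None
    return bits.count("1")

def describe(acl: List[AclEntry]) -> List[str]:
    """Render each entry in CIDR form for review, flagging discontiguous wildcards
    and making the implicit deny visible."""
    lines = []
    for action, network, wildcard in acl:
        plen = wildcard_to_prefixlen(wildcard)
        target = f"{network}/{plen}" if plen is not None else f"{network} wildcard {wildcard} (discontiguous)"
        lines.append(f"{action:6} {target}")
    lines.append("deny   any (implicit)")
    return lines

if __name__ == "__main__":
    for line in describe(ACL_2):
        print(line)
    for src in ("36.48.0.3", "36.48.7.9", "36.1.2.3", "192.0.2.1"):
        print(src, "->", evaluate_standard_acl(ACL_2, src))
```

Swapping the first two entries of ACL_2 makes 36.48.0.3 hit the deny line first, which is the ordering mistake Rule #1 on the next slide (write it out first) is meant to catch.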
  • 29. Basic Rules for Developing Access Lists
    Here are some basic rules you should follow when developing access lists:
    • Rule #1: Write it out!
      • Get a piece of paper and write out what you want this access list to accomplish.
      • This is the time to think about potential problems.
    • Rule #2: Set up a development system.
      • Allows you to copy and paste statements easily.
      • Allows you to develop a library of access lists.
      • Store the files as ASCII text files.
    • Rule #3: Apply the access list to a router and test.
      • If at all possible, run your access lists in a test environment before placing them into production.
  • 30. Access List Directional Filtering
    (Figure: router Austin1 with interfaces s0/0, e0/0 and e0/1, connected to the Internet; arrows mark the inbound and outbound directions at an interface.)
    Direction is relative to the interface the list is applied to:
    • Inbound: packets arriving at the router through that interface; an inbound list is checked before the packet is routed.
    • Outbound: packets leaving the router through that interface; an outbound list is checked after the routing decision.
  • 31. Applying Access Lists to Interfaces
    Router(config)# ip access-group {access-list-number | access-list-name} {in | out}
    Example:
    Tulsa(config)# interface e0/1
    Tulsa(config-if)# ip access-group 2 in
    Tulsa(config-if)# exit
    Tulsa(config)# interface e0/2
    Tulsa(config-if)# ip access-group mailblock out
  • 32. Displaying Access Lists
    Router# show access-lists [access-list-number | access-list-name]
    Example:
    Miami# show access-lists
    Extended IP access list 102
        permit ip any host 128.88.1.6
    Extended IP access list mailblock
        permit tcp any 128.88.0.0 0.0.255.255 established
    Miami#
  • 33. Module 8 – Configure Filtering on a Router 8.3 Configure Cisco IOS Firewall Context-Based Access Control
  • 34. CBAC Configuration Tasks
      • 1. Set audit trails and alerts.
      • 2. Set global timeouts and thresholds.
      • 3. Define Port-to-Application Mapping (PAM).
      • 4. Define inspection rules.
      • 5. Apply inspection rules and ACLs to interfaces.
      • 6. Test and verify.
  • 35. Configure CBAC (Task 1 and 2)
  • 36. Enable Audit Trails and Alerts
    Router(config)# logging on
    Router(config)# logging 10.0.0.3
    Router(config)# ip inspect audit-trail
    Router(config)# no ip inspect alert-off
      • logging on and logging 10.0.0.3: turn logging on and send it to the syslog host 10.0.0.3.
      • ip inspect audit-trail: enables the delivery of audit-trail messages using syslog.
      • no ip inspect alert-off: enables real-time alert messages (this is the default; ip inspect alert-off disables them).
  • 37. Types of Timeouts and Thresholds
    • CBAC uses timeouts and thresholds to determine how long to manage state information for a session, and to determine when to drop sessions that do not become fully established.
    • Types of timeouts and thresholds:
      • TCP SYN and FIN wait times
      • TCP, UDP, and DNS idle times
      • Global half-open connection limits
      • Half-open connection limits by host
  • 38. TCP SYN and FIN Wait Times
    Router(config)# ip inspect tcp synwait-time seconds
      • Specifies how long the Cisco IOS Firewall waits for a TCP session to reach the established state before dropping the session (default 30 seconds).
    Router(config)# ip inspect tcp finwait-time seconds
      • Specifies how long the Cisco IOS Firewall keeps managing a session after a FIN exchange is seen before closing it (default 5 seconds).
  • 39. TCP, UDP, and DNS Idle Times
    Router(config)# ip inspect tcp idle-time seconds
    Router(config)# ip inspect udp idle-time seconds
      • Specify how long a TCP or UDP session may stay idle before it is dropped (defaults: TCP 1 hour, UDP 30 seconds).
    Router(config)# ip inspect dns-timeout seconds
      • Specifies how long a DNS name-lookup session may stay idle (default 5 seconds); it overrides the UDP idle time for DNS.
  • 40. Global Half-Open Connection Limits (number of sessions)
    Router(config)# ip inspect max-incomplete high number
      • Defines the number of existing half-open sessions above which the software starts deleting half-open sessions to make room for new requests (aggressive mode).
    Router(config)# ip inspect max-incomplete low number
      • Defines the number of existing half-open sessions below which the software stops deleting half-open sessions.
  • 41. Global Half-Open Connection Limits (rate per minute)
    Router(config)# ip inspect one-minute high number
      • Defines the rate of new half-open sessions per minute above which the software starts deleting half-open sessions.
    Router(config)# ip inspect one-minute low number
      • Defines the rate of new half-open sessions per minute below which the software stops deleting them.
  • 42. Half-Open Connection Limits by Host
    Router(config)# ip inspect tcp max-incomplete host number block-time minutes
      • Defines the number of half-open TCP sessions with the same destination host address that can exist at one time before the Cisco IOS Firewall starts deleting half-open sessions to that host. Note that block-time is given in minutes, not seconds.
      • Once the limit for a given host is exceeded, the software deletes half-open sessions to that host as follows:
        • If block-time is 0, the oldest half-open session to the host is deleted for each new connection request, so that the new request can be accepted.
        • If block-time is greater than 0, all half-open sessions to the host are deleted, and new connection requests to the host are refused for the specified number of minutes.
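The model below, added here as an illustration and not Cisco's implementation, puts slides 40 to 42 together: the global max-incomplete and one-minute thresholds with their high/low hysteresis, and the per-host limit with both block-time behaviours. The class names, the session ids, the destination addresses and the timings are constructed for the example; the constructor defaults are the IOS defaults quoted in the command reference (500/400 for both global pairs, 50 for the per-host limit, block-time 0).

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

@dataclass
class HalfOpen:
    sid: int        # session id
    dst: str        # destination host address
    created: float  # seconds

class HalfOpenGuard:
    """Models CBAC's half-open session accounting. Defaults are the IOS defaults:
    max-incomplete high/low 500/400, one-minute high/low 500/400,
    tcp max-incomplete host 50 block-time 0."""
    def __init__(self, max_high: int = 500, max_low: int = 400,
                 minute_high: int = 500, minute_low: int = 400,
                 host_max: int = 50, block_time_minutes: int = 0) -> None:
        self.max_high, self.max_low = max_high, max_low
        self.minute_high, self.minute_low = minute_high, minute_low
        self.host_max, self.block_time = host_max, block_time_minutes
        self.half_open: Deque[HalfOpen] = deque()       # oldest first
        self.per_host: Dict[str, int] = defaultdict(int)
        self.attempts: Deque[float] = deque()           # new-session timestamps in the last 60 s
        self.aggressive = False
        self.blocked_until: Dict[str, float] = {}
        self.deleted: List[int] = []                    # sids the firewall dropped

    def _delete_oldest(self, dst: Optional[str] = None) -> Optional[HalfOpen]:
        for i, s in enumerate(self.half_open):
            if dst is None or s.dst == dst:
                del self.half_open[i]
                self.per_host[s.dst] -= 1
                self.deleted.append(s.sid)
                return s
        return None

    def _recent_attempts(self, now: float) -> int:
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def new_syn(self, sid: int, dst: str, now: float) -> str:
        """A SYN arrives for a session CBAC will track. Returns what happened to it."""
        until = self.blocked_until.get(dst)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[dst]
        self.attempts.append(now)
        rate = self._recent_attempts(now)
        total = len(self.half_open)
        # Global thresholds with hysteresis: enter aggressive mode above 'high',
        # leave it only once both measures are back below 'low'.
        if total > self.max_high or rate > self.minute_high:
            self.aggressive = True
        elif total < self.max_low and rate < self.minute_low:
            self.aggressive = False
        action = "accept"
        if self.aggressive and self._delete_oldest() is not None:
            action = "accept, deleted oldest half-open session"
        # Per-destination-host limit.
        if self.per_host[dst] >= self.host_max:
            if self.block_time == 0:
                self._delete_oldest(dst)
                action = "accept, deleted oldest half-open session to host"
            else:
                while self._delete_oldest(dst) is not None:
                    pass
                self.blocked_until[dst] = now + 60 * self.block_time
                return "blocked"
        self.half_open.append(HalfOpen(sid, dst, now))
        self.per_host[dst] += 1
        return action

    def established(self, sid: int) -> None:
        """Handshake completed (or the session otherwise left the half-open state)."""
        for i, s in enumerate(self.half_open):
            if s.sid == sid:
                del self.half_open[i]
                self.per_host[s.dst] -= 1
                return

def syn_flood_demo() -> List[str]:
    """Constructed flood against one server with host_max=3 and block-time 2 minutes."""
    g = HalfOpenGuard(host_max=3, block_time_minutes=2)
    out = [g.new_syn(i, "10.0.0.3", float(i)) for i in range(1, 5)]
    out.append(g.new_syn(5, "10.0.0.3", 60.0))   # still inside the block window
    out.append(g.new_syn(6, "10.0.0.3", 200.0))  # block has expired
    return out

if __name__ == "__main__":
    for line in syn_flood_demo():
        print(line)
```

With block-time 0 the fourth SYN would instead evict the oldest half-open session to 10.0.0.3 and be accepted; with block-time 2 it flushes all three and every new SYN to that host is refused for two minutes, which is the trade-off to weigh before enabling blocking on a busy server.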
  • 43. Port-to-Application Mapping (Task 3)
  • 44. Port-to-Application Mapping Overview
      • Ability to configure any port number for an application protocol.
      • CBAC uses PAM to determine the application configured for a port.
  • 45. User-Defined Port Mapping
    Router(config)# ip port-map appl_name port port_num
      • Maps a port number to an application globally.
    Router(config)# access-list acl_num permit ip_addr
    Router(config)# ip port-map appl_name port port_num list acl_num
      • Maps a port number to an application for a given host; the list keyword names a standard ACL (1-99) that selects the host.
    Router(config)# access-list acl_num permit ip_addr wildcard_mask
    Router(config)# ip port-map appl_name port port_num list acl_num
      • Maps a port number to an application for a given network. Host- and network-specific entries take precedence over the system-defined defaults for the addresses their ACL matches.
  • 46. Display PAM Configuration
    Router# show ip port-map
      • Shows all port-mapping information.
    Router# show ip port-map appl_name
      • Shows port-mapping information for a given application.
    Router# show ip port-map port port_num
      • Shows port-mapping information for a given port.
    Example:
    Router# sh ip port-map ftp
    Default mapping:  ftp  port 21    system defined
    Host specific:    ftp  port 1000  in list 10  user
  • 47. Define Inspection Rules (Task 4)
  • 48. Inspection Rules for Application Protocols
    Router(config)# ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
      • Defines the application protocols to inspect, collected under one inspection name.
      • The named rule is later applied to an interface.
        • Available protocols include: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive.
        • alert, audit-trail, and timeout are configurable per protocol and override the global settings.
    Example:
    Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
    Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300
  • 49. Inspection Rules for Java
    Router(config)# ip inspect name inspection-name http java-list acl-num [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
      • Controls Java applet blocking with a numbered standard ACL: applets from sources the ACL permits are allowed through; applets from sources it denies, or that match nothing and fall to the implicit deny, are blocked.
    Example:
    Router(config)# ip inspect name FWRULE http java-list 10 alert on audit-trail on timeout 300
    Router(config)# access-list 10 deny 172.26.26.0 0.0.0.255
    Router(config)# access-list 10 permit 172.27.27.0 0.0.0.255
  • 50. Inspection Rules for RPC Applications
    Router(config)# ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
      • Allows the given RPC program number through; wait-time keeps a small opening in the firewall for the specified number of minutes so that follow-on connections between the same source and destination address and port can be made.
    Example:
    Router(config)# ip inspect name FWRULE rpc program-number 100022 wait-time 0 alert off audit-trail on
  • 51. Inspection Rules for SMTP Applications
    Router(config)# ip inspect name inspection-name smtp [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
      • Allows only the following legal commands in SMTP sessions: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.
      • If SMTP inspection is not configured, all SMTP commands are passed through the firewall and any vulnerabilities in the mail server's command handlers are reachable.
    Example:
    Router(config)# ip inspect name FWRULE smtp
  • 52. Inspection Rules for IP Packet Fragmentation
    Router(config)# ip inspect name inspection-name fragment max number timeout seconds
      • Protects hosts from certain DoS attacks involving fragmented IP packets:
        • max: the number of unassembled fragmented IP packets the firewall keeps state for at one time.
        • timeout: seconds an unassembled packet's fragments are held before they are discarded.
    Example:
    Router(config)# ip inspect name FWRULE fragment max 254 timeout 4
  • 53. ICMP Packet Types Supported by CBAC (IOS 12.2(15)T)
  • 54. Inspection Rules and ACLs Applied to Router Interfaces (Task 5)
  • 55. Applying Inspection Rules and ACLs
    Router(config-if)# ip inspect inspection-name {in | out}
      • Applies the named inspection rule to an interface in the given direction.
    Example:
    Router(config)# interface e0/0
    Router(config-if)# ip inspect FWRULE in
      • Applies the inspection rule FWRULE to interface e0/0 in the inward direction.
  • 56. General Rules for Applying Inspection Rules and ACLs
      • Interface where the traffic initiates (typically the inside interface):
        • Apply an ACL in the inward direction that permits only the wanted traffic.
        • Apply the inspection rule in the inward direction so that the wanted traffic is inspected.
      • All other interfaces:
        • Apply an ACL in the inward direction that denies all unwanted traffic. CBAC adds temporary entries for the return traffic of the sessions it inspects and removes them when the session closes or times out.
  • 57. Example — Two Interface Firewall
  • 58. Outbound Traffic
      • Apply an ACL and an inspection rule to the inside interface in the inward direction.
      • Permit inside-initiated traffic from the 10.0.0.0/24 network.
      • Configure CBAC to inspect TCP and UDP traffic.
    Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    Router(config)# access-list 101 deny ip any any
    Router(config)# ip inspect name OUTBOUND tcp
    Router(config)# ip inspect name OUTBOUND udp
    Router(config)# interface e0/0
    Router(config-if)# ip inspect OUTBOUND in
    Router(config-if)# ip access-group 101 in
  • 59. Inbound Traffic
      • Apply an ACL to the outside interface in the inward direction.
      • Permit outside-initiated ICMP and HTTP traffic to host 10.0.0.3; everything else from outside is denied unless CBAC has opened it for a session started from the inside.
    Router(config)# access-list 102 permit icmp any host 10.0.0.3
    Router(config)# access-list 102 permit tcp any host 10.0.0.3 eq www
    Router(config)# access-list 102 deny ip any any
    Router(config)# interface e0/1
    Router(config-if)# ip access-group 102 in
  • 60. Example — Three-Interface Firewall
  • 61. Outbound Traffic
      • Apply an ACL and an inspection rule to the inside interface in the inward direction.
      • Permit inside-initiated traffic from the 10.0.0.0/24 network.
      • Configure CBAC to inspect TCP and UDP traffic.
    Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    Router(config)# access-list 101 deny ip any any
    Router(config)# ip inspect name OUTBOUND tcp
    Router(config)# ip inspect name OUTBOUND udp
    Router(config)# interface e0/0
    Router(config-if)# ip inspect OUTBOUND in
    Router(config-if)# ip access-group 101 in
  • 62. Inbound Traffic
      • Apply an ACL and an inspection rule to the outside interface in the inward direction.
      • Permit outside-initiated ICMP and HTTP traffic to host 172.16.0.2 (the DMZ web server).
      • Configure CBAC to inspect the TCP traffic it permits.
    Router(config)# access-list 102 permit icmp any host 172.16.0.2
    Router(config)# access-list 102 permit tcp any host 172.16.0.2 eq www
    Router(config)# access-list 102 deny ip any any
    Router(config)# ip inspect name INBOUND tcp
    Router(config)# interface e0/1
    Router(config-if)# ip access-group 102 in
    Router(config-if)# ip inspect INBOUND in
  • 63. DMZ-Bound Traffic
      • Permit only ICMP traffic initiated in the DMZ (ACL 103, applied inbound on the DMZ interface).
      • Permit only ICMP and HTTP traffic outward to host 172.16.0.2 (ACL 104, applied outbound on the DMZ interface).
      • Apply both access lists to the DMZ interface; the OUTBOUND and INBOUND inspection rules on the other two interfaces open the return paths for the sessions they inspect.
    Router(config)# access-list 103 permit icmp host 172.16.0.2 any
    Router(config)# access-list 103 deny ip any any
    Router(config)# access-list 104 permit icmp any host 172.16.0.2
    Router(config)# access-list 104 permit tcp any host 172.16.0.2 eq www
    Router(config)# access-list 104 deny ip any any
    Router(config)# interface e1/0
    Router(config-if)# ip access-group 103 in
    Router(config-if)# ip access-group 104 out
  • 64. Test and Verify (Task 6)
  • 65. show Commands
    Router# show ip inspect name inspection-name
    Router# show ip inspect config
    Router# show ip inspect interfaces
    Router# show ip inspect session [detail]
    Router# show ip inspect all
      • Display CBAC configurations, interface configurations, and sessions.
    Example:
    Router# sh ip inspect session
    Established Sessions
     Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
     Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
     Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
  • 66. debug Commands
    Router# debug ip inspect function-trace
    Router# debug ip inspect object-creation
    Router# debug ip inspect object-deletion
    Router# debug ip inspect events
    Router# debug ip inspect timers
      • General debug commands.
    Router# debug ip inspect protocol
      • Protocol-specific debug (for example debug ip inspect tcp).
  • 67. Remove CBAC Configuration
    Router(config)# no ip inspect
      • Removes the entire CBAC configuration.
      • Resets all global timeouts and thresholds to the defaults.
      • Deletes all existing sessions.
      • Removes all associated dynamic ACL entries.
  • 68. Firewall and ACL Main Window
  • 69. Configuring Null Interface
  • 70. © 2005, Cisco Systems, Inc. All rights reserved.