CISCO IOS FIREWALL DESIGN GUIDE




http://www.cisco.com/en/us/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

I'm going to go through this document now. I'll note down all the stuff that I find interesting!

STATEFUL PACKET INSPECTION

SPI inspection happens after the ACL check. Suppose we have "ip inspect in" on the inbound interface; then the inspection happens after the inbound ACL (if configured) is processed. Similarly, if "ip inspect out" is configured on the outbound interface, the inspection is done after the outbound ACL (if configured) is processed.

Earlier, CBAC used to allow returning connections by creating dynamic ACL entries, but now SPI creates openings in the session table (this can be seen using the "sh ip inspect sessions" command). -> ACL BYPASS

Certain applications that use a secondary data channel, such as voice applications or streaming media applications, may require that you configure protocol-specific inspection for that particular service (e.g. inspect ftp). Suppose a protocol opens up data channels later on (e.g. FTP passive mode): all we need to do is inspect the primary channel (the FTP control connection), and SPI takes care of creating the relevant state information to permit the data connections. -> FIXUP

"inspect http" adds the capability to inspect returned content for Java applets, offering the option to block potentially malicious Java content. However, Java filtering incurs a substantial performance penalty. To configure an HTTP inspection policy that does not inspect for embedded Java content, define an ACL exempting network address ranges from Java inspection and associate the ACL with "inspect http":

    access-list 102 permit ip any any
    ip inspect name myfw http java-list 102

IOS-FW DoS protection is only enabled on network traffic if the traffic enters or leaves an interface with inspection applied in the same direction as the traffic's initial movement. We cannot disable the IOS-FW DoS protection.

To enable logging and send messages to a syslog server:

    FWRouter(config)# logging on
    FWRouter(config)# logging 192.168.1.11

To enable an audit trail of firewall messages:

    FWRouter(config)# ip inspect audit-trail
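As an added example (not taken from the design guide or from the original notes), here is a complete CBAC configuration that ties the pieces above together on a two-interface router: an inbound ACL on the outside interface that blocks unsolicited traffic, an inspection rule applied inbound on the inside interface so the session table opens the return path through that ACL, FTP inspection for the secondary data channel, Java filtering limited to a trusted address range, the DoS (half-open session) thresholds, and syslog plus audit trail. Interface names, addresses, ACL numbers and threshold values are assumptions.

```cisco
! Added example: CBAC on a two-interface router (names, addresses and values are assumptions)
!
! Syslog destination and per-session audit trail
logging on
logging host 192.168.1.11
ip inspect audit-trail
!
! DoS protection cannot be switched off, but its half-open session thresholds
! can be tuned. The numbers below are illustrative, not recommendations.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Standard ACL naming the only sites whose Java applets are allowed through;
! applets returned by any other server are blocked by "http java-list"
access-list 10 permit 203.0.113.0 0.0.0.255
!
! Inspection rule: generic TCP/UDP state, FTP so the data channel is opened
! dynamically from the control connection, and HTTP with Java filtering
ip inspect name FW_IN tcp
ip inspect name FW_IN udp
ip inspect name FW_IN ftp
ip inspect name FW_IN http java-list 10
!
! Outside-facing ACL: nothing unsolicited comes in. Return traffic for
! inside-initiated sessions bypasses this ACL via the inspect session table.
! ICMP is not covered by inspection, so the replies we need are permitted statically.
ip access-list extended OUTSIDE_IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE_IN in
!
interface FastEthernet0/1
 description INSIDE
 ip address 192.168.1.1 255.255.255.0
 ip inspect FW_IN in
```

With this in place, "show ip inspect config" confirms the rule and thresholds, and "show ip inspect sessions" lists the openings created for inside-initiated connections; an FTP transfer from the inside should show both the control session and the dynamically permitted data session while it runs.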

GRANULAR PROTOCOL INSPECTION

Inspection for specific protocols, fully integrated with PAM (Port to Application Mapping). GPI allows creation of a specific ACL bypass for only the desired traffic, as defined by an inspection list consisting of only the protocols that are explicitly permitted by an organization's Internet/security access policy. Use "sh ip inspect transactions" to view the number of TCP/UDP connections established/half-open over a period of time.

TRANSPARENT FIREWALL

Cisco IOS Transparent Firewall only inspects the traffic moving between the segments of the bridge group. Traffic to other subnets requires inspection as it traverses Layer 3 interfaces. If you're configuring NAT in the transparent firewall, configure the outside interface IP, then configure a BVI interface and use the BVI interface as the inside, so all connections originating from inside will have that IP address.

AUTHENTICATION PROXY

Auth Proxy provides HTTP, HTTPS, Telnet, and FTP interfaces to authenticate user access. Auth Proxy is configured on an interface without a direction, as access authentication is always inbound, intercepting the packet before it reaches the inbound ACL.

APPLICATION INSPECTION (HTTP, POP, SMTP, etc.)

HTTP

This is awesome! The 3 uses of HTTP application inspection:
- Protecting servers from malicious clients (e.g. HTTP method inspection)
- Protecting clients from malicious servers (e.g. HTTP content verification)
- Enforcing organizational policies (e.g. blocking IM, P2P)
It also checks the HTTP sessions for RFC conformance.

    appfw policy-name method-control
     application http
      strict-http action reset alarm
      request-method rfc put action reset alarm
    ip inspect name my-fw appfw method-control

Some implementations of IM applications and P2P file sharing software that offer the capability to conceal their traffic within a TCP port 80 (HTTP) header do not implement the complete RFC 2616 dialogue methodology. The Application Inspection Engine's "strict-rfc" option recognizes these applications' traffic, as it is clearly not HTTP traffic. However, some IM and P2P applications implement their TCP port 80 traffic with a sufficiently high degree of fidelity to RFC 2616 to make the traffic indistinguishable from legitimate HTTP traffic. The Application Inspection Engine can detect this traffic by enabling the "port-misuse" option, which currently recognizes Yahoo! Messenger IM, KaZaa and Gnutella P2P file sharing, and TCP port 80-based tunneling by HTTPPort/HTTPHost, GNU Httptunnel, GotoMyPC, Firethru, and the Http-tunnel.com client. Applying the port-misuse feature coupled with strict HTTP RFC compliance checking helps assure that valid HTTP dialogue is conducted according to the RFC's specification, and allows recognition of known IM and P2P traffic that closely emulates legitimate HTTP traffic.

INTERNET EMAIL PROTOCOLS (IMAP, POP3)

The inspection basically monitors whether the proper protocol is being followed and whether a secure authentication method is used:

    ip inspect name test pop3 log reset secure-login

The secure-login keyword forces the authenticator to use a secure method of authentication (clear-text passwords won't work).

EMAIL SERVER PROTOCOLS (SMTP, ESMTP)

Ensures that valid messages are being used. This restriction prevents unauthorized use of the SMTP and ESMTP port (TCP port 25), so that mail servers are protected from invalid, possibly malicious traffic, and so that exploit software such as back doors and rootkits is not allowed to use TCP port 25. ESMTP is a super-set of SMTP (SMTP should only be configured where the e-mail servers aren't compatible with ESMTP):

    ip inspect name test [smtp | esmtp]

BLOCKING IM AND P2P TRAFFIC

Cisco IOS Software supports the most popular Internet protocols, as well as several protocols that require additional effort to accommodate secondary data connections (Appendix 1). This example requires support for VNC, which is not supported by the default IP inspection capability; VNC runs on TCP port 5900 by default. Granular protocol inspection provides the capability to configure inspection for specific protocols that are not natively supported by IP inspection. Configure inspection for VNC by defining the PAM entry for the protocol. Note: user-defined protocol labels must begin with "user-":

    ip port-map user-vnc port tcp 5900

We use the port-misuse command to block P2P traffic carried over HTTP:

    appfw policy-name abuse-control
     application http
      port-misuse default action reset alarm

CAVEAT: Inspection still doesn't cover ICMP (must check if it's still the same for the 12.4(T) series).
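As an added example (not from the design guide or the original notes), the HTTP, e-mail and PAM fragments above can be combined into one application-inspection rule, which is what a practitioner would actually deploy: a single appfw policy carrying RFC-conformance checking, PUT-method control and port-misuse detection, ESMTP plus IMAP/POP3 inspection requiring secure logins, the user-defined VNC port mapping, and the ordinary TCP/UDP/FTP state, all under one "ip inspect name" applied to an interface. The policy and rule names and the interface are assumptions.

```cisco
! Added example: application-layer inspection under one inspect rule
! (policy/rule names and interface are assumptions, not from the guide)
!
! HTTP policy: enforce RFC 2616 conformance, reject PUT requests in inspected
! sessions (organizational policy), and reset known IM/P2P/tunnelling clients
! that hide inside TCP port 80
appfw policy-name APP_POLICY
 application http
  strict-http action reset alarm
  request-method rfc put action reset alarm
  port-misuse default action reset alarm
!
! PAM entry so the non-native VNC service can be named in an inspect rule
ip port-map user-vnc port tcp 5900
!
! One inspection rule carrying all the application checks plus generic state
ip inspect name FW_APP appfw APP_POLICY
ip inspect name FW_APP esmtp
ip inspect name FW_APP imap reset secure-login
ip inspect name FW_APP pop3 reset secure-login
ip inspect name FW_APP user-vnc
ip inspect name FW_APP ftp
ip inspect name FW_APP tcp
ip inspect name FW_APP udp
!
interface FastEthernet0/1
 description INSIDE
 ip inspect FW_APP in
```

"show appfw configuration" displays the compiled HTTP policy, "show ip port-map user-vnc" confirms the PAM entry, and because every action is "reset alarm", each violation both tears down the offending session and produces a syslog message, so the audit trail shows what policy is actually catching before anything stricter is considered.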

TRANSPARENT FIREWALL OVERVIEW
http://www.cisco.com/en/us/docs/security/asa/asa72/configuration/guide/fwmode.html#wp1201980

IPv4 traffic from higher to lower security interfaces is permitted by default. ARP is permitted by default in both directions and can be controlled using ARP inspection.

The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped:
- TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
- IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
- IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
- BPDU multicast address equal to 0100.0CCC.CCCD
- AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Note: the transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.

The route statements that hard-code MAC address lookups only apply to firewall-generated traffic (e.g. a hard-coded route to a syslog server). The management IP configured for the transparent firewall will be used as the source address for packets that originate from the firewall (e.g. syslog messages). You can also configure an IP address for the Management 0/0 management-only interface. This IP address can be on a separate subnet from the main management IP address.

For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts. Each context typically uses a different subnet. You can use overlapping subnets, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.

I'm looking for the document which tells me how the transparent firewall performs MAC lookups. Ahh, I found it :)
- Packets for directly connected devices: the adaptive security appliance generates an ARP request for the destination IP address, so that it can learn which interface receives the ARP response.
- Packets for remote devices: the adaptive security appliance generates a ping to the destination IP address, so that it can learn which interface receives the ping reply.
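As an added example (not from the ASA configuration guide or the original notes), here is a minimal single-context transparent-mode configuration for ASA 7.2 that exercises the points above: the global management IP that sources firewall-generated packets, a route that is consulted only for that traffic (here, reaching a syslog server on another subnet), the management-only interface on its own subnet, and ARP inspection backed by a static ARP entry for the gateway. Addresses, MAC address and interface names are assumptions.

```cisco
! Added example: ASA 7.2 single-context transparent mode
! (addresses, MAC address and interface names are assumptions)
firewall transparent
hostname TFW
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Out-of-band management on its own subnet, separate from the bridged segment
interface Management0/0
 nameif management
 security-level 100
 ip address 10.0.0.10 255.255.255.0
 management-only
 no shutdown
!
! Global management IP on the bridged subnet: the source address for packets the
! firewall itself originates (syslog, and the ping used for remote MAC lookups)
ip address 192.168.1.2 255.255.255.0
!
! Consulted only for firewall-originated traffic; transit traffic is bridged by
! MAC lookup and never touches this route
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
logging enable
logging host outside 203.0.113.50
!
! Static ARP entry for the gateway, then ARP inspection on both interfaces:
! an ARP packet that contradicts the static entry is dropped; packets for
! addresses not in the static table are still flooded (the default)
arp outside 192.168.1.1 0012.3456.789a
arp-inspection outside enable
arp-inspection inside enable
```

Once syslog is reachable, "show arp-inspection" shows the per-interface state and "show arp" the static entry; a host trying to spoof the gateway's IP with a different MAC produces dropped ARP packets rather than a poisoned bridge table.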

TIDP BASED MITIGATION SERVICES
http://www.cisco.com/en/us/docs/ios/sec_data_plane/configuration/guide/sec_tidp_mitig_svcs_ps6441_tsd_products_configuration_guide_chapter.html

TIDP -> Threat Information Distribution Protocol
TIM -> Threat Information Message
TMS -> Threat Mitigation Services

TMS provides the framework to rapidly and efficiently distribute threat information to devices across the network. TIMs are distributed from a central device, the TMS controller. TMS consumers are devices configured to receive TIMs. There can be only one controller per group, up to 256 consumers per group, and a maximum of 64 groups per network. TIDP runs over TCP, and it provides authentication and optional encryption of TIMs.

A TIM contains threat information as well as mitigation details. Each TIM is identified by a threat ID, owner ID, and version number. Each TMS group can support up to 256 active TIMs. TIMs are created using a threat definition file (an XML 1.0 compatible file). The threat definition file is loaded onto the TMS controller; this places the TIMs contained in the threat definition file into the "loaded" database, from where they are distributed to all or some of the consumers in the group.

TMS protocol operation, on the controller or consumer, is configured in a TMS type service policy using the Modular QoS CLI (MQC). The TMS type service policy is configured with TMS type class, parameter, and policy maps:
- The TMS type class map identifies TMS group consumers as a traffic class.
- The TMS type parameter map is a container for TMS protocol-specific configuration parameters. On the controller, TMS protocol operation timers, such as the heartbeat (keepalive) and message timers, are configured. On the consumer, the controller is identified and the controller registration timer is configured. TMS event logging is enabled on both the controller and consumer.
- The TMS type policy map binds (or attaches) the class and parameter maps. The policy map is attached to the global consumer or controller process, which activates the TMS type service policy.

Mitigation is configured in the TIMs and is enforced in two ways: either the consumer follows the mitigation action specified in the TIM (Block or Redirect), or it uses the mitigation type parameter map configured on the TMS consumer (next step).

Mitigation techniques:
- Block: suspected traffic is dropped when the suspect traffic meets all conditions of the rule.
- Redirect: the redirect enforcement action is configured to route to null0 or to route to a specific host. Cisco OER (Optimized Edge Routing) dynamically controls and implements redirect mitigation enforcement rules.

Custom rules created on the consumers can be used to "override" the TIM rules that are enforced by the controller. TMS rules are configured using the mitigation type service policy -> (mitigation type class map, mitigation type parameter map, mitigation type policy map):
- The mitigation type class map is used to define threat primitive and priority traffic matching conditions.
- The mitigation type parameter map contains the next-hop variable in the mitigation type service policy.
- The mitigation type policy map is used to attach the class and parameter maps; binding them together creates a mitigation type service policy.
The mitigation type service policy is activated by attaching the mitigation type policy map to the TMS type policy map in policy-map class configuration mode. The TMS type policy map is then attached to the global consumer configuration by configuring the service-policy command in TMS consumer configuration mode.

CONFIGURATION

TMS type parameter maps must be configured on both the controller and the consumers with TMS protocol-specific configuration parameters.

STEP 1
On the controller, the heartbeat (keepalive) and threat message timers are configured under "parameter-map type tms". The following example, starting in global configuration mode, configures a TMS type parameter map on a controller:

    Router(config)# parameter-map type tms TMS_PAR_1
    Router(config-profile)# logging tms events
    Router(config-profile)# heartbeat retry interval 60
    Router(config-profile)# heartbeat retry count 3
    Router(config-profile)# message retry interval 15
    Router(config-profile)# message retry count 5
    Router(config-profile)# exit

STEP 2
On the consumer, the parameter map identifies the controller and sets the registration timers. The following example, starting in global configuration mode, configures a TMS type parameter map on a consumer:

    Router(config)# parameter-map type tms TMS_PAR_2
    Router(config-profile)# controller ipv4 10.1.1.1
    Router(config-profile)# logging tms events
    Router(config-profile)# registration retry count 5
    Router(config-profile)# registration retry interval 60
    Router(config-profile)# exit

STEP 3
The next step is to identify the TIDP group over which TMS services are to be configured. The following example, starting in global configuration mode, configures groups 10 through 20 and group 30 as match criteria in the TMS_CLASS_1 class map:

    Router(config)# class-map type tms TMS_CLASS_1
    Router(config-cmap)# match tidp group 10-20
    Router(config-cmap)# match tidp group 30
    Router(config-cmap)# exit

STEP 4
The next step is to attach the TMS type class and parameter maps to a TMS type policy map. The following example, starting in global configuration mode, attaches TMS type class and parameter maps to a TMS type policy map:

    Router(config)# parameter-map type tms TMS_PAR_1
    Router(config-profile)# logging tms events
    Router(config-profile)# exit
    Router(config)# class-map type tms TMS_CLASS_1
    Router(config-cmap)# match tidp-group 10
    Router(config-cmap)# exit
    Router(config)# policy-map type control tms TMS_POL_1
    Router(config-pmap)# class TMS_CLASS_1
    Router(config-pmap-c)# mitigation TMS_PAR_1
    Router(config-pmap-c)# end

STEP 5 (controller only)
The next step is to attach the policy map to the global TMS controller process. The identifier command is configured to assign a unique ID number to a TMS controller. The following example, starting in global configuration mode, configures a global TMS controller process and attaches a TMS type policy map:

    Router(config)# tms controller
    Router(cfg-tms-ctrl)# service-policy type tms TMS_POL_1
    Router(cfg-tms-ctrl)# end

STEP 6 (consumer only)
A TMS type policy map must also be attached to a global TMS consumer process. The TMS consumer must register with the TMS controller before the controller can send Threat Information Messages (TIMs). If the service policy is activated, the registration messages are automatic; explicit registration is configured by entering the "tms consumer register" command on the TMS consumer.

The "exception access-group" command is configured to attach a local device exception to a TMS consumer process. A local device exception is an override configured on the TMS consumer that negates an enforcement action sent from the TMS controller or from a TMS Rules Engine configuration (mitigation type service policy) configured on the TMS consumer. The following example, starting in global configuration mode, configures a global TMS consumer process, attaches a TMS type policy map, and configures a device exception:

    Router(config)# ip access-list extended NAMED_ACL
    Router(config-ext-nacl)# permit tcp host 192.168.1.55 any
    Router(config-ext-nacl)# exit
    Router(config)# interface Ethernet 0/0
    Router(config-if)# ip access-group NAMED_ACL in
    Router(config-if)# tms-class
    Router(config-if)# exit
    Router(config)# tms consumer
    Router(cfg-tms-cons)# exception access-group NAMED_ACL
    Router(cfg-tms-cons)# service-policy type tms TMS_POL_1
    Router(cfg-tms-cons)# end

Implicit synchronization (resync) messages are sent between the controller and consumer when the "tms consumer register" command is entered. Implicit synchronization ensures that the consumer has received all threats that have been configured for its TMS group. Threats remain active until they are removed by the controller or until the consumer is deregistered. The following example registers a TMS consumer with a TMS controller:

    Router# tms consumer register group 10 controller ipv4 10.1.1.1

We can use the "tms controller load threat {file-source}" command to load the TIM XML file and create the TIMs.

STEP 7 (controller only)
The threat message is not activated until it is sent to TMS consumers. A single threat, a range of threats, or all threats can be sent. The threat can be sent to a single group or to all groups. The start time when the threat is activated and the duration of the threat are configurable. The "tms controller send" command is entered in privileged EXEC mode. The following example sends threat ID 100 to all consumers in TIDP group 10; the threat will remain active for 1 hour:

    Router# tms controller send group 10 owner 1000 tid 100 consumer all duration 3600
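As an added example (assembled here, not copied from the Cisco guide or the original notes), the seven steps above are collected into the running configuration of one controller and one consumer, followed by the privileged EXEC commands that register the consumer, load a threat definition file and push a threat. The controller address, group number, ACL, interface and timer values are the ones the steps use; the consumer policy binds the consumer-side parameter map (TMS_PAR_2) rather than TMS_PAR_1, and the threat file name is an assumption.

```cisco
! Added example: steps 1-7 as running configs (threat file name is an assumption)
!
! ===== TMS controller (10.1.1.1) =====
parameter-map type tms TMS_PAR_1
 logging tms events
 heartbeat retry interval 60
 heartbeat retry count 3
 message retry interval 15
 message retry count 5
!
class-map type tms TMS_CLASS_1
 match tidp-group 10
!
policy-map type control tms TMS_POL_1
 class TMS_CLASS_1
  mitigation TMS_PAR_1
!
tms controller
 service-policy type tms TMS_POL_1
!
! ===== TMS consumer =====
! Parameter map names the controller and sets the registration retry timers
parameter-map type tms TMS_PAR_2
 controller ipv4 10.1.1.1
 logging tms events
 registration retry count 5
 registration retry interval 60
!
class-map type tms TMS_CLASS_1
 match tidp-group 10
!
! Bind the consumer-side parameter map to the group class
policy-map type control tms TMS_POL_1
 class TMS_CLASS_1
  mitigation TMS_PAR_2
!
! Local device exception: traffic from this host is never blocked or redirected,
! whatever a TIM from the controller says
ip access-list extended NAMED_ACL
 permit tcp host 192.168.1.55 any
!
interface Ethernet0/0
 ip access-group NAMED_ACL in
 tms-class
!
tms consumer
 exception access-group NAMED_ACL
 service-policy type tms TMS_POL_1
!
! ===== Operation (privileged EXEC) =====
! On the consumer: explicit registration with the controller for group 10
!   Router# tms consumer register group 10 controller ipv4 10.1.1.1
! On the controller: load the threat definition file, then send threat ID 100
! to every consumer in group 10 for one hour
!   Router# tms controller load threat flash:threats.xml
!   Router# tms controller send group 10 owner 1000 tid 100 consumer all duration 3600
```

Because "logging tms events" is set in both parameter maps, the registration, resync and threat-activation messages appear in syslog on both devices, which is the quickest way to confirm that a consumer really joined group 10 before a threat is sent to it.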