Network Security 1. Module 8 Configure Filtering on a Router



Similar documents
Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

FIREWALLS & CBAC. philip.heimer@hh.se

Network Security 2. Module 2 Configure Network Intrusion Detection and Prevention

Firewall Stateful Inspection of ICMP

Firewall Technologies. Access Lists Firewalls

Lab Configure Cisco IOS Firewall CBAC

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Security

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Virtual Fragmentation Reassembly

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Configure Cisco IOS Firewall to use stateful packet inspection for IPv6. Configure Cisco IOS Firewall to use packet filtering for IPv6.

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Firewall Authentication Proxy for FTP and Telnet Sessions

RSA Security Analytics

Cisco Secure PIX Firewall with Two Routers Configuration Example

Cisco IOS Firewall. Executive Summary

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Protect or Not Protect Your Network? Defense Techniques. Firewall. Agenda. L91C - Defense Techniques (FW, IDS, IPS)

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

CISCO IOS FIREWALL DESIGN GUIDE

Introduction of Intrusion Detection Systems

Firewall Support for SIP

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

IOS Zone Based Firewall Step-by-Step Basic Configuration

Firewall Stateful Inspection of ICMP

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

Table of Contents. Configuring IP Access Lists

Lab Configure IOS Firewall IDS

Adding an Extended Access List

Firewall Firewall August, 2003

Troubleshooting Cisco Secure Intrusion Detection Systems

Configuring Class Maps and Policy Maps

Securing Networks with PIX and ASA

ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example

Internetwork Expert s CCNA Security Bootcamp. IOS Firewall Feature Set. Firewall Design Overview

TABLE OF CONTENTS NETWORK SECURITY 1...1

Firewalls (IPTABLES)

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

CSCE 465 Computer & Network Security

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

LAB II: Securing The Data Path and Routing Infrastructure

Cisco Configuring Commonly Used IP ACLs

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering

Cisco IOS Firewall Zone-Based Policy Firewall Release 12.4(6)T Technical Discussion February 2006

Integrated Cisco Products

Controlling Access to a Virtual Terminal Line

Cisco PIX. Upgrade-Workshop PixOS 7. Dipl.-Ing. Karsten Iwen CCIE #14602 (Seccurity)

Configuring NetFlow Secure Event Logging (NSEL)

Lab Exercise Configure the PIX Firewall and a Cisco Router

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

Configuring NetFlow Secure Event Logging (NSEL)

12. Firewalls Content

Implementing Secure Converged Wide Area Networks (ISCW)

Configuring Control Plane Policing

Introduction to Network Address Translation

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Chapter 3 Using Access Control Lists (ACLs)

INTRODUCTION TO FIREWALL SECURITY

Network Data Encryption Commands

PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

Firewalls. Chapter 3

IPv4 Supplement Tutorial - Job Aids and Subnetting

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

Cork Institute of Technology Master of Science in Computing in Education National Framework of Qualifications Level 9

Chapter 4 Firewall Protection and Content Filtering

The information in this document is based on these software and hardware versions:

Access Control Lists: Overview and Guidelines

Chapter 4 Firewall Protection and Content Filtering

Chapter 11 Network Address Translation

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Lab 8: Confi guring QoS

- Basic Router Security -

8 steps to protect your Cisco router

Security Technology: Firewalls and VPNs

Cisco PIX vs. Checkpoint Firewall

Security and Access Control Lists (ACLs)

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

Troubleshooting IP Access Lists

- QoS Classification and Marking -

Configuring Network Address Translation

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Cisco Firewall Technology

NC School Connectivity Initiative Firewall Best Practices. NCET 2014 Conference

Firewall Defaults and Some Basic Rules

F-SECURE MESSAGING SECURITY GATEWAY

PIX/ASA 7.x with Syslog Configuration Example

Firewall Design Principles

Security Threats VPNs and IPSec AAA and Security Servers PIX and IOS Router Firewalls. Intrusion Detection Systems

PIX/ASA 7.x: Enable FTP/TFTP Services Configuration Example

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Packet Filtering using Access Control Policies and Lists

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Chapter 46. Firewall

TROUBLESHOOTING FIREWALLS

FWSM introduction Intro 5/1

Configuring Network Address Translation

How To Secure Network Threads, Network Security, And The Universal Security Model

Transcription:

Network Security 1 Module 8 Configure Filtering on a Router

Module 8 Configure Filtering on a Router 8.1 Filtering Technologies

Packet Filtering

Stateful Packet Filtering

URL Filtering

Module 8 Configure Filtering on a Router 8.2 Cisco IOS Firewall Context- Based Access Control

Cisco IOS Firewall CBAC TCP UDP Internet Packets are inspected upon entering the firewall by CBAC if they are not specifically denied by an ACL. CBAC permits or denies specified TCP and UDP traffic through a firewall. A state table is maintained with session information. ACLs are dynamically created or deleted. CBAC protects against DoS attacks.

Cisco IOS ACLs Provide traffic filtering by: Source and destination IP addresses Source and destination ports Can be used to implement a filtering firewall Ports are opened permanently to allow traffic, creating a security vulnerability. Do not work with applications that negotiate ports dynamically.

How CBAC Works

How CBAC Works (Cont)

CBAC Supported Protocols TCP (single channel) UDP (single channel) RPC FTP TFTP UNIX R-commands (such as rlogin, rexec, and rsh) SMTP HTTP (Java blocking) Java SQL*Net RTSP (such as RealNetworks) H.323 (such as NetMeeting, ProShare, CUSeeMe) Other multimedia Microsoft NetShow StreamWorks VDOLive

Alerts and Audit Trails CBAC generates real-time alerts and audit trails. Audit trail features use Syslog to track all network transactions. With CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

Access Control List (ACL) Review

Identifying Access Lists Cisco routers can identify access lists using two methods: Access list number (All IOS versions) The number of the access list determines what protocol it is filtering: (1-99) and (1300-1399) Standard IP access lists. (100-199) and (2000-2699) Extended IP access lists. (800-899) Standard IPX access lists. Access list name (IOS versions > 11.2) You provide the name of the access list: Names contain alphanumeric characters. Names cannot contain spaces or punctuation and must begin with a alphabetic character.

Basic Types of IP Access Lists Cisco routers support two basic types of IP access lists: Standard Filter IP packets based on the source address only. Extended Filter IP packets based on several attributes, including: Protocol type. Source and destination IP addresses. Source and destination TCP/UDP ports. ICMP and IGMP message types.

Standard Numbered Access List Format Router(config)# access-list access-list-number {deny permit} source [source-wildcard] Austin2(config)# access-list 2 permit 36.48.0.3 Austin2(config)# access-list 2 deny 36.48.0.0 0.0.255.255 Austin2(config)# access-list 2 permit 36.0.0.0 0.255.255.255 Austin2(config)# interface e0/1 Austin2(config-if)# ip access-group 2 in

Standard Named Access List Format Router(config)# ip access-list standard access-list-name Router(config-std-nacl)# {deny permit} source [source-wildcard] Austin2(config)# ip access-list standard protect Austin2(config-std-nacl)# deny 36.48.0.0 0.0.255.255 Austin2(config-std-nacl)# permit 36.0.0.0 0.255.255.255 Austin2(config)# exit

Extended Numbered Access List Format Internet e0/0 128.88.3.0 Miami 128.88.1.0 128.88.1.2 SMTP host Router(config)# access-list access-list-number {deny permit} {protocol-number protocol-keyword}{source source-wildcard any host} {source-port} {destination destination-wildcard any host} {destination-port} [established][log log-input] Miami(config)# access-list 103 permit tcp any 128.88.0.0 0.0.255.255 established Miami(config)# access-list 103 permit tcp any host 128.88.1.2 eq smtp Miami(config)# interface e0/0 Miami(config-if)# ip access-group 103 in

Extended Named Access List Format Router(config)# ip access-list extended access-list-name Router(config-ext-nacl)# {deny permit} {protocol-number protocolkeyword} {source source-wildcard any host} {source-port} {destination destination-wildcard any host} {destination-port} [established][log log-input] Miami(config)# ip access-list extended mailblock Miami(config-ext-nacl)# permit tcp any 128.88.0.0 0.0.255.255 established Miami(config-ext-nacl)# permit tcp any host 128.88.1.2 eq smtp Miami(config-ext-nacl)# exit

Commenting IP Access-List Entries Router(config)# remark message Miami(config)# access-list 102 remark Allow traffic to file server Miami(config)# access-list 102 permit ip any host 128.88.1.6

Basic Rules for Developing Access Lists Here are some basic rules you should follow when developing access lists: Rule #1 Write it out! Get a piece of paper and write out what you want this access list to accomplish. This is the time to think about potential problems. Rule #2 Setup a development system. Allows you to copy and paste statements easily. Allows you to develop a library of access lists. Store the files as ASCII text files. Rule #3 Apply access list to a router and test. If at all possible, run your access lists in a test environment before placing them into production.

Access List Directional Filtering Internet Austin1 s0/0 e0/0 e0/1 Inbound Outbound Inbound Data flows toward router interface. Outbound Data flows away from router interface.

Applying Access Lists to Interfaces Router(config)# ip access-group {access-list-number accesslist-name} {in out} Tulsa(config)# interface e0/1 Tulsa(config-if)# ip access-group 2 in Tulsa(config-if)# exit Tulsa(config)# interface e0/2 Tulsa(config-if)# ip access-group mailblock out

Displaying Access Lists Router# show access-lists {access-list-number accesslist-name} Miami# show access-lists Extended IP access list 102 permit ip any host 128.88.1.6 Extended IP access list mailblock permit tcp any 128.88.0.0 0.0.255.255 established Miami#

Module 8 Configure Filtering on a Router 8.3 Configure Cisco IOS Firewall Context-Based Access Control

CBAC Configuration Pick an Interface Internal or External. Configure IP Access Lists at the interface Set audit trails and alerts. Set global timeouts and thresholds. Define PAM. Define inspection rules. Apply inspection rules and ACLs to interfaces. Test and verify.

Enable Audit Trails and Alerts Router(config)# ip inspect audit-trail Enables the delivery of audit trail messages using Syslog Router(config)# no ip inspect alert-off Enables real-time alerts Router(config)# logging on Router(config)# logging 10.0.0.3 Router(config)# ip inspect audit-trail Router(config)# no ip inspect alert-off

Global Half-Opened Connection Limits Router(config)# ip inspect max-incomplete high number Defines the number of existing half-opened sessions that cause the software to start deleting half-opened sessions (aggressive mode) Router(config)# ip inspect max-incomplete low number Defines the number of existing half-opened sessions that cause the software to stop deleting half-opened sessions

Global Half-Opened Connection Limits Router(config)# ip inspect one-minute high number Defines the number of new half-opened sessions per minute at which they start being deleted Router(config)# ip inspect one-minute low number Defines the number of new half-opened sessions per minute at which they stop being deleted

Port-to-Application Mapping Overview Ability to configure any port number for an application protocol. CBAC uses PAM to determine the application configured for a port.

User-Defined Port Mapping Router(config)# ip port-map appl_name port port_num Maps a port number to an application. Router(config)# access-list permit acl_num ip_addr ip port-map appl_name port port_num list acl_num Maps a port number to an application for a given host. Router(config)# access-list permit acl_num ip_addr wildcard_mask ip port-map appl_name port port_num list acl_num Maps a port number to an application for a given network.

Display PAM Configuration Router# show ip port-map Shows all port mapping information. Router# show ip port-map appl_name Shows port mapping information for a given application. Router# show ip port-map port port_num Shows port mapping information for a given application on a given port. Router# sh ip port-map ftp Default mapping: ftp port 21 system defined Host specific: ftp port 1000 in list 10 user

Inspection Rules for Application Protocols Router(config)# ip inspect name inspection-name protocol [alert {on off}] [audit-trail {on off}] [timeout seconds] Defines the application protocols to inspect. Will be applied to an interface Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive. alert, audit-trail, and timeout are configurable per protocol and override global settings. Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300 Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Inspection Rules for Java Router(config)# ip inspect name inspection-name http java-list acl-num [alert {on off}] [audit-trail {on off}] [timeout seconds] Controls java blocking with a standard ACL. Router(config)# ip inspect name FWRULE http java-list 10 alert on audit-trail on timeout 300 Router(config)# ip access-list 10 deny 172.26.26.0 0.0.0.255 Router(config)# ip access-list 10 permit 172.27.27.0 0.0.0.255

Inspection Rules for RPC Applications Router(config)# ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on off}] [audit-trail {on off}] [timeout seconds] Allows given RPC program numbers wait-time keeps the connection open for a specified number of minutes. Router(config)# ip inspect name FWRULE rpc program-number 100022 wait-time 0 alert off audit-trail on

Inspection Rules for SMTP Applications Router(config)# ip inspect name inspection-name smtp [alert {on off}] [audit-trail {on off}] [timeout seconds] Allows only the following legal commands in SMTP applications: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY. If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed. Router(config)# ip inspect name FWRULE smtp

Inspection Rules for IP Packet Fragmentation Router(config)# ip inspect name inspection-name fragment max number timeout seconds Protects hosts from certain DoS attacks involving fragmented IP packets max number of unassembled fragmented IP packets. timeout seconds when the unassembled fragmented IP packets begin to be discarded. Router(config)# ip inspect name FWRULE fragment max 254 timeout 4

Applying Inspection Rules and ACLs Router (config-if)# ip inspect inspection-name {in out} Applies the named inspection rule to an interface. Router(config)# interface e0/0 Router(config-if)# ip inspect FWRULE in Applies the inspection rule to interface e0/0 in inward direction.

General Rules for Applying Inspection Rules and ACLs Interface where traffic initiates Apply ACL on the inward direction that permits only wanted traffic. Apply rule on the inward direction that inspects wanted traffic. All other interfaces Apply ACL on the inward direction that denies all unwanted traffic.

Example Two Interface Firewall

Outbound Traffic Router(config)# ip inspect name OUTBOUND tcp Router(config)# ip inspect name OUTBOUND udp Configure CBAC to inspect TCP and UDP traffic. Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any Router(config)# access-list 101 deny ip any any Permit inside-initiated traffic from the 10.0.0.0 network. Router(config)# interface e0/0 Router(config-if)# ip inspect OUTBOUND in Router(config-if)# ip access-group 101 in Apply an ACL and inspection rule to the inside interface in an inward direction.

Inbound Traffic Router(config)# access-list 102 permit icmp any host 10.0.0.3 Router(config)# access-list 102 permit tcp any host 10.0.0.3 eq www Router(config)# access-list 102 deny ip any any Permit outside-initiated ICMP and HTTP traffic to host 10.0.0.3. Router(config)# interface e0/1 Router(config-if)# ip access-group 102 in Apply an ACL and inspection rule to outside interface in inward direction.

Example Three-Interface Firewall

Outbound Traffic Router(config)# ip inspect name OUTBOUND tcp Router(config)# ip inspect name OUTBOUND udp Configure CBAC to inspect TCP and UDP traffic. Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any Router(config)# access-list 101 deny ip any any Permit inside-initiated traffic from 10.0.0.0 network. Router(config)# interface e0/0 Router(config-if)# ip inspect OUTBOUND in Router(config-if)# ip access-group 101 in Apply an ACL and inspection rule to the inside interface in an inward direction.

Inbound Traffic Router(config)# ip inspect name INBOUND tcp Configure CBAC to inspect TCP traffic. Router(config)# access-list 102 permit icmp any host 172.16.0.2 Router(config)# access-list 102 permit tcp any host 172.16.0.2 eq www Router(config)# access-list 102 deny ip any any Permit outside-initiated ICMP and HTTP traffic to host 172.16.0.2. Router(config)# interface e0/1 Router(config-if)# ip access-group 102 in Apply an ACL and inspection rule to the outside interface in an inward direction.

DMZ-Bound Traffic Router(config)# access-list 103 permit icmp host 172.16.0.2 any Router(config)# access-list 103 deny ip any any Permit only ICMP traffic initiated in the DMZ. Router(config)# access-list 104 permit icmp any host 172.16.0.2 Router(config)# access-list 104 permit tcp any host 172.16.0.2 eq www Router(config)# access-list 104 deny ip any any Permit only outward ICMP and HTTP traffic to host 172.16.0.2. Router(config)# interface e1/0 Router(config-if)# ip access-group 103 in Router(config-if)# ip access-group 104 out Apply proper access lists and an inspection rule to the interface.

show Commands Router# show ip inspect name inspection-name show ip inspect config show ip inspect interfaces show ip inspect session [detail] show ip inspect all Displays CBAC configurations, interface configurations, and sessions. Router# sh ip inspect session Established Sessions Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN

debug Commands Router# debug ip inspect function-trace debug ip inspect object-creation debug ip inspect object-deletion debug ip inspect events debug ip inspect timers General debug commands. Router(config)# debug ip inspect protocol Protocol-specific debug.

Remove CBAC Configuration Router(config)# no ip inspect Removes entire CBAC configuration. Resets all global timeouts and thresholds to the defaults. Deletes all existing sessions. Removes all associated dynamic ACLs.

Firewall and ACL Main Window

2005, Cisco Systems, Inc. All rights reserved. 51

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information