Cisco IOS Firewall - PowerPoint PPT Presentation

About This Presentation

Title: Cisco IOS Firewall

Description: Security specific option for IOS software. Version of the Cisco IOS with an ... future, I choose to allow users RealAudio or NetMeeting access, I would simply ... – PowerPoint PPT presentation

Slides: 39
Provided by: Sha6181
Transcript and Presenter's Notes

1
Cisco IOS Firewall (CBAC: Context-Based Access Control)
2
Cisco IOS Firewall (CBAC: Context-Based Access Control)
3
Introduction
  • Basic Definition

4
Benefits
  • Monitor Traffic
  • (NAT)

5
Methods of Attack
  • Port Scans, ping sweeps
  • Packet Sniffers
  • IP spoofing
  • Application Level Attacks
  • Denial of Service Attacks

6
Types of Firewalls
  • Basic Router Security
  • Packet Filtering Firewalls
  • Stateful Inspection Firewalls

7
Cisco IOS Feature Set
  • Security specific option for IOS software.
  • Version of the Cisco IOS with an add-on feature
    set that can be run on several router platforms.
  • Affordability

8
Router Requirements
  • Cisco IOS software release 11.2(11)P and
    above.
  • Generally requires more memory, both in terms of
    flash and RAM.

9
Secure Cisco Router
  • Ability to configure a Cisco router in a fairly
    secure fashion using plain old ACLs
  • ACLs provide granular packet filtering at layers
    2, 3, and 4 only.
  • IOS firewall provides this level of traffic
    filtering and more.

10
What CBAC Does
  • Traffic Filtering
  • Traffic Inspection
  • Alerts and Audit Trails
  • Intrusion detection

11
Traffic Filtering
  • Context-Based Access Control intelligently
    filters TCP and UDP packets.
  • Without CBAC, traffic filtering is limited to
    access-list implementations that examine packets
    at the network layer.
  • CBAC examines not only network and transport
    layer info, but also application layer
    protocol info, such as FTP connection info.

12
Traffic Inspection
  • CBAC inspects traffic that travels through the
    firewall to discover and manage state information
    for TCP and UDP sessions.
  • This creates temporary openings in the firewall
    ACLs to allow return traffic originating from
    within the internal network.
  • Prevents SYN-flood and DoS attacks.

13
Alerts and Audit Trails
  • Generates real-time alerts and audit trails on
    events tracked by the firewall.
  • Uses SYSLOG to track all network transactions

14
Intrusion Detection
  • Cisco IOS IDS identifies 59 of the most common
    attacks using signatures to detect patterns of
    misuse in network traffic.

15
CBAC Opens Temporary Holes in Firewall Access Lists
16
Configuring CBAC
  • A common setup is to configure ACLs and CBAC
    inbound on the external interface of an internet
    router to protect a private network from harmful
    traffic initiated from the internet.
  • Your main concern is to allow in only return
    traffic from sessions initiated internally.

17
Cont. Config
  • Router (config) access-list 105 deny tcp any any
  • Router (config) access-list 105 deny udp any any
  • Router (config) interface serial 0/0
  • Router (config-if) ip access-group 105 in

18
  • The previous statements block all TCP and UDP
    traffic when applied inbound on the external
    interface. This provides a blanket form of
    inspection across all TCP and UDP traffic. By
    applying access list 105 to the external
    interface, we ensured that Internet traffic was
    intercepted as soon as it reached the Internet
    router. We could also exercise a more granular
    level of control by specifying certain
    application protocols, as this example
    demonstrates:
  • Router (config) access-list 105 deny tcp any any
    eq smtp
  • This statement blocks all SMTP traffic to the
    internal network. It would need to occur in the
    access list before the previous TCP blanket
    statement or it would have no effect, because an
    ACL is evaluated top down and the first match wins.

19
  • The next step in this process is to define the
    timeout and threshold values for CBAC to use when
    tracking sessions. You can configure several
    values to enhance CBAC's ability to defend
    against network attacks. Most of the timeout and
    threshold settings have default values that will
    generally suffice in a startup scenario. Many of
    the timeouts and thresholds control how the
    router responds to DoS attacks. (We'll save a
    more in-depth discussion of timer/threshold
    configuration for another time.)

20
  • Keep in mind that CBAC does not inspect ICMP,
    only TCP and UDP. Accordingly, you'll need to add
    inbound ACL entries for appropriate ICMP
    restrictions. Consider adding these ICMP entries
    to your ACL. They'll make it possible for those
    inside your network to ping hosts on the
    Internet, as well as allow your router to respond
    to proper ICMP traffic.

21
  • Up to this point, we've shown you how to
    configure entries for the extended access list
    and apply that configuration to the inbound
    traffic on the external interface. The ACL has
    entries to block all the traffic we want to
    inspect with CBAC. Rather than modify the timeout
    and threshold settings, we went with the
    defaults. We recommend starting with the defaults
    and tuning these as you go. It's not a good idea
    to make changes to these settings if you don't
    understand how those changes will affect firewall
    operation. Next, we define the actual inspection
    rule that governs which application layer
    protocols are examined.

22
  • Inspection rule command structure:
  • ip inspect name inspection-name protocol
    [alert {on | off}] [audit-trail {on | off}]
    [timeout seconds]
  • This is a global config mode command. You
    specify a name and a protocol; the alert setting,
    audit trail and timeout value in seconds are
    optional keywords.

23
  • Applying the inspect command:
  • Router (config) ip inspect name myfw tcp alert
    on audit-trail on

24
  • We've named the rule myfw, specified TCP as the
    protocol to inspect, and activated the alert and
    auditing options. Notice the alert and
    audit-trail options. These require a Syslog
    server to send the information to. Although that
    configuration is beyond the scope of this
    article, I do recommend using auditing for
    logging all firewall activity. At this point,
    I'll apply the rule to the external interface,
    Serial0, with the following:
  • Router (config) interface serial0/0
  • Router (config-if) ip inspect myfw out

25
  • Notice that we have applied the inspection rule
    outbound on the external interface. It will track
    sessions started internally and heading out
    through the external interface, bound for the
    Internet or some other external network.

26
  • If you have difficulty during CBAC configuration,
    you can disable and reset all related settings
    using the following global mode command. This
    won't remove your extended access list configured
    on the outside interface. If you turn off
    inspection, keep in mind that it will most likely
    halt all traffic entering your private network,
    because the access list is filtering most, if not
    all, inbound traffic at the external interface
    and no temporary openings will be created for
    return traffic. Turning off inspection is as
    simple as:
  • Router (config) no ip inspect

27
  • That command will remove all the inspection
    information from the configuration, including the
    filter statements and command line that applies
    it to the interface.

28
  • Now that the basic configuration details are out
    of the way, let's look at a
  • Configuration with ACLs and CBAC inspection
    activated:
  • ! generic inspection of UDP and TCP, and
    application inspection for http, smtp, ftp
  • ip inspect name myfw tcp alert on audit-trail on
  • ip inspect name myfw udp alert on audit-trail on
  • ip inspect name myfw http
  • ip inspect name myfw smtp
  • ip inspect name myfw ftp

29
  • ! access list applied inbound to external interface
  • access-list 105 deny tcp any any
  • access-list 105 deny udp any any
  • access-list 105 permit icmp any any unreachable
  • access-list 105 permit icmp any any echo-reply
  • access-list 105 permit icmp any any
    packet-too-big
  • access-list 105 permit icmp any any time-exceeded
  • access-list 105 permit icmp any any traceroute
  • access-list 105 permit icmp any any
    administratively-prohibited

30
  • access-list 105 permit icmp any any echo
  • access-list 105 deny icmp any any
  • ! external interface
  • interface serial0
  • ip access-group 105 in
  • ip inspect myfw out

31
  • This basic CBAC configuration will allow only
    limited ICMP information through the firewall
    router because access list 105 is applied
    incoming to the external interface. The
    inspection rule, myfw, will allow internal
    users to start outbound WWW sessions via HTTP and
    track the sessions, opening return points in the
    static, extended access list. This is also true
    for FTP and SMTP. If, in the future, I choose to
    allow users RealAudio or NetMeeting access, I
    would simply add ip inspect name statements,
    using myfw as the name.
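To make slide 15's point concrete (the inspection rule punching temporary return-traffic holes in a static inbound ACL, and those holes closing when a session goes idle), here is a small Python model written for this transcript. It is not Cisco code; the addresses, the simplified copy of access-list 105, the 30-second idle timeout and the CbacRouter class are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    icmp_type: str = ""  # e.g. "echo", "echo-reply"; only meaningful for icmp

@dataclass
class CbacRouter:
    acl_in: list        # static ACL applied `in` on the external interface
    inspect: set        # protocols named in the `ip inspect name` rule applied `out`
    idle_timeout: int   # seconds a tracked session may idle before its hole closes
    sessions: dict = field(default_factory=dict)  # 5-tuple -> last-seen time

    def _static_acl(self, p: Pkt) -> bool:
        """First matching entry wins; a Cisco ACL ends with an implicit deny."""
        for action, proto, icmp_type in self.acl_in:
            if proto == p.proto and (icmp_type is None or icmp_type == p.icmp_type):
                return action == "permit"
        return False

    def outbound(self, p: Pkt, now: int) -> bool:
        """Inside -> Internet. Inspection on the outbound side records the session."""
        if p.proto in self.inspect:
            self.sessions[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
        return True

    def inbound(self, p: Pkt, now: int) -> bool:
        """Internet -> inside. Return traffic of a live session passes; the rest hits the ACL."""
        key = (p.proto, p.dst, p.dport, p.src, p.sport)  # reverse of the outbound tuple
        last = self.sessions.get(key)
        if last is not None:
            if now - last <= self.idle_timeout:
                self.sessions[key] = now
                return True
            del self.sessions[key]  # idle too long: the temporary opening is gone
        return self._static_acl(p)

# Constructed, simplified model of the slides' access-list 105 (no CBAC-inspected protocol passes statically).
ACL_105 = [("deny", "tcp", None), ("deny", "udp", None),
           ("permit", "icmp", "echo-reply"), ("permit", "icmp", "echo"),
           ("deny", "icmp", None)]

def demo() -> dict:
    fw = CbacRouter(acl_in=ACL_105, inspect={"tcp", "udp"}, idle_timeout=30)
    inside, web = "10.0.0.5", "203.0.113.10"  # constructed addresses
    fw.outbound(Pkt("tcp", inside, 40000, web, 80), now=0)  # internal user opens HTTP
    return {
        "return_http": fw.inbound(Pkt("tcp", web, 80, inside, 40000), now=5),
        "unsolicited_ssh": fw.inbound(Pkt("tcp", web, 50000, inside, 22), now=5),
        "unsolicited_udp": fw.inbound(Pkt("udp", web, 53, inside, 53), now=5),
        "echo_reply": fw.inbound(Pkt("icmp", web, 0, inside, 0, "echo-reply"), now=5),
        "redirect": fw.inbound(Pkt("icmp", web, 0, inside, 0, "redirect"), now=5),
        "stale_http": fw.inbound(Pkt("tcp", web, 80, inside, 40000), now=100),
    }
```

Only the reply to the tracked HTTP session and the statically permitted ICMP types get in; the same reply 95 seconds later is dropped because the idle session, and with it the hole, has expired.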

32
  • To change the inspection rule, you can easily add
    or remove line items. To add statements, simply
    use the ip inspect name command, using the same
    user-defined rule name. If you need to remove a
    line, use the no form of the ip inspect name
    command, as follows:
  • Router (config) ip inspect name myfw tcp
  • Router (config) no ip inspect name myfw tcp

33
  • If at any point you want to check the
    configuration, you can get CBAC setup details
    using the show ip inspect command, as in the
    following:
  • Router# show ip inspect all
  • The all parameter will display information such
    as the current configuration of inspection, as well
    as current sessions traversing the firewall.

34
General firewall configuration recommendations
  • Simply installing the IOS firewall software does
    not fully ensure a secure network. The router and
    CBAC must be configured properly to secure the
    private network from unwanted access. With this
    in mind, you'll want to apply other well-known
    protections to the firewall router. Among these
    are broadcast protection and antispoofing
    measures. Here are some recommended measures:

35
General firewall configuration recommendations
  • no ip directed-broadcast
  • no icmp redirect
  • no ip redirect
  • no service finger
  • no cdp run
  • no ip source-route
  • access-list 100 deny ip <internal network range>
    any (antispoofing: drop inbound packets claiming
    an internal source address)

36
General firewall configuration recommendations
  • Don't consider this to be a complete list of
    precautions. This is merely a sample of the types
    of settings to implement for a secure network
    environment. You'll also want to check the Cisco
    support Web site for current security
    recommendations for edge routers. For instance,
    Cisco recently acknowledged a rather serious
    security issue for routers running the ip http
    service. I recommend checking the security area
    of the Cisco support Web site regularly to
    evaluate any potential vulnerability in your
    router/IOS combination and configuration
    attributes.

37
Summary
  • Although the IOS firewall provides a higher level
    of security than the standard access list
    approach, like other firewalls, it shouldn't be
    considered invulnerable. A determined hacker may
    be able to find holes in the most secure of
    systems. I've demonstrated the strong security
    features of CBAC, but you may want to consider a
    dual firewall approach if your security needs are
    highly demanding.

38
Summary
  • When implementing CBAC, consider its limitations
    carefully. For instance, it will handle
    inspection of FTP data channels only in the range
    of 1024 to 65535. Also, if you're using IPSec,
    carefully plan how it will interact with the IOS
    firewall router. Keep in mind the strengths and
    configuration options, which are plentiful. For
    example, CBAC can be used as an extranet
    protection method when your network is connected
    to a business partner's network. In this manner,
    it would inspect traffic in both directions,
    protecting both networks from unapproved access.
    You can also guard against traffic leaving the
    network by applying inspection to outbound traffic.