8/14/2019 Create a Poor Man's Firewall With the Cisco IOS
Build Your Skills: Create a poor man's firewall with the Cisco IOS
Takeaway: Uncovers a little-known secret regarding a built-in feature set for creating a firewall and intrusion-detection system within the Cisco IOS router
Today, network security has become a top priority for every organization connected to the Internet, and firewalls have come to serve as the main security mechanism. Vendors have been pushing toward dedicated firewall appliances, and I don't argue that these are excellent solutions, but such appliances can also be very costly for small to medium-size businesses. For example, a Cisco PIX Firewall can cost thousands of dollars.
However, there is an inexpensive and effective firewall solution that you may have overlooked. Most companies that connect to the Internet use a standard router to do so. If you use a Cisco router, you should know that the Cisco IOS has a built-in feature set for creating a firewall and intrusion detection system. Using this solution, you don't need a separate firewall box; it can all be done inside your current Cisco router. I like to call this a "poor man's firewall."
Security resource
An excellent source for the proper recommendations and precautions for Cisco routers is the
National Security Agency's executive summary for Cisco router security. This is the best
single list of recommendations I have found for implementing strong security on Cisco
routers.
Getting the proper IOS
The first step is to get the proper IOS for your Cisco router. If you are interested in only the most basic form of a firewall (allowing only the required IP addresses/ports and blocking the others), it's likely that your existing Cisco router can do this by configuring extended IP access control lists, which judge each packet on its own. However, if you want many of the same features available in today's more powerful firewalls, such as stateful session tracking and intrusion detection, you need the firewall/intrusion detection system (FW/IDS) feature set.
You can get the IOS with the FW/IDS feature set by using the Cisco IOS Upgrade Planner. You must be a registered user on the Cisco site to access this. Using the IOS Upgrade Planner, you can select the model of router you have, the IOS version you would like (preferably one of the most recent), and the software features you're looking for. Make sure that you choose one with the FW/IDS feature set. (You may need to pay a small licensing fee to use this feature set.) Before you install it, confirm that the router has the flash and DRAM the image requires (the planner lists them; compare against the output of show version), and check the downloaded file's MD5 checksum against the one Cisco publishes with the image, since a firewall image you have not verified is not one to trust. Then download the IOS, update your router to the new version, and reboot.
Configuring NAT
Next, you'll need to properly configure the firewall and IDS features. As I mentioned earlier, the most basic firewall is configured with extended IP access control lists. This will also be the place we start when configuring a more advanced firewall.
Because many companies use network address translation (NAT) and private internal TCP/IP addresses, we'll build that part of the configuration first. One common NAT scenario is for a router to have a serial connection to the Internet and an Ethernet connection to the local network. In this case, NAT enables the use of private TCP/IP addresses (the RFC 1918 ranges, such as 10.0.0.0/8) on the internal network, which hides your internal addressing from the outside and keeps you from having to renumber if you change your Internet Service Provider (ISP). NAT by itself is not a filter, though; the protection comes from the access list that follows.
The configuration on your Cisco router might look something like this:
interface Serial1/0
 description Internet connection - external (1.1.1.0/24 is the real Internet network)
 ip address 1.1.1.254 255.255.255.0
 no ip proxy-arp
 ip nat outside
!
interface Ethernet1/1
 description Local Network Ethernet Connection - internal (10.253.0.0/16 is the private network)
 ip address 10.253.2.2 255.255.0.0
 no ip proxy-arp
 ip nat inside
!
! Static one-to-one translations: Web server and Email server keep their public addresses
ip nat inside source static 10.253.1.1 1.1.1.1
ip nat inside source static 10.253.1.2 1.1.1.2
!
! All other inside hosts share the serial interface's public address when they go out
access-list 1 permit 10.253.0.0 0.0.255.255
ip nat inside source list 1 interface Serial1/0 overload
!
! Default route out the point-to-point Internet link; on a multi-access link use the ISP router's address instead
ip route 0.0.0.0 0.0.0.0 Serial1/0
Note that the IP address of the local Web server is now 10.253.1.1, and the IP address of the local mail server is now 10.253.1.2. Before implementing the firewall, these two systems were sitting unprotected on the Internet with their two public Internet addresses, 1.1.1.1 (Web server) and 1.1.1.2 (mail server). Now these two servers have internal IPs. Their external IPs, which stay the same, are terminated at the router and translated to the internal IPs. All other internal hosts are translated to the serial interface's address when they go out, and anything that isn't on the local 10.253.x.x network is sent out the serial interface by the default route. You can confirm that the translations are in place with show ip nat translations. That takes care of NAT and internal addressing.
Configuring access lists
Now, for some network security, let's configure the access lists. The list will be applied inbound on the serial (Internet) interface, where an inbound access list is evaluated before NAT rewrites the destination, so the entries must name the servers' public addresses (1.1.1.1 and 1.1.1.2), not their private ones. If you wanted to allow only the HTTP protocol for the Web server and the SMTP protocol for the mail server, the list would look like this:

access-list 100 remark Begin -- IP .1 10.253.1.1 Web Server
access-list 100 permit tcp any host 1.1.1.1 eq www
access-list 100 remark End ----------------------------------
!
access-list 100 remark Begin -- IP .2 10.253.1.2 Email Server
access-list 100 permit tcp any host 1.1.1.2 eq smtp
access-list 100 permit tcp any eq smtp host 1.1.1.2 gt 1023 established
access-list 100 remark End ----------------------------------

Watch the position of the port keyword. In an extended access list a port that follows the source address is a source-port test, so a line such as permit tcp any eq www host 1.1.1.1 would admit any packet sourced from port 80 to every port on the server; the port must follow the destination, as above. The third entry lets replies to SMTP connections that the mail server itself opens to other mail servers come back in; the established keyword restricts it to segments with the ACK or RST bit set, so a fresh connection sourced from port 25 to a high port is still refused. (CBAC, described later, replaces this kind of reply entry with proper session tracking.)

You would then apply it to the serial (Internet) interface with the following commands:

interface Serial1/0
 ip access-group 100 in
Since this is going to be an important point of network security, you want a log of the types of traffic being denied by your firewall. Although there is an implicit deny at the end of every access list, those denies aren't logged. I would suggest running a syslog server on your network and telling the router to log, on the syslog server, all packets that are denied by your firewall. The explicit deny must be the last entry in the list, because entries are evaluated in order and the first match wins. In this example, if the Web server were also your syslog server, you would add the following commands:
access-list 100 deny ip any any log
logging 10.253.1.1
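Here is the logging side assembled as a complete, ordered listing, added as an example rather than taken from the article. The buffer size, severity levels and the rate limit are assumptions; the addresses, interfaces and access list 100 are the article's. A dedicated internal host is a better syslog server than the public Web server; either way the router reaches it through the inside interface, so nothing in access list 100 needs to change.

```cisco
! Time-stamp entries so denies can be matched against server logs
service timestamps log datetime msec localtime
! Keep a local copy on the router as well as sending to the syslog host
logging buffered 16384 informational
! Denied-packet messages (%SEC-6-IPACCESSLOGP) are severity 6, so trap at informational
logging 10.253.1.1
logging trap informational
logging source-interface Ethernet1/1
! Throttle message generation so a flood of denies cannot starve the CPU
logging rate-limit 100 except errors
!
! The list is matched top to bottom; the logging deny has to be the final entry
access-list 100 remark Begin -- IP .1 10.253.1.1 Web Server
access-list 100 permit tcp any host 1.1.1.1 eq www
access-list 100 remark End ----------------------------------
access-list 100 remark Begin -- IP .2 10.253.1.2 Email Server
access-list 100 permit tcp any host 1.1.1.2 eq smtp
access-list 100 permit tcp any eq smtp host 1.1.1.2 gt 1023 established
access-list 100 remark End ----------------------------------
access-list 100 deny ip any any log
!
interface Serial1/0
 ip access-group 100 in
```

Two things to know about the log keyword: the router logs the first packet that matches an entry and then a summary count about every five minutes, so the log shows patterns rather than every packet, and packets that hit a logged entry are handled by the CPU instead of the fast switching path, which is why the rate limit is there. Check what is being caught with show access-lists 100 (hit counters) and show logging.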
Working with NBAR
So far, we really haven't tapped into the FW/IDS feature set. Now we'll configure Network-Based Application Recognition (NBAR), which is one of the firewall features. NBAR classifies traffic by application rather than by port number alone: HTTP (including the host, URL and MIME type of a request), pcAnywhere, Microsoft SQL Server and many others. Once traffic is classified, a policy can act on it, most likely to discard it.
For a simple example, let's use Cisco's article on blocking the Code Red worm with NBAR. First, create a class-map that defines the traffic, in this case HTTP requests whose URL contains the names of the files the worm tries to reach:
class-map match-any http-hacks
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
Next, use a policy map to mark packets with these characteristics:
policy-map mark-inbound-http-hacks
class http-hacks
set ip dscp 1
Then, apply the policy map to the serial (Internet) interface:
interface Serial1/0
service-policy input mark-inbound-http-hacks
NBAR is useful for blocking worms that are slithering around the Internet, or even known trouble-making executables that are distributed through e-mail or downloaded from a Web page. Keep in mind that NBAR matches on cleartext protocol content, so it cannot classify an HTTPS request, and it only stops patterns you have named; it is not a substitute for patching the Web server. NBAR is just one of the many features in the firewall feature set; the others can be found in this Cisco configuration guide.
Using IDS features and other options
The other important aspect of network security is an intrusion detection system, or IDS. The Cisco IDS will recognize signatures, or what I call "attack patterns." One example is spamming a mail server. The IDS can recognize that this is occurring and take whatever actions you specify (drop packets, notify you, etc.).
I could write an entire article on configuring Cisco's IDS. Since IDS is an optional part of your firewall, I'll save that configuration for another time and instead suggest you read Configuring Cisco IOS Firewall Intrusion Detection System before you begin such configuration.
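For orientation, the minimal IOS Firewall IDS setup for the router above, added here as an example and not the configuration the article defers. The audit-rule name IDS-IN is an assumption, the recipient threshold is the IOS default, and the signatures are the ones built into the image.

```cisco
! Send IDS alarms to syslog, the same server the firewall already logs to
ip audit notify log
! Informational signatures only raise an alarm; attack signatures also drop the packet
! and reset the TCP session. IDS-IN is an assumed rule name.
ip audit name IDS-IN info action alarm
ip audit name IDS-IN attack action alarm drop reset
! The mail-server "spam" signature fires when one message carries more than this many
! recipients (250 is the IOS default; tune it to your mail volume)
ip audit smtp spam 250
!
interface Serial1/0
 ! Audit traffic arriving from the Internet
 ip audit IDS-IN in
```

Start with alarm-only on the attack signatures, watch the syslog for a while, and enable drop and reset only once you are satisfied the signatures are not firing on legitimate traffic to your servers.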
A couple of other useful features in the firewall set are Context-Based Access Control (CBAC) and TCP Intercept. CBAC inspects the sessions passing through the router and creates dynamic access list entries for their return traffic.
An example is FTP traffic. If you wanted to allow users to FTP out of your network, you could use CBAC rather than leave the return ports open all the time in your access list. Normally, the return FTP traffic is denied back into your network by access list 100. CBAC watches the outbound session, recognizes that it was initiated from your network and dynamically opens a temporary entry so that the replies can return; for FTP it also follows the separately negotiated data connection. The entry disappears when the session closes or times out. This makes your network more secure because when that type of traffic is not occurring, there is no hole (open port) in your network that a hacker might be able to exploit.
TCP Intercept can protect your servers from one common denial of service (DoS) attack, the SYN flood, in which an attacker sends a stream of connection requests from forged source addresses. The router intercepts each incoming TCP connection request and completes the three-way handshake itself before forwarding the connection on to its destination (your server). If the source does not exist, the handshake never completes, and the router drops the half-open connection before it ever reaches your server and chews up its connection table. Note that this addresses only SYN floods; it does nothing against an attack that simply saturates your Internet link.
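CBAC and TCP Intercept as they would be added to the router built up in this article, as an added example and not the article's own listing. The inspection-rule name OUTBOUND, access list number 120 and the threshold values are assumptions; the interfaces, server addresses and access list 100 are the article's.

```cisco
! --- CBAC: inspect sessions leaving the network and admit only their replies ---
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
! Log session open/close events to syslog
ip inspect audit-trail
!
interface Serial1/0
 ! Inspection is applied in the direction sessions are initiated (outbound). CBAC then
 ! inserts temporary entries ahead of the inbound list 100 for the matching replies.
 ip inspect OUTBOUND out
 ip access-group 100 in
!
! --- TCP Intercept: protect the public servers from SYN floods ---
! Only connections to the servers' public addresses are intercepted (ACL 120 is assumed)
access-list 120 permit tcp any host 1.1.1.1 eq www
access-list 120 permit tcp any host 1.1.1.2 eq smtp
ip tcp intercept list 120
! Intercept mode: the router answers the SYN and completes the handshake before
! the server ever sees the connection
ip tcp intercept mode intercept
! Start aggressively dropping half-open connections above 1100, relax below 900
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
```

Once CBAC is in place the established entry for the mail server's outbound SMTP connections in access list 100 is no longer needed, because CBAC opens the reply path per session. Verify with show ip inspect sessions and show tcp intercept statistics.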
Summary
You can see what a variety of rich capabilities the Cisco IOS FW/IDS feature set offers. This
all-in-one router and firewall has been a money-saving solution for my company, and perhaps
it can be for yours as well. Although this article just scratched the surface of what you can do
with the Cisco IOS firewall, it should get you off to a good start. The links below will also
help you build and customize an IOS firewall to meet your needs.
Useful Cisco IOS firewall links
Cisco IOS Upgrade Planner
Cisco IOS Software
Cisco IOS Security Configuration Guide, Release 12.2, Traffic Filtering and Firewalls
Section
Cisco IOS Firewall Overview
Configuring Cisco IOS Firewall Intrusion Detection System
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
Configuring Context-Based Access Control
Access Control Lists: Overview and Guidelines
Cisco IOS Security Command Reference, Release 12.2, Traffic Filtering and
Firewalls Section
TCP Intercept Commands
Context-Based Access Control Commands
Cisco IOS Firewall Intrusion Detection System Commands
Cisco - Security Technical Tips
Cisco - Configuring Network Based Application Recognition (NBAR)
Cisco - Using Network-Based Application Recognition and Access Control Lists for
Blocking the Code Red Worm
National Security Agency (NSA): Cisco Router Security Configuration Guide
National Security Agency (NSA): Cisco Router Security Configuration Guide - Executive Summary
TechRepublic: Cisco's hidden gem: The IOS firewall
TechRepublic: Get secure with Cisco extended IP access control lists
CertCities: The NBAR Defense