Create a Poor Man's Firewall With the Cisco IOS


8/14/2019 Create a Poor Man's Firewall With the Cisco IOS

Build Your Skills: Create a poor man's firewall with the Cisco IOS

Takeaway: Uncovers a little-known secret regarding a built-in feature set for creating a firewall and intrusion-detection system within the Cisco IOS router.

Today, network security has become a top priority for every organization connected to the Internet, and firewalls have come to serve as the main security mechanism. While vendors have been pushing toward dedicated firewall appliances (and I don't argue that these are excellent solutions), such appliances can also be very costly for small to medium-size businesses. For example, a Cisco PIX Firewall can cost thousands of dollars.

However, there is an inexpensive and effective firewall solution that you may have overlooked. Most companies that connect to the Internet use a standard router to do so. If you use a Cisco router, you should know that the Cisco IOS has a built-in feature set for creating a firewall and intrusion detection system. Using this solution, you don't need a separate firewall box; it can all be done inside your current Cisco router. I like to call this a "poor man's firewall."

Security resource

An excellent source for the proper recommendations and precautions for Cisco routers is the National Security Agency's executive summary for Cisco router security. This is the best single list of recommendations I have found for implementing strong security on Cisco routers.

Getting the proper IOS

The first step is to get the proper IOS for your Cisco router. If you are interested in only the most basic form of a firewall (allowing only the required IP addresses/ports and blocking the others), it's likely that your existing Cisco router can do this by configuring extended IP access control lists. However, if you want many of the same features available in today's more powerful firewalls, you need the firewall/intrusion detection system (FW/IDS) feature set.

You can get the IOS with the FW/IDS feature set by using the Cisco IOS Upgrade Planner. You must be a registered user on the Cisco site to access this. Using the IOS Upgrade Planner, you can select the model of router you have, the IOS version you would like (preferably one of the most recent), and the software features you're looking for. Make sure that you choose one with the FW/IDS feature set, and that your router has the flash and DRAM the planner lists for that image. (You may need to pay a small licensing fee to use this feature set.) Then, download the IOS, update your router to the new version, and reboot. After the reboot, show version confirms which image and feature set actually loaded.

Configuring NAT

Next, you'll need to properly configure the firewall and IDS features. As I mentioned earlier, the most basic firewall is configured with extended IP access control lists. This will also be the place we start when configuring a more advanced firewall.

Because many companies use network address translation (NAT) and private internal TCP/IP addresses, we'll build that part of the configuration first. One common NAT scenario is for a router to have a serial connection to the Internet and an Ethernet connection to the local network. In this case, NAT enables the use of private TCP/IP addresses on the internal network, which hides your internal addressing from the outside (NAT by itself is not a filter, though: a host with a static translation is as reachable as one with a public address, which is why the access lists below still matter) and keeps you from having to change your internal addresses if you change your Internet Service Provider (ISP).

The configuration on your Cisco router might look something like this:

interface Serial1/0
 description Internet connection - external
 ! real Internet network
 ip address 1.1.1.254 255.255.255.0
 no ip proxy-arp
 ip nat outside
!
interface Ethernet1/1
 description Local Network Ethernet Connection - internal
 ! local private network
 ip address 10.253.2.2 255.255.0.0
 no ip proxy-arp
 ip nat inside
!
! Web server
ip nat inside source static 10.253.1.1 1.1.1.1
! Email server
ip nat inside source static 10.253.1.2 1.1.1.2
!
! Default route toward the Internet. On a point-to-point serial link the
! interface itself can be the next hop; otherwise use the next-hop address
! your ISP gives you (a network address such as 1.1.1.0 is not a valid next hop).
ip route 0.0.0.0 0.0.0.0 Serial1/0

Note that the IP address of the local Web server is now 10.253.1.1, and the IP address of the local mail server is now 10.253.1.2. Before implementing the firewall, these two systems were sitting unprotected on the Internet with their two public Internet addresses, 1.1.1.1 (Web server) and 1.1.1.2 (mail server). Now, these two servers have internal IPs. Their external IPs, which stay the same, are terminated at the router; they're then translated to the internal IPs. The two static entries cover only the servers; the other internal hosts need a dynamic translation (a NAT pool, or overloading of the serial interface's address), which this snippet does not show. Anything that isn't on the directly connected 10.253.0.0/16 network is sent out the serial interface by the default route. That takes care of NAT and internal addressing.

Configuring access lists

Now, for some network security, let's configure the access lists. If you wanted to allow only HTTP to the Web server and SMTP to and from the mail server, the list would look like this:

access-list 100 remark Begin -- IP .1 10.253.1.1 Web Server
access-list 100 permit tcp any host 1.1.1.1 eq www
access-list 100 remark End ----------------------------------
!
access-list 100 remark Begin -- IP .2 10.253.1.2 Email Server
access-list 100 permit tcp any eq smtp host 1.1.1.2 gt 1023 established
access-list 100 permit tcp any host 1.1.1.2 eq smtp
access-list 100 remark End ----------------------------------

Three details are worth checking before you apply this. First, the list names the public addresses 1.1.1.1 and 1.1.1.2 rather than the internal ones: on an interface configured as ip nat outside, IOS evaluates an inbound access list before it translates the destination address. Second, the entry that opens the Web server puts eq www on the destination, which is the port clients connect to; an entry with eq www on the source side would instead admit anything sent from port 80 to any port on the server and would never admit a client's request. Third, the mail server's gt 1023 entry exists only so that replies to the mail server's own outbound SMTP connections can come back in. The established keyword restricts that entry to packets with the ACK or RST flag set, that is, packets belonging to a connection the mail server already opened; without it, anyone who sets their source port to 25 can reach every port above 1023 on the mail server. The mail server also needs DNS replies back (UDP port 53), which this list does not admit; the CBAC inspection described later is the clean way to handle such return traffic.

You would then apply it to the serial (Internet) interface with the following commands:

interface Serial1/0
 ip access-group 100 in


Since this is going to be an important point of network security, you would want a log of the types of data being denied by your firewall. Although there is an implicit deny at the end of every access list, those denies aren't logged. I would suggest running a syslog server on your network and telling the router to log, on the syslog server, all packets that are denied by your firewall. In this example, if the Web server were also your syslog server, you would add the following commands:

access-list 100 deny ip any any log
logging 10.253.1.1

The explicit deny must be the last entry in the list, since IOS stops at the first match and never evaluates anything placed after it. Packets that hit a log entry are also handed to the router's CPU, and the resulting messages are rate-limited, so under a flood of denied packets you will see summarized counts rather than one message per packet.
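The text above says that the rest of the internal network is translated and that denied packets should be logged to a syslog host, but shows neither the dynamic translation nor the logging settings. The following is an added example, not from the original article, that supplies both for the network used above. The standard access list number 1, the log-update threshold and the logging levels are choices made here; the interfaces, addresses and syslog host are the ones already in the configuration.

```cisco
! Added example (not from the original article): dynamic PAT for internal
! clients plus syslog tuning. Builds on the interface and static NAT
! configuration shown earlier; ACL 1 and the thresholds are choices made here.
!
! Every inside host that has no static translation leaves the router using
! the serial interface's public address as source (port address translation).
! IOS tries static entries first, so the two servers keep their own addresses.
access-list 1 remark Inside hosts eligible for dynamic translation
access-list 1 permit 10.253.0.0 0.0.255.255
ip nat inside source list 1 interface Serial1/0 overload
!
! Syslog: timestamp every message, keep a local copy, and send level 6
! (informational) and above, which includes the %SEC-6-IPACCESSLOGP messages
! that the "log" keyword produces, to the internal syslog host. Sourcing the
! messages from the inside interface keeps them off the NAT path.
service timestamps log datetime msec localtime show-timezone
logging buffered 16384 informational
logging trap informational
logging source-interface Ethernet1/1
logging 10.253.1.1
!
! ACL log messages are summarized every five minutes by default; with a
! threshold the router also emits a summary after this many matches.
ip access-list log-update threshold 100
!
! Checks after applying this:
!   show ip nat translations
!   show ip nat statistics
!   show access-lists 100
!   show logging
```

Return traffic for the dynamically translated clients is still stopped by the final deny in access-list 100; that is exactly the gap the CBAC inspection described later in the article fills by opening temporary entries for each outbound session.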

Working with NBAR

So far, we really haven't tapped into the FW/IDS feature set. Now we'll configure Network-Based Application Recognition (NBAR), which is one of the firewall features. NBAR is a classifier: it recognizes applications, such as HTTP, MIME types, pcAnywhere, Microsoft SQL Server, and many others, and hands the matching packets to a policy that acts on them, most often by marking them so that they can be discarded.

For a simple example, let's use Cisco's article on blocking the Code Red worm with NBAR. First, create a class-map that defines the traffic, in this case, HTTP requests whose URL contains the names of the files that you want to block:

class-map match-any http-hacks
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"

Next, use a policy map to mark packets with these characteristics:

policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1

Then, apply the policy map to the serial (Internet) interface:

interface Serial1/0
 service-policy input mark-inbound-http-hacks

Note that this policy only marks the matching packets with DSCP 1; it does not drop them. Cisco's article completes the job with an access list on the internal interface that denies any packet carrying DSCP 1, so the marked requests are discarded before they reach the Web server. NBAR is useful for blocking all types of worms that are slithering around the Internet or even just known trouble-making executables that are distributed through e-mail or via downloading from a Web page. NBAR is just one of the many features in the firewall feature set; the others can be found in this Cisco configuration guide.
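Cisco's Code Red article completes the marking policy with an access list that discards the tagged packets, and the snippet above leaves that step out. The following is an added example, not from the original article or from Cisco's page, that puts the whole mark-and-drop together for the router used in this article; access list number 105, the extra port 8080 in the HTTP port map and the log keyword are choices made here.

```cisco
! Added example (not from the original article): complete NBAR mark-and-drop
! for the Code Red URL patterns. ACL 105 and port 8080 are choices made here.
!
! NBAR needs Cisco Express Forwarding.
ip cef
!
! Classify HTTP requests whose URL contains either filename. NBAR matches on
! the request's URL, so only port 80 traffic is inspected unless other web
! ports are added to the HTTP port map; scanners also probe 8080.
ip nbar port-map http tcp 80 8080
class-map match-any http-hacks
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! Marking alone drops nothing; it tags the packet so a later filter can
! recognize it. DSCP 1 is used because legitimate traffic never carries it.
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
!
interface Serial1/0
 service-policy input mark-inbound-http-hacks
!
! Discard the tagged packets on their way into the LAN and log each attempt,
! so the syslog host shows which sources are probing for the worm's files.
access-list 105 remark Drop packets NBAR tagged as HTTP attack traffic
access-list 105 deny ip any any dscp 1 log
access-list 105 permit ip any any
!
interface Ethernet1/1
 ip access-group 105 out
!
! Checks: show class-map, show policy-map interface Serial1/0,
! show access-lists 105 (the deny counter should climb on each probe)
```

The marking policy runs after the inbound access list on Serial1/0, so only requests that access-list 100 already admits to the Web server reach the class-map; the DSCP 1 entry on the inside interface then catches exactly those. If the inside interface already carries an outbound access list, the dscp 1 deny belongs at the top of that list rather than in a new one, since only one outbound list can be applied per interface.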

Using IDS features and other options

The other important aspect of network security is an intrusion detection system, or IDS. The Cisco IOS IDS matches traffic against signatures, or what I call "attack patterns." One example is spamming a mail server. The IDS can recognize this is occurring and take whatever actions you specify (drop packets, notify you, etc.).

I could write an entire article on configuring Cisco's IDS. Since IDS is an optional part of your firewall, I'll save that configuration for another time and instead suggest you read Configuring Cisco IOS Firewall Intrusion Detection System before you begin such configuration.

A couple of other useful features in the firewall set are Context-Based Access Control (CBAC) and TCP Intercept. CBAC inspects the sessions that leave your network, including application-layer exchanges such as FTP's port negotiation, and creates temporary entries in your inbound access list for the return traffic of each session.

An example is FTP traffic. If you wanted to allow users to FTP out of your network, you could use CBAC rather than have those ports open all the time in your access list. Normally, you would have the return FTP traffic denied back into your network. But CBAC will recognize that the FTP outbound traffic was initiated from your network and dynamically open up a port so that the traffic can return; for FTP it reads the PORT or PASV exchange on the control connection and opens only the negotiated data connection, for as long as the session lasts. This makes your network more secure because when that type of traffic is not occurring, there is no hole (open port) in your network that a hacker might be able to exploit.

TCP Intercept can protect your servers from SYN-flood denial of service (DoS) attacks. In intercept mode, the router answers each incoming SYN with its own SYN-ACK on the server's behalf and waits for the client's ACK before it opens a connection to the real server and splices the two together. A SYN from a spoofed or nonexistent source never completes the handshake, so the router drops it before it ever reaches your server and can chew up valuable processing time. Once the number of half-open connections crosses a configured threshold, the router also times out the oldest ones aggressively. This can stop SYN-based DoS attacks in their tracks.
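CBAC and TCP Intercept are described above only in prose. The following added example, not from the original article, shows one way to configure both for the network used in this article. The inspection rule name FW, access list number 110 and every numeric threshold are assumptions made here; the thresholds in particular must be tuned to your own traffic levels.

```cisco
! Added example (not from the original article): CBAC inspection for
! outbound sessions and TCP Intercept for the two public servers. The name
! FW, ACL 110 and all thresholds are choices made here.
!
! CBAC: inspect sessions leaving the LAN and create temporary entries in the
! inbound list on Serial1/0 (access-list 100) for their return traffic. The
! ftp inspector reads PORT/PASV on the control channel and opens only the
! negotiated data connection; generic tcp and udp cover everything else,
! including the mail server's DNS lookups and its outbound SMTP.
ip inspect audit-trail
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW tcp
ip inspect name FW udp
!
interface Ethernet1/1
 ip inspect FW in
!
! Half-open session limits: above the high mark CBAC starts deleting the
! oldest half-open sessions; below the low mark it stops.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! TCP Intercept: the router completes the three-way handshake with the
! client on the servers' behalf and only opens the connection to the real
! server once the client's ACK arrives, so SYNs from spoofed sources never
! reach the servers. ACL 110 lists the public addresses the packets carry
! when they arrive on Serial1/0.
access-list 110 remark Connections that TCP Intercept should proxy
access-list 110 permit tcp any host 1.1.1.1 eq www
access-list 110 permit tcp any host 1.1.1.2 eq smtp
ip tcp intercept list 110
ip tcp intercept mode intercept
ip tcp intercept drop-mode random
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 800
ip tcp intercept one-minute high 1000
ip tcp intercept one-minute low 800
!
! Checks: show ip inspect config, show ip inspect sessions,
! show tcp intercept connections, show tcp intercept statistics
```

With inspection in place, the mail server's gt 1023 established entry in access-list 100 becomes unnecessary, because CBAC opens the return path for each outbound SMTP session it sees and closes it when the session ends; removing that entry shrinks the standing attack surface to the two listening ports. Watch show ip inspect sessions under normal load before choosing the half-open thresholds, since values set too low will start tearing down legitimate connections during a busy period.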

Summary

You can see what a variety of rich capabilities the Cisco IOS FW/IDS feature set offers. This all-in-one router and firewall has been a money-saving solution for my company, and perhaps it can be for yours as well. Although this article just scratched the surface of what you can do with the Cisco IOS firewall, it should get you off to a good start. The links below will also help you build and customize an IOS firewall to meet your needs.

Useful Cisco IOS firewall links

Cisco IOS Upgrade Planner - http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?
Cisco IOS Software - http://www.cisco.com/kobayashi/sw-center/sw-ios.shtml
Cisco IOS Security Configuration Guide, Release 12.2, Traffic Filtering and Firewalls Section - http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/index.htm
Cisco IOS Firewall Overview - http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scffirwl.htm
Configuring Cisco IOS Firewall Intrusion Detection System - http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm
Configuring TCP Intercept (Preventing Denial-of-Service Attacks) - http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfdenl.htm
Configuring Context-Based Access Control - http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm
Access Control Lists: Overview and Guidelines - http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htm
Cisco IOS Security Command Reference, Release 12.2, Traffic Filtering and Firewalls Section - http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/ftrafwlr/index.htm
TCP Intercept Commands - http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/ftrafwlr/srfdenl.htm
Context-Based Access Control Commands - http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/ftrafwlr/srfcbac.htm
Cisco IOS Firewall Intrusion Detection System Commands - http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/ftrafwlr/srfids.htm
Cisco - Security Technical Tips - http://www.cisco.com/warp/customer/707/index.shtml
Cisco - Configuring Network Based Application Recognition (NBAR) - http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e2/nbar2e.htm
Cisco - Using Network-Based Application Recognition and Access Control Lists for Blocking the Code Red Worm - http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
National Security Agency (NSA): Cisco Router Security Configuration Guide - http://nsa1.www.conxion.com/cisco/guides/cis-2.pdf
National Security Agency (NSA): Cisco Router Security Configuration Guide EXECUTIVE SUMMARY - http://nsa2.www.conxion.com/cisco/guides/cis-1.pdf
TechRepublic: Cisco's hidden gem: The IOS firewall - http://www.techrepublic.com/article_guest.jhtml?id=r00220011206rmc01.htm
TechRepublic: Get secure with Cisco extended IP access control lists - http://www.techrepublic.com/article.jhtml?id=r00220010306mul01.htm
CertCities: The NBAR Defense - http://certcities.com/editorial/columns/story.asp?EditorialsID=76