
    CCIE Security Lab Workbook Volume I Version 5.0 IOS Firewall

    Copyright 2009 Internetwork Expert www.INE.com

    Copyright Information

    Copyright 2009 Internetwork Expert, Inc. All rights reserved.

    The following publication, CCIE Security Lab Workbook Volume I Version 5.0, was developed by Internetwork Expert, Inc. All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission of Internetwork Expert, Inc.

    Cisco, Cisco Systems, CCIE, and Cisco Certified Internetwork Expert are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain countries.

    All other products and company names are the trademarks, registered trademarks, and service marks of the respective owners. Throughout this manual, Internetwork Expert, Inc. has used its best efforts to distinguish proprietary trademarks from descriptive names by following the capitalization styles used by the manufacturer.


    Disclaimer

    The following publication, CCIE Security Lab Workbook Volume I Version 5.0, is designed to assist candidates in the preparation for the Cisco Systems CCIE Security Lab Exam. While every effort has been made to ensure that all material is as complete and accurate as possible, the enclosed material is presented on an as-is basis. Neither the authors nor Internetwork Expert, Inc. assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this workbook.

    This workbook was developed by Internetwork Expert, Inc. and is an original work of the aforementioned authors. Any similarities between material presented in this workbook and actual CCIE lab material is completely coincidental.


    Table of Contents

    IOS Firewall
      2.1 Basic Access Lists
      2.2 Reflexive Access Lists
      2.3 Dynamic Access Lists
      2.4 Basic CBAC
      2.5 CBAC Port to Application Mapping
      2.6 CBAC TCP/UDP Intercept Feature
      2.7 CBAC Performance Optimization
      2.8 IOS URL Filtering
      2.9 IOS Authentication Proxy
      2.10 Flexible Packet Matching
      2.11 Zone Based Firewall
      2.12 ZFW Rate Limiting
      2.13 ZFW Application Inspection
      2.14 Classic IOS Transparent Firewall
      2.15 ZFW-Based IOS Transparent Firewall
      2.16 IOS IP Virtual Reassembly
      2.17 IOS ACL Selective IP Option Drop

    IOS Firewall Solutions
      2.1 Basic Access Lists
      2.2 Reflexive Access Lists
      2.3 Dynamic Access Lists
      2.4 Basic CBAC
      2.5 CBAC Port to Application Mapping
      2.6 CBAC TCP/UDP Intercept Feature
      2.7 CBAC Performance Optimization
      2.8 IOS URL Filtering
      2.9 IOS Authentication Proxy
      2.10 Flexible Packet Matching
      2.11 Zone Based Firewall
      2.12 ZFW Rate Limiting
      2.13 ZFW Application Inspection
      2.14 Classic IOS Transparent Firewall
      2.15 ZFW-Based IOS Transparent Firewall
      2.16 IOS IP Virtual Reassembly
      2.17 IOS ACL Selective IP Option Drop


    IOS Firewall

    Note

    Load the IOS.Firewall startup configuration files to initialize your rack. Use the following diagram as a reference when working with the tasks below.

    Diagram (rendered as text; RIPv2 is the routing protocol throughout):

      R1 Fa0/0     -- 136.X.13.0/24 (VLAN 13)  -- R3 Fa0/0
      R3 Fa0/1.23  -- 136.X.23.0/24 (VLAN 23)  -- R2 Fa0/0
      R3 Fa0/1.100 -- 10.0.0.0/24   (VLAN 100) -- AAA/CA Server
      R1 Lo0: 150.X.1.1/24
      R2 Lo0: 150.X.2.2/24


    2.1 Basic Access Lists

    For this scenario, R1 is on the inside of the firewall, and R2 on the outside.

    Apply ingress and egress access-lists to R3's VLAN23 interface. The security policy states the following permissions for inside networks:

    o Permit access to WWW applications.
    o Permit remote access to outside servers via the standard virtual terminal access protocols.
    o Permit sending/retrieving emails using the standard protocols.
    o Users on the inside should be able to use outside DNS and access outside FTP servers by means of active FTP mode.
    o Inside users should be able to traceroute and ping to the outside.

    The security policy states the following permissions for outside networks:

    o The inside server at IP address 150.X.1.1 should be accessible from outside via HTTP and active FTP.
    o The inside server should be protected from fragmented packet attacks.
    o Packets for sessions initiated from inside should be permitted. For TCP sessions, use only one line of access-list configuration.
    o Make sure the PMTU discovery process works.

    2.2 Reflexive Access Lists

    Remove the previous access-lists applied to the VLAN23 interface. Using the reflexive access-lists feature, implement the following:

    o Permit TCP, UDP and ICMP traffic from inside to outside.
    o Ensure RIP routing updates are not disrupted by this policy. Do not permit RIP updates explicitly in the inbound access-group to accomplish this.


    2.3 Dynamic Access Lists

    Remove the previously configured reflexive access-lists. Enable AAA in the router and configure a dynamic access-list inbound on the VLAN23 interface of R3 per the following requirements:

    o Remote users should authenticate against the local database using the name CISCO and the password CISCO1234.
    o The dynamic access rule should permit ICMP traffic from the authenticated IP to any destination.
    o The dynamic entry should expire unconditionally after 30 minutes.

    Do not disrupt any control-plane traffic with your configuration.

    2.4 Basic CBAC

    Remove the access-lists previously configured for the VLAN23 interface on R3.

    Configure stateful traffic inspection per the following requirements:

    o Inspect TCP, UDP and ICMP traffic.
    o Inspect FTP application traffic separately.

    Apply the above policy to R3's VLAN23 interface and block any returning traffic that does not belong to a session.

    Maintain IP routing through the network and allow the firewall to ping any destination.

    2.5 CBAC Port to Application Mapping

    There is a web server at 150.X.2.2 listening on port 21 and an FTP server somewhere on the outside network listening on port 8080.

    Ensure CBAC accounts for the port changes for the mentioned applications.


    2.6 CBAC TCP/UDP Intercept Feature

    Allow TCP, UDP and ICMP traffic to the servers on VLAN13 using stateful inspection.

    Configure the global CBAC intercept parameters as follows:

    o Start clamping when the total number of half-open sessions reaches 1000, and stop when it falls below 900.
    o Start clamping when the one-minute rate reaches 100 and stop when it falls below 90.
    o Set the per-host limit of half-open sessions to 50. Block a host for 5 minutes when the threshold is reached.
    o Set the number of seconds spent in the connection establishment phase for TCP to 15 seconds.

    Allow routing updates from R1 to be learned at R3.

    2.7 CBAC Performance Optimization

    In order to improve performance, disable CBAC alerts, but retain alerting for ICMP sessions.

    Keeping CBAC audit globally disabled, enable it for TCP sessions only. Change the hash table size to 4096, in order to accommodate intensive traffic flow.

    2.8 IOS URL Filtering

    Configure HTTP URL filtering to achieve the following:

    o Filter all Java applets from HTTP responses.
    o Filter URLs using the Websense server at 10.0.0.100.
    o Permit the domain cisco.com to be accessed at any time.

    In case the Websense server fails, the router should permit any HTTP request.

    2.9 IOS Authentication Proxy

    Configure Authentication Proxy settings on R3 per the following requirements.

    o Use the RADIUS server at 10.0.0.100 with the authentication key CISCO.
    o The authentication proxy should apply to the user sessions initiated from VLAN23 towards VLAN13.
    o Authenticated users should be allowed to send ICMP packets and initiate TCP sessions.


    Configure the ACS server with the user named PROXY and the password CISCO1234.

    Note

    At this point, re-load the IOS.Firewall startup configuration files to initialize your rack.

    2.10 Flexible Packet Matching

    Configure R1 to filter ICMP Echo packets with the string AAA in the payload. Look no deeper than 256 bytes into the packet.

    Ensure the filtering applies only to ICMP/IP packets received in Ethernet frames.

    2.11 Zone Based Firewall

    Configure three security zones in R3: INSIDE, OUTSIDE and DMZ, for the interfaces facing R1, R2 and the AAA/CA server respectively.

    Only allow R3 to be accessed using SSH and HTTPS from the zones OUTSIDE and DMZ.

    Allow the INSIDE users to use the following protocols when accessing OUTSIDE: HTTP, FTP, ICMP, DNS, SSH, Telnet, AOL Instant Messenger.

    Account for AOL Messenger using the non-standard port 80, and for users connecting to HTTP proxies on ports 3128 and 8080.

    Allow the OUTSIDE users to access the servers in the DMZ using the HTTP, FTP, DNS and TACACS+ protocols.

    The INSIDE users should have the same set of protocols allowed to zone DMZ, with the addition of SSH and HTTPS.

    Preserve IP routing with your configuration and allow users logged into the router to ping/telnet to the OUTSIDE and DMZ zones.

    Limit the inside users to the subnet 136.X.13.0/24 and the DMZ server to the subnet 10.0.0.0/24.


    2.12 ZFW Rate Limiting

    In order to prevent DoS attacks, limit the OUTSIDE to DMZ traffic flow to 512 Kbps.

    Enable half-open session limiting, so that no more than 2000 half-open sessions are allowed and no more than 100 new half-open sessions generated per minute are permitted.

    Stop dropping half-open session states once the absolute number of half-open connections falls below 1000 and the rate falls below 10.

    2.13 ZFW Application Inspection

    Configure the firewall so that internal users are not allowed to use insecure (cleartext) POP3/IMAP4 logins to outside servers.

    Block image downloads from digg.com for internal users and log any attempts to use AOL Messenger for non text-chat services (e.g. file transfer).

    Image files have the filename extensions .jpg, .png and .gif.

    Log all violations.


    2.16 IOS IP Virtual Reassembly

    Ensure the firewall performs proper IP fragment reassembly.

    To reduce the risk of router resource exhaustion, only track up to 10 fragmented packets on every interface, and time out fragments after 1 second.

    There should be no more than five fragments per IP packet.

    2.17 IOS ACL Selective IP Option Drop

    Configure R3 to drop any packets destined to the router that carry the IP source route option (either loose or strict).


    IOS Firewall Solutions

    2.1 Basic Access Lists

    For this scenario, R1 is on the inside of the firewall, and R2 on the outside.

    Apply ingress and egress access-lists to R3's VLAN23 interface. The security policy states the following permissions for inside networks:

    o Permit access to WWW applications.
    o Permit remote access to outside servers via the standard virtual terminal access protocols.
    o Permit sending/retrieving emails using the standard protocols.
    o Users on the inside should be able to use outside DNS and access outside FTP servers by means of active FTP mode.
    o Inside users should be able to traceroute and ping to the outside.

    The security policy states the following permissions for outside networks:

    o The inside server at IP address 150.X.1.1 should be accessible from outside via HTTP and active FTP.
    o The inside server should be protected from fragmented packet attacks.
    o Packets for sessions initiated from inside should be permitted. For TCP sessions, use only one line of access-list configuration.
    o Make sure the PMTU discovery process works.

    Configuration

    Note

    Basic concepts

    The key problem with basic access-lists is that they have no notion of session tracking, i.e. they are stateless. Thus, if you permit a packet from the inside with an egress ACL, you must make sure that there is an appropriate mirrored entry in the return (ingress) ACL for the reply packets.

    Memorize the common protocol port numbers. A good list of them can be found in the ASA Command Line Configuration Guide, in the Reference section (near the bottom), in the subsection named "Addresses, Protocols and Ports". Take a minute now to verify you can locate this in the online documentation. It is an excellent resource.


    Also, keep in mind that the popular FTP protocol has two functional modes, Active and Passive. In FTP Active mode the client connects to the server on port 21, and the server opens the data connection from source port 20 back to the client. In FTP Passive mode the client connects to the server, the server tells the client the port number for the data connection, and the client initiates the data connection to that port.

    Know that the common UNIX and IOS traceroute implementations send out UDP packets destined toward the port range 33434-33464 by default, and expect two types of ICMP messages in reply: Time-Exceeded (from intermediate hops) or Port-Unreachable (from the final destination).

    Additionally, the pMTU discovery process needs ICMP type 3 code 4 (Fragmentation Needed and DF set; the IOS keyword is packet-too-big) to be permitted from outside.

    Remember that you may permit packets from established TCP sessions using the keyword established in an access-list entry. This entry matches any TCP segment having either the ACK or the RST bit set. A bare SYN from outside therefore does not match, but the router does not verify that a corresponding session actually exists: any segment with ACK set passes. In addition to this, you can match non-initial fragments of IP traffic using the fragments keyword.

    Keep in mind that router-generated traffic is not subject to checking by egress access-lists; it is simply forwarded. However, the returning traffic is subject to checking by the ingress ACL, so make sure you have permitted any routing and management traffic there.

    Filtering IP Packet Fragments

    By default, the IP protocol allows packet fragmentation. This feature has been a long-known weakness, exploited by various types of attacks (e.g. ping of death). Overlapping fragments, fragments exceeding the reassembly buffer, and fragments arriving out of order are just a few examples of traffic that can severely degrade end-system performance when an attacker sends them at high rates.

    Additionally, fragmented packets are often used to bypass IDS or firewall systems. The attacker splits a packet in such a way that the firewall or IDS system is not able to extract information such as the port numbers.

    Advanced firewalls and IDS systems support packet stream reassembly, but this procedure may degrade the overall performance of the security system.

    For these reasons, it is good practice to avoid traffic fragmentation in your network and to protect your servers against fragmented packets. One solution would be to configure matching MTU values and enable the PMTU Discovery process.

    The IOS firewall is able to classify IP packets as one of the following:

    1) Non-fragmented packets or initial fragments. These packets have a fragment offset of zero and commonly contain the upper-level protocol header (e.g. TCP) that allows the extraction of information about application ports.

    2) Non-initial fragments. These have a non-zero fragment offset and are the remaining parts of a fragmented packet. They do not carry upper-level protocol port information, so the IOS firewall cannot match them against ACL entries configured with TCP/UDP port numbers. Instead of matching the port numbers, the firewall uses only the Layer 3 information in the ACL entry (source/destination IP addresses) to match against the source/destination IP addresses in the packet.

    This is why any non-initial fragment sourced from 1.1.1.1 to 2.2.2.2 matches the following ACL entry:

    permit tcp host 1.1.1.1 host 2.2.2.2 eq 80

    Even though the fragment does not contain any port information, the firewall only matches the source and destination IP addresses for non-initial fragments. Note that this Layer-3-only match applies to permit entries; a deny entry that carries Layer 4 information does not match non-initial fragments, and evaluation falls through to the next line.

    You can match non-initial fragments explicitly using the fragments keyword in your ACL entry, for example:

    deny ip any host 2.2.2.2 fragments
    permit tcp host 1.1.1.1 host 2.2.2.2 eq 80

    This configuration ensures that only non-fragmented packets and initial fragments may reach port 80 of the target system.
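    The fragment-classification rules above and the established keyword described earlier, worked through in code. This is an added example, not part of the workbook and not Cisco code: a small stateless ACL evaluator in Python that applies the same first-match logic as IOS, including the Layer-3-only match for non-initial fragments and the ACK/RST test for established. The INBOUND list it evaluates is R3's ingress list from this solution (with X=1, RIP/DNS/FTP ports filled in numerically); the packets in the test are constructed inputs, not captured traffic.

```python
"""Stateless extended-ACL evaluation with IOS fragment and 'established' rules.
Added example, not workbook code. Lab addresses use the workbook's X=1."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union

PortSpec = Union[None, int, Tuple[int, int]]   # None = any, int = eq, tuple = range


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    frag_offset: int = 0             # > 0: non-initial fragment, no L4 header present
    tcp_flags: frozenset = frozenset()
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply", "packet-too-big"

    @property
    def non_initial(self) -> bool:
        return self.frag_offset > 0


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: str = "any"
    dst: str = "any"
    sport: PortSpec = None
    dport: PortSpec = None
    fragments: bool = False          # 'fragments' keyword: non-initial fragments only
    established: bool = False        # 'established' keyword: ACK or RST bit set
    icmp_type: Optional[str] = None

    @property
    def has_l4(self) -> bool:
        return self.established or any(
            x is not None for x in (self.sport, self.dport, self.icmp_type))


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(spec: PortSpec, port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:
        return False
    return spec[0] <= port <= spec[1] if isinstance(spec, tuple) else spec == port


def matches(e: Entry, p: Packet) -> bool:
    """Does entry e match packet p under IOS classification rules?"""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_ok(e.src, p.src) and _addr_ok(e.dst, p.dst)):
        return False
    if e.fragments:
        return p.non_initial             # this line matches non-initial fragments only
    if p.non_initial:
        # No L4 header to inspect: a permit with port/flag qualifiers matches on L3
        # alone; a deny with L4 qualifiers is skipped and the next line is tried.
        return e.action == "permit" or not e.has_l4
    if not (_port_ok(e.sport, p.sport) and _port_ok(e.dport, p.dport)):
        return False
    if e.icmp_type is not None and e.icmp_type != p.icmp_type:
        return False
    if e.established and not (p.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, p: Packet):
    """First-match evaluation. Returns (action, line index), or ('deny', None)
    for the implicit deny that ends every IOS access-list."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return "deny", None


SERVER = "150.1.1.1"
# R3's INBOUND list from this solution (same order), applied inbound on Fa0/1.23.
INBOUND = [
    Entry("permit", "udp", dport=520),                     # inbound RIP
    Entry("deny", "ip", dst=SERVER, fragments=True),       # non-initial frags to server
    Entry("permit", "tcp", dst=SERVER, dport=80),          # HTTP to server
    Entry("permit", "tcp", dst=SERVER, dport=(20, 21)),    # active FTP to server
    Entry("permit", "tcp", established=True),              # returning inside TCP sessions
    Entry("permit", "tcp", sport=20),                      # active FTP data channel
    Entry("permit", "udp", sport=53),                      # returning DNS
    Entry("permit", "icmp", icmp_type="echo-reply"),
    Entry("permit", "icmp", icmp_type="packet-too-big"),   # keeps PMTU discovery working
    Entry("deny", "ip"),                                   # explicit deny ip any any log
]

if __name__ == "__main__":
    syn = frozenset({"SYN"})
    # Constructed test packets, outside (R2) -> inside.
    print(evaluate(INBOUND, Packet("tcp", "150.1.2.2", SERVER, 40000, 80, tcp_flags=syn)))
    print(evaluate(INBOUND, Packet("tcp", "150.1.2.2", SERVER, frag_offset=185)))
    print(evaluate(INBOUND, Packet("tcp", "150.1.2.2", "136.1.13.1", frag_offset=185)))
```

    The third case is the one to notice: a non-initial fragment aimed at an inside host other than the protected server is matched by the permit tcp any any established line on Layer 3 alone and passes, because only 150.1.1.1 has a fragments deny in front of it. A deny ... fragments line covering the whole inside range, placed before the permit lines, closes that path.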

    Packet Logging

    You can configure an access-list entry with the log keyword, making it log the matching packets via syslog. Using the log-input keyword, you can also log the input interface and the source MAC address. There are two configuration knobs to be used with access-list based logging. The first one is the log-update threshold. It specifies how many times a packet must hit the access-list entry to generate a logging message. By default, this value is zero, which means the router generates an entry based on a periodic timeout of 5 minutes. This command serves the purpose of aggregating the hits on the entry, and the format is:

    ip access-list log-update threshold <number-of-hits>

    When this value is non-zero, the router generates a log entry every <number-of-hits> matches and also produces the periodic 5-minute logging message.

    The second knob relates to the behavior of packet logging. You should remember that every logged packet is process-switched, thus a large packet flow may easily consume all your CPU resources. For this reason, you may want to rate-limit the amount of process-switched packets using the command:

    ip access-list logging interval <milliseconds>

    This command allows only one packet per interval to be process-switched. All exceeding packets are not process-switched and thus are not accounted for logging purposes. By default, this feature is off and all logged packets are process-switched. Note that this interval does not apply to packets destined to the router itself, since these are process-switched anyway. Using this command limits the effect of packet logging on the CPU, but may result in an unpredictable number of packets being logged. In reality it is useful when you just need a general hint of packet matches, not detailed statistics.

    Finally, develop the useful habit of adding an explicit deny ip any any log at the end of your access-lists. This may assist troubleshooting during your lab exam.

    R3:
    !
    ! Egress ACL
    !
    ip access-list extended OUTBOUND
     remark == HTTP/HTTPs
     remark == SSH/Telnet
     permit tcp any any eq 80
     permit tcp any any eq 443
     permit tcp any any eq 22
     permit tcp any any eq 23
     remark == SMTP POP3/IMAP DNS
     permit tcp any any eq 25
     permit tcp any any eq 110
     permit tcp any any eq 143
     permit udp any any eq 53
     remark == FTP, Traceroute, Pings
     permit tcp any any range 20 21
     permit udp any any range 33434 33464
     permit icmp any any echo
     remark == Traffic from internal server (HTTP/FTP)
     permit tcp host 150.1.1.1 eq 80 any
     permit tcp host 150.1.1.1 range 20 21 any
     deny ip any any log
    !
    ! Ingress ACL
    !
    ip access-list extended INBOUND
     remark == Permit inbound RIP updates
     permit udp any any eq rip
     remark == Block non-initial frags to server
     deny ip any host 150.1.1.1 fragments
     remark == Permit HTTP/Active FTP to server
     permit tcp any host 150.1.1.1 eq 80
     permit tcp any host 150.1.1.1 range 20 21
     remark == Returning TCP traffic for inside TCP sessions
     permit tcp any any established
     remark == Active FTP data channel
     permit tcp any eq 20 any
     remark == Returning DNS traffic
     permit udp any eq 53 any
     remark == Pings, Traceroute and pMTU disc returning traffic
     permit icmp any any echo-reply
     permit icmp any any port-unreachable
     permit icmp any any time-exceeded
     permit icmp any any packet-too-big
     deny ip any any log
    !
    ! Apply access-lists
    !
    interface FastEthernet0/1.23
     ip access-group OUTBOUND out
     ip access-group INBOUND in


    Verification

    Note

    Use the show commands to list the access-list contents:

    R3#show ip access-lists
    Extended IP access list INBOUND
        10 permit udp any any eq rip (8 matches)
        20 deny ip any host 150.1.1.1 fragments
        30 permit tcp any host 150.1.1.1 eq www
        40 permit tcp any host 150.1.1.1 range ftp-data ftp
        50 permit tcp any any established
        60 permit tcp any eq ftp-data any
        70 permit udp any eq domain any
        80 permit icmp any any echo-reply
        90 permit icmp any any port-unreachable
        100 permit icmp any any time-exceeded
        110 permit icmp any any packet-too-big
        120 deny ip any any log
    Extended IP access list OUTBOUND
        10 permit tcp any any eq www
        20 permit tcp any any eq 443
        30 permit tcp any any eq 22
        40 permit tcp any any eq telnet
        50 permit tcp any any eq smtp
        60 permit tcp any any eq pop3
        70 permit tcp any any eq 143
        80 permit udp any any eq domain
        90 permit tcp any any range ftp-data ftp
        100 permit udp any any range 33434 33464
        110 permit icmp any any echo
        120 permit tcp host 150.1.1.1 eq www any
        130 permit tcp host 150.1.1.1 range ftp-data ftp any
        140 deny ip any any log

    Note

    Ping and traceroute across the firewall, then test telnet and ensure you cannot connect on the disallowed port 8080.

    R1#ping 150.1.2.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

    R1#traceroute 150.1.2.2

    Type escape sequence to abort.
    Tracing the route to 150.1.2.2

      1 136.1.13.3 4 msec 0 msec 0 msec
      2 136.1.23.2 4 msec * 0 msec

    R1#telnet 150.1.2.2
    Trying 150.1.2.2 ... Open

    Password required, but none set

    [Connection to 150.1.2.2 closed by foreign host]

    R1#telnet 150.1.2.2 80
    Trying 150.1.2.2, 80 ... Open

    R1#disc 1
    Closing connection to 150.1.2.2 [confirm]

    R1#telnet 150.1.2.2 8080
    Trying 150.1.2.2, 8080 ...
    % Destination unreachable; gateway or host down

    Note

    Check the access-list counters now and notice the increments matching the protocols being tested. The single hit on the final deny entry of OUTBOUND is the rejected connection to port 8080.

    R3#show ip access-lists
    Extended IP access list INBOUND
        10 permit udp any any eq rip (34 matches)
        20 deny ip any host 150.1.1.1 fragments
        30 permit tcp any host 150.1.1.1 eq www
        40 permit tcp any host 150.1.1.1 range ftp-data ftp
        50 permit tcp any any established (16 matches)
        60 permit tcp any eq ftp-data any
        70 permit udp any eq domain any
        80 permit icmp any any echo-reply (11 matches)
        90 permit icmp any any port-unreachable (2 matches)
        100 permit icmp any any time-exceeded
        110 permit icmp any any packet-too-big
        120 deny ip any any log
    Extended IP access list OUTBOUND
        10 permit tcp any any eq www (12 matches)
        20 permit tcp any any eq 443
        30 permit tcp any any eq 22
        40 permit tcp any any eq telnet (20 matches)
        50 permit tcp any any eq smtp
        60 permit tcp any any eq pop3
        70 permit tcp any any eq 143
        80 permit udp any any eq domain
        90 permit tcp any any range ftp-data ftp
        100 permit udp any any range 33434 33464 (3 matches)
        110 permit icmp any any echo (10 matches)
        120 permit tcp host 150.1.1.1 eq www any
        130 permit tcp host 150.1.1.1 range ftp-data ftp any
        140 deny ip any any log (1 match)

    Note

    Confirm that the outside host cannot ping the inside server, while a connection to the permitted HTTP port still opens:

    R2>ping 150.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)

    R2>telnet 150.1.1.1 80
    Trying 150.1.1.1, 80 ... Open

    R2>disc 1
    Closing connection to 150.1.1.1 [confirm]


    R3:
    !
    ! Outbound access-list, mirror all outbound sessions
    !
    no ip access-list extended OUTBOUND
    ip access-list extended OUTBOUND
     permit tcp any any reflect MIRROR
     permit udp any any reflect MIRROR
     permit icmp any any reflect MIRROR
    !
    ! Ingress ACL, permit only the returning packets
    !
    no ip access-list extended INBOUND
    ip access-list extended INBOUND
     evaluate MIRROR
    !
    ! Match RIP traffic
    !
    ip access-list extended RIP
     permit udp any any eq rip
    !
    ! Create route-map to divert RIP traffic to loopback
    !
    route-map LOCAL 10
     match ip address RIP
     set interface Loopback0
    !
    ip local policy route-map LOCAL
    !
    ! Apply ACLs
    !
    interface FastEthernet0/1.23
     ip access-group OUTBOUND out
     ip access-group INBOUND in


    Verification

    Note

    With some IOS versions, local policy routing may refuse to route multicast packets. Configure static RIP neighbors in that case:

    R3:
    router rip
     neighbor 136.1.23.2
     passive-interface FastEthernet0/1.23

    R2:
    router rip
     neighbor 136.1.23.3
     passive-interface FastEthernet0/0

    Note

    Check for the reflected RIP traffic:

    R3#show ip access-lists
    Extended IP access list INBOUND
        10 evaluate MIRROR
    Reflexive IP access list MIRROR
         permit udp host 136.1.23.2 eq rip host 136.1.23.3 eq rip (13 matches) (time left 297)
    Extended IP access list OUTBOUND
        10 permit tcp any any reflect MIRROR
        20 permit udp any any reflect MIRROR
        30 permit icmp any any reflect MIRROR
    Extended IP access list RIP
        10 permit udp any any eq rip (15 matches)

    Note

    Connect across the firewall using TCP and make sure this session is reflected.


    R1>telnet 150.1.2.2
    Trying 150.1.2.2 ... Open

    R2>

    R3#show ip access-lists
    Extended IP access list INBOUND
        10 evaluate MIRROR
    Reflexive IP access list MIRROR
         permit tcp host 150.1.2.2 eq telnet host 136.1.13.1 eq 11009 (31 matches) (time left 294)
         permit udp host 136.1.23.2 eq rip host 136.1.23.3 eq rip (18 matches) (time left 295)
    Extended IP access list OUTBOUND
        10 permit tcp any any reflect MIRROR
        20 permit udp any any reflect MIRROR
        30 permit icmp any any reflect MIRROR
    Extended IP access list RIP
        10 permit udp any any eq rip (19 matches)

    R1>ping 150.1.2.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
    R1>

    R3#show ip access-lists MIRROR
    Reflexive IP access list MIRROR
         permit icmp host 150.1.2.2 host 136.1.13.1 (19 matches) (time left 292)
         permit udp host 136.1.23.2 eq rip host 136.1.23.3 eq rip (25 matches) (time left 291)


    2.3 Dynamic Access Lists

    Remove the previously configured reflexive access-lists. Enable AAA on the router and configure a dynamic access-list inbound on the VLAN23 interface of R3 per the following requirements:

    o Remote users should authenticate against the local database using the name CISCO and the password CISCO1234.

    o The dynamic access rule should permit ICMP traffic from the authenticated IP to any destination.

    o The dynamic entry should expire unconditionally after 30 minutes.

    Do not disrupt any control-plane traffic with your configuration.

    Configuration

    Note

    A dynamic access-list is a type of access policy which is activated by a user logging into the router. The key factor here is the access-enable exec command, which activates all dynamic access entries in all access-lists. This command may be assigned to a particular user's profile, or could be attached to a virtual terminal line.

    You may specify two optional arguments along with the access-enable command. The host keyword creates a dynamic ACL entry ONLY for the host that triggered the authentication session. The other argument is the timeout keyword, which specifies the inactivity timeout after which the dynamic ACL entry is removed.

    While creating a dynamic template entry in an access-list you may also specify an absolute timeout with the timeout keyword. If you have configured AAA on a router, remember to configure exec authorization appropriately, as by default exec commands are not authorized locally.


    R3:
    aaa new-model
    aaa authentication login CONSOLE none
    aaa authorization exec default local
    !
    username CISCO password CISCO1234
    username CISCO autocommand access-enable host timeout 10
    !
    line con 0
     login authentication CONSOLE
    !
    ! Ingress ACL with dynamic templates
    !
    no ip access-list extended INBOUND
    ip access-list extended INBOUND
     permit tcp any host 136.1.23.3 eq 23
     permit udp any any eq 520
     dynamic ACCESS timeout 30 permit icmp any any
     deny ip any any log
    !
    ! Apply the access-lists
    !
    interface FastEthernet0/1.23
     ip access-group INBOUND in
     no ip access-group OUTBOUND out


    Verification

    Note

    Check the dynamic entry in the access-list, then trigger the dynamic ACL entry by connecting to R3 and authenticating:

    R3#show ip access-lists
    Extended IP access list INBOUND
        10 permit tcp any host 136.1.23.3 eq telnet
        20 permit udp any any eq rip (48 matches)
        30 Dynamic ACCESS permit icmp any any
        40 deny ip any any log
    Extended IP access list RIP
        10 permit udp any any eq rip (271 matches)

    R2#telnet 136.1.23.3
    Trying 136.1.23.3 ... Open

    User Access Verification

    Username: CISCO
    Password: CISCO1234

    [Connection to 136.1.23.3 closed by foreign host]

    Note

    Now check the activated access-list entry and test it using the ping command. Notice that the inactivity timer is started for the entry after you send the packets.

    R3#show ip access-lists
    Extended IP access list INBOUND
        10 permit tcp any host 136.1.23.3 eq telnet (723 matches)
        20 permit udp any any eq rip (93 matches)
        30 Dynamic ACCESS permit icmp any any
           permit icmp host 136.1.23.2 any
        40 deny ip any any log
    Extended IP access list RIP
        10 permit udp any any eq rip (291 matches)

    R2#ping 150.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
    R2#

    R3#show ip access-lists
    Extended IP access list INBOUND
        10 permit tcp any host 136.1.23.3 eq telnet (723 matches)
        20 permit udp any any eq rip (96 matches)
        30 Dynamic ACCESS permit icmp any any
           permit icmp host 136.1.23.2 any (5 matches) (time left 595)
        40 deny ip any any log
    Extended IP access list RIP
        10 permit udp any any eq rip (291 matches)


    2.4 Basic CBAC

    Remove the access-lists configured for the VLAN23 interface of R3 previously.

    Configure stateful traffic inspection per the following requirements:

    o Inspect TCP, UDP and ICMP traffic.

    o Inspect FTP application traffic separately.

    Apply the above policy to R3's VLAN23 interface and block any returning traffic that is not part of an inspected session.

    Maintain IP routing through the network and allow the firewall to ping any destination.

    Configuration

    Note

    CBAC, or context-based access control, introduces true stateful inspection to IOS code. You can compare it to the reflexive ACL feature as being an advanced inspection technology. The general idea is to inspect protocol-specific information in traffic flows going across the router and dynamically open holes in access-lists for returning traffic. CBAC configurations commonly consist of two parts:

    1) The CBAC inspection rule (defines traffic classes to inspect) applied to an interface in the direction matching the initial flow of traffic (usually from the protected network to the outside world).

    2) An access-group applied to an interface in the direction matching the returning traffic flow (usually from the outside network to the protected network).

    Commonly, the initial flow of the traffic is from the protected network (inside of the firewall) to the unprotected network (outside of the firewall). For example, think of an office network initiating HTTP connections to the Internet across the filtering router.

    You define an inspection rule using the command:

    ip inspect name <name> <protocol>

    and apply it to an interface using the interface-level command:

    ip inspect <name> {in|out}


    The rule inspects traffic flowing in the direction specified and installs a special ACL bypass entry in the packet switching path to allow returning packets to pass through the router, even if there is an ACL denying them (in older IOS releases CBAC simply added new ACL entries dynamically, but now it is a bypass rule, which performs more efficiently). Therefore, even if there is a local ACL in the path of returning packets, it will be bypassed by packets identified as part of the returning protocol traffic flow. For example, with the FTP protocol, CBAC dynamically permits the active data transfer connection (which is in the reverse direction), even without knowing the communication port in advance.

    You may put the inspection rule and the access-list on different interfaces. As long as they apply to the initial connections and the returning traffic flows respectively, it's fine. For example, you can apply the inspection rule outgoing on the outside interface and an access-list in the incoming direction. You can also put the inspection rule in the incoming direction on the inside interface and the access-list in the incoming direction on the outside interface.

    CBAC protocol inspection can provide you with alarms, notifying you of protocol violations and potential attacks. By default alerts are enabled for all inspected protocols. You can disable alarms globally and configure them selectively per protocol.

    In addition to providing you with alarm messages, CBAC can perform basic traffic accounting (duration, bytes transferred) by logging audit trails to syslog. This feature is disabled by default, and can be enabled globally for all inspected protocols or tuned selectively per protocol in an inspection rule.

    CBAC may inspect generic TCP/UDP connections (without looking for specific upper-level protocol information) just to check their integrity and open a hole for returning traffic. If you enable TCP inspection along with HTTP inspection at the same time, HTTP inspection will be used for connections made on port 80.

    By default, CBAC (as well as outgoing ACLs) does not apply to router-generated traffic. You need to add manual ACL entries in order to permit returning traffic for router-generated packets. Alternatively, you can use local policy routing or a special CBAC feature for router-generated traffic inspection. We are going to discuss this feature in a separate task.

    CBAC has a number of configurable inspection timeouts. In this task we are going to discuss just the application inactivity timeout. For every inspected protocol you can set an inactivity timeout. CBAC will close the inspection entry after the timeout expires.


    There is a special command, ip inspect dns-timeout <seconds>, which applies when you inspect generic UDP sessions. Since DNS represents a special case of the UDP protocol, it has a separate timeout. DNS sessions are quick request/response exchanges, so by default when CBAC sees a UDP packet on port 53 it holds the inspection entry for 5 seconds, not the default interval specified for the UDP protocol. In later releases of IOS, you can define separate DNS inspection rules with their own timeouts.
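The inspection, return-path and timeout behaviour described above, modelled in Python as an added example (not the workbook's or Cisco's code): an inspection rule records a session for each outbound packet, a returning packet whose reverse tuple matches a live entry bypasses the inbound ACL, and the entry ages out after the per-protocol idle timeout, with UDP port 53 held for dns-timeout instead; router-generated traffic is only tracked where the rule carries router-traffic. The Packet and CbacInspector names and the firewall address are assumptions; the timeout values are the defaults shown in this page's show output.

```python
from dataclasses import dataclass

# Defaults quoted in the page's 'show ip inspect all' output.
DEFAULT_IDLE = {"tcp": 3600, "udp": 30, "icmp": 10}
DNS_TIMEOUT = 5       # default of 'ip inspect dns-timeout'
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # 0 for ICMP, which carries no ports
    dport: int = 0


class CbacInspector:
    """Inspection rule applied outbound on one interface, paired with an
    inbound ACL that denies everything the rule did not open (toy model)."""

    def __init__(self, protocols, router_ip, router_traffic=(), idle=None,
                 dns_timeout=DNS_TIMEOUT):
        self.protocols = set(protocols)            # e.g. {"tcp", "udp", "icmp"}
        self.router_ip = router_ip                 # the firewall's own address (assumed)
        self.router_traffic = set(router_traffic)  # protocols inspected with router-traffic
        self.idle = dict(DEFAULT_IDLE, **(idle or {}))
        self.dns_timeout = dns_timeout
        self.sessions = {}   # forward 5-tuple -> [expires_at, idle_timeout]

    def _timeout_for(self, pkt):
        # DNS is a special case of generic UDP inspection: the entry is held
        # for dns-timeout rather than the UDP idle timeout.
        if pkt.proto == "udp" and pkt.dport == DNS_PORT:
            return self.dns_timeout
        return self.idle[pkt.proto]

    def _expire(self, now):
        for key in [k for k, (exp, _) in self.sessions.items() if exp <= now]:
            del self.sessions[key]

    def outbound(self, pkt, now):
        """Initial flow. True if the packet created or refreshed a session
        entry, i.e. its return traffic will be admitted."""
        self._expire(now)
        if pkt.proto not in self.protocols:
            return False
        # Router-generated traffic is not inspected unless the protocol's
        # rule carries the router-traffic keyword (ICMP in the task config).
        if pkt.src == self.router_ip and pkt.proto not in self.router_traffic:
            return False
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        tmo = self._timeout_for(pkt)
        self.sessions[key] = [now + tmo, tmo]
        return True

    def inbound(self, pkt, now):
        """Returning flow. True means the packet matched a live session and
        bypasses the inbound ACL; False means the ACL decides (deny here)."""
        self._expire(now)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        entry = self.sessions.get(reverse)
        if entry is None:
            return False
        entry[0] = now + entry[1]   # activity restarts the idle timer
        return True


if __name__ == "__main__":
    fw = CbacInspector({"tcp", "udp", "icmp"}, "136.1.23.3", router_traffic={"icmp"})
    fw.outbound(Packet("udp", "136.1.13.1", "150.1.2.2", 40000, 53), 0.0)
    reply = Packet("udp", "150.1.2.2", "136.1.13.1", 53, 40000)
    print("DNS reply at t=3:", fw.inbound(reply, 3.0))   # within dns-timeout
    print("DNS reply at t=9:", fw.inbound(reply, 9.0))   # entry aged out
```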

    R3:
    ip inspect name INSPECT tcp
    ip inspect name INSPECT udp
    ip inspect name INSPECT icmp router-traffic
    !
    ! FTP-specific inspection
    ! Uses port-map to apply the rule
    !
    ip inspect name INSPECT ftp
    !
    no ip access-list extended INBOUND
    ip access-list extended INBOUND
     permit udp any any eq rip
     deny ip any any log
    !
    interface FastEthernet0/1.23
     ip access-group INBOUND in
     ip inspect INSPECT out


    Verification

    Note

    Check the CBAC configuration and the port-map.

    R3#show ip inspect all
    Session audit trail is disabled
    Session alert is enabled
    one-minute (sampling period) thresholds are [400:500] connections
    max-incomplete sessions thresholds are [400:500]
    max-incomplete tcp connections per host is 50. Block-time 0 minute.
    tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
    tcp idle-time is 3600 sec -- udp idle-time is 30 sec
    dns-timeout is 5 sec
    Inspection Rule Configuration
     Inspection name INSPECT
        tcp alert is on audit-trail is off timeout 3600
        udp alert is on audit-trail is off timeout 30
        icmp alert is on audit-trail is off timeout 10
        ftp alert is on audit-trail is off timeout 3600

    Interface Configuration
     Interface Ethernet0/1
      Inbound inspection rule is not set
      Outgoing inspection rule is INSPECT
        tcp alert is on audit-trail is off timeout 3600
        udp alert is on audit-trail is off timeout 30
        icmp alert is on audit-trail is off timeout 10
        ftp alert is on audit-trail is off timeout 3600
      Inbound access list is INBOUND
      Outgoing access list is not set

    R3#show ip access-lists
    Extended IP access list INBOUND
        10 permit udp any any eq rip (21 matches)
        20 deny ip any any log

    R3#show ip port-map ftp
    Default mapping:  ftp   port 21   system defined

    Note

    Now generate some traffic across the firewall to make sure it is statefully inspected.


    R1#ping 150.1.2.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
    R1#

    R3#sh ip access-lists
    Extended IP access list INBOUND
         permit icmp any host 136.1.13.1 time-exceeded
         permit icmp any host 136.1.13.1 unreachable
         permit icmp any host 136.1.13.1 timestamp-reply
         permit icmp any host 136.1.13.1 echo-reply (5 matches)
        10 permit udp any any eq rip (99 matches)
        20 deny ip any any log (5 matches)

    R1#telnet 150.1.2.2
    Trying 150.1.2.2 ... Open

    R2>

    R3#show ip inspect sessions
    Established Sessions
     Session 82C79F24 (136.1.13.1:11010)=>(150.1.2.2:23) tcp SIS_OPEN

    R3#show ip access-lists
    Extended IP access list INBOUND
         permit tcp host 150.1.2.2 eq telnet host 136.1.13.1 eq 11010 (8 matches)
        10 permit udp any any eq rip (105 matches)
        20 deny ip any any log (5 matches)


    2.5 CBAC Port to Application Mapping

    There is a web server at 150.X.2.2 listening on port 21 and an FTP server somewhere on the outside network listening on port 8080. Ensure CBAC accounts for the port changes for the mentioned applications.

    Configuration

    Note

    To inspect application traffic, CBAC uses a system table of port-to-application mappings. There are some system-defined ports, e.g. 21, 80 or 25. You cannot map the HTTP service to port 21 directly, since it is system-defined. However, you may use an access-list to specify the server that has the standard port re-mapped.
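The two rules just stated, modelled in Python as an added example (not the workbook's or Cisco's code): a system-defined port cannot be re-mapped globally, but a host-specific mapping keyed by a list of servers takes precedence over the default table when CBAC decides which application inspector a connection gets. PortMap and its method names are assumptions, the list ACL is simplified to a set of host addresses, and the system-defined table holds only the ports this page mentions.

```python
# System-defined entries quoted on this page (21, 80 and 25 in the text,
# tftp 69 in the show output); the real IOS table is larger.
SYSTEM_DEFINED = {21: "ftp", 25: "smtp", 69: "tftp", 80: "http"}


class PortMapError(ValueError):
    """Raised where IOS prints 'Command fail: ... defined ... by the system'."""


class PortMap:
    def __init__(self):
        self.defaults = dict(SYSTEM_DEFINED)   # port -> application
        self.host_specific = []                # (application, port, hosts)

    def port_map(self, app, port, hosts=None):
        """Model of 'ip port-map <app> port <port> [list <acl>]'.
        'hosts' stands in for the standard ACL naming the servers."""
        if hosts is not None:
            # Host-specific mapping: allowed even on a system-defined port.
            self.host_specific.append((app, port, frozenset(hosts)))
            return
        if port in SYSTEM_DEFINED:
            raise PortMapError(
                f"Command fail: the port {port} has already been defined for "
                f"{SYSTEM_DEFINED[port]} by the system.")
        self.defaults[port] = app            # user-defined additional port

    def application_for(self, dst_host, dport):
        """Which application-level inspection a new connection receives.
        Host-specific entries win over the default table; None means only
        generic tcp/udp inspection applies."""
        for app, port, hosts in self.host_specific:
            if port == dport and dst_host in hosts:
                return app
        return self.defaults.get(dport)

    def show(self):
        """Lines in the spirit of 'show ip port-map'."""
        lines = [f"Host specific:    {a:<6} port {p:<5} user defined"
                 for a, p, _ in self.host_specific]
        for p, a in sorted(self.defaults.items()):
            kind = "system defined" if p in SYSTEM_DEFINED else "user defined"
            lines.append(f"Default mapping:  {a:<6} port {p:<5} {kind}")
        return lines


if __name__ == "__main__":
    pm = PortMap()
    pm.port_map("http", 21, hosts={"150.1.2.2"})   # web server on the FTP port
    pm.port_map("ftp", 8080)                        # FTP server on 8080 anywhere
    print("\n".join(pm.show()))
```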

    R3:
    access-list 99 permit host 150.1.2.2
    !
    ip port-map http port 21 list 99
    ip port-map ftp port 8080
    !
    ip inspect name INSPECT http


    Verification

    Note

    Use the show commands to validate the port-to-application mapping table.

    R3(config)#ip port-map http port 21
    Command fail: the port 21 has already been defined for ftp by the system.
    No change can be made to the system defined port mappings.

    R3(config)#ip port-map http port 21 list 99

    R3#show ip port-map | inc http
    Host specific:    http    port 21   in list 99   user defined
    Default mapping:  http    port 80   system defined

    R3#show ip port-map | inc ftp
    Default mapping:  tftp    port 69   system defined
    Default mapping:  ftp     port 21   system defined
    Default mapping:  ftp     port 8080 user defined


    2.6 CBAC TCP/UDP Intercept Feature

    Allow TCP, UDP and ICMP traffic to the servers on VLAN13 using stateful inspection.

    Configure global CBAC intercept parameters as follows:

    o Start clamping when the total number of half-open sessions reaches 1000, and stop when it falls below 900.

    o Start clamping when the one-minute rate reaches 100 and stop when it falls below 90.

    o Set the per-host limit of half-open sessions to 50. Block a host for 5 minutes when the threshold is reached.

    o Set the number of seconds spent in the connection establishment phase for TCP to 15 seconds.

    Allow for the routing updates from R1 to be learned at R3.

    Configuration

    Note

    By default, with every inspection rule, CBAC enables DoS prevention features very similar to the TCP Intercept feature. However, with CBAC you cannot disable this behavior (except in some recent IOS releases, since 12.4(10) and the later 12.4T trains). Another difference is that CBAC applies DoS prevention to UDP sessions as well. A UDP session is considered half-open if no packets have been sent in response to the initial packet. Both UDP and TCP half-open sessions count against the maximum connection thresholds at the same time. Therefore, if you set up a limit of 100 half-open sessions, the router will count both UDP and TCP sessions against this threshold.

    CBAC supports maximum thresholds and per-minute rates for half-open sessions. When the current number of connections exceeds any of the thresholds, the code starts deleting half-open connection entries and sending RST packets to the TCP session endpoints. The code does not delete any sessions that have already been established. For TCP sessions, the only supported mode of operation is watch mode. The code does not intervene in TCP sessions, it just watches them as they get established. Offending sessions (sessions that did not complete in time or exceeded thresholds) receive RST messages as well when they exceed the configured timeouts. The amount of time CBAC waits for TCP connection establishment is configured using the command:

    ip inspect tcp synwait-time <seconds>

    Note this is the equivalent of watch-timeout for the TCP Intercept feature.


    One feature special to CBAC is per-host TCP connection limits. CBAC bounds the number of half-open connections per host, in addition to having the global thresholds. As the number of half-open sessions destined to the same IP address exceeds the per-host threshold, the router can block any further connections from establishing for the amount of time specified. The command syntax is:

    ip inspect tcp max-incomplete host <number> block-time <minutes>

    Lastly, remember that the CBAC interception feature applies whenever you configure any inspection rule.
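The half-open session handling described in this task, modelled in Python as an added example (not the workbook's or Cisco's code): the max-incomplete and one-minute thresholds with high/low watermarks, the per-host limit with block-time, and synwait-time after which an unfinished handshake is reset. HalfOpenGuard and its method names are assumptions, as are the 'oldest entry first' deletion order and the one-second clock; the threshold values in the usage below are the task's (900/1000, 90/100, 50 per host, 5 minutes, 15 seconds).

```python
from collections import OrderedDict, deque


class HalfOpenGuard:
    """Tracks half-open sessions the way the text describes: global
    max-incomplete and one-minute thresholds with high/low watermarks, a
    per-host limit with block-time, and tcp synwait-time (toy model)."""

    def __init__(self, max_low=400, max_high=500, rate_low=400, rate_high=500,
                 host_max=50, block_time_min=0, synwait=30):
        self.max_low, self.max_high = max_low, max_high
        self.rate_low, self.rate_high = rate_low, rate_high
        self.host_max, self.block_secs = host_max, block_time_min * 60
        self.synwait = synwait
        self.half_open = OrderedDict()   # key -> (dst, start time), oldest first
        self.attempts = deque()          # start times of recent half-open sessions
        self.blocked = {}                # dst -> time at which the block ends
        self.clamping = False            # deleting entries until below 'low'

    def _rate(self, now):
        """Half-open sessions started within the last minute."""
        while self.attempts and self.attempts[0] <= now - 60:
            self.attempts.popleft()
        return len(self.attempts)

    def _per_host(self, dst):
        return sum(1 for d, _ in self.half_open.values() if d == dst)

    def _update_clamping(self, now):
        total, rate = len(self.half_open), self._rate(now)
        if total >= self.max_high or rate >= self.rate_high:
            self.clamping = True          # reached 'high': start deleting
        elif total < self.max_low and rate < self.rate_low:
            self.clamping = False         # both below 'low': stop

    def tick(self, now):
        """Reset handshakes that have not completed within synwait-time.
        Returns the keys that would receive an RST."""
        resets = [k for k, (_, t0) in self.half_open.items()
                  if now - t0 >= self.synwait]
        for k in resets:
            del self.half_open[k]
        self._update_clamping(now)
        return resets

    def new_syn(self, key, now):
        """key = (src, sport, dst, dport). Returns (decision, keys reset)."""
        dst = key[2]
        resets = self.tick(now)
        if self.blocked.get(dst, 0) > now:
            return "blocked-host", resets
        if self._per_host(dst) >= self.host_max:
            if self.block_secs:
                # block-time > 0: refuse new connections to this host for a while
                self.blocked[dst] = now + self.block_secs
                return "blocked-host", resets
            # block-time 0: drop the oldest half-open entry to this host instead
            oldest = next(k for k, (d, _) in self.half_open.items() if d == dst)
            del self.half_open[oldest]
            resets.append(oldest)
        self.half_open[key] = (dst, now)
        self.attempts.append(now)
        self._update_clamping(now)
        if self.clamping and len(self.half_open) > 1:
            # clamping: every new request costs the oldest half-open entry
            resets.append(self.half_open.popitem(last=False)[0])
        return "accepted", resets

    def established(self, key):
        """Handshake completed: the entry stops being half-open. Established
        sessions are never deleted by the thresholds."""
        self.half_open.pop(key, None)


if __name__ == "__main__":
    g = HalfOpenGuard(900, 1000, 90, 100, host_max=50, block_time_min=5, synwait=15)
    for i in range(51):   # constructed burst of SYNs to one server
        print(i + 1, g.new_syn(("136.1.23.2", 20000 + i, "150.1.1.100", 80), 0.0)[0])
```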

    R3:
    ip inspect max-incomplete low 900
    ip inspect max-incomplete high 1000
    ip inspect one-minute low 90
    ip inspect one-minute high 100
    ip inspect tcp synwait-time 15
    ip inspect tcp max-incomplete host 50 block-time 5
    !
    ip inspect name PROTECT tcp
    ip inspect name PROTECT udp
    ip inspect name PROTECT icmp
    !
    no ip access-list extended SERVERS
    ip access-list extended SERVERS
     permit udp any any eq rip
     deny ip any any log
    !
    interface FastEthernet0/0
     ip inspect PROTECT out
     ip access-group SERVERS in


    Verification

    Note

    Verify CBAC configuration and then enable CBAC debugging.

    R3#show ip inspect all
    Session audit trail is disabled
    Session alert is enabled
    one-minute (sampling period) thresholds are [90:100] connections
    max-incomplete sessions thresholds are [900:1000]
    max-incomplete tcp connections per host is 50. Block-time 5 minutes.
    tcp synwait-time is 15 sec -- tcp finwait-time is 5 sec
    tcp idle-time is 3600 sec -- udp idle-time is 30 sec
    dns-timeout is 5 sec
    Inspection Rule Configuration
     Inspection name PROTECT
        tcp alert is on audit-trail is off timeout 3600
        udp alert is on audit-trail is off timeout 30
        icmp alert is on audit-trail is off timeout 10

    Interface Configuration
     Interface FastEthernet0/0
      Inbound inspection rule is not set
      Outgoing inspection rule is PROTECT
        tcp alert is on audit-trail is off timeout 3600
        udp alert is on audit-trail is off timeout 30
        icmp alert is on audit-trail is off timeout 10
      Inbound access list is SERVERS
      Outgoing access list is not set


    Note

    Now check the TCP timeout settings:

    R3#debug ip inspect events
    INSPECT special events debugging is on
    R3#

    R2#telnet 150.1.1.100 3030
    Trying 150.1.1.100, 3030 ...
    % Connection timed out; remote host not responding

    R3#
    CBAC 136.1.23.2:11011 150.1.1.100:3030 seq 3660436220 wnd 0


    2.7 CBAC Performance Optimization

    In order to improve performance, disable CBAC alerts, but retain alerting for ICMP sessions.

    Keeping CBAC audit globally disabled, enable it for TCP sessions only. Change the hashtable size to 4096, in order to accommodate an intensive traffic flow.

    Configuration

    Note

    The core of the CBAC algorithm is the protocol inspection logic and the session state table. In order to make CBAC more effective under heavy load conditions, you should take the following into account:

    1. The state table is a hashed structure with a configurable number of entries. Try to make the hashtable size close to the average number of concurrent sessions passing through the firewall.

    2. By default, the protocol inspection logic generates alerts when it finds inconsistencies in protocol tracking. This may cause additional CPU load under intensive traffic. Consider disabling the alerts globally or per protocol in order to improve performance.

    The default hash table size is 1024 buckets. It can be set to 2048, 4096 or 8192 buckets. When the number of concurrent connections across the firewall exceeds 4000, you may want to adjust the default size to match approximately half of the maximum connection count. In our case, with 5000 sessions, the optimal hash table size would be 2048 buckets.

    There's an additional CBAC feature called session audit. It allows for logging every session's statistics for accounting or audit purposes. Audit can be enabled globally or per protocol.

    R3:
    ip inspect alert-off
    !
    ip inspect name INSPECT icmp alert on
    !
    ! Audit trails
    !
    no ip inspect audit-trail
    ip inspect name INSPECT tcp audit-trail on


    Verification

    Note

    Check the global CBAC configuration and verify the generation of audit trails.

    R3#show ip inspect all
    Session audit trail is disabled
    Session alert is disabled
    one-minute (sampling period) thresholds are [90:100] connections
    max-incomplete sessions thresholds are [900:1000]
    max-incomplete tcp connections per host is 50. Block-time 5 minutes.
    tcp synwait-time is 15 sec -- tcp finwait-time is 5 sec
    tcp idle-time is 3600 sec -- udp idle-time is 30 sec
    dns-timeout is 5 sec
    Inspection Rule Configuration
     Inspection name INSPECT
        tcp alert is off audit-trail is on timeout 3600
        udp alert is off audit-trail is off timeout 30
        icmp alert is on audit-trail is off timeout 10
        ftp alert is off audit-trail is off timeout 3600

    Interface Configuration
     Interface FastEthernet0/1
      Inbound inspection rule is not set
      Outgoing inspection rule is INSPECT
        tcp alert is off audit-trail is on timeout 3600
        udp alert is off audit-trail is off timeout 30
        icmp alert is on audit-trail is off timeout 10
        ftp alert is off audit-trail is off timeout 3600
      Inbound access list is SERVERS
      Outgoing access list is not set

    Note

    Verify audit trails by initiating a session across the firewall.

    R1#telnet 150.1.2.2
    Trying 150.1.2.2 ... Open

    R2>exit

    R3#
    %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (136.1.13.1:11011) sent 36 bytes -- responder (150.1.2.2:23) sent 44 bytes


    2.8 IOS URL Filtering

    Configure HTTP URL filtering to achieve the following:

    o Filter all java applets from HTTP responses.

    o Filter URLs using the Websense server at 10.0.0.100.

    o Permit the domain cisco.com to be accessed at any time.

    If the Websense server fails, the router should permit any HTTP request.

    Configuration

    Note

    This example demonstrates the URL filtering configuration using CBAC inspect rules. Another option would be to use the Zone-Based Firewall Configuration Policy Language. As a part of the CBAC configuration you may specify the list of servers allowed to send java applets to users and configure exception domains, which are never subject to URL filtering. There is also an option to enable the so-called allow mode, which bypasses all requests when the filtering server is down.

    You need a URL filtering server with the CBAC configuration; there is no option for local URL configuration. The latter, however, is possible with ZFW syntax.

    Java blocking is a special feature that allows the CBAC HTTP inspection engine to block Java applet downloads from certain sites. You specify a list of allowed sites using a standard ACL. This ACL lists the servers that users may use to download Java applets.

    R3:
    !
    ! Access-list for java-filtering
    !
    access-list 1 deny any
    !
    ! Websense Server
    !
    ip urlfilter server vendor websense 10.0.0.100
    !
    ! Inspection rule to activate filtering
    !
    ip inspect name INSPECT http java-list 1 urlfilter
    !
    ! Configure cisco.com as exclusively permitted domain
    !
    ip urlfilter exclusive-domain permit cisco.com
    !
    ! Enable allow-mode
    !
    ip urlfilter allow-mode on
    !
    ! Apply inspection rule
    !
    interface FastEthernet0/1.23
     ip inspect INSPECT in

    Verification

    Note

    If you have a functional Websense server, you should see something like this on your console:

    R3(config)#ip urlfilter server vendor websense 10.0.0.100
    R3(config)#
    %URLF-5-SERVER_UP: Connection to an URL filter server(10.0.0.100) is made, the router is returning from ALLOW MODE

    R3#show ip inspect all
    Session audit trail is disabled
    Session alert is disabled
    one-minute (sampling period) thresholds are [90:100] connections
    max-incomplete sessions thresholds are [900:1000]
    max-incomplete tcp connections per host is 50. Block-time 5 minutes.
    tcp synwait-time is 15 sec -- tcp finwait-time is 5 sec
    tcp idle-time is 3600 sec -- udp idle-time is 30 sec
    dns-timeout is 5 sec
    Inspection Rule Configuration
     Inspection name INSPECT
        http java-list 1 url-filter is on alert is off audit-trail is off timeout 3600
    Interface Configuration
     Interface FastEthernet0/1.23
      Inbound inspection rule is INSPECT
        http java-list 1 url-filter is on alert is off audit-trail is off timeout 3600
      Outgoing inspection rule is not set
      Inbound access list is not set
      Outgoing access list is not set

    Note


    Check the urlfilter configuration and note the server port. Sometimes you may need to open a pinhole for it in access-lists:


    R3#show ip urlfilter config
    Websense URL Filtering is ENABLED

    Primary Websense server configurations
    =========================================
    Websense server IP address: 10.0.0.100
    Websense server port: 15868
    Websense retransmission time out: 6 (in seconds)
    Websense number of retransmission: 2

    Secondary Websense servers configurations
    ============================================
    Other configurations
    =====================
    Allow Mode: ON
    System Alert: ENABLED
    Audit Trail: DISABLED
    Log message on Websense server: DISABLED
    Maximum number of cache entries: 5000
    Maximum number of packet buffers: 200
    Maximum outstanding requests: 1000


    2.9 IOS Authentication Proxy

    Configure Authentication Proxy settings on R3 per the following requirements.

    o Use the RADIUS server at 10.0.0.100 with the authentication key CISCO.

    o The authentication proxy should apply to the users' sessions initiated from VLAN23 towards VLAN13.

    o Authenticated users should be allowed to send ICMP packets and initiate TCP sessions.

    Configure the ACS server with the user named PROXY and the password of CISCO1234.

    Configuration

    Note

    The idea behind Authentication Proxy is to download a per-user access profile (ACL rules) and merge it with the interface access-group. To authenticate the user, the HTTP session is intercepted and authentication is handled by the router. Normally, a remote authentication server is required to push down the Cisco AV pair values carrying the access-list contents.

    Authentication proxy is configured as a rule applied ingress to the interface.

    There should be an access-list applied ingress to the same interface that prevents users from initiating any sessions. The access-list may need to allow the control-plane traffic if required.

    R3:

    aaa new-model
    !
    ! Safeguard console
    !
    aaa authentication login CONSOLE none
    !
    line console 0
     login authentication CONSOLE

    !
    ! Configure AAA settings for auth-proxy
    !
    aaa authentication login default group radius
    aaa authorization auth-proxy default group radius
    !
    radius-server host 10.0.0.100 key CISCO

    !


    Step 2:

    Permit cisco av-pair attribute in user profile:


    Step 3:

    Add new user PROXY with password CISCO1234:


    Step 4:

    Configure auth-proxy attributes in user profile:


    Step 5:

    Add R3 as RADIUS client on ACS:


    Verification

    Note

    Configure the Test PC in VLAN 23 with the IP address of 136.X.23.200 and the default gateway pointing to R3. Enable the following debugging commands in R3 and initiate an HTTP session from the Test PC to R1:

    R3#debug aaa authentication
    AAA Authentication debugging is on
    R3#debug aaa authorization
    AAA Authorization debugging is on
    R3#debug radius
    Radius protocol debugging is on
    Radius protocol brief debugging is off
    Radius protocol verbose debugging is off
    Radius packet hex dump debugging is off
    Radius packet protocol debugging is on
    Radius packet retransmission debugging is off
    Radius server fail-over debugging is off

    R3#
    AAA/AUTHEN/START (4167353654): port='Ethernet0/1' list='default' action=LOGIN service=LOGIN
    AAA/AUTHEN/START (4167353654): found list default
    AAA/AUTHEN/START (4167353654): Method=radius (radius)
    AAA/AUTHEN(4167353654): Status=GETUSER
    AAA/AUTHEN/CONT (4167353654): continue_login (user='(undef)')
    AAA/AUTHEN(4167353654): Status=GETUSER

    AAA/AUTHEN(4167353654): Method=radius (radius)
    AAA/AUTHEN(4167353654): Status=GETPASS
    AAA/AUTHEN/CONT (4167353654): continue_login (user='PROXY')
    AAA/AUTHEN(4167353654): Status=GETPASS
    AAA/AUTHEN(4167353654): Method=radius (radius)
    RADIUS: Pick NAS IP for u=0x82ECC30C tableid=0 cfg_addr=0.0.0.0 best_addr=136.1.23.3
    RADIUS: ustruct sharecount=1
    Radius: radius_port_info() success=1 radius_nas_port=1
    RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 21645/9, len 84
    RADIUS:  authenticator BB ED AA B9 32 98 61 51 - A5 9F A7 29 CF 38 AD F0
    RADIUS:  NAS-IP-Address      [4]   6   136.1.23.3
    RADIUS:  NAS-Port            [5]   6   60001
    RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    RADIUS:  User-Name           [1]   7   "PROXY"
    RADIUS:  Calling-Station-Id  [31]  15  "136.1.200.200"
    RADIUS:  User-Password       [2]   18  *
    RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    RADIUS: Received from id 21645/9 10.0.0.100:1645, Access-Accept, len 181


    RADIUS:  authenticator 35 55 0E 8A 76 28 14 EF - 90 82 89 E1 B6 3D D8 EF
    RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
    RADIUS:  Vendor, Cisco       [26]  30
    RADIUS:   Cisco AVpair       [1]   24  "auth-proxy:priv-lvl=15"
    RADIUS:  Vendor, Cisco       [26]  49
    RADIUS:   Cisco AVpair       [1]   43  "auth-proxy:proxyacl#1=permit icmp any any"
    RADIUS:  Vendor, Cisco       [26]  48
    RADIUS:   Cisco AVpair       [1]   42  "auth-proxy:proxyacl#2=permit tcp any any"
    RADIUS:  Class               [25]  28
    RADIUS:   43 41 43 53 3A 30 2F 36 66 31 64 2F 38 38 30 31  [CACS:0/6f1d/8801]
    RADIUS:   31 37 30 33 2F 36 30 30 30 31                    [1703/60001]
    RADIUS: saved authorization data for user 82ECC30C at 82BC2E78
    AAA/AUTHEN(4167353654): Status=PASS

    ...

    *Mar  1 22:28:31.431: RADIUS: cisco AVPair "auth-proxy:priv-lvl=15"
    *Mar  1 22:28:31.431: RADIUS: cisco AVPair "auth-proxy:proxyacl#1=permit icmp any any"
    *Mar  1 22:28:31.431: RADIUS: cisco AVPair "auth-proxy:proxyacl#2=permit tcp any any"
    *Mar  1 22:28:31.431: AAA/AUTHOR (476008236): Post authorization status = PASS_ADD

    R3#show ip access-lists
    Extended IP access list 100
        permit icmp host 136.1.23.200 any
        permit tcp host 136.1.23.200 any (7 matches)
        10 permit udp any any eq rip
        20 deny ip any any log (20 matches)

    R3#show ip auth-proxy cache
    Authentication Proxy Cache
     Client IP 136.1.23.200 Port 1248, timeout 60, state HTTP_ESTAB
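    As an added example (Python written for this page, not IOS code), the following takes the Cisco AV pairs from the Access-Accept above and builds the merged list that show ip access-lists displays: each proxyacl#N entry has its source rewritten to the authenticated host, and the dynamic entries are placed ahead of the static ones. The AV pair list and the static entries of access-list 100 are constructed from the output above; the requirement that proxyacl entries use a source of 'any' and that the profile carry priv-lvl=15 is this example's assumption.

```python
import re

# Constructed from the debug output on this page: the Cisco AV pairs in the Access-Accept.
AV_PAIRS = [
    "auth-proxy:priv-lvl=15",
    "auth-proxy:proxyacl#1=permit icmp any any",
    "auth-proxy:proxyacl#2=permit tcp any any",
]
# Constructed from the show ip access-lists output: the static entries of ACL 100
# applied ingress on the VLAN23 interface (they block users until they authenticate).
STATIC_ACL_100 = [
    "10 permit udp any any eq rip",
    "20 deny ip any any log",
]

PROXYACL_RE = re.compile(r"^auth-proxy:proxyacl#(\d+)=(.+)$")


def parse_auth_proxy_profile(av_pairs):
    """Return (priv_lvl, [ace, ...]) with the proxyacl entries ordered by their number.
    Assumption of this example: only 'permit' entries are accepted, and a profile that
    does not carry priv-lvl=15 (as the one on this page does) is rejected."""
    priv_lvl = None
    entries = {}
    for av in av_pairs:
        if av.startswith("auth-proxy:priv-lvl="):
            priv_lvl = int(av.split("=", 1)[1])
            continue
        m = PROXYACL_RE.match(av)
        if not m:
            continue  # unrelated AV pair, ignored
        ace = m.group(2).strip()
        if not ace.startswith("permit "):
            raise ValueError(f"unsupported proxyacl entry: {ace!r}")
        entries[int(m.group(1))] = ace
    if priv_lvl != 15:
        raise ValueError("auth-proxy profile without priv-lvl=15")
    return priv_lvl, [entries[n] for n in sorted(entries)]


def bind_to_host(ace, client_ip):
    """'permit icmp any any' -> 'permit icmp host 136.1.23.200 any': the source is
    replaced by the authenticated client, so the downloaded profile can never be
    broader than that host. Assumption: the entry uses 'any' as its source."""
    action, proto, src, *rest = ace.split()
    if src != "any":
        raise ValueError(f"proxyacl source must be 'any', got {src!r}")
    return " ".join([action, proto, "host", client_ip] + rest)


def merged_acl(client_ip, av_pairs, static_entries):
    """Dynamic per-user entries go ahead of the static ones, as show ip access-lists shows."""
    _, aces = parse_auth_proxy_profile(av_pairs)
    return [bind_to_host(a, client_ip) for a in aces] + list(static_entries)


def permits(acl, proto, src_ip):
    """First-match evaluation of the merged list on protocol and source only (ports are
    ignored): enough to show why a host that has not authenticated still hits
    'deny ip any any log'."""
    for entry in acl:
        fields = entry.split()
        if fields[0].isdigit():          # drop the sequence number
            fields = fields[1:]
        action, ace_proto, *rest = fields
        src = "any" if rest[0] == "any" else rest[1]   # 'any' or 'host X'
        if ace_proto in (proto, "ip") and src in ("any", src_ip):
            return action == "permit"
    return False
```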


    2.10 Flexible Packet Matching

    Configure R1 to filter ICMP Echo packets with the string AAA in the payload. Look no deeper than 256 bytes in the packet.

    Ensure the filtering applies only to ICMP/IP packets received in Ethernet frames.

    Configuration

    Note

    Flexible Packet Matching is a new feature that allows for granular packet inspection in Cisco IOS routers. Using FPM you can match any string, byte or even bit at any position in the IP (or theoretically non-IP) packet. This may greatly aid in identifying and blocking network attacks using static patterns found in the attack traffic. This feature has some limitations, though.

    a) First, it is completely stateless, i.e. it does not track the state/history of the packet flow. Thus, FPM cannot discover dynamic protocol ports such as those used by H.323 or FTP, nor can it detect patterns split across multiple packets. Essentially, you are allowed to apply inspection on a per-packet basis only.

    b) Additionally, you cannot apply FPM to the control-plane traffic, as the feature is implemented purely in the CEF switching layer. Fragmented traffic is not reassembled for matching, and the only inspected packet is the initial fragment of the IP packet flow.

    c) IP packets with IP options are not matched by FPM either, because they are punted to the route processor.

    d) Lastly, this feature inspects only unicast packets and does not apply to MPLS-encapsulated packets.

    Configuring an FPM filter consists of a few steps.

    (1) Loading protocol headers.

    (2) Defining a protocol stack.

    (3) Defining a traffic filter.

    (4) Applying the policy & Verifying


    Let's look at each of these steps in detail.

    Load a PHDF (optional). PHDF stands for Packet Header Definition File. Those files use XML syntax and define the structure of various packet headers, such as Ethernet, IP, TCP, UDP and so on. They are very helpful in making filtering more structured, as with the PHDFs loaded you may filter based on the header field names and their values, instead of matching fixed offsets in the unstructured packet body. You may load the files into the router's memory using the load protocol command. The PHDF files could be manually created using the simple XML syntax or downloaded from CCO. Since IOS version 12.4(15)T, four basic PHDFs are included in the IOS code and located at the virtual path system:fpm/phdfs. You could load the files directly from there.

    Defining a custom PHDF requires an understanding of protocol header formats and field values along with basic XML formatting, which is beyond the scope of this document.

    Define a protocol stack (optional). This step uses the PHDFs loaded previously and allows specifying the protocol headers found in the traffic you want to inspect. Using the protocol stack definition induces structure in the packets being inspected. This allows for filtering based on header field values and specifying offsets in the packet relative to the header fields. Additionally, you may define various protocol stacks (e.g. UDP in IP, UDP in GRE in IP) and reuse the same access control policy with various stacks.

    You define the protocol stack using the command class-map type stack match-all followed by the class name. This class-map is always of type match-all and consists of a series of match entries. Every match entry should specify a protocol name defined in the loaded PHDFs, a header field value and the next protocol name found in the stack. Look at the sample below: it defines the series of headers TCP in an IPIP tunnel header (protocol 4) encapsulated in IP and in Ethernet.


    By default, the protocol stack is matched starting AFTER the data-link level header. That is, the first header defined in the stack is matched against the header following the L2 header. In real life, this is commonly the IP header. However, sometimes you may want to match the Layer 2 header fields as well, e.g. Ethernet addresses. To make the protocol stack match starting at the L2 level, use the command stack-start l2-start.

    At this point, having just stack class-maps, you may already apply traffic filtering to the packets matching the configured stack. To accomplish this, create a policy-map of type access-control and assign a stack class to the policy-map. For example:

    class-map type stack TCP_IN_IP_IN_ETHER
     stack-start l2-start
     match field ETHER type eq 0x800 next IP
     match field layer 2 IP protocol eq 0x6 next TCP
    !
    policy-map type access-control DROP_TCP_IN_IP_IN_ETHER
     class TCP_IN_IP_IN_ETHER
      drop

    There is basically just one action available with the access-control policy-maps, and the action is drop. You may also use the send-response command under a class to make the router send an ICMP unreachable response. However, using just stack class-maps might be inflexible, as you cannot match the packets' payload. You may however use this for filtering based on addresses, protocol flags and so on.

    Define a traffic filter. A traffic filter is defined by means of a special class-map of type access-control and a respective policy-map of the same type. Using this type of class-map you can match the protocol field values using the command match field if the respective protocol's PHDF has been loaded. If you match the protocol fields, then the policy-map using the newly defined access-control class-map must be nested under the stack-type class-map defining this protocol. We'll see an example later.

    In addition to matching the protocol header fields, you can match the packet payload at a fixed offset against a fixed value, value range, string or regular expression. You may base the offset off a defined protocol header field (e.g. +10 bytes from the TCP flags) using the match start command with the offset and size keywords. For example:


    match start TCP checksum offset 100 size 1
    match start IP version offset 0 size 1

    Of course, this type of offset basing is only possible if the respective protocol definition has been loaded and the containing stack-type class-map has this protocol defined.

    Irrespective of the protocols loaded/defined, you may base the offset on the L2 or L3 packet start (absolute offsets). For example, if the packet is IP in Ethernet, then L2-start is the first bit of the Ethernet header and L3-start is the first bit of the IP header. The command syntax is as follows:

    match start {l2-start | l3-start} offset size

    The command specifies the offset in bytes from the selected start. If the size is less than or equal to 4 bytes, you can use the eq, neq, lt, gt operators in addition to regex and string. This allows for per-bit matching using the combination of the eq and mask operators. For example:

    match start l3-start offset 0 size 1 eq 0x2 mask 0x3
    match start l2-start offset 36 size 5 string ABCDE

    Create an access-control policy-map. There are two options here. You may create a simple access-control policy-map, which has just the basic access-control class assigned, without nesting. For example:

    class-map type access-control PASSWORD
     match start l3-start offset 0 size 100 regex ".*[pP][aA][sS][wW].*"
    !
    policy-map type access-control DROP_PASSWORD
     class PASSWORD
      drop

    When using this simple non-nested syntax, you may only use the absolute offsets with the command match start {l2-start|l3-start} and cannot reference any protocol header fields.


    You may use a more flexible approach by nesting the filtering policy under a stack-type class-map configured in the containing policy-map. This allows for using protocol headers in the filtering policy or basing the offsets on the packet header fields. Notice that the nested filtering policy may only use the protocol headers defined in the containing stack class-map. Here is an example that looks for the string TEST in TCP packets:

    class-map type stack TCP_IN_IP
     match field IP protocol eq 0x6 next TCP
    !
    ! Protocol fields matched in the filtering policy
    ! must be for the protocols defined in the stack
    ! class-map
    !
    class-map type access-control match-any FILTER_CLASS
     match start TCP payload offset 0 size 4 string TEST
    !
    policy-map type access-control FILTER_POLICY
     class FILTER_CLASS
      drop
    !
    policy-map type access-control STACK_POLICY
     class TCP_IN_IP
      service-policy FILTER_POLICY

    Apply the traffic filtering policy. Finally, the access-control policy-map should be applied to an interface either inbound or outbound using the interface-level command service-policy type access-control {input|output}. This could be a simple non-nested policy using just stack-type class-maps or access-control class-maps, or a more advanced stack policy-map with a nested access-control policy-map.


    R1:
    load protocol system:fpm/phdf/ip.phdf
    load protocol system:fpm/phdf/icmp.phdf
    load protocol system:fpm/phdf/tcp.phdf
    load protocol system:fpm/phdf/udp.phdf
    load protocol system:fpm/phdf/ether.phdf
    !
    class-map type stack ICMP_IN_IP_IN_ETHER
     stack-start l2-start
     match field ether type eq 0x800 next ip
     match field layer 2 ip protocol eq 1 next icmp
    !
    class-map type access-control match-all ICMP_ECHO_STRING
     match field icmp type eq 8
     match start icmp payload offset 0 size 256 regex ".*AAAA.*"
    !
    policy-map type access-control ACCESS_CONTROL_POLICY
     class ICMP_ECHO_STRING
      log
    !
    policy-map type access-control STACK_POLICY
     class ICMP_IN_IP_IN_ETHER
      service-policy ACCESS_CONTROL_POLICY
    !
    interface FastEthernet0/0
     service-policy type access-control input STACK_POLICY


    Verification

    Note

    Generate ICMP packets with the payload AAAA from R2 to R1. To accomplish this, use any ASCII code table to find that the ASCII code for A is 0x41. After this, issue the following command from R2:

    Rack1R2#ping 150.1.1.1 source loopback 0 data 4141

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 150.1.2.2
    Packet has data pattern 0x4141
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
    Rack1R2#

    Note

    Now check the access-control policy-map statistics in R1. Notice that both the stack class-map and the access-control class-map have been matched. Additionally, you should get the log message that appears after the debugging output:

    Rack1R1#show policy-map type access-control interface fastEthernet 0/0

     FastEthernet0/0

      Service-policy access-control input: STACK_POLICY

        Class-map: ICMP_IN_IP_IN_ETHER (match-all)
          5 packets, 570 bytes
          5 minute offered rate 0 bps
          Match: field ETHER type eq 0x800 next IP
          Match: field IP protocol eq 1 next ICMP

          Service-policy access-control : ACCESS_CONTROL_POLICY

            Class-map: ICMP_ECHO_STRING (match-all)
              5 packets, 570 bytes
              5 minute offered rate 0 bps
              Match: field ICMP type eq 8
              Match: start ICMP payload-start off