© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features


Page 1: Implementing Secure Converged Wide Area Networks (ISCW)


Implementing Secure Converged Wide Area Networks (ISCW)

Module 6: Cisco IOS Threat Defense Features

Page 2: Implementing Secure Converged Wide Area Networks (ISCW)


Module 6: Cisco IOS Threat Defense Features

Lesson 6.2: Implementing Cisco IOS Firewalls

Page 3: Implementing Secure Converged Wide Area Networks (ISCW)


Objectives

Describe the steps needed to configure a network firewall using Cisco IOS.

Explain how to determine which interfaces should be configured with firewall commands.

Explain where to place Access Control Lists in order to filter traffic.

Describe how to configure inspection rules for application protocols.

Describe how to verify and troubleshoot firewall configurations.

Page 4: Implementing Secure Converged Wide Area Networks (ISCW)


Cisco IOS Firewall Configuration Tasks Using the CLI

Pick an interface: internal or external.

Configure IP ACLs at the interface.

Define inspection rules.

Apply inspection rules and ACLs to interfaces.

Test and verify.

Page 5: Implementing Secure Converged Wide Area Networks (ISCW)


Configuring an External Interface

Figure: Simple Topology — Configuring an External Interface. The router's Serial 1 interface connects the internal network to the external network (the Internet); the diagram marks traffic entering and traffic exiting at that interface.

Page 6: Implementing Secure Converged Wide Area Networks (ISCW)


Configuring an Internal Interface

Figure: Simple Topology — Configuring an Internal Interface. The router's Ethernet 0 interface faces the internal network, with the external network (Internet) and a DMZ containing a Web Server and a DNS Server on the other interfaces; the diagram marks traffic entering and traffic exiting on Ethernet 0 and labels the permitted path into the DMZ "Access allowed".

Page 7: Implementing Secure Converged Wide Area Networks (ISCW)


Access Control Lists Filter Traffic

Figure: Host A, Host B, the Research and Development Network and the Human Resources Network; the ACL on the router allows one host to reach a network while blocking (marked X) the other host's traffic to the same area.

Page 8: Implementing Secure Converged Wide Area Networks (ISCW)


IP ACL Configuration Guidelines

Rule 1: Start with a basic configuration.

Rule 2: Permit traffic the Cisco IOS Firewall is to inspect.

Rule 3: Use extended ACLs to filter traffic from unprotected sources.

Rule 4: Set up antispoofing protection.

Rule 5: Deny broadcast attacks.

Rule 6: Deny any traffic not already included in the previous configuration.

Page 9: Implementing Secure Converged Wide Area Networks (ISCW)


Set Audit Trails and Alerts

Router(config)#logging on
Router(config)#logging host 10.0.0.3
Router(config)#ip inspect audit-trail
Router(config)#no ip inspect alert-off

Router(config)# ip inspect audit-trail

• Enables the delivery of audit trail messages using syslog

Router(config)# no ip inspect alert-off

• Enables real-time alerts (alerts are on by default; this form reverses an earlier ip inspect alert-off)

Page 10: Implementing Secure Converged Wide Area Networks (ISCW)


Define Inspection Rules for Application Protocols

Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

• Defines the application protocols to inspect

• Will be applied to an interface:

– Available protocols are tcp, udp, icmp, smtp, esmtp, cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, and so on.

– Alert, audit-trail, and timeout are configurable per protocol and override global settings.

Router(config)#ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)#ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Page 11: Implementing Secure Converged Wide Area Networks (ISCW)


ip inspect name Parameters

Parameter Description

inspection-name Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection name for the rules.

protocol The protocol to inspect.

alert {on | off} (Optional) For each inspected protocol, the generation of alert messages can be set to on or off. If no option is selected, alerts are generated based on the setting of the ip inspect alert-off command.

audit-trail {on | off} (Optional) For each inspected protocol, the audit-trail option can be set to on or off. If no option is selected, audit trail messages are generated based on the setting of the ip inspect audit-trail command.

timeout seconds (Optional) Specify the number of seconds for a different idle timeout to override the global TCP or UDP idle timeouts for the specified protocol. This timeout overrides the global TCP and UDP timeouts but does not override the global Domain Name Service (DNS) timeout.

Page 12: Implementing Secure Converged Wide Area Networks (ISCW)


Inspection Rules for Application Protocols

Example 1: Users on access list 10 are allowed to download Java applets:

ip inspect name PERMIT_JAVA http java-list 10
access-list 10 permit 144.224.10.0 0.0.0.255
access-list 10 any

Example 2: Telling Cisco IOS Firewall what to inspect:

ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp

Page 13: Implementing Secure Converged Wide Area Networks (ISCW)


ip inspect Parameters and Guidelines

Router(config-if)# ip inspect inspection-name {in | out}

• Applies the named inspection rule to an interface

Parameter Description

inspection-name Names the set of inspection rules

in Applies the inspection rules to inbound traffic

out Applies the inspection rules to outbound traffic

On the interface where traffic initiates:

Apply an ACL in the inward direction that permits only wanted traffic.

Apply an inspection rule in the inward direction that inspects the wanted traffic.

On all other interfaces, apply an ACL in the inward direction that denies all unwanted traffic.

Page 14: Implementing Secure Converged Wide Area Networks (ISCW)


Example: Two-Interface Firewall

ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet0/0
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect OUTBOUND in
 ip access-group INSIDEACL in
!
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any
 permit udp any any
 permit icmp any any
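As an added example that is not part of the Cisco deck, the following Python linter applies the placement guidelines from the previous slide to the two-interface configuration above: every interface must carry an inbound ACL, and an interface with no inbound inspection rule must end that ACL with an explicit deny ip any any. The config text is a constructed copy of the slide and the parser understands only the commands these slides use; the same check also passes the three-interface example on the next slide.

```python
import re
TWO_IF_CONFIG = """\
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet0/0
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect OUTBOUND in
 ip access-group INSIDEACL in
!
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any
 permit udp any any
 permit icmp any any
"""  # constructed copy of the deck's two-interface firewall configuration

def parse_config(text):
    # Returns ACL name -> entries and interface -> {(command, direction): name}
    acls, ifaces, cur = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" ") and cur:  # indented line belongs to the current ACL or interface
            if cur[0] == "acl":
                acls[cur[1]].append(line.strip())
            elif m := re.match(r" ip (inspect|access-group) (\S+) (in|out)$", line):
                ifaces[cur[1]][(m[1], m[3])] = m[2]
        elif m := re.match(r"ip access-list extended (\S+)", line):
            cur = ("acl", m[1]); acls[m[1]] = []
        elif m := re.match(r"interface (\S+)", line):
            cur = ("if", m[1]); ifaces[m[1]] = {}
        else:
            cur = None  # "!" separators and other global commands end the section
    return acls, ifaces

def lint(text):
    # Applies the deck's placement guidelines; returns findings (an empty list means compliant)
    acls, ifaces = parse_config(text)
    findings = []
    for name, cfg in ifaces.items():
        rule, acl = cfg.get(("inspect", "in")), cfg.get(("access-group", "in"))
        if acl not in acls:  # every interface needs an inbound ACL (Rule 6: deny what is not permitted)
            findings.append(f"{name}: inbound ACL {acl} missing or not defined")
        elif not rule and not (acls[acl] and acls[acl][-1].startswith("deny ip any any")):
            findings.append(f"{name}: no inbound inspection, so {acl} must end with deny ip any any")
    return findings
```

Removing the deny line from OUTSIDEACL, or dropping the access-group from the outside interface, produces a finding for FastEthernet0/0.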

Page 15: Implementing Secure Converged Wide Area Networks (ISCW)


Example: Three-Interface Firewall

interface FastEthernet0/0
 ip inspect OUTSIDE in
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect INSIDE in
 ip access-group INSIDEACL in
!
interface FastEthernet0/2
 ip access-group DMZACL in
!
ip inspect name INSIDE tcp
ip inspect name OUTSIDE tcp
!
ip access-list extended OUTSIDEACL
 permit tcp any host 200.1.2.1 eq 25
 permit tcp any host 200.1.2.2 eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended DMZACL
 permit icmp any any packet-too-big
 deny ip any any log

Page 16: Implementing Secure Converged Wide Area Networks (ISCW)


Verifying Cisco IOS Firewall

show ip inspect name inspection-name
show ip inspect config
show ip inspect interfaces
show ip inspect session [detail]
show ip inspect statistics
show ip inspect all

• Displays inspections, interface configurations, sessions, and statistics

Router#show ip inspect session
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
Router#
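As an added example that is not part of the slide, the following Python parses the show ip inspect session output above and flags any established session whose initiator (the left-hand address in the router's output) lies outside the protected network, which is what a defender checks to confirm inspection only opens return paths for inside-initiated traffic. The 10.0.0.0/8 inside prefix is an assumption based on the 10.0.0.3 addresses in the deck, not something the slides state.

```python
import ipaddress
import re

# Constructed copy of the "show ip inspect session" output shown on the slide.
SESSION_OUTPUT = """\
Router#show ip inspect session
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
Router#
"""
LINE = re.compile(r"Session (\w+) \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\w+) (\w+)")

def parse_sessions(text):
    # One dict per session line, fields in the order the router prints them
    sessions = []
    for m in LINE.finditer(text):
        sid, src, sport, dst, dport, proto, state = m.groups()
        sessions.append({"id": sid, "src": src, "sport": int(sport), "dst": dst,
                         "dport": int(dport), "proto": proto, "state": state})
    return sessions

def unexpected_initiators(text, inside_prefix):
    # The inspection rule is applied inbound on the inside interface, so every session it
    # tracks should have been initiated from inside_prefix (assumed 10.0.0.0/8 for the deck's
    # topology); anything else indicates a hole opened for outside-initiated traffic.
    net = ipaddress.ip_network(inside_prefix)
    return [s for s in parse_sessions(text) if ipaddress.ip_address(s["src"]) not in net]
```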

Page 17: Implementing Secure Converged Wide Area Networks (ISCW)


Troubleshooting Cisco IOS Firewall

Router# debug ip inspect function-trace
Router# debug ip inspect object-creation
Router# debug ip inspect object-deletion
Router# debug ip inspect events
Router# debug ip inspect timers
Router# debug ip inspect detail

• General debug commands

Router# debug ip inspect protocol

• Protocol-specific debug

Page 18: Implementing Secure Converged Wide Area Networks (ISCW)


Summary

The main feature of the Cisco IOS Firewall has always been its stateful inspection.

An ACL can allow one host to access a part of your network and prevent another host from accessing the same area.

Use access lists in "firewall" routers that you position between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network.

An inspection rule should specify each desired application layer protocol that the Cisco IOS Firewall will inspect, as well as generic TCP, UDP, or Internet Control Message Protocol (ICMP), if desired.

Use the ip inspect name command in global configuration mode to define a set of inspection rules.

Page 19: Implementing Secure Converged Wide Area Networks (ISCW)


Q and A

Page 20: Implementing Secure Converged Wide Area Networks (ISCW)


Resources

Cisco IOS Firewall Introduction
http://cisco.com/en/US/partner/products/sw/secursw/ps1018/index.html

Cisco IOS Firewall Support
http://cisco.com/en/US/partner/products/sw/secursw/ps1018/tsd_products_support_series_home.html

Cisco IOS Firewall Design Guides
http://cisco.com/en/US/partner/products/sw/secursw/ps1018/products_implementation_design_guides_list.html
