ACLs and Firewall Technologies
3 Nov 2009
What this lecture is about:
- Some more ACL types
  - Dynamic ACLs
  - Time-based ACLs
- Troubleshooting ACL misconfiguration
- Cisco IOS Firewall
2
ACLs, season one – The beginnings
Quick recap! What you've learned so far:
- By the process of decision, ACLs are:
  - Standard (filter only the source IP address)
  - Extended (filter source, destination, protocols...)
- By the way they are created:
  - Numbered (1-99 and 100-199: remember these!)
  - Named: use a meaningful name
- You know you can filter certain TCP packets ("established", "ack", "fin"...)
- And you've learned about reflexive ACLs
  - They allow replies for internally initiated connections
3
ACLs, season two – The revenge of ACLs
But there's more! We also have:
- Dynamic ACLs (or lock-and-key ACLs)
  - You'll see who's the lock and who's the key.
- Time-based ACLs
  - Because it was "about time" you knew about these too...
We're going to talk about these in the first part of this lecture.
4
Dynamic ACLs
They’re so dynamic, they’ll drive you crazy
5
Dynamic ACLs
- Also known as lock-and-key ACLs
- Can be used for IP traffic only, and have some requirements:
  - Telnet connectivity
  - Some form of authentication (local or not)
  - Extended ACLs
6
Dynamic ACL behaviour
What's so dynamic about them?
- Initially, an extended ACL blocks all traffic to the router, except for Telnet connections.
- To traverse the router, a user must first use Telnet and authenticate successfully.
- If successful, a single dynamic ACL entry is added to the existing extended ACL.
  - The Telnet connection is dropped
  - The dynamic entry can permit anything you want
  - The dynamic entry has a limited "lifetime"
7
Dynamic ACL behaviour example
[Diagram: a remote host on the Internet connects to the router. Step 1: allow Telnet to the router. Step 2: authenticate the user against the local username database or an AAA server. Step 3: add the user's dynamic ACL entry; deny everything else.]
8
Dynamic ACLs from a security point of view
Dynamic ACLs offer several security benefits:
- Rely on user authentication.
- Reduce router processing for ACLs.
- By default, everything except Telnet is denied.
  - Less exposed network for attackers.
- Can create dynamic access for users through a firewall.
  - Without permanently "punching a hole" in the firewall.
- Can work with SSH connections instead of Telnet.
- Simplify and secure management tasks for larger networks.
9
Steps for defining dynamic ACLs
- Create the authentication method
  - Local (user database)
  - External AAA server
  - Line password: normally not used, because all users would have the same password...
- Create the extended ACL
  - Can be numbered or named
  - Must have a statement that permits Telnet and/or SSH
  - Must have only one dynamic entry
    - This entry becomes active only after user authentication
- Enable the dynamic authentication method
  - On the vty lines
10
Dynamic ACLs scenario
[Diagram: the PC sits on 192.168.10.0/24 behind R1; R1 and R2 are linked over 10.2.2.0/30, with R2 at 10.2.2.2/30; the server 192.168.30.1/24 is on R2's 192.168.30.0/24 LAN.]
- The PC uses Telnet to connect to R2 and authenticate
- Within a given time allowance, the PC is granted access to all 192.168.30.10/24 server services through R2
11
Dynamic ACLs example configuration
Defining a username:
R2(config)#username student secret b33r
Creating the ACL:
R2(config)#access-list 120 permit tcp any host 10.2.2.2 eq telnet
R2(config)#access-list 120 dynamic MY_LIST timeout 10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Applying the ACL:
R2(config)#int fast0/0
R2(config-if)#ip access-group 120 in
Instruct the line to activate the dynamic entry upon login:
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#autocommand access-enable host timeout 5
12
ACL creation explained
Creating the ACL:
R2(config)#access-list 120 permit tcp any host 10.2.2.2 eq telnet
R2(config)#access-list 120 dynamic MY_LIST timeout 10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
- The first entry only allows Telnet connections to the router's interface.
- The second entry is inactive until a successful Telnet authentication is completed
  - It will then allow all traffic coming from the server and going to the LAN.
  - ... for a limited time: after 10 minutes ("timeout 10") the dynamic entry is deactivated.
    - It doesn't matter whether there's still traffic flowing or not.
- The name is not relevant at this time.
13
ACL creation explained - activating
Instruct the line to activate the dynamic entry upon login:
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#autocommand access-enable host timeout 5
- "autocommand" tells the router to execute a privileged-level command after each login
- The "access-enable" command activates the dynamic entry in the dynamic ACL.
- The timeout in this command is the "idle" timeout
  - If the connection has been idle for 5 minutes, the dynamic entry is deactivated.
  - The timeout in the dynamic entry is the "global" timeout.
- "host" will enable the dynamic entry only for the connecting host, not its entire subnet
14
A little hint
- Right after authenticating using Telnet, the connection is dropped.
  - If you intended to access the CLI, you'll probably use Telnet again.
- If the global timeout value is too short for you, you can use the following command to add another 6 minutes to the timeout value:
R2(config)#access-list dynamic-extended
  - It will only work if the dynamic ACL entry hasn't expired yet.
  - And only once.
15
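The two timers and the one-shot extension described on the last three slides, as an added example (not from the lecture): a Python model of a single activated dynamic entry using the slide's 10 minute global timeout, 5 minute idle timeout and 6 minute extension. The host address and the event traces are constructed; IOS keeps these timers internally and the class only reproduces the rules the slides state.

```python
# Added example (not from the lecture): the rules the slides state for a
# lock-and-key entry, with the slide's values.  IOS keeps these timers
# internally; this class only reproduces the stated behaviour.  The host
# address and the event traces are constructed.

GLOBAL_TIMEOUT = 10   # minutes: "timeout 10" on the dynamic entry (absolute)
IDLE_TIMEOUT = 5      # minutes: "access-enable host timeout 5" (idle)
EXTENSION = 6         # minutes added, once, by "access-list dynamic-extended"


class DynamicEntry:
    """One activated dynamic entry for a single host ("host" keyword).
    Times are minutes since the Telnet login that activated it."""

    def __init__(self, host, activated_at=0.0):
        self.host = host
        self.expires_at = activated_at + GLOBAL_TIMEOUT   # absolute deadline
        self.last_seen = activated_at                     # feeds the idle timer
        self.extended = False                             # extension used yet?
        self.active = True

    def check(self, now):
        """Deactivate the entry if either timer has run out by `now`."""
        idle_deadline = self.last_seen + IDLE_TIMEOUT
        if self.active and (now >= self.expires_at or now >= idle_deadline):
            self.active = False
        return self.active

    def packet(self, now):
        """A packet from the host is permitted only while the entry is active.
        A permitted packet refreshes the idle timer, never the global one."""
        if not self.check(now):
            return False
        self.last_seen = now
        return True

    def dynamic_extended(self, now):
        """`access-list dynamic-extended`: +6 minutes on the global timer,
        only while the entry has not expired, and only once."""
        if not self.check(now) or self.extended:
            return False
        self.expires_at += EXTENSION
        self.extended = True
        return True


def replay(events):
    """Run (time, action) events against a fresh entry for the scenario's PC
    (constructed address) and return the verdict per event.  Actions: 'pkt'
    (a packet from the host), 'extend' (access-list dynamic-extended run)."""
    entry = DynamicEntry("192.168.10.10")
    results = []
    for t, action in events:
        if action == "pkt":
            results.append((t, "permit" if entry.packet(t) else "deny"))
        else:
            results.append((t, "extended" if entry.dynamic_extended(t) else "refused"))
    return results
```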
Dynamic ACL summary
- Dynamic entries are introduced in normal ACLs
- They are inactive by default
- They are activated by a successful Telnet or SSH login
- They don't last long...
16
Time-based ACLs
Not even services work 24/7…
17
Time-based ACLs
- Have the same functionality as extended ACLs
- Can also control access based on time
  - "no access to company servers outside the working hours"
  - "employee access to messenger service only during lunch"
  - "eu.logon.worldofwarcraft.com" only on weekends
- Can provide a more secure access to resources
  - Allowing a certain type of traffic indefinitely might not be desirable.
- Network overview: time-based ACLs can log traffic only at certain times of the day.
18
Configuring time-based ACLs
First, a "time range" object must be created globally.
Example – absolute time range:
R1(config)#time-range MYTIME
R1(config-time-range)#absolute start 08:00 27 November 2009 end 20:00 28 November 2009
Example – periodic time range:
R1(config)#time-range PERIODIC
R1(config-time-range)#periodic daily 09:30 to 12:00
19
Absolute and periodic events
- Absolute events take place only once
  - They last for the entire duration of the timespan
- Periodic events can repeat every (keyword list):
  - Monday, Tuesday, Wednesday, ...
  - Daily
  - Weekdays
  - Weekend
20
Using time ranges with ACLs
Using the "time-range" keyword:
R1(config)#access-list 101 permit tcp any host 192.168.1.1 eq www time-range MYTIME
- The ACL can then be applied to any interface
- The "time-range" entries are only checked during their respective time intervals.
- Extended ranges for absolute entries:
  - Omitting the start time will default to the current time
  - Omitting the end time will default to 23:59 on 31st of Dec, 2035
- Don't forget to set the clock right! Remember NTP!
21
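As an added example (not part of the lecture), a Python model of the absolute and periodic time-range semantics of the last three slides, including the defaults for an omitted start or end, applied to the slide's MYTIME and PERIODIC ranges. The mapping of the periodic keywords to weekdays and the evaluate() helper, which assumes the entries would otherwise match the packet, are assumptions of this example.

```python
from datetime import datetime, time

# Added example (not from the lecture): IOS time-range semantics as the
# slides describe them.  The keyword-to-weekday mapping and evaluate() are
# assumptions of this example; the two ranges at the bottom are the slide's.

DEFAULT_END = datetime(2035, 12, 31, 23, 59)      # used when "end" is omitted
DAY_KEYWORDS = {
    "daily": set(range(7)),
    "weekdays": {0, 1, 2, 3, 4},                   # Monday .. Friday
    "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


class TimeRange:
    """One `time-range NAME` object holding absolute and/or periodic statements."""

    def __init__(self, name):
        self.name = name
        self.absolute = None    # (start, end) datetimes, or None
        self.periodic = []      # list of (weekday set, start time, end time)

    def set_absolute(self, start=None, end=None, now=None):
        """`absolute [start ...] [end ...]`: an omitted start means "from now",
        an omitted end means 23:59 on 31 December 2035."""
        self.absolute = (start or (now or datetime.now()), end or DEFAULT_END)

    def add_periodic(self, days, start, end):
        """`periodic daily 09:30 to 12:00` -> add_periodic("daily", time(9, 30), time(12, 0))"""
        self.periodic.append((DAY_KEYWORDS[days.lower()], start, end))

    def is_active(self, when):
        """Active when the absolute window (if any) covers `when` and, if
        periodic statements exist, at least one of them matches."""
        if self.absolute and not (self.absolute[0] <= when <= self.absolute[1]):
            return False
        if not self.periodic:
            return self.absolute is not None
        return any(when.weekday() in days and start <= when.time() <= end
                   for days, start, end in self.periodic)


def evaluate(acl, when):
    """Walk an ACL given as (action, time_range_or_None) entries that would all
    match the packet, the way IOS does: an entry whose time range is inactive
    is skipped as if absent; the implicit deny at the end catches the rest."""
    for action, rng in acl:
        if rng is None or rng.is_active(when):
            return action
    return "deny"


# The two ranges configured on the slides.
MYTIME = TimeRange("MYTIME")
MYTIME.set_absolute(datetime(2009, 11, 27, 8, 0), datetime(2009, 11, 28, 20, 0))
PERIODIC = TimeRange("PERIODIC")
PERIODIC.add_periodic("daily", time(9, 30), time(12, 0))
```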
Debugging access lists
- Use the "show access-lists" command to view all configured ACLs on the router, or a specific ACL:
  - Non-applied ACLs are also displayed
  - The number of matched packets is also displayed for each entry.
    - Matches include permitted and denied packets.
22
Number of matches
Analyze the number of matches per entry in order to:
- Determine whether the traffic flows as expected
  - Test load balancing
- Determine whether the ACL entries are in the correct order
  - Ex: denying TCP after permitting IP has no effect
  - Ex: permitting a certain service to a subnet after denying all traffic to the subnet has no effect
- Optimize the ACL
  - Entries with higher match counts should be at the beginning of the ACL
  - Stepping through all the entries of an ACL for each packet uses CPU cycles
- Security
  - Matches on explicitly denied services or types of packets can indicate attack attempts.
23
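The two ordering mistakes above, checked mechanically, as an added example (not from the lecture): a small Python parser for extended ACEs in the syntax of these slides that reports entries shadowed by an earlier entry. The parser handles only that subset of the syntax (no source ports, no non-contiguous wildcards) and the two ACLs at the bottom are constructed.

```python
import ipaddress

# Added example (not from the lecture): a checker for the two ordering
# mistakes on the slide ("denying TCP after permitting IP" and "permitting a
# service to a subnet after denying all traffic to the subnet").  The parser
# is ours and understands only action, protocol, source, destination and an
# optional "eq PORT" on the destination; the ACLs at the bottom are constructed.

class Ace:
    def __init__(self, line):
        tokens = line.split()
        self.text = line
        self.action, self.proto = tokens[0], tokens[1].lower()
        rest = tokens[2:]
        self.src = self._take_addr(rest)
        self.dst = self._take_addr(rest)
        # only "eq PORT" on the destination is understood (numeric or name,
        # compared as written: "23" and "telnet" are not unified here)
        self.port = rest[1] if rest[:1] == ["eq"] else None

    @staticmethod
    def _take_addr(tokens):
        """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from tokens."""
        t = tokens.pop(0)
        if t == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if t == "host":
            return ipaddress.ip_network(tokens.pop(0) + "/32")
        wildcard = int(ipaddress.ip_address(tokens.pop(0)))
        # Cisco wildcard bits are the inverse of a netmask; a non-contiguous
        # wildcard raises here, which is deliberate for this checker.
        mask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
        return ipaddress.ip_network((t, str(mask)), strict=False)

    def covers(self, other):
        """True if every packet `other` describes is also matched by self."""
        return (self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.port is None or self.port == other.port))


def shadowed_entries(lines):
    """Return (index, covering_index, same_action) for each entry that an
    earlier entry already covers.  same_action=False is a logic error (the
    slide's two examples); True is merely a redundant entry."""
    aces = [Ace(line) for line in lines]
    found = []
    for i, ace in enumerate(aces):
        for j in range(i):
            if aces[j].covers(ace):
                found.append((i, j, aces[j].action == ace.action))
                break
    return found


# Constructed ACLs reproducing the slide's two examples.
DENY_AFTER_PERMIT = [
    "permit ip any any",
    "deny tcp any host 192.168.2.10 eq 23",    # never reached
]
PERMIT_AFTER_DENY = [
    "deny ip any 192.168.2.0 0.0.0.255",
    "permit tcp any host 192.168.2.10 eq 80",  # never reached
    "permit tcp any host 192.168.3.10 eq 80",  # fine: different subnet
]
```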
Real-time traffic
Use "debug" commands to view allowed and dropped packets:
R1#debug ip packet
IP packet debugging is on
R1#
Oct 30 09:31:47.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:47.668: IP: s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), len 56, sending
Oct 30 09:31:49.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:49.668: IP: tableid=0, s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), routed via FIB
Oct 30 09:31:49.668: IP: s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), len 56, sending
Oct 30 09:31:51.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:51.668: IP: s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), len 56, sending
Oct 30 09:31:57.996: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1 (FastEthernet0/0), len 44, rcvd 3
Displayed packets can also be filtered using an access list:
R1#debug ip packet ?
<1-199> Access list
<1300-2699> Access list (expanded range)
detail Print more debugging detail
24
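Detection logic over `debug ip packet` output, as an added example (not from the lecture): a Python parser for lines in the format shown above that counts "access denied" packets per source and flags sources with repeated denies inside a short window, the attack indicator mentioned on the previous slide. The regular expression, window and threshold are choices of this example, and the sample lines are constructed in the slide's format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added example (not from the lecture): detection logic over `debug ip packet`
# lines in the format shown above.  The regular expression, the window and the
# threshold are choices of this example; SAMPLE is constructed in the slide's
# format (the three denied packets from 10.2.2.2 mirror the slide's output).

LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: IP: (?:tableid=\d+, )?"
    r"s=(?P<src>[\d.]+)(?: \((?P<sif>[^)]+)\))?, d=(?P<dst>[\d.]+)(?: \([^)]+\))?"
    r"(?:, len (?P<len>\d+))?, (?P<verdict>.+)$"
)


def parse_debug(lines):
    """One dict per recognised line (timestamp, src, dst, verdict, ...); lines
    that do not fit the format are skipped rather than guessed at."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year-less
        rec["denied"] = rec["verdict"].startswith("access denied")
        records.append(rec)
    return records


def deny_counts(lines):
    """Denied packets per source address: the 'number of matches' view, per host."""
    return Counter(r["src"] for r in parse_debug(lines) if r["denied"])


def flag_repeated_denies(lines, window=timedelta(seconds=10), threshold=3):
    """Sources with at least `threshold` denied packets inside any `window`:
    repeated hits on an explicit deny are the attack indicator the slides mention."""
    times = defaultdict(list)
    for r in parse_debug(lines):
        if r["denied"]:
            times[r["src"]].append(r["when"])
    flagged = []
    for src, ts in times.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            flagged.append(src)
    return sorted(flagged)


SAMPLE = """\
Oct 30 09:31:47.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:47.668: IP: s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), len 56, sending
Oct 30 09:31:49.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:49.668: IP: tableid=0, s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), routed via FIB
Oct 30 09:31:51.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:57.996: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1 (FastEthernet0/0), len 44, rcvd 3
Oct 30 09:32:30.001: IP: s=10.9.9.9 (FastEthernet0/0), d=10.1.1.1, len 60, access denied
""".splitlines()
```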
Mitigating Attacks With ACLs
Just when you thought the ACLs were over…
25
Prevent address spoofing
- You should not allow inbound packets having a source IP address from inside your private network
- Generally, the following addresses should not be allowed:
  - Any local host address (127.0.0.0/8)
  - Any private addresses (RFC 1918 – specific)
  - Any addresses from the IP multicast range (224.0.0.0/4)
[Diagram: a packet arriving from the Internet with S: 192.168.12.23, D: 192.168.12.1, heading for the server and claiming "Let me through, I'm from your 192.168.12.1 network!"]
26
Example ACL
Example general anti-spoofing configuration:
R2(config-std-nacl)#do sh access-list NO_SPOOF
Standard IP access list NO_SPOOF
10 deny 127.0.0.0, wildcard bits 0.255.255.255
20 deny 10.0.0.0, wildcard bits 0.255.255.255
30 deny 172.16.0.0, wildcard bits 0.15.255.255
40 deny 192.168.0.0, wildcard bits 0.0.255.255
50 deny 224.0.0.0, wildcard bits 15.255.255.255
Also, packets coming from inside the network with a source address other than one from your own subnets should not be allowed.
27
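The anti-spoofing policy of the last two slides as an added Python example (not from the lecture): the NO_SPOOF entries converted from Cisco wildcard bits into prefixes, plus the ingress check on the outside interface and the egress check on the inside interface that the slides describe. The interface roles, the inside prefixes and the sample source addresses are constructed.

```python
import ipaddress

# Added example (not from the lecture): the anti-spoofing policy of the last
# two slides as a small ingress/egress filter.  The NO_SPOOF entries are the
# slide's; the inside prefixes (the diagram's LAN plus a constructed public
# block) and the sample packets are constructed.

NO_SPOOF = [              # (address, wildcard bits) as in "show access-list NO_SPOOF"
    ("127.0.0.0", "0.255.255.255"),
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
    ("224.0.0.0", "15.255.255.255"),
]
INSIDE_PREFIXES = [                      # constructed: "your own subnets"
    ipaddress.ip_network("192.168.12.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def wildcard_to_network(address, wildcard):
    """A Cisco wildcard is the bitwise inverse of a netmask: 0 bits must match,
    1 bits are "don't care", so 0.15.255.255 is a /12 and 15.255.255.255 a /4."""
    inverse = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    # strict=False tolerates host bits in the address field, as IOS does.
    return ipaddress.ip_network((address, str(ipaddress.ip_address(inverse))), strict=False)


NO_SPOOF_NETS = [wildcard_to_network(a, w) for a, w in NO_SPOOF]


def inbound_verdict(src):
    """Packet arriving on the outside interface.  Deny sources that are loopback,
    RFC 1918 or multicast (the NO_SPOOF list) or that claim to come from one of
    our own subnets; anything else falls through to the rest of the policy."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in NO_SPOOF_NETS):
        return "deny (NO_SPOOF)"
    if any(ip in net for net in INSIDE_PREFIXES):
        return "deny (claims inside source)"
    return "permit"


def outbound_verdict(src):
    """Packet arriving on the inside interface, heading out: only sources from
    our own subnets are plausible (the egress rule in the slide's last bullet)."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in INSIDE_PREFIXES):
        return "permit"
    return "deny (not an inside source)"
```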
Mitigating DoS Smurf attacks
Do you remember what a smurf attack was?
- Smurf attack: sending a spoofed ping request to the broadcast address of a subnet.
  - All hosts reply with an echo-request
  - The network can become saturated
- The "evil" way:
  - The attacker also spoofs the source IP address of the ping packets
    - A victim's real IP address is used
  - All replies go back to one single victim
  - The network acts as an amplifier for the attack
28
Mitigating DoS Smurf Attacks
Disable directed broadcasts on a per-interface basis:
R2(config)#int fastEthernet 0/0
R2(config-if)#no ip directed-broadcast
Starting with IOS version 12.0, this is the default setting.
29
Preventing TCP attacks
- A device maintains the state of every active TCP connection.
- A TCP SYN flood overwhelms the device's operating system by opening a large number of TCP sessions without closing them.
- You've learned about a way to prevent this. How?
- Answer: use an extended ACL to block SYN TCP packets from the outside.
R2(config-ext-nacl)#deny tcp any 192.168.2.0 0.0.0.255 syn
- Another way: using TCP Intercept ...AND access lists
30
TCP Intercept
- Helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests.
- Intercepts TCP SYN connections from clients to servers according to an extended ACL.
  - Establishes a connection to the client, on behalf of the server
  - Establishes a connection to the server, on behalf of the client
  - Connection attempts from unreachable clients will not reach the servers – they would fail at the first attempt
- If illegitimate requests are detected, actions are taken:
  - Half-open connections are closed after a threshold
  - A timeout timer is started for all sessions
31
Example TCP Intercept Configuration
Define an access list to identify connections to be intercepted:
ip access-list extended TCP_INTER
permit tcp any host 192.168.1.1 eq www
permit tcp any host 192.168.1.1 eq smtp
permit tcp any host 192.168.1.1 eq pop3
Configure TCP Intercept parameters:
ip tcp intercept list TCP_INTER
ip tcp intercept connection-timeout 1800
ip tcp intercept max-incomplete low 1000
ip tcp intercept max-incomplete high 1500
ip tcp intercept drop-mode oldest
(drop-mode: drop the oldest or random connections)
32
TCP Intercept behaviour
[Diagram of the intercepted handshake: (1) SYN, (2) SYN+ACK, (3) ACK between the client and the router, which answers on behalf of the server; then (4) SYN, (5) SYN+ACK, (6) ACK between the router and the server, on behalf of the client; (7) the two half-connections are joined.]
33
Firewall Technologies
Who let the dogs… in?
34
Firewalls
Original term...
Firewall: a system that enforces an access control policy between networks.
A firewall must be:
- Resistant to attacks (why?)
- The only transit point (why?)
- Responsible for enforcing the access control policy
Network access policies are implemented on firewalls that manage all inbound connections
35
Benefits of firewalls
- Can hide sensitive data
- Prevent malicious data from entering a network
- Can prevent exploits
- Central point for implementing security policies
36
Drawbacks of firewalls
- A single firewall is also a single point of failure
- Misconfiguration can make the entire network vulnerable
- Many applications cannot be passed over a firewall securely
- Network performance slows down
- Unauthorized traffic can be tunneled or hidden
  - Your users will constantly try to find new ways of bypassing your firewall.
37
Firewall flavors
- Software-based
  - Simple applications that make software decisions about traffic entering or leaving the machine they are running on
  - Suited for single computers or very small networks
- Dedicated devices – hardware processing
  - Cisco PIX
  - Cisco ASA
38
Types of firewalls: Packet filtering
- Packet-filtering firewall (or stateless firewall)
- Has a limited ability to filter packets based on layer 3 and layer 4 information.
- That's right! Access lists!
39
Packet filtering pros and cons
Pros:
- Simple rules, easy to implement and update
- Low CPU requirements
- Supported by all routers
- Low cost
Cons:
- Susceptible to IP spoofing
- Complex ACLs are difficult to maintain and update
- Limited functionality
- Stateless
40
Types of firewalls – Stateful firewall
- Also monitors the state of connections
  - Initiation, data transfer, termination
- Can detect abnormal connection behaviour that might indicate attacks or exploits.
41
Stateful firewalls pros and cons
Pros:
- More granular control for packet filtering
- Can defend against DoS attacks
- Offer more precise statistic data
Cons:
- They do not examine the application-layer content
- Not all protocols are stateful (UDP, ICMP)
42
Types of firewalls – Application Layer Gateway
- Also known as a "proxy firewall"
- Also analyzes the application layer in its decisions
- Control and filtering is mostly done in software
43
Cisco's dedicated solution
44
Firewalls in network design
The simplest design:
[Diagram: LAN – Firewall – Internet]
The DMZ design:
[Diagram: LAN and DMZ on separate interfaces of the Firewall, which connects to the Internet]
45
Trust
Considering the second design, a firewall would have three interfaces:
- A "trusted" interface facing the local network (inside)
- An "untrusted" interface connecting to the Internet (outside)
- A "DMZ" interface
Usual policies:
- No connections can be made from outside to the inside
- The inside network can access the DMZ and the Internet
- The DMZ can be accessed from the Internet and the LAN
  - The place for public services (DNS, HTTP, SMTP, etc)
46
The DMZ
- The DMZ is intentionally exposed
  - Public services must be ... publicly accessible
- For security reasons, the DMZ must not be allowed to connect to the LAN.
  - In case the DMZ is compromised, the internal network must still be secured.
- The firewall allows traffic to the DMZ, with restrictions
  - Only permit necessary traffic, block everything else
  - Must detect abnormal usage of DMZ services (attacks, exploits)
47
CBAC = Context-Based Access Control
- Solution available within the Cisco IOS Firewall.
- Intelligent TCP and UDP filter, inspects application layer protocol and session information.
- Stateful session tracking
48
CBAC improvements
CBAC provides several improvements over established and reflexive ACL rules:
- Monitors TCP setup (three-way handshake)
- Tracks TCP sequence numbers
- Inspects DNS queries and replies
- Inspects ICMP message types
- Supports applications that rely on multiple connections
- Inspects embedded addresses (for NAT/PAT)
- Inspects application-layer information
- Based on timeouts for stateless protocols, to prevent spoofing.
CBAC is not intended to protect against internal threats.
49
How does CBAC work?
- Creates temporary openings in ACLs to allow valid traffic replies back inside the network (like dynamic ACLs)
- Unlike dynamic ACLs, CBAC tracks:
  - Application-layer protocol information
  - Connection state information
- The state table adapts dynamically
- Inspection rules are applied only if the packet passes the inbound ACL of the interface.
50
CBAC operation example
51
CBAC protocol operation
TCP handling
- Each session is described and tracked by:
  - Endpoint addresses and port numbers
  - Sequence numbers (including ACKs)
  - Flags
- Packets are checked against the current state and discarded if they do not comply.
UDP handling
- There is no trackable connection state
- Traffic is allowed back in for a preconfigured time interval
Other IP protocols
- CBAC inspects protocols that negotiate protocol numbers (FTP)
- Other protocols, like GRE and IPsec, are treated in a connectionless manner
52
CBAC inspection rules
- CBAC firewall rules are called "inspection rules"
- An inspection rule is applied to an interface with regard to the direction of traffic (in/out), just like an ACL.
- The rule must be configured to inspect all the required protocols.
- The Cisco Firewall engine recognizes illegal application-specific commands and can take several actions:
  - Generate alert messages
  - Protect certain system resources
  - Block packets from possible attackers
53
CBAC and TCP-based DoS attacks
- The connection state database is also used to determine abnormal connections.
- Three thresholds are provided by the Cisco IOS Firewall:
  - Total number of half-opened TCP sessions
  - Number of half-opened TCP sessions in a time interval
  - Number of half-opened TCP sessions for a certain host
- If a threshold is exceeded, the firewall acts in one of two ways:
  - Starts sending reset messages to the oldest connections in the table in order to free up resources
  - Temporarily blocks all SYN packets, to preserve resources
54
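The half-open session bookkeeping shared by TCP Intercept (slides 31 and 32: max-incomplete low/high, drop-mode oldest, the timeout timer) and the CBAC thresholds on this slide, as an added Python example (not from the lecture). The aggressive-mode rule, the simplified per-host reaction and the default thresholds ([400:500], 50 per host, as in the `show ip inspect config` output on a later slide) are assumptions stated in the comments; the per-minute threshold is not modelled and the traffic is constructed.

```python
from collections import OrderedDict

# Added example (not from the lecture): a model of the half-open session table
# that TCP Intercept (max-incomplete low/high, drop-mode oldest, timeout) and
# CBAC (total and per-host half-open thresholds) build on.  Above the high
# watermark the table enters aggressive mode and, for every new SYN, frees the
# oldest half-open session until the count is back below the low watermark; a
# per-host limit refuses further SYNs from one noisy source.  The per-minute
# threshold and CBAC's block-time are not modelled and the per-host reaction is
# simplified to a refusal; the defaults are those of `show ip inspect config`
# on a later slide, the traffic is constructed.

class HalfOpenTable:
    def __init__(self, low=400, high=500, per_host=50):
        self.low, self.high, self.per_host = low, high, per_host
        self.sessions = OrderedDict()   # (src, sport, dst, dport) -> SYN time, oldest first
        self.aggressive = False
        self.dropped = []               # sessions freed by aggressive mode, oldest first

    def half_open_for(self, src):
        return sum(1 for key in self.sessions if key[0] == src)

    def syn(self, src, sport, dst, dport, now):
        """A new SYN arrives.  Returns 'refuse' (per-host limit hit), 'accept',
        or 'aggressive' (accepted, but the oldest half-open session was dropped
        to make room: drop-mode oldest / reset to the oldest connection)."""
        if self.half_open_for(src) >= self.per_host:
            return "refuse"
        self.sessions[(src, sport, dst, dport)] = now
        if len(self.sessions) > self.high:
            self.aggressive = True
        if not self.aggressive:
            return "accept"
        victim, _ = self.sessions.popitem(last=False)
        self.dropped.append(victim)
        if len(self.sessions) < self.low:
            self.aggressive = False
        return "aggressive"

    def handshake_done(self, src, sport, dst, dport):
        """Final ACK seen: the session is established and leaves the table."""
        return self.sessions.pop((src, sport, dst, dport), None) is not None

    def expire(self, now, synwait=30):
        """The timeout timer: half-open sessions not completed within `synwait`
        seconds (tcp synwait-time) are dropped.  Returns how many were removed."""
        stale = [key for key, t in self.sessions.items() if now - t >= synwait]
        for key in stale:
            del self.sessions[key]
        return len(stale)
```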
Before configuring CBAC: ACLs (again!)
Remember that traffic must be permitted through the interface ACL before it gets inspected by the CBAC rules.
55
Configuring CBAC – inspection rules
- An inspect rule can specify:
  - Generic protocols, like TCP, UDP, ICMP
  - Specific application-layer protocols
- An inspection rule consists of a series of statements
  - Each statement of a rule has the same rule name and a specific protocol to inspect.
R2(config)#ip inspect name FWRULE bittorrent
R2(config)#ip inspect name FWRULE edonkey
R2(config)#ip inspect name FWRULE pop3
R2(config)#ip inspect name FWRULE smtp
R2(config)#ip inspect name FWRULE http
R2(config)#ip inspect name FWRULE https
The firewall will inspect all TCP and UDP connections, but protocols in the inspect rules will be enhanced – application-level analysis.
56
Configuring CBAC – inspection rules options
Other options available for each entry:
R2(config)#ip inspect name FWRULE ssh alert on audit-trail on timeout 3600
R2(config)#ip inspect name FWRULE irc alert off audit-trail off
- The "alert" keyword controls syslog messages.
- The "audit-trail" keyword builds an audit trail of the specified events occurring in the firewall
  - A chronological sequence of audit records.
- The "timeout" value overrides the default TCP and UDP timeout values.
- If unspecified, the "alert" and "audit-trail" values are set according to the following commands:
R2(config)#ip inspect audit-trail
R2(config)#no ip inspect alert-off
57
Configuring CBAC (3) – Alerts and audits
- CBAC has 2 types of logging functions: alerts and audits
- Alerts – messages concerning CBAC operation
  - Alert on low resources
  - Alert on detected DoS attack
  - Enabled by default and displayed on the console. Disable with:
R(config)#ip inspect alert-off
Alert example: SMTP attack attempt:
%FW-4-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator (209.165.201.5:49387)
58
Configuring CBAC (4) – alerts and audits
- Audits keep track of connections inspected by CBAC.
  - Display messages when the router adds or removes an entry from the state table.
  - The audit record gives basic statistical info about the connection.
  - Disabled by default, enable with:
R(config)#ip inspect audit-trail
Example audit message for initiating a Telnet connection:
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.2:32782) sent 22 bytes responder (209.165.201.1:23) sent 200 bytes
59
Configuring CBAC (5)
Applying the inspection rule to an interface:
R2(config)#int fastEthernet 0/0
R2(config-if)#ip inspect FWRULE in
General rules when applying ACLs and inspection rules:
- On the "inside" interface, use an ACL that permits only allowed traffic to leave the network.
- On the "outside" interface, use an ACL that permits the required traffic, including the traffic to be inspected by CBAC.
60
Verifying CBAC
R2#show ip inspect config
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name FWRULE
bittorrent alert is on audit-trail is on timeout 3600
edonkey alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
pop3 alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
https alert is on audit-trail is on timeout 3600
ssh alert is on audit-trail is on timeout 3600
irc alert is off audit-trail is off timeout 3600
61
Windows Firewall
An entirely new approach to security
62
Windows Firewall design and deployment
63
Nope, just kidding :)
THE END!!!
64