ACLs and Firewall Technologies

3-nov-2009

What this lecture is about:

- Some more ACL types
  - Dynamic ACLs
  - Time-based ACLs
- Troubleshooting
  - ACL misconfiguration
- Cisco IOS Firewall

ACLs, season one – The beginnings

- Quick recap!
- What you've learned so far:
  - By the process of decision, ACLs are:
    - Standard (filter only the source IP address)
    - Extended (filter source, destination, protocols...)
  - By the way they are created:
    - Numbered (1-99 and 100-199: remember these!)
    - Named: use a meaningful name
  - You know you can filter certain TCP packets ("established", "ack", "fin"...)
  - And you've learned about reflexive ACLs
    - They allow replies for internally initiated connections

ACLs, season two – The revenge of ACLs

- But there's more!
- We also have:
  - Dynamic ACLs (or lock-and-key ACLs)
    - You'll see who's the lock and who's the key.
  - Time-based ACLs
    - Because it was "about time" you knew about these too...
- We're going to talk about these in the first part of this lecture.

Dynamic ACLs

They're so dynamic, they'll drive you crazy

Dynamic ACLs

- Also known as lock-and-key ACLs
- Can only be used for IP traffic, and have some requirements:
  - Telnet connectivity
  - Some form of authentication (local or not)
  - Extended ACLs

Dynamic ACL behaviour

- What's so dynamic about them?
- Initially, an extended ACL blocks all traffic to the router, except for Telnet connections.
- To traverse the router, a user must first use Telnet and authenticate successfully.
- If successful, a single dynamic ACL entry is added to the existing extended ACL.
  - The Telnet connection is dropped
  - The dynamic entry can permit anything you want
  - The dynamic entry has a limited "lifetime"

Dynamic ACL behaviour example

[Figure: remote host – Internet – router – local username database or AAA server. The router's ACL initially reads "Allow Telnet to router; deny everything else".]

1. Remote host is allowed to Telnet to the router
2. Router authenticates the user (local database or AAA server)
3. Router adds the user's dynamic ACL entry ("allow authenticated user"; everything else is still denied)
4. User accesses internal resources

Dynamic ACLs from a security point of view

- Dynamic ACLs offer several security benefits:
  - Rely on user authentication.
  - Reduce router processing for ACLs.
  - By default, everything except Telnet is denied.
    - Less exposed network for attackers.
  - Can create dynamic access for users through a firewall.
    - Without permanently "punching a hole" in the firewall.
  - Can work with SSH connections instead of Telnet.
  - Simplify and secure management tasks for larger networks.

Steps for defining dynamic ACLs

- Create the authentication method
  - Local (user database)
  - External AAA server
  - Line password
    - normally not used because all users would have the same password...
- Create the extended ACL
  - Can be numbered or named
  - Must have a statement that permits Telnet and/or SSH
  - Must have only one dynamic entry
    - This entry becomes active only after user authentication
- Enable the dynamic authentication method
  - On the vty lines

Dynamic ACLs scenario

[Figure: PC on 192.168.10.0/24 – R1 – 10.2.2.0/30 link (R2 at 10.2.2.2/30) – R2 – 192.168.30.0/24 – Server 192.168.30.1/24]

- The PC uses Telnet to connect to R2 and authenticate
- Within a given time allowance, the PC is granted access to all 192.168.30.10/24 server services through R2

Dynamic ACLs example configuration

- Defining a username:

R2(config)#username student secret b33r

- Creating the ACL:

R2(config)#access-list 120 permit tcp any host 10.2.2.2 eq telnet
R2(config)#access-list 120 dynamic MY_LIST timeout 10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

- Applying the ACL:

R2(config)#int fast0/0
R2(config-if)#ip access-group 120 in

- Instruct the line to activate the dynamic entry upon login:

R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#autocommand access-enable host timeout 5

ACL creation explained

- Creating the ACL:

R2(config)#access-list 120 permit tcp any host 10.2.2.2 eq telnet
R2(config)#access-list 120 dynamic MY_LIST timeout 10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

- The first entry only allows Telnet connections to the router's interface.
- The second entry is inactive until a successful Telnet authentication is completed
  - It will then allow all traffic coming from the server and going to the LAN.
  - ... for a limited time: after 10 minutes ("timeout 10") the dynamic entry is deactivated.
    - It doesn't matter whether there's still traffic flowing or not.
  - The name is not relevant at this time.

ACL creation explained – activating

- Instruct the line to activate the dynamic entry upon login:

R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#autocommand access-enable host timeout 5

- "autocommand" tells the router to execute a privileged-level command after each login
- The "access-enable" command activates the dynamic entry in the dynamic ACL.
- The timeout in this command is the "idle" timeout
  - If the connection has been idle for 5 minutes, the dynamic entry is deactivated.
  - The timeout in the dynamic entry is the "global" timeout.
- "host" will enable the dynamic entry only for the connecting host, not its entire subnet
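The interplay of the two timers (the global "timeout 10" on the dynamic statement and the idle "timeout 5" on access-enable), the "host" keyword and the one-shot six-minute extension is easier to see in a small model than in prose. The Python below is an added example, not part of the lecture or of Cisco IOS; the class and function names, the minute-based clock and the packet timeline are all constructed for illustration.

```python
import ipaddress


class DynamicEntry:
    """One activated lock-and-key entry; times are minutes since activation.

    global_timeout: the 'timeout 10' on the dynamic ACL statement (absolute).
    idle_timeout:   the 'timeout 5' on 'autocommand access-enable' (idle).
    host_only:      the 'host' keyword (entry for the Telnet client only).
    """

    def __init__(self, src_host, permit_src_net, dst_net, activated_at,
                 global_timeout, idle_timeout, host_only=True):
        self.last_seen = activated_at
        self.global_deadline = activated_at + global_timeout
        self.idle_timeout = idle_timeout
        self.extended_once = False
        self.src = (ipaddress.ip_network(src_host + "/32") if host_only
                    else ipaddress.ip_network(permit_src_net))
        self.dst = ipaddress.ip_network(dst_net)

    def is_active(self, now):
        """Alive only while neither the global nor the idle timer has expired."""
        if now >= self.global_deadline:
            return False
        return now - self.last_seen < self.idle_timeout

    def extend_once(self, now, extra=6):
        """'access-list dynamic-extended': six more minutes, only once, and
        only if the entry has not expired yet."""
        if self.extended_once or not self.is_active(now):
            return False
        self.global_deadline += extra
        self.extended_once = True
        return True

    def permits(self, src_ip, dst_ip, now):
        """ACL evaluation for one packet; a hit refreshes the idle timer."""
        if not self.is_active(now):
            return False
        hit = (ipaddress.ip_address(src_ip) in self.src
               and ipaddress.ip_address(dst_ip) in self.dst)
        if hit:
            self.last_seen = now
        return hit


# Constructed timelines: (minute, source, destination). The Telnet client is
# 192.168.10.5; 192.168.10.6 is another host on the same LAN.
TIMELINE = [
    (1, "192.168.10.5", "192.168.30.10"),
    (2, "192.168.10.6", "192.168.30.10"),
    (4, "192.168.10.5", "192.168.30.10"),
    (8, "192.168.10.5", "192.168.30.10"),
    (9.5, "192.168.10.5", "192.168.30.10"),
    (11, "192.168.10.5", "192.168.30.10"),
    (15, "192.168.10.5", "192.168.30.10"),
    (17, "192.168.10.5", "192.168.30.10"),
]
# A client that goes quiet: the idle timer fires long before the global one.
IDLE_TIMELINE = [
    (1, "192.168.10.5", "192.168.30.10"),
    (7, "192.168.10.5", "192.168.30.10"),
    (9, "192.168.10.5", "192.168.30.10"),
]


def simulate(timeline=TIMELINE, host_only=True, extend_at=None):
    """Replays a timeline against the lecture's MY_LIST entry (global 10,
    idle 5) and returns one permit/deny verdict per packet."""
    entry = DynamicEntry("192.168.10.5", "192.168.10.0/24", "192.168.30.0/24",
                         activated_at=0, global_timeout=10, idle_timeout=5,
                         host_only=host_only)
    verdicts = []
    for minute, src, dst in timeline:
        if extend_at is not None and minute == extend_at:
            entry.extend_once(minute)
        verdicts.append(entry.permits(src, dst, minute))
    return verdicts


if __name__ == "__main__":
    print("host, no extension  :", simulate())
    print("host, extended @9.5 :", simulate(extend_at=9.5))
    print("whole subnet        :", simulate(host_only=False))
    print("idle client         :", simulate(IDLE_TIMELINE))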

A little hint

- Right after authenticating using Telnet, the connection is dropped.
  - If you intended to access the CLI, you'll probably use Telnet again.
- If the global timeout value is too short for you, you can use the following command to add another 6 minutes to the timeout value:

R2(config)#access-list dynamic-extended

  - It will only work if the dynamic ACL entry hasn't expired yet.
  - And only once.

Dynamic ACL summary

- Dynamic entries are introduced in normal ACLs
- They are inactive by default
- They are activated by a successful Telnet or SSH login
- They don't last long...

Time-based ACLs

Not even services work 24/7...

Time-based ACLs

- Have the same functionality as extended ACLs
- Can also control access based on time
  - "no access to company servers outside the working hours"
  - "employee access to messenger service only during lunch"
  - "eu.logon.worldofwarcraft.com" only on weekends
- Can provide a more secure access to resources
  - Allowing a certain type of traffic indefinitely might not be desirable.
- Network overview: time-based ACLs can log traffic only at certain times of the day.

Configuring time-based ACLs

- First, a "time range" object must be created globally.
- Example – absolute time range:

R1(config)#time-range MYTIME
R1(config-time-range)#absolute start 08:00 27 November 2009 end 20:00 28 November 2009

- Example – periodic time range:

R1(config)#time-range PERIODIC
R1(config-time-range)#periodic daily 09:30 to 12:00

Absolute and periodic events

- Absolute events take place only once
  - They last for the entire duration of the timespan
- Periodic events can repeat every (keyword list):
  - Monday, Tuesday, Wednesday, ...
  - Daily
  - Weekdays
  - Weekend

Using time ranges with ACLs

- Using the "time-range" keyword:

R1(config)#access-list 101 permit tcp any host 192.168.1.1 eq www time-range MYTIME

- The ACL can then be applied to any interface
- The "time-range" entries are only checked during their respective time intervals.
- Extended ranges for absolute entries:
  - Omitting the start time will default to the current time
  - Omitting the end time will default to 23:59 on 31st of Dec, 2035
- Don't forget to set the clock right!
  - Remember NTP!
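Slides 19 to 21 describe how absolute and periodic statements decide whether an ACE tagged with "time-range" is checked at a given moment. The Python below is an added example written for this lecture, not Cisco code: it models a time-range object with the lecture's keywords and defaults (omitted end = 23:59 31 Dec 2035) and reports which ACEs of a constructed ACL are live at three moments around the MYTIME window. The treatment of a range with no statements as inactive is an assumption of this model.

```python
from datetime import datetime, time

# Default end of an absolute range when "end" is omitted (as the lecture states).
DEFAULT_END = datetime(2035, 12, 31, 23, 59)

# "periodic" day keywords -> Python weekday numbers (Monday = 0).
DAY_KEYWORDS = {
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


class TimeRange:
    """Model of one 'time-range NAME' object with its absolute and
    periodic statements (assumption: a range with no statements is never active)."""

    def __init__(self, name):
        self.name = name
        self.absolute = None   # (start, end) datetimes
        self.periodic = []     # [(weekday set, start time, end time), ...]

    def set_absolute(self, start=None, end=None, now=None):
        """'absolute [start ...] [end ...]': omitted start = now,
        omitted end = 23:59 31 Dec 2035."""
        self.absolute = (start or now or datetime.now(), end or DEFAULT_END)
        return self

    def add_periodic(self, days, start_hhmm, end_hhmm):
        """'periodic <days> HH:MM to HH:MM'."""
        h1, m1 = (int(x) for x in start_hhmm.split(":"))
        h2, m2 = (int(x) for x in end_hhmm.split(":"))
        self.periodic.append((DAY_KEYWORDS[days.lower()], time(h1, m1), time(h2, m2)))
        return self

    def is_active(self, now):
        """Inside the absolute window (if any) and inside at least one
        periodic statement (if any)."""
        if self.absolute is not None:
            start, end = self.absolute
            if not start <= now <= end:
                return False
        if self.periodic:
            return any(now.weekday() in days and s <= now.time() <= e
                       for days, s, e in self.periodic)
        return self.absolute is not None


def active_entries(acl, ranges, now):
    """Sequence numbers of the ACEs the router evaluates at 'now': entries
    without a time-range always count, the others only inside their interval."""
    return [ace["seq"] for ace in acl
            if ace.get("time_range") is None
            or ranges[ace["time_range"]].is_active(now)]


# Constructed ranges and ACL based on the lecture's examples.
RANGES = {
    "MYTIME": TimeRange("MYTIME").set_absolute(
        datetime(2009, 11, 27, 8, 0), datetime(2009, 11, 28, 20, 0)),
    "PERIODIC": TimeRange("PERIODIC").add_periodic("daily", "09:30", "12:00"),
    "WEEKEND": TimeRange("WEEKEND").add_periodic("weekend", "00:00", "23:59"),
}
ACL_101 = [
    {"seq": 10, "action": "permit", "what": "www to 192.168.1.1", "time_range": "MYTIME"},
    {"seq": 20, "action": "permit", "what": "messenger during lunch", "time_range": "PERIODIC"},
    {"seq": 30, "action": "permit", "what": "game logon server", "time_range": "WEEKEND"},
    {"seq": 40, "action": "deny", "what": "everything else"},
]


def demo():
    """Which ACEs are live at three constructed moments: Friday 27, Saturday
    28 and Sunday 29 November 2009."""
    moments = {
        "fri_morning": datetime(2009, 11, 27, 10, 0),
        "sat_evening": datetime(2009, 11, 28, 19, 30),
        "sun_noon": datetime(2009, 11, 29, 12, 30),
    }
    return {label: active_entries(ACL_101, RANGES, t) for label, t in moments.items()}


if __name__ == "__main__":
    for label, seqs in demo().items():
        print(label, seqs)
```

The model evaluates in the router's local time, which is exactly why the slide's reminder about NTP matters: a wrong clock shifts every window.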

Debugging access lists

- Use the "show access-lists" command to view all configured ACLs on the router or a specific ACL:
  - Non-applied ACLs are also displayed

Router# show access-list MyACL
Extended IP access list MyACL
10 permit tcp host 21.35.80.22 eq telnet host 21.23.77.101
20 permit tcp host 21.35.80.25 eq 16100 host 21.23.77.101 (149407 matches)
30 permit tcp host 21.35.80.25 eq 17600 host 21.23.77.101 (80592 matches)
40 permit tcp host 21.35.80.27 eq 10701 host 21.23.77.101 (26008 matches)

- The number of matched packets is also displayed for each entry.
  - Matches include permitted and denied packets.

Number of matches

- Analyze the number of matches per entry in order to:
  - Determine whether the traffic flows as expected
    - Test load balancing
  - Determine whether the ACL entries are in the correct order
    - Ex: denying TCP after permitting IP has no effect
    - Ex: permitting a certain service to a subnet after denying all traffic to the subnet has no effect
  - Optimize the ACL
    - Higher numbers should be at the beginning of the ACL
    - Stepping through all the entries of an ACL for each packet uses CPU cycles
  - Security
    - Matches on explicitly denied services or types of packets can indicate attack attempts.

Real-time traffic

- Use "debug" commands to view allowed and dropped packets:

R1#debug ip packet
IP packet debugging is on
R1#
Oct 30 09:31:47.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:47.668: IP: s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), len 56, sending
Oct 30 09:31:49.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:49.668: IP: tableid=0, s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), routed via FIB
Oct 30 09:31:49.668: IP: s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), len 56, sending
Oct 30 09:31:51.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:51.668: IP: s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), len 56, sending
Oct 30 09:31:57.996: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1 (FastEthernet0/0), len 44, rcvd 3

- Displayed packets can also be filtered using an access list:

R1#debug ip packet ?
  <1-199>      Access list
  <1300-2699>  Access list (expanded range)
  detail       Print more debugging detail
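Slide 23 says that matches on denied entries can indicate attack attempts, and slide 24 shows the raw "debug ip packet" output in which each denied packet appears as "access denied". The Python below is an added example, not from the lecture: it parses lines in that format (the sample is the lecture's own output, embedded as a constructed string), counts denies per source address and ingress interface, and flags any source that exceeds a threshold. The regular expression and threshold are assumptions made for this example.

```python
import re
from collections import Counter

# One 'debug ip packet' line: timestamp, optional tableid, source (with
# optional interface), destination (with optional interface), optional
# length, and the verdict text ("access denied", "sending", ...).
DEBUG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): IP: (?:tableid=\d+, )?"
    r"s=(?P<src>[\d.]+)(?: \((?P<sif>[^)]+)\))?, "
    r"d=(?P<dst>[\d.]+)(?: \((?P<dif>[^)]+)\))?"
    r"(?:, len (?P<len>\d+))?, (?P<verdict>.+)$"
)

# Constructed sample: the lecture's debug output as one string.
SAMPLE = """\
Oct 30 09:31:47.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:47.668: IP: s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), len 56, sending
Oct 30 09:31:49.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:49.668: IP: tableid=0, s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), routed via FIB
Oct 30 09:31:49.668: IP: s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), len 56, sending
Oct 30 09:31:51.668: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, access denied
Oct 30 09:31:51.668: IP: s=10.1.1.1 (local), d=10.2.2.2 (FastEthernet0/0), len 56, sending
Oct 30 09:31:57.996: IP: s=10.2.2.2 (FastEthernet0/0), d=10.1.1.1 (FastEthernet0/0), len 44, rcvd 3
"""


def parse(text):
    """Returns one dict per line that matches the debug format; other lines
    (prompts, 'IP packet debugging is on') are skipped."""
    events = []
    for line in text.splitlines():
        m = DEBUG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def denied_by_source(events):
    """Counts 'access denied' verdicts per (source, ingress interface)."""
    return Counter((e["src"], e["sif"]) for e in events
                   if e["verdict"] == "access denied")


def summarize(text, threshold=3):
    """Parses the output and flags sources with >= threshold denied packets."""
    events = parse(text)
    denied = denied_by_source(events)
    flagged = sorted(src for (src, _), n in denied.items() if n >= threshold)
    return {"parsed": len(events), "denied": dict(denied), "flagged": flagged}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feeding the router's own counters (slide 22) and this kind of per-source tally into a syslog collector gives the same signal without leaving "debug ip packet" running on a busy router, where it is expensive.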

Mitigating Attacks With ACLs

Just when you thought the ACLs were over...

Prevent address spoofing

- You should not allow inbound packets having a source IP address from inside your private network
- Generally, the following addresses should not be allowed:
  - Any local host address (127.0.0.0/8)
  - Any private addresses (RFC 1918 – specific)
  - Any addresses from the IP multicast range (224.0.0.0/4)

[Figure: a packet with S: 192.168.12.23, D: 192.168.12.1 arrives from the outside, saying "Let me through, I'm from your 192.168.12.1 network!"; behind the router sits the Server]

Example ACL

- Example general anti-spoofing configuration:

R2(config-std-nacl)#do sh access-list NO_SPOOF
Standard IP access list NO_SPOOF
10 deny 127.0.0.0, wildcard bits 0.255.255.255
20 deny 10.0.0.0, wildcard bits 0.255.255.255
30 deny 172.16.0.0, wildcard bits 0.15.255.255
40 deny 192.168.0.0, wildcard bits 0.0.255.255
50 deny 224.0.0.0, wildcard bits 15.255.255.255

- Also, packets coming from inside the network with a source address other than one from your own subnets should not be allowed.
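Two points from this part of the lecture are worth checking in code: the NO_SPOOF list above (wildcard-mask matching, first match wins, implicit deny at the end) and the ordering mistakes listed on slide 23, where an earlier entry makes a later one unreachable. The Python below is an added example, not Cisco code and not part of the lecture; the `Ace` class, the `shadowed` check, the trailing `permit ip any any` on NO_SPOOF and the sample source addresses are constructed for illustration. It also shows why the wildcard on line 50 has to be 15.255.255.255: a mis-typed second octet silently lets part of the multicast range through.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")


def _int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match the base, a 1 bit is
    'don't care' (the inverse of a subnet mask)."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


def covers(outer, inner):
    """True when every address matched by 'inner' is also matched by 'outer'."""
    (obase, owild), (ibase, iwild) = outer, inner
    ow, iw = _int(owild), _int(iwild)
    if (ow | iw) != ow:            # inner is free on a bit that outer fixes
        return False
    care = ~ow & 0xFFFFFFFF
    return (_int(obase) & care) == (_int(ibase) & care)


@dataclass
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp", "udp", "icmp"
    src: tuple         # (base, wildcard)
    dst: tuple = ANY   # standard ACLs filter the source only
    matches: int = 0   # the counter shown by "show access-lists"


def evaluate(acl, proto, src, dst):
    """First matching ACE wins; the implicit 'deny ip any any' ends the list."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            ace.matches += 1
            return ace.action
    return "deny"


def shadowed(acl):
    """ACEs that can never match because an earlier ACE already covers their
    protocol, source and destination (the ordering errors of slide 23)."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and covers(earlier.src, later.src)
                    and covers(earlier.dst, later.dst)):
                found.append(later.seq)
                break
    return found


# The lecture's NO_SPOOF standard ACL (inbound on the outside interface),
# followed by a constructed permit so that legitimate sources get through.
NO_SPOOF = [
    Ace(10, "deny", "ip", ("127.0.0.0", "0.255.255.255")),
    Ace(20, "deny", "ip", ("10.0.0.0", "0.255.255.255")),
    Ace(30, "deny", "ip", ("172.16.0.0", "0.15.255.255")),
    Ace(40, "deny", "ip", ("192.168.0.0", "0.0.255.255")),
    Ace(50, "deny", "ip", ("224.0.0.0", "15.255.255.255")),
    Ace(60, "permit", "ip", ANY),
]


def spoof_check(sources, dst="192.168.12.1"):
    """Verdict per constructed inbound source address."""
    return {s: evaluate(NO_SPOOF, "ip", s, dst) for s in sources}


def ordering_example():
    """'deny tcp after permit ip has no effect': line 10 covers line 20."""
    acl = [
        Ace(10, "permit", "ip", ("192.168.10.0", "0.0.0.255"), ANY),
        Ace(20, "deny", "tcp", ("192.168.10.0", "0.0.0.255"), ANY),
        Ace(30, "permit", "tcp", ANY, ("192.168.30.0", "0.0.0.255")),
    ]
    return shadowed(acl)


def mask_typo_demo():
    """Why line 50 needs 15.255.255.255: a mis-typed 15.25.255.255 fixes bits
    of the second octet and lets part of 224.0.0.0/4 through."""
    good = wildcard_match("239.200.1.1", "224.0.0.0", "15.255.255.255")
    typo = wildcard_match("239.200.1.1", "224.0.0.0", "15.25.255.255")
    return good, typo


if __name__ == "__main__":
    print(spoof_check(["192.168.12.23", "172.31.0.9", "172.32.0.1",
                       "239.1.1.1", "203.0.113.7"]))
    print("shadowed:", ordering_example(), "mask typo (good, typo):", mask_typo_demo())
```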

Mitigating DoS Smurf attacks

- Do you remember what a smurf attack was?
- Smurf attack: sending a spoofed ping request to the broadcast address of a subnet.
  - All hosts reply with an echo-request
  - The network can become saturated
- The "evil" way:
  - The attacker also spoofs the source IP address of the ping packets
    - A victim's real IP address is used
  - All replies go back to one single victim
  - The network acts as an amplifier for the attack

Mitigating DoS Smurf Attacks

- Disable directed broadcasts on a per-interface basis:

R2(config)#int fastEthernet 0/0
R2(config-if)#no ip directed-broadcast

- Starting with IOS version 12.0, this is the default setting.

Preventing TCP attacks

- A device maintains the state of every active TCP connection.
- A TCP SYN flood overwhelms the device's operating system by opening a large number of TCP sessions without closing them.
- You've learned about a way to prevent this. How?
- Answer: Use an extended ACL to block SYN TCP packets from the outside.

R2(config-ext-nacl)#deny tcp any 192.168.2.0 0.0.0.255 syn

- Another way: using TCP Intercept
  - ...AND access lists

TCP Intercept

- Helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests.
- Intercepts TCP SYN connections from clients to servers according to an extended ACL.
- Establishes a connection to the client, on behalf of the server
- Establishes a connection to the server, on behalf of the client
- Connection attempts from unreachable clients will not reach the servers – they would fail the first attempt
- If illegitimate requests are detected, actions are taken:
  - Half-open connections are closed after a threshold
  - A timeout timer is started for all sessions

Example TCP Intercept Configuration

- Define an access list to identify connections to be intercepted:

ip access-list extended TCP_INTER
 permit tcp any host 192.168.1.1 eq www
 permit tcp any host 192.168.1.1 eq smtp
 permit tcp any host 192.168.1.1 eq pop3

- Configure TCP Intercept parameters:

ip tcp intercept list TCP_INTER
ip tcp intercept connection-timeout 1800
ip tcp intercept max-incomplete low 1000
ip tcp intercept max-incomplete high 1500
ip tcp intercept drop-mode oldest

  - drop-mode: drop oldest or random connections
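The watermarks in the configuration above (max-incomplete low 1000 / high 1500, drop-mode oldest) are easiest to understand by watching a half-open table fill up. The Python below is an added example, not Cisco's implementation and not part of the lecture: it keeps a table of half-open (embryonic) connections the way slides 31 and 33 describe (the router answers the client's SYN itself and only opens the server-bound connection once the client's ACK arrives), sheds entries above the high watermark down to the low one, and supports both drop modes. The class name, the per-entry expiry helper and the flood timeline are constructed for this example.

```python
import random
from collections import OrderedDict


class InterceptTable:
    """Half-open TCP connection table with the watermark logic of
    'ip tcp intercept max-incomplete low/high' and 'drop-mode'."""

    def __init__(self, low, high, drop_mode="oldest", seed=0):
        self.low, self.high = low, high
        self.drop_mode = drop_mode
        self.rng = random.Random(seed)     # seeded so the demo is reproducible
        self.half_open = OrderedDict()     # (client ip, port) -> time of SYN
        self.aggressive = False
        self.dropped = 0

    def syn(self, client, now):
        """A client SYN arrives: the router answers on the server's behalf and
        records a half-open entry; above 'high' it sheds entries until the
        table is back at 'low'. Returns True if shedding happened."""
        self.half_open[client] = now
        if len(self.half_open) > self.high:
            self.aggressive = True
        if not self.aggressive:
            return False
        while len(self.half_open) > self.low:
            if self.drop_mode == "oldest":
                victim = next(iter(self.half_open))
            else:                          # 'drop-mode random'
                victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]
            self.dropped += 1
        self.aggressive = False
        return True

    def ack(self, client):
        """The client completed the handshake: the router now opens the
        server-bound connection and the entry leaves the half-open table."""
        return self.half_open.pop(client, None) is not None

    def expire(self, now, timeout):
        """Drops entries whose SYN is older than 'timeout' seconds (assumption:
        a simple per-entry timer standing in for the lecture's 'timeout
        timer started for all sessions')."""
        stale = [c for c, t0 in self.half_open.items() if now - t0 >= timeout]
        for c in stale:
            del self.half_open[c]
        self.dropped += len(stale)
        return len(stale)


def flood(low=1000, high=1500, drop_mode="oldest", syns=1600):
    """Constructed SYN flood from one source, one new port per SYN, against
    the lecture's watermarks (low 1000, high 1500)."""
    table = InterceptTable(low, high, drop_mode)
    shed_events = 0
    for i in range(syns):
        if table.syn(("203.0.113.9", 1024 + i), now=i):
            shed_events += 1
    return {
        "remaining": len(table.half_open),
        "dropped": table.dropped,
        "shed_events": shed_events,
        "oldest_survivor": next(iter(table.half_open)),
    }


def legitimate_client():
    """A client that completes its handshake before the flood is unaffected
    by the shedding that the flood triggers."""
    table = InterceptTable(low=2, high=3)
    table.syn(("198.51.100.7", 40000), now=0)
    table.ack(("198.51.100.7", 40000))
    for i in range(5):                     # constructed flood from elsewhere
        table.syn(("203.0.113.9", 1024 + i), now=1 + i)
    return ("198.51.100.7", 40000) not in table.half_open and table.dropped > 0


if __name__ == "__main__":
    print(flood())
    print(flood(drop_mode="random"))
    print("legitimate client unaffected:", legitimate_client())
```

With 1600 SYNs the table crosses 1500 once, sheds 501 entries to get back to 1000, and then grows to 1099 without further shedding; with "oldest" the survivors are the most recent SYNs, which is the right bias against a flood but can also drop a slow legitimate client that has not yet answered.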

TCP Intercept behaviour

[Figure: client – router – server. Client side: 1 SYN, 2 SYN+ACK, 3 ACK. Server side: 4 SYN, 5 SYN+ACK, 6 ACK. 7: server-bound connection]

- 1 – 3: Session establishment between client and router
- 4 – 6: Session establishment between router and server

Firewall Technologies

Who let the dogs... in?

Firewalls

- Original term..
- Firewall: A system that enforces an access control policy between networks.
- A firewall must be:
  - Resistant to attacks (why?)
  - The only transit point (why?)
  - Responsible for enforcing the access control policy
- Network access policies are implemented on firewalls that manage all inbound connections

Benefits of firewalls

- Can hide sensitive data
- Prevent malicious data from entering a network
- Can prevent exploits
- Central point for implementing security policies

Drawbacks of firewalls

- A single firewall is also a single point of failure
- Misconfiguration can make the entire network vulnerable
- Many applications cannot be passed over a firewall securely
- Network performance slows down
- Unauthorized traffic can be tunneled or hidden
- Your users will constantly try to find new ways of bypassing your firewall.

Firewall flavors

- Software-based
  - Simple applications that make software decisions about traffic entering or leaving the machine they are running on
  - Suited for single computers or very small networks
- Dedicated devices – hardware processing
  - Cisco PIX
  - Cisco ASA

Types of firewalls: Packet filtering

- Packet-filtering firewall (or stateless firewall)
  - Has a limited ability to filter packets based on layer 3 and layer 4 information.
  - That's right! Access lists!

Packet filtering pros and cons

Pros:
- Simple rules, easy to implement and update
- Low CPU requirements
- Supported by all routers
- Low cost

Cons:
- Susceptible to IP spoofing
- Complex ACLs are difficult to maintain and update
- Limited functionality
- Stateless

Types of firewalls – Stateful firewall

- Also monitors the state of connections
  - Initiation, data transfer, termination
- Can detect abnormal connection behaviour that might indicate attacks or exploits.

Stateful firewalls pros and cons

Pros:
- More granular control for packet filtering
- Can defend against DoS attacks
- Offer more precise statistic data

Cons:
- They do not examine the application-layer content
- Not all protocols are stateful (UDP, ICMP)

Types of firewalls – Application Layer Gateway

- Also known as a "proxy firewall"
- Also analyzes the application layer in its decisions
- Control and filtering is mostly done in software

Cisco's dedicated solution

Firewalls in network design

- The simplest design:

[Figure: LAN – Firewall – Internet]

- The DMZ design:

[Figure: LAN – Firewall – Internet, with a DMZ attached to a third firewall interface]

Trust

- Considering the second design, a firewall would have three interfaces:
  - A "trusted" interface facing the local network (inside)
  - An "untrusted" interface connecting to the Internet (outside)
  - A "DMZ" interface
- Usual policies:
  - No connections can be made from outside to the inside
  - The inside network can access the DMZ and the Internet
  - The DMZ can be accessed from the internet and the LAN
    - The place for public services (DNS, HTTP, SMTP, etc)

The DMZ

- The DMZ is intentionally exposed
  - Public services must be ... publicly accessible
- For security reasons, the DMZ must not be allowed to connect to the LAN.
  - In case the DMZ is compromised, the internal network must still be secured.
- The firewall allows traffic to the DMZ, with restrictions
  - Only permit necessary traffic, block everything else
  - Must detect abnormal usage of DMZ services (attacks, exploits)

CBAC = Context-Based Access Control

- Solution available within the Cisco IOS Firewall.
- Intelligent TCP and UDP filter, inspects application layer protocol and session information.
- Stateful session tracking

CBAC improvements

- CBAC provides several improvements over established and reflexive ACL rules:
  - Monitors TCP setup (three-way handshake)
  - Tracks TCP sequence numbers
  - Inspects DNS queries and replies
  - Inspects ICMP message types
  - Supports applications that rely on multiple connections
  - Inspects embedded addresses (for NAT/PAT)
  - Inspects application-layer information
- Based on timeouts for stateless protocols, to prevent spoofing.
- CBAC is not intended to protect against internal threats.

How does CBAC work?

- Creates temporary openings in ACLs to allow valid traffic replies back inside the network (like dynamic ACLs)
- Unlike dynamic ACLs, CBAC tracks:
  - Application-layer protocol information
  - Connection state information
- The state table adapts dynamically
- Inspection rules are applied only if the packet passes the inbound ACL of the interface.

CBAC operation example

CBAC protocol operation

- TCP handling
  - Each session is described and tracked by:
    - Endpoint addresses and port numbers
    - Sequence numbers (including ACKs)
    - Flags
  - Packets are checked against the current state and discarded if they do not comply.
- UDP handling
  - There is no trackable connection state
  - Traffic is allowed back in for a preconfigured time interval
- Other IP protocols
  - CBAC inspects protocols that negotiate protocol numbers (FTP)
  - Other protocols, like GRE and IPsec, are treated in a connectionless manner
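Slides 50 and 52 describe the mechanism: an outbound packet that first passes the interface ACL is inspected and creates a state entry, and the matching return traffic is let back in through a temporary opening, with TCP checked against the handshake state and UDP simply timing out. The Python below is an added example, not the Cisco IOS Firewall code and not part of the lecture: a toy inspection engine with an inbound and an outbound path, run over a constructed web handshake, an unsolicited SYN+ACK and a DNS exchange whose late reply misses the UDP idle interval. The `Pkt` and `Cbac` names, the state names and the simplified flag handling (only SYN opens TCP state; data segments carry ACK) are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP: "SYN", "SYN+ACK" or "ACK" (data segments carry ACK)


class Cbac:
    """Toy CBAC engine: outbound packets that pass the inside ACL and match
    an inspect rule create state; matching return traffic gets a temporary
    opening through the static outside ACL."""

    def __init__(self, inspect_protos, tcp_idle=3600, udp_idle=30):
        self.inspect = set(inspect_protos)   # 'ip inspect name FWRULE tcp/udp'
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}
        self.sessions = {}                   # 5-tuple -> {"state", "last"}

    def outbound(self, pkt, now, inside_acl):
        """Inside -> outside. Inspection happens only after the ACL permits."""
        if not inside_acl(pkt):
            return "denied by ACL"
        if pkt.proto not in self.inspect:
            return "permitted, not inspected"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        s = self.sessions.get(key)
        if pkt.proto == "udp":
            self.sessions[key] = {"state": "UDP", "last": now}
        elif s is None:
            if pkt.flags != "SYN":           # assumption: only a SYN opens state
                return "permitted, not tracked"
            self.sessions[key] = {"state": "SYN_SENT", "last": now}
        else:
            if s["state"] == "SYN_ACK_SEEN" and pkt.flags == "ACK":
                s["state"] = "ESTABLISHED"   # three-way handshake complete
            s["last"] = now
        return "permitted, inspected"

    def inbound(self, pkt, now, outside_acl):
        """Outside -> inside. A temporary opening exists only for packets that
        belong to a tracked session; everything else hits the static ACL."""
        rkey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        s = self.sessions.get(rkey)
        if s is None:
            return "permitted by ACL" if outside_acl(pkt) else "denied by ACL"
        if now - s["last"] >= self.idle[pkt.proto]:
            del self.sessions[rkey]          # idle timer (e.g. udp idle-time 30)
            return "denied, session expired"
        if pkt.proto == "tcp":
            expected = "SYN+ACK" if s["state"] == "SYN_SENT" else "ACK"
            if pkt.flags != expected:
                return "denied, out of state"
            if s["state"] == "SYN_SENT":
                s["state"] = "SYN_ACK_SEEN"
        s["last"] = now
        return "permitted by inspection"


def allow_all(pkt):      # constructed inside ACL: everything may leave
    return True


def deny_all(pkt):       # constructed outside ACL: nothing is statically permitted
    return False


def demo():
    """Constructed traffic: a web handshake with a premature ACK, an
    unsolicited SYN+ACK, and a DNS query whose second reply is too late."""
    fw = Cbac(["tcp", "udp"], udp_idle=30)
    c, srv, dns = "192.168.1.2", "209.165.201.1", "209.165.201.53"
    steps = [
        ("out", Pkt("tcp", c, 32782, srv, 80, "SYN"), 0),
        ("in", Pkt("tcp", srv, 80, c, 32782, "ACK"), 1),        # before SYN+ACK
        ("in", Pkt("tcp", srv, 80, c, 32782, "SYN+ACK"), 1),
        ("out", Pkt("tcp", c, 32782, srv, 80, "ACK"), 2),
        ("in", Pkt("tcp", srv, 80, c, 32782, "ACK"), 3),        # server data
        ("in", Pkt("tcp", srv, 80, c, 40000, "SYN+ACK"), 4),    # no session
        ("out", Pkt("udp", c, 5000, dns, 53), 10),
        ("in", Pkt("udp", dns, 53, c, 5000), 20),
        ("in", Pkt("udp", dns, 53, c, 5000), 60),               # 40 s idle
    ]
    return [fw.outbound(p, t, allow_all) if d == "out" else fw.inbound(p, t, deny_all)
            for d, p, t in steps]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The outside ACL in the demo denies everything, which is exactly the situation slide 50 describes: without the state entry the reply would never get in, and with it the opening exists only for the tracked 5-tuple and only until the idle timer expires.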

CBAC inspection rules

- CBAC firewall rules are called "inspection rules"
- An inspection rule is applied to an interface with regards to the direction of traffic (in/out), just like an ACL.
- The rule must be configured to inspect all the required protocols.
- The Cisco Firewall engine recognizes illegal application-specific commands and can take several actions:
  - Generate alert messages
  - Protect certain system resources
  - Block packets from possible attackers

CBAC and TCP-based DoS attacks

- The connection state database is also used to determine abnormal connections.
- Three thresholds are provided by the Cisco IOS Firewall:
  - Total number of half-opened TCP sessions
  - Number of half-opened TCP sessions in a time interval
  - Number of half-opened TCP sessions for a certain host
- If a threshold is exceeded, the firewall acts in one of two ways:
  - Starts sending reset messages to the oldest connections in the table in order to free up resources
  - Temporarily blocks all SYN packets, to preserve resources

Before configuring CBAC: ACLs (again!)

- Remember that traffic must be permitted through the interface ACL before it gets inspected by the CBAC rules.

Configuring CBAC – inspection rules

- An inspect rule can specify:
  - Generic protocols, like TCP, UDP, ICMP
  - Specific application-layer protocols
- An inspection rule consists of a series of statements
  - Each statement of a rule has the same rule name and a specific protocol to inspect.

R2(config)#ip inspect name FWRULE bittorrent
R2(config)#ip inspect name FWRULE edonkey
R2(config)#ip inspect name FWRULE pop3
R2(config)#ip inspect name FWRULE smtp
R2(config)#ip inspect name FWRULE http
R2(config)#ip inspect name FWRULE https

- The firewall will inspect all TCP and UDP connections, but protocols in the inspect rules will be enhanced – application-level analysis.

Configuring CBAC – inspection rules options

- Other options available for each entry:

R2(config)#ip inspect name FWRULE ssh alert on audit-trail on timeout 3600
R2(config)#ip inspect name FWRULE irc alert off audit-trail off

- The "alert" keyword controls syslog messages.
- The "audit-trail" keyword builds an audit trail of the specified events occurring in the firewall
  - A chronological sequence of audit records.
- The "timeout" value overrides the default TCP and UDP timeout values.
- If unspecified, the "alert" and "audit-trail" values are set according to the following commands:

R2(config)#ip inspect audit-trail
R2(config)#no ip inspect alert-off

Configuring CBAC (3) – Alerts and audits

- CBAC has 2 types of logging functions: alerts and audits
- Alerts – messages concerning CBAC operation
  - Alert on low resources
  - Alert on detected DoS attack
  - Enabled by default and displayed on the console. Disable with:

R(config)#ip inspect alert-off

- Alert example: SMTP attack attempt:

%FW-4-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator (209.165.201.5:49387)

Configuring CBAC (4) – alerts and audits

- Audits keep track of connections inspected by CBAC.
  - Display messages when the router adds or removes an entry from the state table.
  - The audit record gives basic statistical info about the connection.
  - Disabled by default, enable with:

R(config)#ip inspect audit-trail

- Example audit message for initiating a Telnet connection:

%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.2:32782) sent 22 bytes responder (209.165.201.1:23) sent 200 bytes
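Alerts and audit records are only useful once something reads them, so here is an added example (Python written for this lecture, not Cisco code) that parses the two message formats shown on slides 58 and 59, tolerating the line wrapping the slides use, and counts alerts per initiator address. The regular expressions are written against the two sample messages only and are an assumption for any other %FW message; the sample list is constructed from the lecture's messages, with one extra alert from the same initiator added to make the count meaningful.

```python
import re
from collections import Counter

# %FW-<severity>-<MNEMONIC>: <text> (<initiator ip>:<port>)
ALERT_RE = re.compile(
    r"%FW-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*?)\s*"
    r"\((?P<initiator>[\d.]+):(?P<port>\d+)\)")
# %FW-6-SESS_AUDIT_TRAIL: <proto> session initiator (ip:port) sent N bytes
#                         responder (ip:port) sent M bytes
AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<proto>\w+) session initiator "
    r"\((?P<initiator>[\d.]+):(?P<iport>\d+)\) sent (?P<ibytes>\d+) bytes "
    r"responder \((?P<responder>[\d.]+):(?P<rport>\d+)\) sent (?P<rbytes>\d+) bytes")

# Constructed sample, based on the lecture's two messages.
SAMPL
E = None  # placeholder removed below
```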

Configuring
CBAC
(5)


  Applying
the
inspecDon
rule
to
an
interface:

R2(config)#int fastEthernet 0/0
R2(config-if)#ip inspect FWRULE in

  General
rules
when
applying
ACLs
and
inspecDon
rules:

  On
the
“inside”
interface,
use
an
ACL
that
permits
only
allowed

traffic
to
leave
the
network.

  On
the
“outside”
interface,
use
an
ACL
that
permits
the

required
traffic,
including
the
traffic
to
be
inspected
by
CBAC.


60

Verifying
CBAC

R2#show ip inspect config
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name FWRULE
bittorrent alert is on audit-trail is on timeout 3600
edonkey alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
pop3 alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
https alert is on audit-trail is on timeout 3600
ssh alert is on audit-trail is on timeout 3600
irc alert is off audit-trail is off timeout 3600

61

Windows
Firewall


An
enDrely
new
approach
to
security


62

Windows
Firewall
design
and
deployment


63

Nope,
just
kidding
:)


THE
END!!!


64


You might also like