
- CCIE Security Written Exam Blueprint
- General Networking Topics
- “Do I Know This Already?” Quiz
- Foundation Topics
- Networking Basics—The OSI Reference Model
- Ethernet Overview
- Internet Protocol
- Variable-Length Subnet Masks
- Classless Interdomain Routing
- Transmission Control Protocol
- TCP Services
- Routing Protocols
- ISDN
- IP Multicast
- Asynchronous Communications and Access Devices
- Foundation Summary
- Requirements for FastEther Channel
- Scenario
- Scenario 2-1: Routing IP on Cisco Routers
- Scenario Answers
- Scenario 2-1 Answers: Routing IP on Cisco Routers
- Application Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Domain Name System
- Trivial File Transfer Protocol
- File Transfer Protocol
- Hypertext Transfer Protocol
- Secure Socket Layer
- Simple Network Management Protocol
- Simple Mail Transfer Protocol
- Network Time Protocol
- Secure Shell
- Foundation Summary
- Scenario
- Scenario Answers
- Scenario 3-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- Cisco Hardware
- show and debug Commands
- Password Recovery
- Basic Security on Cisco Routers
- IP Access Lists
- Foundation Summary
- Scenario
- Scenario Answers
- Security Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Authentication, Authorization, and Accounting (AAA)
- Remote Authentication Dial-In User Service (RADIUS)
- Kerberos
- Virtual Private Dial-Up Networks (VPDN)
- Encryption Technology Overview
- Internet Key Exchange (IKE)
- Foundation Summary
- Scenario
- Scenario 5-1: Configuring Cisco Routers for IPSec
- Scenario Answers
- Scenario 5-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- UNIX
- Microsoft NT Systems
- Common Windows DOS Commands
- Cisco Secure for Windows and UNIX
- Cisco Secure Policy Manager
- Cisco Secure Intrusion Detection System and Cisco Secure Scanner
- Cisco Security Wheel
- Foundation Summary
- Scenarios
- Scenario 6-1: NT File Permissions
- Scenario 6-2: UNIX File Permissions
- Scenario Answers
- Scenario 6-1 Solution
- Scenario 6-2 Solution
- Security Technologies
- “Do I Know This Already?” Quiz
- Foundation Topics
- Advanced Security Concepts
- Cisco Private Internet Exchange (PIX)
- Cisco IOS Firewall Security Feature Set
- Public Key Infrastructure
- Virtual Private Networks
- Foundation Summary
- Scenario
- Scenario Answer
- Scenario 7-1 Solution
- “Do I Know This Already?” Quiz
- Foundation Topics
- Network Security Policies
- Standards Bodies and Incident Response Teams
- Vulnerabilities, Attacks, and Common Exploits
- Intrusion Detection System
- Protecting Cisco IOS from Intrusion
- Foundation Summary
- Scenario
- Scenario 8-1: Defining IOS Commands to View DoS Attacks in Real Time
- Scenario Answer
- Scenario 8-1 Solution

344 Chapter 7: Security Technologies
NOTE When troubleshooting why certain applications, such as SMTP mail or L2TP (TCP 1071) tunnels, are not working, a good starting point is always to look at which TCP or UDP ports are filtered by the PIX. By default, you must explicitly configure any TCP/UDP ports you will permit through the PIX with the conduit or static translation commands.
Cisco Secure PIX Firewalls, published by Cisco Press (ISBN 1-58705-035-8, by David W. Chapman Jr. and Andy Fox), is an excellent resource if you want to learn more about the PIX Firewall.
Cisco IOS Firewall Security Feature Set
Cisco Systems has developed a version of IOS with security-specific features integrated into current IOS software. It is available only on some Cisco IOS devices.
NOTE The need to provide firewall functionality in existing router models led Cisco down a path of making IOS security aware. Not many folks think of Cisco as a software company but, in fact, they sell more software than hardware.
The Cisco IOS Firewall feature set consists of the following:
•Context-based Access Control (CBAC) provides internal users secure, per-application-based access control for all traffic across perimeters, such as between private enterprise networks and the Internet.
•Java blocking protects against unidentified, malicious Java applets.
•Denial-of-service detection and prevention defends and protects router resources from common attacks, checking packet headers and dropping suspicious packets.
•Audit trail details transactions, recording the time stamp, source host, destination host, ports, duration, and the total number of bytes transmitted.
•Real-time alerts log alerts in case of denial-of-service attacks or other preconfigured conditions.
You can use the Cisco IOS Firewall feature set to configure your Cisco IOS router as follows:
•An Internet firewall or part of an Internet firewall
•A firewall between groups in your internal network
•A firewall providing secure connections to or from branch offices
•A firewall between your company’s network and your company’s partners’ networks
For example, when a user authenticates through the Cisco IOS Firewall authentication proxy, authentication is completed over HTTP and access lists are downloaded from the AAA server to authorize or reject connections. The IOS Firewall feature set has many different applications in today’s IP networks.
CBAC provides secure, per-application access control across the network. CBAC is designed to enhance security for TCP and UDP applications, and supports protocols such as H.323, RealAudio, and SQL-based applications, to name a few.
CBAC can filter TCP/UDP packets based on application layer, transport layer, and network layer protocol information. CBAC inspects traffic for sessions that originate on a given interface and also inspects traffic flowing through the firewall. CBAC can inspect FTP, TFTP, or SMTP traffic, but it does not inspect ICMP packet flows.
CBAC can even be used to manually open and close openings in the firewall to test security in a network.
The following list provides samples of protocols supported by CBAC:
•Telnet
•SNMP
•TFTP
•SMTP
•Finger
•Java Blocking
•Oracle SQL
•RealAudio
•H.323
The other major benefits of the Cisco IOS Firewall feature set include the following:
•An integrated solution: no PIX Firewall is needed to protect investments already made in Cisco IOS routers.
•No new hardware is required (just a software upgrade).
•Allows for full IP routing capabilities.
•Cisco customers are already familiar with the IOS command structure.
•Low cost.
Cisco IOS Firewall-enabled routers should always maintain the same security policies described in Chapter 8, “Network Security Policies, Vulnerabilities, and Protection,” such as password encryption and disabling nonessential services, such as Hypertext Transfer Protocol (HTTP) or Dynamic Host Configuration Protocol (DHCP).
CBAC Configuration Task List
Configuring CBAC requires the following tasks:
•Picking an interface: internal or external
•Configuring IP access lists at the interface
•Configuring global timeouts and thresholds
•Defining an inspection rule
•Applying the inspection rule to an interface
•Configuring logging and audit trail
•Other guidelines for configuring a firewall
•Verifying CBAC (optional)
Example 7-5 shows a router named R1 with two Ethernet interfaces, one defined as the inside interface (Ethernet0) and one as the outside interface (Ethernet1). In this example, CBAC is configured to inspect RTSP and H.323 protocol traffic arriving inbound from the protected network. Interface Ethernet0 is the protected network, and interface Ethernet1 is the unprotected network. The security policy for the protected site uses access control lists (ACLs) to control TCP/UDP protocol traffic. Inbound access for specific protocol traffic is provided through dynamic access list entries, which are generated according to CBAC inspection rules.
ACL 199 permits TCP and UDP traffic from any source or destination, while denying specific ICMP protocol traffic and permitting ICMP trace route and unreachable messages. The final deny statement is not required but is included for explicitness—the final entry in any ACL is an implicit denial of all IP protocol traffic. Example 7-5 defines access list 199 on router R1, which has two Ethernet interfaces: Ethernet0 and Ethernet1.
Example 7-5 Access-list Definition
R1(config)# access-list 199 permit tcp any any eq telnet
R1(config)# access-list 199 deny udp any any eq syslog
R1(config)# access-list 199 deny icmp any any echo-reply
R1(config)# access-list 199 deny icmp any any echo
R1(config)# access-list 199 deny icmp any any time-exceeded
R1(config)# access-list 199 deny icmp any any packet-too-big
R1(config)# access-list 199 permit icmp any any traceroute
R1(config)# access-list 199 permit icmp any any unreachable
R1(config)# access-list 199 deny ip any any
ACL 199 is applied inbound at interface Ethernet1 to block all access from the unprotected network to the protected network. Example 7-6 configures the inbound ACL on R1.
Example 7-6 R1 ACL Inbound Configuration
R1(config)# interface Ethernet1
R1(config-if)# ip access-group 199 in
An inspection rule is created for “users” that covers two protocols: RTSP and H.323. Example 7-7 configures R1 to inspect RTSP and H.323 traffic.
Example 7-7 Inspected Traffic
R1(config)# ip inspect name users rtsp
R1(config)# ip inspect name users h323
The inspection rule is applied inbound at interface Ethernet1 to inspect traffic from users on the protected network. When CBAC detects multimedia traffic from the protected network, CBAC creates dynamic entries in Access-list 199 to allow return traffic for multimedia sessions.
Example 7-8 configures the R1 unprotected network to inspect traffic on interface ethernet1.
Example 7-8 Inspects Traffic on R1 Protected Interface
R1(config)# interface Ethernet1
R1(config-if)# ip inspect users in
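Because the openings CBAC creates depend on where the inspection rule and the ACL sit (inspection inbound on the interface where the protected users’ sessions enter, the ACL inbound on the unprotected interface), a quick consistency check is worth having before trusting such a configuration. The Python below is an added example, not code from the book or from Cisco: it parses IOS-style configuration lines and reports placement problems, using constructed config text based on Examples 7-5 to 7-8 with Ethernet0 as the protected interface, as the text defines it; the variant that applies the rule to Ethernet1, as Example 7-8 prints it, is flagged.

```python
import re
# Added example, not from the book: a CBAC placement checker. The config text is constructed
# from Examples 7-5 to 7-8 (prompts stripped, ACL 199 abbreviated to first and last entries).
CONFIG_AS_DESCRIBED = """
access-list 199 permit tcp any any eq telnet
access-list 199 deny ip any any
ip inspect name users rtsp
ip inspect name users h323
interface Ethernet1
 ip access-group 199 in
interface Ethernet0
 ip inspect users in
"""
# Same, but with the inspection rule applied where Example 7-8 prints it: inbound on Ethernet1.
CONFIG_AS_PRINTED = CONFIG_AS_DESCRIBED.replace(
    "interface Ethernet0\n ip inspect", "interface Ethernet1\n ip inspect")
def parse_cbac(config_text):
    """Collect inspection rules, ACL numbers and per-interface access-group/inspect settings."""
    rules, acls, ifaces, current = {}, set(), {}, None
    for raw in config_text.splitlines():
        line = raw.strip().lower()
        if m := re.match(r"ip inspect name (\S+) (\S+)", line):
            rules.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"interface (\S+)", line):
            current = m[1]
            ifaces.setdefault(current, {})
        elif current and (m := re.match(r"ip (access-group|inspect) (\S+) (in|out)$", line)):
            ifaces[current][m[1]] = (m[2], m[3])  # e.g. {"inspect": ("users", "in")}
    return rules, acls, ifaces

def check_cbac(config_text, protected, unprotected):
    """Return findings (empty list = consistent placement) for a two-interface CBAC firewall."""
    rules, acls, ifaces = parse_cbac(config_text)
    inside, outside = ifaces.get(protected.lower(), {}), ifaces.get(unprotected.lower(), {})
    findings = []
    acl = outside.get("access-group")
    if acl is None or acl[1] != "in":
        findings.append(f"no inbound ACL on unprotected interface {unprotected}")
    elif acl[0] not in acls:
        findings.append(f"ACL {acl[0]} applied on {unprotected} but never defined")
    insp = inside.get("inspect")
    if insp is None or insp[1] != "in":
        findings.append(f"no inbound inspection on protected interface {protected}")
    elif insp[0] not in rules:
        findings.append(f"inspection rule {insp[0]} applied but never defined")
    if "inspect" in outside:  # would open return paths for sessions initiated from outside
        findings.append(f"inspection applied on unprotected interface {unprotected}")
    return findings
```

Calling `check_cbac(CONFIG_AS_DESCRIBED, "Ethernet0", "Ethernet1")` returns no findings, while the `CONFIG_AS_PRINTED` variant produces two.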
You can view the CBAC logs by three methods:
•Debugging output (refer to the Cisco Documentation CD for full details)
•Syslog messages (show logging)
•Console messages (system messages)
After you complete the inspection of traffic, you can turn off CBAC with the global IOS command no ip inspect. The Cisco Systems IOS feature set also supports AAA, TACACS+, and Kerberos authentication protocols.
NOTE Active audit and content filters are used with the NetRanger and NetSonar products to allow administrators to detect and respond when an intruder has accessed the network. CBAC is just another useful tool in IOS that allows a quick audit of an IP network.