access control list is also removed, but the remainder of the page, text, and graphics will continue to load through each TCP session as they normally would.
These data channels are inspected for properly incrementing sequence and acknowledgment numbers as well as proper flag use. They will also be terminated in the way described earlier if they exceed the idle timeout values. However, to speed processing, the contents of the data channel packets are not inspected for commands as the control channel packets are.
Context−Based Access Control and IPSec
Because CBAC is configured on perimeter devices that protect internal devices, one question always arises: Is CBAC compatible with IPSec? And the answer is, in a limited fashion. If the router is running both CBAC and IPSec, it must be configured as an IPSec endpoint. For CBAC to function properly, the data within the packets must be examined, and if this data is encrypted, CBAC cannot examine the payload, which causes CBAC to cease functioning.
As mentioned in the preceding paragraph, when CBAC and IPSec are enabled on the same router, that router must be an IPSec end point. CBAC cannot accurately inspect the payload of packets that have been encrypted with IPSec because the protocol number in the IP header of the packet is not TCP or UDP and CBAC inspects only TCP and UDP packets. This should, however, be expected; the purpose of encryption is to prevent unauthorized deciphering of the packets in the first place.
Port Application Mapping
Port Application Mapping (PAM) allows security administrators to customize or change TCP and UDP port numbers for services or applications used with CBAC. This gives networks the flexibility to support services that use ports that are different from the registered and wellknown port numbers commonly associated with certain applications. Port Application Mapping should be used under these conditions:
∙To apply a nonstandard port number to a service or application
∙When host or subnets use a port number for an application that is different from the default port number associated with the application in the PAM table
∙When different hosts or subnets use the same port number for different applications
Port Application Mapping creates and maintains a table of default port−to−application mapping information on the router. The table that is created is populated with system−defined maps by default at boot time; however, the table can be modified to include host−defined mappings as well as user−defined mappings. PAM supports host− or subnet−based port mapping, which allows you to apply PAM to a single host or subnet using standard access control lists. The PAM table information enables Context−Based Access Control services to run on nonstandard ports. Previously, CBAC was limited to inspecting traffic that was using only the well−known ports associated with an application.PAM entries can consist of three different types of mappings: system−defined mapping entries, user−defined mapping entries, and host−specific mapping entries. Each of these mapping entries will be discussed in greater detail in the following sections.
System−Defined Mapping
After the router loads, PAM populates a table of system−defined mapping entries with the well−known or registered port mapping information. The PAM table entries contain all the services that are supported by CBAC and needed to function properly. The system−defined mapping information cannot be deleted or changed, but you can create host−defined mappings, which in
127
effect would override the system−defined parameters. Table 4.1 details each of the system−defined services.
Table 4.1: System−defined port application services.
Application |
Port Number |
Protocol |
http |
80 |
Hypertext Transfer |
|
|
Protocol |
|
|
|
ftp |
21 |
File Transfer Protocol |
|
|
|
exec |
512 |
Remote Process |
|
|
Execution |
|
|
|
cuseeme |
7648 |
Cu−SeeMe Protocol |
|
|
|
h.323 |
1720 |
H.323 Protocol |
|
|
|
msrpc |
135 |
Microsoft Remote |
|
|
Procedure Call |
|
|
|
netshow |
1755 |
Microsoft NetShow |
|
|
|
real audio |
7070 |
RealAudio |
|
|
|
real video |
707 |
RealVideo |
|
|
|
sqlnet |
1521 |
SQLNet |
|
|
|
smtp |
25 |
Simple Mail Transport |
|
|
Protocol |
|
|
|
streamworks |
1558 |
StreamWorks Protocol |
|
|
|
sunrpc |
111 |
Sun Remote Procedure |
|
|
Call |
|
|
|
tftp |
69 |
Trivial File Transfer |
|
|
Protocol |
|
|
|
vdolive |
7000 |
VDOLive |
128
User−Defined Mapping
When the network includes applications that use nonstandard ports, the security administrator must configure user−defined mapping entries into the PAM table. Each user−defined mapping entry requires a table entry for the application. User−defined mapping entries can also specify a range of ports for an application to use by configuring a separate entry in the PAM table for each port number of the range in succession. If a user−defined mapping entry is entered multiple times, it overwrites the previous entry in the table. An example of a user−defined mapping entry would be if HTTP services ran on the nonstandard port of 4010 instead of the system−defined port 80. In this case, PAM would be used to map port 4010 with HTTP services. You are not allowed to map a user−defined entry over a system−defined entry, and the router will complain with an error message.
Host−Specific Mapping
Host−specific port mapping entries create port application mapping on a per−host or per−subnet basis. User−defined mapping entries cannot overwrite system−defined mapping entries in the PAM table; however, host−specific port mapping allows you to override a system−defined entry in the PAM table. Using host−specific port mapping, you can use the same port number for different services on different hosts. For example, a security administrator can assign port 1717 to FTP for one host while assigning port 1717 to Telnet for another host. Host−specific port mapping also lets you configure mapping entries on a per−subnet basis. This allows security administrators to apply PAM to a specific subnet when that subnet runs a service that uses a port number that is different from the port number defined in the default mapping information. This is similar to host−specific port mapping, but it works on a per−subnet basis and not a per−host basis.
IOS Firewall Intrusion Detection
The IOS Firewall Intrusion Detection System (IDS) feature extends the features of intrusion detection to Cisco routers and provides a cost−effective method for extending security services across network boundaries. Intrusion detection systems provide a level of protection beyond the firewall by protecting the network from internal and external attacks and threats caused by routers forwarding traffic from one network to another network. By leveraging the features of intrusion detection, the router can act as an inline probe examining packets and flows to match against current IDS signatures, thus providing the same features that a dedicated probe or sensor device can provide without adding additional hardware onto the network. Intrusion detection should be deployed within all parts of the network with the exception of the core layer elements in the network design; it should especially be deployed within the perimeter of the enterprise network and distribution layer of the network or in locations where a router is being deployed and additional security between different network segments is required.
Typically, intrusion detection consists of three components:
∙Sensor—A network device—in this case, a router with the IDS Firewall feature set loaded—that uses a rules−based engine to interpret large volumes of IP network traffic into meaningful security events. The Sensor can also log security data and close TCP sessions. The Sensor reports the events to an IDS Director or a syslog server.
∙Director—A device that provides centralized management and reporting for security issues. Sensors are managed through a graphical user interface, and the Director can provide a multitude of other services outside of centralized reporting.
129
∙Post Office—A protocol that provides the backbone by which all IDS devices communicate among one another.
The IOS Firewall IDS uses realtime monitoring of network packets to detect intrusions or malicious network activity through the use of attack signatures. The IOS Firewall IDS searches for patterns of misuse by examining either the data portion or the header portion of network packets. Currently, the IOS Firewall IDS identifies 59 attack signatures.
A signature detects patterns of misuse in network traffic. In the Cisco IOS Firewall IDS, signatures are categorized into four types:
∙Info Atomic—Info signatures detect information−gathering activity, such as a port probe. These attacks can be classified as either atomic or compound signatures.
∙Info Compound—Attack signatures detect attacks attempted with the protected network as the intended target. These attacks can be classified as either atomic or compound signatures.
∙Attack Atomic—Can detect simple patterns of misuse.
∙Attack Compound—Can detect complex patterns of misuse.
When the IOS Firewall IDS detects suspicious network traffic, and before the traffic causes a breech in the security policy of the network, the IDS responds and logs all activity to a syslog server or to an IDS Director using the Post Office Protocol (POP).
Security administrators have the ability with the IOS Firewall IDS software to configure the method of response to packets that match one of the attack signatures just mentioned. The IOS Firewall IDS software can be configured to use four different methods to respond to an attack when it matches a signature:
∙Generate alarms—Alarms are generated by the Sensor and sent to one or more Directors. The Director displays the alarm and logs the event.
∙Generate logs—Event logs can be sent to separate syslog server in order analyze the event.
∙Reset TCP connections—The Sensor will reset individual TCP connection requests during and after an attack to minimize the threat yet will allow all other valid requests to continue.
∙Shun the attack—Upon matching a signature the Sensor can be configured to deny request attempts to a host or subnet by dropping the packets. Shunning should be carefully thought out before being deployed in the production network.
If there are multiple signature matches in a session, only the first match triggers an action from the IOS Firewall IDS. Other matches in other modules trigger additional alarms, but only one per session. This process is different than on the dedicated IDS Sensor device, which identifies all signature matches for each packet. The IOS Firewall IDS capabilities provide additional security visibility at the enterprise network perimeters. Security administrators enjoy more robust protection against attacks on the network and can automatically respond to threats from internal or external hosts.
The only significant disadvantage to using the features of the IOS Firewall IDS is that the overall performance of the router will be slightly degraded and end−to−end propagation delay will be added.
130