

Introduction to CBAC Configuration
To help you set up and configure CBAC, Cisco has defined six steps for configuring CBAC:
1. Set audit trails and alerts.
2. Set global timeouts and thresholds.
3. Define Port-to-Application Mapping (PAM).
4. Define inspection rules.
5. Apply inspection rules and ACLs to interfaces.
6. Test and verify CBAC.
You’ll learn about each of these steps in detail throughout the rest of this chapter. The following graphic illustrates the network you’ll be working with and configuring:
[Figure: lab network diagram. Labels recoverable from the figure, in the order they appear: Lab_A (HostA, HostB, 172.16.2.0/24); Perimeter (WWW Server, DNS Server, 10.1.1.0/24); Router (172.16.1.2/24, 172.16.1.3/24); Internet; Lab_B (F0/0, 172.16.1.0/24); "Dirty DMZ" (172.16.1.254/24); Protected DMZ; PIX; Bastion Host (F0/0, 192.168.254.254/24); Bastion Host; NAS (F0/0, 192.168.254.252/24); CiscoSecure ACS 3.0 and Management Station (192.168.254.253/24, 192.168.254.251/24).]
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.
www.sybex.com

152 Chapter 5 Context-Based Access Control Configuration
First, you need to understand the configuration and the order of the steps you’ll take to build CBAC on the Lab_B router as you work through the examples in the rest of this chapter.
You’ll be configuring the border router Lab_B with CBAC to protect the internal network, and you’ll need to provide full access to both the web server and the DNS server from the Internet. You’re also going to allow all general TCP and UDP traffic out to the Internet from your internal hosts, but not anything else.
The next section describes how to set up auditing and real-time alerts from routers running CBAC.
Using Audit Trails and Alerts
If you need it to, CBAC can generate real-time alerts and audit trails through the use of a Syslog server. This is an especially cool, useful feature if you have multiple routers running CBAC, because it allows you to monitor all enterprise alerts and even audit trails at a single, centralized location.
Alerts are triggered when CBAC discovers any suspicious activity. They’re reported as Syslog error messages to the central Syslog server that you’ve specified. Alerts provide a record of suspected problems, and they can be used to trigger other real-time events on the Syslog server.
You can use audit trails to create a log of all inspected activities. Think of this as a record of any and all accesses, whether they’re a problem or not. Audit trails are useful if your security policy identifies a need to keep a record of all network traffic.
The following example shows how both audit trails and alerts would be configured on your Lab_B router, assuming that your Syslog server is at 192.168.254.251:
Lab_B#conf t
Lab_B(config)#logging on
Lab_B(config)#logging 192.168.254.251
Lab_B(config)#ip inspect audit-trail
Lab_B(config)#no ip inspect alert-off
The no version of the ip inspect alert-off command enables alerts. Removing the no disables alerts. Likewise, the no version of the ip inspect audit-trail command disables the audit trail.
Great! You’re now logging both alerts and audit trails to your Syslog server. The next step is to configure global timeouts and thresholds.
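Once the alerts and audit trails are arriving at the Syslog server at 192.168.254.251, someone has to read them. The following Python example is added here and is not from the book: it parses the two kinds of message CBAC sends, totals traffic per responder from the audit trail, and pairs alert-on with alert-off so you can see when the router was in aggressive mode. The sample lines are constructed, and the message formats (%FW-6-SESS_AUDIT_TRAIL for the audit trail, %FW-4-ALERT_ON and %FW-4-ALERT_OFF for alerts) are assumed from Cisco IOS firewall syslog conventions rather than taken from this chapter, so verify the regular expressions against your own router's output.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not captured from a real Lab_B). The message
# bodies follow the %FW-6-SESS_AUDIT_TRAIL / %FW-4-ALERT_ON / %FW-4-ALERT_OFF
# formats as assumed from IOS firewall conventions; treat the wording as an
# assumption and check it against your router before relying on the regexes.
SAMPLE_LOG = """\
Jan 10 12:00:01 Lab_B 101: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (172.16.2.10:32782) -- responder (10.1.1.5:80)
Jan 10 12:00:09 Lab_B 102: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.16.2.10:32782) sent 412 bytes -- responder (10.1.1.5:80) sent 18220 bytes
Jan 10 12:00:11 Lab_B 103: %FW-6-SESS_AUDIT_TRAIL: udp session initiator (172.16.2.11:1053) sent 64 bytes -- responder (10.1.1.6:53) sent 180 bytes
Jan 10 12:03:40 Lab_B 104: %FW-4-ALERT_ON: getting aggressive, count (501/500) current 1-min rate: 501
Jan 10 12:04:55 Lab_B 105: %FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
"""

# Audit-trail record written when an inspected session closes.
AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<proto>\w+) session initiator "
    r"\((?P<init_ip>[\d.]+):(?P<init_port>\d+)\) sent (?P<init_bytes>\d+) bytes "
    r"-- responder \((?P<resp_ip>[\d.]+):(?P<resp_port>\d+)\) sent (?P<resp_bytes>\d+) bytes"
)
# Alert written when CBAC crosses a half-open threshold (on) or drops back (off).
ALERT_RE = re.compile(
    r"%FW-4-(?P<state>ALERT_ON|ALERT_OFF): .*?count \((?P<count>\d+)/(?P<threshold>\d+)\) "
    r"current 1-min rate: (?P<rate>\d+)"
)


@dataclass(frozen=True)
class Session:
    proto: str
    initiator: str
    responder: str
    init_bytes: int
    resp_bytes: int


@dataclass(frozen=True)
class Alert:
    state: str
    count: int
    threshold: int
    rate: int


def parse_cbac_syslog(text):
    """Return (sessions, alerts) parsed from raw syslog text; other lines are ignored."""
    sessions, alerts = [], []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            sessions.append(Session(
                m["proto"],
                f'{m["init_ip"]}:{m["init_port"]}',
                f'{m["resp_ip"]}:{m["resp_port"]}',
                int(m["init_bytes"]), int(m["resp_bytes"])))
            continue
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(m["state"], int(m["count"]),
                                int(m["threshold"]), int(m["rate"])))
    return sessions, alerts


def bytes_per_responder(sessions):
    """Total bytes (both directions) per responder socket, for spotting busy servers."""
    totals = {}
    for s in sessions:
        totals[s.responder] = totals.get(s.responder, 0) + s.init_bytes + s.resp_bytes
    return totals


def aggressive_windows(alerts):
    """Pair each ALERT_ON with the following ALERT_OFF: the spans in which CBAC was
    deleting half-open sessions. An unmatched ALERT_ON means the router is still in
    aggressive mode at the end of the log."""
    windows, start = [], None
    for a in alerts:
        if a.state == "ALERT_ON" and start is None:
            start = a
        elif a.state == "ALERT_OFF" and start is not None:
            windows.append((start, a))
            start = None
    return windows


if __name__ == "__main__":
    sessions, alerts = parse_cbac_syslog(SAMPLE_LOG)
    for responder, total in bytes_per_responder(sessions).items():
        print(f"{responder:<18} {total} bytes")
    for on, off in aggressive_windows(alerts):
        print(f"aggressive: count {on.count}/{on.threshold} at {on.rate}/min, "
              f"cleared at count {off.count}/{off.threshold}")
```

The SESS_AUDIT_TRAIL_START line is deliberately left unparsed: the closing record already carries the byte counts, so counting both would double the session.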
Configuring Global Timeouts and Thresholds
CBAC uses global timeouts and thresholds to determine how long to preserve state information for all sessions, established or otherwise. You can use the defaults—and you need to know what these are—or you can modify them to meet your individual needs. If you’re going to change them, do it now before proceeding with any further CBAC configuration tasks.
Table 5.1 lists the commands you use to modify the default values and then describes the timeout or threshold and its default value. Once set, these values can be restored to default values by using the no form of the command, as in the following example:
Lab_B#conf t
Lab_B(config)#ip inspect tcp synwait-time 60
The default time of 30 seconds has now been changed to 60 seconds.
Lab_B(config)#no ip inspect tcp synwait-time 60
The default of 30 seconds has now been restored.
Table 5.1 Some Commands for Changing CBAC Timeouts and Thresholds
(Command, followed by its description and default value)

ip inspect tcp synwait-time
    Sets how long CBAC will wait for a TCP session to be established before dropping the session. The default is 30 seconds.
ip inspect tcp finwait-time
    Sets how long CBAC will wait after a TCP FIN before dropping the session. The default is 5 seconds.
ip inspect tcp idle-time
    Sets how long CBAC will maintain an idle TCP connection. The default is 1 hour (3600 seconds).
ip inspect udp idle-time
    Sets how long CBAC will maintain idle UDP sessions. The default is 30 seconds.
ip inspect dns-timeout
    Sets how long CBAC will maintain an idle DNS name lookup session. The default is 5 seconds.
ip inspect max-incomplete high
    Sets the maximum number of half-open connections that CBAC will allow before it starts deleting them. The default is 500.
ip inspect max-incomplete low
    Sets the number to go below before CBAC stops deleting half-open connections, once it starts deleting these connections. The default is 400.
ip inspect one-minute high
    Sets the rate of new, half-open connections that will trigger CBAC to start deleting them. The default is 500 per minute.
ip inspect one-minute low
    Sets the rate to go below before CBAC stops deleting half-open connections, once it starts deleting these connections. The default is 400 per minute.
ip inspect tcp max-incomplete host
    Sets the maximum number of half-open connections to the same host that CBAC will allow before starting to drop them. The default is 50.
Most of these commands should be familiar to you, but a few deserve special mention.
ip inspect max-incomplete These values can monitor both TCP and UDP sessions. Incomplete TCP sessions are defined as sessions where the three-way handshake hasn’t been completed. Incomplete UDP sessions are defined as sessions where no return traffic has been detected. Once the maximum number of incomplete sessions is reached, CBAC begins deleting half-open sessions until their numbers total below the minimum value.
ip inspect one-minute These commands are similar in operation, except instead of monitoring the total number of incomplete TCP or UDP sessions, they monitor the rate at which incomplete TCP or UDP sessions are being established. A sudden surge in incomplete sessions can trigger CBAC to aggressively close them, which it does until the low threshold is reached.
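The high/low pairs work as a hysteresis: deletion starts when the count or the rate crosses the high value and stops only once it has fallen below the low value, so a flood that hovers around the threshold does not flap CBAC on and off. The following Python model is added here to illustrate that behaviour; it is neither Cisco's implementation nor code from the book. The defaults are the ones in Table 5.1 (500/400 half-open sessions in total, 500/400 new half-open sessions per minute, 50 half-open sessions per destination host). The rule that each new arrival during aggressive mode evicts the oldest half-open session, the rule that aggressive mode ends only when both count and rate are below their low values, and the class and method names are assumptions of this model, not statements about IOS internals.

```python
from collections import OrderedDict, deque


class HalfOpenMonitor:
    """Simplified model of CBAC's half-open session thresholds (an assumption,
    not Cisco's code).

    max_high / max_low   : ip inspect max-incomplete high / low (defaults 500 / 400)
    rate_high / rate_low : ip inspect one-minute high / low    (defaults 500 / 400 per minute)
    per_host             : ip inspect tcp max-incomplete host  (default 50)
    """

    def __init__(self, max_high=500, max_low=400, rate_high=500, rate_low=400, per_host=50):
        self.max_high, self.max_low = max_high, max_low
        self.rate_high, self.rate_low = rate_high, rate_low
        self.per_host = per_host
        self.half_open = OrderedDict()   # session id -> destination host, oldest first
        self.arrivals = deque()          # timestamps of half-open attempts in the last 60 s
        self.aggressive = False
        self.log = []                    # (state, time, count, rate), like ALERT_ON/ALERT_OFF

    def _rate(self, now):
        """New half-open sessions seen in the last minute (the one-minute rate)."""
        while self.arrivals and now - self.arrivals[0] >= 60:
            self.arrivals.popleft()
        return len(self.arrivals)

    def _host_count(self, host):
        return sum(1 for h in self.half_open.values() if h == host)

    def new_half_open(self, now, sid, host):
        """A SYN (or first UDP packet) with no reply yet. Returns what happened to it."""
        self.arrivals.append(now)
        rate = self._rate(now)
        # Per-host limit is checked first: a single target being hammered is
        # dropped regardless of the global state.
        if self._host_count(host) >= self.per_host:
            return "dropped: per-host limit"
        self.half_open[sid] = host
        count = len(self.half_open)
        if not self.aggressive and (count > self.max_high or rate > self.rate_high):
            self.aggressive = True
            self.log.append(("ALERT_ON", now, count, rate))
        if self.aggressive and len(self.half_open) > 1:
            # Assumed eviction policy: each new arrival costs the oldest half-open session.
            self.half_open.popitem(last=False)
        self._maybe_calm(now)
        return "accepted"

    def completed(self, now, sid):
        """Three-way handshake finished (or UDP return traffic seen): no longer half-open."""
        self.half_open.pop(sid, None)
        self._maybe_calm(now)

    def _maybe_calm(self, now):
        # Hysteresis: leave aggressive mode only below BOTH low thresholds.
        if self.aggressive and len(self.half_open) < self.max_low and self._rate(now) < self.rate_low:
            self.aggressive = False
            self.log.append(("ALERT_OFF", now, len(self.half_open), self._rate(now)))


def simulate_syn_flood():
    """Constructed scenario: 520 half-open sessions arrive within one minute, spread
    over 200 hosts so the per-host limit never fires; two minutes later the flood has
    stopped and 150 of the surviving sessions complete their handshake."""
    m = HalfOpenMonitor()
    for i in range(520):
        m.new_half_open(now=i * 0.1, sid=f"s{i}", host=f"10.1.1.{i % 200}")
    peak = len(m.half_open)
    for sid in list(m.half_open)[:150]:
        m.completed(now=120.0, sid=sid)
    return m, peak


def simulate_single_host_burst(n=60):
    """Constructed scenario: n half-open sessions to one host, slowly enough that
    neither global threshold is crossed. Returns how many the per-host limit dropped."""
    m = HalfOpenMonitor()
    results = [m.new_half_open(now=i, sid=f"h{i}", host="10.1.1.5") for i in range(n)]
    return results.count("dropped: per-host limit")


if __name__ == "__main__":
    m, peak = simulate_syn_flood()
    print(f"peak half-open: {peak}, still aggressive: {m.aggressive}, remaining: {len(m.half_open)}")
    for state, when, count, rate in m.log:
        print(f"{state:<9} t={when:6.1f}s count={count} rate={rate}/min")
    print(f"per-host limit dropped {simulate_single_host_burst()} of 60 attempts")
```

In the flood scenario the count is pinned at 500 for as long as new half-open sessions keep arriving; it is only after the rate drops to zero and the count falls under 400 that the model logs ALERT_OFF, which is the hysteresis the low thresholds exist to provide.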
Let’s leave the defaults on the Lab_B router and continue on to the Port-to-Application Mapping section.
Configuring PAM
You ask, and Cisco delivers! Previous versions of CBAC assumed that applications were always hosted on the same, well-known port. Live and learn. In the real world, this isn’t always the case. Haven’t you all set up a rogue web server on some obscure port? Port-to-Application Mapping (PAM) allows you to modify the default values of well-known ports, and thus teach CBAC how to recognize these familiar apps in their new homes. Check out the default PAM mappings in Table 5.2.
Table 5.2 Default Application Mappings

Application   Port
cuseeme       7648
exec          512
ftp           21
http          80
h323          1720
login         513
mgcp          2427
msrpc         135
netshow       1755
realmedia     7070
rtsp          554
rtsp          8554
shell         514
sip           5060
smtp          25
sql-net       1521
streamworks   1558
sunrpc        111
telnet        23
tftp          69
vdolive       7000
Okay, so these are the defaults. But what if you have an HTTP server running on port 8000? That’s where PAM comes in. PAM allows you to map these applications or services to the ports that you’re really using and still get to enjoy all of CBAC’s capabilities. The available options in your configuration look like this:
Lab_B#conf t
Lab_B(config)#ip port-map ?
  cuseeme      CUSeeMe Protocol
  dns          Domain Name Server
  exec         Remote Process Execution
  finger       Finger
  ftp          File Transfer Protocol
  gopher       Gopher
  h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http         Hypertext Transfer Protocol
  imap         Internet Message Access Protocol
  kerberos     Kerberos
  ldap         Lightweight Directory Access Protocol
  login        Remote login
  lotusnote    Lotus Note
  mgcp         Media Gateway Control Protocol
  ms-sql       Microsoft SQL
  msrpc        Microsoft Remote Procedure Call
  netshow      Microsoft NetShow
  nfs          Network File System
  nntp         Network News Transfer Protocol
  pop2         Post Office Protocol - Version 2
  pop3         Post Office Protocol - Version 3
  realmedia    RealNetwork's Realmedia Protocol
  rtsp         Real Time Streaming Protocol
  sap          SAP
  shell        Remote command
  sip          Session Initiation Protocol
  smtp         Simple Mail Transfer Protocol
  snmp         Simple Network Management Protocol
  sql-net      SQL-NET
  streamworks  StreamWorks Protocol
  sunrpc       SUN Remote Procedure Call
  sybase-sql   Sybase SQL
  tacacs       Login Host Protocol (TACACS)
  telnet       Telnet
  tftp         Trivial File Transfer Protocol
  vdolive      VDOLive Protocol
Lab_B(config)#ip port-map http port 8000
Configuring options such as these modifies the default port-mapping of HTTP. You can create multiple ports for the same application, but you’ll receive a warning if you try to map an application to the well-known port of another application. You can use the no version of the ip port-map command to remove the configuration, and you can use the show ip port-map command to review the changes and current PAM settings:
Lab_B(config)#^Z
Lab_B#show ip port-map
Default mapping: vdolive      port 7000  system defined
Default mapping: sunrpc       port 111   system defined
Default mapping: netshow      port 1755  system defined
Default mapping: cuseeme      port 7648  system defined
Default mapping: tftp         port 69    system defined
Default mapping: rtsp         port 8554  system defined
Default mapping: realmedia    port 7070  system defined
Default mapping: streamworks  port 1558  system defined
Default mapping: ftp          port 21    system defined
Default mapping: telnet       port 23    system defined
Default mapping: rtsp         port 554   system defined
Default mapping: h323         port 1720  system defined
Default mapping: sip          port 5060  system defined
Default mapping: smtp         port 25    system defined
Default mapping: http         port 80    system defined
Default mapping: msrpc        port 135   system defined
Default mapping: exec         port 512   system defined
Default mapping: login        port 513   system defined
Default mapping: sql-net      port 1521  system defined
Default mapping: shell        port 514   system defined
Default mapping: mgcp         port 2427  system defined
Default mapping: http         port 8000  user defined
Lab_B#
Did you notice that the HTTP mapping on port 8000 is user-defined, but all the other ports are system-defined? You can also set additional parameters for this command to get more than just one application or port, as follows:
Lab_B#show ip port-map http
Default mapping: http         port 80    system defined
Default mapping: http         port 8000  user defined
Lab_B#show ip port-map port 8000
Default mapping: http         port 8000  user defined
Lab_B#
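To make the PAM semantics concrete, here is an added Python model of the port-map table; it is not IOS code and not from the book. It seeds the defaults from Table 5.2, adds and removes user-defined mappings the way ip port-map and no ip port-map do, reproduces the two show ip port-map filters shown above, and answers the question that matters for inspection: which application CBAC will treat traffic on a given port as. The PortMap class and its method names are assumptions, as is the decision to refuse a mapping that collides with another application's well-known port (the chapter only says you receive a warning, so check what your IOS release does with the command).

```python
# Default mappings from Table 5.2 (rtsp has two system-defined ports).
DEFAULT_PORT_MAP = {
    "cuseeme": {7648}, "exec": {512}, "ftp": {21}, "http": {80}, "h323": {1720},
    "login": {513}, "mgcp": {2427}, "msrpc": {135}, "netshow": {1755},
    "realmedia": {7070}, "rtsp": {554, 8554}, "shell": {514}, "sip": {5060},
    "smtp": {25}, "sql-net": {1521}, "streamworks": {1558}, "sunrpc": {111},
    "telnet": {23}, "tftp": {69}, "vdolive": {7000},
}

SYSTEM, USER = "system defined", "user defined"


class PortMap:
    """Model of the CBAC Port-to-Application Mapping table (an assumption, not IOS)."""

    def __init__(self, defaults=DEFAULT_PORT_MAP):
        # Each entry is (application, port, origin); order mirrors show output.
        self.entries = [(app, port, SYSTEM)
                        for app, ports in defaults.items() for port in sorted(ports)]

    def add(self, app, port):
        """ip port-map <app> port <port>. Returns a warning string if the port is the
        well-known port of a different application (the mapping is then refused in this
        model), otherwise None."""
        for other_app, other_port, origin in self.entries:
            if other_port == port and other_app != app and origin == SYSTEM:
                return f"warning: port {port} is the well-known port of {other_app}; mapping not added"
        if any(a == app and p == port for a, p, _ in self.entries):
            return None  # already mapped, nothing to do
        self.entries.append((app, port, USER))
        return None

    def remove(self, app, port):
        """no ip port-map <app> port <port>. Only user-defined entries are removable in
        this model; returns True if something was removed."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e != (app, port, USER)]
        return len(self.entries) != before

    def show(self, app=None, port=None):
        """show ip port-map [<app> | port <port>], rendered one line per entry."""
        rows = [e for e in self.entries
                if (app is None or e[0] == app) and (port is None or e[1] == port)]
        return [f"Default mapping: {a:<12} port {p:<5} {s}" for a, p, s in rows]

    def applications_for(self, port):
        """Which application(s) CBAC would inspect a flow on this port as."""
        return [a for a, p, _ in self.entries if p == port]


def walkthrough():
    """Reproduce the chapter's sequence: map HTTP to 8000, check both show filters,
    try a colliding mapping, then undo the user-defined entry."""
    pm = PortMap()
    first = pm.add("http", 8000)
    by_app = pm.show("http")
    by_port = pm.show(port=8000)
    collision = pm.add("ftp", 23)          # 23 is telnet's well-known port
    removed = pm.remove("http", 8000)
    return {
        "first_add": first,
        "http_rows": by_app,
        "port_8000_rows": by_port,
        "collision": collision,
        "removed": removed,
        "after_remove": pm.applications_for(8000),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Because inspection is keyed on the mapped port, a server listening on an unmapped port is simply not inspected as that application; applications_for is the quick way to confirm that a non-standard port is actually covered before you rely on CBAC to track its sessions.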