IOS Security
Deployment
BRKSEC-2004
Arshad Saeed
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Agenda
• Drivers for Integrated Security
• Technology Overview
• Design Considerations
• Deployment Models
• Real World Use Cases
• Case Study
• Summary
Customers See High Value in Intelligent Services Integration
[Bar chart: 64% of customers surveyed PREFERRED integrated services. Services shown: Firewall, IP Telephony, Virus Protection, Intrusion Prevention, Intrusion Detection, IPSec VPN, SSL VPN, Wireless & Mobility; the axis is the percentage preferring integration, 0 to 100.]
Source: Yankee Group Research Inc., Jan 2006
Threats and Challenges
Threats at the Branch Office
[Diagram: several branch offices connected through the Internet to the corporate office. Threats called out: DDoS on the router, attacks on branch servers, uncontrolled web surfing, worms/viruses, wireless attacks, voice attacks.]
Requirement of Integrated Security Solution
IOS Security: Securing the Branch Office
[Diagram: each branch threat mapped to the Cisco IOS feature that addresses it on the branch router:
  DDoS on router -> Network Foundation Protection
  Attacks on branch servers -> Application Firewall
  Worms congesting the WAN -> IPS and Flexible Packet Matching (FPM)
  Regulate web surfing -> URL Filtering
  Voice attacks -> Voice Security
  Wireless attacks -> Wireless Security]
• Secure Internet access to the branch, without the need for additional devices
• Control worms and viruses right at the remote site, conserving WAN bandwidth
• Protect the router itself from hacking and DoS attacks
Cisco IOS Security—Router Technologies
[Diagram: the IOS security portfolio grouped in layers]
Secure Network Solutions: Compliance, Secure Voice, Secure Mobility, Business Continuity
Integrated Threat Control: Advanced Firewall, URL Filtering, Intrusion Prevention, Flexible Packet Matching, Network Foundation Protection
Secure Connectivity: IPsec VPN, DMVPN, GET VPN, SSL VPN
Network Admission Control, 802.1x
Management and Instrumentation: SDM, Role Based Access, NetFlow, IP SLA
Integrated Threat Control
• Cisco IOS Firewall (Classic and Zone-Based)
• Cisco IOS Application Intelligence Control
• Cisco IOS Intrusion Prevention System
• Cisco IOS URL Filtering (native lists or an external filtering server)
• Cisco IOS Flexible Packet Matching (FPM)
• Cisco IOS Network Foundation Protection (NFP)
Cisco IOS Firewall Overview
Advanced Layer 3–7 Firewall
• Cisco IOS Firewall is an ICSA- and Common Criteria-certified firewall
• Stateful filtering
• Application inspection (Layer 3 through Layer 7)
• Application control—Application Layer Gateway (ALG) engines for a wide range of protocols and applications
• Built-in DoS protection capabilities
• Supports deployments with VRFs, transparent mode and stateful failover
• IPv6 support
http://www.cisco.com/go/iosfw
Cisco IOS Zone-Based
Policy Firewall
• Allows grouping of physical and virtual interfaces into zones
Supported Features
• Stateful inspection
• Firewall policies are applied to traffic traversing zones
• Application inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP
• Simple to add or remove interfaces and integrate them into the firewall policy
• Per-policy parameters
• URL filtering
• Transparent firewall
• VRF-aware firewall
[Diagram: three zones on one router: Private (trusted), DMZ, and Public (untrusted, facing the Internet). Zone-pair policies shown: Private-DMZ, DMZ-Private, Public-DMZ, Private-Public.]
Cisco IOS Zone-Based Firewall—Rule Table (SDM)
[Screenshot of the SDM rule table]
Cisco IOS Transparent Firewall
• Introduces "stealth firewall" capability
  No IP address associated with the firewall (nothing to attack)
  No need to renumber or break up IP subnets
  The IOS router bridges between the two "halves" of the network
Use Case: Firewall Between Wireless and Wired LANs
• Both wired and wireless segments are in the same subnet, 192.168.1.0/24
• VLAN 1 is the "private" protected network
• Wireless is not allowed to access the wired LAN
[Diagram: wireless segment (host 192.168.1.3) on Fa 0/0 and wired VLAN 1 (host 192.168.1.2), separated by the transparent firewall in the router; router uplink to the Internet]
Cisco IOS Flexible Packet Matching (FPM)
Rapid Response to New and Emerging Attacks
• Network managers require tools to filter day-zero attacks, for example before IPS signatures are available
• Traditional ACLs take a shotgun approach—legitimate traffic could be blocked
  Example: stopping Slammer with ACLs meant blocking port 1434, denying business transactions involving Microsoft SQL
• FPM delivers flexible, granular Layer 2–7 matching
  Example: port 1434 + packet length 404B + specific pattern within payload -> Slammer
[Diagram: a match pattern applied to the raw bit stream of the packet, combined with AND / OR / NOT]
Cisco.com/go/fpm
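The Slammer example above, the port-only ACL beside the FPM-style rule (port 1434 AND IP length 404 AND a payload pattern), as an added Python example; this code is not from the deck or from Cisco IOS. The packets are constructed in memory, and the marker bytes and their payload offset are assumptions for the demo, not a real Slammer signature.

```python
"""Port-only ACL versus FPM-style matching on constructed IPv4/UDP packets.

  acl_blocks(): 'deny udp any any eq 1434' -- matches on the port alone.
  fpm_blocks(): UDP dst port 1434 AND IP total length 404 AND a byte
                pattern at a fixed payload offset (all three must hold).
"""
import struct

SQL_MONITOR_PORT = 1434      # MS SQL Server Resolution Service (UDP)
SLAMMER_IP_LENGTH = 404      # IP total length the deck cites for Slammer
# Marker bytes and offset are ASSUMED for this demo, not the worm's real ones.
PATTERN = b"\x04\x01\x01\x01"
PATTERN_OFFSET = 0


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Return a minimal IPv4 header + UDP header + payload (checksums zeroed)."""
    udp_len = 8 + len(payload)
    total_len = 20 + udp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


def parse(pkt):
    """Decode the fields both rules need; None for anything that is not UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17:                      # IP protocol field: 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"total_len": total_len, "dport": dport, "payload": pkt[ihl + 8:total_len]}


def acl_blocks(pkt):
    """Traditional ACL: any UDP datagram to port 1434 is denied."""
    f = parse(pkt)
    return f is not None and f["dport"] == SQL_MONITOR_PORT


def fpm_blocks(pkt):
    """FPM-style rule: port AND length AND payload pattern at an offset."""
    f = parse(pkt)
    if f is None:
        return False
    window = f["payload"][PATTERN_OFFSET:PATTERN_OFFSET + len(PATTERN)]
    return (f["dport"] == SQL_MONITOR_PORT
            and f["total_len"] == SLAMMER_IP_LENGTH
            and window == PATTERN)


# Constructed sample traffic (not captured data).
# 1) A benign SQL Server Resolution query: a client asking for an instance.
BENIGN_QUERY = build_ipv4_udp("10.1.1.5", "10.2.2.10", 40001,
                              SQL_MONITOR_PORT, b"\x04MSSQLSERVER\x00")
# 2) A Slammer-like datagram: same port, padded so the IP length is 404 bytes.
SLAMMER_LIKE = build_ipv4_udp("10.9.9.9", "10.2.2.10", 1434, SQL_MONITOR_PORT,
                              PATTERN + b"\x90" * (404 - 20 - 8 - len(PATTERN)))
# 3) A DNS query, unrelated to port 1434.
DNS_QUERY = build_ipv4_udp("10.1.1.5", "10.2.2.53", 40002, 53,
                           b"\x12\x34" + b"\x01" * 10)


def compare():
    """Return {name: (acl_blocks, fpm_blocks)} for the three sample packets."""
    samples = {"benign_query": BENIGN_QUERY,
               "slammer_like": SLAMMER_LIKE,
               "dns_query": DNS_QUERY}
    return {name: (acl_blocks(p), fpm_blocks(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (acl, fpm) in compare().items():
        print(f"{name:14s} ACL blocks={acl!s:5s} FPM blocks={fpm}")
```

The benign resolution query is dropped by the ACL but passed by the FPM rule, which is the page's point: the extra length and payload conditions are what separate the worm from legitimate SQL browser traffic on the same port.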
Cisco IOS Intrusion Prevention (IPS)
Distributed Defense Against Worms and Viruses
• Cisco IOS IPS stops attacks at the entry point, conserves WAN bandwidth, and protects the router and remote network from DoS attacks
• Integrated form factor makes it cost-effective and viable to deploy IPS in Small and Medium Business and Enterprise branch/telecommuter sites
• Supports 1700+ signatures sharing the same signature database available with Cisco IPS sensors
• Allows custom signature sets and actions to react quickly to new threats
[Diagram: branch office, small branch, and small office/telecommuter sites connected over the Internet to the corporate office. Callouts: protect the router and local network from DoS attacks; stop attacks before they fill up the WAN; apply IPS on traffic from branches to kill worms from infected PCs.]
http://www.cisco.com/go/iosips
Comprehensive, Scalable
IPS Management
Integrated, Collaborative Security for the Branch
• Full range of management options:
  Cisco SDM 2.4† provides full IPS provisioning and monitoring for a single router
  Cisco Security Manager 3.1† / CS-MARS for Enterprise IPS
  CLI option supports automated provisioning and signature update†
  Cisco Configuration Engine for MSSP—scales to thousands of devices‡
• Operational consistency across the Cisco IPS portfolio
• Risk Rating and Signature Event Action Processor (SEAP) reduce false positives‡
• Enhanced Microsoft signature support (MSRPC and SMB)†
† New in Cisco IOS 12.4(11)T1 / 12.4(13)T
‡ Unique in the industry
Cisco IOS Transparent IPS
Use Case: IPS Between Wireless and Wired LANs
• Introduces "stealth IPS" capability
  No IP address associated with the IPS (nothing to attack)
  The IOS router bridges between the two "halves" of the network
• Both wired and wireless segments are in the same subnet, 192.168.1.0/24
• VLAN 1 is the "private" protected network
[Diagram: same topology as the transparent firewall use case, with transparent IPS between the wireless segment (host 192.168.1.3, Fa 0/0) and wired VLAN 1 (host 192.168.1.2); router uplink to the Internet]
Cisco IOS URL Filtering
Internet Usage Control
• Control employee access to entertainment sites during work hours
• Control downloads of objectionable or offensive material, limit liabilities
• Cisco IOS supports static whitelist and blacklist URL filtering
• External filtering servers such as Websense or SmartFilter can be used at the corporate office, with Cisco IOS static lists as backup
• SDM 2.3 supports configuring static lists and importing .csv files for URL lists
[Diagram: branch office web surfing to the Internet through the router's URL filter]
Router Hardening
Cisco NFP (Network Foundation Protection)
Think "Divide and Conquer": a methodical approach to protecting three planes
A router can be logically divided into three functional planes:
1. Data plane (ability to forward data): the vast majority of packets handled by a router travel through the router by way of the data plane
2. Management plane (ability to manage): traffic from management protocols and other interactive access protocols, such as Telnet, Secure Shell (SSH) protocol, and SNMP, passes through the management plane
3. Control plane (ability to route): routing control protocols, keepalives, ICMP, packets with IP options, and packets destined to the local IP addresses of the router pass through the control plane
Cisco IOS Control Plane Policing
Network Foundation Protection
Continual Router Availability Under Duress
• Mitigates DoS attacks on the control plane (route processor) such as ICMP floods
• Polices and throttles incoming traffic to the control plane; maintains packet forwarding and protocol states during attacks or heavy traffic load
[Diagram: incoming packets go through the CEF/FIB lookup; locally switched packets go to the output packet buffer, processor-switched packets are queued for the control plane. Input to the control plane (management: SNMP, Telnet; ICMP; IPv6; routing updates; ...) passes through Control Plane Policing, which alleviates DoS attacks. Output from the control plane (management: SSH, SSL; ...) passes through Silent Mode, which prevents reconnaissance.]
Cisco.com/go/nfp
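How per-class control-plane policing behaves under an ICMP flood while routing and management traffic keep flowing, as an added Python model; this is not IOS code and not from the deck. The class set, the rates and bursts, and the packet stream are assumptions constructed for the demo.

```python
"""Control Plane Policing modelled as per-class token-bucket policers.

Packets punted to the route processor are classified (first match wins,
like class-map order in a policy-map) and each class is policed with its
own bucket, equivalent to 'police <rate> <burst> conform-action transmit
exceed-action drop' under a CoPP policy-map.  The flood exhausts only the
ICMP class; OSPF and SSH are untouched because they use separate buckets.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Single-rate policer: rate in packets/s, burst = bucket depth."""
    rate_pps: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def conform(self, now):
        # Refill in proportion to elapsed time, capped at the burst depth.
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.rate_pps)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True          # conform-action transmit
        return False             # exceed-action drop


def classify(pkt):
    """Map a punted packet to a CoPP class (assumed class set)."""
    proto, dport = pkt["proto"], pkt.get("dport")
    if proto == "ospf" or (proto == "tcp" and dport == 179):
        return "routing"
    if proto in ("tcp", "udp") and dport in (22, 23, 161, 443):
        return "management"
    if proto == "icmp":
        return "icmp"
    return "class-default"


def build_policy():
    """Per-class policers; rates and bursts are illustrative assumptions."""
    return {
        "routing": TokenBucket(rate_pps=1000, burst=100),
        "management": TokenBucket(rate_pps=200, burst=40),
        "icmp": TokenBucket(rate_pps=100, burst=20),
        "class-default": TokenBucket(rate_pps=50, burst=10),
    }


def run(packets, policy=None):
    """Police a time-ordered packet list; return per-class conform/exceed counts."""
    policy = policy or build_policy()
    stats = {cls: {"conform": 0, "exceed": 0} for cls in policy}
    for pkt in packets:
        cls = classify(pkt)
        ok = policy[cls].conform(pkt["t"])
        stats[cls]["conform" if ok else "exceed"] += 1
    return stats


def sample_traffic():
    """Constructed stream: a 300-packet ICMP burst, OSPF hellos, SSH, a second burst."""
    pkts = [{"t": 0.0, "proto": "icmp"} for _ in range(300)]
    pkts += [{"t": float(i), "proto": "ospf"} for i in range(10)]
    pkts += [{"t": 0.5, "proto": "tcp", "dport": 22} for _ in range(5)]
    pkts += [{"t": 1.0, "proto": "icmp"} for _ in range(50)]
    pkts += [{"t": 2.0, "proto": "udp", "dport": 5000}]
    return sorted(pkts, key=lambda p: p["t"])


if __name__ == "__main__":
    for cls, counts in run(sample_traffic()).items():
        print(f"{cls:14s} conform={counts['conform']:4d} exceed={counts['exceed']:4d}")
```

With these numbers the ICMP class admits its 20-packet burst, drops the remaining 280, refills to the burst depth by t=1.0 and admits 20 of the next 50, while every OSPF hello and SSH packet conforms. Classifying routing and management into their own classes before the catch-all is what keeps the flood from starving them.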
Cisco IOS AutoSecure
One Touch Automated Router Lockdown
Disables Non-Essential Services
• Eliminates DoS attacks based on fake requests
• Disables mechanisms that could be used to exploit security holes
Enforces Secure Access
• Enforces enhanced security in accessing the device
• Enhanced security logs
• Prevents attackers from knowing packets have been dropped
Secures Forwarding Plane
• Protects against SYN attacks
• Anti-spoofing
• Enforces stateful firewall configuration on external interfaces, where available
http://www.cisco.com/go/autosecure
Secure Connectivity
GET VPN, DMVPN, Easy VPN, SSL VPN
Cisco IOS Secure Connectivity Overview
Solution | Key Technologies
Standard IPsec | Full standards compliance for interoperability with other vendors
Advanced Site-to-Site VPN | Hub-and-Spoke VPN: Enhanced Easy VPN—Dynamic Virtual Tunnel Interfaces, Reverse Route Injection, dynamic policy push and high scalability; routed IPsec + GRE or DMVPN with dynamic routing
 | Spoke-to-Spoke VPN: Dynamic Multipoint VPN (DMVPN)—on-demand VPNs (partial mesh)
 | Any-to-Any VPN: Group Encrypted Transport (GET) VPN—no point-to-point tunnels
Advanced Remote Access VPN | Enhanced Easy VPN (IPsec): Cisco dynamic policy push and FREE VPN clients for Windows, Linux, Solaris and Mac platforms
 | SSL VPN: no client pre-installation required; provides end-point security through Cisco Secure Desktop
Inside Cisco GET VPN
GET VPN Simplifies Security Policy and Key Distribution
GET VPN Uses IP Header Preservation to Mitigate Routing Overlay
[Diagram: group members on subnets 1 to 4 across a private WAN, with a key server (and a cooperative key server) distributing keys and policy to every group member]
Packet formats:
  Original IP packet: IP Header | IP Payload
  IPsec tunnel mode: New IP Header | ESP Header | Original IP Header | IP Payload
  GET VPN (IP header preservation): Original IP Header | ESP Header | Original IP Header | IP Payload
• GET uses Group Domain of Interpretation (GDOI), RFC 3547, for standards-based key distribution
• GET adds cooperative key servers for high availability
• Key servers authenticate and distribute keys and policies; group member provisioning is minimized; application traffic is encrypted by the group members
Cisco Dynamic Multipoint VPN
• Full meshed connectivity with simple configuration of hub and spokes
• Supports dynamically addressed spokes
• Zero touch configuration for addition of new spokes
Secure On-Demand Meshed Tunnels
[Diagram: hub with a static, known IP address; spokes A, B and C with dynamic, unknown IP addresses across the WAN; traditional static tunnels hub-to-spoke and on-demand DMVPN tunnels spoke-to-spoke]
What's New in Phase 3
• Improved scaling—NHRP/CEF rewrite and EIGRP scaling enhancements
• Manageability enhancements
Cisco.com/go/dmvpn
Cisco Enhanced Easy VPN
Centralized Policy-Based Management
• Automated deployments—no user intervention
• Enforces consistent policy on remote devices
• Add new devices without changes at the headend
• CTA/NAC policy enforcement
• Supports dynamic connections with VPN
• Interoperable across Cisco access and security devices
• Password aging via AAA
• Cisco VPN client—the only FIPS-certified client
What's New in Easy VPN?
• Centralized policy push for the integrated client firewall
• cTCP NAT transparency and firewall traversal
• DHCP client proxy and DDNS registration
• Split DNS
• Per-user policy from RADIUS
• Support for identically addressed spokes behind NAT with split tunnels
• VTI manageability—display of VRF information, summary commands
[Diagram: 1. the remote calls 'home' to the Cisco Security Router at the corporate office over the Internet; 2. the VPN tunnel is established; 3. the headend validates the client and pushes policy. Hardware clients: Cisco ASA, PIX, Security Router; Cisco VPN software client on PC/Mac/UNIX.]
http://www.cisco.com/go/easyvpn
Cisco IOS SSL VPN
Clientless Access (web based + application helper)
• Browser-based (clientless)
• Gateway performs content transformation
• File sharing (CIFS), OWA, Citrix
• Java-based application helper
Full Network Access (IP over SSL, IP-based applications)
• Application agnostic
• Tunnel client dynamically loaded
• No reboot required after installation
• Client may be permanently installed or removed dynamically
• Cisco Router and Security Device Manager—simple GUI-based provisioning and management with step-by-step wizards for turnkey deployment
• Cisco Secure Desktop—prevents digital leakage, protects user privacy, is easy to implement and manage, and works with desktop guest permissions
• Virtualization and VRF awareness—pool resources
Secure Connectivity Related Sessions
• BRKSEC-3005: Advanced Remote Access with SSL VPN
• BRKSEC-3008/2007: Site to Site VPN with GET VPN
• BRKSEC-3006: Advanced Site to Site VPN: Dynamic Multipoint VPNs (DMVPN)
Instrumentation and Management
SDM, Role Based Access, NetFlow, IP SLA
Cisco Security Management Suite
Cisco Security Device Manager
• Quickest way to set up a device
• Wizards to configure firewall, IPS, VPN, QoS, and wireless
• Ships with the device
Cisco Security Manager
• New solution for configuring routers, appliances, switches
• Configures all device parameters
• New user-centered design
• New levels of scalability
Cisco Security MARS
• Solution for monitoring and mitigation
• Uses control capabilities within the infrastructure to eliminate attacks
• Visualizes attack paths
Instrumentation
Your network management system is only as good as the data you can get from the devices in the network
IP Service Level Agent (IP SLAs): network performance data (latency & jitter)
NetFlow and NBAR: detailed statistics for all data flows in the network (see Advanced NetFlow Deployment, BRKNMS-3005)
SNMP v3 and SNMP informs: reliable traps using SNMP informs
Syslog Manager and XML-formatted syslog: total flexibility to parse and control syslog messages on the router itself
Tcl scripting and Kron (cron) jobs: flexible, programmatic control of the router
Role-Based CLI Access: partitioned, non-hierarchical access (e.g. Network and Security Operations)
SDM (Security Device Manager 2.4)
[Screenshot]
CSM (Cisco Security Manager 3.1)
[Screenshot]
Cisco IOS Security Integration with CS-MARS
• CS-MARS correlates Cisco IOS Firewall, IOS IPS and NetFlow data
• Gain network intelligence
  Use the network you have: correlate the router's NetFlow (WAN data) with firewall, IDS/IPS and switch data
  Build a topology and traffic flow model
  Know device configuration and enforcement abilities
• ContextCorrelation™
  Correlates, reduces and categorizes events; validates incidents
• Allows for response
[Diagram: inputs (IOS firewall logs, IOS IPS events, NetFlow, syslogs, SNMP, router configuration, ACLs, rules, sessions, ...) arrive as isolated events, pass through correlation and reduction, and come out as verified, valid incidents]
Design Consideration
Design Consideration: Cisco IOS Firewall
• Classic or zone-based firewall
  Zone-based firewall from 12.4(4)T, or classic firewall
  All new features are offered in the zone-based policy firewall configuration model; there is no end-of-life plan for the Classic Cisco IOS Firewall, but it will receive no new features
• Manageability
  Provisioning firewall policies: CLI, Cisco Security Manager, SDM and Config Engine
  Monitoring firewall activity: syslog, SNMP, screen-scrapes from "show" commands
  Modifying security policies: SDM supports the zone-based firewall
• Interoperability
  Cisco IOS Firewall interoperates with other features: NAT, VPN, Intrusion Prevention System (IPS), WCCP/WAAS, proxy, URL filtering and QoS
• Memory usage
  A single TCP or UDP (Layer 3/4) session takes 600 bytes of memory
  Multi-channel protocol sessions use more than 600 bytes of memory
Design Consideration: Cisco IOS Firewall
Cisco IOS Firewall went through a paradigm shift: 12.4(4)T and onward supports the zone-based IOS firewall
Before Release 12.4(4)T & 12.4 Mainline (Classic IOS Firewall) | Release 12.4(4)T & Later (Zone-Based IOS Firewall)
Interface-based policies | Zone-based policies
No granular support | Very granular firewall policies
Support for Classic IOS Firewall | Support for Classic IOS Firewall continued; no new features on Classic IOS Firewall
No advanced AIC support | Advanced protocol conformance support (P2P, IM, VoIP, etc.)
Supported in CSM and SDM | Supported in SDM; CSM planned for CY2008
No MIB—planned for future | MIB support
No IPv6—future | IPv6 support
Active/Passive failover support | No Active/Passive failover—future
Design Consideration: Cisco IOS Firewall
• Denial of Service (DoS) protection settings
  Prior to 12.4(11)T the default DoS thresholds were set low:
  http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper0900aecd804e5098.shtml
  From 12.4(11)T onward the DoS thresholds are set to their maximum by default
• Addressing
  Firewall policies can be made much more efficient with a well thought-out IP address scheme
• Performance consideration
  Cisco IOS Firewall Performance Guidelines for ISRs (800-3800):
  http://www.cisco.com/en/US/partner/products/ps5855/products_white_paper0900aecd8061536b.shtml
  For real-world performance analysis, contact your local account team
Cisco IOS Firewall
Real World Performance: HTTP
[Chart]
Design Consideration: Cisco IOS Firewall Voice Features
Protocol | Supported | Comments
H.323 V1 & V2 | Yes | Tested using CME 4.0
H.323 V3 & V4 | No | Coming soon (12.4(11)T)
H.323 RAS | Yes | Locally generated/terminated traffic supported
H.323 T.38 Fax | No | Coming soon
SIP UDP | Yes | CCM 4.2 supported; RFC 2543, RFC 3261 not supported
SIP TCP | No | Coming soon
SCCP | Yes | Tested with CCM 4.2/CME 4.0
Locally generated traffic inspection for SIP/SCCP | No | Coming soon
For Cisco IOS® support, contact ask-stg-ios-pm@cisco.com with requirements
Design Consideration: Cisco IOS Flexible Packet Matching
Functionality | ACL | IOS FPM (12.4(11)T)
Number of ACEs per interface | Unlimited | Unlimited
Number of match criteria per ACE | 4 | Unlimited
Depth of inspection | 44 bytes | Full packet
Raw offset | No | Yes
Relative offset (fixed header length support) | No | Yes
Dynamic offset (variable header length support) | No | Yes
Nested policies | No | Yes
Nested class-maps | No | Yes
Regex match | No | Yes
String match | No | Yes
Match string pattern window | No | Full packet
Protocol support | IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP, Ethernet, GRE, IPsec
Actions supported | permit, deny, log | permit, count, drop, log, send-response, nested-policy, redirect, rate limit
Design Consideration: Cisco IOS IPS 4.x and 5.x
Cisco IOS IPS went through a paradigm shift: 12.4(11)T2 and onward supports IPS 5.x
 | Before Release 12.4(11)T2 & 12.4 Mainline | Release 12.4(11)T2 & later
IOS IPS internal version (show subsys name ips) | 2.xxx.xxx | 3.000.000
Signature format | 4.x | 5.x
Signature download URL | http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup | http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup
Signature distribution | Pre-tuned signature files: Basic/Advanced SDF files | Signature package: IOS-Sxxx-CLI.pkg
Loading signatures | From a single SDF file | From a set of configuration files
Configuration of signatures | Flat single-SDF-file approach | Hierarchical multilevel/multi-file approach
Signature updates for Cisco IOS IPS 4.x (12.4(9)T or prior) will continue until June 2008
Design Consideration
Migrating to Cisco IOS IPS 5.x (12.4(11)T2)
• Option 1: existing customer using non-customized pre-built signature files (SDFs)
  No signature migration needed
  Signatures in 128MB.sdf are in the IOS-Basic category
  Signatures in 256MB.sdf are in the IOS-Advanced category
• Option 2: existing customer using customized pre-built signature files (SDFs)
  A signature migration (Tcl) script is available on Cisco.com to convert a customized SDF to 5.x format
  This migration script does not migrate user-defined (non-Cisco) signatures
• Migration guide:
  http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd8057558a.shtml
Design Consideration
Cisco IOS IPS – 12.4(11)T2 and Later Release
• Manageability
  Provisioning IPS policies: CLI, Cisco Security Manager, SDM and Config Engine
  Signature tuning and update:
    The basic category is the Cisco recommended signature set for routers with 128 MB RAM; the advanced category is for 256 MB RAM
    Signature tuning with the command-line interface (CLI) is available from 12.4(11)T
    Signature package updates align with the Cisco 42xx sensors (auto update via CSM)
  Monitoring IPS activity: reporting via CS-MARS (SDEE and syslog support) and screen-scrapes from "show" commands
  Modifying security policies: SDM and CSM support IPS
Design Consideration
Provisioning and Monitoring Options
IPS Signature Provisioning
  Up to 5 routers: Cisco Security Device Manager (SDM)
  More than 5 routers, same signature set/policy:
    Opt 1: Cisco Security Manager (CSM)
    Opt 2: Cisco SDM and Cisco Configuration Engine to copy the SDM-generated IPS files to a large number of routers
  More than 5 routers, different signature set/policy: single or multiple instances of CSM
IPS Event Monitoring
  1 router: Cisco IPS Event Viewer (IEV) or Cisco SDM
  Up to 5 routers: Cisco IEV or a syslog server
  More than 5 routers: Cisco Security MARS x.3.2 (model and quantity depend on the number of routers, topology and cumulative EPS)
Design Consideration
Cisco IOS Intrusion Prevention System (IPS)
• Performance consideration
  Performance of the router is not affected by adding more signatures
• Memory usage
  The signature compilation process is highly CPU-intensive while the signatures are being compiled. The number of signatures that can be loaded on a router is memory-dependent
• Fragmentation
  Cisco IOS IPS uses VFR (Virtual Fragmentation Reassembly) to detect fragmentation attacks
Cisco IOS IPS and Out-of-Order Packets
• Cisco IOS IPS supports out-of-order packets starting from the following two releases:
  Release 12.4(9)T2
  Release 12.4(11)T
• Configurable via CLI: ip inspect tcp reassembly
• Notification for packets dropped due to insufficient buffer space
Cisco Security Manager 3.1: Cisco IOS IPS Signature List View
[Screenshot]
Cisco IOS IPS and Auto Update
[Screenshots: SDM and CSM]
Design Consideration: IOS IPS and IPS Appliances/Modules
 | Cisco IOS IPS Release 12.4(9)T | Cisco IOS IPS Release 12.4(11)T | Cisco IPS 42xx sensors, IDSM2, SSM-AIP, NM-CIDS modules
Signature format | 4.x | 5.x/6.0 | 5.x/6.0
Signature updates & tuning | using SDF | using IDCONF | using IDCONF
Signatures supported | Subset of 1600+ signatures (depends on router model/DRAM) | Subset of 1600+ signatures (depends on router model/DRAM) | 1900+ signatures selected by default
Recommended (pre-built or default) signature set | Basic or Advanced SDF | IOS-Basic or IOS-Advanced category | All signatures, alarm-only
Day-zero anomaly detection | No | No | Available in 6.0 release
Transparent (L2) IPS | Yes | Yes | Yes
Rate limiting | No | No | Yes
IPv6 detection | No | No | Yes
Signature Event Action Processor | No | Yes | Yes
Meta signatures | No | No | Yes
Voice, sweep & flood engines | No | No | Yes (H.225 for voice)
Event notification | Syslog & SDEE | Syslog & SDEE | SDEE
IPS Solutions on Cisco ISRs
 | Cisco IOS IPS | Cisco IPS AIM | Cisco NM-CIDS
Dedicated CPU/DRAM for IPS | No | Yes | Yes
Inline and promiscuous detection and mitigation | Yes | Yes | No, promiscuous mode only
Signatures supported | Subset of 2000+ signatures, subject to available memory | Full set of signatures (2200+) | Full set of signatures (2200+)
Automatic signature updates | Yes | Yes | Yes
Day-zero anomaly detection | No | Yes | Yes
Rate limiting | No | Yes | Yes
Cisco Security Agent and Cisco IPS collaboration | No | Yes | No
Meta Event Generator | No | Yes | Yes
Event notification | Syslog, SDEE | SNMP and SDEE | SNMP and SDEE
Device management | CLI, SDM | IOS CLI, IDM | IPS CLI, IDM
System/network management | CSM | CSM | CSM
Event monitoring and correlation | IEV, CS-MARS | IEV, CS-MARS, on-box Meta Event Generator | IEV, CS-MARS, on-box Meta Event Generator
NOTE: Only one IPS solution may be active in the router. All others must be removed or disabled.
Design Consideration: Recommendation
• New web and collateral content at http://www.cisco.com/go/iosips/
• Use the latest T-train image: 12.4(15)T2
  Native support for Microsoft SMB and MSRPC signatures
  Works with the WAAS module if Zone-Based Firewall is also configured
  Includes many bug fixes for SDM interoperability, etc.
• To use IOS IPS with the WAAS (WAN optimization) module:
  You must use a 12.4(11)T2/T3 or 12.4(15)T2 image
  If IPS is applied on the optimized WAN interface, you must also configure Zone-Based Firewall for a zone including that interface
• If working with an image prior to 12.4(11)T or any Mainline image:
  Use the latest Basic (128MB.sdf) and Advanced (256MB.sdf) signature files at http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup/
Deployment Models
Enterprise Branch Profiles
[Diagram: two branch profiles. Dual Router Model: branch office with two routers connected to the corporate office over the private WAN. Single Router Model: branch office with one router connected to the corporate office over the private WAN and, where shown, to the Internet.]
Security services in both models: Cisco IOS Firewall, Cisco IOS IPS, infrastructure protection, ACLs, IPsec VPNs
Enterprise Branch Profile
Single Router Model
Single Router Model
• Primary: Internet with IPsec VPN (IP VPN)
• Backup: none
• Internet access is via split tunneling
[Diagram: branch office router connected over the Internet to the corporate office]
Security services: Cisco IOS Firewall, Cisco IOS IPS, infrastructure protection, ACLs
Enterprise Branch Profile
Single Router Model
Single Router Model
• Primary WAN services: leased line/E1/fiber or IP VPN
• Backup: Internet (ADSL) with VPN, or UMTS
• Internet access is via split tunneling
• Failover: routing protocol with EOT (Enhanced Object Tracking)
[Diagram: branch office router with a private WAN link to the corporate office and an Internet link]
Security services: Cisco IOS Firewall, Cisco IOS IPS, infrastructure protection, ACLs
Enterprise Branch Profile
Single Router Model
Single Router Model
• Primary WAN services: leased line/E1/fiber
• Backup: leased line/E1/fiber
• Internet access policy enforced via the corporate office
• Failover: routing protocol
[Diagram: branch office router with two private WAN links to the corporate office]
Security services: Cisco IOS Firewall, Cisco IOS IPS, infrastructure protection, ACLs
Enterprise Branch Profile
Dual Router Model
Dual Router Model
• Primary WAN services: leased line/E1/fiber
• Backup: leased line/E1/fiber
• Internet access policy enforced via the corporate office
• Stateful firewall (stateful failover)
[Diagram: branch office with two routers, each with a private WAN link to the corporate office]
Security services: Cisco IOS Firewall, Cisco IOS IPS, infrastructure protection, ACLs
Real World Use Cases
Real World Use Cases
1. Protect the Inside LAN at Branch Office with Split Tunneling Deployed
2. Protect Servers at Branch Office
3. Protect WAN Link and Corporate Office
4. Transparent Firewall and IPS
5. Virtual Firewall and IPS
6. Blocking Peer-to-Peer and Instant Messaging Applications
7. Load Balancing and Failover with Two Providers
   a. Load Balancing
   b. Failover
1. Protect the Inside LAN at Branch Office
with Split Tunneling Deployed
Cisco IOS Firewall and IPS Policies:
• Allow authenticated users to access corporate resources
• Restrict guest users to Internet access only
• Control peer-to-peer and instant messaging applications
[Diagram: branch office router with employees (192.168.1.x/24) and wireless guests (192.168.2.x/24). Employees reach the corporate network over an IPsec tunnel across the Internet; guests can access the Internet only; the router inspects Internet traffic.]
1. Firewall Configuration Snippet
Security zones:
  zone security private
  zone security public
  !
Classification (the order of the match statements is important):
  class-map type inspect match-any protocols
   match protocol dns
   match protocol https
   match protocol icmp
   match protocol imap
   match protocol pop3
   match protocol tcp
   match protocol udp
  !
Security policy:
  policy-map type inspect firewall-policy
   class type inspect protocols
    inspect
  !
Security zone policy:
  zone-pair security zone-policy source private destination public
   service-policy type inspect firewall-policy
  !
Interface zone membership:
  interface Vlan1
   description private interface
   zone-member security private
  !
  interface FastEthernet0
   description public interface
   zone-member security public
1. Cisco IOS Zone-Based Firewall (SDM)
1. IPS Configuration Snippet
Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:
 IOS-Sxxx-CLI.pkg (signature package)
 realm-cisco.pub.key.txt (public key)
Configure the Cisco IOS IPS crypto key:
 mkdir ipstore (create the directory on flash)
 Paste the crypto key from realm-cisco.pub.key.txt into the configuration
Cisco IOS IPS Configuration:
 ip ips config location flash:ipstore retries 1
 ip ips notify SDEE
 ip ips name ips-policy
 ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
Cisco IOS IPS Configuration (cont'd):
 interface fastethernet 0
  ip ips ips-policy in
Load the signatures from the TFTP server:
 copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
 Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
 show ip ips signature count
 Total Compiled Signatures:
 338 -Total active compiled signatures
1. Cisco IOS IPS Signatures and Categories (SDM)
1. Deploying IOS Firewall Split Tunneling (CSM)
1. Deploying IOS IPS (CSM)
2. Protect Servers at Branch Office (Advanced Firewall)
ƒ Cisco® IOS® Firewall and IPS policies applied to the DMZ protect distributed application servers and Web servers hosted at remote sites
Diagram: Servers (192.168.3.14-16/24) are hosted separately in a DMZ off the Branch Office Router; Employees (192.168.1.x/24) and Wireless Guests (192.168.2.x/24) sit behind the same router, which reaches the Corporate Office over an IPsec tunnel across the Internet.
3. Protect WAN Link and Corporate Office (Advanced Firewall)
ƒ Cisco® IOS® Firewall and Intrusion Prevention System (IPS) policies applied to private interfaces protect the WAN link from worms and protocol misuse attacks
Diagram: Servers (192.168.3.14-16/24), Employees (192.168.1.x/24) and Wireless Guests (192.168.2.x/24) sit behind the Branch Office Router; the IPsec tunnel across the Internet to the Corporate Office, and the upstream corporate resources behind it, are protected.
4. Transparent Firewall and IPS (Advanced Firewall)
ƒ Cisco® IOS® transparent firewall policies at bridge interfaces enforce inspection and control of LAN traffic
ƒ Simplifies firewall and IPS deployment at small offices running key applications in a single address space
Diagram: Servers (192.168.1.14-16/24), Contractors (192.168.1.13/24) and Wireless Guests (192.168.1.12/24) share one subnet behind the Branch Office Router, which reaches the Corporate Office over an IPsec tunnel across the Internet. No change is needed to statically addressed devices; DHCP pass-through is supported to assign DHCP addresses on opposite interfaces; access can be restricted to specified devices on a subnet.
5. Virtual Firewall and IPS (Advanced Firewall)
ƒ Cisco IOS Firewall, NAT, and URL-filtering policies are virtual route forwarding (VRF) aware, providing support for overlapping address space, which simplifies troubleshooting and operations
Diagram: Three VRFs (A, B and C) on a single Store Router separate the Photo Shop (192.168.1.x/24), the Retail Store Cash Register (192.168.2.x/24) and Internet Services (192.168.2.x/24); separate IPsec tunnels carry Photo Shop and Retail Store traffic across the Internet to the Photo Shop Corporate Office and the Retail Store Corporate Office; overlapping address space is supported.
5. Deployed Firewall Configuration Snippet (SDM)
6. Blocking Peer-to-Peer and Instant Messaging Applications (Advanced Firewall)
ƒ Cisco IOS Firewall can block/rate-limit instant messaging (IM) applications like MSN, AOL and Yahoo.
Diagram: Servers (192.168.3.14-16/24), Employees (192.168.1.x/24) and Wireless Guests (192.168.2.x/24) sit behind the Branch Office Router, which blocks the instant messengers (e.g. MSN) and reaches the Corporate Office over an IPsec tunnel across the Internet.
6. Blocking Instant Messaging MSN/AOL (SDM)
7a. Load Balancing with Two Providers (Advanced Firewall)
ƒ Cisco IOS Firewall supports WAN load balancing
Diagram: The Branch Office Router connects to ISP-1 and ISP-2; WAN load balancing combines multi-home NAT, destination-based load balancing and the zone-based firewall. Servers (192.168.3.14-16/24), Employees (192.168.1.x/24) and Wireless Guests (192.168.2.x/24) sit behind the router, which reaches the Corporate Office over an IPsec tunnel across the Internet.
7b. Failover with Two Providers (Advanced Firewall)
ƒ WAN object tracking
Diagram: The Branch Office Router connects to ISP-1 and ISP-2; WAN failover combines object tracking, fail over and the zone-based firewall. Servers (192.168.3.14-16/24), Employees (192.168.1.x/24) and Wireless Guests (192.168.2.x/24) sit behind the router, which reaches the Corporate Office over an IPsec tunnel across the Internet.
Case Study
Education—Centralized Deployment
Diagram: The Schools connect over T1 links to a Private WAN; Internet access is provided centrally, with URL Filtering; Intrusion Prevention System (IPS) is applied on traffic from the Schools to kill worms from infected PCs.
Education—Decentralized Deployment
Diagram: Each School keeps its T1 link to the Private WAN and the District School Building and adds a DSL Internet connection (backup), with URL Filtering applied locally against illegal surfing; IPS is applied on traffic from the Schools to kill worms from infected PCs.
Secure Internet:
ƒ Advanced Layer 3-7 firewall
ƒ Web usage control
Summary
ƒ There is an established and increasing trend toward integrated services in the routing industry
ƒ The Integrated Services Edge has become a more common deployment than the distributed architecture
ƒ Cisco IOS network security technologies enable new business applications by reducing risk, as well as helping to protect sensitive data and corporate resources from intrusion
ƒ Consolidation of branch office equipment to lower OPEX is giving rise to integrated security, as is evident from the real world use cases
Q and A
Appendix
Cisco Security Router Certifications
Platform                    | FIPS 140-2 Level 2 | ICSA IPsec | ICSA Firewall | Common Criteria IPsec (EAL4) | Common Criteria Firewall (EAL4)
Cisco® 870 ISR              | ✓      | ✓      | ✓      | Q3CY07 | ✓
Cisco 1800 ISR              | ✓      | ✓      | ✓      | Q3CY07 | ✓
Cisco 2800 ISR              | ✓      | ✓      | ✓      | Q3CY07 | ✓
Cisco 3800 ISR              | ✓      | ✓      | ✓      | Q3CY07 | ✓
Cisco 7200 VAM2+            | ✓      | ✓      | ✓      | Q3CY07 | ✓
Cisco 7301 VAM2+            | ✓      | ✓      | ✓      | Q3CY07 | ✓
Cisco 7600 IPsec VPN SPA    | ✓      | ✓      | ✓      | Q3CY07 | ---
Catalyst 6500 IPsec VPN SPA | ✓      | ✓      | ---    | Q3CY07 | ---
Cisco 7600                  | ✓      | ✓      | ---    | Q3CY07 | ✓
Cisco 7200 VSA              | Q4CY07 | Q2CY07 | Q2CY07 | Q3CY07 | ---
(✓ = certified; QnCY07 = certification planned for that quarter of calendar year 2007; --- = not listed)
Cisco.com/go/securitycert
Cisco IOS Network Foundation Protection
Data Plane features (function and benefit):
ƒ NetFlow: Macro-level, anomaly-based DDoS detection through counting the number of flows (instead of contents); provides rapid confirmation and isolation of attack
ƒ Access Control Lists (ACLs): Protect edge routers from malicious traffic; explicitly permit the legitimate traffic that can be sent to the edge router's destination address
ƒ Flexible Packet Matching (FPM): Next generation "Super ACL" – pattern matching capability for more granular and customized packet filters, minimizing inadvertent blocking of legitimate business traffic
ƒ Unicast Reverse Path Forwarding (uRPF): Mitigates problems caused by the introduction of malformed or spoofed IP source addresses into either the service provider or customer network
ƒ Remotely Triggered Black Holing (RTBH): Drops packets based on source IP address; filtering is at line rate on most capable platforms. Hundreds of lines of filters can be deployed to multiple routers even while the attack is in progress
ƒ QoS Tools: Protects against flooding attacks by defining QoS policies to limit bandwidth or drop offending traffic (identify, classify and rate limit)
Control Plane features (function and benefit):
ƒ Receive ACLs: Control the type of traffic that can be forwarded to the processor
ƒ Control Plane Policing: Provides QoS control for packets destined to the control plane of the routers; ensures adequate bandwidth for high-priority traffic such as routing protocols
ƒ Routing Protection: MD5 neighbor authentication protects the routing domain from spoofing attacks; redistribution protection safeguards the network from excessive conditions; overload protection (e.g. prefix limits) enhances routing stability
Management Plane features (function and benefit):
ƒ CPU and Memory Thresholding: Protects CPU and memory of the Cisco® IOS® Software device against DoS attacks
ƒ Dual Export Syslog: Syslog exported to dual collectors for increased availability
2. Firewall Configuration Snippet
Classification:
 class-map type inspect match-all web-dmz
  match protocol http
  match access-group 199
 !
 access-list 199 permit tcp any host 192.168.10.3
Security Policy:
 policy-map type inspect firewall-policy
  class type inspect web-dmz
   inspect
Security Zones:
 zone security private
 zone security public
 zone security dmz
Security Zone Policy:
 zone-pair security zone-policy source public destination dmz
  service-policy type inspect firewall-policy
 !
 interface VLAN 1
  description private interface
  zone-member security private
 !
 interface fastethernet 0
  description public interface
  zone-member security public
 !
 interface fastethernet 1
  description dmz interface
  zone-member security dmz
2. IPS Configuration Snippet
a. Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:
 IOS-Sxxx-CLI.pkg (signature package)
 realm-cisco.pub.key.txt (public key)
b. Configure the Cisco IOS IPS crypto key:
 mkdir ips5 (create the directory on flash)
 Paste the crypto key from realm-cisco.pub.key.txt into the configuration
c. Cisco IOS IPS Configuration:
 ip ips config location flash:ips5 retries 1
 ip ips notify SDEE
 ip ips name ips-policy
 ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
d. Cisco IOS IPS Configuration (cont'd):
 interface fastethernet 1
  description DMZ interface
  ip ips ips-policy out
e. Load the signatures from the TFTP server:
 copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
 Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
 show ip ips signature count
 Total Compiled Signatures:
 338 -Total active compiled signatures
3. Firewall Configuration Snippet
a. Classification:
 class-map type inspect match-any protocols
  match protocol dns
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol tcp
  match protocol udp
 (Order of match statements is important: the application protocols are listed before the generic tcp and udp matches)
b. Security Policy:
 policy-map type inspect firewall-policy
  class type inspect protocols
   inspect
c. Security Zones:
 zone security private
 zone security public
 zone security vpn
d. Security Zone Policy:
 zone-pair security zone-policy source private destination vpn
  service-policy type inspect firewall-policy
 zone-pair security zone-policy source vpn destination private (helps to reduce clutter in the tunnel)
  service-policy type inspect firewall-policy
 !
 interface VLAN 1
  description private interface
  zone-member security private
 !
 interface fastethernet 0
  description public interface
  zone-member security public
 !
 interface Tunnel0
  zone-member security vpn
3. IPS Configuration Snippet
Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:
 IOS-Sxxx-CLI.pkg (signature package)
 realm-cisco.pub.key.txt (public key)
Configure the Cisco IOS IPS crypto key:
 mkdir ips5 (create the directory on flash)
 Paste the crypto key from realm-cisco.pub.key.txt into the configuration
Cisco IOS IPS Configuration:
 ip ips config location flash:ips5 retries 1
 ip ips notify SDEE
 ip ips name ips-policy
 ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
Cisco IOS IPS Configuration (cont'd):
 interface vlan 1
  description private interface
  ip ips ips-policy in
  ip ips ips-policy out
 (Applying the policy in both directions protects the IPsec tunnel from worms, viruses and attacks)
Load the signatures from the TFTP server:
 copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
 Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
 show ip ips signature count
 Total Compiled Signatures:
 338 -Total active compiled signatures
4. Firewall Configuration Snippet
Classification:
 class-map type inspect match-any protocols
  match protocol dns
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol tcp
  match protocol udp
Security Policy:
 policy-map type inspect firewall-policy
  class type inspect protocols
   inspect
Security Zones:
 zone security wired
 zone security wireless
Security Zone Policy:
 zone-pair security zone-policy source wired destination wireless
  service-policy type inspect firewall-policy
Layer 2 Configuration (bridge configuration):
 bridge irb
 bridge 1 protocol ieee
 bridge 1 route ip
 !
 interface VLAN 1
  description private interface
  bridge-group 1
  zone-member security wired
 !
 interface VLAN 2
  description public interface
  bridge-group 1
  zone-member security wireless
4. IPS Configuration Snippet
Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:
 IOS-Sxxx-CLI.pkg (signature package)
 realm-cisco.pub.key.txt (public key)
Configure the Cisco IOS IPS crypto key:
 mkdir ips5 (create the directory on flash)
 Paste the crypto key from realm-cisco.pub.key.txt into the configuration
Cisco IOS IPS Configuration:
 ip ips config location flash:ips5 retries 1
 ip ips notify SDEE
 ip ips name ips-policy
 ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
Cisco IOS IPS Configuration (cont'd):
 interface VLAN 1
  description private interface
  bridge-group 1
  ip ips ips-policy out
 !
 interface VLAN 2
  description public interface
  bridge-group 1
  ip ips ips-policy in
Load the signatures from the TFTP server:
 copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
 Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
 show ip ips signature count
 Total Compiled Signatures:
 338 -Total active compiled signatures
5. Firewall Configuration Snippet
Classification:
 ! match-any is required where several protocols are listed: the default match-all would require one flow to be every listed protocol at once
 class-map type inspect match-any retail-hq
  match protocol ftp
  match protocol http
  match protocol smtp extended
 class-map type inspect match-any hq-retail
  match protocol smtp extended
 class-map type inspect match-any photo-hq
  match protocol http
  match protocol rtsp
 class-map type inspect match-any hq-photo
  match protocol h323
Security Policy:
 policy-map type inspect retail-hq
  class type inspect retail-hq
   inspect
  class class-default
   drop log
 policy-map type inspect hq-retail
  class type inspect hq-retail
   inspect
  class class-default
   drop log
Security Policy (Continued):
 policy-map type inspect photo-hq
  class type inspect photo-hq
   inspect
  class class-default
   drop log
 policy-map type inspect hq-photo
  class type inspect hq-photo
   inspect
  class class-default
   drop log
5. Firewall Configuration Snippet
Security Zones:
 zone security retail-LAN
 zone security retail-VPN
 zone security photo-LAN
 zone security photo-VPN
Security Zone Policy:
 ! the service-policy lines attach the policy maps from the previous slide to each zone pair
 zone-pair security retail-VPN source retail-LAN destination retail-VPN
  service-policy type inspect retail-hq
 zone-pair security VPN-retail source retail-VPN destination retail-LAN
  service-policy type inspect hq-retail
 zone-pair security photo-VPN source photo-LAN destination photo-VPN
  service-policy type inspect photo-hq
 zone-pair security VPN-photo source photo-VPN destination photo-LAN
  service-policy type inspect hq-photo
Virtualization (Virtual Routing and Forwarding):
 interface FastEthernet0/1.10
  encapsulation dot1Q 10
  ip vrf forwarding retail
  zone-member security retail-LAN
 !
 interface Tunnel0
  ip vrf forwarding retail
  zone-member security retail-VPN
 !
 interface FastEthernet0/1.20
  encapsulation dot1Q 20
  ip vrf forwarding photo
  zone-member security photo-LAN
 !
 ! a separate tunnel interface carries the photo VRF (two interfaces cannot both be Tunnel0)
 interface Tunnel1
  ip vrf forwarding photo
  zone-member security photo-VPN
6. Deployed Firewall Configuration Snippet
Servers List:
 parameter-map type protocol-info msn-servers
  server name messenger.hotmail.com
  server name gateway.messenger.hotmail.com
  server name webmessenger.msn.com
 parameter-map type protocol-info aol-servers
  server name login.oscar.aol.com
  server name toc.oscar.aol.com
  server name oam-d09a.blue.aol.com
Classification:
 class-map type inspect match-any IM
  match protocol msnmsgr msn-servers
  match protocol aol aol-servers
 class-map type inspect match-all IMs
  match class-map IM
IM-Blocking Policy:
 policy-map type inspect IM-blocking
  class type inspect IMs
   drop log
Security Zones:
 zone security public
 zone security private
Zone Policy:
 zone-pair security IM-Zone-policy source private destination public
  service-policy type inspect IM-blocking
 !
 interface VLAN 1
  description private interface
  zone-member security private
 !
 interface fastethernet 0
  description public interface
  zone-member security public
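A small model of the zone-based firewall lookup order that snippets 1 through 6 rely on (an added example in Python, not Cisco code or configuration from this deck): it reproduces the "order of match statements is important" caveat of snippets 1, 3 and 4 and the nested match-all class map of the IM-blocking policy in snippet 6. Interface and zone names are constructed to mirror snippets 1 and 6; ACL matches, the self zone and the real IOS classifier are not modelled, so treat its verdicts as a design check rather than ground truth.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    ingress: str    # ingress interface name
    egress: str     # egress interface name
    app: str        # application protocol seen by inspection, e.g. "pop3"
    transport: str  # "tcp", "udp" or "icmp"


@dataclass
class Config:
    zone_of: dict     # interface -> zone name (constructed, mirrors the slides)
    zone_pairs: dict  # (source zone, destination zone) -> policy-map name
    policies: dict    # policy-map -> ordered [(class-map name, action)]
    class_maps: dict  # class-map -> ("match-any" | "match-all", [(kind, arg)])


def class_matches(cfg, name, flow):
    """Return the match statement that classifies the flow, or None.
    In a match-any class map the FIRST matching statement wins, so a
    'match protocol tcp' listed before 'match protocol pop3' claims POP3
    flows as generic TCP and application inspection is lost."""
    mode, stmts = cfg.class_maps[name]
    hits = []
    for kind, arg in stmts:
        if kind == "protocol" and arg in (flow.app, flow.transport):
            hits.append((kind, arg))
        elif kind == "class-map" and class_matches(cfg, arg, flow):
            hits.append((kind, arg))          # nested class map (snippet 6)
        if hits and mode == "match-any":
            return hits[0]
    if mode == "match-all" and stmts and len(hits) == len(stmts):
        return hits[0]
    return None


def evaluate(cfg, flow):
    """ZBF lookup order: same zone passes, zoned<->unzoned drops, a missing
    zone-pair drops, else the first matching class acts and class-default
    drops. Returns (action, reason)."""
    src, dst = cfg.zone_of.get(flow.ingress), cfg.zone_of.get(flow.egress)
    if src == dst:
        return ("pass", "same zone (or both interfaces unzoned)")
    if src is None or dst is None:
        return ("drop", "zoned interface to/from unzoned interface")
    policy = cfg.zone_pairs.get((src, dst))
    if policy is None:
        return ("drop", "no zone-pair %s->%s" % (src, dst))
    for cname, action in cfg.policies[policy]:
        stmt = class_matches(cfg, cname, flow)
        if stmt:
            return (action, "%s: class %s via %s" % (policy, cname, stmt))
    return ("drop", "%s: class-default" % policy)


def use_case_1(generic_first=False):
    """Constructed config mirroring firewall snippet 1; generic_first moves
    'match protocol tcp/udp' ahead of the application protocols."""
    specific = [("protocol", p) for p in ("dns", "https", "icmp", "imap", "pop3")]
    generic = [("protocol", "tcp"), ("protocol", "udp")]
    order = generic + specific if generic_first else specific + generic
    return Config(zone_of={"VLAN 1": "private", "fastethernet 0": "public"},
                  zone_pairs={("private", "public"): "firewall-policy"},
                  policies={"firewall-policy": [("protocols", "inspect")]},
                  class_maps={"protocols": ("match-any", order)})


def use_case_6():
    """Constructed config mirroring snippet 6: nested IM class map, drop log."""
    return Config(zone_of={"VLAN 1": "private", "fastethernet 0": "public"},
                  zone_pairs={("private", "public"): "IM-blocking"},
                  policies={"IM-blocking": [("IMs", "drop log")]},
                  class_maps={"IM": ("match-any", [("protocol", "msnmsgr"),
                                                   ("protocol", "aol")]),
                              "IMs": ("match-all", [("class-map", "IM")])})
```

Running `evaluate(use_case_1(generic_first=True), Flow("VLAN 1", "fastethernet 0", "pop3", "tcp"))` shows the POP3 flow classified by the generic tcp statement, which is the misordering the slides warn about.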
7a. Configuration Snippet
Classification:
 class-map type inspect match-any internet
  match protocol http
  match protocol https
  match protocol dns
  match protocol smtp
  match protocol icmp
 !
 policy-map type inspect private
  class type inspect internet
   inspect
  class class-default
WAN Load balancing Configs:
 ip route 0.0.0.0 0.0.0.0 Dialer1
 ip route 0.0.0.0 0.0.0.0 Dialer0
 !
 ip nat inside source route-map dsl0 interface Dialer0 overload
 ip nat inside source route-map dsl1 interface Dialer1 overload
WAN Load balancing Configs (cont'd):
 route-map dsl0 permit 10
  match ip address 120
  match interface Dialer0
 route-map dsl1 permit 10
  match ip address 121
  match interface Dialer1
 access-list 120 permit ip 192.168.10.0 0.0.0.255 any
 access-list 121 permit ip 192.168.10.0 0.0.0.255 any
Policy Based Routing:
 route-map IPSEC permit 10
  match ip address 128
  match interface Dialer1
 access-list 128 permit esp 192.168.10.0 0.0.0.255 any
7a. Configuration Snippet
Security Zones Configs:
 zone security trust
 zone security untrust
 zone-pair security firewall source trust destination untrust
  service-policy type inspect private
Interface Configs:
 interface Dialer0
  zone-member security untrust
  ip nat outside
 !
 interface Dialer1
  zone-member security untrust
  ip nat outside
 !
 interface BVI1
  zone-member security trust
  ip nat inside
7b. Configuration Snippet—Private Zone Policy
Tracking Configuration (Object Tracking):
 track timer interface 5
 !
 track 123 rtr 1 reachability
  delay down 15 up 10
 !
 ip sla 1
  icmp-echo 172.16.1.1 source-interface Dialer0
  timeout 1000
  threshold 40
  frequency 3
 ip sla schedule 1 life forever start-time now
NAT Configuration:
 ip nat inside source route-map fixed-nat interface Dialer0 overload
 ip nat inside source route-map dhcp-nat interface FastEthernet0 overload
 !
 route-map fixed-nat permit 10
  match ip address 110
  match interface Dialer0
 route-map dhcp-nat permit 10
  match ip address 110
  match interface FastEthernet0
Interface Configurations:
 interface Dialer0
  description WAN-Backup interface
  ip address negotiated
  ip nat outside
 !
 interface FastEthernet0
  description WAN-1 Interface
  ip address dhcp
  ip nat outside
  ip dhcp client route track 123
7b. Configuration Snippet—Private Zone Policy (cont'd)
NAT Configuration (cont'd):
 access-list 110 permit ip 192.168.108.0 0.0.0.255 any
Routing Configuration:
 ip route 0.0.0.0 0.0.0.0 dialer 0 track 123
 ip route 0.0.0.0 0.0.0.0 dhcp 10
Classification:
 class-map type inspect match-any internet
  match protocol http
  match protocol https
  match protocol dns
  match protocol smtp
  match protocol icmp
 !
 policy-map type inspect private
  class type inspect internet
   inspect
  class class-default
Security Zones Configs:
 zone security trust
 zone security untrust
 zone-pair security firewall source trust destination untrust
  service-policy type inspect private
 !
 interface FastEthernet0
  description WAN- Interface
  zone-member security untrust
 !
 interface Dialer0
  description Backup-Interface
  zone-member security untrust
 !
 interface Vlan1
  zone-member security trust
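A replay of the 7b object-tracking configuration (an added example in Python, not Cisco code): IP SLA icmp-echo results drive "track 123 rtr 1 reachability" with "delay down 15 up 10", and the track state decides whether the tracked static default route via Dialer0 or the "ip route 0.0.0.0 0.0.0.0 dhcp 10" backup is in use. Probe results are constructed and the IOS timer semantics are simplified; it also shows the edge case that a reply over the 40 ms threshold keeps a reachability track up.

```python
# Constants name the two default routes from the 7b routing configuration.
PRIMARY = "Dialer0 (static default, track 123)"
BACKUP = "DHCP default (AD 10)"


def probe_reachable(rtt_ms, timeout_ms=1000):
    """An icmp-echo probe counts as reachable when any reply arrives inside
    'timeout 1000'. A reply slower than 'threshold 40' is reported as
    OverThreshold but does NOT bring a reachability track down."""
    return rtt_ms is not None and rtt_ms <= timeout_ms


def simulate(probe_rtts, frequency=3, delay_down=15, delay_up=10,
             timeout_ms=1000):
    """Replay probe results (RTT in ms, or None for a timeout) taken every
    'frequency' seconds and return the track transitions as
    (time_s, track_state, active_default_route) tuples.

    'delay down 15 up 10' is modelled as: a candidate state must persist for
    the whole delay before the track changes; if the probes revert earlier
    the pending change is cancelled (simplification of the IOS timers)."""
    track_up = True            # assume the SLA reported OK at first schedule
    pending = None             # candidate state waiting out its delay
    pending_since = None
    events = []
    for i, rtt in enumerate(probe_rtts):
        t = i * frequency
        reach = probe_reachable(rtt, timeout_ms)
        if reach == track_up:
            pending = None     # condition reverted: delay timer cancelled
            continue
        if pending != reach:   # first probe showing the new condition
            pending, pending_since = reach, t
        delay = delay_up if reach else delay_down
        if t - pending_since >= delay:
            track_up = reach
            pending = None
            events.append((t, "up" if track_up else "down",
                           PRIMARY if track_up else BACKUP))
    return events


# Constructed probe history: two good replies, seven timeouts, then recovery.
SAMPLE_PROBES = [12, 15, None, None, None, None, None, None, None,
                 20, 18, 22, 19, 21]
```

With SAMPLE_PROBES the first timeout is seen at t=6 s, the track goes down at t=21 s (15 s later) and the backup route takes over; replies resume at t=27 s but the track only returns to up at t=39 s, once the 10 s up delay has elapsed.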