Implementing Secure Converged Wide Area Networks (ISCW)
Module 6: Cisco IOS Threat Defense Features
© 2006 Cisco Systems, Inc. All rights reserved.
Module 6: Cisco IOS Threat Defense Features
Lesson 6.1: Introducing the Cisco IOS Firewall
Objectives
• Explain the purpose of the Demilitarized Zone (DMZ).
• Describe various DMZ topologies and design options.
• Describe firewall operations and implementation technologies.
• Compare and contrast various firewall implementation options.
• Describe the security features available in the Cisco IOS Firewall Feature Set.
DMZ
• A DMZ is established between security zones.
• DMZs are buffer networks that are neither the Inside nor the Outside network.
Layered Defense Features
• Access control is enforced on traffic entering and exiting the buffer network to all security zones by:
  – Classic routers
  – Dedicated firewalls
• DMZs are used to host services:
  – Exposed public services are served on dedicated hosts inside the buffer network.
  – The DMZ may host an application gateway for outbound connectivity.
• A DMZ blocks and contains an attacker in the case of a break-in.
Multiple DMZs
Figure: Three Separate DMZs
• Multiple DMZs provide better separation and access control:
  – Each service can be hosted in a separate DMZ.
  – Damage is limited and attackers contained if a service is compromised.
Modern DMZ Design
• Various systems (a stateful packet filter or proxy server) can filter traffic.
• Proper configuration of the filtering device is critical.
Private VLAN
Traffic flows on private VLANs:
• RED and YELLOW can communicate with BLUE
• RED and YELLOW cannot communicate with each other
Figure: a primary VLAN with promiscuous ports, and secondary VLAN ports for Host 1 (FTP), Host 2 (HTTP) and Host 3 (Admin)
Firewall Technologies
• Firewalls use three technologies:
  – Packet filtering
  – Application layer gateway (ALG)
  – Stateful packet filtering
Packet Filtering
• Packet filtering limits traffic into a network based on the destination and source addresses, ports, and other flags that you compile in an ACL.
Packet Filtering Example
Router(config)# access-list 100 permit tcp any 16.1.1.0 0.0.0.255 established
Router(config)# access-list 100 deny ip any any log
Router(config)# interface Serial0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# end
Application Layer Gateway
• The ALG intercepts and establishes connections to the Internet hosts on behalf of the client.
ALG Firewall Device
Stateful Packet Filtering
• Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes.
• Stateful inspection then remembers certain details, or the state of that request.
Stateful Firewalls
• Also called “stateful packet filters” and “application-aware packet filters.”
• Stateful firewalls have two main improvements over packet filters:
  – They maintain a session table (state table) where they track all connections.
  – They recognize dynamic applications and know which additional connections will be initiated between the endpoints.
• Stateful firewalls inspect every packet, compare the packet against the state table, and may examine the packet for any special protocol negotiations.
• Stateful firewalls operate mainly at the connection (TCP and UDP) layer.
Stateful Packet Filtering Example
Figure: packet flow through a stateful firewall host. Kernel space holds the packet filters (an ordered list of rules plus dynamic rules) and the network stack; application space holds the authentication daemons.
1. Incoming network packet: all incoming packets are compared against defined rules composed from a very limited command set for one or more low-level protocols, such as IP, TCP, and ICMP. Packets are either denied and dropped here, or they are accepted and passed to the network stack for delivery.
2. Based on information contained within each packet, each packet is associated with additional static information.
3. Dynamic rules are added and removed based on a combination of the data contained within the network packet and the static information.
4. Accepted new packets: if a packet satisfies all of the packet filter rules, then depending on whether it is destined for the firewall or a remote host, the packet either propagates up the network stack for further processing or gets forwarded to the network host (outgoing network packet).
5. All network packets associated with an authentication session are processed by an application running on the firewall host.
Stateful Firewall Handling of Different Protocols
• TCP sessions
  – Keeping track of a TCP connection is easy (check flow information and check TCP sequence numbers against the state table entry).
• UDP connections
  – There are no flags or sequence numbers; hard to robustly track.
  – Only flow information is checked against; timeouts are used to delete state table entries.
• Other connectionless services (GRE, IPsec)
  – These are usually handled like a stateless packet filter.
• Dynamic applications
  – These are handled automatically by snooping on application negotiation channels.
The Cisco IOS Firewall Feature Set
• The Cisco IOS Firewall Feature Set contains these features:
  – Standard and extended ACLs
  – TCP intercept
  – Cisco IOS Firewall
  – Cisco IOS Firewall IPS
  – Authentication proxy
  – Port-to-Application Mapping (PAM)
  – NAT
  – IPsec network security
  – Event logging
  – User authentication and authorization
Cisco IOS Firewall
• Packets are inspected when entering the Cisco IOS firewall if the packets are not specifically denied by an ACL.
• Cisco IOS Firewall permits or denies specified TCP and UDP traffic through a firewall.
• A state table is maintained with session information.
• ACLs are dynamically created or deleted.
• Cisco IOS Firewall protects against DoS attacks.
Cisco IOS Authentication Proxy
• HTTP, HTTPS, FTP, and Telnet authentication
• Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols
Cisco IOS IPS
• Acts as an inline intrusion prevention sensor—traffic goes through the sensor
• When an attack is detected, the sensor can perform any of these actions:
  – Alarm: Send an alarm to SDM or syslog server.
  – Drop: Drop the packet.
  – Reset: Send TCP resets to terminate the session.
  – Block: Block an attacker IP address or session for a specified time.
• Identifies 700+ common attacks
Cisco IPS Signature Actions
Action           Description
Alarm            Generates an alert that can be logged to the logging destinations or via Security Device Event Exchange (SDEE)
Drop             Drops the packet
Reset            Resets the TCP connection by sending TCP RST packets to both the sender and receiver
Block attacker   Blocks all communications from the offending IP address for a specified time
Block connection Blocks the offending TCP or UDP session for a specified time
Cisco IOS ACLs Revisited
• ACLs provide traffic filtering by these criteria:
  – Source and destination IP addresses
  – Source and destination ports
• ACLs can be used to implement a filtering firewall, leading to these security shortcomings:
  – Ports opened permanently to allow traffic, creating a security vulnerability.
  – The ACLs do not work with applications that negotiate ports dynamically.
• Cisco IOS Firewall addresses these shortcomings of ACLs.
Cisco IOS Firewall TCP Handling
Cisco IOS Firewall UDP Handling
How Cisco IOS Firewall Works
Timeout and Threshold Values
Value: Timeout values for TCP and UDP sessions
Description: Helps prevent DoS attacks by freeing system resources. Timeouts can be set separately for TCP and UDP.
Value: Threshold values for TCP sessions
Description:
• Helps prevent DoS attacks by controlling the number of half-opened sessions, limiting the amount of system resources that are applied to half-opened sessions.
• When a session is dropped, the firewall sends a reset message to the devices at both endpoints (source and destination) of the session.
• When the system under DoS attack receives a reset command, the system releases, or frees, processes and resources that are related to that incomplete session. Thresholds are configured only for TCP.
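The TCP and UDP handling described earlier, together with the idle timeouts and the half-open threshold in this table, as an added Python model written for this page; it is not Cisco code, and the addresses, timer values and the max_half_open count are constructed:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model of stateful inspection written for this page (not Cisco
# code). Outbound traffic on the inside interface creates dynamic state-table
# entries; the outside interface is deny-all for anything without an entry;
# TCP is tracked through its handshake, UDP only by flow plus idle timeout;
# a half-open TCP threshold tears down the oldest embryonic session and
# records a reset toward both endpoints.


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                   # "out": inside -> outside, "in": outside -> inside
    flags: frozenset = frozenset()   # TCP flags as strings: "SYN", "ACK", "FIN", "RST"


# State-table key, always written initiator-first: (proto, ip, port, ip, port).
Key = Tuple[str, str, int, str, int]


@dataclass
class Session:
    state: str        # "HALF_OPEN" (SYN seen, handshake unfinished) or "OPEN"
    created: float
    last_seen: float


class StatefulFirewall:
    def __init__(self, tcp_idle: float = 3600.0, udp_idle: float = 30.0,
                 max_half_open: int = 2) -> None:
        self.tcp_idle = tcp_idle            # TCP idle timeout, seconds (constructed)
        self.udp_idle = udp_idle            # UDP idle timeout, seconds (constructed)
        self.max_half_open = max_half_open  # half-open session threshold (constructed)
        self.sessions: Dict[Key, Session] = {}
        self.resets: List[Key] = []         # sessions torn down with RST to both ends
        self.audit: List[str] = []          # audit-trail style messages

    @staticmethod
    def key_for(pkt: Packet) -> Key:
        # Both directions of one flow must map to the same entry.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        # Idle timeouts free state so stale entries cannot exhaust resources.
        for key, sess in list(self.sessions.items()):
            idle = self.tcp_idle if key[0] == "tcp" else self.udp_idle
            if now - sess.last_seen > idle:
                self.audit.append(f"timeout {key}")
                del self.sessions[key]

    def _enforce_half_open_threshold(self) -> None:
        # Too many embryonic TCP sessions looks like a SYN flood: drop the
        # oldest half-open entry and reset both endpoints of that session.
        half_open = sorted((s.created, k) for k, s in self.sessions.items()
                           if s.state == "HALF_OPEN")
        while len(half_open) > self.max_half_open:
            _, oldest = half_open.pop(0)
            del self.sessions[oldest]
            self.resets.append(oldest)
            self.audit.append(f"half-open threshold exceeded, reset {oldest}")

    def process(self, pkt: Packet, now: float) -> str:
        """Return "PERMIT" or "DENY" for one packet and update the state table."""
        self._expire(now)
        key = self.key_for(pkt)
        sess = self.sessions.get(key)
        if sess is None:
            if pkt.direction == "in":
                # No dynamic entry: the static deny-all ACL on the outside wins.
                self.audit.append(f"deny unsolicited inbound {key}")
                return "DENY"
            if pkt.proto == "tcp" and "SYN" not in pkt.flags:
                return "DENY"   # mid-stream TCP packet with no known session
            state = "HALF_OPEN" if pkt.proto == "tcp" else "OPEN"
            self.sessions[key] = Session(state, now, now)
            self.audit.append(f"open {key}")
            self._enforce_half_open_threshold()
            return "PERMIT"
        sess.last_seen = now
        if pkt.proto == "tcp":
            if pkt.flags & {"RST", "FIN"}:
                del self.sessions[key]   # simplified teardown on the first FIN/RST
            elif (sess.state == "HALF_OPEN" and pkt.direction == "out"
                  and "ACK" in pkt.flags and "SYN" not in pkt.flags):
                sess.state = "OPEN"      # third leg of the handshake seen
        return "PERMIT"


def state_of(fw: StatefulFirewall, pkt: Packet) -> str:
    """Session state for the flow a packet belongs to, or "NONE"."""
    sess = fw.sessions.get(fw.key_for(pkt))
    return sess.state if sess else "NONE"
```

The UDP entry disappears once it has been idle longer than udp_idle, and the third outbound SYN with max_half_open set to 2 evicts the oldest half-open session and records the reset.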
Cisco IOS Firewall Supported Protocols
• Regardless of the application layer protocol, Cisco IOS Firewall will inspect:
  – All TCP sessions
  – All UDP connections
• Enhanced stateful inspection of application layer protocols
Figure: outgoing requests to the Internet, and responses from the Internet, are allowed; incoming requests from the Internet are blocked (X).
Alerts and Audit Trails
• Cisco IOS Firewall generates real-time alerts and audit trails.
• Audit trail features use syslog to track all network transactions.
• With Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.
Summary
• The Cisco IOS Firewall software offers a full set of security features that can be implemented to provide security for a network.
• The DMZ is an ideal place to host services to enable inside users to connect to the outside perimeter. The DMZ approach is the most popular and commonly used modern architecture.
• Firewalls can be based on packet filtering, application layer gateways or stateful packet filtering.
• The Cisco IOS Firewall Feature Set is a security-specific option for Cisco IOS software that is available in select security Cisco IOS images.
• The Cisco IOS Firewall Feature Set integrates robust firewall functionality, authentication proxy, and intrusion prevention.
Q and A
Resources
• Cisco IOS Firewall Design Guide
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html
Module 6: Cisco IOS Threat Defense Features
Lesson 6.2: Implementing Cisco IOS Firewalls
Objectives
• Describe the steps needed to configure a network firewall using Cisco IOS.
• Explain how to determine which interfaces should be configured with firewall commands.
• Explain where to place Access Control Lists in order to filter traffic.
• Describe how to configure inspection rules for application protocols.
• Describe how to verify and troubleshoot firewall configurations.
Cisco IOS Firewall Configuration Tasks Using the CLI
• Pick an interface: internal or external.
• Configure IP ACLs at the interface.
• Define inspection rules.
• Apply inspection rules and ACLs to interfaces.
• Test and verify.
Configuring an External Interface
Figure: Simple Topology — Configuring an External Interface (internal network; external network reached over Serial 1 toward the Internet; traffic entering and traffic exiting)
Configuring an Internal Interface
Figure: Simple Topology — Configuring an Internal Interface (Ethernet 0 on the internal network; external network and Internet; a DMZ with a web server and a DNS server; access allowed for traffic exiting; traffic entering)
Access Control Lists Filter Traffic
Figure: Host A is permitted while Host B is blocked (X) from the same area; the example networks are the Human Resources network and the Research and Development network
IP ACL Configuration Guidelines
Rule 1: Start with a basic configuration.
Rule 2: Permit traffic the Cisco IOS Firewall is to inspect.
Rule 3: Use extended ACLs to filter traffic from unprotected sources.
Rule 4: Set up antispoofing protection.
Rule 5: Deny broadcast attacks.
Rule 6: Deny any traffic not already included in previous configuration.
Set Audit Trails and Alerts
Router(config)# ip inspect audit-trail
• Enables the delivery of audit trail messages using syslog
Router(config)# no ip inspect alert-off
• Enables real-time alerts

Router(config)#logging on
Router(config)#logging host 10.0.0.3
Router(config)#ip inspect audit-trail
Router(config)#no ip inspect alert-off
Define Inspection Rules for Application Protocols
Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
• Defines the application protocols to inspect
• Will be applied to an interface:
  – Available protocols are tcp, udp, icmp, smtp, esmtp, cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, and so on.
  – Alert, audit-trail, and timeout are configurable per protocol and override global settings.

Router(config)#ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)#ip inspect name FWRULE ftp alert on audit-trail on timeout 300
ip inspect name Parameters
Parameter: inspection-name
Description: Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection name for the rules.
Parameter: protocol
Description: The protocol to inspect.
Parameter: alert {on | off}
Description: (Optional) For each inspected protocol, the generation of alert messages can be set to on or off. If no option is selected, alerts are generated based on the setting of the ip inspect alert-off command.
Parameter: audit-trail {on | off}
Description: (Optional) For each inspected protocol, the audit-trail option can be set to on or off. If no option is selected, audit trail messages are generated based on the setting of the ip inspect audit-trail command.
Parameter: timeout seconds
Description: (Optional) Specify the number of seconds for a different idle timeout to override the global TCP or UDP idle timeouts for the specified protocol. This timeout overrides the global TCP and UDP timeouts but does not override the global Domain Name Service (DNS) timeout.
Inspection Rules for Application Protocols
Example 1: Users on access list 10 are allowed to download Java applets:
ip inspect name PERMIT_JAVA http java-list 10
access-list 10 permit 144.224.10.0 0.0.0.255
! The action keyword was missing from this line on the slide; "deny any" is
! assumed, so only hosts matched by the permit entry are on the Java list.
access-list 10 deny any
Example 2: Telling Cisco IOS Firewall what to inspect:
ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp
ip inspect Parameters and Guidelines
Router(config-if)# ip inspect inspection-name {in | out}
• Applies the named inspection rule to an interface
Parameter: inspection-name
Description: Names the set of inspection rules
Parameter: in
Description: Applies the inspection rules to inbound traffic
Parameter: out
Description: Applies the inspection rules to outbound traffic
• On the interface where traffic initiates:
  – Apply ACL on the inward direction that permits only wanted traffic.
  – Apply rule on the inward direction that inspects wanted traffic.
• On all other interfaces, apply ACL on the inward direction that denies all unwanted traffic.
Example: Two-Interface Firewall
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet0/0
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect OUTBOUND in
 ip access-group INSIDEACL in
!
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any
 permit udp any any
 permit icmp any any
Example: Three-Interface Firewall
interface FastEthernet0/0
 ip inspect OUTSIDE in
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect INSIDE in
 ip access-group INSIDEACL in
!
interface FastEthernet0/2
 ip access-group DMZACL in
!
ip inspect name INSIDE tcp
ip inspect name OUTSIDE tcp
!
ip access-list extended OUTSIDEACL
 permit tcp any host 200.1.2.1 eq 25
 permit tcp any host 200.1.2.2 eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended DMZACL
 permit icmp any any packet-too-big
 deny ip any any log
Verifying Cisco IOS Firewall
Router#
show ip inspect name inspection-name
show ip inspect config
show ip inspect interfaces
show ip inspect session [detail]
show ip inspect statistics
show ip inspect all
• Displays inspections, interface configurations, sessions, and statistics

Router#show ip inspect session
Established Sessions
Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
Troubleshooting Cisco IOS Firewall
Router#
debug ip inspect function-trace
debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect events
debug ip inspect timers
debug ip inspect detail
• General debug commands
Router#
debug ip inspect protocol
• Protocol-specific debug
Summary
• The main feature of the Cisco IOS Firewall has always been its stateful inspection.
• An ACL can allow one host to access a part of your network and prevent another host from accessing the same area.
• Use access lists in "firewall" routers that you position between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network.
• An inspection rule should specify each desired application layer protocol that the Cisco IOS Firewall will inspect, as well as generic TCP, UDP, or Internet Control Message Protocol (ICMP), if desired.
• Use the ip inspect name command in global configuration mode to define a set of inspection rules.
Q and A
Resources
• Cisco IOS Firewall Introduction
  http://cisco.com/en/US/partner/products/sw/secursw/ps1018/index.html
• Cisco IOS Firewall Support
  http://cisco.com/en/US/partner/products/sw/secursw/ps1018/tsd_products_support_series_home.html
• Cisco IOS Firewall Design Guides
  http://cisco.com/en/US/partner/products/sw/secursw/ps1018/products_implementation_design_guides_list.html
Module 6: Cisco IOS Threat Defense Features
Lesson 6.3: Basic and Advanced Firewall Wizards
Objectives
• Describe the Security Device Manager (SDM) and how it is used in firewall configuration.
• Describe using the Basic and Advanced Firewall wizard in SDM to configure a firewall.
• Explain how to review and modify the configuration generated by the SDM.
• Explain how to enable logging in order to view firewall activity within SDM.
Basic and Advanced Firewall Wizards
• SDM offers configuration wizards to simplify Cisco IOS Firewall configuration.
• Two configuration wizards exist:
  – Basic Firewall Configuration wizard: supports two interface types (inside and outside); applies predefined rules
  – Advanced Firewall Configuration wizard: supports more interfaces (Inside, Outside, and DMZ); applies predefined or custom rules
Configuring a Basic Firewall
Basic Firewall Interface Configuration
Basic Firewall Configuration Summary and Deployment
Reviewing the Basic Firewall for the Originating Traffic
Reviewing the Basic Firewall for the Returning Traffic
Resulting Basic Firewall Inspection Rule Configuration
Router#show running-config | include ip inspect name
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
Resulting Basic Firewall ACL Configuration
Router#show running-config | include access-list
access-list 100 remark autogenerated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 200.0.0.0 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark autogenerated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any host 200.0.0.1 echo-reply
access-list 101 permit icmp any host 200.0.0.1 time-exceeded
access-list 101 permit icmp any host 200.0.0.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
Resulting Basic Firewall Interface Configuration
Router#show running-config | begin interface
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 in
!
interface Serial0/0/0
 description $FW_OUTSIDE$
 ip address 200.0.0.1 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
!
<...rest of output removed...>
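A check of the SDM-generated outside ACL against Rules 4 to 6 of the IP ACL configuration guidelines (antispoofing, broadcast, final explicit deny), as an added Python example written for this page and not Cisco or SDM code; the ACL text is the page's ACL 101, the inside subnet and router address are taken from the interface configuration, and the probe addresses are constructed:

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: ACL 101 as SDM generated it on the slides (applied
# inbound on the outside interface Serial0/0/0).
SAMPLE_ACL = """\
access-list 101 remark autogenerated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any host 200.0.0.1 echo-reply
access-list 101 permit icmp any host 200.0.0.1 time-exceeded
access-list 101 permit icmp any host 200.0.0.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
"""


class Ace(NamedTuple):
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: str                  # e.g. "echo-reply" or "eq www"; "" if none
    log: bool


def _address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard bits set to 0 must match; invert it to a netmask
    # (contiguous wildcards only, which is all SDM emits here).
    netmask = ".".join(str(255 - int(o)) for o in tokens[i + 1].split("."))
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(text: str, number: int) -> List[Ace]:
    """Entries of one numbered extended ACL from 'show running-config' output."""
    aces: List[Ace] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number) or t[2] == "remark":
            continue
        src, i = _address(t, 4)
        dst, i = _address(t, i)
        rest = t[i:]
        aces.append(Ace(t[2], t[3], src, dst,
                        " ".join(x for x in rest if x != "log"), "log" in rest))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             qualifier: str = "") -> Optional[Ace]:
    """First matching entry wins; None is the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.qualifier and ace.qualifier != qualifier:
            continue
        return ace
    return None


def antispoof_report(aces: List[Ace], inside: str, own_ip: str) -> Dict[str, bool]:
    """Rules 4-6 for an inbound outside ACL: sources that must never arrive from
    the Internet have to hit a deny, and the ACL should end with an explicit
    deny-any-any that logs."""
    probes = {   # constructed probe sources
        "inside_subnet": str(next(ipaddress.ip_network(inside).hosts())),
        "rfc1918_10": "10.9.8.7", "rfc1918_172": "172.20.1.1", "rfc1918_192": "192.168.77.1",
        "loopback": "127.0.0.1", "broadcast": "255.255.255.255", "unspecified": "0.0.0.0",
    }
    report: Dict[str, bool] = {}
    for name, ip in probes.items():
        hit = evaluate(aces, "tcp", ip, own_ip)
        report[name] = hit is None or hit.action == "deny"
    last = aces[-1] if aces else None
    report["explicit_deny_log"] = bool(last and last.action == "deny" and last.log
                                       and last.src.prefixlen == 0 and last.dst.prefixlen == 0)
    return report
```

Every probe source is denied by the SDM ACL, ICMP echo replies to the router's own address are the only permitted entries, and the ACL ends with the logged deny that Rule 6 asks for.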
Configuring Interfaces on an Advanced Firewall
Advanced Firewall Interface Configuration
Advanced Firewall DMZ Service Configuration
Advanced Firewall DMZ Service Configuration: TCP
Advanced Firewall DMZ Service Configuration: UDP
Advanced Firewall DMZ Service Configuration: Configured Services
Advanced Firewall Security Policy
Advanced Firewall Protocols and Applications
Advanced Firewall Protocols and Applications (Cont.)
Advanced Firewall Protocols and Applications (Cont.)
Advanced Firewall Inspection Parameters
Advanced Firewall Security Policy Selection
Advanced Firewall Configuration Summary and Deployment
Resulting Advanced Firewall Inspection Rule Configuration
Router#show running-config | include ip inspect name
ip inspect name appfw_100 tcp audit-trail on
ip inspect name appfw_100 udp
ip inspect name appfw_100 ftp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
Resulting Advanced Firewall ACL Configuration
Router#show running-config | include access-list
access-list 100 remark autogenerated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 200.0.0.0 0.0.0.3 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark autogenerated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip any any log
access-list 102 remark autogenerated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 permit icmp any host 200.0.0.1 echo-reply
access-list 102 permit icmp any host 200.0.0.1 time-exceeded
access-list 102 permit icmp any host 200.0.0.1 unreachable
access-list 102 permit tcp any host 192.168.0.2 eq www
access-list 102 permit udp any host 192.168.0.3 eq isakmp
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
Resulting Advanced Firewall Interface Configuration
Router#show running-config | begin interface
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 in
 ip inspect appfw_100 in
!
interface FastEthernet0/1
 description $FW_DMZ$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 101 in
 ip inspect dmzinspect out
!
interface Serial0/0/0
 description $FW_OUTSIDE$
 ip address 200.0.0.1 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
!
<...rest of the output removed...>
Preparing for Firewall Activity Viewing
Viewing Firewall Log
Summary
• Cisco Security Device Manager (SDM), a configuration and management tool for Cisco IOS routers that uses a GUI, offers a simple method to set up the Cisco IOS Firewall.
• The Basic Firewall Configuration wizard applies default access rules to both inside and outside interfaces, applies default inspection rules to the outside interface, and enables IP unicast reverse path forwarding (uRPF) on the outside interface.
• The Advanced Firewall Configuration wizard applies default or custom access rules, as well as default or custom inspection rules, to inside, outside, and DMZ interfaces. The Advanced Firewall Configuration wizard also enables IP unicast reverse-path forwarding on the outside interface.
Q and A
Resources
• Cisco Router and Security Device Manager Introduction
  http://cisco.com/en/US/partner/products/sw/secursw/ps5318/index.html
• Cisco Router and Security Device Manager Support
  http://cisco.com/en/US/partner/products/sw/secursw/ps5318/tsd_products_support_series_home.html
• Cisco Router and Security Device Manager User Guides
  http://cisco.com/en/US/partner/products/sw/secursw/ps5318/products_user_guide_list.html
Module 6: Cisco IOS Threat Defense Features
Lesson 6.4: Introducing Cisco IOS IPS
Objectives
• Compare and contrast Intrusion Detection Systems and Intrusion Protection Systems.
• Describe the Cisco IPS products and technologies.
• Define IDS and IPS types and options.
• Compare Network Based and Host Based IPS systems (HIPS and NIPS).
Intrusion Detection System
• IDS is a passive device:
  – Traffic does not pass through the IDS device.
  – Typically uses only one promiscuous interface.
• IDS is reactive:
  – IDS generates an alert to notify the manager of malicious traffic.
• Optional active response:
  – Further malicious traffic can be denied with a security appliance or router.
  – TCP resets can be sent to the source device.
Intrusion Protection System
• IPS is an active device:
  – All traffic passes through IPS.
  – IPS uses multiple interfaces.
• Proactive prevention:
  – IPS denies all malicious traffic.
  – IPS sends an alert to the management station.
Combining IDS and IPS
• IPS actively blocks offending traffic:
  – Should not block legitimate data
  – Only stops “known malicious traffic”
  – Requires focused tuning to avoid connectivity disruption
• IDS complements IPS:
  – Verifies that IPS is still operational
  – Alerts you about any suspicious data except “known good traffic”
  – Covers the “gray area” of possibly malicious traffic that IPS did not stop
Cisco IOS IPS Products and Technologies
• Cisco IOS IPS uses a blend of Cisco IDS and IPS products:
  – Cisco IDS Series appliances
  – Cisco Catalyst Series IDS services modules
  – Cisco network module hardware IDS appliances
• Cisco IOS IPS uses a blend of technologies:
  – Profile-based intrusion detection
  – Signature-based intrusion detection
  – Protocol analysis-based intrusion detection
IDS and IPS Types and Options
Criteria: Deployment Options
  – Network-based: Network sensors scan traffic that is destined to many hosts.
  – Host-based: Host agent monitors all operations within an operating system.
Criteria: Approaches to Identifying Malicious Traffic
  – Signature-based: A vendor provides a customizable signature database.
  – Policy-based: Policy definition and description is created.
  – Anomaly-based: “Normal” and “abnormal” traffic is defined.
  – Honeypot-based: Sacrificial host is set up to lure the attacker.
Network-Based and Host-Based IPS
• NIPS: Sensor appliances are connected to network segments to monitor many hosts.
• HIPS: Centrally managed software agents are installed on each host.
  – CSAs defend the protected hosts and report to the central management console.
  – HIPS provides individual host detection and protection.
  – HIPS does not require special hardware.
Comparing HIPS and NIPS
• Application-level encryption protection
• Policy enhancement (resource control)
• Web application protection
• Buffer overflow
• Network attack and reconnaissance prevention
• DoS prevention
NIPS Features
 Sensors are network appliances that you tune for
intrusion detection analysis:
The operating system is “hardened.”
The hardware is dedicated to intrusion detection analysis.
 Sensors are connected to network segments. A single
sensor can monitor many hosts.
 Growing networks are easily protected:
New hosts and devices can be added without adding sensors.
New sensors can be easily added to new networks.
NIDS and NIPS Deployment
Signature-Based IDS and IPS
 Observes and blocks or alarms if a known malicious event is
detected:
Requires a database of known malicious patterns.
The database must be continuously updated.
Policy-Based IDS and IPS
 Observes and blocks or alarms if an event outside the
configured policy is detected
 Requires a policy database
Anomaly-Based IDS and IPS
 Observes and blocks or alarms if an event outside known normal
behavior is detected:
Statistical versus nonstatistical anomaly detection
Requires a definition of “normal”
Honeypot-Based IDS and IPS
 Observes a special system and alarms if any activity is
directed at the system:
The special system is a trap for attackers and not used for
anything else.
The special system is well-isolated from the system’s
environment.
The system is typically used as IDS, not IPS.
Signature Categories
 Four types of signatures:
Exploit signatures match specific known attacks.
Connection signatures match particular protocol traffic.
String signatures match string sequences in data.
DoS signatures match DoS attempts.
 Signature selection is based on:
Type of network protocol
Operating system
Service
Attack type
 Number of available signatures:
About 1500 for IPS sensors, 1200 for IOS IPS
Exploit Signatures
Application layer:
 DNS reconnaissance and DoS
 Worms, viruses, Trojan horses, adware, malware
Lower layers (Presentation, Session, Transport, Network, Data Link, Physical):
 Port sweeps
 Port scans
 TCP SYN attack
 Fragmentation attacks
 IP options
 ICMP reconnaissance and DoS
Signature Examples
ID 1101, Unknown IP Protocol: This signature triggers when an IP datagram is received with the protocol field set to 134 or greater.
ID 1307, TCP Window Size Variation: This signature will fire when the TCP window varies in a suspect manner.
ID 3002, TCP SYN Port Sweep: This signature triggers when a series of TCP SYN packets have been sent to a number of different destination ports on a specific host.
ID 3227, WWW HTML Script Bug: This signature triggers when an attempt is made to view files above the HTML root directory.
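To make the two packet-level signatures above concrete, here is an added Python example (not Cisco code) that applies the 1101 and 3002 checks to constructed packet records; the sweep threshold and time window are assumptions, since the page gives no numbers.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds for signature 3002 (the page states no numbers):
SWEEP_PORTS = 5      # distinct destination ports before the sweep fires
SWEEP_WINDOW = 10.0  # seconds within which those SYNs must arrive

@dataclass
class Packet:
    ts: float      # arrival time, seconds
    src: str
    dst: str
    proto: int     # IP header protocol field (6 = TCP)
    dport: int = 0
    syn: bool = False

def sig_1101(pkt):
    """1101 Unknown IP Protocol: protocol field set to 134 or greater."""
    return pkt.proto >= 134

def detect(packets):
    """Return (signature id, src, dst) alerts in arrival order."""
    alerts = []
    syns = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
    swept = set()              # (src, dst) pairs that already fired 3002
    for p in packets:
        if sig_1101(p):
            alerts.append((1101, p.src, p.dst))
        if p.proto == 6 and p.syn:
            key = (p.src, p.dst)
            hist = syns[key]
            hist.append((p.ts, p.dport))
            # keep only the SYNs inside the sliding window
            hist[:] = [(t, d) for t, d in hist if p.ts - t <= SWEEP_WINDOW]
            if len({d for _, d in hist}) >= SWEEP_PORTS and key not in swept:
                swept.add(key)   # alarm once per sweep, not once per packet
                alerts.append((3002, p.src, p.dst))
    return alerts

# Constructed sample traffic: one unknown-protocol datagram, a SYN sweep of
# six ports against 192.0.2.10, and a benign client retrying port 80.
SAMPLE_PACKETS = [
    Packet(0.0, "198.51.100.9", "192.0.2.10", 200),
] + [
    Packet(1.0 + i, "10.0.0.5", "192.0.2.10", 6, dport=port, syn=True)
    for i, port in enumerate([21, 22, 23, 25, 80, 443])
] + [
    Packet(2.5 + i, "10.0.0.7", "192.0.2.10", 6, dport=80, syn=True)
    for i in range(3)
]
```

Running detect(SAMPLE_PACKETS) yields one 1101 alert and one 3002 alert; the retrying client never fires because it touches a single port.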
Summary
 The intrusion detection system (IDS) is a software- or hardware-based solution that passively listens to network traffic.
 An intrusion prevention system (IPS) is an active device in the
traffic path that listens to network traffic and permits or denies
flows and packets into the network.
 In a network-based system, or network intrusion prevention system
(NIPS), the IPS analyzes individual packets that flow through a
network.
 In a host-based system, a host-based intrusion prevention system
(HIPS) examines the activity on each individual computer or host.
 IDS and IPS use any one of four approaches to identifying
malicious traffic:
Signature-based
Policy-based
Anomaly-based
Honeypot-based
Resources
 Cisco Intrusion Prevention System
http://cisco.com/en/US/partner/products/sw/secursw/ps2113/index.html
 Cisco Intrusion Prevention System Support
http://cisco.com/en/US/partner/products/sw/secursw/ps2113/tsd_products_support_series_home.html
Module 6: Cisco IOS Threat Defense Features
Lesson 6.5: Configuring Cisco IOS IPS
Objectives
 Identify the features of the Cisco IOS Intrusion
Protection System (IPS).
 Explain the purpose of .SDF files.
 Describe methods for installing and configuring IPS on
Cisco routers.
Cisco IOS IPS SDFs
 A Cisco IOS router acts as an in-line intrusion
prevention sensor.
 Signature databases:
Built-in (100 signatures embedded in Cisco IOS software)
SDF files (can be downloaded from Cisco.com):
Static (attack-drop.sdf)
Dynamic (128MB.sdf, 256MB.sdf)—based on installed RAM
 Configuration flexibility:
Load built-in signature database, SDF file, or even merge
signatures to increase coverage
Tune or disable individual signatures
Downloading Signatures from Cisco.com
attack-drop.sdf
This SDF contains 82 high-fidelity signatures, providing customers with security threat detection.
When loaded, those signatures fit into the 64-MB router memory.
Cisco IOS IPS Alarms: Configurable Actions
 Send an alarm to a syslog server or a centralized
management interface (syslog or SDEE).
 Drop the packet.
 Reset the connection.
 Block traffic from the source IP address of the attacker
for a specified amount of time.
 Block traffic on the connection on which the signature
was seen for a specified amount of time.
Cisco IOS IPS Alarm Considerations
 Alarms can be combined with reactive actions.
 SDEE is a communication protocol for IPS message
exchange between IPS clients and IPS servers:
More secure than syslog
Reports events to the SDM
 When blocking an IP address, beware of IP spoofing:
May block a legitimate user
Especially recommended where spoofing is unlikely
 When blocking a connection:
IP spoofing less likely
Allows the attacker to use other attack methods
Cisco IOS IPS Configuration Steps
 Configure basic IPS settings:
Specify SDF location.
Configure failure parameter.
Create an IPS rule and, optionally, combine the rule with a filter.
Apply the IPS rule to an interface.
 Configure enhanced IPS settings:
Merge SDFs.
Disable, delete, and filter selected signatures.
Reapply the IPS rule to the interface.
 Verify the IPS configuration.
Note: The default command ip ips sdf builtin does not appear in this IPS configuration example because the configuration specifies the default builtin SDF.
Basic IPS Settings Configuration
Router# show running-config | begin ips
! Drop all packets until IPS is ready for scanning
ip ips fail closed
! IPS rule definition
ip ips name SECURIPS list 100
!
...
interface Serial0/0
ip address 172.31.235.21 255.255.255.0
! Apply the IPS rule to interface in inbound direction
ip ips SECURIPS in
...
Enhanced IPS Settings Configuration
! Merge built-in SDF with attack-drop.sdf, and copy to flash
Router# copy flash:attack-drop.sdf ips-sdf
Router# copy ips-sdf flash:my-signatures.sdf
Router# show running-config | begin ips
! Specify the IPS SDF location
ip ips sdf location flash:my-signatures.sdf
ip ips fail closed
! Disable sig 1107, delete sig 5037, filter sig 6190 with ACL 101
ip ips signature 1107 0 disable
ip ips signature 5037 0 delete
ip ips signature 6190 0 list 101
ip ips name SECURIPS list 100
...
interface Serial0/0
ip address 172.31.235.21 255.255.255.0
! Reapply the IPS rule to take effect
ip ips SECURIPS in
...
Verifying Cisco IOS IPS Configuration
Router# show ip ips configuration
Configured SDF Locations:
flash:my-signatures.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 13:45:38 UTC Jan 1 2006
IPS fail closed is enabled
...
Total Active Signatures: 183
Total Inactive Signatures: 0
Signature 6190:0 list 101
Signature 1107:0 disable
IPS Rule Configuration
IPS name SECURIPS
acl list 100
Interface Configuration
Interface Serial0/0
Inbound IPS rule is SECURIPS
Outgoing IPS rule is not set
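As an added example (not from the page or from Cisco), this Python script parses output in the form shown above and checks that fail closed is enabled, signatures are loaded, and the expected rule is bound inbound on the interface; the sample text is constructed from the lines displayed above.

```python
import re

# Constructed sample, modelled on the show ip ips configuration output above.
SAMPLE_OUTPUT = """\
IPS fail closed is enabled
Total Active Signatures: 183
IPS Rule Configuration
IPS name SECURIPS
acl list 100
Interface Configuration
Interface Serial0/0
Inbound IPS rule is SECURIPS
Outgoing IPS rule is not set
"""

def parse_ips_config(text):
    """Pull the fields an audit needs out of 'show ip ips configuration'."""
    cfg = {"fail_closed": False, "active": 0, "rules": {}, "interfaces": {}}
    rule = iface = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"IPS fail closed is (\w+)", line):
            cfg["fail_closed"] = m.group(1) == "enabled"
        elif m := re.match(r"Total Active Signatures: (\d+)", line):
            cfg["active"] = int(m.group(1))
        elif m := re.match(r"IPS name (\S+)", line):
            rule = m.group(1)
            cfg["rules"][rule] = None            # ACL number comes on the next line
        elif (m := re.match(r"acl list (\d+)", line)) and rule:
            cfg["rules"][rule] = int(m.group(1))
        elif m := re.match(r"Interface (\S*\d\S*)$", line):   # e.g. Serial0/0
            iface = m.group(1)
            cfg["interfaces"][iface] = {"in": None, "out": None}
        elif (m := re.match(r"(Inbound|Outgoing) IPS rule is (.+)", line)) and iface:
            direction = "in" if m.group(1) == "Inbound" else "out"
            cfg["interfaces"][iface][direction] = None if m.group(2) == "not set" else m.group(2)
    return cfg

def audit(cfg, iface, expected_rule):
    # Empty list means the interface is protected the way the procedure intends.
    findings = []
    if not cfg["fail_closed"]:
        findings.append("fail open: traffic passes unscanned while the SDF loads")
    if cfg["active"] == 0:
        findings.append("no active signatures loaded")
    bound = cfg["interfaces"].get(iface, {}).get("in")
    if bound != expected_rule:
        findings.append(f"{iface}: inbound rule is {bound}, expected {expected_rule}")
    return findings
```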
Cisco IOS IPS SDM Configuration Tasks
 Tasks included in the IPS Policies wizard:
Quick interface selection for rule deployment
Identification of the flow direction
Dynamic signature update
Quick deployment of default signatures
Validation of router resources before signature deployment
 Signature customization available in the SDM IPS Edit
menu:
Disable
Delete
Modify parameters
Launching the IPS Policies Wizard
Screenshot callouts (numbered 1 to 4): Select IPS; Customization options; Launch the wizard with the default signature parameters.
IPS Policies Wizard Overview
Adding an SDF Location
Screenshot callouts: Optionally, use built-in signatures as backup; Add SDF location.
Selecting an SDF Location
Screenshot callouts: Select location from flash; Select location from network.
Current SDF Location
Viewing the IPS Policies Wizard Summary
Verifying IPS Deployment
IPS Policies
Global Settings
Viewing All SDEE Messages
Screenshot callout: Select message type for viewing.
Viewing SDEE Status Messages
Screenshot callout: Status messages report the engine states.
Viewing SDEE Alerts
Screenshot callout: Signatures fire SDEE alerts.
Selecting a Signature
Screenshot callout: Edit signature.
Editing a Signature
Screenshot callouts: Click to edit; Select severity.
Disabling a Signature Group
Screenshot callouts (numbered 1 to 4): Select category; Select All; Disable.
Verifying the Tuned Signatures
Summary
 The Cisco IOS IPS acts as an in-line intrusion detection
sensor, watching packets and sessions as they flow
through the router and scanning each packet to match
any of the Cisco IOS IPS signatures.
 IPS can be configured via IOS command line or using
the SDM.
 The SDM provides a wide range of configuration
capabilities for Cisco IOS IPS.
 SDM offers the IPS Policies wizard to expedite
deploying the default IPS settings. The wizard provides
configuration steps for interface and traffic flow
selection, SDF location, and signature deployment.
Resources
 Configuring Cisco IOS IPS Using Cisco SDM and CLI
http://cisco.com/en/US/products/ps6634/products_white_paper0900aecd8043bc32.shtml