I have R1, R2, and R3, and I want to use NBAR to build a security policy that I can apply to R2.
I consider R2's fa0/1 the inside network and R2's s0/1/0 the outside network. I want to prevent inside users from accessing the bittorrent and edonkey protocols, and from downloading .exe files from HTTP sites.
To accomplish this, I'll create a class-map on R2 that matches any of the relevant traffic, create a policy-map that references the class-map and drops the matching traffic, and then apply that policy-map to the outside interface of R2.
R2(config)#class-map match-any CLASS_PROTECT
R2(config-cmap)#match protocol bittorrent
R2(config-cmap)#match protocol edonkey
R2(config-cmap)#match protocol http url *.exe
I'll then create a policy-map for dropping the traffic matched in the class-map.
R2(config-cmap)#policy-map POLICY_DROP_CLASS_PROTECT
R2(config-pmap)#class CLASS_PROTECT
R2(config-pmap-c)#drop
I will now apply the policy-map to the outside interface.
R2(config-pmap)#int s0/1/0
R2(config-if)#service-policy input POLICY_DROP_CLASS_PROTECT
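As an added example (not part of the original post), here is a small audit script that reads an IOS running-config and confirms the policy is wired up the way the steps above intend: the outside interface carries the service-policy in the intended direction, the policy-map drops the class, and the class-map carries every required match line. The sample configuration is constructed to mirror what R2 would show after the commands above; the interface IP address is an assumption.

```python
# Constructed sample of R2's running-config after the NBAR policy is applied.
# The ip address on Serial0/1/0 is assumed for this example.
SAMPLE_CONFIG = """\
class-map match-any CLASS_PROTECT
 match protocol bittorrent
 match protocol edonkey
 match protocol http url "*.exe"
!
policy-map POLICY_DROP_CLASS_PROTECT
 class CLASS_PROTECT
  drop
!
interface Serial0/1/0
 ip address 10.1.23.2 255.255.255.0
 service-policy input POLICY_DROP_CLASS_PROTECT
!
"""

REQUIRED = {"protocol bittorrent", "protocol edonkey", "protocol http url *.exe"}

def parse_blocks(config):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None          # '!' separators end the current block
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_nbar_drop(config, interface, direction, required_matches):
    """Return a list of findings; an empty list means the drop policy is in place."""
    blocks = parse_blocks(config)
    intf = blocks.get(f"interface {interface}", [])
    policies = [line.split()[2] for line in intf
                if line.startswith(f"service-policy {direction} ")]
    if not policies:
        return [f"no service-policy {direction} on {interface}"]
    dropped, cls = set(), None
    for line in blocks.get(f"policy-map {policies[0]}", []):
        if line.startswith("class "):
            cls = line.split()[1]   # 'drop' lines belong to the most recent class
        elif line == "drop" and cls:
            dropped.add(cls)
    matched = set()
    for key, lines in blocks.items():
        if key.startswith("class-map ") and key.split()[-1] in dropped:
            # IOS stores the URL pattern quoted; strip quotes for comparison
            matched |= {m[len("match "):].replace('"', "") for m in lines if m.startswith("match ")}
    return [f"{req} is not dropped by {policies[0]}" for req in sorted(required_matches) if req not in matched]
```

Run `audit_nbar_drop(SAMPLE_CONFIG, "Serial0/1/0", "input", REQUIRED)` against a saved `show running-config` to catch a policy that was defined but never attached, or attached in the wrong direction.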
I won't simulate bittorrent or edonkey, but I will verify that the policy is filtering out .exe files.
I'll connect to R3, create a file with a .exe extension, and set the ip http path so the file is served over HTTP.
R3#copy run slot0:/test.exe
Destination filename [test.exe]?
2278 bytes copied in 1.144 secs (1991 bytes/sec)
R3#dir slot0:
Directory of slot0:/
1 -rw- 38845972 Jun 4 2002 01:34:54 -05:00 c3725-adventerprisek9-mz.124-25c.bin
2 -rw- 2278 Sep 12 2011 18:00:24 -05:00 test.exe
257531904 bytes total (218681344 bytes free)
R3#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip http path slot0:/
I'll first test that I can copy the IOS image from R3 to R1.
R1#copy http://jason:cisco@10.1.23.3/c3725-adventerprisek9-mz.124-25c.bin null:
Loading http://***********@10.1.23.3/c3725-adventerprisek9-mz.124-25c.bin !!!!!!!!!!!!!!!!!!!!
This behaves as expected.
Now I'll attempt to move the .exe file.
R1#copy http://jason:cisco@10.1.23.3/test.exe null:
%Error opening http://jason:cisco@10.1.23.3/test.exe (I/O error)
Access is not allowed as expected.