Tuesday, September 13, 2011

Basic NBAR (Filtering with IOS Part 5)

I have R1, R2, and R3, and I want to use NBAR to effectively help create a security policy that I can apply to R2.

I consider R2's fa0/1 the inside network and R2's s0/1/0 the outside network. I want to prevent inside users from accessing the bittorrent and edonkey protocols, and from downloading .exe files from HTTP sites.

To accomplish this, I'll create a class-map on R2 for matching any of the relevant traffic, create a policy-map which will call the class-map and drop the traffic, and then apply that policy-map to the outside interface of R2.

R2(config)#class-map match-any CLASS_PROTECT
R2(config-cmap)#match protocol bittorrent
R2(config-cmap)#match protocol edonkey 
R2(config-cmap)#match protocol http url *.exe

I'll then create a policy-map for dropping the traffic matched in the class-map.

R2(config-cmap)#policy-map POLICY_DROP_CLASS_PROTECT
R2(config-pmap)#class CLASS_PROTECT
R2(config-pmap-c)#drop

I will now apply the policy-map to the outside interface.

R2(config-pmap-c)#int s0/1/0
R2(config-if)#service-policy input POLICY_DROP_CLASS_PROTECT
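As an added example that is not part of the original post: a small Python audit that parses an IOS-style running-config and checks that an NBAR drop policy is actually complete, i.e. that the service-policy is attached to the outside interface in the intended direction, that every class in the policy-map carries a drop action (a policy-map class with no action classifies traffic but forwards it unchanged), and that the dropping classes between them match every protocol the policy is meant to block. The config text is constructed to mirror the commands above (the interface address is a placeholder) and the function names are my own, not an IOS or Cisco API.

```python
# Constructed sample: the R2 configuration built in the post, written as it
# would appear in "show running-config", with the drop action in place.
R2_CONFIG_OK = """\
class-map match-any CLASS_PROTECT
 match protocol bittorrent
 match protocol edonkey
 match protocol http url *.exe
!
policy-map POLICY_DROP_CLASS_PROTECT
 class CLASS_PROTECT
  drop
!
interface Serial0/1/0
 ip address 192.0.2.2 255.255.255.0
 service-policy input POLICY_DROP_CLASS_PROTECT
!
"""

# Constructed variant: the same config with the drop action left out.
R2_CONFIG_NO_DROP = R2_CONFIG_OK.replace("  drop\n", "")


def parse_sections(config):
    """Split an IOS-style config into (header, [child lines]) pairs.

    Any indented line belongs to the most recent unindented header; deeper
    nesting (policy-map -> class -> drop) is flattened into one child list.
    """
    sections = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            sections.append(current)
    return sections


def audit_nbar_policy(config, interface, direction, expected_protocols):
    """Return a list of findings; an empty list means the policy is complete."""
    sections = parse_sections(config)
    findings = []

    # 1. A service-policy must be attached to the interface in the expected direction.
    iface = next((c for h, c in sections if h == f"interface {interface}"), None)
    if iface is None:
        return [f"interface {interface} not found"]
    attached = [l for l in iface if l.startswith(f"service-policy {direction} ")]
    if not attached:
        return [f"no {direction} service-policy on {interface}"]
    policy_name = attached[0].split()[2]

    # 2. The policy-map must exist and each user class in it must drop.
    pmap = next((c for h, c in sections if h == f"policy-map {policy_name}"), None)
    if pmap is None:
        return [f"policy-map {policy_name} referenced but not defined"]
    classes = {}
    current = None
    for l in pmap:
        if l.startswith("class "):
            current = l.split()[1]
            classes[current] = []
        elif current:
            classes[current].append(l)
    if not classes:
        findings.append(f"policy-map {policy_name} has no class")
    dropping = []
    for name, actions in classes.items():
        if name == "class-default":
            continue
        if "drop" in actions:
            dropping.append(name)
        else:
            findings.append(f"class {name} in {policy_name} has no drop action")

    # 3. The dropping classes together must match every protocol to be blocked.
    matched = set()
    for name in dropping:
        cmap = next((c for h, c in sections
                     if h.startswith("class-map ") and h.split()[-1] == name), None)
        if cmap is None:
            findings.append(f"class-map {name} referenced but not defined")
            continue
        for l in cmap:
            if l.startswith("match protocol "):
                matched.add(l[len("match protocol "):])
    for proto in expected_protocols:
        if proto not in matched:
            findings.append(f"{proto} is not matched by any dropping class")
    return findings


if __name__ == "__main__":
    wanted = ["bittorrent", "edonkey", "http url *.exe"]
    for label, cfg in (("with drop", R2_CONFIG_OK), ("without drop", R2_CONFIG_NO_DROP)):
        print(label, audit_nbar_policy(cfg, "Serial0/1/0", "input", wanted) or "OK")
```

The audit is deliberately line-based rather than a full IOS grammar: it only needs to prove that the three pieces the post builds (class-map, policy-map with an action, service-policy on the interface) line up, which is the check worth running before trusting `%Error opening ... (I/O error)` as evidence that the policy, and not something else, blocked the transfer.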

I won't simulate bittorrent or edonkey, but I will verify that the policy is filtering out .exe files.

I'll connect to R3, create a file with a .exe extension, and point the HTTP server's file path (ip http path) at the flash where the file lives.

R3#copy run slot0:/test.exe
Destination filename [test.exe]? 

2278 bytes copied in 1.144 secs (1991 bytes/sec)
R3#dir slot0:
Directory of slot0:/

    1  -rw-    38845972   Jun 4 2002 01:34:54 -05:00  c3725-adventerprisek9-mz.124-25c.bin
    2  -rw-        2278  Sep 12 2011 18:00:24 -05:00  test.exe

257531904 bytes total (218681344 bytes free)
R3#config terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip http path slot0:/

I'll first test that I can copy the IOS image from R3 to R1.

R1#copy http://jason:cisco@ null:
Loading http://***********@ !!!!!!!!!!!!!!!!!!!!

This behaves as expected.

Now I'll attempt to move the .exe file.

R1#copy http://jason:cisco@ null:
%Error opening http://jason:cisco@ (I/O error)

Access is not allowed as expected.