Friday, September 23, 2011

Basic TCL script for reachability testing


I have R1, R2, R3, and R4. I have a simple configuration where R2 is bridging R1 and R3, with a serial link to R4. I want to use a TCL ping script to quickly verify full reachability.


First, I'll visit each router and view the assigned IP addresses.

R1#show ip interface brief | exclude unassigned
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.13.1       YES manual up                    up      
Loopback0                  10.0.1.1        YES manual up                    up      
R1#


R2#show ip interface brief | exclude unassigned
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/1/0                10.1.24.2       YES manual up                    up      
BVI1                       10.1.13.2       YES manual up                    up      
Loopback0                  10.0.2.2        YES manual up                    up      
R2#


R3#show ip interface brief | exclude unassigned 
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.13.3       YES manual up                    up      
Loopback0                  10.0.3.3        YES manual up                    up      
R3#


R4#show ip interface brief | exclude unassigned
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  10.1.24.4       YES manual up                    up 
Loopback0                  10.0.4.4        YES manual up                    up      
R4#

Now that I have all the IP addresses, I'll put them in a notepad file as a TCL script so that I can copy and paste it into a router whenever I want to check reachability.

tclsh
foreach ip {
10.1.13.1
10.0.1.1
10.1.24.2
10.1.13.2
10.0.2.2
10.1.13.3
10.0.3.3
10.1.24.4
10.0.4.4
} {ping $ip
}

I can keep this in notepad, and copy and paste it whenever I want to test reachability.

Here's the result of pasting it onto R1.

R1(tcl)#foreach ip {
+>(tcl)#10.1.13.1
+>(tcl)#10.0.1.1
+>(tcl)#10.1.24.2
+>(tcl)#10.1.13.2
+>(tcl)#10.0.2.2
+>(tcl)#10.1.13.3
+>(tcl)#10.0.3.3
+>(tcl)#10.1.24.4
+>(tcl)#10.0.4.4
+>(tcl)#} {ping $ip
+>(tcl)#}


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R1(tcl)#
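The script above prints the full ping output for every host, which is fine for nine addresses but buries a single failure in a wall of text. The variant below is added here as an example and is not from the original post: it captures each ping's output with exec, pulls the success rate out with regexp, prints a one-line verdict per host and returns the list of hosts that failed. It assumes an IOS tclsh in which exec returns the IOS command output as a string (as on the 12.4T image used in this lab) and reuses the same nine lab addresses; the host list and the repeat count are the only things to change.

```tcl
# Added example (not from the original post): reachability sweep with a
# one-line verdict per host and a summary of failures, for IOS tclsh.
# Assumption: running under IOS tclsh, where [exec "ping ..."] returns the
# IOS command output as a string (true on the 12.4T image used in this lab).
# The host list is the nine lab addresses from the show ip interface brief
# output above; edit it for your topology.

set hosts {
    10.1.13.1 10.0.1.1
    10.1.24.2 10.1.13.2 10.0.2.2
    10.1.13.3 10.0.3.3
    10.1.24.4 10.0.4.4
}

# Ping each host and return the list of hosts that did not answer every probe.
proc sweep {hosts {repeat 2}} {
    set failed {}
    foreach ip $hosts {
        # Same ping the original script runs, with fewer probes and the
        # output captured instead of scrolling past.
        set out [exec "ping $ip repeat $repeat"]
        set rate -1
        regexp {Success rate is (\d+) percent} $out -> rate
        if {$rate == 100} {
            puts [format "%-15s OK" $ip]
        } else {
            puts [format "%-15s FAIL (success rate %s%%)" $ip $rate]
            lappend failed $ip
        }
    }
    return $failed
}

set failed [sweep $hosts]
if {[llength $failed] == 0} {
    puts "All [llength $hosts] hosts reachable"
} else {
    puts "Unreachable: $failed"
}
```

Paste it into tclsh exactly as the original script is pasted. A dead host still costs the IOS ping timeout per probe (two seconds each by default), so keep the repeat count small when sweeping a large list; the verdict lines are what you want to eyeball, and the returned list is what you would hand to a follow-up script.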

Thursday, September 22, 2011

Cisco IOS IPS (Filtering with IOS Part 10)


R2 will serve as the IPS preventing specific traffic between R1 and R3.


To begin with IOS IPS, I must download the IPS signature package from Cisco.com
http://tools.cisco.com/support/downloads/go/Model.x?mdfid=281442967&mdfLevel=Software%20Family&treeName=Security&modelName=Cisco%20IOS%20Intrusion%20Prevention%20System%20Feature%20Software&treeMdfId=268438162
and the public key that IOS IPS uses to verify Cisco's signature on that package: http://download-sj.cisco.com/cisco/ciscosecure/ids/sigup/5.0/ios/realm-cisco.pub.key.txt

Next, I will create a directory on R2 to store the IPS signature files and configurations.

R2#mkdir IPS
Create directory filename [IPS]? 
Created dir flash:/IPS
R2#dir
Directory of flash:/


    1  -rw-    38765296  Jul 12 2010 18:57:38 +00:00  c2800nm-advsecurityk9-mz.124-24.T3.bin
   15  drw-           0  Sep 23 2011 03:10:14 +00:00  IPS


64016384 bytes total (25243648 bytes free)
R2#

Now I'll paste the contents of realm-cisco.pub.key.txt into R2 to configure the public key used by IOS IPS. IOS checks the signature on the signature package against this key before it will load the package, so the hex string must be entered exactly as published; a mistyped key shows up later as a failed package load, not here.

R2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#crypto key pubkey-chain rsa
R2(config-pubkey-chain)# named-key realm-cisco.pub signature
Translating "realm-cisco.pub"


R2(config-pubkey-key)#  key-string
Enter a public key as a hexidecimal number ....


R2(config-pubkey)#   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
R2(config-pubkey)#   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R2(config-pubkey)#   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R2(config-pubkey)#   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R2(config-pubkey)#   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R2(config-pubkey)#   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R2(config-pubkey)#   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R2(config-pubkey)#   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R2(config-pubkey)#   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R2(config-pubkey)#   F3020301 0001
R2(config-pubkey)# quit
R2(config-pubkey-key)# exit
R2(config-pubkey-chain)# exit 
R2(config)#

Now I'll create a rule name that will be applied to an interface, point IOS IPS at the directory that will hold the signature files, and enable IPS SDEE and log notifications. Note that SDEE notifications will not work unless ip http server is enabled. Since that exposes the router's web server, restrict it with ip http access-class to the management hosts that need to pull SDEE events.

R2(config)#ip ips name IOSIPS
R2(config)#ip ips config location flash:IPS
R2(config)#ip ips notify sdee
R2(config)#ip ips notify log
R2(config)#ip http server

To avoid exhausting R2's memory, I'll configure IOS IPS to retire every signature and then un-retire only the ios_ips basic category.

R2(config)#ip ips signature-category 
R2(config-ips-category)#category all 
R2(config-ips-category-action)#retired true
R2(config-ips-category-action)#category ios_ips basic
R2(config-ips-category-action)#retired false 
R2(config-ips-category-action)#exit
R2(config-ips-category)#exit
Do you want to accept these changes? [confirm]
R2(config)#

Now I'll enable the rule on the fa0/1 interface

R2(config)#interface fa0/1
R2(config-if)#ip ips IOSIPS in 
R2(config-if)#ip ips IOSIPS out
*Sep 23 04:35:02.891: %IPS-6-ENGINE_BUILDS_STARTED:  04:35:02 UTC Sep 23 2011
*Sep 23 04:35:02.891: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Sep 23 04:35:02.903: %IPS-6-ENGINE_READY: atomic-ip - build time 12 ms - packets for this engine will be scanned
*Sep 23 04:35:02.903: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 12 ms

To load the IOS IPS signature file I downloaded earlier, I set up an FTP server and reached it from R2's VLAN2 interface, 192.168.1.2. I'll copy the file with FTP and the idconf parameter, which starts the compile once the copy completes. The FTP username and password travel in cleartext and are kept in the command history, so use a throwaway account on a management network, or copy the file with scp instead. The package itself is integrity-protected regardless of transport, because IOS verifies Cisco's signature against the realm-cisco.pub key entered above.

R2#copy ftp://jason:cisco@192.168.1.71/IOS-S595-CLI.pkg idconf
Loading IOS-S595-CLI.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 13572723/4096 bytes]


*Sep 23 04:38:37.959: %IPS-6-ENGINE_BUILDS_STARTED:  04:38:37 UTC Sep 23 2011
*Sep 23 04:38:37.967: %IPS-6-ENGINE_BUILDING: multi-string - 228 signatures - 1 of 13 engines
*Sep 23 04:38:38.795: %IPS-6-ENGINE_READY: multi-string - build time 828 ms - packets for this engine will be scanned
*Sep 23 04:38:38.819: %IPS-6-ENGINE_BUILDING: service-http - 914 signatures - 2 of 13 engines
*Sep 23 04:38:41.855: %IPS-6-ENGINE_READY: service-http - build time 3036 ms - packets for this engine will be scanned
*Sep 23 04:38:41.915: %IPS-6-ENGINE_BUILDING: string-tcp - 2441 signatures - 3 of 13 engines
*Sep 23 04:38:53.723: %IPS-6-ENGINE_READY: string-tcp - build time 11808 ms - packets for this engine will be scanned
*Sep 23 04:38:53.731: %IPS-6-ENGINE_BUILDING: string-udp - 79 signatures - 4 of 13 engines
*Sep 23 04:38:53.883: %IPS-6-ENGINE_READY: string-udp - build time 152 ms - packets for this engine will be scanned
*Sep 23 04:38:53.883: %IPS-6-ENGINE_BUILDING: state - 39 signatures - 5 of 13 engines
*Sep 23 04:38:54.139: %IPS-6-ENGINE_READY: state - build time 256 ms - packets for this engine will be scanned
*Sep 23 04:38:54.235: %IPS-6-ENGINE_BUILDING: atomic-ip - 424 signatures - 6 of 13 engines
*Sep 23 04:38:55.963: %IPS-6-ENGINE_READY: atomic-ip - build time 1728 ms - packets for this engine will be scanned
*Sep 23 04:38:56.051: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Sep 23 04:38:56.051: %IPS-6-ENGINE_READY: string-icmp - build time 0 ms - packets for this engine will be scanned
*Sep 23 04:38:56.051: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Sep 23 04:38:56.071: %IPS-6-ENGINE_READY: service-ftp - build time 20 ms - packets for this engine will be scanned
*Sep 23 04:38:56.075: %IPS-6-ENGINE_BUILDING: service-rpc - 78 signatures - 9 of 13 engines
*Sep 23 04:38:56.275: %IPS-6-ENGINE_READY: service-rpc - build time 200 ms - packets for this engine will be scanned
*Sep 23 04:38:56.275: %IPS-6-ENGINE_BUILDING: service-dns - 39 signatures - 10 of 13 engines
*Sep 23 04:38:56.335: %IPS-6-ENGINE_READY: service-dns - build time 56 ms - packets for this engine will be scanned
*Sep 23 04:38:56.335: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
*Sep 23 04:38:56.339: %IPS-6-ENGINE_READY: normalizer - build time 4 ms - packets for this engine will be scanned
*Sep 23 04:38:56.343: %IPS-6-ENGINE_BUILDING: service-smb-advanced - 63 signatures - 12 of 13 engines
*Sep 23 04:38:57.819: %IPS-6-ENGINE_READY: service-smb-advanced - build time 1476 ms - packets for this engine will be scanned
*Sep 23 04:38:57.819: %IPS-6-ENGINE_BUILDING: service-msrpc - 36 signatures - 13 of 13 engines
*Sep 23 04:38:58.151: %IPS-6-ENGINE_READY: service-msrpc - build time 332 ms - packets for this engine will be scanned
*Sep 23 04:38:58.151: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 20192 ms
R2#

I can verify the six signature definition and SEAP files that IOS IPS wrote to the IPS directory:

R2#dir flash:IPS
Directory of flash:/IPS/


    4  -rw-      565829  Sep 23 2011 04:39:24 +00:00  R2-sigdef-default.xml
    5  -rw-         255  Sep 23 2011 04:35:02 +00:00  R2-sigdef-delta.xml
    6  -rw-        9482  Sep 23 2011 04:36:44 +00:00  R2-sigdef-typedef.xml
    7  -rw-       90856  Sep 23 2011 04:36:52 +00:00  R2-sigdef-category.xml
    8  -rw-         304  Sep 23 2011 04:35:04 +00:00  R2-seap-delta.xml
    9  -rw-         491  Sep 23 2011 04:35:04 +00:00  R2-seap-typedef.xml


64016384 bytes total (24551424 bytes free)

I can verify the compiled signature count. Only 298 of the 4356 signatures are compiled, which is the effect of retiring everything except ios_ips basic.

R2#show ip ips signature count


Cisco SDF release version S595.0
Trend SDF release version V0.0


Signature Micro-Engine: multi-string: Total Signatures 228
      multi-string enabled signatures: 154
      multi-string retired signatures: 224
      multi-string compiled signatures: 4
      multi-string obsoleted signatures: 1


Signature Micro-Engine: service-http: Total Signatures 914
      service-http enabled signatures: 178
      service-http retired signatures: 859
      service-http compiled signatures: 55
      service-http obsoleted signatures: 4


Signature Micro-Engine: string-tcp: Total Signatures 2441
      string-tcp enabled signatures: 645
      string-tcp retired signatures: 2315
      string-tcp compiled signatures: 126
      string-tcp obsoleted signatures: 35


Signature Micro-Engine: string-udp: Total Signatures 79
      string-udp enabled signatures: 0
      string-udp retired signatures: 73
      string-udp compiled signatures: 6
      string-udp obsoleted signatures: 2


Signature Micro-Engine: state: Total Signatures 39
      state enabled signatures: 1
      state retired signatures: 28
      state compiled signatures: 11


Signature Micro-Engine: atomic-ip: Total Signatures 424
      atomic-ip enabled signatures: 105
      atomic-ip retired signatures: 403
      atomic-ip compiled signatures: 21
      atomic-ip obsoleted signatures: 2


Signature Micro-Engine: string-icmp: Total Signatures 3
      string-icmp enabled signatures: 0
      string-icmp retired signatures: 3


Signature Micro-Engine: service-ftp: Total Signatures 3
      service-ftp enabled signatures: 1
      service-ftp retired signatures: 2
      service-ftp compiled signatures: 1


Signature Micro-Engine: service-rpc: Total Signatures 78
      service-rpc enabled signatures: 44
      service-rpc retired signatures: 54
      service-rpc compiled signatures: 24


Signature Micro-Engine: service-dns: Total Signatures 39
      service-dns enabled signatures: 26
      service-dns retired signatures: 16
      service-dns compiled signatures: 23
      service-dns obsoleted signatures: 1


Signature Micro-Engine: normalizer: Total Signatures 9
      normalizer enabled signatures: 8
      normalizer retired signatures: 1
      normalizer compiled signatures: 8


Signature Micro-Engine: service-smb-advanced: Total Signatures 63
      service-smb-advanced enabled signatures: 47
      service-smb-advanced retired signatures: 49
      service-smb-advanced compiled signatures: 14
      service-smb-advanced obsoleted signatures: 1


Signature Micro-Engine: service-msrpc: Total Signatures 36
      service-msrpc enabled signatures: 16
      service-msrpc retired signatures: 31
      service-msrpc compiled signatures: 5
      service-msrpc obsoleted signatures: 1


Total Signatures: 4356
   Total Enabled Signatures: 1225
   Total Retired Signatures: 4058
   Total Compiled Signatures: 298
   Total Obsoleted Signatures: 47


R2#

show ip ips signatures lists every signature with its enabled, compiled, action and severity fields; the legend at the top of the output explains the codes.

R2#sh ip ips signatures        


Cisco SDF release version S595.0
Trend SDF release version V0.0


En  - possible values are Y, Y*, N, or N*
      Y:  signature is enabled
      N:  enabled=false in the signature definition file
      *:  retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
      Y:  signature is compiled
      Ni: signature not compiled due to invalid or missing parameters
      Nr: signature not compiled because it is retired
      Nf: signature compile failed
      No: signature is obsoleted
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits             EC=event-count          AI=alert-interval
GST=global-summary-threshold   SI=summary-interval     SM=summary-mode
SW=swap-attacker-victim        SFR=sig-fidelity-rating Rel=release




Signature Micro-Engine: multi-string: Total Signatures 228
      multi-string enabled signatures: 154
      multi-string retired signatures: 224
      multi-string compiled signatures: 4
      multi-string obsoleted signatures: 1
 SigID:SubID En  Cmp   Action Sev   Trait   EC   AI   GST   SI  SM SW SFR Rel
 ----------- --  ----  ------ ---   -----  ---- ---- -----  --- -- -- --- ---
 50013:5     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50013:4     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50013:3     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50013:2     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50013:1     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50013:0     N*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50012:3     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50012:2     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50012:1     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
 50012:0     Y*  Nr    ADR    MED     0     1    0      0    0  FA  N 100 S480   
          
R2#


Part 1
Part 2
Part 3
Part 4
Part 5
Part 6
Part 7
Part 8
Part 9
Part 10




Transparent Zone-Based Firewall (Filtering with IOS Part 9)

I have R1, R2, R3, and R4. I want to use Transparent Zone-Based Firewall to help create a security policy that I can apply to R2.



These are similar requirements to the write-up done previously, but this time with Transparent Zone-Based Firewall.

R2's Fa0/1 is connected to R1 and is considered the INSIDE network. R2's Fa0/0 is connected to R3 and is considered the OUTSIDE network. R2's Se0/1/0 will connect to R4's S0/1. R1 and R3's FastEthernet interfaces are part of the 10.1.13.0/24 network, which requires R2 to bridge between the two interfaces.

I want to allow R1 to access R3's http service, but not be allowed to telnet to R3. I want R3 to be allowed to telnet to R1, but not be allowed to access R1's http service. I want both R1 and R3 to be able to access R4.

The bridging configuration is in place with all relevant interfaces enabled.

With ZFW, I first need to create the zones. In this case, I only need INSIDE and OUTSIDE.

R2(config)#zone security INSIDE 
R2(config-sec-zone)#zone security OUTSIDE

Next I will classify the traffic. In this case, I need classes to match INSIDE to OUTSIDE, and OUTSIDE to INSIDE.

R2(config)#class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE
R2(config-cmap)#match protocol http
R2(config-cmap)#match protocol icmp
R2(config-cmap)#class-map type inspect match-any CMAP_OUTSIDE_TO_INSIDE
R2(config-cmap)#match protocol telnet
R2(config-cmap)#match protocol icmp

With the traffic classified, the next step is to create policy-maps.

R2(config)#policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
R2(config-pmap)#class CMAP_INSIDE_TO_OUTSIDE
R2(config-pmap-c)#inspect
R2(config-pmap-c)#policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
R2(config-pmap)#class CMAP_OUTSIDE_TO_INSIDE
R2(config-pmap-c)#inspect

Now I'll apply the policies to zone-pairs.

R2(config)#zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
R2(config-sec-zone-pair)#service-policy type inspect PMAP_INSIDE_TO_OUTSIDE 
R2(config-sec-zone-pair)#exit
R2(config)#zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
R2(config-sec-zone-pair)#service-policy type inspect PMAP_OUTSIDE_TO_INSIDE

Next I'll assign the interfaces to their zones.

R2(config)#interface fa0/0
R2(config-if)#zone security OUTSIDE
R2(config-if)#interface fa0/1
R2(config-if)#zone security INSIDE

At this point, I should be able to ping, open an http session, but not telnet from R1 to R3.

R1#ping 10.1.13.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Pings are good, though note that 10.1.13.1 is R1's own Fa0/0 address, so this ping never leaves R1 and says nothing about R2's policy. A ping to 10.1.13.3 is what exercises the ICMP inspection from INSIDE to OUTSIDE; the R3 to R1 and R1 to R4 pings further down do cross R2.

R1#copy http://jason:cisco@10.1.13.3/test.txt null:
Loading http://***********@10.1.13.3/test.txt !
1753 bytes copied in 0.689 secs (2544 bytes/sec)

HTTP works.

R1#telnet 10.1.13.3
Trying 10.1.13.3 ... 
% Connection timed out; remote host not responding

Telnet does not.

Now I'll try the same from R3 to R1. I should be able to ping, telnet, but not establish http sessions from R3 to R1.

R3#ping 10.1.13.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Pings work.

R3#telnet 10.1.13.1
Trying 10.1.13.1 ... Open


User Access Verification


Password: 
R1>exit


[Connection to 10.1.13.1 closed by foreign host]

Telnet is good.

R3#copy http://jason:cisco@10.1.13.1/test.txt null:
%Error opening http://jason:cisco@10.1.13.1/test.txt (I/O error)

As expected, HTTP does not.

From R1 I'll open an http session to R3, and on R2 I'll run show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions.

R2#show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions 


policy exists on zp ZP_INSIDE_TO_OUTSIDE
 Zone-pair: ZP_INSIDE_TO_OUTSIDE


  Service-policy inspect : PMAP_INSIDE_TO_OUTSIDE


    Class-map: CMAP_INSIDE_TO_OUTSIDE (match-any)
      Match: protocol http
        4 packets, 96 bytes
        30 second rate 0 bps
      Match: protocol icmp
        2 packets, 160 bytes
        30 second rate 0 bps


   Inspect


      Number of Established Sessions = 1
      Established Sessions
        Session 667A7840 (10.1.13.1:51298)=>(10.1.13.3:80) http:tcp SIS_OPEN
          Created 00:00:02, Last heard 00:00:02
          Bytes sent (initiator:responder) [0:0]


    Class-map: class-default (match-any)
      Match: any 
      Drop
        12 packets, 288 bytes

The http:tcp SIS_OPEN entry is that connection, tracked by the inspect action so that R3's replies are allowed back to R1 even though no OUTSIDE to INSIDE rule permits http.

From R1 or R3 I can ping R4. R4 can also ping both R1 and R3.

R1#ping 10.1.24.4


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms


R3#ping 10.1.24.4


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


R4#ping 10.1.13.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 10.1.13.3


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

This works because the BVI interface is considered to be part of the self zone.





Zone-Based Firewall Policy (Filtering with IOS Part 8)

I have R1, R2, R3, R4 and R5. I want to use Zone-Based Firewall Policy to create a security policy that I can apply to R2.



I want R2's Fa0/0 and Fa0/1 interfaces to serve as the INSIDE interfaces, Se0/0/0 to serve as the EXTRANET interface, and Se0/1/0 to serve as the OUTSIDE interface. With Fa0/0 and Fa0/1 in the same zone, I won't have to configure any rule allowing traffic between them, as interfaces in the same zone pass traffic by default. I am simulating a web server in the EXTRANET zone on R4. I want to allow HTTP and ICMP access from the INSIDE zone to the EXTRANET zone, as well as from the OUTSIDE zone to the EXTRANET zone. Additionally, I want the INSIDE zone to be able to telnet to R4. I want to allow TCP, UDP, TELNET, HTTP, and ICMP from the INSIDE zone to the OUTSIDE zone, but prevent .exe files from being downloaded.

Like the previous IP Inspect and TCP Intercept configurations, I want to use a parameter-map to set the TCP timeout after a SYN with no further data to 5 seconds, a max-incomplete low of 5 and high of 10, and a one-minute low of 10 and high of 20. I also want to rate limit traffic from the OUTSIDE zone to the web server in the EXTRANET zone to 128000 bits per second (the police rate in a type inspect policy-map is in bps; the burst is in bytes).

When using Zone-Based Firewall, traffic directed to the router will be allowed by default, but I can limit this by applying a policy to a zone-pair between a specified source and the self zone. In my case, I want to allow the EIGRP routing protocol traffic along with ICMP to be allowed to any of R2's interfaces, except for the INSIDE interfaces, where I want to additionally allow telnet traffic for management.

All routers are running EIGRP with AS 1.

I'll start by creating the zones on R2.

R2(config)#zone security OUTSIDE
R2(config-sec-zone)#zone security INSIDE
R2(config-sec-zone)#zone security EXTRANET

On R4 I'll enable the HTTP server, set the ip http path, and create a user. Using password rather than secret is acceptable in a lab, but it stores the password reversibly; anywhere real, use username jason secret and ip http secure-server.

R4(config)#ip http server
R4(config)#ip http path flash:
R4(config)#username jason password cisco

On R2, I'll classify the traffic for the INSIDE and OUTSIDE to the EXTRANET zone

R2(config)#class-map type inspect match-any CMAP_TO_EXTRANET 
R2(config-cmap)#match protocol http
R2(config-cmap)#match protocol icmp

Since I want to also allow telnet to R4 on the EXTRANET from the INSIDE zone, I'll create another class-map to match this traffic.

R2(config-ext-nacl)#class-map type inspect match-any CMAP_INSIDE_TO_EXTRANET_MGMT
R2(config-cmap)#match protocol telnet

On R2, I'll classify the traffic for the INSIDE to OUTSIDE zones.

R2(config-if)#class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE
R2(config-cmap)#match protocol tcp
R2(config-cmap)#match protocol udp
R2(config-cmap)#match protocol telnet
R2(config-cmap)#match protocol icmp

In order to block .exe files from being downloaded, I will have to create a separate class-map which only specifies the http traffic.

R2(config)#class-map type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP
R2(config-cmap)#match protocol http

To block .exe files, I'll create a regex parameter-map with a pattern that matches .exe. Two caveats: the pattern is unanchored, so it fires on any request URI that contains ".exe" anywhere (including something like readme.exe.txt), and matching the URI says nothing about the content, so an executable served under another name, or requested with the ".exe" percent-encoded so the literal string never appears, goes through. Treat this as a nuisance control against casual downloads, not a malware gate.

R2(config)#parameter-map type regex PARAM_DROP_EXE
R2(config-profile)#pattern .*\.([Ee][Xx][Ee])

I'll create another parameter-map to help protect the web server in the EXTRANET zone from TCP related attacks.

R2(config)#parameter-map type inspect PARAM_PROTECT_TCP
R2(config-profile)#tcp synwait-time 5
R2(config-profile)#max-incomplete low 5 
R2(config-profile)#max-incomplete high 10
R2(config-profile)#one-minute low 10
R2(config-profile)#one-minute high 20 

I'll reference the regex parameter-map in a class.

R2(config)#class-map type inspect http CMAP_BLOCK_EXE
R2(config-cmap)#match request uri regex PARAM_DROP_EXE
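To see what the pattern in PARAM_DROP_EXE actually does before trusting CMAP_BLOCK_EXE with it, here is a small check written for this edit (it is not part of the original post) that runs the page's pattern and a hypothetical anchored alternative against a few constructed request URIs in a plain tclsh. It assumes Tcl's regexp behaves like the IOS regex engine for these simple expressions (character classes, ".", "$"), which is an assumption, and it cannot tell you whether IOS percent-decodes the URI before matching; test that on the router.

```tcl
# Added example, not from the original post: exercise the .exe URI regex from
# PARAM_DROP_EXE against constructed request URIs in a plain tclsh.
# Assumption: Tcl's regexp agrees with the IOS regex engine for these simple
# patterns; IOS behaviour for percent-encoded URIs is not shown on the page
# and must be tested on the router.

# The page's pattern: fires on any URI that contains ".exe" anywhere.
set PARAM_DROP_EXE {.*\.([Ee][Xx][Ee])}

# Hypothetical tighter alternative: only a path that ends in .exe, applied to
# the path with any query string removed.
set PARAM_DROP_EXE_END {\.[Ee][Xx][Ee]$}

# Constructed sample request URIs, not captured traffic.
set uris {
    /downloads/setup.exe
    /downloads/SETUP.EXE
    /downloads/setup.exe?mirror=2
    /readme.exe.txt
    /get?file=setup%2Eexe
    /downloads/setup.ex_
    /index.html
}

# Return 1 if the pattern fires on the string, else 0.
proc fires {pattern s} {
    return [regexp -- $pattern $s]
}

# Path component only: everything before the first "?".
proc path_of {uri} {
    return [lindex [split $uri ?] 0]
}

puts [format "%-32s %-9s %-9s" URI original anchored]
foreach uri $uris {
    puts [format "%-32s %-9d %-9d" $uri \
        [fires $PARAM_DROP_EXE $uri] \
        [fires $PARAM_DROP_EXE_END [path_of $uri]]]
}
```

Reading across the rows: the page's pattern catches setup.exe in either case and with a query string, but also resets /readme.exe.txt (a false positive), while /get?file=setup%2Eexe passes untouched under both patterns because the literal ".exe" never appears. The anchored form removes the false positive and nothing else. Neither pattern does anything about a binary served under a name with no extension, and the http inspection only sees the cleartext HTTP it recognises, not HTTPS, which is why the reset action is a convenience control rather than a content filter.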

From the OUTSIDE and EXTRANET zones I will limit traffic going to the self zone to routing protocol and ICMP traffic. I'll create an ACL to match the EIGRP traffic. Note: some routing protocols can be matched directly within a class-map, but others such as EIGRP have to be matched with an ACL that the class-map then references.

R2(config)#ip access-list extended ACL_EIGRP
R2(config-ext-nacl)#permit eigrp any any
R2(config-ext-nacl)#exit
R2(config)#class-map type inspect match-any CMAP_TO_SELF
R2(config-cmap)#match access-group name ACL_EIGRP 
R2(config-cmap)#match protocol icmp 

I'll also add an additional class-map to self for the INSIDE zone.

R2(config)#class-map type inspect match-any CMAP_INSIDE_TO_SELF
R2(config-cmap)#match access-group name ACL_EIGRP
R2(config-cmap)#match protocol icmp
R2(config-cmap)#match protocol telnet

At this point, all traffic should be classified.

Now, I'll create the policy-maps to define what should happen to the traffic.

Rate limiting could be done with QoS, but I'll put a police statement in this type inspect policy-map along with the PARAM_PROTECT_TCP parameter-map. This is useful because the policy is tied to the zone-pair, so it automatically covers any interface later added to the OUTSIDE zone.

I'll start with INSIDE and OUTSIDE to EXTRANET.

R2(config)#policy-map type inspect PMAP_OUTSIDE_TO_EXTRANET
R2(config-pmap)#class type inspect CMAP_TO_EXTRANET 
R2(config-pmap-c)#inspect PARAM_PROTECT_TCP 
R2(config-pmap-c)#police rate 128000 burst 16000

I'll create another policy-map for the INSIDE to EXTRANET traffic. I could have reused the policy-map applied from OUTSIDE to EXTRANET, but in this case I want a separate policy-map that also inspects telnet from the INSIDE zone to R4 in the EXTRANET zone.

R2(config)#policy-map type inspect PMAP_INSIDE_TO_EXTRANET
R2(config-pmap)#class type inspect CMAP_INSIDE_TO_EXTRANET_MGMT
R2(config-pmap-c)#inspect
R2(config-pmap-c)#class type inspect CMAP_TO_EXTRANET            
R2(config-pmap-c)#inspect

I'll create a policy-map for INSIDE to OUTSIDE traffic that calls the class-maps I created for allowed and disallowed traffic. I'll start with a policy-map (type inspect http), nest in it the class-map that was created to block .exe files, and set an action of reset. That policy-map is then nested in the main INSIDE to OUTSIDE policy-map. It is important to understand that the "class type inspect" statements are evaluated in the order they were added. Since http is a tcp protocol, if I added the class containing "match protocol tcp" before the class carrying the "service-policy http" statement, http would match the tcp class and be allowed, and the .exe reset would never run.

R2(config)#policy-map type inspect http PMAP_BLOCK_EXE
R2(config-pmap)#class type inspect http CMAP_BLOCK_EXE
R2(config-pmap-c)#reset
R2(config-pmap-c)#policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
R2(config-pmap)#class type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP
R2(config-pmap-c)#inspect 
R2(config-pmap-c)#service-policy http PMAP_BLOCK_EXE
R2(config-pmap)#class type inspect CMAP_INSIDE_TO_OUTSIDE
R2(config-pmap-c)#inspect

Now I'll create the policy maps for the self zone traffic.

R2(config)#policy-map type inspect PMAP_TO_SELF
R2(config-pmap)#class CMAP_TO_SELF
R2(config-pmap-c)#pass
R2(config-pmap-c)#policy-map type inspect PMAP_INSIDE_TO_SELF
R2(config-pmap)#class CMAP_INSIDE_TO_SELF

At this point, all traffic is classified, and policy-maps have been configured for all classes. One thing to check in the capture above: PMAP_INSIDE_TO_SELF shows class CMAP_INSIDE_TO_SELF with no action beneath it. It needs the same pass that PMAP_TO_SELF has; with no action, nothing in that policy permits the matched EIGRP, ICMP and telnet traffic, so add pass under that class before the zone-pair is applied.

Now I'll create zone pairs and apply the respective policies. I'll create a zone-pair for INSIDE to EXTRANET, OUTSIDE to EXTRANET, INSIDE to OUTSIDE, INSIDE to self, EXTRANET to self, and OUTSIDE to self.

R2(config)#zone-pair security ZP_INSIDE_TO_EXTRANET source INSIDE destination EXTRANET
R2(config-sec-zone-pair)#service-policy type inspect PMAP_INSIDE_TO_EXTRANET
R2(config-sec-zone-pair)#exit
R2(config)#$zone-pair security ZP_OUTSIDE_TO_EXTRANET source OUTSIDE destination EXTRANET
R2(config-sec-zone-pair)#service-policy type inspect PMAP_OUTSIDE_TO_EXTRANET
R2(config-sec-zone-pair)#exit
R2(config)#zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
R2(config-sec-zone-pair)#service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
R2(config-sec-zone-pair)#exit
R2(config)#zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self 
R2(config-sec-zone-pair)#service-policy type inspect PMAP_INSIDE_TO_SELF
R2(config-sec-zone-pair)#exit
R2(config)#$zone-pair security ZP_EXTRANET_TO_SELF source EXTRANET destination self     
R2(config-sec-zone-pair)#service-policy type inspect PMAP_TO_SELF         
R2(config-sec-zone-pair)#exit
R2(config)#zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
R2(config-sec-zone-pair)#service-policy type inspect PMAP_TO_SELF
R2(config-sec-zone-pair)#exit

Now that the zone-pairs have been created, I will assign the interfaces to their respective zones.

R2(config)#interface fa0/1
R2(config-if)#zone security INSIDE
R2(config-if)#exit
R2(config)#interface fa0/0
R2(config-if)#zone security INSIDE
R2(config-if)#exit
R2(config)#interface se0/0/0
R2(config-if)#zone security EXTRANET
R2(config-if)#exit
R2(config)#interface se0/1/0
R2(config-if)#zone security OUTSIDE
R2(config-if)#end
R2#

This completes the configuration.

Now I'll verify that the configuration is operational.

First I'll verify that the zones have been applied and the correct interfaces have been assigned

R2#show zone security
zone self
  Description: System defined zone


zone OUTSIDE
  Member Interfaces:
    Serial0/1/0


zone EXTRANET
  Member Interfaces:
    Serial0/0/0


zone INSIDE
  Member Interfaces:
    FastEthernet0/1
    FastEthernet0/0

Next, I'll verify that the zone-pairs exist, that the correct source and destination zones have been referenced, and that the correct service-policy has been applied to each pair.

R2#show zone-pair security 
Zone-pair name ZP_INSIDE_TO_EXTRANET
    Source-Zone INSIDE  Destination-Zone EXTRANET 
    service-policy PMAP_INSIDE_TO_EXTRANET
Zone-pair name ZP_OUTSIDE_TO_EXTRANET
    Source-Zone OUTSIDE  Destination-Zone EXTRANET 
    service-policy PMAP_OUTSIDE_TO_EXTRANET
Zone-pair name ZP_INSIDE_TO_OUTSIDE
    Source-Zone INSIDE  Destination-Zone OUTSIDE 
    service-policy PMAP_INSIDE_TO_OUTSIDE
Zone-pair name ZP_INSIDE_TO_SELF
    Source-Zone INSIDE  Destination-Zone self 
    service-policy PMAP_INSIDE_TO_SELF
Zone-pair name ZP_EXTRANET_TO_SELF
    Source-Zone EXTRANET  Destination-Zone self 
    service-policy PMAP_TO_SELF
Zone-pair name ZP_OUTSIDE_TO_SELF
    Source-Zone OUTSIDE  Destination-Zone self 
    service-policy PMAP_TO_SELF

I'll verify that all EIGRP neighborships still exist.

R2#show ip eigrp neighbors 
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.12.1               Fa0/1             13 1d00h       3   200  0  9
3   10.1.25.5               Se0/1/0           13 1d00h       8   200  0  9
2   10.1.24.4               Se0/0/0          152 1d00h      55   330  0  5
1   10.1.23.3               Fa0/0             12 1d00h       9   200  0  6

Although no rules were configured for the two inside interfaces to communicate with each other, I'll verify that I can ping and telnet between them.

From R1 to R3:

R1#ping 10.1.23.3      


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#telnet 10.1.23.3
Trying 10.1.23.3 ... Open


User Access Verification


Password: 
R3>exit


[Connection to 10.1.23.3 closed by foreign host]

From R3 to R1:

R3#ping 10.1.12.1  


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3#telnet 10.1.12.1
Trying 10.1.12.1 ... Open


User Access Verification


Password: 
R1>

This works as expected.

Next I'll verify that the INSIDE to EXTRANET communication is working correctly. I should be able to ping and telnet to R4, and R5 should be able to ping, but NOT telnet. I'll use the loopback address to communicate to the web server on R4.

R1 to R4:

R1#ping 10.1.24.4


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/61 ms
R1#telnet 10.0.4.4 
Trying 10.0.4.4 ... Open


User Access Verification


Password: 
R4>

R5 to R4:

R5#ping 10.1.24.4  


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/71/72 ms
R5#telnet 10.0.4.4
Trying 10.0.4.4 ... 
% Connection timed out; remote host not responding

This works as expected, but I should be able to access the web service on R4 from R5. I'll test copying a .txt file, as well as a .exe file. Note that they will both be allowed as the configuration to block .exe files is not applied to this zone-pair.

R5#copy http://jason:cisco@10.0.4.4/test.txt null:
Loading http://***********@10.0.4.4/test.txt !
1784 bytes copied in 0.604 secs (2954 bytes/sec)
R5#
R5#copy http://jason:cisco@10.0.4.4/test.exe null:
Loading http://***********@10.0.4.4/test.exe !
51 bytes copied in 0.224 secs (228 bytes/sec)
R5#

Now I'll test from the INSIDE to the OUTSIDE. I should be able to gain access to the web server running on R5, but I should not be able to access the .exe file.

R1#ping 10.1.25.5


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
R1#copy http://jason:cisco@10.1.25.5/test.txt null:                  
Loading http://***********@10.1.25.5/test.txt !
2278 bytes copied in 0.252 secs (9040 bytes/sec)

This works as expected. Transferring a .exe file should result in an I/O error.

R1#copy http://jason:cisco@10.1.25.5/test.exe null:
%Error opening http://jason:cisco@10.1.25.5/test.exe (I/O error)

As mentioned previously for the PMAP_INSIDE_TO_OUTSIDE policy-map, I could get an undesirable result if I ordered the classes differently. Classes are evaluated top-down and the first match wins, so if I add the CMAP_INSIDE_TO_OUTSIDE_HTTP class after the CMAP_INSIDE_TO_OUTSIDE class, the inspect statement under the CMAP_INSIDE_TO_OUTSIDE class would already allow HTTP traffic, including .exe files, since I have tcp listed within that class and the HTTP sub-policy is never reached. I'll change the order and see if I can copy the test.exe file.

R2(config-pmap)#exit
R2(config)#policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
R2(config-pmap)#no class type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP
R2(config-pmap)#class type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP   
R2(config-pmap-c)#inspect
R2(config-pmap-c)#service-policy http PMAP_BLOCK_EXE
R2(config-pmap-c)#do show run | section policy-map type inspect PMAP_INSIDE_TO_OUTSIDE 
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE
  inspect 
 class type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP
  inspect 
  service-policy http PMAP_BLOCK_EXE
 class class-default
  drop

Note that the class CMAP_INSIDE_TO_OUTSIDE_HTTP is now ordered after the class CMAP_INSIDE_TO_OUTSIDE. Now I'll attempt to copy a .exe file to R1 from R5.

R1#copy http://jason:cisco@10.1.25.5/test.exe null:
Loading http://***********@10.1.25.5/test.exe !
2278 bytes copied in 0.240 secs (9492 bytes/sec)

It is allowed as expected.

I currently have a telnet session open, initiated from R1 to R5. I want to view statistics related to it on the firewall. I'll use show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions:

R2#show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions


policy exists on zp ZP_INSIDE_TO_OUTSIDE
 Zone-pair: ZP_INSIDE_TO_OUTSIDE


  Service-policy inspect : PMAP_INSIDE_TO_OUTSIDE


    Class-map: CMAP_INSIDE_TO_OUTSIDE_HTTP (match-any)
      Match: protocol http
        1 packets, 24 bytes
        30 second rate 0 bps


   Inspect


    Class-map: CMAP_INSIDE_TO_OUTSIDE (match-any)
      Match: protocol tcp
        1 packets, 24 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol telnet
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps


   Inspect


      Number of Established Sessions = 1
      Established Sessions
        Session 66826980 (10.1.12.1:30755)=>(10.0.5.5:23) tcp SIS_OPEN
          Created 00:05:19, Last heard 00:03:06
          Bytes sent (initiator:responder) [49:1078]




    Class-map: class-default (match-any)
      Match: any 
      Drop
        0 packets, 0 bytes
R2#

I can see the related class-maps, and since there is a session established, I can see the source and destination with the indicator SIS_OPEN (Stateful Inspection Subroutine or Session Inspection Subroutine).

Wednesday, September 21, 2011

Transparent Cisco IOS Firewall (Filtering with IOS Part 7)

I have R1, R2, R3, and R4. I want to use Transparent Cisco IOS Firewall to help create a security policy that I can apply to R2.


R2's Fa0/1 is connected to R1 and is considered the INSIDE network. R2's Fa0/0 is connected to R3 and is considered the OUTSIDE network. R2's Se0/1/0 will connect to R4's S0/1. R1 and R3's FastEthernet interfaces are part of the 10.1.13.0/24 network, which requires R2 to bridge between the two interfaces.

I want to allow R1 to access R3's http service, but not be allowed to telnet to R3. I want R3 to be allowed to telnet to R1, but not be allowed to access R1's http service. I want both R1 and R3 to be able to access R4.

Since R1 and R3 are both on the same subnet, my first step is to configure bridging on R2. I will apply the bridge group to the two FastEthernet interfaces, enable a BVI interface, and assign it an IP address on the 10.1.13.0/24 network.

R2(config)#bridge 1 protocol ieee
R2(config)#interface fa0/0
R2(config-if)#bridge-group 1
R2(config-if)#interface fa0/1
R2(config-if)#bridge-group 1
R2(config-if)#bridge irb
R2(config)#bridge 1 route ip
R2(config)#interface bvi1
R2(config-if)#ip address 10.1.13.2 255.255.255.0
R2(config-if)#no shut

I'll verify the bridge is operational:


R2#show ip interface brief | inc BVI
BVI1                       10.1.13.2       YES manual up                    up      
R2#show bridge


Total of 300 station blocks, 298 free
Codes: P - permanent, S - self


Bridge Group 1:


    Address       Action   Interface       Age   RX count   TX count
000d.2846.5f60   forward   FastEthernet0/0   0      33392       2831
000c.31ef.3de0   forward   FastEthernet0/1   0      33801       3226
R2#


The fa0/0 and fa0/1 interfaces are already enabled on R2 with no ip addresses assigned, and there have been no rules configured to filter any traffic. At this point, I should be able to ping between R1 and R3.

R1#ping 10.1.13.3


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

Next I'll write the ip inspect rules for the OUTSIDE and INSIDE interfaces.

R2(config)#ip inspect name INSIDE http
R2(config)#ip inspect name INSIDE icmp
R2(config)#ip inspect name OUTSIDE telnet
R2(config)#ip inspect name OUTSIDE icmp

I will also need to write ACLs for the INSIDE and OUTSIDE interfaces to allow access for the INSIDE to R3 on TCP 80 as well as sending echo and echo replies. I also want to allow access for the OUTSIDE to telnet to R1 as well as sending echo and echo replies.

R2(config)#ip access-list extended INSIDE_LIST
R2(config-ext-nacl)# permit tcp any host 10.1.13.3 eq www
R2(config-ext-nacl)# permit icmp any host 10.1.13.3 echo
R2(config-ext-nacl)# permit icmp any host 10.1.13.3 echo-reply
R2(config-ext-nacl)# deny   ip any host 10.1.13.3
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)#ip access-list extended OUTSIDE_LIST
R2(config-ext-nacl)# permit tcp any host 10.1.13.1 eq telnet
R2(config-ext-nacl)# permit icmp any host 10.1.13.1 echo
R2(config-ext-nacl)# permit icmp any host 10.1.13.1 echo-reply
R2(config-ext-nacl)# deny   ip any host 10.1.13.1
R2(config-ext-nacl)# permit ip any any

Now I'll apply the ip inspect rules and ACLs to the correct interfaces in the correct directions.

R2(config)#interface fa0/0
R2(config-if)#ip access-group OUTSIDE_LIST in
R2(config-if)#ip inspect INSIDE out
R2(config-if)#interface fa0/1
R2(config-if)#ip access-group OUTSIDE_LIST in
R2(config-if)#ip inspect OUTSIDE out

This completes the configuration.

R1 should still be able to ping R3.

R1#ping 10.1.13.3  


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

I should be able to ping R4 from both R1 and R3:

R1#ping 10.1.24.4


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

But R1 should not be able to telnet to R3, due to the ACL applied to R2's fa0/1.
R1:

R1#telnet 10.1.13.3
Trying 10.1.13.3 ...
% Connection timed out; remote host not responding

Since telnet is allowed from R3 to R1, I'll enable debug ip inspect l2-transparent packets on R2 and look at some of the resulting output.

R3#telnet 10.1.13.1
Trying 10.1.13.1 ... Open


User Access Verification


Password: 
The resulting debug on R2:

As expected, the ACL allows the outbound traffic. The debug should also show the result for the return traffic.

R2#debug ip inspect l2-transparent packets
INSPECT L2 firewall debugging is on
*Sep 22 04:03:55.229: L2FW*:insp_l2_fast_inspection: pak 659EA0BC, input-interface FastEthernet0/0, output-interface FastEthernet0/1
*Sep 22 04:03:55.229: L2FW*:Src 10.1.13.3 dst 10.1.13.1 protocol tcp
*Sep 22 04:03:55.229: TBAP: Check AuthProxy is configured on idb=FastEthernet0/0 path=1 linktype=38
*Sep 22 04:03:55.229: L2FW:Input ACL check SUCCESS
*Sep 22 04:03:55.229: L2FW:Output ACL is not configured or ACL is bypassed
*Sep 22 04:03:55.229: L2FW:L2 header length(initiator->responder) is 14
*Sep 22 04:03:55.229: L2FW:info_start is NULL for init->rsp
*Sep 22 04:03:55.229: L2FW*:insp_l2_fast_inspection returning INSP_L2_OK
*Sep 22 04:03:55.229: L2FW*:CCE FW l2 fast returning INSP_L2_OK
*Sep 22 04:03:55.229: TBAP: Check if AP return traffic (fast path) foroutput idb=FastEthernet0/1 IP->prot=6
*Sep 22 04:03:55.233: L2FW*:insp_l2_fast_inspection: pak 65BDC430, input-interface FastEthernet0/1, output-interface FastEthernet0/0

With the telnet session open, I will verify that a session is open and being inspected.

R2#show ip inspect sessions detail 
Established Sessions
 Session 662947E0 (10.1.13.3:33012)=>(10.1.13.1:23) telnet SIS_OPEN
  Created 00:00:32, Last heard 00:00:29
  Bytes sent (initiator:responder) [37:74]
  In  SID 10.1.13.1[23:23]=>10.1.13.3[33012:33012] on ACL OUTSIDE_LIST  (11 matches)

Wednesday, September 14, 2011

Context Based Access Control, feat. TCP Intercept (Filtering with IOS Part 6)



I have R1, R2, and R3, and I want to use CBAC to effectively help create a security policy that I can apply to R2.

I consider R2's fa0/1 the inside network and R2's s0/1/0 the outside network.

I want to use Context Based Access Control when allowing the inside segment access to services on the outside segment, and to inspect TCP, UDP, HTTP, Telnet, ICMP and TFTP traffic. I want to collect audit statistics on TFTP traffic and have a UDP session inactivity timeout of 20 seconds. For the HTTP inspected traffic I do not want to allow Java applets to be downloaded from R3 with the host address of 10.0.3.3. For Telnet traffic, I want to ensure traffic is inspected while using TCP port 33 to connect from R1 to R3 by adding to R2's port-maps. I want to allow the inside segment to receive responses when using traceroute. I will assume a maximum of 2000 sessions open concurrently, and will adjust the CBAC hash table from its default of 1024 to 2048. I want to allow the outside segment access to TCP 80 on R1, allow my routing protocol, disallow ping responses, and I want to configure TCP intercept with CBAC.

Before I begin the CBAC configuration steps, I want to visit the TCP Intercept feature and verify its operation, as CBAC incorporates this feature into its operation.

The TCP intercept feature works as its name describes: it intercepts TCP connections. In my scenario, R1 is hosting HTTP services, and R2 will be configured to intercept TCP SYN packets when R3 attempts to make a connection to R1. TCP intercept can be configured to act as the middle man in the 3-way handshake, or to observe the handshake process. In either case, I can configure R2 to drop half-open connections by dropping the connection itself, or by sending reset (RST) messages on the protected server's behalf.

I'll configure R2 to protect the web server on R1 and operate in intercept mode with a connection-timeout of 5 seconds. Additionally, I will set the router to begin dropping half-open connections, oldest first, when their number reaches 10, and to continue dropping until it falls to 5. Furthermore, I want to protect against SYN flood attacks by dropping SYN packets when the rate reaches 20 per minute, and to resume normal operation once that rate has fallen to 10 per minute.

R2(config)#access-list 101 permit ip any host 10.1.12.1
R2(config)#ip tcp intercept list 101
R2(config)#ip tcp intercept mode intercept 
R2(config)#ip tcp intercept connection-timeout 5 
R2(config)#ip tcp intercept max-incomplete low 5 high 10 
R2(config)#ip tcp intercept drop-mode oldest 
R2(config)#ip tcp intercept one-minute low 10 high 20

Note that an ACL is required to identify the traffic when using TCP intercept.

Now I'll debug ip tcp intercept on R2 and attempt to connect to R1 from R3 with telnet on TCP port 80.

R2#deb ip tcp intercept
TCP intercept debugging is on
R2#
*Sep 13 17:20:59.302: INTERCEPT: new connection (10.1.23.3:25978 SYN -> 10.1.12.1:80)
*Sep 13 17:20:59.302: INTERCEPT(*): (10.1.23.3:25978 <- ACK+SYN 10.1.12.1:80)
*Sep 13 17:20:59.310: INTERCEPT: 1st half of connection is established (10.1.23.3:25978 ACK -> 10.1.12.1:80)
*Sep 13 17:20:59.310: INTERCEPT(*): (10.1.23.3:25978 SYN -> 10.1.12.1:80)
*Sep 13 17:20:59.314: INTERCEPT: client packet dropped in SYNSENT (10.1.23.3:25978 -> 10.1.12.1:80)
*Sep 13 17:20:59.314: INTERCEPT: 2nd half of connection established  (10.1.23.3:25978 <- ACK+SYN 10.1.12.1:80)
*Sep 13 17:20:59.314: INTERCEPT(*): (10.1.23.3:25978 ACK -> 10.1.12.1:80)
*Sep 13 17:20:59.318: INTERCEPT(*): (10.1.23.3:25978 <- WINDOW 10.1.12.1:80)
*Sep 13 17:21:04.313: INTERCEPT: ESTAB timing out (10.1.23.3:25978 <-> 10.1.12.1:80)
*Sep 13 17:21:04.313: INTERCEPT(*): (10.1.23.3:25978 <- RST 10.1.12.1:80)
*Sep 13 17:21:04.313: INTERCEPT(*): (10.1.23.3:25978 RST -> 10.1.12.1:80)

It behaves as expected and resets the session at 5 seconds.

I'll prevent ACKs from returning to R3.

R2(config)#access-list 102 deny tcp any any established 
R2(config)#access-list 102 permit ip any any           
R2(config)#int s0/1/0
R2(config-if)#ip access-group 102 in

I'll attempt another connection to R1 from R3, with debug ip tcp intercept running on R2.

*Sep 13 17:37:20.828: INTERCEPT: new connection (10.1.23.3:37362 SYN -> 10.1.12.1:80)
*Sep 13 17:37:20.832: INTERCEPT(*): (10.1.23.3:37362 <- ACK+SYN 10.1.12.1:80)
*Sep 13 17:37:21.828: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.23.3:37362 <- ACK+SYN 10.1.12.1:80)
*Sep 13 17:37:23.828: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.23.3:37362 <- ACK+SYN 10.1.12.1:80)
*Sep 13 17:37:27.828: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.23.3:37362 <- ACK+SYN 10.1.12.1:80)
*Sep 13 17:37:35.827: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.23.3:37362 <- ACK+SYN 10.1.12.1:80)
*Sep 13 17:37:51.826: INTERCEPT: SYNRCVD retransmitting too long (10.1.23.3:37362 <-> 10.1.12.1:80)
*Sep 13 17:37:51.826: INTERCEPT(*): (10.1.23.3:37362 <- RST 10.1.12.1:80)

R2 attempts to retransmit R1's SYN-ACK with exponential backoff until the timer expires, at which point the connection is reset.

With that, I'll remove the previous ip tcp intercept commands, and move on to configure R2 as a stateful firewall with CBAC.

CBAC only inspects TCP and UDP traffic. If other services need to be filtered, I must use access lists instead.

The difference between reflexive ACLs and CBAC is that reflexive ACLs rely on the return traffic being a mirror of the sent traffic, whereas CBAC uses an application inspection engine per application to inspect traffic, and is aware of the application's conversation.

I'll create an inspection rule called CBAC for TCP, UDP, HTTP, Telnet, and ICMP traffic. As mentioned before, since UDP is connectionless, there will be no FIN packet to finish sessions, so I'll configure a UDP session inactivity timeout of 20 seconds. Also, I will create an ACL to tie the HTTP inspection to allow Java applets from only the host address of 10.0.3.3.

R2(config)#access-list 10 permit host 10.0.3.3 
R2(config)#ip inspect name CBAC tcp
R2(config)#ip inspect name CBAC udp audit-trail on timeout 20
R2(config)#ip inspect name CBAC http java-list 10
R2(config)#ip inspect name CBAC telnet 
R2(config)#ip inspect name CBAC icmp 

As mentioned, some telnet traffic could use destination TCP port 33, so I will map TCP 33 to telnet so that it is inspected as well.

R2(config)#ip port-map telnet port 33
R2(config)#do show ip port-map | include user       
Default mapping:  telnet           tcp port 33              user defined

According to Cisco recommendations, I should try to maintain a 1:1 ratio between the number of sessions and the size of the hash table. By default there are 1024 buckets. Since I will have a maximum number of concurrent sessions of 2000, I will double the number of the default bucket size.

R2(config)#ip inspect hashtable-size 2048

I will create an ACL allowing TCP 80, UDP 520, time-exceeded, and port-unreachable icmp messages from the outside, apply it to the outside interface, and configure no ip unreachables.

R2(config)#ip access-list extended OUTSIDE_IN
R2(config-ext-nacl)#permit tcp any host 10.1.12.1 eq 80
R2(config-ext-nacl)#permit udp any host 10.1.23.2 eq 520
R2(config-ext-nacl)#permit icmp any any time-exceeded
R2(config-ext-nacl)#permit icmp any any port-unreachable
R2(config-ext-nacl)#int s0/1/0
R2(config-if)#ip access-group OUTSIDE_IN in
R2(config-if)#no ip unreachables 

CBAC has TCP intercept features. Similar to what I configured initially, I want to configure a connection-timeout of 5 seconds. Additionally, I will configure the router to drop sessions when the number of half-open connections reaches 10, and to continue dropping until it falls to 5. Furthermore, I want to protect against SYN flood attacks by dropping SYN packets when the rate reaches 20 per minute, and to resume once that rate has fallen to 10 per minute. Previously with TCP intercept, I was given the ability to choose how half-open sessions were dropped, either oldest first or random. This is not configurable with CBAC. According to Cisco: "When the router's DoS counters exceed the default or configured values, the router will reset one old half-open connection for every new connection that exceeds the configured max-incomplete or one-minute high values, until the number of half-open sessions drops below the max-incomplete low values."

R2(config)#ip inspect tcp synwait-time 5
R2(config)#ip inspect max-incomplete low 5   
R2(config)#ip inspect max-incomplete high 10
R2(config)#ip inspect one-minute low 10 
R2(config)#ip inspect one-minute high 20
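To make the max-incomplete and one-minute thresholds concrete, for both the TCP intercept settings configured earlier and the CBAC settings just above, here is an added simulation (not code from the original post) of how a guard with R2's values treats a burst of SYNs. The reset behaviour follows the Cisco description quoted above; timer granularity, the drop-mode choice and per-host limits are simplifications.

```python
"""Half-open TCP session thresholds as TCP intercept / CBAC apply them.

Added example, not code from the original post: a small simulator of the
max-incomplete low/high, one-minute low/high and synwait settings used on R2.
Reset behaviour follows the Cisco text quoted in the post (one old half-open
session is reset per new connection while over a high threshold, until the
half-open count drops below max-incomplete low). Timer granularity, drop-mode
choice and per-host limits are simplifications, i.e. assumptions.
"""
from collections import OrderedDict, deque


class HalfOpenGuard:
    def __init__(self, max_low=5, max_high=10, min_low=10, min_high=20, synwait=5.0):
        self.max_low, self.max_high = max_low, max_high        # max-incomplete low/high
        self.min_low, self.min_high = min_low, min_high        # one-minute low/high
        self.synwait = synwait                                 # tcp synwait-time (s)
        self.half_open = OrderedDict()   # (src, dst) -> SYN time, oldest first
        self.attempts = deque()          # times of new connections in the last 60 s
        self.aggressive = False          # True while the guard is shedding sessions
        self.resets = []                 # sessions reset on the server's behalf

    def _reset(self, key):
        self.half_open.pop(key, None)
        self.resets.append(key)

    def _expire(self, now):
        """Reset half-open sessions older than synwait; age out the 60 s window."""
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= self.synwait:
                self._reset(key)
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()

    def _check_exit(self):
        # The quoted Cisco text ties leaving aggressive mode to max-incomplete low.
        if len(self.half_open) < self.max_low:
            self.aggressive = False

    def syn(self, now, src, dst):
        """A new SYN crossing the firewall. Returns True if it is still half-open
        afterwards, False if the guard reset it immediately."""
        self._expire(now)
        key = (src, dst)
        self.attempts.append(now)
        self.half_open[key] = now
        if len(self.half_open) > self.max_high or len(self.attempts) > self.min_high:
            self.aggressive = True
        if self.aggressive:
            oldest = next(iter(self.half_open))   # one old session per new one
            self._reset(oldest)
            self._check_exit()
        return key in self.half_open

    def established(self, now, src, dst):
        """Three-way handshake completed: the session is no longer half-open."""
        self._expire(now)
        self.half_open.pop((src, dst), None)
        self._check_exit()

    def stats(self):
        return {"half_open": len(self.half_open), "one_minute": len(self.attempts),
                "aggressive": self.aggressive, "resets": len(self.resets)}


def flood_then_recover():
    """Constructed scenario with the post's values: 12 SYNs from R3 to R1:80 in
    1.2 s with no handshake completing, then six of the survivors complete."""
    g = HalfOpenGuard(max_low=5, max_high=10, min_low=10, min_high=20, synwait=5.0)
    for i in range(12):
        g.syn(0.1 * i, ("10.1.23.3", 30000 + i), ("10.1.12.1", 80))
    after_flood = g.stats()
    for i in range(2, 8):            # sessions 0 and 1 were already reset as oldest
        g.established(1.5, ("10.1.23.3", 30000 + i), ("10.1.12.1", 80))
    return after_flood, g.stats()


if __name__ == "__main__":
    flood, recovered = flood_then_recover()
    print("after flood:", flood)
    print("after six handshakes:", recovered)
```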

To verify that the inspection rule has been applied to the correct interface and direction, I will use show ip inspect interfaces.

R2#show ip inspect interfaces
Interface Configuration
 Interface Serial0/1/0
  Inbound inspection rule is not set
  Outgoing inspection rule is CBAC
    tcp alert is off audit-trail is off timeout 3600
    udp alert is off audit-trail is on timeout 20
    http java-list 10 alert is off audit-trail is off timeout 3600
    telnet alert is off audit-trail is off timeout 3600
    icmp alert is off audit-trail is off timeout 10
  Inbound access list is OUTSIDE_IN
  Outgoing access list is not set


R2#

I can also verify the configuration with show ip inspect config.

R2#show ip inspect config 
Session audit trail is disabled
Session alert is disabled
one-minute (sampling period) thresholds are [10 : 20] connections
max-incomplete sessions thresholds are [5 : 10]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 5 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is off audit-trail is off timeout 3600
    udp alert is off audit-trail is on timeout 20
    http java-list 10 alert is off audit-trail is off timeout 3600
    telnet alert is off audit-trail is off timeout 3600
    icmp alert is off audit-trail is off timeout 10

Note that, as also shown in the output of show ip inspect interfaces, ICMP has a timeout of 10 seconds.

I'll send a continuous ping from R1 to R3.

R1#ping 10.1.23.3 rep 1000000                      


Type escape sequence to abort.
Sending 1000000, 100-byte ICMP Echos to 10.1.23.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

With the pings sending, I will verify ICMP is being inspected on R2.

R2#show ip inspect sessions
Established Sessions
 Session 663100C8 (10.1.12.1:8)=>(10.1.23.3:0) icmp SIS_OPEN

I'll break the continuous ping, and after 10 seconds, the session is no longer open.

R2#show ip inspect sessions


R2#

The audit trail was turned on for TFTP. When I attempt to tftp a file from R3 to R1, I can see the AUDIT messages on R2.

*Sep 13 18:42:39.239: %FW-6-SESS_AUDIT_TRAIL_START: Start tftp session: initiator (10.1.12.1:56509) -- responder (10.1.23.3:69)
*Sep 13 18:43:09.320: %FW-6-SESS_AUDIT_TRAIL: Stop tftp session: initiator (10.1.12.1:56509) sent 45 bytes -- responder (10.1.23.3:69) sent 0 bytes

Tuesday, September 13, 2011

Basic NBAR (Filtering with IOS Part 5)



I have R1, R2, and R3, and I want to use NBAR to effectively help create a security policy that I can apply to R2.

I consider R2's fa0/1 the inside network and R2's s0/1/0 the outside network. I want to prevent inside users from accessing the bittorrent and edonkey protocols, and from downloading .exe files from HTTP sites.

To accomplish this, I'll create a class-map on R2 for matching any of the relevant traffic, create a policy-map which will call the class-map and drop the traffic, and then apply that policy-map to the outside interface of R2.

R2(config)#class-map match-any CLASS_PROTECT
R2(config-cmap)#match protocol bittorrent
R2(config-cmap)#match protocol edonkey 
R2(config-cmap)#match protocol http url *.exe

I'll then create a policy-map for dropping the traffic matched in the class-map.

R2(config-cmap)#policy-map POLICY_DROP_CLASS_PROTECT
R2(config-pmap)#class CLASS_PROTECT
R2(config-pmap-c)#drop 

I will now apply the policy-map to the outside interface.

R2(config-pmap)#int s0/1/0
R2(config-if)#service-policy input POLICY_DROP_CLASS_PROTECT

I won't simulate bittorrent or edonkey, but I will verify that the policy is filtering out .exe files.

I'll connect to R3, create a file with an extension of .exe, and set the ip http path.

R3#copy run slot0:/test.exe
Destination filename [test.exe]? 


2278 bytes copied in 1.144 secs (1991 bytes/sec)
R3#dir slot0:
Directory of slot0:/


    1  -rw-    38845972   Jun 4 2002 01:34:54 -05:00  c3725-adventerprisek9-mz.124-25c.bin
    2  -rw-        2278  Sep 12 2011 18:00:24 -05:00  test.exe


257531904 bytes total (218681344 bytes free)
R3#config terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip http path slot0:/

I'll first test that I can copy the IOS image from R3 to R1.

R1#copy http://jason:cisco@10.1.23.3/c3725-adventerprisek9-mz.124-25c.bin null:
Loading http://***********@10.1.23.3/c3725-adventerprisek9-mz.124-25c.bin !!!!!!!!!!!!!!!!!!!!

This behaves as expected.

Now I'll attempt to move the .exe file.

R1#copy http://jason:cisco@10.1.23.3/test.exe null:
%Error opening http://jason:cisco@10.1.23.3/test.exe (I/O error)

Access is not allowed as expected.