Difference between revisions of "Netband Project - IOS firewall"
From Teknologisk videncenter
(→Configuration) |
|||
| (39 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | =IOS Firewall Feature set= | |
This page is part of the [[Netband_Project|Netband Project]] | This page is part of the [[Netband_Project|Netband Project]] | ||
| Line 10: | Line 10: | ||
[[Image:Netband-cbac.jpg|thumb|none|600px|CBAC]] | [[Image:Netband-cbac.jpg|thumb|none|600px|CBAC]] | ||
===Configuration=== | ===Configuration=== | ||
| − | <pre> ip inspect name iosfw ftp | + | *Note: The router only keeps track of the configured protocols. Unconfigured protocols are allowed through without inspection or tracking if the interface acls permit |
| + | <pre> ip inspect audit-trail | ||
| + | ip inspect name iosfw ftp | ||
ip inspect name iosfw tcp | ip inspect name iosfw tcp | ||
ip inspect name iosfw udp | ip inspect name iosfw udp | ||
ip inspect name iosfw http | ip inspect name iosfw http | ||
ip inspect name iosfw https | ip inspect name iosfw https | ||
| + | ! | ||
| + | interface FastEthernet0/0 | ||
| + | description OUTSIDE | ||
| + | ip inspect iosfw out | ||
| + | ip access-group 101 in | ||
| + | ! | ||
| + | access-list 101 permit udp any eq isakmp any eq isakmp | ||
| + | access-list 101 permit esp any any | ||
| + | access-list 101 permit tcp any any eq 22 | ||
| + | access-list 101 deny ip any any log | ||
| + | </pre> | ||
| + | |||
| + | ===Verification=== | ||
| + | |||
| + | <pre>B1rt1#sh ip inspect sessions | ||
| + | Established Sessions | ||
| + | Session 65E14830 (10.2.1.10:3935)=>(195.137.194.128:80) http SIS_OPEN | ||
| + | Session 65E15310 (10.2.1.10:3936)=>(195.137.194.128:80) http SIS_OPEN | ||
| + | Session 65E15058 (10.2.1.10:3937)=>(195.137.194.128:80) http SIS_OPEN | ||
| + | Session 65E155C8 (10.2.1.10:3934)=>(195.137.194.128:80) http SIS_OPEN | ||
| + | </pre> | ||
| + | *Syslog audit trail | ||
| + | <pre>Apr 27 10:22:06.521: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.2.1.10:3898) -- responder (195.137.194.128:80) | ||
| + | Apr 27 10:22:18.044: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.2.1.10:3898) sent 1247 bytes -- responder (195.137.194.128:80) sent 144791 bytes | ||
| − | + | Apr 27 10:48:36.770: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.2.1.10:3958) -- responder (192.168.1.1:23) | |
| − | + | Apr 27 10:49:30.769: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.2.1.10:3958) sent 74 bytes -- responder (192.168.1.1:23) sent 255 bytes | |
</pre> | </pre> | ||
| − | ==Intrusion | + | ==Intrusion Prevention System (IPS)== |
| + | *See [[Netband Project - IOS ips |Netband Project - IOS ips]] for further information and configuration | ||
| + | |||
| + | ==Authentication Proxy (Incomplete)== | ||
| + | *can be used to authenticate and authorize | ||
| + | <pre>aaa authorization auth-proxy default group RTP | ||
| + | ip auth-proxy auth-proxy-banner | ||
| + | ip auth-proxy auth-cache-time 10 | ||
| + | ip auth-proxy name auth_proxy_acl http | ||
| + | ! | ||
| + | ip auth-proxy auth_proxy_acl | ||
| − | + | </pre> | |
==Port to Application Mapping (PAM)== | ==Port to Application Mapping (PAM)== | ||
| + | *customize TCP or UDP port numbers for network services or applications. | ||
| + | *information in the PAM table enables CBAC supported services to run on nonstandard ports | ||
| + | *allows cbac to track user customized ports | ||
| + | ===Configuration=== | ||
| + | <pre>ip port-map http port tcp 8001 description Alternative http port | ||
| + | ... | ||
| + | ip inspect name iosfw http | ||
| + | ... | ||
| + | </pre> | ||
| + | *The same port can be mapped to different services on different hosts | ||
| + | <pre>access-list 10 permit 10.2.1.10 | ||
| + | access-list 20 permit 10.2.1.11 | ||
| + | ip port-map http port 8001 list 10 | ||
| + | ip port-map http ftp 8001 list 20 | ||
| + | </pre> | ||
| + | *User-defined port map | ||
| + | <pre>ip port-map user-streaming port tcp 8000 description Custom Video Streaming port | ||
| + | ... | ||
| + | ip inspect name iosfw user-streaming | ||
| + | ... | ||
| + | </pre> | ||
| + | |||
| + | ===Verification=== | ||
| + | <pre>B1rt1#sh ip port-map http | ||
| + | Default mapping: http tcp port 80 system defined | ||
| + | Default mapping: http tcp port 8001 user defined | ||
| + | </pre> | ||
| + | <pre>B1rt1#sh ip port-map | ||
| + | ... | ||
| + | Default mapping: user-streaming tcp port 8000 user defined | ||
| + | ... | ||
| + | </pre> | ||
| + | |||
==External Links== | ==External Links== | ||
[http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html Cisco IOS Security Configuration Guide] | [http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html Cisco IOS Security Configuration Guide] | ||
| + | [[Category:network]][[Category:CCNP]][[category:students]][[category:CCNP4]] | ||
Latest revision as of 07:40, 13 May 2009
Contents
IOS Firewall Feature set
This page is part of the Netband Project
Context Based Access Control (CBAC)
- filters TCP and UDP packets based on application-layer protocol session information.
- more flexible than access control lists, that checks packets at the network layer, or at most, the transport layer
- inspects packet sequence numbers in TCP connections
- detects unusually high rates of new connections and issue alert messages.
- creates temporary openings in the return acl to allow traffic back in.
Configuration
- Note: The router only keeps track of the configured protocols. Unconfigured protocols are allowed through without inspection or tracking if the interface acls permit
ip inspect audit-trail ip inspect name iosfw ftp ip inspect name iosfw tcp ip inspect name iosfw udp ip inspect name iosfw http ip inspect name iosfw https ! interface FastEthernet0/0 description OUTSIDE ip inspect iosfw out ip access-group 101 in ! access-list 101 permit udp any eq isakmp any eq isakmp access-list 101 permit esp any any access-list 101 permit tcp any any eq 22 access-list 101 deny ip any any log
Verification
B1rt1#sh ip inspect sessions Established Sessions Session 65E14830 (10.2.1.10:3935)=>(195.137.194.128:80) http SIS_OPEN Session 65E15310 (10.2.1.10:3936)=>(195.137.194.128:80) http SIS_OPEN Session 65E15058 (10.2.1.10:3937)=>(195.137.194.128:80) http SIS_OPEN Session 65E155C8 (10.2.1.10:3934)=>(195.137.194.128:80) http SIS_OPEN
- Syslog audit trail
Apr 27 10:22:06.521: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.2.1.10:3898) -- responder (195.137.194.128:80) Apr 27 10:22:18.044: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.2.1.10:3898) sent 1247 bytes -- responder (195.137.194.128:80) sent 144791 bytes Apr 27 10:48:36.770: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.2.1.10:3958) -- responder (192.168.1.1:23) Apr 27 10:49:30.769: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.2.1.10:3958) sent 74 bytes -- responder (192.168.1.1:23) sent 255 bytes
Intrusion Prevention System (IPS)
- See Netband Project - IOS ips for further information and configuration
Authentication Proxy (Incomplete)
- can be used to authenticate and authorize
aaa authorization auth-proxy default group RTP ip auth-proxy auth-proxy-banner ip auth-proxy auth-cache-time 10 ip auth-proxy name auth_proxy_acl http ! ip auth-proxy auth_proxy_acl
Port to Application Mapping (PAM)
- customize TCP or UDP port numbers for network services or applications.
- information in the PAM table enables CBAC supported services to run on nonstandard ports
- allows cbac to track user customized ports
Configuration
ip port-map http port tcp 8001 description Alternative http port ... ip inspect name iosfw http ...
- The same port can be mapped to different services on different hosts
access-list 10 permit 10.2.1.10 access-list 20 permit 10.2.1.11 ip port-map http port 8001 list 10 ip port-map http ftp 8001 list 20
- User-defined port map
ip port-map user-streaming port tcp 8000 description Custom Video Streaming port ... ip inspect name iosfw user-streaming ...
Verification
B1rt1#sh ip port-map http Default mapping: http tcp port 80 system defined Default mapping: http tcp port 8001 user defined
B1rt1#sh ip port-map ... Default mapping: user-streaming tcp port 8000 user defined ...