Difference between revisions of "Netband Project - IOS firewall"

From Teknologisk videncenter
Jump to: navigation, search
(Verificcation)
 
(29 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<accesscontrol>NetBand</accesscontrol>
+
=IOS Firewall Feature set=
 
This page is part of the [[Netband_Project|Netband Project]]
 
This page is part of the [[Netband_Project|Netband Project]]
  
Line 10: Line 10:
 
[[Image:Netband-cbac.jpg|thumb|none|600px|CBAC]]
 
[[Image:Netband-cbac.jpg|thumb|none|600px|CBAC]]
 
===Configuration===
 
===Configuration===
 +
*Note: The router only keeps track of the configured protocols. Unconfigured protocols are allowed through without inspection or tracking if the interface acls permit
 
<pre> ip inspect audit-trail  
 
<pre> ip inspect audit-trail  
 
  ip inspect name iosfw ftp
 
  ip inspect name iosfw ftp
 
  ip inspect name iosfw tcp
 
  ip inspect name iosfw tcp
 
  ip inspect name iosfw udp
 
  ip inspect name iosfw udp
  ip inspect name iosfw http audit-trail on
+
  ip inspect name iosfw http
 
  ip inspect name iosfw https
 
  ip inspect name iosfw https
 
!
 
!
Line 28: Line 29:
 
</pre>
 
</pre>
  
===Verificcation===
+
===Verification===
  
 
<pre>B1rt1#sh ip inspect sessions
 
<pre>B1rt1#sh ip inspect sessions
Line 40: Line 41:
 
<pre>Apr 27 10:22:06.521: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.2.1.10:3898) -- responder (195.137.194.128:80)
 
<pre>Apr 27 10:22:06.521: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.2.1.10:3898) -- responder (195.137.194.128:80)
 
Apr 27 10:22:18.044: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.2.1.10:3898) sent 1247 bytes -- responder (195.137.194.128:80) sent 144791 bytes
 
Apr 27 10:22:18.044: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.2.1.10:3898) sent 1247 bytes -- responder (195.137.194.128:80) sent 144791 bytes
 +
 +
Apr 27 10:48:36.770: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.2.1.10:3958) -- responder (192.168.1.1:23)
 +
Apr 27 10:49:30.769: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.2.1.10:3958) sent 74 bytes -- responder (192.168.1.1:23) sent 255 bytes
 
</pre>
 
</pre>
  
==Intrusion Detection Protection (IDS)==
+
==Intrusion Prevention System (IPS)==
 +
*See [[Netband Project - IOS ips |Netband Project - IOS ips]] for further information and configuration
 +
 
 +
==Authentication Proxy (Incomplete)==
 +
*can be used to authenticate and authorize
 +
<pre>aaa authorization auth-proxy default group RTP
 +
ip auth-proxy auth-proxy-banner
 +
ip auth-proxy auth-cache-time 10
 +
ip auth-proxy name auth_proxy_acl http
 +
!
 +
ip auth-proxy auth_proxy_acl
  
==Authentication Proxy==
+
</pre>
  
 
==Port to Application Mapping (PAM)==
 
==Port to Application Mapping (PAM)==
 +
*customize TCP or UDP port numbers for network services or applications.
 +
*information in the PAM table enables CBAC supported services to run on nonstandard ports
 +
*allows cbac to track user customized ports
 +
===Configuration===
 +
<pre>ip port-map http port tcp 8001 description Alternative http port
 +
...
 +
ip inspect name iosfw http
 +
...
 +
</pre>
 +
*The same port can be mapped to different services on different hosts
 +
<pre>access-list 10 permit 10.2.1.10
 +
access-list 20 permit 10.2.1.11
 +
ip port-map http port 8001 list 10
 +
ip port-map http ftp 8001 list 20
 +
</pre>
 +
*User-defined port map
 +
<pre>ip port-map user-streaming port tcp 8000 description Custom Video Streaming port
 +
...
 +
ip inspect name iosfw user-streaming
 +
...
 +
</pre>
 +
 +
===Verification===
 +
<pre>B1rt1#sh ip port-map http
 +
Default mapping:  http                tcp port 80                        system defined
 +
Default mapping:  http                tcp port 8001                      user defined
 +
</pre>
 +
<pre>B1rt1#sh ip port-map
 +
...
 +
Default mapping:  user-streaming      tcp port 8000                      user defined
 +
...
 +
</pre>
 +
 
==External Links==
 
==External Links==
 
[http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html Cisco IOS Security Configuration Guide]
 
[http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html Cisco IOS Security Configuration Guide]
 +
[[Category:network]][[Category:CCNP]][[category:students]][[category:CCNP4]]

Latest revision as of 06:40, 13 May 2009

IOS Firewall Feature set

This page is part of the Netband Project

Context Based Access Control (CBAC)

  • filters TCP and UDP packets based on application-layer protocol session information.
  • more flexible than access control lists, that checks packets at the network layer, or at most, the transport layer
  • inspects packet sequence numbers in TCP connections
  • detects unusually high rates of new connections and issue alert messages.
  • creates temporary openings in the return acl to allow traffic back in.
CBAC

Configuration

  • Note: The router only keeps track of the configured protocols. Unconfigured protocols are allowed through without inspection or tracking if the interface acls permit
 ip inspect audit-trail 
 ip inspect name iosfw ftp
 ip inspect name iosfw tcp
 ip inspect name iosfw udp
 ip inspect name iosfw http
 ip inspect name iosfw https
!
interface FastEthernet0/0
 description OUTSIDE
 ip inspect iosfw out
 ip access-group 101 in
!
 access-list 101 permit udp any eq isakmp any eq isakmp
 access-list 101 permit esp any any
 access-list 101 permit tcp any any eq 22
 access-list 101 deny   ip any any log

Verification

B1rt1#sh ip inspect sessions
Established Sessions
 Session 65E14830 (10.2.1.10:3935)=>(195.137.194.128:80) http SIS_OPEN
 Session 65E15310 (10.2.1.10:3936)=>(195.137.194.128:80) http SIS_OPEN
 Session 65E15058 (10.2.1.10:3937)=>(195.137.194.128:80) http SIS_OPEN
 Session 65E155C8 (10.2.1.10:3934)=>(195.137.194.128:80) http SIS_OPEN
  • Syslog audit trail
Apr 27 10:22:06.521: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.2.1.10:3898) -- responder (195.137.194.128:80)
Apr 27 10:22:18.044: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.2.1.10:3898) sent 1247 bytes -- responder (195.137.194.128:80) sent 144791 bytes

Apr 27 10:48:36.770: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.2.1.10:3958) -- responder (192.168.1.1:23)
Apr 27 10:49:30.769: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.2.1.10:3958) sent 74 bytes -- responder (192.168.1.1:23) sent 255 bytes

Intrusion Prevention System (IPS)

Authentication Proxy (Incomplete)

  • can be used to authenticate and authorize
aaa authorization auth-proxy default group RTP
ip auth-proxy auth-proxy-banner
ip auth-proxy auth-cache-time 10
ip auth-proxy name auth_proxy_acl http
!
ip auth-proxy auth_proxy_acl

Port to Application Mapping (PAM)

  • customize TCP or UDP port numbers for network services or applications.
  • information in the PAM table enables CBAC supported services to run on nonstandard ports
  • allows cbac to track user customized ports

Configuration

ip port-map http port tcp 8001 description Alternative http port
...
ip inspect name iosfw http
...
  • The same port can be mapped to different services on different hosts
access-list 10 permit 10.2.1.10
access-list 20 permit 10.2.1.11
ip port-map http port 8001 list 10
ip port-map http ftp 8001 list 20
  • User-defined port map
ip port-map user-streaming port tcp 8000 description Custom Video Streaming port
...
ip inspect name iosfw user-streaming
...

Verification

B1rt1#sh ip port-map http
Default mapping:  http                 tcp port 80                         system defined
Default mapping:  http                 tcp port 8001                       user defined
B1rt1#sh ip port-map
...
Default mapping:  user-streaming       tcp port 8000                       user defined
...

External Links

Cisco IOS Security Configuration Guide