lildeezul
02-24-2009, 09:52 PM
Cisco has implemented firewall features in its current IOS.
Let's define some of the IOS threat defense features.
There are three types of filtering:
Stateless packet filtering - uses ACLs to control traffic based on address, ports, and protocol. This is a static feature and not very flexible.
Application layer gateway - works like a proxy server, intervening between the source and destination so that these devices aren't actually communicating directly with each other; this is a good model in a DMZ environment.
Stateful packet filtering - uses ACLs to control traffic, but also maintains a session table to know the state of the connection and determine access. This is good for TCP traffic, but UDP has no connection-oriented mechanism; therefore, stateful packet filtering doesn't work well for UDP-based applications.
This is where Cisco IOS Firewall (CBAC) comes into play.
The Cisco IOS firewall permits/denies TCP and UDP traffic. It maintains state or session tables that monitor the connection and dynamically modifies the outside ACL to allow inspected packets in. IOS firewall (CBAC) also protects against DDoS and DoS attacks.
The Cisco IOS firewall contains three sets of features:
The Firewall - inspects traffic, modifies ACLs, maintains a state table
Authentication Proxy - provides authentication through AAA features via TACACS+ or RADIUS servers.
IPS - intrusion prevention system that matches signatures against malicious traffic and does either of the following: drop, alarm, block source IP, block connection, or TCP reset.
Cisco IOS Firewall Configuration
Step 1: Choose an interface to inspect
Apply ACL and inspection rules in the inbound direction on untrusted interfaces.
Step 2: Configure an ACL
Example to allow SMTP and HTTP inbound to their respective servers:
ip access-list extended FROM_OUTSIDE
 permit tcp any host 10.0.24.89 eq 25
 permit tcp any host 10.0.22.103 eq 80
 deny ip any any log
Step 3: Define the inspection rules
Router(config)# ip inspect name <name> <protocol> [alert {on | off}] [audit-trail {on | off}] [timeout <seconds>]
For example, the rule applied in Step 4, inspecting the two protocols the ACL permits:
Router(config)# ip inspect name SMTP-AND-HTTP smtp
Router(config)# ip inspect name SMTP-AND-HTTP http
The default timeout between alerts is 10 seconds.
Step 4: Apply the ACL and inspection rule
Enable audit trail tracking via syslog:
Router(config)# ip inspect audit-trail
Router(config)# logging on
To turn on real-time alerts (default):
Router(config)# no ip inspect alert-off
Apply the ACL and inspect rule on the untrusted interface (both are interface-level commands):
Router(config-if)# ip access-group FROM_OUTSIDE in
Router(config-if)# ip inspect SMTP-AND-HTTP in
Step 5: Verify the configuration
show ip inspect [name <name> | config | interface | session | statistics | all]
debug ip inspect ...
*config by Jeremy
-Marcus
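The five steps above carried through as one complete, loadable CBAC configuration. This is an added example, not the config from the original post ("config by Jeremy"); the interface names and the router's own addresses, the syslog host, the FROM_DMZ and OUTBOUND names and the timeout and threshold values are assumptions. It goes beyond the post in two ways: a deliberately strict inbound ACL on the DMZ interface, so that the server replies only get through because CBAC punches temporary openings in that ACL, and a second rule that inspects sessions the inside network initiates, so that their return traffic passes FROM_OUTSIDE the same way. The half-open thresholds are the mechanism behind the post's DoS claim; they are shown at their default values so the tuning knob is visible. Later IOS releases also offer the zone-based policy firewall, which Cisco recommends over CBAC for new deployments.

```cisco
! Added example (not the original post's config). Interface names, router
! addresses, syslog host, FROM_DMZ, OUTBOUND and all timer values are assumptions.
!
! --- Step 2: static ACLs ---
! Untrusted side: only SMTP and HTTP to the two DMZ servers get in statically.
ip access-list extended FROM_OUTSIDE
 permit tcp any host 10.0.24.89 eq 25
 permit tcp any host 10.0.22.103 eq 80
 deny ip any any log
!
! DMZ side: the servers may initiate nothing. Their replies to inspected
! sessions pass only through the dynamic entries CBAC adds in front of this ACL.
ip access-list extended FROM_DMZ
 deny ip any any log
!
! --- Step 3: inspection rules (global) ---
! Sessions arriving from outside to the DMZ servers (post's design):
ip inspect name SMTP-AND-HTTP smtp
ip inspect name SMTP-AND-HTTP http
!
! Sessions the inside network starts: generic tcp/udp inspection covers any
! application. UDP has no FIN/RST, so its pseudo-session lives until the
! idle timeout; 60 s here overrides the 30 s default for this rule only.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp timeout 60
!
! Half-open (embryonic) session thresholds: above "high" CBAC starts deleting
! half-open sessions until the count drops below "low". Defaults shown.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination-host limit on half-open TCP sessions (block-time 0 = drop
! the oldest half-open session rather than blocking the host).
ip inspect tcp max-incomplete host 50 block-time 0
!
! --- Step 4: logging and application ---
logging on
logging host 10.0.1.5
ip inspect audit-trail
no ip inspect alert-off
!
interface GigabitEthernet0/0
 description OUTSIDE (untrusted)
 ip address 203.0.113.2 255.255.255.0
 ip access-group FROM_OUTSIDE in
 ip inspect SMTP-AND-HTTP in
!
interface GigabitEthernet0/1
 description INSIDE (trusted)
 ip address 10.0.1.1 255.255.255.0
 ip inspect OUTBOUND in
!
interface GigabitEthernet0/2
 description DMZ (mail 10.0.24.89, web 10.0.22.103)
 ip address 10.0.16.1 255.255.240.0
 ip access-group FROM_DMZ in
!
! --- Step 5: verify ---
! show ip inspect config      rules, timeouts and thresholds as parsed
! show ip inspect interfaces  which rule and ACL sit on which interface/direction
! show ip inspect sessions    live session table: addresses, ports, state
! show ip inspect statistics  half-open counters, useful while a SYN flood runs
```

Two ordering facts drive this layout. On an interface where an inbound ACL and an inbound inspect rule are both present, the ACL is checked first for a new session, so FROM_OUTSIDE must already permit the SMTP and HTTP sessions for them to be inspected at all; conversely, on the way back, CBAC's dynamic entries are matched before the static ACL, which is why FROM_DMZ and FROM_OUTSIDE can both be "deny everything" for return traffic. Without FROM_DMZ, inspecting inbound on the outside interface would still build a session table but would change nothing about what the servers can send, since their replies leave through an interface with no ACL.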