
Implementing Secure
Converged Wide Area
Networks (ISCW)
Module 6: Cisco IOS Threat Defense Features
© 2006 Cisco Systems, Inc. All rights reserved.
Module 6: Cisco IOS
Threat Defense
Features
Lesson 6.2: Implementing Cisco IOS Firewalls
Objectives
 Describe the steps needed to configure a network
firewall using Cisco IOS.
 Explain how to determine which interfaces should be
configured with firewall commands.
 Explain where to place Access Control Lists in order to
filter traffic.
 Describe how to configure inspection rules for
application protocols.
 Describe how to verify and troubleshoot firewall
configurations.
Cisco IOS Firewall Configuration Tasks Using the CLI
 Pick an interface: internal or external.
 Configure IP ACLs at the interface.
 Define inspection rules.
 Apply inspection rules and ACLs to interfaces.
 Test and verify.
Configuring an External Interface
[Figure: Simple Topology — Configuring an External Interface. The router's Serial 1 interface faces the external network (Internet); the internal network sits behind the router. Arrows mark traffic entering and traffic exiting the external interface.]
Configuring an Internal Interface
[Figure: Simple Topology — Configuring an Internal Interface. The router's Ethernet 0 interface faces the internal network; the external network (Internet) and a DMZ holding a web server and a DNS server hang off the other interfaces. Arrows mark traffic entering and traffic exiting, and "Access allowed" marks the permitted path.]
Access Control Lists Filter Traffic
[Figure: Host A and Host B sending traffic toward the Human Resources network and the Research and Development network; an X marks the path the ACL blocks, so one host reaches a segment that the other host is denied.]
IP ACL Configuration Guidelines
Rule 1: Start with a basic configuration.
Rule 2: Permit the traffic the Cisco IOS Firewall is to inspect.
Rule 3: Use extended ACLs to filter traffic from unprotected sources.
Rule 4: Set up antispoofing protection.
Rule 5: Deny broadcast attacks.
Rule 6: Deny any traffic not already included in the previous configuration.
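The six ACL rules above and the five configuration tasks listed earlier in the lesson (pick the interfaces, configure ACLs, define inspection rules, apply them, verify), worked as one complete two-interface configuration. This is an added example, not a configuration from the original slides: the interface names, the 10.0.0.0/24 inside network, the 200.1.2.0/24 outside network with the router at 200.1.2.254, and the syslog host 10.0.0.3 are all assumed.

```cisco
! Added example, not from the original slides. Addresses, interface
! names and the syslog host are assumed for illustration.
!
! Rule 1: basic configuration - hostname, logging, audit trail, alerts.
hostname FW
logging on
logging host 10.0.0.3
ip inspect audit-trail
no ip inspect alert-off
!
! Rule 2 (part 1): define what the firewall inspects. The inside network
! initiates everything; ftp is listed explicitly so CBAC opens the data
! channel, which generic tcp inspection would not do.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
ip inspect name OUTBOUND ftp
!
! Rule 2 (part 2): on the inside interface permit only traffic that will
! be inspected, and only from the inside prefix (antispoofing inward too).
ip access-list extended INSIDEACL
 permit tcp 10.0.0.0 0.0.0.255 any
 permit udp 10.0.0.0 0.0.0.255 any
 permit icmp 10.0.0.0 0.0.0.255 any
 deny ip any any log
!
! Rules 3 to 6: extended ACL facing the unprotected side.
ip access-list extended OUTSIDEACL
 remark Rule 4: antispoofing - inside prefix, RFC 1918, loopback and
 remark the router's own outside address can never arrive from the Internet
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip host 200.1.2.254 any log
 remark Rule 5: broadcast attacks - directed broadcast to our subnet and
 remark packets sourced from broadcast or unspecified addresses
 deny ip any host 200.1.2.255 log
 deny ip host 255.255.255.255 any log
 deny ip host 0.0.0.0 any log
 remark Rule 3: the only thing the unprotected side may start is the ICMP
 remark needed for path MTU discovery
 permit icmp any any packet-too-big
 remark Rule 6: explicit deny-and-log of everything else. CBAC inserts
 remark temporary entries ahead of these lines for the return traffic of
 remark sessions inspected on the inside interface.
 deny ip any any log
!
! Apply: ACL plus inspection inbound on the interface where traffic
! initiates; ACL only on the other interface.
interface FastEthernet0/0
 description Outside (Internet)
 ip address 200.1.2.254 255.255.255.0
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 description Inside
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDEACL in
 ip inspect OUTBOUND in
```

After applying it, check the result with show ip inspect interfaces (both the ACL and the inspection rule should appear under FastEthernet0/1) and open a session from an inside host; show ip inspect session should list it, and the return packets must pass OUTSIDEACL even though no static permit covers them.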
Set Audit Trails and Alerts
Router(config)#
ip inspect audit-trail
• Enables the delivery of audit trail messages (per-session records naming initiator, responder and byte counts) using syslog
Router(config)#
no ip inspect alert-off
• Enables real-time alerts; this is the default, and ip inspect alert-off turns them off
Router(config)#logging on
Router(config)#logging host 10.0.0.3
Router(config)#ip inspect audit-trail
Router(config)#no ip inspect alert-off
Define Inspection Rules for Application Protocols
Router(config)#
ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
• Defines the application protocols to inspect
• Will be applied to an interface:
– Available protocols are tcp, udp, icmp, smtp, esmtp,
cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio,
rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, and so on.
– Alert, audit-trail, and timeout are configurable per protocol
and override global settings.
Router(config)#ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)#ip inspect name FWRULE ftp alert on audit-trail on timeout 300
ip inspect name Parameters
inspection-name: Names the set of inspection rules. To add a protocol to an existing set of rules, use the same inspection name for the new rule.
protocol: The protocol to inspect.
alert {on | off}: (Optional) For each inspected protocol, the generation of alert messages can be set to on or off. If no option is selected, alerts are generated based on the setting of the ip inspect alert-off command.
audit-trail {on | off}: (Optional) For each inspected protocol, the audit-trail option can be set to on or off. If no option is selected, audit trail messages are generated based on the setting of the ip inspect audit-trail command.
timeout seconds: (Optional) Specifies a different idle timeout, in seconds, that overrides the global TCP or UDP idle timeout for the specified protocol. This timeout overrides the global TCP and UDP timeouts but does not override the global Domain Name Service (DNS) timeout.
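How the global timeout, alert and audit-trail settings interact with the per-protocol overrides described in the table, including the DNS timeout that a per-protocol timeout does not touch. This is an added example, not a configuration from the original slides; the values and the rule name FWRULE are illustrative.

```cisco
! Added example, not from the original slides. Values are illustrative.
!
! Global idle timeouts that a per-protocol "timeout" keyword can override.
! The numbers shown here happen to be the IOS defaults.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
!
! The DNS timeout is a separate global value. A "timeout" on a udp rule
! does NOT change it: DNS lookups still age out after these 5 seconds.
ip inspect dns-timeout 5
!
! Global alert and audit-trail behaviour; each rule below may override it.
ip inspect audit-trail
no ip inspect alert-off
!
! ftp and smtp inherit the 3600 s TCP idle time and the global alert
! setting, but smtp states alert on explicitly.
ip inspect name FWRULE ftp audit-trail on
ip inspect name FWRULE smtp alert on audit-trail on
! Generic TCP sessions are dropped after 15 idle minutes instead of 60.
ip inspect name FWRULE tcp timeout 900
! UDP "sessions" for a long-lived application get 10 minutes instead of
! 30 seconds, with alerts silenced; DNS is still bounded by dns-timeout.
ip inspect name FWRULE udp alert off timeout 600
```

show ip inspect config prints the global values first and then each rule with its effective per-protocol timeout, alert and audit-trail settings, which is the quickest way to confirm which override actually won.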
Inspection Rules for Application Protocols
Example 1:
Java applets are allowed only from the "friendly" sites listed in standard access list 10; applets from any other site are blocked:
ip inspect name PERMIT_JAVA http java-list 10
access-list 10 permit 144.224.10.0 0.0.0.255
access-list 10 deny any
Example 2:
Telling Cisco IOS Firewall what to inspect:
ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp
ip inspect Parameters and Guidelines
Router(config-if)#
ip inspect inspection-name {in | out}
• Applies the named inspection rule to an interface
inspection-name: Names the set of inspection rules
in: Applies the inspection rules to inbound traffic
out: Applies the inspection rules to outbound traffic
 On the interface where traffic initiates:
Apply an ACL in the inbound direction that permits only the wanted traffic.
Apply the inspection rule in the inbound direction so that it inspects that wanted traffic.
 On all other interfaces, apply an ACL in the inbound direction that denies all unwanted traffic; CBAC adds temporary entries to those ACLs for the return traffic of inspected sessions, so no static permit for return traffic is needed.
Example: Two-Interface Firewall
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet0/0
ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
ip inspect OUTBOUND in
ip access-group INSIDEACL in
!
ip access-list extended OUTSIDEACL
permit icmp any any packet-too-big
deny ip any any log
!
ip access-list extended INSIDEACL
permit tcp any any
permit udp any any
permit icmp any any
Example: Three-Interface Firewall
interface FastEthernet0/0
ip inspect OUTSIDE in
ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
ip inspect INSIDE in
ip access-group INSIDEACL in
!
interface FastEthernet0/2
ip access-group DMZACL in
!
ip inspect name INSIDE tcp
ip inspect name OUTSIDE tcp
!
ip access-list extended OUTSIDEACL
permit tcp any host 200.1.2.1 eq 25
permit tcp any host 200.1.2.2 eq 80
permit icmp any any packet-too-big
deny ip any any log
!
ip access-list extended INSIDEACL
permit tcp any any eq 80
permit icmp any any packet-too-big
deny ip any any log
!
ip access-list extended DMZACL
permit icmp any any packet-too-big
deny ip any any log
Verifying Cisco IOS Firewall
Router#
show ip inspect name inspection-name
show ip inspect config
show ip inspect interfaces
show ip inspect session [detail]
show ip inspect statistics
show ip inspect all
• Displays inspection rules, interface configurations, sessions, and statistics
Router#show ip inspect session
Established Sessions
Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
Troubleshooting Cisco IOS Firewall
Router#
debug ip inspect function-trace
debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect events
debug ip inspect timers
debug ip inspect detail
• General debug commands
Router#
debug ip inspect protocol
• Protocol-specific debug (for example, debug ip inspect ftp)
Summary
 The main feature of the Cisco IOS Firewall has always been its
stateful inspection.
 An ACL can allow one host to access a part of your network and
prevent another host from accessing the same area.
 Use access lists in "firewall" routers that you position between your
internal network and an external network such as the Internet. You
can also use access lists on a router positioned between two parts
of your network, to control traffic entering or exiting a specific part
of your internal network.
 An inspection rule should specify each desired application layer
protocol that the Cisco IOS Firewall will inspect, as well as generic
TCP, UDP, or Internet Control Message Protocol (ICMP), if desired.
 Use the ip inspect name command in global configuration mode
to define a set of inspection rules.
Q and A
Resources
 Cisco IOS Firewall Introduction
http://cisco.com/en/US/partner/products/sw/secursw/ps1018/index.html
 Cisco IOS Firewall Support
http://cisco.com/en/US/partner/products/sw/secursw/ps1018/tsd_products_support_series_home.html
 Cisco IOS Firewall Design Guides
http://cisco.com/en/US/partner/products/sw/secursw/ps1018/products_implementation_design_guides_list.html