Designing Network Security (Cisco Press), part 6 (ppt)


Securing the Corporate Network Infrastructure http://wwwin.cisco.com/cpress/cc/td/cpress/internl/dns/ch08.htm (45 of 47) [02/02/2001 17.32.59]

Router configuration (continued):

! filter such that only devices on this network have SNMP access
access-list 6 permit 144.254.9.0 0.0.0.255
! configure TACACS+ server and encryption key
tacacs-server host 144.254.5.9
tacacs-server key thisisakey
! SNMP access is read-only and can only be accessed by devices
! associated with access-list 6
snmp-server community public RO 6
! physical console access accessible via staff login and
! appropriate local password - the session times out after
! 2 minutes and 30 seconds of idle time
line con 0
 exec-timeout 2 30
 login authentication staff
! no login prompt and no input access allowed through auxiliary port
line aux 0
 no exec
 transport input none
! telnet access requires default authentication (TACACS+) and upon
! successful authentication commands associated with privilege
! level 15 are accessible. The session times out after 2 minutes
! and 30 seconds of inactivity
line vty 0 4
 exec-timeout 2 30
 login authentication default
 privilege level 15
! turn on syslog and define console information to be logged
service timestamps log datetime localtime show-timezone
logging on
logging 144.254.5.5
logging console information

Switch configuration:

hostname Switch
! define Telnet and console authentication to be via TACACS+
set authentication login tacacs enable
set authentication enable tacacs enable
! define TACACS+ server and encryption key
set tacacs key secretkey
set tacacs server 144.254.5.9
! define syslog logging server and enable system logging messages
! to the current login session
set logging server 144.254.5.5
set logging server enable
set logging session enable

PIX firewall configuration:

!
! define enable password and Telnet password
enable password BjeuCKspwqCc94Ss encrypted
passwd nU3DFZzS7jF1jYc5 encrypted
! define TACACS+ server and encryption key
tacacs-server host 144.254.5.9 <key>
!
no snmp-server location
no snmp-server contact
! allow only these hosts to Telnet into the PIX
telnet 144.254.7.10 255.255.255.255
! define syslog messages to be logged and the syslog host
syslog output 23.4
syslog host 144.254.5.5

Summary

This chapter explained what you should consider to secure your networking infrastructure. It is important to control all device access, both physical and logical, to ensure that no one can tamper with the network by reconfiguring the devices. General concepts and specific features used in Cisco devices were shown to incorporate additional elements of a security architecture, including integrity, confidentiality, availability, and audit. You must use all these concepts together to obtain the most effective security controls for your network infrastructure.

Posted: Wed Jun 14 11:37:13 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.
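The router excerpt above applies a handful of device-access controls (idle timeouts and login authentication on every line, a disabled auxiliary port, a read-only SNMP community restricted by an access list, and a syslog host with timestamps). The following Python script is an added example, not code from the book or from Cisco: it parses an IOS-style configuration and reports which of those controls are missing. SAMPLE_CONFIG mirrors the book's router excerpt; WEAK_CONFIG and the 300-second idle threshold are constructed for the example.

```python
# Added example, not from the book: audit a Cisco IOS-style configuration
# for the device-access controls the sample router configuration applies.
# SAMPLE_CONFIG mirrors the book's router excerpt; WEAK_CONFIG is constructed
# here to show what the checks report when those controls are missing.
import re

SAMPLE_CONFIG = """\
access-list 6 permit 144.254.9.0 0.0.0.255
tacacs-server host 144.254.5.9
tacacs-server key thisisakey
snmp-server community public RO 6
line con 0
 exec-timeout 2 30
 login authentication staff
line aux 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 2 30
 login authentication default
 privilege level 15
service timestamps log datetime localtime show-timezone
logging on
logging 144.254.5.5
logging console information
"""

WEAK_CONFIG = """\
snmp-server community public RW
line con 0
 exec-timeout 0 0
 login
line aux 0
 exec-timeout 2 30
 login
line vty 0 4
 exec-timeout 30 0
"""


def parse_config(text):
    """Split an IOS config into global commands and 'line ...' sections.
    Indented lines belong to the most recent section header."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank line or comment
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(text, max_idle_seconds=300):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, sections = parse_config(text)
    findings = []
    for name, cmds in sections.items():
        if name.startswith("line aux"):
            # the book disables the auxiliary port outright
            if "no exec" not in cmds or "transport input none" not in cmds:
                findings.append(f"{name}: auxiliary port not disabled "
                                "(expected 'no exec' and 'transport input none')")
            continue
        timeout = [c for c in cmds if c.startswith("exec-timeout")]
        if not timeout:
            findings.append(f"{name}: no exec-timeout (IOS default is 10 minutes)")
        else:
            parts = timeout[0].split()    # exec-timeout <minutes> [seconds]
            idle = int(parts[1]) * 60 + (int(parts[2]) if len(parts) > 2 else 0)
            if idle == 0 or idle > max_idle_seconds:
                # 'exec-timeout 0 0' disables the idle timeout entirely
                findings.append(f"{name}: idle timeout of {idle}s is disabled or "
                                f"longer than {max_idle_seconds}s")
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"{name}: no login authentication configured")
    for cmd in global_cmds:
        if not cmd.startswith("snmp-server community"):
            continue
        parts = cmd.split()               # snmp-server community <string> [RO|RW] [acl]
        mode = parts[3].upper() if len(parts) > 3 else "RO"
        acl = parts[4] if len(parts) > 4 else None
        if mode == "RW":
            findings.append(f"SNMP community '{parts[2]}' is read-write")
        if acl is None:
            findings.append(f"SNMP community '{parts[2]}' has no access-list restriction")
        elif not any(g.startswith(f"access-list {acl} ") for g in global_cmds):
            findings.append(f"SNMP community '{parts[2]}' references undefined access-list {acl}")
    if not any(re.fullmatch(r"logging \d+\.\d+\.\d+\.\d+", g) for g in global_cmds):
        findings.append("no syslog host configured")
    if not any(g.startswith("service timestamps log") for g in global_cmds):
        findings.append("log messages are not timestamped")
    return findings


if __name__ == "__main__":
    for label, cfg in (("book sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, "->", audit(cfg) or ["all checks passed"])
```

Run against the book's sample the audit returns no findings; run against WEAK_CONFIG it flags the disabled console timeout, the live auxiliary port, the 30-minute vty timeout without a login, the read-write and unrestricted SNMP community, and the missing syslog host and timestamps. The checks are deliberately simple string tests over a parsed config, which is enough to catch drift from the controls the chapter describes.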
Table of Contents

Securing Internet Access
Internet Access Architecture
External Screening Router Architecture
Cisco IOS Filters
Standard IP Access Lists
Extended Access Lists
Named Access Lists
Reflexive Access Lists
Advanced Firewall Architecture
Advanced Packet Session Filtering
TCP Protocol Traffic
UDP Protocol Traffic
Application Content Filtering
World Wide Web
E-mail and SMTP
Other Common Application Protocols
Application Authentication/Authorization
Encryption
Network Address Translation
Public Versus Private IP Addresses
NAT Functionality
Implementation Examples
Cisco IOS Firewall
Content-Based Access Control
Sample IOS Firewall Configuration
PIX Firewall with Screening IOS Router
PIX Fundamentals
Summary

9 Securing Internet Access

Securing Internet Access http://wwwin.cisco.com/cpress/cc/td/cpress/internl/dns/ch09.htm (1 of 56) [02/02/2001 17.33.08]

This chapter examines how to secure Internet access to the corporate network. This is accomplished using some type of firewall functionality. Firewalls have become an integral component of perimeter network access, such as the boundary between the trusted corporate network and the less-trusted Internet. On this perimeter, traffic can be analyzed and controlled according to parameters such as specific applications, addresses, and users, for both incoming traffic from remote users and outgoing traffic to the Internet.

Note: Constructing a firewall policy for your corporate environment was discussed in Chapter 6, "Design and Implementation of the Corporate Security Policy." If you are new to firewalls, turn to Appendix A, "Sources of Technical Information," and read the books listed under "Firewall Books" to get a good understanding of firewalls and their function.
A firewall device should be as impenetrable as possible; therefore, it should be one of the most secure devices in your infrastructure. In this chapter, we'll look at sample firewall design implementations to control Internet access and will refer to features specific to equipment provided by Cisco Systems. The chapter explains how to configure Cisco IOS devices and the Cisco PIX firewall to provide necessary security controls for Internet access. Many of the functions shown can also be used from other products if they are available. All the controls described in Chapter 8, "Securing the Corporate Network Infrastructure," should be used in these devices to provide appropriate security controls.

Internet Access Architecture

When the decision is made to connect the corporate network to the Internet, it is important to recognize the additional security exposures. In most cases, you make a decision of how open an environment you can tolerate. In a very open environment, you may impose limited restrictions on access; in a more secure environment, you may impose more stringent access controls for traffic entering or leaving the main corporate network.

There are many variations on how to design access to the Internet. A common scenario is to construct a firewall between the internal corporate network and the external Internet connection (see Figure 9-1).

Figure 9-1: Internet Access with a Firewall

The firewall can be a single device, such as a screening router with limited firewall capabilities. Often, the firewall has at least three interfaces. One of these interfaces is used as a perimeter network to isolate services (such as e-mail, FTP, DNS, and HTTP) offered to Internet users. Internet connections may be restricted solely to these services. This may be a sufficient model for a small corporation.
However, the downfall is that if this single device is compromised, the entire network is open to exposure. Another scenario, used most often in large-traffic environments, uses an exterior screening router along with a more robust firewall (see Figure 9-2).

Figure 9-2: Internet Access with a Screening Router and a Firewall

This second model is much more secure because it offers multiple levels of security to the corporation. The exterior screening router acts as a first-level filter to permit or deny traffic coming in from the Internet to the internal campus. It validates most incoming traffic before passing it on to the firewall. The firewall then provides the more CPU-intensive function of packet-by-packet inspection.

In this scenario, it is also effective to include an active audit device that includes network traffic monitoring and intrusion detection on the network segment connecting the firewall to the exterior router. This device can verify adherence to the corporate security policy and can pinpoint and isolate any attacks from the Internet to the corporate network or any attacks instigated from your internal network out to the Internet.

Note: Intrusion detection and active audit capabilities should be incorporated at network perimeter points to provide added security measures and to verify proper traffic behavior. A combination of intrusion detection, active audit, and a firewall at the network perimeter is the best defense against most known attacks.

External Screening Router Architecture

If your corporate network is small, the screening router model may be a sufficient solution to providing secure access to the Internet. It is possible that the security measures used will not always catch spoofed traffic, but at least it should provide a reasonable basic buffer from the Internet.
Note: The screening router solution can also be used in larger networks to define a logical separation internally between some sensitive areas of your network; for example, using a firewall between the finance building and the rest of a large campus, or using firewalls at all network perimeter points (including dial-in points and branch office connections).

Most screening routers use filtering capabilities to act as a firewall. How filters are created and to what extent they look at traffic is largely vendor dependent. The following sections examine how Cisco IOS routers provide filtering; most other vendors' devices have similar capabilities.

Cisco IOS Filters

The Cisco IOS software has an extended filtering capability to permit or deny specific traffic from entering or leaving the corporate network. These filters are called access lists. Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. Your router examines each packet to determine whether to forward or drop the packet, based on the criteria specified within the access lists. Access list criteria can include the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.

Note: Sophisticated users can sometimes successfully evade or fool basic access lists because no host-to-host authentication is required.

If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet. If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match.
If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

Cisco IOS Release 11.1 and later releases introduced substantial changes to IP access lists. These extensions are backward compatible; migrating from a release earlier than Release 11.1 to the current image will convert your access lists automatically. However, previous releases are not upwardly compatible with these changes. Thus, if you save an access list with the current image and then use older software, the resulting access list may not be interpreted correctly. This error can cause severe security problems. Save your old configuration file before booting Release 11.1 or later images.

The access lists can be specified for a number of different protocols, as shown here:

Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list

Because we deal mainly with the IP protocol for Internet access, we will restrict the discussion to IP standard and IP extended access lists. For details on other protocols, refer to the Cisco online documentation.

Standard IP Access Lists

Standard IP access lists use the source IP addresses for matching operations. The configuration command takes the following syntax:

access-list access-list-number {deny | permit} source [source-wildcard]

Note: The abbreviation any can be used to specify a source and source mask of 0.0.0.0 255.255.255.255.
The following is an example in which we create a standard access list and apply it to the incoming Internet traffic interface. The access list denies all inbound traffic from the Internet that contains a source address from known reserved RFC addresses and permits any other traffic from the Internet to the corporate campus.

! loopback and the three RFC 1918 private blocks; the wildcard for
! 172.16.0.0/12 is 0.15.255.255
access-list 9 deny 127.0.0.0 0.255.255.255
access-list 9 deny 10.0.0.0 0.255.255.255
access-list 9 deny 172.16.0.0 0.15.255.255
access-list 9 deny 192.168.0.0 0.0.255.255
access-list 9 permit any
!
! apply the access-list 9 to the incoming Internet interface
interface Serial 0/0
 description to the Internet
 ip address 161.71.73.33 255.255.255.248
 ip access-group 9 in
!
! outgoing
interface Ethernet 1/0
 description to the Corporate Network
 ip address 144.254.1.1 255.255.255.0

Extended Access Lists

Extended IP access lists use source and destination addresses for matching operations; they use optional protocol-type information for finer granularity of control. The following command defines an extended IP access list number and its access conditions:

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [operator] [operand] [precedence precedence] [tos tos] [established] [log]

Note: The abbreviation host can be used for a specific source and for a specific destination without having to include the source wildcard or the destination wildcard.

For IP extended access lists, there are a number of well-known protocols you can define:

Router(config)#access-list 101 permit ?
  <0-255>  An IP protocol number
  eigrp    Cisco's Enhanced IGRP routing protocol
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS-compatible IP over IP tunneling
  ospf     OSPF routing protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

The most common protocols to filter are the TCP and UDP protocols. For the TCP protocol, the following parameters (operators) can be filtered on:

Router(config)#access-list 101 permit tcp any any ?
  eq           Match only packets on a given port number
  established  Match established connections
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with a given precedence value
  range        Match only packets in the given range of port numbers
  tos          Match packets with the given TOS value

Here is a list of the more commonly used TCP port numbers (operands):

Router(config)#access-list 101 permit tcp any any eq ?
  <0-65535>  Port number
  bgp        Border Gateway Protocol (179)
  chargen    Character generator (19)
  cmd        Remote commands (rcmd, 514)
  daytime    Daytime (13)
  discard    Discard (9)
  domain     Domain Name Service (53)
  echo       Echo (7)
  exec       Exec (rsh, 512)
  finger     Finger (79)
  ftp        File Transfer Protocol (21)
  ftp-data   FTP data connections (used infrequently, 20)
  gopher     Gopher (70)
  hostname   NIC hostname server (101)
  ident      Ident Protocol (113)

[...]

The source page omits the text between here and the fragments that follow; each fragment is a preview excerpt from a later page of Chapter 9, shown as it appears.

! applets will be permitted according to access list 66, defined later
! in this configuration
!
ip inspect name primaryfw cuseeme timeout 3600
ip inspect name primaryfw ftp timeout 3600
ip inspect name primaryfw http java-list 51 timeout 3600
ip inspect name primaryfw rcmd timeout 3600
[...]

Router(config)#access-list 101 permit udp any any eq ?
  Port number
  biff     Biff (mail notification, comsat, 512)
  bootpc   Bootstrap Protocol (BOOTP) client (68)
  bootps   Bootstrap Protocol (BOOTP) server (67)
  discard  Discard (9)
  dnsix    DNSIX security protocol auditing (195)
  domain   Domain Name Service (DNS, 53)
  echo     Echo (7)
[...]

... Frame Relay to Internet
 no ip address
 ip broadcast-address 0.0.0.0
 encapsulation frame-relay IETF
 no ip route-cache
 no arp frame-relay
 bandwidth 56
 service-module 56k clock source line
 service-module 56k network-type dds
 frame-relay lmi-type ansi
!
! Note that the following interface...
[...]

... such as echo,
! chargen, and discard
no service tcp-small-servers
!
hostname imafirewall
!
enable secret 5 $1$dLOD$QR.onv68q3326pzM.Zexj1
no service finger
no service pad
no ip bootp server
!
! set local database authentication
username security_geeks password 7 082C495C0012001E010F02...
[...]

... following three blocks of IP address space for private networks:

10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255

The first block is a single class A network number; the second block is a set of 16 contiguous class B network numbers; and the third block is a set of 255 contiguous class C network numbers. If a corporation decides to use private addressing, these blocks of addresses...
[...]

... NAT, ensure that the firewall you are using supports the translation of IP addresses within the specific applications you are using.

Implementation Examples

Now let's consider two scenarios:

- A Cisco IOS firewall
- A PIX firewall used in conjunction with a screening Cisco IOS router...
[...]

... entering the network.) When CBAC inspection occurs on
! traffic exiting the network, temporary openings will be added to
! access list 111 to allow returning traffic that is part of existing
! sessions
!
interface Serial0.1 point-to-point
 ip unnumbered Ethernet0
 ip access-group 111 in
 no ip route-cache
 bandwidth 56
 no cdp enable
 frame-relay interface-dlci 16
!
[...]

Gopher: Application that provides a menu-driven front-end to Internet services
HTTP: Primary protocol used to implement the WWW
Network News Transfer Protocol (NNTP): Protocol used to transmit and receive network news
Pointcast by Pointcast (HTTP): Protocol for viewing news in TV-like fashion...
[...]

NetBIOS over TCP/IP (NBT): NetBIOS name, datagram, and session services encapsulated within TCP/IP
Network Time synchronization Protocol (NTP): Protocol providing time across a network with precise clocks; implemented over TCP and UDP
RAS: Remote access service
Rexec: Protocol that provides...
[...]

... about who is logged on to the local network
X11: Windowing system protocol

Remote Procedure Call Services

Lockmanager (nlockmgr): Protocol used for the transmission of lock requests
Mountd: Protocol used for the transmission of file mount requests
Network File System (NFS): Protocol ...

Date posted: 14/08/2014, 14:20
