vpn roadshow optional module 7 ios firewall

Document information

Cisco VPN Partner Technical Development Module: IOS Router Security Features
APAC Channels Technical Operations
© 2003, Cisco Systems, Inc. All rights reserved. VPN Roadshow

Topics
  • IOS Firewall (CBAC)
  • IOS IDS

Cisco IOS Firewall: Context-Based Access Control (CBAC)

Cisco IOS Firewall Overview
Cisco IOS Firewall Feature Set is a suite of powerful security features for Cisco IOS routers, including:
  • Context-Based Access Control (CBAC)
  • Authentication proxy
  • Intrusion detection
  • Denial-of-service detection and prevention
  • Network Address Translation: hides the internal network from the outside for enhanced security
  • Time-based access lists: define the security policy by time of day and day of week
  • Real-time alerts, audit trail and event logging
  • Redundancy/fail-over: traffic is automatically routed to a backup router if a failure occurs
  • VPNs, IPSec encryption, and QoS support
Key platforms: Cisco 800, 900, 1400, 1600, 1700, 2500, 2600, 3600, 7100, 7200, and 7500 routers

Context-Based Access Control (CBAC) Firewall Overview
  • Packets entering the firewall are inspected by CBAC if they are not specifically denied by an ACL
  • CBAC creates temporary openings in the ACL at firewall interfaces for specified exiting traffic
    – A state table is maintained with session information
    – The opening allows returning traffic and additional data to enter
    – CBAC only allows traffic back that is part of the same original session
  • CBAC permits or denies specified TCP and UDP traffic through a firewall
  • ACLs are dynamically created or deleted
  • Provides Denial of Service detection and prevention
[Figure: TCP and UDP sessions passing through the firewall to the Internet]

Context-Based Access Control (CBAC) Overview
Cisco IOS ACLs
  • Provide traffic filtering by
    – Source and destination IP addresses
    – Source and destination ports
  • Can be used to implement a filtering firewall
    – Ports are opened permanently to allow traffic, creating a security vulnerability
    – Do not work with applications that negotiate ports dynamically
CBAC
  • Inspects and monitors control channels of connections
  • Can specify which protocol is inspected
  • Recognizes application-specific commands
  • Configurable attack responses
  • Handles multichannel applications and uses sequence numbers

How CBAC Works
  • Control traffic is inspected by the CBAC rule:
        ip inspect name FWRULE tcp
  • CBAC creates a dynamic ACL allowing return traffic back through the firewall (here from the outside host 172.30.1.50, port 23, to the inside host 10.0.0.3, port 2447):
        access-list 102 permit TCP host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
  • CBAC continues to inspect control traffic and dynamically creates and removes ACLs as required by the application. It also monitors and protects against application-specific attacks.
  • CBAC detects when an application terminates or times out and removes all dynamic ACLs for that session.

Supported Protocols
  • TCP (single channel)
  • UDP (single channel)
  • RPC
  • FTP
  • TFTP
  • UNIX R-commands (such as rlogin, rexec, and rsh)
  • SMTP
  • HTTP (Java blocking)
  • Java
  • SQL*Net
  • RTSP (such as RealNetworks)
  • H.323 (such as NetMeeting, ProShare, CUSeeMe)
  • Other multimedia
    – Microsoft NetShow
    – StreamWorks
    – VDOLive

CBAC Configuration
  • Enable audit trails and alerts
  • Set global timeouts and thresholds
  • Define Port-to-Application Mapping (PAM)
  • Define inspection rules
  • Apply inspection rules and ACLs to interfaces
  • Test and verify

Alerts and Audit Trails
  • CBAC generates real-time alerts and audit trails
    – Automatic alerts are generated when attack prevention is enabled
    – Alerts are configurable via a syslog management tool
  • Audit trail features use Syslog to track all network transactions
  • With CBAC inspection rules, you can configure alerts and audit trail information on a per-application-protocol basis
    – Examples include: Denial-of-Service (DoS) attacks, SMTP command attacks, or denied Java applets

Configuration Tasks
  • Initialize IOS Firewall IDS on the router
  • Configure, disable, or exclude signatures
  • Create and apply audit rules
  • Verify the configuration
  • Add the IOS Firewall IDS router to the Director or Syslog server

Initializing the Cisco IOS Firewall IDS
Initializing the Cisco IOS Firewall IDS on the router includes:
  • Set Notification Type
    – SYSLOG server
    – Router's PostOffice Parameters (for CSIDD)
    – Director's PostOffice Parameters (for CSIDD)
  • Set the Protected Network
  • Set the Notification Queue Size

Set Notification Type
    Router(config)# ip audit notify {nr-director|log}
  • Sets the notification type
    – nr-director sends messages in PostOffice format to the CSIDD or sensor
    – log sends messages in SYSLOG format to the router's console or a SYSLOG server
    Router(config)# ip audit notify nr-director
    Router(config)# ip audit notify log

Set the Protected Network
    Router(config)# ip audit po protected ip-addr [to ip-addr]
  • Specifies an address or address range on the protected network
  • Has no impact on intrusion detection functionality, and is used only in log records (IN and OUT direction fields)
    Router(config)# ip audit po protected 10.0.0.1 to 10.0.0.254

Set the Notification Queue Size
    Router(config)# ip audit po max-events num-of-events
  • Sets the maximum number of alarms saved in the router queue
  • The default is 100 alarms
  • Caution: the router has limited persistent storage; if the queue fills, alarms are lost on a FIFO basis
  • The reliability versus memory trade-off is that each alarm uses 32 KB of memory
    Router(config)# ip audit po max-events 300

Configure Spam Attack
    Router(config)# ip audit smtp spam num-of-recipients
  • Specifies the number of mail recipients over which a spam attack is suspected (signature identification 3106)
  • The default is 250
    Router(config)# ip audit smtp spam 350

Cisco IOS IDS: DoS Prevention
  • Cisco IOS Software maintains a list of connection attempts through configured services when CBAC and Cisco IOS IDS are configured
  • If the configured thresholds for unfinished connections are exceeded, an RST is sent to the host requesting the connection
    ip inspect max-incomplete high n1
    ip inspect max-incomplete low n2
  Defaults for n1 and n2 are 500 and 400, respectively

Disable Signatures Globally
    Router(config)# ip audit signature sig-id disable
  • Specifies signatures that will not be audited
  • Keeps specific signatures from alarming
    – Performance reasons
    – Prevents normal traffic from generating false alarms
  • Refer to the Cisco IOS Security Configuration Guide for the complete list of signatures
    Router(config)# ip audit signature 1004 disable
    Router(config)# ip audit signature 1006 disable
    Router(config)# ip audit signature 3102 disable
    Router(config)# ip audit signature 3104 disable

Packet Auditing Process
  • Step 1: Set the default actions for information and attack signatures
  • Step 2: Create an audit rule:
    – Signatures to audit: information, attack
    – Actions to take: alarm, reset, drop
  • Step 3: Apply the audit rule to an interface:
    – Inbound: audit packets before ACLs discard them
    – Outbound: no auditing of the packets discarded by ACLs
  • Step 4: Packets are audited
    – 1: IP
    – 2: ICMP, TCP, or UDP
    – 3: Application
  • Step 5: Upon signature match, execute user-configured actions

Step 1: Set the Default Actions for Information and Attack Signatures
    Router(config)# ip audit info action [alarm] [drop] [reset]
  • Sets default actions for information signatures
    Router(config)# ip audit info action alarm
    Router(config)# ip audit attack action [alarm] [drop] [reset]
  • Sets default actions for attack signatures
    Router(config)# ip audit attack action alarm drop reset

Steps 2 and 3: Create and Apply an IDS Audit Rule
    Router(config)# ip audit name audit-name {info|attack} [action [alarm] [drop] [reset]]
  • Specifies audit name, signature type, and actions
    Router(config)# ip audit name AUDIT1 info action alarm
    Router(config)# ip audit name AUDIT1 attack action alarm drop reset
    Router(config-if)# ip audit audit-name {in|out}
  • Applies the audit rule to an interface
    Router(config)# interface e0
    Router(config-if)# ip audit AUDIT1 in

show Commands
    Router# show ip audit statistics
    Router# show ip audit configuration
    Router# show ip audit interface
    Router# show ip audit debug
  • Displays various statistics, configurations, interface configurations, and debug flags

debug Commands
    Router# debug ip audit timers
    Router# debug ip audit object-creation
    Router# debug ip audit object-deletion
    Router# debug ip audit function trace
    Router# debug ip audit detailed
    Router# debug ip audit ftp-cmd
    Router# debug ip audit ftp-token
    Router# debug ip audit icmp
    Router# debug ip audit ip
    Router# debug ip audit rpc
    Router# debug ip audit smtp
    Router# debug ip audit tcp
    Router# debug ip audit tftp
    Router# debug ip audit udp
  • Instead of no, undebug may be used

Summary
  • The Cisco IOS Firewall IDS package is a smaller version of the IDS Sensor, located within IOS routers
  • The two types of signature implementations used by the Cisco IOS Firewall IDS are Atomic and Compound
  • You need to create and apply audit rules to the IDS configuration
  • You need to select the attack signatures for IDS monitoring
  • You need to verify the Cisco IOS Firewall IDS configuration using debug commands
  • You may add a Cisco IOS Firewall IDS router to a Syslog server
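A worked two-interface CBAC configuration that walks the six "CBAC Configuration" steps above (audit trail and alerts, global timeouts and thresholds, PAM, inspection rule, applying rule and ACL to interfaces, verification). This is an added example, not a slide from the Cisco deck; the interface names, the 192.0.2.0/24 outside address, the 8080 PAM port, the ACL numbers and the trusted Java server 172.30.1.50 are assumptions for illustration, with only the 10.0.0.0/24 inside network taken from the deck's protected-network example.

```cisco
! Added example (not from the Cisco deck): two-interface CBAC firewall.
! Assumed topology: Ethernet0/0 = inside (10.0.0.0/24), Ethernet0/1 = outside.
!
! Step 1: enable audit trails and alerts (alerts are on by default;
! "no ip inspect alert-off" just makes that explicit)
ip inspect audit-trail
no ip inspect alert-off
!
! Step 2: global timeouts and thresholds. The half-open limits drive the
! RST-based DoS prevention; these are below the 500/400 defaults in the deck.
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
!
! Step 3: PAM - HTTP on the assumed port 8080 is inspected as HTTP too
ip port-map http port 8080
!
! Step 4: inspection rule for the outbound sessions to be tracked
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
ip inspect name FWRULE http java-list 10
ip inspect name FWRULE smtp
!
! Java applets are permitted only from this (assumed) trusted server
access-list 10 permit host 172.30.1.50
!
! Extended ACL on the outside interface: deny everything inbound except
! what CBAC opens dynamically; ICMP replies are allowed so ping/traceroute work
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 deny   ip any any log
!
! Step 5: rule applied inbound on the inside interface (traffic leaving the
! network) and the ACL inbound on the outside interface (from the Internet)
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip inspect FWRULE in
!
interface Ethernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 102 in
!
! Step 6: verify with "show ip inspect session" and "show ip inspect config"
```

While an inside host has a Telnet session open, "show ip inspect session" lists it and "show access-list 102" shows the temporary permit entry CBAC inserted above the deny, matching the dynamic ACL in the "How CBAC Works" slide.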

Posted: 16/11/2014, 19:51

Table of contents

  • Topics

  • Cisco IOS Firewall

  • Cisco IOS Firewall Overview

  • Context-Based Access Control (CBAC) Firewall Overview

  • Context-Based Access Control (CBAC) Overview

  • How CBAC Works

  • Supported Protocols

  • CBAC Configuration

  • Alerts and Audit Trails

  • Enable Audit Trail and Alert

  • Set Global Timeouts and Thresholds TCP, SYN, and FIN Wait Times

  • Set Global Timeouts and Thresholds TCP, UDP, and DNS Idle Times

  • Port-to-Application Mapping (PAM)

  • Display PAM Configuration

  • Inspection Rules

  • Inspection Rules for Application Protocols

  • Apply an Inspection Rule to an Interface

  • General Rules for Applying Inspection Rules and ACLs

  • Example: Two Interface Firewall

  • Outbound Traffic Configuration
