© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0 5-1 Adaptive Threat Defense: Configuring Cisco IOS Classic Firewall

Cisco IOS Classic Firewall Overview
- Traffic filtering
- Traffic inspection
- Alerts and audit trails

How Classic Firewall Works (flattened diagram; the original slide numbers seven callouts, of which only the text below is recoverable)

- UserX on the inside network (Fa0/0) initiates an HTTP session from source port 3575 towards a web server beyond S0.
- Traffic is inspected after passing the ACLs: ACL 103 (outbound on S0) permits the HTTP request, and the FWRULE inspection then creates a session entry for it.
- Classic Firewall uses ACL bypass for the return traffic of that session: packets matching the session entry are passed without further ACL checks ("bypass multiple ACL checks").
- Unsolicited packets from the attacker on the outside match no session entry and are dropped by ACL 104 (inbound on S0), which denies everything.

Configuration shown on the slide (numbered extended ACLs):

  router(config)# access-list 104 deny ip any any
  router(config)# access-list 103 permit tcp any any eq www
  router(config)# ip inspect name FWRULE tcp
  router(config)# interface S0
  router(config-if)# ip access-group 103 out
  router(config-if)# ip access-group 104 in
  router(config-if)# ip inspect FWRULE out

Verification (the addresses in the output did not survive extraction):

  router# show ip inspect sessions
  Established Sessions
   Session A8 ( :3575)=>( :80) http SIS_OPEN

Supported Protocols
- TCP
- UDP
- RPC
- FTP
- TFTP
- UNIX r commands (such as rlogin, rexec, and rsh)
- SMTP
- HTTP (Java blocking)
- SQL*Net
- RTSP (such as RealNetworks)
- H.323 (such as NetMeeting, ProShare)
- CUseeMe
- Other multimedia
  – Microsoft NetShow
  – StreamWorks
  – VDOLive

Alerts and Audit Trails
- Cisco IOS classic firewall generates real-time alerts and audit trails.
- Audit trail features use syslog to track all network transactions.
- With Cisco IOS classic firewall inspection rules, you can configure alerts and audit trail information on a per-application-protocol basis.

IOS Classic Firewall Configuration
- Identify traffic that will be allowed out through the firewall.
  – Be sure ACLs permit legitimate traffic from the secure network to the unsecure network.
- Configure ACLs to block traffic from the unsecure network.
- Create inspection rules.
  – Set global timeouts and thresholds (DoS protection).
  – Define inspection rules: generic TCP and UDP inspection; application layer inspection; Granular Protocol Inspection (GPI); Java blocking; IP packet fragmentation; application firewall (for HTTP, for IM).
- Apply the rule inbound to the inside interface or outbound to the outside interface.
- Configure audit trails and logging.

Configuring IP Access Lists
- Start with a basic configuration.
- Permit the traffic that Cisco IOS classic firewall will inspect to leave the network.
- Use extended ACLs to deny traffic entering the network from the outside; the inspection creates the temporary openings that let the return traffic of inspected sessions through, so the ACL itself does not need to permit it.

Defining Inspection Rules
- Global timeouts and thresholds
- Configure generic TCP and UDP inspection
- Configure application layer protocol inspection
- Configure Java blocking
- Configure IP packet fragmentation inspection

Tuning DoS Protection (global timeouts and thresholds)

  router(config)# ip inspect max-incomplete high 300
  router(config)# ip inspect max-incomplete low 50
  router(config)# ip inspect one-minute high number
  router(config)# ip inspect one-minute low number
  router(config)# ip inspect tcp synwait-time 60
  router(config)# ip inspect tcp finwait-time 60
  router(config)# ip inspect tcp idle-time 360
  router(config)# ip inspect udp idle-time 360
  router(config)# ip inspect dns-timeout 300

- max-incomplete high / low: total number of existing half-open sessions at which the firewall starts (high) and stops (low) deleting half-open sessions (defaults 500 and 400).
- one-minute high / low: the same two thresholds expressed as a rate of new, not yet established sessions per minute (defaults 500 and 400); "number" on the slide is a placeholder for the value you choose.
- tcp synwait-time: seconds to wait for a TCP session to reach the established state before it is dropped (default 30).
- tcp finwait-time: seconds a TCP session is kept after the FIN exchange (default 5).
- tcp idle-time / udp idle-time: idle timeout in seconds for established TCP and UDP sessions (defaults 3600 and 30).
- dns-timeout: idle timeout in seconds for DNS lookup sessions (default 5).

Half-Opened Connection Limits by Host

  router(config)# ip inspect tcp max-incomplete host number block-time minutes

This command defines the number of half-opened TCP sessions with the same host destination address that can exist at a time before the Cisco IOS classic firewall starts deleting half-open sessions to the host. After the number of half-opened connections to a given host is exceeded, the software deletes half-opened sessions on that host in the following manner:
– If the block time is 0, the oldest half-opened session is deleted, per new connection request, to allow new connections.
– If the block time is greater than 0, all half-opened sessions are deleted, and new connections to the host are not allowed during the specified block time.
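To see what the thresholds on this slide and the previous one do, the following Python model is an added example (not Cisco code and not part of the course). It implements the behaviour described: deletion of half-open sessions starts when the total reaches max-incomplete high and stops when it falls to low, and the per-host limit either deletes the oldest half-open session to that host per new request (block-time 0) or flushes the host and refuses new sessions for the block time. The one-minute rate thresholds are not modelled; session identifiers, addresses and timings in the driver are constructed for the example.

```python
from collections import OrderedDict


class HalfOpenTracker:
    """Model of Classic Firewall half-open (embryonic) TCP session limits.

    Added illustration, not Cisco code. Arguments mirror the CLI:
    ip inspect max-incomplete high/low and
    ip inspect tcp max-incomplete host <n> block-time <minutes>.
    """

    def __init__(self, max_incomplete_high=500, max_incomplete_low=400,
                 host_max_incomplete=50, block_time_min=0):
        self.high = max_incomplete_high        # start deleting half-open sessions
        self.low = max_incomplete_low          # stop deleting
        self.host_max = host_max_incomplete    # per-destination-host limit
        self.block_time = block_time_min * 60  # CLI value is minutes
        self.half_open = OrderedDict()         # sid -> dst, oldest first
        self.blocked_until = {}                # dst -> time (seconds)
        self.aggressive = False
        self.log = []                          # (event, sid, dst)

    def _drop(self, sid, why):
        self.log.append((why, sid, self.half_open.pop(sid)))

    def _to_host(self, dst):
        return [s for s, d in self.half_open.items() if d == dst]

    def syn(self, sid, dst, now):
        """New SYN towards dst at time now. True if a half-open entry was kept."""
        if self.blocked_until.get(dst, 0) > now:
            self.log.append(("blocked", sid, dst))
            return False
        # Global thresholds: aggressive mode starts at 'high', ends at 'low'.
        count = len(self.half_open)
        if count >= self.high:
            self.aggressive = True
        elif count <= self.low:
            self.aggressive = False
        if self.aggressive and self.half_open:
            self._drop(next(iter(self.half_open)), "global-aggressive")
        # Per-host limit, evaluated against the same destination address.
        existing = self._to_host(dst)
        if len(existing) >= self.host_max:
            if self.block_time == 0:
                self._drop(existing[0], "host-oldest")      # oldest to this host
            else:
                for s in existing:                           # flush the host...
                    self._drop(s, "host-flush")
                self.blocked_until[dst] = now + self.block_time
                self.log.append(("blocked", sid, dst))      # ...and refuse this one
                return False
        self.half_open[sid] = dst
        return True

    def established(self, sid):
        """Handshake completed: the session is no longer half-open."""
        self.half_open.pop(sid, None)


def syn_flood(tracker, dst, count, start=0.0):
    """Send `count` SYNs to dst one second apart; return how many were kept."""
    return sum(tracker.syn(f"{dst}#{i}", dst, start + i) for i in range(count))


if __name__ == "__main__":
    # Constructed scenario: 20 SYNs at one host with 'max-incomplete host 10'.
    t = HalfOpenTracker(host_max_incomplete=10, block_time_min=0)
    print(syn_flood(t, "198.51.100.5", 20), len(t.half_open))   # 20 10
    t = HalfOpenTracker(host_max_incomplete=10, block_time_min=2)
    print(syn_flood(t, "198.51.100.5", 20), len(t.half_open))   # 10 0
```

With block-time 0 every SYN is still accepted, the table for that host just never grows beyond the limit; with a nonzero block-time the eleventh SYN empties the host's entries and the host is unreachable for new sessions for two minutes, which is the trade-off the slide describes between keeping service available and cutting a flood off outright.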

Inspection Rules for Generic TCP and UDP Inspection

  router(config)# ip inspect name FWRULE tcp alert on audit-trail on timeout 300
  router(config)# ip inspect name FWRULE udp alert on audit-trail on timeout 300

Inspection Rules for Application Layer Protocols
- Defines the application protocols to inspect
- Will be applied to an interface
  – alert, audit-trail, and timeout are configurable per protocol and override the global settings

  router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
  router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Inspection Rules for Java
- Controls Java blocking with a standard ACL: applets from sites the ACL permits are allowed; applets from sites it denies, and from sites it does not list at all (implicit deny), are blocked.

  Router(config)# ip inspect name inspection-name http java-list acl-num [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

  Router(config)# access-list 10 deny
  Router(config)# access-list 10 permit
  Router(config)# ip inspect name FWRULE http java-list 10 alert on audit-trail on timeout 300

(The addresses on the two access-list lines did not survive extraction.)

Basic Topology (figure): the external network and the Internet are reached through S0, the internal network through E0; arrows mark traffic entering from the Internet and traffic exiting from the internal network.

Simple Two-Interface Configuration

Deny all traffic from the outside network and inspect TCP, UDP, and ICMP:

  R1(config)# access-list 101 deny ip any any
  R1(config)# ip inspect name SNRSFW tcp
  R1(config)# ip inspect name SNRSFW udp
  R1(config)# ip inspect name SNRSFW icmp

Apply the ACL inbound on the outside interface:

  R1(config)# interface fastEthernet 0/1
  R1(config-if)# ip access-group 101 in

Apply the inspection rule either outbound on the outside interface:

  R1(config)# interface fastEthernet 0/1
  R1(config-if)# ip inspect SNRSFW out

OR inbound on the inside interface:

  R1(config)# interface fastEthernet 0/0
  R1(config-if)# ip inspect SNRSFW in

Topology with DMZ (figure): S0 faces the external network and the Internet, E0 the internal network, and a third interface the DMZ holding a web server and a DNS server; access from the outside is allowed to the DMZ only, with traffic entering and exiting marked as in the basic topology.

Three Interface Configuration with DMZ

IN_to_OUT is configured for traffic destined for the Internet or the DMZ. Inspection is configured inbound on the inside interface (Fa0/0):

  router(config)# ip inspect name IN_to_OUT smtp
  router(config)# ip inspect name IN_to_OUT ftp
  router(config)# ip inspect name IN_to_OUT tcp
  router(config)# ip inspect name IN_to_OUT udp
  router(config)# ip inspect name IN_to_OUT sqlnet
  router(config)# ip inspect name IN_to_OUT realaudio
  router(config)# ip inspect name IN_to_OUT h323

OUT_to_IN is set up for traffic heading in from the Internet. This traffic can go ONLY to the DMZ. Inspection is configured inbound on the outside interface (S0):

  router(config)# ip inspect name OUT_to_IN tcp
  router(config)# ip inspect name OUT_to_IN ftp
  router(config)# ip inspect name OUT_to_IN vdolive
  router(config)# ip inspect name OUT_to_IN netshow
  router(config)# ip inspect name OUT_to_IN h323

Three Interface Configuration with DMZ (Cont.)

  router(config)# access-list 101 deny ip any any
  router(config)# access-list 111 permit udp host any eq domain
  router(config)# access-list 112 permit tcp any host eq www
  router(config)# access-list 112 permit tcp any host eq ftp
  router(config)# access-list 112 permit tcp any host eq smtp
  router(config)# access-list 112 permit tcp any host eq 1755
  router(config)# access-list 112 permit tcp any host eq 1720
  router(config)# access-list 121 permit tcp any host eq www
  router(config)# access-list 121 permit tcp any host eq ftp
  router(config)# access-list 121 permit tcp any host eq smtp
  router(config)# access-list 121 permit tcp any host eq 1755
  router(config)# access-list 121 permit tcp any host eq 1720

- ACL 101 locks down traffic heading to the inside; only the return traffic of sessions inspected by IN_to_OUT gets through.
- ACL 111 permits DNS requests from the DNS server on the DMZ.
- ACL 112 permits Internet traffic inspected by the firewall destined to the DMZ.
- ACL 121 corresponds to ACL 112: it allows Internet traffic inspected by the firewall to reach the server on the DMZ. Port 1755 is Microsoft NetShow and 1720 is H.323 call setup, matching the netshow and h323 inspection in OUT_to_IN.

(The DMZ server addresses following "host" did not survive extraction.)

Three Interface Configuration with DMZ (Cont.)

Fa0/0 is the inside interface to the corporate network:

  router(config)# interface fastEthernet0/0
  router(config-if)# ip address
  ! lock-down ACL
  router(config-if)# ip access-group 101 out
  ! firewall inspection for internally generated traffic
  router(config-if)# ip inspect IN_to_OUT in

S0 is the interface closest to the Internet, the outside interface:

  router(config)# interface Serial0
  router(config-if)# ip address
  ! allows Internet-initiated traffic (to the DMZ servers only)
  router(config-if)# ip access-group 121 in
  ! firewall inspection for traffic coming from the Internet
  router(config-if)# ip inspect OUT_to_IN in

Fa0/1 is the DMZ interface:

  router(config)# interface fastEthernet0/1
  router(config-if)# ip address
  ! DNS traffic from the DMZ DNS server
  router(config-if)# ip access-group 111 in
  ! allows specific traffic to the DMZ server
  router(config-if)# ip access-group 112 out

(The interface addresses and masks did not survive extraction.)

Application Firewall

  router(config)# appfw policy-name policy-name
  router(cfg-appfw-policy)# application [http | im {aol | msn | yahoo}]

Application Firewall Policy for HTTP

  router(config)# appfw policy-name HTTP-Policy
  router(cfg-appfw-policy)# application http
  router(cfg-appfw-policy-http)# strict-http action allow alarm
  router(cfg-appfw-policy-http)# content-length maximum 1 action allow alarm
  router(cfg-appfw-policy-http)# content-type-verification match-req-rsp action allow alarm
  router(cfg-appfw-policy-http)# max-header-length request 1 response 1 action allow alarm
  router(cfg-appfw-policy-http)# max-uri-length 1 action allow alarm
  router(cfg-appfw-policy-http)# port-misuse default action allow alarm
  router(cfg-appfw-policy-http)# request-method rfc default action allow alarm
  router(cfg-appfw-policy-http)# request-method extension default action allow alarm
  router(cfg-appfw-policy-http)# transfer-encoding type default action allow alarm
  router(cfg-appfw-policy-http)# exit
  router(cfg-appfw-policy)# exit
  router(config)# ip inspect name FW appfw HTTP-Policy
  router(config)# ip inspect name FW http
  router(config)# interface FastEthernet0/0
  router(config-if)# ip inspect FW in

Every check here uses "action allow alarm", so violations are logged but not blocked; use "action reset" on a check to tear the connection down instead. The policy is attached to the inspection rule with "appfw HTTP-Policy" and applied through that rule's name on the interface (FW).
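The checks in this policy can be reproduced on a raw request to see what each "action allow alarm" line does. The following Python inspector is an added example, not Cisco code and not taken from the course: it applies strict-http, request-method rfc, max-uri-length, max-header-length, content-length maximum and transfer-encoding checks to a client request, with a policy table that maps each check to an action and an alarm flag like the CLI lines above. The numeric limits, the policy names PERMISSIVE_POLICY and STRICT_POLICY, and the sample requests are assumptions constructed for the example; content-type-verification and port-misuse, which need the response side, are left out, and a non-HTTP payload is reported as a strict-http violation.

```python
import re

# Methods defined by the HTTP/1.1 RFC ('request-method rfc' on the slide);
# anything else is what the slide's 'request-method extension' covers.
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")

# (action, alarm) per check, mirroring 'action allow alarm' on the slide.
PERMISSIVE_POLICY = {
    "strict-http": ("allow", True),
    "content-length": ("allow", True),
    "max-header-length": ("allow", True),
    "max-uri-length": ("allow", True),
    "request-method": ("allow", True),
    "transfer-encoding": ("allow", True),
}
# Same checks, but protocol violations reset the connection.
STRICT_POLICY = dict(PERMISSIVE_POLICY, **{"strict-http": ("reset", True)})

# Numeric limits are assumptions for the example (the slide's "1" values are placeholders).
LIMITS = {"content-length": 1_000_000, "max-header-length": 4096,
          "max-uri-length": 1024, "transfer-encoding": {b"chunked", b"identity"}}


def inspect_request(raw, policy=PERMISSIVE_POLICY, limits=LIMITS):
    """Apply the policy to one client request. Returns {'verdict', 'alarms'}."""
    alarms, verdict = [], "allow"

    def hit(check):
        nonlocal verdict
        action, alarm = policy[check]
        if alarm:
            alarms.append(check)
        if action == "reset":
            verdict = "reset"

    head, sep, _body = raw.partition(b"\r\n\r\n")
    match = REQUEST_LINE.match(head.split(b"\r\n", 1)[0]) if sep else None
    if not match:
        # Not parseable as HTTP at all (e.g. another protocol tunnelled on port 80).
        hit("strict-http")
        return {"verdict": verdict, "alarms": alarms}

    lines = head.split(b"\r\n")
    method, uri = match.group(1).decode(), match.group(2)
    if (match.group(3), match.group(4)) not in ((b"1", b"0"), (b"1", b"1")):
        hit("strict-http")
    if method not in RFC_METHODS:
        hit("request-method")
    if len(uri) > limits["max-uri-length"]:
        hit("max-uri-length")
    if len(head) - len(lines[0]) > limits["max-header-length"]:
        hit("max-header-length")

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            hit("strict-http")               # malformed header line
            continue
        headers[name.strip().lower()] = value.strip()

    te, cl = headers.get(b"transfer-encoding"), headers.get(b"content-length")
    if te is not None and te.lower() not in limits["transfer-encoding"]:
        hit("transfer-encoding")
    if cl is not None and not cl.isdigit():
        hit("strict-http")
    elif cl is not None and int(cl) > limits["content-length"]:
        hit("content-length")
    if te is not None and cl is not None:
        # Both present is ambiguous framing (request smuggling); this example
        # treats it as a strict-http violation, an assumption not taken from Cisco.
        hit("strict-http")
    return {"verdict": verdict, "alarms": alarms}


# Constructed sample traffic.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG_URI = b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ODD_METHOD = b"PROPFIND / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NOT_HTTP = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    for name, req in [("NORMAL", NORMAL), ("LONG_URI", LONG_URI),
                      ("ODD_METHOD", ODD_METHOD), ("NOT_HTTP", NOT_HTTP)]:
        print(name, inspect_request(req, STRICT_POLICY))
```

Under PERMISSIVE_POLICY every sample comes back with verdict "allow" and the alarm list shows what would have been logged; under STRICT_POLICY the SSH banner on the HTTP port produces a reset, which is the difference between auditing a policy and enforcing it.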

Application Firewall Policy for Instant Messaging (IM)

  router(config)# appfw policy-name IM-Policy
  router(cfg-appfw-policy)# application im yahoo
  router(cfg-appfw-policy-ymsgr)# server permit name scs.msg.yahoo.com
  router(cfg-appfw-policy-ymsgr)# server permit name scsa.msg.yahoo.com
  router(cfg-appfw-policy-ymsgr)# server permit name scsb.msg.yahoo.com
  router(cfg-appfw-policy-ymsgr)# server permit name scsc.msg.yahoo.com
  router(cfg-appfw-policy-ymsgr)# service text-chat action allow
  router(cfg-appfw-policy-ymsgr)# service default action reset
  router(cfg-appfw-policy-ymsgr)# exit
  router(cfg-appfw-policy)# application im aol
  router(cfg-appfw-policy-aim)# server deny name login.oscar.aol.com
  router(cfg-appfw-policy-aim)# exit
  router(cfg-appfw-policy)# application im msn
  router(cfg-appfw-policy-msnmsgr)# server deny name messenger.hotmail.com
  router(cfg-appfw-policy-msnmsgr)# exit
  router(cfg-appfw-policy)# exit
  router(config)# ip inspect name FW appfw IM-Policy
  router(config)# interface FastEthernet0/0
  router(config-if)# ip inspect FW in

Yahoo Messenger is allowed only to the listed servers and only for text chat (every other service is reset); AOL and MSN are blocked by denying their login servers. The server names are matched through DNS, so the router needs a name server configured.

Verifying Application Firewall

  router# show appfw configuration
  router# show appfw dns cache
  router# show appfw policy HTTP-Policy

Displays application firewall policy information; "show appfw dns cache" lists the addresses resolved for the server names used in IM policies.

Granular Protocol Inspection
- GPI allows you to configure any port number for an application protocol.
- Cisco IOS classic firewall uses PAM to determine the application configured for a port.

Port to Application Mapping (PAM)

Maps a port number to an application:

  router(config)# ip port-map http port 8080

Maps a port number to an application for a given host (the host uses port 8080 for HTTP services); the list keyword takes a standard ACL that identifies the host:

  router(config)# access-list 10 permit
  router(config)# ip port-map http port 8080 list 10

Maps a port number to an application for a given network; the standard ACL then carries a wildcard mask:

  router(config)# access-list 10 permit
  router(config)# ip port-map http port 8080 list 10

(The host address and the network/wildcard operands of the access-list lines did not survive extraction.)

Verifying PAM Configuration

Shows all port mapping information:

  router# show ip port-map
  Default mapping: snmp udp port 161 system defined
  Default mapping: echo tcp port 7 system defined
  Default mapping: echo udp port 7 system defined
  Default mapping: telnet tcp port 23 system defined
  Default mapping: wins tcp port 1512 system defined

Shows port mapping information for a given application:

  router# show ip port-map ftp
  Default mapping: ftp port 21 system defined
  Host specific: ftp port 1000 in list 10 user

Apply an Inspection Rule to an Interface

  router(config)# interface fastEthernet0/0
  router(config-if)# ip inspect FWRULE in

Applies the inspection rule to interface Fa0/0 in the inbound direction.

Enable Audit Trails and Alerts

  router(config)# service timestamps log datetime
  router(config)# logging
  router(config)# logging facility syslog
  router(config)# logging trap 7
  router(config)# ip inspect audit-trail

(The syslog host address after "logging" did not survive extraction.) "service timestamps log datetime" timestamps the messages, "logging trap 7" sends everything up to debugging severity to the syslog host, and "ip inspect audit-trail" turns audit trail messages on globally. Alerts are on by default (they are disabled globally with "ip inspect alert-off"); the per-rule "alert" and "audit-trail" keywords override these global settings for one protocol.

show Commands

  Router# show ip inspect name inspection-name
  Router# show ip inspect config
  Router# show ip inspect interfaces
  Router# show ip inspect session [detail]
  Router# show ip inspect all

Displays Classic Firewall configurations, interface configurations, and sessions.

  Router# sh ip inspect session
  Established Sessions
   Session C ( :35009)=>( :34233) tcp SIS_OPEN
   Session 6156F0CC ( :35011)=>( :34234) tcp SIS_OPEN
   Session 6156AF74 ( :35010)=>( :5002) tcp SIS_OPEN

(The addresses and part of the first session identifier in the output did not survive extraction.)
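Parsing the session table is how you spot sessions the rules were not meant to allow. The following Python script is an added example, not part of the course or of Cisco IOS: it parses the text of "show ip inspect sessions", resolves each destination port through a PAM-style table (system-defined defaults, user-defined entries, and a host-specific entry guarded by a standard ACL with an IOS wildcard mask, as on the PAM slides above), and flags sessions to unmapped ports or still half-open. The session lines, the ACL and the port map are constructed with documentation addresses; the SYSTEM table holds only a handful of the real default mappings, and the guess of UDP versus TCP from the protocol column is an assumption.

```python
import ipaddress
import re

# One line per session, as 'show ip inspect sessions' prints it.
SESSION_RE = re.compile(
    r"Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\S+)")
# Inspection names in the protocol column that ride on UDP (assumption for the example).
UDP_INSPECT = {"udp", "dns", "tftp", "snmp"}
MASK32 = 0xFFFFFFFF


class StandardAcl:
    """Ordered permit/deny entries with IOS wildcard masks and an implicit deny."""

    def __init__(self, entries):
        self.entries = [(action, int(ipaddress.IPv4Address(addr)),
                         int(ipaddress.IPv4Address(wild)))
                        for action, addr, wild in entries]

    def permits(self, ip):
        n = int(ipaddress.IPv4Address(ip))
        for action, addr, wild in self.entries:
            # Wildcard bits set to 1 are "don't care", so compare the other bits only.
            if ((n & ~wild) & MASK32) == ((addr & ~wild) & MASK32):
                return action == "permit"
        return False


class PortMap:
    """PAM table: system-defined defaults, user-defined global entries, and
    host-specific entries guarded by a standard ACL ('ip port-map ... list N')."""

    SYSTEM = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 25): "smtp",
              ("tcp", 80): "http", ("udp", 53): "dns", ("udp", 161): "snmp"}

    def __init__(self):
        self.user = {}            # (proto, port) -> app
        self.host_specific = []   # (proto, port, app, acl), in configuration order

    def port_map(self, app, proto, port, acl=None):
        """Equivalent of 'ip port-map <app> [tcp|udp] port <port> [list <acl>]'."""
        if acl is None:
            self.user[(proto, port)] = app
        else:
            self.host_specific.append((proto, port, app, acl))

    def lookup(self, proto, port, dst_ip):
        """Resolve the application for a connection to dst_ip:port."""
        for p, pt, app, acl in self.host_specific:
            if (p, pt) == (proto, port) and acl.permits(dst_ip):
                return app, "host-specific"
        if (proto, port) in self.user:
            return self.user[(proto, port)], "user-defined"
        if (proto, port) in self.SYSTEM:
            return self.SYSTEM[(proto, port)], "system-defined"
        return None, None


def classify_sessions(show_output, pam):
    """Parse 'show ip inspect sessions' text and tag each session with its PAM
    application and review flags (unmapped port, still half-open)."""
    rows = []
    for m in SESSION_RE.finditer(show_output):
        proto = "udp" if m["proto"] in UDP_INSPECT else "tcp"
        app, source = pam.lookup(proto, int(m["dport"]), m["dst"])
        flags = []
        if app is None:
            flags.append("unmapped-port")
        if m["state"] != "SIS_OPEN":
            flags.append("half-open")
        rows.append({"sid": m["sid"], "src": m["src"], "dst": m["dst"],
                     "dport": int(m["dport"]), "proto": m["proto"],
                     "state": m["state"], "app": app, "source": source,
                     "flags": flags})
    return rows


# Constructed sample output (documentation addresses; real output has the same shape).
SAMPLE = """\
Established Sessions
 Session 6156F0CC (192.0.2.10:35011)=>(198.51.100.20:80) http SIS_OPEN
 Session 6156AF74 (192.0.2.10:35010)=>(198.51.100.21:8080) tcp SIS_OPEN
 Session 6156B120 (192.0.2.11:40001)=>(203.0.113.7:8080) tcp SIS_OPEN
 Session 6156C3A0 (192.0.2.12:53120)=>(203.0.113.9:4444) tcp SIS_OPENING
"""

# access-list 10 permit 198.51.100.21  /  ip port-map http port 8080 list 10
PAM = PortMap()
PAM.port_map("http", "tcp", 8080, StandardAcl([("permit", "198.51.100.21", "0.0.0.0")]))

if __name__ == "__main__":
    for row in classify_sessions(SAMPLE, PAM):
        print(row["sid"], f'{row["dst"]}:{row["dport"]}', row["app"], row["flags"])
```

The second session resolves to http only because the host-specific entry's ACL matches its destination; the third, to the same port on a host the ACL does not cover, stays unmapped and would be inspected as generic TCP, and the fourth is both unmapped and still half-open, the kind of entry worth pulling with "show ip inspect session detail".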

debug Commands

General debug commands (privileged EXEC mode):

  Router# debug ip inspect function-trace
  Router# debug ip inspect object-creation
  Router# debug ip inspect object-deletion
  Router# debug ip inspect events
  Router# debug ip inspect timers

Protocol-specific debug, where "protocol" stands for an inspected protocol name such as tcp, udp, ftp, or http:

  Router# debug ip inspect protocol

Remove Classic Firewall Configuration

  router(config)# no ip inspect

- Removes the entire Classic Firewall configuration
- Resets all global timeouts and thresholds to the defaults
- Deletes all existing sessions

Summary
- Cisco IOS classic firewall works to provide network protection on multiple levels.
- Cisco IOS classic firewall uses stateful packet inspection (SPI) to inspect traffic and create temporary openings at firewall interfaces.
- There are several basic tasks required to configure Cisco IOS classic firewall.
- For classic firewall to work properly, you need to make sure that you have IP ACLs configured appropriately and applied at the appropriate interfaces.
- An inspection rule specifies what IP traffic will be inspected by Cisco IOS classic firewall.
- The complexity of the configuration depends on the topology and security requirements of the network.

Summary (Cont.)
- The application firewall uses static signatures to detect security violations.
- GPI allows you to specify TCP or UDP ports using the PAM table.
- After you define an inspection rule, you apply this rule to an interface.
- Turn on logging and audit trail to provide a record of network access through the firewall.
- You can view and verify Cisco IOS classic firewall configuration, status, statistics, and session information.
- Use the no ip inspect command to remove the Cisco IOS classic firewall configuration.
