© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.06-1 Cisco IOS Threat Defense Features: Implementing Cisco IOS Firewalls.

Transcript:

Configuring Cisco IOS Firewall from the CLI

Cisco IOS Firewall Configuration Tasks Using the CLI
1. Pick an interface: internal or external.
2. Configure IP ACLs at the interface.
3. Define inspection rules.
4. Apply inspection rules and ACLs to interfaces.
5. Test and verify.

Set Audit Trails and Alerts
  Router(config)# logging on
  Router(config)# logging host
  Router(config)# ip inspect audit-trail
  Router(config)# no ip inspect alert-off
ip inspect audit-trail enables the delivery of audit trail messages using syslog.
no ip inspect alert-off enables real-time alerts.

Define Inspection Rules for Application Protocols
  Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
Defines the application protocols to inspect. The named rule is later applied to an interface:
–Available protocols include tcp, udp, icmp, smtp, esmtp, cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, and others.
–Alert, audit-trail, and timeout are configurable per protocol and override the global settings.
Example:
  Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
  Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Apply an Inspection Rule to an Interface
  Router(config-if)# ip inspect inspection-name {in | out}
Applies the named inspection rule to an interface.
Example:
  Router(config)# interface e0/0
  Router(config-if)# ip inspect FWRULE in
Applies the inspection rule FWRULE to interface e0/0 in the inbound direction.

Guidelines for Applying Inspection Rules and ACLs to Interfaces
On the interface where traffic initiates:
–Apply an ACL in the inbound direction that permits only wanted traffic.
–Apply an inspection rule in the inbound direction that inspects the wanted traffic.
On all other interfaces, apply an ACL in the inbound direction that denies all unwanted traffic.

Example: Two-Interface Firewall
  ip inspect name OUTBOUND tcp
  ip inspect name OUTBOUND udp
  ip inspect name OUTBOUND icmp
  !
  ! Outside interface: inbound ACL only
  interface FastEthernet0/0
   ip access-group OUTSIDEACL in
  !
  ! Inside interface (where traffic initiates): inspect and filter inbound
  interface FastEthernet0/1
   ip inspect OUTBOUND in
   ip access-group INSIDEACL in
  !
  ip access-list extended OUTSIDEACL
   permit icmp any any packet-too-big
   deny ip any any log
  !
  ip access-list extended INSIDEACL
   permit tcp any any
   permit udp any any
   permit icmp any any

Example: Three-Interface Firewall
  ! Outside interface
  interface FastEthernet0/0
   ip inspect OUTSIDE in
   ip access-group OUTSIDEACL in
  !
  ! Inside interface
  interface FastEthernet0/1
   ip inspect INSIDE in
   ip access-group INSIDEACL in
  !
  ! DMZ interface
  interface FastEthernet0/2
   ip access-group DMZACL in
  !
  ip inspect name INSIDE tcp
  ip inspect name OUTSIDE tcp
  !
  ip access-list extended OUTSIDEACL
   permit tcp any host eq 25
   permit tcp any host eq 80
   permit icmp any any packet-too-big
   deny ip any any log
  !
  ip access-list extended INSIDEACL
   permit tcp any any eq 80
   permit icmp any any packet-too-big
   deny ip any any log
  !
  ip access-list extended DMZACL
   permit icmp any any packet-too-big
   deny ip any any log
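
To check a running configuration against the guideline above, here is an added Python example (not part of the Cisco course material): it parses the inspection rules, interface sub-commands and ACLs from a constructed config in the style of the two-interface example, and reports any interface that breaks the guideline. It goes slightly beyond the slides by also accepting the numbered ACLs and the outbound inspection placement that SDM generates; the sample config and the name of the initiating interface are assumptions.

```python
import re
# Constructed sample (not the slides' text verbatim): the two-interface firewall
# above, deliberately broken so that OUTSIDEACL lacks the final explicit deny.
SAMPLE = """ip inspect name OUTBOUND tcp
interface FastEthernet0/0
 ip access-group OUTSIDEACL in
interface FastEthernet0/1
 ip inspect OUTBOUND in
 ip access-group INSIDEACL in
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
ip access-list extended INSIDEACL
 permit tcp any any
"""

def parse(cfg):
    """Return (inspection rule names, per-interface settings, ACL bodies)."""
    rules, ifaces, acls, cur = set(), {}, {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"ip inspect name (\S+) \S+", s):
            rules.add(m[1])
        elif m := re.match(r"interface (\S+)", s):
            cur = ifaces.setdefault(m[1], {})
        elif m := re.match(r"ip access-list extended (\S+)", s):
            cur = acls.setdefault(m[1], [])
        elif m := re.match(r"access-list (\d+) (.+)", s):  # numbered ACL, as SDM emits
            acls.setdefault(m[1], []).append(m[2])
        elif isinstance(cur, dict) and (m := re.match(r"ip (inspect|access-group) (\S+) (in|out)$", s)):
            cur[(m[1], m[3])] = m[2]  # interface sub-command
        elif isinstance(cur, list) and line.startswith(" "):
            cur.append(s)  # named ACL entry
    return rules, ifaces, acls

def audit(cfg, initiating):
    """Guideline check: the initiating interface has an inbound ACL and is inspected (inbound
    there, or outbound on the far side as SDM does); others have an inbound ACL ending in deny+log."""
    rules, ifaces, acls = parse(cfg)
    far = any(("inspect", "out") in c for n, c in ifaces.items() if n != initiating)
    findings = []
    for name, conf in ifaces.items():
        acl = conf.get(("access-group", "in"))
        if name != initiating:
            if acls.get(acl, [])[-1:] != ["deny ip any any log"]:
                findings.append(f"{name}: needs an inbound ACL ending in 'deny ip any any log'")
        elif acl is None:
            findings.append(f"{name}: needs an inbound ACL permitting only wanted traffic")
        elif conf.get(("inspect", "in")) not in rules and not far:
            findings.append(f"{name}: wanted traffic is not inspected by a defined rule")
    return findings
```

Running audit(SAMPLE, "FastEthernet0/1") reports only the outside interface, because its ACL does not end with the explicit logged deny.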

Verifying Cisco IOS Firewall
  show ip inspect name inspection-name
  show ip inspect config
  show ip inspect interfaces
  show ip inspect session [detail]
  show ip inspect statistics
  show ip inspect all
Displays inspections, interface configurations, sessions, and statistics.
  Router# show ip inspect session
  Established Sessions
   Session C ( :35009)=>( :34233) tcp SIS_OPEN
   Session 6156F0CC ( :35011)=>( :34234) tcp SIS_OPEN
   Session 6156AF74 ( :35010)=>( :5002) tcp SIS_OPEN
  Router#
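
An added Python example (not from the course) that parses output in the format of the show ip inspect session listing above, counts sessions by protocol and state, and names initiators holding several half-open (SIS_OPENING) entries. The sample output, its session IDs, addresses and ports, and its Half-open Sessions section are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the slide's "show ip inspect session" output.
# Session IDs, addresses and ports are made up (documentation address ranges), and
# the "Half-open Sessions" section is assumed; it does not appear on the slide.
SAMPLE_OUTPUT = """Router#show ip inspect session
Established Sessions
 Session 6156F0CC (192.0.2.10:35011)=>(198.51.100.20:34234) tcp SIS_OPEN
 Session 6156AF74 (192.0.2.10:35010)=>(198.51.100.20:5002) tcp SIS_OPEN
Half-open Sessions
 Session 6157A3E0 (192.0.2.11:40001)=>(198.51.100.21:80) tcp SIS_OPENING
 Session 6157B120 (192.0.2.11:40002)=>(198.51.100.21:80) tcp SIS_OPENING
 Session 6157C004 (192.0.2.12:40003)=>(198.51.100.21:80) tcp SIS_OPENING
Router#
"""

SESSION_RE = re.compile(
    r"Session (?P<id>[0-9A-F]+) \((?P<src>[^:]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[^:]+):(?P<dport>\d+)\) (?P<proto>\S+) (?P<state>SIS_\S+)")

def parse_sessions(text):
    """One dict per session line; section headings and prompts are skipped."""
    return [m.groupdict() for m in map(SESSION_RE.search, text.splitlines()) if m]

def summarize(text, half_open_limit=2):
    """Count sessions by (protocol, state) and list initiators holding at least
    half_open_limit SIS_OPENING sessions, the trace a SYN flood leaves in the table."""
    sessions = parse_sessions(text)
    by_state = Counter((s["proto"], s["state"]) for s in sessions)
    opening = Counter(s["src"] for s in sessions if s["state"] == "SIS_OPENING")
    noisy = sorted(src for src, n in opening.items() if n >= half_open_limit)
    return by_state, noisy
```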

Troubleshooting Cisco IOS Firewall
General debug commands:
  Router# debug ip inspect function-trace
  Router# debug ip inspect object-creation
  Router# debug ip inspect object-deletion
  Router# debug ip inspect events
  Router# debug ip inspect timers
  Router# debug ip inspect detail
Protocol-specific debug:
  Router# debug ip inspect protocol

Basic and Advanced Firewall Wizards

Basic and Advanced Firewall Wizards
SDM offers configuration wizards to simplify Cisco IOS Firewall configuration. Two configuration wizards exist:
–Basic Firewall Configuration wizard: supports two interface types (Inside and Outside) and applies predefined rules.
–Advanced Firewall Configuration wizard: supports more interfaces (Inside, Outside, and DMZ) and applies predefined or custom rules.

Configuring a Basic Firewall

Basic Firewall Interface Configuration

Basic Firewall Configuration Summary and Deployment

Reviewing the Basic Firewall for the Originating Traffic

Reviewing the Basic Firewall for the Returning Traffic

Resulting Basic Firewall Inspection Rule Configuration
  Router# show running-config | include ip inspect name
  ip inspect name SDM_LOW cuseeme
  ip inspect name SDM_LOW dns
  ip inspect name SDM_LOW ftp
  ip inspect name SDM_LOW h323
  ip inspect name SDM_LOW https
  ip inspect name SDM_LOW icmp
  ip inspect name SDM_LOW imap
  ip inspect name SDM_LOW pop3
  ip inspect name SDM_LOW netshow
  ip inspect name SDM_LOW rcmd
  ip inspect name SDM_LOW realaudio
  ip inspect name SDM_LOW rtsp
  ip inspect name SDM_LOW esmtp
  ip inspect name SDM_LOW sqlnet
  ip inspect name SDM_LOW streamworks
  ip inspect name SDM_LOW tftp
  ip inspect name SDM_LOW tcp
  ip inspect name SDM_LOW udp
  ip inspect name SDM_LOW vdolive

Resulting Basic Firewall ACL Configuration
  Router# show running-config | include access-list
  access-list 100 remark autogenerated by SDM firewall configuration
  access-list 100 remark SDM_ACL Category=1
  access-list 100 deny ip any
  access-list 100 deny ip host any
  access-list 100 deny ip any
  access-list 100 permit ip any any
  access-list 101 remark autogenerated by SDM firewall configuration
  access-list 101 remark SDM_ACL Category=1
  access-list 101 deny ip any
  access-list 101 permit icmp any host echo-reply
  access-list 101 permit icmp any host time-exceeded
  access-list 101 permit icmp any host unreachable
  access-list 101 deny ip any
  access-list 101 deny ip any
  access-list 101 deny ip any
  access-list 101 deny ip any
  access-list 101 deny ip host any
  access-list 101 deny ip host any
  access-list 101 deny ip any any log

Resulting Basic Firewall Interface Configuration
  Router# show running-config | begin interface
  interface FastEthernet0/0
   description $FW_INSIDE$
   ip address
   ip access-group 100 in
  !
  interface Serial0/0/0
   description $FW_OUTSIDE$
   ip address
   ip access-group 101 in
   ip verify unicast reverse-path
   ip inspect SDM_LOW out
  !

Configuring Interfaces on an Advanced Firewall

Advanced Firewall Interface Configuration

Configuring a DMZ on an Advanced Firewall

Advanced Firewall DMZ Service Configuration

Advanced Firewall DMZ Service Configuration: TCP

Advanced Firewall DMZ Service Configuration: UDP

Advanced Firewall DMZ Service Configuration (Cont.)

Advanced Firewall Security Configuration

Advanced Firewall Security Policy

Advanced Firewall Protocols and Applications

Advanced Firewall Protocols and Applications (Cont.)

Advanced Firewall Inspection Parameters

Advanced Firewall Security Policy Selection

Complete the Configuration

Advanced Firewall Configuration Summary and Deployment

Resulting Advanced Firewall Inspection Rule Configuration
  Router# show running-config | include ip inspect name
  ip inspect name appfw_100 tcp audit-trail on
  ip inspect name appfw_100 udp
  ip inspect name appfw_100 ftp
  ip inspect name dmzinspect tcp
  ip inspect name dmzinspect udp

Resulting Advanced Firewall ACL Configuration
  Router# show running-config | include access-list
  access-list 100 remark autogenerated by SDM firewall configuration
  access-list 100 remark SDM_ACL Category=1
  access-list 100 deny ip any
  access-list 100 deny ip any
  access-list 100 deny ip host any
  access-list 100 deny ip any
  access-list 100 permit ip any any
  access-list 101 remark autogenerated by SDM firewall configuration
  access-list 101 remark SDM_ACL Category=1
  access-list 101 deny ip any any log
  access-list 102 remark autogenerated by SDM firewall configuration
  access-list 102 remark SDM_ACL Category=1
  access-list 102 deny ip any
  access-list 102 deny ip any
  access-list 102 permit icmp any host echo-reply
  access-list 102 permit icmp any host time-exceeded
  access-list 102 permit icmp any host unreachable
  access-list 102 permit tcp any host eq www
  access-list 102 permit udp any host eq isakmp
  access-list 102 deny ip any
  access-list 102 deny ip any
  access-list 102 deny ip any
  access-list 102 deny ip any
  access-list 102 deny ip host any
  access-list 102 deny ip host any
  access-list 102 deny ip any any log

Resulting Advanced Firewall Interface Configuration
  Router# show running-config | begin interface
  interface FastEthernet0/0
   description $FW_INSIDE$
   ip address
   ip access-group 100 in
   ip inspect appfw_100 in
  !
  interface FastEthernet0/1
   description $FW_DMZ$
   ip address
   ip access-group 101 in
   ip inspect dmzinspect out
  !
  interface Serial0/0/0
   description $FW_OUTSIDE$
   ip address
   ip access-group 102 in
   ip verify unicast reverse-path
  !

Viewing Firewall Activity

Preparing for Firewall Activity Viewing

Viewing Firewall Log

Summary
Cisco IOS Firewall can be configured using the CLI or the SDM.
Inspection rules must specify which protocols will be inspected by the firewall engine at an interface.
Inspection rules can help protect hosts against certain DoS attacks involving fragmented IP packets.
SDM offers configuration wizards to expedite the firewall configuration process.
The Basic Firewall Configuration wizard supports two interfaces and predefines filter rules.
The Advanced Firewall Configuration wizard supports three interfaces and customized filter rules.
SDM offers monitoring capabilities to view the firewall activity.
