Generic TCP and UDP Inspection

Any application-layer protocol that is inspected takes precedence over generic TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control-channel information is recorded in the state table, and FTP traffic is permitted back through the firewall only while the control-channel information is valid for the state of the FTP session. The fact that generic TCP inspection is also configured is irrelevant for those FTP sessions. With generic TCP and UDP inspection, packets entering the network must exactly...

Legacy Cisco IOS Stateful Inspection

Multiple inspection policies and ACLs on several interfaces in a router make it difficult to correlate the policies that will be applied to traffic between multiple interfaces.

Very little inspection-policy granularity: policies could not be tied to a host group or subnet with an ACL. All traffic through a given interface was subject to the same inspection.

Classical stateful inspection relies too heavily on ACLs.

2007 Cisco Systems, Inc. All rights reserved. SNRS V2.0 5-2

The older Cisco IOS...

Builtin Signatures

Built-in signatures are the last resort when the router loads signatures. They can be turned off from the CLI with 'no ip ips sdf builtin'. Cisco recommends using the pre-tuned SDF files: attack-drop.sdf, 128MB.sdf and 256MB.sdf. Built-in signatures will NOT be supported in 12.4(PI5)T, when IOS IPS supports the 5.x signature format.

A signature detects patterns of misuse in network traffic. IPS signatures are released in the form of S-files, which are lists of signatures...

Cisco IOS Classic Firewall Restrictions

Cisco IOS classic firewall has the following restrictions:

Cisco IOS classic firewall is available only for IP traffic. Only TCP and UDP packets are inspected. (Other IP traffic, such as ICMP, cannot be inspected with Cisco IOS classic firewall and should be filtered with basic ACLs instead.)

If you reconfigure your ACLs when you configure Cisco IOS classic firewall, be aware that if your ACLs block TFTP traffic into an interface, you will not be able to netboot over that interface. Note: This is...

Authentication Proxy Rules with ACLs

router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
router(config)# ip auth-proxy name APRULE http list 10
router(config)# interface FastEthernet0/0
router(config-if)# ip auth-proxy APRULE

Creates an authentication proxy rule with an ACL and applies it to an interface. (The rule name must be spelled the same way in both commands.)

You can associate a Cisco IOS Firewall authentication proxy rule with an ACL, providing control over which hosts use the Cisco IOS Firewall authentication proxy. To create a Cisco IOS Firewall...

Apply an IPS Rule at an Interface

Applies an IPS rule at an interface.

To apply an IPS rule to an interface, use the ip ips command in interface configuration mode. To remove an IPS rule from an interface direction, use the no form of this command.

router(config-if)# ip ips ips-name {in | out}

By default, IPS signatures are not applied to an interface or direction. The ip ips command loads the SDF onto the router and builds the signature engines when IPS is applied to the...

Applying Authprox to an Interface

Use the ip auth-proxy command to enable the named authentication proxy rule at the firewall interface. Traffic passing through the interface from hosts with an IP address matching the standard access list and protocol type (HTTP, FTP, or Telnet) is intercepted for authentication if no corresponding authentication cache entry exists. If no access list is defined, the authentication proxy intercepts traffic from all hosts whose connection initiating packets are received at the configured...

Attaching a Policy Map to a Zone Pair

To attach a policy map to a zone pair, follow these steps.

Step 1: Enter zone-pair configuration mode.

router(config)# zone-pair security zone-pair-name source zone1 destination zone2

Step 2: Attach a firewall policy map to the zone pair.

router(config-sec-zone-pair)# service-policy type inspect policy-map-name

The name can be a maximum of 40 alphanumeric characters. Use the service-policy type inspect command to attach a policy map and its associated actions to a zone pair. Enter this command...

Attaching a Policy to a Signature

This section describes how to attach a policy to a signature.

Attach a Policy to a Given Signature (Optional)

router(config)# ip ips signature 6500 list 99
router(config)# ip ips signature 1000 disable

The first command associates an access list with signature 6500; the second disables signature 1000 in the SDF.

To attach a policy to a signature, use the ip ips signature command in global configuration mode. If the policy disabled a signature, use the no form of this...

Authentication Proxy

The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and the related authorized access were associated with a user IP address, or a single security policy had to be applied to an entire user group or subnetwork. Now, users can be identified and authorized on the basis of their per-user policy, and access privileges tailored on an individual basis are possible, as opposed to a general...

Authentication Proxy Configuration

Create the authentication proxy rule. Apply the Cisco IOS Firewall authentication proxy rule to an interface. Verify the Cisco IOS Firewall authentication proxy.

There are several tasks required to configure Cisco IOS Firewall authentication proxy. To configure the Cisco IOS Firewall authentication proxy feature, perform the following tasks: Configure the Cisco IOS Firewall authentication proxy. Verify the Cisco IOS Firewall authentication...

Apply an Inspection Rule to an Interface

router(config)# interface FastEthernet0/0
router(config-if)# ip inspect FWRULE in

Applies the inspection rule to interface FastEthernet0/0 in the inbound direction.

After you define an inspection rule, you apply that rule to an interface. Normally, you apply only one inspection rule to one interface. The only exception might occur if you want to enable Cisco IOS classic firewall in two directions as described earlier. For Cisco IOS classic firewall...

IP Virtual Reassembly

A resource-exhaustion (buffer overflow) attack can occur when an attacker continuously sends a large number of incomplete IP fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets. IP virtual reassembly is an interface feature that, when turned on, automatically reassembles fragmented packets coming into the router through that interface. Cisco recommends that you enable ip virtual-reassembly on all interfaces where traffic comes into the router. To enable virtual...

Granular Protocol Inspection

GPI allows you to configure any port number for an application protocol. Cisco IOS classic firewall uses PAM to determine the application configured for a port.

The Cisco IOS Firewall performs inspections for TCP and UDP traffic. For example, TCP inspections include Telnet traffic (port 23, by default) and all other applications on TCP such as HTTP, e-mail, instant-messaging chatter, and so on. Therefore, there is no easy way to inspect Telnet...

Creating Security Zones and Zone Pairs

You need two security zones to create a zone pair. However, you can also create only one security zone and use a system-defined security zone called self. Note: If you select a self zone, you cannot configure inspect policing.

1. Create at least one security zone.
2. Assign interfaces to security zones.

Before you create zones, think about what should constitute the zones. The general guideline is that you should group together interfaces that are similar when they are viewed from a security...

Cisco IOS Firewall IPS Configuration

This topic describes how to configure Cisco IOS Firewall IPS on a router.

Install Cisco IOS Firewall IPS on the router. Attach a policy to a signature (optional). Configure logging via syslog or SDEE.

Several tasks are required to configure Cisco IOS IPS on a router. To configure the Cisco IOS IPS on a router and to have it report alarms to a syslog server or to Cisco SDM,...

Three Interface Configuration with DMZ

router(config)# ip inspect name IN_to_OUT smtp
router(config)# ip inspect name IN_to_OUT ftp
router(config)# ip inspect name IN_to_OUT tcp
router(config)# ip inspect name IN_to_OUT udp
router(config)# ip inspect name IN_to_OUT sqlnet
router(config)# ip inspect name IN_to_OUT realaudio
router(config)# ip inspect name IN_to_OUT h323
router(config)# ip inspect name OUT_to_IN tcp
router(config)# ip inspect name OUT_to_IN ftp
router(config)# ip inspect name OUT_to_IN vdolive
router(config)# ip inspect name OUT_to_IN netshow
router(config)# ip inspect name OUT_to_IN h323

IN_to_OUT is configured for traffic destined for the Internet or the DMZ. Inspection is configured inbound on the inside interface...

Set Global Timers

router(config)# ip auth-proxy inactivity-timer 120
router(config)# ip auth-proxy name APRULE http
router(config)# interface FastEthernet0/0
router(config-if)# ip auth-proxy APRULE

The first command sets the authentication inactivity timer in minutes (default 60 minutes). The second creates an authentication proxy rule. The last applies the rule to an interface: for outbound authentication, apply it to the inside interface; for inbound authentication, apply it to the outside interface.
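The rule, ACL, timer and interface steps from the authentication proxy sections above, assembled into one complete configuration. This is an added example, not the guide's own; the AAA server, its key, the addresses, the ACL numbers and the interface are assumptions, and the inbound ACL follows the usual pattern of permitting only the TACACS+ exchange (and DNS) until the user has authenticated.

```cisco
! Added example, not from the SNRS guide. Addresses, key, ACL numbers and
! names are assumptions. Inside LAN 10.0.1.0/24 on Fa0/0; TACACS+ server
! 10.0.1.3 on that LAN; users browse outward and must log in first.
!
! AAA: the proxy needs login authentication and auth-proxy authorization.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.1.3
tacacs-server key EXAMPLE-KEY
!
! The login page is served by the router's HTTP server, which must use AAA.
ip http server
ip http authentication aaa
!
! Global timer: a user's cache entry is removed after 120 idle minutes.
ip auth-proxy inactivity-timer 120
!
! Only hosts matched by ACL 10 are intercepted for HTTP authentication.
access-list 10 permit 10.0.1.0 0.0.0.255
ip auth-proxy name APRULE http list 10
!
! Inbound ACL on the inside interface. Before a user authenticates, only the
! TACACS+ replies to the router and DNS lookups may pass; after login the
! proxy inserts per-user dynamic entries ahead of the final deny.
access-list 116 permit tcp host 10.0.1.3 eq tacacs host 10.0.1.1
access-list 116 permit udp 10.0.1.0 0.0.0.255 any eq domain
access-list 116 deny   ip any any
!
! Outbound authentication, so the rule goes on the INSIDE interface.
interface FastEthernet0/0
 description inside
 ip address 10.0.1.1 255.255.255.0
 ip access-group 116 in
 ip auth-proxy APRULE
!
! Verification:
!   show ip auth-proxy configuration
!   show ip auth-proxy cache
```

The rule name is spelled identically in the `ip auth-proxy name` and interface `ip auth-proxy` commands; mixing `APRULE` and `aprule`, as the slide fragments do, is the most common reason the proxy never intercepts anything.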

Application Layer Protocol Inspection

To define a set of inspection rules, enter the ip inspect name command for each protocol that you want the Cisco IOS classic firewall to inspect, using the same inspection name. Give each set of inspection rules a unique inspection name, which should not exceed the 16-character limit. Define either one or two sets of rules per interface: you can define one set to examine both inbound and outbound traffic, or you can define two sets, one for outbound traffic and one for inbound traffic. To define...

How Cisco IOS Classic Firewall Works

This section describes a sample sequence of events that occurs when Cisco IOS classic firewall is configured at an external interface that connects to an external network such as the Internet. In this example, a TCP packet exits the internal network through the external interface of the firewall. The TCP packet is the first packet of an HTTP session, and TCP is configured for Cisco IOS classic firewall inspection. 1. User X initiates an HTTP session and the packet reaches the external interface...

When and Where to Configure Cisco IOS Classic Firewall

Configure Cisco IOS classic firewall at firewalls protecting internal networks. Such firewalls should be Cisco routers with the Cisco IOS Firewall feature set.

Use Cisco IOS classic firewall when the firewall will be passing traffic such as the following: standard TCP and UDP Internet applications. Use Cisco IOS classic firewall for these applications if you want the application traffic to be permitted through the firewall only when the traffic session is initiated from a particular side of the...

Student Guide

Editorial, Production, and Web Services, 02.06.07

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA. www.cisco.com. Tel: 408 526-4000, 800 553-NETS (6387). Fax: 408 527-0883.

Cisco Systems International BV, Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands. www-europe.cisco.com. Tel: +31 0 8000200791. Fax: +31 0 20 357 1100.

Cisco Systems, Inc., 168 Robinson Road, #28-01 Capital Tower, Singapore 068912. www.cisco.com. Tel: +65 6317 7777. Fax: +65 6317 7799.

Cisco has more than...

How Classic Firewall Works

router(config)# access-list 104 deny ip any any
router(config)# access-list 103 permit tcp any any eq www
router(config)# ip inspect name FWRULE tcp
router(config)# interface Serial0
router(config-if)# ip access-group 103 out
router(config-if)# ip access-group 104 in
router(config-if)# ip inspect FWRULE out
router# show ip inspect sessions
Established Sessions
 Session 641721A8 (10.0.1.12:3575)=>(10.0.6.12:80) http SIS_OPEN

ACL 103, applied outbound on Serial0, limits what the inside may initiate (HTTP only). ACL 104, applied inbound, denies everything; the TCP inspection rule applied outbound records each outgoing session and opens a temporary entry ahead of that deny for its return traffic. The session shown in the state table is one such entry.

Layer 7 classmap type inspect Command

Examines SMTP traffic for large messages:

R1(config)# class-map type inspect smtp huge-mails
R1(config-cmap)# match data-length gt 100000
R1(config-cmap)# exit
R1(config)# policy-map type inspect smtp mysmtp-policy
R1(config-pmap)# class type inspect smtp huge-mails
R1(config-pmap-c)# reset
R1(config-pmap-c)# exit
R1(config-pmap)# exit
R1(config)# class-map type inspect c1
R1(config-cmap)# match protocol smtp
R1(config-cmap)# exit
R1(config)# policy-map type inspect mypolicy
R1(config-pmap)# class type inspect c1
R1(config-pmap-c)# inspect
R1(config-pmap-c)# service-policy smtp mysmtp-policy

The Layer 7 (smtp) class map and policy map define what to do with SMTP sessions carrying more than 100000 bytes of data (reset them). The Layer 3/4 class map c1 selects SMTP traffic, and the inspect policy mypolicy both inspects it and hands it to the SMTP application-layer policy.

SPI or CBAC

Cisco IOS SPI can be described as a mechanism to discover good connections that originate on the secure (trusted) side of the firewall, and watch for and allow the return traffic that correlates with these connections. Connections originating on the unsecure (untrusted) side of the firewall are not allowed to reach the secure network, as controlled by an ACL facing the unsecure network as shown in the figure above. Many changes have been made to CBAC to enhance its capability and increase...

Port to Application Mapping

router(config)# ip port-map http port 8080
Maps a port number to an application.

router(config)# access-list 110 permit 10.0.1.12
router(config)# ip port-map http port 8080 list 110
Maps a port number to an application for a given host: host 10.0.1.12 uses port 8080 for HTTP services.

router(config)# access-list 110 permit 10.0.1.0 0.0.0.255
router(config)# ip port-map http port 8080 list 110
Maps a port number to an application for a given network. (Each of the three forms is an independent alternative.)
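The classic-firewall pieces covered in Generic TCP and UDP Inspection, Apply an Inspection Rule to an Interface, IP Virtual Reassembly, Granular Protocol Inspection, How Classic Firewall Works and Port to Application Mapping, combined into one working two-interface configuration. This is an added example, not the guide's own; the addresses, ACL numbers, interface and rule names, and the outside web server on port 8080 are assumptions.

```cisco
! Added example, not from the SNRS guide. Addresses, ACL numbers and names
! are assumptions. Fa0/0 is inside (10.0.1.0/24), Serial0/0 is outside.
!
! ACL 103 (outbound on the outside interface): what the inside may start.
access-list 103 permit tcp 10.0.1.0 0.0.0.255 any
access-list 103 permit udp 10.0.1.0 0.0.0.255 any eq domain
access-list 103 deny   ip any any log
!
! ACL 104 (inbound on the outside interface): nothing may be initiated from
! outside. The classic firewall inserts temporary entries ahead of this deny
! for the return traffic of inspected sessions. ICMP cannot be inspected, so
! the ICMP types needed for path-MTU discovery and traceroute are permitted
! statically here, as the restrictions section recommends.
access-list 104 permit icmp any 10.0.1.0 0.0.0.255 unreachable
access-list 104 permit icmp any 10.0.1.0 0.0.0.255 time-exceeded
access-list 104 deny   ip any any log
!
! PAM: an outside web server (assumed 203.0.113.10) serves HTTP on 8080.
! Mapping the port for that host only makes the HTTP application-layer
! engine handle those sessions instead of generic TCP inspection.
access-list 110 permit 203.0.113.10
ip port-map http port 8080 list 110
!
! One inspection rule. The application-layer entries (ftp, http) take
! precedence over the generic tcp/udp entries for their own protocols;
! tcp and udp cover everything else that ACL 103 let out.
ip inspect name FWRULE ftp
ip inspect name FWRULE http
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
! Reassemble fragments on every ingress interface so fragment floods cannot
! starve the state table and so inspection always sees whole packets.
interface FastEthernet0/0
 description inside
 ip address 10.0.1.1 255.255.255.0
 ip virtual-reassembly
!
interface Serial0/0
 description outside
 ip address 192.0.2.2 255.255.255.252
 ip access-group 103 out
 ip access-group 104 in
 ip inspect FWRULE out
 ip virtual-reassembly
!
! Verification:
!   show ip inspect config
!   show ip inspect sessions
!   show ip port-map http
```

Applying inspection outbound on the outside interface, as the guide's Serial0 example does, is equivalent for this purpose to applying it inbound on the inside interface; what matters is that the rule sees the session's first packet before the return traffic has to pass ACL 104.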

Enable Audit Trails and Alerts

router(config)# service timestamps log datetime
router(config)# logging 10.0.0.3
router(config)# logging facility syslog
router(config)# logging trap 7
router(config)# ip inspect audit-trail

Turn on logging and the audit trail to provide a record of network access through the firewall, including illegitimate access attempts, and inbound and outbound services. Follow this procedure to configure logging and audit trail functions. Step 1: Add the date and time to syslog and audit trail messages....

Half Opened Connection Limits by Host

router(config)# ip inspect tcp max-incomplete host number block-time minutes

This command defines the number of half-open TCP sessions with the same destination host address that can exist at a time before the Cisco IOS classic firewall starts deleting half-open sessions to that host. After the number of half-open connections to a given host is exceeded, the software deletes half-open sessions on that host in the following manner: If the block time is 0, the oldest half-open session is deleted, per new...

Half Open Sessions

An unusually high number of half-opened sessions (either absolute or measured as the arrival rate) could indicate that a DoS attack is occurring. For TCP, half-opened means that the session has not reached the established state the TCP three-way handshake has not yet been completed. For UDP, half-opened means that the firewall has detected no return traffic. Cisco IOS classic firewall measures both the total number of existing half-opened sessions and the rate of session establishment attempts....
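The global and per-host half-open thresholds described in the two sections above, set together as an added example (not from the guide). The values are assumptions chosen for a small site; the point is the relationship between the high and low watermarks, the per-host limit, and the two block-time behaviours.

```cisco
! Added example, not from the SNRS guide. Threshold values are assumptions;
! start from 'show ip inspect statistics' on your own traffic.
!
! Absolute count of half-open sessions: when the total exceeds 400 the
! firewall starts deleting half-open sessions (oldest first) and keeps
! doing so until the count drops below 300.
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
!
! Arrival rate: same behaviour keyed to new half-open sessions per minute.
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Per-destination-host limit for TCP. With block-time 0 the firewall
! deletes the oldest half-open session to that host for each new SYN, so
! the server stays reachable during a flood. With a non-zero block-time
! (minutes) it instead refuses ALL new connections to that host for that
! long once the limit is crossed, which is safer for the server but makes
! the attacker's job of taking it offline easier.
ip inspect tcp max-incomplete host 50 block-time 0
!
! Shorten how long a TCP session may stay half-open (handshake not
! completed) before it is dropped; the default is 30 seconds.
ip inspect tcp synwait-time 15
!
! What to watch:
!   show ip inspect config       - thresholds in effect
!   show ip inspect statistics   - current and maximum half-open counts
!   show ip inspect sessions     - SIS_OPENING entries are half-open
```

Keep the low watermark clearly below the high one; if the two are equal the firewall oscillates in and out of deletion mode on every new connection attempt once the threshold is reached.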

Zoning Rules Summary

If two interfaces are not in zones, traffic flows freely between them. If one interface is in a zone and another interface is not in a zone, traffic can never flow between them. If two interfaces are in two different zones, traffic does not flow between them until a policy is defined to allow it.

Zoning rules may be summarized as follows: Traffic flows freely between interfaces that are not in a zone. If one...

Application Firewall Policy for HTTP

router(config)# appfw policy-name HTTP-Policy
router(cfg-appfw-policy)# application http
router(cfg-appfw-policy-http)# strict-http action allow alarm
router(cfg-appfw-policy-http)# content-length maximum 1 action allow alarm
router(cfg-appfw-policy-http)# content-type-verification match-req-rsp action allow alarm
router(cfg-appfw-policy-http)# max-header-length request 1 response 1 action allow alarm
router(cfg-appfw-policy-http)# max-uri-length 1 action allow alarm
router(cfg-appfw-policy-http)# ...

Application Firewall Policy for Instant Messaging IM

router(config)# appfw policy-name IM-Policy
router(cfg-appfw-policy)# application im yahoo
router(cfg-appfw-policy-ymsgr)# server permit name scs.msg.yahoo.com
router(cfg-appfw-policy-ymsgr)# server permit name scsa.msg.yahoo.com
router(cfg-appfw-policy-ymsgr)# server permit name scsb.msg.yahoo.com
router(cfg-appfw-policy-ymsgr)# server permit name scsc.msg.yahoo.com
router(cfg-appfw-policy-ymsgr)# service text-chat action allow
router(cfg-appfw-policy-ymsgr)# service default action reset
...
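The two application-firewall sections above define policies but stop before the step that makes them take effect: an appfw policy does nothing until it is bound to a classic-firewall inspection rule that also inspects the protocol at the application layer, and the rule is applied to an interface. The following is an added example (not the guide's own) of that binding; the policy, rule and interface names are assumptions, and it assumes, as Cisco's IM examples do, that one inspection rule carries a single appfw policy, so HTTP and Yahoo Messenger controls are placed under one policy name.

```cisco
! Added example, not from the SNRS guide. Policy, rule and interface names
! are assumptions. One appfw policy holds both applications because an
! inspection rule references a single policy (assumed here).
appfw policy-name WEB-AND-IM
 application http
  strict-http action reset alarm
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
 application im yahoo
  server permit name scs.msg.yahoo.com
  service text-chat action allow
  service default action reset
!
! The policy is consulted only for protocols the same rule inspects at the
! application layer, so http and ymsgr inspection are listed explicitly;
! the generic tcp entry covers everything else.
ip inspect name FWRULE appfw WEB-AND-IM
ip inspect name FWRULE http
ip inspect name FWRULE ymsgr
ip inspect name FWRULE tcp
!
! Inbound on the inside interface: users' outbound web and IM sessions are
! inspected as they enter the router.
interface FastEthernet0/0
 description inside
 ip inspect FWRULE in
!
! Verification:
!   show appfw configuration WEB-AND-IM
!   show ip inspect sessions
```

Using `reset` rather than `allow alarm` for the HTTP checks is the hardening step; the slide's `allow alarm` values are for observing what a policy would catch before it is enforced.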

Signature Definition File SDF

An SDF contains all or a subset of the signatures supported by Cisco IPS. An IPS loads the signatures contained in the SDF and scans incoming traffic for matching signatures. The IPS enforces the policy defined in the signature action. Cisco IPS uses the SDF to populate internal tables with the information necessary to detect each signature. The SDF can be saved in the router flash memory. SDFs are downloaded from cisco.com. The SDF...
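The IOS IPS steps spread across the Builtin Signatures, Apply an IPS Rule at an Interface, Attaching a Policy to a Signature, Cisco IOS Firewall IPS Configuration and Signature Definition File sections, brought together as one configuration. This is an added example, not the guide's own; the SDF file name is one of the pre-tuned files the guide names, while the ACL numbers, addresses, rule name and the interface are assumptions. The semantics of the per-signature ACL (sources the ACL denies are exempt from that signature) follow Cisco's IOS IDS/IPS documentation rather than anything on this page.

```cisco
! Added example, not from the SNRS guide. ACL numbers, addresses, names and
! the interface are assumptions. Uses a 4.x-format SDF, as the guide does.
!
! 1. Point IPS at the signature file (copied to flash beforehand). If it
!    cannot be loaded, drop traffic instead of forwarding it uninspected
!    (the default is fail open), and do not fall back to built-in signatures.
ip ips sdf location flash:attack-drop.sdf
ip ips fail closed
no ip ips sdf builtin
!
! 2. The rule. ACL 101 scopes what is scanned: only traffic headed for the
!    inside network.
access-list 101 permit ip any 10.0.1.0 0.0.0.255
ip ips name MYIPS list 101
!
! 3. Optional per-signature policy. ACL 99 exempts the internal vulnerability
!    scanner (assumed 10.0.1.250) from signature 6500 while every other
!    source is still checked; signature 1000 is disabled outright.
access-list 99 deny   10.0.1.250
access-list 99 permit any
ip ips signature 6500 list 99
ip ips signature 1000 disable
!
! 4. Alarm delivery: syslog to a collector, and SDEE for SDM. SDEE is served
!    by the router's HTTP server and keeps a bounded event buffer.
logging host 10.0.0.3
ip ips notify log
ip ips notify sdee
ip http server
ip http secure-server
ip sdee events 500
!
! 5. Apply on the outside interface, inbound. This is the point at which
!    the SDF is loaded and the signature engines are built.
interface Serial0/0
 description outside
 ip ips MYIPS in
!
! Verification:
!   show ip ips configuration
!   show ip ips signatures
!   show ip sdee events
```

`ip ips fail closed` is the setting to think about before relying on the rule: with the default fail-open behaviour a router that cannot load its SDF (corrupt file, memory too small for 256MB.sdf) passes traffic silently with no signatures at all.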

Configuring a Cisco IOS Zone Based Policy Firewall

1. Identify interfaces that share the same security function and group them into the same security zones.
2. Determine the required traffic flow between zones in both directions.
4. Set up zone pairs for any policy other than deny all.
5. Define class maps to describe traffic between zones.
6. Associate class maps with policy maps to define actions applied to specific policies.

There are several steps required to configure a Cisco IOS zone-based policy firewall. The following procedure can be used...
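The zone-based procedure described in Creating Security Zones and Zone Pairs, Attaching a Policy Map to a Zone Pair, Zoning Rules Summary and the steps above, carried through as one complete configuration. This is an added example, not the guide's own; zone, class, policy and interface names, the addresses and ACL number are assumptions, and the self-zone policy assumes that Layer 4 `inspect` is permitted for traffic to the router itself (the guide only says inspect policing is not).

```cisco
! Added example, not from the SNRS guide. Names, addresses and the ACL
! number are assumptions. Fa0/0 inside (10.0.1.0/24), Fa0/1 outside.
!
! Zones. Interfaces with the same security function share a zone.
zone security inside
zone security outside
!
! Class maps describe traffic. match-any: any listed protocol qualifies.
class-map type inspect match-any INSIDE-TO-OUT-PROTOS
 match protocol http
 match protocol https
 match protocol dns
 match protocol ftp
!
! Management traffic that may reach the router's own addresses from inside
! (SSH and ping to 10.0.1.1 only).
access-list 120 permit tcp 10.0.1.0 0.0.0.255 host 10.0.1.1 eq 22
access-list 120 permit icmp 10.0.1.0 0.0.0.255 host 10.0.1.1
class-map type inspect match-all MGMT-TO-SELF
 match access-group 120
!
! Policy maps attach actions to classes. Anything not matched falls into
! class-default and is dropped (and logged).
policy-map type inspect INSIDE-TO-OUT
 class type inspect INSIDE-TO-OUT-PROTOS
  inspect
 class class-default
  drop log
!
policy-map type inspect TO-SELF
 class type inspect MGMT-TO-SELF
  inspect
 class class-default
  drop log
!
! Zone pairs carry policy in ONE direction. There is deliberately no
! outside->inside pair, so nothing can be initiated from the Internet
! (the implicit deny between zones does that). Return traffic of inspected
! sessions is allowed by the state, not by a reverse pair.
zone-pair security IN-TO-OUT source inside destination outside
 service-policy type inspect INSIDE-TO-OUT
!
! Traffic to the router itself belongs to the system-defined 'self' zone.
! Without this pair, inside->self traffic would be allowed by default.
zone-pair security IN-TO-SELF source inside destination self
 service-policy type inspect TO-SELF
!
! Assign interfaces last. Once an interface is in a zone it exchanges
! traffic only with members of zones that have a pair and a policy.
interface FastEthernet0/0
 description inside
 ip address 10.0.1.1 255.255.255.0
 zone-member security inside
!
interface FastEthernet0/1
 description outside
 ip address 192.0.2.2 255.255.255.252
 zone-member security outside
!
! Verification:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

The order matters operationally: putting an interface into a zone before its zone pair and policy exist cuts that interface off from every other zone member immediately, which is the zoning rule in the summary above applied to a live box.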