Professional Documents
Culture Documents
Securing Networks
with Cisco Routers
and Switches
Volume 3
Version 2.0
Student Guide
Editorial, Production, and Web Services: 02.06.07
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Table of Contents
Volume 3
Adaptive Threat Defense
Overview
Module Objectives
5-1
5-1
5-1
5-3
5-3
5-3
5-4
5-5
5-6
5-6
5-7
5-7
5-7
5-7
5-7
5-8
5-8
5-9
5-9
5-11
5-11
5-12
5-12
5-13
5-13
5-15
5-15
5-15
5-16
5-16
5-17
5-18
5-18
5-19
5-19
5-21
5-22
5-22
5-23
5-25
5-25
5-25
5-26
5-27
5-29
5-30
5-31
5-32
5-33
5-34
5-34
5-35
5-36
5-39
5-44
5-45
Java Blocking
IP Packet Fragmentation Inspection
Example Configurations
Application Firewall Policy
Application Policy for HTTP
Next Step
Application Firewall Policy for Instant Messaging (IM)
Verifying Application Firewall Configuration
Granular Protocol Inspection
System-Defined Port Mapping
User-Defined Port Mapping
Verifying PAM Configuration
Applying the Inspection Rule to an Interface
Audit Trails and Logging
Verifying Cisco IOS Classic Firewall
Removing Cisco IOS Classic Firewall
Summary
References
5-49
5-50
5-51
5-57
5-58
5-64
5-65
5-70
5-71
5-71
5-73
5-76
5-77
5-79
5-81
5-83
5-84
5-85
5-87
Overview
Objectives
Legacy Stateful Inspection
Cisco IOS Zone-Based Policy Firewall Overview
Configuration Model
General Rules
Basic Topology
DMZ Topology
Zones
Security Zones
Zoning Rules
Zone Pairs
Security Zone Firewall Policies
Class Maps for Cisco IOS Zone-Based Policy Firewalls
Policy Maps for Cisco IOS Zone-Based Policy Firewalls
Hierarchical Policy Maps
Parameter Maps
Configuring a Cisco IOS Zoned-Based Policy Firewall
Creating Security Zones and Zone Pairs
Configuring a Class Map for a Layer 3 and Layer 4 Firewall Policy
Creating a Policy Map for a Layer 3 and Layer 4 Firewall Policy
Configuring Cisco IOS Zone-Based Policy Firewall Parameter Maps
Attaching a Policy Map to a Zone Pair
Configuration Examples
Verifying Cisco IOS Zone-Based Policy Firewall
Summary
References
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-87
5-87
5-88
5-89
5-91
5-91
5-93
5-94
5-96
5-96
5-98
5-100
5-102
5-104
5-109
5-112
5-113
5-115
5-116
5-118
5-120
5-121
5-122
5-123
5-130
5-131
5-131
5-133
5-133
5-133
5-134
5-139
5-140
5-144
5-145
5-150
5-151
5-153
5-156
5-157
2007 Cisco Systems, Inc.
5-159
5-162
5-162
5-163
Overview
Objectives
Cisco IOS IPS
Features and Benefits
Origin of Cisco IOS Firewall IPS
Signature Micro-Engines
Signatures and SDFs
Built-in Signatures
Signature Actions
Signature Definition Files
Deploying IOS IPS
Cisco IOS Firewall IPS Configuration
Installing the Cisco IOS IPS Signatures
Merging Built-In Signatures with the 128MB.sdf File
Attaching a Policy to a Signature
Creating IPS Rules
Applying an IPS Rule at an Interface
IP Virtual Reassembly
Example
Configure Logging via Syslog or SDEE
SDEE Overview
Storing SDEE Events in the Buffer
Upgrading to the Latest SDF
Verifying IPS Configuration
clear Commands
debug Commands
Summary
References
5-207
Overview
Objectives
Company ABC Secured
Summary
Module Summary
References
5-163
5-163
5-164
5-166
5-167
5-168
5-172
5-173
5-174
5-177
5-179
5-182
5-183
5-185
5-188
5-190
5-192
5-193
5-194
5-195
5-196
5-197
5-199
5-200
5-204
5-205
5-206
5-206
5-207
5-207
5-208
5-210
5-211
5-211
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
iii
iv
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Module 5
Module Objectives
Upon completing this module, you will be able to install, configure, and troubleshoot Cisco
IOS Firewall features, including Cisco IOS Classic Firewall Cisco IOS Firewall authentication
proxy, Zone-based Policy Firewall, and Cisco IOS IPS on a Cisco router. This ability includes
being able to meet these objectives:
Describe the main features of the Cisco IOS Firewall feature set
Configure Cisco IOS classic firewall, GPI, and an application policy firewall
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-2
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Lesson 1
Objectives
Upon completing this lesson, you will be able to describe the main features of the Cisco IOS
Firewall feature set. This ability includes being able to meet these objectives:
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Firewalls
This topic describes the basic functions of a firewall.
Firewalls
Branch
Office
Corporate
Headquarters
Router with
Firewall
DMZ
Corporate
Resources
Research and
Development
Partner
SNRS v2.05-2
Firewalls are networking devices that control access to the network assets of your organization.
Firewalls are positioned at the entrance points into your network. If your network has multiple
entrance points, you must position a firewall at each point to provide effective network access
control.
Firewalls are often placed in between the internal network and an external network such as the
Internet. With a firewall between your network and the Internet, all traffic coming from the
Internet must pass through the firewall before entering your network.
Firewalls can also be used to control access to a specific part of your network. For example,
you can position firewalls at all of the entry points into a research and development network to
prevent unauthorized access to proprietary information.
The most basic function of a firewall is to monitor and filter traffic. Firewalls can be simple or
elaborate, depending on your network requirements. Simple firewalls are usually easier to
configure and manage. However, you might require the flexibility of a more elaborate firewall.
Cisco IOS Software provides an extensive set of security features, allowing you to configure a
simple or elaborate firewall, according to your particular requirements. You can configure a
Cisco device as a firewall if the device is positioned appropriately at a network entry point.
5-4
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
IOS Firewall
Deploy:
As an Internet Firewall
Between groups on internal network
As a VPN end point from branches
Between partner network and corporate
Features:
Cisco IOS Software Stateful Packet Inspection
Protection Against Attack
Alerts and Audit Trails
Authentication Proxy
Support for NAT and Port-to-Application Mapping (PAM)
SNRS v2.05-3
The Cisco IOS Firewall feature set combines existing Cisco IOS Firewall technology and the
Cisco IOS classic firewall. When you configure the Cisco IOS Firewall on your Cisco router,
you turn your router into an effective, robust firewall.
The Cisco IOS Firewall features are designed to prevent unauthorized external individuals from
gaining access to your internal network and to block attacks on your network, while at the same
time allowing authorized users to access network resources.
You can use the Cisco IOS Firewall features to configure your Cisco IOS router as one of the
following:
A firewall between your company network and the networks of your company partners
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-5
Classic firewall
Authentication proxy
Cisco IOS IPS
ACLs
Standard and extended
Lock-and-key (Dynamic ACLs)
Reflexive
TCP Intercept
PAM
NAT
Security server support
RADIUS, TACACS+, Kerberos
User authentication and authorization
SNRS v2.05-4
The Cisco IOS Firewall is a security-specific option for Cisco IOS Software. It integrates
robust firewall functionality, authentication proxy, and intrusion prevention for every network
perimeter, and enriches existing Cisco IOS security capabilities. It adds greater depth and
flexibility to existing Cisco IOS security solutions, such as authentication, encryption, and
failover, by delivering state-of-the-art security features, such as stateful, application-based
filtering; dynamic per-user authentication and authorization; defense against network attacks;
Java blocking; and real-time alerts. When combined with Cisco IOS IP Security (IPsec)
software and other Cisco IOS Software-based technologies, such as Layer 2 Tunneling Protocol
(L2TP) tunneling and quality of service (QoS), the Cisco IOS Firewall provides a complete,
integrated virtual private network (VPN) solution.
To create a firewall customized to fit the security policy of your organization, you should
determine which Cisco IOS Firewall features are appropriate, and configure those features. At a
minimum, you must configure basic traffic filtering to provide a basic firewall. The sections
that follow examine Cisco IOS classic firewall, Cisco IOS Firewall authentication proxy, and
Cisco IOS IPS, but you can also configure your Cisco networking device to function as a
firewall by using the Cisco IOS Firewall features discussed next.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
To configure a basic firewall, you should at a minimum configure basic traffic filtering. You
should configure basic ACLs for all network protocols that will be routed through your
firewall, such as IP, Internetwork Packet Exchange (IPX), AppleTalk, and so forth.
Reflexive ACLs
Reflexive ACLs filter IP traffic so that TCP or UDP session traffic is only permitted through
the firewall if the session originated from within the internal network.
Note
You would only configure reflexive ACLs when not using Context-Based Access Control
(CBAC).
TCP Intercept
TCP Intercept protects TCP servers within your network from TCP SYN-flooding attacks, a
type of denial of service (DoS) attack.
Note
You would only configure TCP Intercept when not using CBAC.
Port-to-Application Mapping
Port-to-Application Mapping (PAM) is a feature of Cisco IOS Firewall. PAM allows you to
customize TCP or UDP port numbers for network services or applications. PAM uses this
information to support network environments that run services using ports that are different
from the registered or well-known ports associated with an application. The information in the
PAM table enables Cisco IOS classic firewall supported services to run on nonstandard ports.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-7
Some applications use embedded IP addresses in such a way that it is impractical for a NAT
device to translate them. These applications may not work transparently or at all through a
NAT device. NAT does not work with the application layer protocols, such as remote
procedure call (RPC), VDOLive, or SQL*Net redirected. (NAT does work with SQL*Net
bequeathed.) Do not configure NAT on networks that will carry traffic for these incompatible
protocols.
TACACS+
RADIUS
Kerberos
You can use any of these security servers to store a database of user profiles. To gain access
into your firewall or to gain access through the firewall into another network, users must enter
authentication information (such as a username and password), which is matched against the
information on the security server. When users pass authentication, they are granted access
according to their specified privileges.
5-8
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Internet
SNRS v2.05-5
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-9
Cisco IOS classic firewall intelligently filters TCP and UDP packets based on application layer
protocol session information. It can inspect traffic for sessions that originate on any interface of
the router. Cisco IOS classic firewall inspects traffic that travels through the firewall to
discover and manage state information for TCP and UDP sessions. This state information is
used to create temporary openings in the ACLs of the firewall to allow return traffic and
additional data connections for permissible sessions.
A new feature introduced in Cisco IOS Release 12.3(4)T is the Firewall ACL Bypass feature,
which allows a packet to avoid redundant ACL checks by allowing the firewall to permit the
packet on the basis of existing inspection sessions instead of dynamic ACLs. Thus, input and
output dynamic ACL searches are eliminated, improving the overall throughput performance of
the base engine. After the firewall is configured for inspection, ACL bypassing is performed by
default
Inspecting packets at the application layer and maintaining TCP and UDP session information
provides Cisco IOS classic firewall with the ability to detect and prevent certain types of
network attacks, such as TCP SYN-flooding attacks. Cisco IOS classic firewall also inspects
packet sequence numbers in TCP connections to see if they are within expected rangesCisco
IOS classic firewall drops any suspicious packets. Additionally, Cisco IOS classic firewall can
detect unusually high rates of new connections and issue alert messages. Cisco IOS classic
firewall inspection can help protect against certain DoS attacks involving fragmented IP
packets.
5-10
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-6
Authentication Proxy
The Cisco IOS Firewall authentication proxy feature allows network administrators to apply
specific security policies on a per-user basis. Previously, user identity and related authorized
access was associated with a user IP address, or a single security policy had to be applied to an
entire user group or subnetwork. Now, users can be identified and authorized on the basis of
their per-user policy, and access privileges tailored on an individual basis are possible, as
opposed to a general policy applied across multiple users. Per-user policies can be downloaded
dynamically to the router from a TACACS+ or RADIUS authentication server using Cisco IOS
software authentication, authorization, and accounting (AAA) services.
Users can log into the network or access the Internet via HTTP, secure HTTP (HTTPS), FTP,
and Telnet, and their specific access profiles will automatically be downloaded. Appropriate
dynamic individual access privileges are available as required, protecting the network against
more general policies applied across multiple users. Authentication and authorization can be
applied to the router interface in either direction to secure inbound or outbound extranet,
intranet, and Internet usage.
The authentication proxy is compatible with other Cisco IOS security features, such as NAT,
IPsec encryption, and VPN client software.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-11
Internet
SNRS v2.05-7
5-12
Deny traffic from the source IP address of the attacker for a specified amount of time
Deny traffic on the connection for which the signature was seen for a specified amount of
time
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
Firewalls are networking devices that control access to network
assets of your organization.
The Cisco IOS Firewall feature set combines existing Cisco IOS
Firewall technology and Cisco IOS Classic Firewall.
The Cisco IOS Firewall is a security-specific option for Cisco IOS
Software.
Cisco IOS classic firewall intelligently filters TCP and UDP
packets based on applicationlayer protocol session information.
The Cisco IOS Firewall authentication proxy feature allows
network administrators to apply specific security policies on a peruser basis.
The Cisco IOS IPS acts as an in-line intrusion detection sensor.
SNRS v2.05-8
References
For additional information, refer to this resource:
Cisco Systems, Inc. Cisco IOS Security Configuration Guide, Release 12.4
http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_book091
86a008043360a.html
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-13
5-14
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Lesson 2
Objectives
Upon completing this lesson, you will be able to configure Cisco IOS classic firewall), GPI,
and an application policy firewall. This ability includes being able to meet these objectives:
Describe how to configure audit trails and logging for Cisco IOS classic firewall
List the commands used to verify and troubleshoot Cisco IOS classic firewall configuration
and operation
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-2
Cisco IOS classic firewall works to provide network protection on multiple levels using the
following functions:
Traffic filtering
Traffic inspection
Intrusion prevention
Traffic Filtering
Cisco IOS classic firewall intelligently filters TCP and User Datagram Protocol (UDP) packets
based on application layer protocol session information. You can configure Cisco IOS classic
firewall to permit specified TCP and UDP traffic through a firewall only when the connection
is initiated from within the network that you want to protect. Cisco IOS classic firewall can
inspect traffic for sessions that originate from either side of the firewall, and Cisco IOS classic
firewall can be used for intranet, extranet, and Internet perimeters of your network.
Without Cisco IOS classic firewall, traffic filtering is limited to access control list (ACL)
implementations that examine packets at the network layer, or at most, the transport layer.
However, Cisco IOS classic firewall examines not only network layer and transport layer
information but also examines the application layer protocol information (such as FTP
connection information) to learn about the state of the session. This allows for the support of
protocols that involve multiple channels created as a result of negotiations in the control
channel. Most of the multimedia protocols and some other protocols (such as FTP, RPC, and
SQL*Net) involve multiple channels.
5-16
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Using Cisco IOS classic firewall, Java blocking can be configured to filter HTTP traffic based
on the server address or to completely deny access to Java applets that are not embedded in an
archived or compressed file. With Java, you must protect against the risk of users inadvertently
downloading destructive applets into your network. To protect against this risk, you could
require all users to disable Java in their browser. If this is not an acceptable solution, you can
create a Cisco IOS classic firewall inspection rule to filter Java applets at the firewall. This
allows users to download only applets residing within the firewall and trusted applets from
outside the firewall. For extensive content filtering of Java, ActiveX, or virus scanning, you
might want to consider purchasing a dedicated content filtering product.
Traffic Inspection
Cisco IOS classic firewall inspects traffic that travels through the firewall to discover and
manage state information for TCP and UDP sessions. This state information is used to create
temporary openings in the firewall to allow return traffic and additional data connections for
permissible sessions.
Inspecting packets at the application layer, and maintaining TCP and UDP session information,
provides Cisco IOS classic firewall with the ability to detect and prevent certain types of
network attacks such as TCP SYN-flooding attacks. A TCP SYN-flooding attack occurs when
a network attacker floods a server with a barrage of requests for connection and does not
complete the connection. The resulting volume of half-open connections can overwhelm the
server, causing it to deny service to valid requests. Network attacks that deny access to a
network device are called denial of service (DoS) attacks.
Cisco IOS classic firewall helps to protect against DoS attacks in other ways. Cisco IOS classic
firewall inspects packet sequence numbers in TCP connections to see if they are within
expected rangesCisco IOS classic firewall drops any suspicious packets. You can also
configure Cisco IOS classic firewall to drop half-open connections, which require firewall
processing and memory resources to maintain. Additionally, Cisco IOS classic firewall can
detect unusually high rates of new connections and issue alert messages.
Cisco IOS classic firewall can help by protecting against certain DoS attacks involving
fragmented IP packets. Even though the firewall prevents an attacker from making actual
connections to a given host, the attacker can disrupt services provided by that host.
An attacker can overwrite the fragment offset in the noninitial IP fragment packets. When the
firewall reassembles the IP fragments, it might create wrong IP packets, causing the memory to
overflow or your system to crash.
An attacker can also make the fragment size small enough to force Layer 4 (TCP and UDP)
header fields into the second fragment. Thus, the ACL rules that have been configured for those
fields will not match.
In addition, an attacker can continuously send a large number of incomplete IP fragments,
causing the firewall to lose CPU processing power and memory while trying to reassemble the
bad packets.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-17
5-18
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
10.0.6.12
5
ACL
Port
3575
ACL
7
Fa0/0
Port
80
6
S0
10.0.1.12
router(config)# ip access-list 104 deny ip any any
router(config)# ip access-list 103 permit http any any
router(config)# ip inspect name FWRULE tcp
router(config)# interface S0
router(config-if)# ip access-group 103 out
router(config-if)# ip access-group 104 in
router(config-if)# ip inspect FWRULE out
router# show ip inspect sessions
Established Sessions
Session 641721A8 (10.0.1.12:3575)=>(10.0.6.12:80) http SIS_OPEN
Attacker
SNRS v2.05-3
Cisco IOS Classic Firewall uses Stateful Packet Inspection (SPI) to inspect traffic and create
temporary openings at firewall interfaces. These openings are created when specified traffic
exits your internal network through the firewall. The openings allow returning traffic (that
would normally be blocked) and additional data channels to enter your internal network back
through the firewall. The traffic is allowed back through the firewall only if it is part of the
same session as the original traffic that triggered Cisco IOS classic firewall when exiting
through the firewall.
SPI or CBAC?
SPI was originally introduced as a feature called Context-Based Access Control (CBAC). Prior
to CBAC, Cisco IOS Software's only packet-filtering mechanism was the access control list
(ACL). CBAC greatly enhanced the packet filtering capability of ACLs by introducing stateful
filtering capability. The early Cisco IOS Firewall capability was occasionally perceived as a
"glorified" ACL. This misconception is partly due to the fact that ACL monitoring commands
were used to monitor CBAC activity, as well as the fact that inspection used (and still uses)
ACLs to filter traffic, permitting desired traffic, while blocking unwanted, potentially harmful
traffic. However, CBAC substantially augments an ACL's capability for restricting traffic.
CBAC monitors several attributes in TCP connections, UDP sessions, and Internet Control
Message Protocol (ICMP) dialogue to ensure that the only traffic allowed through a firewall
ACL is the return traffic for dialogue that was originated on the private side of the firewall.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-19
Cisco IOS SPI can be described as a mechanism to discover "good" connections that originate
on the secure (trusted) side of the firewall, and watch for and allow the return traffic that
correlates with these connections. Connections originating on the unsecure (untrusted) side of
the firewall are not allowed to reach the secure network, as controlled by an ACL facing the
unsecure network as shown in the figure above.
Many changes have been made to CBAC to enhance its capability and increase performance.
Inspection of some protocols has been enhanced to ensure protocol compliance or offer
application-level service filtering. Beginning in Cisco IOS Software Release 12.3(4)T, the ACL
Bypass feature introduced substantial improvements in performance and significant changes to
the stateful inspection architecture. CBAC had outgrown its original, basic function and was
renamed Cisco IOS Stateful Packet Inspection to more accurately reflect the feature's
capability. CBAC is frequently still used synonymously with Stateful Packet Inspection, but the
CBAC name does not reflect the full feature set offered by Cisco IOS SPI.
SPI inspects the packet after it passes the inbound ACL of an input interface if the ip inspect
in command is applied, or after the outbound ACL of the output interface if the ip inspect
out command is used. Therefore, outbound traffic must be permitted by input ACLs facing the
source and outbound ACLs facing the destination.
5-20
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
(5 matches)
ACL Bypass improves firewall performance for two reasons. SPI is able to maintain a more
efficient list to track active sessions, reducing the time required for session setup and
verification. Also, return traffic is not subjected to ACLs on the return path, so when return
traffic finds a matching entry in the session table, it is shunted past the ACLs in the packet path,
reducing the CPU overhead the packet incurs as it moves through the router's processing.
Note
3. The packet is inspected by Cisco IOS classic firewall to determine and record information
about the state of the packet connection. This information is recorded in a new state table
entry created for the new connection.
Note
If the packet application (HTTP) was not configured for Cisco IOS classic firewall inspection,
the packet would simply be forwarded out the external interface at this point without being
inspected by Cisco IOS classic firewall.
4. The Firewall ACL Bypass feature allows a packet to avoid redundant access control list
(ACL) checks by allowing the firewall to permit the packet on the basis of existing
inspection sessions instead of dynamic ACLs. Because a matching inspection session is
often found in the beginning of IP processing, the input and output dynamic ACL searches
are no longer necessary and can be eliminated.
5. The outbound packet is forwarded out of the interface.
6. Later, an inbound return packet reaches the interface. This packet is part of the same HTTP
connection previously established with the outbound packet and is permitted
7. The permitted inbound packet is inspected by Cisco IOS Classic Firewall, and the
connection's state table entry is updated as necessary.
8. Any additional inbound or outbound packets that belong to the connection are inspected to
update the state table entry and they are forwarded through the interface.
9. When the connection terminates or times out, the connection's state table entry is deleted.
Cisco IOS Firewall inspects packets after input and output ACL checks. When inspecting, the
advanced firewall engine may insert or remove the ACL items associated with a session,
depending upon its state and context.
2007 Cisco Systems, Inc.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-21
After the firewall is configured for inspection, ACL bypassing is performed by default
Because input and output dynamic ACLs are no longer necessary, the need for IOS Classic
Firewall to create dynamic ACLs on the interface is eliminated. Following are some benefits of
this feature:
Before ACL bypassing was implemented, a packet could be subjected to as many as three
redundant searches. Specifically:
Each dynamic ACL that IOS Classic Firewall creates corresponds to a single inspection
session. Thus, a matching dynamic ACL entry for a given packet implies that a matching
inspection session exists and that the packet should be permitted through the ACL. Because a
matching inspection session is often found in the beginning of IP processing, the input and
output dynamic ACL searches are no longer necessary and can be eliminated.
ACL bypassing subjects the packet to one search (the inspection session search) during its
processing path through the router. When a packet is subjected to a single inspection session
search before the ACL checks, the packet is matched against the list of session identifiers that
already exist on the interface. Session identifiers (SIDs) keep track of the source and
destination IP addresses and ports of the packets and on which interface the packet arrived.
Since ACL bypassing is performed by default. You should configure inspection as you would
normally.
OR
This access list permits all packets that you want to allow to exit the network, including packets
you want to be inspected by IOS Classic Firewall. In the example, HTTP packets were
permitted.
5-22
An inbound extended IP access list is applied to the external interface. This access list
denies any traffic to be inspected by IOS Classic Firewall. When IOS Classic Firewall is
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
triggered with an outbound packet it checks the state table to see if the traffic is part of a
valid existing session.
Caution
If the inbound ACL on the external interface had been configured to permit all traffic, Cisco
IOS classic firewall would be creating pointless openings in the firewall for packets that
would be permitted anyway.
Throughout this lesson, the terms inbound and outbound are used to describe the direction
of traffic relative to the router interface on which Cisco IOS classic firewall is applied. For
example, if a Cisco IOS classic firewall inspection rule is applied inbound on interface E0,
packets entering interface E0 from the network will be inspected. If a Cisco IOS classic firewall
inspection rule is applied outbound on interface E0, packets leaving interface E0 to the network
will be inspected. This is similar to the way ACLs work.
For example, consider a Cisco IOS classic firewall inspection rule named FWRULE, and
suppose that rule is applied inbound at interface E0 with the following commands:
router(config)# interface Fa0/0
router(config-if)# ip inspect FWRULE in
This command causes Cisco IOS classic firewall to inspect the packets coming into this
interface from the network. If a packet is attempting to initiate a session, Cisco IOS classic
firewall will then determine if this protocol is allowed, create a Cisco IOS classic firewall
session, add the appropriate ACLs to allow return traffic, and do any needed content inspection
on any future packets for this session.
The terms input and output are used to describe the interfaces at which network traffic
enters or exits the firewall router. A packet enters the firewall router via the input interface, is
inspected by the firewall software, and then exits the router via the output interface.
In the figure, the inbound ACL at S0 is configured to block HTTP traffic, and there is no
outbound ACL configured at E0. When the connection request for the HTTP session of user X
passes through the firewall, Cisco IOS classic firewall creates a temporary opening in the
inbound ACL at S0 to permit returning HTTP traffic for the HTTP session of user X.
Packet Inspection
With Cisco IOS classic firewall, you specify which protocols you want to be inspected, and you
specify an interface and interface direction (in or out) where inspection originates. Only
specified protocols will be inspected by Cisco IOS classic firewall.
Packets entering the firewall are inspected by Cisco IOS classic firewall only if they first pass
the inbound ACL at the input interface or the outbound ACL at the output interface, or both. If
a packet is denied by the ACL, the packet is simply dropped and not inspected by Cisco IOS
classic firewall.
Cisco IOS classic firewall inspection tracks sequence numbers in all TCP packets, and drops
those packets with sequence numbers that are not within expected ranges.
Cisco IOS classic firewall inspection recognizes application-specific commands (such as illegal
SMTP commands) in the control channel, and detects and prevents certain application-level
attacks.
2007 Cisco Systems, Inc.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-23
When Cisco IOS classic firewall suspects an attack, the DoS feature can take several actions:
Cisco IOS classic firewall uses timeout and threshold values to manage session state
information, helping to determine when to drop sessions that do not become fully established.
Setting timeout values for network sessions helps prevent DoS attacks by freeing system
resources, dropping sessions after a specified amount of time. Setting threshold values for
network sessions helps prevent DoS attacks by controlling the number of half-opened sessions,
which limits the amount of system resources applied to half-opened sessions. When a session is
dropped, Cisco IOS classic firewall sends a reset message to the devices at both endpoints
(source and destination) of the session. When the system under DoS attack receives a reset
command, it releases, or frees, processes and resources related to that incomplete session.
Cisco IOS classic firewall provides three thresholds against DoS attacks:
It can send a reset message to the endpoints of the oldest half-opened session, making
resources available to service newly arriving synchronization (SYN) packets.
In the case of half-opened TCP-only sessions, Cisco IOS classic firewall blocks all SYN
packets temporarily for the duration configured by the threshold value. When the router
blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the
router from using memory and processing resources needed for valid connections.
DoS detection and prevention requires that you create a Cisco IOS classic firewall inspection
rule and apply that rule on an interface. The inspection rule must include the protocols that you
want to monitor against DoS attacks. For example, if you have TCP inspection enabled on the
inspection rule, Cisco IOS classic firewall can track all TCP connections to watch for DoS
attacks. If the inspection rule includes FTP protocol inspection but not TCP inspection, Cisco
IOS classic firewall tracks only FTP connections for DoS attacks.
5-24
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
State Tables
A state table maintains session state information. Whenever a packet is inspected, a state table
is updated to include information about the state of the packet connection. Return traffic will be
permitted back through the firewall only if the state table contains information indicating that
the packet belongs to a permissible session. Inspection controls the traffic that belongs to a
valid session and forwards the traffic it does not know. When return traffic is inspected, the
state table information is updated as necessary.
Multimedia applications
Oracle support
Use Cisco IOS classic firewall for these applications if you want the application traffic to be
permitted through the firewall only when the traffic session is initiated from a particular side of
the firewall (usually from the protected internal network).
In many cases, you will configure Cisco IOS classic firewall in one direction only at a single
interface, which causes traffic to be permitted back into the internal network only if the traffic
is part of a permissible (valid, existing) session. This is a typical configuration for protecting
your internal networks from traffic that originates on the Internet.
You can also configure Cisco IOS classic firewall in two directions at one or more interfaces.
Cisco IOS classic firewall is configured in two directions when the networks on both sides of
the firewall should be protected, such as with extranet or intranet configurations, and to protect
against DoS attacks. For example, if the firewall is situated between the networks of two
partner companies, you might wish to restrict traffic in one direction for certain applications,
and restrict traffic in the opposite direction for other applications.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-25
Supported Protocols
This section lists the protocols supported by Cisco IOS classic firewall.
Supported Protocols
TCP
SQL*Net
UDP
RPC
FTP
TFTP
CUseeMe
Other multimedia
Microsoft NetShow
SMTP
StreamWorks
VDOLive
SNRS v2.05-4
You can configure Cisco IOS classic firewall to inspect the following types of sessions:
All TCP sessions, regardless of the application layer protocol (sometimes called singlechannel or generic TCP inspection)
All UDP sessions, regardless of the application layer protocol (sometimes called singlechannel or generic UDP inspection)
You can also configure Cisco IOS classic firewall to specifically inspect certain application
layer protocols. The following application layer protocols can all be configured for Cisco IOS
classic firewall:
FTP
TFTP
SMTP
5-26
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SQL*Net
Microsoft NetShow
StreamWorks
VDOLive
Refer to the latest Cisco IOS documentation for the latest list of supported protocols.
When a protocol is configured for Cisco IOS classic firewall, that protocol traffic is inspected,
state information is maintained, and, in general, packets are allowed back through the firewall
only if they belong to a permissible session.
RTSP and H.323v2 inspection allows clients on a protected network to receive data associated
with a multimedia session from a server on an unprotected network.
RTSP Support
RTSP is the Internet Engineering Task Force (IETF) standards-based protocol (RFC 2326) for
control over the delivery of data with real-time properties such as audio and video streams. It is
useful for large-scale broadcasts and audio or video on demand streaming, and is supported by
a variety of vendor products for streaming audio and video multimedia, including Cisco IP/TV,
RealNetworks RealAudio G2 Player, and Apple QuickTime 4 software.
RFC 2326 allows RTSP to run over either UDP or TCP, though Cisco IOS classic firewall
currently supports only TCP-based RTSP. RTSP establishes a TCP-based control connection,
or channel, between the multimedia client and server. RTSP uses this channel to control
commands such as play and pause between the client and server. These control commands
and responses are text-based and are similar to HTTP.
RTSP typically relies on a UDP-based data transport protocol such as standard Real-Time
Transport Protocol (RTP) to open separate channels for data and for RTP Control Protocol
(RTCP) messages. RTP and RTCP channels occur in pairs, with RTP being an even-numbered
port, and RTCP being the next consecutive port. Understanding the relationship of RTP and
RTCP is important for verifying session information using Cisco IOS classic firewall show
commands.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-27
The RTSP client uses TCP port 554 or 8554 to open a multimedia connection with a server.
The data channel or data control channel (using RTCP) between the client and the server is
dynamically negotiated between the client and the server using any of the high UDP ports
(1024 to 65536).
Cisco IOS classic firewall uses this port information along with connection information from
the client to create dynamic ACL entries in the firewall. As TCP or UDP connections are
terminated, Cisco IOS classic firewall removes these dynamic entries from the appropriate
ACLs.
Cisco IOS classic firewall support for RTSP includes the following data transport modes:
Standard RTP: RTP is an IETF standard (RFC 1889) supporting delivery of real-time data
such as audio and video. RTP uses the RTCP for managing the delivery of the multimedia
data stream. This is the normal mode of operation for Cisco IP/TV and Apple QuickTime 4
software.
Interleaved (tunnel mode): In this mode, RTSP uses the control channel to tunnel RTP or
RDT traffic.
H.323 Support
Cisco IOS classic firewall support for H.323 inspection includes H.323v2 and H.323 version 1
(H.323v1). H.323v2 provides additional options over H.323v1, including a fast start option.
The fast start option minimizes the delay between the time that a user initiates a connection and
the time that the user gets the data (voice, video). H.323v2 inspection is backward-compatible
with H.323v1.
With H.323v1, after a TCP connection is established between the client and server (H.225
channel), a separate channel for media control (H.245 channel) is opened through which
multimedia channels for audit and video are further negotiated.
The H.323v2 client opens a connection to the server that is listening on port 1720. The data
channel between the client and the server is dynamically negotiated using any of the high UDP
ports (1024 to 65536).
Cisco IOS classic firewall uses this port information along with connection information from
the client to create dynamic ACL entries in the firewall. As TCP or UDP connections are
terminated, Cisco IOS classic firewall removes these dynamic entries from the appropriate
ACLs.
5-28
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Cisco IOS classic firewall is available only for IP traffic. Only TCP and UDP packets are
inspected. (Other IP traffic, such as ICMP, cannot be inspected with Cisco IOS classic
firewall and should be filtered with basic ACLs instead.)
If you reconfigure your ACLs when you configure Cisco IOS classic firewall, be aware that
if your ACLs block TFTP traffic into an interface, you will not be able to netboot over that
interface.
Note
This is not a Cisco IOS classic firewall-specific limitation, but is part of existing ACL
functionality.
Packets with the firewall as the source or destination address are not inspected by Cisco
IOS classic firewall.
H.323v2 and RTSP protocol inspection supports only the following multimedia clientserver applications:
Cisco IP/TV
Apple QuickTime 4
FTP Traffic
Following are some restrictions to be noted when configuring for FTP inspection:
With FTP, Cisco IOS classic firewall does not allow third-party connections (three-way
FTP transfer).
When Cisco IOS classic firewall inspects FTP traffic, it only allows data channels with the
destination port in the range of 1024 to 65535.
Cisco IOS classic firewall will not open a data channel if the FTP client-server
authentication fails.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-29
SNRS v2.05-5
Cisco IOS classic firewall also generates real-time alerts and audit trails based on events
tracked by the firewall. Enhanced audit trail features use syslog to track all network
transactions, recording time stamps, source host, destination host, ports used, and the total
number of transmitted bytes, for advanced, session-based reporting.
Real-time alerts send syslog error messages to central management consoles upon detecting
suspicious activity. Using Cisco IOS classic firewall inspection rules, you can configure alerts
and audit trail information on a per-application protocol basis. For example, if you want to
generate audit trail information for HTTP traffic, you can specify that in the Cisco IOS classic
firewall rule covering HTTP inspection.
5-30
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-6
Configuring Cisco IOS classic firewall can be simple or as complex as the security
requirements of the network requires. There are several basic tasks required to configure IOS
classic firewall.
To configure Cisco IOS classic firewall, you must perform the following tasks:
1. Determine the internal, external, and demilitarized zone (DMZ) interface (or interfaces).
2. Identify traffic allowed out of the network.
3. Configure ACLs on the interface (or interfaces).
4. Define the inspection rules.
5. Apply the inspection rule to an interface.
6. Configure logging and audit trails.
One configuration is the least complex, offering the easiest configuration, requiring little
knowledge of network usage patterns, but offering little network use control. The other
configuration is the preferred application of Cisco IOS SPI, offering better network policy
control and tighter security, but requiring a better grasp of network protocol usage. These tasks
will be examined in the following sections.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-31
SNRS v2.05-7
For Cisco IOS classic firewall to work properly, you need to make sure that you have IP ACLs
configured appropriately and applied at the appropriate interfaces.
Follow these three general rules when evaluating your IP ACLs at the firewall:
Start with a basic configuration: A basic initial configuration allows all network traffic to
flow from the protected networks to the unprotected networks, while blocking network
traffic from any unprotected networks.
Permit Cisco IOS classic firewall traffic to leave the network through the firewall: All
ACLs that evaluate traffic leaving the protected network should permit traffic that will be
inspected by Cisco IOS classic firewall. For example, if HTTP will be inspected by Cisco
IOS classic firewall, HTTP traffic should be permitted on all ACLs that apply to traffic
leaving the network.
Use extended ACLs to deny Cisco IOS classic firewall return traffic entering the
network through the firewall: For temporary openings to be created in an ACL, the ACL
must be an extended ACL. So wherever you have ACLs that will be applied to returning
traffic, you must use extended ACLs. The ACLs should deny Cisco IOS classic firewall
return traffic because Cisco IOS classic firewall will open up temporary holes in the ACLs.
(You want traffic to be normally blocked when it enters your network.)
Note
5-32
If your firewall only has two connections, one to the internal network and one to the external
network, using all inbound ACLs on the external interface works well. This is because
packets are stopped before they get a chance to affect the router itself.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Use the following guidelines for configuring the initial firewall ACLs:
Do not configure an ACL for traffic from the protected networks to the unprotected
networks (meaning that all traffic from the protected networks can flow through the
interface).
This helps to simplify firewall management by reducing the number of ACLs applied at the
interfaces. Of course this assumes a high level of trust for the users on the protected
networks, and it assumes there are no malicious users on the protected networks who might
launch attacks from the inside. You can fine-tune network access for users on the protected
networks as you gain experience with ACL configuration and the operation of the firewall.
Configure an ACL that includes entries permitting certain ICMP traffic from unprotected
networks.
While an ACL that denies all IP traffic not part of a connection inspected by Cisco IOS
classic firewall seems most secure, it is not practical for normal operation of the router. The
router expects to see ICMP traffic from other routers in the network. Additionally, if ICMP
traffic is not inspected by Cisco IOS classic firewall (meaning specific entries are needed in
the ACL to permit return traffic for ICMP commands). For example, a user on a protected
network uses the ping command to get the status of a host on an unprotected network;
without entries in the ACL that permit echo-reply messages, the user on the protected
network gets no response to the ping command.
Include ACL entries to permit the following ICMP messages:
Echo reply: Outgoing ping commands require echo-reply messages to come back.
Packet-too-big: Path maximum transmission unit (MTU) discovery requires packettoo-big messages to come back.
Add an ACL entry denying any network traffic from a source address matching an address
on the protected network.
Note
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-33
Add an entry denying broadcast messages with a source address of 255.255.255.255. This
entry helps to prevent broadcast attacks.
By default, the last entry in an extended ACL is an implicit denial of all IP traffic not
specifically allowed by other entries in the ACL.
If you have an outbound IP ACL at the external interface, the ACL can be a standard or
extended ACL. This outbound ACL should permit traffic that you want to be inspected by
Cisco IOS classic firewall. If traffic is not permitted, it will not be inspected by Cisco IOS
classic firewall, but will be simply dropped.
The inbound IP ACL at the external interface must be an extended ACL. This inbound
ACL should deny traffic that you want to be inspected by Cisco IOS classic firewall. (Cisco
IOS classic firewall will create temporary openings in this inbound ACL as appropriate to
permit only return traffic that is part of a valid, existing session.)
5-34
If you have an inbound IP access list at the internal interface (or an outbound IP access list
at external interface(s), these access lists can be either a standard or extended access list.
These access lists should permit traffic that you want to be inspected by IOS Classic
Firewall. If traffic is not permitted, it will not be inspected by IOS Classic Firewall, but will
be simply dropped.
The outbound IP access list at the internal interface (or an inbound IP access list at the
external interface) must be extended access lists. These access lists should deny traffic that
you want to be inspected by IOS Classic Firewall. IOS Classic Firewall will create
temporary openings in these outbound access lists as appropriate to permit only return
traffic that is part of a valid, existing session.) You do not necessarily need to configure an
extended access list at both the outbound internal interface and the inbound external
interface, but at least one is necessary to restrict traffic flowing through the firewall into the
internal protected network.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-8
After you configure global timeouts and thresholds, you must define an inspection rule. The
inspection rule specifies which IP traffic (which application layer protocols) will be inspected
by Cisco IOS classic firewall at an interface.
Normally, you define only one inspection rule. The only exception might occur if you want to
enable Cisco IOS classic firewall in two directions as described earlier in the When and Where
to Configure Cisco IOS Classic Firewall subtopic. For Cisco IOS classic firewall configured
in both directions at a single firewall interface, you should configure two inspection rules, one
for each direction.
An inspection rule should specify each desired application layer protocol and generic TCP or
generic UDP if desired. The inspection rule consists of a series of statements each listing a
protocol and specifying the same inspection rule name.
Inspection rules include options for controlling alert and audit trail messages and for checking
IP packet fragmentation.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-35
router(config)#
router(config)#
router(config)#
router(config)#
router(config)#
router(config)#
router(config)#
router(config)#
router(config)#
ip
ip
ip
ip
ip
ip
ip
ip
ip
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
SNRS v2.05-9
Cisco IOS Stateful Packet Inspection maintains counters of the number of "half-open" TCP
connections, as well as the total connection rate through the firewall and IPS software. These
half-open connections are TCP connections that have not completed the SYN-SYN/ACK-ACK
handshake that is always used by TCP peers to negotiate the parameters of their mutual
connection. Cisco IOS Firewall also regards UDP sessions with traffic in only one direction as
"half-open", as nearly all applications that use UDP for transport will acknowledge reception of
data. UDP sessions without acknowledgement are likely indicative of DoS activity, or attempts
to connect between two hosts where one of the hosts has become unresponsive. Some malicious
individuals write worms or viruses that infect multiple hosts on the Internet, then attempt to
overwhelm specific Internet servers with a SYN attack, in which large numbers of SYN
connections are sent to a server by multiple hosts on the public Internet or within an
organization's private network. SYN attacks represent a hazard to Internet servers, as servers'
connection table can be loaded with "bogus" SYN connection attempts that arrive faster than
the server can deal with the new connections. This is called a "Denial-of-Service" attack, as the
large number of connections in the victim server's TCP connection list prevents legitimate users
from gaining access to the victim Internet servers.
Cisco IOS Stateful Packet Inspection provides protection from DoS attack as a default when an
inspection rule is applied. The DoS protection is enabled on the interface, in the direction in
which the firewall is applied, for the protocols that the firewall policy is configured to inspect.
DoS protection is only enabled on network traffic if the traffic enters or leaves an interface with
inspection applied in the same direction of the traffic's initial movement. Cisco IOS Firewall
inspection provides several adjustable values to protect against DoS attacks. These settings
5-36
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
have default values that may interfere with proper network operation if they are not configured
for the appropriate level of network activity in networks where connection rates will exceed the
defaults:
ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]
These parameters allow you to configure the points at which your firewall router's DoS
protection begins to take effect. When your router's DoS counters exceed the default or
configured values, the router will reset one old half-open connection for every new connection
that exceeds the configured max-incomplete or one-minute high values, until the number of
half-open sessions drops below the max-incomplete low values. The router will send a syslog
message if logging is enabled, and if Intrusion Protection System (IPS) is configured on the
router, the firewall router will send a DoS signature message via SDEE. If the DoS parameters
are not adjusted to your network's normal behavior, normal network activity may trigger the
DoS protection mechanism, causing application failures, poor network performance, and high
CPU utilization on the Cisco IOS Firewall router.
While you cannot "disable" your firewall's DoS protection, you can adjust the DoS protection
so that it will not take effect unless a very large number of half-open connections are present in
your firewall router's Stateful Inspection session table.
This topic also discusses how to configure the following global timeouts and thresholds:
Cisco IOS classic firewall uses timeouts and thresholds to determine how long to manage state
information for a session, and to determine when to drop sessions that do not become fully
established. These timeouts and thresholds apply globally to all sessions.
You can use the default timeout and threshold values, or you can change to values more
suitable to your security requirements. You should make any changes to the timeout and
threshold values before you continue configuring Cisco IOS classic firewall.
Use the ip inspect tcp synwait-time global configuration command to define how long the
software will wait for a TCP session to reach the established state before dropping the session.
Use the no form of this command to reset the timeout to the default.
The syntax of the ip inspect tcp synwait-time command is as follows:
ip inspect tcp synwait-time seconds
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-37
Syntax Description
seconds
Specifies how long the software will wait for a TCP session to
reach the established state before dropping the session; the
default is 30 seconds.
Use the ip inspect tcp finwait-time global configuration command to define how long a TCP
session will continue to be managed after the firewall detects a FIN exchange. Use the no form
of this command to reset the timeout to default.
The syntax of the ip inspect tcp finwait-time command is as follows:
ip inspect tcp finwait-time seconds
Syntax Description
seconds
Use the ip inspect tcp idle-time global configuration command to specify the TCP idle timeout
(the length of time that a TCP session will continue to be managed when there is no activity).
Use the no form of this command to reset the timeout to the default.
Use the ip inspect udp idle-time global configuration command to specify the UDP idle
timeout (the length of time that a UDP session will continue be managed when there is no
activity). Use the no form of this command to reset the timeout to the default.
The syntax for the ip inspect {tcp | udp} idle-time commands is as follows:
ip inspect {tcp | udp} idle-time seconds
Syntax Description
seconds
Use the ip inspect dns-timeout global configuration command to specify the DNS idle timeout
(the length of time that a DNS name lookup session will still be managed after no activity). Use
the no form of this command to reset the timeout to the default.
The syntax for the ip inspect dns-timeout command is as follows:
router(config)# ip inspect dns-timeout seconds
Syntax Description
seconds
5-38
Specifies the length of time that a DNS name lookup session will
continue to be managed when there is no activity; the default is 5
seconds.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Half-Open Sessions
An unusually high number of half-opened sessions (either absolute or measured as the arrival
rate) could indicate that a DoS attack is occurring. For TCP, half-opened means that the session
has not reached the established statethe TCP three-way handshake has not yet been
completed. For UDP, half-opened means that the firewall has detected no return traffic.
Cisco IOS classic firewall measures both the total number of existing half-opened sessions and
the rate of session establishment attempts. Both TCP and UDP half-opened sessions are
counted in the total number and rate measurements. Measurements are made once a minute.
When the number of existing half-opened sessions rises above a threshold (set by the maxincomplete high number command), Cisco IOS classic firewall will go into aggressive mode
and delete half-opened sessions as required to accommodate new connection requests. The
software continues to delete half-opened requests as necessary, until the number of existing
half-opened sessions drops below another threshold (set by the max-incomplete low number
command).
Use the ip inspect max-incomplete high command in global configuration mode to define the
number of existing half-opened sessions that will cause the software to start deleting halfopened sessions. Use the no form of this command to reset the threshold to the default.
The syntax for the ip inspect max-incomplete high command is as follows:
ip inspect max-incomplete high number
Syntax Description
high number
Use the ip inspect max-incomplete low command in global configuration mode to define the
number of existing half-opened sessions that will cause the software to stop deleting halfopened sessions. Use the no form of this command to reset the threshold to the default.
The syntax for the ip inspect max-incomplete low command is as follows:
ip inspect max-incomplete low number
Syntax Description
low number
When the rate of new connection attempts rises above a threshold (set by the one-minute high
number command), the software will delete half-opened sessions as required to accommodate
new connection attempts. The software continues to delete half-opened sessions as necessary,
until the rate of new connection attempts drops below another threshold (set by the one-minute
low number command). The rate thresholds are measured as the number of new session
connection attempts detected in the most recent one-minute sample period. The firewall router
reviews the one-minute rate on an ongoing basis. This means that the router reviews the rate
more frequently than once a minute and that it does not keep deleting half-opened sessions for
1 minute after a DoS attack has stoppedit will be less time.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-39
Use the ip inspect one-minute high command in global configuration mode to define the rate
of new unestablished sessions that will cause the software to start deleting half-opened
sessions. Use the no form of this command to reset the threshold to the default.
The syntax for the ip inspect one-minute high command is as follows:
ip ip inspect one-minute high number [vrf vrf-name]
Syntax Description
high number
Use the ip inspect one-minute low command in global configuration mode to define the rate of
the new unestablished TCP sessions that will cause the software to stop deleting half-opened
sessions. Use the no form of this command to reset the threshold to the default.
The syntax for the ip inspect one-minute low command is as follows:
ip inspect one-minute low number
Syntax Description
low number
5-40
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-10
An unusually high number of half-opened sessions with the same destination host address could
indicate that a DoS attack is being launched against the host. Whenever the number of halfopened sessions with the same destination host address rises above a threshold (set by the maxincomplete host number command), the software will delete half-opened sessions according to
one of the following methods:
If the timeout set by the block-time minutes command is 0 (the default), the software
deletes the oldest existing half-opened session for the host for every new connection
request to the host. This process ensures that the number of half-opened sessions to a given
host will never exceed the threshold.
If the timeout set by the block-time minutes command is greater than 0, the software
deletes all existing half-opened sessions for the host and then blocks all new connection
requests to the host. The software will continue to block all new connection requests until
the block time expires.
The software also sends syslog messages whenever the value specified by the max-incomplete
host number command is exceeded, and when blocking of connection initiations to a host starts
or ends.
The global values specified for the threshold and blocking time apply to all TCP connections
inspected by Cisco IOS classic firewall.
Use the ip inspect tcp max-incomplete host global configuration command to specify
threshold and blocking time values for TCP host-specific DoS detection and prevention. Use
the no form of this command to reset the threshold and blocking time to the default values.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-41
The syntax for the ip inspect tcp max-incomplete host command is as follows:
ip inspect tcp max-incomplete host number block-time minutes
Syntax Description
host number
block-time minutes
All the available Cisco IOS classic firewall timeouts and thresholds are listed in Timeout and
Threshold Values table, along with the corresponding command and default value.
5-42
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Default Value
30 seconds
5 seconds
3600 seconds (1
hour)
30 seconds
5 seconds
500 half-open
sessions per minute
400 half-open
sessions per minute
50 existing half-open
TCP sessions; 0
minutes
1 The global TCP and UDP idle timeouts can be overridden for the sessions of specified application layer protocols'.
2 See the section on half-open sessions in this lesson.
3 Whenever the max-incomplete host threshold is exceeded, the software will drop half-open sessions differently
depending on whether the block-time timeout is zero or a positive nonzero number. If the block-time timeout is
zero, the software will delete the oldest existing half-open session for the host for every new connection request
to the host and will let the SYN packet through. If the block-time timeout is greater than zero, the software will
delete all existing half-open sessions for the host, and then block all new connection requests to the host. The
software will continue to block all new connection requests until the block-time expires.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-43
SNRS v2.05-11
You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the
internal network through the firewall, even if the application layer protocol is not configured to
be inspected. However, TCP and UDP inspection do not recognize application-specific
commands and, therefore, might not permit all return packets for an application, particularly if
the return packets have a different port number from the previous exiting packet.
5-44
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Use the ip inspect inspection-name TCP|UDP command to do general TCP and UDP
inspection.
ip inspect name inspection-name {TCP | UDP} [alert {on | off}] [audittrail {on | off}][router-traffic][timeout seconds]
Syntax Description
router-traffic
This enables the firewall to perform generic TCP and UDP inspection without getting too
granular with the inspection rule.
One of the most beneficial features of Cisco IOS classic firewall is that it can do layer 7
application layer inspection.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-45
Syntax Description
This argument names the set of inspection rules. If you want to
add a protocol to an existing set of rules, use the same
inspection name as the existing set of rules.
inspection-name
protocol
timeout seconds
In general, if you configure inspection for an application layer protocol, packets for that
protocol should be permitted to exit the firewall (by configuring the correct ACL), and packets
for that protocol will only be allowed back in through the firewall if they belong to a valid
existing session. Each protocol packet is inspected to maintain information about the session
state.
Following are the protocol keywords for application-layer protocols.
Application Layer Protocol Keyword Examples
5-46
Keyword
Protocol
appfw
Application firewall
cuseeme
CUseeMe
smtp | esmtp
SMTP or ESMTP
ftp
FTP
imap
http
Java
h323
H.323
netshow
Microsoft NetShow
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
pop3
realaudio
RealAudio
rpc
RPC
sip
SIP
Smtp | esmtp
SMTP or ESMTP
skinny
streamworks
StreamWorks
sqlnet
SQL*Net
tftp
TFTP
rcmd
vdolive
VDOLive
user-10
Note
All applications that appear under the show ip port-map command are supported.
Syntax Description
http
java-list access-list
urlfilter
Syntax Description
smtp | esmtp
max-data number
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-47
Syntax Description
fragment
max number
timeout seconds
(fragmentation)
Syntax Description
parameter max-sessions
number
Syntax Description
user-10
5-48
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Java Blocking
This section covers Java blocking.
SNRS v2.05-14
Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of
external sites that you designate as friendly. If an applet is from a friendly site, the firewall
allows the applet through. If the applet is not from a friendly site, the applet will be blocked.
(Alternately, you could permit applets from all external sites except for those you specifically
designate as hostile.)
To block all Java applets except for applets from friendly locations, use the following
commands in global configuration mode:
Step 1
Step 2
Note
Cisco IOS classic firewall does not detect or block encapsulated Java applets. Therefore,
Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not
blocked at the firewall. Cisco IOS classic firewall also does not detect or block applets
loaded from FTP, Gopher, HTTP on a nonstandard port, and so forth.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-49
Note
Java blocking forces a strict order on TCP packets. To properly verify that Java applets are
not in the response, a firewall will drop any TCP packet that is out of order. Because the
networknot the firewalldetermines how packets are routed, the firewall cannot control
the order of the packets; the firewall can only drop and retransmit all TCP packets that are
not in order.
5-50
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Example Configurations
This topic describes example firewall configurations for two different topologies.
Basic Topology
Internal
Network
External
Network
E0
S0
Internet
Traffic Entering
Traffic
Exiting
SNRS v2.05-15
The complexity of configurations depend on the topology and security requirements of the
network. Topologies range from simple two interface networks to multiple interfaces with a
DMZ and extranets to remote partners and branch offices. The firewall is most commonly used
with one of two basic network topologies.
If you will be configuring IOS Classic Firewall in two directions, you should configure IOS
Classic Firewall in one direction first, using the appropriate "internal" and "external" interface
designations. When you configure IOS Classic Firewall in the other direction, the interface
designations will be swapped.
"Internal" refers to the side where sessions must originate for their traffic to be permitted
through the firewall. "External" refers to the side where sessions cannot originate (sessions
originating from the external side will be blocked).
Note
IOS Classic Firewall can be configured in two directions at one or more interfaces. Configure
IOS Classic Firewall in two directions when the networks on both sides of the firewall require
protection, such as with extranet or intranet configurations, and for protection against DoS
attacks.
Use the sample topologies in this section to decide whether to configure IOS Classic Firewall
on an internal or external interface.
In the figure above, IOS Classic Firewall would be configured for the external interface Serial
0. This prevents specified protocol traffic from entering the firewall and the internal network,
unless the traffic is part of a session initiated from within the internal network.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-51
SNRS v2.05-16
This is an example of the simplest configuration for a two interface firewall. Notice that there is
no ACL controlling what traffic exits the network.
This least complex SPI configuration uses a "deny any" ACL facing the unsecure network, and
offers limited capability to restrict network usage to a limited application list. This prevents
hosts on the unsecure network from sending traffic to the secure network, but also blocks return
traffic on legitimate, internally originated connections. To facilitate the return of legitimate
traffic, you will need to configure a simple inspection set and apply it to inbound traffic on the
internal interface, or to the outbound traffic on the external interface.
Most Internet traffic can be inspected by "inspect tcp", "inspect udp", and "inspect icmp". This
permits the most common Internet traffic, including Web browsing, e-mail applications, file
transfer, remote-console and remote-desktop applications, instant messaging, and peer-to-peer
file transfer applications. Certain applications that use a secondary data channel, such as voice
applications or streaming media applications, may require that you configure the protocolspecific inspection for that particular service, such as "inspect ftp", "inspect skinny", or "inspect
h.323". If you set up Cisco IOS Stateful Inspection and find that one of your network
applications that must traverse the firewall stops working, you should consult the product's
documentation or knowledgebase and determine if the software vendor offers documentation
specific to setting up a Cisco IOS Firewall.
5-52
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
External
Network
Internet
E0
S0
Traffic Entering
DMZ
Traffic Exiting
DNS
Server
Web
Server
SNRS v2.05-17
In this figure and in the examples below, IOS Classic Firewall is configured for the internal
interface Ethernet 0, a DMZ interface E1, and an external interface (S1). This allows external
traffic to access the services in the DMZ, such as HTTP or DNS services, but prevents
specified protocol traffic from entering the internal network - unless the traffic is part of a
session initiated from within the internal network.
5-53
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
inspect
name
name
name
name
name
name
name
name
name
name
name
name
IN_to_OUT
IN_to_OUT
IN_to_OUT
IN_to_OUT
IN_to_OUT
IN_to_OUT
IN_to_OUT
OUT_to_IN
OUT_to_IN
OUT_to_IN
OUT_to_IN
OUT_to_IN
smtp
ftp
tcp
udp
sqlnet
realaudio
h323
tcp
ftp
vdolive
netshow
h323
IN_to_OUT is configured for traffic destined for the internet or the DMZ.
Inspection is configured inbound on the inside interface (Fa0/0)
OUT_to_IN is setup for traffic heading from the internet. This traffic can
go ONLY to the DMZ. Inspection is configured inbound on the outside
interface (S0)
2007 Cisco Systems, Inc. All rights reserved.
SNRS v2.05-18
The example above specifies the protocols to be inspected using two different inspection rules
that will be applied to two interfaces.
The IN_to_OUT inspection rule instructs the firewall to inspect smtp, ftp, tcp, usdp, sqlnet,
realausdio, and H323 coming from the internal network that is exiting.
The OUT_to_IN inspection rule will inspect traffic coming from the Internet and bound for the
DMZ.
5-54
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
101
111
112
112
112
112
112
121
121
121
121
121
eq
eq
eq
eq
eq
eq
eq
eq
eq
eq
eq
domain
www
ftp
smtp
1755
1720
www
ftp
smtp
1755
1720
SNRS v2.05-19
The example above defines the access lists that will be applied to the appropriate interfaces to
control access in and out of the network.
Note the following:
ACL 101 is usually called the lock down ACL because it should deny all traffic that is
not being inspected to enter the network. ACL 101 will be applied to the internal interface
in the outbound direction in this case.
ACL 111 is applied to the DMZ interface in the inbound direction. ACL 111 allows DNS
traffic from the web server in the DMZ to the Internet.
ACL 112 is applied to the DMZ interface in the outbound direction. ACL 112 allows traffic
from the Internet to the DMZ.
ACL 121 is applied to inbound traffic on the outside interface (s0/0). ACL 121 corresponds
to acl 112, it allows internet traffic inspected by the firewall to the server on the DMZ.
5-55
Lock-down
ACL
firewall inspection
for internally
generated traffic
DNS traffic
SNRS v2.05-20
The two inspection rules and all of the ACLs are applied to the appropriate interfaces in the
example above.
Note the following:
5-56
Interface Fa0/0 (the inside interface) has ACL 101 applied outbound and the inspection rule
applied inbound.
Interface Serial 0 (the outside interface) has ACL 121 applied inbound from Internet and
the inspection rule also applied inbound.
Interface Fa0/1 (the DMZ interface) has no inspection rule applied but has two ACLs
applied both inbound and outbound to restrict access to and from the Internet and the DMZ.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Application Firewall
router(config)# appfw policy-name <policy-name>
router(cfg-appfw-policy)# application [http | im {aol|yahoo|msb}]
SNRS v2.05-21
The application firewall uses static signatures to detect security violations. A static signature is
a collection of parameters that specifies which protocol conditions must be met before an action
is taken. (For example, a signature may specify that an HTTP data stream containing the
power-on self-test [POST] method must reset the connection.) These protocol conditions and
reactions are defined by the end user via a command-line interface (CLI) to form an application
firewall policy (also known as a security policy).
5-57
SNRS v2.05-22
This example shows how to define the HTTP application firewall policy "mypolicy." This
policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the
inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0
interface.
HTTP uses port 80 to transport Internet web services that are commonly used on the network
and rarely challenged with regard to their legitimacy and conformance to standards. Because
port 80 traffic is typically allowed through the network without being challenged, many
application developers are leveraging HTTP traffic as an alternative transport protocol in which
to enable their application to travel through or even bypass the firewall.
Most firewalls provide only packet filtering capabilities that simply permit or deny port 80
traffic without inspecting the data stream; the Cisco IOS application firewall for HTTP
performs packet inspection as follows:
Detects HTTP connections that are not authorized within the scope of the security policy
configuration
If the packet is not in compliance with the HTTP protocol, it will be dropped, the connection
will be reset, and a syslog message will be generated, as appropriate.
5-58
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Allowing specific traffic targeted for port 80 to traverse the firewall: The traffic is
inspected for protocol conformance and for the types of HTTP commands that are allowed
or disallowed.
Denying specific traffic targeted for port 80 that does not comply with HTTP traffic
standards: The firewall is enabled to drop the packet, reset the connection, and send a
syslog message, as appropriate.
audit-trail
content-length
content-type-verification
max-header-length
max-uri-length
port-misuse
request-method
strict-http
timeout
transfer-encoding
Define an application firewall policy and put the router in application firewall policy
configuration mode.
router(config)# appfw policy-name policy-name
5-59
Step 2
Put the router in application firewall protocol configuration and begin configuring
HTTP inspection parameters.
router(cfg-appfw-policy)# application protocol
Syntax Description
protocol
Step 3
im {aol | yahoo | msn}: Traffic for the specified instant messenger application will
be inspected.
Allow HTTP messages to pass through the firewall or to reset the TCP connection or
to generate an alarm when HTTP noncompliant traffic is detected.
router(cfg-appfw-policy-http)# strict-http action {reset |
allow} [alarm]
Syntax Description
action
reset
This keyword sends a TCP reset notification to the client or server if the HTTP
message fails the mode inspection.
allow
alarm
(Optional) This keyword generates system logging (syslog) messages for the
given action.
Step 4
Permit or deny HTTP traffic through the firewall on the basis of message size.
router(cfg-appfw-policy-http)# content-length {min bytes max
bytes | min bytes | max bytes} action {reset | allow} [alarm]
Syntax Description
min bytes
This sets the minimum content length, in bytes, allowed per message. (Number of
bytes range: 0 to 65,535.)
max bytes
This sets the maximum content length, in bytes, allowed per message. (Number
of bytes range: 0 to 65,535.)
action
Messages whose size do not meet the minimum or exceed the maximum number
of bytes are subject to the specified action (reset or allow).
reset
This keyword sends a TCP reset notification to the client or server if the HTTP
message fails the mode inspection.
allow
alarm
(Optional) This keyword generates system logging (syslog) messages for the
given action.
If this command is not enabled, message size is not considered when permitting or denying
HTTP messages.
All messages exceeding the specified content-length range will be subjected to the configured
action (reset or allow).
5-60
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Step 5
Permit or deny HTTP traffic through the firewall on the basis of content message
type.
router(cfg-appfw-policy-http)# content-type-verification
[match-req-resp] action {reset | allow} [alarm]
Syntax Description
match-req-resp
action
Messages that match the specified content type are subject to the
specified action (reset or allow).
reset
allow
alarm
Step 6
Verify that the content type of the message header is listed as a supported
content type
Verify that the content type of the header matches the content of the message
data or entity body portion of the message
Permit or deny HTTP traffic on the basis of the message header length.
router(cfg-appfw-policy-http)# max-header-length request bytes
response bytes action {reset | allow} [alarm]
Syntax Description
request bytes
response bytes
action
Messages that exceed the maximum size are subject to the specified
action (reset or allow).
reset
allow
alarm
All message header lengths exceeding the configured maximum size will be subjected to the
specified action (reset or allow).
Step 7
Permit or deny HTTP traffic on the basis of the uniform resource identifier (URI)
length in the request message.
router(cfg-appfw-policy-http)# max-uri-length bytes action
{reset | allow} [alarm]
5-61
Syntax Description
bytes
action
Messages that exceed the maximum URI length are subject to the specified
action (reset or allow).
reset
This keyword sends a TCP reset notification to the client or server if the
HTTP message fails the mode inspection.
allow
alarm
(Optional) This keyword generates system logging (syslog) messages for the
given action.
Permit or deny HTTP traffic according to either the request methods or the extension
methods.
router(cfg-appfw-policy-http)# request-method {rfc rfc-method
| extension extension-method} action {reset | allow} [alarm]
Syntax Description
rfc
This keyword specifies that the supported methods of RFC 2616, Hypertext
Transfer ProtocolHTTP/1.1, are to be used for traffic inspection.
rfc-method
Any one of the following RFC 2616 methods can be specified: connect,
default, delete, get, head, options, post, put, trace.
extension
This keyword specifies that the extension methods are to be used for traffic
inspection.
extension-method
Any one of the following extension methods can be specified: copy, default,
edit, getattribute, getproperties, index, lock, mkdir, move, revadd,
revlabel, revlog, save, setattribute, startrev, stoprev, unedit, unlock.
action
Methods and extension methods outside of the specified method are subject
to the specified action (reset or allow).
reset
This keyword sends a TCP reset notification to the client or server if the
HTTP message fails the mode inspection.
allow
alarm
(Optional) This keyword generates system logging (syslog) messages for the
given action.
If a given method is not specified, all methods and extension methods are supported with the
reset alarm action.
Only methods configured by the request-method command are allowed thorough the firewall;
all other HTTP traffic is subjected to the specified action (reset or allow).
Step 9
Permit or deny HTTP traffic through the firewall on the basis of specified
applications in the HTTP message.
router(cfg-appfw-policy-http)# port-misuse {p2p | tunneling |
im | default} action {reset | allow}[alarm]
5-62
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Syntax Description
p2p
This keyword sets the following peer-to-peer protocol applications that are
subject to inspection: Kazaa and Gnutella.
tunneling
This keyword sets the following tunneling applications that are subject to
inspection: HTTPPort/HTTPHost, GNU HTTP tunnel, GoToMyPC, FireThru,
Http-tunnel.com Client.
im
default
action
Applications detected within the HTTP messages that are outside of the
specified application are subject to the specified action (reset or allow).
reset
This keyword sends a TCP reset notification to the client or server if the
HTTP message fails the mode inspection.
allow
alarm
If this command is not enabled, HTTP messages are permitted through the firewall if any of the
applications are detected within the message.
Step 10
Permit or deny HTTP traffic according to the specified transfer encoding of the
message.
router(cfg-appfw-policy-http)# transfer-encoding type {chunked
| compress | deflate | gzip | identity | default} action
{reset | allow} [alarm]
Syntax Description
chunked
compress
deflate
ZLIB format defined in RFC 1950, ZLIB Compressed Data Format Specification
version 3.3, combined with the deflate compression mechanism described in RFC
1951, DEFLATE Compressed Data Format Specification version 1.3
gzip
identity
default
action
Encoding types outside of the specified type are subject to the specified action
(reset or allow)
reset
Sends a TCP reset notification to the client or server if the HTTP message fails
the mode inspection
allow
alarm
(Optional) Generates system logging (syslog) messages for the given action
If a given type is not specified, all transfer-encoding types are supported with the reset alarm
action.
Step 11
Specify the elapsed length of time before an inactive connection is torn down. (This
command overrides the global TCP idle timeout value for HTTP traffic).
5-63
Syntax Description
seconds
If this command is not issued, the default value specified via the ip inspect tcp idle-time
command will be used.
Step 12
Next Step
After you have successfully defined an application policy for HTTP traffic inspection, you
must apply the policy to an inspection rule. After that, the inspection rule must be applied to an
interface.
Syntax Description
appfw
policy-name
Step 2
After applying the HTTP application policy to an inspection rule, you can apply the rule to an
interface.
5-64
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-23
This example shows how to configure the application firewall policy "my-im-policy," which
allows text-chat for Yahoo! instant messenger users and blocks instant messenger traffic for all
other users.
The Application Firewall for Instant Message Traffic Enforcement feature enables users to
define and enforce a policy that specifies which instant messaging (IM) traffic types are
allowed into the network. Thus, the following additional functionality can also be enforced:
Deep packet inspection of the payload, looking for services such as text chat
Cisco IOS application firewall has been enhanced to support instant native messenger
application policies. Thus, the Cisco IOS Firewall can now detect and prohibit user connections
to IM servers for the AOL Instant Messenger (AIM), Yahoo! Messenger, and MSN Messenger
IM services. This functionality controls all connections for supported services, including text,
voice, video, and file transfer capabilities. The three applications can be individually denied or
permitted. Each service may be individually controlled so that text chat service is allowed, and
voice, file transfer, video, and other services are restricted. This functionality augments existing
application inspection capability to control IM application traffic that has been disguised as
HTTP (web) traffic.
5-65
Prerequisites
Before defining and enabling an application policy for IM traffic, you must have already
properly configured your router with a DNS server IP address via the ip domain lookup
command and the ip name-server command.
The IP address of the DNS server configured on the Cisco IOS router must be the same as that
configured on all PCs connecting to the IM servers from behind the Cisco IOS Firewall.
Note
If at least one DNS name was not specified for resolution under any of the application
policies for IM protocols (AOL, Yahoo!, or MSN), you do not need to configure the DNS
server IP address in the Cisco IOS router.
alert
audit trail
server
service
timeout
Define an application firewall policy and put the router in application firewall policy
configuration mode.
router(config)# appfw policy-name policy-name
Step 2
Put the router in application firewall protocol configuration mode and begin
configuring IM inspection parameters.
router(cfg-appfw-policy)# application protocol
Syntax Description
protocol
im {aol | yahoo | msn}: Traffic for the specified IM application will be inspected.
This command puts the router in application firewall protocol configuration mode.
Step 3
If this command is not issued, the default value specified via the ip inspect audit-trail
command will be used.
5-66
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Step 4
Syntax Description
permit
deny
name string
This is the name of DNS server for which traffic will be permitted
(and inspected) or denied.
The same server name cannot appear under two different IM
applications; however, the same name can appear under two
different policies within the same IM application. Each entry will
accept only one DNS name.
ip-address
ip-address
This is the IP address of the DNS server for which traffic will be
permitted (and inspected) or denied.
range ip-address-start
ip-address-end
This is the range of DNS server IP addresses for which traffic will
be permitted (and inspected) or denied.
Note
The server command helps the IM application engine to recognize the port-hopping IM traffic
and to enforce the security policy for that IM application; thus, if this command is not issued,
the security policy cannot be enforced if IM applications use port-hopping techniques.
To deploy IM traffic enforcement policies effectively, it is recommended that you issue the
appropriate server command.
Note
To configure more than one set of servers, you can issue the server command multiple times
within an IM application policy. Multiple entries are treated cumulatively.
The server command (with the name keyword) internally resolves the DNS name of the server.
This command sends DNS queries multiple times to gather all possible IP addresses for the IM
servers, which return different IP addresses at different times in response to DNS queries of the
same names. It uses the Time to Live (TTL) field found in DNS responses to refresh its cache.
After a certain period, the DNS cache in IM applications stabilize.
Note
It is recommended that you allow a couple of minutes for the DNS cache to populate with
the IM server IP addresses before the IM traffic reaches the Cisco IOS Firewall.
5-67
Issue the server deny command and list all the server names and IP addresses to which you
want to deny access.
Issue the server permit command and list all the server names and IP addresses that you
want inspected; thereafter, issue the service default reset command, which will deny
access to all services.
Issue the server deny command to block access to any site given its DNS name. For
example, to block all access to a gambling site, you can configure server deny name
www.noaccess.com.
Note
Step 5
The first option is the preferred method because it performs slightly better than the second
option.
(Optional) Specify the elapsed length of time before an inactive connection is torn
down.
router(cfg-appfw-policy-aim)# timeout seconds
Syntax Description
Available timeout range: 5 to 43,200 (12 hours)
seconds
If this command is not issued, the default value specified via the ip inspect tcp idle-time
command will be used.
Note
Step 6
Syntax Description
default
Matches all services that are not explicitly configured under the application
Note: It is recommended that when an IM application is allowed, always specify the
default option for the IM application.
text-chat
action
allow
reset
alarm
5-68
Generates an alarm message when the specified service is encountered over the
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
connection
If the command is not configured, the default is service default action reset.
If the service default command is not specified for an application, the action is considered
reset by the system.
When the reset keyword is used, the connection is reset if TCP is used, and the packet is
dropped if UDP is used. When dropping a packet from a UDP connection, the session will not
be immediately deleted; instead, the session will time out to prevent additional sessions from
being immediately created.
The alarm keyword can be specified alone or with the allow or reset keywords; however, the
allow or reset keywords are mutually exclusive.
Step 7
(Optional) Enable message logging when events, such as the start of a text chat, begin.
router(cfg-appfw-policy-aim)# alert on
router(cfg-appfw-policy-aim)# alert {on | off}
Syntax Description
on
off
If this parameter is not configured, the global setting for the ip inspect alert-off command will
take effect.
Next Step
After you have successfully defined an application policy for IM traffic inspection, you must
apply the policy to an inspection rule. After that, the inspection rule must be applied to an
interface.
Applying an IM Traffic Application Policy to a Firewall for Inspection
To apply an HTTP application policy to an inspection rule, use the following procedure
followed by applying the inspection rule to an interface:
Step 1
Syntax Description
appfw
policy-name
After applying the IM application policy to an inspection rule, you can apply the rule to an
interface.
5-69
SNRS v2.05-24
Use the following command to display application firewall policy configuration information:
show appfw {configuration | dns cache} [policy policy-name]
Syntax Description
configuration
dns cache
policy policy-name
5-70
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-25
The Cisco IOS Firewall performs inspections for TCP and UDP traffic. For example, TCP
inspections include Telnet traffic (port 23, by default) and all other applications on TCP such as
HTTP, e-mail, M chatter, and so on. Therefore, there is no easy way to inspect Telnet traffic
alone and deny all other TCP traffic.
The GPI feature allows you to specify TCP or UDP ports using the PAM table. As a result, the
Cisco IOS Firewall can restrict traffic inspections to specific applications, thereby permitting a
higher degree of granularity in selecting which protocols are to be permitted and denied.
The ip port-map command associates TCP or UDP port numbers with applications or services,
establishing a table of default port mapping information at the firewall. This information is used
to support network environments that run services using ports that are different from the
registered or well-known ports associated with a service or application.
The port mapping information in the PAM table is of one of three types:
System-defined
User-defined
Host-specific
5-71
You can delete or modify system-defined port mapping information. Use the no form of the
command for deletion and the regular form of the command to remap information to another
application.
You can also add new port numbers to system-defined applications. However, for some systemdefined applications such as HTTP and SMTP, in which the firewall inspects deeper into
packets, their protocol (UDP or TCP) cannot be changed from that defined in the system. In
those instances, error messages display.
System-Defined Port Mapping Examples
Application Name
Well-Known or
Registered Port
Number
Protocol Description
cuseeme
7648
CUseeMe
exec
512
ftp
21
h323
1720
http
80
HTTP
rlogin
513
Remote login
msrpc
135
Microsoft RPC
netshow
1755
Microsoft NetShow
real-audio-video
7070
sccp
2000
SCCP
smtp
25
SMTP
sql-net
1521
SQL*NET
streamworks
1558
StreamWorks
sunrpc
111
SUN RPC
tftp
69
TFTP
vdolive
7000
VDOLive
Note
5-72
You can override system-defined entries for a specific host or subnet using the list acl-num
option in the ip port-map command.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-26
Network applications that use nonstandard ports require user-defined entries in the mapping
table. You will use the ip port-map command to create default user-defined entries in the PAM
table.
Note
These entries automatically appear as an option for the ip inspect name command to
facilitate the creation of inspection rules.
You can specify up to five separate port numbers for each port map in a single entry. You can
also specify a port range in a single entry. However, you may not specify both single port
numbers and port ranges in the same entry.
Caution
If you try to map an application to a system-defined port, a message appears warning you of
a mapping conflict. Delete the system-defined entry before mapping it to another application.
Deleted system-defined mappings appear in the running-configuration in their no ip portmap form.
Use the no form of the ip port-map command to delete user-defined entries from the PAM
table. To remove a single mapping, use the no form of the command with all its parameters.
5-73
If you assign the same port number to a new application, the new entry replaces the
existing entry and it no longer appears in the running configuration. You receive a message
about the remapping.
You cannot specify a port number that is in a range assigned to another application;
however, you can specify a range that takes over one singly allocated port or that fully
overlaps another range.
Configuring PAM
Use the ip port-map command to map a port to an application.
ip port-map appl-name port [tcp | udp] [port_num | from begin_port_num
to end_port_num] [list acl-num] [description description_string]
Syntax Description
appl-name
Specifies the name of the application with which to apply the port
mapping
An application name can contain an underscore (_) or a hyphen (-).
An application can also be system-defined or user-defined.
However, a user-defined application must have the prefix user- in it;
for example, user-payroll, user-sales, or user-10. Otherwise, the
following error message appears: "Unable to add port-map entry.
Names for user-defined applications must start with 'user-'."
port
tcp | udp
port_num
from begin_port_num to
end_port_num
5-74
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
list acl-num
description
description_string
5-75
snmp
system defined
Default mapping:
echo
tcp port 7
system defined
Default mapping:
echo
udp port 7
system defined
Default mapping:
telnet
tcp port 23
system defined
Default mapping:
wins
system defined
SNRS v2.05-27
Syntax Description
appl-name
(Optional) Specifies the name of the application to which to apply the port
mapping
port port-num
detail
The example shows that ftp is mapped to port 21 by the system, but it has been remapped to
port 1000 for a specific host.
5-76
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-28
After you define an inspection rule, you apply that rule to an interface.
Normally, you apply only one inspection rule to one interface. The only exception might occur
if you want to enable Cisco IOS classic firewall in two directions as described earlier. For
Cisco IOS classic firewall configured in both directions at a single firewall interface, you
should apply two rules, one for each direction.
If you are configuring Cisco IOS classic firewall on an external interface, apply the rule to
outbound traffic.
If you are configuring Cisco IOS classic firewall on an internal interface, apply the rule to
inbound traffic.
Use the ip inspect interface configuration command to apply a set of inspection rules to an
interface. Use the no form of this command to remove the set of rules from the interface.
The syntax for the ip inspect command is as follows:
ip inspect inspection-name {in | out }
5-77
Syntax Description
5-78
inspection-name
in
out
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-29
Turn on logging and audit trail to provide a record of network access through the firewall,
including illegitimate access attempts, and inbound and outbound services.
Follow this procedure to configure logging and audit trail functions:
Step 1
Add the date and time to syslog and audit trail messages.
router(config)# service timestamps log datetime
Step 2
Specify the hostname or IP address of the host where you want to send syslog
messages.
router(config)# logging ip-address
Step 3
Step 4
(Optional) Limit messages logged to the syslog servers based on severity. The
default is level 7 (informational).
router(config)# logging trap level
Step 5
5-79
Disabling Alerts
To disable IOS classic firewall alert messages, use the ip inspect alert-off command in global
configuration mode. To enable IOS classic firewall alert messages, use the no form of this
command.
5-80
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
show Commands
Router#
show
show
show
show
show
ip
ip
ip
ip
ip
inspect
inspect
inspect
inspect
inspect
name inspection-name
config
interfaces
session [detail]
all
SNRS v2.05-30
You can view and verify Cisco IOS classic firewall configuration, status, statistics, and session
information by using one or more of the following commands
show ip inspect config: Shows the complete Cisco IOS classic firewall inspection
configuration
show ip inspect session [detail]: Shows existing sessions that are currently being tracked
and inspected by Cisco IOS classic firewall
show ip inspect all: Shows all Cisco IOS classic firewall configuration and all existing
sessions that are currently being tracked and inspected by Cisco IOS classic firewall
In most cases, you can tell whether Cisco IOS classic firewall is inspecting network traffic
properly because network applications are working as expected. In some cases, however, you
might want to verify Cisco IOS classic firewall operation. For example, to verify RTSP or
H.323 inspection, initiate an RTSP-based application or H.323-based application through the
firewall. Use the show ip inspect session and show ip access lists commands to verify Cisco
IOS classic firewall operation. These commands display the dynamic ACL entries and the
established connections for a multimedia session.
5-81
debug Commands
Router#
debug
debug
debug
debug
debug
ip
ip
ip
ip
ip
inspect
inspect
inspect
inspect
inspect
function-trace
object-creation
object-deletion
events
timers
Protocol-specific debug
SNRS v2.05-31
Use the debug ip inspect command in EXEC mode to display messages about Cisco IOS
classic firewall events. The no form of this command disables debugging output.
The syntax for the debug ip inspect command is as follows:
debug ip inspect {function-trace | object-creation | object-deletion |
events | timers | protocol | detailed}
Syntax Description
5-82
function-trace
object-creation
object-deletion
events
timers
protocol
This argument displays messages about Cisco IOS classic firewallinspected protocol events, including details about the protocol
packets.
detailed
Use this form of the command in conjunction with other Cisco IOS
classic firewall debugging commands. It displays detailed
information for all other enabled Cisco IOS classic firewall
debugging.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-32
Use the no ip inspect command to remove the entire Cisco IOS classic firewall configuration,
to reset all global timeouts and thresholds to their defaults, to delete all existing sessions, and to
remove all associated dynamic ACLs. This command has no other arguments, keywords,
default behavior, or values.
5-83
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
Cisco IOS classic firewall works to provide network protection on
multiple levels.
Cisco IOS classic firewall uses SPI to inspect traffic and create
temporary openings at firewall interfaces.
There are several basic tasks required to configure Cisco IOS
classic firewall.
For classic firewall to work properly, you need to make sure that
you have IP ACLs configured appropriately and applied at the
appropriate interfaces.
An inspection rule specifies what IP traffic will be inspected by
Cisco IOS Classic Firewall.
The complexity of configurations depend on the topology and
security requirements of the network.
SNRS v2.05-33
Summary (Cont.)
The application firewall uses static signatures to detect security
violations.
GPI allows you to specify TCP or UDP ports using the PAM table.
After you define an inspection rule, you apply this rule to an
interface.
Turn on logging and audit trail to provide a record of network
access through the firewall.
You can view and verify Cisco IOS classic firewall configuration,
status, statistics, and session information.
Use the no ip inspect command to remove the Cisco IOS classic
firewall configuration.
5-84
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-34
References
For additional information, refer to these resources:
Cisco Systems, Inc. Cisco IOS Security Configuration Guide, Release 12.4.:
http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_book
09186a008043360a.html
Cisco Systems, Inc. Cisco IOS Security Command Reference, Release 12.4T:
http://www.cisco.com/en/US/partner/products/ps6441/products_configuration_guide_book
09186a008049e249.html
5-85
5-86
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Lesson 3
Objectives
Upon completing this lesson, you will be able to configure a Cisco IOS zone-based policy
firewall on a Cisco router. This ability includes being able to meet these objectives:
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-2
The older Cisco IOS stateful inspection process suffered from some limitations, including the
following:
5-88
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Private
DMZ DMZ Policy
Private
Policy
Public DMZ
Policy
Untrusted
DMZ
Internet
PrivatePublic
Policy
SNRS v2.05-3
Cisco IOS Release 12.4(6)T introduced a new configuration model for the Cisco IOS Firewall
feature set. This new Cisco IOS zone-based policy firewall offers intuitive policies for multiple
interface routers, increased granularity of firewall policy application, and a default deny-all
policy that prohibits traffic between firewall zones until an explicit policy is applied to allow
desirable traffic.
Nearly all firewall features implemented prior to Cisco IOS Release 12.4(6)T are supported in
the new zone-based policy inspection interface, including the following:
Application inspection
Virtual private network (VPN) routing and forwarding (VRF)-aware Cisco IOS Firewall
URL filtering
Service lists can be combined with network and host address lists.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-89
DMZ Private
Policy
Private DMZ
Policy
Public DMZ
Policy
IP address/subnet/ACL
TCP/UDP/ICMP
DMZ
Trusted
Internet
Application service
Application-specific
policy
Untrusted
Private Public
Policy
SNRS v2.05-4
Multiple traffic classes and actions are applied per zone pair.
Protocols
Application services
Application-specific policies
Cisco IOS zone-based policy firewall generally improves Cisco IOS performance for most
firewall inspection activities.
Cisco IOS zone-based policy firewall changes the firewall from the older interface-based model
to a more flexible, more easily understood zone-based configuration model. Interfaces are
assigned to zones, and an inspection policy is applied to traffic moving between the zones.
Interzone policies offer considerable flexibility and granularity, so different inspection policies
can be applied to multiple host groups connected to the same router interface.
Firewall policies are configured with the Cisco Policy Language, which employs a hierarchical
structure to define inspection for network protocols and the groups of hosts to which the
inspection will be applied.
5-90
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Configuration Model
Cisco IOS zone-based policy firewall completely changes the way you configure a Cisco IOS
Firewall.
The first major change to the firewall configuration is the introduction of zone-based
configuration. Cisco IOS Firewall is the first Cisco IOS Software threat defense feature to
implement a zone configuration model. Other features might adopt the zone model over time.
The classical Cisco IOS Firewall stateful inspection and Context-Based Access Control
(CBAC) interface-based configuration model employing the ip inspect command set will be
maintained for a period of time, but few, if any, new features will be configurable with the
classic command-line interface (CLI). The Cisco IOS zone-based policy firewall does not use
the stateful inspection or CBAC commands.
Note
The two configuration models can be used concurrently on routers, but not combined on
interfaces; an interface cannot be configured as a security zone member and configured for
IP inspection simultaneously.
Zones establish the security borders of your network. A zone defines a boundary where traffic
is subjected to policy restrictions as it crosses to another region of your network. The Cisco IOS
zone-based policy firewall default policy between zones is deny all. If no policy is explicitly
configured, all traffic moving between zones is blocked. This is a significant departure from the
stateful inspection model, in which traffic was implicitly allowed until explicitly blocked with
an ACL.
The second major change is the introduction of a new configuration policy language known as
Cisco Policy Language. Users familiar with the Cisco IOS Software Modular quality of service
(QoS) CLI (MQC) might recognize the format being similar to the use of class maps by QoS to
specify which traffic will be affected by the action applied in a policy map.
General Rules
The membership of router network interfaces in zones is subject to several rules governing
interface behavior, as is the traffic moving between zone member interfaces.
All traffic to and from a given interface is implicitly blocked when the interface is assigned
to a zone, excepting traffic to and from other interfaces in the same zone, and traffic to any
interface on the router.
Traffic is implicitly allowed to flow by default among interfaces that are members of the
same zone.
To permit traffic to and from a zone member interface, a policy allowing or inspecting
traffic must be configured between that zone and any other zone.
The self zone is the only exception to the default deny-all policy. All traffic to any router
interface is allowed until traffic is explicitly denied.
Traffic cannot flow between a zone member interface and any interface that is not a zone
member. Pass, inspect, and drop actions can only be applied between two zones.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-91
5-92
Interfaces that have not been assigned to a zone function as classical router ports and might
still use classical stateful inspection or CBAC configuration.
If it is required that an interface on the box not be part of the zoning or firewall policy, it
might still be necessary to put that interface in a zone and configure a pass all policy (sort
of a dummy policy) between that zone and any other zone to which traffic flow is desired.
From the preceding it follows that, if traffic is to flow among all of the interfaces in a
router, all the interfaces must be part of the zoning model (each interface must be a member
of one zone or another).
The only exception to the preceding deny-by-default approach is the traffic to and from the
router, which will be permitted by default. An explicit policy can be configured to restrict
such traffic.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Basic Topology
This section describes a basic topology using Cisco IOS zone-based policy firewall.
Basic Firewall
The private zone must reach the Internet, with access to HTTP,
SMTP, and DNS services.
The Internet should not have any inbound access.
HTTP
SMTP
DNS
Untrusted
Trusted
VLAN
1
Fa0
Internet
No
Access
SNRS v2.05-5
One interface connected to a private LAN that must be able to reach the public Internet
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-93
DMZ Topology
This section describes the basic demilitarized zone (DMZ) topology using Cisco IOS zonebased policy firewall.
DMZ Topology
Network consists of three zones:
Internet zone: Internet
DMZ zone: 64.96.112.0/24
Private zone: Private network, 10.0.1.0/24
HTTP Server
64.96.112.55
Public DMZ
Policy
DMZ
Internet
e1
Private
Internet
e0
s0
Private Internet
Policy
SNRS v2.05-6
One interface connected to a private LAN that must not be accessible from the public
Internet
One interface connected to an Internet service DMZ, where a web server, Domain Name
System (DNS) server, and e-mail server must be accessible to the public Internet
Each interface in this network will be assigned to its own zone, although you might want to
allow varying access from the public Internet to specific hosts in the DMZ and varying
application use policies for hosts in the protected LAN.
In the example, each zone holds only one interface. If an additional interface is added to the
private zone, the hosts connected to the new interface in the zone would be able to pass traffic
to all hosts on the existing interface in the same zone. Additionally, the traffic of local hosts to
hosts in other zones would be similarly affected by existing policies.
5-94
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-95
Zones
This topic describes zones, security zones, and zone pairs.
Security Zones
E2
Not in Any
Security
Zones
S4
E0
Zone Z1
Zone Z2
S3
E1
Security
Zones
SNRS v2.05-7
A security zone is a group of interfaces that have similar functions or features. Security zones
provide a way for you to specify where a Cisco IOS Firewall is applied.
For example, on a router, interfaces Ethernet 0 and Ethernet 1 may be connected to the local
LAN. These two interfaces are similar because they represent the internal network, so they can
be grouped into a zone for firewall configurations.
Traffic between interfaces in the same zone is not be subjected to any policy. The traffic passes
freely.
Note
Security Zones
A security zone is a group of interfaces to which a policy can be applied.
Grouping interfaces into zones involves two steps:
5-96
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
When an interface is a member of a security zone, all traffic to and from that interface (except
traffic going to the router or initiated by the router) is dropped. To permit traffic to and from a
zone member interface, you must make that zone part of a zone pair and then apply a policy to
that zone pair. If the policy permits traffic (via inspect or pass actions), traffic can flow
through the interface.
By default, traffic flows among interfaces that are members of the same zone.
For traffic to flow among all the interfaces in a router, all the interfaces must be a member of
one security zone or another.
Note
Traffic flows freely between interfaces E0 and E1 because they are members of the same
security zone (Z1).
If no policies are configured, traffic will not flow between any other interfaces (for
example, E0 and S3, E1 and S3).
Traffic can flow between E0 or E1 and S3 only when an explicit policy permitting traffic is
configured between zone Z1 and zone Z2.
Traffic can never flow between E2 and E0, E1, or S3 because E2 is not part of any security
zone.
5-97
Zoning Rules
This section summarizes the zoning rules.
SNRS v2.05-8
If one interface is in a zone, and another interface is not in a zone, traffic may never flow
between them.
Traffic will not flow between two interfaces until a policy is defined to allow the traffic, if
the two interfaces are in two different zones.
5-98
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
An interface cannot be part of a zone and legacy inspection policy at the same time.
When an interface is a member of a security zone, all traffic to and from that interface is
blocked unless you configure an explicit interzone policy on a zone pair involving that
zone.
Traffic cannot flow between an interface that is a member of a security zone and an
interface that is not a member of a security zone, because a policy can be applied only
between two zones.
For traffic to flow among all the interfaces on a router, all the interfaces must be members
of one security zone or another. This is particularly important because after you make an
interface a member of a security zone, a policy action (such as inspect or pass) must
explicitly allow packets. Otherwise, packets are dropped.
If an interface on a router cannot be part of a security zone or firewall policy, you may have
to put that interface in a security zone and configure a pass all policy (that is, a dummy
policy) between that zone and other zones to which a traffic flow is desired.
An ACL cannot be applied between security zones and zone pairs. Include the ACL
configuration in a class map, and use policy maps to drop traffic.
You can configure policies between security zones whose member interfaces are in
separate VRFs. However, traffic may not flow between these VRFs if the configuration
does not allow it.
If traffic does not flow between VRFs (because route leaking between VRFs is not
configured), the policy across the VRFs is not executed. This is a misconfiguration on the
routing side, not on the policy side.
Traffic between interfaces in the same security zone is not subjected to any policy; the
traffic passes freely.
The source and the destination zones in a zone pair must be a member of a security zone.
The same zone cannot be defined as both the source and the destination.
5-99
Zone Pairs
This section covers zone pairs.
E2
Not in Any
Security
Zones
S4
E0
Zone Z1
Zone Z2
S3
E1
SNRS v2.05-9
A zone pair allows you to specify a unidirectional firewall policy between two security zones.
To define a zone pair, use the zone-pair security command. The direction of the traffic is
specified by specifying a source and destination zone. The source and destination zones of a
zone pair must be security zones. The same zone cannot be defined as both the source and the
destination.
When an interface is configured to be a zone member, the hosts connected to the interface are
included in the zone, but traffic flowing to and from the router interfaces is not controlled by
the zone policies. Instead, all of the IP interfaces on the router are automatically made part of
the self zone when the Cisco IOS zone-based policy firewall is configured. To control IP traffic
moving to the router interfaces from the various zones on a router, policies must be applied to
block or allow and inspect traffic between the zone and the router self zone, and vice versa.
If desired, you can select the default self zone as either the source or the destination zone. The
self zone is a system-defined zone. It does not have any interfaces as members. A zone pair that
includes the self zone, along with the associated policy, applies to traffic directed to the router
or traffic generated by the router. It does not apply to traffic through the router.
The most common usage of firewalls is to apply them to traffic through a router, therefore, you
usually need at least two zones (that is, you cannot use the self zone).
To permit traffic between zone member interfaces, you must configure a policy permitting (or
inspecting) traffic between that zone and another zone.
To attach a firewall policy map to the target zone pair, use the service-policy type inspect
command.
5-100
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
The Security Zone Pairs figure shows the application of a firewall policy to traffic flowing
from zone Z1 to zone Z2, which means that the ingress interface for the traffic is a member of
zone Z1 and the egress interface is a member of zone Z2.
If there are two zones and you require policies for traffic going in both directions (from Z1 to
Z2 and Z2 to Z1), you must configure two zone pairs (one for each direction).
If a policy is not configured between a pair of zones, traffic is dropped. However, it is not
necessary to configure a zone pair and a service policy solely for return traffic. Return traffic is
allowed, by default, if a service policy permits the traffic in the forward direction. In the
example, it is not mandatory that you configure a zone pair source Z2 destination Z1 solely for
allowing return traffic from Z2 to Z1. The service policy on the Z1-Z2 zone pair takes care of
this.
5-101
Specifying Policy
Applies Cisco Policy Language framework
Based on existing MQC framework in Cisco IOS Software
Only three constructs:
Class-map specifies interesting traffic via match conditions.
Policy-map associates actions with the above-specified traffic.
Parameter-map specifies operating parameters for the
classification and action application.
SNRS v2.05-10
You will use the Cisco Policy Language framework to build Cisco IOS zone-based policy
firewall policies.
There are three main constructs involved when dictating Cisco IOS zone-based policy firewall
policies:
Class-map: A class is a way of identifying a set of packets based on its contents using
match conditions. Normally, you define a class so that you can apply an action on the
identified traffic that reflects a policy. A class is designated via class maps.
The class-map command creates a class map to be used for matching packets to a specified
class. Packets arriving at the targets (such as the input interface, output interface, or zone
pair), determined by how the service-policy command is configured, are checked against
the match criteria configured for a class map to determine if the packet belongs to that
class.
Policy-map: Policy maps associate actions with traffic classified by class maps. An action
is a specific functionality. It typically is associated with a traffic class. For example,
inspect, drop, and pass, are actions.
The policy-map command creates or modifies a policy map that can be attached to one or
more targets to specify a service policy. Use the policy-map command to specify the name
of the policy map to be created, added to, or modified before you can configure policies for
classes whose match criteria are defined in a class map.
5-102
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
The parameter-map type command allows you to specify parameters that control the behavior
of actions and match criteria specified under a policy map and a class map, respectively.
There are currently three types of parameter maps:
An inspect parameter map is optional. If you do not configure a parameter map, the software
uses default parameters. Parameters associated with the inspect action apply to all nested
actions (if any). If parameters are specified in both the top and lower levels, those in the lower
levels override those in the top levels.
A parameter map is required for URL filtering (via the url filter action in a Layer 3 or Layer 4
policy map and the url filter parameter map).
5-103
SNRS v2.05-11
MQC class maps have numerous match criteria; firewalls have fewer match criteria. Firewall
class maps have the type of inspect; this information controls what shows up under firewall
class maps.
Class maps define the traffic that the firewall selects for policy application. Layer 4 class maps
sort the traffic based on criteria.
A class map uses the match-any or match-all logical qualifiers to determine how a packet is
matched against the filters in the class map.
You will use three types of filters:
5-104
match <protocol-name>: The Layer 4 protocols (TCP, UDP, and ICMP) and application
services such as HTTP, Simple Mail Transfer Protocol (SMTP), DNS, and so on; any wellknown or user-defined service known to Port-to-Application Mapping (PAM) may be
specified.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Class-maps can apply match-any or match-all operators to determine how to apply the
match criteria. If match-any is specified, traffic must meet only one of the match criteria in
the class map. If match-all is specified, traffic must match all of the class map criteria to
belong to that particular class.
If traffic might meet multiple criteria, match criteria must be applied in order from more
specific to less specific. For example, consider the following class map:
class-map type inspect match-any my-test-cmap
match protocol http
match protocol tcp
HTTP traffic must encounter the match protocol http statement first to be sure that the traffic
will be handled by the service-specific capabilities of HTTP inspection. If the match lines
were reversed so that traffic encountered the match protocol tcp statement before it were
compared to the match protocol http statement, the traffic would simply be classified as TCP
traffic and inspected according to the capabilities of the TCP inspection component of the
firewall. This would be a problem for certain services such as FTP, TFTP, and several
multimedia and voice signaling services such as H.323, session initiation protocol (SIP),
Skinny, Real-Time Streaming Protocol (RTSP), and others. These services require additional
inspection capabilities to recognize the more complex activities of these services.
Class maps can apply an ACL as one of the match criteria for policy application. If the only
match criteria of a class map is an ACL and the class map is associated with a policy map
applying the inspect action, the router will apply inspection for all known services (according
to the show ip port-map command). Thus, the ACL must apply the restriction to limit traffic to
specific desired types. Note that the PAM list only includes application services such as HTTP,
NetBIOS, H.323, DNS, and so on. If a service is not known to PAM, it will not be inspected.
The PAM list tends to include more services with each passing Cisco ISO Software release;
therefore check the port map list to be certain that your services are known to the firewall
software.
5-105
Specifies traffic that is bound for any of the three protocols listed
R1(config)# class-map type inspect match-any c2
R1(config-cmap)# match protocol http
R1(config-cmap)# match protocol ftp
R1(config-cmap)# match protocol smtp
Specifies traffic that is bound for any of the three protocols in c2 and that
also matches ACL 199
R1(config)# class-map type inspect match-all c3
R1(config-cmap)# match access-group 199
R1(config-cmap)# match class c2
2007 Cisco Systems, Inc. All rights reserved.
SNRS v2.05-12
A Layer 3 or Layer 4 policy map is sufficient for the basic inspection of traffic.
The example shows how to configure three class maps with various match criteria.
After creating your class maps, you might create an inspect policy map to specify that packets
will be inspected. Here is an example:
router(config)# policy-map type inspect policy-map-name
router(config-pmap)# class type inspect class-map-name
router(config-pmap-c)# inspect
5-106
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-13
HTTP
SMTP
5-107
5-108
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Inspect
Monitor outbound traffic according to permit or deny policy
Anticipate return traffic according to session table entries
Drop any traffic that is not specifically inspected
(class-default traffic)
SNRS v2.05-14
A policy is an association of traffic classes and actions. It specifies what actions should be
performed on the defined traffic classes. An action is a specific function, and it is typically
associated with a traffic class. For example, inspect, pass, and drop are actions.
Cisco IOS zone-based policy firewall provides three actions for traversing traffic from one zone
to another:
Drop: This is the default action for all traffic. Also, a policy map can be configured to drop
unwanted traffic. Traffic that is assigned to the drop action is blocked by the Cisco IOS
zone-based policy firewall, and an ICMP host unreachable message is returned to the
host that sent the dropped traffic.
Pass: This action allows the router to forward traffic from one zone to another. The pass
action does not track the state of connections or sessions within the traffic; pass only allows
the traffic in one direction. A corresponding policy must be applied to allow return traffic
to pass in the opposite direction. The pass action is useful for protocols such as IP Security
(IPsec) Encapsulating Security Payload (ESP), IPsec Authentication Header (AH), Internet
Security Association and Key Management Protocol (ISAKMP), and other inherently
secure protocols with predictable behavior, but most application traffic is better handled in
the Cisco IOS zone-based policy firewall with the inspect action.
Inspect: The inspect action offers state-based traffic control. If, for example, traffic from
the private zone to the Internet zone in the earlier sample network is inspected, the router
will maintain the connection or session information for TCP and UDP traffic; therefore, the
router will permit return traffic sent from Internet zone hosts in reply to private zone
connection requests. The inspect action also offers the capability to provide application
inspection and control for certain service protocols that might carry vulnerable or sensitive
application traffic.
5-109
SNRS v2.05-15
Policy types used for Cisco IOS zone-based policy firewall include Layer 3, Layer 4, and Layer
7 policies. Your choice of Layer 3, Layer 4, and Layer 7 policy will depend on the network
security policies.
In general, please note the following:
5-110
A Layer 3 and Layer 4 policy is called a top-level policy, which can be attached to a zone
pair.
A Layer 7 policy map provides application-level inspection of traffic. It is usually used for
more granular control of application layer protocols such as HTTP, SMTP, and others.
A Layer 3 and 4 policy is sufficient for basic inspection. A Layer 7 policy is sufficient for a
more granular control of application layer protocols; however it must be nested with a
Layer 3/Layer 4 top-level policy.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-16
A Layer 7 policy map is more protocol specific. The options depend on the protocol.
Currently, Layer 7 policies can be configured for the following protocols: HTTP, SMTP,
POP3, IMAP, and RPC
The Layer 7 policy cannot be directly attached to a zone pair. It must be attached to the toplevel policy using the service-policy command.
The class map in the top-level policy must have a match protocol filter and it must match
the protocol in the Layer 7 policy map.
One Layer 7 policy map may be used with multiple classes and policies.
5-111
Hierarchy
L7
HTTP sessions
with URL length
>500
HTTP
policy
Layer 7 policy
action: Reset
reset
class-map type inspect match-all http-traffic
L3/L4
top
level
policy
Aggregate HTTP
traffic matching ACL
199 at top level
Specify deep-packet
HTTP inspection
SNRS v2.05-17
To create a Layer 7 policy map, specify the protocol in the applicable policy-map type inspect
command. For example, to create a Layer 7 HTTP policy map, use the policy-map type
inspect http command.
If you do not specify a protocol name (for example, you use the policy-map type inspect
command), you will be creating a Layer 3 or Layer 4 policy map, which can only be an inspect
type policy map.
A Layer 7 policy map must be contained in a Layer 3 or Layer 4 policy map; it cannot be
attached directly to a target. To attach a Layer 7 policy map to a top-level policy map, use the
service policy inspect command and specify the application name (that is, HTTP, IMAP,
POP3, SMTP, or Sun RPC). The parent class for a Layer 7 policy should have an explicit
match criterion that matched only one Layer 7 protocol before the policy is attached. The
policy map can include class maps only of the same type.
If the Layer 7 policy map is in a lower level, you must specify the inspect action at the parent
level for a Layer 7 policy map.
5-112
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Parameter Maps
Specify parameters such as old inspect cli
R1(config)# parameter-map type inspect myparams
R1(config-profile)# alert on
R1(config-profile)# audit-trail on
R1(config-profile)# max-incomplete high 1000
R1(config-profile)# tcp idle-time 360
R1(config-profile)# exit
-------- Then apply to policy map ------------R1(config)# policy-map type inspect mypolicy
R1(config-pmap)# class type inspect c1
R1(config-pmap-c)# inspect myparams
R1(config-pmap-c)# end
SNRS v2.05-18
Parameter Maps
A parameter map allows you to specify parameters that control the behavior of actions and
match criteria specified under a policy map and a class map, respectively.
The four current types of parameter maps are as follows:
Inspect parameter map: An inspect parameter map is optional. If you do not configure a
parameter map, the software uses default parameters. Parameters associated with the
inspect action apply to all nested actions (if any). If parameters are specified in both the top
and lower levels, those in the lower levels override those in the top levels.
URL filter parameter map: A parameter map is required for URL filtering (via the URL
filter action in a Layer 3 or Layer 4 policy map and the URL filter parameter map).
Mitigation parameter map: A parameter map is required for an instant messaging (IM)
application (Layer 7) policy map.
TMS (TIDP Based Mitigation Services ) parameter map: The TMS type parameter map
is a container for TMS protocol-specific configuration parameters.
After you enter the parameter-map type inspect command, you can enter the following
subcommands:
alert {on | off}: Turns on Cisco IOS stateful packet inspection alert messages
5-113
5-114
tcp finwait-time seconds: Specifies how long a TCP session will be managed after the
Cisco IOS Firewall detects a FIN exchange
tcp max-incomplete host threshold [block-time minutes}: Specifies the threshold and
blocking time values for TCP host-specific DoS detection and prevention
tcp synwait-time seconds: Specifies how long the software will wait for a TCP session to
reach the established state before dropping the session
udp idle-time seconds: Configures the timeout of UDP sessions going through the firewall
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Fa
0/0
SNRS v2.05-19
There are several steps required to configure a Cisco IOS zone-based policy firewall. The
following procedure can be used to configure a Cisco IOS zone-based policy firewall. The
sequence of steps is not important, but some events must be completed in order. For instance,
you must configure a class map before you assign a class map to a policy map. Similarly, you
cannot assign a policy map to a zone pair until you have configured the policy. If you try to
configure a section that relies on another portion of the configuration that you have not
configured, the router will respond with an error message.
To set up a Cisco IOS zone-based policy firewall, follow these steps:
Step 1
Identify the interfaces to include in security zones. Identify interfaces that face the
Internet, the corporate LAN, and the DMZ. Interfaces that share the same function
should be grouped into the same security zones.
Step 2
Determine the flow of traffic needed between zones. Determine what traffic is
necessary and in which direction.
Step 3
Step 4
Step 5
Step 6
Step 7
5-115
SNRS v2.05-20
5-116
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Syntax Description
zone-name
It is recommended that you create at least two security zones so that you can create a zone pair.
If you create only one zone, you can use the default system-defined self zone. The self zone
cannot be used for traffic going through a router.
Assign an interface to the security zone (as discussed here). You now need to assign
an interface to a security zone that belongs to a zone pair.
Syntax Description
zone-name
The zone-member security command puts an interface into a security zone. When an interface
is in a security zone, all traffic to and from that interface (except traffic going to the router or
initiated by the router) is dropped by default. To permit traffic through an interface that is a
zone member, you must make that zone part of a zone pair to which you apply a policy. If the
policy permits traffic (via inspect or pass actions), traffic can flow through the interface.
Syntax Description
zone-pair-name
source source-zonename
destination
destination-zone-name
self
5-117
This command creates a zone pair, which permits a unidirectional firewall policy between a
pair of security zones.
If you created only one zone, you can use the system-defined default zone (self) as part of a
zone pair. Such a zone pair and its associated policy apply to traffic directed to the router or
generated by the router. It does not affect traffic through the router.
You can specify the self keyword for the source or destination, but not for both. You cannot
modify or unconfigure the self zone.
SNRS v2.05-21
Create a Layer 3 or Layer 4 inspect type class map and enter class map configuration
mode.
router(config)# class-map type inspect [match-any | match-all]
class-map-name
Syntax Description
match-any |
match-all
(Optional) Determines how packets are evaluated when multiple match criteria exist
Packets must meet one of the match criteria (match-any) or all of the match criteria (matchall) to be considered a member of the class.
Note: The match-all keyword is available only with Layer 3, Layer 4, and HTTP type class
maps.
class-map-name
5-118
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
You can configure a top-level (Layer 3 or Layer 4) class map, which allows you to identify the
traffic stream at a high level, by issuing the match access-group and match protocol
commands. These class maps cannot be used to classify traffic at the application level (the
Layer 7 level).
Step 2
Configure the match criteria for a class map based on the ACL name or number.
router(config-cmap)# match access-group {access-group | name
access-group-name}
Syntax Description
access-group
Numbered ACL whose contents are used as the match criteria against which
packets are checked to determine if they belong to this class
An ACL number can be a number from 1 to 2699.
name accessgroup-name
Named ACL whose contents are used as the match criteria against which packets
are checked to determine if they belong to this class
The name can be a maximum of 40 alphanumeric characters.
The match access-group command specifies a numbered or named ACL whose contents are
used as the match criteria against which packets are checked to determine if they belong to the
class specified by the class map.
Step 3
Configure the match criteria for a class map on the basis of a specified protocol.
router(config-cmap)# match protocol protocol-name
Syntax Description
protocolname
The match protocol command specifies the name of a protocol to be used as the match criteria
against which packets are checked to determine if they belong to the class specified by the class
map.
If you enter the match protocol (zone) command under the class-map type inspect command,
the PAMs are honored when the protocol field in the packet is matched against this command.
All the port mappings configured in PAM appear under this.
Step 4
(Optional) Specify a previously defined class as the match criteria for a class map.
router(config-cmap)# match class-map class-map-name
Syntax Description
class-map-name
The only method of including both match-any and match-all characteristics in a single traffic
class is to use the match class-map command. To combine match-any and match-all
characteristics into a single class, a traffic class created with the match-any instruction must
use a class configured with the match-all instruction as a match criterion (through the match
class-map command), or vice versa.
5-119
You can also use the match class-map command to nest traffic classes within one another,
saving users the overhead of re-creating a new traffic class when most of the information exists
in a previously configured traffic class.
SNRS v2.05-22
Step 1
If you are creating an inspect type policy map, note that only the following actions are
allowed: drop, inspect, police, pass, service-policy, and urlfilter.
Create a Layer 3 and Layer 4 inspect type policy map and enter policy map
configuration mode.
router(config)# policy-map type inspect policy-map-name
Step 2
Step 3
5-120
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-23
Step 2
Step 3
Step 4
router(config-profile)# parameter
5-121
Step 2
Syntax Description
policy-map-name
Use the service-policy type inspect command to attach a policy map and its associated actions
to a zone pair. Enter this command after entering the zone-pair security command.
5-122
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Configuration Examples
This section shows some examples of Cisco IOS zone-based policy firewall configurations.
SNRS v2.05-24
5-123
SNRS v2.05-25
This example shows how to drop specific trafficfor example, from a compromised host.
5-124
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
parameters for
inspection
!
policy-map type inspect snrspolicy
Inspect action with
class type inspect inspect-traffic
specified optional
inspect snrsparams
parameters
!
zone-pair security in-out source in-zone dest out-zone
service-policy type inspect snrspolicy
!
SNRS v2.05-26
This example shows how to adjust some of the inspection parameters using a parameter map.
5-125
Private-Internet-DMZ
!
class-map type inspect insp-traffic
match protocol http
match protocol icmp
match protocol tcp
class-map type inspect match-all myhttp
match access-group 199
match protocol http
!
policy-map type inspect p-inout
class type inspect insp-traffic
inspect
policy-map type inspect webtraffic
class type inspect myhttp
inspect
!
zone-pair security priv-internet source private destination internet
service-policy type inspect p-inout
zone-pair security internet-dmz source internet destination dmz
service-policy type inspect webtraffic
!
access-list 199 permit tcp any host 172.16.1.10
2007 Cisco Systems, Inc. All rights reserved.
SNRS v2.05-27
This example shows a basic DMZ configuration. It shows policies for the inside-to-Internet and
the Internet-to-DMZ traffic flows.
5-126
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SMTP InspectionBasic
!
class-map type inspect c1
match protocol smtp
!
policy-map type inspect mypolicy
class type inspect c1
inspect
SNRS v2.05-28
This example shows a basic SMTP inspection policy. This model exhibits the same behavior as
the old ip inspect name command and holds true for all protocols in the PAM table.
5-127
!
class-map type inspect c1
match protocol smtp
!
parameter-map type inspect snrsparams
alert on
audit-trail on
tcp idle-time 360
!
policy-map type inspect snrspolicy
class type inspect c1
inspect snrsparams
!
SNRS v2.05-29
This example shows how to inspect SMTP and adjust some of the parameters for SMTP
inspection. The audit-trail, alert, and timeout keywords are part of the parameter-map (type
inspect) command.
5-128
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SMTPwith DPI
!
class-map type inspect smtp huge-mails
match data-length gt 100000
!
Layer 7
policy-map type inspect smtp snrssmtp-policy
Policy
class type inspect smtp huge-mails
reset
!
class-map type inspect c1
match protocol smtp
!
Layer
policy-map type inspect snrspolicy
3/Layer 4
Policy
class type inspect c1
inspect
Basic
inspection
service-policy inspect smtp snrssmtp-policy
!
More application-level
control (via Layer 7/DPI
policy-map)
2007 Cisco Systems, Inc. All rights reserved.
SNRS v2.05-30
This example shows how to apply DPI using a Layer 7 policy map nested with a top-level
Layer 3/Layer 4 policy.
5-129
Verification Commands
show zone security
show zone-pair security
show policy-map type inspect
show policy-map type inspect zone-pair sessions
Examines the firewall state table
show class-map type inspect
SNRS v2.05-31
Cisco IOS zone-based policy firewall introduces new commands to view policy configuration
and monitor firewall activity.
Display zone descriptions and the interfaces contained in a specified zone using the show zone
security [<zone-name>] command.
When the zone name is not included, the command displays the information of all the zones
configured.
To display the source zone, destination zone, and policy attached to the zone pair, use the
show zone-pair security [source <source-zone-name>] [destination <destination-zonename>] command.
When no source or destination is specified, all the zone pairs with source, destination, and the
associated policy are displayed. When only the source or destination zone is mentioned, all the
zone pairs that contain this zone as the source or destination are displayed.
To display a specified policy map, use the show policy-map type inspect [<policy-map-name>
[class <class-map-name>]] command.
When the name of a policy map is not specified, it displays all policy maps of type inspect
(including Layer 7 policy maps that contain a subtype).
5-130
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
The older Cisco IOS stateful inspection process suffered from some
limitations.
The new Cisco IOS Zone-based policy firewall offers intuitive policies for
multiple-interface routers, increased granularity of firewall policy
application, and a default deny-all policy.
A security zone is a group of interfaces that have similar functions or
features and a zone-pair allows you to specify a unidirectional firewall
policy between two security zones.
Policies are defined using:
Class maps to specify traffic
Policy maps to define actions
There are several steps required to configure a Cisco IOS zone-based
policy firewall.
Cisco IOS based policy zone firewall introduces new commands to view
policy configuration and monitor firewall activity.
2007 Cisco Systems, Inc. All rights reserved.
SNRS v2.05-32
References
For additional information, refer to these resources:
Cisco Systems, Inc. Cisco IOS Software Releases 12.4 T: Zone-Based Policy Firewall.
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.h
tml.
Cisco Systems, Inc. Cisco IOS Software Releases 12.4 Mainline: Zone-Based Policy
Firewall Design Guide.
http://www.cisco.com/en/US/products/ps6350/products_feature_guide09186a008072c6e3.
html#wp1066679
5-131
5-132
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Lesson 4
Objectives
Upon completing this lesson, you will be able to configure Cisco IOS Firewall authentication
proxy on a Cisco router. This ability includes being able to meet these objectives:
Describe how system administrators can use Cisco IOS Firewall authentication proxy to
allow specific security policies on a per-user basis for TACACS+ and RADIUS servers
Describe how to provide authentication and authorization for the Cisco IOS Firewall
authentication proxy using Cisco Secure ACS for Windows
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-2
The Cisco IOS Firewall authentication proxy feature enables network administrators to apply
specific security policies on a per-user basis. Authentication proxy provides dynamic, per-user
authentication and authorization, authenticating users with industry standard TACACS+ and
RADIUS authentication protocols. Previously, user identity and related authorized access were
associated with a user IP address, or a single security policy had to be applied to an entire user
group or subnet. Now, users can be identified and authorized on the basis of their per-user
policy, and access privileges can be tailored on an individual basis, as opposed to a general
policy applied across multiple users. Authenticating and authorizing connections by users
provides more robust protection against network attacks.
Auth-prox can provide authentication and authorization for the following protocols.
HTTP
HTTPS
FTP
Telnet
5-134
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Web
Server
Client
Host
Internet
FTP
Server
Telnet
Server
Client
Host
2007 Cisco Systems, Inc. All rights reserved.
SNRS v2.05-3
With the authentication proxy feature, users can log in to the network or access the Internet via
HTTP, secure HTTP (HTTPS), FTP, or Telnet, and their specific access profiles are
automatically retrieved and applied from a Cisco Secure Access Control Server (ACS) or other
RADIUS or TACACS+ authentication server. The user profiles are active only when there is
active traffic from the authenticated users.
The Cisco IOS Firewall authentication proxy is compatible with other Cisco IOS security
features such as Network Address Translation (NAT), Context-Based Access Control (CBAC),
IP Security (IPsec) encryption, and Cisco Virtual Private Network (VPN) Client.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-135
Login screen
SNRS v2.05-4
When a user initiates an HTTP, HTTPS, FTP, or Telnet session through the firewall, it triggers
the Cisco IOS Firewall authentication proxy. The Cisco IOS Firewall authentication proxy first
checks to see whether the user has been authenticated. If a valid authentication entry exists for
the user, the session is allowed and no further intervention is required by the Cisco IOS
Firewall authentication proxy. If no entry exists, the Cisco IOS Firewall authentication proxy
responds to the connection request by prompting the user for a username and password.
Users must successfully authenticate with the authentication server by entering a valid
username and password. If the authentication succeeds, the user authorization profile is
retrieved from the authentication, authorization, and accounting (AAA) server. The Cisco IOS
Firewall authentication proxy uses the information in this profile to create dynamic access
control entries (ACEs) and add them to the inbound (input) access control list (ACL) of an
input interface, and to the outbound (output) ACL of an output interface if an output ACL
exists at the interface. By doing this, the firewall allows authenticated users access to the
network as permitted by the authorization profile.
If the authentication fails, the authentication proxy reports the failure to the user and prompts
the user for a configurable number of retries. If the user fails to authenticate after five attempts,
the user must wait two minutes and initiate another HTTP session to trigger authentication
proxy.
The login page is refreshed each time the user makes requests to access information from a web
server.
The authentication proxy customizes each of the access list entries in the user profile by
replacing the source IP addresses in the downloaded access list with the source IP address of
the authenticated host.
At the same time that dynamic ACEs are added to the interface configuration, the
authentication proxy sends a message to the user confirming that the login was successful.
5-136
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
The authentication proxy sets up an inactivity (idle) timer for each user profile. As long as there
is activity through the firewall, new traffic initiated from the user host does not trigger the
Cisco IOS Firewall authentication proxy, and all authorized user traffic is permitted access
through the firewall.
If the idle timer expires, the Cisco IOS Firewall authentication proxy removes the user profile
information and dynamic ACL entries. When this happens, traffic from the client host is
blocked. The user must initiate another HTTP, HTTPS, FTP, or Telnet connection to trigger the
Cisco IOS Firewall authentication proxy.
5-137
TACACS+
Cisco Secure
ACS for Windows
NT/2000
Cisco Secure
ACS UNIX
RADIUS
Cisco Secure
ACS for Windows
NT/2000
TACACS+
Freeware
Cisco Secure
ACS UNIX
Lucent
SNRS v2.05-5
The Cisco IOS Firewall authentication proxy supports the following AAA protocols and
servers:
5-138
TACACS+
TACACS+ freeware
RADIUS
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Outside
Inside
Web,
FTP, or
Telnet
Server
User
User
AAA
Server
SNRS v2.05-6
Apply the Cisco IOS Firewall authentication proxy in the inward direction at any interface on
the router where you want per-user authentication and authorization. Applying the Cisco IOS
Firewall authentication proxy inward at an interface causes it to intercept the initial connection
request from a user before that request is subjected to any other processing by the firewall. If
the user fails to authenticate with the AAA server, the connection request is dropped.
How you apply the Cisco IOS Firewall authentication proxy depends on your security policy.
For example, you can block all traffic through an interface and enable the Cisco IOS Firewall
authentication proxy feature to require authentication and authorization for all user-initiated
HTTP, HTTPS, FTP, or Telnet connections. Users are authorized for services only after
successful authentication with the AAA server. The Cisco IOS Firewall authentication proxy
feature also enables you to use standard ACLs to specify a host or group of hosts whose initial
HTTP, HTTPS, FTP, or Telnet traffic triggers the proxy.
The figure shows two cases:
The outbound Cisco IOS Firewall authentication proxy applied at the inside interface
The inbound Cisco IOS Firewall authentication proxy applied at the outside interface
5-139
SNRS v2.05-7
To support the Cisco IOS Firewall authentication proxy, configure the AAA authorization
auth-proxy service on the Cisco Secure ACS for Windows AAA server. This action creates a
new section in the Group Setup window in which user profiles can be created. It does not
interfere with other types of services that the AAA server may have.
This lesson uses the Cisco Secure ACS for Windows (using the TACACS+ protocol) as an
example of how to configure the AAA server.
Complete the following steps to add authorization rules for specific services in the Cisco
Secure ACS for Windows:
5-140
Step 1
Step 2
Step 3
Scroll down in the TACACS+ Services window until you find the New Services
group box.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Step 4
Note
Step 5
Enter auth-proxy in the first empty Service field next to the check box that you just
checked and click Submit. For HTTP or HTTPS authentication, the corresponding
Protocol field should be empty. For FTP and Telnet authentication, enter ip in the
Protocol field.
Step 6
Step 7
5-141
Check the
auth-proxy.
Check the
Custom attributes
checkbox.
5-142
SNRS v2.05-8
Step 8
In the navigation bar, click Group Setup. The Group Setup window opens.
Step 9
Choose your group from the drop-down menu and click Edit Settings.
Step 10
Scroll down in the Group Setup window until you find the newly created auth-proxy
service.
Step 11
Step 12
Step 13
Using the proxyacl#n format described in the discussion that follows, enter ACLs in
the field below the Custom Attributes check box. These ACLs will be applied after
the user authenticates.
Step 14
Enter the privilege level of the user (must be 15 for all users) using the format
shown in the discussion that follows.
Step 15
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
tcp
icmp
tcp
tcp
tcp
any
any
any
any
any
any eq 443
host 172.30.0.50
any eq ftp
any eq smtp
any eq telnet
HTTPS
SNRS v2.05-9
Use the proxyacl#n attribute when configuring the ACLs in the profile. The proxyacl#n
attribute is for both RADIUS and TACACS+ attribute-value pairs. The ACLs in the user profile
on the AAA server must have permit access commands only. Set the source address to any in
each of the user profile ACL entries. The source address in the ACLs is replaced with the
source IP address of the host making the authentication proxy request when the user profile is
downloaded to the firewall.
The syntax of the ACLs to enter in the Custom Attributes field is as follows:
proxyacl#n=permit protocol any {any | host ip_addr | ip_addr
wildcard_mask} [eq auth_service]
protocol
any
host ip_addr
ip_addr wildcard
mask
IP address and wildcard mask for a network that users can access
eq auth_service
Use the priv-lvl=15 command to configure the privilege level of the authenticated user. The
privilege level must be set to 15 for all users.
5-143
SNRS v2.05-10
There are several tasks required to configure Cisco IOS Firewall authentication proxy.
To configure the Cisco IOS Firewall authentication proxy feature, perform the following tasks:
5-144
Configure AAA
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
AAA Configuration
This section describes how to configure the Cisco IOS Firewall to work with a AAA server .
Enable AAA
router(config)# aaa new-model
router(config)# aaa authentication login default group tacacs+
router(config)# aaa authorization auth-proxy default group tacacs+
SNRS v2.05-11
To configure the router to communicate with the Cisco Secure ACS server, you must configure
AAA and specify the TACCAS+ or RADIUS server addresses and key used for communication
with the Cisco Secure ACS server.
Use the aaa new-model global configuration command to enable the AAA access control
system. Use the no form of this command to disable the AAA access control model.
Note
After you have enabled AAA, TACACS and extended TACACS commands are no longer
available. If you initialize AAA functionality and later decide to use TACACS or extended
TACACS, issue the no version of this command and then enable the version of TACACS
that you want to use.
This command has no arguments and by default, the aaa new-model command is not enabled.
To set AAA authentication, use the aaa authentication login global configuration command.
Use the no form of this command to disable AAA authentication.
The syntax of the aaa authentication login command is as follows:
aaa authentication login default method1 [method2]
5-145
Syntax Description
method1, method2
To set AAA authorization, use the aaa authorization auth-proxy global configuration
command. Use the no form of this command to disable AAA authorization.
The syntax of the aaa authorization auth-proxy command is as follows:
aaa authorization auth-proxy default method1 [method2]
Syntax Description
method1, method2
5-146
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-12
To specify the IP address of a TACACS+ server, use the tacacs-server host global
configuration command. Use the no form of this command to delete the specified IP address.
You can use multiple tacacs-server host commands to specify additional servers. The Cisco
IOS Firewall software searches for servers in the order in which you specify them.
The syntax of the tacacs-server host command is as follows:
tacacs-server host ip_addr
Syntax Description
ip_addr
To set the authentication encryption key used for all TACACS+ communications between the
Cisco IOS Firewall router and the AAA server, use the tacacs-server key global configuration
command. Use the no form of this command to disable the key.
Note
The key entered must match the key used on the AAA server. All leading spaces are
ignored; spaces within and at the end of the key are not. If you use spaces in your key, do
not enclose the key in quotation marks unless the quotation marks themselves are part of
the key.
Syntax Description
string
5-147
SNRS v2.05-13
To specify the IP address of a RADIUS server, use the radius-server host global configuration
command. Use the no form of this command to delete the specified IP address. You can use
multiple radius-server host commands to specify additional servers. The Cisco IOS Firewall
software searches for servers in the order in which you specify them.
The syntax of the radius-server host command is as follows:
radius-server host ip_addr
Syntax Description
ip_addr
To set the authentication encryption key used for all RADIUS communications between the
Cisco IOS Firewall router and the AAA server, use the radius-server key global configuration
command. Use the no form of this command to disable the key.
Note
The key entered must match the key used on the AAA server. All leading spaces are
ignored; spaces within and at the end of the key are not. If you use spaces in your key, do
not enclose the key in quotation marks unless the quotation marks themselves are part of
the key.
Syntax Description
string
5-148
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
AAA Server
SNRS v2.05-14
All traffic requiring authentication and authorization should be denied by the router using
extended ACLs. Upon successful authentication, dynamic ACEs will be inserted into the ACLs
to permit only the traffic authorized by the user profile. The Cisco IOS Firewall authentication
proxy customizes each of the ACEs in the user profile by replacing the source IP addresses in
the downloaded ACL with the source IP address of the authenticated host.
An extended ACL should be applied to the inbound direction of the interface that is configured
for proxy authentication. All other ACLs that restrict traffic in the direction of authenticated
traffic flow should be extended ACLs so that proxy authentication can dynamically update the
ACEs as necessary to permit authorized traffic to pass.
Note
Proxy authentication does not update ACLs blocking the return traffic. If traffic in the
opposite direction must be restricted, use static ACLs to manually permit return traffic for
authorized traffic. Preferably, use CBAC to dynamically create ACLs to securely permit
return traffic for proxy-authenticated sessions.
If the AAA server resides on the same interface where proxy authentication is configured, you
need to configure and apply an ACL to permit TACACS+ or RADIUS traffic from the AAA
server to the Cisco IOS Firewall.
Use the following guidelines when writing the extended ACL:
To permit AAA server communication, create an ACE where the source address is the
AAA server and the destination address is the interface where the AAA server resides.
You may want to permit some traffic without requiring authentication, such as ICMP or
routing updates.
Apply the extended ACL to the inbound direction of the interface where proxy
authentication is configured.
5-149
SNRS v2.05-15
To use the Cisco IOS Firewall authentication proxy with HTTP and HTTPS, use the ip http
server and ip http secure-server commands to enable the HTTP servers on the router and the
ip http authentication aaa command to make the HTTP server use AAA for authentication.
The syntax of the ip http server command is as follows:
ip http server
HTTP-initiated sessions normally exchange the username and password in cleartext; this
exchange is encrypted when using HTTPS.
To use the Cisco IOS Firewall authentication proxy with HTTPS, use the ip http secure-server
command to enable the HTTP server on the router and the ip http authentication aaa
command to make the HTTP server use AAA for authentication.
The syntax of the ip http secure-server command is as follows:
5-150
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
ip http secure-server
SNRS v2.05-16
Here are some of the tasks to configure the Cisco IOS Firewall authentication proxy parameters
on the router:
To set the Cisco IOS Firewall authentication proxy inactivity timeout value (the length of time
that an authentication cache entry, along with its associated dynamic user ACL, is managed
after a period of inactivity), use the ip auth-proxy inactivity-timer global configuration
command. To set the default value, use the no form of this command. The inactivity-timer
keyword replaces the auth-cache-time command in earlier Cisco IOS Software releases; some
versions support both commands. Use this command to set the global idle timeout value for the
Cisco IOS Firewall authentication proxy. You must set the value of the inactivity-timer min
option to a higher value than the idle timeout of any CBAC protocols. Otherwise, when the
Cisco IOS Firewall authentication proxy removes the user profile along with the associated
dynamic user ACLs, there might be some idle connections monitored by CBAC. Removing
these user-specific ACLs could cause those idle connections to stop responding. If the CBAC
idle timeout value is shorter, CBAC resets these connections when the CBAC idle timeout
expires, which is before the Cisco IOS Firewall authentication proxy removes the user profile.
5-151
The absolute-timer min option allows users to configure a window during which the Cisco
IOS Firewall authentication proxy on the enabled interface is active. Once the absolute timer
expires, the Cisco IOS Firewall authentication proxy will be disabled regardless of any activity.
The global absolute timeout value can be overridden by the local (per protocol) value, which is
enabled via the ip auth-proxy name command. The absolute timer is turned off by default, and
the Cisco IOS Firewall authentication proxy is enabled indefinitely.
The syntax of the ip auth-proxy command is as follows:
ip auth-proxy {inactivity-timer min | absolute-timer min}
Syntax Description
inactivity-timer min
absolute-timer min
To create a Cisco IOS Firewall authentication proxy rule, use the ip auth-proxy name global
configuration command.
This command creates a named authentication proxy rule, and it allows you to associate that
rule with an access control list (ACL), providing control over which hosts use the
authentication proxy. The rule is applied to an interface on a router using the ip auth-proxy
command.
Use the inactivity-timer min option to override the global the authentication proxy cache timer.
This option provides control over timeout values for specific authentication proxy rules. The
authentication proxy cache timer monitors the length of time (in minutes) that an authentication
cache entry, along with its associated dynamic user access control list, is managed after a
period of inactivity. When that period of inactivity (idle time) expires, the authentication entry
and the associated dynamic access lists are deleted.
Use the list option to associate a set of specific IP addresses or a named ACL with the ip authproxy name command.
Use the no form of this command with a rule name to remove the authentication proxy rules. If
no rule is specified, the no form of this command removes all the authentication rules on the
router, and disables the proxy at all interfaces.
Note
5-152
You must use the aaa authorization auth-proxy command together with the ip auth-proxy
name command. Together these commands set up the authorization policy to be retrieved
by the firewall.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Syntax Description
auth-proxy-name
ftp
http
telnet
inactivity-timer
min
absolute-timer
min
service-policy
type tag
service-policyname
(Optional) This is the name of the control plane tag service policy that is
configured using the policy-map type control tag {policy-map-name}
command, keyword, and argument. This policy map is used to apply the
actions on the host when a tag is received.
Syntax Description
auth-proxy-name
This argument specifies the name of the authentication proxy rule to apply to
5-153
Note
5-154
A proxy authentication rule can consist of multiple statements, each specifying a different
authentication type (HTTP, FTP, or Telnet). This configuration supports proxy authentication
for multiple applications (HTTP, HTTPS, FTP, and Telnet) at the same time.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-17
You can associate a Cisco IOS Firewall authentication proxy rule with an ACL, providing
control over which hosts use the Cisco IOS Firewall authentication proxy. To create a Cisco
IOS Firewall authentication proxy rule with ACLs, use the ip auth-proxy name global
configuration command with the list acl option. To remove the authentication proxy rules, use
the no form of this command.
The syntax of the ip auth-proxy name with ACLs command is as follows:
ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}
Syntax Description
auth-proxyname
This argument associates a name with a Cisco IOS Firewall authentication proxy
rule. Enter a name of up to 16 alphanumeric characters.
list acl-num
| acl-name
5-155
Example
This topic examines an example of an auth-proxy configuration..
Example
Apply ACL 102 to
block all inbound
traffic except from
the AAA server
Apply auth-prox,
ACL 105, and IOS
Classic Firewall
Host A
10.0.1.12
S0
E0
WWW
10.0.6.10
Internet
R1
S0
E0
R2
(Firewall)
AAA
10.0.6.12
SNRS v2.05-18
5-156
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Router 2 Configuration
Configure AAA for the
authentication proxy
SNRS v2.05-19
The example above is for the firewall router. In this example, the firewall router is router 2.
Configure the HTTP server and set the HTTP server authentication method to AAA.
5-157
eq tacacs
Create ACL 102 to
block all traffic
inbound on interface
E0 except for traffic
from the AAA
server.
Create ACL 105 to
block all traffic inbound
on interface Serial0.
Permit only IP protocol
traffic
SNRS v2.05-20
5-158
Allow TACACS+ and RADIUS communication between the AAA servers and the
router.
Apply the classic firewall inspection rule, the appropriate ACL, and the authentication
proxy rule at interface Serial0
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-21
Several commands are available to verify and test Cisco IOS Firewall authentication proxy
configuration and operation.
Use the show ip auth-proxy command to display the authentication proxy entries, the running
Cisco IOS Firewall authentication proxy configuration, or the Cisco IOS Firewall
authentication proxy statistics.
The syntax of the show ip auth-proxy command is as follows:
show ip auth-proxy {cache | configuration | statistics}
Syntax Description
cache
This keyword lists the host IP address, the source port number, the timeout value
for the Cisco IOS Firewall authentication proxy, and the state for connections
using the Cisco IOS Firewall authentication proxy. If the authentication proxy
state is HTTP_ESTAB, the user authentication was successful.
configuration
This keyword displays all of the Cisco IOS Firewall authentication proxy rules
configured on the router.
statistics
This keyword displays all of the router statistics related to the Cisco IOS Firewall
authentication proxy.
5-159
debug Commands
router(config)#
debug ip auth-proxy ftp
debug ip auth-proxy function-trace
debug ip auth-proxy http
debug ip auth-proxy object-creation
debug ip auth-proxy object-deletion
debug ip auth-proxy tcp
debug ip auth-proxy telnet
debug ip auth-proxy timer
SNRS v2.05-22
There are several debug commands useful in troubleshooting the Cisco IOS Firewall
authentication proxy.
The syntax of the debug ip auth-proxy command is as follows:
debug ip auth-proxy {ftp | function-trace | http | object-creation |
object-deletion | tcp | telnet | timer}
Syntax Description
5-160
ftp
Displays FTP events related to the Cisco IOS Firewall authentication proxy
function-trace
http
Displays HTTP events related to the Cisco IOS Firewall authentication proxy
object-creation
object-deletion
Displays deletion of cache entries for the Cisco IOS Firewall authentication
proxy
tcp
Displays TCP events related to the Cisco IOS Firewall authentication proxy
telnet
timer
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-23
Syntax Description
*
Clears all Cisco IOS Firewall authentication proxy entries, including user profiles and
dynamic ACLs
ip_addr
Clears the Cisco IOS Firewall authentication proxy entries, including user profiles and
dynamic ACLs, for the specified IP address
5-161
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
The Cisco IOS Firewall authentication proxy feature enables
network administrators to apply specific security policies on
a per-user basis for TACACS+ and RADIUS servers.
To support the authentication proxy, configure the AAA
authorization auth-proxy service on the Cisco Secure
ACS for Windows.
To configure authentication proxy, you must:
Configure AAA support
Create an authentication proxy rule
Apply the rule to an interface
SNRS v2.05-24
References
For additional information, refer to this resource:
5-162
Cisco Systems, Inc. Cisco IOS Security Configuration Guide, Release 12.4:
http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_book
09186a008043360a.html
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Lesson 5
Objectives
Upon completing this lesson, you will be able to configure Cisco IOS IPS on a Cisco router.
This ability includes being able to meet these objectives:
Describe the features, functions, limitations, and applications of Cisco IOS IPS
Describe signature micro engines
Describe signatures and signature definition files
Describe IOS IPS deployment options
Describe how to configure Cisco IOS Firewall IPS on a router
Describe how to configure logging for IPS
Describe the steps to upgrade to the latest SDF
Describe how to test and verify Cisco IOS IPS configuration and operation
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Attack
Alarm
2
Network Management
Console
Reset Connection
Drop Packet
SNRS v2.05-2
In today's business environment, network intruders and attackers can come from both outside
and inside the network. They can launch denial-of-service (DoS) attacks or distributed denialof-service (DDoS) attacks; attack Internet connections; and exploit network and host
vulnerabilities. At the same time, Internet worms and viruses can spread across the world in a
matter of minutes. There is often no time to wait for human intervention-the network itself must
possess the intelligence to instantaneously recognize and mitigate these attacks, threats,
exploits, worms, and viruses.
Cisco IOS IPS, with in-line intrusion prevention capabilities, is the first in the industry to
provide an in-line, deep packet inspection-based IPS solution that helps enable Cisco routers to
effectively mitigate a wide range of network attacks without compromising traffic forwarding
performance. Armed with the intelligence to accurately identify, classify, and stop malicious or
damaging traffic in real time, Cisco IOS IPS is a core component of the Cisco Self-Defending
Network, enabling the network to protect itself. This technology uses Cisco IPS Sensor
Software and signatures. Because Cisco IOS IPS is in line, it can drop traffic, send an alarm, or
reset a connection, enabling the router to respond immediately to security threats.
Cisco IOS IPS capabilities include the ability to dynamically load and enable selected IPS
signatures in real time, support for more than 1500 signatures supported by Cisco IPS Sensor
platforms, and the ability for a user to modify an existing signature or create a new signature to
address newly discovered threats.
5-164
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
The Cisco IOS IPS acts as an in-line intrusion prevention sensor. It watches packets and
sessions as they flow through the router, scanning each packet to match any of the IPS
signatures. When it detects suspicious activity, it responds before network security can be
compromised and logs the event through Cisco IOS syslog or SDEE. The network
administrator can configure Cisco IOS IPS to choose the appropriate response to various
threats.
When packets in a session match a signature, the Cisco IOS IPS can take any of the following
actions, as appropriate:
Send an alarm to a syslog server or a centralized management interface
Drop the packet
Reset the connection
Deny traffic for a particular source address
Deny traffic for a particular connection (session)
Cisco developed its Cisco IOS Software-based intrusion prevention capabilities with flexibility
in mind, so that individual signatures could be disabled in case of false positives. Generally, it
is preferable to enable both the Cisco IOS Firewall and Cisco IOS IPS to support network
security policies. However, each of these features can be enabled independently and on
different router interfaces.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-165
Features
Uses the underlying routing infrastructure
Ubiquitous protection of network assets
Inline deep packet inspection
Software based inline intrusion prevention sensor
IPS signature support
Signature based packet scanning, uses same set of signatures as
IDS Sensor platform
Dynamic signature update (no need to update IOS Image)
Customized signature support
Variety of event actions configurable per-signature basis
Parallel signature scanning
Named and numbered extended ACL support
SNRS v2.05-3
This discussion covers some of the features and benefits of Cisco IOS IPS.
5-166
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Named and numbered extended access control list (ACL) support: In Cisco IOS
Software releases earlier than Cisco IOS Release 12.3(8)T, only standard, numbered ACLs
were supported. Cisco IOS IPS now supports both named and numbered extended ACLs by
using either the ip ips ips-name list acl command or the ip ips signature signature-id list
acl-list command.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-167
Signature Micro-Engines
This topic describes signature micro-engines.
SNRS v2.05-4
An SME is a component of Cisco IOS IPS that supports signatures in a certain category.
Customized for the protocol and fields it is designed to inspect, each engine defines a set of
legal parameters that have allowable ranges or sets of values. The SMEs look for malicious
activity in a specific protocol. Signatures can be defined for any of the supported SMEs using
the parameters offered by those microengines. Packets are scanned by the microengines that
understand the protocols contained in the packet.
A regular expression is a systematic way to specify a search for a pattern in a series of bytes.
When a signature engine is built (building refers to loading an SME on the router when Cisco
IOS IPS is enabled on the interface), it may compile one or more regular expressions.
Compiling a regular expression requires more memory than the final storage of the regular
expression-important information to know when considering loading and merging new
signatures.
Cisco IOS IPS also introduces the concept of parallel scanning. All the signatures in a given
microengine are scanned in parallel, rather than serially. Each SME extracts values from the
packet and passes portions of the packet to the regular expression engine. The regular
expression engine can search for multiple patterns at the same time (in parallel). To facilitate
this parallel scanning, after loading a new SDF, Cisco IOS IPS builds the SMEs by compiling
all the signatures in each SME for parallel scanning. Parallel scanning increases efficiency,
resulting in higher throughput.
5-168
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Each engine categorizes a group of signatures, and each signature detects patterns of misuse in
network traffic. For example, all HTTP signatures are grouped under the HTTP engine.
Signatures contained within the SDF are handled by a variety of SMEs. The SDF typically
contains signature definitions for multiple engines. The SME typically corresponds to the
protocol in which the signature occurs and looks for malicious activity in that protocol.
A packet is processed by several SMEs. Each SME scans for various conditions that can lead to
a signature pattern match. When an SME scans the packets, it extracts certain values, searching
for patterns within the packet via the regular expression engine.
Here is a table of SMEs that are supported by Cisco IOS IPS.
SMEs Supported by Cisco IOS IPS
SME
Description
ATOMIC.L3.IP
ATOMIC.ICMP
ATOMIC.IPOPTIONS
ATOMIC.UDP
ATOMIC.TCP
SERVICE.DNS
SERVICE.RPC
SERVICE.SMTP
SERVICE.HTTP
SERVICE.FTP
STRING.TCP
STRING.UDP
STRING.ICMP
MULTI-STRING
OTHER
Atomic Engines
Atomic engines do not store persistent data across packets; instead, they can fire an alarm from
the analysis of a single packet. Therefore, the basic features of these engines do not require
attachment to a nonglobal StorageKey-they use the StorageKey xxxx. Because atomic engines
have no storage, they are essentially 1:1 signatures. Each atomic engine has discriminators
specialized to its protocol.
2007 Cisco Systems, Inc.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-169
ATOMIC.L3.IP is a general-purpose Layer 3 inspector. It can handle data length and protocol
number comparisons, and it has some hooks for fragment and partial Internet Control Message
Protocol (ICMP) comparisons.
ATOMIC.ICMP is specialized to Layer 4. It has many parameters, some with both a single
value and a minimum and maximum for the boundaries. All the single parameters can be used
together in a signature, but it is not practical. It does not have any required parameters.
ATOMIC.UDP is specialized to Layer 4. It is a simple engine with basic capabilities to
interrogate ports and packet lengths. It does not have required parameters.
ATOMIC.IPOPTIONS is a simple engine that decodes Layer 3 options.
ATOMIC.TCP specializes in Layer 4 TCP packets and has basic TcpFlags/Mask comparisons
along with port filters and the SinglePacketRegex.
Service Engines
Service engines analyze Layer 5+ traffic between two hosts. These signatures are 1:1 signatures
that track persistent data on the stream (AaBb) for TCP or QUAD (AaBb) for User Datagram
Protocol (UDP). The engines decode and interpret the Layer 5+ payload in a manner similar to
that for the live service. A full-service-like decode may not be necessary if the partial decode
provides adequate information to inspect the signatures. The engines decode enough of the data
to make the signature determinations but do not decode more than is needed, minimizing CPU
and memory load.
Service engines have common characteristics, such as using the output from the stream
processor, but each engine has specific knowledge of the service that it is inspecting. Service
engines supplement the capabilities of the generic string engine, specializing in algorithms
where using the string engine is inadequate or undesirable.
The purpose of the service decode is to mimic the interpretation of the live server of the Layer
5+ payload. These interpretations are used primarily in the determination of signatures, as the
decoded fields are compared to the signature parameters.
As the engine is decoding, errors with bad payloads can occur. These error conditions are
linked to different kinds of signatures, known as protocol violations or error traps, which occur
when the engine is decoding the payload and an error occurs because of a malformation in the
payload that violates the rules of the service protocol. An error trap handles this malfunction in
the analysis code. Specifying the trap conditions that map to signatures is done by using the
normal parameters, such as the SERVICE.FTP with BadPort. In some cases, these trap
conditions can be combined to form a signature that results when multiple trap conditions are
encountered. However, in most cases, the trap conditions have a 1:1 mapping to the trap
signatures.
5-170
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
String Engines
The string engine is a generic-based pattern-matching inspection engine for ICMP, TCP, and
UDP. The string engine uses a regular expression engine that can combine multiple patterns
into a single pattern-matching table, allowing for a single search through the data. There are
three string engines: STRING.ICMP, STRING.TCP, and STRING.UDP.
Multi-String Engine
The multi-string engine inspects Layer 4 protocol packets in a flexible manner. This engine also
supports Trend Labs network virus signatures normally deployed to Cisco IOS IPS through the
Cisco Incident Control System (ICS).
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-171
Built-in Signatures
135 Signatures
Built-in signatures is the last resort when router loads signatures.
Can be turned off using CLI no ip ips sdf builtin
Cisco recommend to use pre-tuned SDF files attack-drop.sdf,
128MB.sdf and 256MB.sdf.
Built-in signatures will NOT be supported in 12.4(PI5)T when IOS
IPS supports 5.x format.
SNRS v2.05-5
The total number of signatures supported by Cisco IOS IPS routers depends on the Cisco
IOS Software release and the signature distribution package version.
In Cisco IOS Software Release 12.3(14)T, Cisco IOS IPS added support for three STRING
engines-STRING.TCP, STRING.UDP, and STRING.ICMP. Adding these engines resulted in a
large number of new signatures being supported on Cisco IOS IPS routers. As of signature
package IOS-S250.zip, the total number of signatures supported by Cisco IOS Software
Release 12.3(14)T or later is 1685 (out of a total of 1972 signatures in the S250 file). Because
of this and other IPS enhancements, Cisco recommends running Cisco IOS Software Release
12.4(4)T or later when using Cisco IOS IPS.
5-172
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Cisco IOS IPS can also scan the contents of IP fragments, thereby protecting the network from
fragmented attacks. The solution detects both atomic signatures in a single packet and
composite signatures spread into a sequence of packets. Detection of most composite signatures
requires stateful inspection of multiple packets (keeping state information across packets of a
particular session between a source-destination pair). Both Cisco IOS IPS and Cisco IOS
Firewall use the same session table. For example, if an HTTP request is initiated from the
corporate network to the Internet, the return traffic may be compromised, so Cisco IOS IPS
maintains the state of the entire session.
Currently, Cisco IOS IPS supports more than 1600 signatures. These signatures are part of the
common set of signatures that Cisco IPS Sensors support, helping to ensure that all Cisco
products use a common resource and are available for download from Cisco.com. Additionally,
Cisco IOS IPS has the ability to download IPS signatures without the need for a Cisco IOS
software image update. Typically, new signatures are released every two weeks, with
emergency signature updates posted as needed. The signatures are posted to Cisco.com at:
http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup.
Built-in Signatures
Cisco IOS IPS has 135 built-in signatures available in the Cisco IOS software image. The builtin signatures are hard-coded into the Cisco IOS software image for backward compatibility.
Each signature can be set to send an alarm, drop the connection, or reset the connection.
As shown in the example below, built-in signatures are loaded if no location has been
configured for the signature definition files. You can disable built-in signatures using the no ip
ips sdf builtin command.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-173
Signature Actions
This section describes the actions that are taken in response to a matched signature.
Signature Actions
Alarm
Send alarm via Syslog and SDEE
Reset
Applys to TCP connection. Send reset to both peers
Drop
Drops the packet
DenyAttackerInline
Blocks the attackers source IP address completely.
No connection can be established from the attacker to the
router until the shun time expires (this is set by the user).
DenyFlowInline
Blocks the appropriate TCP flow from the attacker. Other
connections from the attacker can be established to the router
2007 Cisco Systems, Inc. All rights reserved.
SNRS v2.05-6
The Cisco IOS IPS acts as an inline sensor, watching packets as they traverse the router
interfaces and acting upon them in a definable fashion. When a packet matches a signature, or a
number of packets in a session match a signature, the Cisco IOS IPS may perform the following
configurable actions:
Send an alarm to a syslog server or a centralized management interface
Drop the packet
Reset the connection
Deny traffic from the source IP address of the attacker for a specified amount of time
Deny traffic on the connection for which the signature was seen for a specified amount of
time
Each action is enabled on a per-signature basis. Each signature has an action assigned by
default, based on the severity of the signature. Alarm sends a notification about the attack via
syslog or SDEE protocol. TCP reset is effective for TCP-based connections and sends a reset
to both the source and destination addresses. For example, in case of a half-open SYN attack,
Cisco IOS IPS can reset the TCP connections. Drop discards the packet without sending a
reset. By default, the 132 built-in signatures are set to alarm only.
5-174
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Each signature can be set to send an alarm, drop the attack (offending) packets, deny the
attacker, deny the attack flow, or reset the connection. Each action is enabled on a per-signature
basis using Cisco SDM or the CiscoWorks Management Center for IPS Sensors-there is no CLI
command to tune signature parameters. Each signature has an action assigned by default, based
on the severity of the signature. "Alarm" sends a notification about the attack through syslog or
SDEE. "TCP reset" is effective for TCP-based connections and sends a reset to both the source
and destination addresses. For example, in case of a half-open SYN attack, Cisco IOS IPS can
reset the TCP connections. "Drop" discards the packet without sending a reset. By default, the
132 built-in signatures are set to "alarm" only. Cisco recommends using "drop and reset" in
conjunction with alarm. "DenyAttackerInline" blocks the attacker's source IP address
completely. No connection can be established from the attacker to the router until the shun time
expires (this time is set by the user). "DenyFlowInLine" blocks the appropriate TCP flow from
the attacker. Other connections from the attacker can be established to the router.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-175
No more locations
Built-in Enabled?
NO
NO
Fail
closed?
YES
Load SDF from next
available location
Packet
passed unscanned
YES
Packet Dropped!
Success?
NO
YES
Build Sig Engines
Engine build
success?
YES
NO
Previous engine
exist?
YES
NO
Put engine in
Inactive state
Use previous
engine sigs
SNRS v2.05-7
This figure shows the process followed when signatures are loaded. The process goes as
follows:
Step 1
The router looks for a location that was configured using the ip ips sdf location
command.
Step 2
5-176
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-8
The SDF is integral to Cisco IOS IPS. The SDF is an Extensible Markup Language (XML) file
with a definition of each signature along with relevant configurable actions. Cisco IOS Firewall
IPS reads in the SDF, parses the XML, and populates its internal tables with the information
necessary to detect each signature. The SDF contains the signature definition and configuration.
Actions such as alarm, drop, or reset can be selected for individual signatures within the SDF.
The SDF can be modified so that the router will detect only specific signatures; as a result, it
can contain all or a subset of the signatures supported in Cisco IOS IPS. The user specifies the
location of the SDF. The SDF can reside on the local flash file system (recommended) or on a
remote server. Remote servers can be accessed via TFTP, FTP, Secure Copy Protocol (SCP), or
Remote Copy Protocol (RCP).
An SDF contains definitions for each signature that it contains. The signatures are preset with
actions to mitigate the attack by dropping the packet and resetting the connection, if applicable.
After signatures are loaded and compiled onto a router running Cisco IOS IPS, IPS can begin
detecting the new signatures immediately.
If the Cisco IOS IPS-enabled router is configured to scan packets using the SDF, it gets
signature and engine information from the SDF. All or a subset of the routers in a network can
use the same SDF or a different SDF, depending on the requirements of the network. Some
routers may allow for activating more signatures than routers with less memory.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-177
Cisco IOS IPS ships with one of two preconfigured SDFs: 128MB.sdf (340 sigs)or 256MB.sdf
(572 sigs). At least one of these files should be available in flash memory on all Cisco IOS IPSenabled routers. These SDFs contain the latest high-fidelity (low false positives) worm, virus,
instant messaging, and peer-to-peer blocking signatures for detecting security threats, allowing
easier deployment and signature management for the user. These two SDFs contain signatures
that are supported by the newly introduced string engines, namely, STRING.TCP,
STRING.UDP, and STRING.ICMP.
Users can append or modify signatures from the pre-built SDFs according to their needs. For
example, the Nimda virus can be detected by loading and enabling the following signatures
from the attack-drop.sdf SDF:
Signature ID: 5081:0 WWW WinNT cmd.exe access
Signature ID: 5114:2 WWW IIS Unicode attack
Signature ID: 5326:0 root.exe access
The number of signatures that can be loaded on a router is a function of the amount of memory
(DRAM) available on the router.
The SDF can then be loaded directly from flash memory into the Cisco IOS IPS. If flash
memory is erased, the SDF may also be erased. Thus, if you are copying a Cisco IOS image to
flash memory and are prompted to erase the contents of flash memory before copying the new
image, you might risk erasing the SDF. If this occurs, the router will refer to the built-in
signatures within the Cisco IOS image. The SDF can also be downloaded onto your router from
Cisco.com.
5-178
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Finance
International
Sales Offices
Mainframe
WAN
Campus
Backbone
VPN
Suppliers
Accounting
Internet
Intranet Servers
2007 Cisco Systems, Inc. All rights reserved.
SNRS v2.05-9
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-179
5-180
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Issues to Consider
Memory use and performance impact
Limited persistent storage
CPU-intensive
Updated signature coverage
More than 1500 common attacks
SNRS v2.05-10
The following are issues to consider when implementing Cisco IOS IPS:
Memory usage and performance impact: The performance impact of intrusion
prevention depends on the number of signatures enabled, the level of traffic on the router,
the router platform, and other individual features enabled on the router (for example,
encryption). Because this router is being used as a security device, no packet is allowed to
bypass the security mechanisms. The IPS process in the router sits directly in the packet
path and, therefore, searches each packet for signature matches. In some cases, the entire
packet needs to be searched, and state information and even application state and awareness
must be maintained by the router. With sufficient memory, Cisco IOS IPS supports more
than 1500 signatures, but one major remaining concern is how many signatures various
router platforms can actually support, given memory and platform constraints. The number
of signatures and engines supported depends only on the memory available. The prebuilt
SDFs have the optimum combination of signatures for all standard memory configurations,
providing a good starting point.
Updated signature coverage: The Cisco IOS IPS now identifies more than 1500 of the
most common attacks, using signatures to detect patterns of misuse in network traffic.
These intrusion prevention signatures were chosen from a broad cross section of intrusion
prevention signatures. The signatures represent severe breaches of security and the most
common network attacks and information-gathering scans.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-181
Configuration Tasks
Install Cisco IOS Firewall IPS on the router:
Specify location of SDF.
Create an IPS rule.
Attach a policy to a signature (optional).
Apply IPS rule at an interface.
Configure logging via syslog or SDEE.
Verify the configuration.
SNRS v2.05-11
5-182
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Verify the configuration. This includes using the available show, clear, and debug
commands for the Cisco IOS IPS.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-12
This procedure allows you to load the default, built-in signatures or signatures from the SDF
(128MB.sdf or 256MB.sdf), but not both. If you want to merge the two signature files, you
must load the default, built-in signatures as described in this topic. Then, you can merge the
default signatures with the SDF.
Use the procedure given in this topic to install the latest Cisco IOS IPS signatures on a router
for the first time.
To specify a location for the SDF use the ip ips sdf location url command.
router(config)#
Syntax Description
url
autosave
(Optional) Specifies that the router will save a new SDF to the specified location
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-183
If there is no SDF location configured, by default, Cisco IOS IPS will try to load from built-in
signatures. When failed, it will go to a failed state. The traffic passing is controlled by the failclosed configuration in this state.
When you specify the ip ips sdf location command, the signatures are not loaded until the
router is rebooted or until the Cisco IOS IPS is applied to an interface (via the ip ips
command). If Cisco IOS IPS is already applied to an interface, the signatures are not loaded. If
Cisco IOS IPS cannot load the SDF, an error message is issued and the router uses the built-in
Cisco IOS IPS signatures.
You can also specify the copy ips-sdf command to load an SDF from a specified location.
Unlike the ip ips sdf location command, the signatures are loaded immediately after the copy
ips-sdf command is entered.
When you specify the autosave keyword, the router saves a new SDF to the specified location
when signatures are loaded using either the copy command or an external management
platform such as Cisco SDM, IPS Management Center (IPSMC) or Cisco Incident Control
Server (ICS). You can specify multiple autosave locations. The router will attempt to save to all
autosave locations. The URL must have proper write access permissions.
5-184
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Merging Signatures
router# copy flash:128MB.sdf ips-sdf
router# copy ips-sdf flash:snrs-signatures.sdf
router# configure terminal
router(config)# ip ips sdf location flash:snrs-signatures.sdf
router(config)# interface fastEthernet 0/1
router(config-if)# no ip ips SNRS-IPS in
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS
disabled
SNRS v2.05-13
You may want to merge the built-in signatures with a new SDF in flash memory if the built-in
signatures are not providing your network with adequate protection from security threats by
using the copy command.
Issue the copy url ips-sdf command to load the SDF in the router from the location specified
via the url argument. When the new SDF is loaded, it is merged with the SDF that is already
loaded in the router, unless the /erase keyword is issued, which overwrites the current SDF
with the new SDF.
Cisco IOS Intrusion Prevention System (IPS) will attempt to retrieve the SDF from each
specified location in the order in which they were configured in the startup configuration. If
Cisco IOS IPS cannot retrieve the signatures from any of the specified locations, the built-in
signatures will be used.
If the no ip ips sdf built-in command is used, Cisco IOS IPS will fail to load. IPS will then rely
on the configuration of the ip ips fail command to either fail open or fail closed.
To merge signature files, complete these steps.
Step 1
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-185
Syntax Description
/erase
url
The SDF will merge with the signatures that are already loaded in the router, unless the /erase
keyword is issued. The /erase keyword replaces the built-in signatures with the SDF.
Note
The SDF location is not saved in the configuration. The next time the router is reloaded, it
will refer to a previously specified SDF location in the configuration or it will load the built-in
signatures.
Whenever signatures are replaced or merged, the router prompt is suspended while the
signature engines for the newly added or merged signatures are being built. The router prompt
will be available again after the engines are built.
Depending on your platform and how many signatures are being loaded, building the engine
can take up to several seconds. It is recommended that you enable logging messages to monitor
the engine building status.
The ip sdf ips location command can also be used to load the SDF. However, unlike the copy
ips-sdf command, this command does not force and immediately load the signatures.
Signatures are not loaded until the router reboots or IPS is initially applied to an interface (via
the ip ips command).
Step 2
5-186
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Syntax Description
url
If you want to load the SDF in the router, the url argument specifies the
location in which to search for the SDF.
If you are saving the SDF, the url argument represents the location in
which the SDF is saved after it has been generated.
Regardless of what option the URL is used for, available URL locations
are as follows:
This command saves the SDF that was loaded in the previous step to a specified location.
Note
Step 3
The SDF location will not be saved unless this command is issued.
Configure the router to load the new file the next time IPS is started.
router(config)# ip ips sdf location url
Step 4
Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
router(config)# interface interface-id
router(config-if)# no ip ips ips-name [ in | out ]
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-187
SNRS v2.05-14
To attach a policy to a signature, use the ip ips signature command in global configuration
mode. If the policy disabled a signature, use the no form of this command to re-enable the
signature. If the policy attached an ACL to the signature, use the no form of this command to
remove the ACL.
router(config)# ip ips signature signature-id {delete |
disable | list acl-list}
Syntax Description
signature-id
delete
disable
list acl-list
This command allows you to set three policies to accomplish the following:
Delete a signature
Disable the audit of a signature
Qualify the audit of a signature with an ACL
If you are attaching an ACL to a signature, you also need to create an IPS rule with the ip ips
name command and apply it to an interface with the ip ips command.
5-188
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Disabling a Signature
You may want to disable a signature (or set of signatures) if your deployment scenario deems
the signatures unnecessary.
To instruct the router to scan for a given signature but not take any action if the signature is
detected, use the ip ips signature command in global configuration mode. To re-enable a
signature, use the no form of this command.
router(config)# ip ips signature signature-id [sub-signatureid] disable [list acl- list]
Syntax Description
signature-id [sub-signatureid]
list acl-list
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-189
SNRS v2.05-15
Specify an IPS rule using the ip ips name command. You will apply this rule to an interface
later.
Note
The IPS does not load the signatures until the rule is applied to an interface via the ip ips
command.
Syntax Description
ips-name
list acl
(Optional) Specifies an extended or standard ACL to filter the traffic that will be
scanned.
Note: All traffic that is permitted by the ACL is subject to inspection by the IPS.
Traffic that is denied by the ACL is not inspected by the IPS.
5-190
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Example
router(config)# ip ips sdf location flash:128MB.sdf
router(config)# ip ips fail closed
router(config)# ip ips name SNRS-IPS
router(config)# interface FastEthernet0/1
router(config-if)# ip address 172.30.1.2 255.255.255.0
router(config-if)# ip virtual-reassembly
router(config-if)# ip ips SNRS-IPS in
router(config-if)# end
*Jan 28 01:18:04.664: %IPS-6-SDF_LOAD_SUCCESS: SDF loaded
successfully from flash:128MB.sdf
. . . messages ommited ...........
*Jan 28 01:18:30.452: %IPS-6-ENGINE_BUILDING: ATOMIC.L3.IP - 5
signatures - 15 of 15 engines
SNRS v2.05-18
Normally, all signatures within the SDF are reported, if detected as in this slide. Note that
disabled signatures have a N in the On column.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-191
SNRS v2.05-17
To apply an IPS rule to an interface, use the ip ips command in interface configuration mode.
To remove an IPS rule from an interface direction, use the no form of this command.
router(config-if)# ip ips ips-name {in | out}
Syntax Description
ips-name
in
out
5-192
The router prompt disappears while the signatures are loading and the signature engines
are building. It will reappear after these tasks are complete. Depending on your platform and
how many signatures are being loaded, building the signature engine can take several
minutes. It is recommended that you enable logging messages so that you can monitor the
engine building status.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
IP Virtual Reassembly
A buffer overflow attack can occur when an attacker continuously sends a large number of
incomplete IP fragments, causing the firewall to lose time and memory while trying to
reassemble the fake packets.
IP virtual reassembly is an interface feature that when turned on, will automatically reassemble
fragmented packets coming into the router through that interface. Cisco recommends that you
enable "ip virtual-assembly" on all interfaces where traffic comes into the router.
To enable virtual fragment reassembly (VFR) on an interface, use the ip virtual-reassembly
command in interface configuration mode. To disable VFR on an interface, use the no form of
this command.
router(config-if)# ip virtual-reassembly [max-reassemblies
number] [max-fragments number] [timeout seconds] [dropfragments]
Syntax Description
max-reassemblies
number
max-fragments
number
timeout seconds
drop-fragments
(Optional) Enables the VFR to drop all fragments that arrive on the configured
interface. By default, this function is disabled.
The max-reassemblies number option and the max-fragments number option allow you to
configure maximum threshold values to avoid a buffer overflow attack and to control memory
usage.
In addition to configuring the maximum threshold values, each IP datagram is associated with a
managed timer. If the IP datagram does not receive all of the fragments within the specified
time (which can be configured via the timeout seconds option), the timer will expire and the IP
datagram (and all of its fragments) will be dropped.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-193
Example
This is an example of a completed basic configuration of IOS IPS.
Example
router(config)# ip ips sdf location flash:128MB.sdf
router(config)# ip ips fail closed
router(config)# ip ips name SNRS-IPS
router(config)# interface FastEthernet0/1
router(config-if)# ip address 172.30.1.2 255.255.255.0
router(config-if)# ip virtual-reassembly
router(config-if)# ip ips SNRS-IPS in
router(config-if)# end
*Jan 28 01:18:04.664: %IPS-6-SDF_LOAD_SUCCESS: SDF loaded
successfully from flash:128MB.sdf
. . . messages ommited ...........
*Jan 28 01:18:30.452: %IPS-6-ENGINE_BUILDING: ATOMIC.L3.IP - 5
signatures - 15 of 15 engines
SNRS v2.05-18
This example shows the basic configuration necessary to load the 128MB.sdf file onto a router
running Cisco IOS IPS. Note that the configuration is almost the same as when you load the
default signatures onto a router, except for the ip ips sdf location command, which specifies
the 128MB.sdf file. Cisco IOS IPS starts loading signatures when the very first IPS rule is
enabled on an interface.
5-194
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Network
Management
Console
Alarm
SDEE Protocol
Alert
Syslog
Syslog
Server
SNRS v2.05-19
As of Cisco IOS Release 12.3(11)T, Cisco IOS IPS provides two methods to report IPS
intrusion alerts: Cisco IOS logging (syslog) and SDEE. Use the procedure described in this
topic to enable SDEE to report IPS intrusion alerts.
Note
Effective as of Cisco IOS Release 12.3(11)T, the Post Office Protocol (POP) is no longer
supported.
Cisco IOS Software now supports the SDEE protocol. SDEE is a new standard that specifies
the format of messages and protocols used to communicate events generated by security
devices. SDEE is flexible, so that all vendors can support address compatibility. This allows
mixed IPS vendor environments to have one network management alert interface. TruSecure
Corporation (ICSA Labs) is currently proposing SDEE as the unified industry protocol format
for communicating with network management applications. SDEE uses a pull mechanism:
Requests come from the network management application, and the IPS appliance or IPS router
responds. SDEE utilizes HTTP and XML to provide a standardized interface. The Cisco IOS
IPS router will still send IPS alerts via syslog.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-195
SNRS v2.05-20
SDEE Overview
SDEE is an application layer communication protocol that is used to exchange IPS messages
between IPS clients and IPS servers.
SDEE is always running, but it does not receive and process events from IPS unless SDEE
notification is enabled. If it is not enabled and a client sends a request, SDEE will respond with
a fault response message, indicating that notification is not enabled.
Benefits
Here are some of the benefits of SDEE:
Vendor interoperability: SDEE will become the standard format for all vendors to
communicate events to a network management application. This lowers the cost of
supporting proprietary vendor formats and potentially multiple network management
platforms.
Secured transport: The use of HTTP over Secure Sockets Layer (SSL) or secure (HTTPS)
ensures that data is secured as it traverses the network.
5-196
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-21
When SDEE notification is enabled (via the ip ips notify sdee command), 200 events can
automatically be stored in the buffer. When SDEE notification is disabled, all stored events are
lost. A new buffer is allocated when the notifications are re-enabled.
When specifying the size of an events buffer, note the following functionality:
It is circular. When the end of the buffer is reached, the buffer starts overwriting the earliest
stored events. (If overwritten events have not yet been reported, you receive a buffer
overflow notice.)
If a new, smaller buffer is requested, all events that are stored in the previous buffer are
lost.
If a new, larger buffer is requested, all existing events are saved.
Note
SDEE messages are transported over HTTP or HTTPS to communicate with management
applicationsCisco SDM, IPS. To use SDEE, the HTTP and HTTPS server must be
enabled (via the ip http server and the ip http secure-server command). If the HTTP and
HTTPS server is not enabled, the router cannot respond to the SDEE clients because it
cannot see the requests.
To specify the method of event notification, use the ip ips notify command in global
configuration mode. To disable event notification, use the no form of this command.
router(config)# ip ips notify [log | sdee]
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-197
Syntax Description
log
sdee
Note
5-198
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Instructs the router to drop all packets until the signature engine is
built and ready to scan traffic
2007 Cisco Systems, Inc. All rights reserved.
SNRS v2.05-22
An important part of IPS is keeping up with the latest attack signatures. This example creates
an IPS rule, instructs the router not to load the built-in signatures, and to drop all packets until
the signature engine is built and ready to scan traffic. Use the information in this topic to
replace the existing signatures in your router with the latest IPS signature file.
The latest SDF file can be found at http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup.
Follow these steps to load the latest SDF:
Step 1
Step 2
Step 3
Specify the location where the router will load the SDF.
Step 4
By default, the built-in signatures are configured to be loaded. Optionally, they can
be turned off using the no ip ips sdf builtin command.
Step 5
(Optional) Instructs the router to drop all packets until the signature engine is built
and ready to scan traffic. By default, all packets are passed without being scanned
while the signature engine is being built or if the signature engine fails to build.
Step 6
Step 7
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-199
Verifying IPS
R1# show ip ips configuration
Configured SDF Locations:
flash:128MB.sdf
Builtin signatures are enabled but not loaded
Last successful SDF load time: 12:10:43 CST Oct 30 2006
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 303
Total Inactive Signatures: 0
Signature 50000:0 disable
Signature 50000:1 disable
Signature 50000:2 disable
IPS Rule Configuration
IPS name SNRS-IPS
Interface Configuration
Interface FastEthernet0/1
Inbound IPS rule is SNRS-IPS
Outgoing IPS rule is not set
SNRS v2.05-23
There are several commands available to verify and troubleshoot IPS configuration and
operation. Commands used to verify and troubleshoot IPS include the show, clear, and debug
commands.
To display IPS information such as configured sessions and signatures, use the show ip ips
command.
router# show ip ips {[all] [configuration] [interfaces] [name
name] [statistics [reset]] [sessions [details]] [signatures
[details]]}
Syntax Description
all
configuration
interfaces
Statistics [reset]
Displays information such as the number of packets audited and the number of
alarms sent
The optional reset keyword resets the sample output to reflect the latest
statistics.
name name
Sessions [details]
5-200
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Use the show ip ips configuration command in EXEC mode to display additional
configuration information, including default values that may not be displayed using the show
running-config command.
SNRS v2.05-24
This is an example of the show ip ips signatures command. It verifies signature configuration,
such as signatures that have been disabled.
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-201
SNRS v2.05-25
Use the show ip ips interfaces command to display the interface configuration.
5-202
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-24
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-203
clear Commands
This section describes the clear commands.
clear Commands
router#
SNRS v2.05-27
To disable Cisco IOS IPS, remove all intrusion detection configuration entries, and release
dynamic resources, use the clear ip ips configuration command in EXEC mode.
router# clear ip ips configuration
To reset statistics on packets analyzed and alarms sent, use the clear ip ips statistics command
in privileged EXEC mode.
router# clear ip ips statistics
To clear SDEE events or subscriptions, use the clear ip sdee command in privileged EXEC
mode.
router# clear ip sdee {events | subscriptions}
Syntax Description
events
subscriptions
Because subscriptions are properly closed by the Cisco IOS IPS client, this command is
typically used only to help with error recovery.
5-204
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
debug Commands
This section covers IPS debug commands.
debug Commands
router#
router#
router#
router#
router#
router#
router#
router#
router#
router#
router#
router#
router#
router#
debug
debug
debug
debug
debug
debug
debug
debug
debug
debug
debug
debug
debug
debug
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ip
ips
ips
ips
ips
ips
ips
ips
ips
ips
ips
ips
ips
ips
ips
timers
object-creation
object-deletion
function trace
detailed
ftp-cmd
ftp-token
icmp
ip
rpc
smtp
tcp
tftp
udp
SNRS v2.05-28
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-205
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
The Cisco IOS IPS acts as an inline intrusion prevention sensor.
An SME is a component of Cisco IOS IPS that supports
signatures in a certain category.
Cisco IOS IPS contains 135 built-in signatures but can be loaded
with over 1500 signatures from signature definition files.
Cisco IOS IPS has two main deployment scenarios.
Several tasks are required to configure Cisco IOS IPS on a router.
Alert logging for IOS IPS can be done with Syslog and SDEE.
An important part of IPS is keeping up with the latest attack
signatures.
There are several commands available to verify and troubleshoot
IPS configuration and operation.
SNRS v2.05-29
References
For additional information, refer to these resources:
Cisco Systems, Inc. Configuring Cisco IOS Intrusion Prevention System (IPS).:
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186
a00804a842f.html
Cisco Systems, Inc. Cisco IOS Security Configuration Guide, Release 12.4T:
http://www.cisco.com/en/US/partner/products/ps6441/products_configuration_guide_book
09186a008049e249.html
Cisco Systems, Inc. Cisco IOS Security Command Reference, Release 12.4T.
http://cisco.com/en/US/products/ps6441/products_command_reference_book09186a00804
97056.html.
5-206
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Lesson 6
Objectives
Upon completing this lesson, you will be able to describe the security features you have
implemented to protect a network. This ability includes being able to meet these objectives:
Describe the changes that you have made to the security of the network of Company ABC
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Headquarters
Access
Attacks
Remote traffic is
secure with
secured
connectivity.
Clients are
proper
DHCP
addresses,
thanks to
DHCP
snooping.
Reconnaissance
Attacks
DHCP
Spoofing
Attacks
PCs
Laptops
Telecommuters
No one is gaining
access to network
thanks to Cisco IBNS
DHCP, Domain
Name System,
Active Directory
Servers
Web
Servers
No exploits are
disrupting performance
thanks to Network
Foundation Protection
SNRS v2.05-2
The following technologies that you have implemented have secured the network of Company
ABC:
Layer 2 security
Port security
DHCP snooping
Secured connectivity
5-208
Site-to-site
Using PKI
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-209
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
Company ABC is now secured from the attacks that it was
undergoing.
5-210
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
SNRS v2.05-3
Module Summary
This topic summarizes the key points that were discussed in this module.
Module Summary
The Cisco IOS Firewall feature set combines existing
Cisco IOS Firewall technology and the Cisco IOS classic
firewall.
Cisco IOS classic firewall works to provide network protection
on multiple levels.
Cisco IOS zone-based policy firewall generally improves Cisco
IOS performance for most firewall inspection activities.
The Cisco IOS Firewall authentication proxy feature enables
network administrators to apply specific security policies on a
per-user basis.
The Cisco IOS IPS acts as an in-line intrusion prevention
sensor.
Company ABC is now secured from the attacks that it was
undergoing.
SNRS v2.05-1
The Cisco IOS Firewall feature set includes an extensive set of tools to secure a network. Some
of the features of Cisco IOS firewall that were discussed are:
Auth-prox
IOS IPS
References
For additional information, refer to these resources:
Cisco Systems, Inc. Cisco IOS Security Configuration Guide, Release 12.4
http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_book
09186a008043360a.html
Cisco Systems, Inc. Cisco IOS Security Command Reference, Release 12.4T:
http://www.cisco.com/en/US/partner/products/ps6441/products_configuration_guide_book
09186a008049e249.html
Cisco Systems, Inc. Cisco IOS Software Releases 12.4 T: Zone-Based Policy Firewall.
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.h
tml
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
5-211
5-212
Cisco Systems, Inc. Cisco IOS Software Releases 12.4 Mainline: Zone-Based Policy
Firewall Design Guide.
http://www.cisco.com/en/US/products/ps6350/products_feature_guide09186a008072c6e3.
html#wp1066679
Cisco Systems, Inc. Configuring Cisco IOS Intrusion Prevention System (IPS).:
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186
a00804a842f.html
Cisco Systems, Inc. Cisco IOS Security Command Reference, Release 12.4T.
http://cisco.com/en/US/products/ps6441/products_command_reference_book09186a00804
97056.html
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.