BRKSEC-3007
BRKSEC-3007 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
Data Plane Security
Zone Based Firewall
User Based Features
Authentication Proxy
User/Security Group Tagging
High Availability
Network Attack Mitigation
Control Plane Protection
Advanced IOS Security Overview
Data Plane Security using Zone Based Firewall
Build a comprehensive security solution to protect user services:
Permit trusted traffic
Create application aware policy
Apply QoS and rate limit
Establish connection limits
Log traffic
Using ZBFW provides a standardized framework for all security-based features.
Data Plane Security: Identifying Traffic
(Diagram: a client on Ethernet0/0 reaches the Internet through Ethernet0/1; HTTP, SMTP and FTP flows from the client cross the router toward an HTTP server and an SMTP server. Before any policy can be written, the traffic has to be identified.)
See Appendix for complete configuration example
Identifying traffic with extended ACL keywords, and what each one buys you:
syn, fin, rst, ack: only match the TCP flags in the individual packet; not truly stateful
established: only matches packets with the ACK or RST bit set; not truly stateful, since any sender can set those bits
fragments: prevents non-initial fragments from entering the network; a heavy-handed prevention of fragmentation attacks
ttl: restricts how far into the network traffic can pass; prevents control traffic from leaving the network
routing (IPv6): restricts loose source routing; prevents clients from choosing their own routing path

IOS-FW(config-ext-nacl)#permit tcp any any ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  rst          Match on the RST bit
  syn          Match on the SYN bit
  ttl          Match packets with given TTL value

IOS-FW(config)# ipv6 access-list IN->OUT_IPv6
IOS-FW(config-ipv6-acl)#permit any any ?
  routing      Routing header (all types)
Access-group and Access-list Limitations
(Diagram: Client on Ethernet0/0; Webserver and Attacker on Ethernet0/1.) How do we differentiate between the Webserver's response traffic and the Attacker's traffic? With a stateless ACL pair we cannot: anything sourced from port 80 is let back in, whoever sends it.

ip access-list extended IN->OUT
 permit tcp host Client any eq 80
!
ip access-list extended OUT->IN
 permit tcp any eq 80 host Client
Firewall Basic Functionality
(Diagram: TRUSTED side with the Client; UNTRUSTED side with the Webserver, the Attacker and the Internet. The HTTP Request goes out, the HTTP Response comes back, the Attacker's malicious traffic is blocked.)
The firewall prevents malicious traffic from entering the network by tracking connections: only replies that match a connection the client opened are allowed back in.
Zone Based Firewall Overview
Recommended IOS data plane security solution
Policies are applied to zones
Zones are applied to interfaces
Allows for scalable security policy
Zone policies are directional
Matches the initial packet of the flow:
TCP matches the SYN
Non-TCP matches any packet
See Appendix for complete configuration example
Zone-pairs permit traffic between two zones. Traffic is specific to a zone-pair, which allows for directed control. Traffic between interfaces in the same zone requires a policy as well (see Intrazone policies in the Appendix):

zone-pair security USERS->USERS source USERS destination USERS
!
interface Ethernet0/0.100
 zone-member security USERS
interface Ethernet0/0.200
 zone-member security USERS
interface Ethernet0/0.300
 zone-member security USERS
Zone Policy Assignment: Self Zone
Pre-defined zone member: it cannot be created by the administrator, it is pre-defined and available for use
Protects traffic to and from the router itself: traffic sourced by or destined to the router
Excludes NAT traffic
Traffic that lives in the self zone:
Monitoring: SNMP, Syslog, NetFlow
Routing protocols: EIGRP, OSPF, BGP
Management: SSH, Telnet, HTTP
VPN: ESP, GRE, NAT-T, ISAKMP
Two differences from regular zones:
1. Cannot configure the self zone; it is pre-defined and available for use
2. Reverse functionality compared to regular zones: traffic to and from self is allowed until a zone-pair policy is applied to it (you must explicitly deny), whereas traffic between regular zones is dropped until a policy permits it (you must explicitly allow)
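Added example (not from the deck) of the second difference above: a policy that takes the self zone from allow-by-default to explicit allow. It assumes two zones, INSIDE and OUTSIDE, a management subnet 10.1.1.0/24 with an NMS at 10.1.1.50, and BGP plus IPsec/GRE tunnels terminating on the OUTSIDE interface; all names and addresses are illustrative.

```cisco-ios
! Added example, not from BRKSEC-3007: locking down the self zone.
! Assumptions: LAN zone INSIDE, WAN zone OUTSIDE, management subnet 10.1.1.0/24,
! NMS at 10.1.1.50, BGP peering and IPsec/GRE tunnels on the OUTSIDE interface.
zone security INSIDE
zone security OUTSIDE
!
! Management traffic that may reach the router from INSIDE (TCP/UDP/ICMP, so it can be inspected)
ip access-list extended MGMT_TO_SELF_ACL
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit udp host 10.1.1.50 any eq snmp
 permit icmp 10.1.1.0 0.0.0.255 any
!
! Routing and VPN protocols on OUTSIDE: ESP, GRE and BGP are passed, not inspected,
! so the same ACL contents are needed in both directions
ip access-list extended OUTSIDE_TO_SELF_ACL
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit esp any any
 permit gre any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended SELF_TO_OUTSIDE_ACL
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit esp any any
 permit gre any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
class-map type inspect match-all MGMT_TO_SELF_CMAP
 match access-group name MGMT_TO_SELF_ACL
class-map type inspect match-all OUTSIDE_TO_SELF_CMAP
 match access-group name OUTSIDE_TO_SELF_ACL
class-map type inspect match-all SELF_TO_OUTSIDE_CMAP
 match access-group name SELF_TO_OUTSIDE_ACL
!
! Everything not listed is dropped and logged: this is the "explicit allow" behaviour
policy-map type inspect INSIDE_TO_SELF_PMAP
 class type inspect MGMT_TO_SELF_CMAP
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE_TO_SELF_PMAP
 class type inspect OUTSIDE_TO_SELF_CMAP
  pass
 class class-default
  drop log
policy-map type inspect SELF_TO_OUTSIDE_PMAP
 class type inspect SELF_TO_OUTSIDE_CMAP
  pass
 class class-default
  drop log
!
! Each zone-pair below replaces the self zone's allow-by-default for that direction only;
! self -> INSIDE has no zone-pair here, so router-sourced syslog/SNMP traps still flow
zone-pair security INSIDE_TO_SELF source INSIDE destination self
 service-policy type inspect INSIDE_TO_SELF_PMAP
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE_TO_SELF_PMAP
zone-pair security SELF_TO_OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF_TO_OUTSIDE_PMAP
```

The pass action is stateless, which is why BGP, ESP, GRE and ISAKMP appear in both the OUTSIDE-to-self and self-to-OUTSIDE ACLs; if OSPF or EIGRP is also in use, they must be added the same way, since neither can be inspected. The management class is inspected instead, so only the INSIDE-to-self direction needs a rule.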
Zone Based Firewall: Configuration Theory
See Appendix for complete configuration example
Identifying Traffic: Mixing and Matching
Match-All: a packet must meet every condition in the class-map (Access-list USER_ACL AND protocol HTTP)
Match-Any: a packet matches if it meets any one condition (Access-list USER_ACL OR protocol HTTP)

ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any
Take Action using Policy-Map
Inspect: builds connections for the traffic, statefully examines the flow and allows return packets that match a connection. Preferred action for traffic.
Drop: discards the traffic.
Take Action using Policy-Map: Class-map Order of Operation
Class-maps are processed in order, and the first class that matches wins. Always put the more specific match conditions first; order matters when applying the inspect action or application inspection.

Wrong order: the generic TCP class catches the SMTP traffic and drops it before the SMTP class is evaluated
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect TCP_TRAFFIC_CMAP
  drop
 class type inspect SMTP_TRAFFIC_CMAP
  inspect

Right order: most specific class first
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect SMTP_TRAFFIC_CMAP
  inspect
 class type inspect TCP_TRAFFIC_CMAP
  drop
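The two class-maps the slide refers to, written out as an added example (not the deck's own configuration). It assumes zones INTERNET and APPLICATION and an SMTP server at 192.168.1.25; the wrong-order policy-map is included only to show what gets shadowed.

```cisco-ios
! Added example, not from BRKSEC-3007. Assumptions: zones INTERNET and APPLICATION,
! SMTP server at 192.168.1.25 inside the APPLICATION zone.
zone security INTERNET
zone security APPLICATION
!
ip access-list extended SMTP_SERVER_ACL
 permit tcp any host 192.168.1.25 eq smtp
!
! Specific class: SMTP to the mail server, with application-layer (SMTP) inspection
class-map type inspect match-all SMTP_TRAFFIC_CMAP
 match access-group name SMTP_SERVER_ACL
 match protocol smtp
! Generic class: any other TCP from the Internet
class-map type inspect match-any TCP_TRAFFIC_CMAP
 match protocol tcp
!
! Shadowed: SMTP is TCP, so the first class matches it and drops it;
! the SMTP class below it never sees a packet
policy-map type inspect WRONG_ORDER_PMAP
 class type inspect TCP_TRAFFIC_CMAP
  drop log
 class type inspect SMTP_TRAFFIC_CMAP
  inspect
!
! Correct: most specific first, then the generic drop, then class-default
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect SMTP_TRAFFIC_CMAP
  inspect
 class type inspect TCP_TRAFFIC_CMAP
  drop log
 class class-default
  drop
!
zone-pair security INTERNET->APPLICATION source INTERNET destination APPLICATION
 service-policy type inspect INTERNET->APPLICATION_PMAP
```

After applying it, show policy-map type inspect zone-pair INTERNET->APPLICATION lists the per-class packet counters; with the wrong-order policy the SMTP class would show zero matches while the TCP drop counter climbs, which is the quickest way to spot a shadowed class.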
Apply Action using Zone-Pair
Advanced Inspection: Protocol vs Application
An inspected session as it appears in the firewall session table:
Session B251B5C0 (192.168.1.100:14128)=>(4.2.2.2:80) tcp SIS_OPEN/TCP_ESTAB
Out of Order Packet Handling
Application inspection requires packets to arrive in order
Out of Order (OoO) processing queues packets to be ordered
The drop logged when an out-of-order segment cannot be handled:
Apr 3 10:40:30.662: %FW-6-DROP_PKT: Dropping tcp session 4.2.2.2:80 10.1.1.1:58899 on zone-pair INSIDE->OUTSIDE_ZP class USERS_CMAP due to Out-Of-Order Segment with ip ident 0
Data Plane Security using Zone Based Firewall: Apply QoS and rate limit
QoS Policy using Zone Based Firewall
Matched traffic is rate limited to the specified value with a simple traffic policer. The police action accompanies the inspect action on the class:

policy-map type inspect USERS->INTERNET_PMAP
 class type inspect HTTP_CMAP
  inspect
  police rate 10000000 burst 250000
 class type inspect BITTORRENT_CMAP
  inspect
  police rate 5000000 burst 500000

(Diagram: of a 20 Mbps link, HTTP is policed to 10 Mbps and BitTorrent to 5 Mbps; the remaining 5 Mbps is reserved for voice traffic.)
Data Plane Security using Zone Based Firewall: Establish connection limits
Enabling Connection Limits for Resource Protection
Resource Limits on IOS
Router has a fixed amount of memory for connections
Connection limitations will prevent DoS attacks from exhausting resources
Protects device
Protects endpoint services
Connection limits can protect:
Memory exhaustion
Limit total number of connections
Idle timer of established and half-open connections
Processor/CPU exhaustion
Limit rate of connection builds
See Appendix for complete configuration example
(Diagram: a TCP SYN whose handshake has not completed within the SYN wait time, 60 seconds here, is torn down; the firewall sends a TCP RST toward both client and server.)
(Diagram: with a maximum of 1000 connections configured, the 1001st connection is refused.)
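An added example (not from the deck) that applies these limits: a parameter-map type inspect attached to the inspect action of one class. Zone and class names follow the deck's naming; the numeric limits are assumptions to be sized for the platform and the traffic.

```cisco-ios
! Added example, not from BRKSEC-3007. Assumptions: zones INSIDE and OUTSIDE,
! and limit values that are illustrative rather than tuned.
parameter-map type inspect CONN_LIMIT_PARAM
 ! Memory: cap the number of sessions this class may hold (the 1001st is refused)
 sessions maximum 1000
 ! Memory: tear down half-open and idle sessions sooner than the defaults
 tcp synwait-time 10
 tcp idle-time 3600
 udp idle-time 30
 ! CPU: start aggressive aging of half-open sessions above 1000, stop below 500
 max-incomplete high 1000 low 500
 ! CPU: same thresholds expressed as a rate of new half-open sessions per minute
 one-minute high 50
 one-minute low 25
 ! Per-destination cap on half-open sessions; block-time 0 only drops the oldest
 tcp max-incomplete host 100 block-time 0
!
class-map type inspect match-any INSIDE->OUTSIDE_CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE->OUTSIDE_PMAP
 class type inspect INSIDE->OUTSIDE_CMAP
  inspect CONN_LIMIT_PARAM
 class class-default
  drop
!
zone-pair security INSIDE->OUTSIDE_ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE->OUTSIDE_PMAP
```

Attaching the parameter-map to the inspect action scopes the limits to that class, so a flood against one zone-pair cannot consume the sessions reserved for another; a parameter-map that is not referenced by any inspect action has no effect.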
Data Plane Security using Zone Based Firewall: Log firewall traffic
See Appendix for complete functionality example
Logging firewall traffic (audit trail):
Processor intensive: interrupt driven messages can cause high CPU
Similar to the log keyword on ACLs
Used for troubleshooting; not recommended for monitoring

%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Start tcp session: initiator (192.168.1.100:34166) -- responder (4.2.2.2:80)
Data Plane Security using Zone Based Firewall: Allow tunneled/VPN traffic
Data Plane Security of Tunneled Traffic using ZBFW
Tunneled traffic can be encrypted
The tunnel traffic itself (the encapsulating packets) is control plane, whereas the transit traffic carried inside the tunnel is data plane
Tunnels are used to connect remote locations: connect to all remote locations using a VPN to allow secure connectivity
Traffic arriving through a tunnel should still be subjected to ZBFW, because it may not be trusted
ZBFW and Tunneling
(Diagram: a client packet SRC A DST B travels from the Local Zone to the Remote Zone and is encapsulated into a VPN packet SRC X DST Y, which leaves through the Self Zone toward the Internet Zone.)
The remote zone depends on the tunnel configuration: crypto map on the interface vs VTI
The VPN packet is always sourced from the self zone, since it is generated by the router
ZBFW and Tunneling: Design Considerations
(Diagram: host A in zone LOCAL, tunnel endpoints X and Y across zone OUTSIDE, host B in zone REMOTE.)
Firewall policies should be applied on the device before encapsulation or encryption occurs:
client traffic is inspected on the zone-pair source LOCAL destination REMOTE;
the encapsulated packets are covered by the zone-pair source self destination OUTSIDE.

interface WAN
 zone-member security OUTSIDE
interface Tunnel0
 zone-member security REMOTE
 tunnel mode [ipsec|gre|ipv6ip]

6in4 tunneling is becoming more common and is an easy way to circumvent established security policies. ZBFW can be used to protect both the IPv6 and IPv4 stacks if positioned and deployed correctly.
Data Plane Security using Zone Based Firewall: putting the features together
See Appendix for complete configuration example
Features that can coexist on one interface: ACL, ZBFW, NAT, QoS, VPN.

interface Ethernet0/1
 ip access-group IN_ACL in
 zone-member security INSIDE
 ip nat inside
 service-policy input QoS
 crypto map CRYPTO_MAP
Summary of ZBFW features
Feature | ZBFW | Classic IOS
Access Control | Zone members / zone-pairs; stateful; scalable | Interface access-lists; not stateful; cannot integrate with VPN
Application Aware Policies | Layer 7 inspection policy integrated into inspection; utilizes NBAR for matching | NBAR using MQC; independent configuration; not stateful
Quality of Service (QoS) | Policing integrated with the ZBFW policy-map; simple policing | Traffic shaping with the interface QoS policy; optimizes traffic flow
Monitoring | Audit-trail in the global parameter-map; interrupt driven connection information | ACL log hits (simplified packet counting); NetFlow (connection oriented packet counting)
User Identity
See Appendix for address assignment information
Who is behind an address? Tracking can be done using:
IP address
Username
OS/Application/etc
Types of Authentication
Active: the router learns user credentials directly from the client; username and password are verified against ACS/ISE/AD
Passive: the user provides credentials to a third-party device; the router learns the user information from that third-party device
Transparent: the router learns user credentials directly from the client; they are not checked against an external server, the router just trusts the user information
Authentication Proxy Overview
Client is prompted for credentials by a login prompt
Username and password are checked against:
Local
RADIUS
RADIUS can pass down attributes:
Downloadable ACL
User Groups
Security Group Tagging
Authentication Proxy Traffic Flow: User Challenge
The client opens an HTTP connection; the router intercepts it and challenges for credentials; the client answers "I am UserA" and the router forwards the credentials to ACS.
Authentication Proxy Traffic Flow: Consult ACS
Router to ACS: "What should I do with UserA?" ACS: "Permit UserA, BUT restrict their access using this ACL."
Consent Parameter-map
User is forced to accept terms of use before logging in
Login succeeds only if the terms are accepted
User Group Tagging: Consult ACS
Router to ACS/ISE: "What should I do with UserA?" ACS: "Permit UserA, BUT mark them with this special Cisco user tag."
Routers ask the ACS/ISE for group information about the user
Group information is known as tags/SGT and is carried as a Cisco AVpair, for example:
Supplicant Group = ENG
SGT = 3
The router applies specific configuration based on these tags
The configuration on each router is known as a template
User Group Tagging: Traffic Processing
User Groups/SGT render identity features stateful
High Availability
See Appendix for complete configuration example
LAN interfaces
Active router (WAN side 172.16.1.1 toward ISP1):
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive
Standby router (WAN side 192.168.1.1 toward ISP2):
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive
The virtual IP 10.1.1.3 follows the active router; the redundancy interface identifier (rii 100) is the same on both routers so that the two interfaces are treated as a pair for session synchronization.
Asymmetric Routing
(Diagram: one router is Active toward ISP1, the other Standby toward ISP2; a flow may leave through one router and return through the other, so the returning packets must be matched against the session replicated to the peer.)
Network Attack Mitigation
Attack Security: Tiny Fragment, Buffer Overflow
Identifying Attack Vector
(Diagram: attack traffic entering on Ethernet0/1 toward the protected hosts behind Ethernet0/0.)
Tracking Source of DoS attacks
NetFlow shows 255 flows of a single 64-byte packet each, arriving at 255 packets per second: the profile of a SYN flood against the web server.
Router# show ip cache flow
...
Protocol  Total  Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------  Flows  /Sec   /Flow    /Pkt   /Sec     /Flow        /Flow
TCP-WWW   255    0.0    1        64     255.0    4.0          15.5

TCP Intercept
Intercept mode: the router answers the client's SYN with a SYN+ACK on behalf of the server and completes the three-way handshake with the client before opening its own connection to the server; half-open connections never reach the server.
Watch mode: the router passively watches the SYN, SYN+ACK and ACK; if the handshake is not completed within the watch timeout it sends a RST to clear the half-open connection on the server.
IP Fragmentation Attacks
Original Packet: IP Header | TCP Header | Data
Tiny Fragment: Fragment 1 carries the IP Header and only the beginning of the TCP Header; Fragment 2 carries the IP Header and the Data. A filter that only examines the first fragment never sees the full TCP header.
Overlapping Fragments: Fragment 1 carries IP Header, TCP Header and Data; Fragment 2 is offset so that its Data overlaps Fragment 1 and overwrites part of it on reassembly.
Buffer Overflow: Fragment 1 (IP Header, TCP Header, Data) and Fragment 2 (IP Header, Data) reassemble to more than the receiver's buffer can hold.
See Appendix for complete configuration example
(Diagram: Fragment 1 (IP Header, TCP Header, Data) and Fragment 2 (IP Header, Data) arriving on Ethernet0/1 are reassembled by the router before being forwarded toward Ethernet0/0.)
See Appendix for log information
See Appendix for complete configuration example
Spoofing Attacks: Unicast Reverse Path Forwarding
(Diagram: a packet with Src 20.1.1.100 and Dst 10.1.1.200 arrives on Ethernet0/1; uRPF checks whether 20.1.1.100 is reachable through Ethernet0/1 according to the routing table and drops the packet if it is not.)
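Added example (not the deck's configuration) tying together the three mitigations of this section on one Internet-facing interface: uRPF against spoofed sources, virtual reassembly against fragment attacks, and TCP intercept in watch mode against SYN floods. The interface names, the 10.1.1.0/24 server subnet and the thresholds are assumptions.

```cisco-ios
! Added example, not from BRKSEC-3007. Assumptions: Ethernet0/1 faces the Internet,
! protected servers live in 10.1.1.0/24, thresholds are illustrative.
!
! 1. Unicast RPF, strict mode: drop packets whose source is not reachable back through
!    the receiving interface. On a multihomed edge with asymmetric routes use
!    "reachable-via any" (loose mode) instead, or strict mode drops legitimate traffic.
interface Ethernet0/1
 ip verify unicast source reachable-via rx
 ! 2. Virtual reassembly: fragments are reassembled here, so tiny and overlapping
 !    fragments are seen as whole datagrams by the firewall and the hosts behind it
 ip virtual-reassembly in max-reassemblies 64 max-fragments 16 timeout 5
!
! 3. TCP intercept in watch mode for the server subnet: the router lets the handshake
!    through but resets any connection that is still half-open after 30 seconds.
!    Above 1100 half-open connections it becomes aggressive until back under 900.
access-list 101 permit tcp any 10.1.1.0 0.0.0.255
ip tcp intercept list 101
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
ip tcp intercept one-minute low 900
ip tcp intercept one-minute high 1100
```

show tcp intercept statistics reports the half-open count and the number of connections reset, show ip virtual-reassembly Ethernet0/1 the reassembly state and drops, and show ip interface Ethernet0/1 confirms the uRPF mode and its drop counter; watch those three before and after an exercise rather than trusting the configuration alone.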
Control Plane Security
Control Plane Diagram
All traffic that requires special handling will go through the router's control plane. Control Plane Protection splits it into:
Host: port filter, queue threshold policing
Transit: policing
Actions for traffic: permit, rate limit, drop
Control Plane Protection Example
Problem: the router is receiving too much traffic to process on non-listening ports
Solution: pre-emptively drop all traffic destined to closed ports
See Appendix for complete configuration example
Traffic destined to any other port on the router will be dropped early, before CPU processing
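Added example (not the deck's configuration) of the port-filter solution described above, with a policer for one kind of traffic that is still allowed to the host subinterface. The ICMP rate is an assumption.

```cisco-ios
! Added example, not from BRKSEC-3007. Assumption: ICMP to the router is rate limited
! rather than dropped; 64 kbps with an 8000-byte burst is an illustrative value.
!
! Port filter: match-closed-ports is evaluated against the ports the router is
! actually listening on, so it tracks services as they are enabled or disabled
class-map type port-filter match-any CLOSED_PORTS_CMAP
 match closed-ports
!
policy-map type port-filter CLOSED_PORTS_PMAP
 class CLOSED_PORTS_CMAP
  drop
!
! Policer for traffic that passes the port filter but can still be abused
ip access-list extended COPP_ICMP_ACL
 permit icmp any any
class-map match-any COPP_ICMP_CMAP
 match access-group name COPP_ICMP_ACL
policy-map COPP_HOST_PMAP
 class COPP_ICMP_CMAP
  police 64000 8000 conform-action transmit exceed-action drop
!
! Both policies apply to the host subinterface of the control plane, i.e. to packets
! addressed to the router itself; transit packets are not affected
control-plane host
 service-policy type port-filter input CLOSED_PORTS_PMAP
 service-policy input COPP_HOST_PMAP
```

show control-plane host open-ports lists what the router currently considers open, which is the set the port filter permits; check it after enabling or disabling a service such as HTTP or SNMP, because the filter follows that list, not the intent in the configuration.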
Summary
Protect the data plane using ZBFW configuration
Application aware features allow deep packet inspection
Log traffic selectively: the audit trail is a troubleshooting tool, not a monitoring feed
Protect router services from resource exhaustion using Control Plane Protection
Recommended Readings
Participate in the My Favorite Speaker Contest
Promote Your Favorite Speaker and You Could be a Winner
Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
Send a tweet and include:
Your favorite speaker's Twitter handle @CiscoTACPodcast
Two hashtags: #CLUS #MyFavoriteSpeaker
You can submit an entry for more than one of your favorite speakers
Don't forget to follow @CiscoLive and @CiscoPress
View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Continue Your Education
Demos in the Cisco Campus
Walk-in Self-Paced Labs
Table Topics
Meet the Engineer 1:1 meetings
Appendix
Zone Based Firewall (ZBFW): Zone Members
zone security INSIDE
zone security OUTSIDE
!
interface Ethernet0/0
 zone-member security INSIDE
!
interface Ethernet0/1
 zone-member security OUTSIDE
Ethernet0/0 belongs to the trusted zone INSIDE, Ethernet0/1 to the untrusted zone OUTSIDE.
Building Zone-pairs
(Diagram: four zones, Users, Internet, Application and Database; a zone-pair is built for each direction in which traffic is initiated, for example Users to Application and Application to Database.)
See Appendix for complete configuration example
zone-pair security USERS->APPLICATION source USERS destination APPLICATION
Zone policies are directional:
Initiated traffic matches from SOURCE to DESTINATION
Return traffic matches the existing connection
ZBFW scales when there are multiple zones
Intrazone policies
On IOS 12.X releases, traffic between interfaces belonging to the same zone was allowed to pass without inspection, and it was not possible to define intrazone ZFW policies.
Starting with IOS 15.0(1)M, intrazone traffic is blocked by default.
IOS 15.X allows the creation of intrazone policies (source and destination of the traffic in the same zone).
Advanced Topology
Identifying Traffic: Class-Map Theory
A class-map using an access-list:
ip access-list extended USER_ACL
 permit tcp any any eq 80
Identifying Traffic using Class-Map: Examples
Example 1, ACL matching:
ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-1
 match access-group name USER_ACL
Applying Policy-map
Inspect Traffic: Protocol vs Application
ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-1
 match access-group name USER_ACL
The resulting session in the firewall session table:
Session B251B5C0 (192.168.1.100:14128)=>(4.2.2.2:80) tcp SIS_OPEN/TCP_ESTAB
Allowing Inbound Traffic
Zone-pairs are unidirectional
Any traffic that must be initiated in the opposite direction has to be explicitly allowed there, for example SMTP to an internal mail server:
class-map type inspect match-all SMTP_SERVER_CMAP
 match access-group name SMTP_SERVER_ACL
 match protocol smtp
Parameter-Map Overview
Router(config)# parameter-map type ?
consent Parameter type consent
content-scan Content-scan parameter-map
inspect inspect parameter-map
ooo TCP out-of-order parameter-map for FW and IPS
protocol-info protocol-info parameter-map
regex regex parameter-map
urlf-glob URLF glob parameter-map
urlfpolicy Parameter maps for urlfilter policy
waas WAAS Parameter Map
Application Layer Inspection: HTTP Example
General ZBFW configuration matches on ports and protocols; application-layer inspection looks inside the protocol. Here a regex parameter-map feeds an HTTP class-map:

parameter-map type regex BLACK_LIST_PARAM
 pattern .*cisco.*
!
class-map type inspect http match-all BLACK_LIST_CMAP
 ! the slide shows only the class-map header; matching the request URI against the regex is the usual body
 match request uri regex BLACK_LIST_PARAM
Content Filtering
See BRKSEC-2042, Content Filtering in the Enterprise
Current technologies:
WCCP
Scansafe
Old technologies:
Websense
Trend Micro Content Scanning
Scansafe Content Scanning: Request
(Diagram: the Client sends a packet for www.cisco.com; the Router redirects it as a CWS packet to the CWS (Scansafe proxy) server, which in turn requests the page from the Webserver.)
Scansafe Content Scanning: Response
(Diagram: the Webserver answers the Scansafe proxy server; Scansafe returns the scanned response to the Router, which delivers it to the Client as if it came from the Webserver.)
Content Scanning Configuration
parameter-map type content-scan global
server scansafe primary name proxy2261.scansafe.net port http 8080 https 8080
license 0 ABCDEF1234567890ABCDEFABCDEFFFFF
source interface Ethernet0/0
timeout server 30
user-group CISCOGROUP username CISCOUSER
server scansafe on-failure block-all
Content Scanning Outputs
Router# show content-scan statistics
Current HTTP sessions: 0
Current HTTPS sessions: 0
Total HTTP sessions: 83
Total HTTPS sessions: 8
White-listed sessions: 0
Time of last reset: never

Router# show content-scan summary
Primary: 201.94.155.42 (Up)*
Secondary: 70.39.231.99 (Up)
Interfaces: Ethernet0/0
Integrating User Identity with Scansafe
aaa new-model
aaa authentication login default group radius
aaa authorization network default group radius
! the admission rule referenced on the interface (the slide shows only the interface command)
ip admission name AUTHPROXY proxy http
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip admission AUTHPROXY
Masking SMTP Messages
(Diagram: Ethernet header (Source MAC, Destination MAC), IP header (Source IP, Destination IP), TCP header (Source Port, Destination Port), then the SMTP data: the server's EHLO response advertising PIPELINING and STARTTLS.)
Mask specific SMTP messages from being presented to clients.
Filtering PIPELINING prevents the client from sending batches of commands without waiting for a response from the server.
Application Layer Inspection: SMTP Example
Application Layer Inspection: SIP Example
Application Based Inspections
IOS-FW(config)# class-map type inspect ?
  h323
  http
  imap
  pop3
  sip
  smtp
  sunrpc
Voice inspections (h323, sip): control how calls can be placed and how phones can register
eMail inspections (imap, pop3, smtp): control how email can be sent and retrieved
Applying Connection Limits to Traffic
parameter-map type inspect CONN_LIMIT_PARAM
sessions maximum 100
max-incomplete high 1000 low 500
one-minute high 50
one-minute low 25
Logging dropped packets and summarization
The two global parameter-map settings, log dropped-packets (drop-pkt) and log summary, combine into four cases. What is printed depends on the action configured in the class:

Action: drop
 drop-pkt disable, summary disable: drop and summary logs are not printed
 drop-pkt disable, summary enable: drop and summary logs are not printed
 drop-pkt enable, summary disable: drop and summary logs are not printed
 drop-pkt enable, summary enable: drop and summary logs are not printed
Action: drop log
 drop-pkt disable, summary disable: only drop logs are printed, no summary logs
 drop-pkt disable, summary enable: since the log option is configured with the drop action, both the drop and the summary logs for the traffic matching that class are printed
 drop-pkt enable, summary disable: only drop logs are printed, summary logs are not
 drop-pkt enable, summary enable: since the log option is configured with the drop action, both the drop and the summary logs for the traffic matching that class are printed
Action: inspect, or zone to non-zone traffic
 drop-pkt disable, summary disable: drop and summary logs are not printed
 drop-pkt disable, summary enable: drop and summary logs are not printed
 drop-pkt enable, summary disable: only drop logs are printed, summary logs are not
 drop-pkt enable, summary enable: drops due to the inspect action and the summary logs are printed
Logging New Connections
Cannot be applied globally; enable it on a per class-map basis
Monitoring ZBFW Statistics
Router# show policy-firewall stats drop-counters
DROP action found in policy-map 4
ZBFW and VPN
(Diagram: hosts A and B at either end, tunnel endpoints X and Y in between.)
See Appendix for complete configuration example

Crypto map
interface Ethernet0/0
 zone-member security OUTSIDE
 crypto map IPSEC_TUNNEL
Crypto maps are bound to the tunnel-terminating interface. The client packet (SRC A DST B) and the VPN packet (SRC X DST Y) have the same destination zone, OUTSIDE.

VTI
interface Ethernet0/0
 zone-member security OUTSIDE
interface Tunnel0
 zone-member security REMOTE
 tunnel mode ipsec ipv4
VTIs are independent interfaces with their own zone membership. The client packet (SRC A DST B) is evaluated against zone REMOTE while the VPN packet (SRC X DST Y) goes to zone OUTSIDE: different destination zones.

6in4
interface Ethernet0/0
 zone-member security OUTSIDE
interface Tunnel0
 zone-member security REMOTE
 tunnel mode ipv6ip
IPv6 networks can be connected by using a 6in4 tunnel: the client packet is IPv6 (SRC A DST B), the tunnel packet is IPv4 (SRC X DST Y). ZBFW should be configured on the IPv6/IPv4 edge, because IPv6 tunneling protocols could otherwise bypass the security policies.
Migrating from an Existing Policy
The starting point, an interface ACL that lets SMTP in:
ip access-list extended OUTSIDE-IN
 permit tcp any any eq 25
!
interface Ethernet0/0
 ip access-group OUTSIDE-IN in
ZBFW configuration example
zone security INSIDE
zone security OUTSIDE
!
interface Ethernet0/0
 zone-member security INSIDE
interface Ethernet0/1
 zone-member security OUTSIDE
!
class-map type inspect match-all INSIDE_OUTBOUND_CMAP
 match protocol http
!
policy-map type inspect INSIDE_OUTBOUND_PMAP
 class type inspect INSIDE_OUTBOUND_CMAP
  inspect
!
zone-pair security IN2OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_OUTBOUND_PMAP
Stateful Address Assignment
Stateless Address Assignment
Authentication Proxy - Configuration
aaa new-model
aaa authentication login default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
ip http server
! the admission rule referenced on the interface (the slide shows only the interface command)
ip admission name AUTHPROXY proxy http
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip admission AUTHPROXY
Authentication Proxy Traffic Flow Apply Action
1. Interface ACL
2. Consent ACL
3. AuthProxy ACL
Authentication Proxy - Debugs
Mar 23 14:27:54.571: RADIUS/ENCODE(00000015):Orig. component type = Auth Proxy
Mar 23 14:27:54.571: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 23 14:27:54.571: RADIUS(00000015): Config NAS IPv6: ::
Mar 23 14:27:54.571: RADIUS/ENCODE(00000015): acct_session_id: 11
Mar 23 14:27:54.571: RADIUS(00000015): sending
Mar 23 14:27:54.575: RADIUS/ENCODE: Best Local IP-Address 14.36.112.40 for Radius-Server 14.36.112.250
Mar 23 14:27:54.575: RADIUS(00000015): Send Access-Request to 14.36.112.250:1645 id 1645/11, len 110
Mar 23 14:27:54.575: RADIUS: authenticator 54 01 93 F4 17 F1 93 7D - EB 44 A3 05 FA 49 79 24
Mar 23 14:27:54.575: RADIUS: User-Name [1] 7 "cisco"
Mar 23 14:27:54.575: RADIUS: User-Password [2] 18 *
Mar 23 14:27:54.575: RADIUS: Service-Type [6] 6 Outbound [5]
Mar 23 14:27:54.575: RADIUS: Vendor, Cisco [26] 29
Mar 23 14:27:54.575: RADIUS: Cisco AVpair [1] 23 "service-type=Outbound"
Mar 23 14:27:54.575: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.575: RADIUS: 53 E1 38 E5 A2 93 DD 40 61 88 99 60 A6 70 2D 2E [ S8@a`p-.]
Mar 23 14:27:54.575: RADIUS: NAS-Port-Type [61] 6 Async [0]
Mar 23 14:27:54.575: RADIUS: NAS-IP-Address [4] 6 14.36.112.40
Mar 23 14:27:54.575: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 23 14:27:54.575: RADIUS(00000015): Started 5 sec timeout
Mar 23 14:27:54.591: RADIUS: Received from id 1645/11 14.36.112.250:1645, Access-Accept, len 287
Mar 23 14:27:54.591: RADIUS: authenticator C0 07 BB 4F 81 FC B8 33 - CB 2A 22 98 23 C0 6E 58
Mar 23 14:27:54.591: RADIUS: User-Name [1] 7 "cisco"
Mar 23 14:27:54.591: RADIUS: State [24] 40
Mar 23 14:27:54.591: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 65 [ReauthSession:0e]
Mar 23 14:27:54.591: RADIUS: 32 34 37 30 66 61 30 30 30 30 30 30 33 35 35 33 [2470fa0000003553]
Mar 23 14:27:54.591: RADIUS: 32 45 45 44 36 44 [ 2EED6D]
Mar 23 14:27:54.591: RADIUS: Class [25] 54
Mar 23 14:27:54.591: RADIUS: 43 41 43 53 3A 30 65 32 34 37 30 66 61 30 30 30 [CACS:0e2470fa000]
Mar 23 14:27:54.591: RADIUS: 30 30 30 33 35 35 33 32 45 45 44 36 44 3A 72 61 [00035532EED6D:ra]
Mar 23 14:27:54.591: RADIUS: 64 61 72 2D 69 73 65 2F 31 38 34 36 39 38 35 36 [dar-ise/18469856]
Mar 23 14:27:54.591: RADIUS: 36 2F 35 34 [ 6/54]
Mar 23 14:27:54.591: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.591: RADIUS: 3E F1 DA B1 22 AB 23 26 12 0E 54 83 2C 96 C1 AF [ >"#&T,]
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 25
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 30
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 32
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 61
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 55 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.591: RADIUS(00000015): Received from id 1645/11
Authentication Proxy - Debugs (continued)
Mar 23 14:27:54.591: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Mar 23 14:27:54.591: RADIUS(00000000): Config NAS IP: 0.0.0.0
Mar 23 14:27:54.591: RADIUS(00000000): sending
Mar 23 14:27:54.591: RADIUS/ENCODE: Best Local IP-Address 14.36.112.40 for Radius-Server 14.36.112.250
Mar 23 14:27:54.591: RADIUS(00000000): Send Access-Request to 14.36.112.250:1645 id 1645/12, len 133
Mar 23 14:27:54.591: RADIUS: authenticator 86 69 58 02 68 24 B8 7D - 52 A6 74 12 C6 34 5E 85
Mar 23 14:27:54.591: RADIUS: NAS-IP-Address [4] 6 14.36.112.40
Mar 23 14:27:54.591: RADIUS: User-Name [1] 27 "#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 32
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 30
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Mar 23 14:27:54.591: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.591: RADIUS: FA 55 AC 1F E1 57 22 F9 0F 77 4B A6 F4 19 42 5E [ UW"wKB^]
Mar 23 14:27:54.591: RADIUS(00000000): Sending a IPv4 Radius Packet
Mar 23 14:27:54.591: RADIUS(00000000): Started 5 sec timeout
Mar 23 14:27:54.595: RADIUS: Received from id 1645/12 14.36.112.250:1645, Access-Accept, len 327
Mar 23 14:27:54.595: RADIUS: authenticator CD CB 43 D2 51 C4 A2 46 - 80 0C E3 03 10 57 52 4C
Mar 23 14:27:54.595: RADIUS: User-Name [1] 27 "#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.595: RADIUS: State [24] 40
Mar 23 14:27:54.595: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 65 [ReauthSession:0e]
Mar 23 14:27:54.595: RADIUS: 32 34 37 30 66 61 30 30 30 30 30 30 33 36 35 33 [2470fa0000003653]
Mar 23 14:27:54.595: RADIUS: 32 45 45 44 36 44 [ 2EED6D]
Mar 23 14:27:54.595: RADIUS: Class [25] 54
Mar 23 14:27:54.595: RADIUS: 43 41 43 53 3A 30 65 32 34 37 30 66 61 30 30 30 [CACS:0e2470fa000]
Mar 23 14:27:54.595: RADIUS: 30 30 30 33 36 35 33 32 45 45 44 36 44 3A 72 61 [00036532EED6D:ra]
Mar 23 14:27:54.595: RADIUS: 64 61 72 2D 69 73 65 2F 31 38 34 36 39 38 35 36 [dar-ise/18469856]
Mar 23 14:27:54.595: RADIUS: 36 2F 35 35 [ 6/55]
Mar 23 14:27:54.595: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.595: RADIUS: C4 80 ED 58 1A 8C 7E 7A 60 C2 BC 2E 5C CF 66 5B [ X~z`.\f[]
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 43
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 44
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 38 "ip:inacl#2=permit tcp any any eq 443"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 43
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#3=permit udp any any eq 53"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 38
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 32 "ip:inacl#4=permit icmp any any"
Mar 23 14:27:54.595: RADIUS(00000000): Received from id 1645/12
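As an added example (not from the deck), a small Python parser that walks debug radius output in the format shown above, pairs each Access-Request with its Access-Accept by RADIUS id, and reconstructs the downloaded dACL from the ip:inacl#N AVpairs, flagging any missing sequence number. The log text is a constructed sample in that format.

```python
import re
# Constructed sample modelled on the debug radius output above (not the slide's own lines); the inacl entries are out of order and #3 is omitted to exercise the checks.
DEBUG_LOG = """\
Mar 23 14:27:54.575: RADIUS(00000015): Send Access-Request to 14.36.112.250:1645 id 1645/11, len 110
Mar 23 14:27:54.575: RADIUS: User-Name [1] 7 "cisco"
Mar 23 14:27:54.591: RADIUS: Received from id 1645/11 14.36.112.250:1645, Access-Accept, len 287
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 55 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.591: RADIUS(00000000): Send Access-Request to 14.36.112.250:1645 id 1645/12, len 133
Mar 23 14:27:54.591: RADIUS: User-Name [1] 27 "#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.595: RADIUS: Received from id 1645/12 14.36.112.250:1645, Access-Accept, len 327
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 38 "ip:inacl#2=permit tcp any any eq 443"
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80"
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 32 "ip:inacl#4=permit icmp any any"
"""
SEND_RE = re.compile(r"Send Access-Request to \S+ id (\S+),")
RECV_RE = re.compile(r"Received from id (\S+) \S+, (Access-\w+),")
ATTR_RE = re.compile(r'RADIUS: (User-Name|Cisco AVpair) \[\d+\] \d+ "([^"]*)"')
ACE_RE = re.compile(r"ip:inacl#(\d+)=(.*)")

def parse_exchanges(log):
    """Group lines by RADIUS id: request User-Name, response code and response AVpairs."""
    exchanges, cur, phase = {}, None, None
    for line in log.splitlines():
        if m := SEND_RE.search(line):
            cur = exchanges.setdefault(m.group(1), {"user": None, "code": None, "avpairs": []})
            phase = "request"
        elif m := RECV_RE.search(line):
            cur = exchanges.setdefault(m.group(1), {"user": None, "code": None, "avpairs": []})
            cur["code"], phase = m.group(2), "response"
        elif (m := ATTR_RE.search(line)) and cur is not None:
            name, value = m.groups()
            if name == "User-Name" and phase == "request":
                cur["user"] = value
            elif name == "Cisco AVpair" and phase == "response":
                cur["avpairs"].append(value)
    return exchanges

def reconstruct_dacl(log):
    """Return (dACL name, ACEs in #N order, missing sequence numbers) for the login in the log."""
    exchanges = parse_exchanges(log)
    name = next((av.split("=", 1)[1] for ex in exchanges.values() for av in ex["avpairs"]
                 if av.startswith("ACS:CiscoSecure-Defined-ACL=")), None)
    if name is None:
        return None, [], []
    # The ACL body arrives in a second exchange whose User-Name is the dACL name itself.
    entries = {int(m.group(1)): m.group(2)
               for ex in exchanges.values() if ex["user"] == name and ex["code"] == "Access-Accept"
               for av in ex["avpairs"] if (m := ACE_RE.match(av))}
    missing = [i for i in range(1, max(entries, default=0) + 1) if i not in entries]
    return name, [entries[i] for i in sorted(entries)], missing
```

A non-empty missing list means the router received an incomplete dACL, which is worth checking before trusting the resulting access rights.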
Authentication Proxy - Outputs
radar-CLUS#show ip admission cache
Authentication Proxy Cache
Client Name cisco, Client IP 14.38.112.250, Port 41699, timeout 60, Time Remaining 60, state ESTAB
Authentication Proxy with Consent Configuration
ip admission name AUTHPROXY proxy http
ip admission auth-proxy-banner file flash:banner.html
ip admission auth-proxy-banner http ^C You have logged in^C
ip admission name AUTHPROXY consent list 100 param-map CONSENT_PMAP
User Group Tag and Template
User credentials are stored on a central ACS
Each user is bound to a different group (MKT, ENG, FIN, HRC, etc.); the group name is the tag
Routers will ask the ACS for group information of the user
Routers will apply specific action based on the tags
Template is the configuration on each router
Security Group Tagging Active Authentication
Security Group Tagging functionality is similar to Tag/Template configuration
Policies are created using SGT number instead of tag name
This specific implementation of SGT is local to the router
SGT information is not exchanged with other devices
[Diagram: router asks ACS "What should I do with UserA?"; ACS answers "Permit UserA, BUT mark them with this Security Group Tag" (Cisco Avpair: SGT = 3)]
User Group Tagging Active Authentication
UserA = 3
UserB = 4
class-map type inspect INSIDE->OUTSIDE_CMAP
match security-group source tag 4
ACS
High Availability
parameter-map type inspect global
 redundancy
!
redundancy
 application redundancy
  group 1
   name ZBFW_HA
   preempt
   priority 200
   control Ethernet0/2 protocol 1
   data Ethernet0/2
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive
Verifying High Availability
Router# show redundancy application group 1
Group ID:1
Group Name:ZBFW_HA
RF Domain: btob-one
RF state: ACTIVE
Peer RF state: STANDBY-HOT
Asymmetric Routing
[Diagram: dual-ISP topology, ISP1 and ISP2]
redundancy
 application redundancy
  group 1
   asymmetric-routing interface Ethernet0/3
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive
 redundancy asymmetric-routing enable
DoS Attack Mitigation
TCP Intercept
access-list 101 permit tcp any any
!
ip tcp intercept list 101
ip tcp intercept mode intercept
ip tcp intercept drop-mode random
ip tcp intercept max-incomplete low 2000 high 3000
ip tcp intercept one-minute low 1000 high 1500
TCP intercept aggressive mode is enabled because the one-minute rate exceeded 1500 embryonic connection attempts:
Jan 1 12:00:01 EST: %TCP-6-INTERCEPT: getting aggressive, count (2700/3000) 1 min 100
TCP intercept aggressive mode was disabled because the one-minute rate fell below 900 embryonic connection attempts:
Jan 1 12:05:01 EST: %TCP-6-INTERCEPT: calming down, count (1800/2000) 1 min 900
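The hysteresis behind the two log messages, as an added Python simulation (not the deck's code): aggressive mode starts when either the incomplete-connection count or the one-minute rate crosses its high threshold, and ends only when both are back below their low thresholds. The defaults are the values from the configuration above; the sample sequence is constructed.

```python
class TcpIntercept:
    """Models the aggressive-mode state machine of ip tcp intercept (added example)."""
    def __init__(self, incomplete_low=2000, incomplete_high=3000,
                 one_minute_low=1000, one_minute_high=1500):
        self.incomplete_low, self.incomplete_high = incomplete_low, incomplete_high
        self.one_minute_low, self.one_minute_high = one_minute_low, one_minute_high
        self.aggressive = False
        self.events = []  # messages in the style of %TCP-6-INTERCEPT

    def sample(self, incomplete, one_minute):
        """Feed one observation: current embryonic count and last-minute attempt rate."""
        if not self.aggressive and (incomplete > self.incomplete_high
                                    or one_minute > self.one_minute_high):
            # Crossing either high threshold alone is enough to start aggressive mode.
            self.aggressive = True
            self.events.append(f"getting aggressive, count ({incomplete}/{self.incomplete_high})"
                               f" 1 min {one_minute}")
        elif self.aggressive and (incomplete < self.incomplete_low
                                  and one_minute < self.one_minute_low):
            # Both quantities must fall below their low thresholds before calming down.
            self.aggressive = False
            self.events.append(f"calming down, count ({incomplete}/{self.incomplete_low})"
                               f" 1 min {one_minute}")
        return self.aggressive

def simulate(samples, **thresholds):
    """Return the aggressive-mode state after each (incomplete, one_minute) sample and the log."""
    ti = TcpIntercept(**thresholds)
    return [ti.sample(i, r) for i, r in samples], ti.events

# Constructed sample sequence: a SYN burst, then a slow decline where only one
# quantity is below its low threshold at first, so aggressive mode persists.
SAMPLES = [(500, 200), (2500, 1600), (2800, 1200), (1900, 1200), (1800, 900)]
```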
IP Fragmentation Attack Mitigation
IP Virtual Fragment Reassembly (VFR) Logs
Basic features of enabling VFR
  VFR-3-OVERLAP_FRAGMENT
  VFR-3-TINY_FRAGMENTS
Max-reassemblies: maximum number of concurrent IP datagrams that can be reassembled
  VFR-4-FRAG_TABLE_OVERFLOW
Max-fragments: maximum number of fragments for the same IP datagram
  VFR-4-TOO_MANY_FRAGMENTS
Drop-fragments: drops all fragments
Spoofing Attack Mitigation
uRPF configuration example
Strict mode
The source address is in the Forwarding Information Base (FIB) and reachable only
through the interface on which the packet was received
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast source reachable-via rx
Loose mode
If the source address is in the FIB and reachable through any interface on the router
Used for asymmetric routing or multi-homed ISP connections
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast source reachable-via any
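Strict versus loose mode applied to a FIB lookup, as an added Python example (not the deck's code). The FIB and packets are constructed; the point it shows is that strict mode compares the ingress interface with the longest-prefix match, so a more specific route via another interface fails the check even when a covering route points back to the ingress interface.

```python
import ipaddress

# Constructed FIB for the example (prefix -> outgoing interface); not from the slides.
FIB = [
    ("10.1.0.0/16", "Ethernet0/0"),
    ("10.1.5.0/24", "Ethernet0/1"),
    ("192.0.2.0/24", "Ethernet0/1"),
    ("198.51.100.0/24", "Null0"),  # black-hole route
]

def fib_lookup(fib, src):
    """Longest-prefix match: interface of the most specific route covering src, or None."""
    addr = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def urpf_passes(fib, src, ingress, mode):
    """mode 'rx' = strict (reachable-via rx), 'any' = loose (reachable-via any)."""
    iface = fib_lookup(fib, src)
    if iface is None or iface == "Null0":
        return False             # no route, or a route to Null0, fails in both modes
    if mode == "rx":
        return iface == ingress  # strict: best path back to the source must be this interface
    if mode == "any":
        return True              # loose: any route to the source is enough
    raise ValueError(f"unknown uRPF mode {mode!r}")
```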
uRPF Advanced Features
Old configuration (DO NOT USE)
Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast reverse-path
Above command was replaced by below command in 12.0(15)S
Control Plane Protection
Monitoring Drops
Router#show policy-map type port-filter control-plane all
Control Plane Host
Control Plane Protection Example 2
Problem: SNMP is exhausting control plane resources, preventing the router from executing certain core functions such as routing and management
Solution: Limit the number of packets allowed on the input queue
Control Plane Protection
Queue Threshold
! Match SNMP
class-map type queue-threshold match-all SNMP_QUEUE
 match protocol snmp
! Match all other protocols
class-map type queue-threshold match-all OTHER_QUEUE
 match protocol host-protocols
!
! Limit packets to prevent oversubscription
policy-map type queue-threshold QUEUELIMIT_PMAP
 class SNMP_QUEUE
  queue-limit 50
 class OTHER_QUEUE
  queue-limit 150
!
! Apply to host subinterface
control-plane host
 service-policy type queue-threshold input QUEUELIMIT_PMAP
See Appendix for complete configuration example