how-to block ads
|
| | | | FAQ Revisions | Editors: skj  , Covenant , aryoba , Phraxos
Last modified on 2008-07-17 16:04:07
| |
|
|
40.0 Security·Are there Free authentication packages for TACACS or RADIUS to secure my router?
·How do I secure a Cisco router from the Internet?
·Protect my network! How do I do that using Cisco IOS?
·Securing access to routers with AAA commands
·Securing access to ASA/PIX Firewall with AAA commands
·Utilizing my router as a firewall. How do I do it?
·Between GRE/IPSEC and IPSEC VPN tunnels
| | | Yes, there are. They might be UNIX-based software though :)
For those Windows administrators that try to integrate these UNIX-based authentication software with Active Directory, you need to run Samba. Check out the following link for sample configuration.
FreeRADIUS PEAP Authentication + Cisco AP + Windows XP + Windows AD Authentication
This FAQ courtesy of rolande .
 show feedback form
 close
by nozero edited by aryoba
last modified: 2008-04-21 09:03:48 | | | Recommended Global and Interface Configurations
•Disable all non-essential services and features
•no service pad
•no ip finger
•no ip bootp server
•IOS versions 12.x and higher auto disable certain features like no tcp-small-servers; no udp-small-servers; and ip http-server
•no ip source-route
•Enable global security features
•service password-encryption (automatically encrypts configured passwords)
•service timestamps debug datetime msec localtime show-timezone
•service timestamps log datetime msec localtime show-timezone
•service tcp-keepalives-in
•logging buffered <50000> debugging
•logging console warnings (if you don't log, you can't trace problems)
• enable secret (enables the strongest password encryption on the enable password)
•no cdp run (if you don't need cdp at all)
•Disable the following features per interface
•no ip redirects
•no ip unreachables
•no ip directed-broadcast
•no ip proxy-arp
•no cdp enable (for exterior facing interfaces)
•make sure all other interfaces not being used are administratively shutdown
•Enabling additional features
•ip subnet-zero (enables networks on the 0 boundary)
•ip classless (allows for CIDR netmasks)
•enable access-lists per interface as necessary to restrict the traffic to only required communication (see the links above for info regarding access-list configuration)
interface fastethernet 1/0
ip access-group 101 out
ip access-group 102 in
•clock timezone (an accurate clock makes security logs more useful with timestamps)
•clock summer-time recurring
•NTP is the key to a synchronized clock which is highly recommended for accurate timestamping of log entries
ntp master
ntp update-calendar
ntp server
•snmp-server community RO 10 (secures snmp control by access list 10)
•Add ip addresses of only the hosts that need snmp access to the router to access-list 10
•Use the banner command to state the obvious precuations upon login as a legal disclaimer
banner motd ^CC
You Access Restricted Equipment
All Activities are Monitored and Logged
Unauthorized Use Prohibited
By Accessing, You Are Agree Your Activities to be Monitored and Logged
^C
•Console configuration - use exec-timeout to logout idle users after 5 minutes
line con 0
exec-timeout 5 0
password 7 <######>
login authentication no_tacacs
transport input none
line aux 0
exec-timeout 5 0
password 7 <#######>
login authentication test
modem InOut
transport input all
stopbits 1
speed 19200
flowcontrol hardware
line vty 0 4
exec-timeout 5 0
password 7 <########>
login authentication test
transport input telnet
•IOS version
•Make sure you are running a version of IOS that is stable and is patched
for all of the most latest network bugs, especially the recent SSH and SNMP vulnerabilities.
Cisco Internet Inbound Access List
The following is a commented example of an Access List configuration
for a router that acts as a "choke" device on the inside or outside of
a true firewall device. The ! signifies a commented line in Cisco's
notation. Non-commented lines are the actual configuration syntax as it
would be entered on the Cisco router.
The information supplied in this configuration is in no way guaranteed
or supported by the author to "secure" your network. This is meant to provide
an example of generally accepted configuration practices when securing
routers that provide access to untrusted networks.
This access-list should be applied inbound on your choke router to what
is considered your external or outside interface. In most cases, for routers
outside your firewall this will be some sort of WAN interface like a serial port,
BRI interface, frame relay sub-interface, or ATM PVC. This filters traffic that
is coming from the Internet or untrusted network "inbound" on the external
interface connecting to the Internet.
! Deny all standard external spoofing attacks and log all attempts
! from illegal addresses, your external block, and reserved space
! For obvious reasons, non-routable Internet addresses should not be allowed to
! come inbound. A favorite of hackers is to spoof private source addresses or
! even masquerade as public addresses on your own external networks.
!
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 255.0.0.0 0.255.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
deny ip host 0.0.0.0 any log-input
deny ip any log-input
deny ip host any log-input
!Deny any abusive networks here...
!
deny ip xxx.xxx.xxx.xxx 0.0.0.255 any log-input
! The commands below are all for routers being used as a firewall device.
! If you plan on using another device for a firewall, then do not add any other
! configuration lines except for the following:
! permit ip any any
! If you plan on using your router as your only firewall device you can permit
! or deny particular services as outlined below. The following are only examples.
! There are hundreds of services and non-standard configurations you may need to
! allow based on your indivdual requirements. If you do not have the budget
! for a true firewall such as a PIX, Checkpoint or Netscreen, you should still use
! a router that is sized properly to do the job you need. A Cisco 2620 or 2640
! should have plenty of CPU for Reflexive Access lists and Content Based Access
! Control for a full T-1 worth of traffic. The other key component is RAM. Allow for
! a minimum of 32MB or 64MB if possible. If your budget is still an issue, you are
! probably better off building a firewall using a PC server (under $1000) with 2
! network cards using Linux or NetBSD and IPChains firewall software. You can get a
! lot more mileage out of a machine like that than a low-end Cisco router which
! really wasn't designed for that purpose anyway.
!
! Include the inbound Reflexive Access-Lists if you are using this function
!
! *WARNING* Reflexive Access Lists are CPU and memory intensive on your router.
! Make sure that your hardware is properly sized to support your volume of traffic.
!
! For further explanation of these services and port numbers please refer to
! documentation for the specific protocols.
!
evaluate alliptraffic
! If you need to host any inbound services behind your router then the following
! config may help you out with some example setups.
! Allow outside ftp sessions inbound
!
permit tcp any host eq 21
! Allow ftp to work from inside your network (requires port 20 to be open
! for incoming data session)
!
permit tcp any eq 20 host gt 1024
! Allow auth/identd traffic for smtp mail and for other client apps
!
permit tcp any host eq 113
permit tcp any host eq 113
! Allow smtp traffic inbound to mail servers
!
permit tcp any host eq smtp
! Allow http traffic inbound to all web servers
!
permit tcp any host eq www
! Allow SSL traffic inbound to all SSL servers
!
permit tcp any host eq 443
! Allow Microsoft PPTP/VPN sessions to connect inbound and log control channel
!
permit tcp any host eq 1723 log-input
permit tcp any host eq 1731
permit gre any host
! Allow only certain remote addresses to perform tcp DNS transfers from
! specific DNS servers for secondary DNS service and log each connection
!
permit tcp host host eq domain log-input
! Allow inbound client DNS requests to all DNS servers
!
permit udp any host eq domain
! Allow DNS resolution from the router's serial port for testing purposes
!
permit udp any eq 53 host
! Allow time synchronization to occur on router from ISP
!
permit udp any eq ntp host eq ntp
! Allow only particular types of icmp packets inbound to
! maintain integrity of data flow and sanity and for troubleshooting etc.
!
permit icmp any net-unreachable
permit icmp any host-unreachable
permit icmp any port-unreachable
permit icmp any packet-too-big
permit icmp any administratively-prohibited
permit icmp any source-quench
permit icmp any ttl-exceeded
permit icmp any echo-reply
! Deny all other ICMP explicitly so it isn't logged
!
deny icmp any any
! Deny all other ip traffic explicitly and log it.
!
deny ip any any log-input
Cisco Internet Outbound Access List
The following is a commented example of an Access List configuration
for a router that acts as a "choke" device on the inside or outside of
a true firewall device. The ! signifies a commented line in Cisco's
notation. Non-commented lines are the actual configuration syntax as it
would be entered on the Cisco router.
The information supplied in this configuration is in no way guaranteed
or supported by the author to "secure" your network. This is meant to provide
an example of generally accepted configuration practices when securing
routers that provide access to untrusted networks.
This access-list should be applied inbound on your choke router to what
is considered your internal or inside interface. In most cases, this will be some
sort of ethernet interface. This filters traffic that is going towards the Internet
or untrusted network "inbound on that interface.
! Deny RFC 1918 private source addresses from going outbound. It is not wise
! to let packets leak outside your network with your internal address information.
! This is the primary way that hackers learn about the configuration of private
! networks. These packets can not be responded to anyway, since these networks are
! not routable on the Internet. they would only be reachable if you are using NAT on a
! device beyond this point in the network to translate to a publicly routable address.
!
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
! Keep any errant request for private addresses inside your network
! Just in case your internal routing table for some reason does not contain a route
! that should be internal, and clients follow your default route toward the Internet
! for requests that should stay inside your network. This is another way that hackers
! can find out about your internal network is watching for internal requests that
! accidentally get routed out to a public device that they can capture traffic from.
!
deny ip any 192.168.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
! Deny all netbios traffic going outbound since this is one of the top 3 most hacked
! or attacked protocols on the Internet. Users should not access netbios services on
! the Internet since it can very easily compromise NT Domain security and architecture.
!
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
! Permit everything else from the "external network" and build the
! reflexive access list alliptraffic with a timeout of 120 seconds
!
! This command allows all other traffic to pass through the interface and
! uses an IOS feature set called Reflexive Access Lists to build a dynamic
! access list for return traffic coming inbound from the Internet. That way a
! command can be appended to an inbound access list to evaluate inbound packets against
! "allowed" return traffic to sessions started from inside your network.
!
! *WARNING* This command is CPU and memory intensive on your router depending on the
! volume of traffic flowing through the interface. I recommend at least a 2610 series
! router with 32MB RAM minimum to support a full T-1 with this configuration.
!
permit ip any reflect alliptraffic timeout 120
deny ip any any log
! If this router is not being used as a firewall but more for just a choke device
! to enhance the security in front of or behind a firewall the following commands should
! replace the above commands... You should specifically define your networks that should
! be allowed to go outbound and then deny everything else explicitly.
!
permit ip any
deny ip any any log
Additional Links to Resources
show feedback form
close
by rolande edited by aryoba
last modified: 2008-01-06 05:32:45 | | | The key of securing network using Cisco IOS is a combination of implementing three factors: ACL (Access List), CBAC (Context Based Access Control), and IDS/IPS (Intrusion Prevention System). Therefore keep in mind that to get the ultimate network security using Cisco IOS, you need to implement all the three and not just one or two factors since those three factors are to complement each other.
There is a little discussion of Reflexive Access List, where was considered a sophisticated IOS-based Firewall until CBAC came along. If you wish, you can just skip the Reflexive Access List discussion and go straight to CBAC discussion; since it is recommended to deploy CBAC instead of the "obsolete" Reflexive Access List.
Note that with the new Zone-Based Firewall features, Cisco IOS configuration looks similar as ASA 5500 firewall. Therefore now you have option to implement Zone-Based Firewall and IDS/IPS features on your router instead of ACL, CBAC, and IDS/IPS.
Please note that some of the features listed may not be supported by your IOS. Ascertain whether your IOS can support the feature that you require or download one from the software upgrade centre at CCO.
Also note that this is NOT meant to be a tutorial on network protection but more of an overview on the most common methods of protection.
1. ACL (Access List)
Access control lists (ACLs) provide basic filtering capabilities. They can be configured for all routed network protocols (IP, AppleTalk, etc.) to filter the packets of those protocols as the packets pass through a router.
ACLs can PREVENT and ALLOW certain traffic from entering or exiting a network. They filter traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. Your router examines each packet to determine whether to forward or drop the packet, on the basis of the criteria you specified within the ACLs.
Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol (session, presentation or application layer), or other information.
Following FAQ utilizes ACL and basic principles of TCP/IP to create simple but quite effective firewall.
»Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature
Note that that such firewall is "static" (not flexible) and might not always work in any situation.
Reflexive Access Lists
Reflexive access lists allow IP packets to be filtered based on session information, which is a layer in the OSI model. The session layer establishes, manages, and terminates communication sessions between presentation layer entities. Communication sessions consist of service requests and service responses that occur between applications located in different network devices. The reflexive access lists are able to filter packets on these request and responses.
Reflexive access lists can be used to permit IP traffic for sessions originating from within the local network but to deny IP traffic for sessions that originated outside of the same network. Hence, only if the local network initiated a session or a request, will it be allowed back.
When do I configure a reflexive access list?
Reflexive access lists are normally configured on border routers, which are routers that stand on the boundary between the internal and external network (internet or another internal network). They are also often routers with the firewall feature set.
How does it work?
A reflexive access list is activated when a new session is initiated from inside your network, with a packet traveling to the external network. When triggered, the reflexive access list generates a new, temporary entry, which will permit traffic to enter your network if it is part of the session. If the traffic is not part of the session, it will not be permitted to enter your network.
For example, if an outbound TCP packet is forwarded outside of your network, and this packet is the first packet of a TCP session, then a new, temporary reflexive access list entry will be created. This entry is added to the reflexive access list, which applies to inbound traffic so the firewall will not block the responding packet.
What are the drawbacks of reflexive access lists?
Reflexive access lists do not work with some applications that use port numbers that change during a session. For example, if the port numbers for a return packet are different from the originating packet, the return packet will be denied, even if the packet is actually part of the same session.
The TCP application of FTP is an example of an application with changing port numbers. With reflexive access lists, if you start an FTP request from within your network, the request will not complete. Instead, you must use Passive FTP when originating requests from within your network.
This is where CBAC come to play since the CBAC is considered the more advanced firewall (stateful firewall).
2. CBAC (Context Based Access Control)
What is context based access control?
Context based access control (CBAC), intelligently filters TCP and UDP packets based on application layer and session layer information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.
Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer. However, CBAC examines not only network layer and transport layer information but also examines the application-layer protocol information (such as FTP connection information) to learn about the state of the session. This allows support of protocols that involve multiple channels. Most of the multimedia protocols as well as some other protocols (such as FTP, RPC, and SQL*Net) involve multiple channels.
Finding Out Your Internal Private IP Address Even When Behind NAT Box
Following is a nice illustration. When your network is behind a NAT/PAT box, then you think that people in the Internet will never know your internal (private) IP address, correct? Wrong!
By using Java (HTTP application) people in the Internet are still able to detect and find out your internal IP addresses. Such Java program may be implemented by ISP that do not allow you to NAT/PAT your public Internet address without paying additional fee for each additional PC or machine. The Java program may be also deployed by hackers.
Click on this link (and scroll down) to see if this Internet website can reveal your internal private IP address
http://www.auditmypc.com/anonymous-surfing.asp
Using HTTP option in the CBAC, you can block incoming HTTP traffic (including Java) from unknown or untrusted network. Check out the following thread for detail story.
»[HELP] Can't hide internal IP on SOHO 97
How does it work?
CBAC inspects traffic that travels through the firewall from the internal network to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall’s access lists to allow return traffic and additional data connections for permissible sessions.
When do I employ CBAC?
You can use CBAC when your firewall will be restricting passing traffic consisting of:
* Standard TCP and UDP Internet applications
* HTTP-based applications including Instant Messaging (i.e. AOL, Yahoo, and MSN IM)
* Multimedia applications
* Oracle support
Please note with the new 12.4 IOS train, more applications are supported. Following is a list that supported under 12.4 IOS train.
802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation
aol America-Online
appfw Application Firewall
appleqtc Apple QuickTime
bgp Border Gateway Protocol
bliff Bliff mail notification
bootpc Bootstrap Protocol Client
bootps Bootstrap Protocol Server
cddbp CD Database Protocol
cifs CIFS
cisco-fna Cisco FNATIVE
cisco-net-mgmt cisco-net-mgmt
cisco-svcs cisco license/perf/GDP/X.25/ident svcs
cisco-sys Cisco SYSMAINT
cisco-tdp Cisco TDP
cisco-tna Cisco TNATIVE
citrix Citrix IMA/ADMIN/RTMP
citriximaclient Citrix IMA Client
clp Cisco Line Protocol
creativepartnr Creative Partnr
creativeserver Creative Server
cuseeme CUSeeMe Protocol
daytime Daytime (RFC 867)
dbase dBASE Unix
dbcontrol_agent Oracle dbControl Agent po
ddns-v3 Dynamic DNS Version 3
dhcp-failover DHCP Failover
discard Discard port
dns Domain Name Server
dnsix DNSIX Securit Attribute Token Map
echo Echo port
entrust-svc-handler Entrust KM/Admin Service Handler
entrust-svcs Entrust sps/aaas/aams
esmtp Extended SMTP
exec Remote Process Execution
fcip-port FCIP
finger Finger
fragment IP fragment inspection
ftp File Transfer Protocol
ftps FTP over TLS/SSL
gdoi GDOI
giop Oracle GIOP/SSL
gopher Gopher
gtpv0 GPRS Tunneling Protocol Version 0
gtpv1 GPRS Tunneling Protocol Version 1
h323 H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
h323callsigalt h323 Call Signal Alternate
h323gatestat h323gatestat
hp-alarm-mgr HP Performance data alarm manager
hp-collector HP Performance data collector
hp-managed-node HP Performance data managed node
hsrp Hot Standby Router Protocol
http HTTP Protocol
https Secure Hypertext Transfer Protocol
ica ica (Citrix)
icabrowser icabrowser (Citrix)
icmp ICMP Protocol
ident Authentication Service
igmpv3lite IGMP over UDP for SSM
imap IMAP Protocol
imap3 Interactive Mail Access Protocol 3
imaps IMAP over TLS/SSL
ipass IPASS
ipsec-msft Microsoft IPsec NAT-T
ipx IPX
irc Internet Relay Chat Protocol
irc-serv IRC-SERV
ircs IRC over TLS/SSL
ircu IRCU
isakmp ISAKMP
iscsi iSCSI
iscsi-target iSCSI port
kazaa KAZAA
kerberos Kerberos
kermit kermit
l2tp L2TP/L2F
ldap Lightweight Directory Access Protocol
ldap-admin LDAP admin server port
ldaps LDAP over TLS/SSL
login Remote login
lotusmtap Lotus Mail Tracking Agent Protocol
lotusnote Lotus Note
microsoft-ds Microsoft-DS
ms-cluster-net MS Cluster Net
ms-dotnetster Microsoft .NETster Port
ms-sna Microsoft SNA Server/Base
ms-sql Microsoft SQL
ms-sql-m Microsoft SQL Monitor
msexch-routing Microsoft Exchange Routing
mysql MySQL
n2h2server N2H2 Filter Service Port
ncp-tcp NCP (Novell)
net8-cman Oracle Net8 Cman/Admin
netbios-dgm NETBIOS Datagram Service
netbios-ns NETBIOS Name Service
netbios-ssn NETBIOS Session Service
netshow Microsoft NetShow Protocol
netstat Variant of systat
nfs Network File System
nntp Network News Transport Protocol
ntp Network Time Protocol
oem-agent OEM Agent (Oracle)
oracle Oracle
oracle-em-vp Oracle EM/VP
oraclenames Oracle Names
orasrv Oracle SQL*Net v1/v2
parameter Specify inspection parameters
pcanywheredata pcANYWHEREdata
pcanywherestat pcANYWHEREstat
pop3 POP3 Protocol
pop3s POP3 over TLS/SSL
pptp PPTP
pwdgen Password Generator Protocol
qmtp-tcp Quick Mail Transfer Protocol
r-winsock remote-winsock
radius RADIUS & Accounting
rcmd R commands (r-exec, r-login, r-sh)
rdb-dbs-disp Oracle RDB
realaudio Real Audio Protocol
realsecure ISS Real Secure Console Service Port
router Local Routing Process
rpc Remote Prodedure Call Protocol
rsvd-tcp RSVD
rsvp-encap RSVP ENCAPSULATION-1/2
rsvp_tunnel RSVP Tunnel
rtc-pm-port Oracle RTC-PM port
rtelnet Remote Telnet Service
rtsp Real Time Streaming Protocol
send-tcp SEND
shell Remote command
sip SIP Protocol
sip-tls SIP-TLS
skinny Skinny Client Control Protocol
sms SMS RCINFO/XFER/CHAT
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
snmptrap SNMP Trap
socks Socks
sqlnet SQL Net Protocol
sqlserv SQL Services
sqlsrv SQL Service
ssh SSH Remote Login Protocol
sshell SSLshell
ssp State Sync Protocol
streamworks StreamWorks Protocol
stun cisco STUN
syslog SysLog Service
syslog-conn Reliable Syslog Service
tacacs Login Host Protocol (TACACS)
tacacs-ds TACACS-Database Service
tarantella Tarantella
tcp Transmission Control Protocol
telnet Telnet
telnets Telnet over TLS/SSL
tftp TFTP Protocol
time Time
timed Time server
tr-rsrb cisco RSRB
ttc Oracle TTC/SSL
udp User Datagram Protocol
uucp UUCPD/UUCP-RLOGIN
vdolive VDOLive Protocol
vqp VQP
webster Network Disctionary
who Whois service
wins Microsoft WINS
x11 X Window System
xdmcp XDM Control Protocol
CBAC can be used to allow the application’s traffic through the firewall but only when it is initiated from the protected network.
CBAC is often configured in one direction on a single interface, which will validate the traffic, ensuring it is part of a valid session. This configuration is employed to protect the local network from the Internet.
CBAC can also be used in two directions on one or more interfaces. This method is often employed when networks on both sides of the router needs to be protected. For example, if the firewall is situated between two departments’ networks, CBAC can restrict the traffic of one department’s applications in one direction and restrict traffic in the opposite direction for the other department’s applications.
What are the drawbacks of CBAC?
"If you don’t ask, you don’t get" is the paradigm here. CBAC does not provide intelligent filtering for ALL protocols. It only works for the protocols that you SPECIFY, hence if a protocol is not specified, the ACL will determine its fate.
CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.
If you reconfigure your access lists when you configure CBAC, be aware that if your access lists block TFTP traffic into an interface, you will not be able to netboot over that interface.
Packets with the firewall as the source or destination address are not inspected by CBAC.
CBAC ignores ICMP Unreachable messages. To let specific ICMP traffic to enter, you need to configure the ACL to allow.
H.323 V2 and RTSP protocol inspection supports only the following multimedia client-server applications: Cisco IP/TV, RealNetworks RealAudio G2 Player, Apple QuickTime 4. However with there are more application supported when running 12.4 IOS train as shown previously.
With FTP, CBAC does not allow third-party connections (three-way FTP transfer). Further; when CBAC inspects FTP traffic, it only allows data channels with the destination port in the range of 1024 to 65535. Also, CBAC will not open a data channel if the FTP client-server authentication fails. Therefore when there is a need to have FTP traffic, create ACL to permit such traffic.
CBAC uses less than approximately 600 bytes of memory per connection. There is also a slight amount of additional processing that occurs whenever packets are inspected. Because of the memory and processing usage, you should use CBAC only when your router can handle such work.
Sometimes CBAC must evaluate long access lists, which might have presented a negative impact to performance. However, this impact is avoided, because CBAC evaluates access lists using an accelerated method (CBAC hashes access lists and evaluates the hash).
CBAC does not protect network attacks initiated from within the local network unless the packets travel through the router that employs CBAC for protection. CBAC can only protect against intrusions/attacks that travel through the router.
When you need to protect such network attacks, then you need implement additional security perimeter such as deploy necessary ACL on inside interfaces of the router. Basic logic is that open only necessary ports and protocol; and close others. For the "necessary open" protocol or port guarding, you then need to run IDS/IPS.
What is required for me to undertake reflexive access list and context based access control?
Reflexive access lists can be configured on most IOS feature sets.
CBAC requires the firewall feature set.
3. Zone-Based Firewall
The new Zone-Based Firewall is replacing the previous Stateful IOS-Based Firewall (the CBAC). Zone-Based Firewall is pretty much similar to PIX/ASA OS 7.0 firewall configuration. Check out the following links for details.
Cisco IOS Zone-Based Policy Firewall
Zone-Based Policy Firewall Design and Application Guide
Zone-Based Policy Firewall Design Guide
Cisco IOS Firewall Q&A
Zone-Based Policy Firewall - Introduction and Implementation
4. IDS/IPS (Intrusion Prevention System)
There are prerequisites to properly run Cisco IOS IPS on routers
* Your router IOS version should be at least 12.3(8)T
* Your router IOS feature should be either Advanced Enterprise, Advanced IP Security, or IP Security with IPS
* Your router DRAM is at least 128MB
* There is Signature Detection File (*.sdf) stored in your router, either in flash memory, PCMCIA inside one of the router's slot, Compact Flash, or similar
SDF (Signature Detection File)
* SDF is basically a reference point for router to perform the IPS function
* The IPS functions available are atomic (IP and TCP inspections), service (HTTP, Mail, etc.)
* Detail description on each IPS function is available on the Cisco links below (the SDF and Configuring Cisco IPS)
* You have a choice to either create your own SDF or download from Cisco
* Should you decide to download from Cisco, you need to have proper Smartnet contract
* When you download from Cisco, you can choose either the 128MB.sdf for Basic IPS or the 256MB.sdf for Advanced IPS features
* 128MB.sdf requires at least 128MB DRAM and 256MB.sdf requires at least 256MB DRAM
* In case your router is 870, 1800, 2800, 3800, or other current router models, there should be the 128MB.sdf already stored on the router's flash memory
Note:
* Make sure that the router CPU and memory can handle the workload
* As illustration, 2610XM router with 256MB DRAM and 48MB Flash can jump from 0-1% normal CPU utilization to 99% CPU utilization when running Advanced 256MB.sdf
* For small network environment, the minimal router should be 1841 or similar to properly run Cisco IOS IPS
* You can check out the following FAQ to verify your router CPU power
»Cisco Forum FAQ »Cisco Equipment Performance (per pps and Mbps)
Sample Configuration
ip ips sdf location flash:256MB.sdf
ip ips name MYIPS
!
interface GigabitEthernet0/1
ip address 10.1.1.16 255.255.255.0
ip ips MYIPS in
duplex full
speed 100
media-type rj45
no negotiation auto
Assumption:
* There is 256MB.sdf on the router flash memory
* The IPS will investigate incoming traffic under such router interface
Check out the following link for more info
1. General Info
»www.cisco.com/en/US/products/ps6···ome.html
2. SDF and Configuring Cisco IPS
»www.cisco.com/en/US/products/ps6···3cf.html
SAMPLE CONFIGURATION
1. CBAC Combination Configuration
»Cisco Forum FAQ »Sample IOS Firewall (CBAC) router configuration
»Cisco Forum FAQ »Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router
2. Official Cisco IOS IDS/IPS Deployment Guide
»www.cisco.com/en/US/products/ps6···57.shtml
3. IDS/IPS Configuration in Action
»www.cisco.com/en/US/products/ps6···32.shtml
4. More IOS Firewall Sample Configuration
»www.cisco.com/en/US/products/sw/···ist.html
5. Official Cisco IOS Firewall Design Guide and Sample Implementation
»www.cisco.com/en/US/products/sw/···670.html
6. Zone-Based Firewall Sample Configuration
»Cisco Forum FAQ »Zone-Based Firewall Sample Configuration
This FAQ brought to you by: LoneBandit & Rhodium_uk
Disclaimer:
The above is a summary of Reflexive Access Lists and CBAC. For more information on the capabilities, limitations and syntax of the commands, please consult the CCO.
The authors do not hold any responsibility for any decisions or actions that may arise from this FAQ.
This document is not endorsed by CISCO.
show feedback form
close
by Covenant edited by aryoba
last modified: 2008-02-06 11:40:11 | | | The following AAA commands are applicable not only to routers, but any Cisco gears that are running IOS image (IOS-based gears) such as switches and wireless AP devices.
1. AAA commands using local credential
username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
aaa new-model
aaa authentication login default group local
aaa authentication enable default group local
aaa authorization console
aaa authorization exec default group local if-authenticated
aaa authorization commands 15 default if-authenticated
2. AAA commands with external TACACS server
username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
tacacs-server host [ENTER TACACS SERVER IP ADDRESS HERE] key 0 [ENTER THE SECRET KEY HERE]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
Note:
When the TACACS+ server fails, router will authenticate using local credential.
username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
tacacs-server host [ENTER TACACS SERVER IP ADDRESS HERE] key 0 [ENTER THE SECRET KEY HERE]
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
Note:
When the TACACS+ server fails, router will authenticate using enable password
show feedback form
close
by Covenant edited by aryoba
last modified: 2008-06-24 21:47:28 | | | PIX Firewall running OS version 6.3
1. Using Local Credential
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
2. Using External TACACS+ Server
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
aaa authorization command TACACS+
Note:
When TACACS+ server fails, the PIX Firewall uses enable password to authenticate access.
ASA or PIX Firewall running OS version 7.0 or newer
1. Using Local Credential
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
2. Using External TACACS+ Server
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
aaa-server LOCAL protocol local
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
aaa accounting command privilege 15 TACACS+
Note:
When TACACS+ server fails, the PIX Firewall uses local credential to authenticate access.
show feedback form
close
by aryoba
last modified: 2008-06-24 21:48:58 | | | Okay, you've got your router up and running and now you want to utilize the firewall feature. Following are sample configurations
»Cisco Forum FAQ »Sample IOS Firewall (CBAC) router configuration
»Cisco Forum FAQ »Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router
Some discussions
»Cisco 831 hardened config example?
Terms and Definitions
»Cisco Forum FAQ »Protect my network! How do I do that using Cisco IOS?
Please note that the router sample configurations assume the IOS image has Firewall (FW) feature support. When this is not applicable to your router, check out following FAQ:
»Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature
show feedback form
close
by aryoba
last modified: 2008-01-06 05:40:23 | | | Suggested prerequisite reading
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections
Introduction
IPSec VPN tunnel is one way of setting up private site-to-site connection by utilizing public network (the Internet). Since it is utilizing public network, there would be no need to have dedicated physical circuit to interconnect the sites, hence requiring low cost to setup while maintain private and secure connection.
With site-to-site IPSec VPN, there is a IP routing in place to interconnect multiple subnet. This IP routing could be static routing or dynamic routing. In a small network where there is only one path connecting two sites, then static routing should be sufficient. When there are multiple paths connecting two sites, then dynamic routing (i.e. EIGRP, OSPF) and/or load balancing (either per-packet or per-destination) should be used to have optimal connection.
Note that IPSec tunnelling technology is only able to support static routes and basic IP interconnection. When there are more advance IP interconnections needed; such as running Novell IPX, dynamic routing, and load balancing between the sites; then IPSec tunnelling itself is unable to support. For such advance IP interconnections, GRE tunnelling is the choice. The downside of GRE tunnelling is that GRE tunnel is less-secure tunnel compared to IPSec tunnel.
Should you decide to have advance IP interconnection support while maintain secure connection over public network, the workaround is to run GRE over IPSec. IPSec will then be encrypting the GRE tunnel securely and GRE tunnel will be providing the advance IP interconnection support.
Some Discussions
said by gramzster:
--------------------------------------------------------------------------------
I do have a quick question, When I was looking through the example configurations on the Cisco site, it seemed that GRE was what I wanted to try to configure, since it supported routing protocols. Does this type of IPSEC tunnel also support routing protocols? (basically, what's the difference between a GRE tunnel, and this type of tunnel?)
--------------------------------------------------------------------------------
In a nutshell, the VPN tunnel never forwards the routing broadcasts through the tunnels. Neither do they send the routing updates. To send the routing updates (so that the remote location can learn the network on the local side) you must use GRE over IPSec. With this feature, the routing updates are first encapsulated over a new GRE packet and then forwarded through the VPN (IPSec) tunnel. This is useful and required if you are using OSPF, RIP, EIGRP in your internal network and need to build a routing tunnel.
--------------------------------------------------------------------------------
Here's some more detail and links/differences between a pure IPSec vpn tunnel and a GRE over IPSec tunnel:
Pure IPSec vpn tunnel
=====================
In a pure IPSec vpn tunnel, only ip traffic is encrypted/decrypted.
If you have non ip traffic, example, ipx, then it is not able to go into the vpn tunnel.
OSPF, EIGRP, are not transferred in the tunnel.
The urls below might be helpful for you about IPSec,
An Introduction to IP Security (IPSec) Encryption
http://www.cisco.com/en/US/netsol/ns110/ns170/ns172/ns334/networking_solutions_design_guide_chapter09186a008017e272.html
http://www.cisco.com/en/US/products/sw/secursw/ps2133/products_user_guide_chapter09186a00800d9f4c.html
GRE over IPSec vpn tunnel
=========================
In a GRE over IPSec vpn tunnel, the original packet whether ip, ipx, etc... is first going to be GRE encapsulated and then this packet is then subjected to IPSec encapsulation.
Therefore, in a GRE over IPSec tunnel, all routing traffic (ip and non ip) can be routed through because when the original packet (ip/non ip) is GRE encapsulated, then it will have an ip header (as defined by the GRE tunnel (normally the tunnel interface ip addresses)) then the IPSec protocol can understand the ip packet and and can therefore be able to encapsulate the GRE packet to make it GRE over IPSec.
please visit the urls below for more info.,
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800946ba.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094865.shtml
--------------------------------------------------------------------------------
Sample Configurations
»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall
»Cisco Forum FAQ »Private Routing over VPN: GRE over IP Sec
Last but not least, here's another link for a sample config. which uses GRE/IPSEC, CBAC and NAT but I am sure that you will be able to remove the CBAC if you do not want it.
Hope that helps.
Configuring Router-to-Router IPsec (Pre-shared Keys) on GRE Tunnel with IOS Firewall and NAT
This FAQ brought to you by this post http://www.dslreports.com/forum/remark,8108888~root=equip,cis~mode=flat#8176897 by Covenant .
show feedback form
close
by nozero edited by aryoba
last modified: 2008-05-27 16:24:05 |
|
