0:00:13 In our next section here we are going to look at two other security features for the IOS firewall,
0:00:18 which are the TCP intercept
0:00:20 and the Content Based Access Control, or CBAC,
0:00:24 which is the successor to the reflexive access list
0:00:27 but the precursor to the zone based firewall.
0:00:33 Now TCP intercept is
0:00:35 similar to the other features that we saw on the ASA firewall
0:00:38 that's used for the TCP normalization,
0:00:41 which is mainly designed to prevent
0:00:43 TCP SYN flood attacks or denial of service attacks
0:00:46 that are based on the three way handshake of TCP.
0:00:51 Now as we talked about before,
0:00:53 specifically the three portions of the handshake are the client
0:00:56 sending the SYN,
0:00:58 the server replying with the SYN and the acknowledgement,
0:01:02 then the client not fully opening the session by sending the final acknowledgement,
0:01:07 or the end of this is the half open connection or the embryonic session.
0:01:13 The problem with this is that the server's TCP stack itself
0:01:17 is only going to support a finite number of connections
0:01:20 depending on the individual implementation.
0:01:23 So if the server supports, even let's say, 100,000 connections,
0:01:27 it doesn't take that long for a host to generate a thousand different SYN packets
0:01:32 in order to try to keep all of them half open.
0:01:35 So TCP intercept is designed to prevent this
0:01:39 in two different possible ways.
0:01:41 One is called the intercept mode,
0:01:43 in which the router in between
0:01:45 the client and the server is going to proxy for all of the connections
0:01:49 and then only send the TCP session to the server
0:01:52 after the client has completed the three way handshake.
0:01:57 Now the other mode, which is
0:01:59 more commonly implemented, is the watch mode,
0:02:02 in which the router is just going to passively monitor the session between the client and the server,
0:02:08 and if it does not fully get to the established state
0:02:10 it's going to send a TCP reset to the server
0:02:14 in order to allow it to delete the half open session.
0:02:19 Now the configuration of this feature is very straightforward;
0:02:22 the only thing that we need to do is define
0:02:25 what are the particular hosts that the router is going to protect,
0:02:29 and we do this by defining an access list
0:02:31 and applying it as an ip tcp intercept list.
0:02:36 So if we have a web server at the address 10.0.0.100,
0:02:40 we simply need a standard access list
0:02:42 or an extended access list that could be matching a particular port value,
0:02:46 which is then applied as the TCP intercept list.
0:02:51 We would then define the mode,
0:02:53 whether we are running in intercept or watch mode,
0:02:57 where typically watch mode is better
0:02:59 because the router doesn't have to maintain the state
0:03:02 of all of the TCP sessions.
0:03:05 So on a real design, typically you would not want to run in intercept mode,
0:03:10 because then you are taking your denial of service attack
0:03:12 that was going against the server
0:03:14 and you are basically moving it down to the router CPU.
0:03:18 With the watch mode the router doesn't necessarily need to maintain all of the states;
0:03:22 it's just watching for the half open sessions,
0:03:25 then after the particular time expires, it sends the reset back to the server,
0:03:30 and this is going to be based on the
0:03:32 TCP intercept watch-timeout.
0:03:36 So this particular option,
0:03:38 as the name implies, this is only going to be used when
0:03:42 we are in the watch mode as opposed to the intercept mode.
0:03:48
|
Now once we are watching the traffic
|
|
0:03:51
|
or if we are proxing forward and doing the actual intercept
|
|
0:03:54
|
there is three different thresholds, or excuse me
|
|
0:03:57
|
two different types of thresholds that the router can use
|
|
0:04:00
|
which are the maximum number of incomplete sessions
|
|
0:04:04
|
or the one minute connection raid for the sessions
|
|
0:04:09
|
So once we go above these thresholds, either a total number or
|
|
0:04:14
|
a number for the pass minute
|
|
0:04:16
|
once we go above the high threshold
|
|
0:04:18
|
then we start deleting the old sessions
|
|
0:04:22
|
so this is when we start to go into what is called the aggressive mode of the intercept
|
|
0:04:27
|
then finally once we go back to below the low threshold
|
|
0:04:30
|
thats when we start to
|
|
0:04:32
|
to allow the connections back in
|
|
0:04:37
|
Now the documentation for this
|
|
0:04:40
|
is going to be similar to the other ones, its under the 12.4T command reference
|
|
0:04:44
|
the 12.4T configuration guide
|
|
0:04:49
|
then down to securing the data plane
|
|
0:04:55
|
and configuring TCP intercept to prevent denial of service attack
|
|
0:05:00
|
So you will see here, when you look at the configuration example
|
|
0:05:03
|
there is really not much that you would do with this feature
|
|
0:05:06
|
So there is example of just two lines of syntax, just the access list
|
|
0:05:10
|
and then the application of the intercept list
|
|
0:05:16
|
Now typically where we will see the supplied instead
|
|
0:05:20
|
is with the Content Based Access Control feature or CBAC
|
|
0:05:25
|
where CBAC is similar to the reflex of access list
|
|
0:05:30
|
but it adds true state-full inspection
|
|
0:05:32
|
to the IOS firewall
|
|
0:05:34
|
because like the Modular Policy Framework on the asa
|
|
0:05:37
|
it does an application level inspection
|
|
0:05:41
|
now as this relates to the TCP intercept
|
|
0:05:44
|
we will see that these intercept thresholds the
|
|
0:05:47
|
maximum incomplete
|
|
0:05:49
|
the one minute high the one minute lows
|
|
0:05:52
|
these are going to be applied additionally to content based access control
|
|
0:05:59
|
now we will see that we are going to be performing protocol specifically inspection
|
|
0:06:06
|
for the application level protocols
|
|
0:06:09
|
which is going to be based on the protocol specific port number
|
|
0:06:13
|
so by default for example we are going to be looking at HTTP sessions that are going to port 80
|
|
0:06:18
|
now for some reasons we are running these protocols on nonstandard ports
|
|
0:06:23
|
we will need to define in the port mapping table
|
|
0:06:26
|
specifically what port value we want the firewall to listen for
|
|
0:06:31
|
so we are running our server on port 81
|
|
0:06:34
|
for HTTP
|
|
0:06:36
|
we are going to need to tell it to listen for port 81 in addition to port 80
|
|
0:06:45
|
next thing we are going to do do is define inspection rule
|
|
0:06:48
|
this is going to watch the traffic as it leaves the network
|
|
0:06:53
|
then like the reflexive accesses we can apply this either on the interface
|
|
0:06:58
|
or out on the interface
|
|
0:07:01
|
now we are going to switch to direction that we use it in
|
|
0:07:04
|
its automatically going to open up a hole in an access list in the opposite direction
|
|
0:07:10
|
so similar to our
|
|
0:07:12
|
previous example if we look back at our topology
|
|
0:07:16
|
if we were to configure CBAC on router 1
|
|
0:07:21
|
we could inspect the traffic as it comes in on the inside interface
|
|
0:07:27
|
or as it goes out on the outside interface
|
|
0:07:32
|
but regard this which case CBAC is going to
|
|
0:07:36
|
watch the traffic as it comes back in
|
|
0:07:40
|
so essentially outside in
|
|
0:07:43
|
then determine whether the traffic should be permitted or denied
|
|
0:07:49
|
so we do still need a specific access list thats going to be applied on the reverse direction
|
|
0:07:54
|
that is going to deny the traffic
|
|
0:07:57
|
that is not matched by the CBAC rule
|
|
0:08:04 So let's take a look at a basic example of this.
0:08:07 We are going to take the similar logic that we had configured on router 1 before
0:08:11 with the reflexive access list,
0:08:13 but now we are going to apply this with the
0:08:17 with the CBAC.
0:08:18 So we are going to be watching traffic as it leaves
0:08:22 the frame relay interface that's connected to router 2,
0:08:26 then as it comes back in
0:08:27 we are either going to permit or deny it
0:08:29 depending on whether the traffic was inspected
0:08:32 by the state table.
0:08:35 Now if we look at the show ip port-map,
0:08:39 this is going to show us the default mappings
0:08:42 that the inspection engine is using for these individual protocols.
0:08:47 So if we look at, for example, HTTP here,
0:08:51 it's going to say that this is using TCP port 80 by default,
0:08:56 and we could see that a lot of these are application level inspections,
0:08:59 that it's not just generic TCP
0:09:02 or just generic UDP;
0:09:05 it's specific application level ports.
0:09:15 If we do want to change these,
0:09:18 this is going to be again with the ip port-map command in global config.
0:09:23 So if HTTP inspection
0:09:27 is not using TCP port 80, I could say it's
0:09:30 on port 80
0:09:32 but then it's also maybe port 81,
0:09:35 so now when I say ip inspect HTTP
0:09:38 it's going to look not only for TCP port 80 but it's going to look at port 81.
0:09:44 Now for the actual rule,
0:09:47 the ip inspect, we give it a name; we say that this is CBAC rule.
0:09:52 This is similar to defining
0:09:55 the reflexive access list, so ip inspect, the actual keyword name,
0:09:59 followed by the name,
0:10:00 then we want to list what's the particular application we want to inspect.
0:10:05 Now we could do generic ones, we could just say TCP,
0:10:09 UDP,
0:10:11 UDP and ICMP,
0:10:14 or we could do application level inspections
0:10:17 like HTTP,
0:10:20 and depending on the version you will see that
0:10:23 it has some,
0:10:24 the higher the version and the higher the platform here, the more
0:10:27 of these there are going to be, like in this
0:10:30 particular example you could do BitTorrent inspection.
0:10:36 So once we have the particular rule defined,
0:10:39 we show run | include inspect,
0:10:46 then we are going to watch the traffic as it leaves the network.
0:10:49 So in this case this is on serial 0/0.12,
0:10:53 ip inspect,
0:10:56 the rule's name is CBAC_rule,
0:11:04 and I want to apply this
0:11:06 as it goes out
0:11:07 that interface, so ip inspect CBAC_rule out.
0:11:11 Now on the reverse path,
0:11:13 for the traffic coming back in,
0:11:16 right now there is no access list that is denying traffic,
0:11:19 so really the inspection rule is not going to do anything.
0:11:22 I would still need
0:11:23 ip access-list extended, that is outside in,
0:11:28 outside in,
0:11:31 that says
0:11:34 deny ip any any,
0:11:37 and we will log this traffic,
0:11:40 so now I am going to know if there are particular flows that I am dropping that I do not want to drop;
0:11:45 the log message is going to tell me
0:11:48 where I need to make an exception, either at the CBAC rules
0:11:51 or for the traffic coming back in with the access list.
0:11:57 So then at the interface level here, not only do we have the inspection rule applied out
0:12:02 with the ip inspect CBAC_rule out,
0:12:05 I also want ip access-group
0:12:08 outside in
0:12:12 applied inbound.
0:12:17 Now again, if we look at our routing design,
0:12:22 router 1 is using OSPF
0:12:25 as its IGP on this interface,
0:12:28 and we can see from the log message immediately we start to drop this control plane packet as it comes in.
0:12:35 So just like the reflexive list we do need to account for this;
0:12:39 I would then need to go to my
0:12:41 ip access-list extended
0:12:44 and say for outside in
0:12:48 I need to permit OSPF.
0:12:53 Now you will see that some of the protocols do support inspection already.
0:12:58 If we say ip inspect name,
0:13:03 so ip inspect name
0:13:06 is CBAC_rule,
0:13:11 OSPF does not have an inspection,
0:13:13 EIGRP does not,
0:13:18 RIP does, actually; this is the RIP process,
0:13:22 because this is the UDP.
0:13:24 BGP does
0:13:26 because it is using TCP,
0:13:29 but for the protocols that are using their own transport,
0:13:32 much of the time the inspection engine does not
0:13:35 support that.
0:13:38 OK, another one that does not support would be ESP,
0:13:45 so we would have to manually account for that if there was
0:13:49 an IPsec VPN that is going through
0:13:51 the firewall.
0:13:55 So documentation wise, if you look under that
0:13:58 configuration guide, that is the Securing the Data Plane,
0:14:03 under the Context Based Access Control,
0:14:07 it will show you what are the specific application level inspections.
0:14:13 So for example the HTTP inspection engine,
0:14:17 this is similar to what we saw on the ASA,
0:14:22 that we could do like URL inspection with this,
0:14:26 but it's assuming that we have the application level gateway in order to do this.
0:14:31 So it's supportive for everything;
0:14:33 anything that it's not supportive for, we would have to do a manual
0:14:36 exception with the access list.
0:14:41 So now if we look at the show access-lists,
0:14:44 we see on the outside in list I manually allow the OSPF
0:14:51 for the other flows.
0:14:53 But say now we go to the PC on the inside
0:14:58 and we do web browsing out to
0:15:01 router 2;
0:15:07 we should now see when we look at the
0:15:10 show ip inspect sessions
0:15:14 that the router is going to know about this particular
0:15:17 session, well, HTTP session.
0:15:20 Now as I mentioned before,
0:15:23 every time the
0:15:25 the server or the client issues a request,
0:15:28 the HTTP GET,
0:15:30 that's a new TCP session from the client to the server;
0:15:34 it's not a constant session that is open,
0:15:37 similar to like a telnet session.
0:15:40 So as these are opened and closed,
0:15:43 the inspection engine, just like the Modular Policy Framework on the ASA,
0:15:47 knows how the web session is supposed to start, with a 3 way handshake,
0:15:52 then if it ends with the TCP FIN
0:15:55 or the TCP reset
0:15:57 it knows to delete the session from the session table.
0:16:03 If we were to go to the Windows
0:16:07 box here, let's do a telnet, let's say, to router 2,
0:16:12 and let's generate a bunch of traffic; we'll say show tech-support.
0:16:18 When we look at router 1
0:16:20 and look at the sessions,
0:16:25 we see we know about the telnet session that's coming from
0:16:28 the host on the inside
0:16:30 and it's going out to router 2.
0:16:33 If we look at the show access-lists,
0:16:36 notice that we are not
0:16:38 putting temporary entries
0:16:40 in the ACL;
0:16:43 this is more similar to the Modular Policy Framework on the ASA
0:16:46 where we have this separate session table.
0:16:51 Now once this session ends,
0:16:56 if I were to go to
0:16:58 the Windows box and type exit,
0:17:01 so right now if we look at the sessions we see that it's still open;
0:17:05 if I exit here,
0:17:08 this is going to send the TCP FIN
0:17:11 to say that the session is done;
0:17:12 now it's gonna leave the table.
0:17:15 The same would be true
0:17:17 if I were to do a ping;
0:17:19 if we ping out to router 2,
0:17:24 when we look at the sessions this is only going to exist in the session table temporarily
0:17:30 as we have the ICMP echo go out
0:17:33 and then have the reply come back in.
0:17:38 So the different application inspections are going to be a little bit different;
0:17:42 we can see that the ICMP was not as exact as the TCP,
0:17:45 because it is not a connection oriented protocol;
0:17:49 there is nothing specifically in there that says my ICMP session is done with you,
0:17:52 or my voice over IP phone call for UDP is done with you.
0:17:56 For TCP, since it is connection oriented, it is explicit;
0:18:00 we are saying I want to open the session,
0:18:02 the server says either yes you can open it or no you cannot,
0:18:06 then when we are done the server either says I am done with your session or the client says I am done with the session.
0:18:12 Now there is a question here: how does the CBAC application,
0:18:15 CBAC inspection engine, know where the return traffic will arrive
0:18:20 if there were multiple interfaces with
0:18:23 multiple access lists?
0:18:26 Now the key is that the inspection occurs
0:18:29 on the reverse path input;
0:18:32 it's going to occur before the access list is checked.
0:18:37 So if we were to look at our design, let's say for example that we are going to do this
0:18:42 type of inspection
0:18:44 on,
0:18:47 we are going to do this inspection on router 2,
0:18:49 where we will say that we have multiple outside interfaces: this is outside interface 1
0:18:54 and this is outside interface 2,
0:18:58 here this is the inside.
0:19:00 Now from the ACS server, when I browse out,
0:19:05 let's say hit the web servers on router 3,
0:19:08 then I hit the web servers on router 1,
0:19:10 when the return traffic comes back in
0:19:14 we are not putting temporary entries in the ACL;
0:19:17 we are looking at the session table.
0:19:22 So the session table is global to the router; it's not bound to an individual interface.
0:19:27 This is why it's more flexible as to the direction of the inspection,
0:19:31 because with the reflexive list
0:19:33 we have to apply the
0:19:35 the inspection out and then the access list to allow it back in the reverse direction.
0:19:40 So CBAC deals with multiple interfaces or multiple security zones a little bit better.
0:19:47 So let's try the same thing out,
0:19:49 this out
0:19:51 on router 2 with these multiple interfaces.
0:19:53 So let's say that we have
0:19:56 an ip inspect rule,
0:19:59 we will say rule 1;
0:20:07 rule 1 says just TCP,
0:20:09 UDP and ICMP.
0:20:15 Now router 2 is going to do the inspection
0:20:18 a little bit differently than we did on router 1;
0:20:20 instead of doing it out,
0:20:23 instead of doing it out the outside interfaces,
0:20:25 we are going to do it in on the inside.
0:20:32 So this is router 2 fa0/0; we'll say ip inspect
0:20:37 rule 1 in,
0:20:40 then we will have 2 separate access lists: ip access-list
0:20:44 extended outside
0:20:47 1 in,
0:20:50 that says permit ospf
0:20:53 any any,
0:20:56 and outside 2 in,
0:21:00 where we will say that this is outside 1, this is outside 2.
0:21:19 So on router 2's link to router 1 we will say ip access-group
0:21:22 outside 1 in, in;
0:21:26 on the link to router 3,
0:21:34 outside 2
0:21:36 in.
0:21:45 Now on router 1 I am going to remove its
0:21:48 filtering configuration,
0:21:50 so I want to be able to test this in multiple directions,
0:21:53 so on router 1 I will say no
0:21:56 access-group and no ip inspect.
0:22:00 On both router 1 and router 3
0:22:03 I am going to run the web service,
0:22:05 so we will say ip http server
0:22:10 on router 1 and on router 3.
0:22:16 So what I now want to see on router 2,
0:22:19 and let's look at the debug list, let's say debug ip inspect,
0:22:26 let's say inspection advance.
0:22:30 So now from the
0:22:32 the AAA server
0:22:37 that is on the inside,
0:22:41 inside on the network, so from router 2's perspective this host is on the inside,
0:22:46 let's browse out,
0:22:52 let's browse out towards router 1 and router 2;
0:23:04 let's go to 200.0.01,
0:23:15 and on router 2 let's look at the show log;
0:23:20 it says we are debugging to the console,
0:23:24 and the show debug, we are debugging
0:23:27 inspect special events, that's when I say, let's say, debug ip inspect
0:23:38 protocol tcp.
0:23:44 So let's connect to router 3,
0:23:56 so we can see the actual
0:23:58 protocol communication between them,
0:24:01 where
0:24:04 first we are at the TCP SYN
0:24:07 that came from,
0:24:09 came from the inside, 10.0.0.100, going to router 3;
0:24:14 router 3 then replies back with the SYN ACK,
0:24:18 so this is what,
0:24:20 this is what the inspection engine was expecting,
0:24:24 then the Windows machine replies back with the ACK; now the session is open.
0:24:29 Now notice, if you look at the keyword here, it says that
0:24:32 right now the session is closed,
0:24:34 hey, we are starting to open it, we are starting to open it, we get past the 3 way handshake, now let's open.
0:24:40 So the PUSH
0:24:41 and the acknowledgement, this is where they are actually exchanging data;
0:24:45 we get to the FIN,
0:24:47 now they know to close the session,
0:24:50 and eventually it's going to get deleted from the session table.
0:24:53 So if we show ip inspect
0:24:56 sessions right now, it's not going to show there
0:24:59 because the session opened and closed,
0:25:01 but regardless of which direction we go, if we go to router 1
0:25:07 or we go to router 3,
0:25:11 neither of those access lists are going to get hit.
0:25:17 So actually I should have another list that says deny any any and then log,
0:25:22 but it doesn't matter which direction is the outside interface,
0:25:27 because it already knows that the state engine should be processed first before the access list.
0:25:34 So it's an issue of the order of operations.
0:25:36 With the reflexive list,
0:25:38 normally the way it works is that
0:25:41 when the traffic goes out
0:25:45 we have to use the same
0:25:48 reflexive list on that individual link,
0:25:52 but the CBAC session table is global to the router, so we are saying
0:25:56 the traffic left that direction,
0:25:58 send it to the state table,
0:26:01 so the state table has whatever the entries, let's keep track of the stuff,
0:26:05 so when traffic returns
0:26:08 we are always checking the state table first;
0:26:11 if it's not already there then we would check the input access list on the link.
0:26:18 Now where this becomes a problem though
0:26:20 is that we have different types of security levels or different security zones on the interfaces,
0:26:27 because just like on the ASA,
0:26:30 the inspection is not really a relationship between 2 different interfaces or between 2 different zones;
0:26:36 it's simply a direction of traffic flow on the link.
0:26:40 So what this means
0:26:42 is that if I had the router
0:26:44 that had the inside interface,
0:26:48 so this is connected to my normal inside hosts,
0:26:51 it has some sort of outside interface, so maybe this is my T1 link to the service provider,
0:26:56 and then I have another LAN that's on the inside, this is my DMZ,
0:27:01 so maybe this is where my public web servers are,
0:27:04 maybe my mail servers are here.
0:27:06 So I want a policy
0:27:09 that's going to allow my inside hosts to get to the outside
0:27:13 and also for them to get to the DMZ,
0:27:16 but only with web and mail;
0:27:18 then likewise I am going to want my
0:27:21 outside hosts to be able to get to the DMZ,
0:27:24 but only with the web and the mail.
0:27:30 So the problem that we get into
0:27:33 is that if I apply an inspection
0:27:36 that is
0:27:38 in on the inside interface,
0:27:42 this is going to affect traffic that goes from inside to out
0:27:47 and it's going to affect traffic that goes from inside to DMZ.
0:27:52 Now if I were to apply inspection
0:27:55 outside out,
0:27:57 this is going to catch my inside to outside traffic,
0:28:00 it's going to catch my DMZ to outside traffic,
0:28:03 but it's not going to catch my inside to DMZ.
0:28:08 Now it's not that impossible to engineer this;
0:28:12 it's just that the logic of the syntax and the logic of the relationship between the interfaces
0:28:16 gets more complex with CBAC when you have 3 or more security zones,
0:28:21 and this is really the problem that the zone based policy firewall was introduced to fix,
0:28:27 because behind the scenes when we are doing these application inspections
0:28:32 with the CBAC engine,
0:28:34 so this inspection here,
0:28:35 this is the same exact thing that the zone based policy firewall works with or uses.
0:28:40 So the inspection code behind the scenes is the same processes that were running;
0:28:45 zone based firewall is just a different syntax engine
0:28:49 that allows us to do separate
0:28:52 associations of the different security zones.
0:28:56 Well, with designs like this,
0:28:59 where there is multiple outside or there is multiple inside,
0:29:03 or there is 3 or more interfaces that are of different security levels,
0:29:07 then it gets fairly complex to try to implement this with the CBAC syntax.
0:29:13 Now for other advanced options
0:29:16 in the feature,
0:29:18 we can control the port mappings
0:29:21 that the applications are matching when we say inspect HTTP or inspect SIP;
0:29:27 we can remap these not only on a protocol basis
0:29:31 but also on a per host basis.
0:29:35 So if I have one server that's running, let's say, Java Tomcat that's listening at port 8080,
0:29:41 I could say for this specific server, for HTTP I want you to use port 8080,
0:29:46 but then for my other servers
0:29:49 I am going to use the standard port.
0:29:54 Now we can also do session logging
0:29:56 through what's known as the audit trail,
0:29:59 that's going to show us when was this session opened, when was the session closed,
0:30:04 so more so than like a syslog log message we do on the access list.
0:30:09 It also allows us to do a lot of alerting
0:30:13 for any type of protocol violation,
0:30:17 so here if anyone is trying to do some sort of, like, malformed TCP attack,
0:30:22 then it's going to log that automatically.
0:30:27 Now one other thing that's different from CBAC versus the reflexive list
0:30:32 is that we can configure it
0:30:34 to watch some of the router's locally generated traffic by default,
0:30:40 where with the reflexive list,
0:30:42 any of the locally generated traffic, whether it is the routing protocol,
0:30:46 if it was a ping, if it was a telnet,
0:30:48 we would always have to manually allow that back
0:30:51 in on the outside interface.
0:30:55 But in the case of CBAC we can tell it for certain types of traffic,
0:30:59 like for ICMP for example,
0:31:01 we could say
0:31:03 ip inspect rule 2,
0:31:06 is going to ip inspect name rule 2
0:31:11 is going to inspect ICMP
0:31:15 but also look at the router's locally originated traffic,
0:31:20 so this would be traffic from the router or traffic to the router.
0:31:24 We could do the same thing for TCP router-traffic,
0:31:27 which would be like our BGP peerings,
0:31:30 or maybe in the case of multicast, an MSDP peering,
0:31:34 which is the multicast source distribution protocol.
0:31:39 We can have UDP router-traffic,
0:31:41 so in the case of, like, MPLS this would be the Label Distribution Protocol,
0:31:46 for both UDP and TCP.
0:31:49 But again this is not going to catch everything,
0:31:52 so any type of control plane protocol that uses its own transport,
0:31:56 like EIGRP, OSPF, PIM,
0:31:59 those types of messages are not going to be inspected by the CBAC rules,
0:32:04 but some of these we can, when we say router-traffic at the end of them.
0:32:10 OK, there is a question here: the access list you can apply to the inspect name,
0:32:14 firewall ACL, is that to ignore
0:32:18 or not inspect the traffic, is this when you say,
0:32:34 what's the specific syntax you are talking about?
0:32:53 Some of these will be different depending on the individual application,
0:32:58 just like in the case of the ASA;
0:33:00 like you could see here there is a different inspection engine here for HTTP
0:33:03 where we can call a URL filter list,
0:33:06 we can call a
0:33:08 a Java list,
0:33:10 which just does the basic
0:33:12 filtering based on the web payload
0:33:15 and looks for the
0:33:18 and looks for the HTML tag
0:33:21 that is related to Java.
0:33:27 So if I say ip inspect name
0:33:30 firewall, then add an access list on the same command line, say right here.
0:34:09 Let's take a look at the command reference for this,
0:34:16 so let's turn to the main documentation page,
0:34:20 let's go down to
0:34:23 to Products, to IOS,
0:34:25 regular IOS,
0:34:27 12.4, 12.4T,
0:34:30 then Reference Guides,
0:34:34 Command References, this would be under Security,
0:34:41 then ip inspect.
0:34:54 So if you look at the ip inspect name command
0:34:57 you'll see some more detail on
0:35:01 what the particular inspections are,
0:35:03 like you can see here for web filtering there is the Java list,
0:35:15 unless you are talking about the ip port mapping,
0:35:19 which is
0:35:22 this syntax here, is that what you were asking about,
0:35:24 ip port-map for the list,
0:35:29 or it's for IPS; we will come back to that later when we get to prevention,
0:35:34 we will look a bit on the router.
0:35:36 Oh yes, that would be used for
0:35:38 an exception
0:35:39 of who you would not want to run the IPS for,
0:35:42 so in the case of the IPS sensor,
0:35:45 that would be like your,
0:35:48 which they call up there, it's like an exemption where you,
0:35:53 it's, you will never block hosts
0:35:55 where if someone tries to trigger a signature against them;
0:35:59 it would be like your management station that you actually use for the ICM in order to
0:36:03 to manage the device.
0:36:07 Now as I mentioned before, the CBAC does
0:36:10 integrate TCP intercept as well,
0:36:12 but it only supports the watch mode.
0:36:16 So when you look at the ip inspect sub commands, these things like the maximum incomplete sessions,
0:36:21 the 1 minute maximums,
0:36:23 the total number per host,
0:36:25 and then the TCP SYN wait time,
0:36:28 this would be the timer that the router is going to wait for
0:36:31 the session to get completely open
0:36:33 before it sends the reset to the server.
0:36:38 So this is always going to be on; you cannot
0:36:40 disable it unless you really set, like, the maximum incomplete to the maximum value.
0:36:45 Typically this is what you would want,
0:36:48 that you are protecting the hosts that you are also doing the inspection for.
0:36:53 Now there are a couple of different ways that you can actually apply this design,
0:36:57 where the way that we looked at it
0:36:59 was you're protecting the users on the inside
0:37:02 that are sending their traffic out,
0:37:04 where
0:37:05 the traffic is inspected as it leaves,
0:37:08 or maybe they are only allowing certain types of protocols like
0:37:11 clear text web, DNS;
0:37:14 they are making sure that it actually conforms to what that individual
0:37:18 application inspection is supposed to be.
0:37:21 So for the returning traffic inbound,
0:37:24 it's going to be blocked, and thus we are checking the
0:37:27 the state table.
0:37:29 Now the other way that we could do this
0:37:32 is to protect the servers on the public segment,
0:37:35 so like in that 3 zone design I was mentioning,
0:37:39 we could have the
0:37:41 the hosts in the DMZ,
0:37:43 and as traffic is going towards them,
0:37:46 doing inspection
0:37:48 that is going to match only on the specific ports.
0:37:53 If the web servers are listening at port 80,
0:37:55 not only would I have the inspection rule
0:37:58 in that direction,
0:38:00 but also I would have an access list that is permitting port 80,
0:38:03 deny the other traffic,
0:38:04 and then I could combine this with the
0:38:07 the TCP intercept behaviour
0:38:09 and then the protocol enforcement, which is going to be like
0:38:12 that you are not using invalid HTTP headers,
0:38:15 or that for
0:38:17 DNS you are not doing some sort of malformed type packet attack.
0:38:21 So the same type of logic that we can use with the zone firewall
0:38:25 is used with the CBAC;
0:38:27 it's just a different logic for the
0:38:30 the syntax.