Lab 6.2 Configuring CBAC

More documents

Recommendations

Info

Why is this particularly important for UDP protocols On a per-protocol basis, there are other adjustable settings. For instance, you can manipulate CBAC to trigger logging messages based on the matched protocol. This is important for security accounting as well as for debugging purposes. View the options available on a per-protocol basis, using the character. FW(config)# ip inspect name myrules tcp alert Turn on/off alert audit-trail Turn on/off audit trail router-traffic Enable inspection of sessions to/from the router timeout Specify the inactivity timeout time In a secure network, you would likely set up a Syslog server to monitor security information including communication to external networks. Alert and audit trail messages allow holes in the firewall created by CBAC to be monitored and logged for later use. By default, CBAC logs alert messages to the console which can be configured on a per-protocol basis to override the global settings for the alert messages (as shown above). To change the global setting for alerts, use the command ip inspect alert-off. By default, alerts are on. To enable audit-trail messages, use the global command ip inspect audit-trail. By default, audit-trail messages are off. The timeout argument specifies a perprotocol connection timeout period. Add in Internet Control Message Protocol (ICMP) with a timeout time of 5 seconds, HTTP inspection without alerting, and FTP inspection with an audit-trail. ICMP inspection may not work on older IOS releases. FW(config)# ip inspect name myrules icmp timeout 5 FW(config)# ip inspect name myrules http alert off FW(config)# ip inspect name myrules ftp audit-trail on To apply the rule set to an interface, use the interface level command ip inspect name direction. Apply “myrules” to the inside interface on FW with an inbound direction. This means that any traffic initiated from the inside interface going through the router will have IP inspection performed on it. FW(config)# interface serial0/0/0 FW(config-if)# ip inspect myrules in In this scenario, you could also apply it outbound on the outside interface to achieve the same effect. When would this not apply 4 - 8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 6-2 Copyright © 2007, Cisco Systems, Inc
Step 5: Block Unwanted Outside Traffic Configure an extended access list to deny any traffic coming in the outside interface. The access list must be extended because CBAC needs to open up temporary holes in it for return traffic and cannot do this with standard access lists. Also have the deny portion of the access-list log packets that are blocked. Apply this access list to be inbound on the outside interface on the firewall. NOTE: If you are using an older IOS release that did not accept ICMP inspection earlier, you may want to add the statement access-list 100 permit icmp any any before the deny statement in this access list to allow all ICMP traffic to go through (since it will not be inspected by CBAC). FW(config)# access-list 100 deny ip any any log FW(config)# interface serial0/0/1 FW(config-if)# ip access-group 100 in Step 6: Verify CBAC Operation Telnet from OUTSIDE to INSIDE. This should fail. OUTSIDE# telnet 172.16.12.1 Trying 172.16.12.1 ... % Destination unreachable; gateway or host down OUTSIDE# In addition, you should see a log message appear on FW. This log message is not from CBAC but instead from the access list denying the packet. FW# *Feb 18 02:11:11.823: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.23.3(0) -> 172.16.12.1(0), 1 packet Now, attempt to telnet from INSIDE to OUTSIDE. Leave the telnet session open so you can verify the connection on FW. INSIDE# telnet 192.168.23.3 Trying 192.168.23.3 ... Open User Access Verification Password: OUTSIDE> On FW, issue the show ip inspect all command to see the configuration and operation of CBAC. Notice the inspected TCP connection between INSIDE and OUTSIDE is listed at the end. FW# show ip inspect all Session audit trail is disabled Session alert is enabled one-minute (sampling period) thresholds are [400:500] connections max-incomplete sessions thresholds are [400:500] 5 - 8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 6-2 Copyright © 2007, Cisco Systems, Inc
Page 1 and 2: Lab 6.2 Configuring CBAC Learning O
Page 3: Step 4: Create IP Inspect Rules CBA
Page 7 and 8: attempted, the denied packets from

Lab 6.2 Configuring CBAC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?