Cisco IOS Firewall Feature Set
Feature Summary
The Cisco IOS Firewall feature set is available in Cisco IOS Release 12.0. This document includes information that is new in Cisco IOS Release 12.0(1)T, including a list of supported hardware platforms.
The Cisco IOS Firewall feature set extends the security technology currently available in Cisco IOS software to provide firewall specific capabilities:
• Context-based Access Control (CBAC)
• Java blocking
• Denial-of-service detection and prevention
• Real-time alerts and audit trails
The Cisco IOS Firewall feature set adds advanced filtering capabilities to existing security functionality in Cisco routers. Some existing Cisco IOS security features include packet filtering via Access Control Lists (ACLs), Network Address Translation (NAT), network-layer encryption, and TACACS+ authentication.
For complete information on the firewall feature set, refer to the Cisco IOS Release 12.0 Security Configuration Guide.
Benefits
The information in this section is repeated from the Security Configuration Guide and summarizes the Cisco IOS Firewall feature set security services benefits:
• CBAC provides internal users secure, per-application-based access control for all traffic across perimeters such as between private enterprise networks and the Internet.
• CBAC supports four switching modes: Cisco Express Forwarding (CEF), flow switching, fast switching, and process switching.
• Java blocking protects against unidentified, malicious Java applets.
• Denial-of-service detection and prevention defends and protects router resources against common attacks, checking packet headers and dropping suspicious packets.
• Audit trail details transactions, recording time stamp, source host, destination host, ports, duration, and total number of bytes transmitted.
• Real-time alerts log alerts in case of denial-of-service attacks or other pre-configured conditions.
You can use the Cisco IOS Firewall feature set to configure your Cisco IOS router as:
• An Internet firewall or part of an Internet firewall
• A firewall between groups in your internal network
• A firewall providing secure connections to or from branch offices
• A firewall between your company's network and your company's partners' networks
For a complete description of the Cisco IOS Firewall features, refer to the Security Configuration Guide.
Platforms
The Cisco IOS Firewall feature set is supported on the following platforms:
• Cisco 2600 series
• Cisco 3600 series
Prerequisites
For a complete description of the Cisco IOS Firewall feature set, including configuration instructions, read "Traffic Filtering and Firewalls" in the Security Configuration Guide.
Supported MIBs and RFCs
None.
Configuration Tasks
The tasks required to configure the Cisco IOS Firewall feature set are described in the Security Configuration Guide.
In addition to instructions for configuring specific Cisco IOS Firewall features, the Security Configuration Guide references a number of other security configuration guidelines:
• When setting passwords for privileged access to the firewall, use the enable secret command rather than the enable password command, which does not have as strong an encryption algorithm.
• Put a password on the console port. In authentication, authorization, and accounting (AAA) environments, use the same authentication for the console as for elsewhere. In a non-AAA environment, at a minimum configure the login and password password commands.
• Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a BREAK on the console port might give total control of the firewall, even with access control configured.
• Apply access lists and password protection to all virtual terminal ports. Use access lists to limit who can Telnet to your router.
• Do not enable any local service (such as SNMP or NTP) that you do not use. Cisco Discovery Protocol (CDP) and Network Time Protocol (NTP) are on by default, and you should turn these off if you do not need them.
To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp disable interface configuration command on each interface not using NTP.
If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only to certain peers.
Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network.
For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring access lists to deny packets for the services at specific interfaces.
• Protect against spoofing: protect the networks on both sides of the firewall from being spoofed from the other side. You could protect against spoofing by configuring input access lists at all interfaces to pass only traffic from expected source addresses, and to deny all other traffic.
You should also disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can also help prevent spoofing.
• Prevent the firewall from being used as a relay by configuring access lists on any asynchronous Telnet ports.
• Normally, you should disable directed broadcasts for all applicable interfaces on your firewall and on all your other routers. For IP, use the no ip directed-broadcast command. Rarely, some IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts.
Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some hosts have other intrinsic security risks present when handling broadcasts.
• Configure the no ip proxy-arp command to prevent internal addresses from being revealed. (This is important to do if you do not already have NAT configured to prevent internal addresses from being revealed).
• Keep the firewall in a secured (locked) room.
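A check a practitioner can run against the guidelines in this list, as an added example that is not part of the Cisco document: it parses the text of a running-config into global commands and interface/line blocks and reports which of the settings named above (enable secret, no ip source-route, no cdp run, no ip directed-broadcast, no ip proxy-arp, an access-class on the vty lines) are missing. The sample configuration embedded in the code is constructed for the demonstration.

```python
# Added example (not from the Cisco document): audit a running-config against
# the hardening guidelines above. Input is the text of "show running-config".

# Constructed sample with two deliberate gaps: Ethernet1/1 keeps proxy ARP
# enabled, and vty 1 has no access-class restricting Telnet sources.
SAMPLE_CONFIG = """\
service password-encryption
hostname Router1
enable secret 5 <elided>
no ip source-route
interface Ethernet0/0
 ip address 172.16.110.1 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
interface Ethernet1/1
 ip address 172.16.140.1 255.255.255.0
 no ip directed-broadcast
 no cdp enable
no cdp run
line vty 0
 login authentication lista
 access-class 12 in
line vty 1
 login authentication lista
end
"""

GLOBAL_REQUIRED = ("service password-encryption", "no ip source-route", "no cdp run")
INTERFACE_REQUIRED = ("no ip directed-broadcast", "no ip proxy-arp")


def parse_blocks(config):
    """Split an IOS config into global commands and indented blocks keyed by header."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and "!" comments carry no configuration
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, blocks = parse_blocks(config)
    findings = [f"global: missing '{cmd}'" for cmd in GLOBAL_REQUIRED if cmd not in global_lines]
    if not any(ln.startswith("enable secret") for ln in global_lines):
        findings.append("global: no 'enable secret' configured")
    for header, lines in blocks.items():
        if header.startswith("interface "):
            findings += [f"{header}: missing '{cmd}'" for cmd in INTERFACE_REQUIRED if cmd not in lines]
        elif header.startswith("line vty"):
            if not any(ln.startswith("access-class") for ln in lines):
                findings.append(f"{header}: no access-class restricting Telnet")
            if not any(ln.startswith("login") for ln in lines):
                findings.append(f"{header}: no login authentication")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the two gaps built into the sample; feed it the output of show running-config from a router to check a live configuration.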
Configuration Example
In this configuration example, a single Cisco 3600 series firewall router is positioned at a branch office. It has four internal networks and two WAN connections to the corporate headquarters. CBAC is configured on the firewall to protect two of the internal networks from potential network threats coming from the WAN side and from less secure internal networks. Anti-spoofing protection is added at each interface with client systems.
Note
This example shows a moderately high level of trust by the administrators toward the expected users. Additional protection could be added to this configuration for a situation with a lower level of trust. That configuration would include ICMP filtering statements, significantly more protocol and address control through the use of more restrictive Access Control Lists, and anti-spoofing applied everywhere. This configuration does not contain those additional restrictions since they would detract from the CBAC example.
Figure 1 Sample Cisco IOS Firewall Application Environment
The branch office has this sample network configuration:
• Ethernet interface 0/0 supports the Human Resources department servers. This network includes an email (SMTP and POP3) host and a Windows NT server. The Windows NT server is the Primary Domain Controller (PDC) for the Human Resources domain and has a trust relationship with the rest of the company; however, it contains applications and databases that must not be accessed by the rest of the company or the other groups in the branch office. The devices on this LAN are accessible only by users in the Human Resources department on Ethernet interface 0/1. The Mail server must be able to send and receive email (through SMTP sessions) with all other devices. The Windows 95 machines can use this machine as their email server (for sending email through SMTP sessions) and as a repository for accumulating email that they can then download through POP3 sessions. No one else in the company is allowed to form POP3 sessions to any machine on this LAN.
• Ethernet interface 0/1 supports the Windows 95 computers in the Human Resources department. These users must have access to the Human Resources mail servers located on Ethernet interface 0/0 as well as access to the rest of the company. Access to the Windows NT server resources is controlled through the Windows NT permissions assigned to each user in the Windows NT domain.
• Ethernet interface 1/0 supports the branch office web servers, which can be accessed by everyone in the company. These servers use TCP ports 80 (HTTP) and 443 (SHTTP) for inbound web access. This network also includes a backup domain controller (BDC) for the overall domain that is also used as file, print, and service server.
• Ethernet interface 1/1 supports all users who are not in the Human Resources department. These users have no access to the Human Resources department servers, but they can access the other network interfaces and the serial interfaces for WAN connectivity.
Serial interfaces 0/0 and 0/1 connect to the WAN with T1 links (links to corporate headquarters). In this sample configuration, the Domain Name System (DNS) servers are located somewhere within the rest of the company. Additionally, network management (SNMP) and Telnet sessions are limited to the management network (192.168.55.0), which is located somewhere within the rest of the company across the serial interface.
! ------------------------------------------------------------------
! This first section contains some configuration that is not required
! for CBAC, but illustrates good security practices.
! ------------------------------------------------------------------
!Add this line to get timestamps on the syslog messages.
service timestamps log datetime localtime show-timezone
!
service password-encryption
!
hostname Router1
!
boot system flash c3600-fw3600-l
!
! Configure AAA user authentication.
aaa new-model
aaa authentication login lista tacacs+ enable
!
enable secret 5 <elided>
ip subnet-zero
!
! Disable source routing to help prevent spoofing.
no ip source-route
!
! Set up the domain name and server IP addresses.
ip domain-name example.com
ip name-server 192.168.55.132
ip name-server 192.168.27.32
!
! The audit-trail command enables the delivery of specific CBAC messages
! through the syslog notification process.
ip inspect audit-trail
!
! Establish the time-out values for DNS queries. When this idle-timer expires,
! the dynamic ACL entries that were created to permit the reply to a DNS request
! will be removed and any subsequent packets will be denied.
ip inspect dns-timeout 10
!
!----------------------------------------------------------------------
!The next section includes configuration statements required
!specifically for CBAC.
!----------------------------------------------------------------------
! Define the CBAC inspection rule "inspect1", allowing the specified protocols to be
! inspected. The first rule enables SMTP specific inspection. SMTP inspection causes
! the exchange of the SMTP session to be inspected for illegal commands. Any packets
! with illegal commands are dropped, and the SMTP session will hang and eventually
! time out.
ip inspect name inspect1 smtp timeout 300
!
! In the next two lines of inspect1, define the maximum time that each of the udp and
! tcp sessions are allowed to continue without any traffic passing
! through the router. When these timeouts are reached, the dynamic ACLs that
! are inserted to permit the returning traffic are removed and subsequent packets
! (possibly even valid ones) will not be permitted.
ip inspect name inspect1 udp timeout 300
ip inspect name inspect1 tcp timeout 300
!
! Define the CBAC inspection rule "inspect2", allowing the specified protocols to be
! inspected. These rules are similar to those used in the inspection rule "inspect1,"
! except that on the interfaces where this rule is applied, SMTP sessions are not
! expected to go through; therefore, the SMTP rule element is not applied here.
ip inspect name inspect2 udp timeout 300
ip inspect name inspect2 tcp timeout 3600
!
!----------------------------------------------------------------------
! The next section shows the Ethernet interface configuration statements for each
! interface, including access lists and inspections rules.
!----------------------------------------------------------------------
! Apply the "inspect1" inspection rule to sessions that are initiated in the outbound
! direction (toward the LAN) at Ethernet interface 0/0. All packets in these sessions
! will be inspected by CBAC. Provided that network traffic passes the Access Control
! List (ACL) restrictions, traffic is then inspected by CBAC for access through the
! IOS Firewall. Traffic blocked by the access list is not inspected by CBAC. Access
! list 110 is applied to outbound traffic on this interface.
interface Ethernet0/0
 description HR_Server Ethernet
 ip address 172.16.110.1 255.255.255.0
 ip access-group 110 out
 no ip directed-broadcast
 no ip proxy-arp
 ip inspect inspect1 out
 no cdp enable
!
! Apply access list 120 to inbound traffic on Ethernet interface 0/1.
! Applying access list 120 to inbound traffic provides anti-spoofing on this interface
! by dropping traffic with a source address matching the IP address on a network other
! than Ethernet 0/1. The IP helper address lists the IP address of the DHCP server on
! Ethernet interface 1/0.
interface Ethernet0/1
 description HR_client Ethernet
 ip address 172.16.120.1 255.255.255.0
 ip access-group 120 in
 ip helper-address 172.16.130.66
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
! Apply the "inspect2" inspection rule to sessions that are initiated in the outbound
! direction (toward the LAN) at Ethernet interface 1/0. Provided that network traffic
! passes the Access Control List (ACL) restrictions, traffic is then inspected by CBAC
! through the IOS Firewall. Traffic blocked by the access list is not inspected by
! CBAC. Access list 130 is applied to outbound traffic on this interface.
interface Ethernet1/0
 description Web_server Ethernet
 ip address 172.16.130.1 255.255.255.0
 ip access-group 130 out
 no ip directed-broadcast
 no ip proxy-arp
 ip inspect inspect2 out
 no cdp enable
!
! Apply access list 140 to inbound traffic at Ethernet interface 1/1. This
! provides anti-spoofing on the interface by dropping traffic with a source address
! matching the IP address of a network other than Ethernet 1/1. The IP helper address
! lists the IP address of the DHCP server on Ethernet interface 1/0.
interface Ethernet1/1
 description Everyone_else Ethernet
 ip address 172.16.140.1 255.255.255.0
 ip access-group 140 in
 ip helper-address 172.16.130.66
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
!----------------------------------------------------------------------
! The next section configures the serial interfaces, including access lists.
!----------------------------------------------------------------------
! Apply access list 150 to Serial interfaces 0/0. This provides anti-spoofing on the
! serial interface by dropping traffic with a source address matching the IP address
! of a host on Ethernet interface 0/0, 0/1, 1/0, or 1/1.
interface Serial0/0
 description T1 to HQ
 ip address 192.168.150.1 255.255.255.0
 ip access-group 150 in
 bandwidth 1544
!
interface Serial1/1
 description T1 to HQ
 ip address 192.168.160.1 255.255.255.0
 ip access-group 150 in
 bandwidth 1544
!
! ------------------------------
! Configure routing information.
! -------------------------------
router igrp 109
 network 172.16.0.0
 network 192.168.150.0
 network 192.168.160.0
!
! Define protocol forwarding on the firewall. When you turn on a related command,
! ip helper-address, you forward every IP broadcast in the ip forward protocol
! command list, including several which are on by default: TFTP (port 69),
! DNS (port 53), Time service (port 37), NetBIOS Name Server (port 137),
! NetBIOS Datagram Server (port 138), BOOTP client and server datagrams
! (ports 67 and 68), and TACACS service (port 49). One common
! application that requires helper addresses is Dynamic Host Configuration
! Protocol (DHCP). DHCP protocol information is carried inside of BOOTP packets. The
! "no ip forward protocol" statements turn off forwarding for the specified protocols.
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip forward-protocol udp tftp
ip forward-protocol udp bootpc
!
! Add this line to establish where router SYSLOG messages are sent. This includes the
! CBAC messages.
logging 192.168.55.131
!
! ---------------------------------------------------------------
! Define the configuration of each access list.
! ---------------------------------------------------------------
! Defines Telnet controls in access list 12.
access-list 12 permit 192.168.55.0 0.0.0.255
!
! Defines snmp controls in access list 13.
access-list 13 permit 192.168.55.12
access-list 13 permit 192.168.55.19
!
! Access list 110 permits TCP and UDP protocol traffic for
! specific ports and with a source address on Ethernet interface 0/1. The access list
! denies IP protocol traffic with any other source and destination address. The
! access list permits ICMP access for any source and destination
! address. Access list 110 is deliberately set up to deny unknown IP protocols
! because no such unknown protocols will be in legitimate use. Access list
! 110 is applied to outbound traffic at Ethernet interface 0/0. In ACL 110,
! network traffic is being allowed access to the ports on any server on the HR server
! network. In less trusted environments, this can be a security problem; however, you
! can limit access more severely by specifying specific destination addresses in the
! ACL statements.
access-list 110 permit tcp 172.16.120.0 0.0.0.255 any eq smtp
access-list 110 permit tcp 172.16.120.0 0.0.0.255 any eq pop3
access-list 110 permit tcp 172.16.120.0 0.0.0.255 any eq 110
access-list 110 permit udp any any eq 137
access-list 110 permit udp any any eq 138
access-list 110 permit udp any any eq 139
access-list 110 permit icmp any any
access-list 110 deny ip any any
!
!
! Access-list 120 permits TCP, UDP, and ICMP protocol traffic with a source address
! on Ethernet interface 0/1, but denies all other IP protocol traffic. Access list
! 120 is applied to inbound traffic on Ethernet interface 0/1.
access-list 120 permit tcp 172.16.120.0 0.0.0.255 any
access-list 120 permit udp 172.16.120.0 0.0.0.255 any
access-list 120 permit icmp 172.16.120.0 0.0.0.255 any
access-list 120 deny ip any any
!
! Access list 130 permits TCP, UDP, and ICMP protocol traffic for specific ports and
! with any source and destination address. It opens access to the Web server and to
! all NBT services to the rest of the company, which can be controlled through the
! trust relations on the NT servers. The bootpc entry permits access to the DHCP
! server. Access list 130 denies all other IP protocol traffic. Access list 130 is
! applied to outbound traffic at Ethernet interface 1/0.
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any any eq 443
access-list 130 permit tcp any any eq 110
access-list 130 permit udp any any eq 137
access-list 130 permit udp any any eq 138
access-list 130 permit udp any any eq 139
access-list 130 permit udp any any eq bootpc
access-list 130 permit icmp any any
access-list 130 deny ip any any
!
! Access list 140 permits TCP, UDP, and ICMP protocol traffic with a source address on
! Ethernet interface 1/1, and it denies all other IP protocol traffic. Access list 140
! is applied to inbound traffic at Ethernet interface 1/1.
access-list 140 permit tcp 172.16.140.0 0.0.0.255 any
access-list 140 permit udp 172.16.140.0 0.0.0.255 any
access-list 140 permit icmp 172.16.140.0 0.0.0.255 any
access-list 140 deny ip any any
!
! Access list 150 denies IP protocol traffic with a source address on Ethernet
! interfaces 0/0, 0/1, 1/0, and 1/1, and it permits IP protocol traffic with any other
! source and destination address. Access list 150 is applied to inbound traffic
! on each of the serial interfaces.
access-list 150 deny ip 172.16.110.0 0.0.0.255 any
access-list 150 deny ip 172.16.120.0 0.0.0.255 any
access-list 150 deny ip 172.16.130.0 0.0.0.255 any
access-list 150 deny ip 172.16.140.0 0.0.0.255 any
access-list 150 permit ip any any
!
! Disable Cisco Discovery Protocol.
no cdp run
!
snmp-server community <elided> ro 13
tacacs-server host 192.168.55.2
tacacs-server key <elided>
!
! -----------------------------------------------------------------------------------
! Configures the router console port and the virtual terminal line interfaces,
! including AAA authentication at login. Authentication is required for users defined
! in "lista." Access-class 12 is applied on each line, restricting Telnet access to
! connections with a source address on the network management network.
! -----------------------------------------------------------------------------------
line console 0
 exec-timeout 3 00
 login authentication lista
line aux 0
 exec-timeout 3 00
 login authentication lista
line vty 0
 exec-timeout 1 30
 login authentication lista
 access-class 12 in
line vty 1
 exec-timeout 1 30
 login authentication lista
 access-class 12 in
line vty 2
 exec-timeout 1 30
 login authentication lista
 access-class 12 in
line vty 3
 exec-timeout 1 30
 login authentication lista
 access-class 12 in
line vty 4
 exec-timeout 1 30
 login authentication lista
 access-class 12 in
!
end
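As an added example (not Cisco's code), the following Python models how IOS evaluates the numbered access lists in the configuration above: wildcard-mask matching, first matching entry wins, and the implicit deny that ends every list. The entries for access lists 150 (anti-spoofing on the T1 links) and 120 (HR client LAN) are copied from the configuration; the packets checked in demo() are constructed.

```python
# Added example (not from the Cisco document): evaluate IOS numbered ACLs.
import ipaddress

# ACL 150 and ACL 120 as they appear in the configuration above.
ACL_TEXT = """\
access-list 150 deny ip 172.16.110.0 0.0.0.255 any
access-list 150 deny ip 172.16.120.0 0.0.0.255 any
access-list 150 deny ip 172.16.130.0 0.0.0.255 any
access-list 150 deny ip 172.16.140.0 0.0.0.255 any
access-list 150 permit ip any any
access-list 120 permit tcp 172.16.120.0 0.0.0.255 any
access-list 120 permit udp 172.16.120.0 0.0.0.255 any
access-list 120 permit icmp 172.16.120.0 0.0.0.255 any
access-list 120 deny ip any any
"""
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "bootpc": 68}  # names used on this page


def _parse_addr(tokens):
    """Consume 'any' or 'addr wildcard'; return ((net, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (net, wild), tokens[2:]


def parse_acls(text):
    """Return {number: [(action, proto, src, dst, dport), ...]} in configuration order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        dst, rest = _parse_addr(rest)
        # Only the "eq <port>" form used on this page is handled.
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        acls.setdefault(number, []).append((action, proto, src, dst, dport))
    return acls


def _match_addr(addr, net_wild):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    net, wild = net_wild
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet; the first matching entry decides."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue  # 'ip' entries match every protocol, others only their own
        if not (_match_addr(src, s) and _match_addr(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS access list


def demo():
    """Constructed packets: spoofed and legitimate on Serial0/0, then two on Ethernet0/1."""
    acls = parse_acls(ACL_TEXT)
    spoofed = evaluate(acls[150], "tcp", "172.16.110.7", "192.168.55.131", 514)
    legit = evaluate(acls[150], "tcp", "192.168.55.12", "172.16.130.66", 80)
    hr_client = evaluate(acls[120], "udp", "172.16.120.44", "192.168.55.132", 53)
    outsider = evaluate(acls[120], "udp", "172.16.140.9", "192.168.55.132", 53)
    return spoofed, legit, hr_client, outsider
```

A packet that carries an internal source address but arrives on a T1 is dropped by ACL 150, and a protocol other than TCP, UDP or ICMP sourced from the HR client LAN falls through to the final deny in ACL 120, which is the "deny unknown IP protocols" behaviour the comments describe.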
Command Reference
None. Cisco IOS Firewall feature set command descriptions are included in the Security Reference Guide.

