Advanced IOS
Transcript of Advanced IOS
© 2012 Cisco and/or its affiliates. All rights reserved. BRKSED-3007 Cisco Public
Advanced Cisco IOS Security Features BRKSEC-3007
About the Speaker: Alexandre M. S. P. Moraes
Joined Cisco as a Systems Engineer in 1998.
Mainly supporting large Public Sector and Enterprise accounts in Brazil.
Coordinator of the Cisco Security team in Brazil for 3 years
Graduated in Electronic Engineering
Areas of Interest: Security/VPN, Routing/Campus Design, MPLS Networks Design, IP Multicast
Author of the book: “Cisco Firewalls: Concepts, Design and Deployment for Cisco Stateful Solutions” (Cisco Press, 2011)
Blog: http://alexandremspmoraes.wordpress.com
CCIE #6063 (Routing/Switching, Security, Service Provider)
Housekeeping
We value your feedback: don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday
Visit the World of Solutions and Meet the Engineer
Visit the Cisco Store to purchase your recommended readings.
Please switch off your mobile phones
After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
Agenda
Introduction
Zone-based Policy Firewall: Basic Concepts
Zone-based Policy Firewall in action
User-based Firewall features on Cisco IOS
Additional Layers of Security: Advanced Filtering Resources
IPv6 Security Features on IOS
Key Takeaways
Warning: This session does not cover subjects such as IOS VPNs or L2 Security
[Diagram: Branch Office and Corporate Office connected over the Internet and a Private WAN. Security Services listed: Cisco Zone-Based Firewall, Identity-based Services, Stateless Filtering, Content Scanning with ScanSafe, Infrastructure Protection]
Cisco ISRs provide lots of integrated services. But what about Security?
Cisco Integrated Services Routers provide many services: Routing, Switching, WLAN, UC, Multicast, Multiple Backup options…
+ Security Connectivity: Flex VPN and GET VPN to fit your connectivity needs
+ Data Plane Security: at appropriate performance levels for the branch
Basic Questions to be answered
Can a Router behave as a true stateful firewall?
Are there any other features that complement stateful inspection?
Is my ISR Identity-aware?
Are the ISR Security Features IPv6 Ready?
Zone-based Policy Firewall (ZFW)
[Diagram: ZFW1 with interfaces Int 1 to Int 4 split between zone TRUSTED (Client1, Client2) and zone UNTRUSTED (Server, INTERNET); Zone-Policy OUTBOUND applied between the zones]
Zone: set of interfaces that share a certain “trust level”
A philosophy change: Firewall policies now define rules between zones (and not between interfaces)
ZFW policies are Unidirectional: Source >> Destination
%FW-6-DROP_PKT: Dropping icmp session 172.18.1.10:0 172.18.2.20:0 due to No zone-pair between zones with ip ident 0
Interfaces assigned to zones but no zone-pair definition
%FW-6-DROP_PKT: Dropping icmp session 172.17.3.10:0 172.18.1.10:0 due to One of the interfaces not being cfged for zoning with ip ident 0
Source interface not assigned to a zone
%FW-6-DROP_PKT: Dropping icmp session 172.18.2.20:0 172.17.4.10:0 due to policy match failure with ip ident 0
Destination interface not assigned to a zone
ZFW: Easier to implement Default-Deny behavior
ZFW: Policy Building Blocks
policy-map type inspect BASIC1
 class type inspect CLASS1
  { inspect | pass | police | drop }
 [...]
 class type inspect CLASS-N
  { inspect | pass | police | drop }
 class class-default
  { inspect | pass | drop }

class-map type inspect { match-all | match-any } CLASS1
 a) match protocol { tcp | udp | icmp }
 b) match access-group { name ACL-NAME | ACL-NUM }
 c) match class-map CLASS-MAP_NAME

zone-pair security Z1-Z2 source Z1 destination Z2
 service-policy type inspect BASIC1
[Diagram: ZFW1 with Int 1 and Int 2, one in zone security Z1 and the other in zone security Z2 (zone-member security configured on each interface); the Z1-Z2 Policy applies to traffic from Z1 to Z2]
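As an added example (not from the session and not Cisco IOS code), the Python model below walks a new flow through the building blocks just listed: interface-to-zone membership, the unidirectional zone-pair lookup, match-any / match-all class-maps with a nested class-map and an access-group, and class-default at the end of the policy-map; it also reproduces the drop reasons shown two slides earlier. Zone, class, ACL and policy names follow the slides, while the addresses, the Flow type and the evaluate() helper are constructed for the example.

```python
"""Toy model of how a Cisco IOS Zone-Based Policy Firewall classifies a new flow.

Added example, not Cisco code. Names (INSIDE, OUTSIDE, TOP-CLASS1, JOINT1,
ACL1, POLICY2) follow the slides; addresses and the Flow type are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    in_if: str      # ingress interface (e.g. "F1")
    out_if: str     # egress interface chosen by routing (e.g. "F0")
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # 0 for icmp


# ip access-list extended ACL1, expanded from the object-groups on the slides:
# (protocol, source network, destination network, destination port)
ACLS = {
    "ACL1": [
        ("tcp", "172.18.1.0/24", "172.22.0.0/16", 23),    # SVCS1 telnet -> OUT1
        ("tcp", "172.18.1.0/24", "172.22.0.0/16", 80),    # SVCS1 www    -> OUT1
        ("udp", "172.18.1.0/24", "172.18.2.20/32", 123),  # SVCS2 ntp    -> OUT2
    ],
}

# class-map type inspect {match-any|match-all} NAME, with its match statements
CLASS_MAPS = {
    "TOP-CLASS1": ("match-any", [("protocol", "udp"), ("protocol", "tcp")]),
    "JOINT1": ("match-all", [("class-map", "TOP-CLASS1"), ("access-group", "ACL1")]),
}

# policy-map type inspect NAME: classes are tried in order, class-default last
POLICY_MAPS = {
    "POLICY2": [("JOINT1", "inspect"), ("class-default", "drop")],
}

ZONE_MEMBER = {"F1": "INSIDE", "F0": "OUTSIDE"}   # zone-member security
ZONE_PAIRS = {("INSIDE", "OUTSIDE"): "POLICY2"}   # (source, destination) -> policy
INTRAZONE_DEFAULT = "pass"   # IOS 12.X behaviour per the slides; 15.0(1)M drops


def acl_permits(acl_name, flow):
    """First-match ACL evaluation over the entries of one named ACL."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for proto, src_net, dst_net, port in ACLS[acl_name]:
        if (proto == flow.proto
                and src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and port == flow.dport):
            return True
    return False


def class_matches(name, flow):
    """Evaluate a class-map; match-all needs every statement, match-any needs one."""
    mode, statements = CLASS_MAPS[name]
    results = []
    for kind, arg in statements:
        if kind == "protocol":
            results.append(arg == flow.proto)
        elif kind == "access-group":
            results.append(acl_permits(arg, flow))
        elif kind == "class-map":         # nested class-map, as in JOINT1
            results.append(class_matches(arg, flow))
    return all(results) if mode == "match-all" else any(results)


def evaluate(flow):
    """Return (action, reason) for the first packet of a flow."""
    src_zone = ZONE_MEMBER.get(flow.in_if)
    dst_zone = ZONE_MEMBER.get(flow.out_if)
    if src_zone is None and dst_zone is None:
        return "pass", "neither interface is a zone member"
    if src_zone is None or dst_zone is None:
        return "drop", "one of the interfaces not configured for zoning"
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        if src_zone == dst_zone:
            return INTRAZONE_DEFAULT, "intrazone traffic without a zone-pair"
        return "drop", f"no zone-pair between {src_zone} and {dst_zone}"
    for class_name, action in POLICY_MAPS[policy]:
        if class_name == "class-default" or class_matches(class_name, flow):
            return action, f"zone-pair {src_zone}-{dst_zone} class {class_name}"
    return "drop", "policy-map without class-default"
```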
Cisco Security Manager and ZFW
Zone-based Firewall Rules
Zone-based Policy Firewall: Parameter-maps
ZFW1# show parameter-map type inspect default
 audit-trail off
 alert on
 max-incomplete low 2147483647
 max-incomplete high 2147483647
 one-minute low 2147483647
 one-minute high 2147483647
 udp idle-time 30
 icmp idle-time 10
 dns-timeout 5
 tcp idle-time 3600
 tcp finwait-time 5
 tcp synwait-time 30
 tcp max-incomplete host 4294967295 block-time 0
 sessions maximum 2147483647

parameter-map type inspect TRACKING
 audit-trail on

parameter-map type inspect global
 log dropped-packets enable
Good practice: Capitalize the names you assign to policy building blocks. Search within CLI is case-sensitive
Connection logging is turned off by default
Inspecting Outbound Traffic (L4 only): Connection Setup
[Diagram: ZFW1 with F1 (.4) in Zone INSIDE, network 172.18.1.0/24 (host .10), and F0 (.4) in Zone OUTSIDE, network 172.18.2.0/24 (host .20); OUTBOUND1 Zone Policy applied from INSIDE to OUTSIDE]

class-map type inspect match-any TOP-CLASS1
 match protocol udp
 match protocol tcp
!
policy-map type inspect POLICY1
 class type inspect TOP-CLASS1
  inspect TRACKING
 class class-default
  drop log
!
zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
 service-policy type inspect POLICY1
Inspecting Outbound Traffic (L4 only)
[Diagram: same topology, ZFW1 between Zone INSIDE (F1 .4, 172.18.1.0/24, host .10) and Zone OUTSIDE (F0 .4, 172.18.2.0/24, host .20), OUTBOUND1 Zone Policy]

ZFW1# show zone security
zone self
  Description: System defined zone
zone INSIDE
  Member Interfaces:
    FastEthernet1
zone OUTSIDE
  Member Interfaces:
    FastEthernet0

ZFW1# show policy-firewall config zone-pair
Zone-pair : OUTBOUND1
  Source Zone : INSIDE
  Destination Zone : OUTSIDE
  Service-policy inspect : POLICY1
    Class-map : TOP-CLASS1 (match-any)
      Match protocol udp
      Match protocol tcp
      Action : inspect
      Parameter-map : TRACKING
    Class-map : class-default (match-any)
      Match any
      Action : drop log
      Parameter-map : Default
Inspecting Outbound Traffic (L4 only)
[Diagram: same topology, ZFW1 between Zone INSIDE (F1 .4, 172.18.1.0/24, host .10) and Zone OUTSIDE (F0 .4, 172.18.2.0/24, host .20), OUTBOUND1 Zone Policy]
%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:TOP-CLASS1): Start tcp session: initiator (172.18.1.10:22374) -- responder (172.18.2.20:23)
ZFW1# show policy-firewall session
Established Sessions = 1
 Session 498723C0 (172.18.1.10:22374)=>(172.18.2.20:23) tcp SIS_OPEN/TCP_ESTAB
  Created 00:00:19, Last heard 00:00:12
  Bytes sent (initiator:responder) [48:95]
%FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:TOP-CLASS1):Stop tcp session: initiator (172.18.1.10:22374) sent 54 bytes -- responder (172.18.2.20:23) sent 107 bytes
Inspecting Outbound Traffic (L4 only)
[Diagram: same topology, ZFW1 between Zone INSIDE (F1 .4, 172.18.1.0/24, host .10) and Zone OUTSIDE (F0 .4, 172.18.2.0/24, host .20), OUTBOUND1 Zone Policy]
Outbound connection attempt (ICMP blocked by class “class-default”):
%FW-6-DROP_PKT: Dropping icmp session 172.18.1.10:0 172.18.2.20:0 on zone-pair OUTBOUND1 class class-default due to DROP action found in policy-map with ip ident 0

Inbound connection attempt (no zone-pair defined):
%FW-6-DROP_PKT: Dropping icmp session 172.18.2.20:0 172.18.1.10:0 due to policy match failure with ip ident 0
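The audit-trail and drop messages shown on these slides are what an operations team actually monitors, so as an added example (not from the session) the Python below parses the %FW-6-SESS_AUDIT_TRAIL_START, %FW-6-SESS_AUDIT_TRAIL and %FW-6-DROP_PKT formats into records, pairs session start and stop messages to recover byte counts, and separates drops made by a policy (zone-pair and class present) from drops that point at a zoning gap (no zone-pair, interface not zoned, policy match failure). SAMPLE_LOG is constructed from the message formats on the slides; parse_line() and summarize() are names chosen for this example.

```python
"""Parse Cisco IOS ZFW syslog messages (%FW-6-*) into records and summarise them.

Added example, not part of the Cisco Live material. SAMPLE_LOG is constructed
from the message formats shown on the slides.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:TOP-CLASS1): Start tcp session: initiator (172.18.1.10:22374) -- responder (172.18.2.20:23)
%FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:TOP-CLASS1):Stop tcp session: initiator (172.18.1.10:22374) sent 54 bytes -- responder (172.18.2.20:23) sent 107 bytes
%FW-6-DROP_PKT: Dropping icmp session 172.18.1.10:0 172.18.2.20:0 on zone-pair OUTBOUND1 class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping icmp session 172.18.2.20:0 172.18.1.10:0 due to policy match failure with ip ident 0
%FW-6-DROP_PKT: Dropping icmp session 172.17.3.10:0 172.18.1.10:0 due to One of the interfaces not being cfged for zoning with ip ident 0
"""

# "(target:class)-(ZONEPAIR:CLASS)" prefix; one slide shows it with a space instead of "-"
_TC = r"\(target:class\)[- ]\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\):\s*"

START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: " + _TC +
    r"Start (?P<proto>\S+) session: initiator \((?P<src>[^)]+)\) -- responder \((?P<dst>[^)]+)\)"
)
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: " + _TC +
    r"Stop (?P<proto>\S+) session: initiator \((?P<src>[^)]+)\) sent (?P<ibytes>\d+) bytes"
    r" -- responder \((?P<dst>[^)]+)\) sent (?P<rbytes>\d+) bytes"
)
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session (?P<src>\S+) (?P<dst>\S+)"
    r"(?: on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+))? due to (?P<reason>.+?) with ip ident"
)


def parse_line(line):
    """Return a dict describing the message, or None for lines this parser ignores."""
    if m := START_RE.search(line):
        return {"kind": "start", **m.groupdict()}
    if m := STOP_RE.search(line):
        d = m.groupdict()
        d["ibytes"], d["rbytes"] = int(d["ibytes"]), int(d["rbytes"])
        return {"kind": "stop", **d}
    if m := DROP_RE.search(line):
        return {"kind": "drop", **m.groupdict()}   # zone_pair/cls are None when absent
    return None


def summarize(lines):
    """Count drops by reason, flag zoning gaps, and pair session start/stop records."""
    drops_by_reason = Counter()
    zoning_gaps = []   # drops with no zone-pair/class: missing zone config, not a policy decision
    sessions = {}      # (src, dst) -> {"zone_pair", "cls", "proto", "bytes"}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        if rec["kind"] == "drop":
            drops_by_reason[rec["reason"]] += 1
            if rec["zone_pair"] is None:
                zoning_gaps.append((rec["src"], rec["dst"], rec["reason"]))
        elif rec["kind"] == "start":
            sessions[key] = {"zone_pair": rec["zone_pair"], "cls": rec["cls"],
                             "proto": rec["proto"], "bytes": None}
        else:  # stop: bytes sent by initiator and responder
            entry = sessions.setdefault(key, {"zone_pair": rec["zone_pair"], "cls": rec["cls"],
                                              "proto": rec["proto"], "bytes": None})
            entry["bytes"] = (rec["ibytes"], rec["rbytes"])
    return {"drops_by_reason": drops_by_reason, "zoning_gaps": zoning_gaps, "sessions": sessions}
```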
ZFW: Preparing for L3 + L4 Policy
[Diagram: ZFW1 with F1 (.4) in Zone INSIDE, 172.18.1.0/24 (host .10), and F0 (.4) in Zone OUTSIDE, 172.18.2.0/24 (host .20) plus the remote network 172.22.0.0/16]

! Network Objects
object-group network INSIDE1
 172.18.1.0 255.255.255.0
!
object-group network OUT1
 172.22.0.0 255.255.0.0
!
object-group network OUT2
 host 172.18.2.20
!
! Service Objects
object-group service SVCS1
 tcp eq telnet
 tcp eq www
!
object-group service SVCS2
 udp eq ntp
!
! Sample ACL that uses object-groups
ip access-list extended ACL1
 permit object-group SVCS1 object-group INSIDE1 object-group OUT1
 permit object-group SVCS2 object-group INSIDE1 object-group OUT2
ZFW: L3 + L4 Policy (no more Interface ACLs)
[Diagram: same topology, ZFW1 between Zone INSIDE (F1, 172.18.1.0/24, host .10) and Zone OUTSIDE (F0, 172.18.2.0/24, host .20, plus 172.22.0.0/16); OUTBOUND2 Zone Policy applied from INSIDE to OUTSIDE]

class-map type inspect match-all JOINT1
 match class-map TOP-CLASS1
 match access-group name ACL1
!
policy-map type inspect POLICY2
 class type inspect JOINT1
  inspect TRACKING
 class class-default
  drop log
!
zone-pair security OUTBOUND2 source INSIDE destination OUTSIDE
 service-policy type inspect POLICY2
!
ip access-list extended ACL1
 permit object-group SVCS1 object-group INSIDE1 object-group OUT1
 permit object-group SVCS2 object-group INSIDE1 object-group OUT2
ZFW: Implementing L3 + L4 Policy

Examples of Allowed Traffic (NTP to 172.18.2.20, Telnet to 172.22.22.22):
%FW-6-SESS_AUDIT_TRAIL_START: (target:class) (OUTBOUND2:JOINT1): Start udp session: initiator (172.18.1.10:123) -- responder (172.18.2.20:123)
%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND2:JOINT1): Start tcp session: initiator (172.18.1.10:31793) -- responder (172.22.22.22:23)

Examples of Blocked Traffic due to L3 restrictions (NTP to 172.22.22.22, Telnet to 172.18.2.20):
FIREWALL*: NEW PAK 48EE1EE4 (0:172.18.1.10:123) (0:172.22.22.22:123) udp
FIREWALL*: DROP feature object 0xAAAA0028 found
%FW-6-DROP_PKT: Dropping udp session 172.18.1.10:123 172.22.22.22:123 on zone-pair OUTBOUND2 class class-default due to DROP action found in policy-map with ip ident 0
FIREWALL: ret_val 0 is not PASS_PAK

FIREWALL*: NEW PAK 48EE1EE4 (0:172.18.1.10:12803) (0:172.18.2.20:23) tcp
FIREWALL*: DROP feature object 0xAAAA0028 found
%FW-6-DROP_PKT: Dropping tcp session 172.18.1.10:12803 172.18.2.20:23 on zone-pair OUTBOUND2 class class-default due to DROP action found in policy-map with ip ident 0
FIREWALL: ret_val 0 is not PASS_PAK
ZFW, ACLs and NAT
class-map type inspect match-any TOP-CLASS2
 match protocol tcp
!
class-map type inspect match-all JOINT2
 match class-map TOP-CLASS2
 match access-group name ACL2
!
policy-map type inspect POLICY2
 class type inspect JOINT2
  inspect TRACKING
 class class-default
  drop log
!
zone-pair security INBOUND2 source OUTSIDE destination INSIDE
 service-policy type inspect POLICY2
!
ip access-list extended ACL2
 permit ip 172.18.2.0 0.0.0.255 host 10.5.5.5
!
ip nat inside source static 10.5.5.5 172.18.2.5

[Diagram: ZFW1 with F0/1.1610 (ip nat inside) in Zone INSIDE, Local Address Space 10.5.5.0/24 (server .5, real address), and F0/0 (ip nat outside) in Zone OUTSIDE, Global Address Space 172.18.2.0/24 (client .20); the server's translated address is 172.18.2.5; INBOUND2 Zone Policy applied from OUTSIDE to INSIDE]
ZFW, ACLs and NAT
%IPNAT-6-CREATED: tcp 10.5.5.5:23 172.18.2.5:23 172.18.2.20:15649 172.18.2.20:15649
FIREWALL* sis 49AD2B40: Session Created
FIREWALL* sis 49AD2B40: Pak 49182EC8 init_addr (172.18.2.20:15649) resp_addr (10.5.5.5:23) init_alt_addr (172.18.2.20:15649) resp_alt_addr (172.18.2.5:23)
FIREWALL* sis 49AD2B40: FO cls 0x4ACDB960 clsgrp 0x10000000, target 0xA0000010, FO 0x49A56880, alert = 1, audit_trail = 1, L7 = Unknown-l7, PAMID = 2
%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INBOUND2:JOINT2): Start tcp session: initiator (172.18.2.20:15649) -- responder (10.5.5.5:23)

ZFW1# show policy-firewall session
Established Sessions = 1
 Session 49AD2B40 (172.18.2.20:15649)=>(10.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB
  Created 00:00:45, Last heard 00:00:40
  Bytes sent (initiator:responder) [48:101]

[Diagram: same NAT topology (ZFW1 .4 on both sides, F0/1.1610 ip nat inside in Zone INSIDE with 10.5.5.0/24, F0/0 ip nat outside in Zone OUTSIDE with 172.18.2.0/24); callouts mark resp_addr and the session table entries as the server's real address (10.5.5.5) and resp_alt_addr as its translated address (172.18.2.5)]
ZFW: Transparent Mode Operation
[Diagram: ZFW1 in transparent mode between R1 (10.5.5.1) and R2 (10.5.5.2) on network 10.5.5.0/24; interfaces F0/1.1610 and F0/0 are in bridge-group 1, one in Zone INSIDE and the other in Zone OUTSIDE; OUTBOUND1 Zone Policy applied from INSIDE to OUTSIDE]

class-map type inspect match-any BASIC1
 match protocol udp
 match protocol icmp
 match protocol tcp
!
policy-map type inspect POLICY1
 class type inspect BASIC1
  inspect TRACKING
 class class-default
  drop log
!
zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
 service-policy type inspect POLICY1

ZFW1# show policy-firewall session
Established Sessions = 1
 Session 49AD3240 (10.5.5.1:56643)=>(10.5.5.2:23) tcp SIS_OPEN/TCP_ESTAB
  Created 00:00:25, Last heard 00:00:13
  Bytes sent (initiator:responder) [48:95]

%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:BASIC1): Start tcp session: initiator (10.5.5.1:56643) -- responder (10.5.5.2:23)
ZFW: Use Case for Transparent Mode
[Diagram: ZFW1 in transparent mode on network 192.168.2.0/24; Fast0 in Zone WIRELESS (WIRELESS AP, WLAN Client) and Fast1 in Zone WIRED (servers .101 for SMTP and .102 for HTTPS); INBOUND1 Zone Policy applied from WIRELESS to WIRED]

class-map type inspect match-any BASIC1
 match protocol tcp
!
class-map type inspect match-all JOINT1
 match class-map BASIC1
 match access-group name ACL1
!
policy-map type inspect POLICY1
 class type inspect JOINT1
  inspect TRACKING
 class class-default
  drop log
!
zone-pair security INBOUND1 source WIRELESS destination WIRED
 service-policy type inspect POLICY1
!
ip access-list extended ACL1
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.101 eq 25
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.102 eq 443
ZFW and L7 Inspection, Use Case 1: FTP inspection within a NAT environment
[Diagram: ZFW1 with Fast0 and Fast1; the Client (.X) sits on 192.168.2.0/24 in Zone INSIDE (ip nat inside, Local Address Space) and the FTP server 172.17.11.102 in Zone OUTSIDE (ip nat outside, Global Address Space); NAT presents the server's real address 172.17.11.102 as the translated address 192.168.2.102; OUTBOUND1 Zone Policy applied from INSIDE to OUTSIDE]

class-map type inspect match-any L7-CLASS1
 match protocol ftp
!
policy-map type inspect POLICY1
 class type inspect L7-CLASS1
  inspect TRACKING
 class class-default
  drop log
!
zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
 service-policy type inspect POLICY1
!
ip nat outside source static 172.17.11.102 192.168.2.102 add-route
ZFW and L7 Inspection, Use Case 1: FTP inspection within a NAT environment
[Diagram: same NAT topology, client on 192.168.2.0/24 in Zone INSIDE, FTP server 172.17.11.102 (translated to 192.168.2.102) in Zone OUTSIDE, OUTBOUND1 Zone Policy]

FTP Control Session:
%IPNAT-6-CREATED: tcp 192.168.2.72:36886 192.168.2.72:36886 192.168.2.102:21 172.17.11.102:21
%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:L7-CLASS1): Start ftp session: initiator (192.168.2.72:36886) -- responder (172.17.11.102:21)

Sample FTP Data Session:
%IPNAT-6-CREATED: tcp 192.168.2.72:51974 192.168.2.72:51974 192.168.2.102:20 172.17.11.102:20
%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:L7-CLASS1): Start ftp-data session: initiator (172.17.11.102:20) -- responder (192.168.2.72:51974)
%FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:L7-CLASS1): Stop ftp-data session: initiator (172.17.11.102:20) sent 350 bytes -- responder (192.168.2.72:51974) sent 0 bytes
ZFW and L7 Inspection, Use Case 2: L7 inspection on non-standard ports
[Diagram: ZFW1 with Fast0 in Zone INSIDE, 192.168.2.0/24 (client .200), and Fast1 in Zone OUTSIDE, 172.17.3.0/24 (web server .40, where HTTP runs on ports 2002-2003); OUTBOUND1 Zone Policy applied from INSIDE to OUTSIDE]

Inspection of HTTP on non-standard ports:

class-map type inspect match-any HTTP-CLASS
 match protocol http
!
policy-map type inspect POLICY1
 class type inspect HTTP-CLASS
  inspect TRACKING
 class class-default
  drop log
!
zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
 service-policy type inspect POLICY1
!
access-list 1 permit 172.17.3.40
ip port-map http port tcp from 2002 to 2003 list 1
ZFW and L7 Inspection, Use Case 2: L7 inspection on non-standard ports
[Diagram: same topology, client 192.168.2.200 in Zone INSIDE, web server 172.17.3.40 in Zone OUTSIDE listening on ports 2002-2003, OUTBOUND1 Zone Policy]

ZFW1# show ip port-map http
Default mapping:  http  tcp port 80  system defined
Host specific:    http  tcp port 2002-2003  in list 1  user defined

HTTP Session (L7 = http):
FIREWALL* sis 84294160: Session Created
FIREWALL* sis 84294160: Pak 83CBFCFC init_addr (192.168.2.200:1065) resp_addr (172.17.3.40:2002) init_alt_addr (192.168.2.200:1065) resp_alt_addr (172.17.3.40:2002)
FIREWALL* sis 84294160: FO cls 0x84F8EB80 clsgrp 0x10000000, target 0xA0000000, FO 0x849600E0, alert = 1, audit_trail = 1, L7 = http, PAMID = 5
FIREWALL* sis 84294160: Allocating L7 sis extension L4 = tcp, L7 = http, PAMID = 5
%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:HTTP-CLASS): Start http session: initiator (192.168.2.200:1065) -- responder (172.17.3.40:2002)
ZFW and L7 Inspection, Use Case 3: Filtering on HTTP Response Header
[Diagram: ZFW1 with Fast0 in Zone INSIDE, 192.168.2.0/24 (client .200), and Fast1 in Zone OUTSIDE, 172.17.3.0/24 (HTTP server .30); OUTBOUND1 Zone Policy applied from INSIDE to OUTSIDE]

! Top-level class-map
class-map type inspect match-any HTTP-CLASS
 match protocol http
!
! Application-specific class-map
class-map type inspect http match-any HTTP1
 match response header set-cookie
!
! Application-specific policy-map
policy-map type inspect http WEB1
 class type inspect http HTTP1
  reset log
!
! Top-level policy-map
policy-map type inspect POLICY1
 class type inspect HTTP-CLASS
  inspect TRACKING
  service-policy http WEB1
 class class-default
  drop log
!
zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
 service-policy type inspect POLICY1
ZFW and L7 Inspection, Use Case 3: Filtering on HTTP Response Header
[Diagram: same topology, client 192.168.2.200 in Zone INSIDE, HTTP server 172.17.3.30 in Zone DMZ, OUTBOUND1 Zone Policy]

%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:HTTP-CLASS): Start http session: initiator (192.168.2.200:43005) -- responder (172.17.3.30:80)
FIREWALL* sis 84283A40: match-info tocken in cce_sb 849BA240 - class 3221225494; filter 31; val1 0; val2 0; str set-cookie, log on, reset on
%APPFW-4-HTTP_HDR_FIELD_REGEX_MATCHED: Header field (set-cookie) matched - resetting session 172.17.3.30:80 192.168.2.200:43005 on zone-pair OUTBOUND1 class HTTP-CLASS appl-class HTTP1
Use Case: ZFW and IPSec VPNs, Inspecting tunneled traffic
[Diagram: Classic IPSec Site-to-Site Tunnel between 172.16.201.1 and 172.16.200.1 over interface f0 (OUT); the ZFW has zone VPN (tunnel side, remote LAN 10.20.20.0/24) and zone DMZ (Vlan 10, 10.21.21.0/24); VPN-DMZ Zone Policy applied from VPN to DMZ]

! Protocols allowed inside the tunnel
class-map type inspect match-any APPS1
 match protocol syslog
 match protocol ftp
 match protocol icmp
!
class-map type inspect match-all OUT1
 match class-map APPS1
 match access-group 120
!
policy-map type inspect INBOUND1
 class type inspect OUT1
  inspect TRACKING
 class class-default
  drop log
!
zone-pair security VPN-DMZ source VPN destination DMZ
 service-policy type inspect INBOUND1
!
access-list 120 permit ip 10.20.20.0 0.0.0.255 10.21.21.0 0.0.0.255
ZFW: Inspection of Router Traffic System-defined zone “self” includes router addresses
[Diagram: ZFW1 with interfaces F4.200 and F4.201 (.2) in Zone OUTSIDE facing 172.21.21.0/24 (host .21), 172.22.22.0/24 (host .22) and 172.20.20.0/24 (R1, R2); the router addresses 10.10.10.1 and 172.20.20.1 belong to Zone self; OUT-SELF Zone Policy applied from OUTSIDE to self]

object-group network RTR-ADDR
 host 10.10.10.1
 host 172.20.20.1
!
object-group network OUT1
 172.20.20.0 255.255.255.0
!
ip access-list extended PING1
 permit icmp object-group OUT1 object-group RTR-ADDR echo
!
class-map type inspect match-all ICMP1
 match access-group name PING1
!
policy-map type inspect OUT-FW1
 class type inspect ICMP1
  inspect TRACKING
 class class-default
  drop log
!
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUT-FW1
[Diagram: same topology as the previous slide, Zone OUTSIDE interfaces F4.200 and F4.201, Zone self router addresses 10.10.10.1 and 172.20.20.1, OUT-SELF Zone Policy]

%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUT-SELF:ICMP1):Start icmp session: initiator (172.20.20.2:0) -- responder (172.20.20.1:0)
%FW-6-DROP_PKT: Dropping icmp session 172.21.21.21:0 172.20.20.1:0 on zone-pair OUT-SELF class class-default due to DROP action found in policy-map with ip ident 0
The default operation of the ZFW is to allow traffic to and from the router interfaces
Special zone called “self” handles router traffic
Policies that involve the “self” zone are unidirectional in nature
ICMP to router address 172.20.20.1 (from a valid source) is permitted
ICMP to router address 172.20.20.1 (from a non-acceptable source) is dropped
ZFW: Inspection of Router Traffic System-defined zone “self” includes router addresses
Control the Addresses allowed to manage the ZFW router
Control the acceptable IPSec peers for the ZFW router
Determine the acceptable peers for IPv6 over v4 tunneling
Control the UC elements (Gateways, Gatekeepers, Call Managers) that can exchange signalling with the ZFW router
Zone Self: Use Cases
For Your Reference: ZFW Intrazone Policies
Change in default behavior introduced by IOS 15.X

On IOS 12.X releases, traffic between interfaces belonging to the same zone was allowed to pass without inspection.
On IOS 12.X releases it was not possible to define intrazone ZFW policies:
ZFW2(config)# zone-pair sec INTRAZONE2 source INSIDE destination INSIDE
% Same zone cannot be defined as both the source and destination

Starting on IOS 15.0(1)M, intrazone traffic is blocked by default.
IOS 15.X allows the creation of Intrazone Policies (source and destination of traffic in the same zone).
ZFW: Sample Intrazone Policy
class-map type inspect match-any TOP-CLASS2
 match protocol icmp
 match protocol udp
!
policy-map type inspect POLICY2
 class type inspect TOP-CLASS2
  inspect TRACKING
 class class-default
  drop log
!
zone-pair security INTRAZONE1 source INSIDE destination INSIDE
 service-policy type inspect POLICY2
[Diagram: ZFW1 with Fast0 and Fast1 (.1 on each network) both in Zone INSIDE, connecting 10.10.6.0/24 (host .6) and 10.10.10.0/24 (NTP Server .200); INTRAZONE1 Zone Policy applied from INSIDE to INSIDE]
ZFW: Sample Intrazone Policy
[Diagram: same topology, Fast0 and Fast1 both in Zone INSIDE, host 10.10.6.6 and NTP Server 10.10.10.200, INTRAZONE1 Zone Policy]

ZFW1# show zone security INSIDE
zone INSIDE
  Member Interfaces:
    FastEthernet0
    FastEthernet1

ZFW1# show zone-pair security
Zone-pair name INTRAZONE1
    Source-Zone INSIDE  Destination-Zone INSIDE
    service-policy POLICY2

ZFW1# show policy-firewall session
Established Sessions = 1
 Session 49CFB240 (10.10.6.6:123)=>(10.10.10.200:123) udp SIS_OPEN
  Created 00:00:29, Last heard 00:00:29
  Bytes sent (initiator:responder) [48:48]
User-based Access Control
Is there a way to grant access on a per-user basis?
Is it possible to control access to any kind of application?
Is there accounting support?
Is this type of control stateful?
[Diagram: user1 and user2 reaching servers SRV1 and SRV2 through the firewall; the two questions it must answer are "Who is the user?" and "What Resource?"]
Basic Instrumentation for Identity: Auth-Proxy
1. User telnets to Server SRV1 (Telnet 172.26.26.26)
2. Auth-Proxy intercepts packet and presents authentication prompt to user
3. ZFW consults RADIUS Server
4. RADIUS Server replies with Authorization Profile (or Access Reject)
5. User allowed to access Destination Host
[Diagram: End User (.100) on 172.16.100.0/24 behind interface F1 of the Gateway; SRV1 (.26) on 172.26.26.0/24 behind F0; CS-ACS on the Management Network; steps 1 to 5 numbered on the diagram, with the Auth-proxy Prompt at step 2]
Preparing for Auth-Proxy
(For Your Reference)

! *** Instructing the NAS to receive, send and process RADIUS VSAs
radius-server vsa send accounting
radius-server vsa send authentication
!
! *** AAA Server Definitions: defining and using an AAA server-group called "RADIUS1"
aaa group server radius RADIUS1
 server 192.168.1.200 auth-port 1812 acct-port 1813
 server-private 192.168.1.200 auth-port 1812 acct-port 1813 key 7 #####
!
aaa authentication login default group RADIUS1
aaa authorization network default group RADIUS1
aaa authorization auth-proxy default group RADIUS1
aaa accounting auth-proxy default start-stop group RADIUS1
!
! *** Defining an ACL to be applied to the same interface as Auth-Proxy
access-list 100 permit udp host 192.168.1.200 eq 1812 host 192.168.2.1
access-list 100 permit udp host 192.168.1.200 eq 1813 host 192.168.2.1
access-list 100 permit tcp any 172.26.26.0 0.0.0.255 eq telnet
!
! *** Auth-Proxy Triggering Protocol: defining the Auth-Proxy policy to intercept Telnet traffic
ip admission name ADMISSION1 proxy telnet
!
! *** Enabling Auth-Proxy: applying the Auth-Proxy policy to interface F1 (Auth-Proxy incoming interface)
interface FastEthernet1
 ip access-group 100 in
 ip admission ADMISSION1
Auth-Proxy in action: Delivering Individual ACEs
! *** Auth-Proxy Starts: Telnet Session is intercepted by Auth-Proxy process (before reaching interface ACL)
AUTH-PROXY creates info:
    cliaddr - 172.16.100.100, cliport - 1562
    seraddr - 172.26.26.26, serport - 23
    ip-srcaddr 172.16.100.100
    pak-srcaddr 0.0.0.0
!
! *** NAS (IOS-Router) sends request to CS-ACS and receives individual ACEs (proxyacl)
RADIUS(0000000C): Send Access-Request to 192.168.1.200:1812 id 1645/12, len 104
RADIUS: authenticator 73 DC D7 7B 91 B4 61 38 - 4E 65 CB A5 B3 4F AD 9D
! (User Identification)
RADIUS: User-Name [1] 7 "user1"
! [...]
RADIUS: Received from id 1645/12 192.168.1.200:1812, Access-Accept, len 148
RADIUS: authenticator ED 65 FB F6 64 B9 33 6D - A3 5E B8 5F 14 36 D4 21
RADIUS: Vendor, Cisco [26] 19
RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
! (ACEs Received)
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "proxyacl#1=permit tcp any any eq 22"
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "proxyacl#2=permit tcp any any eq 23"

ACS Definitions (ACS/Group Settings: GROUP1):
[009\001] cisco-av-pair
 priv-lvl=15
 proxyacl#1=permit tcp any any eq 22
 proxyacl#2=permit tcp any any eq 23
Auth-Proxy in action: Delivering Individual ACEs

! *** User-IP Mapping
IOS-FW# show ip auth-proxy cache
Authentication Proxy Cache
 Client Name user1, Client IP 172.16.100.100, Port 1562, timeout 60, Time Remaining 60, state INTERCEPT
!
! *** Details about the current Auth-Proxy session (ACEs assigned to User)
IOS-FW# show epm session ip 172.16.100.100
    Admission feature : Authproxy
    AAA Policies :
    Proxy ACL : permit tcp any any eq 22
    Proxy ACL : permit tcp any any eq 23
!
! *** Viewing Dynamic Entries added to the interface ACL
IOS-FW# show access-list 100
Extended IP access list 100
    permit tcp host 172.16.100.100 any eq 22 (18 matches)
    permit tcp host 172.16.100.100 any eq telnet (70 matches)
    10 permit udp host 192.168.1.200 eq 1812 host 192.168.2.1 (1 match)
    20 permit udp host 192.168.1.200 eq 1813 host 192.168.2.1 (1 match)
    30 permit tcp any 172.26.26.0 0.0.0.255 eq telnet (2 matches)
Scalability and Manageability: Auth-Proxy with Downloadable ACLs

! *** NAS sends Access Request to CS-ACS and receives name of the DACL to be applied
RADIUS(00000006): Send Access-Request to 192.168.1.200:1812 id 1645/4, len 104
RADIUS: authenticator 67 06 F7 BB F1 81 BE 96 - 29 2D C9 24 89 00 2B 31
! (User Identification)
RADIUS: User-Name [1] 7 "user1"
[...]
RADIUS: Received from id 1645/4 192.168.1.200:1812, Access-Accept, len 124
RADIUS: authenticator 6D 19 94 84 EF C0 28 C3 - EF AB 8E FE 1F E9 7B 28
RADIUS: Vendor, Cisco [26] 19
RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
! (Name of dACL is received)
RADIUS: Vendor, Cisco [26] 62
RADIUS: Cisco AVpair [1] 56 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-DACL1-4aac618d"
[...]
!
! *** NAS sends second Access Request using DACL name as username (null password)
RADIUS(00000000): Send Access-Request to 192.168.1.200:1812 id 1645/5, len 134
RADIUS: authenticator 94 3C 9D F1 C1 93 25 2A - F3 9E DA C9 B0 15 FC B2
RADIUS: NAS-IP-Address [4] 6 172.21.21.1
! (dACL used as username)
RADIUS: User-Name [1] 28 "#ACSACL#-IP-DACL1-4aac618d"
RADIUS: Vendor, Cisco [26] 32
RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
RADIUS: Vendor, Cisco [26] 30
RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
!
! *** ACS sends second Response containing the individual entries of the Downloadable ACL
RADIUS: Received from id 1645/5 192.168.1.200:1812, Access-Accept, len 179
RADIUS: authenticator 69 A2 A7 BB 15 AF 3C EB - A3 D7 12 F0 F5 04 54 F2
! (Individual ACEs downloaded)
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80"
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "ip:inacl#2=permit icmp any any echo"
Scalability and Manageability: Auth-Proxy with Downloadable ACLs

! *** User-IP Mapping
IOS-FW# show ip auth-proxy cache
Authentication Proxy Cache
 Client Name user1, Client IP 172.16.100.100, Port 1085, timeout 60, Time Remaining 60, state INTERCEPT
!
! *** dACL assigned to User
IOS-FW# show epm session ip 172.16.100.100
    Admission feature : Authproxy
    AAA Policies :
    ACS ACL : xACSACLx-IP-DACL1-4aac618d
!
! *** dACL details, after Auth-Proxy “user1” uses PING and WWW services
IOS-FW# show access-list
Extended IP access list 100
    permit tcp host 172.16.100.100 any eq www (12 matches)
    permit icmp host 172.16.100.100 any echo (4 matches)
    10 permit udp host 192.168.1.200 eq 1812 host 192.168.2.1 (2 matches)
    20 permit udp host 192.168.1.200 eq 1813 host 192.168.2.1 (2 matches)
    30 permit tcp any 172.26.26.0 0.0.0.255 eq telnet (31 matches)
Extended IP access list xACSACLx-IP-DACL1-4aac618d (per-user)
    10 permit tcp any any eq www
    20 permit icmp any any echo
User-based Zone Firewall
1. User telnets to Server
2. Auth-Proxy intercepts packet and prompt is presented to user
3. RADIUS Server sends “supplicant-group” VSA to IOS-FW
4. User to group mapping is created
5. Zone Policy Firewall created on a per-group basis
[Diagram: End User (.100) on 172.16.100.0/24 behind F1 of the Gateway ZFW1 (Zone INSIDE, Auth-Proxy applied); SRV1 (.26) on 172.26.26.0/24 behind F0 (Zone OUTSIDE); CS-ACS on the Management Network; OUTBOUND1 Zone Policy applied from INSIDE to OUTSIDE]
User-based ZFW: Receiving Group Information

ACS Definitions (ACS/Group Settings: ENG):
[009\001] cisco-av-pair
 priv-lvl=15
 supplicant-group=ENG

! *** Router receives “supplicant-group”
RADIUS: Received from id 1645/21 192.168.1.200:1812, Access-Accept, len 93
RADIUS: authenticator 43 A9 2F 23 EC 7F 7B 19 - B5 AF 6D 1B 40 81 85 25
RADIUS: Vendor, Cisco [26] 19
RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
RADIUS: Vendor, Cisco [26] 31
RADIUS: Cisco AVpair [1] 25 "supplicant-group=ENG"

ZFW1# show ip auth-proxy cache
Authentication Proxy Cache
 Client Name user1, Client IP 172.16.100.100, Port 1108, timeout 60, Time Remaining 60, state INTERCEPT
!
! *** Supplicant-group visibility
ZFW1# show epm session ip 172.16.100.100
    Admission feature : Authproxy
    AAA Policies :
    Supplicant-Group : ENG
!
! *** Local Usergroup information
ZFW1# show user-group
Usergroup : ENG
------------------------------------------------------------------------
User Name        Type    Interface        Learn    Age (min)
------------------------------------------------------------------------
172.16.100.100   IPv4    FastEthernet1    Dynamic  0
49
User-based ZFW: Leveraging Group Information
class-map type inspect match-all ENG1
 match user-group ENG
 match protocol tcp
class-map type inspect match-all ENG2
 match user-group ENG
 match protocol icmp
class-map type inspect match-all MKT1
 match user-group MKT
 match protocol tcp
!
policy-map type inspect OUT1
 class type inspect ENG1
  inspect
 class type inspect ENG2
  inspect
  police rate 32000 burst 6000
 class type inspect MKT1
  inspect
 class class-default
  drop log
User-based Firewall renders Auth-Proxy stateful
!* Defining zones and zone-pairs
zone security INSIDE
zone security OUTSIDE
!
zone-pair security OUTBOUND source INSIDE destination OUTSIDE
 service-policy type inspect OUT1
!
! * Defining an Auth-Proxy policy to intercept Telnet traffic
ip admission name ADMISSION1 proxy telnet inactivity-time 60
!
! * Assigning interfaces to zones and applying the Auth-Proxy policy
interface FastEthernet1
 ip admission ADMISSION1
 zone-member security INSIDE
!
interface FastEthernet0
 zone-member security OUTSIDE
Matching on “User-group” Zone Definitions
50
New Development – IP/SGT Mapping on ISR G2
Topology (figure): ISR-EDGE2 with an embedded switch (EHWIC-SW) and the Identity Services Engine (ISE); steps 1-3 below are numbered in the diagram.
1. Dot1X process used to obtain user credentials on embedded switch
2. RADIUS Authentication takes place
3. ISE sends Security Group Tag (SGT) as a RADIUS Authorization Attribute
SGT/IP Mapping is available on the ISR device (no matter if user authentication was performed using Dot1X or Auth-Proxy)
51
New Development – IP/SGT Mapping on ISR G2
Topology (figure): ISR-EDGE1 authenticating a user at 192.168.12.12 against the Identity Services Engine (ISE); steps 1-3 below are numbered in the diagram.
1. Auth-Proxy process used to obtain user credentials
2. RADIUS Authentication takes place
3. ISE sends Security Group Tag (SGT) as a RADIUS Authorization Attribute

ISR-EDGE1# show epm session ip 192.168.12.12
Admission feature: AUTHPROXY
AAA Policies:
SGT: 0004-0
52
SXP: SGT Exchange Protocol
Topology (figure): ISR-EDGE1 (SXP Speaker) ---- SXP ----> ISR-CENTRAL (SXP Listener)

ISR-EDGE1# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
===================================
172.19.37.1             2       INTERNAL
172.19.38.1             2       INTERNAL
192.168.2.25            2       INTERNAL
192.168.10.2            2       INTERNAL
192.168.11.1            2       INTERNAL
192.168.12.1            2       INTERNAL
192.168.12.12           4       LOCAL

IP-SGT Active Bindings Summary
====================================
Total number of LOCAL    bindings = 1
Total number of INTERNAL bindings = 6
Total number of active   bindings = 7

ISR-CENTRAL# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
====================================
172.19.37.1             2       SXP
172.19.38.1             2       SXP
192.168.2.25            2       SXP
192.168.10.2            2       SXP
192.168.11.1            2       SXP
192.168.12.1            2       SXP
192.168.12.12           4       SXP

IP-SGT Active Bindings Summary
====================================
Total number of SXP      bindings = 7
Total number of active   bindings = 7
53
Building ZFW Policies based on Security Group Tags
Topology (figure): ISR-CENTRAL with F1 in Zone INSIDE and F0 in Zone OUTSIDE; Incoming Packets (Hdr | Data) arrive from Edge-1, Edge-2 ... Edge-n, and the IP Address -> SGT table held on ISR-CENTRAL (for example 192.168.1.1 -> 3) lets the firewall classify them by tag.

class-map type inspect match-all EMPLOYEES
 match class-map CLASS1
 match class-map SGT1
!
class-map type inspect match-any CLASS1
 match protocol http
 match protocol telnet
 match protocol ssh
 match protocol icmp
!
class-map type inspect match-any SGT1
 match security-group source tag 3
54
Revisiting the IP Header (For Your Reference)
IPv4 header (each row is 32 Bits):
 Vers (4) | Hlen (4) | TOS (8) | Total Length (16)
 Identification (16) | Flags (3) | FRAG Offset (13)
 TTL (8) | Protocol (8) | Header Checksum (16)
 SRC IP Address (32)
 DST IP Address (32)
 (IP OPTIONS) (PAD)
Field notes:
 Vers: Version Number
 Hlen: IP Header Length, measured in 4 Bytes (32-bit words)
 Total Length: Total IP Datagram Length, measured in Octets (including Payload and Header)
 Flags Field: Rsvd (=0), DF, MF
 TTL: Time to Live, decremented 1 unit by each Router along the Path
 Protocol: indicates the Upper Layer Protocol
 Header Checksum: provides integrity of the IP Header
 PAD: ensures the Header Length is exactly a multiple of 32 Bits
56
How Fragments are created (For Your Reference)
Figure: an Original Datagram (IP Header + 600 Bytes of data) is split into Fragment 1, Fragment 2 and Fragment 3 (Header 1/2/3 + 160 Bytes each) and Fragment 4 (Header 4 + 120 Bytes).

Packet    Total Length  L3 Data Length  ID Number  Rsvd Bit  DF Bit  MF Bit  Fragment Offset (Multiple of 8 bytes)  Flags/Offset (16-bit word)
Original  620           600             0x6E81     0         0       0       0                                      0x0000
Frag 1    180           160             0x6E81     0         0       1       0                                      0x2000
Frag 2    180           160             0x6E81     0         0       1       160 = 8 x 20 (0x14)                    0x2014
Frag 3    180           160             0x6E81     0         0       1       320 = 8 x 40 (0x28)                    0x2028
Frag 4    140           120             0x6E81     0         0       0       480 = 8 x 60 (0x3C)                    0x003C
57
Examples of Fragmentation-based Attacks
Tiny Fragment Attack: employs very small TCP packets, crafted so that a part of the L4 header (for instance including the Flags field) travels in the second fragment. With such an approach the attacker hopes that only the first fragment will be examined and the remaining ones will be allowed through.
Overlapping Fragments Attack: the offset of a certain fragment overlaps with the offset of another. This attack class may be used either with the intent of causing DoS (such as with the UDP Teardrop exploit) or in an attempt to overwrite the data portion of previous fragments in the chain and circumvent defense systems.
Overflowing the Reassembly Buffer: an excessive number of incomplete datagrams is held in the receiving host waiting for reassembly.
For Your Reference
58
Handling IP Fragmentation
IOS-FW# show access-list 101
Extended IP access list 101
    10 permit tcp any any fragments (1081 matches)
    20 permit tcp any any (1082 matches)
    30 permit udp any any fragments (360 matches)
    40 permit udp any any (361 matches)
    50 permit icmp any any fragments
    60 permit icmp any any
    70 permit ip any any fragments
    80 permit ip any any
The keyword ‘fragments’ on IOS ACLs filters non-initial fragments
This kind of ACL may be used to provide quick visibility of types of traffic generating fragments (TCP, UDP, ICMP, etc)
Non-initial frags
59
Handling IP Fragmentation Virtual Fragment Reassembly (VFR)
interface FastEthernet1
 ip virtual-reassembly max-fragments 3

%IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet1: Too many fragments per datagram (more than 3) - sent by 172.18.2.122, destined to 172.18.1.30

interface FastEthernet1
 ip virtual-reassembly max-fragments 5 max-reassemblies 100 timeout 8
!
IOS-FW# show ip virtual-reassembly f1
FastEthernet1:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 100
   Fragments per reassembly (max-fragments): 5
   Reassembly timeout (timeout): 8 seconds
   Drop fragments: OFF
   Current reassembly count:100
   Current fragment count:300
   Total reassembly count:0
   Total reassembly timeout count:53

%IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet1: the fragment table has reached its maximum threshold 100
Frag Table Overflow
Excess Frags/packet
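The fragment table from the "How Fragments are created" slide and the VFR limits above, worked through as an added Python example (not from the session): it computes the Flags/Offset word of each fragment of the 600-byte datagram and applies the kind of checks a reassembly engine makes before the datagram is let through (too many fragments per datagram, overlapping offsets, an initial fragment too small to carry a TCP header). The 20-byte minimum for the initial fragment is an assumption of this example.

```python
"""Added example (not from the slides): IPv4 fragmentation fields and VFR-style
sanity checks (too many fragments, overlaps, tiny initial fragment)."""
from dataclasses import dataclass
from typing import List

IP_HDR = 20          # header length without options (Hlen = 5 words)
MF = 0x2000          # More Fragments bit in the 16-bit flags/offset word
DF = 0x4000          # Don't Fragment bit (unused here, shown for completeness)


@dataclass
class Fragment:
    ident: int
    total_length: int   # IP Total Length (header + carried data)
    data_length: int    # L3 data carried in this fragment
    more: bool          # MF bit
    offset: int         # fragment offset in bytes (multiple of 8)

    @property
    def flags_offset(self) -> int:
        """16-bit word as it appears on the wire: flags (3 bits) + offset/8 (13 bits)."""
        return (MF if self.more else 0) | (self.offset // 8)


def fragment(ident: int, data_len: int, mtu: int) -> List[Fragment]:
    """Split `data_len` bytes of payload into fragments that fit `mtu`.
    Every fragment but the last carries a multiple of 8 bytes, because the
    offset field is expressed in 8-byte units."""
    per_frag = (mtu - IP_HDR) // 8 * 8
    frags, off = [], 0
    while off < data_len:
        chunk = min(per_frag, data_len - off)
        last = off + chunk >= data_len
        frags.append(Fragment(ident, IP_HDR + chunk, chunk, not last, off))
        off += chunk
    return frags


def check_fragments(frags: List[Fragment], max_fragments: int = 5,
                    min_first_bytes: int = 20) -> List[str]:
    """Return the reasons a VFR-like reassembly would flag this fragment chain.
    `min_first_bytes` is an assumption of this example: the initial fragment must
    carry at least a full 20-byte TCP header so L4 filtering can see the flags."""
    issues = []
    if len(frags) > max_fragments:
        issues.append(f"too many fragments ({len(frags)} > {max_fragments})")
    chain = sorted(frags, key=lambda f: f.offset)
    first = chain[0] if chain and chain[0].offset == 0 else None
    if first is not None and first.more and first.data_length < min_first_bytes:
        issues.append(f"tiny initial fragment ({first.data_length} bytes)")
    end = 0
    for f in chain:
        if f.offset < end:                       # starts before the previous one ended
            issues.append(f"overlapping fragment at offset {f.offset}")
        end = max(end, f.offset + f.data_length)
    return issues


if __name__ == "__main__":
    # The slide's datagram: ID 0x6E81, 600 bytes of data, 180-byte fragments.
    for f in fragment(0x6E81, 600, 180):
        print(f"len={f.total_length:4d} data={f.data_length:3d} MF={int(f.more)} "
              f"offset={f.offset:3d} flags/offset=0x{f.flags_offset:04X}")
    # Constructed chains: a 4-fragment datagram against max-fragments 3 (as in the
    # VFR log above), an 8-byte initial fragment, and an overlapping fragment.
    print(check_fragments(fragment(0x6E81, 600, 180), max_fragments=3))
    print(check_fragments([Fragment(1, 28, 8, True, 0), Fragment(1, 36, 16, False, 8)]))
    print(check_fragments([Fragment(1, 44, 24, True, 0), Fragment(1, 36, 16, False, 16)]))
```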
60
Filtering based on the IP TTL Field
IOS-FW# show access-list TTL
Extended IP access list TTL
    10 deny tcp any any ttl lt 30 log (5 matches)
    20 deny udp any any ttl lt 30 log
    30 deny icmp any any ttl lt 30 log
    40 permit tcp any host 172.16.251.251 eq www (2 matches)
    50 permit tcp any host 172.16.251.251 eq 443

%SEC-6-IPACCESSLOGP: list TTL denied tcp 172.16.250.202(17002) -> 172.16.251.251(80), 1 packet

IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 source address ipv4 protocol ipv4 ttl
Processed 3 flows
Aggregated to 3 flows

IPV4 SRC ADDR    IP PROT  IP TTL       flows       bytes        pkts
===============  =======  ======  ==========  ==========  ==========
172.16.250.201         6      37           1         500           1
172.16.250.202         6      12           1         500           1
172.16.250.208         6      50           1         500           1
Denied due to low TTL
Low TTL
61
Revisiting the TCP and UDP Headers (For Your Reference)
TCP segment (bits 0..15 | 16..31; 20B header without options):
 Src port (16) | Dest. port (16)
 Sequence # (32)
 Acknowledgement # (32)
 HLEN (4) | RSVD (6) | FLAGS (6: URG ACK PSH RST SYN FIN) | Window Size (16)
 Checksum (16) | Urgent Pointer (16)
 (TCP Options)

TCP Flags Field
Flag  Meaning
URG   Urgent Pointer field is valid
ACK   Acknowledgment field is valid
PSH   This Segment requests a push
RST   Reset the connection
SYN   Synchronize Sequence numbers
FIN   End of Byte Stream for Sender

UDP Datagram (bits 0..15 | 16..31):
 Source Port (16) | Destination Port (16)
 Length (16) | UDP Checksum (16)
 Data (if any)
62
Filtering based on the TCP Flags field
IOS-FW# show access-list TCPFLAGS
Extended IP access list TCPFLAGS
    10 deny tcp any any match-all +fin +psh +urg
    20 deny tcp any any match-all -ack -fin -psh -rst -syn -urg
    30 deny tcp any any match-all +ack +rst
    40 permit tcp any any match-all -ack -fin -psh -rst +syn -urg
    50 permit tcp any any match-all +ack -fin -psh -rst -syn -urg
    60 permit tcp any any match-all +ack +psh -syn -urg
    70 permit tcp any any match-all -ack -psh +rst -syn -urg

IOS-FW# show flow monitor FLEX1 cache aggregate transport tcp flags transport destination-port ipv4 destination address
Processed 15 flows
Aggregated to 4 flows

IPV4 DST ADDR    TRNS DST PORT  TCP FLAGS       flows       bytes   pkts
===============  =============  =========  ==========  ==========  =====
172.16.251.251              80       0x14           4         640      4
172.16.251.251              80       0x15           4         640      4
172.16.251.251              80       0x16           4         640      4
172.16.251.251              80       0x17           3         480      3

Flags Field (callouts, one per ACL line, decimal = hex):
 Flags = 41 = 0x29
 Flags = 00 = 0x00
 Flags = 20 = 0x14
 Flags = 02 = 0x02
 Flags = 16 = 0x10
 Flags = 24 = 0x18
 Flags = 01 = 0x01
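How the match-all +/- conditions of the TCPFLAGS access list resolve against the TCP Flags values seen in the flow cache, as an added Python example (not from the session). Standard TCP flag bit values are assumed (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20); the evaluator uses first-match semantics with an implicit deny, as an IOS ACL does.

```python
"""Added example (not from the slides): evaluate a TCP-flags ACL written with
`match-all +flag/-flag` conditions against observed flag values."""
import re
from typing import List, Optional, Tuple

FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20}

# The ACL exactly as shown by `show access-list TCPFLAGS` on the slide.
TCPFLAGS_ACL = """
10 deny tcp any any match-all +fin +psh +urg
20 deny tcp any any match-all -ack -fin -psh -rst -syn -urg
30 deny tcp any any match-all +ack +rst
40 permit tcp any any match-all -ack -fin -psh -rst +syn -urg
50 permit tcp any any match-all +ack -fin -psh -rst -syn -urg
60 permit tcp any any match-all +ack +psh -syn -urg
70 permit tcp any any match-all -ack -psh +rst -syn -urg
"""

ACE = Tuple[int, str, int, int]   # (sequence, action, must-be-set mask, must-be-clear mask)


def parse_acl(text: str) -> List[ACE]:
    """Turn each `match-all` line into a pair of bit masks: +flag bits must be set,
    -flag bits must be clear, flags not mentioned are don't-care."""
    aces = []
    for line in text.strip().splitlines():
        m = re.match(r"(\d+)\s+(permit|deny)\s+tcp\s+\S+\s+\S+\s+match-all\s+(.*)", line)
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        set_mask = clear_mask = 0
        for token in m.group(3).split():
            bit = FLAG_BITS[token[1:]]
            if token[0] == "+":
                set_mask |= bit
            else:
                clear_mask |= bit
        aces.append((int(m.group(1)), m.group(2), set_mask, clear_mask))
    return aces


def flags_to_str(flags: int) -> str:
    return "+".join(n.upper() for n, b in FLAG_BITS.items() if flags & b) or "none"


def evaluate(aces: List[ACE], flags: int) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; an unmatched packet hits the implicit deny (None)."""
    for seq, action, set_mask, clear_mask in aces:
        if flags & set_mask == set_mask and flags & clear_mask == 0:
            return action, seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(TCPFLAGS_ACL)
    # Values from the flow-monitor output on the slide plus a few handshake cases.
    for f in (0x14, 0x15, 0x16, 0x17, 0x02, 0x12, 0x10, 0x18, 0x04, 0x29, 0x00):
        action, seq = evaluate(acl, f)
        print(f"0x{f:02X} {flags_to_str(f):<16} -> {action} (line {seq or 'implicit'})")
```

Note that a SYN+ACK (0x12) falls through every line: the ACL as written is meant for traffic arriving at the server side, where the only legitimate first packet is a bare SYN.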
63
What if an attack is based on a different header field?
IOS-FW(config)# load protocol flash:udp.phdf

IOS-FW# show protocols phdf udp
Protocol ID: 3
Protocol name: UDP
Description: UDP-Protocol
Original file name: flash:udp.phdf
Header length: 8
Constraint(s):
Total number of fields: 5
Field id: 0, source-port, UDP-Source-Port
   Fixed offset. offset 0
   Constant length. Length: 16
Field id: 1, dest-port, UDP-Destination-Port
   Fixed offset. offset 16
   Constant length. Length: 16
Field id: 2, length, UDP-Packet-Length
   Fixed offset. offset 32
   Constant length. Length: 16
Field id: 3, checksum, UDP-Checksum
   Fixed offset. offset 48
   Constant length. Length: 16
Field id: 4, payload-start, UDP-Payload-Start
   Fixed offset. offset 64
   Constant length. Length: 0

UDP Datagram (figure): Source Port (16) | Destination Port (16); Length (16) | UDP Checksum (16); Data (if any)
The Flexible Packet Matching (FPM) feature enables you to define advanced filtering based on IP, TCP, UDP and ICMP header fields
64
Attack is directed to TCP port 600
Uses a string of 4 bytes containing the word "worm" (or variants)
The attack string is located at a 16-byte offset from the beginning of the TCP payload
The attack string may appear anywhere within the 10 bytes that follow that position
Use Case: Flexible Packet Matching Suppose a new attack has the following characteristics…
65
FPM Capabilities: TCP Example
IOS-FW(config)# class-map type access-control match-all FPM1
IOS-FW(config-cmap)# match field ?
  ICMP   ICMP-Protocol
  IP     IP-Protocol
  TCP    TCP-Protocol
  UDP    UDP-Protocol
  layer  Match Protocol Layer
IOS-FW(config-cmap)# match field TCP ?
  acknum          TCP-Acknowledgement-Number
  checksum        TCP-Checksum-Value
  control-bits    TCP-Control-Bits-Number
  data-offset     TCP-Data-Offset-Number
  dest-port       TCP-Destination-Port
  ecn             TCP-ECN-Number
  payload-start   TCP-Payload-Start
  reserved        TCP-Reserved-Number
  seqnum          TCP-Sequence-Number
  source-port     TCP-Source-Port
  urgent-pointer  TCP-Urgent-Pointer
  window          TCP-Window-Size
TCP Header/Data Fields
66
%SEC-6-IPACCESSLOGP: list CLASS1 denied tcp 172.16.210.120(18045) (FastEthernet0/0 ) -> 172.16.211.11(600), 1 packet
Flexible Packet Matching (FPM) in action
class-map type stack match-all IP-TCP
 match field IP protocol eq 0x6 next TCP
!
class-map type access-control match-all CLASS1
 match field TCP dest-port eq 600
 match start TCP payload-start offset 16 size 10 regex ".*[Ww][Oo][Rr][Mm]"
!
policy-map type access-control POLICY1
 class CLASS1
  drop log
!
policy-map type access-control FPM1
 class IP-TCP
  service-policy POLICY1
!
interface FastEthernet0/0
 service-policy type access-control input FPM1
For Your Reference
67
Sample Attacks blocked by FPM (For Your Reference)
Ethernet Packet: 80 bytes
Dest Addr: 0012.DAD2.6203, Source Addr: 0000.0000.0000
Protocol: 0x0800
IP Version: 0x4, HdrLen: 0x5, TOS: 0x40 (Prec=Immediate)
Length: 66, ID: 0x5208, Flags-Offset: 0x0000
TTL: 60, Protocol: 6 (TCP), Checksum: 0x2EC6 (OK)
Source: 172.16.210.105, Dest: 172.16.211.31
TCP Src Port: 8000, Dest Port: 600
Seq #: 0x00000000, Ack #: 0x00000000, Hdr_Len: 5
Flags: 0x02 SYN, Window: 0, Checksum: 0xB9B3 (OK) Urgent Pointer: 0
Data:
 0 : 0000 0000 0000 0000 0000 0000 0001 0108 7468 6531 ................the1
20 : 774F 526D 3275 wORm2u

Variant 1 (changing only the Data Portion)
Data:
 0 : 0000 0000 0000 0000 0000 0000 0001 0108 774F 526D ................wORm
20 : 4167 6169 6E31 Again1

Variant 2 (changing only the Data Portion)
Data:
 0 : 0000 0000 0000 0000 0000 0000 0001 0108 7468 656E ................then
20 : 6577 574F 524D ewWORM
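An added Python example (not from the session, and not IOS code) that emulates what the IP-TCP and CLASS1 FPM class-maps above test: IP protocol 6, TCP destination port 600, and the regex applied only to the 10 bytes that start 16 bytes after the TCP payload. The three sample packets are rebuilt from the hex dumps on this slide (IP and TCP headers regenerated with the checksum fields left at zero, which the match never looks at), and a packet with the string outside the inspected window is constructed to show the boundary.

```python
"""Added example (not from the slides): emulate the FPM stack/access-control
class-maps (protocol 6, dest-port 600, regex on payload offset 16 size 10)."""
import re
import struct
from typing import Dict, Optional

# Constructed TCP payloads, copied from the three hex dumps on the slide.
PAYLOADS: Dict[str, bytes] = {
    "original": bytes.fromhex("0000 0000 0000 0000 0000 0000 0001 0108 7468 6531 774F 526D 3275"),
    "variant1": bytes.fromhex("0000 0000 0000 0000 0000 0000 0001 0108 774F 526D 4167 6169 6E31"),
    "variant2": bytes.fromhex("0000 0000 0000 0000 0000 0000 0001 0108 7468 656E 6577 574F 524D"),
}


def build_packet(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """IPv4 (no options) + TCP (no options, SYN) + payload. Checksums stay 0
    because this emulation, like the FPM match, never verifies them."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x40, 40 + len(data), 0x5208,
                     0x0000, 60, 6, 0, ip_src, ip_dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)
    return ip + tcp + data


# The slide's packets: 172.16.210.105:8000 -> 172.16.211.31:600.
SAMPLES = {name: build_packet("172.16.210.105", "172.16.211.31", 8000, 600, p)
           for name, p in PAYLOADS.items()}

# Same pattern as the class-map; DOTALL so '.*' also walks over 0x00 filler bytes.
WORM_REGEX = re.compile(rb".*[Ww][Oo][Rr][Mm]", re.DOTALL)


def inspected_window(packet: bytes, offset: int = 16, size: int = 10) -> bytes:
    """The bytes `match start TCP payload-start offset 16 size 10` looks at."""
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4           # TCP payload-start
    return tcp[data_off + offset: data_off + offset + size]


def fpm_match(packet: bytes, dport: int = 600, offset: int = 16, size: int = 10,
              pattern=WORM_REGEX) -> Optional[str]:
    """Return 'drop' when the packet satisfies IP-TCP then CLASS1, else None."""
    if packet[9] != 6:                       # match field IP protocol eq 0x6
        return None
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    if struct.unpack("!H", tcp[2:4])[0] != dport:   # match field TCP dest-port eq 600
        return None
    window = inspected_window(packet, offset, size)
    return "drop" if pattern.match(window) else None


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9s} window={inspected_window(pkt)!r:16s} -> {fpm_match(pkt)}")
    # Constructed miss: same string, but placed at payload offset 8, outside the window.
    miss = build_packet("10.0.0.1", "10.0.0.2", 1234, 600, b"\x00" * 8 + b"worm" + b"\x00" * 14)
    print("offset-8 variant ->", fpm_match(miss))
```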
68
New Development for ISR G2: Content Scanning with Scansafe for IOS (For Your Reference)
parameter-map type content-scan global
 server scansafe primary name proxy2261.scansafe.net port http 8080 https 8080
 server scansafe secondary name proxy1363.scansafe.net port http 8080 https 8080
 license 0 CD4B25B79D131F08ABCDEFABCDEFFFFF
 source interface Dialer1
 timeout server 30
 user-group ciscogroup10 username ciscouser10
 server scansafe on-failure block-all

interface Dialer1
 ip nat outside
 content-scan out
 [ … ]

Topology (figure): ISR-G2 ---- Internet (Scansafe); the three steps of the redirection are numbered 1, 2, 3 in the diagram.
69
IOS# show content-scan summary
Primary: 201.94.155.42 (Up)*
Secondary: 70.39.231.99 (Up)
Interfaces: Dialer1

IOS# show content-scan statistics
Current HTTP sessions: 0
Current HTTPS sessions: 0
Total HTTP sessions: 83
Total HTTPS sessions: 8
White-listed sessions: 0
Time of last reset: never

IOS# show content-scan session active
Protocol  Source                Destination          Bytes          Time
HTTP      172.19.99.101:57152   209.222.159.185:80   (1635:331595)  00:00:12
   URI: www.maa.org
   Username/usergroup(s): ciscouser10/ ciscogroup10
HTTP      172.19.99.101:57153   209.222.159.185:80   (2157:53326)   00:00:12
   URI: www.maa.org
   Username/usergroup(s): ciscouser10/ ciscogroup10
HTTP      172.19.99.101:57161   74.125.234.10:80     (1525:833)     00:00:09
   URI: www.google-analytics.com
   Username/usergroup(s): ciscouser10/ ciscogroup10

New Development for ISR G2: Content Scanning with Scansafe for IOS (For Your Reference)
70
IOS IPv6 ACLs
Basic IPv6 ACL (Action, Protocol, Sources, Destinations, Line Number):
ipv6 access-list ACL-NAME
 {deny | permit} {protocol} {src-prefix/prefix-length} {dst-prefix/prefix-length} [sequence ACE#]

Specifying L4 Information (Service):
ipv6 access-list ACL-NAME
 {deny | permit} {tcp | udp} {src-prefix/prefix-length} [src-port] {dst-prefix/prefix-length} [dest-port]

Associating an IPv6 ACL to an interface:
interface FastEthernet0/0
 ipv6 traffic-filter V6-ACL1 in
72
V6-FW(config-ipv6-acl)# permit ipv6 any any ?
  auth              Match on authentication header
  dest-option       Destination Option header (all types)
  dest-option-type  Destination Option header with type
  dscp              Match packets with given dscp value
  flow-label        Flow label
  fragments         Check non-initial fragments
  log               Log matches against this entry
  log-input         Log matches against this entry, including input
  mobility          Mobility header (all types)
  mobility-type     Mobility header with type
  reflect           Create reflexive access list entry
  routing           Routing header (all types)
  routing-type      Routing header with type
  sequence          Sequence number for this entry
  time-range        Specify a time-range
  <cr>
IOS IPv6 ACLs: Filtering Options For Your Reference
73
ZFW for IPv6: Use Case 1
Topology (figure): host 2001:db8::5 on 2001:db8::/64 behind F1 (Zone INSIDE) of ZFW6; F0 (Zone OUTSIDE) leads to 2001:db8:0:1111::/64.

OUTBOUND1 Zone Policy:
zone-pair security OUTBOUND1 source INSIDE destination DMZ
 service-policy type inspect POLICY1
!
policy-map type inspect POLICY1
 class type inspect GENERIC-V6
  inspect TRACKING
 class class-default
  drop log
!
class-map type inspect match-any GENERIC-V6
 match protocol tcp
 match protocol udp
 match protocol icmp

FIREWALL* sis 49FA6440: Session Created
FIREWALL* sis 49FA6440: IPv6 address extention Created
FIREWALL* sis 49FA6440: Pak 497651C8 init_addr ([2001:DB8::5]:123) resp_addr ([2001:DB8:0:1111::2]:123)
FIREWALL* sis 49FA6440: FO cls 0x489C3100 clsgrp 0x20000000, target 0xA0000000, FO 0x4A91F6C0, alert = 1, audit_trail = 1, L7 = Unknown-l7, PAMID = 0
74
ZFW for IPv6: Use Case 2
Topology (figure): FTP client 2001:db8:0:2222::103 on 2001:db8:0:2222::/64 (Zone INSIDE) reaches, through ZFW6, the FTP server 2001:db8:0:BBBB::102 on 2001:db8:0:BBBB::/64 (Zone OUTSIDE).

OUTBOUND1 Zone Policy:
zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
 service-policy type inspect POLICY1
!
policy-map type inspect POLICY1
 class type inspect V6-FTP
  inspect TRACKING
 class class-default
  drop log
!
class-map type inspect match-any V6-FTP
 match protocol ftp

Application-specific policy supported for FTP (over IPv6)
75
ZFW for IPv6: Use Case 2
Topology (figure): FTP client 2001:db8:0:2222::103 (Zone INSIDE) and FTP server 2001:db8:0:BBBB::102 (Zone OUTSIDE) through ZFW6, OUTBOUND1 Zone Policy applied.

%IPV6_FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:V6-FTP):Start ftp session: initiator ([2001:DB8:0:2222::103]:2510) -- responder ([2001:DB8:0:BBBB::102]:21)
%IPV6_FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:V6-FTP):Start ftp-data session: initiator ([2001:DB8:0:BBBB::102]:20) -- responder ([2001:DB8:0:2222::103]:2512)
%IPV6_FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:V6-FTP):Stop ftp-data session initiator ([2001:DB8:0:BBBB::102]:20) sent 39 bytes -- responder ([2001:DB8:0:2222::103]:2512) sent 0 bytes
%IPV6_FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:V6-FTP):Stop ftp session initiator ([2001:DB8:0:2222::103]:2510) sent 147 bytes -- responder ([2001:DB8:0:BBBB::102]:21) sent 418 bytes
76
Firewall Placement: IPv6 Tunneling
Figure: IPv6 Domain 1 (IPv6 Host) and IPv6 Domain 2 (IPv6 Host) are joined across an IPv4 Backbone by a Tunnel (IPv6 over IPv4) between two Dual Stack Routers (R2 on one side); the segments on either side of the tunnel are marked Native IPv6, and that is where the figure places the Detailed IPv6 Inspection (Dedicated IPv6 Firewall, ZFW), while the IPv4 backbone only carries the IPv6 Transit Network encapsulated in IPv4.
Encapsulations shown:
 Native IPv6: IPv6 Header | IPv6 Data
 IPv6 in IPv4 (IPv4 Protocol Type = 41): IPv4 Header | IPv6 Header | IPv6 Data
 IPv6 over GRE (IPv4 Protocol Type = 47 = GRE): IPv4 Header | GRE Header | IPv6 Header | IPv6 Data
77
Sample IPv6 over IPv4 Static Tunnel (For Your Reference)
Topology (figure): ZFW (f0/0.1201 on 172.22.1.0/24, Loopback 1 172.22.22.241/32) and R2 (f0/0.1202 on 172.22.2.0/24, Loopback 1 172.22.22.242/32) are connected across IPv4 by a Static Tunnel (IPv6 over IPv4); 2001:DB8::/64 sits behind ZFW and 2001:DB8:5555::/64 behind R2.

ZFW:
interface Tunnel1
 no ip address
 ipv6 address 2001:DB8:0:1111::1/64
 ipv6 enable
 tunnel source 172.22.22.241
 tunnel destination 172.22.22.242
 tunnel mode ipv6ip
!
ipv6 route 2001:DB8:5555::/64 Tunnel1

ZFW# show interface tunnel 1 | include Tunnel
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Tunnel source 172.22.22.241, destination 172.22.22.242
  Tunnel protocol/transport IPv6/IP
  Tunnel TTL 255
  Tunnel transport MTU 1480 bytes

R2:
interface Tunnel1
 no ip address
 ipv6 address 2001:DB8:0:1111::2/64
 ipv6 enable
 tunnel source 172.22.22.242
 tunnel destination 172.22.22.241
 tunnel mode ipv6ip
!
ipv6 route 2001:DB8::/64 Tunnel1
78
ZFW Use Case 3: Tunneling Scenario
Topology (figure): ZFW, with 2001:DB8::/64 in zone INSIDE, reaches 2001:DB8:5555::/64 through an IPv6 over IPv4 Tunnel across the Underlying IPv4 Network; the tunnel interface is placed in zone OUTSIDE.

Inspecting the IPv6 Traffic:
interface Tunnel1
 no ip address
 ipv6 address 2001:DB8:0:1111::1/64
 ipv6 enable
 tunnel source 172.22.22.241
 tunnel destination 172.22.22.242
 zone-member security OUTSIDE
 tunnel mode ipv6ip
!
ipv6 route 2001:DB8:5555::/64 Tunnel1
!
zone-pair security INBOUND1 source OUTSIDE destination INSIDE
 service-policy type inspect POLICY1
79
Some other security features available for IPv6
Virtual Fragment Reassembly (VFR)
Antispoofing with uRPF
Detailed visibility with Flexible Netflow

flow record FLEXRECORD6
 match ipv6 traffic-class
 match ipv6 protocol
 match ipv6 source address
 match ipv6 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing next-hop address ipv6
 collect ipv6 next-header
 collect ipv6 hop-limit
 collect ipv6 payload-length
 collect ipv6 extension map
 collect ipv6 fragmentation flags
 collect ipv6 fragmentation offset
 collect ipv6 fragmentation id
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
!
flow exporter FLEXNETFLOW
 destination 192.168.1.114
 source FastEthernet0/0
 transport udp 2055
!
flow monitor FLEX6
 record FLEXRECORD6
 exporter FLEXNETFLOW

V6-FW# show flow monitor FLEX6 cache aggregate ipv6 source address transport icmp ipv6 type transport icmp ipv6 code
Processed 3 flows
Aggregated to 3 flows

IPV6 SOURCE ADDRESS: 2001:DB8::5
ICMP IPV6 TYPE: 128
ICMP IPV6 CODE: 0
counter flows: 1
counter bytes: 86000
counter packets: 86
80
Key Takeaways: What You Learned
IOS Security features are well suited for Branch Deployments
How to build Zone-based Firewall Policies (from basic to advanced)
How to use Identity-based features on IOS, including the user-based ZFW
IOS Software is under constant development and one of its recent features uses SGT/IP Mapping (from the Trustsec architecture) to build more scalable firewall policies.
How to leverage advanced filtering resources such as special-purpose ACLs and Flexible Packet Matching (FPM)
How to use ISR G2 routers to direct traffic to Scansafe Towers for content scanning
What are the IPv6 Security functionalities already available on IOS
81
Recommended Reading
82
Blog: alexandremspmoraes.wordpress.com
Twitter: alexandre_mspm
83
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
84
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
 ‒ Facebook: https://www.facebook.com/ciscoliveus
 ‒ Twitter: https://twitter.com/#!/CiscoLive
 ‒ LinkedIn Group: http://linkd.in/CiscoLI
85