Advanced Cisco IOS Security Features BRKSEC-3007

Transcript of Advanced IOS

© 2012 Cisco and/or its affiliates. All rights reserved. BRKSED-3007 Cisco Public

About the Speaker: Alexandre M. S. P. Moraes

Joined Cisco as a Systems Engineer in 1998.

Mainly supporting large Public Sector and Enterprise accounts in Brazil.

Coordinator of the Cisco Security team in Brazil for 3 years

Graduated in Electronic Engineering

Areas of Interest: Security/VPN, Routing/Campus Design, MPLS Networks Design, IP Multicast

Author of the book: “Cisco Firewalls: Concepts, Design and Deployment for Cisco Stateful Solutions” (Cisco Press, 2011)

Blog: http://alexandremspmoraes.wordpress.com

CCIE #6063 (Routing/Switching, Security, Service Provider)

Housekeeping

We value your feedback: don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday.

Visit the World of Solutions and Meet the Engineer

Visit the Cisco Store to purchase your recommended readings.

Please switch off your mobile phones

After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com

Agenda

Introduction

Zone-based Policy Firewall: Basic Concepts

Zone-based Policy Firewall in action

User-based Firewall features on Cisco IOS

Additional Layers of Security: Advanced Filtering Resources

IPv6 Security Features on IOS

Key Takeaways

Warning: This session does not cover subjects such as IOS VPNs or L2 Security

Introduction

[Diagram: Branch Office and Corporate Office connected over the Internet and a Private WAN; security services on the ISR: Cisco Zone-Based Firewall, Identity-based Services, Stateless Filtering, Content Scanning with ScanSafe, Infrastructure Protection]

Cisco ISRs provide lots of integrated services. But what about security?

Cisco Integrated Services Routers provide many services: Routing, Switching, WLAN, UC, Multicast, Multiple Backup options…

+ Security Connectivity: Flex VPN and GET VPN to fit your connectivity needs

+ Data Plane Security: at appropriate performance levels for the branch

Basic Questions to be answered

Can a Router behave as a true stateful firewall?

Are there any other features that complement stateful inspection?

Is my ISR Identity-aware?

Are the ISR Security Features IPv6 Ready?

Zone-based Policy Firewall Basic Concepts

Zone-based Policy Firewall (ZFW)

[Diagram: ZFW1 with interfaces Int 1 and Int 2 (Client1, Client2) in zone TRUSTED and Int 3 and Int 4 (Server, INTERNET) in zone UNTRUSTED; zone-policy OUTBOUND applied from TRUSTED to UNTRUSTED]

Zone: set of interfaces that share a certain “trust level”

A philosophy change: Firewall policies now define rules between zones (and not between interfaces)

ZFW policies are Unidirectional: Source >> Destination

Interfaces assigned to zones but no zone-pair definition:

    %FW-6-DROP_PKT: Dropping icmp session 172.18.1.10:0 172.18.2.20:0 due to No zone-pair between zones with ip ident 0

Source interface not assigned to a zone:

    %FW-6-DROP_PKT: Dropping icmp session 172.17.3.10:0 172.18.1.10:0 due to One of the interfaces not being cfged for zoning with ip ident 0

Destination interface not assigned to a zone:

    %FW-6-DROP_PKT: Dropping icmp session 172.18.2.20:0 172.17.4.10:0 due to policy match failure with ip ident 0

ZFW: Easier to implement Default-Deny behavior

ZFW: Policy Building Blocks

    policy-map type inspect BASIC1
     class type inspect CLASS1
      { inspect | pass | police | drop }
     […]
     class type inspect CLASS-N
      { inspect | pass | police | drop }
     class class-default
      { inspect | pass | drop }

    class-map type inspect { match-all | match-any } CLASS1
     a) match protocol { tcp | udp | icmp }
     b) match access-group { name ACL-NAME | ACL-NUM }
     c) match class-map CLASS-MAP_NAME

    zone-pair security Z1-Z2 source Z1 destination Z2
     service-policy type inspect BASIC1

[Diagram: ZFW1 with Int 1 and Int 2 as members of zone security Z1 and zone security Z2 (zone-member security Z1 / Z2 on the interfaces); the Z1-Z2 policy is attached to the zone-pair]

Cisco Security Manager and ZFW

[Screenshot: Cisco Security Manager, Zone-based Firewall Rules table]

Zone-based Policy Firewall in action

Zone-based Policy Firewall: Parameter-maps

    ZFW1# show parameter-map type inspect default
     audit-trail off
     alert on
     max-incomplete low 2147483647
     max-incomplete high 2147483647
     one-minute low 2147483647
     one-minute high 2147483647
     udp idle-time 30
     icmp idle-time 10
     dns-timeout 5
     tcp idle-time 3600
     tcp finwait-time 5
     tcp synwait-time 30
     tcp max-incomplete host 4294967295 block-time 0
     sessions maximum 2147483647

    parameter-map type inspect TRACKING
     audit-trail on

    parameter-map type inspect global
     log dropped-packets enable

Good practice: Capitalize the names you assign to policy building blocks. Search within the CLI is case-sensitive.

Connection logging is turned off by default

Inspecting Outbound Traffic (L4 only): Connection Setup

[Diagram: host 172.18.1.10 on 172.18.1.0/24 behind F1 (zone INSIDE), ZFW1 as .4 on both subnets, host 172.18.2.20 on 172.18.2.0/24 behind F0 (zone OUTSIDE); zone policy OUTBOUND1 applied INSIDE >> OUTSIDE]

    class-map type inspect match-any TOP-CLASS1
     match protocol udp
     match protocol tcp

    policy-map type inspect POLICY1
     class type inspect TOP-CLASS1
      inspect TRACKING
     class class-default
      drop log

    zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
     service-policy type inspect POLICY1

Inspecting Outbound Traffic (L4 only)

[Same topology as the previous slide]

    ZFW1# show zone security
    zone self
      Description: System defined zone
    zone INSIDE
      Member Interfaces:
        FastEthernet1
    zone OUTSIDE
      Member Interfaces:
        FastEthernet0

    ZFW1# show policy-firewall config zone-pair
    Zone-pair : OUTBOUND1
        Source Zone : INSIDE
        Destination Zone : OUTSIDE
      Service-policy inspect : POLICY1
        Class-map : TOP-CLASS1(match-any)
          Match protocol udp
          Match protocol tcp
          Action : inspect
          Parameter-map : TRACKING
        Class-map : class-default(match-any)
          Match any
          Action : drop log
          Parameter-map : Default

The output shows the building blocks chained together: zone-pair, service-policy, class-map (with its parameter-map) and the class-default class-map.

Inspecting Outbound Traffic (L4 only)

[Same topology as the previous slides]

    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:TOP-CLASS1): Start tcp session: initiator (172.18.1.10:22374) -- responder (172.18.2.20:23)

    ZFW1# show policy-firewall session
    Established Sessions = 1
     Session 498723C0 (172.18.1.10:22374)=>(172.18.2.20:23) tcp SIS_OPEN/TCP_ESTAB
       Created 00:00:19, Last heard 00:00:12
       Bytes sent (initiator:responder) [48:95]

    %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:TOP-CLASS1):Stop tcp session: initiator (172.18.1.10:22374) sent 54 bytes -- responder (172.18.2.20:23) sent 107 bytes

Inspecting Outbound Traffic (L4 only)

[Same topology as the previous slides]

Outbound connection attempt (ICMP blocked by class “class-default”):

    %FW-6-DROP_PKT: Dropping icmp session 172.18.1.10:0 172.18.2.20:0 on zone-pair OUTBOUND1 class class-default due to DROP action found in policy-map with ip ident 0

Inbound connection attempt (no zone-pair defined):

    %FW-6-DROP_PKT: Dropping icmp session 172.18.2.20:0 172.18.1.10:0 due to policy match failure with ip ident 0

ZFW: Preparing for L3 + L4 Policy

[Diagram: same topology as the previous slides, with 172.22.0.0/16 reachable beyond the OUTSIDE zone]

Network Objects:

    object-group network INSIDE1
     172.18.1.0 255.255.255.0
    !
    object-group network OUT1
     172.22.0.0 255.255.0.0
    !
    object-group network OUT2
     host 172.18.2.20

Service Objects:

    object-group service SVCS1
     tcp eq telnet
     tcp eq www
    !
    object-group service SVCS2
     udp eq ntp

Sample ACL that uses object-groups:

    ip access-list extended ACL1
     permit object-group SVCS1 object-group INSIDE1 object-group OUT1
     permit object-group SVCS2 object-group INSIDE1 object-group OUT2
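An added example (not from the session): a small parser for the object-group and ACL configuration on this slide that expands each object-group ACE into the equivalent plain extended-ACL entries, the form in which a policy is easiest to audit. The input is the slide's own configuration; the port-name table covers only the names the slide uses and is an assumption.

```python
"""Added example (not from the session): parse IOS object-groups and an
object-group based ACL, then expand the ACL into plain extended ACEs."""
import re
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Tuple

# Assumption: only the port names that appear on the slide are mapped.
PORT_NAMES = {"telnet": 23, "www": 80, "ntp": 123}

# The configuration from the "Preparing for L3 + L4 Policy" slide.
CONFIG = """\
object-group network INSIDE1
 172.18.1.0 255.255.255.0
!
object-group network OUT1
 172.22.0.0 255.255.0.0
!
object-group network OUT2
 host 172.18.2.20
!
object-group service SVCS1
 tcp eq telnet
 tcp eq www
!
object-group service SVCS2
 udp eq ntp
!
ip access-list extended ACL1
 permit object-group SVCS1 object-group INSIDE1 object-group OUT1
 permit object-group SVCS2 object-group INSIDE1 object-group OUT2
"""


def parse(config: str):
    """Return (network groups, service groups, acls), each keyed by name."""
    nets: Dict[str, List[IPv4Network]] = {}
    svcs: Dict[str, List[Tuple[str, int]]] = {}
    acls: Dict[str, List[str]] = {}
    current: Optional[list] = None          # the block being filled
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := re.match(r"object-group network (\S+)$", line):
            current = nets.setdefault(m.group(1), [])
        elif m := re.match(r"object-group service (\S+)$", line):
            current = svcs.setdefault(m.group(1), [])
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            current = acls.setdefault(m.group(1), [])
        elif current is None:
            raise ValueError(f"line outside a block: {line}")
        elif m := re.match(r"host (\S+)$", line):
            current.append(IPv4Network(m.group(1) + "/32"))
        elif m := re.match(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", line):
            current.append(IPv4Network(f"{m.group(1)}/{m.group(2)}"))  # subnet-mask form
        elif m := re.match(r"(tcp|udp) eq (\S+)$", line):
            port = PORT_NAMES.get(m.group(2)) or int(m.group(2))
            current.append((m.group(1), port))
        elif line.startswith(("permit", "deny")):
            current.append(line)
        else:
            raise ValueError(f"unsupported line: {line}")
    return nets, svcs, acls


def wildcard(net: IPv4Network) -> str:
    """ACL syntax uses wildcard masks; a /32 is written as 'host A.B.C.D'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def expand(config: str, acl_name: str) -> List[str]:
    """Expand every object-group ACE of acl_name into plain ACEs (cartesian product)."""
    nets, svcs, acls = parse(config)
    ace_re = re.compile(r"(permit|deny) object-group (\S+) object-group (\S+) object-group (\S+)$")
    out: List[str] = []
    for ace in acls[acl_name]:
        m = ace_re.match(ace)
        if not m:
            out.append(ace)                  # already a plain ACE, keep verbatim
            continue
        action, svc, src, dst = m.groups()
        for proto, port in svcs[svc]:
            for s in nets[src]:
                for d in nets[dst]:
                    out.append(f"{action} {proto} {wildcard(s)} {wildcard(d)} eq {port}")
    return out


if __name__ == "__main__":
    for ace in expand(CONFIG, "ACL1"):
        print(ace)
```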

ZFW: L3 + L4 Policy (no more Interface ACLs)

[Diagram: same topology as the previous slide; zone policy OUTBOUND2 applied INSIDE >> OUTSIDE]

    ip access-list extended ACL1
     permit object-group SVCS1 object-group INSIDE1 object-group OUT1
     permit object-group SVCS2 object-group INSIDE1 object-group OUT2

    class-map type inspect match-all JOINT1
     match class-map TOP-CLASS1
     match access-group name ACL1

    policy-map type inspect POLICY2
     class type inspect JOINT1
      inspect TRACKING
     class class-default
      drop log

    zone-pair security OUTBOUND2 source INSIDE destination OUTSIDE
     service-policy type inspect POLICY2
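To make the chain of building blocks concrete, here is an added example (not code from the session or from Cisco IOS) that models how a ZFW decides the fate of a new flow and applies it to the OUTBOUND1 (L4 only) and OUTBOUND2 (L3 + L4) policies shown above. The Flow, Acl, ClassMap and Zfw classes and the returned reason strings are assumptions made for illustration; zone, class and ACL names are those of the slides.

```python
"""Added example (not from the session or from Cisco IOS): a model of how a
Zone-Based Policy Firewall decides the fate of a new flow, following the rules
the slides state: zones group interfaces, policies hang off unidirectional
zone-pairs, class-maps are match-any/match-all, and class-default drops."""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


class Flow:
    """A new connection as the firewall sees it on its first packet."""
    def __init__(self, in_if: str, out_if: str, proto: str, src: str, dst: str, dport: int = 0):
        self.in_if, self.out_if = in_if, out_if        # ingress / egress interface
        self.proto, self.src, self.dst, self.dport = proto, src, dst, dport


class Acl:
    """Extended ACL reduced to permit entries: (proto, src_net, dst_net, dport or None)."""
    def __init__(self, permits: List[Tuple[str, str, str, Optional[int]]]):
        self.permits = permits

    def matches(self, f: Flow) -> bool:
        for proto, src_net, dst_net, port in self.permits:
            if proto != "ip" and proto != f.proto:
                continue
            if ip_address(f.src) not in ip_network(src_net):
                continue
            if ip_address(f.dst) not in ip_network(dst_net):
                continue
            if port is not None and port != f.dport:
                continue
            return True
        return False                    # implicit deny at the end of every ACL


class ClassMap:
    """class-map type inspect {match-all | match-any} over a list of criteria."""
    def __init__(self, name: str, match_all: bool, criteria: List[Callable[[Flow], bool]]):
        self.name, self.match_all, self.criteria = name, match_all, criteria

    def matches(self, f: Flow) -> bool:
        hits = [c(f) for c in self.criteria]
        return all(hits) if self.match_all else any(hits)


def match_protocol(proto: str) -> Callable[[Flow], bool]:
    return lambda f: f.proto == proto


Policy = List[Tuple[ClassMap, str]]     # classes in order, each with its action


class Zfw:
    def __init__(self, zone_of: Dict[str, str], zone_pairs: Dict[Tuple[str, str], Policy]):
        self.zone_of = zone_of          # interface -> zone
        self.zone_pairs = zone_pairs    # (source zone, destination zone) -> policy

    def decide(self, f: Flow) -> Tuple[str, str]:
        """Return (action, reason); the drop reasons echo the %FW-6-DROP_PKT texts."""
        src_zone, dst_zone = self.zone_of.get(f.in_if), self.zone_of.get(f.out_if)
        if src_zone is None and dst_zone is None:
            return "pass", "neither interface is zoned, ZFW does not apply"
        if src_zone is None or dst_zone is None:
            return "drop", "One of the interfaces not being cfged for zoning"
        policy = self.zone_pairs.get((src_zone, dst_zone))      # unidirectional lookup
        if policy is None:
            if src_zone == dst_zone:
                return "pass", "intrazone traffic without an intrazone policy (IOS 12.X behaviour)"
            return "drop", "No zone-pair between zones"
        for cm, action in policy:       # first matching class wins, top down
            if cm.matches(f):
                return action, f"class {cm.name}"
        return "drop", "class class-default"    # class-default drops unless told otherwise


# OUTBOUND1: the L4-only policy (class-map TOP-CLASS1, match-any udp/tcp).
TOP_CLASS1 = ClassMap("TOP-CLASS1", False, [match_protocol("udp"), match_protocol("tcp")])
ZONES = {"FastEthernet1": "INSIDE", "FastEthernet0": "OUTSIDE"}
ZFW_L4 = Zfw(ZONES, {("INSIDE", "OUTSIDE"): [(TOP_CLASS1, "inspect")]})

# OUTBOUND2: JOINT1 = match-all of TOP-CLASS1 and ACL1 (ACL1 written out in plain form:
# telnet/www to 172.22.0.0/16 and ntp to host 172.18.2.20, both from 172.18.1.0/24).
ACL1 = Acl([("tcp", "172.18.1.0/24", "172.22.0.0/16", 23),
            ("tcp", "172.18.1.0/24", "172.22.0.0/16", 80),
            ("udp", "172.18.1.0/24", "172.18.2.20/32", 123)])
JOINT1 = ClassMap("JOINT1", True, [TOP_CLASS1.matches, ACL1.matches])
ZFW_L3L4 = Zfw(ZONES, {("INSIDE", "OUTSIDE"): [(JOINT1, "inspect")]})

TELNET_OUT = Flow("FastEthernet1", "FastEthernet0", "tcp", "172.18.1.10", "172.18.2.20", 23)
TELNET_FAR = Flow("FastEthernet1", "FastEthernet0", "tcp", "172.18.1.10", "172.22.22.22", 23)
NTP_NEAR = Flow("FastEthernet1", "FastEthernet0", "udp", "172.18.1.10", "172.18.2.20", 123)
NTP_FAR = Flow("FastEthernet1", "FastEthernet0", "udp", "172.18.1.10", "172.22.22.22", 123)
PING_OUT = Flow("FastEthernet1", "FastEthernet0", "icmp", "172.18.1.10", "172.18.2.20")
PING_IN = Flow("FastEthernet0", "FastEthernet1", "icmp", "172.18.2.20", "172.18.1.10")
UNZONED = Flow("FastEthernet2", "FastEthernet1", "icmp", "172.17.3.10", "172.18.1.10")

if __name__ == "__main__":
    for fw, f in [(ZFW_L4, TELNET_OUT), (ZFW_L4, PING_OUT), (ZFW_L4, PING_IN), (ZFW_L4, UNZONED),
                  (ZFW_L3L4, TELNET_FAR), (ZFW_L3L4, NTP_NEAR), (ZFW_L3L4, NTP_FAR),
                  (ZFW_L3L4, TELNET_OUT)]:
        print(f"{f.proto} {f.src} -> {f.dst}:{f.dport}", fw.decide(f))
```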

ZFW: Implementing L3 + L4 Policy

Examples of Allowed Traffic (NTP to 172.18.2.20, Telnet to 172.22.22.22):

    %FW-6-SESS_AUDIT_TRAIL_START: (target:class) (OUTBOUND2:JOINT1): Start udp session: initiator (172.18.1.10:123) -- responder (172.18.2.20:123)

    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND2:JOINT1): Start tcp session: initiator (172.18.1.10:31793) -- responder (172.22.22.22:23)

Examples of Blocked Traffic due to L3 restrictions (NTP to 172.22.22.22, Telnet to 172.18.2.20):

    FIREWALL*: NEW PAK 48EE1EE4 (0:172.18.1.10:123) (0:172.22.22.22:123) udp
    FIREWALL*: DROP feature object 0xAAAA0028 found
    %FW-6-DROP_PKT: Dropping udp session 172.18.1.10:123 172.22.22.22:123 on zone-pair OUTBOUND2 class class-default due to DROP action found in policy-map with ip ident 0
    FIREWALL: ret_val 0 is not PASS_PAK

    FIREWALL*: NEW PAK 48EE1EE4 (0:172.18.1.10:12803) (0:172.18.2.20:23) tcp
    FIREWALL*: DROP feature object 0xAAAA0028 found
    %FW-6-DROP_PKT: Dropping tcp session 172.18.1.10:12803 172.18.2.20:23 on zone-pair OUTBOUND2 class class-default due to DROP action found in policy-map with ip ident 0
    FIREWALL: ret_val 0 is not PASS_PAK
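The drop and audit-trail messages shown on this and the earlier slides are what a reviewer of a default-deny policy actually has to read. As an added example (not from the session), this parser turns them into records and separates drops that point at a configuration gap (no zone-pair, interface not zoned) from drops the policy intended. The regexes are an assumption built from the message formats on the slides; the sample lines are the ones shown there.

```python
"""Added example (not from the session): parse %FW-6-DROP_PKT and
%FW-6-SESS_AUDIT_TRAIL messages and summarise what the ZFW did."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumption: regexes derived only from the message samples on the slides.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>[\w-]+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: on zone-pair (?P<zp>\S+) class (?P<cls>\S+))?"
    r" due to (?P<reason>.+?) with ip ident")
START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: \(target:class\)[- ]?\((?P<zp>[^:]+):(?P<cls>[^)]+)\):\s*"
    r"Start (?P<proto>[\w-]+) session: initiator \((?P<src>[\d.]+):(?P<sport>\d+)\)"
    r" -- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)")
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: \(target:class\)[- ]?\((?P<zp>[^:]+):(?P<cls>[^)]+)\):\s*"
    r"Stop (?P<proto>[\w-]+) session: initiator \((?P<src>[\d.]+):(?P<sport>\d+)\)"
    r" sent (?P<ibytes>\d+) bytes -- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
    r" sent (?P<rbytes>\d+) bytes")

# Drop reasons that indicate a zoning/zone-pair gap rather than a policy decision.
CONFIG_GAP_REASONS = ("No zone-pair between zones",
                      "One of the interfaces not being cfged for zoning")

FlowKey = Tuple[str, str, str, str, str]   # proto, src, sport, dst, dport


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return an event record for a known message, None for anything else."""
    for event, rx in (("drop", DROP_RE), ("start", START_RE), ("stop", STOP_RE)):
        m = rx.search(line)
        if m:
            return {"event": event, **m.groupdict()}
    return None


def summarize(lines: List[str]) -> Dict:
    """Tally drops by reason, flag configuration gaps, and pair session start/stop."""
    drops: Counter = Counter()
    config_gaps: List[FlowKey] = []
    sessions: Dict[FlowKey, Dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key: FlowKey = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["event"] == "drop":
            drops[rec["reason"]] += 1
            if rec["reason"] in CONFIG_GAP_REASONS:
                config_gaps.append(key)
        else:
            sess = sessions.setdefault(key, {"class": f"{rec['zp']}:{rec['cls']}", "bytes": None})
            if rec["event"] == "stop":
                sess["bytes"] = (int(rec["ibytes"]), int(rec["rbytes"]))
    return {"drops": dict(drops), "config_gaps": config_gaps, "sessions": sessions}


# Sample input: the messages shown on the slides of this section.
SAMPLE = [
    "%FW-6-DROP_PKT: Dropping icmp session 172.18.1.10:0 172.18.2.20:0 due to No zone-pair between zones with ip ident 0",
    "%FW-6-DROP_PKT: Dropping icmp session 172.17.3.10:0 172.18.1.10:0 due to One of the interfaces not being cfged for zoning with ip ident 0",
    "%FW-6-DROP_PKT: Dropping icmp session 172.18.2.20:0 172.17.4.10:0 due to policy match failure with ip ident 0",
    "%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:TOP-CLASS1): Start tcp session: initiator (172.18.1.10:22374) -- responder (172.18.2.20:23)",
    "%FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:TOP-CLASS1):Stop tcp session: initiator (172.18.1.10:22374) sent 54 bytes -- responder (172.18.2.20:23) sent 107 bytes",
    "%FW-6-DROP_PKT: Dropping icmp session 172.18.1.10:0 172.18.2.20:0 on zone-pair OUTBOUND1 class class-default due to DROP action found in policy-map with ip ident 0",
    "%FW-6-DROP_PKT: Dropping icmp session 172.18.2.20:0 172.18.1.10:0 due to policy match failure with ip ident 0",
    "%FW-6-SESS_AUDIT_TRAIL_START: (target:class) (OUTBOUND2:JOINT1): Start udp session: initiator (172.18.1.10:123) -- responder (172.18.2.20:123)",
    "%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUT-SELF: ICMP1):Start icmp session: initiator (172.20.20.2:0) -- responder (172.20.20.1:0)".replace(": ICMP1", ":ICMP1"),
    "%FW-6-DROP_PKT: Dropping icmp session 172.21.21.21:0 172.20.20.1:0 on zone-pair OUT-SELF class class-default due to DROP action found in policy-map with ip ident 0",
]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for reason, count in result["drops"].items():
        print(f"{count:3d} drop(s): {reason}")
    print("configuration gaps:", result["config_gaps"])
    for key, sess in result["sessions"].items():
        print("session", key, sess)
```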

ZFW, ACLs and NAT

[Diagram: server 10.5.5.5 (real address) on 10.5.5.0/24 behind F0/1.1610 (ip nat inside, zone INSIDE, local address space); ZFW1 as .4 on both sides; client 172.18.2.20 on 172.18.2.0/24 behind F0/0 (ip nat outside, zone OUTSIDE, global address space); the server is translated to 172.18.2.5; zone policy INBOUND2 applied OUTSIDE >> INSIDE]

    ip nat inside source static 10.5.5.5 172.18.2.5

    ip access-list extended ACL2
     permit ip 172.18.2.0 0.0.0.255 host 10.5.5.5

    class-map type inspect match-any TOP-CLASS2
     match protocol tcp

    class-map type inspect match-all JOINT2
     match class-map TOP-CLASS2
     match access-group name ACL2

    policy-map type inspect POLICY2
     class type inspect JOINT2
      inspect TRACKING
     class class-default
      drop log

    zone-pair security INBOUND2 source OUTSIDE destination INSIDE
     service-policy type inspect POLICY2

Note that ACL2 references the real (untranslated) address 10.5.5.5 of the inside host, not its translated address 172.18.2.5.

ZFW, ACLs and NAT

[Same topology as the previous slide]

    %IPNAT-6-CREATED: tcp 10.5.5.5:23 172.18.2.5:23 172.18.2.20:15649 172.18.2.20:15649
    FIREWALL* sis 49AD2B40: Session Created
    FIREWALL* sis 49AD2B40: Pak 49182EC8 init_addr (172.18.2.20:15649) resp_addr (10.5.5.5:23) init_alt_addr (172.18.2.20:15649) resp_alt_addr (172.18.2.5:23)
    FIREWALL* sis 49AD2B40: FO cls 0x4ACDB960 clsgrp 0x10000000, target 0xA0000010, FO 0x49A56880, alert = 1, audit_trail = 1, L7 = Unknown-l7, PAMID = 2

    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INBOUND2:JOINT2): Start tcp session: initiator (172.18.2.20:15649) -- responder (10.5.5.5:23)

    ZFW1# show policy-firewall session
    Established Sessions = 1
     Session 49AD2B40 (172.18.2.20:15649)=>(10.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB
       Created 00:00:45, Last heard 00:00:40
       Bytes sent (initiator:responder) [48:101]

The NAT entry lists the real address (10.5.5.5) next to its translated address (172.18.2.5); the firewall session, the audit trail and the session table all record the real address.

ZFW: Transparent Mode Operation

[Diagram: R1 (10.5.5.1) and R2 (10.5.5.2) on the same subnet 10.5.5.0/24, with ZFW1 bridging F0/1.1610 (zone INSIDE) and F0/0 (zone OUTSIDE), both in bridge-group 1; zone policy OUTBOUND1 applied INSIDE >> OUTSIDE]

    class-map type inspect match-any BASIC1
     match protocol udp
     match protocol icmp
     match protocol tcp

    policy-map type inspect POLICY1
     class type inspect BASIC1
      inspect TRACKING
     class class-default
      drop log

    zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
     service-policy type inspect POLICY1

    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:BASIC1): Start tcp session: initiator (10.5.5.1:56643) -- responder (10.5.5.2:23)

    ZFW1# show policy-firewall session
    Established Sessions = 1
     Session 49AD3240 (10.5.5.1:56643)=>(10.5.5.2:23) tcp SIS_OPEN/TCP_ESTAB
       Created 00:00:25, Last heard 00:00:13
       Bytes sent (initiator:responder) [48:95]

ZFW: Use Case for Transparent Mode

[Diagram: ZFW1 bridging Fast0 (zone WIRELESS, towards the WIRELESS AP and WLAN client) and Fast1 (zone WIRED, towards hosts .101 and .102), all on 192.168.2.0/24; zone policy INBOUND1 applied WIRELESS >> WIRED]

    ip access-list extended ACL1
     permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.101 eq 25
     permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.102 eq 443

    class-map type inspect match-any BASIC1
     match protocol tcp

    class-map type inspect match-all JOINT1
     match class-map BASIC1
     match access-group name ACL1

    policy-map type inspect POLICY1
     class type inspect JOINT1
      inspect TRACKING
     class class-default
      drop log

    zone-pair security INBOUND1 source WIRELESS destination WIRED
     service-policy type inspect POLICY1

Only SMTP to .101 and HTTPS to .102 are allowed from the wireless segment, even though all hosts share the same 192.168.2.0/24 subnet.

ZFW and L7 Inspection: Use Case 1: FTP inspection within a NAT environment

[Diagram: client on 192.168.2.0/24 behind Fast0 (zone INSIDE, ip nat inside, local address space); ZFW1; FTP server 172.17.11.102 behind Fast1 (zone OUTSIDE, ip nat outside, global address space); from the inside the server is reached as 192.168.2.102; zone policy OUTBOUND1 applied INSIDE >> OUTSIDE]

    ip nat outside source static 172.17.11.102 192.168.2.102 add-route

    class-map type inspect match-any L7-CLASS1
     match protocol ftp

    policy-map type inspect POLICY1
     class type inspect L7-CLASS1
      inspect TRACKING
     class class-default
      drop log

    zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
     service-policy type inspect POLICY1

ZFW and L7 Inspection: Use Case 1: FTP inspection within a NAT environment

[Same topology as the previous slide]

FTP Control Session:

    %IPNAT-6-CREATED: tcp 192.168.2.72:36886 192.168.2.72:36886 192.168.2.102:21 172.17.11.102:21
    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:L7-CLASS1): Start ftp session: initiator (192.168.2.72:36886) -- responder (172.17.11.102:21)

Sample FTP Data Session:

    %IPNAT-6-CREATED: tcp 192.168.2.72:51974 192.168.2.72:51974 192.168.2.102:20 172.17.11.102:20
    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:L7-CLASS1): Start ftp-data session: initiator (172.17.11.102:20) -- responder (192.168.2.72:51974)
    %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:L7-CLASS1): Stop ftp-data session: initiator (172.17.11.102:20) sent 350 bytes -- responder (192.168.2.72:51974) sent 0 bytes

Because FTP is inspected at L7, the ftp-data connection that the server initiates from port 20 (in the reverse direction) is associated with the control session and accounted under the same zone-pair and class, with no separate rule for it.

ZFW and L7 Inspection: Use Case 2: L7 inspection on non-standard ports

[Diagram: client 192.168.2.200 on 192.168.2.0/24 behind Fast0 (zone INSIDE); ZFW1; web server 172.17.3.40 on 172.17.3.0/24 behind Fast1 (zone OUTSIDE); HTTP runs on ports 2002-2003; zone policy OUTBOUND1 applied INSIDE >> OUTSIDE]

Inspection of HTTP on non-standard ports:

    access-list 1 permit 172.17.3.40
    ip port-map http port tcp from 2002 to 2003 list 1

    class-map type inspect match-any HTTP-CLASS
     match protocol http

    policy-map type inspect POLICY1
     class type inspect HTTP-CLASS
      inspect TRACKING
     class class-default
      drop log

    zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
     service-policy type inspect POLICY1

ZFW and L7 Inspection: Use Case 2: L7 inspection on non-standard ports

[Same topology as the previous slide]

    ZFW1# show ip port-map http
    Default mapping: http tcp port 80 system defined
    Host specific: http tcp port 2002-2003 in list 1 user defined

HTTP Session (classified as L7 = http even though the port is 2002):

    FIREWALL* sis 84294160: Session Created
    FIREWALL* sis 84294160: Pak 83CBFCFC init_addr (192.168.2.200:1065) resp_addr (172.17.3.40:2002) init_alt_addr (192.168.2.200:1065) resp_alt_addr (172.17.3.40:2002)
    FIREWALL* sis 84294160: FO cls 0x84F8EB80 clsgrp 0x10000000, target 0xA0000000, FO 0x849600E0, alert = 1, audit_trail = 1, L7 = http, PAMID = 5
    FIREWALL* sis 84294160: Allocating L7 sis extension L4 = tcp, L7 = http, PAMID = 5
    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:HTTP-CLASS): Start http session: initiator (192.168.2.200:1065) -- responder (172.17.3.40:2002)

ZFW and L7 Inspection: Use Case 3: Filtering on HTTP Response Header

[Diagram: client 192.168.2.200 on 192.168.2.0/24 behind Fast0 (zone INSIDE); ZFW1; web server 172.17.3.30 on 172.17.3.0/24 behind Fast1 (zone OUTSIDE); zone policy OUTBOUND1 applied INSIDE >> OUTSIDE]

Application-specific class-map and policy-map:

    class-map type inspect http match-any HTTP1
     match response header set-cookie

    policy-map type inspect http WEB1
     class type inspect http HTTP1
      reset log

Top-level class-map and policy-map (the HTTP policy-map is nested under the inspect action):

    class-map type inspect match-any HTTP-CLASS
     match protocol http

    policy-map type inspect POLICY1
     class type inspect HTTP-CLASS
      inspect TRACKING
      service-policy http WEB1
     class class-default
      drop log

    zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
     service-policy type inspect POLICY1

ZFW and L7 Inspection: Use Case 3: Filtering on HTTP Response Header

[Same topology as the previous slide, with Fast1 labelled zone DMZ]

    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:HTTP-CLASS): Start http session: initiator (192.168.2.200:43005) -- responder (172.17.3.30:80)

    FIREWALL* sis 84283A40: match-info tocken in cce_sb 849BA240 - class 3221225494; filter 31; val1 0; val2 0; str set-cookie, log on, reset on
    %APPFW-4-HTTP_HDR_FIELD_REGEX_MATCHED: Header field (set-cookie) matched - resetting session 172.17.3.30:80 192.168.2.200:43005 on zone-pair OUTBOUND1 class HTTP-CLASS appl-class HTTP1

Use Case: ZFW and IPSec VPNs: Inspecting tunneled traffic

[Diagram: classic IPsec site-to-site tunnel between 172.16.201.1 and 172.16.200.1, terminating on the ZFW's interface f0 (zone VPN); 10.20.20.0/24 at the remote site, 10.21.21.0/24 on Vlan 10 (zone DMZ); zone policy VPN-DMZ applied VPN >> DMZ]

    access-list 120 permit ip 10.20.20.0 0.0.0.255 10.21.21.0 0.0.0.255

    class-map type inspect match-any APPS1
     match protocol syslog
     match protocol ftp
     match protocol icmp

    class-map type inspect match-all OUT1
     match class-map APPS1
     match access-group 120

    policy-map type inspect INBOUND1
     class type inspect OUT1
      inspect TRACKING
     class class-default
      drop log

    zone-pair security VPN-DMZ source VPN destination DMZ
     service-policy type inspect INBOUND1

Protocols allowed inside the tunnel: syslog, FTP and ICMP (class-map APPS1), restricted to the addresses in access-list 120.

ZFW: Inspection of Router Traffic: the system-defined zone “self” includes the router's own addresses

[Diagram: ZFW1 with subinterfaces F4.200 (towards 172.21.21.0/24, R1 at .21) and F4.201 (towards 172.20.20.0/24, R2 at .2) in zone OUTSIDE; the router's own addresses 10.10.10.1 and 172.20.20.1 form the zone self; 172.22.22.0/24 (.22) lies beyond R2; zone policy OUT-SELF applied OUTSIDE >> self]

    object-group network OUT1
     172.20.20.0 255.255.255.0

    object-group network RTR-ADDR
     host 10.10.10.1
     host 172.20.20.1

    ip access-list extended PING1
     permit icmp object-group OUT1 object-group RTR-ADDR echo

    class-map type inspect match-all ICMP1
     match access-group name PING1

    policy-map type inspect OUT-FW1
     class type inspect ICMP1
      inspect TRACKING
     class class-default
      drop log

    zone-pair security OUT-SELF source OUTSIDE destination self
     service-policy type inspect OUT-FW1

ZFW: Inspection of Router Traffic: the system-defined zone “self” includes the router's own addresses

[Same topology as the previous slide]

ICMP to router address 172.20.20.1 (from a valid source, 172.20.20.2) is permitted:

    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUT-SELF:ICMP1):Start icmp session: initiator (172.20.20.2:0) -- responder (172.20.20.1:0)

ICMP to router address 172.20.20.1 (from a non-acceptable source, 172.21.21.21) is dropped:

    %FW-6-DROP_PKT: Dropping icmp session 172.21.21.21:0 172.20.20.1:0 on zone-pair OUT-SELF class class-default due to DROP action found in policy-map with ip ident 0

The default operation of the ZFW is to allow traffic to and from the router interfaces.

The special zone called “self” handles router traffic.

Policies that involve the “self” zone are unidirectional in nature.

Zone Self: Use Cases

Control the addresses allowed to manage the ZFW router

Control the acceptable IPSec peers for the ZFW router

Determine the acceptable peers for IPv6 over v4 tunneling

Control the UC elements (Gateways, Gatekeepers, Call Managers) that can exchange signalling with the ZFW router

ZFW: Intrazone Policies (For Your Reference)

On IOS 12.X releases, traffic between interfaces belonging to the same zone was allowed to pass without inspection.

On IOS 12.X releases it was not possible to define intrazone ZFW policies:

    ZFW2(config)# zone-pair sec INTRAZONE2 source INSIDE destination INSIDE
    % Same zone cannot be defined as both the source and destination

Change in default behavior introduced by IOS 15.X:

Starting on IOS 15.0(1)M, intrazone traffic is blocked by default.

IOS 15.X allows the creation of intrazone policies (source and destination of traffic in the same zone).

ZFW: Sample Intrazone Policy

[Diagram: ZFW1 (.1 on both subnets) with Fast1 towards 10.10.6.0/24 (host .6) and Fast0 towards 10.10.10.0/24 (NTP Server .200), both interfaces in zone INSIDE; zone policy INTRAZONE1 applied INSIDE >> INSIDE]

    class-map type inspect match-any TOP-CLASS2
     match protocol icmp
     match protocol udp

    policy-map type inspect POLICY2
     class type inspect TOP-CLASS2
      inspect TRACKING
     class class-default
      drop log

    zone-pair security INTRAZONE1 source INSIDE destination INSIDE
     service-policy type inspect POLICY2

ZFW: Sample Intrazone Policy

[Same topology as the previous slide]

    ZFW1# show zone security INSIDE
    zone INSIDE
      Member Interfaces:
        FastEthernet0
        FastEthernet1

    ZFW1# show zone-pair security
    Zone-pair name INTRAZONE1
        Source-Zone INSIDE  Destination-Zone INSIDE
        service-policy POLICY2

    ZFW1# show policy-firewall session
    Established Sessions = 1
     Session 49CFB240 (10.10.6.6:123)=>(10.10.10.200:123) udp SIS_OPEN
       Created 00:00:29, Last heard 00:00:29
       Bytes sent (initiator:responder) [48:48]

User-based Firewall Features on Cisco IOS

User-based Access Control

Is there a way to grant access on a per-user basis? Is it possible to control access to any kind of application? Is there accounting support? Is this type of control stateful?

[Diagram: user1 and user2 reaching servers SRV1 and SRV2 through the firewall; the two questions to answer are “Who is the user?” and “What resource?”]

Basic Instrumentation for Identity: Auth-Proxy

[Diagram: End User 172.16.100.100 on 172.16.100.0/24 behind F1 of the gateway; SRV1 172.26.26.26 on 172.26.26.0/24 behind F0; CS-ACS on the Management Network]

1. User telnets to Server SRV1 (Telnet 172.26.26.26)

2. Auth-Proxy intercepts the packet and presents an authentication prompt to the user

3. ZFW consults the RADIUS Server

4. RADIUS Server replies with an Authorization Profile (or an Access-Reject)

5. User is allowed to access the Destination Host

Preparing for Auth-Proxy (For Your Reference)

    ! *** Instructing the NAS to receive, send and process RADIUS VSAs
    radius-server vsa send accounting
    radius-server vsa send authentication
    !
    ! *** Defining and using an AAA server-group called "RADIUS1" (AAA server definitions)
    aaa group server radius RADIUS1
     server 192.168.1.200 auth-port 1812 acct-port 1813
     server-private 192.168.1.200 auth-port 1812 acct-port 1813 key 7 #####
    !
    aaa authentication login default group RADIUS1
    aaa authorization network default group RADIUS1
    aaa authorization auth-proxy default group RADIUS1
    aaa accounting auth-proxy default start-stop group RADIUS1
    !
    ! *** Defining an ACL to be applied to the same interface as Auth-Proxy
    access-list 100 permit udp host 192.168.1.200 eq 1812 host 192.168.2.1
    access-list 100 permit udp host 192.168.1.200 eq 1813 host 192.168.2.1
    access-list 100 permit tcp any 172.26.26.0 0.0.0.255 eq telnet
    !
    ! *** Defining the Auth-Proxy policy to intercept Telnet traffic (Auth-Proxy triggering protocol)
    ip admission name ADMISSION1 proxy telnet
    !
    ! *** Applying the Auth-Proxy policy to interface F1 (Auth-Proxy incoming interface), enabling Auth-Proxy
    interface FastEthernet1
     ip access-group 100 in
     ip admission ADMISSION1

Auth-Proxy in action: Delivering Individual ACEs

ACS Definitions:

    ACS/Group Settings : GROUP1
    [009\001] cisco-av-pair
    priv-lvl=15
    proxyacl#1=permit tcp any any eq 22
    proxyacl#2=permit tcp any any eq 23

Auth-Proxy starts, the user is identified and the ACEs are received:

    ! *** Telnet Session is intercepted by Auth-Proxy process (before reaching interface ACL)
    AUTH-PROXY creates info:
        cliaddr - 172.16.100.100, cliport - 1562
        seraddr - 172.26.26.26, serport - 23
        ip-srcaddr 172.16.100.100
        pak-srcaddr 0.0.0.0
    ! *** NAS (IOS-Router) sends request to CS-ACS and receives individual ACEs (proxyacl)
    RADIUS(0000000C): Send Access-Request to 192.168.1.200:1812 id 1645/12, len 104
    RADIUS: authenticator 73 DC D7 7B 91 B4 61 38 - 4E 65 CB A5 B3 4F AD 9D
    RADIUS: User-Name [1] 7 "user1"
    ! […]
    RADIUS: Received from id 1645/12 192.168.1.200:1812, Access-Accept, len 148
    RADIUS: authenticator ED 65 FB F6 64 B9 33 6D - A3 5E B8 5F 14 36 D4 21
    RADIUS: Vendor, Cisco [26] 19
    RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
    RADIUS: Vendor, Cisco [26] 43
    RADIUS: Cisco AVpair [1] 37 "proxyacl#1=permit tcp any any eq 22"
    RADIUS: Vendor, Cisco [26] 43
    RADIUS: Cisco AVpair [1] 37 "proxyacl#2=permit tcp any any eq 23"

Auth-Proxy in action: Delivering Individual ACEs

User-IP mapping:

    IOS-FW# show ip auth-proxy cache
    Authentication Proxy Cache
     Client Name user1, Client IP 172.16.100.100, Port 1562, timeout 60, Time Remaining 60, state INTERCEPT

ACEs assigned to the user:

    ! *** Details about the current Auth-Proxy session
    IOS-FW# show epm session ip 172.16.100.100
        Admission feature : Authproxy
        AAA Policies :
        Proxy ACL : permit tcp any any eq 22
        Proxy ACL : permit tcp any any eq 23

Dynamic entries on the ACL:

    ! *** Viewing Dynamic Entries added to the interface ACL
    IOS-FW# show access-list 100
    Extended IP access list 100
         permit tcp host 172.16.100.100 any eq 22 (18 matches)
         permit tcp host 172.16.100.100 any eq telnet (70 matches)
        10 permit udp host 192.168.1.200 eq 1812 host 192.168.2.1 (1 match)
        20 permit udp host 192.168.1.200 eq 1813 host 192.168.2.1 (1 match)
        30 permit tcp any 172.26.26.0 0.0.0.255 eq telnet (2 matches)

Scalability and Manageability: Auth-Proxy with Downloadable ACLs

User identification; the name of the dACL is received:

    ! *** NAS sends Access Request to CS-ACS and receives name of the DACL to be applied
    RADIUS(00000006): Send Access-Request to 192.168.1.200:1812 id 1645/4, len 104
    RADIUS: authenticator 67 06 F7 BB F1 81 BE 96 - 29 2D C9 24 89 00 2B 31
    RADIUS: User-Name [1] 7 "user1"
    […]
    RADIUS: Received from id 1645/4 192.168.1.200:1812, Access-Accept, len 124
    RADIUS: authenticator 6D 19 94 84 EF C0 28 C3 - EF AB 8E FE 1F E9 7B 28
    RADIUS: Vendor, Cisco [26] 19
    RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
    RADIUS: Vendor, Cisco [26] 62
    RADIUS: Cisco AVpair [1] 56 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-DACL1-4aac618d"
    […]

The dACL name is used as the username in a second request:

    ! *** NAS sends second Access Request using DACL name as username (null password)
    RADIUS(00000000): Send Access-Request to 192.168.1.200:1812 id 1645/5, len 134
    RADIUS: authenticator 94 3C 9D F1 C1 93 25 2A - F3 9E DA C9 B0 15 FC B2
    RADIUS: NAS-IP-Address [4] 6 172.21.21.1
    RADIUS: User-Name [1] 28 "#ACSACL#-IP-DACL1-4aac618d"
    RADIUS: Vendor, Cisco [26] 32
    RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
    RADIUS: Vendor, Cisco [26] 30
    RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
    !

Individual ACEs are downloaded:

    ! *** ACS sends second Response containing the individual entries of the Downloadable ACL
    RADIUS: Received from id 1645/5 192.168.1.200:1812, Access-Accept, len 179
    RADIUS: authenticator 69 A2 A7 BB 15 AF 3C EB - A3 D7 12 F0 F5 04 54 F2
    RADIUS: Vendor, Cisco [26] 43
    RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80"
    RADIUS: Vendor, Cisco [26] 43
    RADIUS: Cisco AVpair [1] 37 "ip:inacl#2=permit icmp any any echo"

Scalability and Manageability: Auth-Proxy with Downloadable ACLs

User-IP mapping and dACL assigned to the user:

    IOS-FW# show ip auth-proxy cache
    Authentication Proxy Cache
     Client Name user1, Client IP 172.16.100.100, Port 1085, timeout 60, Time Remaining 60, state INTERCEPT

    IOS-FW# show epm session ip 172.16.100.100
        Admission feature : Authproxy
        AAA Policies :
        ACS ACL : xACSACLx-IP-DACL1-4aac618d

dACL details (after Auth-Proxy, “user1” uses the PING and WWW services):

    IOS-FW# show access-list
    Extended IP access list 100
         permit tcp host 172.16.100.100 any eq www (12 matches)
         permit icmp host 172.16.100.100 any echo (4 matches)
        10 permit udp host 192.168.1.200 eq 1812 host 192.168.2.1 (2 matches)
        20 permit udp host 192.168.1.200 eq 1813 host 192.168.2.1 (2 matches)
        30 permit tcp any 172.26.26.0 0.0.0.255 eq telnet (31 matches)
    Extended IP access list xACSACLx-IP-DACL1-4aac618d (per-user)
        10 permit tcp any any eq www
        20 permit icmp any any echo

User-based Zone Firewall

Topology (diagram): End User 172.16.100.100 on 172.16.100.0/24, connected to F1 (Zone INSIDE) of ZFW1; F0 (Zone OUTSIDE) leads to the 172.26.26.0/24 gateway and SRV1 (.26); CS-ACS sits on the Management Network. Zone policy OUTBOUND1 applies from INSIDE to OUTSIDE and Auth-Proxy runs on the INSIDE interface.

1. User telnets to Server
2. Auth-Proxy intercepts the packet and a prompt is presented to the user
3. RADIUS Server sends the "supplicant-group" VSA to the IOS-FW
4. User-to-group mapping is created
5. Zone Policy Firewall rules are applied on a per-group basis


User-based ZFW: Receiving Group Information

! ACS definitions: Group Settings for group ENG, cisco-av-pair [009\001]
priv-lvl=15
supplicant-group=ENG

! Router receives "supplicant-group"
RADIUS: Received from id 1645/21 192.168.1.200:1812, Access-Accept, len 93
RADIUS:  authenticator 43 A9 2F 23 EC 7F 7B 19 - B5 AF 6D 1B 40 81 85 25
RADIUS:  Vendor, Cisco       [26]  19
RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
RADIUS:  Vendor, Cisco       [26]  31
RADIUS:   Cisco AVpair       [1]   25  "supplicant-group=ENG"

ZFW1# show ip auth-proxy cache
Authentication Proxy Cache
 Client Name user1, Client IP 172.16.100.100, Port 1108, timeout 60, Time Remaining 60, state INTERCEPT
!
! Supplicant-group visibility
ZFW1# show epm session ip 172.16.100.100
    Admission feature : Authproxy
    AAA Policies :
    Supplicant-Group : ENG
!
! Local usergroup information
ZFW1# show user-group
Usergroup : ENG
------------------------------------------------------------------------
User Name            Type     Interface        Learn     Age (min)
------------------------------------------------------------------------
172.16.100.100       IPv4     FastEthernet1    Dynamic   0


User-based ZFW: Leveraging Group Information

! Matching on "user-group"
class-map type inspect match-all ENG1
 match user-group ENG
 match protocol tcp
class-map type inspect match-all ENG2
 match user-group ENG
 match protocol icmp
class-map type inspect match-all MKT1
 match user-group MKT
 match protocol tcp
!
policy-map type inspect OUT1
 class type inspect ENG1
  inspect
 class type inspect ENG2
  inspect
  police rate 32000 burst 6000
 class type inspect MKT1
  inspect
 class class-default
  drop log

The user-based firewall renders Auth-Proxy stateful: instead of installing per-user ACEs (the dACL approach of the previous slides), the group learned over RADIUS selects an inspect class, so the user's traffic is tracked by the ZFW session table, can be policed per group, and anything outside the permitted groups and protocols falls into class-default and is dropped and logged.

! Zone definitions
! * Defining zones and zone-pairs
zone security INSIDE
zone security OUTSIDE
!
zone-pair security OUTBOUND source INSIDE destination OUTSIDE
 service-policy type inspect OUT1
!
! * Defining an Auth-Proxy policy to intercept Telnet traffic
ip admission name ADMISSION1 proxy telnet inactivity-time 60
!
! * Assigning interfaces to zones and applying the Auth-Proxy policy
interface FastEthernet1
 ip admission ADMISSION1
 zone-member security INSIDE
!
interface FastEthernet0
 zone-member security OUTSIDE


New Development: IP/SGT Mapping on ISR G2 (Dot1X on the embedded switch)

Topology (diagram): host connected to the EHWIC-SW embedded switch module of ISR-EDGE2; ISR-EDGE2 talks to the Identity Services Engine (ISE). Steps 1 to 3 below are the numbered arrows.

1. The Dot1X process is used to obtain user credentials on the embedded switch
2. RADIUS authentication takes place
3. ISE sends the Security Group Tag (SGT) as a RADIUS authorization attribute

The SGT/IP mapping is available on the ISR device regardless of whether user authentication was performed using Dot1X or Auth-Proxy.


New Development: IP/SGT Mapping on ISR G2 (Auth-Proxy)

Topology (diagram): host 192.168.12.12 behind ISR-EDGE1; ISR-EDGE1 talks to the Identity Services Engine (ISE). Steps 1 to 3 below are the numbered arrows.

1. The Auth-Proxy process is used to obtain user credentials
2. RADIUS authentication takes place
3. ISE sends the Security Group Tag (SGT) as a RADIUS authorization attribute

ISR-EDGE1# show epm session ip 192.168.12.12
    Admission feature: AUTHPROXY
    AAA Policies:
    SGT: 0004-0


SXP: SGT Exchange Protocol

Topology (diagram): ISR-EDGE1 (SXP Speaker) ---- SXP ----> ISR-CENTRAL (SXP Listener). The edge learned the bindings locally (LOCAL for the authenticated host, INTERNAL for its own addresses); the central router learned all of them over SXP.

ISR-EDGE1# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
===================================
172.19.37.1             2       INTERNAL
172.19.38.1             2       INTERNAL
192.168.2.25            2       INTERNAL
192.168.10.2            2       INTERNAL
192.168.11.1            2       INTERNAL
192.168.12.1            2       INTERNAL
192.168.12.12           4       LOCAL

IP-SGT Active Bindings Summary
====================================
Total number of LOCAL    bindings = 1
Total number of INTERNAL bindings = 6
Total number of active   bindings = 7

ISR-CENTRAL# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
====================================
172.19.37.1             2       SXP
172.19.38.1             2       SXP
192.168.2.25            2       SXP
192.168.10.2            2       SXP
192.168.11.1            2       SXP
192.168.12.1            2       SXP
192.168.12.12           4       SXP

IP-SGT Active Bindings Summary
====================================
Total number of SXP      bindings = 7
Total number of active   bindings = 7


Building ZFW Policies based on Security Group Tags

Topology (diagram): edge routers Edge-1, Edge-2 ... Edge-n feed IP-to-SGT bindings (for example 192.168.1.1 -> SGT 3) to ISR-CENTRAL, whose F1 is in Zone INSIDE and F0 in Zone OUTSIDE. Incoming packets (header and data) are classified by looking up their source IP address in the IP-SGT table; no inline tag is required on the packet itself.

class-map type inspect match-all EMPLOYEES
 match class-map CLASS1
 match class-map SGT1
!
class-map type inspect match-any CLASS1
 match protocol http
 match protocol telnet
 match protocol ssh
 match protocol icmp
!
class-map type inspect match-any SGT1
 match security-group source tag 3


Additional Layers of Security: Advanced Filtering Resources


Revisiting the IP Header (For Your Reference)

IPv4 header, 32 bits per row:
Vers (4) | Hlen (4) | TOS (8) | Total Length (16)
Identification (16) | Flags (3) | Fragment Offset (13)
TTL (8) | Protocol (8) | Header Checksum (16)
SRC IP Address (32)
DST IP Address (32)
(IP Options) (Pad)

Vers: version number.
Hlen: IP header length, measured in 4-byte (32-bit) words; the Pad ensures the header length is exactly a multiple of 32 bits.
Total Length: total IP datagram length, measured in octets (including payload and header).
Flags field: Rsvd (=0), DF, MF.
TTL: Time to Live, decremented by 1 unit by each router along the path.
Protocol: indicates the upper-layer protocol.
Header Checksum: provides integrity of the IP header.


How Fragments Are Created (For Your Reference)

The original datagram carries 600 bytes of L3 data behind its IP header. With 160 bytes of data per fragment it becomes four fragments of 160, 160, 160 and 120 bytes (Fragment 1 to Fragment 4), each carrying its own copy of the IP header (Header 1 to Header 4) with the same ID number.

          Total   L3 Data  ID      Rsvd DF  MF  Fragment Offset         Flags+Offset
          Length  Length   Number  Bit  Bit Bit (multiple of 8 bytes)   field
Original  620     600      0x6E81  0    0   0   0                       0x0000
Frag 1    180     160      0x6E81  0    0   1   0                       0x2000
Frag 2    180     160      0x6E81  0    0   1   160 = 8 x 20 (0x14)     0x2014
Frag 3    180     160      0x6E81  0    0   1   320 = 8 x 40 (0x28)     0x2028
Frag 4    140     120      0x6E81  0    0   0   480 = 8 x 60 (0x3C)     0x003C

The last column is the 16-bit Flags plus Fragment Offset field as it appears on the wire: MF is bit 13 (0x2000), so every fragment except the last has 0x2000 set, and the low 13 bits hold the offset in 8-byte units. Only the first fragment (offset 0) carries the L4 header.


Examples of Fragmentation-based Attacks (For Your Reference)

Tiny Fragment Attack: employs very small fragments, crafted so that part of the L4 header (for instance the TCP Flags field) travels in the second fragment. The attacker hopes that only the first fragment will be examined and that the remaining ones will be allowed through.

Overlapping Fragments Attack: the offset of one fragment overlaps with the data already covered by another. This attack class may be used either to cause DoS (as with the UDP Teardrop exploit) or to overwrite the data portion of earlier fragments in the chain and circumvent defense systems.

Overflowing the Reassembly Buffer: an excessive number of incomplete datagrams is left waiting for reassembly in the receiving host (or in a stateful device that reassembles on its behalf).


Handling IP Fragmentation

IOS-FW# show access-list 101
Extended IP access list 101
    10 permit tcp any any fragments (1081 matches)
    20 permit tcp any any (1082 matches)
    30 permit udp any any fragments (360 matches)
    40 permit udp any any (361 matches)
    50 permit icmp any any fragments
    60 permit icmp any any
    70 permit ip any any fragments
    80 permit ip any any

The keyword 'fragments' on IOS ACLs matches non-initial fragments only; the initial fragment, which carries the L4 header, falls through to the following entry (hence 1081 non-initial fragments on line 10 against 1082 packets on line 20).

This kind of ACL may be used to provide quick visibility of the types of traffic generating fragments (TCP, UDP, ICMP, etc.).


Handling IP Fragmentation: Virtual Fragment Reassembly (VFR)

! Excess fragments per packet
interface FastEthernet1
 ip virtual-reassembly max-fragments 3

%IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet1: Too many fragments per datagram (more than 3) - sent by 172.18.2.122, destined to 172.18.1.30

! Fragment table overflow
interface FastEthernet1
 ip virtual-reassembly max-fragments 5 max-reassemblies 100 timeout 8
!
IOS-FW# show ip virtual-reassembly f1
FastEthernet1:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 100
   Fragments per reassembly (max-fragments): 5
   Reassembly timeout (timeout): 8 seconds
   Drop fragments: OFF

   Current reassembly count:100
   Current fragment count:300
   Total reassembly count:0
   Total reassembly timeout count:53

%IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet1: the fragment table has reached its maximum threshold 100

The second output is what a reassembly-buffer attack looks like from the firewall: all 100 reassembly slots are held by incomplete datagrams, none has ever completed (total reassembly count 0) and 53 have already timed out. max-reassemblies and timeout bound the resources the attacker can tie up; max-fragments bounds the per-datagram fragment count.
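The fragment arithmetic of the 620-byte datagram table and the three attack classes listed above, as an added example (not IOS code): a fragmenter that produces the slide's Flags+Offset values, and a checker that applies the per-datagram checks a reassembler such as VFR needs. The minimum initial-fragment data size (20 bytes, a full TCP header) and the problem codes are assumptions of this example.

```python
"""IPv4 fragmentation arithmetic and the reassembly checks behind the
tiny-fragment, overlapping-fragment and reassembly-buffer attacks.

Added example, not IOS code. min_first_data=20 (a full TCP header in the
first fragment) is an assumption chosen for this example."""
from dataclasses import dataclass

IP_HDR = 20            # header length without options
FLAG_DF, FLAG_MF = 0x4000, 0x2000
OFFSET_MASK = 0x1FFF   # 13-bit offset in 8-byte units


@dataclass(frozen=True)
class Fragment:
    ident: int          # Identification, shared by all fragments of one datagram
    flags_offset: int   # the 16-bit Flags + Fragment Offset field as on the wire
    data: bytes

    @property
    def total_length(self) -> int:
        return IP_HDR + len(self.data)

    @property
    def offset(self) -> int:            # byte offset of this data within the datagram
        return (self.flags_offset & OFFSET_MASK) * 8

    @property
    def more(self) -> bool:
        return bool(self.flags_offset & FLAG_MF)

    @property
    def end(self) -> int:
        return self.offset + len(self.data)


def fragment(ident: int, payload: bytes, mtu: int) -> list:
    """Split `payload` into fragments fitting `mtu`; every fragment except the
    last carries a multiple of 8 data bytes because the offset counts 8-byte units."""
    chunk = (mtu - IP_HDR) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU leaves no room for data")
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        more = FLAG_MF if off + len(data) < len(payload) else 0
        frags.append(Fragment(ident, more | (off // 8), data))
    return frags


def flags_offset_table(frags: list) -> list:
    """(total length, data length, flags+offset field) per fragment, like the slide's table."""
    return [(f.total_length, len(f.data), f"0x{f.flags_offset:04X}") for f in frags]


def check_chain(frags: list, max_fragments: int = 5, min_first_data: int = 20) -> list:
    """Problems a reassembler should raise for one datagram's fragments, [] if clean.
    Codes: too-many, tiny-first, overlap, gap, incomplete."""
    if not frags:
        return ["incomplete"]
    problems = []
    if len(frags) > max_fragments:                      # VFR: max-fragments
        problems.append("too-many")
    chain = sorted(frags, key=lambda f: f.offset)
    first = chain[0]
    # Tiny fragment: an initial fragment (offset 0, MF set) that stops before the
    # end of the L4 header leaves the TCP flags (and ports) for fragment 2.
    if first.offset == 0 and first.more and len(first.data) < min_first_data:
        problems.append("tiny-first")
    for prev, cur in zip(chain, chain[1:]):
        if cur.offset < prev.end:                       # overlapping fragments (Teardrop style)
            problems.append("overlap")
        elif cur.offset > prev.end:
            problems.append("gap")
    if chain[-1].more:                                  # never completes: holds a reassembly slot
        problems.append("incomplete")
    return problems


if __name__ == "__main__":
    for row in flags_offset_table(fragment(0x6E81, bytes(600), 180)):
        print(row)
```

With an MTU of 180 the fragmenter reproduces the slide's 0x2000, 0x2014, 0x2028 and 0x003C, and a max_fragments of 3 flags the same four-fragment datagram as "too-many", which is the condition behind the %IP_VFR-4-TOO_MANY_FRAGMENTS message.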


Filtering based on the IP TTL Field

IOS-FW# show access-list TTL
Extended IP access list TTL
    10 deny tcp any any ttl lt 30 log (5 matches)
    20 deny udp any any ttl lt 30 log
    30 deny icmp any any ttl lt 30 log
    40 permit tcp any host 172.16.251.251 eq www (2 matches)
    50 permit tcp any host 172.16.251.251 eq 443

! Denied due to low TTL
%SEC-6-IPACCESSLOGP: list TTL denied tcp 172.16.250.202(17002) -> 172.16.251.251(80), 1 packet

! The low TTL is also visible in Flexible NetFlow: 172.16.250.202 arrives with TTL 12
IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 source address ipv4 protocol ipv4 ttl
Processed 3 flows
Aggregated to 3 flows

IPV4 SRC ADDR    IP PROT  IP TTL       flows      bytes       pkts
===============  =======  ======  ==========  =========  =========
172.16.250.201         6      37           1        500          1
172.16.250.202         6      12           1        500          1
172.16.250.208         6      50           1        500          1

A packet whose TTL is too low to reach the protected host is not legitimate traffic for it; such packets are typical of TTL-based evasion, where an attacker inserts segments that an intermediate sensor sees but the end host never receives. The threshold (30 here) must be set from the real hop count to the protected hosts.


Revisiting the TCP and UDP Headers (For Your Reference)

TCP header (20 bytes without options), bit positions 0-15 | 16-31:
Src port (16) | Dest. port (16)
Sequence # (32)
Acknowledgement # (32)
HLEN (4) | RSVD (6) | FLAGS (6: URG ACK PSH RST SYN FIN) | Window Size (16)
Checksum (16) | Urgent Pointer (16)
(TCP Options)

TCP Flags field:
Flag  Meaning
URG   Urgent Pointer field is valid
ACK   Acknowledgment field is valid
PSH   This segment requests a push
RST   Reset the connection
SYN   Synchronize sequence numbers
FIN   End of byte stream for sender

UDP datagram (8-byte header), bit positions 0-15 | 16-31:
Source Port (16) | Destination Port (16)
Length (16) | UDP Checksum (16)
Data (if any)


Filtering based on the TCP Flags field

IOS-FW# show access-list TCPFLAGS
Extended IP access list TCPFLAGS
    10 deny tcp any any match-all +fin +psh +urg
    20 deny tcp any any match-all -ack -fin -psh -rst -syn -urg
    30 deny tcp any any match-all +ack +rst
    40 permit tcp any any match-all -ack -fin -psh -rst +syn -urg
    50 permit tcp any any match-all +ack -fin -psh -rst -syn -urg
    60 permit tcp any any match-all +ack +psh -syn -urg
    70 permit tcp any any match-all -ack -psh +rst -syn -urg

Flags field value encoded by each entry's '+' flags (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20):
    10: Flags = 41 = 0x29 (FIN+PSH+URG, the "Xmas" combination)
    20: Flags = 0 = 0x00 (no flags set, a "null" segment)
    30: Flags = 20 = 0x14 (ACK+RST)
    40: Flags = 2 = 0x02 (SYN only: connection request)
    50: Flags = 16 = 0x10 (ACK only)
    60: Flags = 24 = 0x18 (ACK+PSH)
    70: Flags = 4 = 0x04 (RST only; FIN is not named, so RST+FIN matches too)

'match-all' requires every named flag to be in the stated state ('+' set, '-' clear) and ignores the flags that are not named, so entry 30 also catches 0x15, 0x16 and 0x17. Anything that matches no entry hits the implicit deny; with this list that includes SYN+ACK (0x12), which is correct for the server-bound direction shown but would break the reverse direction if the list were applied there.

IOS-FW# show flow monitor FLEX1 cache aggregate transport tcp flags transport destination-port ipv4 destination address
Processed 15 flows
Aggregated to 4 flows

IPV4 DST ADDR    TRNS DST PORT  TCP FLAGS       flows      bytes   pkts
===============  =============  =========  ==========  =========  =====
172.16.251.251              80       0x14           4        640      4
172.16.251.251              80       0x15           4        640      4
172.16.251.251              80       0x16           4        640      4
172.16.251.251              80       0x17           3        480      3

All four combinations reported by Flexible NetFlow have ACK and RST set and are therefore denied by entry 30.
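The 'match-all' semantics of the TCPFLAGS list above, as an added example (not IOS code): a parser that turns each entry into a mask/value pair and a first-match lookup with the implicit deny. The ACL text is the slide's; the flag bit values are the standard TCP ones.

```python
"""Evaluate IOS 'match-all' TCP-flag ACEs against a TCP Flags byte:
'+flag' must be set, '-flag' must be clear, flags not named are ignored.
Added example, not IOS code; ACL_TCPFLAGS is the list on the slide."""
import re

FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

ACL_TCPFLAGS = """\
10 deny tcp any any match-all +fin +psh +urg
20 deny tcp any any match-all -ack -fin -psh -rst -syn -urg
30 deny tcp any any match-all +ack +rst
40 permit tcp any any match-all -ack -fin -psh -rst +syn -urg
50 permit tcp any any match-all +ack -fin -psh -rst -syn -urg
60 permit tcp any any match-all +ack +psh -syn -urg
70 permit tcp any any match-all -ack -psh +rst -syn -urg
"""


def parse_ace(line: str) -> tuple:
    """-> (sequence, action, mask, value): the bits in `mask` are tested and must equal `value`."""
    seq, action, rest = line.split(None, 2)
    mask = value = 0
    for sign, name in re.findall(r"([+-])(fin|syn|rst|psh|ack|urg)\b", rest):
        bit = FLAG_BITS[name]
        mask |= bit
        if sign == "+":
            value |= bit
    return int(seq), action, mask, value


def parse_acl(text: str) -> list:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def lookup(acl: list, flags: int) -> tuple:
    """First matching entry wins; falling off the end is the implicit deny."""
    for seq, action, mask, value in acl:
        if flags & mask == value:
            return seq, action
    return None, "deny"


def asserted_flags(acl: list) -> list:
    """The Flags value each entry's '+' flags encode (the slide's 'Flags = ...' column)."""
    return [(seq, value) for seq, _, _, value in acl]


def flags(*names: str) -> int:
    """Flags byte from flag names, e.g. flags('syn', 'ack') == 0x12."""
    return sum(FLAG_BITS[n] for n in names)


if __name__ == "__main__":
    acl = parse_acl(ACL_TCPFLAGS)
    for f in (0x29, 0x00, 0x14, 0x15, 0x02, 0x10, 0x18, 0x04, 0x12):
        print(f"0x{f:02x} -> {lookup(acl, f)}")
```

Running the NetFlow values 0x14 to 0x17 through lookup() lands all of them on entry 30, and SYN+ACK (0x12) on the implicit deny, which is the directionality caveat to keep in mind before reusing the list elsewhere.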


What if an attack is based on a different header field?

The Flexible Packet Matching (FPM) feature enables you to define advanced filtering based on IP, TCP, UDP and ICMP header fields. The fields are described by Protocol Header Definition Files (PHDFs) loaded into the router:

IOS-FW(config)# load protocol flash:udp.phdf

IOS-FW# show protocols phdf udp
Protocol ID: 3
Protocol name: UDP
Description: UDP-Protocol
Original file name: flash:udp.phdf
Header length: 8
Constraint(s):
Total number of fields: 5
Field id: 0, source-port, UDP-Source-Port
   Fixed offset. offset 0
   Constant length. Length: 16
Field id: 1, dest-port, UDP-Destination-Port
   Fixed offset. offset 16
   Constant length. Length: 16
Field id: 2, length, UDP-Packet-Length
   Fixed offset. offset 32
   Constant length. Length: 16
Field id: 3, checksum, UDP-Checksum
   Fixed offset. offset 48
   Constant length. Length: 16
Field id: 4, payload-start, UDP-Payload-Start
   Fixed offset. offset 64
   Constant length. Length: 0

The offsets and lengths are in bits and map one-to-one onto the UDP datagram: Source Port (16) | Destination Port (16), Length (16) | UDP Checksum (16), then Data (if any), whose start (payload-start) is at bit 64, i.e. byte 8.


Use Case: Flexible Packet Matching. Suppose a new attack has the following characteristics:

The attack is directed to TCP port 600.

It uses a string of 4 bytes containing the word "worm" (or case variants of it).

The attack string is located at a 16-byte offset from the beginning of the TCP payload.

The attack string may appear anywhere within a 10-byte window starting at that offset.


FPM Capabilities: TCP Example

IOS-FW(config)# class-map type access-control match-all FPM1
IOS-FW(config-cmap)# match field ?
  ICMP   ICMP-Protocol
  IP     IP-Protocol
  TCP    TCP-Protocol
  UDP    UDP-Protocol
  layer  Match Protocol Layer
IOS-FW(config-cmap)# match field TCP ?
  acknum          TCP-Acknowledgement-Number
  checksum        TCP-Checksum-Value
  control-bits    TCP-Control-Bits-Number
  data-offset     TCP-Data-Offset-Number
  dest-port       TCP-Destination-Port
  ecn             TCP-ECN-Number
  payload-start   TCP-Payload-Start
  reserved        TCP-Reserved-Number
  seqnum          TCP-Sequence-Number
  source-port     TCP-Source-Port
  urgent-pointer  TCP-Urgent-Pointer
  window          TCP-Window-Size

Every TCP header field defined in the TCP PHDF, plus the payload start, is available as a match criterion.


Flexible Packet Matching (FPM) in action (For Your Reference)

! Stack class: IP followed by TCP (protocol 6)
class-map type stack match-all IP-TCP
 match field IP protocol eq 0x6 next TCP
!
! Access-control class: destination port 600 and the regex applied to a 10-byte window at TCP payload offset 16
class-map type access-control match-all CLASS1
 match field TCP dest-port eq 600
 match start TCP payload-start offset 16 size 10 regex ".*[Ww][Oo][Rr][Mm]"
!
policy-map type access-control POLICY1
 class CLASS1
  drop log
!
! The stack policy selects IP/TCP packets and hands them to POLICY1
policy-map type access-control FPM1
 class IP-TCP
  service-policy POLICY1
!
interface FastEthernet0/0
 service-policy type access-control input FPM1

Resulting log message:
%SEC-6-IPACCESSLOGP: list CLASS1 denied tcp 172.16.210.120(18045) (FastEthernet0/0 ) -> 172.16.211.11(600), 1 packet

Two caveats: FPM is stateless and matches one packet at a time, so a string split across two segments or across fragments is not seen (combine it with VFR for the fragment case), and the 'size' value bounds the search, so a string that starts inside the window but ends beyond it does not match.


Sample Attacks blocked by FPM (For Your Reference)

Ethernet Packet: 80 bytes
  Dest Addr: 0012.DAD2.6203, Source Addr: 0000.0000.0000
  Protocol: 0x0800
IP  Version: 0x4, HdrLen: 0x5, TOS: 0x40 (Prec=Immediate)
    Length: 66, ID: 0x5208, Flags-Offset: 0x0000
    TTL: 60, Protocol: 6 (TCP), Checksum: 0x2EC6 (OK)
    Source: 172.16.210.105, Dest: 172.16.211.31
TCP Src Port: 8000, Dest Port: 600
    Seq #: 0x00000000, Ack #: 0x00000000, Hdr_Len: 5
    Flags: 0x02 SYN, Window: 0, Checksum: 0xB9B3 (OK)
    Urgent Pointer: 0
Data:
    0 : 0000 0000 0000 0000 0000 0000 0001 0108 7468 6531   ................the1
   20 : 774F 526D 3275                                      wORm2u

Variant 1 (changing only the data portion):
Data:
    0 : 0000 0000 0000 0000 0000 0000 0001 0108 774F 526D   ................wORm
   20 : 4167 6169 6E31                                      Again1

Variant 2 (changing only the data portion):
Data:
    0 : 0000 0000 0000 0000 0000 0000 0001 0108 7468 656E   ................then
   20 : 6577 574F 524D                                      ewWORM

In all three packets the 10-byte window at payload offset 16 (bytes 16 to 25: "the1wORm2u", "wORmAgain1", "thenewWORM") contains a case variant of "worm", so CLASS1 matches wherever the string sits inside the window.
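The CLASS1 match of the previous slide run over the three packets above, as an added example (not IOS code): the packets are rebuilt from the slide's decode (addresses, ports, TOS, ID, TTL and payload are the slide's; checksums are left at zero, which FPM does not validate either), and the match is a plain regex over the same 10-byte window FPM inspects.

```python
"""The FPM CLASS1 match (TCP dest-port 600, then .*[Ww][Oo][Rr][Mm] over a
10-byte window at TCP payload offset 16) applied to the slide's packets.

Added example, not IOS code. Packets are rebuilt from the slide's decode
with zero checksums."""
import re
import struct

IP_PROTO_TCP = 6
FPM_DEST_PORT = 600
FPM_OFFSET, FPM_SIZE = 16, 10                    # "match start TCP payload-start offset 16 size 10"
FPM_REGEX = re.compile(rb".*[Ww][Oo][Rr][Mm]")   # "regex .*[Ww][Oo][Rr][Mm]"

# Hex dumps transcribed from the slide: 16 bytes of padding, then the 10-byte window.
SLIDE_PAYLOADS = {
    "original": "0000 0000 0000 0000 0000 0000 0001 0108 7468 6531 774F 526D 3275",
    "variant1": "0000 0000 0000 0000 0000 0000 0001 0108 774F 526D 4167 6169 6E31",
    "variant2": "0000 0000 0000 0000 0000 0000 0001 0108 7468 656E 6577 574F 524D",
}


def payload(name: str) -> bytes:
    return bytes.fromhex(SLIDE_PAYLOADS[name])


def build_packet(dst_port: int, data: bytes, src="172.16.210.105", dst="172.16.211.31") -> bytes:
    """Minimal IPv4/TCP SYN like the slide's: TOS 0x40, ID 0x5208, TTL 60, src port 8000."""
    tcp = struct.pack("!HHIIBBHHH", 8000, dst_port, 0, 0, 5 << 4, 0x02, 0, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x40, 20 + len(tcp), 0x5208, 0, 60, IP_PROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def tcp_fields(pkt: bytes):
    """-> (dest port, TCP payload), or None when the packet is not IPv4/TCP (class IP-TCP)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IP_PROTO_TCP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total]
    if len(tcp) < 20:
        return None
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4
    return dport, tcp[data_offset:]


def fpm_class1(pkt: bytes) -> bool:
    """True when class-map CLASS1 matches and POLICY1 would 'drop log' the packet."""
    fields = tcp_fields(pkt)
    if fields is None:
        return False
    dport, data = fields
    if dport != FPM_DEST_PORT:                              # match field TCP dest-port eq 600
        return False
    window = data[FPM_OFFSET:FPM_OFFSET + FPM_SIZE]        # only these 10 bytes are searched
    return FPM_REGEX.match(window) is not None


if __name__ == "__main__":
    for name in SLIDE_PAYLOADS:
        print(name, fpm_class1(build_packet(600, payload(name))))
```

Besides the three slide packets (all matched, 66 bytes each like the slide's decode), the cases worth trying are the ones the policy deliberately does not catch: the same payload to port 601, "worm" placed before offset 16, and a string that starts inside the window but ends one byte beyond it.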


New Development for ISR G2: Content Scanning with ScanSafe for IOS (For Your Reference)

Diagram: ISR-G2 between the users and the Internet, with the three numbered steps of the redirection of web traffic to the ScanSafe proxies (towers).

parameter-map type content-scan global
 server scansafe primary name proxy2261.scansafe.net port http 8080 https 8080
 server scansafe secondary name proxy1363.scansafe.net port http 8080 https 8080
 license 0 CD4B25B79D131F08ABCDEFABCDEFFFFF
 source interface Dialer1
 timeout server 30
 user-group ciscogroup10 username ciscouser10
 server scansafe on-failure block-all
!
interface Dialer1
 ip nat outside
 content-scan out
 [ ... ]

'server scansafe on-failure block-all' makes the feature fail closed: if neither tower answers within the server timeout, web traffic is blocked rather than forwarded unscanned.


New Development for ISR G2: Content Scanning with ScanSafe for IOS (For Your Reference)

IOS# show content-scan summary
Primary: 201.94.155.42 (Up)*
Secondary: 70.39.231.99 (Up)
Interfaces: Dialer1

IOS# show content-scan statistics
Current HTTP sessions: 0
Current HTTPS sessions: 0
Total HTTP sessions: 83
Total HTTPS sessions: 8
White-listed sessions: 0
Time of last reset: never

IOS# show content-scan session active
Protocol  Source                Destination           Bytes          Time
HTTP      172.19.99.101:57152   209.222.159.185:80    (1635:331595)  00:00:12
          URI: www.maa.org
          Username/usergroup(s): ciscouser10/ ciscogroup10
HTTP      172.19.99.101:57153   209.222.159.185:80    (2157:53326)   00:00:12
          URI: www.maa.org
          Username/usergroup(s): ciscouser10/ ciscogroup10
HTTP      172.19.99.101:57161   74.125.234.10:80      (1525:833)     00:00:09
          URI: www.google-analytics.com
          Username/usergroup(s): ciscouser10/ ciscogroup10


IPv6 Security Features on IOS


IOS IPv6 ACLs

Basic IPv6 ACL (action, protocol, sources, destinations, optional line number):
ipv6 access-list ACL-NAME
 {deny | permit} {protocol} {src-prefix/prefix-length} {dst-prefix/prefix-length} [sequence ACE#]

Specifying L4 information (service):
ipv6 access-list ACL-NAME
 {deny | permit} {tcp | udp} {src-prefix/prefix-length} [src-port] {dst-prefix/prefix-length} [dest-port]

Associating an IPv6 ACL to an interface:
interface FastEthernet0/0
 ipv6 traffic-filter V6-ACL1 in


IOS IPv6 ACLs: Filtering Options (For Your Reference)

V6-FW(config-ipv6-acl)# permit ipv6 any any ?
  auth              Match on authentication header
  dest-option       Destination Option header (all types)
  dest-option-type  Destination Option header with type
  dscp              Match packets with given dscp value
  flow-label        Flow label
  fragments         Check non-initial fragments
  log               Log matches against this entry
  log-input         Log matches against this entry, including input
  mobility          Mobility header (all types)
  mobility-type     Mobility header with type
  reflect           Create reflexive access list entry
  routing           Routing header (all types)
  routing-type      Routing header with type
  sequence          Sequence number for this entry
  time-range        Specify a time-range
  <cr>

The extension-header keywords are the IPv6-specific part: routing-type, for instance, is what you use to drop Type 0 Routing Header packets (deprecated by RFC 5095), and dest-option-type and mobility-type give the same granularity for the other extension headers.


ZFW for IPv6: Use Case 1

Topology (diagram): host 2001:db8::5 on 2001:db8::/64, attached to F1 (Zone INSIDE) of ZFW6; 2001:db8:0:1111::/64 behind F0 (Zone OUTSIDE). OUTBOUND1 is the zone policy from INSIDE outwards.

zone-pair security OUTBOUND1 source INSIDE destination DMZ
 service-policy type inspect POLICY1
!
policy-map type inspect POLICY1
 class type inspect GENERIC-V6
  inspect TRACKING
 class class-default
  drop log
!
class-map type inspect match-any GENERIC-V6
 match protocol tcp
 match protocol udp
 match protocol icmp

Note that the zone-pair names its destination zone DMZ while the diagram labels the F0 zone OUTSIDE; the name in the zone-pair must be the zone the outbound interface is actually a member of. TRACKING is a parameter-map type inspect whose definition is not on the slide; alert = 1 and audit_trail = 1 in the debug below show it enables alerts and the audit trail.

Debug output for a UDP session (port 123, inspected as generic UDP since no L7 engine applies):
FIREWALL* sis 49FA6440: Session Created
FIREWALL* sis 49FA6440: IPv6 address extention Created
FIREWALL* sis 49FA6440: Pak 497651C8 init_addr ([2001:DB8::5]:123) resp_addr ([2001:DB8:0:1111::2]:123)
FIREWALL* sis 49FA6440: FO cls 0x489C3100 clsgrp 0x20000000, target 0xA0000000, FO 0x4A91F6C0, alert = 1, audit_trail = 1, L7 = Unknown-l7, PAMID = 0


ZFW for IPv6: Use Case 2

Topology (diagram): FTP client 2001:db8:0:2222::103 (Zone INSIDE) and FTP server 2001:db8:0:BBBB::102 (Zone OUTSIDE) on either side of ZFW6; OUTBOUND1 is the zone policy from INSIDE to OUTSIDE.

zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
 service-policy type inspect POLICY1
!
policy-map type inspect POLICY1
 class type inspect V6-FTP
  inspect TRACKING
 class class-default
  drop log
!
class-map type inspect match-any V6-FTP
 match protocol ftp

Application-specific policy is supported for FTP over IPv6: the inspect action follows the control channel and opens the data connection on demand.


ZFW for IPv6: Use Case 2 (audit trail)

Same topology: FTP client 2001:db8:0:2222::103 (Zone INSIDE), FTP server 2001:db8:0:BBBB::102 (Zone OUTSIDE), OUTBOUND1 zone policy on ZFW6.

%IPV6_FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:V6-FTP):Start ftp session: initiator ([2001:DB8:0:2222::103]:2510) -- responder ([2001:DB8:0:BBBB::102]:21)
%IPV6_FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:V6-FTP):Start ftp-data session: initiator ([2001:DB8:0:BBBB::102]:20) -- responder ([2001:DB8:0:2222::103]:2512)
%IPV6_FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:V6-FTP):Stop ftp-data session initiator ([2001:DB8:0:BBBB::102]:20) sent 39 bytes -- responder ([2001:DB8:0:2222::103]:2512) sent 0 bytes
%IPV6_FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:V6-FTP):Stop ftp session initiator ([2001:DB8:0:2222::103]:2510) sent 147 bytes -- responder ([2001:DB8:0:BBBB::102]:21) sent 418 bytes

The second message is the point of application inspection: the ftp-data session is initiated by the server (port 20, OUTSIDE) towards port 2512 on the client (INSIDE), the direction the OUTBOUND1 pair would otherwise drop, and it is admitted only because FTP inspection learned that port from the control channel.


Firewall Placement: IPv6 Tunneling

Diagram: IPv6 Domain 1 (IPv6 host) -- Dual Stack Router -- IPv4 Backbone carrying the tunnel (IPv6 over IPv4) -- Dual Stack Router (R2) -- IPv6 Transit Network -- IPv6 Domain 2 (IPv6 host). The segments at both ends and the transit network carry native IPv6 (IPv6 Header | IPv6 Data); inside the IPv4 backbone the same packets are encapsulated.

Encapsulations seen on the IPv4 backbone:
IPv6 in IPv4:   IPv4 Header (IPv4 Protocol Type = 41) | IPv6 Header | IPv6 Data
IPv6 over GRE:  IPv4 Header (IPv4 Protocol Type = 47 = GRE) | GRE Header | IPv6 Header | IPv6 Data

Detailed IPv6 inspection (a dedicated IPv6 firewall, the ZFW in the diagram) belongs where the traffic is native IPv6, that is at or beyond the tunnel endpoint; a device in the IPv4 backbone only sees protocol 41 or 47 datagrams and cannot apply an IPv6 policy to them.


Sample IPv6 over IPv4 Static Tunnel (For Your Reference)

Topology (diagram, left to right): 2001:DB8::/64 behind ZFW (f0/0.1201, Loopback 1 172.22.22.241/32), the IPv4 network, R2 (f0/0.1202, Loopback 1 172.22.22.242/32) with 2001:DB8:5555::/64 behind it; the IPv4 LANs 172.22.1.0/24 and 172.22.2.0/24 are shown on the ZFW and R2 sides respectively.

! ZFW
interface Tunnel1
 no ip address
 ipv6 address 2001:DB8:0:1111::1/64
 ipv6 enable
 tunnel source 172.22.22.241
 tunnel destination 172.22.22.242
 tunnel mode ipv6ip
!
ipv6 route 2001:DB8:5555::/64 Tunnel1

ZFW# show interface tunnel 1 | include Tunnel
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Tunnel source 172.22.22.241, destination 172.22.22.242
  Tunnel protocol/transport IPv6/IP
  Tunnel TTL 255
  Tunnel transport MTU 1480 bytes

! R2
interface Tunnel1
 no ip address
 ipv6 address 2001:DB8:0:1111::2/64
 ipv6 enable
 tunnel source 172.22.22.242
 tunnel destination 172.22.22.241
 tunnel mode ipv6ip
!
ipv6 route 2001:DB8::/64 Tunnel1

The transport MTU of 1480 bytes is the 1500-byte Ethernet MTU minus the 20-byte IPv4 header added by the encapsulation.


ZFW Use Case 3: Tunneling Scenario (Inspecting the IPv6 Traffic)

Topology (diagram): 2001:DB8::/64 behind ZFW (zone INSIDE); the IPv6 over IPv4 tunnel across the underlying IPv4 network is the zone OUTSIDE side; 2001:DB8:5555::/64 at the far end.

interface Tunnel1
 no ip address
 ipv6 address 2001:DB8:0:1111::1/64
 ipv6 enable
 tunnel source 172.22.22.241
 tunnel destination 172.22.22.242
 zone-member security OUTSIDE
 tunnel mode ipv6ip
!
ipv6 route 2001:DB8:5555::/64 Tunnel1
!
zone-pair security INBOUND1 source OUTSIDE destination INSIDE
 service-policy type inspect POLICY1

The tunnel interface itself is the OUTSIDE zone member, so the ZFW, being the tunnel endpoint, applies POLICY1 to the decapsulated IPv6 packets; before decapsulation they are IPv4 protocol-41 datagrams that a policy on the physical IPv4 interface could not inspect as IPv6.


Some other security features available for IPv6

Virtual Fragment Reassembly (VFR)
Antispoofing with uRPF
Detailed visibility with Flexible NetFlow:

flow record FLEXRECORD6
 match ipv6 traffic-class
 match ipv6 protocol
 match ipv6 source address
 match ipv6 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing next-hop address ipv6
 collect ipv6 next-header
 collect ipv6 hop-limit
 collect ipv6 payload-length
 collect ipv6 extension map
 collect ipv6 fragmentation flags
 collect ipv6 fragmentation offset
 collect ipv6 fragmentation id
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
!
flow exporter FLEXNETFLOW
 destination 192.168.1.114
 source FastEthernet0/0
 transport udp 2055
!
flow monitor FLEX6
 record FLEXRECORD6
 exporter FLEXNETFLOW

V6-FW# show flow monitor FLEX6 cache aggregate ipv6 source address transport icmp ipv6 type transport icmp ipv6 code
Processed 3 flows
Aggregated to 3 flows

IPV6 SOURCE ADDRESS: 2001:DB8::5
ICMP IPV6 TYPE: 128
ICMP IPV6 CODE: 0
counter flows: 1
counter bytes: 86000
counter packets: 86

ICMPv6 type 128, code 0 is Echo Request: 86 pings of 1000 bytes each from 2001:DB8::5. The extension-header map, hop limit and fragmentation fields collected by FLEXRECORD6 are the ones to watch for IPv6-specific evasion (fragmented or extension-header-laden packets), which is why they are collected alongside the usual 5-tuple.


Key Takeaways: What You Learned

IOS Security features are well suited for branch deployments

How to build Zone-based Firewall policies (from basic to advanced)

How to use identity-based features on IOS, including the user-based ZFW

IOS software is under constant development, and one of its recent features uses SGT/IP mapping (from the TrustSec architecture) to build more scalable firewall policies

How to leverage advanced filtering resources such as special-purpose ACLs and Flexible Packet Matching (FPM)

How to use ISR G2 routers to direct traffic to ScanSafe towers for content scanning

Which IPv6 security functionalities are already available on IOS


Recommended Reading


Blog: alexandremspmoraes.wordpress.com

Twitter: alexandre_mspm


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.


Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042

Come see demos of many key solutions and products in the main Cisco booth 2924

Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!

Follow Cisco Live! using social media: ‒ Facebook: https://www.facebook.com/ciscoliveus

‒ Twitter: https://twitter.com/#!/CiscoLive

‒ LinkedIn Group: http://linkd.in/CiscoLI
