IOS Firewall

IOS Firewall• IOS: Cisco’s Internetwork Operating System (the primary system running on Cisco’s routers)

• IOS Firewall: a stateful packet-filter firewall that runs on a router, providing firewall capabilities

• CBAC: Context-Based Access Control (at the core of the IOS Firewall functionality

Network Security 2

IOS Firewall Features

• Major subsystems:– SPI: Stateful Packet Inspection– CBAC: Context-Based Access Control– IOS IPS: Intrusion Prevention System– User-level authentication– PAM: Port-to-Application Mapping– NAT– ZFW: Zone-Based Policy Firewall

• Other security features:– IPsec, AAA support, ACLs, …

T. A. Yang

Network Security 3

CBAC (Context-Based Access Control)• Replaced by ZFW (Zone-based Policy

Firewall)• Implement packet filtering on a Cisco

router (similar to ASA on Cisco PIX)

• Three basic functionalities:1. Dynamic modification of the extended

access lists– To allow connections initiated from the inside

2. Inspection of the application/transport level protocols ~= multimedia support in PIX

3. Control of the number/length of sessionsT. A. Yang

Network Security 4

CBAC Functions

1. Dynamic traffic filtering (based on upper-layer protocols)

– In principle, only traffic that originates from the trusted network and goes out to the untrusted network are allowed.

– Set up ACLs to open holes for inbound access to inside servers

– Set up the router to inspect outbound packets

T. A. Yang

Network Security 5

CBAC Functions

T. A. Yang

2. Application-aware traffic inspection– Keep track of the associated sessions i.e., a

stateful packet filter

• Maintains TCP and UDP connections, which provide necessary info to perform deep packet inspection in the payload for malicious activities

Network Security 6

CBAC Functions3. Alerts and audit trails

– Real-time event alerts • SYSLOG notification messages

– Enhanced audit trails • for all the session information maintained in the state

table• Uses SYSLOG to track all network transactions• Record information such as source/destination host

addresses, ports used, the total number of transmitted bytes with time stamps, etc.

• Good for session-based reporting, anomaly identification, …

T. A. Yang

Network Security 7

How does IOS maintain session state information?

• State Information Structure (SIS)– A SIS is created for each logical session.– The SIS uniquely identifies a connection

using the IP and the port#.– When necessary, other info such as TCP

connection state, TCP sequence number, etc. are also maintained.

– The SIS is deleted when the associated session/connection is terminated.

T. A. Yang

CBAC Mechanisms, 1/4

• Packet inspection– Per-protocol inspection– ACL filtering (inbound, outbound) is performed first

before CBAC inspection– Track sequence numbers in all TCP packets

• Timeout and threshold values– determine when to drop sessions that do not become

fully established (aka embryonic sessions)1. # of half-open TCP or UDP sessions

2. # of half-open sessions based on time

3. # of per-host half-open TCP sessions

T. A. Yang Network Security 8


• The session state table maintains SIS entries– Sample SIS entry: Session 25A4E53 (10.1.1.1:11006) => (20.1.1.1:23) tcp SIS_OPEN

– Return traffic are permitted back through the firewall only if an entry in the state table indicates that the packet belongs to a permissible session.

• UDP connections– Examine the UDP packet and determine whether it is similar to

the UDP packet exited earlier– Returning UDP packets are checked within the idle timeout

period to ensure they have the corresponding source/destination IP addresses and port numbers



• Dynamic ACL entries– Dynamically adds and removes ACL entries at the firewall

interfaces– For traffic originated inside, an ACL entry is temporarily added

(so returned traffic for that session may be inspected)

• Embryonic (half-open) sessions– Monitors the total number of half-open connections and the rate

of session establishment attempts for both TCP and UDP– Controlling the number of embryonic connections helps prevent

DoS attacks– When the number of embryonic connections exceeds the specific

threshold, CBAC will delete subsequent half-open sessions as required to accommodate new incoming connections



• Per-Host DoS Prevention– For TCP traffic only– When the number of half-open TCP connections

exceeds the threshold, CBAC blocks all subsequent connections to that host for the specified block-time

prevent SYNC flood


Two modes of inspections

• Single-channel, or generic, TCP/UDP inspection– The return traffic must have the same

source/destination IP address and port numbers– Must be within the sequence number window

• Application-specific inspection– Takes precedence over the generic inspection– Many application-layer protocols are supported (CU-

SeeMe, FTP, H.323, HTTP, ICMP, …)


Network Security 13

Other CBAC functionality

• Out-of-sequence TCP packets are dropped.• TCP packets with invalid sequence numbers

are dropped.• The reassembly of IP packets is not supported

(as in PIX firewall).• Does not inspect packets originated by the IOS

Firewall router.• ICMP packets are not inspected. (They are

manually managed using static ACLs).• ICMP unreachable packets are ignored.

T. A. Yang

Zone-Based Policy Firewall (ZFW)• After IOS release 12.4(6)T• Switched from the interface-based inspection model (as

in CBAC) to a zone-based inspection model

• Changes– Traffic passing through an interface do not need to be inspected

the same way (as in interface-based model)– Interfaces are assigned to zones– Policy inspection is applied to traffic moving btwn zones

• Benefits– Higher granularity– Flexibility– scalability


Network Security 15

Features of IOS Firewall

• Transport Layer Inspection• Application Layer Inspection• Filtering for Invalid Commands• Java Blocking• Safeguarding against DoS attacks• Fragment handling

T. A. Yang

IOS Firewall

Documents

Transcript of IOS Firewall