Cisco young fighter course: protect the perimeter with a router
Without pretending to be complete, I will try to describe the technologies that can be used to protect the perimeter.
We will consider iOS with a firewall feature set. This set of features, as a rule, is in all iOS (in which there is encryption), except for the most basic one.
So, let a cisco router stand on the edge of our network, which is designed to ensure the security of our internal resources.
We protect traffic.
First of all, it makes sense to cut unnecessary traffic in the simplest and coarsest way - access lists.
Access Control Lists (ACLs, Access Control List) for the IP protocol - on cisco routers are standard (check only the source ip address and allow or block traffic through this parameter) andextended (check source and destination addresses, transmission protocol, source and destination ports, as well as other header fields of IP, TCP, UDP and other protocols).
The order of the lines in the access list is very important, because these lines are checked in order, and as soon as a match is found, the packet will either be skipped or destroyed
At the end of any ACL, invisibly “deny everything” is definitely worth it, so the packet will not slip past the ACL.
Access lists are numbered and named. I recommend using named with semantic names.
Examples:
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip any 192.168.1.0 0.0.0.255
ip access-list standard TEST
permit host 1.2.3.4
ip access-list extended TEST2
permit tcp any 10.1.1.0 0.0.0.255 eq http
permit tcp any 10.1.1.0 0.0.0.255 eq https
permit udp any 10.1.1.0 0.0.0.255 eq 53
permit ip any 10.1.1.0 0.0.0.255 dscp cs5
Access lists are templates that can be used both to filter traffic and as a selection criterion for other technologies. For example, access lists define "interesting" traffic for encryption, for NAT, for QoS, etc.
The access list itself does nothing until it is applied to any technology. For example, to filter the traffic on the interface for input or output, the ACL is used with the ip access-group <ACL name> {in | out} command
It is traditionally recommended to hang the so-called anti-spoofing ACLs on the external interface, i.e. Preventing attacks from fake addresses.
Example:
ip access-list ex ANTISPOOFING
deny ip host 0.0.0.0 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 255.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
permit ip any any
Important: with this ACL you have to be very careful if you work with encrypted IPSec tunnels. The fact is that the ACL hanging on the input of the interface checks first the header of the encrypted packet, and then the header of the decrypted one.
Therefore, the prohibition of traffic from private networks (10, 172, 192) can disrupt the operation of the tunnel.
So, we cut unnecessary traffic. It's time to do some firewalling. It is necessary to provide internal Internet users, but not to let unauthorized connections from outside to inside. Cisco routers are able to be stateful firewall sessions.
If your tasks are simple, there are no dedicated security zones, there is no announcement of services outside, then it is easiest to use a basic firewall.
To do this, create an ip inspect rule, describe the protocols that you want to process and remember sessions, attach this rule to the interface and ... that’s all :) The router will remember the sessions that were initiated from the inside, and only those packets that “pass through” ordered. " If the incoming packet does not correspond to any session, then the router further checks the ACL hanging on the interface for the presence of an allow rule for this packet.
Config example:
Ro (config) # ip inspect name FW tcp
Ro (config) # ip inspect name FW udp
Ro (config) # ip inspect name FW icmp
Ro (config) # ip inspect name FW ftp
Ro (config) # ip inspect name FW sip
TCP - listens to TCP session.
UDP - listens to UDR sessions.
the remaining lines include wiretapping and processing of the corresponding protocol, because its work is more complicated than just skipping the
response packet of a TCP / UDP session. For example, the FTP protocol has one service channel through which coordination and authentication takes place, and data is transmitted through a completely different channel, with the session trying to initiate from the outside and the router will not miss it. And if you enable inspection, the router eavesdrops on the service session, finds out on which ports the server and client have agreed to send data, and this session will also be placed in the list of allowed.
Let f0 / 0 be the external one, and f0 / 1 be the internal interface
Ro (config) # int f0 / 1
Ro (config-if) # ip inspect FW in
The rule is hung on the input of the internal or output of the external interface, i.e. in the directionto EXIT traffic outside .
A strict ACL hangs on the external interface, which misses almost nothing from the outside, for example
Ro (config) # ip access-l ex STRICT
Ro (config-ex-nacl) # deny ip any any
Ro (config) # int f0 / 0
Ro ( config-if) # ip access-g STRICT in
In the given variant, only those packets that were requested from the inside will go outside.
There is a subtlety: ACL STRICT simultaneously prohibits all traffic to the router itself, because By default, router traffic does not fall into the inspected. To inspect router traffic, add
Ro (config) # ip inspect name FW router
If the tasks are complex, you need to create different security zones (demilitarized zones, DMZ), flexibly configure the operation of protocols between these zones, then it is better to use the so-called zone-based firewall. I will not describe it here, because it is no longer for a young fighter :)
How else can you protect traffic passing through the router?
intrusion prevention system (IPS), intermediate authentication (cut-through proxy), protocol evaluation (ip nbar technology), queuing (QoS).
I’ll tell you more about them. Later :)
Sergey Fedorov
We will consider iOS with a firewall feature set. This set of features, as a rule, is in all iOS (in which there is encryption), except for the most basic one.
So, let a cisco router stand on the edge of our network, which is designed to ensure the security of our internal resources.
We protect traffic.
First of all, it makes sense to cut unnecessary traffic in the simplest and coarsest way - access lists.
Access Control Lists (ACLs, Access Control List) for the IP protocol - on cisco routers are standard (check only the source ip address and allow or block traffic through this parameter) andextended (check source and destination addresses, transmission protocol, source and destination ports, as well as other header fields of IP, TCP, UDP and other protocols).
The order of the lines in the access list is very important, because these lines are checked in order, and as soon as a match is found, the packet will either be skipped or destroyed
At the end of any ACL, invisibly “deny everything” is definitely worth it, so the packet will not slip past the ACL.
Access lists are numbered and named. I recommend using named with semantic names.
Examples:
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip any 192.168.1.0 0.0.0.255
ip access-list standard TEST
permit host 1.2.3.4
ip access-list extended TEST2
permit tcp any 10.1.1.0 0.0.0.255 eq http
permit tcp any 10.1.1.0 0.0.0.255 eq https
permit udp any 10.1.1.0 0.0.0.255 eq 53
permit ip any 10.1.1.0 0.0.0.255 dscp cs5
Access lists are templates that can be used both to filter traffic and as a selection criterion for other technologies. For example, access lists define "interesting" traffic for encryption, for NAT, for QoS, etc.
The access list itself does nothing until it is applied to any technology. For example, to filter the traffic on the interface for input or output, the ACL is used with the ip access-group <ACL name> {in | out} command
It is traditionally recommended to hang the so-called anti-spoofing ACLs on the external interface, i.e. Preventing attacks from fake addresses.
Example:
ip access-list ex ANTISPOOFING
deny ip host 0.0.0.0 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 255.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
permit ip any any
Important: with this ACL you have to be very careful if you work with encrypted IPSec tunnels. The fact is that the ACL hanging on the input of the interface checks first the header of the encrypted packet, and then the header of the decrypted one.
Therefore, the prohibition of traffic from private networks (10, 172, 192) can disrupt the operation of the tunnel.
So, we cut unnecessary traffic. It's time to do some firewalling. It is necessary to provide internal Internet users, but not to let unauthorized connections from outside to inside. Cisco routers are able to be stateful firewall sessions.
If your tasks are simple, there are no dedicated security zones, there is no announcement of services outside, then it is easiest to use a basic firewall.
To do this, create an ip inspect rule, describe the protocols that you want to process and remember sessions, attach this rule to the interface and ... that’s all :) The router will remember the sessions that were initiated from the inside, and only those packets that “pass through” ordered. " If the incoming packet does not correspond to any session, then the router further checks the ACL hanging on the interface for the presence of an allow rule for this packet.
Config example:
Ro (config) # ip inspect name FW tcp
Ro (config) # ip inspect name FW udp
Ro (config) # ip inspect name FW icmp
Ro (config) # ip inspect name FW ftp
Ro (config) # ip inspect name FW sip
TCP - listens to TCP session.
UDP - listens to UDR sessions.
the remaining lines include wiretapping and processing of the corresponding protocol, because its work is more complicated than just skipping the
response packet of a TCP / UDP session. For example, the FTP protocol has one service channel through which coordination and authentication takes place, and data is transmitted through a completely different channel, with the session trying to initiate from the outside and the router will not miss it. And if you enable inspection, the router eavesdrops on the service session, finds out on which ports the server and client have agreed to send data, and this session will also be placed in the list of allowed.
Let f0 / 0 be the external one, and f0 / 1 be the internal interface
Ro (config) # int f0 / 1
Ro (config-if) # ip inspect FW in
The rule is hung on the input of the internal or output of the external interface, i.e. in the directionto EXIT traffic outside .
A strict ACL hangs on the external interface, which misses almost nothing from the outside, for example
Ro (config) # ip access-l ex STRICT
Ro (config-ex-nacl) # deny ip any any
Ro (config) # int f0 / 0
Ro ( config-if) # ip access-g STRICT in
In the given variant, only those packets that were requested from the inside will go outside.
There is a subtlety: ACL STRICT simultaneously prohibits all traffic to the router itself, because By default, router traffic does not fall into the inspected. To inspect router traffic, add
Ro (config) # ip inspect name FW router
If the tasks are complex, you need to create different security zones (demilitarized zones, DMZ), flexibly configure the operation of protocols between these zones, then it is better to use the so-called zone-based firewall. I will not describe it here, because it is no longer for a young fighter :)
How else can you protect traffic passing through the router?
intrusion prevention system (IPS), intermediate authentication (cut-through proxy), protocol evaluation (ip nbar technology), queuing (QoS).
I’ll tell you more about them. Later :)
Sergey Fedorov