5.2 Cisco IOS firewalls and NAT
5.2.a CBAC
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html
http://packetlife.net/blog/2009/mar/10/ios-context-based-access-control-cbac/
Filters TCP & UDP based on application layer protocol session information. Does deep packet inspection.
ip inspect name MyCBAC ftp
ip inspect name MyCBAC smtp
ip inspect name MyCBAC tcp
int fa0/0
 ip inspect MyCBAC in
Also need an ACL on the interface: CBAC adds temporary entries to it so that only the return traffic of inspected sessions is allowed back through.
5.2.b Zone-based firewall
Stateful firewall - creates zones instead of ACLs. Interfaces are assigned to zones, security policies are assigned to traffic between zones. Zones are security borders. Default policy between zones is deny all. Can drop, pass or inspect traffic passing between zones.
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
Supports Stateful packet inspection, VRF-aware, URL filtering, DoS mitigation
http://packetlife.net/blog/2012/jan/30/ios-zone-based-firewall/
zone security Zone1
zone security Zone2
int fa0/0
 zone-member security Zone1
int fa0/1
 zone-member security Zone2
zone-pair security Zone1->Zone2 source Zone1 destination Zone2
policy-map type inspect trusted
 class class-default
  pass
zone-pair security Zone1->Zone2
 service-policy type inspect trusted
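A fuller zone-based firewall configuration, added here as an example (it is not from the page or from Cisco's design guide): instead of passing everything with class-default, it inspects a defined set of protocols from an inside zone to an outside zone and drops (and logs) the rest. Zone names, interface names and the protocol list are assumptions.

```cisco
! Added example, not page code. Zone and interface names are assumed.
zone security INSIDE
zone security OUTSIDE
!
interface FastEthernet0/0
 description Inside LAN (assumed)
 zone-member security INSIDE
!
interface FastEthernet0/1
 description Outside / Internet (assumed)
 zone-member security OUTSIDE
!
! Layer 7 class: only these protocols are allowed out of INSIDE, and they are
! tracked statefully so the return traffic is permitted without an ACL.
class-map type inspect match-any IN-TO-OUT-PROTOCOLS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-PROTOCOLS
  inspect
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
!
! No OUTSIDE->INSIDE zone-pair exists, so unsolicited inbound traffic hits the
! default deny between zones; only replies to inspected sessions come back.
!
! Verification:
! show zone-pair security
! show policy-map type inspect zone-pair IN-TO-OUT sessions
```

The difference from the short snippet above is the action: `pass` forwards traffic without creating state, so a `pass` policy needs a matching zone-pair in the reverse direction before replies get through, whereas `inspect` records the session and lets the return traffic in on its own.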
5.2.c Port-to-application mapping
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c8.html
PAM - enables CBAC-supported applications to be run on non-standard ports. Customize TCP or UDP port numbers for network services or applications. Establishes a table of default port-to-application mappings at the firewall.
User-Defined Port Mapping - can specify a range of ports; saved with the default mapping information.
Host-Specific Port Mapping - port mapping for specific hosts or subnets. Can map HTTP on port 8000 to one host, and Telnet on 8000 to a different host.
When to use:
- to apply a non-standard port number for a service or application
- a specific host or subnet uses a port for an app that is different to the default in the PAM table
- different hosts use the same port number for different applications
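The following is an added example (not from the page or from the Cisco PAM guide) that ties the PAM cases above to the CBAC section: a host-specific mapping so that one internal server on TCP 8000 is inspected as HTTP, a user-defined global mapping for FTP on a non-standard port, and the CBAC rule plus inbound ACL that use them. Addresses, interface names and the ACL number are assumptions.

```cisco
! Added example, not page code. Addresses and interfaces are assumed values.
!
! Host-specific mapping: standard ACL 10 selects the host(s) it applies to,
! so TCP 8000 is treated as HTTP only for 10.1.1.50.
access-list 10 permit host 10.1.1.50
ip port-map http port 8000 list 10
!
! User-defined mapping (no ACL): TCP 2121 is treated as FTP for every host.
ip port-map ftp port 2121
!
! CBAC inspection rule; PAM tells CBAC which application inspector to apply
! on the mapped ports, generic tcp/udp cover everything else.
ip inspect name MyCBAC http
ip inspect name MyCBAC ftp
ip inspect name MyCBAC tcp
ip inspect name MyCBAC udp
!
! Inbound ACL on the outside interface: deny by default. CBAC inserts
! temporary entries ahead of this ACL for the return traffic of sessions it
! inspected on the way out.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 deny ip any any log
!
interface FastEthernet0/1
 description Outside (assumed)
 ip access-group OUTSIDE-IN in
 ip inspect MyCBAC out
!
! Verification:
! show ip port-map          - default, user-defined and host-specific entries
! show ip inspect sessions  - state entries created by the inspection rule
```

Without the `list 10` mapping, a client on the inside connecting to 10.1.1.50:8000 would be handled by the generic `tcp` inspector only; with it, the HTTP inspector is applied to that host alone, while port 8000 on any other host keeps whatever mapping the PAM table has for it.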
5.2.d Identity-based firewalling
See previous post about IDFW. Links into Microsoft AD...
5.3 Cisco Intrusion Prevention Systems (IPS)
5.4 Cisco IOS IPS
http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7.html
http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_signature_engines.html#wp1138148
Supports standardized regex.
Inline or Promiscuous
Analysis engine - packet analysis & alert detection - virtual sensors are created in the Analysis engine.
Sensors receive data from monitored streams. A virtual sensor is a collection of data defined by a set of configuration policies. Default is vs0.
MainApp - initializes system, stops/starts other applications. Contains:
- ctlTransSource - allows sensors to send control transactions
- Event Store - stores IPS events
- InterfaceApp - handles bypass & physical settings, defines paired interfaces
- Logger - writes all log messages
- Attack Response Controller (ARC) - manages remote network devices to provide blocking capabilities. Creates and applies ACLs on controlled network devices, or shun command on firewalls
- NotificationApp - sends SNMP traps
- Web Server (SDEE) - web interface
- AuthenticationApp
SensorApp - analysis engine - packet capture & analysis:
- Time processor
- Deny filters processor
- Signature Event Action processor - does resets, IP log, deny packets/flow/attacker, alert, block host/connection, generate SNMP trap, capture trigger packet
- Statistics processor
- L2 processor
- Database processor
- Fragment reassembly processor
- Stream reassembly processor
- Signature analysis processor
- Slave dispatch processor
CollaborationApp - interfaces MainApp & SensorApp
CLI - user roles:
- Viewer - can view configurations and events - no modification
- Operator - can view everything & modify signature tuning, virtual sensor definition, managed routers, and their own user password
- Administrator
- Service - can only use the bash shell - only one service account
Signature engines:
AIC - analysis of web traffic, and FTP
Atomic - L3&L4 attributes, standard regex
- Atomic ARP
- Atomic IP Advanced - IPv6 L3 & ICMPv6 L4
- Atomic IP - IP protocol packets & L4 transport protocols
- Atomic IPv6 - Detects two IOS vulnerabilities that are triggered by malformed IPv6 traffic. Inspects ND protocol types 133/134/135/136/137
IPv6 limitations:
- Cannot detect L4 field if packets are fragmented so the L4 identifier does not appear in the first packet
- Cannot detect L4 attacks in flows w/ packets fragmented by IPv6 (no fragment reassembly)
- Cannot detect attacks w/ tunnelled flows
- Limited checks provided for the fragmentation header
- AIM IPS and NME IPS do not support IPv6 features
- Anomaly detection does not support IPv6 traffic - only IPv4
- Rate limiting & blocking not supported for IPv4 traffic
Fixed - parallel regular expression matches up to a fixed depth - ICMP, TCP, UDP
Flood - detects floods - flood Host & Flood Net.
Meta - Defines events
Multi String - L4 matching several strings for one signature - inspects stream-based TCP, UDP & ICMP
Normalizer - RFC compliance. Cannot add custom signatures, but can tune existing
Service
- DNS
- FTP
- Generic
- H225
- HTTP
- IDENT
- MSRPC
- MSSQL
- NTP
- P2P
- RPC
- SMB Advanced
- SNMP
- SSH
- TNS
State - searches strings
String - search on regex - Sweep & Sweep other TCP
Traffic Anomaly - detects worms
Traffic ICMP - detects TFN2k, LOKI and DDOS
Trojan - BO2K & TFN2K and UDP
Event Actions:
Alert & Log Actions
- produce-alert - writes evIdsAlert to Event Store
- produce-verbose-alert - includes encoded dump
- log-attacker-packets - starts IP logging w/ attacker address
- log-victim-packets - starts IP logging w/ victim address
- log-pair-packets - does both of the above (inline only)
- request-snmp-trap - sends request to NotificationApp
Deny Actions
- deny-packet-inline - does not transmit this packet
- deny-connection-inline - does not transmit this packet & future packets on the TCP flow
- deny-attacker-victim-pair-inline - attacker/victim pair
- deny-attacker-service-pair-inline - attacker/port pair
- deny-attacker-inline - does not transmit this packet & future packets from the attacker for a specific period of time - uses dACL
- modify-packet-inline - modifies packet to remove ambiguity - see normalizer
Other Actions
- request-block-connection - requests ARC to block the connection
- request-block-host - requests ARC to block the attacker host
- request-rate-limit
- reset-tcp-connection - TCP resets
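Event actions are normally assigned per signature, but the sensor also applies event action overrides by risk rating. The session below is an added example (not from the page or the Cisco CLI guide) on an IPS 7.0 sensor: it enables deny-packet-inline for events with risk rating 90-100 and produce-alert for 60-100, so the deny actions listed above are added to high-risk events regardless of each signature's own action list. The sensor prompt name and the rating ranges are assumptions; the deny action only has an effect when the sensor is deployed inline.

```cisco
! Added example, not page code. Sensor name and rating ranges are assumed.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-eve)# overrides deny-packet-inline
sensor(config-eve-ove)# override-item-status enabled
sensor(config-eve-ove)# risk-rating-range 90-100
sensor(config-eve-ove)# exit
sensor(config-eve)# overrides produce-alert
sensor(config-eve-ove)# override-item-status enabled
sensor(config-eve-ove)# risk-rating-range 60-100
sensor(config-eve-ove)# exit
sensor(config-eve)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
! Check that high-severity alerts are now being written to the Event Store
sensor# show events alert high
```

The override is evaluated by the Signature Event Action processor after the signature fires; a promiscuous sensor will still record the alert but cannot drop the packet, so the inline-only deny actions are a no-op there.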