
Implementing Secure Converged Wide Area Networks (ISCW)

Module 6: Cisco IOS Threat Defense Features. Lesson 6.2: Implementing Cisco IOS Firewalls. Objective: describe the steps needed to configure a network firewall using Cisco IOS.


Presentation Transcript


  1. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features

  2. Module 6: Cisco IOS Threat Defense Features Lesson 6.2: Implementing Cisco IOS Firewalls

  3. Objectives
  • Describe the steps needed to configure a network firewall using Cisco IOS.
  • Explain how to determine which interfaces should be configured with firewall commands.
  • Explain where to place Access Control Lists in order to filter traffic.
  • Describe how to configure inspection rules for application protocols.
  • Describe how to verify and troubleshoot firewall configurations.

  4. Cisco IOS Firewall Configuration Tasks Using the CLI
  • Pick an interface: internal or external.
  • Configure IP ACLs at the interface.
  • Define inspection rules.
  • Apply inspection rules and ACLs to interfaces.
  • Test and verify.

  5. Configuring an External Interface
  [Figure: Simple Topology — Configuring an External Interface. The internal network connects through interface Serial 1 to the external network (Internet); traffic exiting and traffic entering are marked on the external interface.]

  6. Configuring an Internal Interface
  [Figure: Simple Topology — Configuring an Internal Interface. Interface Ethernet 0 faces the internal network; a DMZ holding a web server and a DNS server is marked "access allowed"; the external network (Internet) is on the far side, with traffic exiting and traffic entering marked.]

  7. Access Control Lists Filter Traffic
  [Figure: Host A (marked with an X) and Host B, the Human Resources network and the Research and Development network; the ACL decides which host may reach which network.]

  8. IP ACL Configuration Guidelines

  9. Set Audit Trails and Alerts
  Router(config)# ip inspect audit-trail
  • Enables the delivery of audit trail messages using syslog
  Router(config)# no ip inspect alert-off
  • Enables real-time alerts
    Router(config)#logging on
    Router(config)#logging host 10.0.0.3
    Router(config)#ip inspect audit-trail
    Router(config)#no ip inspect alert-off

  10. Define Inspection Rules for Application Protocols
  Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
  • Defines the application protocols to inspect
  • The named rule is later applied to an interface.
  • Available protocols are tcp, udp, icmp, smtp, esmtp, cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, and so on.
  • Alert, audit-trail, and timeout are configurable per protocol and override the global settings.
    Router(config)#ip inspect name FWRULE smtp alert on audit-trail on timeout 300
    Router(config)#ip inspect name FWRULE ftp alert on audit-trail on timeout 300

  11. ip inspect name Parameters

  12. Inspection Rules for Application Protocols
  • Example 1: Users on access list 10 are allowed to download Java applets:
    ip inspect name PERMIT_JAVA http java-list 10
    access-list 10 permit 144.224.10.0 0.0.0.255
    access-list 10 deny any
  • Example 2: Telling Cisco IOS Firewall what to inspect:
    ip inspect name in2out rcmd
    ip inspect name in2out ftp
    ip inspect name in2out tftp
    ip inspect name in2out tcp timeout 43200
    ip inspect name in2out http
    ip inspect name in2out udp

  13. ip inspect Parameters and Guidelines
  Router(config-if)# ip inspect inspection-name {in | out}
  • Applies the named inspection rule to an interface
  • On the interface where traffic initiates:
    • Apply an ACL on the inward direction that permits only wanted traffic.
    • Apply the inspection rule on the inward direction so that the wanted traffic is inspected.
  • On all other interfaces, apply an ACL on the inward direction that denies all unwanted traffic.

  14. Example: Two-Interface Firewall
    ip inspect name OUTBOUND tcp
    ip inspect name OUTBOUND udp
    ip inspect name OUTBOUND icmp
    !
    interface FastEthernet0/0
     ip access-group OUTSIDEACL in
    !
    interface FastEthernet0/1
     ip inspect OUTBOUND in
     ip access-group INSIDEACL in
    !
    ip access-list extended OUTSIDEACL
     permit icmp any any packet-too-big
     deny ip any any log
    !
    ip access-list extended INSIDEACL
     permit tcp any any
     permit udp any any
     permit icmp any any

  15. Example: Three-Interface Firewall
    interface FastEthernet0/0
     ip inspect OUTSIDE in
     ip access-group OUTSIDEACL in
    !
    interface FastEthernet0/1
     ip inspect INSIDE in
     ip access-group INSIDEACL in
    !
    interface FastEthernet0/2
     ip access-group DMZACL in
    !
    ip inspect name INSIDE tcp
    ip inspect name OUTSIDE tcp
    !
    ip access-list extended OUTSIDEACL
     permit tcp any host 200.1.2.1 eq 25
     permit tcp any host 200.1.2.2 eq 80
     permit icmp any any packet-too-big
     deny ip any any log
    !
    ip access-list extended INSIDEACL
     permit tcp any any eq 80
     permit icmp any any packet-too-big
     deny ip any any log
    !
    ip access-list extended DMZACL
     permit icmp any any packet-too-big
     deny ip any any log
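The placement guidelines on slide 13 (inbound ACL plus inbound inspection on the interface where traffic initiates, an inbound ACL on every other interface) are easy to violate when a configuration is edited by hand. The following Python script is an added example, not part of the course material or of Cisco IOS: it parses a running-config excerpt in the shape of slides 14 and 15 and reports interfaces that apply an undefined inspection rule or ACL, interfaces with no inbound ACL, defined-but-unused rules, and named ACLs that do not end with an explicit logged deny. The sample configuration is constructed from the three-interface slide with one deliberate defect on FastEthernet0/2 so the checker has something to report.

```python
import re
from collections import defaultdict

# Constructed sample: the three-interface example from the slide, with one
# defect introduced on purpose (FastEthernet0/2 applies an undefined rule DMZ
# inbound and has no inbound ACL) so the checker has something to report.
SAMPLE_CONFIG = """\
ip inspect name INSIDE tcp
ip inspect name OUTSIDE tcp
!
interface FastEthernet0/0
 ip inspect OUTSIDE in
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect INSIDE in
 ip access-group INSIDEACL in
!
interface FastEthernet0/2
 ip inspect DMZ in
!
ip access-list extended OUTSIDEACL
 permit tcp any host 200.1.2.1 eq 25
 permit tcp any host 200.1.2.2 eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log
"""


def parse_config(text):
    """Pull inspection rules, named ACLs and per-interface bindings out of a
    running-config excerpt. Top-level commands start in column 0; the lines
    that belong to an 'interface' or 'ip access-list' stanza are indented."""
    rules = defaultdict(list)   # rule name -> protocols it inspects
    acls = {}                   # ACL name -> list of ACE lines, in order
    interfaces = {}             # interface -> {"inspect": {dir: rule}, "acl": {dir: acl}}
    section = None              # ("interface", name) | ("acl", name) | None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            section = None
            continue
        line = raw.strip()
        if not raw[0].isspace():            # a new top-level command
            section = None
            if m := re.match(r"ip inspect name (\S+) (\S+)", line):
                rules[m.group(1)].append(m.group(2))
            elif m := re.match(r"interface (\S+)", line):
                section = ("interface", m.group(1))
                interfaces[m.group(1)] = {"inspect": {}, "acl": {}}
            elif m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
                section = ("acl", m.group(1))
                acls[m.group(1)] = []
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "interface":
            if m := re.match(r"ip inspect (\S+) (in|out)$", line):
                interfaces[name]["inspect"][m.group(2)] = m.group(1)
            elif m := re.match(r"ip access-group (\S+) (in|out)$", line):
                interfaces[name]["acl"][m.group(2)] = m.group(1)
        else:
            acls[name].append(line)
    return rules, acls, interfaces


def check_firewall(text):
    """Return a list of findings (one string each). An empty list means the
    excerpt follows the placement guidelines from the slides."""
    rules, acls, interfaces = parse_config(text)
    findings = []
    used_rules = set()
    for intf, cfg in sorted(interfaces.items()):
        for direction, rule in cfg["inspect"].items():
            used_rules.add(rule)
            if rule not in rules:
                findings.append(f"{intf}: inspection rule {rule} applied {direction} but never defined")
        for direction, acl in cfg["acl"].items():
            if acl not in acls:
                findings.append(f"{intf}: access list {acl} applied {direction} but never defined")
        if "in" not in cfg["acl"]:
            findings.append(f"{intf}: no inbound ACL (every interface should filter inbound)")
    for rule in sorted(set(rules) - used_rules):
        findings.append(f"inspection rule {rule} is defined but not applied to any interface")
    for name, aces in sorted(acls.items()):
        # The implicit deny at the end of an ACL is silent; the slides end every
        # ACL with an explicit 'deny ip any any log' so drops reach syslog.
        if not aces or not aces[-1].startswith("deny ip any any log"):
            findings.append(f"ACL {name}: no explicit 'deny ip any any log' at the end")
    return findings


if __name__ == "__main__":
    for finding in check_firewall(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` saved to a file; the parser only looks at the stanzas the slides use, so other configuration is ignored rather than misread. Replacing the defective stanza with `ip access-group DMZACL in` and defining DMZACL as on the slide brings the findings list to empty.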

  16. Verifying Cisco IOS Firewall
  Router# show ip inspect name inspection-name
  Router# show ip inspect config
  Router# show ip inspect interfaces
  Router# show ip inspect session [detail]
  Router# show ip inspect statistics
  Router# show ip inspect all
  • Displays inspections, interface configurations, sessions, and statistics
    Router#show ip inspect session
    Established Sessions
     Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
     Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
     Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
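The session table above is what operators usually poll to confirm that inspection is opening the expected return paths. The following Python snippet is an added example, not from the course or from Cisco: it parses `show ip inspect session` output of the shape shown on the slide into records, counts sessions per initiating host, and lists sessions whose protocol and responder port fall outside the set the inspection policy was written for. The sample output is constructed from the three session lines on the slide; the expected-port set passed to `sessions_outside_policy` is an assumption the caller supplies.

```python
import re
from collections import Counter

# Constructed sample: the 'show ip inspect session' output from the slide.
SAMPLE_OUTPUT = """\
Router#show ip inspect session
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
"""

# One session line: id, initiator (src:sport) => responder (dst:dport), protocol, state.
SESSION_RE = re.compile(
    r"Session (?P<sid>[0-9A-Fa-f]+) "
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\) "
    r"(?P<proto>\S+) (?P<state>\S+)"
)


def parse_sessions(text):
    """Turn every 'Session ...' line into a dict; the prompt and heading lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        s = m.groupdict()
        s["sport"] = int(s["sport"])
        s["dport"] = int(s["dport"])
        sessions.append(s)
    return sessions


def sessions_per_initiator(sessions):
    """How many inspected sessions each inside host currently holds."""
    return Counter(s["src"] for s in sessions)


def sessions_outside_policy(sessions, expected):
    """Sessions whose (protocol, responder port) is not in the set the
    inspection rule was written for; 'expected' is supplied by the operator."""
    return [s for s in sessions if (s["proto"], s["dport"]) not in expected]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    print(sessions_per_initiator(sessions))
    # Assumed policy: the inside rule was meant for web traffic only.
    for s in sessions_outside_policy(sessions, {("tcp", 80), ("tcp", 443)}):
        print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} {s['proto']} {s['state']}")
```

Run it against output captured over SSH or from a syslog-fed collector; a session list that grows without bound for one initiator, or sessions to ports the policy never intended, is worth correlating with the audit-trail messages enabled on slide 9.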

  17. Troubleshooting Cisco IOS Firewall
  Router# debug ip inspect function-trace
  Router# debug ip inspect object-creation
  Router# debug ip inspect object-deletion
  Router# debug ip inspect events
  Router# debug ip inspect timers
  Router# debug ip inspect detail
  • General debug commands
  Router# debug ip inspect protocol
  • Protocol-specific debug

  18. Summary
  • The main feature of the Cisco IOS Firewall has always been its stateful inspection.
  • An ACL can allow one host to access a part of your network and prevent another host from accessing the same area.
  • Use access lists in "firewall" routers that you position between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network.
  • An inspection rule should specify each desired application layer protocol that the Cisco IOS Firewall will inspect, as well as generic TCP, UDP, or Internet Control Message Protocol (ICMP), if desired.
  • Use the ip inspect name command in global configuration mode to define a set of inspection rules.

  19. Q and A

  20. Resources
  • Cisco IOS Firewall Introduction
    http://cisco.com/en/US/partner/products/sw/secursw/ps1018/index.html
  • Cisco IOS Firewall Support
    http://cisco.com/en/US/partner/products/sw/secursw/ps1018/tsd_products_support_series_home.html
  • Cisco IOS Firewall Design Guides
    http://cisco.com/en/US/partner/products/sw/secursw/ps1018/products_implementation_design_guides_list.html
