CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] نسخه متنی

Using the Cisco IOS Firewall Router in Small Networks

This section details the implementation and configuration of the Cisco IOS Firewall router in the small network standalone model. The Cisco IOS Firewall router provides all of the required functionality in a single device, including a stateful firewall, IDS services, filtering, and WAN connectivity.

This section highlights the security aspects of the Cisco IOS Firewall configuration and does not include general router configuration nor WAN connectivity details. Details on the configuration changes of this router in a branch scenario are discussed in subsequent sections of the chapter. The primary features and configuration examples that are presented in this section cover the following:

• Cisco IOS Firewall configuration

• IDS configuration

• VPN configuration

• Internal traffic filtering

• Public services traffic filtering

• Public traffic filtering

Cisco IOS Firewall Implementation

The implementation of the Cisco IOS stateful firewall is implemented as follows:

ip inspect name IN_FW tcp
ip inspect name IN_FW udp
ip inspect name IN_FW ftp
ip inspect name IN_FW smtp
ip inspect name IN_FW sqlnet
ip inspect name IN_FW realaudio
ip inspect name IN_FW h323

ip inspect name OUT_FW tcp
ip inspect name OUT_FW udp
ip inspect name OUT_FW ftp
ip inspect name OUT_FW h323

The IN_FW inspection rule set is applied to the inside interface of the router by using the command ip inspect IN_FW in. The OUT _FW inspection rule set is applied to the outside interface of the router by using the command ip inspect OUT_FW in.

IDS Implementation

The implementation of basic Cisco IOS IDS services and reporting to the syslog server is achieved in the Cisco IOS Firewall router by following these steps:

ip audit notify log
ip audit po max-events 100
ip audit name IDS info action alarm
ip audit name IDS attack action alarm drop reset

VPN Implementation

The implementation of VPN connectivity in the small network to remote branches is achieved by following these steps:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key crypto-key address peer-address

crypto ipsec transform-set transform-set-name esp-3des esp-sha-hmac

crypto map crypto-map-name 10 ipsec-isakmp
set peer peer-IP-address
set transform-set transform-set-name
match address 110

access-list 110 permit traffic-to-be-encrypted

crypto map crypto-map-name

Internal Traffic Filtering

By using an inbound ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the command ip access-group 120 in. You should consider using the following common access list definitions.

Allow ssh management access to the public services network devices:

access-list 120 permit tcp host management-host-IP host 
PS-device-IP eq 22

Allow internal user access to the public services, such as web and FTP services:

access-list 120 permit tcp internal-network host 
public-server-IP eq http
access-list 120 permit tcp internal-network host 
public-server-IP eq ftp

Allow the internal mail server to communicate with the public mail server:

access-list 120 permit tcp host internal-mail-server-IP host 
public-mail-server-IP eq smtp

Allow the internal Domain Name System (DNS) server to communicate with the public DNS server:

access-list 120 permit udp host internal-DNS-IP host 
public-DNS-IP eq domain

Allow outbound Internet Control Message Protocol (ICMP) traffic:

access-list 120 permit icmp any any

Deny all other access to the public services segment:

access-list 120 deny ip any public-services-network

Allow the router to synchronize time:

access-list 120 permit udp host time-server-IP host
 router-inside-IP eq ntp

Allow management access to the router:

access-list 120 permit tcp management-server-IP host 
router-inside-IP eq 22

Block access to the outside interface of the router:

access-list 120 deny ip internal-network host
 outside-router-IP

Permit all other traffic to the outside:

access-list 120 permit ip any any

Block and log any other traffic:

access-list 120 deny ip any any log

Public Services Traffic Filtering

By using an inbound ACL, you can filter traffic that is entering from the public services interface. This filtering is applied to the public services interface by using the command ip access-group 130 in. You should consider using the following common ACL definitions.

Allow mail services between the public and internal mail servers:

access-list 130 permit tcp host public-mail-server-IP host
 internal-mail-server-IP eq smtp

Allow HIDS traffic from the public server to the management server:

access-list 130 permit tcp host public-server-IP host 
management-server-IP eq 5000

Allow any network device that is on the public services segment to synchronize time with the router:

access-list 130 permit udp host PS-network-device-IP host
 internal-time-server-IP eq ntp

Allow management traffic to flow from public services segment network devices:

access-list 130 permit ip host PS-network-device-IP host
 management-server-IP

Deny all other connections to the internal network from the public services segment:

access-list 130 deny ip any internal-network

Allow all mail and DNS traffic that originates from the public services server:

access-list 130 permit tcp host public-server-IP any eq smtp
access-list 130 permit udp host public-server-IP any eq domain

Block all other traffic and log it:

access-list 130 deny ip any any log

Public Traffic Filtering

You can use an inbound ACL to filter traffic that is entering from the public (Internet) interface. This filtering is applied to the public interfaceby using the command ip access-group 140 in. You should consider the following common ACL definitions.

If required, allow traffic from remotes sites:

access-list 140 permit ip remote-site-A-network internal-network
access-list 140 permit ip remote-site-B-network internal-network

Apply RFC 1918 filtering. If RFC 1918 addresses are used remotely, these rules require modification accordingly.

access-list 140 deny ip 10.0.0.0 0.255.255.255 any
access-list 140 deny ip 172.16.0.0 0.15.255.255 any
access-list 140 deny ip 192.168.0.0 0.0.255.255 any

If required, allow IPSec traffic from the remote sites to terminate on the router:

access-list 140 permit udp host remote-peer-IP host
 router-outside-IP eq isakmp
access-list 140 permit esp host remote-peer-IP host
 router-outside-IP

NOTE

In earlier implementations of IPSec and Cisco IOS Firewall, it may be necessary to add an additional entry to the preceding ACL to identify the actual traffic that needs to be encrypted through the VPN on top of those already defined.

If required, allow management traffic from the remote sites. This can be either a global statement, as shown in the subsequent command, or made more specific by electing to specify services.

access-list 140 permit ip host remote-router-IP host
 management-server-IP

Allow access to the services that are available on the public services segment via the public NAT address:

access-list 140 permit tcp any host public-NAT-IP
 eq ftp
access-list 140 permit tcp any host public-NAT-IP
 eq www
access-list 140 permit tcp any host public-NAT-IP 
eq smtp
access-list 140 permit tcp any host public-NAT-IP 
eq 443
access-list 140 permit udp any host public-NAT-IP 
eq domain

Deny all other traffic and log it:

access-list 140 deny ip any any log

In the next section, you look at the implementation requirements that need to be applied when a PIX Firewall is used in the small network.