Network Security Fundamentals [Electronic resources] - text version

Gert De Laet, Gert Schauwers

Case Study


This case study covers methods for protecting the various routers when a telecommuter connects to a branch office. Figure 8-5 is the global setup of Company XYZ, which is used in all case studies throughout this book. Figure 8-6 shows the part of the company that is configured in this example. The site security policy of this company allows users to access the mail and web services in the branch office. Traffic from the telecommuter, except for mail and web services, is blocked at the outside interface. Specific Internet Control Message Protocol (ICMP) control message traffic is permitted through the firewall.

Figure 8-5. CBAC XYZ Topology


Figure 8-6. Telecommuter to Branch Office


The first important step in this configuration is basic router security. Example 8-11 shows the commands needed for configuring a new router.

Example 8-11. Example of Commands Needed for New Router Configuration


Br_Office(config)#service password-encryption
Br_Office(config)#enable secret 5 $1$HOIZ$YAIIAwsD8Vo7rXAIUMf6D/
Br_Office(config)#no ip domain-lookup
Br_Office(config)#no cdp run
Br_Office(config)#line con 0
Br_Office(config-line)# exec-timeout 2 0
Br_Office(config-line)# password 7 060506324F41
Br_Office(config-line)# login
Br_Office(config-line)#line aux 0
Br_Office(config-line)# exec-timeout 2 0
Br_Office(config-line)# password 7 110A1016141D
Br_Office(config-line)# login
Br_Office(config-line)#line vty 0 4
Br_Office(config-line)# exec-timeout 2 0
Br_Office(config-line)# password 7 110A1016141D
Br_Office(config-line)# login
Br_Office(config-line)#end

The following are configuration changes made to secure the router:

  • Configure an enable secret. Type 5 (enable secret 5) stores a salted MD5 hash of the secret rather than a recoverable string.

  • Set a password for all lines (Con, Aux, VTY) and require login on each of them.

  • Turn on service password-encryption so that the line passwords are not stored in clear text in the configuration file. This is obfuscation only: the resulting type 7 strings are a fixed-key XOR and are trivially reversible by anyone who obtains the configuration, so the configuration file itself still has to be protected as a secret.

  • Set the exec-timeout for all lines to 2 minutes (exec-timeout 2 0 is minutes followed by seconds). After 2 minutes of inactivity, the session is terminated.

  • Configure no ip domain-lookup so that the router does not try to resolve every mistyped command as a host name through DNS, and no cdp run to disable CDP, which would otherwise advertise the platform, software version and addresses to directly connected neighbors.
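As an added check for the checklist above (example code written for this page, not from the book or from Cisco): a script that audits a running-config for those items and decodes any type 7 strings, to show why service password-encryption is only obfuscation. It assumes the configuration is in show running-config form with sub-commands indented by one space, and it uses the fixed XOR key that IOS applies to type 7 passwords; the two sample configurations are constructed from Example 8-11 (the second one deliberately weakened), and the function names are the script's own.

```python
"""Added example (not from the book): audit an IOS running-config against the
hardening checklist above and decode any type 7 line passwords, to show that
service password-encryption is obfuscation rather than encryption.

Assumptions: the config is in 'show running-config' form (sub-commands
indented by one space); TYPE7_KEY is the fixed XOR key IOS uses for type 7
strings.  Both sample configs are constructed from Example 8-11 on this page,
the second one deliberately weakened.
"""
import re

# Fixed key that IOS XORs type 7 password bytes against.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)")

SAMPLE_CONFIG = """\
service password-encryption
hostname Br_Office
enable secret 5 $1$HOIZ$YAIIAwsD8Vo7rXAIUMf6D/
no ip domain-lookup
no cdp run
line con 0
 exec-timeout 2 0
 password 7 060506324F41
 login
line aux 0
 exec-timeout 2 0
 password 7 110A1016141D
 login
line vty 0 4
 exec-timeout 2 0
 password 7 110A1016141D
 login
"""

# Constructed weak variant: no enable secret, CDP and DNS lookup left on,
# no idle timeout on the console, timeout disabled and no login on the VTYs.
WEAK_CONFIG = """\
hostname Br_Office
enable password 7 060506324F41
line con 0
 password 7 060506324F41
 login
line vty 0 4
 exec-timeout 0 0
 password 7 110A1016141D
"""


def decode_type7(encoded: str) -> str:
    """Type 7 layout: two decimal digits giving the key offset, then one hex
    byte per password character, each XORed with the key byte at offset+i."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(body))


def parse_sections(config: str):
    """Split a config into the ordered list of global commands and a dict of
    'line ...' sections, each mapped to its list of sub-commands."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if raw.startswith(" "):          # sub-command of the current section
            if current is not None:
                sections[current].append(cmd)
            continue
        if cmd.startswith("line "):
            current = cmd
            sections[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit_config(config: str) -> dict:
    """Evaluate the checklist; empty lists mean nothing was found wrong."""
    global_cmds, sections = parse_sections(config)
    result = {
        "enable_secret": any(g.startswith("enable secret") for g in global_cmds),
        "password_encryption": "service password-encryption" in global_cmds,
        "no_domain_lookup": "no ip domain-lookup" in global_cmds,
        "no_cdp": "no cdp run" in global_cmds,
        "lines_missing_timeout": [],
        "lines_missing_login": [],
        "type7_passwords": [],           # (where, decoded) pairs
    }
    for g in global_cmds:
        m = TYPE7_RE.search(g)
        if m:
            result["type7_passwords"].append(("global", decode_type7(m.group(1))))
    for name, cmds in sections.items():
        timeouts = [c for c in cmds if c.startswith("exec-timeout")]
        # 'exec-timeout 0 0' (or 'exec-timeout 0') disables the idle timeout.
        disabled = timeouts and all(p == "0" for p in timeouts[-1].split()[1:])
        if not timeouts or disabled:
            result["lines_missing_timeout"].append(name)
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            result["lines_missing_login"].append(name)
        for c in cmds:
            m = TYPE7_RE.search(c)
            if m:
                result["type7_passwords"].append((name, decode_type7(m.group(1))))
    return result
```

Run against the line section of Example 8-11, all three type 7 strings decode to the same five-character password, which is the practical point of the caveat above: a leaked configuration file hands over the line passwords directly, whereas the enable secret would still have to be brute-forced.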


After that you have to create some CBAC inspection rules:


ip inspect name BLOCK tcp
ip inspect name BLOCK ftp
ip inspect name BLOCK smtp
ip inspect name BLOCK h323
ip inspect name ALLOW smtp

The inspection rule named BLOCK inspects generic TCP sessions and, at the application layer, FTP, SMTP, and H.323; FTP and H.323 need application inspection because they negotiate additional channels that a generic TCP entry cannot anticipate. The second rule, ALLOW, inspects only SMTP. Note that neither rule lists udp, so CBAC opens return paths only for the TCP-based protocols named here.

Access list 101 permits mail and web traffic from any host to the specified server. It denies all other IP protocol traffic except some specific ICMP control traffic. Example 8-12 should make that procedure clear.

Example 8-12. Example of Access List Permission


access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 packet-too-big
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 traceroute
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 unreachable
access-list 101 permit tcp any host 192.168.1.20 eq smtp
access-list 101 permit tcp any host 192.168.1.20 eq www

The first line in the access list denies packets with a source address of 255.255.255.255, which helps prevent broadcast-based attacks. The second line adds antispoofing protection by denying any packet arriving from the serial side whose source address claims to be on the inside Ethernet network (192.168.1.0/24). The next five lines of the same access list permit specific ICMP types: echo-reply from anywhere, and time-exceeded, packet-too-big, traceroute, and unreachable toward the inside network, which is enough for ping and traceroute from the inside and for Path MTU discovery, while inbound echo requests are not permitted. The last two lines permit mail (SMTP, TCP port 25) and web (HTTP, TCP port 80) access to the server 192.168.1.20 only. Everything else is dropped by the implicit deny at the end of every IOS access list. After that, you must assign the CBAC inspection rules and the access list to an interface. In the example, this is the serial interface on the Br_Office router.


interface Serial0/0
ip address 168.17.40.10 255.255.255.0
ip access-group 101 in
ip inspect ALLOW in
ip inspect BLOCK out
!

The access list is applied inbound, meaning that it filters traffic arriving on Serial0/0 from the telecommuter. BLOCK inspection is applied outbound, so sessions initiated from the branch LAN toward the telecommuter are recorded and their return traffic is let through access list 101 by temporary entries that CBAC adds ahead of the static lines. ALLOW is applied inbound so that the SMTP sessions the access list permits are inspected as well; since no access list is applied outbound on Serial0/0, that inbound inspection does not open any return path that was not already open, and its value here is the check CBAC performs on the SMTP command stream. Following is the whole configuration file for the Branch Office router:
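To make the combined effect of access list 101 (inbound on Serial0/0) and the BLOCK inspection rule (outbound on Serial0/0) concrete, here is an added model written for this page; it is example code, not the book's or Cisco's. It parses the page's own access list lines, treats CBAC as a table of inspected sessions whose reverse direction is consulted before the static lines, and evaluates constructed packets from the telecommuter address 168.17.40.100 taken from the frame-relay map. The Packet class, the CbacSerialInterface class and the simplification that inspection only tracks 5-tuples (no protocol-specific checks) are assumptions of the example.

```python
"""Added example (not from the book): how access list 101 (inbound on
Serial0/0) and BLOCK inspection (outbound on Serial0/0) combine for packets
arriving from the telecommuter.  Assumptions: only the ACL syntax on this
page is parsed (any, host, network+wildcard, 'eq' port, ICMP type keyword);
CBAC is modelled as remembering the 5-tuple of each inspected session that
leaves Serial0/0 and admitting the reverse direction ahead of the static
ACL, with no protocol-specific checks.  Packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "telnet": 23, "domain": 53}

# Access list 101 exactly as it appears on this page.
ACL_101 = """\
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 packet-too-big
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 traceroute
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 unreachable
access-list 101 permit tcp any host 192.168.1.20 eq smtp
access-list 101 permit tcp any host 192.168.1.20 eq www
"""


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # TCP/UDP ports; unused for ICMP
    dport: int = 0
    icmp_type: str = ""   # ICMP type keyword as IOS spells it, e.g. "echo-reply"


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A wildcard); return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    # ipaddress accepts a wildcard (host) mask such as 0.0.0.255 after the slash.
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")


def parse_acl(text):
    """Turn 'access-list N permit|deny proto src dst [eq port | icmp-type]'
    lines into (permit, proto, src_net, dst_net, dport, icmp_type), in order."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        permit, proto, rest = t[2] == "permit", t[3], t[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = icmp_type = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        elif rest and proto == "icmp":
            icmp_type = rest[0]
        rules.append((permit, proto, src, dst, dport, icmp_type))
    return rules


def acl_decision(rules, pkt):
    """First matching line wins; an IOS access list ends with an implicit deny."""
    for permit, proto, src, dst, dport, icmp_type in rules:
        if proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if icmp_type is not None and pkt.icmp_type != icmp_type:
            continue
        return permit
    return False


class CbacSerialInterface:
    """Serial0/0 as configured on this page: ACL 101 inbound, BLOCK inspect
    outbound (generic tcp plus ftp/smtp/h323, all of which ride on TCP)."""

    def __init__(self, acl_text=ACL_101, inspected=("tcp",)):
        self.rules = parse_acl(acl_text)
        self.inspected = set(inspected)
        self.sessions = set()   # 5-tuples of inspected sessions that left the interface

    def send_out(self, pkt):
        """LAN -> telecommuter. No outbound ACL is applied, so it always passes;
        if the protocol is inspected, CBAC remembers the session."""
        if pkt.proto in self.inspected:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def receive_in(self, pkt):
        """Telecommuter -> LAN. Dynamic CBAC openings are consulted before the
        static lines of ACL 101."""
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        return acl_decision(self.rules, pkt)


if __name__ == "__main__":
    fw = CbacSerialInterface()
    t = "168.17.40.100"    # telecommuter address from the page's frame-relay map
    print(fw.receive_in(Packet("tcp", t, "192.168.1.20", 1025, 25)))  # True
    print(fw.receive_in(Packet("tcp", t, "192.168.1.20", 1026, 23)))  # False
```

The interesting cases are the ones the static list alone cannot express: a reply from the telecommuter to a web session a branch host opened is dropped until that session has been seen leaving Serial0/0, and a UDP reply is dropped even then, because BLOCK does not inspect udp and access list 101 permits no UDP.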


Br_Office#sh run
Building configuration...
Current configuration : 1951 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Br_Office
!
logging queue-limit 100
enable secret 5 $1$HOIZ$YAIIAwsD8Vo7rXAIUMf6D/
!
memory-size iomem 10
ip subnet-zero
!
!
no ip domain-lookup
!
ip inspect name BLOCK tcp
ip inspect name BLOCK ftp
ip inspect name BLOCK smtp
ip inspect name BLOCK h323
ip inspect name ALLOW smtp
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial0/0
ip address 168.17.40.10 255.255.255.0
ip access-group 101 in
ip inspect ALLOW in
ip inspect BLOCK out
encapsulation frame-relay
frame-relay map ip 168.17.40.100 605 broadcast
no frame-relay inverse-arp
!
interface TokenRing0/0
no ip address
shutdown
ring-speed 16
!
interface Serial0/1
no ip address
shutdown
!
interface FastEthernet1/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
interface ATM3/0
no ip address
shutdown
no atm ilmi-keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip http server
!
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 packet-too-big
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 traceroute
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 unreachable
access-list 101 permit tcp any host 192.168.1.20 eq smtp
access-list 101 permit tcp any host 192.168.1.20 eq www
no cdp run
!
!
voice-port 2/0/0
!
voice-port 2/0/1
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 2 0
password 7 060506324F41
login
line aux 0
exec-timeout 2 0
password 7 110A1016141D
login
line vty 0 4
exec-timeout 2 0
password 7 110A1016141D
login
!
end

