CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources]


  • Using the Cisco IOS Firewall Router in Small Networks

    This section details the implementation and configuration of the Cisco IOS Firewall router in the small network standalone model. The Cisco IOS Firewall router provides all of the required functionality in a single device, including a stateful firewall, IDS services, filtering, and WAN connectivity.

    This section highlights the security aspects of the Cisco IOS Firewall configuration and does not include general router configuration nor WAN connectivity details. Details on the configuration changes of this router in a branch scenario are discussed in subsequent sections of the chapter. The primary features and configuration examples that are presented in this section cover the following:

    • Cisco IOS Firewall configuration

    • IDS configuration

    • VPN configuration

    • Internal traffic filtering

    • Public services traffic filtering

    • Public traffic filtering

    Cisco IOS Firewall Implementation

    The Cisco IOS stateful firewall is implemented as follows:

    Step 1.

    Because the router is configured with a public services segment or demilitarized zone (DMZ), two separate sets of firewall inspection rules need to be configured. The first set is configured for traffic from the inside of the firewall that is destined for the Internet or the DMZ. The second set is set up for traffic from the Internet that is destined for the DMZ only.

    The following commands configure the router's firewall inspection rules for transmissions from inside the firewall to the Internet or DMZ:

    ip inspect name IN_FW tcp
    ip inspect name IN_FW udp
    ip inspect name IN_FW ftp
    ip inspect name IN_FW smtp
    ip inspect name IN_FW sqlnet
    ip inspect name IN_FW realaudio
    ip inspect name IN_FW h323
    

    The following commands configure the router's firewall inspection rules for Internet-to-DMZ transmissions:

    ip inspect name OUT_FW tcp
    ip inspect name OUT_FW udp
    ip inspect name OUT_FW ftp
    ip inspect name OUT_FW h323
    

    NOTE

    Not all of the available firewall inspection rules are shown in the previous examples. Inspection rules can be amended as required.

    Step 2.

    These two rule sets are then applied to their respective interfaces where they inspect the traffic that is transiting those interfaces.

    The IN_FW inspection rule set is applied to the inside interface of the router by using the command ip inspect IN_FW in. The OUT_FW inspection rule set is applied to the outside interface of the router by using the command ip inspect OUT_FW in.

    IDS Implementation

    The implementation of basic Cisco IOS IDS services and reporting to the syslog server is achieved in the Cisco IOS Firewall router by following these steps:

    Step 1.

    Define the IDS rules:

    ip audit notify log
    ip audit po max-events 100
    ip audit name IDS info action alarm
    ip audit name IDS attack action alarm drop reset
    

    Step 2.

    Apply the IDS rules to each interface that requires monitoring by using the command ip audit IDS in.

    VPN Implementation

    The implementation of VPN connectivity in the small network to remote branches is achieved by following these steps:

    Step 1.

    Define the cryptographic policy and preshared key that are required for the connection:

    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 5
    crypto isakmp key crypto-key address peer-address
    

    Step 2.

    Define the cryptographic transform set that is to be used for the VPN connection:

    crypto ipsec transform-set transform-set-name esp-3des esp-sha-hmac
    

    Step 3.

    Define the crypto map:

    crypto map crypto-map-name 10 ipsec-isakmp
    set peer peer-IP-address
    set transform-set transform-set-name
    match address 110
    

    Step 4.

    Define the traffic that is to be encrypted by using an ACL. This can be for both user and management traffic:

    access-list 110 permit traffic-to-be-encrypted
    

    Step 5.

    Assign the crypto map to the outside interface:

    crypto map crypto-map-name
    

    Internal Traffic Filtering

    By using an inbound ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the command ip access-group 120 in. You should consider using the following common access list definitions.

    Allow ssh management access to the public services network devices:

    access-list 120 permit tcp host management-host-IP host PS-device-IP eq 22
    

    Allow internal user access to the public services, such as web and FTP services:

    access-list 120 permit tcp internal-network host public-server-IP eq http
    access-list 120 permit tcp internal-network host public-server-IP eq ftp
    

    Allow the internal mail server to communicate with the public mail server:

    access-list 120 permit tcp host internal-mail-server-IP host public-mail-server-IP eq smtp
    

    Allow the internal Domain Name System (DNS) server to communicate with the public DNS server:

    access-list 120 permit udp host internal-DNS-IP host public-DNS-IP eq domain
    

    Allow outbound Internet Control Message Protocol (ICMP) traffic:

    access-list 120 permit icmp any any
    

    Deny all other access to the public services segment:

    access-list 120 deny ip any public-services-network
    

    Allow the router to synchronize time:

    access-list 120 permit udp host time-server-IP host router-inside-IP eq ntp
    

    Allow management access to the router:

    access-list 120 permit tcp host management-server-IP host router-inside-IP eq 22
    

    Block access to the outside interface of the router:

    access-list 120 deny ip internal-network host outside-router-IP
    

    Permit all other traffic to the outside:

    access-list 120 permit ip any any
    

    Block and log any other traffic:

    access-list 120 deny ip any any log
    

    Public Services Traffic Filtering

    By using an inbound ACL, you can filter traffic that is entering from the public services interface. This filtering is applied to the public services interface by using the command ip access-group 130 in. You should consider using the following common ACL definitions.

    Allow mail services between the public and internal mail servers:

    access-list 130 permit tcp host public-mail-server-IP host internal-mail-server-IP eq smtp
    

    Allow HIDS traffic from the public server to the management server:

    access-list 130 permit tcp host public-server-IP host management-server-IP eq 5000
    

    Allow any network device that is on the public services segment to synchronize time with the router:

    access-list 130 permit udp host PS-network-device-IP host internal-time-server-IP eq ntp
    

    Allow management traffic to flow from public services segment network devices:

    access-list 130 permit ip host PS-network-device-IP host management-server-IP
    

    Deny all other connections to the internal network from the public services segment:

    access-list 130 deny ip any internal-network
    

    Allow all mail and DNS traffic that originates from the public services server:

    access-list 130 permit tcp host public-server-IP any eq smtp
    access-list 130 permit udp host public-server-IP any eq domain
    

    Block all other traffic and log it:

    access-list 130 deny ip any any log
    

    Public Traffic Filtering

    You can use an inbound ACL to filter traffic that is entering from the public (Internet) interface. This filtering is applied to the public interface by using the command ip access-group 140 in. You should consider the following common ACL definitions.

    If required, allow traffic from remote sites:

    access-list 140 permit ip remote-site-A-network internal-network
    access-list 140 permit ip remote-site-B-network internal-network
    

    Apply RFC 1918 filtering. If RFC 1918 addresses are used remotely, these rules require modification accordingly.

    access-list 140 deny ip 10.0.0.0 0.255.255.255 any
    access-list 140 deny ip 172.16.0.0 0.15.255.255 any
    access-list 140 deny ip 192.168.0.0 0.0.255.255 any
    

    If required, allow IPSec traffic from the remote sites to terminate on the router:

    access-list 140 permit udp host remote-peer-IP host router-outside-IP eq isakmp
    access-list 140 permit esp host remote-peer-IP host router-outside-IP
    

    NOTE

    In earlier implementations of IPSec and Cisco IOS Firewall, it may be necessary to add an additional entry to the preceding ACL to identify the actual traffic that needs to be encrypted through the VPN on top of those already defined.

    If required, allow management traffic from the remote sites. This can be either a global statement, as shown in the subsequent command, or made more specific by electing to specify services.

    access-list 140 permit ip host remote-router-IP host management-server-IP
    

    Allow access to the services that are available on the public services segment via the public NAT address:

    access-list 140 permit tcp any host public-NAT-IP eq ftp
    access-list 140 permit tcp any host public-NAT-IP eq www
    access-list 140 permit tcp any host public-NAT-IP eq smtp
    access-list 140 permit tcp any host public-NAT-IP eq 443
    access-list 140 permit udp any host public-NAT-IP eq domain
    

    Deny all other traffic and log it:

    access-list 140 deny ip any any log
    
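    The three filtering ACLs (120, 130 and 140) are evaluated top down, the first matching line wins, and an implicit deny follows the last line, so entry order decides what reaches the router and the segments behind it. The following Python model is added here and is not part of the original text: it encodes ACL 140 with constructed addresses standing in for the page's placeholders (ROUTER_OUT, NAT_IP and PEER are assumptions) and shows why the RFC 1918 denies must sit above the public service permits.

```python
import ipaddress

# IOS wildcard-mask match: a 0 bit in the wildcard means "this bit must match".
def wc_match(addr, net, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

ANY = ("0.0.0.0", "255.255.255.255")        # "any"
def host(ip): return (ip, "0.0.0.0")         # "host x.x.x.x"

# Entry layout: (action, protocol, src (net, wildcard), dst (net, wildcard), dst_port)
def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation of a numbered extended ACL; returns 'permit' or 'deny'."""
    for action, p, s, d, port in acl:
        if p not in ("ip", proto):           # 'ip' matches every protocol
            continue
        if not wc_match(src, *s) or not wc_match(dst, *d):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"                            # implicit deny at the end of every IOS ACL

# Constructed addresses (assumptions) in place of the page's placeholders.
ROUTER_OUT = "203.0.113.1"                   # router-outside-IP
NAT_IP = "203.0.113.10"                      # public-NAT-IP
PEER = "198.51.100.5"                        # remote-peer-IP

# ACL 140 as defined on this page, RFC 1918 filtering first.
ACL_140 = [
    ("deny",   "ip",  ("10.0.0.0", "0.255.255.255"),   ANY, None),
    ("deny",   "ip",  ("172.16.0.0", "0.15.255.255"),  ANY, None),
    ("deny",   "ip",  ("192.168.0.0", "0.0.255.255"),  ANY, None),
    ("permit", "udp", host(PEER), host(ROUTER_OUT), 500),   # eq isakmp
    ("permit", "esp", host(PEER), host(ROUTER_OUT), None),
    ("permit", "tcp", ANY, host(NAT_IP), 21),                # eq ftp
    ("permit", "tcp", ANY, host(NAT_IP), 80),                # eq www
    ("permit", "tcp", ANY, host(NAT_IP), 25),                # eq smtp
    ("permit", "tcp", ANY, host(NAT_IP), 443),
    ("permit", "udp", ANY, host(NAT_IP), 53),                # eq domain
    ("deny",   "ip",  ANY, ANY, None),                       # explicit deny (logged on the router)
]

def misordered_acl_140():
    """Same entries with the RFC 1918 denies moved below the service permits."""
    return ACL_140[3:10] + ACL_140[0:3] + ACL_140[10:]
```

    Feeding the evaluator the ACL 120 or 130 entries in the same tuple form lets you check, for example, that the "deny ip any public-services-network" line is reached before "permit ip any any".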

    In the next section, you look at the implementation requirements that need to be applied when a PIX Firewall is used in the small network.