Advanced Cisco IOS Security Features (2012 San Diego)


This session mainly covers design and deployment of the Zone-based Policy Firewall (from the foundations to advanced policy construction) and identity-based features (Downloadable ACLs, User-based Zone Firewall and the brand new SGT Firewall). Throughout the session, typical troubleshooting tools are used extensively to provide insight into feature operation and interactions, establishing the link between theory and practice. The session also discusses IOS advanced filtering resources such as specialized ACLs and Flexible Packet Matching, and presents the IPv6 security features already available on IOS. It is targeted at network security specialists who want to learn about important security features of the Cisco IOS router platform, and at network engineers who need a better understanding of the firewall and identity functionality available on IOS routers. Note that this breakout does not cover VPN, L2 security, IOS IPS or IOS hardening techniques.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4375

Presentation Transcript

• Advanced Cisco IOS Security Features, BRKSEC-3007. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public.

• About the Speaker: Alexandre M. S. P. Moraes
  - Joined Cisco as a Systems Engineer in 1998, mainly supporting large Public Sector and Enterprise accounts in Brazil
  - Coordinator of the Cisco Security team in Brazil for 3 years
  - Graduated in Electronic Engineering
  - Areas of interest: Security/VPN, Routing/Campus design, MPLS network design, IP Multicast
  - Author of the book "Cisco Firewalls: Concepts, Design and Deployment for Cisco Stateful Solutions" (Cisco Press, 2011)
  - Blog: http://alexandremspmoraes.wordpress.com
  - CCIE #6063 (Routing/Switching, Security, Service Provider)

• Housekeeping
  - We value your feedback: don't forget to complete your online session evaluations after each session, and the Overall Conference Evaluation, which will be available online from Thursday
  - Visit the World of Solutions and Meet the Engineer
  - Visit the Cisco Store to purchase your recommended readings
  - Please switch off your mobile phones
  - After the event don't forget to visit Cisco Live Virtual: www.ciscolivevirtual.com

• Agenda
  - Introduction
  - Zone-based Policy Firewall: Basic Concepts
  - Zone-based Policy Firewall in action
  - User-based Firewall features on Cisco IOS
  - Additional Layers of Security: Advanced Filtering Resources
  - IPv6 Security Features on IOS
  - Key Takeaways
  Warning: this session does not cover subjects such as IOS VPNs or L2 Security.

• Introduction

• Cisco ISRs provide lots of integrated services, but what about security?
  - Cisco Integrated Services Routers provide many services: Routing, Switching, WLAN, UC, Multicast, multiple backup options...
  - Security Connectivity: FlexVPN and GET VPN to fit your connectivity needs
  - Data Plane Security, at appropriate performance levels: Cisco Zone-Based Firewall, identity-based services for the branch, stateless filtering, content scanning with ScanSafe, infrastructure protection
  (Figure: private corporate office, WAN/Internet and branch office connected by ISRs.)

• Basic questions to be answered
  - Can a router behave as a true stateful firewall?
  - Are there any other features that complement stateful inspection?
  - Is my ISR identity-aware?
  - Are the ISR security features IPv6 ready?

• Zone-based Policy Firewall: Basic Concepts

• Zone-based Policy Firewall (ZFW)
  - Zone: a set of interfaces that share a certain "trust level"
  - A philosophy change: firewall policies now define rules between zones (and not between interfaces)
  - ZFW policies are unidirectional: source >> destination
  (Figure: ZFW1 with four interfaces; the clients sit in zone TRUSTED, the Internet and a server in zone UNTRUSTED, and the OUTBOUND zone-policy is applied from TRUSTED to UNTRUSTED.)

• ZFW: easier to implement default-deny behavior
  Interfaces assigned to zones but no zone-pair definition:
    %FW-6-DROP_PKT: Dropping icmp session 172.18.1.10:0 172.18.2.20:0 due to No zone-pair between zones with ip ident 0
  Source interface not assigned to a zone:
    %FW-6-DROP_PKT: Dropping icmp session 172.17.3.10:0 172.18.1.10:0 due to One of the interfaces not being cfged for zoning with ip ident 0
  Destination interface not assigned to a zone:
    %FW-6-DROP_PKT: Dropping icmp session 172.18.2.20:0 172.17.4.10:0 due to policy match failure with ip ident 0

• ZFW: policy building blocks
  Zones and zone membership (Int 1 in Z1, Int 2 in Z2):
    zone security Z1
    zone security Z2
    Int 1: zone-member security Z1
    Int 2: zone-member security Z2
  Class-map (what to match):
    class-map type inspect { match-all | match-any } CLASS1
     a) match protocol { tcp | udp | icmp }
     b) match access-group { name ACL-NAME | ACL-NUM } [...]
     c) match class-map CLASS-MAP_NAME
  Policy-map (what to do with each class):
    policy-map type inspect BASIC1
     class type inspect CLASS1
      { inspect | pass | police | drop }
     class type inspect CLASS-N
      { inspect | pass | police | drop }
     class class-default
      { inspect | pass | drop }
  Zone-pair (where the policy applies, Z1 -> Z2):
    zone-pair security Z1-Z2 source Z1 destination Z2
     service-policy type inspect BASIC1

• Cisco Security Manager and ZFW (screenshot of the Zone-based Firewall Rules view)

• Zone-based Policy Firewall in action

• Zone-based Policy Firewall: parameter-maps
    ZFW1# show parameter-map type inspect default
     audit-trail off
     alert on
     max-incomplete low 2147483647
     max-incomplete high 2147483647
     one-minute low 2147483647
     one-minute high 2147483647
     udp idle-time 30
     icmp idle-time 10
     dns-timeout 5
     tcp idle-time 3600
     tcp finwait-time 5
     tcp synwait-time 30
     tcp max-incomplete host 4294967295 block-time 0
     sessions maximum 2147483647
  Connection logging (audit-trail) is turned off by default. The parameter-map TRACKING used throughout this session turns it on, and the global parameter-map logs dropped packets:
    parameter-map type inspect TRACKING
     audit-trail on
    parameter-map type inspect global
     log dropped-packets enable
  Good practice: capitalize the names you assign to policy building blocks; search within the CLI is case-sensitive.

• Inspecting outbound traffic (L4 only)
  Topology: host .10 on 172.18.1.0/24 - F1 (.4, zone INSIDE) ZFW1 F0 (.4, zone OUTSIDE) - host .20 on 172.18.2.0/24. Zone policy OUTBOUND1.
    class-map type inspect match-any TOP-CLASS1
     match protocol udp
     match protocol tcp
    policy-map type inspect POLICY1
     class type inspect TOP-CLASS1
      inspect TRACKING
     class class-default
      drop log
    zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
     service-policy type inspect POLICY1

• Inspecting outbound traffic (L4 only): verifying the configuration
    ZFW1# show policy-firewall config zone-pair
    Zone-pair : OUTBOUND1
     Source Zone : INSIDE
     Destination Zone : OUTSIDE
     Service-policy inspect : POLICY1
      Class-map : TOP-CLASS1(match-any)
       Match protocol udp
       Match protocol tcp
       Action : inspect
       Parameter-map : TRACKING
      Class-map : class-default(match-any)
       Match any
       Action : drop log
       Parameter-map : Default

    ZFW1# show zone security
    zone self
     Description: System defined zone
    zone INSIDE
     Member Interfaces:
      FastEthernet1
    zone OUTSIDE
     Member Interfaces:
      FastEthernet0

• Inspecting outbound traffic (L4 only): connection setup
    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:TOP-CLASS1): Start tcp session: initiator (172.18.1.10:22374) -- responder (172.18.2.20:23)

    ZFW1# show policy-firewall session
    Established Sessions = 1
     Session 498723C0 (172.18.1.10:22374)=>(172.18.2.20:23) tcp SIS_OPEN/TCP_ESTAB
      Created 00:00:19, Last heard 00:00:12
      Bytes sent (initiator:responder) [48:95]

    %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:TOP-CLASS1):Stop tcp session: initiator (172.18.1.10:22374) sent 54 bytes -- responder (172.18.2.20:23) sent 107 bytes

• Inspecting outbound traffic (L4 only): blocked attempts
  Outbound connection attempt (ICMP blocked by class "class-default"):
    %FW-6-DROP_PKT: Dropping icmp session 172.18.1.10:0 172.18.2.20:0 on zone-pair OUTBOUND1 class class-default due to DROP action found in policy-map with ip ident 0
  Inbound connection attempt (no zone-pair defined):
    %FW-6-DROP_PKT: Dropping icmp session 172.18.2.20:0 172.18.1.10:0 due to policy match failure with ip ident 0
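The audit-trail and drop messages above are what a SecOps team ends up shipping to a SIEM, and the "due to" text is the fastest pointer to a zoning mistake versus a policy decision. As an added example for this page (not part of the original deck), the following Python parses the three record types shown on these slides into dictionaries and summarises drops per source and reason; the regular expressions and function names are mine, and the sample lines are copied from the slides.

```python
"""Parser for the ZFW syslog records shown on these slides (%FW-6-SESS_AUDIT_TRAIL_START,
%FW-6-SESS_AUDIT_TRAIL and %FW-6-DROP_PKT). Added example for this page, not Cisco code:
it turns the free-text records into dicts a SIEM rule can key on and summarises drops by
source and reason. The sample lines below are copied from the slides; the message formats
are assumed to be stable across the IOS releases the talk covers."""
import re
from collections import Counter

ENDPOINT = r"\((?P<{n}_ip>[\d.]+):(?P<{n}_port>\d+)\)"
START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: \(target:class\)[- ]\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\):\s*"
    r"Start (?P<proto>\S+)(?: (?P<app>\S+))? session: initiator " + ENDPOINT.format(n="init")
    + r" -- responder " + ENDPOINT.format(n="resp"))
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: \(target:class\)[- ]\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\):\s*"
    r"Stop (?P<proto>\S+) session: initiator " + ENDPOINT.format(n="init")
    + r" sent (?P<init_bytes>\d+) bytes -- responder " + ENDPOINT.format(n="resp")
    + r" sent (?P<resp_bytes>\d+) bytes")
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session (?P<init_ip>[\d.]+):(?P<init_port>\d+) "
    r"(?P<resp_ip>[\d.]+):(?P<resp_port>\d+)(?: on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+))?"
    r" due to (?P<reason>.+?) with ip ident (?P<ip_ident>\d+)")


def parse_line(line):
    """Return a dict with an 'event' key (start/stop/drop) or None for unrelated lines."""
    for event, rx in (("start", START_RE), ("stop", STOP_RE), ("drop", DROP_RE)):
        m = rx.search(line)
        if m:
            rec = {"event": event, **m.groupdict()}
            for k in ("init_port", "resp_port", "init_bytes", "resp_bytes", "ip_ident"):
                if rec.get(k) is not None:
                    rec[k] = int(rec[k])
            return rec
    return None


def summarise_drops(lines):
    """Count dropped flows per (initiator, reason). 'No zone-pair' and 'not being cfged for
    zoning' point at a zoning mistake; 'DROP action found in policy-map' at the policy itself."""
    return Counter((r["init_ip"], r["reason"])
                   for r in map(parse_line, lines) if r and r["event"] == "drop")


def session_bytes(lines):
    """Byte counts from Stop records: {(init_ip, init_port, resp_ip, resp_port): (sent, received)}."""
    out = {}
    for r in filter(None, map(parse_line, lines)):
        if r["event"] == "stop":
            out[(r["init_ip"], r["init_port"], r["resp_ip"], r["resp_port"])] = (r["init_bytes"], r["resp_bytes"])
    return out


# Constructed input for this example: records copied from the slides.
SAMPLE = [
    "%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:TOP-CLASS1): Start tcp session: initiator (172.18.1.10:22374) -- responder (172.18.2.20:23)",
    "%FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:TOP-CLASS1):Stop tcp session: initiator (172.18.1.10:22374) sent 54 bytes -- responder (172.18.2.20:23) sent 107 bytes",
    "%FW-6-SESS_AUDIT_TRAIL_START: (target:class) (OUTBOUND2:JOINT1): Start udp NTP session: initiator (172.18.1.10:123) -- responder (172.18.2.20:123)",
    "%FW-6-DROP_PKT: Dropping icmp session 172.18.1.10:0 172.18.2.20:0 on zone-pair OUTBOUND1 class class-default due to DROP action found in policy-map with ip ident 0",
    "%FW-6-DROP_PKT: Dropping icmp session 172.18.2.20:0 172.18.1.10:0 due to policy match failure with ip ident 0",
    "%FW-6-DROP_PKT: Dropping icmp session 172.17.3.10:0 172.18.1.10:0 due to One of the interfaces not being cfged for zoning with ip ident 0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
    print(summarise_drops(SAMPLE))
    print(session_bytes(SAMPLE))
```

The `app` field is only present when the L4 record carries an application name (the "udp NTP" and "tcp Telnet" forms on the next slides); L7 records such as `Start ftp-data session` come through with `proto` set to the L7 name, so a rule that keys on `proto` should expect both.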
• ZFW: preparing for an L3 + L4 policy
  Topology: zone INSIDE is 172.18.1.0/24 (host .10, F1 = .4); zone OUTSIDE contains 172.18.2.0/24 (host .20, F0 = .4) and 172.22.0.0/16.
  Network objects:
    object-group network INSIDE1
     172.18.1.0 255.255.255.0
    object-group network OUT1
     172.22.0.0 255.255.0.0
    object-group network OUT2
     host 172.18.2.20
  Service objects:
    object-group service SVCS1
     tcp eq telnet
     tcp eq www
    object-group service SVCS2
     udp eq ntp
  Sample ACL that uses object-groups:
    ip access-list extended ACL1
     permit object-group SVCS1 object-group INSIDE1 object-group OUT1
     permit object-group SVCS2 object-group INSIDE1 object-group OUT2

• ZFW: L3 + L4 policy (no more interface ACLs)
  Zone policy OUTBOUND2 (same topology as the previous slide). The match-all class JOINT1 requires both the L4 class TOP-CLASS1 and the L3 ACL1 to match:
    class-map type inspect match-all JOINT1
     match class-map TOP-CLASS1
     match access-group name ACL1
    policy-map type inspect POLICY2
     class type inspect JOINT1
      inspect TRACKING
     class class-default
      drop log
    zone-pair security OUTBOUND2 source INSIDE destination OUTSIDE
     service-policy type inspect POLICY2
    !
    ip access-list extended ACL1
     permit object-group SVCS1 object-group INSIDE1 object-group OUT1
     permit object-group SVCS2 object-group INSIDE1 object-group OUT2

• ZFW: implementing the L3 + L4 policy
  Examples of allowed traffic:
    %FW-6-SESS_AUDIT_TRAIL_START: (target:class) (OUTBOUND2:JOINT1): Start udp NTP session: initiator (172.18.1.10:123) -- responder (172.18.2.20:123)
    %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND2:JOINT1): Start tcp Telnet session: initiator (172.18.1.10:31793) -- responder (172.22.22.22:23)
  Examples of blocked traffic due to L3 restrictions (NTP to a host that is not OUT2, Telnet to a host that is not in OUT1):
    FIREWALL*: NEW PAK 48EE1EE4 (0:172.18.1.10:123) (0:172.22.22.22:123) udp
    FIREWALL*: DROP feature object 0xAAAA0028 found
    %FW-6-DROP_PKT: Dropping udp session 172.18.1.10:123 172.22.22.22:123 on zone-pair OUTBOUND2 class class-default due to DROP action found in policy-map with ip ident 0
    FIREWALL: ret_val 0 is not PASS_PAK

    FIREWALL*: NEW PAK 48EE1EE4 (0:172.18.1.10:12803) (0:172.18.2.20:23) tcp
    FIREWALL*: DROP feature object 0xAAAA0028 found
    %FW-6-DROP_PKT: Dropping tcp session 172.18.1.10:12803 172.18.2.20:23 on zone-pair OUTBOUND2 class class-default due to DROP action found in policy-map with ip ident 0
    FIREWALL: ret_val 0 is not PASS_PAK
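The zoning rules and policy semantics on the preceding slides can be checked against a small model before touching a router. The following Python is an added example written for this page, not Cisco code: it implements the ZFW decision logic as the deck describes it (zone membership, unidirectional zone-pairs, match-any/match-all class-maps nesting other class-maps and ACLs, default-deny without a zone-pair, the "self" zone that stays open until a policy names it, and the 12.x versus 15.x intrazone default covered later in the deck) and rebuilds the OUTBOUND2 policy so the allowed and blocked flows above can be reproduced. `ZFW`, `Packet`, `decide()` and `build_outbound2()` are my names; the port-map handling is a simplification of `ip port-map`.

```python
"""Toy model of the decision a Cisco IOS Zone-based Policy Firewall (ZFW) makes for the
first packet of a flow. Added example written for this page, not Cisco code. It encodes
the rules the slides state: interfaces grouped in zones, unidirectional zone-pairs,
match-any/match-all class-maps nesting other class-maps and ACLs, default-deny when no
zone-pair exists, the "self" zone that is open until a policy names it, and the 12.x
versus 15.x intrazone default. ZFW, Packet, decide() and build_outbound2() are my names."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

L4 = {"tcp", "udp", "icmp"}
Packet = namedtuple("Packet", "src dst proto dport in_if out_if")  # proto tcp|udp|icmp, dport 0 for icmp


@dataclass
class ZFW:
    ios_major: int = 15
    zone_of: dict = field(default_factory=dict)     # interface -> zone name
    router_addrs: set = field(default_factory=set)  # the router's own addresses (zone self)
    acls: dict = field(default_factory=dict)        # name -> [(proto, src_net, dst_net, dport|None)]
    class_maps: dict = field(default_factory=dict)  # name -> (mode, [(kind, value), ...])
    policies: dict = field(default_factory=dict)    # name -> ([(class, action), ...], default action)
    zone_pairs: dict = field(default_factory=dict)  # (src zone, dst zone) -> policy name
    port_map: dict = field(default_factory=lambda: {"http": ("tcp", {80}), "ftp": ("tcp", {21})})

    def add_zone_pair(self, src, dst, policy):
        if src == dst and self.ios_major < 15:  # the 12.x parser error quoted on the slide
            raise ValueError("% Same zone cannot be defined as both the source and destination")
        self.zone_pairs[(src, dst)] = policy

    def _acl_permits(self, name, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        for proto, s, d, dport in self.acls[name]:
            if (proto in ("ip", p.proto) and src in ipaddress.ip_network(s)
                    and dst in ipaddress.ip_network(d) and dport in (None, p.dport)):
                return True
        return False  # implicit deny at the end of every ACL

    def _class_matches(self, name, p):
        mode, criteria = self.class_maps[name]
        hits = []
        for kind, value in criteria:
            if kind == "protocol" and value in L4:
                hits.append(p.proto == value)
            elif kind == "protocol":        # L7 name resolved through the port-map ('ip port-map')
                l4, ports = self.port_map[value]
                hits.append(p.proto == l4 and p.dport in ports)
            elif kind == "access-group":
                hits.append(self._acl_permits(value, p))
            elif kind == "class-map":       # nesting, as in 'match class-map TOP-CLASS1'
                hits.append(self._class_matches(value, p))
            else:
                raise ValueError(f"unknown match kind {kind}")
        return any(hits) if mode == "match-any" else all(hits)

    def _zone(self, addr, iface):
        return "self" if addr in self.router_addrs else self.zone_of.get(iface)

    def decide(self, p):
        """Return (action, reason) for a new flow; action is inspect, pass or drop."""
        sz, dz = self._zone(p.src, p.in_if), self._zone(p.dst, p.out_if)
        policy = self.zone_pairs.get((sz, dz))
        if policy is None:
            if "self" in (sz, dz):
                return "pass", "router traffic allowed by default (no zone-pair involving self)"
            if sz is None and dz is None:
                return "pass", "neither interface belongs to a zone"
            if sz is None or dz is None:
                return "drop", "one of the interfaces not configured for zoning"
            if sz == dz and self.ios_major < 15:
                return "pass", "intrazone traffic passes uninspected (12.x default)"
            if sz == dz:
                return "drop", "intrazone traffic blocked by default (15.x)"
            return "drop", "no zone-pair between zones"
        classes, default_action = self.policies[policy]
        for cname, action in classes:   # first matching class wins, then class-default
            if self._class_matches(cname, p):
                return action, f"{policy}:{cname}"
        return default_action, f"{policy}:class-default"


def build_outbound2(ios_major=15):
    """The slides' L3+L4 outbound policy: zone-pair OUTBOUND2 (INSIDE -> OUTSIDE), POLICY2."""
    fw = ZFW(ios_major=ios_major, zone_of={"F1": "INSIDE", "F0": "OUTSIDE"},
             router_addrs={"172.18.1.4", "172.18.2.4"})
    fw.acls["ACL1"] = [("tcp", "172.18.1.0/24", "172.22.0.0/16", 23),   # SVCS1 to OUT1
                       ("tcp", "172.18.1.0/24", "172.22.0.0/16", 80),
                       ("udp", "172.18.1.0/24", "172.18.2.20/32", 123)]  # SVCS2 to OUT2
    fw.class_maps["TOP-CLASS1"] = ("match-any", [("protocol", "udp"), ("protocol", "tcp")])
    fw.class_maps["JOINT1"] = ("match-all", [("class-map", "TOP-CLASS1"), ("access-group", "ACL1")])
    fw.policies["POLICY2"] = ([("JOINT1", "inspect")], "drop")
    fw.add_zone_pair("INSIDE", "OUTSIDE", "POLICY2")
    return fw


if __name__ == "__main__":
    fw = build_outbound2()
    for pkt in (Packet("172.18.1.10", "172.18.2.20", "udp", 123, "F1", "F0"),
                Packet("172.18.1.10", "172.22.22.22", "udp", 123, "F1", "F0"),
                Packet("172.18.2.20", "172.18.1.10", "icmp", 0, "F0", "F1")):
        print(pkt.src, "->", pkt.dst, pkt.proto, fw.decide(pkt))
```

The model only classifies the first packet of a flow; the return traffic that `inspect` allows through the state table is outside its scope, which is exactly why the inbound ICMP above is dropped while the reply to an inspected outbound session is not.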
    • ZFW, ACLs and NAT Zone INSIDE Local Address Space Global Address Space Zone OUTSIDE NAT F0/0 F0/1.1610 .5 .20 ip nat inside ZFW1 ip nat outside 10.5.5.0/24 172.18.2.0/24 INBOUND2 Zone Policy zone-pair security INBOUND2 source OUTSIDE destination INSIDE service-policy type inspect POLICY2 Real Translated policy-map type inspect POLICY2 class type inspect JOINT2 ip nat inside source static 10.5.5.5 172.18.2.5 inspect TRACKING class class-default drop log class-map type inspect match-any TOP-CLASS2 match protocol tcp class-map type inspect match-all JOINT2 match class-map TOP-CLASS2 ip access-list extended ACL2 match access-group name ACL2 permit ip 172.18.2.0 0.0.0.255 host 10.5.5.5 BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
    • ZFW, ACLs and NAT Zone INSIDE Local Address Space Global Address Space Zone OUTSIDE NAT F0/0 F0/1.1610 .5 .20 ip nat inside .4 ZFW1 .4 ip nat outside 10.5.5.0/24 172.18.2.0/24 %IPNAT-6-CREATED: tcp 10.5.5.5:23 172.18.2.5:23 172.18.2.20:15649 172.18.2.20:15649 FIREWALL* sis 49AD2B40: Session Created FIREWALL* sis 49AD2B40: Pak 49182EC8 Real Address init_addr (172.18.2.20:15649) resp_addr (10.5.5.5:23) Translated Address init_alt_addr (172.18.2.20:15649) resp_alt_addr (172.18.2.5:23) FIREWALL* sis 49AD2B40: FO cls 0x4ACDB960 clsgrp 0x10000000, target 0xA0000010, FO 0x49A56880, alert = 1, audit_trail = 1, L7 = Unknown-l7, PAMID = 2 %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INBOUND2:JOINT2): Start tcp session: initiator (172.18.2.20:15649) -- responder (10.5.5.5:23) Real Address ZFW1# show policy-firewall session Real Address Established Sessions = 1 Session 49AD2B40 (172.18.2.20:15649)=>(10.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB Created 00:00:45, Last heard 00:00:40 Bytes sent (initiator:responder) [48:101]BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
    • ZFW: Transparent Mode Operation F0/0 F0/1.1610 .1 .2 R1 ZFW1 R2 bridge-group1 bridge-group1 10.5.5.0/24 OUTBOUND1 Zone OUTSIDE Zone INSIDE Zone Policy zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE service-policy type inspect POLICY1 policy-map type inspect POLICY1 class type inspect BASIC1 class-map type inspect match-any BASIC1 inspect TRACKING match protocol udp class class-default match protocol icmp match protocol tcp drop log %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:BASIC1): Start tcp session: initiator (10.5.5.1:56643) -- responder (10.5.5.2:23) ZFW1# show policy-firewall session Established Sessions = 1 Session 49AD3240 (10.5.5.1:56643)=>(10.5.5.2:23) tcp SIS_OPEN/TCP_ESTAB Created 00:00:25, Last heard 00:00:13 Bytes sent (initiator:responder) [48:95]BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
    • ZFW: Use Case for Transparent Mode SMTP HTTPS WIRELESS AP WLAN Client .101 .102 Fast1 Fast0 ZFW1 192.168.2.0/24 Zone WIRED Zone WIRELESS INBOUND1 Zone Policy zone-pair security INBOUND1 source WIRELESS destination WIRED service-policy type inspect POLICY1 policy-map type inspect POLICY1 class type inspect JOINT1 inspect TRACKING class class-default class-map type inspect match-any BASIC1 drop log match protocol tcp class-map type inspect match-all JOINT1 ip access-list extended ACL1 match class-map BASIC1 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.101 eq 25 match access-group name ACL1 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.102 eq 443 BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
    • ZFW and L7 Inspection: Use Case 1FTP inspection within NAT environment Local Address Space Global Address Space Client FTP NAT 172.17.11.102 .X Fast1 Fast0 ip nat inside ip nat outside 192.168.2.0/24 ZFW1 Zone INSIDE Zone OUTSIDE OUTBOUND1 Zone Policy zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE service-policy type inspect POLICY1 policy-map type inspect POLICY1 class type inspect L7-CLASS1 class-map type inspect match-any L7-CLASS1 inspect TRACKING match protocol ftp class class-default drop log Real Translated ip nat outside source static 172.17.11.102 192.168.2.102 add-route BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
    • ZFW and L7 Inspection: Use Case 1FTP inspection within NAT environment Local Address Space Global Address Space Client FTP NAT 172.17.11.102 .X Fast1 Fast0 ip nat inside ip nat outside 192.168.2.0/24 ZFW1 Zone INSIDE Zone OUTSIDE OUTBOUND1 Zone Policy FTP Control Session %IPNAT-6-CREATED: tcp 192.168.2.72:36886 192.168.2.72:36886 192.168.2.102:21 172.17.11.102:21 %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:L7-CLASS1): Start ftp session: initiator (192.168.2.72:36886) -- responder (172.17.11.102:21) Sample FTP Data Session %IPNAT-6-CREATED: tcp 192.168.2.72:51974 192.168.2.72:51974 192.168.2.102:20 172.17.11.102:20 %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:L7-CLASS1): Start ftp-data session: initiator (172.17.11.102:20) -- responder (192.168.2.72:51974) %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:L7-CLASS1): Stop ftp-data session: initiator (172.17.11.102:20) sent 350 bytes -- responder (192.168.2.72:51974) sent 0 bytes BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
    • ZFW and L7 Inspection: Use Case 2L7 inspection on non-standard ports HTTP runs on ports 2002- 2003 Fast1 Fast0 .200 .40 ZFW1 192.168.2.0/24 172.17.3.0/24 Zone INSIDE OUTBOUND1 Zone OUTSIDE Zone Policy zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE service-policy type inspect POLICY1 policy-map type inspect POLICY1 class type inspect HTTP-CLASS class-map type inspect match-any HTTP-CLASS inspect TRACKING match protocol http class class-default drop log Inspection of HTTP on non-standard ports access-list 1 permit 172.17.3.40 ip port-map http port tcp from 2002 to 2003 list 1 BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
    • ZFW and L7 Inspection: Use Case 2L7 inspection on non-standard ports HTTP runs on ports 2002- 2003 Fast1 Fast0 .200 .40 ZFW1 192.168.2.0/24 172.17.3.0/24 Zone INSIDE OUTBOUND1 Zone OUTSIDE Zone Policy ZFW1# show ip port-map http Default mapping: http tcp port 80 system defined Host specific: http tcp port 2002-2003 in list 1 user defined FIREWALL* sis 84294160: Session Created FIREWALL* sis 84294160: Pak 83CBFCFC init_addr (192.168.2.200:1065) resp_addr (172.17.3.40:2002) init_alt_addr (192.168.2.200:1065) resp_alt_addr (172.17.3.40:2002) FIREWALL* sis 84294160: FO cls 0x84F8EB80 clsgrp 0x10000000, target 0xA0000000, FO 0x849600E0, alert = 1, audit_trail = 1, L7 = http, PAMID = 5 FIREWALL* sis 84294160: Allocating L7 sis extension L4 = tcp, L7 = http, PAMID = 5 L7 = HTTP %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:HTTP-CLASS): Start http session: initiator (192.168.2.200:1065) -- responder (172.17.3.40:2002) HTTP Session BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
    • ZFW and L7 Inspection: Use Case 3Filtering on HTTP Response Header HTTP Fast1 Fast0 .200 .30 ZFW1 192.168.2.0/24 172.17.3.0/24 Zone INSIDE OUTBOUND1 Zone OUTSIDE Zone Policy zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE service-policy type inspect POLICY1 Top-level policy-map Top-level class-map policy-map type inspect POLICY1 class type inspect HTTP-CLASS class-map type inspect match-any HTTP-CLASS inspect TRACKING match protocol http service-policy http WEB1 class class-default drop log Application-specific policy-map Application-specific class-map policy-map type inspect http WEB1 class-map type inspect http match-any HTTP1 class type inspect http HTTP1 match response header set-cookie reset log BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
    • ZFW and L7 Inspection: Use Case 3Filtering on HTTP Response Header HTTP Fast1 Fast0 .200 .30 ZFW1 192.168.2.0/24 172.17.3.0/24 Zone INSIDE OUTBOUND1 Zone DMZ Zone Policy %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:HTTP-CLASS): Start http session: initiator (192.168.2.200:43005) -- responder (172.17.3.30:80) FIREWALL* sis 84283A40: match-info tocken in cce_sb 849BA240 - class 3221225494; filter 31; val1 0; val2 0; str set-cookie, log on, reset on %APPFW-4-HTTP_HDR_FIELD_REGEX_MATCHED: Header field (set-cookie) matched - resetting session 172.17.3.30:80 192.168.2.200:43005 on zone-pair OUTBOUND1 class HTTP- CLASS appl-class HTTP1 BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
    • Use Case: ZFW and IPSec VPNsInspecting tunneled traffic zone DMZ zone VPN Vlan 10 21 f0 20 ZFW OUT 10.21.21.0/24 10.20.20.0/24 172.16.201.1 172.16.200.1 Classic IPSec Site-to-Site Tunnel VPN-DMZ Zone Policy zone-pair security VPN-DMZ source VPN destination DMZ service-policy type inspect INBOUND1 policy-map type inspect INBOUND1 Protocols allowed inside the tunnel class type inspect OUT1 class-map type inspect match-any APPS1 inspect TRACKING match protocol syslog class class-default match protocol ftp drop log match protocol icmp class-map type inspect match-all OUT1 match class-map APPS1 match access-group 120 access-list 120 permit ip 10.20.20.0 0.0.0.255 10.21.21.0 0.0.0.255 BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
    • ZFW: Inspection of Router TrafficSystem-defined zone “self” includes router addresses Zone self (router addresses) Zone OUTSIDE 172.22.22.0/24 .22 F4.201 F4.200 172.20.20.0/24 172.21.21.0/24 10.10.10.1 ZFW1 172.20.20.1 .2 R1 .2 .21 R2 OUT-SELF Zone Policy zone-pair security OUT-SELF source OUTSIDE destination self service-policy type inspect OUT-FW1 class-map type inspect match-all ICMP1 policy-map type inspect OUT-FW1 match access-group name PING1 class type inspect ICMP1 inspect TRACKING class class-default drop log ip access-list extended PING1 permit icmp object-group OUT1 object-group RTR-ADDR echo object-group network RTR-ADDR host 10.10.10.1 object-group network OUT1 host 172.20.20.1 172.20.20.0 255.255.255.0 BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
    • ZFW: Inspection of Router TrafficSystem-defined zone “self” includes router addresses Zone self (router addresses) Zone OUTSIDE 172.22.22.0/24 .22 F4.201 F4.200 172.20.20.0/24 172.21.21.0/24 10.10.10.1 ZFW1 172.20.20.1 .2 R1 .2 .21 R2 OUT-SELF Zone Policy  The default operation of the ZFW is to allow traffic to and from the router interfaces  Special zone called “self” handles router traffic  Policies that involve the “self” zone are unidirectional in nature ICMP to router address 172.20.20.1 (from a valid source) is permitted %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUT-SELF:ICMP1):Start icmp session: initiator (172.20.20.2:0) -- responder (172.20.20.1:0) ICMP to router address 172.20.20.1 (from a non acceptable source) is dropped %FW-6-DROP_PKT: Dropping icmp session 172.21.21.21:0 172.20.20.1:0 on zone-pair OUT-SELF class class-default due to DROP action found in policy-map with ip ident 0 BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
    • Zone Self: Use Cases  Control the Addresses allowed to manage the ZFW router  Control the acceptable IPSec peers for the ZFW router  Determine the acceptable peers for IPv6 over v4 tunneling  Control the UC elements (Gateways, Gatekeepers, Call Managers) that can exchange signalling with the ZFW routerBRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
    • For YourZFW: Intrazone Policies ReferenceChange in default behavior introduced by IOS 15.X  On IOS 12.X releases, traffic between interfaces belonging to the same zone was allowed to pass without inspection.  On IOS 12.X release it was not possible to define Intrazone ZFW policies: ZFW2(config)# zone-pair sec INTRAZONE2 source INSIDE destination INSIDE % Same zone cannot be defined as both the source and destination  Starting on IOS 15.0(1)M, intrazone traffic is blocked by default  IOS 15.X allows the creation of Intrazone Policies (source and destination of traffic in the same zone) BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
    • ZFW: Sample Intrazone Policy NTP Server .6 Fast1 Fast0 .200 .1 ZFW1 .1 10.10.6.0/24 10.10.10.0/24 INTRAZONE1Zo Zone INSIDE ne Policy zone-pair security INTRAZONE1 source INSIDE destination INSIDE service-policy type inspect POLICY2 policy-map type inspect POLICY2 class type inspect TOP-CLASS2 class-map type inspect match-any TOP-CLASS2 inspect TRACKING match protocol icmp class class-default match protocol udp drop logBRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
    • ZFW: Sample Intrazone Policy NTP Server .6 Fast1 Fast0 .200 .1 ZFW1 .1 10.10.6.0/24 10.10.10.0/24 INTRAZONE1Zo Zone INSIDE ne Policy ZFW1# show zone security INSIDE ZFW1# show zone-pair security zone INSIDE Zone-pair name INTRAZONE1 Member Interfaces: Source-Zone INSIDE Destination-Zone INSIDE FastEthernet0 service-policy POLICY2 FastEthernet1 ZFW1# show policy-firewall session Established Sessions = 1 Session 49CFB240 (10.10.6.6:123)=>(10.10.10.200:123) udp SIS_OPEN Created 00:00:29, Last heard 00:00:29 Bytes sent (initiator:responder) [48:48]BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
    • User-based Firewall Features on Cisco IOS
    • User-based Access Control Who is the user ? What Resource ? SRV1 SRV2 user1 user2 Is there a way to grant access on a per-user basis ? Is it possible to control access to any kind of application ? Is there accounting support ? Is this type of control stateful ?BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
    • Basic Instrumentation for Identity: Auth-Proxy 1 Telnet 172.26.26.26 Auth-proxy SRV1 Prompt End User 2 5 .100 .26 172.16.100.0/24 F1 Gateway F0 172.26.26.0/24 3 CS-ACS Management Network 4 1. User telnets to Server SRV1 2. Auth-Proxy intercepts packet and presents authentication prompt to user 3. ZFW consults RADIUS Server 4. RADIUS Server replies with Authorization Profile (or Access Reject) 5. User allowed to access Destination HostBRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
    • For YourPreparing for Auth-Proxy Reference ! *** Instructing the NAS to receive, send and process RADIUS VSAs radius-server vsa send accounting radius-server vsa send authentication ! *** Defining and using an AAA server-group called "RADIUS1" aaa group server radius RADIUS1 server 192.168.1.200 auth-port 1812 acct-port 1813 server-private 192.168.1.200 auth-port 1812 acct-port 1813 key 7 ##### ! aaa authentication login default group RADIUS1 AAA Server Definitions aaa authorization network default group RADIUS1 aaa authorization auth-proxy default group RADIUS1 aaa accounting auth-proxy default start-stop group RADIUS1 ! *** Defining an ACL to be applied to the same interface as Auth-Proxy access-list 100 permit udp host 192.168.1.200 eq 1812 host 192.168.2.1 access-list 100 permit udp host 192.168.1.200 eq 1813 host 192.168.2.1 access-list 100 permit tcp any 172.26.26.0 0.0.0.255 eq telnet ! *** Defining the Auth-Proxy policy to intercept Telnet traffic ip admission name ADMISSION1 proxy telnet Auth-Proxy Triggering Protocol ! ***Applying the Auth-Proxy policy to interface F1 (Auth-Proxy incoming interface) interface FastEthernet1 ip access-group 100 in Enabling Auth-Proxy ip admission ADMISSION1BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
    • Auth-Proxy in action: Delivering Individual ACEs ACS/Group Settings : GROUP1 [009001] cisco-av-pair priv-lvl=15 proxyacl#1=permit tcp any any eq 22 ACS Definitions proxyacl#2=permit tcp any any eq 23 ! *** Telnet Session is intercepted by Auth-Proxy process (before reaching interface ACL) AUTH-PROXY creates info: cliaddr - 172.16.100.100, cliport - 1562 seraddr - 172.26.26.26, serport - 23 Auth-Proxy Starts ip-srcaddr 172.16.100.100 pak-srcaddr 0.0.0.0 ! *** NAS (IOS-Router) sends request to CS-ACS and receives individual ACEs (proxyacl) RADIUS(0000000C): Send Access-Request to 192.168.1.200:1812 id 1645/12, len 104 RADIUS: authenticator 73 DC D7 7B 91 B4 61 38 - 4E 65 CB A5 B3 4F AD 9D RADIUS: User-Name [1] 7 "user1" User Identification ! […] RADIUS: Received from id 1645/12 192.168.1.200:1812, Access-Accept, len 148 RADIUS: authenticator ED 65 FB F6 64 B9 33 6D - A3 5E B8 5F 14 36 D4 21 RADIUS: Vendor, Cisco [26] 19 RADIUS: Cisco AVpair [1] 13 "priv-lvl=15" RADIUS: Vendor, Cisco [26] 43 RADIUS: Cisco AVpair [1] 37 "proxyacl#1=permit tcp any any eq 22" ACEs Received RADIUS: Vendor, Cisco [26] 43 RADIUS: Cisco AVpair [1] 37 "proxyacl#2=permit tcp any any eq 23" BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
    • Auth-Proxy in action: Delivering Individual ACEs IOS-FW# show ip auth-proxy cache Authentication Proxy Cache Client Name user1, Client IP 172.16.100.100, Port 1562, timeout 60, Time Remaining User-IP Mapping 60, state INTERCEPT ! ! *** Details about the current Auth-Proxy session IOS-FW# show epm session ip 172.16.100.100 Admission feature : Authproxy AAA Policies : Proxy ACL : permit tcp any any eq 22 ACEs assigned to User Proxy ACL : permit tcp any any eq 23 ! *** Viewing Dynamic Entries added to the interface ACL IOS-FW# show access-list 100 Extended IP access list 100 Dynamic Entries on the ACL permit tcp host 172.16.100.100 any eq 22 (18 matches) permit tcp host 172.16.100.100 any eq telnet (70 matches) 10 permit udp host 192.168.1.200 eq 1812 host 192.168.2.1 (1 match) 20 permit udp host 192.168.1.200 eq 1813 host 192.168.2.1 (1 match) 30 permit tcp any 172.26.26.0 0.0.0.255 eq telnet (2 matches) BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
    • Scalabity and ManageabilityAuth-Proxy with Downloadable ACLs ! *** NAS sends Access Request to CS-ACS and receives name of the DACL to be applied RADIUS(00000006): Send Access-Request to 192.168.1.200:1812 id 1645/4, len 104 RADIUS: authenticator 67 06 F7 BB F1 81 BE 96 - 29 2D C9 24 89 00 2B 31 RADIUS: User-Name [1] 7 "user1" User Identification […] RADIUS: Received from id 1645/4 192.168.1.200:1812, Access-Accept, len 124 RADIUS: authenticator 6D 19 94 84 EF C0 28 C3 - EF AB 8E FE 1F E9 7B 28 RADIUS: Vendor, Cisco [26] 19 RADIUS: Cisco AVpair [1] 13 "priv-lvl=15" Name of dACL is received RADIUS: Vendor, Cisco [26] 62 RADIUS: Cisco AVpair [1] 56 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-DACL1-4aac618d" […] ! *** NAS sends second Access Request using DACL name as username (null password) RADIUS(00000000): Send Access-Request to 192.168.1.200:1812 id 1645/5, len 134 RADIUS: authenticator 94 3C 9D F1 C1 93 25 2A - F3 9E DA C9 B0 15 FC B2 RADIUS: NAS-IP-Address [4] 6 172.21.21.1 RADIUS: User-Name [1] 28 "#ACSACL#-IP-DACL1-4aac618d" RADIUS: Vendor, Cisco [26] 32 RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission" dACL used as username RADIUS: Vendor, Cisco [26] 30 RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download" ! ! *** ACS sends second Response containing the individual entries of the Downloadable ACL RADIUS: Received from id 1645/5 192.168.1.200:1812, Access-Accept, len 179 RADIUS: authenticator 69 A2 A7 BB 15 AF 3C EB - A3 D7 12 F0 F5 04 54 F2 RADIUS: Vendor, Cisco [26] 43 RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80" RADIUS: Vendor, Cisco [26] 43 Individual ACEs downloaded RADIUS: Cisco AVpair [1] 37 "ip:inacl#2=permit icmp any any echo" BRKSED-3007 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
    • Scalability and Manageability: Auth-Proxy with Downloadable ACLs
      IOS-FW# show ip auth-proxy cache
      Authentication Proxy Cache
       Client Name user1, Client IP 172.16.100.100, Port 1085, timeout 60, Time Remaining 60, state INTERCEPT   <-- User-IP mapping
      !
      IOS-FW# show epm session ip 172.16.100.100
      Admission feature : Authproxy
      AAA Policies :
      ACS ACL : xACSACLx-IP-DACL1-4aac618d        <-- dACL assigned to user
      !
      ! After Auth-Proxy, "user1" uses the PING and WWW services
      IOS-FW# show access-list
      Extended IP access list 100
          permit tcp host 172.16.100.100 any eq www (12 matches)
          permit icmp host 172.16.100.100 any echo (4 matches)
          10 permit udp host 192.168.1.200 eq 1812 host 192.168.2.1 (2 matches)
          20 permit udp host 192.168.1.200 eq 1813 host 192.168.2.1 (2 matches)
          30 permit tcp any 172.26.26.0 0.0.0.255 eq telnet (31 matches)
      Extended IP access list xACSACLx-IP-DACL1-4aac618d (per-user)      <-- dACL details
          10 permit tcp any any eq www
          20 permit icmp any any echo
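An added example (not from the session and not Cisco code) that walks through the exchange above from the NAS side: it pulls the Cisco AVpairs out of a debug excerpt constructed to mirror the slide, recovers the dACL name carried in the first Access-Accept, orders the ip:inacl#N entries of the second, and rewrites them into the per-user entries that the interface ACL shows (source 'any' replaced by the authenticated client's host address). The debug text, the PORT_NAMES table and all function names are assumptions of the example.

```python
import re

# Constructed excerpt modelled on the RADIUS debug shown on the slides (not a
# capture from the page): the first Access-Accept carries the dACL name, the
# second carries the individual ACEs (deliberately out of order here).
SAMPLE_DEBUG = """
RADIUS: Received from id 1645/4 192.168.1.200:1812, Access-Accept, len 124
RADIUS:  Cisco AVpair       [1]   13  "priv-lvl=15"
RADIUS:  Cisco AVpair       [1]   56  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-DACL1-4aac618d"
RADIUS: Received from id 1645/5 192.168.1.200:1812, Access-Accept, len 179
RADIUS:  Cisco AVpair       [1]   37  "ip:inacl#2=permit icmp any any echo"
RADIUS:  Cisco AVpair       [1]   37  "ip:inacl#1=permit tcp any any eq 80"
"""

AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="
INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")

# Port numbers that IOS renders by name in 'show access-list' (as seen on the slides).
PORT_NAMES = {"80": "www", "23": "telnet"}


def extract_avpairs(debug_text):
    """Return every Cisco AVpair value quoted in a 'debug radius' excerpt, in order."""
    return AVPAIR_RE.findall(debug_text)


def dacl_name(avpairs):
    """Name of the downloadable ACL announced by ACS, or None if no dACL was assigned."""
    for value in avpairs:
        if value.startswith(DACL_PREFIX):
            return value[len(DACL_PREFIX):]
    return None


def parse_inacl(avpairs):
    """Collect the ip:inacl#N entries and order them by N, the order ACS intends."""
    entries = []
    for value in avpairs:
        m = INACL_RE.match(value)
        if m:
            entries.append((int(m.group(1)), m.group(2).strip()))
    return sorted(entries)


def bind_to_client(ace, client_ip):
    """Rewrite 'permit tcp any any eq 80' into the per-user dynamic entry IOS installs
    on the interface ACL: the source 'any' becomes the authenticated client's host."""
    tokens = ace.split()
    if len(tokens) < 4:
        raise ValueError(f"unexpected ACE format: {ace!r}")
    if tokens[2] == "any":
        tokens[2:3] = ["host", client_ip]
    # render well-known ports the way IOS displays them
    for i, tok in enumerate(tokens):
        if tok == "eq" and i + 1 < len(tokens):
            tokens[i + 1] = PORT_NAMES.get(tokens[i + 1], tokens[i + 1])
    return " ".join(tokens)


def build_dynamic_entries(debug_text, client_ip):
    """End to end: from the debug text to the list of dynamic ACEs bound to the client."""
    pairs = extract_avpairs(debug_text)
    return [bind_to_client(ace, client_ip) for _, ace in parse_inacl(pairs)]


if __name__ == "__main__":
    pairs = extract_avpairs(SAMPLE_DEBUG)
    print("dACL name:", dacl_name(pairs))
    for entry in build_dynamic_entries(SAMPLE_DEBUG, "172.16.100.100"):
        print("   ", entry)
```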
    • User-based Zone Firewall
      (Diagram: End User 172.16.100.100 in Zone INSIDE, 172.16.100.0/24, interface F1 -- ZFW1 (Auth-Proxy gateway) -- interface F0, Zone OUTSIDE, 172.26.26.0/24, SRV1 at .26; OUTBOUND1 zone policy; CS-ACS reachable over the Management Network)
      1. User telnets to the server
      2. Auth-Proxy intercepts the packet and a prompt is presented to the user
      3. RADIUS server sends the "supplicant-group" VSA to IOS-FW
      4. User-to-group mapping is created
      5. Zone Policy Firewall policy is built on a per-group basis
    • User-based ZFW: Receiving Group Information
      ACS definitions (Group Settings for ENG):
        [009\001] cisco-av-pair
          priv-lvl=15
          supplicant-group=ENG
      RADIUS: Received from id 1645/21 192.168.1.200:1812, Access-Accept, len 93
      RADIUS:  authenticator 43 A9 2F 23 EC 7F 7B 19 - B5 AF 6D 1B 40 81 85 25
      RADIUS:  Vendor, Cisco       [26]  19
      RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
      RADIUS:  Vendor, Cisco       [26]  31
      RADIUS:   Cisco AVpair       [1]   25  "supplicant-group=ENG"      <-- router receives "supplicant-group"
      ZFW1# show ip auth-proxy cache
      Authentication Proxy Cache
       Client Name user1, Client IP 172.16.100.100, Port 1108, timeout 60, Time Remaining 60, state INTERCEPT
      !
      ZFW1# show epm session ip 172.16.100.100
      Admission feature : Authproxy
      AAA Policies :
      Supplicant-Group : ENG        <-- supplicant-group visibility
      !
      ZFW1# show user-group         <-- local usergroup information
      Usergroup : ENG
      ------------------------------------------------------------------------
      User Name            Type    Interface        Learn    Age (min)
      ------------------------------------------------------------------------
      172.16.100.100       IPv4    FastEthernet1    Dynamic  0
    • User-based ZFW: Leveraging Group Information
      ! * Matching on "user-group"
      class-map type inspect match-all ENG1
       match user-group ENG
       match protocol tcp
      class-map type inspect match-all ENG2
       match user-group ENG
       match protocol icmp
      class-map type inspect match-all MKT1
       match user-group MKT
       match protocol tcp
      !
      policy-map type inspect OUT1
       class type inspect ENG1
        inspect
       class type inspect ENG2
        inspect
        police rate 32000 burst 6000
       class type inspect MKT1
        inspect
       class class-default
        drop log
      !
      ! * Defining zones and zone-pairs
      zone security INSIDE
      zone security OUTSIDE
      !
      zone-pair security OUTBOUND source INSIDE destination OUTSIDE
       service-policy type inspect OUT1
      !
      ! * Defining an Auth-Proxy policy to intercept Telnet traffic
      ip admission name ADMISSION1 proxy telnet inactivity-time 60
      !
      ! * Assigning interfaces to zones and applying the Auth-Proxy policy
      interface FastEthernet1
       ip admission ADMISSION1
       zone-member security INSIDE
      !
      interface FastEthernet0
       zone-member security OUTSIDE
      User-based Firewall renders Auth-Proxy stateful
    • New Development – IP/SGT Mapping on ISR G2
      (Diagram: user attached to the EHWIC-SW embedded switch of ISR-EDGE2 (1), RADIUS exchange with the Identity Services Engine (ISE) (2), SGT returned to the router (3))
      1. Dot1X process used to obtain user credentials on the embedded switch
      2. RADIUS authentication takes place
      3. ISE sends the Security Group Tag (SGT) as a RADIUS Authorization Attribute
      SGT/IP mapping is available on the ISR device, no matter whether user authentication was performed using Dot1X or Auth-Proxy
    • New Development – IP/SGT Mapping on ISR G2
      (Diagram: user 192.168.12.12 behind ISR-EDGE1 (1), RADIUS exchange with the Identity Services Engine (ISE) (2), SGT returned to the router (3))
      1. Auth-Proxy process used to obtain user credentials
      2. RADIUS authentication takes place
      3. ISE sends the Security Group Tag (SGT) as a RADIUS Authorization Attribute
      ISR-EDGE1# show epm session ip 192.168.12.12
      Admission feature: AUTHPROXY
      AAA Policies:
      SGT: 0004-0
    • SXP: SGT Exchange Protocol
      (Diagram: ISR-EDGE1 (SXP Speaker) --SXP--> ISR-CENTRAL (SXP Listener))
      ISR-EDGE1# show cts role-based sgt-map all
      Active IP-SGT Bindings Information
      IP Address      SGT  Source
      ===================================
      172.19.37.1     2    INTERNAL
      172.19.38.1     2    INTERNAL
      192.168.2.25    2    INTERNAL
      192.168.10.2    2    INTERNAL
      192.168.11.1    2    INTERNAL
      192.168.12.1    2    INTERNAL
      192.168.12.12   4    LOCAL
      IP-SGT Active Bindings Summary
      ====================================
      Total number of LOCAL bindings = 1
      Total number of INTERNAL bindings = 6
      Total number of active bindings = 7

      ISR-CENTRAL# show cts role-based sgt-map all
      Active IP-SGT Bindings Information
      IP Address      SGT  Source
      ====================================
      172.19.37.1     2    SXP
      172.19.38.1     2    SXP
      192.168.2.25    2    SXP
      192.168.10.2    2    SXP
      192.168.11.1    2    SXP
      192.168.12.1    2    SXP
      192.168.12.12   4    SXP
      IP-SGT Active Bindings Summary
      ====================================
      Total number of SXP bindings = 7
      Total number of active bindings = 7
    • Building ZFW Policies based on Security Group Tags
      (Diagram: incoming packets (Hdr | Data) from Edge-1, Edge-2 ... Edge-n enter ISR-CENTRAL on F0 (Zone OUTSIDE) and leave on F1 (Zone INSIDE); IP-SGT binding example: IP Address 192.168.1.1, SGT 3)
      class-map type inspect match-any SGT1
       match security-group source tag 3
      class-map type inspect match-any CLASS1
       match protocol http
       match protocol telnet
       match protocol ssh
       match protocol icmp
      class-map type inspect match-all EMPLOYEES
       match class-map CLASS1
       match class-map SGT1
    • Additional Layers of Security: Advanced Filtering Resources
    • Revisiting the IP Header (For Your Reference)
      32 bits per row:
      | Vers (4) | Hlen (4) | TOS (8)      | Total Length (16)                   |
      | Identification (16)               | Flags (3) | Fragment Offset (13)    |
      | TTL (8)  | Protocol (8)           | Header Checksum (16)                |
      | SRC IP Address (32)                                                     |
      | DST IP Address (32)                                                     |
      | (IP Options)                                        | (Pad)             |
      Notes:
      - Vers: version number
      - Hlen: IP header length, measured in 4-byte (32-bit) words
      - Total Length: total IP datagram length, measured in octets (including payload and header)
      - TTL: Time to Live, decremented by 1 unit by each router along the path
      - Protocol: indicates the upper-layer protocol
      - Header Checksum: provides integrity of the IP header
      - Pad: ensures the header length is exactly a multiple of 32 bits
      - Flags field: Rsvd (=0), DF, MF
    • How Fragments are Created (For Your Reference)
      Original datagram: IP Header + 600 bytes of data
      Fragment 1: Header 1 + 160 bytes; Fragment 2: Header 2 + 160 bytes; Fragment 3: Header 3 + 160 bytes; Fragment 4: Header 4 + 120 bytes

      Datagram  Total Length  L3 Data Length  ID Number  Rsvd Bit  DF Bit  MF Bit  Fragment Offset (multiple of 8 bytes)  Flags + Offset
      Original  620           600             0x6E81     0         0       0       0                                      0x0000
      Frag 1    180           160             0x6E81     0         0       1       0                                      0x2000
      Frag 2    180           160             0x6E81     0         0       1       160 = 8 x 20 (0x14)                   0x2014
      Frag 3    180           160             0x6E81     0         0       1       320 = 8 x 40 (0x28)                   0x2028
      Frag 4    140           120             0x6E81     0         0       0       480 = 8 x 60 (0x3C)                   0x003C
    • Examples of Fragmentation-based Attacks (For Your Reference)
      - Tiny Fragment Attack: employs very small TCP packets, crafted so that part of the L4 header (for instance, including the Flags field) travels in the second fragment. With such an approach the attacker hopes that only the first fragment will be examined and the remaining ones will be allowed through.
      - Overlapping Fragments Attack: the offset of a certain fragment overlaps with the offset of another. This attack class may be used either with the intent of causing DoS (such as with the UDP Teardrop exploit) or in an attempt to overwrite the data portion of previous fragments in the chain and circumvent defense systems.
      - Overflowing the Reassembly Buffer: an excessive number of incomplete datagrams in the receiving host waiting for reassembly.
    • Handling IP Fragmentation
      IOS-FW# show access-list 101
      Extended IP access list 101
          10 permit tcp any any fragments (1081 matches)     <-- non-initial fragments
          20 permit tcp any any (1082 matches)
          30 permit udp any any fragments (360 matches)
          40 permit udp any any (361 matches)
          50 permit icmp any any fragments
          60 permit icmp any any
          70 permit ip any any fragments
          80 permit ip any any
      The keyword 'fragments' on IOS ACLs filters non-initial fragments.
      This kind of ACL may be used to provide quick visibility of the types of traffic generating fragments (TCP, UDP, ICMP, etc.).
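The fragment arithmetic of the "How Fragments are Created" table and the 'fragments' keyword of the ACL above, as an added Python example that is not part of the presentation: it splits a 600-byte datagram into the chain the slide tabulates, encodes the Flags/Fragment Offset field as the 16-bit value in the last column, and applies the non-initial test the keyword uses. The 20-byte header and all function names are assumptions of the example.

```python
IP_HDR_LEN = 20   # header length assumed by the slide table (no IP options)
DF_BIT = 0x2      # "Don't Fragment" bit inside the 3-bit Flags field
MF_BIT = 0x1      # "More Fragments" bit inside the 3-bit Flags field


def flags_offset_field(mf, offset_units, df=0):
    """Encode Flags(3) + Fragment Offset(13) as the 16-bit value shown in the slide table."""
    if not 0 <= offset_units <= 0x1FFF:
        raise ValueError("fragment offset does not fit in 13 bits")
    flags = (DF_BIT if df else 0) | (MF_BIT if mf else 0)
    return (flags << 13) | offset_units


def decode_flags_offset(field):
    """Inverse of flags_offset_field: returns (df, mf, offset_units)."""
    flags = field >> 13
    return (flags >> 1) & 1, flags & 1, field & 0x1FFF


def fragment(data_len, max_frag_data, ident):
    """Split a datagram carrying data_len bytes of L3 data into a fragment chain.

    max_frag_data is the largest payload per fragment; it must be a multiple
    of 8 because offsets are carried in 8-byte units.  Returns one dict per
    fragment with the columns of the slide table."""
    if max_frag_data <= 0 or max_frag_data % 8:
        raise ValueError("per-fragment data size must be a positive multiple of 8")
    chain, offset = [], 0
    while True:
        chunk = min(max_frag_data, data_len - offset)
        more = 1 if offset + chunk < data_len else 0
        chain.append({
            "total_length": IP_HDR_LEN + chunk,
            "data_length": chunk,
            "id": ident,
            "df": 0,
            "mf": more,
            "offset_bytes": offset,
            "offset_units": offset // 8,
            "field": flags_offset_field(more, offset // 8),
        })
        offset += chunk
        if not more:
            return chain


def is_non_initial(field):
    """What the ACL keyword 'fragments' selects: any fragment whose offset is not 0.
    The first fragment (offset 0) is not matched, whether or not MF is set."""
    return (field & 0x1FFF) != 0


def format_table(chain):
    """Render the chain in the layout of the slide table."""
    rows = ["Frag  TotLen  Data  ID      DF MF  Offset(bytes)  Field"]
    for n, f in enumerate(chain, 1):
        rows.append(f"{n:<5} {f['total_length']:<7} {f['data_length']:<5} "
                    f"0x{f['id']:04X}  {f['df']}  {f['mf']}   {f['offset_bytes']:<14} "
                    f"0x{f['field']:04X}")
    return "\n".join(rows)


if __name__ == "__main__":
    # the slide's case: 600 bytes of data, 160 bytes of data per fragment, ID 0x6E81
    print(format_table(fragment(600, 160, 0x6E81)))
```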
    • Handling IP Fragmentation: Virtual Fragment Reassembly (VFR)
      interface FastEthernet1
       ip virtual-reassembly max-fragments 5 max-reassemblies 100 timeout 8
      !
      IOS-FW# show ip virtual-reassembly f1
      FastEthernet1:
         Virtual Fragment Reassembly (VFR) is ENABLED...
         Concurrent reassemblies (max-reassemblies): 100
         Fragments per reassembly (max-fragments): 5
         Reassembly timeout (timeout): 8 seconds
         Drop fragments: OFF
         Current reassembly count:100
         Current fragment count:300
         Total reassembly count:0
         Total reassembly timeout count:53

      Fragment table overflow:
      %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet1: the fragment table has reached its maximum threshold 100

      Excess fragments per packet:
      interface FastEthernet1
       ip virtual-reassembly max-fragments 3
      %IP_VFR-4-TOO_MANY_FRAGMENTS: FastEthernet1: Too many fragments per datagram (more than 3) - sent by 172.18.2.122, destined to 172.18.1.30
    • Filtering based on the IP TTL Field
      IOS-FW# show access-list TTL
      Extended IP access list TTL
          10 deny tcp any any ttl lt 30 log (5 matches)       <-- denied due to low TTL
          20 deny udp any any ttl lt 30 log
          30 deny icmp any any ttl lt 30 log
          40 permit tcp any host 172.16.251.251 eq www (2 matches)
          50 permit tcp any host 172.16.251.251 eq 443
      %SEC-6-IPACCESSLOGP: list TTL denied tcp 172.16.250.202(17002) -> 172.16.251.251(80), 1 packet

      IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 source address ipv4 protocol ipv4 ttl
      Processed 3 flows
      Aggregated to 3 flows
      IPV4 SRC ADDR    IP PROT  IP TTL       flows       bytes        pkts
      ===============  =======  ======  ==========  ==========  ==========
      172.16.250.201         6      37           1         500           1
      172.16.250.202         6      12           1         500           1   <-- low TTL
      172.16.250.208         6      50           1         500           1
    • Revisiting the TCP and UDP Headers (For Your Reference)
      TCP segment (20-byte header without options), bits 0-15 | 16-31:
      | Src port                                        | Dest. port      |
      | Sequence #                                                        |
      | Acknowledgement #                                                 |
      | HLEN (4) | RSVD (6) | FLAGS: URG ACK PSH RST SYN FIN | Window Size |
      | Checksum                                        | Urgent Pointer  |
      | (TCP Options)                                                     |
      TCP Flags field:
        Flag  Meaning
        URG   Urgent Pointer field is valid
        ACK   Acknowledgment field is valid
        PSH   This segment requests a push
        RST   Reset the connection
        SYN   Synchronize sequence numbers
        FIN   End of byte stream for sender
      UDP datagram, bits 0-15 | 16-31:
      | Source Port (16)       | Destination Port (16)  |
      | Length (16)            | UDP Checksum (16)      |
      | Data (if any)                                   |
    • Filtering based on the TCP Flags field
      IOS-FW# show access-list TCPFLAGS
      Extended IP access list TCPFLAGS                                        Flags field
          10 deny tcp any any match-all +fin +psh +urg                        Flags = 41 = 0x29
          20 deny tcp any any match-all -ack -fin -psh -rst -syn -urg         Flags = 00 = 0x00
          30 deny tcp any any match-all +ack +rst                             Flags = 20 = 0x14
          40 permit tcp any any match-all -ack -fin -psh -rst +syn -urg       Flags = 02 = 0x02
          50 permit tcp any any match-all +ack -fin -psh -rst -syn -urg       Flags = 16 = 0x10
          60 permit tcp any any match-all +ack +psh -syn -urg                 Flags = 24 = 0x18
          70 permit tcp any any match-all -ack -psh +rst -syn -urg            Flags = 01 = 0x01

      IOS-FW# show flow monitor FLEX1 cache aggregate transport tcp flags transport destination-port ipv4 destination address
      Processed 15 flows
      Aggregated to 4 flows
      IPV4 DST ADDR    TRNS DST PORT  TCP FLAGS       flows       bytes   pkts
      ===============  =============  =========  ==========  ==========  =====
      172.16.251.251              80       0x14           4         640      4
      172.16.251.251              80       0x15           4         640      4
      172.16.251.251              80       0x16           4         640      4
      172.16.251.251              80       0x17           3         480      3
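An added example (not from the presentation) that implements the match-all semantics of the ACL above: each +flag must be set, each -flag must be clear, and unlisted flags are don't-care; it then evaluates a constructed copy of the ACL against the flag values the slide annotates and against the four combinations in the Flexible NetFlow cache. Bit values follow the standard TCP flag positions; the ACL text and the function names are assumptions of the example.

```python
import re

# Bit positions of the TCP flags (low-order byte of the flags field).
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

# Constructed copy of the ACL on the slide (same lines, without match counters).
TCPFLAGS_ACL = """
10 deny tcp any any match-all +fin +psh +urg
20 deny tcp any any match-all -ack -fin -psh -rst -syn -urg
30 deny tcp any any match-all +ack +rst
40 permit tcp any any match-all -ack -fin -psh -rst +syn -urg
50 permit tcp any any match-all +ack -fin -psh -rst -syn -urg
60 permit tcp any any match-all +ack +psh -syn -urg
70 permit tcp any any match-all -ack -psh +rst -syn -urg
"""

ACE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+tcp\s+\S+\s+\S+\s+match-all\s+(.+)$")


def parse_match_all(spec):
    """Turn '+ack -syn ...' into (must_set, must_clear) bitmasks.
    Flags not mentioned are don't-care, which is what match-all means on IOS."""
    must_set = must_clear = 0
    for tok in spec.split():
        sign, name = tok[0], tok[1:].lower()
        if sign not in "+-" or name not in TCP_FLAG_BITS:
            raise ValueError(f"unknown flag token {tok!r}")
        if sign == "+":
            must_set |= TCP_FLAG_BITS[name]
        else:
            must_clear |= TCP_FLAG_BITS[name]
    return must_set, must_clear


def flags_match(flags_byte, spec):
    must_set, must_clear = parse_match_all(spec)
    return (flags_byte & must_set) == must_set and (flags_byte & must_clear) == 0


def flags_value(*names):
    """Numeric value of a flag combination, e.g. flags_value('fin', 'psh', 'urg') == 0x29."""
    value = 0
    for n in names:
        value |= TCP_FLAG_BITS[n.lower()]
    return value


def flag_names(flags_byte):
    """Flag names set in the byte, lowest bit first."""
    return [n for n, b in sorted(TCP_FLAG_BITS.items(), key=lambda kv: kv[1]) if flags_byte & b]


def parse_acl(text):
    acl = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse ACE: {line!r}")
        acl.append((int(m.group(1)), m.group(2), m.group(3)))
    return acl


def evaluate(acl, flags_byte):
    """First-match ACL evaluation on the flags byte; (0, 'deny') is the implicit deny."""
    for seq, action, spec in acl:
        if flags_match(flags_byte, spec):
            return seq, action
    return 0, "deny"


if __name__ == "__main__":
    acl = parse_acl(TCPFLAGS_ACL)
    # 0x14-0x17 are the combinations in the Flexible NetFlow cache on the slide;
    # 0x02 is a plain SYN and 0x12 a SYN+ACK
    for flags in (0x14, 0x15, 0x16, 0x17, 0x02, 0x12):
        print(f"0x{flags:02X} {flag_names(flags)!s:<24} -> {evaluate(acl, flags)}")
```

Running it shows that the four combinations in the Flexible NetFlow cache (0x14 to 0x17, all with ACK and RST set) hit line 30, and that a SYN+ACK (0x12) matches no explicit line and falls to the implicit deny, which matters before such an ACL is applied where return traffic passes.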
    • What if an attack is based on a different header field?
      The Flexible Packet Matching (FPM) feature enables you to define advanced filtering based on IP, TCP, UDP and ICMP header fields.
      IOS-FW(config)# load protocol flash:udp.phdf
      IOS-FW# show protocols phdf udp
      Protocol ID: 3
      Protocol name: UDP
      Description: UDP-Protocol
      Original file name: flash:udp.phdf
      Header length: 8
      Constraint(s):
      Total number of fields: 5
      Field id: 0, source-port, UDP-Source-Port
         Fixed offset. offset 0
         Constant length. Length: 16
      Field id: 1, dest-port, UDP-Destination-Port
         Fixed offset. offset 16
         Constant length. Length: 16
      Field id: 2, length, UDP-Packet-Length
         Fixed offset. offset 32
         Constant length. Length: 16
      Field id: 3, checksum, UDP-Checksum
         Fixed offset. offset 48
         Constant length. Length: 16
      Field id: 4, payload-start, UDP-Payload-Start
         Fixed offset. offset 64
         Constant length. Length: 0
      (UDP datagram layout for reference, bits 0-15 | 16-31: Source Port (16) | Destination Port (16); Length (16) | UDP Checksum (16); Data (if any))
    • Use Case: Flexible Packet Matching
      Suppose a new attack has the following characteristics:
      - The attack is directed to TCP port 600
      - It uses a string of 4 bytes containing the word "worm" (or variants)
      - The attack string is located at a 16-byte offset from the beginning of the TCP payload
      - The attack string may be spread over 10 bytes from the TCP payload start position
    • FPM Capabilities: TCP Example
      IOS-FW(config)# class-map type access-control match-all FPM1
      IOS-FW(config-cmap)# match field ?
        ICMP   ICMP-Protocol
        IP     IP-Protocol
        TCP    TCP-Protocol
        UDP    UDP-Protocol
        layer  Match Protocol Layer
      IOS-FW(config-cmap)# match field TCP ?
      TCP Header/Data Fields
        acknum          TCP-Acknowledgement-Number
        checksum        TCP-Checksum-Value
        control-bits    TCP-Control-Bits-Number
        data-offset     TCP-Data-Offset-Number
        dest-port       TCP-Destination-Port
        ecn             TCP-ECN-Number
        payload-start   TCP-Payload-Start
        reserved        TCP-Reserved-Number
        seqnum          TCP-Sequence-Number
        source-port     TCP-Source-Port
        urgent-pointer  TCP-Urgent-Pointer
        window          TCP-Window-Size
    • Flexible Packet Matching (FPM) in action (For Your Reference)
      class-map type stack match-all IP-TCP
       match field IP protocol eq 0x6 next TCP
      class-map type access-control match-all CLASS1
       match field TCP dest-port eq 600
       match start TCP payload-start offset 16 size 10 regex ".*[Ww][Oo][Rr][Mm]"
      policy-map type access-control POLICY1
       class CLASS1
        drop log
      policy-map type access-control FPM1
       class IP-TCP
        service-policy POLICY1
      interface FastEthernet0/0
       service-policy type access-control input FPM1
      %SEC-6-IPACCESSLOGP: list CLASS1 denied tcp 172.16.210.120(18045) (FastEthernet0/0 ) -> 172.16.211.11(600), 1 packet
    • Sample Attacks blocked by FPM (For Your Reference)
      Ethernet Packet: 80 bytes
        Dest Addr: 0012.DAD2.6203, Source Addr: 0000.0000.0000
        Protocol: 0x0800
      IP  Version: 0x4, HdrLen: 0x5, TOS: 0x40 (Prec=Immediate)
        Length: 66, ID: 0x5208, Flags-Offset: 0x0000
        TTL: 60, Protocol: 6 (TCP), Checksum: 0x2EC6 (OK)
        Source: 172.16.210.105, Dest: 172.16.211.31
      TCP Src Port: 8000, Dest Port: 600
        Seq #: 0x00000000, Ack #: 0x00000000, Hdr_Len: 5
        Flags: 0x02 SYN, Window: 0, Checksum: 0xB9B3 (OK)
        Urgent Pointer: 0
      Data:
         0 : 0000 0000 0000 0000 0000 0000 0001 0108 7468 6531   ................the1
        20 : 774F 526D 3275                                      wORm2u
      Variant 1 (changing only the Data portion)
      Data:
         0 : 0000 0000 0000 0000 0000 0000 0001 0108 774F 526D   ................wORm
        20 : 4167 6169 6E31                                      Again1
      Variant 2 (changing only the Data portion)
      Data:
         0 : 0000 0000 0000 0000 0000 0000 0001 0108 7468 656E   ................then
        20 : 6577 574F 524D                                      ewWORM
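An added example (not the session's or Cisco's code) that parses the three payload dumps above and applies the FPM class-map of the previous slide to them: destination port 600, and the regex searched only within the 10 bytes starting at TCP payload offset 16. The dump strings, FPM_RULE and the function names are assumptions of the example; the parser stops at the first non-hex token on a line, which is enough for dumps in this layout.

```python
import re

# Constructed hex dumps in the layout of the slide's packet decodes (TCP payload only).
ORIGINAL = """
 0 : 0000 0000 0000 0000 0000 0000 0001 0108 7468 6531  ................the1
20 : 774F 526D 3275                                      wORm2u
"""
VARIANT1 = """
 0 : 0000 0000 0000 0000 0000 0000 0001 0108 774F 526D  ................wORm
20 : 4167 6169 6E31                                      Again1
"""
VARIANT2 = """
 0 : 0000 0000 0000 0000 0000 0000 0001 0108 7468 656E  ................then
20 : 6577 574F 524D                                      ewWORM
"""

# The FPM class-map of the slide, expressed as data:
#   match field TCP dest-port eq 600
#   match start TCP payload-start offset 16 size 10 regex ".*[Ww][Oo][Rr][Mm]"
FPM_RULE = {"dest_port": 600, "offset": 16, "size": 10, "regex": rb".*[Ww][Oo][Rr][Mm]"}

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{4}$|^[0-9A-Fa-f]{2}$")


def parse_hex_dump(dump):
    """Parse 'offset : xxxx xxxx ... ascii' lines into the TCP payload bytes.

    Hex groups are read left to right until the first token that is not 2 or 4
    hex digits (the ASCII column).  The offset printed at the start of each
    line is checked against the bytes collected so far, which catches a line
    whose ASCII column happened to look like hex."""
    payload = bytearray()
    for line in dump.strip().splitlines():
        off_text, _, rest = line.partition(":")
        if int(off_text) != len(payload):
            raise ValueError(f"dump line offset {off_text.strip()} does not follow previous line")
        for tok in rest.split():
            if not HEX_GROUP.match(tok):
                break
            payload += bytes.fromhex(tok)
    return bytes(payload)


def fpm_match(dest_port, payload, rule=FPM_RULE):
    """Emulate the class-map: dest-port eq 600 AND the regex found within the
    'size' bytes starting 'offset' bytes into the TCP payload.  Bytes outside
    that window are never examined, just as FPM would not examine them."""
    if dest_port != rule["dest_port"]:
        return False
    window = payload[rule["offset"]: rule["offset"] + rule["size"]]
    return re.search(rule["regex"], window) is not None


def verdict(dest_port, payload):
    """Policy action for the packet: the slide's POLICY1 drops and logs a CLASS1 hit."""
    return "drop log" if fpm_match(dest_port, payload) else "forward"


if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL), ("variant 1", VARIANT1), ("variant 2", VARIANT2)):
        data = parse_hex_dump(dump)
        print(f"{name:10} window={data[16:26]!r} -> {verdict(600, data)}")
```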
    • New Development for ISR G2: Content Scanning with Scansafe for IOS (For Your Reference)
      parameter-map type content-scan global
       server scansafe primary name proxy2261.scansafe.net port http 8080 https 8080
       server scansafe secondary name proxy1363.scansafe.net port http 8080 https 8080
       license 0 CD4B25B79D131F08ABCDEFABCDEFFFFF
       source interface Dialer1
       timeout server 30
       user-group ciscogroup10 username ciscouser10
       server scansafe on-failure block-all
      interface Dialer1
       ip nat outside
       content-scan out
       […]
      (Diagram: ISR-G2 between the users and the Internet, numbered steps 1, 2, 3)
    • New Development for ISR G2: Content Scanning with Scansafe for IOS (For Your Reference)
      IOS# show content-scan summary
      Primary: 201.94.155.42 (Up)*
      Secondary: 70.39.231.99 (Up)
      Interfaces: Dialer1

      IOS# show content-scan statistics
      Current HTTP sessions: 0
      Current HTTPS sessions: 0
      Total HTTP sessions: 83
      Total HTTPS sessions: 8
      White-listed sessions: 0
      Time of last reset: never

      IOS# show content-scan session active
      Protocol  Source                 Destination            Bytes            Time
      HTTP      172.19.99.101:57152    209.222.159.185:80     (1635:331595)    00:00:12
         URI: www.maa.org
         Username/usergroup(s): ciscouser10/ ciscogroup10
      HTTP      172.19.99.101:57153    209.222.159.185:80     (2157:53326)     00:00:12
         URI: www.maa.org
         Username/usergroup(s): ciscouser10/ ciscogroup10
      HTTP      172.19.99.101:57161    74.125.234.10:80       (1525:833)       00:00:09
         URI: www.google-analytics.com
         Username/usergroup(s): ciscouser10/ ciscogroup10
    • IPv6 Security Features on IOS
    • IOS IPv6 ACLs
      Basic IPv6 ACL:
        ipv6 access-list ACL-NAME
         {deny | permit} {protocol} {src-prefix/prefix-length} {dst-prefix/prefix-length} [sequence ACE#]
          action          protocol   sources                    destinations               line number
      Specifying L4 information:
        ipv6 access-list ACL-NAME
         {deny | permit} {tcp | udp} {src-prefix/prefix-length} [src-port] {dst-prefix/prefix-length} [dest-port]
          action          protocol    sources                    service    destinations               service
      Associating an IPv6 ACL to an interface:
        interface FastEthernet0/0
         ipv6 traffic-filter V6-ACL1 in
    • IOS IPv6 ACLs: Filtering Options (For Your Reference)
      V6-FW(config-ipv6-acl)# permit ipv6 any any ?
        auth              Match on authentication header
        dest-option       Destination Option header (all types)
        dest-option-type  Destination Option header with type
        dscp              Match packets with given dscp value
        flow-label        Flow label
        fragments         Check non-initial fragments
        log               Log matches against this entry
        log-input         Log matches against this entry, including input
        mobility          Mobility header (all types)
        mobility-type     Mobility header with type
        reflect           Create reflexive access list entry
        routing           Routing header (all types)
        routing-type      Routing header with type
        sequence          Sequence number for this entry
        time-range        Specify a time-range
        <cr>
    • ZFW for IPv6: Use Case 1
      (Diagram: Zone INSIDE and Zone OUTSIDE on either side of ZFW6, interfaces F1 and F0, prefixes 2001:db8:0:1111::/64 and 2001:db8::/64, hosts ::5 and ::4; OUTBOUND1 zone policy)
      zone-pair security OUTBOUND1 source INSIDE destination DMZ
       service-policy type inspect POLICY1
      class-map type inspect match-any GENERIC-V6
       match protocol tcp
       match protocol udp
       match protocol icmp
      policy-map type inspect POLICY1
       class type inspect GENERIC-V6
        inspect TRACKING
       class class-default
        drop log
      FIREWALL* sis 49FA6440: Session Created
      FIREWALL* sis 49FA6440: IPv6 address extention Created
      FIREWALL* sis 49FA6440: Pak 497651C8 init_addr ([2001:DB8::5]:123) resp_addr ([2001:DB8:0:1111::2]:123)
      FIREWALL* sis 49FA6440: FO cls 0x489C3100 clsgrp 0x20000000, target 0xA0000000, FO 0x4A91F6C0, alert = 1, audit_trail = 1, L7 = Unknown-l7, PAMID = 0
    • ZFW for IPv6: Use Case 2
      (Diagram: host 2001:db8:0:2222::103 in Zone INSIDE, interface F1 -- ZFW6 -- interface F0, Zone OUTSIDE, FTP server 2001:db8:0:BBBB::102; OUTBOUND1 zone policy)
      zone-pair security OUTBOUND1 source INSIDE destination OUTSIDE
       service-policy type inspect POLICY1
      class-map type inspect match-any V6-FTP
       match protocol ftp
      policy-map type inspect POLICY1
       class type inspect V6-FTP
        inspect TRACKING
       class class-default
        drop log
      Application-specific policy supported for FTP (over IPv6)
    • ZFW for IPv6: Use Case 2
      (Diagram: host 2001:db8:0:2222::103 in Zone INSIDE, interface F1 -- ZFW6 -- interface F0, Zone OUTSIDE, FTP server 2001:db8:0:BBBB::102; OUTBOUND1 zone policy)
      %IPV6_FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:V6-FTP):Start ftp session: initiator ([2001:DB8:0:2222::103]:2510) -- responder ([2001:DB8:0:BBBB::102]:21)
      %IPV6_FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTBOUND1:V6-FTP):Start ftp-data session: initiator ([2001:DB8:0:BBBB::102]:20) -- responder ([2001:DB8:0:2222::103]:2512)
      %IPV6_FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:V6-FTP):Stop ftp-data session initiator ([2001:DB8:0:BBBB::102]:20) sent 39 bytes -- responder ([2001:DB8:0:2222::103]:2512) sent 0 bytes
      %IPV6_FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTBOUND1:V6-FTP):Stop ftp session initiator ([2001:DB8:0:2222::103]:2510) sent 147 bytes -- responder ([2001:DB8:0:BBBB::102]:21) sent 418 bytes
    • Firewall Placement: IPv6 Tunneling
      (Diagram: IPv6 Host -- Dual Stack Router (R2) -- IPv4 Backbone (IPv6 transit network) -- Dual Stack Router (ZFW) -- IPv6 Host; IPv6 Domain 1 and IPv6 Domain 2 at either end; detailed IPv6 inspection performed by the dedicated IPv6 firewall)
      Native IPv6 -> Tunnel (IPv6 over IPv4) -> Native IPv6:
        Native IPv6:   IPv6 Header | IPv6 Data
        IPv6 in IPv4:  IPv4 Header | IPv6 Header | IPv6 Data        (IPv4 Protocol Type = 41)
        Native IPv6:   IPv6 Header | IPv6 Data
      Native IPv6 -> IPv6 over GRE -> Native IPv6:
        Native IPv6:   IPv6 Header | IPv6 Data
        IPv6 over GRE: IPv4 Header | GRE Header | IPv6 Header | IPv6 Data   (IPv4 Protocol Type = 47 = GRE)
        Native IPv6:   IPv6 Header | IPv6 Data
    • Sample IPv6 over IPv4 Static Tunnel (For Your Reference)
      (Diagram: ZFW and R2 connected over IPv4 (172.22.1.0/24 and 172.22.2.0/24, subinterfaces f0/0.1201 and f0/0.1202), tunnel endpoints on Loopback 1 addresses 172.22.22.241/32 and 172.22.22.242/32; IPv6 prefixes 2001:DB8::/64 and 2001:DB8:5555::/64 at either end)
      Static tunnel (IPv6 over IPv4), endpoint with tunnel source 172.22.22.241:
      interface Tunnel1
       no ip address
       ipv6 address 2001:DB8:0:1111::1/64
       ipv6 enable
       tunnel source 172.22.22.241
       tunnel destination 172.22.22.242
       tunnel mode ipv6ip
      !
      ipv6 route 2001:DB8:5555::/64 Tunnel1

      Endpoint with tunnel source 172.22.22.242:
      interface Tunnel1
       no ip address
       ipv6 address 2001:DB8:0:1111::2/64
       ipv6 enable
       tunnel source 172.22.22.242
       tunnel destination 172.22.22.241
       tunnel mode ipv6ip
      !
      ipv6 route 2001:DB8::/64 Tunnel1

      ZFW# show interface tunnel 1 | include Tunnel
      Tunnel1 is up, line protocol is up
        Hardware is Tunnel
        Tunnel source 172.22.22.241, destination 172.22.22.242
        Tunnel protocol/transport IPv6/IP
        Tunnel TTL 255
        Tunnel transport MTU 1480 bytes
    • ZFW Use Case 3: Tunneling Scenario
      (Diagram: Zone INSIDE, 2001:DB8::/64 -- ZFW -- IPv6 over IPv4 tunnel across the underlying IPv4 network -- Zone OUTSIDE, 2001:DB8:5555::/64)
      interface Tunnel1
       no ip address
       ipv6 address 2001:DB8:0:1111::1/64
       ipv6 enable
       zone-member security OUTSIDE
       tunnel source 172.22.22.241
       tunnel destination 172.22.22.242
       tunnel mode ipv6ip
      !
      ipv6 route 2001:DB8:5555::/64 Tunnel1
      !
      ! Inspecting the IPv6 traffic
      zone-pair security INBOUND1 source OUTSIDE destination INSIDE
       service-policy type inspect POLICY1
    • Some other security features available for IPv6
      - Virtual Fragment Reassembly (VFR)
      - Antispoofing with uRPF
      - Detailed visibility with Flexible NetFlow
      flow record FLEXRECORD6
       match ipv6 traffic-class
       match ipv6 protocol
       match ipv6 source address
       match ipv6 destination address
       match transport source-port
       match transport destination-port
       match interface input
       collect routing next-hop address ipv6
       collect ipv6 next-header
       collect ipv6 hop-limit
       collect ipv6 payload-length
       collect ipv6 extension map
       collect ipv6 fragmentation flags
       collect ipv6 fragmentation offset
       collect ipv6 fragmentation id
       collect transport tcp flags
       collect interface output
       collect counter bytes
       collect counter packets
      !
      flow exporter FLEXNETFLOW
       destination 192.168.1.114
       source FastEthernet0/0
       transport udp 2055
      !
      flow monitor FLEX6
       record FLEXRECORD6
       exporter FLEXNETFLOW
      !
      V6-FW# show flow monitor FLEX6 cache aggregate ipv6 source address transport icmp ipv6 type transport icmp ipv6 code
      Processed 3 flows
      Aggregated to 3 flows
      IPV6 SOURCE ADDRESS: 2001:DB8::5
      ICMP IPV6 TYPE: 128
      ICMP IPV6 CODE: 0
      counter flows: 1
      counter bytes: 86000
      counter packets: 86
    • Key Takeaways: What You Learned
      - IOS Security features are well suited for Branch deployments
      - How to build Zone-based Firewall policies (from basic to advanced)
      - How to use Identity-based features on IOS, including the user-based ZFW
      - IOS Software is under constant development, and one of its recent features uses SGT/IP Mapping (from the TrustSec architecture) to build more scalable firewall policies
      - How to leverage advanced filtering resources such as special-purpose ACLs and Flexible Packet Matching (FPM)
      - How to use ISR G2 routers to direct traffic to Scansafe towers for content scanning
      - Which IPv6 Security functionalities are already available on IOS
    • Recommended Reading
    • Blog: alexandremspmoraes.wordpress.com Twitter: alexandre_mspm
    • Complete Your Online Session Evaluation
      Give us your feedback and you could win fabulous prizes. Winners announced daily.
      Receive 20 Passport points for each session evaluation you complete.
      Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
      Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
    • Final Thoughts
      Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
      Come see demos of many key solutions and products in the main Cisco booth 2924
      Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
      Follow Cisco Live! using social media:
      - Facebook: https://www.facebook.com/ciscoliveus
      - Twitter: https://twitter.com/#!/CiscoLive
      - LinkedIn Group: http://linkd.in/CiscoLI