Without claiming completeness, I will try to describe the technologies that can be used to protect the perimeter.
We will consider IOS with the firewall feature set. As a rule, this feature set is present in every IOS image that includes encryption, except the most basic one.
So, let a Cisco router whose job is to protect our internal resources sit at the edge of our network.
Protecting traffic.
First of all, it makes sense to cut off unnecessary traffic in the simplest and crudest way: with access lists.
Access lists (ACL, Access Control List) for the IP protocol on Cisco routers come in two kinds:
standard (check only the source IP address and permit or deny traffic by that parameter alone) and
extended (check source and destination addresses, the transport protocol, source and destination ports, as well as other fields of the IP, TCP, UDP and other protocol headers).
The order of the lines in an access list is very important: the entries are checked in order, and as soon as a match is found the packet is either forwarded or dropped.
At the end of every ACL there is an invisible “deny all”, so a packet that matches nothing cannot slip past the ACL.
Access lists can be numbered or named. I recommend using named ones with meaningful names.
Examples:
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip any 192.168.1.0 0.0.0.255
ip access-list standard TEST
permit host 1.2.3.4
ip access-list extended TEST2
permit tcp any 10.1.1.0 0.0.0.255 eq http
permit tcp any 10.1.1.0 0.0.0.255 eq https
permit udp any 10.1.1.0 0.0.0.255 eq 53
permit ip any 10.1.1.0 0.0.0.255 dscp cs5
Access lists are templates that can be used both to filter traffic and as selection criteria for other technologies. For example, access lists define the “interesting” traffic for encryption, for NAT, for QoS, and so on.
By itself, an access list does nothing until it is applied to some technology. For example, to filter traffic entering or leaving an interface, an ACL is applied with the command
ip access-group <ACL name> {in | out}
Traditionally, it is recommended to hang a so-called anti-spoofing ACL on the external interface, i.e. one that prevents attacks from forged source addresses.
Example:
ip access-list ex ANTISPOOFING
deny ip host 0.0.0.0 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 255.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
permit ip any any
Important: be very careful with such an ACL if you work with encrypted IPsec tunnels. An ACL applied inbound on an interface checks the header of the encrypted packet first, and then the decrypted header.
Therefore, denying traffic from the private networks (10.x, 172.16.x, 192.168.x) can break the tunnel.
So, we have cut off unnecessary traffic. Now it is time to do firewalling. We need to give internal users access to the Internet while not letting unsolicited connections from the outside reach the inside. Cisco routers can act as stateful firewalls.
If your tasks are simple, there are no dedicated security zones and no services are published to the outside, then the easiest way is to use the basic firewall (the classic CBAC, configured with ip inspect).
To do this, create an ip inspect rule listing the protocols you want it to process and whose sessions it should remember, attach the rule to an interface, and ... that's it :) The router remembers the sessions initiated from the inside and admits from the outside only the packets that belong to those sessions. If an incoming packet does not match any session, the router then checks the ACL applied on the interface for a rule that permits this packet.
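To make the first-match order, the wildcard masks and the invisible “deny all” concrete, here is an added example (my own code, not from the article) that evaluates the article's ANTISPOOFING and TEST2 entries against sample packets. It understands only the syntax used on this page (any, host, network plus wildcard, eq port); the qualifier dscp is deliberately rejected, and the addresses in the tests are constructed.

```python
import ipaddress
NAMED_PORTS = {"http": 80, "https": 443, "domain": 53}  # port names IOS accepts after "eq"
# The article's ANTISPOOFING and TEST2 entries, reused here as sample input.
ANTISPOOFING = [
    "deny ip host 0.0.0.0 any",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip host 255.255.255.255 any",
    "deny ip 224.0.0.0 15.255.255.255 any",
    "permit ip any any",
]
TEST2 = [
    "permit tcp any 10.1.1.0 0.0.0.255 eq http",
    "permit tcp any 10.1.1.0 0.0.0.255 eq https",
    "permit udp any 10.1.1.0 0.0.0.255 eq 53",
]

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care' (the inverse of a netmask)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'NET WILDCARD'; return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> <dst> [eq PORT]'; other qualifiers are rejected."""
    action, proto, *rest = line.split()
    src, src_wc, rest = parse_addr(rest)
    dst, dst_wc, rest = parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport, rest = NAMED_PORTS.get(rest[1]) or int(rest[1]), rest[2:]
    if rest:  # e.g. the 'dscp cs5' entry from the article is out of scope here
        raise ValueError(f"unsupported qualifier: {' '.join(rest)}")
    return action, proto, src, src_wc, dst, dst_wc, dport

def evaluate(acl, proto, src, dst, dport=None):
    """Entries are tried in order, first match decides; no match means the invisible 'deny all'."""
    for action, aproto, asrc, asrc_wc, adst, adst_wc, adport in map(parse_ace, acl):
        if (aproto in ("ip", proto) and wildcard_match(src, asrc, asrc_wc)
                and wildcard_match(dst, adst, adst_wc) and adport in (None, dport)):
            return action
    return "deny"
```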
Config example:
Ro(config)# ip inspect name FW tcp
Ro(config)# ip inspect name FW udp
Ro(config)# ip inspect name FW icmp
Ro(config)# ip inspect name FW ftp
Ro(config)# ip inspect name FW sip
tcp - tracks TCP sessions.
udp - tracks UDP sessions.
The remaining lines enable inspection and processing of the named protocol, because handling it is harder than simply letting through the reply packets of a TCP/UDP session.
For example, FTP has one control channel over which negotiation and authentication take place, while the data is transmitted over a completely separate channel; that data session may be initiated from the outside, and the router would not let it through. With inspection enabled, the router listens in on the control session, learns which ports the server and client have agreed to use for the data transfer, and puts that session on the allowed list as well.
Let f0/0 be the external and f0/1 the internal interface
Ro(config)# int f0/1
Ro(config-if)# ip inspect FW in
The rule is applied inbound on the internal interface or outbound on the external interface, i.e. in the direction
of OUTGOING traffic.
A strict ACL is applied on the external interface that lets almost nothing in from the outside, for example
Ro(config)# ip access-l ex STRICT
Ro(config-ext-nacl)# deny ip any any
Ro(config)# int f0/0
Ro(config-if)# ip access-g STRICT in
In the configuration above, only packets that were requested from the inside will pass through.
There is a subtlety: ACL STRICT will also block all traffic to the router itself, because by default the router's own traffic is not inspected. To inspect the router's own traffic, add the router-traffic keyword to the inspect rule:
Ro(config)# ip inspect name FW tcp router-traffic
Ro(config)# ip inspect name FW udp router-traffic
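As an added example (my own model, not the article's code and not how IOS is implemented), here is the basic firewall from the configuration above reduced to its two rules: a session table fed by inspection on f0/1 and ACL STRICT on f0/0 as the fallback. It also shows the subtlety just described: replies to the router's own traffic are dropped until the router-traffic option is on. ROUTER_IP and the hosts used in the tests are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"; other protocols of the FW rule are not modelled
    src: str
    sport: int
    dst: str
    dport: int

ROUTER_IP = "203.0.113.1"  # constructed: the router's own address on f0/0

class BasicFirewall:
    """Session table ('ip inspect FW in' on f0/1) plus ACL STRICT inbound on f0/0."""
    def __init__(self, router_traffic=False):
        self.router_traffic = router_traffic   # models the 'router-traffic' keyword
        self.sessions = set()                  # (proto, in_ip, in_port, out_ip, out_port)

    @staticmethod
    def strict_acl(pkt):
        """ACL STRICT is 'deny ip any any', so no unsolicited packet passes it."""
        return False

    def outbound(self, pkt):
        """Traffic leaving toward the Internet: inspection records it as a session,
        except that the router's own traffic is skipped unless router-traffic is set."""
        if pkt.src == ROUTER_IP and not self.router_traffic:
            return "forwarded, not inspected"
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "forwarded, session recorded"

    def inbound(self, pkt):
        """Traffic arriving on f0/0: pass if it is the return half of a recorded
        session, otherwise fall back to the interface ACL."""
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.sessions:
            return "permitted by inspection"
        return "permitted by ACL" if self.strict_acl(pkt) else "dropped by ACL STRICT"
```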
If the tasks are complex, you need different security zones (demilitarized zones, DMZ) and fine-grained control of how protocols behave between those zones, then it is better to use the so-called zone-based firewall. I will not describe it here, because it is no longer beginner material :)
What else can protect the traffic passing through the router?
An intrusion prevention system (IPS), intermediate authentication (cut-through proxy), protocol recognition (NBAR), and queueing (QoS).
I will tell about them in more detail. Later :)
Sergey Fedorov
To be continued...