RE: IP Inspect

From: Justin Menga (Justin.Menga@xxxxxxxxxxxxxxxxxx)
Date: Mon Dec 04 2000 - 16:46:34 GMT-3


It is really easy once you start to think of traffic in terms of where the
connection is being initiated from. All you need to do is define
access-lists to allow the INITIAL connection request, CBAC will then open up
any required ACLs to allow the return traffic.

The most important thing is that CBAC doesn't do anything filtering-wise
without ACLs (it does some application layer inspection). If your external
interface allows all incoming traffic, then all incoming traffic is allowed
in. There is no way for CBAC to stop that traffic; your ACLs stop the
traffic. No ACLs, no security!!

CBAC is kinda like the established keyword, but is a lot smarter. All the
established keyword does is look at the TCP flags (if the packet doesn't
carry the SYN flag, well hey, it's established). CBAC will check sequence
numbers, etc. to ensure the traffic IS part of the allowed connection. CBAC
supports UDP (as best as it can) and also understands more complex protocols
like H.323, FTP, SIP etc.

Another few good commands for your firewall:

no ip source-route
ip access-list extended EXTERNAL
   deny ip 10.0.0.0 0.255.255.255 any
   deny ip 172.16.0.0 0.15.255.255 any
   deny ip 192.168.0.0 0.0.255.255 any
   ...... (your ACLs that you need)
   .......

The ACL above is applied inbound on the external interface and stops
incoming packets spoofing your internal network source addresses (a common
attack is called SMURF). Source routing should always be disabled as
packets should not be able to specify the route to a destination - your
routing topology should control that.

With your ACLs, always remember you should let the "GOOD" ICMP diagnostics
in (e.g. unreachables, TTL expired, source quench).

Regards,

Justin Menga MCSE+I CCNP CCSE ASE
WAN Specialist
Computerland New Zealand
PO Box 3631, Auckland
DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
mailto: justin.menga@computerland.co.nz
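
The difference between the established keyword and CBAC's session tracking, modelled at packet level as an added example (this is not code from the post above; the addresses, ports and sequence numbers are constructed). Three inbound policies are compared on the same packets: the static ACL alone, the static ACL plus an established rule, and a CBAC-style inspector that only admits replies to connections it saw leave. The inspector's sequence check is a simplification of what the post describes: it requires the SYN/ACK to acknowledge the client's ISN + 1 and then accepts ACK-flagged segments until the session is torn down.

```python
"""Why the established keyword is weaker than CBAC session tracking: the
three inbound policies compared at packet level.  Added example, not code
from the post above; addresses, ports and sequence numbers are constructed."""
from dataclasses import dataclass

SMTP_SERVER = "203.0.113.1"   # the one host the static ACL publishes (constructed)
MOD = 2 ** 32                 # TCP sequence numbers wrap at 32 bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int = 0
    ack: int = 0


def static_acl_permits(pkt):
    """access-list 100 permit tcp any host SMTP_SERVER eq smtp / deny ip any any"""
    return pkt.dst == SMTP_SERVER and pkt.dport == 25


def established_permits(pkt):
    """Same ACL plus 'permit tcp any any established': any ACK or RST gets in."""
    return static_acl_permits(pkt) or bool(pkt.flags & {"ACK", "RST"})


class Inspector:
    """CBAC-style: outbound SYNs open a session; only a matching reply comes back."""

    def __init__(self):
        self.sessions = {}        # (src, sport, dst, dport) -> session state

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == {"SYN"}:
            self.sessions[key] = {"state": "SYN_SENT", "isn": pkt.seq}
        elif pkt.flags & {"RST", "FIN"}:
            self.sessions.pop(key, None)      # teardown closes the temporary hole

    def inbound_permits(self, pkt):
        if static_acl_permits(pkt):
            return True
        sess = self.sessions.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if sess is None:
            return False                      # nobody inside initiated this
        if sess["state"] == "SYN_SENT":
            # The reply must be a SYN/ACK acknowledging exactly the client's ISN + 1
            if pkt.flags == {"SYN", "ACK"} and pkt.ack == (sess["isn"] + 1) % MOD:
                sess["state"] = "ESTABLISHED"
                return True
            return False
        return "ACK" in pkt.flags


def verdicts(insp, pkt):
    """(static ACL, static ACL + established, CBAC) decisions for one inbound packet."""
    return (static_acl_permits(pkt), established_permits(pkt), insp.inbound_permits(pkt))


def evaluate():
    """Run the cases from the discussion; returns {case: (static, established, cbac)}."""
    insp = Inspector()
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    results = {}
    # 1. Mail to the published server: the static ACL already allows this.
    results["inbound smtp"] = verdicts(
        insp, Packet("198.51.100.7", 51000, SMTP_SERVER, 25, syn, seq=100))
    # 2. Inside client opens HTTP out; only established and CBAC let the SYN/ACK back.
    insp.outbound(Packet("10.1.1.5", 40000, "198.51.100.9", 80, syn, seq=1000))
    results["syn/ack for real session"] = verdicts(
        insp, Packet("198.51.100.9", 80, "10.1.1.5", 40000, synack, seq=5000, ack=1001))
    # 3. Forged segment with ACK set, aimed at an inside host nobody published.
    results["forged ack to inside host"] = verdicts(
        insp, Packet("198.51.100.66", 1234, "10.1.1.7", 445, ack, seq=1, ack=1))
    # 4. Forged SYN/ACK hitting a real session's 5-tuple but not its sequence state.
    insp.outbound(Packet("10.1.1.5", 40001, "198.51.100.9", 80, syn, seq=2000))
    results["syn/ack with wrong ack number"] = verdicts(
        insp, Packet("198.51.100.9", 80, "10.1.1.5", 40001, synack, seq=7, ack=99))
    return results
```

Case 3 is the one that matters: the established rule waves through any segment with ACK set, so a port scan or payload aimed at an inside host needs only that one flag bit, while the inspector rejects it because no inside host opened that connection. Case 4 shows that guessing the 5-tuple is not enough either once sequence state is tracked.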

-----Original Message-----
From: Moran, Ed [mailto:morane@telecomsys.com]
Sent: Friday, 1 December 2000 11:42 a.m.
To: 'Justin Menga '; Moran, Ed; 'CCIELAB (E-mail) '
Subject: RE: IP Inspect

 What you have stated are a few of the things that I feel are wrong with it.
I do not know much about the IOS Firewall and that is why I asked the group.
Why would TAC configure such an open firewall? I won't be in the office
until after my lab on December 13th/14th, otherwise I would send you the
complete config to analyze. Thanks, I think I need to reconfigure this
completely.

-----Original Message-----
From: Justin Menga
To: 'Moran, Ed'; CCIELAB (E-mail)
Sent: 11/30/00 5:23 PM
Subject: RE: IP Inspect

Hi,

This configuration is totally wrong - there are no access lists set up or
applied!!

CBAC is a really great tool that really simplifies how you do access-lists.
You must define what traffic is going through the firewall. You need to
think about WHO is INITIATING the connection (i.e. Internal or External).
Typically, there will only be a few connections that are initiated from the
EXTERNAL network (e.g. smtp, http, ftp, https). You need to define an
access-list that allows these connections IN to the external interface and
then deny everything else.

e.g.

access-list 100 permit tcp any host 200.200.200.1 eq smtp
access-list 100 deny ip any any
int s0
  ip access-group 100 in

With the above, any host can communicate to 200.200.200.1 on port 25, but
nothing else will work. Even return traffic to internal hosts will be
blocked - CBAC solves this problem. CBAC monitors internal host connections
to the outside and puts in temporary ACL entries to permit the return
traffic. You need to specify where CBAC runs and what it is looking at. This
is done via inspect statements. The inspect statements are also evaluated in
order from top to bottom, so more specific stuff (e.g. HTTP) should be above
TCP to utilise the HTTP inspection features. You need to bind it to an
interface as well. This really depends on your traffic flows and if you
have DMZ networks. You can either apply it INBOUND on the internal
interface, or OUTBOUND on the external interface.

e.g. The below config allows any internal client to have a TCP or UDP
connection out to the Internet, but only allows an external client to
initiate a telnet session to the Internet router (NOT RECOMMENDED).

ip inspect name Internet cuseeme
ip inspect name Internet ftp
ip inspect name Internet h323
ip inspect name Internet rcmd
ip inspect name Internet realaudio
ip inspect name Internet smtp
ip inspect name Internet streamworks
ip inspect name Internet vdolive
ip inspect name Internet sqlnet
ip inspect name Internet tftp
ip inspect name Internet http java-list 90
ip inspect name Internet tcp
ip inspect name Internet udp

interface FastEthernet1/0
 ip address 191.9.88.16 255.255.0.0
 ip nat inside

interface FastEthernet1/1
 ip address 204.193.110.253 255.255.255.0
 ip nat outside
 ip inspect Internet out
 ip access-group 100 in

access-list 100 permit tcp any host 204.193.110.253 eq telnet
access-list 100 deny ip any any

Regards,

Justin Menga MCSE+I CCNP CCSE ASE
WAN Specialist
Computerland New Zealand
PO Box 3631, Auckland
DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
mailto: justin.menga@computerland.co.nz
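
A small audit script for the mistakes discussed in this thread, added as an example (it is not code from the posts or from Cisco). It parses an IOS configuration and reports inspection applied with no access-group, generic tcp/udp entries listed above application-specific ones, a java-list that permits any source or references an undefined ACL, an outside interface whose inbound ACL lacks the RFC 1918 anti-spoofing denies, and ip source-route left enabled. The two sample configs are constructed from the ones posted, with the inspect lists abbreviated; the parser only understands the handful of commands those configs use.

```python
"""Audit a Cisco IOS Firewall (CBAC) configuration for the mistakes raised in
this thread.  Added example, not code from the posts; the checks and the two
sample configs below are constructed for illustration."""

GENERIC = ("tcp", "udp")                               # catch-all inspect entries
RFC1918 = ("10.0.0.0", "172.16.0.0", "192.168.0.0")    # expected anti-spoof denies


def parse(config):
    """Collect interfaces, inspect sets, ACLs and global settings from IOS text."""
    cfg = {"if": {}, "inspect": {}, "acl": {}, "global": set()}
    block = None                                       # ("if", name) / ("acl", name)
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        tok = line.split()
        if not line.startswith(" "):                   # unindented line ends a block
            block = None
        if tok[0] == "interface":
            block = ("if", tok[1])
            cfg["if"][tok[1]] = {"inspect": [], "acl": {}, "nat": None}
        elif tok[:3] == ["ip", "access-list", "extended"]:
            block = ("acl", tok[3])
            cfg["acl"].setdefault(tok[3], [])
        elif tok[:3] == ["ip", "inspect", "name"]:
            cfg["inspect"].setdefault(tok[3], []).append(tok[4:])
        elif tok[0] == "access-list":                  # numbered ACL entry
            cfg["acl"].setdefault(tok[1], []).append(tok[2:])
        elif tok[:3] == ["no", "ip", "source-route"]:
            cfg["global"].add("no ip source-route")
        elif block and block[0] == "if":
            intf = cfg["if"][block[1]]
            if tok[:2] == ["ip", "inspect"]:
                intf["inspect"].append((tok[2], tok[3]))      # (set name, direction)
            elif tok[:2] == ["ip", "access-group"]:
                intf["acl"][tok[3]] = tok[2]                  # direction -> ACL id
            elif tok[:2] == ["ip", "nat"]:
                intf["nat"] = tok[2]
        elif block and block[0] == "acl":
            cfg["acl"][block[1]].append(tok)
    return cfg


def audit(config):
    """Return the findings for one configuration as a list of short strings."""
    cfg = parse(config)
    out = []
    for name, entries in cfg["inspect"].items():
        protos = [e[0] for e in entries]
        generic_at = [i for i, p in enumerate(protos) if p in GENERIC]
        if generic_at and any(p not in GENERIC for p in protos[generic_at[0]:]):
            out.append(f"inspect {name}: generic tcp/udp listed above application entries")
        for e in entries:
            if "java-list" in e:
                num = e[e.index("java-list") + 1]
                if num not in cfg["acl"]:
                    out.append(f"inspect {name}: java-list {num} references an undefined ACL")
                elif ["permit", "any"] in [a[:2] for a in cfg["acl"][num]]:
                    out.append(f"inspect {name}: java-list {num} permits any, nothing is blocked")
    for ifname, intf in cfg["if"].items():
        if intf["inspect"] and not intf["acl"]:
            out.append(f"{ifname}: ip inspect with no ip access-group, nothing is filtered")
        if intf["nat"] == "outside":
            inbound = intf["acl"].get("in")
            if inbound is None:
                out.append(f"{ifname}: outside interface has no inbound ACL")
            else:
                denied = {a[2] for a in cfg["acl"].get(inbound, [])
                          if a[:2] == ["deny", "ip"] and len(a) > 2}
                missing = [n for n in RFC1918 if n not in denied]
                if missing:
                    out.append(f"{ifname}: ACL {inbound} does not deny spoofed {', '.join(missing)}")
    if "no ip source-route" not in cfg["global"]:
        out.append("global: ip source-route is still enabled")
    return out


# Constructed sample: the layout as first posted (inspect list abbreviated).
TAC_CONFIG = """\
access-list 90 permit any
ip inspect name Internet tcp
ip inspect name Internet ftp
ip inspect name Internet http java-list 90
interface FastEthernet1/0
 ip nat inside
 ip inspect Internet out
interface FastEthernet1/1
 ip nat outside
 ip inspect Internet out
"""

# Constructed sample: the corrected layout from the reply (ACL in, inspect out).
FIXED_CONFIG = """\
ip inspect name Internet ftp
ip inspect name Internet http java-list 90
ip inspect name Internet tcp
interface FastEthernet1/1
 ip nat outside
 ip inspect Internet out
 ip access-group 100 in
access-list 100 permit tcp any host 204.193.110.253 eq telnet
access-list 100 deny ip any any
"""
```

Run `audit(TAC_CONFIG)` and `audit(FIXED_CONFIG)` side by side: the first layout trips every check, the corrected one is left with the points made earlier in the thread (the anti-spoofing denies and no ip source-route) plus the java-list ACL that the reply never defined.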

-----Original Message-----
From: Moran, Ed [mailto:morane@telecomsys.com]
Sent: Friday, 1 December 2000 5:02 a.m.
To: CCIELAB (E-mail)
Subject: IP Inspect

I have a customer with an IOS Firewall Feature Set. TAC helped me set up the
firewall and this is the config he used.

access-list 90 permit any
ip inspect name Internet tcp
ip inspect name Internet udp
ip inspect name Internet cuseeme
ip inspect name Internet ftp
ip inspect name Internet h323
ip inspect name Internet rcmd
ip inspect name Internet realaudio
ip inspect name Internet smtp
ip inspect name Internet streamworks
ip inspect name Internet vdolive
ip inspect name Internet sqlnet
ip inspect name Internet tftp
ip inspect name Internet http java-list 90

interface FastEthernet1/0
 ip address 191.9.88.16 255.255.0.0
 ip nat inside
 ip inspect Internet out

interface FastEthernet1/1
 ip address 204.193.110.253 255.255.255.0
 ip nat outside
 ip inspect Internet out

Can someone please explain to me why the interfaces both use the "IP Inspect
Internet out" statement? If you filter from the Internet, wouldn't you want
to inspect inbound on interface Fa1/1?

Also, can someone point me to a good reference for the firewall? I am having
some problems understanding how everything works with it. Checkpoint was
nice with that GUI and "point and click" atmosphere...

Thanks...

E A Moran
Network Engineer
CNE,MCSE,CCNP,CCDP
TeleCommunication Systems
(813)831-6353



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:58 GMT-3