From: Justin Menga (Justin.Menga@xxxxxxxxxxxxxxxxxx)
Date: Tue Dec 05 2000 - 05:56:37 GMT-3
Sorry, you're right, I think the logic is more like if the ACK flag is
present....
-----Original Message-----
From: Tony Olzak [mailto:aolzak@buckeye-express.com]
Sent: Tuesday, December 05, 2000 3:38 PM
To: Justin Menga; 'Moran, Ed'; 'CCIELAB (E-mail) '
Subject: Re: IP Inspect
Actually,
If it did not allow anything with SYN set, you would never get back the
initial ACK in response to your first packet.
TCP Handshaking:
Host1---------SYN--->Host2
Host1<--SYN/ACK---Host2
Host1-----ACK------->Host2
Tony
----- Original Message -----
From: "Justin Menga" <Justin.Menga@computerland.co.nz>
To: "'Moran, Ed'" <morane@telecomsys.com>; "Justin Menga"
<Justin.Menga@computerland.co.nz>; "'CCIELAB (E-mail) '"
<ccielab@groupstudy.com>
Sent: Monday, December 04, 2000 2:46 PM
Subject: RE: IP Inspect
> It is really easy once you start to think of traffic in terms of where the
> connection is being initiated from. All you need to do is define
> access-lists to allow the INITIAL connection request, CBAC will then open
> up any required ACLs to allow the return traffic.
>
> The most important thing is that CBAC doesn't do anything filtering wise
> without ACLs (it does some application layer inspection). If your external
> interface allows all incoming traffic, then all incoming traffic is
> allowed in. There is no way for CBAC to stop that traffic, your ACLs stop
> the traffic. No ACLs, no security!!
>
> CBAC is kinda like the established keyword, but is a lot smarter. All the
> established keyword does is look at the TCP flags (If the flag doesn't
> contain SYN flag, well hey it's established). CBAC will check sequence
> numbers, etc to ensure the traffic IS part of the allowed connection.
> CBAC supports UDP (as best as it can) and also understands more complex
> protocols like H.323, FTP, SIP etc.
>
> Another few good commands for your firewall:
>
> no ip source-route
> ip access-list extended EXTERNAL
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 192.168.0.0 0.0.255.255 any
> ...... (your ACLs that you need)
> .......
>
> The ACL above is applied inbound on the external interface and stops
> incoming packets spoofing your internal network source addresses (a common
> attack is called SMURF). Source routing should always be disabled as
> packets should not be able to specify the route to a destination - your
> routing topology should control that.
>
> With your ACLs always remember you should let the "GOOD" ICMP diagnostics
> in (e.g. unreachables, TTL expired, source quench)
>
> Regards,
>
> Justin Menga MCSE+I CCNP CCSE ASE
> WAN Specialist
> Computerland New Zealand
> PO Box 3631, Auckland
> DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
> mailto: justin.menga@computerland.co.nz
>
>
> -----Original Message-----
> From: Moran, Ed [mailto:morane@telecomsys.com]
> Sent: Friday, 1 December 2000 11:42 a.m.
> To: 'Justin Menga '; Moran, Ed; 'CCIELAB (E-mail) '
> Subject: RE: IP Inspect
>
>
> What you have stated are a few of the things that I feel are wrong with
> it. I do not know much about the IOS Firewall and that is why I asked the
> group. Why would TAC configure such an open firewall? I won't be in the
> office until after my lab on December 13th/14th, otherwise I would send you
> the complete config to analyze. Thanks, I think I need to reconfigure this
> completely.
>
> -----Original Message-----
> From: Justin Menga
> To: 'Moran, Ed'; CCIELAB (E-mail)
> Sent: 11/30/00 5:23 PM
> Subject: RE: IP Inspect
>
> Hi,
>
> This configuration is totally wrong - there are no access lists set up
> or applied!!
>
> CBAC is a really great tool that really simplifies how you do
> access-lists. You must define what traffic is going through the firewall.
> You need to think about WHO is INITIATING the connection (i.e. Internal or
> External). Typically, there will only be a few connections that are
> initiated from the EXTERNAL network (e.g. smtp, http, ftp, https). You need
> to define an access-list that allows these connections IN to the external
> interface and then deny everything else.
>
> e.g.
>
> access-list 100 permit tcp any host 200.200.200.1 eq smtp
> access-list 100 deny ip any any
> int s0
> ip access-group 100 in
>
> With the above, any host can communicate to 200.200.200.1 on port 25,
> but nothing else will work. Even return traffic to internal hosts will be
> blocked - CBAC solves this problem. CBAC monitors internal host
> connections to the outside and puts in temporary ACL entries to permit the
> return traffic. You need to specify where CBAC runs and what it is looking
> at. This is done via inspect statements. The inspect statements are also
> evaluated in order from top to bottom, so more specific stuff (e.g. HTTP)
> should be above TCP to utilise the HTTP inspection features. You need to
> bind it to an interface as well. This really depends on your traffic flows
> and if you have DMZ networks. You can either apply it INBOUND on the
> internal interface, or OUTBOUND on the external interface.
>
> e.g. The below config allows any internal client to have a TCP or UDP
> connection out to the Internet, but only allows an external client to
> initiate a telnet session to the Internet router (NOT RECOMMENDED).
>
> ip inspect name Internet cuseeme
> ip inspect name Internet ftp
> ip inspect name Internet h323
> ip inspect name Internet rcmd
> ip inspect name Internet realaudio
> ip inspect name Internet smtp
> ip inspect name Internet streamworks
> ip inspect name Internet vdolive
> ip inspect name Internet sqlnet
> ip inspect name Internet tftp
> ip inspect name Internet http java-list 90
> ip inspect name Internet tcp
> ip inspect name Internet udp
>
> interface FastEthernet1/0
> ip address 191.9.88.16 255.255.0.0
> ip nat inside
>
> interface FastEthernet1/1
> ip address 204.193.110.253 255.255.255.0
> ip nat outside
> ip inspect Internet out
> ip access-group 100 in
>
> access-list 100 permit tcp any host 204.193.110.253 eq telnet
> access-list 100 deny ip any any
>
>
> Regards,
>
> Justin Menga MCSE+I CCNP CCSE ASE
> WAN Specialist
> Computerland New Zealand
> PO Box 3631, Auckland
> DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
> mailto: justin.menga@computerland.co.nz
>
>
> -----Original Message-----
> From: Moran, Ed [mailto:morane@telecomsys.com]
> Sent: Friday, 1 December 2000 5:02 a.m.
> To: CCIELAB (E-mail)
> Subject: IP Inspect
>
>
> I have a customer with an IOS Firewall Feature Set. TAC helped me set up
> the firewall and this is the config he used.
>
> access-list 90 permit any
> ip inspect name Internet tcp
> ip inspect name Internet udp
> ip inspect name Internet cuseeme
> ip inspect name Internet ftp
> ip inspect name Internet h323
> ip inspect name Internet rcmd
> ip inspect name Internet realaudio
> ip inspect name Internet smtp
> ip inspect name Internet streamworks
> ip inspect name Internet vdolive
> ip inspect name Internet sqlnet
> ip inspect name Internet tftp
> ip inspect name Internet http java-list 90
>
> interface FastEthernet1/0
> ip address 191.9.88.16 255.255.0.0
> ip nat inside
> ip inspect Internet out
>
> interface FastEthernet1/1
> ip address 204.193.110.253 255.255.255.0
> ip nat outside
> ip inspect Internet out
>
> Can someone please explain to me why the interfaces both use the "IP
> Inspect Internet out" statement? If you filter from the Internet, wouldn't
> you want to inspect inbound on interface Fa1/1?
>
> Also, can someone point me to a good reference for the firewall? I am
> having some problems understanding how everything works with it. Checkpoint
> was nice with that GUI and "point and click" atmosphere...
>
> Thanks...
>
> E A Moran
> Network Engineer
> CNE,MCSE,CCNP,CCDP
> TeleCommunication Systems
> (813)831-6353
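The thread above turns on three distinct filtering decisions: a static inbound ACL (including the anti-spoofing denies of private source ranges), the `established` keyword (which looks only at TCP flags), and CBAC-style stateful inspection (which only admits return traffic for a connection it saw initiated from inside, and checks sequence numbers). The Python model below is an added example written for this page; it is not Cisco code and not anything posted in the thread. It ignores NAT, uses the router's outside address from the thread, and assumes a hypothetical inside client 191.9.88.20, a hypothetical web server 203.0.113.7 and a hypothetical scanner 198.51.100.9; all packets are constructed samples. It shows why the thread says "no ACLs, no security", why `established` admits a bare ACK scan, and why a forged segment with a wrong sequence number is dropped by the stateful inspector but not by `established`.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int = 0
    ack: int = 0
    length: int = 0   # payload bytes


# Router outside address taken from the thread; CLIENT is an assumed
# example host and NAT is ignored in this model.
EDGE = "204.193.110.253"
CLIENT = "191.9.88.20"
BOGONS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def inbound_acl(pkt: Packet) -> bool:
    """Static ACL applied inbound on the outside interface: deny private
    source addresses, permit SMTP to the router, deny everything else."""
    if any(ip_address(pkt.src) in net for net in BOGONS):
        return False
    return pkt.dst == EDGE and pkt.dport == 25


def established_permits(pkt: Packet) -> bool:
    """The `established` keyword: permit if ACK or RST is set. It checks
    flags only, so a crafted ACK with no connection behind it passes."""
    return bool(pkt.flags & (ACK | RST))


class Inspector:
    """CBAC-like: an outbound SYN creates a session; inbound segments are
    permitted only for a matching session and only if the sequence numbers
    fit what the session expects."""
    WINDOW = 65535

    def __init__(self):
        self.sessions = {}   # (client, cport, server, sport) -> state dict

    def outbound(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.sessions[key] = {"state": "SYN_SENT", "client_isn": pkt.seq}
            return True
        return key in self.sessions   # other outbound segments need a session

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse direction
        s = self.sessions.get(key)
        if s is None:
            return False   # nothing inside initiated this: drop
        if s["state"] == "SYN_SENT":
            # Second step of the handshake: SYN/ACK acknowledging our ISN + 1
            ok = (pkt.flags & (SYN | ACK)) == (SYN | ACK) and pkt.ack == s["client_isn"] + 1
            if ok:
                s["state"] = "ESTABLISHED"
                s["server_next"] = pkt.seq + 1
            return ok
        # ESTABLISHED: must carry ACK and its seq must lie in the window
        # we expect from the server side.
        in_window = 0 <= pkt.seq - s["server_next"] < self.WINDOW
        if pkt.flags & ACK and in_window:
            s["server_next"] = pkt.seq + pkt.length
            return True
        return False


def run_scenario() -> dict:
    """Decisions for constructed sample packets (not captured traffic)."""
    fw = Inspector()
    spoofed = Packet("10.9.9.9", 40000, EDGE, 25, SYN, seq=1)
    ack_scan = Packet("198.51.100.9", 40001, CLIENT, 445, ACK, seq=7, ack=7)
    syn = Packet(CLIENT, 50000, "203.0.113.7", 80, SYN, seq=1000)
    synack = Packet("203.0.113.7", 80, CLIENT, 50000, SYN | ACK, seq=5000, ack=1001)
    data = Packet("203.0.113.7", 80, CLIENT, 50000, ACK, seq=5001, ack=1001, length=100)
    forged = Packet("203.0.113.7", 80, CLIENT, 50000, ACK, seq=999999, ack=1001, length=10)
    return {
        "spoofed_private_source_acl": inbound_acl(spoofed),
        "ack_scan_established": established_permits(ack_scan),
        "ack_scan_cbac": fw.inbound(ack_scan),
        "outbound_syn": fw.outbound(syn),
        "synack_cbac": fw.inbound(synack),
        "data_cbac": fw.inbound(data),
        "forged_seq_cbac": fw.inbound(forged),
        "forged_seq_established": established_permits(forged),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:30} {'permit' if verdict else 'deny'}")
```

The window check is deliberately simplified (a fixed 64 KiB window, no handling of retransmissions or FIN teardown), which is enough to show the difference the thread describes: `established` is a flag test, while stateful inspection ties every inbound segment to a session the inside host actually opened.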
>
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:58 GMT-3