150x01x.book Page 540 Monday, June 18, 2007 8:52 AM

Implementing Cisco IOS Firewalls

Configure a Cisco IOS Firewall Using the CLI

Configuring a Cisco IOS firewall using the CLI is simple. You already know how to create and apply ACLs. A Cisco IOS firewall allows you to add inspection rules to an interface. An inspection rule is simply another method of ensuring the safety of that interface: the router drops packets that are unsafe in the context of the connections already established. For example, when a TCP inspection rule is applied to an interface, a TCP reset (RST) packet is not allowed into the interface unless a TCP connection has previously been established with the machine sending the reset.

When using inspection rules, you must also apply an ACL to the interface. A packet may be rejected by the inspection rule, by the ACL, or by both. The packet is first examined by the access list. If the packet passes the access list, the inspection rule is checked next to determine whether that packet may transit the interface.

There are five simple steps to implementing inspection rules through the CLI:

Step 1 Choose the interface and packet direction to inspect.
Step 2 Configure an IP ACL for the interface.
Step 3 Define the inspection rules.
Step 4 Apply the inspection rules and the ACL to the interface.
Step 5 Verify the configuration.

Step 1: Choose an Interface and Packet Direction to Inspect

Choosing an interface is generally very easy. Although every network is different, two general guidelines will help you decide how and where to apply the ACL and inspection rule:

■ On an interface where untrusted traffic originates:
  — Apply the ACL on the inbound direction of the interface so that only traffic allowed by the ACL is inspected.
  — Apply the inspection rule on the inbound direction of the interface so that only traffic considered safe transits the interface.
■ For all other interfaces, apply the ACL on the outbound direction of the interface so that all unwanted traffic is dropped rather than sent over the network.

Step 2: Configure an IP ACL for the Interface

You must use extended access lists when you are also using inspection rules. If you are not familiar with extended access lists or need to review them, you are encouraged to do so now; a full explanation of extended access lists can be found at Cisco.com. The access list in Example 22-1 would be applied to the outside interface. It allows users outside the network to connect to the SMTP server residing at 10.10.1.9 and the HTTP server residing at 10.10.1.15.

Example 22-1 Extended Access List

  ip access-list extended acl_from_outside
   permit tcp any host 10.10.1.9 eq 25
   permit tcp any host 10.10.1.15 eq 80
   deny ip any any log

Step 3: Define the Inspection Rules

An inspection rule is defined through the ip inspect command, the syntax for which is as follows:

  [no] ip inspect name inspection-name protocol [alert {on | off}] [timeout seconds]

Table 22-2 lists the parameters available for this command.

Table 22-2 ip inspect Command Parameters

  Parameter         Description
  inspection-name   Defines the name of the inspection rule.
  protocol          Defines the protocol to be inspected. There are more than 170 supported protocols, some of which are as follows: TCP, UDP, ICMP, SMTP, ESMTP, CUSEEME, FTP, FTPS, HTTP, H323, NETSHOW, RCMD, RealAudio, RPC, RTSP, SIP, SKINNY, SQLNET, TFTP, VDOLive.
  alert {on | off}  Toggles alerts on or off.
  timeout seconds   Defines the time interval in seconds between alert updates (default is 10 seconds).

Example 22-2 shows how to define the inspection rules for this example.

Example 22-2 IP Inspection Rules

  Router(config)#ip inspect name from_outside ftp alert off audit-trail on timeout 60
  Router(config)#ip inspect name from_outside http alert on audit-trail on timeout 30

The preceding example sets the timeout for FTP to 60 seconds and sends no alerts for FTP. The HTTP setting decreases the timeout to 30 seconds and sends alerts regarding HTTP. Both FTP and HTTP in this example use audit trails.

Step 4: Apply the Inspection Rules and the ACL to the Interface

Now that the ACL and inspection rules have been defined, you must apply them to the interface. Audit trails will be used, so your first task is to enable audit trails in the global configuration. Alerts have also been chosen. Both are simple to set up with the global commands executed in Example 22-3.

Example 22-3 Global Configuration for Logging and Alerts

  Router(config)#ip inspect audit-trail    ! enables the delivery of audit trail messages using syslog
  Router(config)#logging on                ! turns on logging
  Router(config)#logging host 10.10.1.20   ! sets our logging server to 10.10.1.20
  Router(config)#no ip inspect alert-off   ! turns on real-time alerts

Now that the global configuration is established, you simply apply the previously defined inspection rules to the individual interface. While you are in interface configuration mode, you also apply the ACL to that interface, as demonstrated in Example 22-4.

Example 22-4 Apply Inspection Rules to the Interface

  Router(config)#int e0/0
  Router(config-if)#ip inspect from_outside in
  Router(config-if)#ip access-group acl_from_outside in
  Router(config-if)#^Z

The configuration is now complete. The next step is to verify your configuration.

Step 5: Verify the Configuration

Verification of the setup is very simple. The show ip inspect command displays how the inspection rules have been configured. The syntax for the show ip inspect command is as follows:

  show ip inspect [name inspection-name | config | interface | session {detail} | statistics | all]

A number of options are available with this command, as described in Table 22-3. The output from this command is simple to understand, as demonstrated in Example 22-5. Example 22-6 shows the output from a show ip inspect all command.
Table 22-3 show ip inspect Command Options

  Parameter              Description
  name inspection-name   Displays the configured inspection with the defined inspection name
  config                 Displays the entire IP inspection configuration
  interface              Displays the configurations used within the interface mode
  session                Displays sessions that are currently being tracked
  detail                 Displays additional details about current sessions
  statistics             Displays statistical information
  all                    Displays all information

Example 22-5 show ip inspect session Command Output

  Router#show ip inspect session
  Established Sessions
   Session 70A64274 (172.16.1.12:32956)=>(10.10.1.5:25) tcp SIS_OPEN
    Created 00:00:07, Last heard 00:00:03
    Bytes sent (initiator:responder) [137:319] acl created 2
    Inbound access-list acl_from_outside applied to interface Ethernet0/0

Example 22-6 show ip inspect all Command Output

  Router#show ip inspect all
  Session audit trail is enabled
  one-minute (sampling period) thresholds are [400:500] connections
  max-incomplete sessions thresholds are [400:500]
  max-incomplete tcp connections per host is 50. Block-time 0 minute.
  tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
  tcp idle-time is 3600 sec -- udp idle-time is 30 sec
  dns-timeout is 5 sec
  Inspection Rule Configuration
   Inspection name inspect_from_outside
    tcp timeout 3600
    udp timeout 30
    ftp timeout 3600
  Interface Configuration
   Interface Ethernet0
    Inbound inspection rule is inspect_from_outside
     tcp timeout 3600
     udp timeout 30
     ftp timeout 3600
    Outgoing inspection rule is not set
    Inbound access list is acl_from_outside
    Outgoing access list is not set
  Established Sessions
   Session 25A6E1C (10.3.0.1:46065)=>(10.1.1.9:25) ftp SIS_OPEN
   Session 25A34A0 (10.1.1.9:20)=>(10.3.0.1:46072) ftp-data SIS_OPEN

Although debugging IP inspection is beyond the scope of this book, it can be helpful to know a few of the debug commands associated with inspection. Table 22-4 shows the most common debug commands associated with IP inspection and describes their purpose.

Table 22-4 debug ip inspect Commands

  Command                            Description
  debug ip inspect function-trace    Debugs the functions used by ip inspect
  debug ip inspect object-creation   Debugs the creation of objects used by ip inspect
  debug ip inspect object-deletion   Debugs the deletion of objects used by ip inspect
  debug ip inspect events            Debugs events within ip inspect
  debug ip inspect timers            Debugs timers used in ip inspect
  debug ip inspect detail            Provides detailed debugging of ip inspect
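Step 5 leaves the reading of show ip inspect output to the administrator's eye. As an added example that is not part of the book, the Python below parses the Session lines in the Example 22-5 format and checks each externally initiated session against the permit entries of the Example 22-1 ACL, so a tracked session whose responder the ACL never permitted stands out for investigation. The inside prefix, the sample session lines and the mapping of inspection protocol names onto TCP are assumptions of the example, not of the page.

```python
# Added example (not from the book): parse the Session lines of "show ip inspect session"
# output and check externally initiated sessions against the permits of the Example 22-1 ACL.
import re
from ipaddress import ip_address, ip_network

SESSION_RE = re.compile(
    r"Session\s+(?P<sid>[0-9A-Fa-f]+)\s+\((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+(?P<proto>[\w-]+)\s+(?P<state>SIS_\w+)")
# Only the ACL entry form used on the page: permit <proto> any host <ip> eq <port>
PERMIT_RE = re.compile(r"^\s*permit\s+(?P<proto>\w+)\s+any\s+host\s+(?P<host>[\d.]+)\s+eq\s+(?P<port>\d+)")
TCP_APPS = {"tcp", "http", "ftp", "ftp-data", "smtp", "esmtp", "sip", "rtsp"}  # assumed: ride on TCP

def parse_sessions(show_output):
    """Return one dict (sid, src, sport, dst, dport, proto, state) per Session line."""
    sessions = []
    for m in SESSION_RE.finditer(show_output):
        s = m.groupdict()
        s["sport"], s["dport"] = int(s["sport"]), int(s["dport"])
        sessions.append(s)
    return sessions

def parse_permits(acl_text):
    """Return the set of (l4-proto, host, port) tuples permitted by the ACL."""
    return {(m["proto"], m["host"], int(m["port"]))
            for m in map(PERMIT_RE.match, acl_text.splitlines()) if m}

def audit(show_output, acl_text, inside_net):
    """Session IDs initiated from outside whose responder no ACL permit covers."""
    inside, permits, flagged = ip_network(inside_net), parse_permits(acl_text), []
    for s in parse_sessions(show_output):
        if ip_address(s["src"]) in inside:
            continue  # initiated by an inside host: the inbound ACL never saw this SYN
        l4 = "tcp" if s["proto"] in TCP_APPS else s["proto"]
        if (l4, s["dst"], s["dport"]) not in permits:
            flagged.append(s["sid"])
    return flagged

# Constructed sample data: the Example 22-1 ACL and session lines in the Example 22-5 format.
ACL = """ip access-list extended acl_from_outside
 permit tcp any host 10.10.1.9 eq 25
 permit tcp any host 10.10.1.15 eq 80
 deny ip any any log"""
SESSIONS = """Established Sessions
 Session 70A64274 (172.16.1.12:32956)=>(10.10.1.9:25) smtp SIS_OPEN
 Session 70A64300 (172.16.1.12:33001)=>(10.10.1.15:80) http SIS_OPEN
 Session 70A64411 (172.16.1.12:33020)=>(10.10.1.5:25) tcp SIS_OPEN
 Session 70A64522 (10.10.1.40:46065)=>(198.51.100.7:21) ftp SIS_OPEN"""

if __name__ == "__main__":
    print(audit(SESSIONS, ACL, "10.10.1.0/24"))  # ['70A64411']
```

A session that the audit flags means the inbound ACL and the live state table disagree, which is exactly the mismatch a saved copy of the ACL in Example 22-1 cannot reveal on its own.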
Configure a Basic Firewall Using SDM

SDM provides a graphical interface that allows you to configure security on Cisco routers quickly. The ease of use and automatic features of SDM can be a great benefit to the administrator. When using SDM to configure a basic firewall, you use the same five steps that you used with the CLI, as described in the previous section. However, because you are using a graphical interface, these steps are not easily distinguishable from each other. This section describes how to use SDM to configure a basic firewall. If you have never used SDM before, you will be amazed by how quickly you can complete a simple configuration. The next section describes how to use SDM to configure an advanced firewall.

After you start SDM, click the Configure button at the top of the window. Next, click Firewall and ACL in the Tasks bar on the left. As Figure 22-1 shows, the default choice is Basic Firewall. Before you click the Launch the Selected Task button, notice the How do I pull-down menu at the bottom of the window. This menu provides help on the most common tasks when using SDM.