© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.05-1
Adaptive Threat Defense: Configuring Cisco IOS Firewall Authentication Proxy

Transcript:


What Is the Authentication Proxy?
– HTTP, HTTPS, FTP, and Telnet authentication
– Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
– Once authenticated, all types of application traffic can be authorized
– Works on any interface type for inbound or outbound traffic

Using Cisco IOS Firewall Authentication Proxy (diagram: client hosts, an AAA server, FTP, Telnet, and web servers, and the Internet)

Login screen (screenshot)

Supported AAA Servers
– RADIUS: Cisco Secure ACS UNIX; Cisco Secure ACS for Windows NT/2000; Lucent
– TACACS+: Cisco Secure ACS UNIX; Cisco Secure ACS for Windows NT/2000; TACACS+ Freeware

Applying Authentication Proxy (diagram: user, Cisco IOS Firewall with inside and outside interfaces, AAA server, and a web, FTP, or Telnet server)
– For outbound proxy authentication, enable the Cisco IOS Firewall authentication proxy to intercept inward HTTP, HTTPS, FTP, or Telnet traffic from the inside.
– For inbound proxy authentication, enable the Cisco IOS Firewall authentication proxy to intercept inward HTTP, HTTPS, FTP, or Telnet traffic from the outside.
– For outbound proxy authentication, add an ACL to block inward traffic from the inside, except from the AAA server.
– For inbound proxy authentication, add an ACL to block inward traffic from the outside.

Create auth-proxy Service in the Cisco Secure ACS
– Enter the new service: auth-proxy.

Create a User Authorization Profile in the Cisco Secure ACS
– Check the auth-proxy checkbox.
– Check the Custom attributes checkbox.
– Enter the ACLs to apply after the user authenticates:
    proxyacl#1=permit tcp any any
    priv-lvl=15
– Enter the privilege level of the user; it must be 15 for all users.

User Authorization Profiles
    proxyacl#1=permit tcp any any eq 443   (HTTPS)
    proxyacl#2=permit icmp any host
    proxyacl#3=permit tcp any any eq ftp
    proxyacl#4=permit tcp any any eq smtp
    proxyacl#5=permit tcp any any eq telnet
    priv-lvl=15
– Defines the allowable protocols, services, and destination addresses.
– The source address is always any and is replaced in the router with the IP address of the host making the request.
– Privilege level must be set to 15 for all users.
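The profile attributes have a fixed shape that is worth checking before they are loaded on the ACS. The following Python is an added example, not part of the course or of any Cisco tool: it checks a constructed profile (the 10.1.1.50 server and 192.168.1.10 client addresses are made up) against the rules stated above and renders the per-host entries the router installs after that client authenticates.

```python
import re
from typing import List

# Constructed sample of the custom attributes in one Cisco Secure ACS
# auth-proxy user profile (made up for this example, not a real ACS export).
SAMPLE_PROFILE = """\
proxyacl#1=permit tcp any any eq 443
proxyacl#2=permit icmp any host 10.1.1.50
proxyacl#3=permit tcp any any eq ftp
priv-lvl=15
"""

# proxyacl#N=permit <protocol> <source> <rest of the ACE>
ACE_RE = re.compile(r"^proxyacl#(\d+)=permit\s+(\S+)\s+(\S+)\s+(.+)$")


def check_profile(text: str) -> List[str]:
    """Return the rule violations in an auth-proxy profile (empty list = OK):
    entries must be proxyacl#1..N in order, each a permit whose source is
    'any' (the router substitutes the authenticated host's address), and the
    profile must carry priv-lvl=15."""
    errors, count, priv = [], 0, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("priv-lvl="):
            priv = line.split("=", 1)[1]
            continue
        m = ACE_RE.match(line)
        if not m:
            errors.append(f"not a 'proxyacl#N=permit ...' entry: {line}")
            continue
        count += 1
        if int(m.group(1)) != count:
            errors.append(f"expected proxyacl#{count}, got: {line}")
        if m.group(3) != "any":
            errors.append(f"source must be 'any': {line}")
    if priv != "15":
        errors.append("priv-lvl must be 15 for auth-proxy users")
    return errors


def dynamic_aces(text: str, host_ip: str) -> List[str]:
    """Render the entries the router adds to the interface ACL once host_ip
    authenticates with this profile: the 'any' source becomes 'host <ip>'.
    Raises ValueError if the profile breaks the rules checked above."""
    errors = check_profile(text)
    if errors:
        raise ValueError("; ".join(errors))
    return [f"permit {m.group(2)} host {host_ip} {m.group(4)}"
            for m in (ACE_RE.match(l.strip()) for l in text.splitlines()) if m]
```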

Authentication Proxy Configuration
– Configure AAA
– Configure the HTTP server
– Create the authentication proxy rule
– Apply the Cisco IOS Firewall authentication proxy rule to an interface
– Verify the Cisco IOS Firewall authentication proxy

Enable AAA
    router(config)# aaa new-model
    router(config)# aaa authentication login default group tacacs+
    router(config)# aaa authorization auth-proxy default group tacacs+
– Enables AAA functionality on the router, sets the default login authentication method to TACACS+, and sets the default auth-proxy authorization method to TACACS+

Define a TACACS+ Server and Its Key
    router(config)# tacacs-server host
    router(config)# tacacs-server key secretkey
– Specifies the TACACS+ server IP address
– Specifies the TACACS+ server key

Define a RADIUS Server and Its Key
    router(config)# radius-server host
    router(config)# radius-server key secretkey
– Specifies the RADIUS server IP address
– Specifies the RADIUS server key

Allow AAA Traffic to the Router (diagram: AAA server and router interface)
    router(config)# access-list 111 permit tcp host eq tacacs host
    router(config)# access-list 111 permit icmp any any
    router(config)# access-list 111 deny ip any any
    router(config)# interface fastEthernet0/0
    router(config-if)# ip access-group 111 in
– Create an ACL to permit TACACS+ traffic from the AAA server to the firewall
  – Source address = AAA server
  – Destination address = interface where the AAA server resides
– May want to permit ICMP
– Deny all other traffic
– Apply the ACL to the interface on the side where the AAA server resides

Enable the Router HTTP or HTTPS Server for AAA
    router(config)# ip http server
    router(config)# ip http secure-server
    router(config)# ip http authentication aaa
– Enables the HTTP server on the router
  – The proxy uses the HTTP server for communication with a client
– Enables the HTTPS server on the router
– Sets the HTTP server authentication method to AAA

Set Global Timers
    router(config)# ip auth-proxy inactivity-timer 120
    router(config)# ip auth-proxy name APRULE http
    router(config)# interface fastEthernet0/0
    router(config-if)# ip auth-proxy APRULE
– Authentication inactivity timer in minutes (default = 60 minutes)
– Creates an authentication proxy rule
– Applies an authentication proxy rule to an interface
  – For outbound authentication, apply to the inside interface
  – For inbound authentication, apply to the outside interface

Authentication Proxy Rules with ACLs
    router(config)# access-list 10 permit
    router(config)# ip auth-proxy name APRULE http list 10
    router(config)# interface fastEthernet0/0
    router(config-if)# ip auth-proxy APRULE
– Creates an authentication proxy rule with an ACL: only traffic from sources permitted by standard ACL 10 is intercepted by the proxy

Example (diagram: R2 (Firewall) with interfaces E0 and S0, Host A, WWW and AAA servers, R1, and the Internet)
– Apply auth-proxy, ACL 105, and IOS Classic Firewall
– Apply ACL 102 to block all inbound traffic except from the AAA server

Router 2 Configuration
– Configure AAA for the authentication proxy
    R2(config)# aaa new-model
    R2(config)# aaa authentication login default group tacacs+
    R2(config)# aaa authorization auth-proxy default group tacacs+
    R2(config)# aaa accounting auth-proxy default start-stop group tacacs+
    R2(config)# tacacs-server host
    R2(config)# tacacs-server key cisco
    R2(config)# radius-server host
    R2(config)# radius-server key cisco
– Create the classic firewall inspection rule SNRS
    R2(config)# ip inspect name SNRS http
    R2(config)# ip inspect name SNRS tcp
    R2(config)# ip inspect name SNRS ftp
    R2(config)# ip inspect name SNRS smtp
– Name the auth-proxy rule and set the global authentication proxy timeout value
    R2(config)# ip auth-proxy auth-cache-time 60
    R2(config)# ip auth-proxy name SNRS-Proxy http
    R2(config)# ip http server
    R2(config)# ip http authentication aaa

Router 2 Configuration (Cont.)
– Create ACL 102 to block all traffic inbound on interface E0 except for traffic from the AAA server.
    R2(config)# access-list 102 permit tcp host eq tacacs host
    R2(config)# access-list 102 deny tcp any any
    R2(config)# access-list 102 deny udp any any
    R2(config)# access-list 102 permit ip any any
– Create ACL 105 to block all traffic inbound on interface Serial0. Permit only IP protocol traffic.
    R2(config)# access-list 105 deny tcp any any
    R2(config)# access-list 105 deny udp any any
    R2(config)# access-list 105 permit ip any any
– Apply ACL 105, the inspection rule, and the authentication proxy rule to Serial0, and ACL 102 to Ethernet0.
    R2(config)# interface Serial0
    R2(config-if)# ip address
    R2(config-if)# ip access-group 105 in
    R2(config-if)# ip inspect SNRS in
    R2(config-if)# ip auth-proxy SNRS-Proxy
    R2(config)# interface Ethernet0
    R2(config-if)# ip address
    R2(config-if)# ip access-group 102 in

Verifying Authentication Proxy
    router# show ip auth-proxy cache
    router# show ip auth-proxy configuration
    router# show ip auth-proxy watch-list
– Displays statistics, configurations, and cache entries of the authentication proxy subsystem

debug Commands
    router# debug ip auth-proxy ftp
    router# debug ip auth-proxy function-trace
    router# debug ip auth-proxy http
    router# debug ip auth-proxy object-creation
    router# debug ip auth-proxy object-deletion
    router# debug ip auth-proxy tcp
    router# debug ip auth-proxy telnet
    router# debug ip auth-proxy timer

Clear the Cisco IOS Firewall Authentication Proxy Cache
    router# clear ip auth-proxy cache {* | ip_addr}
– Clears authentication proxy entries from the router (* clears all entries; ip_addr clears the entry for a single host)

Summary
– The Cisco IOS Firewall authentication proxy feature enables network administrators to apply specific security policies on a per-user basis for TACACS+ and RADIUS servers.
– To support the authentication proxy, configure the AAA authorization auth-proxy service on the Cisco Secure ACS for Windows.
– To configure the authentication proxy, you must:
  – Configure AAA support
  – Create an authentication proxy rule
  – Apply the rule to an interface
