Chapter 10: Configuring Cisco Secure Integrated Software
© 1999, Cisco Systems, Inc. MCNS v

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
Identify Cisco Secure Integrated Software features
Configure Cisco Secure Integrated Software features to secure a case study network

XYZ Company's IOS FW Plan
[Figure: case study network. Internet; R1 perimeter router; PIX Firewall; protected DMZ (bastion host, SMTP server, DNS server); dirty DMZ (bastion host Web server); NetRanger sensor and NetRanger Director; NetSonar; campus router; R2 NAS for Sales dialup clients; client/server hosts; NT server running CiscoSecure, Web, FTP, TFTP and Syslog; CA server; remote branch and Web surfer reaching in across the Internet.]

Cisco Secure Integrated Software Feature Set

Cisco Secure Integrated Software Feature Set
Context-Based Access Control
–Secure per-application filtering
–Control downloading of Java applets
–Denial-of-service detection and prevention
–Real-time alerts
–Transaction logs
–Administration

Securing Network Perimeter and DMZ with 1605-R and Cisco Secure Integrated Software Feature Set
[Figure: Cisco 1605-R router with Cisco IOS Firewall Feature Set between the protected network (users, server) and the ISP/Internet; a Micro Webserver bastion host offers public-access Web services (HTTP, etc.).]

Planning for CSIS
To maximize security with CSIS, perform the following tasks:
Determine the necessary security server support
Determine the types of access lists to use and where to use them
Decide whether to use CBAC
Decide whether to use NAT
Decide whether to use TCP Intercept
Determine if encryption is needed

Context-Based Access Control Operation
[Figure: User 1 behind a perimeter router with CBAC enabled, connected to the Internet.]
User 1 initiates a Telnet session
CBAC permits the return traffic (the reply) of User 1's Telnet session
CBAC blocks other Telnet traffic: externally-generated Telnet sessions are blocked

Configuring Context-Based Access Control

Configuring Context-Based Access Control
1. Pick an interface: internal or external
2. Configure IP access lists at the interface
3. Configure global timeouts and thresholds
4. Define an inspection rule
5. Apply the inspection rule to an interface
6. Test and verify CBAC

Configuring the External Interface
Outbound access lists can be standard or extended
Inbound access lists must be extended
[Figure: perimeter router with S1 as the external (Internet-facing) interface and an internal interface.]
Returning traffic from an internally-generated session is allowed through the firewall
Depending on the ACL statement, traffic from an externally-generated session can be allowed through or blocked at the firewall

Configuring the Internal Interface
Inbound access list must be extended
Outbound access list can be standard or extended
[Figure: perimeter router with E0 as the internal interface; traffic entering from the internal network and traffic exiting towards the bastion host (Web server, FTP server) and the Internet.]

Managing Timeouts and Thresholds
ip inspect tcp synwait-time seconds (default 30)
–Time the software waits for a TCP session to reach the established state
ip inspect max-incomplete high number (default 500)
–The number of existing half-open sessions that will cause the software to start deleting half-open sessions
[Figure: SYN flood. The client sends SYN ("Can I talk to you?"); the server answers SYN, ACK ("Yes") and the port is left in the open (half-open) state; the sender repeats the SYN on many more ports.]

Defining an Inspection Rule
Define the inspection rules using the following tools:
Configure application-layer protocol inspection
Configure Java inspection
Configure generic TCP and UDP inspection

Configuring Application-Layer Protocol Inspection
Configure the inspection using the following command:
Perimeterx(config)# ip inspect name inspection-name protocol [timeout seconds]
Global configuration command
Configures CBAC inspection for an application-layer protocol (except for RPC and Java)
The timeout option is the idle time to use instead of the generic TCP or UDP timeouts

Configuring Java Inspection
Configure the inspection using the following two commands:
Perimeterx(config)# ip access-list standard name
 permit … / deny … (use permit or deny as needed)
or
Perimeterx(config)# access-list access-list-number {deny | permit} source [source-wildcard]
Perimeterx(config)# ip inspect name inspection-name http [java-list access-list] [timeout seconds]

Configuring Generic TCP and UDP Inspection
Configure the inspection using the following two commands:
Perimeterx(config)# ip inspect name inspection-name tcp [timeout seconds]
Perimeterx(config)# ip inspect name inspection-name udp [timeout seconds]
Use the same inspection-name as specified for the other protocols, to create a single inspection rule.

Applying the Inspection Rule to an Interface
Use the inspection rule defined with the global ip inspect name command (here named outboundrules) and apply it in interface configuration mode:
Perimeterx(config)# interface serial0
Perimeterx(config-if)# ip inspect outboundrules out
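As an added worked example (not part of the original course slides), here is a complete Cisco IOS configuration that walks through the six CBAC steps above on one perimeter router. The interface names serial0 (external) and ethernet0 (internal), the protected network 192.0.2.0/24, the bastion host 192.0.2.3 and the trusted Java source 198.51.100.0/24 are assumed values.

```text
! Added example, not from the course material. Assumed topology: serial0 faces the
! Internet, ethernet0 faces the protected 192.0.2.0/24 network, and 192.0.2.3 is the
! bastion host offering HTTP and FTP to the public.
!
! Step 2: inbound extended ACL on the external interface. Only the bastion host's
! published services and ICMP error/echo replies are permitted statically; CBAC
! adds temporary openings for the return traffic of sessions started from inside.
ip access-list extended EXT-IN
 permit tcp any host 192.0.2.3 eq www
 permit tcp any host 192.0.2.3 eq ftp
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Step 2 (cont.): inbound list on the internal interface must be extended; it lets
! only the protected network originate sessions (anti-spoofing).
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip any any log
!
! Step 3: global timeouts and thresholds (30 and 500 are the defaults quoted on the
! slide; "low" is the level at which deletion of half-open sessions stops).
ip inspect tcp synwait-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!
! Step 4: one named rule covering application-layer protocols, Java applet control
! and generic TCP/UDP. Standard ACL 10 lists the only site whose applets may load.
access-list 10 permit 198.51.100.0 0.0.0.255
access-list 10 deny   any
ip inspect name outboundrules http java-list 10 timeout 3600
ip inspect name outboundrules ftp timeout 3600
ip inspect name outboundrules smtp
ip inspect name outboundrules tcp timeout 3600
ip inspect name outboundrules udp timeout 15
!
! Step 5: apply the ACLs and the inspection rule to the chosen (external) interface.
interface serial0
 ip access-group EXT-IN in
 ip inspect outboundrules out
interface ethernet0
 ip access-group 101 in
!
! Step 6: verify from privileged EXEC mode with
!   show ip inspect config
!   show ip inspect sessions
```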

Testing and Verifying CBAC

Debugging CBAC
There are three types of debug commands in this section (entered in privileged EXEC mode):
Generic: Perimeterx# debug ip inspect function-trace
Transport level: Perimeterx# debug ip inspect tcp
Application protocol: Perimeterx# debug ip inspect protocol

Command Line Interface
Advantage: powerful
–commands exist for every parameter in every product
–variables allow configuration of timers and counters to meet the specific needs of every enterprise
Disadvantages:
–numerous, complex commands are difficult to remember
–more commands appear with every new release of Cisco IOS software

ConfigMaker
Advantage: graphical user interface
–familiar windowed environment with supporting dialog boxes
–wizards provide guidance during configuration
Disadvantages:
–limited product support
–limited configuration parameters

Lab Exercise: Configuring Cisco CSIS

Lab Objectives
Upon completion of this lab, you will be able to:
Configure the CSIS Feature Set on Cisco routers to create a secure communication environment based on a case study network design
Configure Cisco routers for CBAC:
–Determine network design details
–Pick an interface
–Configure IP access lists at the interface
–Define an inspection rule
–Apply the inspection rule to an interface
–Test and verify CBAC on Cisco routers

MCNS Lab Environment (generic; X = POD #)
[Figure: PerimeterX router connected through Frame Relay (Internet) to the Telco Simulator (100X), with a 10.X.1.0/24 network holding the bastion host (.3, Web and FTP server); PIXX Firewall with outside X.0/24 (.2), DMZ and inside (.3) interfaces; NASX (.1) for Sales dialup; internal 10.X.2.1/24 network with Windows NT PC NT1 and an NT server (CiscoSecure NT, IIS FTP and Web server, Cisco Security Manager, Syslog and TFTP server, addresses 10.X.2.2 to 10.X.2.10); instructor NT server (.4) providing FTP, HTTP and CA; protected DMZ and dirty DMZ.]

Summary

Summary
After completing this chapter, you should be able to perform the following tasks:
Configure CSIS
–Pick an interface
–Configure IP access lists at the interface
–Configure global timeouts and thresholds
–Define inspection rules
–Apply the inspection rules to an interface
–Test and verify the CSIS configuration

Review Questions
1. Define four features of CBAC.
A. Secure per-application filtering
B. Support for advanced protocols
C. Control downloading of Java applets
D. DoS detection and prevention
E. Real-time alerts
F. TCP/UDP transaction logs
G. Administration

Review Questions (cont.)
2. Place the following configuration steps in the correct order:
1. Pick an interface: internal or external
2. Configure IP access lists at the interface
3. Configure global timeouts and thresholds
4. Define an inspection rule
5. Apply the inspection rule to an interface
6. Test and verify CBAC

Review Questions (cont.)
3. What command would you use to verify CBAC application-protocol inspection of packets?
A. debug ip inspect protocol