© 1999, Cisco Systems, Inc. MCNS

Chapter 9: Configuring a Cisco Perimeter Router

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Identify perimeter security problems and solutions
- Identify Cisco IOS software perimeter security features
- Configure a Cisco router as a perimeter router to protect Internet access from common security threats, based on a case study network design
[Figure: XYZ Company Perimeter Security Plan. Components shown: Internet, Web Surfer, Sales Dialup Client, R1 Perimeter Router, PIX Firewall, Protected DMZ (Bastion Host, SMTP Server, DNS Server, NetRanger Sensor), Dirty DMZ (Bastion Host: Web Server), Campus Router, R2 to the Remote Branch, NAS with Dialup, Client/Server, IS, CA Server, NetRanger Director, NetSonar, NT Server (CiscoSecure, Web, FTP, TFTP, Syslog Server).]
Perimeter Security Problems and Solutions

Problem: Internet Access Security Risks
- Eavesdropping
- Denial of service
- Unauthorized access
- Data manipulation
- Session replay/hijacking
- Rerouting attacks
- Malicious destruction
- Lack of legal IP addresses
[Figure: Web surfer on the Internet, perimeter router, firewall, bastion host (Web server, FTP server).]

Solution: Cisco Perimeter Router Security
- Eavesdropping: control TCP/IP services, Cisco Encryption Technology, IPSec encryption
- Unauthorized access: CiscoSecure, PIX Firewall and Cisco router AAA, ACL filtering, Lock and Key security
- Data manipulation: ACL filtering
- Session replay: control TCP/IP services
- Rerouting attacks: peer router authentication, static routes
- Denial of service: TCP Intercept
- Malicious destruction: ACL filtering
- Lack of internal IP addresses: NAT, PAT

Cisco Perimeter Router Features
- First line of defense
- Flexible configuration
- Lower cost than other firewalls
- Harnesses the power of Cisco IOS software
- Cisco IOS Firewall feature set
Problems: Eavesdropping and Session Replay

Control TCP/IP Services
- Block SNMP from the outside:
    access-list 101 deny udp any any eq snmp
- Disable proxy ARP:
    no ip proxy-arp
- Disable IP source routing:
    no ip source-route
- Disable echo and finger replies:
    no service finger
    no service tcp-small-servers
    no service udp-small-servers
Problem: Eavesdropping

Network-Layer Encryption
- Encrypts traffic between specific networks, subnets, or address/port pairs
- Specific to protocol, but media/interface independent
- Need not be supported by intermediate network devices
- Independent of intermediate topology
[Figure: hosts A, B and D and an HR Server; traffic from A to the HR Server is encrypted, all other traffic travels in the clear.]
Problems: Unauthorized Access, Data Manipulation, and Malicious Destruction

Securing the Perimeter: Inbound
- Filter packets with an internal address as source
- Filter packets with RFC-reserved addresses as source
- Filter bootp, TFTP, and traceroute
- Allow TCP connections initiated from the internal network
- Allow all other incoming connections to DMZ servers only

Securing the Perimeter: Outbound
- Allow only packets with a source address of the internal network out to the Internet
- Filter any IP addresses that are not allowed out, as defined by the security policy
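The inbound and outbound rules on the two slides above written as Cisco IOS extended access lists; this is an added example, not the course's lab configuration, and the interface names and addresses (Serial0 outside at 203.0.113.1, DMZ 192.0.2.0/24 with the bastion host at 192.0.2.3, campus 10.1.2.0/24 translated by PAT to the outside address) are constructed.

```cisco
! Added example (not from the course). Constructed addressing:
!   Serial0   = outside, 203.0.113.1/30; campus hosts are PATed to this address
!   Ethernet0 = DMZ, 192.0.2.0/24, bastion host (Web/FTP) at 192.0.2.3
!   Ethernet1 = campus (inside), 10.1.2.0/24
!
! --- Inbound from the Internet (applied "in" on Serial0) ---
! Anti-spoofing: our own addresses and RFC 1918 space never arrive from outside
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 110 deny   ip 203.0.113.0 0.0.0.3 any log
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
! Block bootp, TFTP, UNIX traceroute probes and SNMP from the outside
access-list 110 deny   udp any any eq bootps
access-list 110 deny   udp any any eq bootpc
access-list 110 deny   udp any any eq tftp
access-list 110 deny   udp any any range 33434 33523
access-list 110 deny   udp any any eq snmp
! Return traffic for TCP connections opened from inside (PAT address) or the DMZ.
! "established" only checks the ACK/RST bits; it is not real state tracking.
access-list 110 permit tcp any host 203.0.113.1 established
access-list 110 permit tcp any 192.0.2.0 0.0.0.255 established
! New connections from the Internet may reach DMZ servers only
access-list 110 permit tcp any host 192.0.2.3 eq www
access-list 110 permit tcp any host 192.0.2.3 eq ftp
! Everything else is dropped and logged (the implicit deny would not log)
access-list 110 deny   ip any any log
!
! --- Outbound (applied "in" on the campus interface, before NAT) ---
! Only packets sourced from the campus network may head for the Internet
access-list 120 permit ip 10.1.2.0 0.0.0.255 any
access-list 120 deny   ip any any log
!
interface Serial0
 description Outside (Internet)
 ip access-group 110 in
!
interface Ethernet1
 description Campus (inside)
 ip access-group 120 in
```

Because `established` matches flag bits rather than tracked connections, and passive-mode FTP to the bastion host would need its data ports opened as well, the reflexive access lists and CBAC listed in the next slide are the tools that close those gaps.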
Overview of Access List Types
- Reflexive access lists
- Time-of-day access lists
- Context-Based Access Control (CBAC)
- Dynamic (Lock and Key)
Problem: Lack of Legal IP Addresses

Perimeter Router NAT
- Hides internal IP addressing
- Internet-connected campus independent of Internet address limitations
- Internet access from unregistered clients without expensive renumbering
[Figure: campus with unregistered clients using arbitrary addresses; the perimeter router translates addresses toward the Internet.]

Perimeter Router PAT
- Provides additional IP address expansion
- One IP address used for up to 64,000 hosts (theoretical limit)
- Remaps different port numbers to a single IP address
- Secure: hides the source address of clients using the single IP address of the perimeter router
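The NAT and PAT slides above side by side in Cisco IOS; this is an added example, not the course's configuration, and the interface names, the campus network 10.1.2.0/24, the outside address 203.0.113.1/30 and the registered pool 203.0.113.17 to 203.0.113.30 are constructed.

```cisco
! Added example (not from the course). Constructed addressing:
!   Ethernet1 (inside)  campus 10.1.2.0/24, unregistered
!   Serial0   (outside) 203.0.113.1/30, registered
!   Registered block for the pool variant: 203.0.113.17 - 203.0.113.30
!
! Campus hosts eligible for translation
access-list 1 permit 10.1.2.0 0.0.0.255
!
! Variant 1, NAT (slide "Perimeter Router NAT"): dynamic one-to-one mapping
! from a pool of registered addresses; at most 14 campus hosts online at once
ip nat pool CAMPUS-POOL 203.0.113.17 203.0.113.30 netmask 255.255.255.240
ip nat inside source list 1 pool CAMPUS-POOL
!
! Variant 2, PAT (slide "Perimeter Router PAT"): every campus host shares the
! outside interface address and the router rewrites source ports ("overload").
! Configure one variant or the other; the PAT line is left commented out here.
! ip nat inside source list 1 interface Serial0 overload
!
interface Ethernet1
 description Campus (inside)
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Outside (Internet)
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
```

`show ip nat translations` lists the active inside-local to inside-global mappings, so with the PAT variant every entry carries the same global address and a different port.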
Problem: Rerouting Attacks

Routing Protocol Authentication
- MD5 authentication secures routing updates
- Supported routing protocols:
  –Enhanced IGRP
  –OSPF
  –RIPv2
  –BGP
[Figure: a campus router signs its route updates; the receiving router verifies the signature.]

MD5 Authentication: EIGRP

Router A:
    ip authentication mode eigrp 1 md5
    ip authentication key-chain eigrp 1 mcns
    key chain mcns
     key 1
      key-string
      accept-lifetime infinite
      send-lifetime Jan infinite
    exit

Router B:
    ip authentication mode eigrp 1 md5
    ip authentication key-chain eigrp 1 mcns
    key chain mcns
     key 1
      key-string
      accept-lifetime infinite
      send-lifetime 04:00:00 Jan :00:00 Jan
    exit
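A complete EIGRP MD5 configuration for one of the two routers, including the key rollover that the accept-lifetime and send-lifetime commands on the slide exist for; this is an added example, not the slide's configuration, and the key strings, dates, interface and addresses are constructed (EIGRP AS 1 and key chain name mcns come from the slide).

```cisco
! Added example (not the slide's configuration). Constructed values: Serial0
! faces the peer at 203.0.113.0/30, key strings and dates are made up.
! The peer router carries an identical key chain.
!
key chain mcns
 ! Key 1 is in use today. It stays valid for receiving indefinitely so that a
 ! neighbour which has not rolled over yet is still accepted.
 key 1
  key-string s3cret-old-KEY
  accept-lifetime 00:00:00 Jan 1 1999 infinite
  send-lifetime 00:00:00 Jan 1 1999 04:00:00 Jun 1 1999
 ! Key 2 takes over sending at 04:00 on 1 June 1999. Accepting it an hour
 ! earlier gives the peer a window in which it may start sending before we do.
 key 2
  key-string n3w-KEY-2
  accept-lifetime 03:00:00 Jun 1 1999 infinite
  send-lifetime 04:00:00 Jun 1 1999 infinite
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ! Every EIGRP packet on this link is signed with MD5 using the key chain
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 mcns
!
router eigrp 1
 network 203.0.113.0
 network 192.0.2.0
```

The lifetimes are evaluated against the router clock, so both peers need a synchronized time source (NTP) or the rollover happens at different moments and the adjacency drops.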
Problem: Denial of Service Attacks

SYN Flooding Description
- Connection requests arrive without the return ACK
- Server allocates resources (memory buffers) for each request
- Server runs out of resources and crashes or hangs
[Figure: client sends SYN ("May I talk to you?"); server answers SYN, ACK ("Yes") and the port is left in the open state; the client sends SYNs on many more ports.]

Solution: TCP Intercept
- Tracks, intercepts, and validates TCP connection requests
- Two modes: intercept and monitor
[Figure: request intercepted by the router; connection established with the client; connection then transferred to the server.]
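TCP Intercept configured on the perimeter router to protect the bastion host against the SYN flood described above; this is an added example, not the course's configuration, the bastion host address 192.0.2.3 and access list 130 are constructed, and the thresholds shown are the IOS defaults written out explicitly.

```cisco
! Added example (not from the course). Constructed: the bastion Web/FTP host
! is 192.0.2.3; access list 130 selects which connection requests are guarded.
!
! Only SYNs destined for the bastion host are intercepted
access-list 130 permit tcp any host 192.0.2.3
ip tcp intercept list 130
!
! Intercept mode: the router answers the SYN itself and completes the
! three-way handshake with the client before opening the server side, so the
! server never holds a half-open connection for a spoofed source.
ip tcp intercept mode intercept
!
! Aggressive mode: above 1100 half-open connections in total, or 1100 new
! requests in one minute, the router drops the oldest half-open connection
! for each new one until the count falls back below the low-water mark.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! A client that has not finished the handshake after 30 seconds is dropped
ip tcp intercept watch-timeout 30
!
! The "monitor" mode on the slide is the keyword "watch": the router lets the
! SYN through, observes the handshake, and sends a reset to the server for
! any connection that is not completed within watch-timeout.
! ip tcp intercept mode watch
```

`show tcp intercept connections` and `show tcp intercept statistics` show the half-open connections being held and how many have been dropped, which is what you watch during an attack.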
Problem: Need Firewall Functions in Routers

Cisco IOS Firewall Feature Set: Enhanced Security for the Intelligent Internet
- Context-Based Access Control (CBAC)
  –Secure, per-application filtering
  –Support for advanced protocols (H.323, SQLnet, RealAudio, etc.)
- Control downloading of Java applets
- Denial-of-service detection and prevention
- Real-time alerts
- TCP/UDP transaction logs
- Configuration and management
Lock and Key Security Overview

[Figure: Lock and Key Security Overview: an authorized user on the Internet is admitted to the corporate site; a nonauthorized user is not.]
Chapter References
- Cisco Security Solutions Web Page
- Increasing Security on IP Networks
- Cisco Security Configuration Guide, Chapter II
- The Cisco IOS TCP Intercept Product Bulletin
Lab Exercise: Configuring a Cisco Perimeter Router

Lab Objectives

Upon completion of this lab, you will be able to perform the following tasks:
- Configure a Cisco router as a perimeter router to protect Internet access from common security threats, based on a case study network design
- Given packet filtering rules, develop access lists to allow or prevent specified network services through a perimeter router, given a case study network design

[Figure: MCNS Lab Environment, generic (X = POD #). PIXX Firewall with Outside, Inside and DMZ interfaces; Protected DMZ and Dirty DMZ; PerimeterX Router; 10.X.1.0/24 with the Bastion Host (Web Server, FTP Server); 10.X.2.0/24 campus with NASX, IS, Windows NT PC NT1 and an NT Server (CiscoSecure NT, IIS FTP and Web Server, Cisco Security Manager, Syslog Server, TFTP Server); Instructor NT Server (FTP, HTTP, CA); Sales Dialup; Frame Relay (Internet) through Telco Simulator 100X.]
Summary

Cisco IOS software features implement perimeter router security to prevent:
- Eavesdropping
- Rerouting attacks
- Unauthorized access
- Data manipulation
- Session replay
- Denial of service
- Malicious destruction

NAT and PAT hide internal addresses and provide perimeter router security when IP address space is limited.
Review Questions

1. What are the Cisco IOS software features useful for implementing perimeter security?
   A. Cisco IOS Firewall feature set
   B. Standard and extended access lists
   C. NAT
   D. PAT
   E. TCP Intercept to control SYN DoS attacks
   F. Lock and Key security

2. What features are included in the Cisco IOS Firewall feature set?
   A. Context-based access lists
   B. Java blocking
   C. DoS detection and prevention
   D. Audit trail
   E. Real-time alerts
   F. ConfigMaker support

3. Which Cisco IOS software commands would you use on a perimeter router to block echo and finger inquiries from the Internet?
   A. no service tcp-small-servers
   B. no service udp-small-servers
   C. no service finger

4. Write an access list that will allow traffic to a Web server on the XYZ Company DMZ.
   A. access-list 110 permit tcp any host eq www

5. What are some limitations of using access lists for network security?
   A. Cannot detect data attacks such as viruses, worms, or Trojan horses
   B. Cannot completely protect against denial-of-service attacks
   C. Access lists are difficult to maintain