Example configuration of Router

20 Mar

Listing 4.1: Example configuration of Router 3 for CBAC.

access-list 110 permit tcp 192.168.10.0 0.0.0.255 any
access-list 110 permit udp 192.168.10.0 0.0.0.255 any
access-list 110 permit icmp 192.168.10.0 0.0.0.255 any
access-list 110 deny ip any any
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 echo-reply
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 unreachable
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 administratively-prohibited
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 packet-too-big
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 echo
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 time-exceeded
access-list 120 deny ip any any
!
ip inspect name samplecbac ftp
ip inspect name samplecbac smtp
ip inspect name samplecbac tcp
ip inspect name samplecbac fragment max 6000 timeout 8
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 110 in
 ip inspect samplecbac in
 ip inspect samplecbac out
!
interface Serial0/0
 ip address 192.168.20.1 255.255.255.0
 ip access-group 120 in
!
ip route 0.0.0.0 0.0.0.0 192.168.20.2

Notice that CBAC is performing a more generic TCP and UDP inspection here. Access list 110, applied inbound on FastEthernet0/0, is what permits the outbound ICMP traffic that enters the router on that interface. CBAC does not inspect ICMP in this configuration (later IOS releases added an icmp keyword to ip inspect name, but this example does not rely on it), so ICMP has to be permitted explicitly; otherwise the deny ip any any at the end of the list would drop it. The ip inspect name commands define the inspection rule, and the ip inspect samplecbac commands under the interface apply it. At first glance the inspection rule combined with the access lists on each interface may not look correct, but remember that CBAC creates temporary access list openings. Referring back to the rules for creating an inbound access list on the internal interface, that list should permit the traffic that CBAC is to inspect: traffic the list denies is dropped before CBAC ever sees it, so no session state is created for it and no opening is made for its replies. The temporary openings are created in access list 120, which is applied inbound on the outside Serial interface.

Looking now at access list 120, you can see that it is applied inbound on interface Serial0/0. Still doesn't look correct though, does it? Look again at the rules for creating an inbound access list on the external interface. An inbound access list on the external interface should deny the return traffic that CBAC is to inspect; CBAC then creates temporary openings in that list, as needed, to permit only return traffic belonging to a session it saw being initiated from the inside. Access list 120 therefore permits only the listed ICMP types inbound on the Serial interface and denies everything else. Return TCP and UDP traffic, which the static list would deny, gets in only through the opening that the originating outbound packet caused CBAC to create; an unsolicited connection attempt from the outside, for which no opening exists, is dropped by the deny ip any any. Because ICMP is not inspected, every ICMP type you want to admit from the outside has to be listed statically, which is why the six permit statements are there.
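To make the two access-list rules concrete, here is a small Python model (an added example, not Cisco code and not from the original text) that evaluates the access lists of Listing 4.1 with Cisco wildcard-mask semantics and keeps a CBAC-style session table beside them. It assumes that inspection applies only to traffic entering FastEthernet0/0, that sessions are untimed 5-tuples, and that the temporary openings are consulted before the static list, which is how CBAC's dynamically inserted entries behave. The outside host 192.168.40.11 and the port numbers are constructed for the walk-through.

```python
"""Model of CBAC openings vs. the static ACLs of Listing 4.1 (added illustration, not Cisco code).
Assumptions: only traffic entering FastEthernet0/0 is inspected, sessions are untimed 5-tuples,
and dynamic openings are checked before the static list, as CBAC's temporary entries are."""
import ipaddress
from collections import namedtuple

# proto is "tcp"/"udp"/"icmp"; icmp_type is the ACL keyword ("echo", "echo-reply", ...)
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))
# proto "ip" matches everything; src/dst are "any" or "address wildcard"; icmp_type "" = any type
Ace = namedtuple("Ace", "action proto src dst icmp_type")

def _take_addr(tok, i):
    """Consume one address spec ('any' or 'address wildcard'); return (spec, next index)."""
    return ("any", i + 1) if tok[i] == "any" else (f"{tok[i]} {tok[i + 1]}", i + 2)

def parse_acl(text):
    """Parse 'access-list N action proto src dst [icmp-type]' lines (no port operators)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _take_addr(tok, 4)
        dst, i = _take_addr(tok, i)
        aces.append(Ace(tok[2], tok[3], src, dst, tok[i] if i < len(tok) else ""))
    return aces

def _match_addr(spec, addr):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)

def acl_permits(acl, pkt):
    """First match wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
            continue
        if ace.icmp_type and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action == "permit"
    return False

class CbacRouter:
    def __init__(self, inside_acl, outside_acl, inspected=("tcp", "udp")):
        self.inside_acl = inside_acl      # access-list 110, inbound on Fa0/0
        self.outside_acl = outside_acl    # access-list 120, inbound on S0/0
        self.inspected = set(inspected)   # protocols the inspection rule covers
        self.sessions = set()             # (proto, in_addr, in_port, out_addr, out_port)

    def from_inside(self, pkt):
        """Packet entering FastEthernet0/0: ACL 110 is evaluated first, then CBAC."""
        if not acl_permits(self.inside_acl, pkt):
            return "dropped by acl 110"          # never reaches CBAC, no state created
        if pkt.proto in self.inspected:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forwarded, opening created"
        return "forwarded, not inspected"        # ICMP in this configuration

    def from_outside(self, pkt):
        """Packet entering Serial0/0: dynamic opening first, then static ACL 120."""
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "forwarded via cbac opening"
        if acl_permits(self.outside_acl, pkt):
            return "forwarded by acl 120"
        return "dropped by acl 120"

ACL_110 = parse_acl("""
access-list 110 permit tcp 192.168.10.0 0.0.0.255 any
access-list 110 permit udp 192.168.10.0 0.0.0.255 any
access-list 110 permit icmp 192.168.10.0 0.0.0.255 any
access-list 110 deny ip any any
""")
ACL_120 = parse_acl("""
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 echo-reply
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 unreachable
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 administratively-prohibited
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 packet-too-big
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 echo
access-list 120 permit icmp any 192.168.10.0 0.0.0.255 time-exceeded
access-list 120 deny ip any any
""")

def walk_through():
    """Replay the cases the text describes (192.168.40.11 is a constructed outside host)."""
    r = CbacRouter(ACL_110, ACL_120)
    out = {}
    out["smtp_out"] = r.from_inside(Packet("tcp", "192.168.10.13", "192.168.40.11", 38992, 25))
    out["smtp_reply"] = r.from_outside(Packet("tcp", "192.168.40.11", "192.168.10.13", 25, 38992))
    out["unsolicited"] = r.from_outside(Packet("tcp", "192.168.40.11", "192.168.10.13", 25, 40000))
    out["ping_out"] = r.from_inside(Packet("icmp", "192.168.10.13", "192.168.40.11", icmp_type="echo"))
    out["ping_reply"] = r.from_outside(Packet("icmp", "192.168.40.11", "192.168.10.13", icmp_type="echo-reply"))
    out["redirect"] = r.from_outside(Packet("icmp", "192.168.40.11", "192.168.10.13", icmp_type="redirect"))
    return out

if __name__ == "__main__":
    for case, verdict in walk_through().items():
        print(f"{case:12s} {verdict}")
```

Running it shows the asymmetry the text is describing: the SMTP reply is admitted only because the outbound SYN created an opening, the unsolicited SYN to the same inside host is dropped by access list 120, the ping reply gets in purely on the strength of the static echo-reply permit, and an ICMP redirect, which the list does not mention, is dropped even though pings work.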

To view the complete CBAC inspection configuration, issue the show ip inspect config command (abbreviated sh ip inspect config in the listings). The output displays the protocols that CBAC inspects and the timeout values associated with each protocol. Issuing show ip inspect config on Router 3 produces the output in Listing 4.2.

Listing 4.2: Output of the show ip inspect config command.

Router-3#sh ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name samplecbac
    ftp alert is on audit-trail is off timeout 3600
    smtp alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    fragment Max 6000 In Use 0 alert is on audit-trail is off timeout 8
Router-3#

The output of the show ip inspect config command displays many of the configured timeout and threshold values for the CBAC configuration. The first line tells you that CBAC audit trail messages are disabled. The second line shows that session alerting is enabled; while alerting is on, CBAC sends alert messages (for example, when the half-open connection thresholds are crossed) to the console or wherever logging is directed, and it can be turned off with the ip inspect alert-off global configuration command. The next six lines show the global threshold and timeout values for CBAC. The Inspection Rule Configuration section is the major part of the output: it details the inspection name, the protocols configured for inspection, the alert and audit trail settings, and the configured timeout for each inspection rule.

You can use the ip inspect audit-trail global configuration command to have CBAC generate an audit trail message each time a session closes; the messages are logged like any other syslog message and appear on the console with the default logging configuration. Audit trail messages help in analyzing problems that occur during CBAC operation, and they are also your record of who connected where and how much data moved in each direction. The following shows the command issued on Router 3:

Router-3#config t
Router-3(config)#ip inspect audit-trail
Router-3(config)#end
Router-3#

Immediately after the command is issued on Router 3, audit trail information begins to appear on the console. The output of the audit trail messages is shown in Listing 4.3.

Listing 4.3: Audit trail messages on Router 3.

tcp session initiator (192.168.10.13:38992) sent 22 bytes -- responder (192.168.40.11:25) sent 198 bytes
ftp session initiator (192.168.10.18:32294) sent 336 bytes -- responder (192.168.129.11:21) sent 495 bytes
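The audit trail is the firewall's session record as well as a troubleshooting aid, so it is worth parsing rather than only watching on the console. The following Python, an added example and not anything from the original text, turns audit-trail lines of the shape shown in Listing 4.3 into a session table, sums bytes per responder port, and applies a crude upload-volume heuristic that is purely illustrative and not a Cisco feature. The sample lines are constructed from the two sessions in Listing 4.3 plus one invented large SMTP session, and carry the %FW-6-SESS_AUDIT_TRAIL: prefix that the router's syslog output attaches to these messages.

```python
"""Turn CBAC audit-trail messages into a session table (added example, not Cisco code).
The sample lines are constructed to match the shape of Listing 4.3; on a real router
they arrive as syslog messages with a %FW-6-SESS_AUDIT_TRAIL: prefix, so the parser
searches for the session text rather than anchoring on the start of the line."""
import re
from collections import defaultdict

SESSION_RE = re.compile(
    r"(?P<proto>[a-z0-9-]+) session:? initiator \(?(?P<init>[\d.]+):(?P<iport>\d+)\)? "
    r"sent (?P<ibytes>\d+) bytes -- "
    r"responder \((?P<resp>[\d.]+):(?P<rport>\d+)\) sent (?P<rbytes>\d+) bytes"
)

# Constructed sample: the two sessions from Listing 4.3, a third (invented) large SMTP
# session, and one syslog line that is not an audit-trail message at all.
SAMPLE_LOG = """\
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.10.13:38992) sent 22 bytes -- responder (192.168.40.11:25) sent 198 bytes
%FW-6-SESS_AUDIT_TRAIL: ftp session initiator (192.168.10.18:32294) sent 336 bytes -- responder (192.168.129.11:21) sent 495 bytes
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.10.13:38993) sent 3200000 bytes -- responder (192.168.40.11:25) sent 512 bytes
%SYS-5-CONFIG_I: Configured from console by console
"""

def parse_audit_trail(text):
    """Return one dict per audit-trail line; other syslog lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        sessions.append({
            "proto": m["proto"],
            "initiator": m["init"], "initiator_port": int(m["iport"]),
            "initiator_bytes": int(m["ibytes"]),
            "responder": m["resp"], "responder_port": int(m["rport"]),
            "responder_bytes": int(m["rbytes"]),
        })
    return sessions

def bytes_by_responder_port(sessions):
    """Aggregate (bytes sent by initiators, bytes sent by responders) per destination port."""
    totals = defaultdict(lambda: [0, 0])
    for s in sessions:
        totals[s["responder_port"]][0] += s["initiator_bytes"]
        totals[s["responder_port"]][1] += s["responder_bytes"]
    return {port: tuple(v) for port, v in totals.items()}

def flag_lopsided(sessions, min_bytes=1_000_000, ratio=100):
    """Heuristic (an assumption for this example, not a Cisco feature): flag sessions
    where the inside initiator pushed at least min_bytes and more than ratio times what
    came back, the shape of a bulk upload over a port that normally carries small requests."""
    return [s for s in sessions
            if s["initiator_bytes"] >= min_bytes
            and s["initiator_bytes"] > ratio * s["responder_bytes"]]

if __name__ == "__main__":
    sessions = parse_audit_trail(SAMPLE_LOG)
    for s in sessions:
        print(f'{s["proto"]:4s} {s["initiator"]}:{s["initiator_port"]} -> '
              f'{s["responder"]}:{s["responder_port"]} '
              f'{s["initiator_bytes"]}/{s["responder_bytes"]} bytes')
    print("per port:", bytes_by_responder_port(sessions))
    print("lopsided:", [s["initiator_port"] for s in flag_lopsided(sessions)])
```

The regular expression tolerates the "Stop tcp session: initiator" wording that later IOS releases use for the same message, and the missing opening parenthesis seen in some captures, so it can be run over a syslog archive without first normalising the format.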

After enabling audit trail output and taking a quick glance back at the inspection configuration, you can see that audit trail messages are now enabled for the ftp, smtp, and tcp entries; the fragment entry is unchanged. Listing 4.4 shows the updated output.

Listing 4.4: Updated output of the show ip inspect config command.

Router-3#show ip inspect config
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name samplecbac
    ftp alert is on audit-trail is on timeout 3600
    smtp alert is on audit-trail is on timeout 3600
    tcp alert is on audit-trail is on timeout 3600
    fragment Maximum 6000 In Use 0 alert is on audit-trail is off timeout 8
Router-3#

Changes to any of the global timeout and threshold values described earlier can be made in the configuration, and the change will be reflected in the output of the show ip inspect config command.

CBAC can also be configured to perform Java blocking, which allows Java applets into the network from specified sites and denies all others. Note that this filtering catches only applets that are not embedded in an archived or compressed file (a .zip or .jar, for example), so it is not a complete control on its own. Referring to Figure 4.3, I will continue with the example from above and configure Router 3 for Java blocking. In Figure 4.3, three Web servers have been added to the outside network of Router 3.
The IP addresses of the Web servers are 192.168.100.100, 192.168.200.200, and 192.168.300.300 (the last is not a valid IPv4 address, since an octet cannot exceed 255; treat it as a placeholder for a third, untrusted server). The security policy of the company is to configure Router 3 so that Java applets from the Web servers at 192.168.100.100 and 192.168.200.200 are permitted and inspected by CBAC, while Java applets from the server at 192.168.300.300 are denied. Listing 4.5 shows the configuration needed on Router 3 for Java blocking.

Listing 4.5: Configuration of Router 3 for Java blocking.

access-list 30 permit 192.168.100.100
access-list 30 permit 192.168.200.200
access-list 110 permit tcp 192.168.10.0 0.0.0.255 any
access-list 110 permit udp 192.168.10.0 0.0.0.255 any
access-list 110 permit icmp 192.168.10.0 0.0.0.255 any
access-list 150 permit icmp any 192.168.10.0 0.0.0.255 echo-reply
access-list 150 permit icmp any 192.168.10.0 0.0.0.255 unreachable
access-list 150 permit icmp any 192.168.10.0 0.0.0.255 administratively-prohibited
access-list 150 permit icmp any 192.168.10.0 0.0.0.255 packet-too-big
access-list 150 permit icmp any 192.168.10.0 0.0.0.255 echo
access-list 150 permit icmp any 192.168.10.0 0.0.0.255 time-exceeded
access-list 150 deny ip any any
!
ip inspect name mytest tcp
ip inspect name mytest udp
ip inspect name mytest http java-list 30
ip inspect name mytest fragment max 6000 timeout 8
ip inspect audit-trail
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 110 in
!
interface Serial0/0
 ip address 192.168.20.1 255.255.255.0
 ip access-group 150 in
 ip inspect mytest out
 ip inspect mytest in

In this example, standard access-list 30 permits Java from the friendly sites at 192.168.100.100 and 192.168.200.200 and, through its implicit deny, blocks Java from every other site. The output displayed in Listing 4.6 is sample output from the debug ip inspect detail command after attempting to connect to the Web servers at 192.168.100.100, 192.168.200.200, and 192.168.300.300. It shows connection requests to the friendly Java Web servers being inspected, and Java being blocked from the nonfriendly Web server. Friendly Web servers are the ones matched by a permit statement in the access list named by java-list.
