Chapter 4: IOS Firewall Feature Set In Brief
The IOS Firewall feature set available for Cisco routers is an add-on component to the Cisco IOS that provides routers with many of the features available to the PIX firewall, thus extending to routers functionality similar to what a separate firewall device provides. When a Cisco router is configured with the Cisco IOS Firewall feature set, it is transformed into an effective, robust, full-featured firewall. The IOS Firewall feature set software has been designed with security services that include access controls, strong authentication, and encryption services, and it maintains all fundamental routing features. It is a value-added option for Cisco IOS software that enforces security policies while maintaining vital traffic flow requirements within the enterprise. The Firewall feature set is currently available for the Cisco 1600, 1720, 2500, 2600, 3600, and 7200 series router platforms.
Some of the key features of the IOS Firewall feature set are listed here:
Context-Based Access Control (CBAC) provides secure IP traffic filtering for each unique session for many applications.
Java blocking protects against malicious Java applets, allowing only applets from identified and trusted sources.
Denial-of-service (DoS) detection and prevention protects resources against common attacks.
Realtime alerts notify administrators during DoS attacks and certain other conditions.
Audit trail mechanisms track sessions by time, source and destination address, ports, and total number of bytes transmitted.
Intrusion detection provides realtime monitoring, interception, and response to network misuse with a set of common attack and probing intrusion detection signatures.
The feature set provides multiservice integration, advanced security for dialup connections, and integrated routing and security at the Internet gateway.
As you can see, the IOS Firewall feature set has an extensive set of features that are designed to help secure an enterprise’s network with robust firewall functionality. This chapter aims to discuss many of the enhanced features the IOS Firewall feature set encompasses. I’ll discuss Context-Based Access Control (CBAC), which examines not only Network layer and Transport layer information, but also Application layer protocol information, to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections. This state information is used to make intelligent decisions about whether packets should be permitted or denied, and CBAC dynamically creates and deletes temporary openings in the firewall accordingly. I’ll discuss Port Application Mapping (PAM), which allows enterprises to customize TCP or UDP port numbers to support network environments that run services on ports different from the registered or well-known ports associated with an application. The information in the PAM table enables CBAC-supported services to run on nonstandard ports. I’ll also discuss the IOS Firewall Intrusion Detection System (IDS), which acts as an inline intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each to match any of the IDS signatures.
Context-Based Access Control
Context-Based Access Control was designed for use with multiple protocols that cannot be adequately filtered with ordinary access lists. During many types of network attacks, packets that are not part of an existing session are sent to a target machine, or there may be an attempt to inject packets into an existing session. Additionally, devices that are not properly configured can cause interruptions in service by sending inappropriate packets. The CBAC process stops these types of attacks and problems by inspecting the TCP and UDP sessions. Only packets within sessions that meet certain criteria are allowed to pass. Packets that are not within recognized sessions or that do not meet the security policy are dropped.
More often than not, a router will make every attempt to forward a packet toward its destination in the most efficient manner. CBAC changes the forwarding nature by investigating aspects of each packet within the context of its session to determine if the packet or session meets the policy. If the packet or session meets the policy, it will be forwarded. If it does not, it will be discarded, and in some cases, the session will be terminated. To determine this, CBAC adds processes to a router so it will be able to perform the following:
Watch for the start of new sessions and ensure they meet the policy.
Maintain the state information of each session flowing through it by watching flags, sequence numbers, and acknowledgment numbers.
Set up and install dynamic access control lists for permitted sessions.
Close out sessions and remove temporary access control lists that have been terminated.
Closely examine SMTP sessions to allow only a minimum set of permitted commands.
Watch the permitted control sessions (such as FTP control) and allow associated data sessions (such as FTP data) to pass.
Watch for Java applets within HTTP sessions and block them if the router is configured to do so.
Examine each packet within each session to ensure that it conforms to the current session state.
Maintain a timer after each session’s packet is forwarded and terminate any sessions that have exceeded the session timeout policy.
Watch for signs that a SYN attack is in progress, and if so, reset excessive session requests.
Send out alerts of unexpected events and packets that have been dropped because they don’t meet the policy.
Optionally record time, source, and destination addresses; ports; and the total number of bytes transmitted by each participant at the end of the session.
Each of these security elements uses memory and processing cycles that will decrease normal packet forwarding efficiency of the Cisco IOS software on the router. CBAC uses 600 bytes of memory per connection and CPU resources during the access list inspection process.
Context-Based Access Control Protocol Support
CBAC can be configured to inspect the following protocols:
CBAC can also be configured to specifically inspect certain Application layer protocols. The following Application layer protocols can all be configured for CBAC:
RPC, specifically Sun RPC and Microsoft RPC
When a protocol is configured for CBAC, that protocol’s traffic is inspected and all state information is updated and maintained in the state table. Return traffic is permitted back through the firewall only if the state table contains information indicating that the packet belongs to a permissible session. In this way CBAC controls the traffic that belongs to a valid session. When return traffic is inspected, the state table information is updated as necessary.
Note UDP is a connectionless protocol; therefore, there are no actual “sessions,” so the CBAC process examines particular information within the UDP packet and keeps track of that information. To determine if a packet is part of a UDP “session,” the CBAC process compares the information gathered against similar packets received within the idle timeout.
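As an added illustration (not code from this chapter or from Cisco IOS), the following Python models the state table behaviour described in the CBAC process list above and in the UDP note: inside-initiated traffic opens an entry, return traffic is forwarded only while a matching entry exists, TCP entries are removed on FIN or RST, and UDP packets are matched on the reversed address/port tuple until an assumed idle timeout expires. The Packet class, CbacStateTable, and the timeout values are assumptions for this model, not IOS defaults.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                 # one observed packet (constructed, not captured)
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float                 # arrival time in seconds
    flags: str = ""           # TCP flag of interest: "SYN", "FIN" or "RST"

class CbacStateTable:
    """Sessions open on inside-initiated traffic; return traffic is forwarded
    only while a matching entry exists (hypothetical model, not IOS code)."""
    def __init__(self, udp_idle=30.0, tcp_idle=3600.0):
        self.udp_idle = udp_idle   # assumed idle timeouts, not Cisco defaults
        self.tcp_idle = tcp_idle
        self.sessions = {}         # 5-tuple -> timestamp of last packet

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def outbound(self, p):
        """Inside -> outside: permitted by policy; open or refresh the session."""
        self._expire(p.ts)
        self.sessions[self._key(p)] = p.ts
        if p.proto == "tcp" and p.flags in ("FIN", "RST"):
            del self.sessions[self._key(p)]      # session torn down
        return True

    def inbound(self, p):
        """Outside -> inside: forward only if it belongs to a tracked session."""
        self._expire(p.ts)
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # reversed tuple
        if key not in self.sessions:
            return False                          # unsolicited: dropped
        if p.proto == "tcp" and p.flags in ("FIN", "RST"):
            del self.sessions[key]                # remove temporary opening
        else:
            self.sessions[key] = p.ts             # refresh the idle timer
        return True

    def _expire(self, now):
        """Drop entries idle longer than their protocol's timeout."""
        for key, last in list(self.sessions.items()):
            idle = self.udp_idle if key[0] == "udp" else self.tcp_idle
            if now - last > idle:
                del self.sessions[key]
```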