I installed a version 12.2 iOS firewall on the Cisco 2514 Series Access router. At that time, the router was also using extended ACLs to filter traffic that was entered from the Internet interface. After disconnecting the cables from the external interface, I sorted and removed the existing ACLs and implemented the following iOS firewall performance.
One common denominator in configuring ACLs and CBAC is the need to install an Internet router at the entrance to the external interface, which avoids the harmful traffic attacks on the Internet by private networks. This configuration is fairly straightforward for those firewalls that allow only the return traffic that originated from the internal connection. To achieve this, I added an extended access list to the interface I was entering, which would block all the traffic I wanted to check:
Router (config) # access-list deny TCP any
Router (config) # access-list deny UDP any
Router (config) # interface serial0
Router (config-if) # Ip Access-group
In previous statements, when applied to a check on an external interface, all TCP and UDP were blocked. This provides a filtering method for checking all incoming TCP and UDP traffic. By applying the access list to an external 101 port, you can ensure that the Internet router is intercepted as soon as it arrives on the Internet. I'm also suspicious. Implement more granular control by specifying specific application layer protocols, just like this example:
Router (config) # access-list-Deny TCP/any-eq SMTP
This description can block all SMTP traffic outside the internal network. In the access list, this should be placed before the previous TCP filtering instructions, otherwise it will not work.
Definition Timeout
The next step in this process is to define timeouts and maximum values when using CBAC to track connections. You can define several different values to enhance CBAC's ability to defend against cyber attacks. In a startup environment, most timeout and maximum settings have a default value that is suspicious to meet the general requirements. Many timeouts and maximum values control how the router responds to Dos attacks. (I'll do a more in-depth discussion of the clock/MAX value at other times.) )
Remember that CBAC does not check ICMP and checks only TCP and UDP. Therefore, you need to increase the corresponding ACL entry to properly limit ICMP. Consider adding these ICMP portals to your ACL. This allows your internal network to ping to the host on the Internet, allowing your router to respond to the correct ICMP traffic.
Until now, we have seen how to configure the portal of the extended access list and apply the configuration of entry flow rules to the external interface. ACLS block all traffic at the inlet and can be inspected with CBAC. I use the default timeout and maximum settings, and I don't make any changes. I recommend that you start with the defaults and then adjust to your needs. If you don't know what the impact of changing these settings will be on the operation of the firewall, it's not a good idea to change the settings rashly. Next, I defined the actual check rule to manage which application layer protocol should be checked. Let's look at the command structure for the check rule.
This is the generic configuration command pattern. Requires you to specify the name, protocol, alert settings, auditing, and timeout value in a very short period of time. Now, let's create one of our own.
I have named the Check-tcp rule, specify protocol detection TCP, and activate alerts and auditing options. The alert and audit trail options are needed. This requires a syslog system to send information. Although that configuration is beyond the scope of this article, I would recommend that you use auditing when logging all firewall activities. Here, I applied the SERIAL1 rule to the external interface, as follows:
Router (config) # Interface Serial1
Router (config-if) # IP Inspect check-tcp out
Please note that I have applied the external traffic detection rules on the outer interface. This will track the headers of the communications initiated by the internal and all external interfaces destined for the Internet or some other external network.
If you encounter any difficulties in configuring CBAC, you can use the following generic command mode to stop configuration and restore all related settings. This does not delete the extended access list that you have configured on the external interface. If you turn off detection, keep in mind that because the access list filters most, if not all, incoming traffic from the external interface, it is very likely that all the communications portals of your private network will be closed. It is easy to turn off the check:
Router (config) # no IP Inspect
This command deletes all instrumentation information in the configuration, including filter rules and the command line applied to the interface.
Now that you no longer need the details of the basic configuration, let's take a look at configuring an Internet firewall router with the ACLs and Cbac check features.
Because access lists are used to receive information on external interfaces, this basic CBAC configuration allows only limited ICMP information to pass through the firewall router. The detection rule is equivalent to Filter1, which allows internal users to connect with the external WWW via HTTP ports and track these connections, open the returned status information, and extend the access list. This applies equally to FTP and SMTP. In the future, if I allow users to use the RealAudio or NetMeeting channel, I can simply use the Add IP inspect name command, where Filter1 is the name.
If you want to change the check rule, you can add or delete a line entry. If you want to add a description, use the IP inspect name command by using the same name as the user-defined rule. If you need to delete a row and use the IP inspect name command in no form, look at the following example:
Router (config) # IP inspect filter1 TCP
Router (config) # no IP inspect filter1 TCP
If you want to check an item in the configuration, you can use the show ip Inspect command to get CBAC installation details. Just like the following:
router# show IP Inspect all
All parameters will display information such as the current check configuration, which is currently connected through the firewall.