Demonstration: context-based access control (configuration of IOS Firewall)

Source: Internet
Author: User


Cisco IOS Firewall is an important security feature of Cisco IOS, integrated into Cisco routers as a feature set. Although it is only one feature set of the IOS, it is not inferior to some dedicated firewalls on the security market. The IOS Firewall components include: access control lists for regular packet filtering, dynamic access control lists, a logging system, real-time alerting, an audit system, an intrusion detection system, Context-Based Access Control (CBAC), and NAT. The discussion here focuses mainly on the CBAC component of the IOS Firewall. Because the IOS Firewall is a router feature set with powerful functions, it is highly cost-effective, and deploying it on the boundaries between different subnets is a sound recommendation.


How CBAC works on the Cisco IOS Firewall

In the past, standard and extended access lists were used. Both are static ACL filtering methods: without human intervention, the system cannot adjust the filtering entries in the ACL to match actual changes in traffic. In practice, however, more flexible methods are often needed to improve system security, so Cisco's security solutions provide advanced access control lists to meet this requirement. The basic element of an advanced access control list is that its entries are created and deleted automatically, without administrator intervention. Examples are reflexive access lists, dynamic access lists and Context-Based Access Control (CBAC). Access is granted by opening a channel while the configuration itself is not modified. These channels are generally created in response to access requests sent from the internal network to the external network; when the session using the channel terminates, or the channel is idle longer than a configured value, the channel is closed. The working principle is shown in Figure 10.29. When you enable CBAC, we recommend denying all traffic toward the internal network on the firewall's external interface, so that every connection actively initiated from the Internet toward the internal network is rejected; these actively initiated sessions of course include attack traffic.

[Figure 10.29: CBAC working principle (image not available)]

Step 1: A host on the internal network initiates an active connection request for a service on the external network.

Step 2: The router running Cisco IOS Firewall inspects the outbound connection sent from the internal network. Following the Cisco IOS Firewall adaptive security algorithm, the sequence numbers used to reassemble TCP packets are scrambled, and the initial flag state of the TCP packets is recorded.

Step 3: The IOS Firewall forwards the connection to its destination address on the external network.

Step 4: The response data returned by the external network arrives at the IOS Firewall. Under normal circumstances, the external interface of the IOS Firewall is configured to reject all traffic actively flowing from the external network toward the firewall.

Step 5: The IOS Firewall now checks the outbound inspection state recorded for the earlier connection to verify that the data is a response from the external network to a connection actively initiated by the internal network; the check covers the validity of the data's "connection status" and "connection tag". If the check succeeds, the IOS Firewall opens a temporary session tunnel on the external interface to return the data to the internal network. This session tunnel is evaluated before the access control list on the external interface and takes precedence over the regular access control list.

Step 6: The IOS Firewall returns the data to the internal host.
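As an added illustration of the six steps above (not from the original article or from Cisco), this Python model puts a static deny-all ACL on the external interface and lets through only return traffic that matches a recorded outbound session, with an idle timer closing the channel. The addresses follow the demo topology on this page; the packet trace, the port numbers and the 30-second timeout are constructed.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 30  # seconds; constructed stand-in for CBAC's per-protocol idle timers

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = inside -> outside, "in" = outside -> inside
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int      # for ICMP, carry the echo identifier in both slots
    dport: int
    ts: float       # seconds

class CbacFirewall:
    """Outbound packets open a session; only matching return traffic
    bypasses the interface ACL, which in the demo denies everything."""
    def __init__(self):
        self.sessions = {}  # session key -> last-seen timestamp

    @staticmethod
    def _key(p):
        # Normalise so an outbound packet and its reply share one key.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p):
        # Close sessions idle longer than the timeout (channel lifetime).
        self.sessions = {k: t for k, t in self.sessions.items()
                         if p.ts - t <= IDLE_TIMEOUT}
        key = self._key(p)
        if p.direction == "out":
            self.sessions[key] = p.ts     # Steps 2-3: inspect and record
            return "permit"
        if key in self.sessions:
            self.sessions[key] = p.ts     # Step 5: session hole beats ACL 101
            return "permit (session)"
        return "deny (acl 101)"           # Step 4: static deny for the rest

def run_demo():
    """Constructed trace: inside host 172.16.2.10 pings outside host 172.16.1.3."""
    fw = CbacFirewall()
    trace = [
        Packet("out", "icmp", "172.16.2.10", "172.16.1.3", 7, 7, 0.0),   # echo request
        Packet("in", "icmp", "172.16.1.3", "172.16.2.10", 7, 7, 0.1),    # echo reply
        Packet("in", "tcp", "172.16.1.3", "172.16.2.10", 4444, 23, 0.2), # unsolicited
        Packet("in", "icmp", "172.16.1.3", "172.16.2.10", 7, 7, 45.0),   # after idle expiry
    ]
    return [fw.process(p) for p in trace]
```

The unsolicited inbound TCP packet and the reply arriving after the idle timer has expired both fall through to the static ACL, which is exactly what Step 5 describes.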



Note: Context-Based Access Control (CBAC) is only one typical application of IOS Firewall technology. A complete IOS Firewall also includes intrusion detection, denial-of-service attack detection, Java applet blocking, real-time alerting and audit trails, event logging, NAT, and other applications. Treating CBAC as the whole IOS Firewall is therefore a misunderstanding.



How does CBAC differ from a reflexive ACL?

Based on the description of how CBAC works above, it looks similar to a reflexive ACL. So what are the differences? CBAC adds security at the application layer protocol level and identifies sessions intelligently, in particular application layer protocols that change ports during session negotiation, such as active FTP; a reflexive ACL cannot recognize active FTP, but CBAC can. In addition, CBAC can be configured with further security components that work together, such as Java applet filtering, limits on the number of half-open TCP sessions, UDP timeouts, and monitoring and alerting functions. A pure reflexive ACL cannot meet these requirements. In short, CBAC is stronger than a reflexive ACL in security association, more intelligent in recognition, and broader in its control and filtering methods.


Demonstration: basic configuration of the Cisco IOS Firewall


Demonstration objective: basic configuration of the CBAC inspection rule on the Cisco IOS Firewall.

Demo environment: shown in Figure 10.30.

[Figure 10.30: demo environment (image not available)]

Demonstration background: In the environment shown in Figure 10.30, configure the IOS Firewall CBAC function on the router, dividing the network into a non-secure zone (the external network) and a secure zone (the internal network). Then deny all TCP, UDP and ICMP traffic on the external interface of the IOS Firewall router. Test connectivity between the internal and external networks before CBAC is enabled, and again after it is enabled, to understand how CBAC works and what effect it has. Throughout, pay attention to the direction in which CBAC is applied on the interface.

Demo steps:


Step 1: Complete the basic configuration required by the experiment before configuring the CBAC function of the Cisco IOS Firewall. This includes configuring the interface IP addresses, starting the routing protocol, and denying all TCP, UDP and ICMP traffic entering the firewall's E1/0 interface, which is CBAC's external interface. The configuration is as follows:


Basic configuration on the IOS Firewall:

interface Ethernet1/0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 101 in
!
interface Ethernet1/1
 ip address 172.16.2.1 255.255.255.0
!
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 101 deny icmp any any


Note: At this point, no TCP, UDP or ICMP traffic from the 172.16.1.0/24 subnet can enter the 172.16.2.0/24 subnet, because the access list applied inbound on the firewall's E1/0 interface denies all of it. If a host on the 172.16.2.0/24 subnet pings 172.16.1.3, the ping fails. The ICMP echo requests from 172.16.2.0/24 do reach 172.16.1.0/24, since no access list restricts traffic from 172.16.2.0/24 crossing the IOS Firewall toward 172.16.1.0/24, but the access list on E1/0 then denies the echo replies from 172.16.1.0/24 back to 172.16.2.0/24. Because an IOS access list ends with an implicit deny, ACL 101 as written also blocks every other protocol arriving on E1/0, routing protocol traffic included, so anything that must still enter from the external side needs an explicit permit entry.


Step 2: Configure CBAC inspection on the IOS Firewall and apply it in the outbound direction of E1/0. The configuration is as follows:


Configuration of CBAC:

! Inspect ICMP, TCP and UDP traffic
IOS_FW(config)# ip inspect name IOS_FW icmp
IOS_FW(config)# ip inspect name IOS_FW tcp
IOS_FW(config)# ip inspect name IOS_FW udp
!
! "out" is the CBAC application direction on the external interface
IOS_FW(config)# interface Ethernet1/0
IOS_FW(config-if)# ip inspect IOS_FW out
IOS_FW(config-if)# ip access-group 101 in


The command ip inspect name IOS_FW sets the name of the CBAC inspection rule to "IOS_FW"; ip inspect name IOS_FW icmp, ip inspect name IOS_FW tcp and ip inspect name IOS_FW udp specify that the IOS Firewall inspects ICMP, TCP and UDP traffic; ip inspect IOS_FW out applies the inspection to the router's external interface E1/0. Note that in the demo environment the inspection direction on E1/0 is "out".

Users configuring the Cisco IOS Firewall for the first time often ask: "CBAC is supposed to be applied to the firewall's external interface E1/0 to defend against external attacks, so why is it applied in the outbound direction of E1/0?" The answer is: do not think of CBAC as a regular access control list. CBAC must first inspect the traffic sent from the internal network to the external network and use the recorded result as the security rule for traffic returning to the internal network. Recording that inspection result is the prerequisite, so the CBAC application direction is "out" on E1/0 of the IOS Firewall, or equivalently "in" on E1/1. Choosing the correct reference point makes this principle clear, as shown in Figure 10.31. After completing the configuration in step 2, ping 172.16.1.3 again from a host on the 172.16.2.0/24 subnet; if CBAC is configured correctly, the ping now succeeds.

[Figure 10.31: reference point for the CBAC inspection direction (image not available)]

Step 3: Think about it: "Why can the internal host on the 172.16.2.0/24 subnet ping 172.16.1.3 after step 2 is configured?" Because the Cisco IOS Firewall CBAC creates a temporary session tunnel for it. Here you can use the show ip inspect sessions detail command to view the session information, as shown in Figure 10.32. If the external network 172.16.1.0/24 now actively tries to access the internal network 172.16.2.0/24, that traffic is still denied (CBAC opens no session for it), unless ACL 101 explicitly permits it to enter the internal network.

[Figure 10.32: output of show ip inspect sessions detail (image not available)]

Note: Beyond the ICMP, TCP and UDP inspection in the example above, CBAC can inspect many other important IP-based network protocols and applications.



The applications and network protocols listed in Table 10.32 are common technical standards in modern enterprise networks, but the defensive and audit functions of the Cisco IOS Firewall are not limited to these; it has a far wider range of application and can audit Internet access traffic in real time, for example filtering web sites and Java applets. For details, refer to the detailed CBAC configuration documentation on the CD.


[Table 10.32: applications and protocols that CBAC can inspect (two images in the original; not available)]





This article is from the "unknown Christ" blog. For more information, contact the author!
