Wednesday, January 30, 2008

CCIE R&S CBAC FireWall

One of my major weakness until recently was security, security is the one topic that can kill you if you do not know what you are doing or if you are not careful enough to lookinto the small details. in the past when I came to a task I would attack it straight ahead and not thinking what it can do to other things I did before or what I need to do in the next task, I worked in a task by task strategy, today as I grown :-) I learned that nothing especially in real life is not presented to you in a step by step manner, you always need to gather all the information and sort it your self like a puzzle, some time the puzzle is small and easy some time you cant find the middle piece to complete your puzzle. so my advice to you is take the exam as a puzzle put all the parts in front of you (mean read all and draw basic topology accordingly) and build your puzzle from bottom up (piece by piece) if you cant find a piece then skip you will find it later. Now with that analogy the Security is one of those last pieces in your puzzle that can brake your entire puzzle so you can decide either to leave one piece out or to start rearrange everything (not recommended). With that in mind I would like to talk here on CBAC or the IOS Firewall, the basic Idea is very similar to reflexive ACL but with enhanced support of features and application. What Do we need for the firewall to work: 1) We Must have an ACL - the ACL will be in most of the cases (for the R&S CCIE) on the outside interface and it will have a Deny all statement, now that was a hard issue for me to grasp at first I said to my self what the hell do I need the Firewall to use a ACL?! isn’t that already build into the firewall, well no! the Firewall is "inspecting" traffic as it go out or come in but the ACL define what to be denied from coming into the Router, so that mean only traffic that is coming from inside the network to outside is allowed back in and traffic that is trying to come from outside need to stay out unless there is a permit statement. 2) We need to define and inspect rules and that is another thing that you need to be careful, as if you only set a rule to inspect icmp that mean that only icmp traffic from your network to the outside and back will be allowed, if you will try to browse the internet without setting an inspect rule your traffic will not be inspected and therefore not been allowed back in!!! Now here is my home router example: I start by defign the traffic that I am using from in --> out ip inspect name HOME-FW sip <- My Voip service need to be up ip inspect name HOME-FW snmp <- I have Snmp Server to monitor the networks I maintain ip inspect name HOME-FW http <- a man need to surf :-) ip inspect name HOME-FW https <- some time need to use a secure web browsing ip inspect name HOME-FW dns <- well I do not want to use IP for all my surfing so I need name resolve server access ip inspect name HOME-FW smtp <- need to sent out mail ip inspect name HOME-FW pop3 <- mail in ip inspect name HOME-FW ssh <- all my servers using SSH (linux RHES) ip inspect name HOME-FW icmp <- Pings ip inspect name HOME-FW telnet <- Some of the router I manage are old or do not have SSH ip inspect name HOME-FW udp <- miscellaneous traffic ip inspect name HOME-FW tcp <- miscellaneous traffic ! ip access-list extended ACCESS-CONTROL permit icmp any any echo-reply <- that I am using as the traffic from the router it self is not inspected so if I will not permit it then I will not babble to ping from the router, the same go for the traceroute permit icmp any any time-exceeded permit icmp any any port-unreachable permit udp x.x.x.80 0.0.0.15 any eq snmptrap <- I have in my home a Snmp Server and to allow traps from outside to come in I need a permit permit udp x.x.x.80 0.0.0.15 any eq 5060 <- although I enabled SIP in the inspection rule calls that are originated from outside in need to be permitted as only traffic inspected from inside to outside is permited permit udp host x.x.x.83 any range 10000 20000 <- that is for the RTP, it is not really needed but for the "obscure" bugs that can happen I rather permit it then loose a call. deny ip any any log-input <- the log-input is for tracing attackers always good to have. ! interface Dialer0 <-- that is my outside interface .. ip access-group ACCESS-CONTROL in .. ! interface Vlan16 <-- that is my inside interface .. ip inspect HOME-FW in .. !

This is In response to the comment posted: The ACL has no direct relation to the CBAC firewall, it is there to prevent traffic coming into your network from the outside, the inspection rule is there to inspect traffic going out from your network. if the ACL was not there the traffic would have been inspected but still people would able to go into your network. so if you want to block traffic you must have ACL but if you inspect traffic then even if there is a deny statement on the outside interface traffic is allowed to return. so the short answer CBAC is not inspecting the ACL, CBAC is inspecting what you tell him on the inspection rule.

Monday, January 21, 2008

CCIE Lab San Jose 16 Jan 2008

Ok, I wished to tell you my number after that date but unfurtunetly for me I will need to hold on with that post. so for now I will tell you my expireance, I traveled from Israel to San Francisco California on Jan 12 2008 arrived after painful 18hr flight with a connection in London. Days before the exam I have taken the liberty to relax and sleep as much as I can. The lab Day I have arrived as early as I could at 7am to Tasman Drive 150 bldg C waiting for them to open the doors (yes I am that freek). at about 7:30 they have opened the doors and I waited for the other candidates to arrive, at about 8:15 we where guided to the Lab...(now I cant tell you what happen there as I am obligated to the NDA). What I can tell you is that it was hard but not impossiable I have actually had no problem with the core topics and but I did found the security and qos to be confusing enough to fail me. I certenly learned from this expireance (it was expensive lesson) and hope to not fail on that again, but with no pain there is no gain.