Wednesday, January 30, 2008

CCIE R&S CBAC FireWall

One of my major weakness until recently was security, security is the one topic that can kill you if you do not know what you are doing or if you are not careful enough to lookinto the small details. in the past when I came to a task I would attack it straight ahead and not thinking what it can do to other things I did before or what I need to do in the next task, I worked in a task by task strategy, today as I grown :-) I learned that nothing especially in real life is not presented to you in a step by step manner, you always need to gather all the information and sort it your self like a puzzle, some time the puzzle is small and easy some time you cant find the middle piece to complete your puzzle. so my advice to you is take the exam as a puzzle put all the parts in front of you (mean read all and draw basic topology accordingly) and build your puzzle from bottom up (piece by piece) if you cant find a piece then skip you will find it later. Now with that analogy the Security is one of those last pieces in your puzzle that can brake your entire puzzle so you can decide either to leave one piece out or to start rearrange everything (not recommended). With that in mind I would like to talk here on CBAC or the IOS Firewall, the basic Idea is very similar to reflexive ACL but with enhanced support of features and application. What Do we need for the firewall to work: 1) We Must have an ACL - the ACL will be in most of the cases (for the R&S CCIE) on the outside interface and it will have a Deny all statement, now that was a hard issue for me to grasp at first I said to my self what the hell do I need the Firewall to use a ACL?! isn’t that already build into the firewall, well no! the Firewall is "inspecting" traffic as it go out or come in but the ACL define what to be denied from coming into the Router, so that mean only traffic that is coming from inside the network to outside is allowed back in and traffic that is trying to come from outside need to stay out unless there is a permit statement. 2) We need to define and inspect rules and that is another thing that you need to be careful, as if you only set a rule to inspect icmp that mean that only icmp traffic from your network to the outside and back will be allowed, if you will try to browse the internet without setting an inspect rule your traffic will not be inspected and therefore not been allowed back in!!! Now here is my home router example: I start by defign the traffic that I am using from in --> out ip inspect name HOME-FW sip <- My Voip service need to be up ip inspect name HOME-FW snmp <- I have Snmp Server to monitor the networks I maintain ip inspect name HOME-FW http <- a man need to surf :-) ip inspect name HOME-FW https <- some time need to use a secure web browsing ip inspect name HOME-FW dns <- well I do not want to use IP for all my surfing so I need name resolve server access ip inspect name HOME-FW smtp <- need to sent out mail ip inspect name HOME-FW pop3 <- mail in ip inspect name HOME-FW ssh <- all my servers using SSH (linux RHES) ip inspect name HOME-FW icmp <- Pings ip inspect name HOME-FW telnet <- Some of the router I manage are old or do not have SSH ip inspect name HOME-FW udp <- miscellaneous traffic ip inspect name HOME-FW tcp <- miscellaneous traffic ! ip access-list extended ACCESS-CONTROL permit icmp any any echo-reply <- that I am using as the traffic from the router it self is not inspected so if I will not permit it then I will not babble to ping from the router, the same go for the traceroute permit icmp any any time-exceeded permit icmp any any port-unreachable permit udp x.x.x.80 0.0.0.15 any eq snmptrap <- I have in my home a Snmp Server and to allow traps from outside to come in I need a permit permit udp x.x.x.80 0.0.0.15 any eq 5060 <- although I enabled SIP in the inspection rule calls that are originated from outside in need to be permitted as only traffic inspected from inside to outside is permited permit udp host x.x.x.83 any range 10000 20000 <- that is for the RTP, it is not really needed but for the "obscure" bugs that can happen I rather permit it then loose a call. deny ip any any log-input <- the log-input is for tracing attackers always good to have. ! interface Dialer0 <-- that is my outside interface .. ip access-group ACCESS-CONTROL in .. ! interface Vlan16 <-- that is my inside interface .. ip inspect HOME-FW in .. !

This is In response to the comment posted: The ACL has no direct relation to the CBAC firewall, it is there to prevent traffic coming into your network from the outside, the inspection rule is there to inspect traffic going out from your network. if the ACL was not there the traffic would have been inspected but still people would able to go into your network. so if you want to block traffic you must have ACL but if you inspect traffic then even if there is a deny statement on the outside interface traffic is allowed to return. so the short answer CBAC is not inspecting the ACL, CBAC is inspecting what you tell him on the inspection rule.

4 comments:

Dragan said...

Good text man...I also have some problems to figure out these feature CBAC. I mean I understand it and in same time not. Now just one question: when you put access-list on outside interface and denied something is CBAC going to inspect that? I think no...is that ok? And is scenario with input interface oposite to this one? I mean you have to permit something and then it is going to be CBAC-ed (good expresion :) )

Best regards,
Dragan

Alex S. said...

Good afternoon Shiran,
I work for Train Signal (www.trainsignal.com), a small IT company based in Chicago that specializes in creating video training on Windows, Cisco and VMWare networking topics.
I came across your My CCIE Training Guide blog while doing some marketing research for our Cisco Courses, and am very impressed. I enjoyed reading several of your posts and found them to be quite informative. I am contacting you today to see if you would be interested in taking a look at our new CCNA video training course (as well as our various CCNP courses if you desire). We are always looking for some feedback on our training courses and we would love to work with someone with as much expertise and passion as you have on this subject.

I think these courses would appeal to your target audience, as they are highly regarded by our customers and taught by a CCIE. They would be very helpful to anybody aiming for their CCNA, CCNP and eventually the CCIE. If you would like to take a look at our training, we will send you a copy of any of our Cisco courses for free. Also, feel free to look at our website for some more information regarding our company or our training products @ www.trainsignal.com. Thank you for your time and I look forward to hearing from you soon.
Sincerely,
Alex

cciep3 said...

Hi Alex

I realy appriciate the complements, you didnt left any email or other conntact detials so if you see this, currently I started a new job so I do not have much time but I would love to review and give you my point of view from the client prospective.

you can conntact me trough the linkedin under my profile.

Alex S. said...

Shiran,

I apologize for not leaving my contact info....Please e-mail me address where I can send the CCNA course....
Alex
Alex Skinger
Director of Corporate Sales
Train Signal - IT Training Products
www.trainsignal.com
www.trainsignaltraining.com
alex@trainsignal.com
p. 888-229-5055 (toll-free)
p. 847-776-8800 (Chicago Area & International)
f. 847-776-8801