
Advanced IOS Security

BRKSEC-3007

Rama Darbha, Customer Support Engineer


CCIE #28006
About the Presenter
Rama Darbha
Technical Assistance Center
Firewall and VPN technology groups
7 years experience in network security
CCIE #28006, Security
Guest Lecturer at North Carolina State University
Areas of expertise
IPv6
IOS and IOS-XE security features
Virtual Security

BRKSEC-3007 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
Data Plane Security
Zone Based Firewall
User Based Features
Authentication Proxy
User/Security Group Tagging
High Availability
Network Attack Mitigation
Control Plane Protection

Advanced IOS Security Overview

Data Plane Security (Through The Box)
Traffic that passes through the router
User and Services traffic
HTTP traffic to webservers
SIP traffic for voice phones
RDP sessions

Control Plane Security (To The Box)
Infrastructure traffic that maintains a network
Routing Protocols (BGP, EIGRP, OSPF)
Management (SSH, HTTP)
Monitoring (SNMP, Syslogs, NTP)

See also: BRKSEC-2007 Fundamental IOS Security


Data Plane Security

Data Plane Security using Zone Based Firewall

Permit trusted traffic
Create application aware policy
Apply QoS and rate limit
Establish connections limits
Log traffic
Allow tunneled/VPN traffic

Build a comprehensive security solution to protect user services
Using ZBFW provides a standardized framework for all security based features
Session will cover design considerations and the Appendix will have configuration examples

Data Plane Security: Identifying Traffic

Diagram: a Client on Ethernet0/0 sends HTTP, SMTP and FTP traffic through the router; Ethernet0/1 faces the Internet, where an SMTP Server and an HTTP Server answer.
See Appendix for complete configuration example

Access-lists (ACLs) as a Security Solution

syn, fin, rst, ack: only matches a TCP flag; not truly stateful
established: only matches on ACK and RST flag; not truly stateful
fragments: prevent fragments from entering network; heavy handed prevention of fragmentation attacks
ttl: restrict how far into the network traffic can pass; prevent control traffic from leaving the network
routing: restrict loose source routing; prevent clients from choosing their routing path

IOS-FW(config)# ip access-list extended 100
IOS-FW(config-ext-nacl)#permit tcp any any ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  fin          Match on the FIN bit
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  rst          Match on the RST bit
  syn          Match on the SYN bit
  established  Match established connections
  fragments    Check non-initial fragments
  ttl          Match packets with given TTL value

IOS-FW(config)# ipv6 access-list IN->OUT_IPv6
IOS-FW(config-ipv6-acl)#permit any any ?
  routing      Routing header (all types)

Access-group and Access-list Limitations

Diagram: Client on Ethernet0/0; Webserver and Attacker on Ethernet0/1.
How do we differentiate between Webserver response and Attacker traffic?

ip access-list extended IN->OUT
 permit tcp host Client any eq 80

ip access-list extended OUT->IN
 permit tcp any eq 80 host Client

Firewall Basic Functionality

Diagram: TRUSTED side with Client and SMTP Server; UNTRUSTED side (Internet) with Webserver and Attacker. The Client's HTTP Request and the Webserver's HTTP Response are allowed; the Attacker's malicious traffic is blocked.

Firewall prevents malicious traffic from entering the network by tracking connections

Zone Based Firewall
Overview

Recommended IOS Dataplane Security solution
Policies are applied to zones
Zones are applied to interfaces
Allows for scalable security policy
Zone policies are directional
Matches initial packet of the flow
  TCP matches SYN
  Non-TCP matches any packet
Default drop policy
  Tight security for unreferenced traffic

See Appendix for complete configuration example

Zone Policy Assignment and Scalability

Same zone can be assigned to multiple interfaces
Zone-pair policy can be reused
Interface can only be part of one zone
Zone-pairs permit traffic between two zones
Traffic between same zones requires policy as well
Traffic is specific to a zone-pair which allows for directed control

Diagram: zone-pair source USERS destination INTERNET (Users to Internet); zone-pair source USERS destination USERS (Users to Users)

interface Ethernet0/0.100
 zone-member security USERS
!
interface Ethernet0/0.200
 zone-member security USERS
!
interface Ethernet0/0.300
 zone-member security USERS
Zone Policy Assignment
Self Zone

Pre-defined zone member
Protects traffic to and from router
Traffic sourced or destined to router
Excludes NAT traffic
Two differences
1. Cannot configure self zone: pre-defined and available for use
2. Reverse functionality of zones: explicit allow compared to explicit deny
Use to protect management and control plane traffic

Diagram: traffic handled by the Self Zone
Monitoring traffic: SNMP, Syslogs, Netflow
Routing Protocols: EIGRP, OSPF, BGP
Management traffic: SSH, Telnet, HTTP
VPN: ESP, GRE, NAT-T, ISAKMP

Zone Based Firewall
Configuration Theory

1. Identify traffic using class-map: Access-list, Protocols
2. Take action using policy-map: Inspect, Drop, Pass
3. Apply action using zone-pair: Service policy applied to traffic

See Appendix for complete configuration example

Identifying Traffic using Class-maps

Class-maps identify traffic
Access-lists for IP addresses and ports
Protocols for Layer 7 matching
Class-maps can be nested
  Scalability through reuse
  Directed match criteria

Diagram: a Class-map can contain Protocol matches, Access-list matches and other Class-maps

class-map type inspect match-all USERS_PROTOCOLS
 match access-group name USER_ACL
 match protocol http

See Appendix for complete configuration example

Identifying Traffic using Class-maps
Match-Any vs Match-All

Match-All: Access-list USER_ACL + HTTP (traffic must match both conditions)
Match-Any: Access-list USER_ACL || HTTP (traffic matches either condition)

Identifying Traffic: Mixing and Matching

ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
class-map type inspect match-any USER_PROTOCOLS_CMAP
 match protocol http
 match protocol ftp
!
class-map type inspect match-all USERS->INTERNET_CMAP
 match access-group name USER_ACL
 match class-map USER_PROTOCOLS_CMAP

Take Action using Policy-Map

Inspect
  Builds connections for traffic
  Statefully examines the flow
  Allows return packets that match connection
  Preferred action for traffic
Drop
  Drops packets silently
Pass
  Bypasses firewall checks
  Return traffic must be explicitly allowed
  Only for customized traffic

Take Action using Policy-Map
Class-maps Order of Operation

Class-maps are processed in order
Always put more specific match conditions first
Order matters when applying inspect action/application inspection

General class first (SMTP is dropped by TCP_TRAFFIC_CMAP before SMTP_TRAFFIC_CMAP is ever evaluated):
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect TCP_TRAFFIC_CMAP
  drop
 class type inspect SMTP_TRAFFIC_CMAP
  inspect

Specific class first:
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect SMTP_TRAFFIC_CMAP
  inspect
 class type inspect TCP_TRAFFIC_CMAP
  drop
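As an added illustration (Python, not IOS configuration and not part of the deck), the model below walks a policy-map's classes in configured order, the way the router does, and also builds the nested match-all/match-any class-maps from the "Mixing and Matching" slide. The class and policy names are the slide's; the Flow record, the prefix-based stand-in for the access-group match and the two sample flows are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Constructed stand-in for the initial packet of a flow (the packet ZBFW classifies)."""
    src: str
    dst: str
    proto: str           # "tcp", "udp", "icmp"
    dport: int
    app: Optional[str]   # Layer 7 application NBAR would identify: "http", "smtp", ...


Matcher = Callable[[Flow], bool]


@dataclass
class ClassMap:
    """Models 'class-map type inspect match-all|match-any NAME'."""
    name: str
    mode: str                                   # "match-all" or "match-any"
    matchers: List[Matcher] = field(default_factory=list)

    def matches(self, flow: Flow) -> bool:
        results = [m(flow) for m in self.matchers]
        if not results:
            return False
        return all(results) if self.mode == "match-all" else any(results)


def match_protocol(name: str) -> Matcher:
    """'match protocol NAME': a Layer 7 application or a Layer 4 protocol."""
    return lambda f: f.app == name or f.proto == name


def match_access_group(prefix: str) -> Matcher:
    """Simplified 'match access-group name ACL': the ACL is reduced to a source prefix."""
    return lambda f: f.src.startswith(prefix)


def match_class_map(nested: ClassMap) -> Matcher:
    """'match class-map NESTED': a nested class-map is just another matcher."""
    return nested.matches


@dataclass
class PolicyMap:
    """Models 'policy-map type inspect NAME': classes are walked in configured order,
    the first class that matches decides the action, and class-default drops."""
    name: str
    classes: List[Tuple[ClassMap, str]]

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        for cmap, action in self.classes:
            if cmap.matches(flow):
                return cmap.name, action
        return "class-default", "drop"


# Nested class-maps from the "Mixing and Matching" slide.
USER_PROTOCOLS_CMAP = ClassMap("USER_PROTOCOLS_CMAP", "match-any",
                               [match_protocol("http"), match_protocol("ftp")])
USERS_INTERNET_CMAP = ClassMap("USERS->INTERNET_CMAP", "match-all",
                               [match_access_group("192.168.1."),
                                match_class_map(USER_PROTOCOLS_CMAP)])

# Class-maps from the "Order of Operation" slide: TCP is general, SMTP is specific.
TCP_TRAFFIC_CMAP = ClassMap("TCP_TRAFFIC_CMAP", "match-any", [match_protocol("tcp")])
SMTP_TRAFFIC_CMAP = ClassMap("SMTP_TRAFFIC_CMAP", "match-any", [match_protocol("smtp")])

GENERAL_FIRST = PolicyMap("INTERNET->APPLICATION_PMAP",
                          [(TCP_TRAFFIC_CMAP, "drop"), (SMTP_TRAFFIC_CMAP, "inspect")])
SPECIFIC_FIRST = PolicyMap("INTERNET->APPLICATION_PMAP",
                           [(SMTP_TRAFFIC_CMAP, "inspect"), (TCP_TRAFFIC_CMAP, "drop")])

# Constructed sample flows arriving from the Internet.
SMTP_FLOW = Flow("203.0.113.10", "192.168.1.25", "tcp", 25, "smtp")
HTTP_FLOW = Flow("203.0.113.10", "192.168.1.80", "tcp", 80, "http")


def compare_orders(flow: Flow) -> Dict[str, Tuple[str, str]]:
    """Show what each class order does with the same flow."""
    return {"general_first": GENERAL_FIRST.evaluate(flow),
            "specific_first": SPECIFIC_FIRST.evaluate(flow)}


if __name__ == "__main__":
    for label, flow in (("SMTP", SMTP_FLOW), ("HTTP", HTTP_FLOW)):
        print(label, compare_orders(flow))
```

With the general class first, the SMTP flow is dropped by TCP_TRAFFIC_CMAP and never reaches application inspection; with the specific class first it is inspected, while plain HTTP still falls through to the drop.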

See Appendix for complete configuration example

Apply Action using Zone-Pair
Apply Policy-map as Service-policy in Zone-pair

policy-map type inspect USERS->INTERNET_PMAP
 class type inspect DEVELOPMENT_TRAFFIC_CMAP
  pass
 class type inspect BLOCK_TRAFFIC_CMAP
  drop
 class type inspect ALLOWED_TRAFFIC_CMAP
  inspect
 class class-default
  drop
!
zone-pair security USERS->INTERNET_ZP source USERS destination INTERNET
 service-policy type inspect USERS->INTERNET_PMAP

pass (DEVELOPMENT_TRAFFIC_CMAP): customized traffic
drop (BLOCK_TRAFFIC_CMAP): drop unwanted traffic
inspect (ALLOWED_TRAFFIC_CMAP): enforce stateful security checks
drop (class-default): catch-all action

See Appendix for complete configuration example

Apply Action using Zone-Pair
Verifying Traffic on Zone Based Firewall

ZBFW builds a connection for inspected traffic

IOS-FW# show policy-firewall session zone-pair USERS->INTERNET_ZP
Zone-pair: USERS->INTERNET_ZP
Service-policy inspect : USERS->INTERNET_PMAP
  Class-map : USERS->INTERNET_CMAP(match-all)
   Established Sessions = 1
    Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB
     Created 00:00:08, Last heard 00:00:08
     Bytes sent (initiator:responder) [164:5980]
  Class-map : class-default(match-any)

Output hierarchy: Zone-pair (ZP), Service-policy (SP), Policy-map (PM), Class-map (CM)
Established Sessions: total sessions for the zone-pair
Created: uptime of connection
Bytes sent: bytes transferred

Uptime and Bytes can be used to verify functionality
Bytes sent are increasing = traffic is flowing successfully
If Last heard is at 00:00:00 = traffic is flowing successfully
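The two checks above can be automated against consecutive snapshots of the show command. The parser below is an added example (Python, not the deck's or Cisco's code); the session format follows the slide, while the two snapshots, the second session and all counter values are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed samples modelled on the slide's 'show policy-firewall session' output:
# two snapshots of the same zone-pair taken a few seconds apart (values made up).
SNAPSHOT_T0 = """\
Zone-pair: USERS->INTERNET_ZP
Service-policy inspect : USERS->INTERNET_PMAP
  Class-map : USERS->INTERNET_CMAP(match-all)
   Established Sessions = 2
    Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB
     Created 00:00:08, Last heard 00:00:08
     Bytes sent (initiator:responder) [164:5980]
    Session B251B5C0 (192.168.1.101:14128)=>(4.2.2.2:80) tcp SIS_OPEN/TCP_ESTAB
     Created 00:01:12, Last heard 00:01:10
     Bytes sent (initiator:responder) [300:300]
  Class-map : class-default(match-any)
"""
SNAPSHOT_T1 = """\
Zone-pair: USERS->INTERNET_ZP
Service-policy inspect : USERS->INTERNET_PMAP
  Class-map : USERS->INTERNET_CMAP(match-all)
   Established Sessions = 2
    Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB
     Created 00:00:13, Last heard 00:00:00
     Bytes sent (initiator:responder) [640:41200]
    Session B251B5C0 (192.168.1.101:14128)=>(4.2.2.2:80) tcp SIS_OPEN/TCP_ESTAB
     Created 00:01:17, Last heard 00:01:15
     Bytes sent (initiator:responder) [300:300]
  Class-map : class-default(match-any)
"""

SESSION_RE = re.compile(
    r"Session (?P<id>[0-9A-F]+) \((?P<src>[^:]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[^:]+):(?P<dport>\d+)\) (?P<proto>\S+) (?P<state>\S+)")
TIMERS_RE = re.compile(r"Created (?P<created>\S+), Last heard (?P<heard>\S+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(?P<i>\d+):(?P<r>\d+)\]")


def hms_to_seconds(hms: str) -> Optional[int]:
    """'00:01:12' -> 72; a standby unit's 'never' -> None."""
    if hms == "never":
        return None
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_sessions(output: str) -> Dict[str, dict]:
    """Return sessions keyed by session id, each tagged with the zone-pair and
    class-map it was listed under (the ZP/SP/PM/CM hierarchy from the slide)."""
    sessions: Dict[str, dict] = {}
    zone_pair = class_map = None
    current: Optional[dict] = None
    for line in output.splitlines():
        text = line.strip()
        if text.startswith("Zone-pair:"):
            zone_pair = text.split(":", 1)[1].strip()
        elif text.startswith("Class-map :"):
            class_map = text.split(":", 1)[1].strip()
        elif (m := SESSION_RE.match(text)):
            current = dict(m.groupdict(), zone_pair=zone_pair, class_map=class_map)
            current["sport"] = int(current["sport"])
            current["dport"] = int(current["dport"])
            sessions[current["id"]] = current
        elif current is not None and (m := TIMERS_RE.match(text)):
            current["created"] = hms_to_seconds(m["created"])
            current["last_heard"] = hms_to_seconds(m["heard"])
        elif current is not None and (m := BYTES_RE.match(text)):
            current["bytes_initiator"] = int(m["i"])
            current["bytes_responder"] = int(m["r"])
    return sessions


def flowing_sessions(before: str, after: str) -> List[str]:
    """Apply the slide's two checks to a pair of snapshots: a session is flowing if
    its byte counters grew, or if 'Last heard' is back at 00:00:00."""
    old_sessions, new_sessions = parse_sessions(before), parse_sessions(after)
    flowing = []
    for sid, new in new_sessions.items():
        old = old_sessions.get(sid)
        total_new = new["bytes_initiator"] + new["bytes_responder"]
        bytes_grew = old is not None and total_new > old["bytes_initiator"] + old["bytes_responder"]
        if bytes_grew or new["last_heard"] == 0:
            flowing.append(sid)
    return flowing
```

In the sample, only session B251B268 shows growing counters and a reset Last heard; B251B5C0 is open but idle, which is the case the slide's checks are meant to separate from a working flow.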

Apply Action using Zone-Pair
Advanced Inspection: Protocol vs Application

What's the difference?

Session B251B5C0 (192.168.1.100:14128)=>(4.2.2.2:80) tcp SIS_OPEN/TCP_ESTAB
Basic TCP inspection
  Layer 4 security checks
  Stateful tracking of connection

Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB
Advanced Layer 7 inspection
  Permit or drop traffic based on Layer 7 information
  Layer 7 protocol compliance (e.g. SIP)
  Dynamic opening of child connections (e.g. SIP, H323, FTP)

Out of Order Packet Handling

Application inspection requires packets to arrive in order
Out of Order (OoO) processing queues packets to be ordered

Apr 3 10:40:30.662: %FW-6-DROP_PKT: Dropping tcp session 4.2.2.2:80 10.1.1.1:58899 on zone-pair INSIDE->OUTSIDE_ZP class USERS_CMAP due to Out-Of-Order Segment with ip ident 0

Increasing the OoO size reduces inspection based packet loss

parameter-map type ooo global
 tcp reassembly memory limit 1024
 tcp reassembly queue length 16
 tcp reassembly timeout 30

memory limit and queue length: increase to allow more OoO packets
timeout: increase to compensate for latency in retransmission
Port Application Mapping (PAM)

Application inspection ports can be changed or modified
Router(config)# ip port-map http port 8080

Access-lists can be used to limit inspection ports
Used for overlapping inspection ports
Router(config)# ip port-map http port 8888 list 99

View existing ports for application inspection
Router# show ip port-map | i http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8080 user defined
Default mapping: http tcp port 8888 in list 99 user defined

See Appendix for complete configuration example

Blocking Websites using Zone Based Firewall

Block websites using local URL filtering
Match URLs using a regex parameter-map
URLs are in the Host field of the HTTP GET packet
Sending reset is only action supported when URL is matched

parameter-map type regex BLACKLIST_URLS
 pattern .*cisco.*
 pattern .*facebook.*

Diagram: packet layout
Ethernet Header: Source MAC, Destination MAC
IP Header: Source IP, Destination IP
TCP Header: Source Port, Destination Port
HTTP DATA: HTTP Request Method, Host, URI
Blocking Websites: Results

Number of regex is limited by the device
  3925 with 250 URLs
User gets no feedback
  Connection is reset
  May generate support calls from end clients
Will not match HTTPS traffic

See also: BRKSEC-2042 Content Filtering in the Enterprise


See Appendix for complete configuration example

Content Scanning Configuration
Cloud Web Security (CWS)

CWS integration provides
  User identification
  URL tracking
  Stateful TCP/HTTP enforcement
Preferred solution for content scanning
  Scalability through offloaded URL filtering
  Monitoring through user identification integration

interface Ethernet0/0
 ip nat outside
 zone-member security OUTSIDE
 content-scan out

IOS# show content-scan session active
Protocol Source            Destination         Bytes          Time
HTTP     10.1.1.100:57152  209.222.159.185:80  (1635:331595)  00:00:12
URI: www.cisco.com
Username/usergroup(s): ciscouser10/ ciscogroup10

URI: website visited
Username/usergroup(s): User Identity integration
Bytes: total data transferred


QoS Policy using Zone Based Firewall

policy-map type inspect USERS->INTERNET_PMAP
 class type inspect HTTP_CMAP
  police rate 10000000 burst 250000
 class type inspect BITTORRENT_CMAP
  police rate 5000000 burst 500000

Matched traffic is rate limited to the specific value
Simple traffic policer

Diagram: a 20 Mbps link divided into 10 Mbps (HTTP), 5 Mbps (BitTorrent) and 5 Mbps reserved for voice traffic

Enabling Connection Limits for Resource Protection
Resource Limits on IOS
Router has a fixed amount of memory for connections
Connection limitations will prevent DoS attacks from exhausting resources
Protects device
Protects endpoint services
Connection limits can protect:
Memory exhaustion
Limit total number of connections
Idle timer of established and half-open connections
Processor/CPU exhaustion
Limit rate of connection builds

See Appendix for complete configuration example

Advanced ZBFW Connection Limits
Timeouts

parameter-map type inspect CONN_TIMEOUT_PARAM
 tcp idle-time 18000
 tcp synwait-time 60

tcp idle-time: connection timeout
tcp synwait-time: half open session timeout

ZBFW will send resets to both endpoints once timer expires

Diagram: a TCP SYN arrives, the handshake does not complete within 60 seconds, and the ZBFW sends a TCP RST to both endpoints

See Appendix for complete configuration example

Advanced ZBFW Connection Limits
Maximums and Rates

parameter-map type inspect CONN_LIMIT_PARAM
 sessions maximum 1000
 max-incomplete high 100 low 75
 one-minute high 50
 one-minute low 25

sessions maximum: total sessions allowed
max-incomplete high/low: total half open sessions with clamping
one-minute high/low: rate of new connections on device

Diagram: 1000 connections are established; the 1001st connection exceeds the maximum
See Appendix for complete functionality example

Logging Dropped Packets

Dropped logging is enabled in two ways:
1. Parameter-map globally
   Does not affect drop actions
2. With drop action
   Logs only traffic in class-map

parameter-map type inspect global
 log dropped-packets enable
 log summary rate 30 flows 256
!
policy-map type inspect USERS->INTERNET_PMAP
 class class-default
  drop log

Dropped packet logging is rate limited after first hit
Logs summarized and rate limited to 256 flows every 30 seconds
Used for troubleshooting, unreliable for global monitoring

%FW-6-DROP_PKT: Dropping tcp session 192.168.1.100:29201 4.2.2.2:81 on zone-pair INSIDE->OUTSIDE_ZP class class-default due to DROP action found in policy-map with ip ident 0
See Appendix for complete configuration example

Logging New Connections

Logging new connections is not on by default

parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on

Processor intensive
  Interrupt driven messages can cause high CPU
Similar to log keyword on ACLs
  Used for troubleshooting
  Not recommended for monitoring

%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Start tcp session: initiator (192.168.1.100:34166) -- responder (4.2.2.2:80)

%FW-6-SESS_AUDIT_TRAIL: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Stop tcp session: initiator (192.168.1.100:34166) sent 164 bytes -- responder (4.2.2.2:80) sent 5980 bytes
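Both the %FW-6-DROP_PKT messages from the previous slide and the audit-trail Start/Stop pair above are only useful once they are aggregated off-box. The parser below is an added example (Python, not the deck's or Cisco's code); the message formats follow the two slides, while the sample log, its extra sessions and the byte counts are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed syslog sample modelled on the %FW-6 messages shown on the slides
# (the second drop, the third drop and the 443 session are made up).
SAMPLE_LOG = """\
%FW-6-DROP_PKT: Dropping tcp session 192.168.1.100:29201 4.2.2.2:81 on zone-pair INSIDE->OUTSIDE_ZP class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 192.168.1.100:29202 4.2.2.2:81 on zone-pair INSIDE->OUTSIDE_ZP class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 4.2.2.2:80 10.1.1.1:58899 on zone-pair INSIDE->OUTSIDE_ZP class USERS_CMAP due to Out-Of-Order Segment with ip ident 0
%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Start tcp session: initiator (192.168.1.100:34166) -- responder (4.2.2.2:80)
%FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Start tcp session: initiator (192.168.1.100:34167) -- responder (4.2.2.2:443)
%FW-6-SESS_AUDIT_TRAIL: (target:class)-(INSIDE->OUTSIDE_ZP:INSIDE->OUTSIDE_CMAP):Stop tcp session: initiator (192.168.1.100:34166) sent 164 bytes -- responder (4.2.2.2:80) sent 5980 bytes
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session (?P<a>\S+) (?P<b>\S+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) due to (?P<reason>.+?) with ip ident")
START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: \(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\):"
    r"Start (?P<proto>\w+) session: initiator \((?P<init>[^)]+)\) -- responder \((?P<resp>[^)]+)\)")
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: \(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\):"
    r"Stop (?P<proto>\w+) session: initiator \((?P<init>[^)]+)\) sent (?P<ib>\d+) bytes "
    r"-- responder \((?P<resp>[^)]+)\) sent (?P<rb>\d+) bytes")

SessionKey = Tuple[str, str]   # (initiator, responder) as "ip:port" strings


def summarize_drops(log: str) -> Dict[Tuple[str, str, str], int]:
    """Count DROP_PKT messages per (zone-pair, class, reason). Because the router
    summarizes and rate-limits these messages itself, the counts are a lower bound
    for troubleshooting, not an exact drop count."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = DROP_RE.search(line)
        if m:
            counts[(m["zp"], m["cls"], m["reason"])] += 1
    return dict(counts)


def audit_trail_sessions(log: str) -> Tuple[Dict[SessionKey, dict], List[SessionKey]]:
    """Pair audit-trail Start/Stop messages by (initiator, responder). Returns the
    completed sessions with their byte counts, and the sessions still open."""
    completed: Dict[SessionKey, dict] = {}
    open_sessions: Dict[SessionKey, dict] = {}
    for line in log.splitlines():
        if (m := START_RE.search(line)):
            key = (m["init"], m["resp"])
            open_sessions[key] = {"zone_pair": m["zp"], "class_map": m["cls"],
                                  "proto": m["proto"]}
        elif (m := STOP_RE.search(line)):
            key = (m["init"], m["resp"])
            # A Stop without a Start (log rotated) still yields a usable record.
            info = open_sessions.pop(key, {"zone_pair": m["zp"], "class_map": m["cls"],
                                           "proto": m["proto"]})
            info["initiator_bytes"] = int(m["ib"])
            info["responder_bytes"] = int(m["rb"])
            completed[key] = info
    return completed, sorted(open_sessions)
```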

Data Plane Security of Tunneled Traffic using ZBFW

Tunneled traffic can be encrypted
Tunnel traffic is control plane vs Transit traffic is data plane
Tunnels are used to connect remote locations
Connect to all remote locations using a VPN to allow secure connectivity
Traffic should still be subjected to ZBFW because it may not be trusted

Tunneled traffic
  Self-to-Out zone-pair will identify Tunnel (ESP/GRE/6in4) traffic
  Pass as an action
Unencapsulated traffic
  Inside-to-Tunnel zone-pair will identify the data plane traffic
  Inspect as an action to allow return traffic through

ZBFW and Tunneling

Diagram: the Client Packet (SRC A, DST B; Local Zone to Remote Zone) is carried inside the VPN Packet (SRC X, DST Y; Self Zone to Internet Zone) across the Tunnel

Remote zone depends on Tunnel configuration
  Crypto map on interface
  VTI
VPN packet is always sourced from self zone since it is generated by the router

ZBFW and Tunneling: Design Considerations

Diagram: host A in zone LOCAL (IPv6), tunnel endpoint X on OUTSIDE (IPv4), tunnel endpoint Y, host B in zone REMOTE (IPv6); the Tunnel carries IPv6 across the IPv4 OUTSIDE network

interface WAN
 zone-member security OUTSIDE
!
interface Tunnel0
 zone-member security REMOTE
 tunnel mode [ipsec|gre|ipv6ip]

Zone-pairs: source LOCAL destination REMOTE; source SELF destination OUTSIDE

Firewall policies should be applied on device before encapsulation or encryption occurs
6in4 tunneling is becoming more common and is an easy way to circumvent established security policies
ZBFW can be used to protect both IPv6 and IPv4 stacks if positioned and deployed correctly

See Appendix for complete configuration example

ZBFW Interaction with Other Features

Diagram: features applied on the same interface: ACL, ZBFW, NAT, QoS, VPN

interface Ethernet0/1
 ip access-group IN_ACL in
 zone-member security INSIDE
 ip nat inside
 service-policy input QoS
 crypto map CRYPTO_MAP

Summary of ZBFW features

Access Control
  ZBFW: Zone members/Zone Pairs; Stateful; Scalable
  IOS: Interface access-lists; Not stateful; Cannot integrate with VPN
Application Aware Policies
  ZBFW: Layer 7 inspection policy; Integrated into inspection; Utilizes NBAR for matching
  IOS: NBAR using MQC; Independent configuration; Not stateful
Quality of Service (QoS)
  ZBFW: Policing integrated with ZBFW policy-map; Simple policing
  IOS: Traffic shaping with interface QoS policy; Optimizes traffic flow
Monitoring
  ZBFW: Audit-trail in global parameter-map; Interrupt driven connection information
  IOS: ACL log hits; Simplified packet counting; Netflow; Connection oriented packet counting

User Identity

See Appendix for address assignment information

User Identity Concepts

What happens when a user moves within a network?
Effective security policies track users throughout the network
Tracking can be done using:
  IP address
  Username
  OS/Application/etc
Types of Authentication

Active
  Definition: Router learns user credentials directly from Client; Username and password are verified against ACS/ISE/AD
  Example: Authentication Proxy using ACS (Browser based, NTLM)
Passive
  Definition: User provides credentials to a third-party device; Router learns user information from third-party device
  Example: Security Group Tagging using Dot1x
Transparent
  Definition: Router learns user credentials directly from Client; Not checked against external server; Router just trusts user information
  Example: Do Not Use!

Authentication Proxy Overview
Client prompted for credentials by login
prompt
Username and password are checked
Local
Radius
Radius can pass down attributes
Downloadable ACL
User Groups
Security Group Tagging

Authentication Proxy Traffic Flow: User Challenge

Diagram: the Client opens an HTTP Connection through the router; the router asks "Who are you?" and the Client answers "I am UserA" (ACS is not consulted yet)
Authentication Proxy Traffic Flow: Consult ACS

Router to ACS: What should I do with UserA?
ACS to Router: Permit UserA, BUT restrict their access using this ACL.

ip access-list extended DACL
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit icmp any any
See Appendix for complete configuration example

Authentication Proxy Traffic Flow: Apply Action

Diagram: the router applies the ACL returned by ACS for each user; UserA is subject to UserA_DACL and UserB to UserB_DACL

ip access-list extended UserA_DACL
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 21

ip access-list extended UserB_DACL
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit icmp any any
See Appendix for complete configuration example

Consent Parameter-map

User is forced to accept terms of use before logging in
Login success only if terms are accepted
Terms of use can be regularly updated through an on-device HTML file
Legal requirements for certain environments

User Group Tagging: Consult ACS

Router to ACS: What should I do with UserA?
ACS to Router: Permit UserA, BUT mark them with this special Cisco user tag.
  Cisco Avpair: Supplicant Group = ENG, SGT = 3

Routers will ask the ACS/ISE for group information of the user
Group information is known as tags/SGT
Router will apply specific configuration based on these tags
Configuration on each router is known as template
User Group Tagging: Traffic Processing

User Groups/SGT render identity features stateful

UserA (User Group MKT, SGT 3):
class-map type inspect INSIDE->OUTSIDE_CMAP
 match user-group MKT
 match security-group source tag 3

UserB (User Group ENG, SGT 4):
class-map type inspect INSIDE->OUTSIDE_CMAP
 match user-group ENG
 match security-group source tag 4
Security Group Tagging: Traffic Path

Passive Authentication
Diagram: the Client authenticates with Dot1x and is assigned SGT 3; its HTTP Connection carries SGT 3 to the firewall

class-map type inspect INSIDE->OUTSIDE_CMAP
 match security-group source tag 3

Comprehensive SGT requires a full end-to-end integration
All devices need to be supported platforms on supported versions

High Availability

See Appendix for complete configuration example

High Availability (HA)

Device and interface level redundancy ensure no connectivity loss
Traffic must always pass through the Active Device
Configurations are not replicated between units
Example of independent features
  Routing tables
  Interface configurations
  Firewall features
Traffic is mapped using Redundant Interface Identifier (rii)
Interfaces on units do not have to be the same

Diagram: two units joined by an HA control interface
Connection Replication

ZBFW1#show policy-firewall session
Session B2704178 (10.1.1.100:52980)=>(203.0.113.100:23) tcp SIS_OPEN/TCP_ESTAB
 Created 00:00:31, Last heard 00:00:30
 Bytes sent (initiator:responder) [37:79]
 HA State: ACTIVE, RG ID: 1
Established Sessions = 1

ZBFW2#show policy-firewall session
Session B2601288 (10.1.1.100:52980)=>(203.0.113.100:23) tcp SIS_OPEN/TCP_ESTAB
 Created 00:00:51, Last heard never
 Bytes sent (initiator:responder) [0:0]
 HA State: STANDBY, RG ID: 1
Established Sessions = 1

Connection state information is replicated across HA control interface
Interfaces are mapped between units using rii number

LAN interfa ces

Unit 1:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive

Unit 2:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive

Traffic is routed to a VIP address (10.1.1.3)
Active unit always processes traffic
WAN interfaces

Internet-Router# show ip route
S* 10.1.1.0/24 [1/0] via 172.16.1.1
                     via 192.168.1.1

Diagram: the Active unit is reached via 172.16.1.1 and the Standby unit via 192.168.1.1; both sit in front of 10.1.1.0/24

Traffic is routed independently to each unit
Active unit always processes traffic
SLA route tracking ensures traffic is sent to Active unit
See Appendix for complete configuration example

Asymmetric Routing

Diagram: the Active unit is connected to ISP1 and the Standby unit to ISP2, with a dedicated Asymmetric interface between the two units

Standby forwards traffic to Active across dedicated Asymmetric interface
Source rii is provided so Active knows what zone-pair to process against
Do not route traffic on Asymmetric interface
  Potential for routing loops
Network Attack Mitigation

Attack Security

Denial of Service Attack
  TCP SYN Flood
IP Fragmentation Attack
  Tiny Fragment
  Overlapping Fragment
  Buffer Overflow
Spoofing Attack
  Reflection Flood

Identifying Attack Vector

Diagram: suspect traffic enters on Ethernet0/1 and is forwarded toward Ethernet0/0

Router(config)# interface Ethernet0/1
Router(config-if)# ip access-group 100 in
Router(config-if)# ip flow ingress

Router# show access-list 100
Extended IP access list 100
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (2 matches)
    permit tcp any any eq www (21374 matches)
    permit udp any any (15 matches)
    permit ip any any (45 matches)

Tracking Source of DoS attacks

Router# show ip cache flow
...
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW            255      0.0         1    64    255.0       4.0      15.5
...
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/1         203.0.113.102   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.103   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.104   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.105   Et0/0         10.1.1.10       06 CDF7 0050     1
...

Single packet per attack flow (Packets/Flow = 1)
Incrementing attacker IP (SrcIPaddress)
Same victim IP (DstIPaddress)
Same TCP ports (SrcP, DstP)
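The four indicators above can be checked mechanically over the per-flow table. The script below is an added example (Python, not the deck's or Cisco's code) that parses the flow-cache layout shown on the slide, where ports are printed in hex and protocol 06 is TCP; the sample table is constructed and adds a normal 42-packet flow and a UDP flow so the filter has something to exclude.

```python
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, List

# Constructed records modelled on the slide's 'show ip cache flow' per-flow table:
# one-packet TCP flows from consecutive sources to one victim, plus two benign flows.
SAMPLE_FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/1         203.0.113.102   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.103   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.104   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.105   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         198.51.100.7    Et0/0         10.1.1.10       06 A3F1 0050    42
Et0/1         198.51.100.9    Et0/0         10.1.1.25       11 0035 D2C4     3
"""


def parse_flow_cache(output: str) -> List[dict]:
    """Parse the per-flow table; protocol and ports are hex in this output."""
    flows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        src_if, src, dst_if, dst, proto, sport, dport, pkts = parts
        flows.append({"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
                      "proto": int(proto, 16), "sport": int(sport, 16),
                      "dport": int(dport, 16), "pkts": int(pkts)})
    return flows


def syn_flood_candidates(flows: List[dict], min_sources: int = 3) -> Dict[tuple, dict]:
    """Group single-packet TCP flows by (victim, destination port) and report the
    groups fed by many distinct sources. Consecutive source addresses are the
    'incrementing attacker IP' pattern from the slide and point at spoofing."""
    groups = defaultdict(list)
    for f in flows:
        if f["proto"] == 6 and f["pkts"] == 1:      # TCP, one packet per flow
            groups[(f["dst"], f["dport"])].append(f)
    report = {}
    for key, group in groups.items():
        sources = sorted({ip_address(f["src"]) for f in group})
        if len(sources) < min_sources:
            continue
        sequential = all(int(b) - int(a) == 1 for a, b in zip(sources, sources[1:]))
        report[key] = {"sources": len(sources),
                       "same_src_port": len({f["sport"] for f in group}) == 1,
                       "sequential_sources": sequential,
                       "ingress": sorted({f["src_if"] for f in group})}
    return report
```

The ingress interface in the report is what you would feed into the ACL or TCP intercept configuration on the following slides.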
See Appendix for complete configuration example

SYN Flood Attack Mitigation using TCP Intercept

Intercept Mode
  Diagram: the router answers the client's SYN with SYN+ACK itself and completes the handshake (ACK); only then does it open the connection to the server with its own SYN, SYN+ACK, ACK
Watch Mode
  Diagram: the client's SYN, the server's SYN+ACK and the client's ACK pass through while the router watches the handshake; if it does not complete in time the router sends RST to both sides

IP Fragmentation Attacks

Original Packet: IP Header | TCP Header | Data

Tiny Fragment
  Fragment 1: IP Header | TCP Header (first part)
  Fragment 2: IP Header | TCP Header (rest) | Data
Overlapping Fragments
  Fragment 1: IP Header | TCP Header | Data
  Fragment 2: IP Header | Data (overlaps the data of Fragment 1)
Buffer Overflow
  Fragment 1: IP Header | TCP Header | Data
  Fragment 2: IP Header | Data (reassembled datagram exceeds the Buffer)
See Appendix for complete configuration example

IP Fragmentation Attack Mitigation
Fragments keyword in ACL

ip access-list extended FRAGMENTS_ACL
 deny ip any host 192.168.1.100 fragments
 permit tcp any host 192.168.1.100 eq 80
 deny ip any any

Diagram: Fragment 1 (IP Header | TCP Header | Data) arriving on Ethernet0/1 carries the Layer 4 header and is evaluated by the permit tcp entry; Fragment 2 (IP Header | Data), a non-initial fragment, is matched by the fragments entry and denied

See Appendix for log information

IP Fragmentation Attack Mitigation


IP Virtual Fragment Reassembly (VFR) Configuration
Enabling VFR
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in
Restricting the number of concurrent IP datagrams
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in max-reassemblies 64
Limiting the number of fragments per IP datagram
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in max-fragments 16
Drop all IP fragments
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in drop-fragments

See Appendix for complete configuration example

Spoofing Attacks
Unicast Reverse Path Forwarding

Packet: Src 20.1.1.100, Dst 10.1.1.200, arriving on Ethernet0/1

Router# show ip route
C 10.1.1.0/24 directly connected, Ethernet0/0
C 192.168.1.0/24 directly connected, Ethernet0/1
S 20.1.1.0/24 via Ethernet0/0

The route back to the source 20.1.1.0/24 points out Ethernet0/0, not the interface the packet arrived on, so uRPF treats the source as spoofed
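The decision uRPF makes here is a longest-prefix lookup on the source address followed by an interface comparison. The model below is an added example (Python, not the deck's or Cisco's code) using the routing table from the slide; it assumes the packet sourced from 20.1.1.100 arrives on Ethernet0/1 and also shows loose mode, which the slide does not cover, for comparison.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Routing table from the slide as (prefix, egress interface) pairs.
ROUTING_TABLE: List[Tuple[str, str]] = [
    ("10.1.1.0/24", "Ethernet0/0"),      # C, directly connected
    ("192.168.1.0/24", "Ethernet0/1"),   # C, directly connected
    ("20.1.1.0/24", "Ethernet0/0"),      # S, static route out Ethernet0/0
]


def lookup(table: List[Tuple[str, str]], addr: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (prefix, interface) or None when unrouted."""
    ip = ip_address(addr)
    best: Optional[Tuple[str, str]] = None
    for prefix, iface in table:
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(table: List[Tuple[str, str]], src: str, ingress_if: str,
               mode: str = "strict") -> Tuple[bool, str]:
    """Unicast RPF decision for a packet with source 'src' arriving on 'ingress_if'.
    strict: the best route back to the source must point out the ingress interface.
    loose:  any route to the source is enough (tolerates asymmetric routing).
    Returns (permit, reason)."""
    route = lookup(table, src)
    if route is None:
        return False, f"no route to source {src}"
    prefix, iface = route
    if mode == "loose":
        return True, f"{src} is reachable via {prefix} ({iface})"
    if iface == ingress_if:
        return True, f"{src} is reachable via {prefix} out {iface}, matching ingress"
    return False, f"{src} is routed via {iface} but arrived on {ingress_if}: spoofed"


if __name__ == "__main__":
    # The slide's packet: source 20.1.1.100 arriving on Ethernet0/1.
    print(urpf_check(ROUTING_TABLE, "20.1.1.100", "Ethernet0/1"))
    print(urpf_check(ROUTING_TABLE, "192.168.1.50", "Ethernet0/1"))
```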

Control Plane Security

Control Plane Diagram

All traffic that requires special handling will go through the router's control plane
This traffic will be processed by the Route Processor, leaving the router vulnerable to resource exhaustion

Diagram: the Input Forwarding Path (CEF) feeds the Aggregate Control Plane, which is divided into Host (Port Filter, Queue Threshold, Policing), Transit (Policing) and CEF Exception (Policing)


Control Plane Policing (CPP)

Rate limit traffic to CPU using quality of service (QoS) policy
Actions for traffic: Permit, Rate Limit, Drop
Protect against control plane oversubscription


See Appendix for additional information

Control Plane Protection (CoPPr)

The Aggregate Control Plane is divided into three subinterfaces:
Host: traffic destined to the router (Management, Routing Protocols, Tunnel Traffic)
Transit: traffic traversing the router that needs features requiring additional processing
CEF Exception: traffic redirected to the RP (packets with special attributes)

BRKSEC-3007 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Control Plane Protection Example
Problem
Router receiving too much traffic to process on non-listening ports

Solution
Preemptively drop all traffic destined to closed ports
Router should only process traffic to open ports:
  Services for management
  Services for monitoring
  Ephemeral ports opened for applications
(Diagram: Internet traffic arriving at a map of the router's closed ports)
Control Plane Protection
Port Filtering

class-map type port-filter match-all PORTFILTER_CMAP
 match closed-ports                                   ! Match all closed ports
!
policy-map type port-filter PORTFILTER_PMAP
 class PORTFILTER_CMAP
  drop                                                ! Drop any traffic to a closed port
!
control-plane host                                    ! Apply to the host subinterface
 service-policy type port-filter input PORTFILTER_PMAP

See Appendix for complete configuration example

Control Plane Protection
Viewing Open Ports
Only telnet is enabled on the router

Router#show control-plane host open-ports
Active internet connections (servers and established)
Prot   Local Address   Foreign Address   Service   State
tcp    *:23            *:0               Telnet    LISTEN

Traffic destined to any other port on the router will be early dropped, before CPU processing
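To make the host-subinterface behaviour on these slides concrete, here is an added Python model (not Cisco code and not part of the original deck) of the two stages: the port-filter drops packets to closed ports before they reach the Route Processor, and a policer rate-limits what is left. The open-port list is the constructed equivalent of the show control-plane host open-ports output above (only tcp/23); the token-bucket rate, burst and packet timings are constructed values chosen to show both kinds of drop.

```python
from dataclasses import dataclass, field

# Constructed from 'show control-plane host open-ports': only Telnet is listening
OPEN_PORTS = {("tcp", 23)}


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    dst_port: int   # port on the router the packet is addressed to
    size: int       # bytes


@dataclass
class TokenBucket:
    """Single-rate policer: 'rate' bytes per millisecond with a burst of 'burst'
    bytes.  Integer milliseconds keep the arithmetic exact.  Constructed model,
    not an IOS policer implementation."""
    rate: int
    burst: int
    tokens: int = field(init=False)
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = self.burst

    def conform(self, size, now_ms):
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def host_subinterface(timed_packets, policer, open_ports=OPEN_PORTS):
    """Apply the host subinterface protection to (time_ms, Packet) pairs.

    Order matters: the port-filter runs first, so packets to closed ports never
    consume policer tokens and never reach the CPU ('early dropped')."""
    verdicts = []
    for now_ms, pkt in timed_packets:
        if (pkt.proto, pkt.dst_port) not in open_ports:
            verdicts.append("drop-closed-port")
        elif not policer.conform(pkt.size, now_ms):
            verdicts.append("drop-exceed")
        else:
            verdicts.append("permit")
    return verdicts


# Constructed traffic: a telnet session mixed with probes to closed ports
SAMPLE = [
    (0,   Packet("tcp", 23, 100)),
    (10,  Packet("tcp", 80, 100)),   # HTTP server not enabled: closed port
    (20,  Packet("udp", 161, 100)),  # SNMP not enabled: closed port
    (30,  Packet("tcp", 23, 100)),
    (40,  Packet("tcp", 23, 100)),
    (50,  Packet("tcp", 23, 100)),   # burst exhausted: the policer drops this one
    (400, Packet("tcp", 23, 100)),   # bucket refilled
]


def run_sample():
    # 1 byte/ms (1000 bytes/s) with a 300-byte burst, both constructed
    return host_subinterface(SAMPLE, TokenBucket(rate=1, burst=300))


def summarize(verdicts):
    """Counts per verdict, the figures to watch in the control-plane policy counters."""
    counts = {}
    for v in verdicts:
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for (t, pkt), verdict in zip(SAMPLE, run_sample()):
        print(f"t={t:4d}ms {pkt.proto}/{pkt.dst_port:<4} {verdict}")
    print(summarize(run_sample()))
```

The closed-port probes are dropped without touching the policer, which is the point of the port-filter: an attacker cannot use traffic to closed ports to exhaust the policer budget that legitimate management sessions rely on.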
Summary
Protect the data plane using ZBFW configuration
  Application aware features allow deep packet inspection
  Logging traffic successfully
Track users using identity features
  Authentication proxy with consent option provides legal enforcement
  User groups and SGT allow for stateful user tracking
High Availability of firewall features
  LAN and WAN interfaces provide solutions for each routing environment
  Asymmetrically routed traffic is supported through traffic redirection
Protect end user services from attacks
  Attack defense should depend on the attack vector
Protect router services from resource exhaustion using Control Plane Protection
Recommended Readings
Participate in the My Favorite Speaker Contest
Promote Your Favorite Speaker and You Could be a Winner
Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
Send a tweet and include
  Your favorite speaker's Twitter handle @CiscoTACPodcast
  Two hashtags: #CLUS #MyFavoriteSpeaker
You can submit an entry for more than one of your favorite speakers
Don't forget to follow @CiscoLive and @CiscoPress
View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
Demos in the Cisco Campus
Walk-in Self-Paced Labs
Table Topics
Meet the Engineer 1:1 meetings

Appendix

Firewall Basic Functionality
(Diagram: TRUSTED side with Client and SMTP Server, firewall in the middle, UNTRUSTED side with Webserver, Attacker and the Internet)
Client -> Webserver: HTTP Request
Webserver -> Client: HTTP Response
Attacker -> SMTP Server: Malicious SMTP traffic
Firewall prevents malicious traffic from entering the network by tracking connections

See Appendix for complete configuration example

Zone Policy Assignment and Scalability

Users side: zone USERS
interface Ethernet0/0.100
 zone-member security USERS
interface Ethernet0/0.200
 zone-member security USERS
interface Ethernet0/0.300
 zone-member security USERS
!
Internet side: zone INTERNET
interface Ethernet0/1
 zone-member security INTERNET
!
zone-pair security USERS->INTERNET source USERS destination INTERNET
 service-policy type inspect USER->INTERNET_PM
Zone Based Firewall (ZBFW) Zone Members

Trusted Zone (INSIDE)              Untrusted Zone (OUTSIDE)
interface Ethernet0/0              interface Ethernet0/1
 zone-member security INSIDE        zone-member security OUTSIDE

zone-pair security INSIDE->OUTSIDE_ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE->OUTSIDE_PMAP

ZBFW uses zones as the foundation for all policies
The same zone can be applied to multiple interfaces
Each interface can only be part of one zone
Building Zone-pairs
(Diagram, two slides: four zones, Users, Database, Application and Internet, then the same zones drawn as the source and destination ends of zone-pairs)

See Appendix for complete configuration example

Zone Member Scalability
(Diagram: Users zone with zone-pairs source USERS destination INTERNET, source USERS destination APPLICATION, and a reverse pair with destination USERS)
Zone policies are directional
Initiated traffic matches from SOURCE to DESTINATION
Return traffic matches the existing connection
ZBFW scales when there are multiple zones
Intrazone policies
On IOS 12.X releases, traffic between interfaces belonging to the same zone was allowed to pass without inspection.
On IOS 12.X releases it was not possible to define intrazone ZFW policies.
Starting on IOS 15.0(1)M, intrazone traffic is blocked by default.
IOS 15.X allows the creation of intrazone policies (source and destination of traffic in the same zone):

zone-pair security APPLICATION->APPLICATION_ZP source APPLICATION destination APPLICATION
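The rules stated across the zone slides above (one zone per interface, directional zone-pairs, return traffic matching the existing session, and the 15.x intrazone default) can be checked against a small model. The Python below is an added example, not Cisco code and not part of the deck: a toy evaluator for a packet that has already been routed. Zone and interface names follow the slides; the packets and the "permit-no-zones" / "drop-zone-to-non-zone" outcomes model the standard ZBFW handling of interfaces outside any zone.

```python
from collections import namedtuple

# A routed packet: ingress interface, egress interface and the 5-tuple.
Packet = namedtuple("Packet", "in_if out_if proto src sport dst dport")


class ZoneFirewall:
    """Zone-based decision model (constructed, not IOS code)."""

    def __init__(self, intrazone_default="drop"):
        # 15.0(1)M and later: intrazone traffic is dropped unless an intrazone
        # zone-pair exists.  Use "pass" to model the 12.X behaviour.
        self.intrazone_default = intrazone_default
        self.zone_of = {}      # interface -> zone
        self.zone_pairs = {}   # (source zone, destination zone) -> action
        self.sessions = set()  # 5-tuples created by the 'inspect' action

    def zone_member(self, interface, zone):
        """'zone-member security <zone>': an interface belongs to one zone only."""
        if interface in self.zone_of:
            raise ValueError(f"{interface} is already a member of zone {self.zone_of[interface]}")
        self.zone_of[interface] = zone

    def zone_pair(self, source, destination, action):
        """'zone-pair security ... source S destination D' carrying the
        policy-map class action: 'inspect', 'pass' or 'drop'."""
        self.zone_pairs[(source, destination)] = action

    def forward(self, p):
        # Return traffic is matched against the session created when the
        # connection was initiated, so no reverse zone-pair is needed.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit-existing-session"
        src_zone = self.zone_of.get(p.in_if)
        dst_zone = self.zone_of.get(p.out_if)
        if src_zone is None and dst_zone is None:
            return "permit-no-zones"          # ZBFW is not involved at all
        if src_zone is None or dst_zone is None:
            return "drop-zone-to-non-zone"    # cf. the logging table in the appendix
        action = self.zone_pairs.get((src_zone, dst_zone))
        if action is None:
            if src_zone == dst_zone:
                return f"{self.intrazone_default}-intrazone-default"
            return "drop-no-zone-pair"        # zone-pairs are directional
        if action == "inspect":
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action


def demo():
    """Constructed scenario following the zone names on the slides."""
    fw = ZoneFirewall()
    fw.zone_member("Ethernet0/0.100", "USERS")
    fw.zone_member("Ethernet0/1", "INTERNET")
    fw.zone_member("Ethernet0/2", "APPLICATION")
    fw.zone_member("Ethernet0/3", "APPLICATION")
    fw.zone_pair("USERS", "INTERNET", "inspect")
    out = []
    # 1. user opens HTTP to the Internet: USERS->INTERNET inspected, session created
    out.append(fw.forward(Packet("Ethernet0/0.100", "Ethernet0/1", "tcp", "192.168.1.100", 59651, "4.2.2.2", 80)))
    # 2. server reply: no INTERNET->USERS pair, but it matches the existing session
    out.append(fw.forward(Packet("Ethernet0/1", "Ethernet0/0.100", "tcp", "4.2.2.2", 80, "192.168.1.100", 59651)))
    # 3. new connection from the Internet to a user: no zone-pair in that direction
    out.append(fw.forward(Packet("Ethernet0/1", "Ethernet0/0.100", "tcp", "4.2.2.2", 40000, "192.168.1.100", 22)))
    # 4. application server to application server: same zone, no intrazone pair
    app = Packet("Ethernet0/2", "Ethernet0/3", "tcp", "10.2.0.5", 51000, "10.2.1.5", 1521)
    out.append(fw.forward(app))
    # 5. after 'zone-pair security APPLICATION->APPLICATION_ZP source APPLICATION destination APPLICATION'
    fw.zone_pair("APPLICATION", "APPLICATION", "inspect")
    out.append(fw.forward(app))
    # 6. user to an interface that belongs to no zone
    out.append(fw.forward(Packet("Ethernet0/0.100", "Ethernet0/4", "udp", "192.168.1.100", 5000, "10.9.9.9", 53)))
    return out


if __name__ == "__main__":
    for step, verdict in enumerate(demo(), 1):
        print(step, verdict)
```

Step 3 is the one to remember when troubleshooting: a reply packet gets through on the session table, but a fresh connection in the reverse direction needs its own zone-pair and policy.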
Advanced Topology
(Diagram: Clients in the USERS zone connected through the router to the Database, Internet and Application zones)
zone-pair security USERS->DATABASE_ZP source USERS destination DATABASE
zone-pair security USERS->INTERNET_ZP source USERS destination INTERNET
zone-pair security USERS->APPLICATION_ZP source USERS destination APPLICATION
Identifying Traffic Class-Map Theory
Class-map using an access-list
 ip access-list extended USER_ACL
  permit tcp any any eq 80
Class-map using a protocol
 match protocol http
Class-map using a nested class-map
 match class-map USER_PROTOCOLS
Identifying Traffic using Class-Map Examples

Example 1: ACL matching
ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-1
 match access-group name USER_ACL

Example 2: Protocol matching
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-2
 match protocol http

Example 3: Nested class-map matching
class-map type inspect match-any USER_PROTOCOLS_CMAP
 match protocol http
 match protocol ftp
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-3
 match class-map USER_PROTOCOLS_CMAP
Applying Policy-map
(Diagram: Clients in the USERS zone connected to the Database, Internet and Application zones)
zone-pair security USERS->DATABASE_ZP source USERS destination DATABASE
 service-policy type inspect USERS->DATABASE_PMAP
zone-pair security USERS->INTERNET_ZP source USERS destination INTERNET
 service-policy type inspect USERS->INTERNET_PMAP
zone-pair security USERS->APPLICATION_ZP source USERS destination APPLICATION
 service-policy type inspect USERS->APPLICATION_PMAP
Inspect Traffic Protocol vs Application

Class-map matching on an ACL: the session is tracked as plain TCP
ip access-list extended USER_ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-1
 match access-group name USER_ACL

Session B251B5C0 (192.168.1.100:14128)=>(4.2.2.2:80) tcp SIS_OPEN/TCP_ESTAB

Class-map matching on a protocol: the session is tracked as HTTP over TCP
class-map type inspect match-any USER_PROTOCOLS_CMAP
 match protocol http
!
class-map type inspect match-all INSIDE->OUTSIDE_CMAP-3
 match class-map USER_PROTOCOLS_CMAP

Session B251B268 (192.168.1.100:59651)=>(4.2.2.2:80) http:tcp SIS_OPEN/TCP_ESTAB
Allowing Inbound Traffic
Zone-pairs are unidirectional
Any traffic must be explicitly allowed in the opposite direction

class-map type inspect match-all SMTP_SERVER_CMAP
 match access-group name SMTP_SERVER_ACL
 match protocol smtp
!
policy-map type inspect INTERNET->APPLICATION_PMAP
 class type inspect SMTP_SERVER_CMAP
  inspect
 class class-default
  drop
!
zone-pair security INTERNET->APPLICATION_ZP source INTERNET destination APPLICATION
 service-policy type inspect INTERNET->APPLICATION_PMAP
Parameter-Map Overview
Router(config)# parameter-map type ?
  consent        Parameter type consent
  content-scan   Content-scan parameter-map
  inspect        inspect parameter-map
  ooo            TCP out-of-order parameter-map for FW and IPS
  protocol-info  protocol-info parameter-map
  regex          regex parameter-map
  urlf-glob      URLF glob parameter-map
  urlfpolicy     Parameter maps for urlfilter policy
  waas           WAAS Parameter Map
Application Layer Inspection HTTP Example

Application specific ZBFW configuration (type inspect http): match on application specific header information
parameter-map type regex BLACK_LIST_PARAM
 pattern .*cisco.*
!
class-map type inspect http match-all BLACK_LIST_CMAP
 match request header host regex BLACK_LIST_PARAM
!
policy-map type inspect http BLACK_LIST_PMAP
 class type inspect http BLACK_LIST_CMAP
  reset

General ZBFW configuration (type inspect): match on ports and protocols
policy-map type inspect USERS->INTERNET_PMAP
 class type inspect USERS->INTERNET_HTTP_CMAP
  inspect
  service-policy http BLACK_LIST_PMAP
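What the HTTP class-map above actually has to do is locate the Host header in the request and test it against the regex. As an added example (not Cisco code and not part of the deck), the Python below does that for constructed HTTP/1.x requests and returns the BLACK_LIST_PMAP action: reset when the Host header matches .*cisco.*, otherwise the generic inspect. The match is case-sensitive, as the literal pattern on the slide is written; the request samples are constructed.

```python
import re
from typing import Optional

# Constructed equivalent of:
#   parameter-map type regex BLACK_LIST_PARAM
#    pattern .*cisco.*
BLACK_LIST_PARAM = re.compile(r".*cisco.*")


def host_header(raw: bytes) -> Optional[str]:
    """Return the Host header value of an HTTP/1.x request, or None when the
    request has no Host header or does not start with a request line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:      # request line, e.g. 'GET / HTTP/1.1'
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":   # header names are case-insensitive
            return value.strip().decode("ascii", "replace")
    return None


def http_policy(raw: bytes) -> str:
    """BLACK_LIST_PMAP: 'reset' the connection when the Host header matches the
    regex class-map, otherwise fall through to the generic 'inspect'."""
    host = host_header(raw)
    if host is not None and BLACK_LIST_PARAM.match(host):
        return "reset"
    return "inspect"


# Constructed requests as they would cross the USERS->INTERNET zone-pair
REQUESTS = {
    "blocked site": b"GET /index.html HTTP/1.1\r\nHost: www.cisco.com\r\nUser-Agent: x\r\n\r\n",
    "blocked site with port": b"GET / HTTP/1.1\r\nhost: www.cisco.com:8080\r\n\r\n",
    "other site": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "no host header (HTTP/1.0)": b"GET / HTTP/1.0\r\n\r\n",
}


def evaluate_all(requests=REQUESTS):
    return {label: http_policy(raw) for label, raw in requests.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_all().items():
        print(f"{label:28} -> {verdict}")
```

The HTTP/1.0 request with no Host header is the edge case worth noticing: a header-based class-map cannot match what is not there, so such requests fall through to the generic policy rather than being reset.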
Content Filtering
BRKSEC-2042 Content Filtering in the Enterprise

Current technologies
  WCCP
  Scansafe

Old technologies
  Websense
  Trend Micro Content Scanning
Scansafe Content Scanning Request
(Diagram: Client -> Router -> Scansafe (CWS) proxy server -> Webserver www.cisco.com)
Client Packet: Client -> Webserver
CWS Redirect Packet: Router -> CWS Server
CWS Packet: CWS Server -> Webserver

Scansafe Content Scanning Response
(Diagram: Webserver www.cisco.com -> Scansafe proxy server -> Router -> Client)
Server Packet: Webserver -> Scansafe
Scansafe Redirect Packet: Scansafe -> Router
Client Packet: Webserver -> Client (as seen by the client)
Content Scanning Configuration
parameter-map type content-scan global
 server scansafe primary name proxy2261.scansafe.net port http 8080 https 8080
 license 0 ABCDEF1234567890ABCDEFABCDEFFFFF
 source interface Ethernet0/0
 timeout server 30
 user-group CISCOGROUP username CISCOUSER
 server scansafe on-failure block-all
!
interface Ethernet0/1
 ip nat inside
 zone-member security INSIDE
!
interface Ethernet0/0
 ip nat outside
 zone-member security OUTSIDE
 content-scan out
Content Scanning Outputs
Router# show content-scan statistics
Current HTTP sessions: 0
Current HTTPS sessions: 0
Total HTTP sessions: 83
Total HTTPS sessions: 8
White-listed sessions: 0
Time of last reset: never

Router# show content-scan summary
Primary: 201.94.155.42 (Up)*
Secondary: 70.39.231.99 (Up)
Interfaces: Ethernet0/0

IOS# show content-scan session active
Protocol  Source              Destination          Bytes          Time
HTTP      10.1.1.100:57152    209.222.159.185:80   (1635:331595)  00:00:12
  URI: www.cisco.com
  Username/usergroup(s): ciscouser10/ ciscogroup10
Integrating User Identity with Scansafe
aaa new-model
aaa authentication login default group radius
aaa authorization network default group radius
!
aaa group server ldap LDAP_GROUP
 server DC01
!
ldap attribute-map ldap-username-map
 map type sAMAccountName username
!
ldap server DC01
 ipv4 192.168.1.100
 attribute map ldap-username-map
 bind authenticate root-dn CN=Users,DC=cisco,DC=com password cisco
 base-dn dc=cisco,dc=com
 search-filter user-object-type top
 authentication bind-first
!
ip admission name AUTHPROXY ntlm
!
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip admission AUTHPROXY
Masking SMTP Messages
(Diagram: Ethernet Header [Source MAC, Destination MAC] / IP Header [Source IP, Destination IP] / TCP Header [Source Port, Destination Port] / SMTP DATA: EHLO reply advertising PIPELINING and STARTTLS)
Mask specific SMTP messages from being presented to clients
Filtering PIPELINING prevents the client from sending batches of commands without waiting for a response from the server
Application Layer Inspection SMTP Example

class-map type inspect smtp match-all SMTP_CMAP                ! Select the message to be masked
 match reply ehlo PIPELINING
!
policy-map type inspect smtp SMTP_PMAP                         ! Apply the mask action for the messages selected above
 class type inspect smtp SMTP_CMAP
  mask
!
policy-map type inspect INTERNET->APPLICATIONS_PMAP
 class type inspect INTERNET->APPLICATIONS_SMTP_CMAP
  inspect
  service-policy smtp SMTP_PMAP
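As an added example (not Cisco code and not part of the deck), the Python below applies the same mask action to a constructed EHLO reply: the line advertising PIPELINING is overwritten so the client never learns that the server supports it, while STARTTLS and the other extensions pass untouched. Replacing the extension text with the same number of X characters keeps the reply's byte count unchanged, so TCP sequence numbers on both sides of the firewall still line up; that byte-preserving rewrite is an assumption about how a masking inspection should behave, not a claim about the exact characters IOS substitutes.

```python
EHLO_REPLY = (  # constructed server reply to EHLO, before masking
    b"250-mail.example.com Hello client.example.org\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
)

MASKED_EXTENSIONS = frozenset({"PIPELINING"})   # 'match reply ehlo PIPELINING'


def ehlo_lines(reply: bytes):
    """Split a reply into (code, separator, text) triples.  RFC 5321 multi-line
    replies use '250-' on every line except the last, which uses '250 '."""
    out = []
    for line in reply.split(b"\r\n"):
        if len(line) >= 4 and line[:3].isdigit() and line[3:4] in (b"-", b" "):
            out.append((line[:3], line[3:4], line[4:]))
        elif line:
            out.append((None, None, line))    # not a reply line; passed through unchanged
    return out


def extension_keyword(text: bytes) -> str:
    """The EHLO keyword is the first word of the line; parameters may follow."""
    return text.split(b" ", 1)[0].upper().decode("ascii", "replace")


def mask_ehlo_reply(reply: bytes, masked=MASKED_EXTENSIONS) -> bytes:
    """Overwrite the text of any 250 line whose keyword is in `masked`."""
    rebuilt = []
    for code, sep, text in ehlo_lines(reply):
        if code == b"250" and extension_keyword(text) in masked:
            text = b"X" * len(text)           # same length: byte count preserved
        rebuilt.append(text if code is None else code + sep + text)
    return b"\r\n".join(rebuilt) + b"\r\n"


def advertised_extensions(reply: bytes):
    """Extension keywords a client would parse; the first 250 line is the greeting."""
    texts = [t for c, _, t in ehlo_lines(reply) if c == b"250"]
    return {extension_keyword(t) for t in texts[1:]}


if __name__ == "__main__":
    print("before:", sorted(advertised_extensions(EHLO_REPLY)))
    masked = mask_ehlo_reply(EHLO_REPLY)
    print("after: ", sorted(advertised_extensions(masked)))
    print(masked.decode())
```

After masking, the client sees an unknown keyword where PIPELINING used to be and falls back to one command per round trip, which is the behaviour the slide is after.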
Application Layer Inspection SIP Example

class-map type inspect sip match-all SIP_CMAP                  ! Identify traffic that violates the SIP RFC
 match protocol-violation
!
policy-map type inspect sip SIP_PMAP                           ! Drop any packets that violate the RFC
 class type inspect sip SIP_CMAP
  reset
!
policy-map type inspect INTERNET->APPLICATIONS_PMAP
 class type inspect INTERNET->APPLICATIONS_SIP_CMAP
  inspect
  service-policy sip SIP_PMAP

TCP SIP: reset results in a RESET packet
UDP SIP: reset results in dropped packets
Application Based Inspections
IOS-FW(config)# class-map type inspect ?
  h323
  http
  imap
  pop3
  sip
  smtp
  sunrpc

Voice inspections (h323, sip): control how calls can be placed and how phones can register
eMail inspections (imap, pop3, smtp): control how email can be sent
Applying Connection Limits to Traffic
parameter-map type inspect CONN_LIMIT_PARAM
 sessions maximum 100
 max-incomplete high 1000
 max-incomplete low 500
 one-minute high 50
 one-minute low 25
!
policy-map type inspect CLIENT->INTERNET_PMAP
 class type inspect CLIENT->INTERNET_CMAP
  inspect CONN_LIMIT_PARAM
Logging dropped packets and summarization
Behaviour for each combination of the log drop-pkt and log summary settings:

Action "drop"
  drop-pkt disable, summary disable: drop and summary logs not printed
  drop-pkt disable, summary enable:  drop and summary logs not printed
  drop-pkt enable,  summary disable: drop and summary logs not printed
  drop-pkt enable,  summary enable:  drop and summary logs not printed

Action "drop log"
  drop-pkt disable, summary disable: only drop logs printed, no summary logs
  drop-pkt disable, summary enable:  since the log option is configured with the drop action, both the drop and summary logs are printed for the traffic that matches the "drop log" action under the class
  drop-pkt enable,  summary disable: only drop logs printed, summary logs not printed
  drop-pkt enable,  summary enable:  since the log option is configured with the drop action, both the drop and summary logs are printed for the traffic that matches the "drop log" action under the class

Inspect / zone to non-zone drops
  drop-pkt disable, summary disable: drop and summary logs not printed
  drop-pkt disable, summary enable:  drop and summary logs not printed
  drop-pkt enable,  summary disable: only drop logs printed, summary logs not printed
  drop-pkt enable,  summary enable:  drops due to the inspect action and summary logs are printed
Logging New Connections
Cannot be applied globally
Enable on a per class-map basis

parameter-map type inspect LOG_CONNECTION_PARAM
 audit-trail on
!
policy-map type inspect USERS->INTERNET_PMAP
 class type inspect USER->INTERNET_CMAP
  inspect LOG_CONNECTION_PARAM
Monitoring ZBFW Statistics
Router# show policy-firewall stats drop-counters
DROP action found in policy-map 4

Router# show policy-firewall stats all
Global Stats:
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
ZBFW and VPN
(Diagram: host A behind tunnel endpoint X, host B behind tunnel endpoint Y)
Client Packet: IP Header SRC A DST B, IP Protocol 1 (ICMP)
VPN Packet: outer IP Header SRC X DST Y, IP Protocol 50 (ESP), ESP Header encapsulating the original SRC A DST B packet

See Appendix for complete configuration example

VPN using Crypto-Map
(Diagram: host A behind tunnel endpoint X, host B behind tunnel endpoint Y, VPN between X and Y)
Client Packet: SRC A DST B
VPN Packet: SRC X DST Y

interface Ethernet0/0
 zone-member security OUTSIDE
 crypto map IPSEC_TUNNEL

Crypto maps are bound to the tunnel terminating interface
Original and VPN traffic have the same destination zone

zone-pair security LOCAL->OUTSIDE_ZP source LOCAL destination OUTSIDE
 service-policy type inspect LOCAL->REMOTE_PMAP
zone-pair security SELF->OUTSIDE_ZP source self destination OUTSIDE
 service-policy type inspect SELF->OUTSIDE_PMAP

See Appendix for complete configuration example

VPN using Virtual Tunnel Interface (VTI)
(Diagram: host A behind tunnel endpoint X, host B behind tunnel endpoint Y, VPN between X and Y)
Client Packet: SRC A DST B
VPN Packet: SRC X DST Y

interface Ethernet0/0
 zone-member security OUTSIDE
!
interface Tunnel0
 zone-member security REMOTE
 tunnel mode ipsec ipv4

VTIs are independent interfaces with their own zone membership
Original and VPN traffic have different destination zones

zone-pair security LOCAL->REMOTE_ZP source LOCAL destination REMOTE
 service-policy type inspect LOCAL->REMOTE_PMAP
zone-pair security SELF->OUTSIDE_ZP source self destination OUTSIDE
 service-policy type inspect SELF->OUTSIDE_PMAP
IPv6 Tunneling Design Considerations
(Diagram: IPv6 host A behind tunnel endpoint X, IPv4 transit network, IPv6 host B behind tunnel endpoint Y; 6-in-4 tunnel between X and Y)
Client Packet: SRC A (IPv6) DST B (IPv6)
IPv6-in-IPv4 Tunnel Packet: SRC X (IPv4) DST Y (IPv4)

interface Ethernet0/0
 zone-member security OUTSIDE
!
interface Tunnel0
 zone-member security REMOTE
 tunnel mode ipv6ip

IPv6 networks can be connected by using a 6in4 tunnel
ZBFW should be configured on the IPv6/IPv4 edge
IPv6 tunneling protocols could bypass security policies

zone-pair security LOCAL->REMOTE_ZP source LOCAL destination REMOTE
 service-policy type inspect LOCAL->REMOTE_PMAP
zone-pair security SELF->OUTSIDE_ZP source self destination OUTSIDE
 service-policy type inspect SELF->OUTSIDE_PMAP
ZBFW and VPN configuration
ip access-list extended VPN_ACL
 permit esp any any
 permit udp any any eq 500
 permit udp any any eq 4500
!
class-map type inspect match-any VPN_CMAP
 match access-group name VPN_ACL
!
policy-map type inspect SELF->OUTSIDE_PMAP
 class type inspect VPN_CMAP
  pass
!
zone-pair security SELF->OUTSIDE_ZP source self destination OUTSIDE
 service-policy type inspect SELF->OUTSIDE_PMAP
Migrating from an Existing Policy

Before: interface ACL
ip access-list extended OUTSIDE-IN
 permit tcp any any eq 25
!
interface Ethernet0/0
 ip access-group OUTSIDE-IN in

After: the same ACL reused in a ZBFW class-map
ip access-list extended OUTSIDE-IN
 permit tcp any any eq 25
!
class-map type inspect match-any OUTSIDE-IN_CMAP
 match access-group name OUTSIDE-IN
!
policy-map type inspect OUTSIDE-IN_PMAP
 class type inspect OUTSIDE-IN_CMAP
  inspect
!
ZBFW configuration example
zone security INSIDE
zone security OUTSIDE
!
interface Ethernet0/0
 zone-member security INSIDE
interface Ethernet0/1
 zone-member security OUTSIDE
!
class-map type inspect match-all INSIDE_OUTBOUND_CMAP
 match protocol http
!
policy-map type inspect INSIDE_OUTBOUND_PMAP
 class type inspect INSIDE_OUTBOUND_CMAP
  inspect
!
zone-pair security IN2OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_OUTBOUND_PMAP
Stateful Address Assignment
Centralized server performs all addressing tasks
  Assigns IP addresses
  Keeps track of client to address mapping
  Provides additional network information (DNS server, default gateway)
Examples of stateful address protocols: DHCP

Stateless Address Assignment
Client dynamically takes on addressing tasks
  Chooses own IP address (EUI-64)
  DAD used to avoid address duplication
  Additional network information not provided by default; provided by a supporting server
Examples of stateless address protocols: SLAAC (StateLess Address AutoConfiguration)
Authentication Proxy - Configuration
aaa new-model
aaa authentication login default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
!
radius-server vsa send authentication
!
radius server ISE
 address ipv4 192.168.1.100 auth-port 1645 acct-port 1646
 key cisco
!
ip admission name AUTHPROXY proxy http
!
ip http server
!
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip admission AUTHPROXY
Authentication Proxy Traffic Flow: order in which the ACLs are applied
1. Interface ACL
2. Consent ACL
3. AuthProxy ACL
Authentication Proxy - Debugs
Mar 23 14:27:54.571: RADIUS/ENCODE(00000015):Orig. component type = Auth Proxy
Mar 23 14:27:54.571: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 23 14:27:54.571: RADIUS(00000015): Config NAS IPv6: ::
Mar 23 14:27:54.571: RADIUS/ENCODE(00000015): acct_session_id: 11
Mar 23 14:27:54.571: RADIUS(00000015): sending
Mar 23 14:27:54.575: RADIUS/ENCODE: Best Local IP-Address 14.36.112.40 for Radius-Server 14.36.112.250
Mar 23 14:27:54.575: RADIUS(00000015): Send Access-Request to 14.36.112.250:1645 id 1645/11, len 110
Mar 23 14:27:54.575: RADIUS: authenticator 54 01 93 F4 17 F1 93 7D - EB 44 A3 05 FA 49 79 24
Mar 23 14:27:54.575: RADIUS: User-Name [1] 7 "cisco"
Mar 23 14:27:54.575: RADIUS: User-Password [2] 18 *
Mar 23 14:27:54.575: RADIUS: Service-Type [6] 6 Outbound [5]
Mar 23 14:27:54.575: RADIUS: Vendor, Cisco [26] 29
Mar 23 14:27:54.575: RADIUS: Cisco AVpair [1] 23 "service-type=Outbound"
Mar 23 14:27:54.575: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.575: RADIUS: 53 E1 38 E5 A2 93 DD 40 61 88 99 60 A6 70 2D 2E [ S8@a`p-.]
Mar 23 14:27:54.575: RADIUS: NAS-Port-Type [61] 6 Async [0]
Mar 23 14:27:54.575: RADIUS: NAS-IP-Address [4] 6 14.36.112.40
Mar 23 14:27:54.575: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 23 14:27:54.575: RADIUS(00000015): Started 5 sec timeout
Mar 23 14:27:54.591: RADIUS: Received from id 1645/11 14.36.112.250:1645, Access-Accept, len 287
Mar 23 14:27:54.591: RADIUS: authenticator C0 07 BB 4F 81 FC B8 33 - CB 2A 22 98 23 C0 6E 58
Mar 23 14:27:54.591: RADIUS: User-Name [1] 7 "cisco"
Mar 23 14:27:54.591: RADIUS: State [24] 40
Mar 23 14:27:54.591: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 65 [ReauthSession:0e]
Mar 23 14:27:54.591: RADIUS: 32 34 37 30 66 61 30 30 30 30 30 30 33 35 35 33 [2470fa0000003553]
Mar 23 14:27:54.591: RADIUS: 32 45 45 44 36 44 [ 2EED6D]
Mar 23 14:27:54.591: RADIUS: Class [25] 54
Mar 23 14:27:54.591: RADIUS: 43 41 43 53 3A 30 65 32 34 37 30 66 61 30 30 30 [CACS:0e2470fa000]
Mar 23 14:27:54.591: RADIUS: 30 30 30 33 35 35 33 32 45 45 44 36 44 3A 72 61 [00035532EED6D:ra]
Mar 23 14:27:54.591: RADIUS: 64 61 72 2D 69 73 65 2F 31 38 34 36 39 38 35 36 [dar-ise/18469856]
Mar 23 14:27:54.591: RADIUS: 36 2F 35 34 [ 6/54]
Mar 23 14:27:54.591: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.591: RADIUS: 3E F1 DA B1 22 AB 23 26 12 0E 54 83 2C 96 C1 AF [ >"#&T,]
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 25
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 30
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 32
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 61
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 55 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.591: RADIUS(00000015): Received from id 1645/11

Authentication Proxy - Debugs
Mar 23 14:27:54.591: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Mar 23 14:27:54.591: RADIUS(00000000): Config NAS IP: 0.0.0.0
Mar 23 14:27:54.591: RADIUS(00000000): sending
Mar 23 14:27:54.591: RADIUS/ENCODE: Best Local IP-Address 14.36.112.40 for Radius-Server 14.36.112.250
Mar 23 14:27:54.591: RADIUS(00000000): Send Access-Request to 14.36.112.250:1645 id 1645/12, len 133
Mar 23 14:27:54.591: RADIUS: authenticator 86 69 58 02 68 24 B8 7D - 52 A6 74 12 C6 34 5E 85
Mar 23 14:27:54.591: RADIUS: NAS-IP-Address [4] 6 14.36.112.40
Mar 23 14:27:54.591: RADIUS: User-Name [1] 27 "#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 32
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Mar 23 14:27:54.591: RADIUS: Vendor, Cisco [26] 30
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Mar 23 14:27:54.591: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.591: RADIUS: FA 55 AC 1F E1 57 22 F9 0F 77 4B A6 F4 19 42 5E [ UW"wKB^]
Mar 23 14:27:54.591: RADIUS(00000000): Sending a IPv4 Radius Packet
Mar 23 14:27:54.591: RADIUS(00000000): Started 5 sec timeout
Mar 23 14:27:54.595: RADIUS: Received from id 1645/12 14.36.112.250:1645, Access-Accept, len 327
Mar 23 14:27:54.595: RADIUS: authenticator CD CB 43 D2 51 C4 A2 46 - 80 0C E3 03 10 57 52 4C
Mar 23 14:27:54.595: RADIUS: User-Name [1] 27 "#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.595: RADIUS: State [24] 40
Mar 23 14:27:54.595: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 65 [ReauthSession:0e]
Mar 23 14:27:54.595: RADIUS: 32 34 37 30 66 61 30 30 30 30 30 30 33 36 35 33 [2470fa0000003653]
Mar 23 14:27:54.595: RADIUS: 32 45 45 44 36 44 [ 2EED6D]
Mar 23 14:27:54.595: RADIUS: Class [25] 54
Mar 23 14:27:54.595: RADIUS: 43 41 43 53 3A 30 65 32 34 37 30 66 61 30 30 30 [CACS:0e2470fa000]
Mar 23 14:27:54.595: RADIUS: 30 30 30 33 36 35 33 32 45 45 44 36 44 3A 72 61 [00036532EED6D:ra]
Mar 23 14:27:54.595: RADIUS: 64 61 72 2D 69 73 65 2F 31 38 34 36 39 38 35 36 [dar-ise/18469856]
Mar 23 14:27:54.595: RADIUS: 36 2F 35 35 [ 6/55]
Mar 23 14:27:54.595: RADIUS: Message-Authenticato[80] 18
Mar 23 14:27:54.595: RADIUS: C4 80 ED 58 1A 8C 7E 7A 60 C2 BC 2E 5C CF 66 5B [ X~z`.\f[]
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 43
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 44
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 38 "ip:inacl#2=permit tcp any any eq 443"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 43
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#3=permit udp any any eq 53"
Mar 23 14:27:54.595: RADIUS: Vendor, Cisco [26] 38
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 32 "ip:inacl#4=permit icmp any any"
Mar 23 14:27:54.595: RADIUS(00000000): Received from id 1645/12

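The two RADIUS exchanges above can be read mechanically, which is useful when checking what a router actually installed for a user. As an added example (not Cisco code and not part of the deck), the Python below parses the Cisco AVpair lines of that debug output: it recovers the downloadable ACL name from the first Access-Accept, the ip:inacl#N entries from the second, and flags any entry that would permit a whole protocol to any destination without a port qualifier. The sample text is a subset of the debug lines printed above, embedded so the parser runs offline.

```python
import re

# Subset of the 'debug radius' lines shown on the two slides above
SAMPLE_DEBUG = """\
Mar 23 14:27:54.575: RADIUS(00000015): Send Access-Request to 14.36.112.250:1645 id 1645/11, len 110
Mar 23 14:27:54.575: RADIUS: User-Name [1] 7 "cisco"
Mar 23 14:27:54.575: RADIUS: Cisco AVpair [1] 23 "service-type=Outbound"
Mar 23 14:27:54.591: RADIUS: Received from id 1645/11 14.36.112.250:1645, Access-Accept, len 287
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Mar 23 14:27:54.591: RADIUS: Cisco AVpair [1] 55 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.591: RADIUS(00000000): Send Access-Request to 14.36.112.250:1645 id 1645/12, len 133
Mar 23 14:27:54.591: RADIUS: User-Name [1] 27 "#ACSACL#-IP-dACL-532eed4c"
Mar 23 14:27:54.595: RADIUS: Received from id 1645/12 14.36.112.250:1645, Access-Accept, len 327
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80"
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 38 "ip:inacl#2=permit tcp any any eq 443"
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 37 "ip:inacl#3=permit udp any any eq 53"
Mar 23 14:27:54.595: RADIUS: Cisco AVpair [1] 32 "ip:inacl#4=permit icmp any any"
"""

AVPAIR_RE = re.compile(r'RADIUS: Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
INACL_RE = re.compile(r"ip:inacl#(\d+)")


def avpairs(debug_text):
    """All Cisco AVpair values, in the order the router logged them."""
    return AVPAIR_RE.findall(debug_text)


def acl_download_requested(debug_text):
    """True when the server told the router to fetch a downloadable ACL."""
    return "aaa:event=acl-download" in avpairs(debug_text)


def downloadable_acl(debug_text):
    """Return (acl_name, entries).

    The first Access-Accept carries aaa:event=acl-download plus the ACL name;
    the router then sends a second Access-Request whose User-Name is that name
    and receives the entries as ip:inacl#N pairs, installed in N order."""
    name, entries = None, {}
    for pair in avpairs(debug_text):
        attr, _, value = pair.partition("=")
        if attr == "ACS:CiscoSecure-Defined-ACL":
            name = value
        m = INACL_RE.fullmatch(attr)
        if m:
            entries[int(m.group(1))] = value
    return name, [entries[n] for n in sorted(entries)]


def broad_permits(entries):
    """Entries that permit ip/tcp/udp from any to any with no port qualifier
    (e.g. 'permit ip any any'); on a per-user ACL these deserve a second look.
    ICMP entries have no port to qualify and are not flagged."""
    flagged = []
    for ace in entries:
        words = ace.split()
        if (len(words) >= 4 and words[0] == "permit" and words[1] in ("ip", "tcp", "udp")
                and words[2] == "any" and words[3] == "any" and "eq" not in words):
            flagged.append(ace)
    return flagged


if __name__ == "__main__":
    name, entries = downloadable_acl(SAMPLE_DEBUG)
    print("acl-download requested:", acl_download_requested(SAMPLE_DEBUG))
    print("installed", name)
    for ace in entries:
        print("  ", ace)
    print("broad permits:", broad_permits(entries))
```

The second Access-Request is the detail people miss when reading these debugs: the ACL name arrives as a User-Name, and the entries arrive only in reply to that second request, so a missing second exchange means the user got the name but no rules.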
Authentication Proxy - Outputs
radar-CLUS#show ip admission cache
Authentication Proxy Cache
 Client Name cisco, Client IP 14.38.112.250, Port 41699, timeout 60, Time Remaining 60, state ESTAB

radar-CLUS#show epm session summary
EPM Session Information
-----------------------
Total sessions seen so far : 5
Total active sessions : 1
Session IP Address :
-------------------
14.38.112.250

radar-CLUS#show epm session ip 14.38.112.250
Admission feature : Authproxy
AAA Policies :
ACS ACL : xACSACLx-IP-dACL-532eed4c
Supplicant-Group : ENG
Authentication Proxy with Consent Configuration
! The consent page is copied to flash first (exec mode):
! copy tftp://14.36.112.254/banner.html flash:banner.html
ip admission name AUTHPROXY proxy http
ip admission auth-proxy-banner file flash:banner.html
ip admission auth-proxy-banner http ^C You have logged in^C
ip admission name AUTHPROXY consent list 100 param-map CONSENT_PMAP
!
parameter-map type consent CONSENT_PMAP
 logging enabled
 authorize accept identity consent_identity_policy
 timeout file download 3600
 file flash:html.html
!
identity policy consent_identity_policy
 access-group consent_access_group
User Group Tag and Template
User credentials are stored on a central ACS
Each user is bound to a different group (MKT, ENG, FIN, HRC, etc); this is the tag
Routers will ask the ACS for the group information of the user
Routers will apply specific actions based on the tags
The template is the configuration on each router
Security Group Tagging Active Authentication
(Diagram: the router asks the ACS "What should I do with UserA?"; the ACS answers "Permit UserA, but mark them with this Security Group Tag": Cisco AVpair SGT = 3)
Security Group Tagging functionality is similar to the Tag/Template configuration
Policies are created using the SGT number instead of the tag name
This specific implementation of SGT is local to the router
SGT information is not exchanged with other devices
User Group Tagging Active Authentication
(Diagram: the ACS assigns UserA = SGT 3 and UserB = SGT 4)

UserA = 3
class-map type inspect INSIDE->OUTSIDE_CMAP
 match security-group source tag 3

UserB = 4
class-map type inspect INSIDE->OUTSIDE_CMAP
 match security-group source tag 4
High Availability
parameter-map type inspect global
 redundancy
!
redundancy
 application redundancy
  group 1
   name ZBFW_HA
   preempt
   priority 200
   control Ethernet0/2 protocol 1
   data Ethernet0/2
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive
Verifying High Availability
Router# show redundancy application group 1
Group ID:1
Group Name:ZBFW_HA

Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: STANDBY
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes

RF Domain: btob-one
RF state: ACTIVE
Peer RF state: STANDBY-HOT
Asymmetric Routing

redundancy
 application redundancy
  group 1
   asymmetric-routing interface Ethernet0/3
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 redundancy rii 100
 redundancy group 1 ip 10.1.1.3 exclusive
 redundancy asymmetric-routing enable

[Diagram labels: ISP1, ISP2]

DoS Attack Mitigation

TCP Intercept

access-list 101 permit tcp any any
!
ip tcp intercept list 101
ip tcp intercept mode intercept
ip tcp intercept drop-mode random
ip tcp intercept max-incomplete low 2000 high 3000
ip tcp intercept one-minute low 1000 high 1500

TCP Intercept enters aggressive mode because the one-minute rate exceeded the high watermark of 1500 embryonic connection attempts:
Jan 1 12:00:01 EST: %TCP-6-INTERCEPT: getting aggressive, count (2700/3000) 1 min 100

TCP Intercept leaves aggressive mode because the one-minute rate (900) fell below the low watermark of 1000 embryonic connection attempts:
Jan 1 12:05:01 EST: %TCP-6-INTERCEPT: calming down, count (1800/2000) 1 min 900
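Added example (not from the deck): a parser for the %TCP-6-INTERCEPT mode-change lines above, plus a model of the low/high watermark hysteresis that the max-incomplete and one-minute thresholds use; the sample syslog lines are constructed, and the default watermarks are the (low, high) pairs from the configuration above.

```python
import re

# Constructed sample lines shaped like the two on the slide (not captured output).
SAMPLE_LOG = """\
Jan 1 12:00:01 EST: %TCP-6-INTERCEPT: getting aggressive, count (2700/3000) 1 min 1600
Jan 1 12:03:00 EST: %SYS-5-CONFIG_I: Configured from console by vty0
Jan 1 12:05:01 EST: %TCP-6-INTERCEPT: calming down, count (1800/2000) 1 min 900
"""

LOG_RE = re.compile(
    r"%TCP-6-INTERCEPT: (getting aggressive|calming down), "
    r"count \((\d+)/(\d+)\) 1 min (\d+)")

def parse_intercept_events(text):
    """Return (aggressive, incomplete_count, incomplete_watermark, one_minute_rate)
    for every TCP Intercept mode-change line; unrelated syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group(1) == "getting aggressive",
                           int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return events

def next_mode(aggressive, incomplete, one_minute,
              max_incomplete=(2000, 3000), one_minute_wm=(1000, 1500)):
    """Watermark hysteresis of 'ip tcp intercept max-incomplete' and 'one-minute':
    enter aggressive mode when either counter exceeds its high watermark, and
    leave it only when both counters have fallen below their low watermarks.
    Returns the mode (True = aggressive) after applying the current counters."""
    low_i, high_i = max_incomplete
    low_m, high_m = one_minute_wm
    if not aggressive:
        return incomplete > high_i or one_minute > high_m
    return not (incomplete < low_i and one_minute < low_m)
```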

IP Fragmentation Attack Mitigation
IP Virtual Fragment Reassembly (VFR) Logs

Basic features of enabling VFR
  VFR-3-OVERLAP_FRAGMENT
  VFR-3-TINY_FRAGMENTS
Max-reassemblies: maximum number of concurrent IP datagrams that can be reassembled
  VFR-4-FRAG_TABLE_OVERFLOW
Max-fragments: maximum number of fragments for the same IP datagram
  VFR-4-TOO_MANY_FRAGMENTS
Drop-fragments: drops all fragments
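Added example, not from the deck: a model of the checks VFR applies to an incoming fragment stream, returning the mnemonic listed above for each fragment it would drop. The default limits (16 reassemblies, 32 fragments) and the 20-byte minimum first fragment (room for a TCP header) are assumptions, and the fragment tuples are constructed input.

```python
def vfr_inspect(fragments, max_reassemblies=16, max_fragments=32,
                min_first_len=20, drop_fragments=False):
    """fragments: list of (datagram_id, offset_bytes, length, more_fragments).
    Returns one (datagram_id, verdict) per fragment: None for an accepted
    fragment, otherwise the mnemonic VFR would log when dropping it.
    Completed datagrams are not aged out of the table in this model."""
    table = {}        # datagram id -> byte ranges already held for reassembly
    verdicts = []
    for dg, offset, length, more in fragments:
        start, end = offset, offset + length
        held = table.get(dg, [])
        if drop_fragments:
            # 'drop-fragments' discards every fragment regardless of content
            verdict = "drop-fragments"
        elif offset == 0 and more and length < min_first_len:
            # first fragment too short to carry a whole L4 header (assumed 20 bytes)
            verdict = "VFR-3-TINY_FRAGMENTS"
        elif dg not in table and len(table) >= max_reassemblies:
            # reassembly table full: a new datagram cannot be tracked (max-reassemblies)
            verdict = "VFR-4-FRAG_TABLE_OVERFLOW"
        elif any(start < e and s < end for s, e in held):
            # byte range collides with a fragment already held for this datagram
            verdict = "VFR-3-OVERLAP_FRAGMENT"
        elif len(held) >= max_fragments:
            # more pieces than 'max-fragments' allows for one datagram
            verdict = "VFR-4-TOO_MANY_FRAGMENTS"
        else:
            verdict = None
            table.setdefault(dg, []).append((start, end))
        verdicts.append((dg, verdict))
    return verdicts

# Constructed sample: a tiny first fragment, an overlapping retransmit, and a clean datagram
SAMPLE_FRAGMENTS = [
    ("A", 0, 8, True),
    ("B", 0, 1480, True), ("B", 1480, 1480, True), ("B", 1000, 500, True),
    ("C", 0, 1480, True), ("C", 1480, 100, False),
]
```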

Spoofing Attack Mitigation
uRPF configuration example

Strict mode
The source address is in the Forwarding Information Base (FIB) and reachable only
through the interface on which the packet was received
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast source reachable-via rx

Loose mode
If the source address is in the FIB and reachable through any interface on the router
Used for asymmetric routing or multi-homed ISP connections
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast source reachable-via any

uRPF Advanced Features

Old configuration (DO NOT USE)
Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast reverse-path
The command above was replaced by the command below in 12.0(15)S
Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast source reachable-via [rx|any]

Cisco Express Forwarding (CEF) must be enabled (on by default)
Router(config)# ip cef

Allow the default route to be used for uRPF verification
Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast source reachable-via [rx|any] allow-default
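Added example, not from the deck: a model of the uRPF decision for strict (rx), loose (any) and allow-default, using longest-prefix match over a constructed FIB. The prefixes and interface names are made up for the example.

```python
import ipaddress

# Constructed FIB: prefix -> egress interface; 0.0.0.0/0 is the default route.
FIB = {
    "10.1.1.0/24": "Ethernet0/1",
    "192.168.0.0/16": "Ethernet0/0",
    "0.0.0.0/0": "Ethernet0/3",
}

def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permits(fib, src, ingress, mode="rx", allow_default=False):
    """True if a packet from src arriving on ingress passes the uRPF check.
    mode 'rx'  = strict: the route for src must point back out the ingress interface
    mode 'any' = loose: src only needs to be present in the FIB
    allow_default: let a match on the default route count as a route for src"""
    hit = lookup(fib, src)
    if hit is None:
        return False                       # source not in the FIB: dropped in every mode
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                       # only the default route matched
    if mode == "any":
        return True
    return iface == ingress                # strict: reverse path must be the ingress interface
```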
Control Plane Protection (CoPPr)
Benefits
Extends protection against DoS attacks on infrastructure routers by providing a
mechanism for finer policing of control plane traffic that allows you to rate-limit
each type individually
Provides a mechanism for early dropping of packets that are directed to closed
or non-listening Cisco IOS TCP/UDP ports
Provides ability to limit protocol queue usage such that no single protocol flood
can overwhelm the input interface
Provides QoS control for packets that are destined to the control plane of Cisco
routers
Provides better platform reliability, security, and availability
Provides CPU protection so it can be used for important jobs, such as routing
Control Plane Protection
Monitoring Drops
Router#show control-plane counters
Feature Path Packets processed/dropped/errors
Aggregate 3/0/0
Host 3/3/0
Transit 0/0/0
Cef-exception 0/0/0

Router#show control-plane host counters


Control plane host path counters :

Feature Packets Processed/Dropped/Errors

--------------------------------------------------------
TCP/UDP Portfilter 3/3/0
--------------------------------------------------------

Control Plane Protection
Monitoring Drops
Router#show policy-map type port-filter control-plane all
Control Plane Host

Service-policy port-filter input: PORTFILTER_PMAP

Class-map: PORTFILTER_CMAP (match-all)


3 packets, 180 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: closed-ports
drop

Class-map: class-default (match-any)


0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

Control Plane Protection Example 2
Problem
SNMP is exhausting control plane resources, preventing the router from executing
certain core functions such as routing and management

Solution
Limit the number of packets allowed on the input queue

Router can use queue-limits
Prevent a single function from overwhelming all resources
Create tiered policy to ensure functionality

Control Plane Protection
Queue Threshold
! Match SNMP
class-map type queue-threshold match-all SNMP_QUEUE
 match protocol snmp
! Match all other protocols
class-map type queue-threshold match-all OTHER_QUEUE
 match protocol host-protocols
!
! Limit packets to prevent oversubscription
policy-map type queue-threshold QUEUELIMIT_PMAP
 class SNMP_QUEUE
  queue-limit 50
 class OTHER_QUEUE
  queue-limit 150
!
! Apply to host subinterface
control-plane host
 service-policy type queue-threshold input QUEUELIMIT_PMAP

See Appendix for complete configuration example

Control Plane Protection


Viewing Current Queue
Only telnet is enabled on the router
Router#show control-plane host counters
Control plane host path counters :

Feature Packets Processed/Dropped/Errors

--------------------------------------------------------
Port Queue Threshold 150/30/0
--------------------------------------------------------

The queue threshold processes packets until the limit is exceeded
Excess unprocessed packets beyond the limit are dropped to protect control-plane
resources
