- Defends against TCP SYN attacks, where an attacker tries to overload a server with half-open TCP connections, limiting other connections
- TCP intercept can run in 2 modes: 1) Intercept mode - the router acts as a proxy and will not forward the connection to the server until the handshake is complete. This is not used that much, as you are effectively moving the issue from the server to the router, so it is not a great solution. 2) Watch mode - passively monitors session establishment and sends a TCP RST if the 3-way handshake does not complete in time
- You can set the drop mode to oldest or random. Oldest drops the oldest half-open connections first if the limit is reached; random drops half-open connections at random
- By default it will start dropping at 1100 half-open connections
- Also, 30 seconds is the default wait for full session establishment
access-list 101 permit tcp any "ip" "mask" - this is the subnet or ip you want the inspection done for
ip tcp intercept list "intercept acl"
ip tcp intercept mode "watch|intercept" - intercept is the default
Content Based Access Control
- Protocols are matched based on port numbers and then inspected
- We define the inspection with an inspect map naming the protocols we want to inspect, then apply it to an interface. It keeps track of the traffic going out and allows the return traffic back in. This works better than reflexive ACLs, as it statefully inspects the traffic at layers 4-7 and so can deal with non-standard traffic.
- This can be complex if there are more than two interfaces, i.e. with just inside/outside it is fine, but if we add a third the configuration gets more complicated, so if we have more than 2 interfaces the Cisco IOS firewall is the better option
- Alerts are on by default
- It supports session logging via audit trail
- We can also allow locally generated traffic.
- CBAC also does not wait for a timeout on TCP traffic; it closes the session once the FIN is received, so it is more secure, as we are not left open to attacks while waiting for timeouts
- UDP traffic, as there is no control protocol to signify the end of transmission, remains timeout based
- CBAC supports inspection of smtp, realaudio, rpc, sqlnet, rcmd, vdolive, tftp, udp, tcp, ftp, h323, cuseeme, https
ip inspect name "inspectname" "protocol to inspect"
ip inspect name "inspectname" "protocol2toinspect"
interface fa0/0
ip address 10.10.10.1 255.255.255.0
ip inspect "inspectname" in|out
LAB
----
TCP intercept: so we will say we have a few servers in the LAN segment 155.0.58.0/24
So first things first, we create the ACL
r5(config)#access-list 108 permit tcp any 155.0.58.0 0.0.0.255
We enable TCP intercept for ACL 108
r5(config)#ip tcp intercept list 108
command accepted, interfaces with mls configured might cause inconsistent behavior
r5(config)#ip tcp intercept mode watch
r5#show tcp intercept ?
connections Connection information
statistics Statistics
r5#show tcp intercept connections
Incomplete:
Client Server State Create Timeout Mode
Established:
Client Server State Create Timeout Mode
r5#show tcp intercept stat
Watching new connections using access-list 108
0 incomplete, 0 established connections (total 0)
0 connection requests per minute
r5#
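Extending the r5 lab above (an added example, not part of the original notes): the same watch-mode setup with the knobs the notes mention set explicitly, i.e. the drop mode, the 1100 half-open threshold and the 30-second watch timeout. The ACL, subnet and router are the lab's; the numeric values are the IOS defaults, and the choice of random drop mode is an assumption for illustration.

```cisco
! Servers to protect: the lab's LAN segment 155.0.58.0/24 (ACL 108 from the lab)
access-list 108 permit tcp any 155.0.58.0 0.0.0.255
!
! Watch mode: the SYN is forwarded as normal, the router only tracks the
! half-open entry instead of proxying the handshake (intercept mode)
ip tcp intercept list 108
ip tcp intercept mode watch
!
! A half-open entry that has not completed the 3-way handshake within the
! watch timeout gets a RST sent to the server (default 30 seconds)
ip tcp intercept watch-timeout 30
!
! Aggressive mode starts when either counter crosses its high mark and stops
! when it drops back below the low mark (defaults shown). While aggressive,
! each new SYN evicts one existing half-open entry and the watch timeout is
! halved, so the table cannot be kept full by a flood of unanswered SYNs.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! Which half-open entry to evict in aggressive mode: oldest (default) or random
ip tcp intercept drop-mode random
!
! How long a completed connection stays in the table (default 24h) and how
! long after a FIN/RST it is kept (default 5s), matching the lab output columns
ip tcp intercept connection-timeout 86400
ip tcp intercept finrst-timeout 5
!
! Verify from exec mode, as in the lab:
!   show tcp intercept statistics
!   show tcp intercept connections
```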
CBAC
------
OK, so s2 is inside the network and wants to connect out to s1. We want s2 to be able to connect and form the 3-way handshake, etc., but we do not want s1 to be able to initiate connections to s2.
So we start off by configuring what protocols we want to inspect
r5(config)#ip inspect name EXAMPLE telnet
r5(config)#ip inspect name EXAMPLE icmp
r5(config)#ip inspect name EXAMPLE ?
802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation
appfw Application Firewall
appleqtc Apple QuickTime
bgp Border Gateway Protocol
biff Bliff mail notification
bittorrent bittorrent
bootpc Bootstrap Protocol Client
bootps Bootstrap Protocol Server
cddbp CD Database Protocol
cifs CIFS
cisco-fna Cisco FNATIVE
cisco-net-mgmt cisco-net-mgmt
cisco-svcs cisco license/perf/GDP/X.25/ident svcs
cisco-sys Cisco SYSMAINT
cisco-tdp Cisco TDP
cisco-tna Cisco TNATIVE
citrix Citrix IMA/ADMIN/RTMP
citriximaclient Citrix IMA Client
clp Cisco Line Protocol
creativepartnr Creative Partnr
creativeserver Creative Server
cuseeme CUSeeMe Protocol
daytime Daytime (RFC 867)
dbase dBASE Unix
dbcontrol_agent Oracle dbControl Agent po
ddns-v3 Dynamic DNS Version 3
dhcp-failover DHCP Failover
directconnect Direct Connect Version 2.0
There is a whole bunch of protocols which are preconfigured; I have cut the list off. It is similar to the NBAR list.
We can see the port-map
r5#sh ip port-map
Default mapping: snmp udp port 161 system defined
Default mapping: echo tcp port 7 system defined
Default mapping: echo udp port 7 system defined
Default mapping: telnet tcp port 23 system defined
We can edit it, as with NBAR
r5(config)#ip port-map http port 8002
r5(config)#do sh ip port-map http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8002 user defined
OK, first of all I will create the access list denying incoming traffic; I will allow EIGRP to keep the underlying IGP up
r5(config)#access-list 120 permit eigrp any any
r5(config)#access-list 120 deny ip any any
r5(config)#int s0/0/0
r5(config-if)#ip access-group 120 in
That applies the access-list inbound. I will also add the CBAC inspection map EXAMPLE outbound
r5(config)#int s0/0/0
r5(config-if)#ip inspect EXAMPLE out
s2
---
s2>en
s2#telnet 2.1.1.1
Trying 2.1.1.1 ... Open
User Access Verification
Username: cisco
Password:
s1>
r5
---
r5#sh ip inspect sess
Established Sessions
Session 651B7EC8 (155.0.58.2:11023)=>(2.1.1.1:23) telnet SIS_OPEN
r5#
s1
---
I cannot telnet in
s1#telnet 22.2.2.2
Trying 22.2.2.2 ...
% Destination unreachable; gateway or host down
s1#telnet 22.2.2.2
Trying 22.2.2.2 ...
% Destination unreachable; gateway or host down
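Putting the CBAC notes and this lab together (an added example, not r5's original configuration): the inspection map EXAMPLE with the audit trail, the FIN-based TCP closure and the UDP idle timer from the notes set explicitly, plus the non-standard HTTP port from the port-map section. Interface, ACL number and names are the lab's; the timer values are the IOS defaults except where the comment says otherwise.

```cisco
! Global: alerts stay on (the default); turn on session logging (audit trail)
ip inspect audit-trail
!
! A TCP handshake not finished within synwait-time is dropped (default 30s)
ip inspect tcp synwait-time 30
! Once a FIN is seen the TCP session is torn down after finwait-time (default 5s),
! so CBAC does not sit waiting for the idle timer the way a reflexive ACL does
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
! UDP has no FIN, so the only way a UDP session leaves the table is the idle timer
ip inspect udp idle-time 30
!
! Half-open session thresholds for CBAC itself (defaults shown)
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!
! Non-standard port from the port-map section: treat tcp/8002 as http as well
ip port-map http port 8002
!
! Inspection map: outbound traffic matching these creates the return-path entry.
! Per-protocol audit-trail/timeout settings override the globals.
ip inspect name EXAMPLE telnet audit-trail on
ip inspect name EXAMPLE icmp
ip inspect name EXAMPLE http
! Assumed: a shorter UDP timeout for this map than the 30s global default
ip inspect name EXAMPLE udp timeout 15
!
! Inbound ACL on the outside interface: only the IGP may initiate inbound;
! everything else coming in must match a CBAC session entry or it is dropped,
! which is why s1's telnet to 22.2.2.2 fails while s2's session to s1 works
access-list 120 permit eigrp any any
access-list 120 deny ip any any log
!
interface Serial0/0/0
 ip access-group 120 in
 ip inspect EXAMPLE out
!
! Verify from exec mode:
!   show ip inspect config
!   show ip inspect sessions
```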