IOS IPS config Steps

• Enabling IOS IPS on a router is fairly simple
• Globally load the IPS Signature Package
• Then create an IPS Rule
• Then apply that rule to an interface either inbound or outbound
• To decrypt the signature files we need an RSA Key based on the Cisco Public key
• Configuration steps
• "retire"(disable) all signature categories & then "unretire" (enable) the basic IOS IPS category.
• created a directory in flash to store the IPS configuration
• Create an IOS IPS rule.
• Specify the location of the signature configuration information.
• Apply the 

Cisco Intrusion Prevent System (IPS)

• Cisco IPS is a feature that must be enable on Cisco routers.
• It provides Deep Packet Inspection (DPI) of traffic transiting the router.
• This is especially useful in branch offices
• to catch worms, viruses, and other exploits before they leave the local site.
• Routers with the security image come with a package of signature files loaded in their flash.
• Signature updates are posted on the Cisco website.
• These signature updates are downloaded to TFTP server & then to server.
• When IOS IPS is configured, the router acts as an inline IPS,
• & compare each packet that flows through it to known signature.
• Router actions upon finding a signature match include
• Dropping the packet
• Resetting the connection
• Sending an alarm log message
• Blocking traffic from the packet source for a configurable amount of time
• Blocking traffic on the connection for a configurable amount of time
• IOS IPS can be configurable through the command line,
• or, using the Security Device Manger(SDM)
• 
  

ZFW Configuration

• Create the desired zones on the router
• Decide how traffic should travel between the zones
• and then create zone-pairs on the router
• Create Class maps
• to identify the inter-zone traffic
• that must be inspected by the firewall
• Create Policy maps
• to assign policies to traffic
• ans associate class maps with them.
• Policy Maps were assigned to the appropriate zone-pair.
• Assign interfaces to zones.
• an interface may be assigned to only one security zone
• 
  

ZFW Inspection & Controlling of Protocols

• HTTP & HTTPS
• SMTP, Extened SMTP(ESMTP), POP3, & IMAP
• Peer-to-peer applications, with the ability to use heuristics to track port hopping
• Instant messaging applications(AOl, Yahoo!, & MSM as of this writing)
• Remote Procedure Calls (RPC)
• 
  

Cisco IOS Zone-Based Firewall

• Classic IOS, inspection policies were applied to all traffic on that interface,
• we can't apply to different policies to different groups of users.
• Zone-based firewall (ZFW), available in IOS release 12.4(6)T or later.
• This concept(ZFW) is similar to that used by appliance firewalls.
• Router interfaces are placed into security zones.
• Traffic between zones were blocked by default.
• Some times traffic blocked between interfaces that have been assigned to a security zone & those that have not.
• We must explicitly apply a policy to allow traffic between zones.
• Zone policies are configured using the Class-based Policy Language(CPL), 
• which is similar to Modular QoS Command Line Interface (MQC) 
• in its use of class maps and policy maps.
• Class maps let you configure highly granular policies if needed.
• A new class & policy map type, the inspect type, is introduced for zone-based firewalls.
• 
  
• 
  

Cisco IOS Firewall Configuration Steps

CBAC configuration steps:

• Choose an interface (inside or outside).
• Configure an ip access list that denies all traffic to be inspected.
• Configure global timeouts & thresholds using the ip inspect commands.
• Define an inspection rule & an optional rule-specific timeout value using the ip inspect name protocol commands.
• Apply the inspection rule to an interface.
• Apply the access list to the same interface as the inspection rule, but in the opposite direction(inbound or outbound)

Cisco IOS Firewall Caveats(limitations)

• Caveats are powerful as CBAC is for dynamic inspection and filtering.
• it has also some limitations.
• CBAC comes after Access-list filters are applied to an interface.
• if an access list blocks a particular type of traffic on an interface,
• where you are using CBAC to inspect inbound traffic,
• that traffic will be denied before CBAC sees it.
• CBAC cannot protect against attacks that originate inside your network.
• CBAC works only on protocols that you specified,
• leaving all other traffic to access lists & other filtering methods.
• To inspect traffic other than TCP & UDP transported traffic,
• you must configure a named inspection rule.
• CBAC does not inspect traffic destined to or  originated from the firewall router itself,
• only that traverses the firewall router.
• CBAC has restrictions on handling encrypted traffic.

Cisco IOS Firewall protocol Support

• An IOS firewall can inspect a long list of protocols when CBAC was used.
• Common protocols that CBAC can inspects are:
• Any generic TCP session, regardless of application layer protocol
• All UDP "sessions"
• FTP
• SMTP
• TFTP
• H.323 (NetMeeting, ProShare, and so on)
• Java
• CU-SeeMe
• UNIX R commands (rlogin, rexec, rsh, and so on)
• RealAudo
• Sun RPC
• SQL*Net
• StreamWorks
• VDOLive

TCP vs UDP with CBAC

• CBAC works on TCP & UDP traffic 
• It supports FTP that require multiple, simultaneous sessions or connections.
• CBA used to protect internal network from external threats by configuring it to inspect inbound traffic from the outside world for those protocols.
• TCP has clear-cut connections
• so CBAC can handle it rather easily.
• CBAC works at a deeper level than simply protocols & port numbers.
• for example, with FTP traffic, CBAC recognises and inspects the specific FTP control channel commands to decide when to open and close the temporary firewall openings.
• UDP traffic is connection less when compare to TCP, so it is more difficult to handle. 
•  CBAC manages UDP by approximating based on factors such as
• whether the source and destination addresses & ports of UDP frames are the same as those that came recently
• & their relative timing.
• CBAC uses the global idle timeout to determine whether a segment arrived "close enough" in time (then it will be considered as part of the same flow.
• Other timeouts are protocol-specific timeouts for TCP & UDP traffic.
• 
  
• 
  

Classic Cisco IOS Firewall

• ACL filtering may be enough to control & secure a router interface
• When attackers have become more sophisticated, Cisco has developed better tools to deal with threats.
• The challenge, is always, is to make security features relatively transparent to network users while thwarting attackers. 

                               

3) TCP SYN Flood, the Established Bit, and TCP Intercept

• A TCP SYN flood is an attack directed at servers
• By initiating the large no.of TCP connections
• but not the completing the connections.
• The attacker initiates many TCP connections, each with only the TCP SYN flag set.
• the server sends reply with tcy syn & ACK flag set
• but attacker simply does not reply( with the 3rd message in 3-way TCP connection setup flow
• Then there is servers consumes memory & resources while waiting on its timeouts.
• This can cause the unbalance the load of  actual working connections.
• solution:
• Statefull firewalls can prevent TCP SYN attacks.
• Bothe the Cisco ASA Firewall & Cisco IOS Firewall features set can be used to do this.
• The impact of TCP SYN attacks can be reduced or eliminated by using a few other tools in cisco ios.
• To prevent SYN attacks is to simply filter packets whose TCP header shows only the SYN flag set.
• In other words, filter all packets that are the first packet in a new TCP connections.
• In many cases router should not allow TCP connections to be established by a client on one side to a server on the other.
• In this cases, filtering the initial TCP segment prevents the SYN attack.
• Cisco IOS ACLs cannot directly match the TCP SYN flag. 
• However, an ACE can use the established keyword, which matches TCP segment except the very 1st TCP segment in a new connection.
• The ACL works well when host outside of a network are not allowed to make TCP connections into the network.
• There is situation when some inbound TCP connections allowed,
• at that time ACL can not be used
• TCP intercept  is used
• It provides an alternative that allows TCP connections into the network, but monitors those TCP connections for TCP SYN attacks.
• TCP intercepts operates in one of 2 different modes
• In Watch Mode,
• It keeps state of information about TCP connections that match a defined ACL. 
• If a TCP connection does not complete the 3-way, with in a particular time period, TCP intercept sends a TCP reset to the server, cleaning up the connection.
• Also counts no.of new connections attempted over time, 
• if a large number of new connections occurs in 1 second (default is 1100 connections per sec), the router temporarily filters new TCP requests to prevent a perceived SYN attack.
• In Intercept Mode,
• The router replies to TCP connections requests instead of forwarding them to the actual server.
• Then, if 3-way hand shake completes, the router creates a TCP connection between itself and the server.
• 
  

2) Inappropriate IP addresses

• By using Inappropriate IP addresses, some of
• the attackers remain hidden & with help of other hosts to create a distributed denial-of-service(DDoS) attack.
• Best Layer-3 security practice is use of ACL to filter packets containing ip address which are not appropriate.
• Router should also filter packets that are bogus or inappropriate.
• ex, a packet should never have a broadcast or multicast source ip address in normal use.
• Router should never receive a packet from an ISP with that Packet's source ip address being a private network per RFC 1918.
• Additionally the same router should not receive packets sourced from IP addresses in ranges currently unallocated by IANA.
• These types of ip addresses are frequently called bogons (unallocated ip addresses ranges of IANA).
• Filter these bogons by
• Creating an ACL to match these bogon ip addresses (regularly updated based on changes in IANA's assigned prefixes).
• Use freeware called the Router Audit Tool(RAT) that makes recommendations for router security, including bogon ACLs.
• Also use the Cisco IOS AutoSecure feature.
• It automatically configures ACLs to prevent the use of such  bogus ip addressess

General layer 3 Security considerations

1) Smurf Attacks:

• When a host sends a large number of ICMP echo request with atypical(not related) IP address in the packet & destination address is a subnet broadcast address (also known as a directed broadcast address).
• Routers forward these packets normally to the final router connected to the destination subnet.
• This final router forwards the packets to the LAN as broadcast (send a copy to every host on that subnet)
• Other feature of a smurf attack is that the source IP address of the packet sent by the attacker is the ip address of the attacked host.
• Several solutions to this problem are:
• IOS v12.0, default each interface to use the no ip directed-broadcast which prevent the router from forwarding the broadcast onto the LAN
• Unicast a Reverse Path Forwarding (uRPF) check could be enabled using the ip verify unicast source reachable-via {rx | any } [allow-default] [allow-self-ping[ [list] interface sub command.
• This command tells cisco ios to examine the source IP address of incoming packets on that interface.
• CEF must be enabled for uRPF to work.
• Strict RPF:
• Using the rx  keyword, the router checks to see if the the matching route uses an outgoing interface that is the same interface on which the packet was received.
• Loose RPF:
• Using the any keyword, the router checks for any route that can be used to reach the source ip address.
• These commands can also ignore default routes when it performs the check (default) or use default routes when performing the check by including the allow-default keyword.
• allow-default command can trigger a ping(RPF) to the source to verify connectivity.
• This RPF check is limited by a ACL.
• Fraggle Attack use similar logic as smurf attacks, but insted of ICMP, fraggle attacks use the UDP Echo application.
• These attacks can be defeated using the same options as listed for smurf attacks.

Basic Terminology

IP addresses: Each machine on the internet is assigned a unique address called an IP address.
Domain Names: Human readable ip addresses are called domain names.
Protocols: Predefined way that someone(program or person) who wants to use a service, talks with that service.
IP:  the main delivery system for information over the internet
TCP(transmission control protocol): used to break apart and rebuild information that travels over the intenet
HTTP(Hyper Text Transfer Protocol): used for webpages
FTP: used to download & upload files
UDP(User Datagram Protocol): used for information that require no response, such as streaming audio & video
ICMP(Internet Control Message Protocol): used by a router to exchange the information with other routers
SMTP(Simple Mail Transport Protocol): used to send text based information
SNMP(Simple Network Management Protocol): Used to collect system information from a remote computer.
Telnet: Used to perform commands on a remote computer