Ethernet Networks: Design, Implementation, Operation, Management 4th, part 9


security 469

Figure 9.2. Let’s further assume that we want to restrict data originating from the Internet to Web traffic bound for the host whose IP address is 198.78.46.8. In addition, we want to allow users on the 205 and 198 networks shown in Figure 9.2 to initiate Telnet and Web-based queries to hosts on the Internet and allow the results of those queries to return via the Internet. To do so our access list would be as follows:

    interface serial0
    ip access-group 110 in
    access-list 110 remark allow TCP with ACK or RST bit set
    access-list 110 permit tcp any any established
    access-list 110 remark allow Web access to server
    access-list 110 permit tcp any host 198.78.46.8 eq 80
    access-list 110 remark block everything else
    access-list 110 deny ip any any

In this example the “interface” command is first used to define serial port 0. Next, the “ip access-group” command is used to apply the access list statements we will enter as access list number 110 in the inbound direction on the serial interface. This is followed by the entry of six access list statements that form the actual access list. Note that for internal documentation three statements include remarks. Thus, let’s focus our attention upon the other three statements in the access list. The first non-remark statement permits TCP traffic that responds to queries initiated from the internal Ethernet networks. This is due to the keyword “established” in the statement. The second non-remark statement permits Web traffic (port 80) from any host on the Internet to the server whose IP address is 198.78.46.8. The third non-remark statement is not really necessary as an access list has a “deny all” implicitly placed at the end of the list. In examining this access list it is important to note that it could create a problem for Web surfers and other persons using the Internet. This is because, although TCP traffic is permitted, all other traffic is blocked.
This means your internal network users cannot use DNS as it is carried via UDP, nor can they use ping as ICMP messages are not permitted. To allow UDP we could add the following statement before the “deny” statement:

    access-list 110 permit udp any eq 53 any

In this statement port 53 represents DNS. Thus, instead of opening all UDP access we will just allow DNS. To allow pings we can permit echo replies to echo requests. Thus, we could add either of the following statements to our access list:

    access-list 110 permit icmp any any echo-reply

or

    access-list 110 permit icmp any any 0

Here the value 0 represents the ICMP type number for echo reply.

Limiting ICMP

To make your TCP connection more secure you should consider limiting the types of ICMP messages allowed to flow through your router. As previously indicated in our short extended IP access list example addendum, you can include a permit statement to allow a specific type of ICMP message. If you do not allow any ICMP and do not include a permit for the IP protocol, then all ICMP messages will be blocked. Before you block all ICMP messages there are certain ICMP messages you should consider permitting and others you may wish to block. Thus, let’s focus our attention upon those messages. In doing so we will again assume the access list will be applied to the serial interface in Figure 9.2 in the inbound direction to the 205.131.175.0 network. You will obviously add an additional permit statement if you wish to allow applicable traffic to the other Ethernet network.

Permitting Echo-reply

If you have no outbound restrictions, then you are only filtering inbound packets. Thus, echo requests transmitted from either Ethernet result in an echo-reply.
To allow responses to those pings you could code the following statement into your access list:

    access-list 101 permit icmp any 198.78.46.0 0.0.0.255 echo-reply

Permitting Pings

Although ping can be used as a discovery weapon to probe your network to discover information about your organization’s resources, it can also be helpful for determining the status of certain devices. For example, if your organization administers a remote Web server, you might wish to permit pings to that server from your IP address. Assuming your IP address is 192.36.25.11, to permit pings to the server at 198.78.46.8 you would enter the following statement:

    access-list 101 permit icmp host 192.36.25.11 host 198.78.46.8 echo

Considering Destination Unreachable

By default, when an access list sends a packet to the great bit bucket in the sky the router will return a type 3 ICMP message that has a code value of 13. This message, which is displayed as “Destination net unreachable,” informs the person issuing the packet that the router on the path to that target address is performing access list filtering. There is a special router statement you can use to prevent this information from being determined by a potential hacker. After all, why make their job easier? That statement is:

    no ip unreachables

which you would enter for each router interface providing an Internet connection. The reason you cannot use an access-list statement is due to the fact that router-generated packets are not checked by an access list applied in an outbound direction. Thus, to turn off the previously mentioned message, you need to enter the no ip unreachables statement.

Anti-Spoofing Statements

Regardless of the type of access list employed, one of the first series of statements in your list should be anti-address spoofing statements. Because hackers like to use RFC 1918 addresses, you should deny all packets with a source address in the three address blocks in RFC 1918.
In addition, you should block all packets with an IP address of all zeros, all ones, and the IP loopback address of 127.0.0.0. If your organization does not support multicast (Class D) nor any experimental access via Class E addresses, there is also no reason to allow packets with Class D or Class E source addresses. Finally, because some hackers think it is funny to use a source address on the network they are attacking, you should block all packets with a source address associated with your network. If we assume that the internal network to be protected has the network address 198.78.46.0, then the initial anti-spoofing statements at the beginning of your access list would be as follows:

    !Anti-spoofing statements
    !
    !Deny RFC 1918 addresses
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.31.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    !
    !Deny address all zeros, all ones, loopback
    access-list 101 deny ip 0.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    !
    !Deny Class D and Class E addresses
    access-list 101 deny ip 224.0.0.0 15.255.255.255 any
    access-list 101 deny ip 240.0.0.0 7.255.255.255 any
    !
    !Deny source address of your network
    access-list 101 deny ip 198.78.46.0 0.0.0.255 any

Now that we have an appreciation of the operational capabilities of standard and extended IP access lists, let’s turn our attention to new features that were added over the past few years that significantly enhance the capability of router packet filtering technology.

New Capabilities in Access Lists

In tandem with several relatively recent updates to the Cisco Internetwork Operating System (IOS) were improvements to the functionality and capability of access lists.
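The extended list 110 discussed earlier (with its DNS-reply and echo-reply additions) and the anti-spoofing entries just shown rest on the same two mechanics: wildcard-mask matching and first-match evaluation that ends in an implicit deny. The following Python is an added example, not code from the book or from Cisco; it implements a small evaluator for access-list lines written in the format used in this chapter (only the keywords the chapter uses: any, host, eq, established and the echo/echo-reply names) and runs both lists against constructed packets. The Packet field ack_or_rst stands in for the TCP ACK or RST bit that the established keyword tests, the closing permit ip any any in the anti-spoofing list is a constructed stand-in for the rest of a real list, and the 203.0.113.x and 10.x sources are constructed sample addresses.

```python
"""Toy first-match evaluator for IOS-style extended access lists (added example,
not from the book): wildcard masks, 'established', the implicit deny."""
from collections import namedtuple
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")       # 'any': every bit is don't-care
ICMP_NAMES = {"echo-reply": 0, "echo": 8}   # ICMP type names the chapter uses

# ack_or_rst models the TCP ACK/RST bit that the 'established' keyword tests.
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst icmp_type",
                    defaults=(0, 0, False, -1))
Entry = namedtuple("Entry", "action proto src src_wc dst dst_wc "
                            "sport dport established icmp_type")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' from the front."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)

def _take_port(tokens):
    # Consume an optional 'eq N' qualifier; None when absent.
    if tokens[:1] != ["eq"]:
        return None
    tokens.pop(0)
    return int(tokens.pop(0))

def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line; remarks give None."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] == "remark":
        return None
    action, proto, rest = tokens[2], tokens[3].lower(), tokens[4:]
    src, src_wc = _take_addr(rest)
    sport = _take_port(rest)
    dst, dst_wc = _take_addr(rest)
    dport = _take_port(rest)
    icmp_type = None
    for tok in rest:                        # trailing qualifiers
        if tok in ICMP_NAMES:
            icmp_type = ICMP_NAMES[tok]
        elif proto == "icmp" and tok.isdigit():
            icmp_type = int(tok)
    return Entry(action, proto, src, src_wc, dst, dst_wc, sport, dport,
                 "established" in rest, icmp_type)

def matches(e, p):
    """True when packet p satisfies every condition of entry e."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, e.src, e.src_wc)
            and wildcard_match(p.dst, e.dst, e.dst_wc)):
        return False
    if e.sport not in (None, p.sport) or e.dport not in (None, p.dport):
        return False
    if e.established and not (p.proto == "tcp" and p.ack_or_rst):
        return False
    return e.icmp_type is None or p.icmp_type == e.icmp_type

def evaluate(acl_text, packet):
    """First matching entry wins; no match means IOS's implicit deny."""
    for line in acl_text.strip().splitlines():
        entry = parse_entry(line.strip())
        if entry is not None and matches(entry, packet):
            return entry.action
    return "deny"

# List 110 from the chapter with its DNS-reply and echo-reply statements added.
ACL_110 = """
access-list 110 remark allow TCP with ACK or RST bit set
access-list 110 permit tcp any any established
access-list 110 permit tcp any host 198.78.46.8 eq 80
access-list 110 permit udp any eq 53 any
access-list 110 permit icmp any any echo-reply
access-list 110 deny ip any any
"""

# Anti-spoofing entries; the closing permit is a constructed stand-in.
ANTI_SPOOF_101 = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.31.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
access-list 101 deny ip 240.0.0.0 7.255.255.255 any
access-list 101 deny ip 198.78.46.0 0.0.0.255 any
access-list 101 permit ip any any
"""
```

Calling evaluate(ACL_110, Packet("udp", "203.0.113.5", "198.78.46.20", 53, 33000)) returns "permit" (a DNS reply, source port 53), while the same packet with the ports swapped (a query to an inside host) returns "deny", which is the distinction the udp statement in list 110 makes; evaluate(ANTI_SPOOF_101, Packet("tcp", "10.1.2.3", "198.78.46.8", 1, 80)) returns "deny" from the first RFC 1918 entry.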
Six additions to access lists that warrant attention include named access lists, dynamic access lists, reflexive access lists, time-based access lists, TCP intercept and Context Based Access Control (CBAC). In actuality, these additions represent new capabilities added to access lists and do not literally represent new types of access lists.

Named Access Lists

Because standard and extended access lists have a limited range of acceptable numbers, it is theoretically possible, although highly unlikely, that you could run out of numbers when configuring an enterprise router. Perhaps a more important reason for the use of named access lists is the fact that a name can be more meaningful than a number. In addition, as we will shortly note, you can delete statements in a named access list while a numbered list does not provide this capability.

Overview

Named access lists were introduced in IOS Version 11.2. As its name implies, a named access list is referred to by a name instead of a number.

Standard Named IP Access List

Named access lists are applicable to both standard and extended lists. The format of a standard named IP access list is shown below.

    ip access-list standard name

where “name” represents the name you would assign to the standard named IP access list. The preceding statement is then followed by one or more permit or deny statements that define the filtering to take place. The following example illustrates the creation of a standard named access list to which we assigned the name “inbound” to denote that it will be applied in the inbound direction. In this access list we only permit traffic from two defined network addresses:

    ip access-list standard inbound
    permit 205.131.175.0 0.0.0.255
    permit 198.78.46.0 0.0.0.255

To apply a named access list we use a modified version of the previously described ip access-group command.
That modified version includes the name of a named access list and has the following format:

    ip access-group name [in|out]

where “name” represents the name of the named access list. Thus, to apply the previously created named access list to the serial0 interface to filter inbound packets, our IOS statements would appear as follows:

    interface serial0
    ip access-group inbound in
    !
    ip access-list standard inbound
    permit 205.131.175.0 0.0.0.255
    permit 198.78.46.0 0.0.0.255

Now that we have an appreciation for the creation of standard named IP access lists, let’s turn our attention to extended named IP access lists.

Extended Named IP Access Lists

An extended named IP access list is similar to a standard named IP access list. The format of the extended named IP access list command is shown below:

    ip access-list extended name

where “name” represents the name assigned to the access list. You can use an extended named IP access list in the same manner as a standard named IP access list. However, because extended access lists provide considerably greater filtering capability, you can perform more functions with this access list. To illustrate an example of the use of an extended named IP access list, assume you only want to allow http access to the server shown in Figure 9.2, whose IP address is 198.78.46.8. Let’s further assume you will name the access list “security.” Because you want to filter packets flowing out of port E1, you would apply the access list in the outbound direction. Based upon the preceding, the extended named IP access list statements would be as follows:

    interface ethernet1
    ip access-group security out
    !
    ip access-list extended security
    permit tcp any host 198.78.46.8 eq 80

In examining this extended named access list, you may be puzzled as to the selection of the ethernet1 interface instead of the serial0 interface.
The reason we apply the access list to the ethernet1 interface instead of the serial0 interface is that selecting the latter would block all Internet traffic flowing into the router other than Web traffic flowing to the specified server. Also note that we specify the direction of the list as being applied to outbound (out) traffic. This is because packets leave the ethernet1 interface to flow to the specified network.

Editing Capability

We previously mentioned that one advantage of a named access list is the fact you can remove previously entered list statements. To do so you would reenter the configuration mode and enter a “no” prefix for the statement you previously entered. It should be noted that you cannot delete specific entries in a numbered access list. One other point that deserves mentioning is the fact that you cannot selectively add statements to any type of access list other than to the bottom of the list. To add statements to a numbered or a named access list you must delete an existing list and reapply a new or modified list with appropriate entries. Now that we have an appreciation for the operation and utilization of named access lists, let’s continue our exploration of additional list features and turn our attention to dynamic access lists.

Dynamic Access Lists

As the name of this access list implies, dynamic access lists create dynamic entries in a list. Those dynamic entries represent temporary openings in an access list that occur in response to a user authentication process.

Rationale for Use

The primary use of a dynamic access list is to obtain the ability to authenticate users attempting to access your network. To accomplish this you would first set up user accounts on your router. Next, you would create and apply a dynamic access list to the serial port of your router in the inbound direction, assuming you wish to authenticate users transmitting in that direction.
Users then open a Telnet session to your router and authenticate themselves, normally by providing a user ID and password. Once the user is authenticated, the router will close the Telnet session and place a dynamic entry in an access list, which permits packets with a source IP address of the authenticated user’s workstation. One of the key advantages associated with the use of a dynamic access list is that it can be used for certain situations where it is not possible to use a static access list. For example, many Internet Service Providers (ISPs) assign dynamic IP addresses to subscribers. This means that there is no way to create a static access list entry to allow authorized users who have dynamically assigned addresses to access your network via an ISP connection other than to allow all ISP network addresses. Because this would result in a potentially large security gap and is not recommended, you would more than likely turn to the use of a dynamic access list for this situation.

Utilization

The dynamic access list is very similar to an extended IP access list, with a key difference being the inclusion of the keyword “dynamic” in an extended access-list statement. The format of a dynamic access-list entry is shown below:

    access-list <list number> dynamic <name> [timeout n] [permit|deny] <protocol> any <destination address> <destination mask>

The first variable field, “list number,” follows the same format as a traditional extended access list and represents a number between 100 and 199. The second variable field, “name,” represents the designated name of the dynamic access list. The optional timeout variable can be used to specify an absolute timeout for a particular dynamic entry. The “protocol” parameters represent any one of the TCP/IP protocols, such as IP, TCP, UDP, and ICMP.
Because the source IP address is always replaced by the IP address of the authenticating host, the keyword “any” should be used for the source IP address field. The last two variable fields, “destination address” and “destination mask,” are used in the same manner as in an extended IP access list. Prior to examining an example of the use of a dynamic access list, a few additional details warrant discussion. First, you cannot specify more than one dynamic access-list statement per access list. This means you need to consider carefully which protocols you want to create dynamic openings for in an access list. Second, you need to permit users to Telnet to your router or they will not be able to authenticate themselves and proceed to create dynamic openings in the access list. Third, to allow dynamic entries to be created, you must use the “autocommand” parameter under the vty line configuration. An example of the use of this command parameter is shown below:

    line vty 0 3
    login local
    autocommand access-enable host timeout 5

In this example the “host” parameter enables the source IP address of the authenticating host to be substituted into the dynamic entries that will be created. The “timeout” parameter is optional and when included specifies an idle timeout. If you use both absolute and idle timers, the idle timer value should be set to a value less than the absolute timer. As a minimum, at least one timer value should be configured. This is because without a timer the dynamic entries will remain until the router is reinitialized. One additional point deserves mention prior to illustrating the utilization of a dynamic access list. This point is of key importance because its omission can become a network administrator’s nightmare if he or she is remotely administrating a router. Because a Telnet session is immediately closed after authentication, this action will prevent you from managing a router via Telnet.
If you configure your virtual terminal lines as previously described you would be literally up the creek without a paddle. The way around this problem is to specify the “rotary 1” command beneath one or more vty ports as this command enables normal Telnet access to a router on port 3001. For example, to enable normal Telnet access on port 3001 for vty 4, you would enter the following commands:

    line vty 4
    login local
    rotary 1

Once the preceding occurs, you would set your Telnet application to use port 3001. For example, if your router’s IP address is 205.131.176.1, you would enter the following command:

    telnet 205.131.176.1 3001

Now that we have an appreciation of the details concerning a dynamic access list, let’s focus our attention upon an example. In doing so, let’s assume your router is connected to the Internet as shown in Figure 9.4. The serial port of your router has the IP address 205.131.175.1 and you only want to allow persons with predefined user IDs on the router to access your private network. In addition, we will assume you wish to permit remote administration of the router via Telnet.

Figure 9.4 Configuration to reference for creating a dynamic access list that permits authenticated users access to the 198.78.46.0 network. (Figure labels: Internet; Router; s0 205.131.175.1; e0 198.78.46.0.)

To accomplish the preceding you would enter the following IOS commands. Note that only the relevant portions of the configuration commands are listed:

    username gxheld password gizmo87
    !
    interface serial0
    ip address 205.131.175.1 255.255.255.0
    ip access-group 101 in
    !
    access-list 101 permit tcp any host 205.131.175.1 eq 23
    access-list 101 dynamic gxheld timeout 10 permit ip any 198.78.46.0 0.0.0.255
    !
    line vty 0 3
    login local
    autocommand access-enable host timeout 5
    line vty 4
    login local
    rotary 1

In this example note that we create the user name gxheld and reference it in the second access-list statement.
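The two timers in the configuration above are easy to misread, so here is an added Python model (not the router’s code and not from the book) of how a dynamic entry is created on authentication, refreshed by matching traffic, and removed when either the idle timeout from the autocommand or the absolute timeout from the dynamic statement expires. The host address 203.0.113.7 is a constructed sample; the semantics modelled are the ones the text states (an idle timer refreshed by traffic, an absolute timer that is not, and entries that persist until a reload when neither is configured).

```python
"""Toy model of the lifetime of a dynamic access-list entry (added example, not
the router's code). Two timers bound each entry: the idle timeout from
'autocommand access-enable host timeout 5' and the absolute timeout from the
'dynamic gxheld timeout 10' statement. Times are minutes."""
from dataclasses import dataclass


@dataclass
class DynamicEntry:
    host: str          # source address substituted by 'access-enable host'
    created: float     # minute at which the user authenticated
    last_seen: float   # minute of the last packet that matched the entry


class DynamicAcl:
    """Dynamic openings created by one 'dynamic' statement. A timeout of None
    models a timer that was not configured; with both absent an entry lives
    until the router is reinitialized, which is the case the chapter warns about."""

    def __init__(self, idle_timeout=None, absolute_timeout=None):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.entries = {}

    def authenticate(self, host, now):
        """Successful Telnet login: the router opens a temporary entry for host."""
        self.entries[host] = DynamicEntry(host, created=now, last_seen=now)

    def _expire(self, now):
        for host, e in list(self.entries.items()):
            idle_hit = (self.idle_timeout is not None
                        and now - e.last_seen >= self.idle_timeout)
            absolute_hit = (self.absolute_timeout is not None
                            and now - e.created >= self.absolute_timeout)
            if idle_hit or absolute_hit:
                del self.entries[host]

    def permits(self, src, now):
        """True if a packet from src at minute now matches a live entry.
        A matching packet refreshes the idle timer, never the absolute one."""
        self._expire(now)
        entry = self.entries.get(src)
        if entry is None:
            return False
        entry.last_seen = now
        return True


def scenario(idle_timeout, absolute_timeout, traffic_minutes, host="203.0.113.7"):
    """Authenticate host (a constructed address) at minute 0, then send one
    packet at each listed minute; return [(minute, permitted), ...]."""
    acl = DynamicAcl(idle_timeout, absolute_timeout)
    acl.authenticate(host, now=0)
    return [(t, acl.permits(host, t)) for t in traffic_minutes]


if __name__ == "__main__":
    # Idle 5 / absolute 10 as configured above: a 6-minute gap closes the hole.
    print(scenario(5, 10, [3, 9]))        # [(3, True), (9, False)]
    # Steady traffic keeps the idle timer fresh; the absolute timer still wins.
    print(scenario(5, 10, [4, 8, 12]))    # [(4, True), (8, True), (12, False)]
```

Running scenario(15, 10, [9, 12]) shows why the text wants the idle value below the absolute one: with idle 15 and absolute 10 the idle timer can never fire first, so it contributes nothing.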
This makes it harder for an attacker, since a person must specify both a user name and a password to gain access. Also note that the first access-list statement restricts access to the router to Telnet (port 23). The second access-list statement contains the keyword “dynamic.” This statement creates dynamic openings in the access list, substituting the source address of the authenticated Telnet user for all IP traffic with a destination address on the 198.78.46.0 network. Now that we have an understanding of the operation and utilization of dynamic access lists, let’s turn our attention to reflexive access lists.

Reflexive Access Lists

When we previously discussed the use of the keyword “established” in an extended IP access list, we noted that it is only applicable to TCP. If you wish to control other upper-layer protocols, such as UDP and ICMP, you would have to either permit all incoming traffic or define a large number of permissible source/destination host/port addresses. In addition to representing a time-consuming and tedious task, the resulting access list could conceivably require

[...] capabilities. Introduced during 1999, CBAC provides a router administrator with the ability to create dynamic entries in a router’s access list for both single- and multi-channel applications. In addition, CBAC provides the ability to control the flow of Java applets, as well as the ability to minimize the effect of certain types of denial-of-service attacks.

Overview

Until 1999 CBAC was a special [...] connection to the Internet as illustrated in Figure 9.6. In this example we will assume the branch office operates two Ethernet LANs, connected to ports E0 and E1 on the router, while port [...]

Figure 9.6 A sample network to be used for illustrating the configuration and operation of Context-Based Access Control (CBAC). (Figure labels: Internet; S0; Router; E0 Ethernet LAN; E1 Ethernet LAN; legend: workstations.)
[...] address of a parent Ethernet network located on the other side of the Internet in Figure 9.6 is 198.78.46.0. Then, to block all Java applets other than those from the parent network, you would code the following commands:

    access-list 1 permit 198.78.46.0 0.0.0.255
    ip inspect name firewall http java-list 1

Although these commands block all Java applets other than those originating from the 198.78.46.0 network, [...] your internal Ethernet users to perform ping and traceroute operations to hosts on the Internet. The specific coding we would use to implement the previously stated network requirements is listed below:

    interface ethernet0
    ip address 198.78.46.1 255.255.255.0
    ip access-group 101 in
    !
    !
    interface serial0
    ip address 198.78.40.5 255.255.255.0
    ip inspect firewall out
    ip access-group 102 in

[...] firewall feature set (FFS), which was only available for use on the Cisco series 1600 and 2500 router platforms. During 1999 the release of Cisco’s Internetwork Operating System (IOS) Release 12.0T expanded the availability of FFS, which is now referred to as CBAC, to Cisco 800, uBR900, 1600, 1700, 2500, 2600, 3600, 7100, and 7200 series platforms. CBAC operates similarly to reflexive access lists, which [...] authentication, virus scanning, and even encryption of data, which is a necessity when creating a virtual private network (VPN). It should again be noted that the specific features and functions performed by a firewall considerably vary between vendor [...]

Figure 9.8 Using a firewall to protect a private network. (Figure labels: Internet; Router s0/e0; non-populated hub; DMZ LAN; Firewall; private network 198.78.46.0.)
[...] assume our organization has a two-port router with the serial port providing a connection to an Internet Service Provider, while the Ethernet interface provides a connection to the internal Ethernet network. Let’s further assume you want to allow the internal users on your Ethernet LAN to have access to the Internet for Web browsing, FTP and electronic mail. Let’s also further assume that your parent organization, [...] openings created. Because you normally want any user behind the router to create dynamic openings, the keyword “any” is used for the source address. Similarly, because reflexive results [...]

Figure 9.5 Examining the operation of a reflexive access list. (Figure labels: Internet; Router s0/e0; user 198.78.46.8 Telnets to 205.131.122.6; opening created from 205.131.122.6 to 198.78.46.8, from port 23 to port 1023.)

[...] for multi-channel applications, Cisco initially provided a special release of IOS referred to as the Firewall Feature Set (FFS), which was limited with respect to the platforms it operated upon. During 1999 FFS was incorporated into IOS Release 12.0 under the name Context Based Access Control (CBAC). CBAC not only supports multi-channel applications but, in addition, adds a Java blocking capability as well [...] private networks and limit firewall protection to the private network. An example of this network configuration is illustrated in Figure 9.9. In this example a public Web server is located on the 205.131.175.0 network while the firewall is used to protect organizational hosts on the 198.78.46.0 network. If the Web server is the only network device on the 205.131.175.0 network you would more than likely create a [...]

Posted: 14/08/2014, 02:20
