CCIE R&S CBAC FireWall

One of my major weaknesses until recently was security. Security is the one topic that can kill you if you do not know what you are doing, or if you are not careful enough to look into the small details. In the past, when I came to a task I would attack it straight away without thinking about what it could do to the things I had done before, or what I would need to do in the next task; I worked task by task. Today, as I have grown :-), I have learned that nothing, especially in real life, is presented to you in a step-by-step manner. You always need to gather all the information and sort it yourself like a puzzle: sometimes the puzzle is small and easy, sometimes you cannot find the middle piece to complete it. So my advice to you is to treat the exam as a puzzle: put all the parts in front of you (that is, read everything and draw a basic topology accordingly) and build your puzzle from the bottom up, piece by piece; if you cannot find a piece, skip it, you will find it later. With that analogy, security is one of the last pieces in your puzzle, and it can break your entire puzzle, so you can decide either to leave one piece out or to start rearranging everything (not recommended).

With that in mind, I would like to talk here about CBAC, the IOS Firewall. The basic idea is very similar to a reflexive ACL, but with enhanced support for features and applications.

What do we need for the firewall to work?

1) We must have an ACL. In most cases (for the R&S CCIE) the ACL will be on the outside interface and it will have a deny-all statement. That was a hard issue for me to grasp at first; I said to myself, what the hell do I need the firewall to use an ACL for?! Isn't that already built into the firewall? Well, no! The firewall is "inspecting" traffic as it goes out or comes in, but the ACL defines what is denied from coming into the router. That means only traffic that went from inside the network to the outside is allowed back in, and traffic that tries to come in from the outside has to stay out unless there is a permit statement.

2) We need to define the inspection rules, and that is another thing you need to be careful with: if you only set a rule to inspect ICMP, then only ICMP traffic from your network to the outside and back will be allowed. If you try to browse the internet without setting an inspect rule for it, your traffic will not be inspected and therefore will not be allowed back in!!!

Now here is my home router example. I start by defining the traffic that I am using from inside to outside:

ip inspect name HOME-FW sip <- my VoIP service needs to be up
ip inspect name HOME-FW snmp <- I have an SNMP server to monitor the networks I maintain
ip inspect name HOME-FW http <- a man needs to surf :-)
ip inspect name HOME-FW https <- sometimes I need secure web browsing
ip inspect name HOME-FW dns <- I do not want to use IP addresses for all my surfing, so I need access to a name server
ip inspect name HOME-FW smtp <- need to send out mail
ip inspect name HOME-FW pop3 <- mail in
ip inspect name HOME-FW ssh <- all my servers use SSH (Linux RHES)
ip inspect name HOME-FW icmp <- pings
ip inspect name HOME-FW telnet <- some of the routers I manage are old or do not have SSH
ip inspect name HOME-FW udp <- miscellaneous traffic
ip inspect name HOME-FW tcp <- miscellaneous traffic
!
ip access-list extended ACCESS-CONTROL
 permit icmp any any echo-reply <- traffic from the router itself is not inspected, so if I do not permit this I will not be able to ping from the router; the same goes for traceroute
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit udp x.x.x.80 0.0.0.15 any eq snmptrap <- I have an SNMP server at home, and to allow traps from outside to come in I need a permit
 permit udp x.x.x.80 0.0.0.15 any eq 5060 <- although I enabled SIP in the inspection rule, calls that originate from outside need to be permitted, as only traffic inspected from inside to outside is permitted back
 permit udp host x.x.x.83 any range 10000 20000 <- this is for the RTP; it is not really needed, but because of the "obscure" bugs that can happen I would rather permit it than lose a call
 deny ip any any log-input <- the log-input is for tracing attackers, always good to have
!
interface Dialer0 <-- this is my outside interface
 ..
 ip access-group ACCESS-CONTROL in
 ..
!
interface Vlan16 <-- this is my inside interface
 ..
 ip inspect HOME-FW in
 ..
!

This is in response to the comment posted: the ACL has no direct relation to the CBAC firewall. It is there to prevent traffic from coming into your network from the outside, while the inspection rule is there to inspect traffic going out from your network. If the ACL were not there, the traffic would still be inspected, but people would still be able to get into your network. So if you want to block traffic you must have an ACL, but if you inspect traffic then, even with a deny statement on the outside interface, the return traffic is allowed back. The short answer: CBAC is not inspecting the ACL; CBAC inspects what you tell it to in the inspection rule.
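To make the two mechanisms concrete, here is a small Python model of the decision path described in this post (an added example, not the author's configuration and not IOS code): inspection inbound on the inside interface opens state for the return flow, the outside ACL decides everything else, and packets the router itself originates never create state. The inspect rules, ACL entries and the 192.168.16.x / 203.0.113.x / 198.51.100.1 addresses are constructed for the example.

```python
# Constructed toy model of the CBAC decision path described in the post.
# It is not IOS code; protocols, ports and addresses are illustrative.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for icmp
    dport: int = 0        # 0 for icmp
    icmp_type: str = ""   # e.g. "echo", "echo-reply"


class CbacRouter:
    """Inspect rule applied inbound on the inside interface, ACL inbound on the outside."""

    def __init__(self, inspect_rules, outside_acl):
        self.inspect_rules = inspect_rules  # [(proto, dport or None)], e.g. ("tcp", 80) for http
        self.outside_acl = outside_acl      # [(action, proto, dport | (lo, hi) | None, icmp_type | None)]
        self.sessions = set()               # CBAC state table: expected return flows

    def inside_to_outside(self, pkt, from_router=False):
        """Forward a packet leaving the inside network; open state only if it was inspected."""
        inspected = any(p == pkt.proto and (d is None or d == pkt.dport)
                        for p, d in self.inspect_rules)
        # Traffic the router itself originates never enters the inside interface,
        # so CBAC never sees it and no session is opened for its replies.
        if inspected and not from_router:
            self.sessions.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return "forwarded"

    def outside_to_inside(self, pkt):
        """Inbound on the outside interface: CBAC state is checked first, then the static ACL."""
        if (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.sessions:
            return "permit (cbac session)"
        for action, proto, dport, itype in self.outside_acl:   # first match wins
            if proto not in ("ip", pkt.proto):
                continue
            if itype is not None and itype != pkt.icmp_type:
                continue
            if dport is not None:
                lo, hi = (dport, dport) if isinstance(dport, int) else dport
                if not lo <= pkt.dport <= hi:
                    continue
            return f"{action} (acl)"
        return "deny (implicit)"   # every IOS ACL ends with an implicit deny


HOME_FW = [("udp", 5060), ("tcp", 80), ("tcp", 443), ("udp", 53), ("icmp", None)]
ACCESS_CONTROL = [
    ("permit", "icmp", None, "echo-reply"),     # replies to the router's own pings
    ("permit", "icmp", None, "time-exceeded"),  # traceroute from the router
    ("permit", "udp", 5060, None),              # SIP calls that originate outside
    ("permit", "udp", (10000, 20000), None),    # RTP media
    ("deny", "ip", None, None),                 # deny ip any any log-input
]
```

The SSH case in the test below shows the second point of the post: with no inspect rule for port 22, the reply to an inside-originated SSH session falls through to the ACL's deny.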
