Skip to main content

CCIE R&S CBAC FireWall

One of my major weakness until recently was security, security is the one topic that can kill you if you do not know what you are doing or if you are not careful enough to lookinto the small details. in the past when I came to a task I would attack it straight ahead and not thinking what it can do to other things I did before or what I need to do in the next task, I worked in a task by task strategy, today as I grown :-) I learned that nothing especially in real life is not presented to you in a step by step manner, you always need to gather all the information and sort it your self like a puzzle, some time the puzzle is small and easy some time you cant find the middle piece to complete your puzzle. so my advice to you is take the exam as a puzzle put all the parts in front of you (mean read all and draw basic topology accordingly) and build your puzzle from bottom up (piece by piece) if you cant find a piece then skip you will find it later. Now with that analogy the Security is one of those last pieces in your puzzle that can brake your entire puzzle so you can decide either to leave one piece out or to start rearrange everything (not recommended). With that in mind I would like to talk here on CBAC or the IOS Firewall, the basic Idea is very similar to reflexive ACL but with enhanced support of features and application. What Do we need for the firewall to work: 1) We Must have an ACL - the ACL will be in most of the cases (for the R&S CCIE) on the outside interface and it will have a Deny all statement, now that was a hard issue for me to grasp at first I said to my self what the hell do I need the Firewall to use a ACL?! isn’t that already build into the firewall, well no! the Firewall is "inspecting" traffic as it go out or come in but the ACL define what to be denied from coming into the Router, so that mean only traffic that is coming from inside the network to outside is allowed back in and traffic that is trying to come from outside need to stay out unless there is a permit statement. 2) We need to define and inspect rules and that is another thing that you need to be careful, as if you only set a rule to inspect icmp that mean that only icmp traffic from your network to the outside and back will be allowed, if you will try to browse the internet without setting an inspect rule your traffic will not be inspected and therefore not been allowed back in!!! Now here is my home router example: I start by defign the traffic that I am using from in --> out ip inspect name HOME-FW sip <- My Voip service need to be up ip inspect name HOME-FW snmp <- I have Snmp Server to monitor the networks I maintain ip inspect name HOME-FW http <- a man need to surf :-) ip inspect name HOME-FW https <- some time need to use a secure web browsing ip inspect name HOME-FW dns <- well I do not want to use IP for all my surfing so I need name resolve server access ip inspect name HOME-FW smtp <- need to sent out mail ip inspect name HOME-FW pop3 <- mail in ip inspect name HOME-FW ssh <- all my servers using SSH (linux RHES) ip inspect name HOME-FW icmp <- Pings ip inspect name HOME-FW telnet <- Some of the router I manage are old or do not have SSH ip inspect name HOME-FW udp <- miscellaneous traffic ip inspect name HOME-FW tcp <- miscellaneous traffic ! ip access-list extended ACCESS-CONTROL permit icmp any any echo-reply <- that I am using as the traffic from the router it self is not inspected so if I will not permit it then I will not babble to ping from the router, the same go for the traceroute permit icmp any any time-exceeded permit icmp any any port-unreachable permit udp x.x.x.80 0.0.0.15 any eq snmptrap <- I have in my home a Snmp Server and to allow traps from outside to come in I need a permit permit udp x.x.x.80 0.0.0.15 any eq 5060 <- although I enabled SIP in the inspection rule calls that are originated from outside in need to be permitted as only traffic inspected from inside to outside is permited permit udp host x.x.x.83 any range 10000 20000 <- that is for the RTP, it is not really needed but for the "obscure" bugs that can happen I rather permit it then loose a call. deny ip any any log-input <- the log-input is for tracing attackers always good to have. ! interface Dialer0 <-- that is my outside interface .. ip access-group ACCESS-CONTROL in .. ! interface Vlan16 <-- that is my inside interface .. ip inspect HOME-FW in .. !

This is In response to the comment posted: The ACL has no direct relation to the CBAC firewall, it is there to prevent traffic coming into your network from the outside, the inspection rule is there to inspect traffic going out from your network. if the ACL was not there the traffic would have been inspected but still people would able to go into your network. so if you want to block traffic you must have ACL but if you inspect traffic then even if there is a deny statement on the outside interface traffic is allowed to return. so the short answer CBAC is not inspecting the ACL, CBAC is inspecting what you tell him on the inspection rule.

4 comments

Popular posts from this blog

Step By Step MPLS – Basic MPLS Setup

Initial configuration , very basic with no MPLS, connectivity only to directly connected interfaces.R1R2R3R4!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.31.1 255.255.255.0
duplex auto
speed auto
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.42.2 255.255.255.0
duplex auto
speed auto
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip address 10.0.31.3 255.255.255.0
duplex auto
speed auto
  no clns route-cache
!
interface Serial1/0
ip address 10.0.43.3 255.255.255.0
  serial restart-delay 0
no clns route-cache
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip address 10.0.42.4 255.255.255.0
duplex auto
speed auto
!
interface Serial1/0
ip address 10.0.43.4 255.255.255.0
  serial restart-delay 0
no clns route-cache
!
adding to the following configuration MPLS labels we will start wi…

What is about to change in CISSP from Apr 2018

Change have arrived and like with other professional certification there is almost a standard time before certification gets its update, with most anywhere it is between 3 - 4 years, CISSP is no different and since last update was on 2015 the change is arriving here as well.

For the people that wish to see the official existing and new outline

I have decided to write this post as the new out line is more of a list of Domain and Sections within the domain without hint or indication to what was modified actually and I could not find anyone else that done that comparison, I had to take the task and do the comparison, please be advised that I have done it for my own "pleasure" so apologies if I missed something :-)
Lets start with the obvious change:
CISSP - Before Apr 2018CISSP - from Apr 20181. Security and Risk Management16%15%2. Asset Security10%10%3. Security Engineering12%13%4. Communications and Network Security12%14%5. Identity and Access Management13%13%6. …

VRF Maximum Routes

Maximum routes under customer vrf, if the service provider had unlimited resources he would not have needed that!
however normally resources are limited and expensive, and Service provider would like to make money from his available resources. maximum routes configured under VRF provide a mean of controlling PE local resource and abuse avoidance from the CE side.I have vrf called DC_EXTRANET, you can see that I have 16 routes, I have configured 10 maximum routes under that vrf however I did not want to be aggressive so I have set the warning only option. See that immediately I get a notice that I have more routes then the maximum, however no action is taken other then alerting and sending a syslog. ! PE_ashdod_otherisp.n(config-vrf)# maximum routes 10 warning-only % The current number of routes in the routing table is equal to, or exceeds the configured warning limit PE_ashdod_otherisp.n(config-vrf)# *Nov 26 20:39:41.175: %IPRT-3-ROUTELIMITWARNING: IP routing table limit warning - DC_…