Implementing Cisco IOS Firewalls.ppt

Cisco IOS Threat Defense Features
Implementing Cisco IOS Firewalls
Configuring Cisco IOS Firewall from the CLI

Cisco IOS Firewall Configuration Tasks Using the CLI
  1. Pick an interface: internal or external.
  2. Configure IP ACLs at the interface.
  3. Define inspection rules.
  4. Apply inspection rules and ACLs to interfaces.
  5. Test and verify.

Set Audit Trails and Alerts
  Router(config)# logging on
  Router(config)# logging host
  Router(config)# ip inspect audit-trail
  Router(config)# no ip inspect alert-off

  ip inspect audit-trail     Enables the delivery of audit trail messages using syslog.
  no ip inspect alert-off    Enables real-time alerts.

Define Inspection Rules for Application Protocols
  Router(config)# ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
  Defines the application protocols to inspect; the named rule is then applied to an interface.
  - Available protocols are tcp, udp, icmp, smtp, esmtp, cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, etc.
  - Alert, audit-trail, and timeout are configurable per protocol and override the global settings.

  Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
  Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Apply an Inspection Rule to an Interface
  Router(config-if)# ip inspect inspection-name {in | out}
  Applies the named inspection rule to an interface.

  Router(config)# interface e0/0
  Router(config-if)# ip inspect FWRULE in
  Applies the inspection rule to interface e0/0 in the inward direction.

Guidelines for Applying Inspection Rules and ACLs to Interfaces
  - On the interface where traffic initiates: apply an ACL in the inward direction that permits only the wanted traffic, and apply an inspection rule in the inward direction that inspects that wanted traffic.
  - On all other interfaces, apply an ACL in the inward direction that denies all unwanted traffic.

Example: Two-Interface Firewall
  ip inspect name OUTBOUND tcp
  ip inspect name OUTBOUND udp
  ip inspect name OUTBOUND icmp
  !
  interface FastEthernet0/0
   ip access-group OUTSIDEACL in
  !
  interface FastEthernet0/1
   ip inspect OUTBOUND in
   ip access-group INSIDEACL in
  !
  ip access-list extended OUTSIDEACL
   permit icmp any any packet-too-big
   deny ip any any log
  !
  ip access-list extended INSIDEACL
   permit tcp any any
   permit udp any any
   permit icmp any any

Example: Three-Interface Firewall
  interface FastEthernet0/0
   ip inspect OUTSIDE in
   ip access-group OUTSIDEACL in
  !
  interface FastEthernet0/1
   ip inspect INSIDE in
   ip access-group INSIDEACL in
  !
  interface FastEthernet0/2
   ip access-group DMZACL in
  !
  ip inspect name INSIDE tcp
  ip inspect name OUTSIDE tcp
  !
  ip access-list extended OUTSIDEACL
   permit tcp any host eq 25
   permit tcp any host eq 80
   permit icmp any any packet-too-big
   deny ip any any log
  !
  ip access-list extended INSIDEACL
   permit tcp any any eq 80
   permit icmp any any packet-too-big
   deny ip any any log
  !
  ip access-list extended DMZACL
   permit icmp any any packet-too-big
   deny ip any any log
  (The DMZ host addresses in the two OUTSIDEACL permit lines did not survive extraction.)
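The guidelines above can be checked mechanically before a configuration is deployed. The Python script below is an added example, not code from the slides or from Cisco: it parses a running-config fragment into inspection rules, ACLs and per-interface bindings, then reports interfaces that break the guidelines or reference a rule or ACL that is never defined. SAMPLE_CONFIG is the two-interface example from the slides plus a constructed FastEthernet0/2 that references an undefined rule and carries no ACL; the function names are my own.

```python
"""Audit a Cisco IOS classic firewall (CBAC) running-config against the
guidelines on the slides: every interface carries an inbound ACL, the
interface that initiates traffic also carries an inbound inspection rule,
the other interfaces end their inbound ACL with an explicit deny, and every
referenced inspection rule or ACL is actually defined.

Added example, not from the slides or from Cisco. SAMPLE_CONFIG is the
two-interface example from the slides plus a constructed third interface
(FastEthernet0/2) that references an undefined rule and has no ACL.
"""
import re

SAMPLE_CONFIG = """\
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet0/0
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect OUTBOUND in
 ip access-group INSIDEACL in
!
interface FastEthernet0/2
 ip inspect DMZRULE in
!
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any
 permit udp any any
 permit icmp any any
"""


def parse_ios(text):
    """Return (inspect_rules, acls, interfaces) from running-config text.

    inspect_rules: {rule name: [protocol, ...]}
    acls:          {ACL name: [ACE text, ...]}
    interfaces:    {interface: {"inspect_in"/"inspect_out"/"acl_in"/"acl_out": name}}
    """
    inspect_rules, acls, interfaces = {}, {}, {}
    section = None  # ("interface", name) or ("acl", name) while inside a block
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            section = None
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            section = None
            if m := re.match(r"ip inspect name (\S+) (\S+)", line):
                inspect_rules.setdefault(m.group(1), []).append(m.group(2))
            elif m := re.match(r"interface (\S+)", line):
                interfaces[m.group(1)] = {}
                section = ("interface", m.group(1))
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
                acls.setdefault(m.group(1), [])
                section = ("acl", m.group(1))
            continue
        if section and section[0] == "interface":
            if m := re.match(r"ip inspect (\S+) (in|out)$", line):
                interfaces[section[1]]["inspect_" + m.group(2)] = m.group(1)
            elif m := re.match(r"ip access-group (\S+) (in|out)$", line):
                interfaces[section[1]]["acl_" + m.group(2)] = m.group(1)
        elif section and section[0] == "acl":
            acls[section[1]].append(line)
    return inspect_rules, acls, interfaces


def audit(text):
    """Return a list of human-readable findings (empty list = passes)."""
    inspect_rules, acls, interfaces = parse_ios(text)
    findings = []
    for ifname, cfg in interfaces.items():
        for key, name in cfg.items():
            if key.startswith("inspect_") and name not in inspect_rules:
                findings.append(f"{ifname}: inspection rule {name} is not defined")
            if key.startswith("acl_") and name not in acls:
                findings.append(f"{ifname}: ACL {name} is not defined")
        if "acl_in" not in cfg:
            findings.append(f"{ifname}: no inbound ACL")
            continue
        if "inspect_in" not in cfg and "inspect_out" not in cfg:
            # Not the initiating interface: its inbound ACL must end in an explicit deny.
            aces = acls.get(cfg["acl_in"], [])
            if not aces or not aces[-1].startswith("deny ip any any"):
                findings.append(f"{ifname}: inbound ACL {cfg['acl_in']} does not end with 'deny ip any any'")
    if not any("inspect_in" in cfg for cfg in interfaces.values()):
        findings.append("no interface applies an inspection rule inbound")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the three-interface example above it reports nothing: the outside and inside interfaces each carry an inbound ACL plus an inbound inspection rule, and DMZACL ends with a logged deny. The SDM basic firewall shown later on the page inspects outbound on the outside interface instead, so under the CLI guideline as coded here its inside interface (ACL 100 ending in permit ip any any, no inspection) would be reported; adjust the last check if you follow the SDM model.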

Verifying Cisco IOS Firewall
  Router# show ip inspect name inspection-name
  Router# show ip inspect config
  Router# show ip inspect interfaces
  Router# show ip inspect session detail
  Router# show ip inspect statistics
  Router# show ip inspect all
  Displays inspections, interface configurations, sessions, and statistics.

  Router# show ip inspect session
  Established Sessions
   Session 6155930C (:35009)=(0:34233) tcp SIS_OPEN
   Session 6156F0CC (:35011)=(0:34234) tcp SIS_OPEN
   Session 6156AF74 (:35010)=(0:5002) tcp SIS_OPEN
  Router#
  (The endpoint addresses in this output did not survive extraction.)

Troubleshooting Cisco IOS Firewall

  General debug commands:
  Router# debug ip inspect function-trace
  Router# debug ip inspect object-creation
  Router# debug ip inspect object-deletion
  Router# debug ip inspect events
  Router# debug ip inspect timers
  Router# debug ip inspect detail

  Protocol-specific debug:
  Router# debug ip inspect protocol
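The session table from show ip inspect session is the first thing to look at when verifying the firewall or chasing a problem, and it is easy to turn into structured data. The Python below is an added example, not code from the slides or from Cisco: it parses the command's session lines into records, counts them per protocol and state, and lists inside hosts holding many half-open sessions. SAMPLE_OUTPUT is constructed: it follows the layout of the slide's output with documentation addresses filled in (the slide's addresses did not survive extraction); the "Half-open Sessions" table and the SIS_OPENING state are assumptions about the output format, and the function names are my own.

```python
"""Parse 'show ip inspect session' output into records and summarise it.

Added example, not from the slides or from Cisco. SAMPLE_OUTPUT is
constructed: it follows the layout of the slide's output but with
documentation addresses filled in; the 'Half-open Sessions' table and the
SIS_OPENING state are assumptions about the command's output format.
"""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
Router#show ip inspect session
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
 Session 6157A1B0 (10.0.0.7:40111)=>(198.51.100.20:21) ftp SIS_OPEN
Half-open Sessions
 Session 6158C2D4 (10.0.0.9:51001)=>(203.0.113.5:80) tcp SIS_OPENING
 Session 6158C3E8 (10.0.0.9:51002)=>(203.0.113.6:80) tcp SIS_OPENING
 Session 6158C4FC (10.0.0.9:51003)=>(203.0.113.7:80) tcp SIS_OPENING
Router#
"""

# One session line: id, (src:sport)=>(dst:dport), protocol, SIS_* state.
SESSION_RE = re.compile(
    r"^\s*Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>?\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\w+)\s*$"
)


def parse_sessions(text):
    """Return one dict per session line, tagged with the table it appeared under."""
    sessions, table = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Sessions"):        # table header, e.g. "Established Sessions"
            table = stripped
            continue
        m = SESSION_RE.match(line)
        if not m:
            continue                              # prompt, blanks, anything else
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["table"] = table
        sessions.append(rec)
    return sessions


def summarize(sessions):
    """Count sessions per (protocol, state) pair."""
    return Counter((s["proto"], s["state"]) for s in sessions)


def half_open_by_source(sessions, threshold=2):
    """Sources holding at least `threshold` sessions still in SIS_OPENING.

    One inside host with many half-open sessions is the pattern an operator
    looks at first (a scanning host, or a broken client retrying).
    """
    counts = Counter(s["src"] for s in sessions if s["state"] == "SIS_OPENING")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_OUTPUT)
    for (proto, state), n in sorted(summarize(sess).items()):
        print(f"{proto:<6} {state:<12} {n}")
    print("half-open by source:", half_open_by_source(sess))
```

Feed it the text captured from the router (for example via your terminal logger) and compare successive snapshots; a growing SIS_OPENING count for one source while SIS_OPEN stays flat is worth a look before reaching for the debug ip inspect commands above.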

Basic and Advanced Firewall Wizards
  SDM offers configuration wizards to simplify Cisco IOS Firewall configuration. Two configuration wizards exist:
  - Basic Firewall Configuration wizard: supports two interface types (Inside and Outside) and applies predefined rules.
  - Advanced Firewall Configuration wizard: supports more interfaces (Inside, Outside, and DMZ) and applies predefined or custom rules.

Configuring a Basic Firewall (wizard screens, numbered steps 1 to 4)
  Basic Firewall Interface Configuration
  Basic Firewall Configuration Summary and Deployment
  Reviewing the Basic Firewall for the Originating Traffic
  Reviewing the Basic Firewall for the Returning Traffic

Resulting Basic Firewall Inspection Rule Configuration
  Router# show running-config | include ip inspect name
  ip inspect name SDM_LOW cuseeme
  ip inspect name SDM_LOW dns
  ip inspect name SDM_LOW ftp
  ip inspect name SDM_LOW h323
  ip inspect name SDM_LOW https
  ip inspect name SDM_LOW icmp
  ip inspect name SDM_LOW imap
  ip inspect name SDM_LOW pop3
  ip inspect name SDM_LOW netshow
  ip inspect name SDM_LOW rcmd
  ip inspect name SDM_LOW realaudio
  ip inspect name SDM_LOW rtsp
  ip inspect name SDM_LOW esmtp
  ip inspect name SDM_LOW sqlnet
  ip inspect name SDM_LOW streamworks
  ip inspect name SDM_LOW tftp
  ip inspect name SDM_LOW tcp
  ip inspect name SDM_LOW udp
  ip inspect name SDM_LOW vdolive

Resulting Basic Firewall ACL Configuration
  (The source addresses and wildcard masks in this output did not survive extraction; the lines are reproduced as extracted.)
  Router# show running-config | include access-list
  access-list 100 remark autogenerated by SDM firewall configuration
  access-list 100 remark SDM_ACL Category=1
  access-list 100 deny ip any
  access-list 100 deny ip host 55 any
  access-list 100 deny ip 55 any
  access-list 100 permit ip any any
  access-list 101 remark autogenerated by SDM firewall configuration
  access-list 101 remark SDM_ACL Category=1
  access-list 101 deny ip 55 any
  access-list 101 permit icmp any host echo-reply
  access-list 101 permit icmp any host time-exceeded
  access-list 101 permit icmp any host unreachable
  access-list 101 deny ip 55 any
  access-list 101 deny ip 55 any
  access-list 101 deny ip 55 any
  access-list 101 deny ip 55 any
  access-list 101 deny ip host 55 any
  access-list 101 deny ip host any
  access-list 101 deny ip any any log
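The structure of the SDM-generated outside ACL (101) is worth reproducing by hand when SDM is not available: deny your own prefixes as inbound sources, permit only the ICMP replies the router itself needs, expose selected services on the outside address, deny reserved sources, and close with a logged deny. The Python below is an added example, not SDM's code and not from the slides; build_outside_acl and its parameters are my own, the reserved-source list is an assumption (the slide's list did not survive extraction), and the addresses in the usage are constructed documentation addresses.

```python
"""Generate an outside-interface inbound ACL in the style of the SDM-generated
access-list 101 on the slides.

Added example, not SDM's code and not from the slides. RESERVED_SOURCES is an
assumed list; all addresses used below are constructed documentation addresses.
"""
import ipaddress

# Source ranges that should never arrive from the outside (assumed list).
RESERVED_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]


def wildcard(cidr):
    """Cisco 'network wildcard' form of a CIDR prefix, e.g. 172.16.0.0 0.15.255.255."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


def build_outside_acl(number, outside_ip, inside_nets, services=()):
    """Return the ACL as a list of IOS 'access-list <number> ...' lines.

    number:      numbered ACL to generate (101 on the slides)
    outside_ip:  the outside interface address replies are allowed to
    inside_nets: CIDR prefixes behind the firewall (spoofed if seen inbound)
    services:    (protocol, port-or-keyword) pairs to expose on outside_ip
    """
    ipaddress.ip_address(outside_ip)  # raises ValueError on a bad address
    p = f"access-list {number}"
    lines = [f"{p} remark generated by build_outside_acl (example, not SDM)"]
    for net in inside_nets:                       # anti-spoofing: our own prefixes
        lines.append(f"{p} deny ip {wildcard(net)} any")
    for net in RESERVED_SOURCES:                  # reserved sources, before any permit
        line = f"{p} deny ip {wildcard(net)} any"
        if line not in lines:                     # skip exact duplicates of inside_nets
            lines.append(line)
    lines.append(f"{p} deny ip host 255.255.255.255 any")
    lines.append(f"{p} deny ip host 0.0.0.0 any")
    for icmp_type in ("echo-reply", "time-exceeded", "unreachable"):
        lines.append(f"{p} permit icmp any host {outside_ip} {icmp_type}")
    for proto, port in services:
        lines.append(f"{p} permit {proto} any host {outside_ip} eq {port}")
    lines.append(f"{p} deny ip any any log")      # explicit, logged default deny
    return lines


def ends_with_default_deny(lines):
    """True when the last non-remark entry is the logged 'deny ip any any'."""
    aces = [line for line in lines if " remark " not in line]
    return bool(aces) and aces[-1].endswith("deny ip any any log")


if __name__ == "__main__":
    acl = build_outside_acl(101, "203.0.113.2", ["10.1.1.0/24"],
                            services=[("tcp", "www"), ("udp", "isakmp")])
    print("\n".join(acl))
```

The generated order is deliberately stricter than the SDM listing on the slides: every reserved-source deny precedes the permits, so a permit whose source is any cannot be matched by a packet from a reserved range. Returning traffic for sessions that originated inside does not need a permit here because the inspection rule on the same interface opens those holes dynamically; only replies addressed to the router itself (the three ICMP types) and the exposed services are permitted statically.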

Resulting Basic Firewall Interface Configuration
  Router# show running-config | begin interface
  interface FastEthernet0/0
   description $FW_INSIDE$
   ip address
   ip access-group 100 in
  !
  interface Serial0/0/0
   description $FW_OUTSIDE$
   ip address 52
   ip access-group 101 in
   ip verify unicast reverse-path
   ip inspect SDM_LOW out
  !

Configuring Interfaces on an Advanced Firewall (wizard screens, numbered steps 1 to 4)
  Advanced Firewall Interface Configuration
  Configuring a DMZ on an Advanced Firewall
  Advanced Firewall DMZ Service Configuration
  Advanced Firewall DMZ Service Configuration: TCP
  Advanced Firewall DMZ Service Configuration: UDP
  Advanced Firewall DMZ Service Configuration (Cont.)
  Advanced Firewall Security Configuration
  Advanced Firewall Security Policy
  Advanced Firewall Protocols and Applications
  Advanced Firewall Protocols and Applications (Cont.)
  Advanced Firewall Protocols and Applications (Cont.)
  Advanced Firewall Inspection Parameters
  Advanced Firewall Security Policy Selection
  Complete the Configuration
  Advanced Firewall Configuration Summary and Deployment

Resulting Advanced Firewall Inspection Rule Configuration
  Router# show running-config | include ip inspect name
  ip inspect name appfw_100 tcp audit-trail on
  ip inspect name appfw_100 udp
  ip inspect name appfw_100 ftp
  ip inspect name dmzinspect tcp
  ip inspect name dmzinspect udp

Resulting Advanced Firewall ACL Configuration
  (As above, the source addresses and wildcard masks in this output did not survive extraction.)
  Router# show running-config | include access-list
  access-list 100 remark autogenerated by SDM firewall configuration
  access-list 100 remark SDM_ACL Category=1
  access-list 100 deny ip any
  access-list 100 deny ip 55 any
  access-list 100 deny ip host 55 any
  access-list 100 deny ip 55 any
  access-list 100 permit ip any any
  access-list 101 remark autogenerated by SDM firewall configuration
  access-list 101 remark SDM_ACL Category=1
  access-list 101 deny ip any any log
  access-list 102 remark autogenerated by SDM firewall configuration
  access-list 102 remark SDM_ACL Category=1
  access-list 102 deny ip 1 55 any
  access-list 102 deny ip 55 any
  access-list 102 permit icmp any host echo-reply
  access-list 102 permit icmp any host time-exceeded
  access-list 102 permit icmp any host unreachable
  access-list 102 permit tcp any host eq www
  access-list 102 permit udp any host eq isakmp
  access-list 102 deny ip 55 any
  access-list 102 deny ip 55 any
  access-list 102 deny ip 55 any
  access-list 102 deny ip 55 any
  access-list 102 deny ip host 55 any
  access-list 102 deny ip host any
  access-list 102 deny ip any any log

Resulting Advanced Firewall Interface Configuration
  Router# show running-config | begin interface
  interface FastEthernet0/0
   description $FW_INSIDE$
   ip address
   ip access-g
  (The source text ends here.)
