BRKSEC-3007 - Advanced Cisco IOS Security Features (2010 Las Vegas)
Agenda
Troubleshooting Cisco IOS Firewall
  Cisco IOS Firewall Overview
  Cisco IOS Firewall Packet Flow
  Cisco IOS Firewall Troubleshooting
  Common Issues and Resolutions
  Summary
  Zone Based Firewall Troubleshooting Example
Troubleshooting Cisco IOS Intrusion Prevention System
  Cisco IOS IPS Overview
  Cisco IOS IPS Packet Flow
  Cisco IOS IPS Troubleshooting
  Common Issues and Resolutions
  Summary
Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public
VPN
BRKSEC-3011: Troubleshooting GET VPN
BRKSEC-3012: Troubleshooting DMVPN
NRLSEC-3013: Troubleshooting Remote Access SSL VPN
12.4(6)T (Zone-Based Policy Firewall):
  Per-policy parameter
  Transparent firewall
  VRF-aware firewall
[Figure: trusted network on E0, untrusted Internet on S0, with a Private-Public policy between them]
Setup zones
zone-pair security priv-pub source private destination public
 service-policy type inspect mypolicy
interface Ethernet0
 zone-member security private
interface Serial0
 zone-member security public
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
Determine the packet flow based on source IP, destination IP, source port, destination port, and protocol.
Determine the interfaces/zones through which the flow passes, then perform a systematic walk of the packet flow through the device based on the features configured.
Example flow:
  Source Address: a.b.c.1
  Destination Address: d.e.f.1
  Source Port: xxxx
  Destination Port: yyy
  Protocol: UDP
  Source Interface: Fa 0/0
  Destination Interface: Fa 1/0
The flow is narrowed to 2 interfaces only.
Packet Flow
[Figure: packet flow from interface Fa 0/0 to Fa 1/0. Inbound: if the packet is IPsec, decrypt it; input ACL; auth proxy; fragment inspection; IOS FW inspects the payload. Outbound: if the packet is IPsec, encrypt it.]
Ask: Ask the right questions to better define and clarify the problem
Acquire: What information do we need but don't have? How do we get that information?
Analyze: Understand the flow: what's supposed to happen vs. what actually happened
Act: Test assumptions; deploy changes
Troubleshooting tools: show commands, packet capture, debug commands
Syslog
Most effective troubleshooting tool available for Zone-Based Policy Firewall
Tool for alert and audit trail
Tool to help identify packets dropped by the firewall
Tool for capturing the debug command output
Use of a syslog server is strongly recommended when deploying firewall solutions
Jul 26 13:58:16 200.1.1.1 2167: Jul 26 18:02:34.907 UTC: %APPFW-4-HTTP_JAVA_APPLET: HTTP Java Applet detected - resetting session 172.16.1.100:80 10.1.1.100:3372 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic
(myClassMap is the class-map name; HttpAic is the application class.)
CBAC
Segment matching failures:
  No TCP connection
  Invalid sequence number
  Invalid ack (or no ack)
  SYN inside current window
  Out-of-order segment
  Stray segment
Example alert message:
*Jun 26 04:07:04.347: %FW-4-ALERT_OFF: calming down, count (99/100) current 1-min rate: 173
Show Commands
Use to display the configuration and connection statistics information.
MOST of the problems can be diagnosed with the syslog and show commands.
Show commands are different for Classic Cisco IOS Firewall and Zone-Based Policy Firewall.
Typical problem scenario: application X failing when going through the firewall.
[Figure: capture points on the inside (client) and the outside (server, Internet) of the firewall]
Set up the capture filter for the flow in question.
Start packet capture on both the inside and the outside of the firewall.
Router# monitor capture buffer test-buffer export ?
  ftp:    Location to dump buffer
  http:   Location to dump buffer
  https:  Location to dump buffer
  rcp:    Location to dump buffer
  scp:    Location to dump buffer
  tftp:   Location to dump buffer
Solutions:
IOS Firewall works with IPsec in one of two ways:
1. IOS Firewall and IPsec enabled on the same router
   IOS FW does packet inspection on the decrypted packets for inbound traffic
   IOS FW does packet inspection before encryption for outbound traffic
2. DMVPN, static VTI (Virtual Tunnel Interface), EzVPN using dynamic VTI
[Figure: R1 (private zone, server 192.168.1.10) and R2 (192.168.2.0/24) connected across the Internet; policy table with Private and Public rows: Private N/A; allow TCP/UDP/ICMP traffic from the tunnel, and web traffic to server 192.168.1.10]
zone security public
 description Internet facing zone
zone security private
 description Secure private zone
zone-pair security pub-pri source public destination private
 service-policy type inspect pub-pri-pmap
zone-pair security pri-pub source private destination public
 service-policy type inspect pri-pub-pmap
!
interface FastEthernet0/0
 zone-member security public
 crypto map test
!
interface FastEthernet1/0
 zone-member security private
!
ip access-list extended tunnel-traffic
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended web-server
 permit ip any host 192.168.1.10
[Figure: zone private (web server, 192.168.1.0/24), zone public, and zone VPN (192.168.2.0/24); policy table: Private N/A; allow web traffic to 192.168.1.10]
Performance Degrades
Symptom:
After turning on IOS Firewall, the connection is very slow. Valid packets are dropped a while after turning the firewall ON.
Troubleshooting Steps:
Step 1: Check and investigate which process utilizes the MAXIMUM CPU
Router# show processes cpu | exclude 0.00
CPU utilization for five seconds: 70%/39%; one minute: 52%; five minutes: 43%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  74        1388     31823     43  0.08%  0.04%  0.04%   0 EAPFramework
  84      983836    305327   3222 38.18% 37.74% 37.02%   0 IP Input
 120       24468      3070   7970  1.22%  1.27%  1.26%   0 Inspect process
Solution:
The IP Input process is expected to be higher than any other process.
If any process is higher than IP Input, that process needs investigation; it may not be related to IOS Firewall.
If the IP Input process is HIGH, it could be related to IOS Firewall.
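The rule in the Solution above (IP Input is expected to be the top consumer; any other process on top is investigated on its own) can be applied mechanically to the show output. The following Python script is an added example, not code from the session; it parses a constructed copy of the slide's show processes cpu output and returns which process is on top and whether the firewall is a plausible cause. The column alignment of the sample and the reading of the 70%/39% header as total/interrupt-level CPU are assumptions of this example.

```python
import re

# Constructed sample modelled on the slide's "show processes cpu | exclude 0.00" output
# (the three rows shown on the slide; column alignment is reconstructed here).
SAMPLE_CPU = """\
CPU utilization for five seconds: 70%/39%; one minute: 52%; five minutes: 43%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  74        1388     31823     43  0.08%  0.04%  0.04%   0 EAPFramework
  84      983836    305327   3222 38.18% 37.74% 37.02%   0 IP Input
 120       24468      3070   7970  1.22%  1.27%  1.26%   0 Inspect process
"""

HEADER_RE = re.compile(
    r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%")
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"      # PID Runtime(ms) Invoked uSecs
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+"      # 5Sec 1Min 5Min
    r"(\S+)\s+(.+?)\s*$")                        # TTY Process (name may contain spaces)


def parse_show_processes_cpu(text):
    """Return (summary dict, list of per-process dicts) for show processes cpu output."""
    summary, rows = {}, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total5, intr5, one, five = (int(x) for x in m.groups())
            summary = {
                "total_5s": total5,
                "interrupt_5s": intr5,
                # IOS prints total%/interrupt%; the difference is process-level CPU (assumption)
                "process_5s": total5 - intr5,
                "one_min": one,
                "five_min": five,
            }
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "pid": int(m.group(1)), "runtime_ms": int(m.group(2)),
                "invoked": int(m.group(3)), "usecs": int(m.group(4)),
                "five_sec": float(m.group(5)), "one_min": float(m.group(6)),
                "five_min": float(m.group(7)), "process": m.group(9),
            })
    return summary, rows


def assess_cpu(text, key="one_min"):
    """Apply the slide's rule: IP Input on top points at the firewall, anything
    else on top is investigated as its own problem first."""
    summary, rows = parse_show_processes_cpu(text)
    top = max(rows, key=lambda r: r[key])
    inspect = next((r for r in rows if r["process"] == "Inspect process"), None)
    return {
        "top_process": top["process"],
        "top_pct": top[key],
        "process_level_5s": summary.get("process_5s"),
        # True: IP Input is the top consumer, so inspection (DoS thresholds, http
        # inspection, timeouts) is the first thing to look at
        "firewall_suspected": top["process"] == "IP Input",
        "inspect_pct": inspect[key] if inspect else None,
    }


if __name__ == "__main__":
    print(assess_cpu(SAMPLE_CPU))
```

Run it against real output by replacing SAMPLE_CPU with the text captured from the router; the key argument selects the 5-second, 1-minute or 5-minute column.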
Each class-map's DoS protection is individually configurable with a parameter-map that modifies the DoS protection values.
The legacy default settings prior to Release 12.4(11)T may interfere with proper network operation if they are not configured for the appropriate level.
Step 2: Define a parameter-map and set the max-incomplete high values to very high values
parameter-map type inspect DoS-param-map
 max-incomplete high 20000000
 one-minute high 100000000
 tcp max-incomplete host 100000 block-time 0
Step 3: Apply the parameter-map to every class-map's inspection action
policy-map type inspect z1-z2-pmap
Step 5: Tune the DoS settings for every inspect-type class-map contained within a policy-map that must have unique DoS protection requirements
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8055e6ac.html
Troubleshooting Steps:
Step 1a: Analyze syslog messages generated by the router
Jul 26 13:58:16 200.1.1.1 2167: Jul 26 18:02:34.907 UTC: %APPFW-4-HTTP_JAVA_APPLET: HTTP Java Applet detected - resetting session 172.16.1.100:80 10.1.1.100:3372 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic
Step 1b: Review the configuration with show commands
class-map type inspect http match-any HttpAic
 match response body java-applet
 exit
policy-map type inspect http HttpAicPolicy
 class type inspect http HttpAic
  reset
  log
 exit
(The reset action is the reason for the connection reset.)
Solution:
Remove the reset command under policy map
Solution:
Reset the body length for request/response to a higher value
class-map type inspect http match-any HttpAic
 match req-resp body length gt 1000000
 exit
3b. Using show commands to review the configuration may reveal that the request URI length was set too LOW.
Resolution:
Reset the URI length to 256 as follows
class-map type inspect http match-any HttpAic
 match request uri length gt 256
 exit
[Figure: topology for the zone-based firewall example. R1 (.1) on 10.2.1.0/24 on the outside; R2 (.2) is the IOS Firewall; zone inside 10.2.3.0/24 with R3 (.3), a server and clients, reached through an IPsec tunnel; zone DMZ 10.2.4.0/24 with R4 (.4), an http server]
Three zones: inside zone, outside zone, dmz zone
Traffic policies:
  TCP and UDP connections from inside to outside
  TCP and UDP connections from dmz to outside
  http from the outside to the dmz
  any other required connections from the outside to the inside
class-map type inspect match-any INSIDE
 match protocol tcp
 match protocol udp
class-map type inspect match-any DMZ
 match protocol tcp
 match protocol udp
class-map type inspect match-all OUTSIDE
 match protocol http
 match access-group name OUT_DMZ
 match access-group name OUT_IN
policy-map type inspect OUT_IN
 class type inspect OUTSIDE
  inspect
 class class-default
  drop
zone-pair security IN->OUT source inside destination outside
 service-policy type inspect IN_OUT
zone-pair security OUT->IN source outside destination inside
 service-policy type inspect OUT_IN
zone-pair security DMZ->OUT source dmz destination outside
 service-policy type inspect DMZ_OUT
zone-pair security OUT->DMZ source outside destination dmz
 service-policy type inspect OUT_DMZ
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
 ip address 10.2.1.2 255.255.255.0
Tests:
  Telnet from R3 to R1
  Telnet from R1 to R3
  Telnet from R1 to R4
Session output (excerpt):
 1 packets, 24 bytes
 30 second rate 0 bps
 ..
 Inspect
  Number of Established Sessions = 1
  Established Sessions
   Session 6A62F98 (10.2.4.4:59121)=>(1.1.1.1:23) tcp SIS_OPEN/TCP_ESTAB
    Created 00:00:05, Last heard 00:00:04
    Bytes sent (initiator:responder) [30:69]
Password:
Class-map: OUTSIDE (match-all)
 Match: protocol http
 Match: access-group name OUT_IN
 Inspect
R1#telnet 4.4.4.4 80
R2#
*Apr 5 23:45:25.723: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Apr 5 23:47:10.931: %FW-6-DROP_PKT: Dropping udp session 10.2.1.1:500 10.2.3.3:500 on zone-pair OUT->IN class class-default due to DROP action found in policy-map with ip ident 0

R1#
*Apr 5 23:46:18.687: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 10.2.3.3
..
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#
*Apr 5 23:48:38.055: %FW-6-LOG_SUMMARY: 3 packets were dropped from 10.2.1.1:500 => 10.2.3.3:500 (target:class)-(OUT->IN:class-default)
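The DROP_PKT and LOG_SUMMARY messages above (and the APPFW message earlier in the deck) carry the zone-pair, class and endpoints an engineer needs to correlate a drop with the policy-map. As an added example, not code from the session, the Python below parses constructed log lines modelled on those messages, totals dropped packets per flow and class, and states what a class-default drop means for the zone-pair policy. The regular expressions and the wording of the hints are this example's assumptions, built only from the message formats shown on the slides.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log built from the message formats shown on the slides.
SAMPLE_LOG = """\
*Apr 5 23:45:25.723: %SYS-5-CONFIG_I: Configured from console by console
*Apr 5 23:47:10.931: %FW-6-DROP_PKT: Dropping udp session 10.2.1.1:500 10.2.3.3:500 on zone-pair OUT->IN class class-default due to DROP action found in policy-map with ip ident 0
*Apr 5 23:48:38.055: %FW-6-LOG_SUMMARY: 3 packets were dropped from 10.2.1.1:500 => 10.2.3.3:500 (target:class)-(OUT->IN:class-default)
Jul 26 18:02:34.907 UTC: %APPFW-4-HTTP_JAVA_APPLET: HTTP Java Applet detected - resetting session 172.16.1.100:80 10.1.1.100:3372 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)")
SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)")
APPFW_RE = re.compile(
    r"%APPFW-4-(?P<event>\w+): .* session (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
    r"(?: appl-class (?P<appl>\S+))?")


@dataclass
class FwEvent:
    kind: str             # DROP_PKT, LOG_SUMMARY, or the APPFW event name
    proto: str            # LOG_SUMMARY does not carry the protocol; recorded as "?"
    src: str              # endpoints as printed in the message, first then second
    sport: int
    dst: str
    dport: int
    zone_pair: str
    cls: str
    count: int = 1
    appl_class: Optional[str] = None


def parse_fw_log(text):
    """Extract firewall events from raw syslog text; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        if (m := DROP_RE.search(line)):
            events.append(FwEvent("DROP_PKT", m["proto"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["zp"], m["cls"]))
        elif (m := SUMMARY_RE.search(line)):
            events.append(FwEvent("LOG_SUMMARY", "?", m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["zp"], m["cls"],
                                  count=int(m["count"])))
        elif (m := APPFW_RE.search(line)):
            events.append(FwEvent(m["event"], "tcp", m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["zp"], m["cls"],
                                  appl_class=m["appl"]))
    return events


def dropped_flows(events):
    """Total dropped packets per (zone-pair, class, src, dst, dport). A DROP_PKT
    counts one packet; a LOG_SUMMARY contributes the count it reports."""
    totals = {}
    for e in events:
        if e.kind in ("DROP_PKT", "LOG_SUMMARY"):
            key = (e.zone_pair, e.cls, e.src, e.dst, e.dport)
            totals[key] = totals.get(key, 0) + e.count
    return totals


def explain(event):
    """Turn one event into the pointer a first-line engineer needs."""
    flow = f"{event.src}:{event.sport} -> {event.dst}:{event.dport}"
    if event.kind in ("DROP_PKT", "LOG_SUMMARY") and event.cls == "class-default":
        return (f"{flow}: no class-map in zone-pair {event.zone_pair} matched this flow, "
                f"so the class-default drop applied; add a class-map (protocol or "
                f"access-group match) with an inspect or pass action for it")
    if event.kind in ("DROP_PKT", "LOG_SUMMARY"):
        return f"{flow}: explicitly dropped by class {event.cls} in zone-pair {event.zone_pair}"
    return (f"{flow}: application inspection event {event.kind} in class {event.cls} "
            f"(appl-class {event.appl_class}) on zone-pair {event.zone_pair}")


if __name__ == "__main__":
    for ev in parse_fw_log(SAMPLE_LOG):
        print(explain(ev))
    print(dropped_flows(parse_fw_log(SAMPLE_LOG)))
```

On the slide's own case the class-default hint is exactly what the later fix does: the OUT_IN access-list and the VPN class-map with a pass action give the ISAKMP/ESP flow a class of its own.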
[Figure: same topology; the IPsec tunnel between R1 (10.2.1.1) and R3 (10.2.3.3) through R2 is marked "???", since the ISAKMP (udp/500) packets are dropped by OUT->IN class-default]
ip access-list extended OUT_IN
 permit udp host 10.2.1.1 host 10.2.3.3 eq isakmp
 permit udp host 10.2.1.1 host 10.2.3.3 eq non500-isakmp
 permit esp host 10.2.1.1 host 10.2.3.3
ip access-list extended VPN_OUT
 permit udp host 10.2.3.3 host 10.2.1.1 eq isakmp
 permit udp host 10.2.3.3 host 10.2.1.1 eq non500-isakmp
 permit esp host 10.2.3.3 host 10.2.1.1
class-map type inspect match-all VPN
 match access-group name OUT_IN
class-map type inspect match-any DMZ
 match protocol tcp
 match protocol udp
class-map type inspect match-all OUTSIDE
 match protocol http
 match access-group name OUT_DMZ
 match access-group name OUT_IN
class-map type inspect match-all VPN_OUT
 match access-group name VPN_OUT
Action shown for the VPN traffic: pass
Firewall Summary
ALWAYS take a systematic approach to troubleshoot IOS Firewall issues
Establish a baseline traffic profile for your network through IOS Firewall, and set the DoS settings accordingly
DO NOT change the default UDP and DNS session timeout values
Use syslog and show commands to troubleshoot IOS Firewall
Signature Files
Contain signature engine and parameter information such as signature name, signature ID, signature actions, etc.
Signature Categories*
A signature category contains pre-selected signature sets for a specific vulnerability
Event Monitoring
Syslog messages and/or SDEE** alerts for events generated by IOS IPS
* Version 5.x signature format only (i.e. 12.4(11)T or later)
** SDEE = Security Device Event Exchange
Signature Categories
IOS IPS with Cisco 5.x/6.x format signatures operates with signature categories.
A signature category is a group of relevant signatures represented by a meaningful name.
All signatures are pre-grouped into categories.
An individual signature can belong to more than one category.
Router#sh ip ips category ?
  adware/spyware
  attack
  ddos
  dos
  email
  instant_messaging
  ios_ips
  l2/l3/l4_protocol
  network_services
  os
  other_services
  p2p
  reconnaissance
  releases
  viruses/worms/trojans
  web_server
Each top-level category (Adware/Spyware, Attack, DDoS, DoS, Email, Instant Messaging, IOS IPS, L2/L3/L4 Protocol, Network Services, OS, Other Services, P2P, Reconnaissance, Releases, Viruses/Worms/Trojans, Web Server) has further sub-categories.
Packet Flow
[Figure: IOS IPS packet flow. Inbound: Layer 2 decapsulation, stateless IPS, IPsec check (if IPsec: inbound ACL, IPsec decryption and packet re-injection), auth proxy, inbound ACL, NAT, forwarding. Outbound: forwarding, stateless IPS, NAT, fragment inspection, outbound ACL, IPsec (if IPsec), Layer 2 encapsulation]
Troubleshooting IPS
ALWAYS remember to first select category all AND retire all signatures
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   | snip |
   F3020301 0001
  quit
interface GigabitEthernet0/1
 ip address 10.1.1.6 255.255.255.0
 ip ips iosips in
 ip virtual-reassembly
 duplex auto
 speed auto
*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:100
1. Check the configuration: show run
2. Check signature status, to confirm signatures are compiled: show ip ips config; show ip ips signatures count
3. Check flows inspected by IOS IPS, to verify IOS IPS is inspecting traffic: show ip ips sessions detail
4. Check SDEE alerts / syslog messages, to verify attacks are being detected: show ip sdee alerts; show logging
5. Use appropriate debug commands
-- output skipped --
!
ip ips config location flash:ips/ retries 1
ip ips notify SDEE
ip ips name iosips
!
ip ips signature-category
 category all
  retired true
 category ios_ips advanced
  retired false
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   -- output skipped --
   F3020301 0001
  quit
!
interface GigabitEthernet0/1
 ip address 10.1.1.6 255.255.255.0
 ip ips iosips in
 ip virtual-reassembly
Callouts: the signature-category block configures IOS IPS to use one of the pre-defined signature categories; the crypto key is used to verify the digital signature on the signature package; the interface command enables the IPS rule on the desired interface and specifies the direction the rule is applied to.
Verify the IOS IPS policy is applied to the right interface in the right direction Verify the signature category being used
Signature Micro-Engine: multi-string: Total Signatures 8
 multi-string enabled signatures: 8
 multi-string retired signatures: 8
- output omitted -
Signature Micro-Engine: service-msrpc: Total Signatures 27
 service-msrpc enabled signatures: 27
 service-msrpc retired signatures: 19
 service-msrpc compiled signatures: 1
 service-msrpc inactive signatures - invalid params: 7
Total Signatures: 2204
Total Enabled Signatures: 873
Total Retired Signatures: 1617
Total Compiled Signatures: 580    <- check this value
Total Signatures with invalid parameters: 7
Total Obsoleted Signatures: 11
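The per-engine counters in show ip ips signatures count let you check the relationship that matters for the memory issues discussed later in the deck: per engine, total minus retired is the number of signatures IOS IPS tried to compile, and it should equal compiled plus inactive (invalid params). The Python below is an added example, not part of the session material; it parses a constructed copy of the output (a third engine, service-http, is invented here to show a shortfall) and reports engines whose compiled count falls short, which is what a run of %IPS-4-SIGNATURE_COMPILE_FAILURE messages leaves behind. The identity itself is an assumption of this example, checked against the two engines and the totals on the slide.

```python
import re

# Constructed sample based on the slide's "show ip ips signatures count" excerpt.
# The service-http engine is invented here to show a compile shortfall.
SAMPLE_COUNT = """\
Signature Micro-Engine: multi-string: Total Signatures 8
 multi-string enabled signatures: 8
 multi-string retired signatures: 8
Signature Micro-Engine: service-msrpc: Total Signatures 27
 service-msrpc enabled signatures: 27
 service-msrpc retired signatures: 19
 service-msrpc compiled signatures: 1
 service-msrpc inactive signatures - invalid params: 7
Signature Micro-Engine: service-http: Total Signatures 100
 service-http enabled signatures: 90
 service-http retired signatures: 60
 service-http compiled signatures: 30
 service-http inactive signatures - invalid params: 2
Total Signatures: 2204
Total Enabled Signatures: 873
Total Retired Signatures: 1617
Total Compiled Signatures: 580
Total Signatures with invalid parameters: 7
Total Obsoleted Signatures: 11
"""

ENGINE_RE = re.compile(r"^Signature Micro-Engine: (\S+): Total Signatures (\d+)")
FIELD_RE = re.compile(r"^\s*(\S+) (enabled|retired|compiled) signatures: (\d+)")
INVALID_RE = re.compile(r"^\s*(\S+) inactive signatures - invalid params: (\d+)")
TOTAL_RE = re.compile(r"^Total (.+): (\d+)$")


def parse_signature_count(text):
    """Return (per-engine counters, global totals) from the show output."""
    engines, totals = {}, {}
    for line in text.splitlines():
        if (m := ENGINE_RE.match(line)):
            engines[m.group(1)] = {"total": int(m.group(2)), "enabled": 0,
                                   "retired": 0, "compiled": 0, "invalid": 0}
        elif (m := FIELD_RE.match(line)):
            engines[m.group(1)][m.group(2)] = int(m.group(3))
        elif (m := INVALID_RE.match(line)):
            engines[m.group(1)]["invalid"] = int(m.group(2))
        elif (m := TOTAL_RE.match(line)):
            totals[m.group(1)] = int(m.group(2))
    return engines, totals


def analyse_signature_count(text):
    """Per engine: unretired = total - retired is what IPS tries to compile; every
    one of those should end up either compiled or inactive (invalid params).
    A positive shortfall means compilation stopped early (assumption: memory)."""
    engines, totals = parse_signature_count(text)
    report = {}
    for name, c in engines.items():
        unretired = c["total"] - c["retired"]
        report[name] = {
            **c,
            "unretired": unretired,
            "scanning": c["compiled"],                  # only compiled signatures scan traffic
            "shortfall": unretired - c["compiled"] - c["invalid"],
        }
    global_shortfall = None
    if {"Signatures", "Retired Signatures", "Compiled Signatures",
            "Signatures with invalid parameters"} <= totals.keys():
        global_shortfall = (totals["Signatures"] - totals["Retired Signatures"]
                            - totals["Compiled Signatures"]
                            - totals["Signatures with invalid parameters"])
    return {
        "engines": report,
        "totals": totals,
        "shortfalls": [n for n, r in report.items() if r["shortfall"] > 0],
        "global_shortfall": global_shortfall,
    }


if __name__ == "__main__":
    r = analyse_signature_count(SAMPLE_COUNT)
    for name, e in r["engines"].items():
        print(f"{name}: unretired {e['unretired']}, compiled {e['compiled']}, "
              f"invalid {e['invalid']}, shortfall {e['shortfall']}")
    print("engines with compile shortfall:", r["shortfalls"])
```

On the slide's own numbers the identity holds (service-msrpc: 27 - 19 = 8 = 1 + 7, and globally 2204 - 1617 = 587 = 580 + 7), so a non-zero shortfall is a signal worth correlating with the CHUNKEXPANDFAIL and SIGNATURE_COMPILE_FAILURE messages in the log.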
Session 47506A34 (10.1.1.252:3959)=>(192.168.1.249:21) tcp SIS_OPEN
 Created 00:02:49, Last heard 00:02:44
 Bytes sent (initiator:responder) [25:95]
 sig cand list ID 14272
 sig cand list ID 14273
Router#sh ip sdee alerts
Alert storage: 200 alerts using 75200 bytes of memory
SDEE Alerts
   SigID   Sig Name                  SrcIP:SrcPort     DstIP:DstPort or Summary Info
1: 5114:1  WWW IIS Unicode Attack    10.1.1.252:4150   192.168.1.249:80
2: 5081:0  WWW WinNT cmd.exe Access  10.1.1.252:4150   192.168.1.249:80
Common Issues
Misunderstanding of terms used for signature status
Memory allocation errors when compiling signatures
Total number of signatures that can be compiled
Unretiring a signature instructs IOS IPS to compile the signature into memory and use the signature to scan traffic
You can use IOS command-line interface (CLI) or CCP to retire or unretire individual signatures or a signature category
Disabling a signature means that when triggered by a matching packet (or packet flow), the signature DOES NOT take the action associated with it.
In other words, when a signature is disabled, even though it is unretired and successfully compiled, it will not take the action associated with it.
You can use the IOS command-line interface (CLI) or CCP to enable or disable individual signatures or a signature category.
Enable/disable is NOT used to select/de-select signatures to be used by IOS IPS.
Compiling refers to the process where the parameter values from unretired signatures are compiled into a regular expression table.
This happens when signatures are unretired or when other parameters of signatures belonging to that regular expression table change. Once signatures are compiled, traffic is scanned against the compiled signatures.
-Process= "Exec", ipl= 0, pid= 3,
-Traceback= 0x4164F41C 0x400AEF1C 0x400B4D58 0x400B52C4 0x400C102C 0x400C0820 0x400C23EC 0x400C0484 0x424C1DEC 0x424C2A4C 0x424C2FF0 0x424C31A0 0x430D6ECC 0x430D7864 0x430F0210 0x430FA0E8
*Mar 18 07:09:36.911: %SYS-2-CHUNKEXPANDFAIL: Could not expand chunk pool for regex. No memory available
-Process= "Chunk Manager", ipl= 3, pid= 1,
-Traceback= 0x4164F41C 0x400C06FC
*Mar 18 07:09:37.115: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 12024:0 - compilation of regular expression failed
*Mar 18 07:09:41.535: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5280:0 - compilation of regular expression failed
*Mar 18 07:09:44.955: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5284:0 - compilation of regular expression failed
*Mar 18 07:09:44.979: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 12023:0 - compiles discontinued for this engine
When the router's free memory drops below 10% of the total installed memory, stop unretiring signatures.
Retire signatures not supported by IOS IPS and signatures not applicable to your network to save memory
Configuration Steps
Follow the steps in the following order for initial Cisco IOS IPS configuration:
Step 1: Download the IOS IPS signature package to a PC
Step 2: Create the IOS IPS configuration directory
Step 3: Configure the IOS IPS crypto key
Step 4: Create the IOS IPS policy and apply it to interface(s)
Remember to FIRST retire the all category
Case A: Issue: IOS IPS policy is applied in the wrong direction/on the wrong interface (incorrect configuration)
[Figure: branch office (Cisco 18xx; FE0/0 toward the Internet and the IPsec tunnel, FE0/1 toward branch office PCs/laptops) and head office (Cisco 28xx; web clusters, application servers, head office PCs); worms arrive with the Internet traffic. On interface FastEthernet0/0: ip ips ips-policy out, i.e. the policy is applied in the wrong direction]
Case A: Solution
[Figure: same topology; on interface FastEthernet0/0: ip ips ips-policy in, i.e. the policy is applied in the right direction]
Case B: Issue: IOS IPS policy is applied in the wrong direction/on the wrong interface (incorrect configuration)
[Figure: same branch and head office topology with a DMZ at the head office; attacks are shown between Inside and Outside. The policy is on interface FastEthernet0/1 (branch office PCs/laptops)]
Case B: Solution
[Figure: on interface FastEthernet0/1: ip ips ips-policy in, i.e. the policy is applied in the right direction]
Use show ip ips signatures statistics | i <sig id> to see signature hits
Run debugs: debug ip ips <engine name>
IPS Summary
BENEFIT
Memory-efficient traffic scanning for attack signatures, consuming up to 40% less memory on the router.
More comprehensive and effective attack coverage by default.
Much quicker inclusion of the most relevant new threat signatures within the default set (category).
Capability to load more signatures simultaneously and provide protection for a larger number of threats and vulnerabilities.
Avoid large amounts of router memory being consumed by IPS signature tables. Prevent the IPS feature from consuming all the free memory available and causing performance and other operational problems.
Use the Getting Started Guide as a reference to check that IOS IPS is configured properly.
The recommendation is to use the pre-defined IOS IPS Basic or Advanced signature category and tune the signature set based on your network applications.
Cisco IOS IPS show commands and SDEE are the most essential components for troubleshooting.
Q&A
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
1. Define the security policy
[Figure: router with e0 (inside) and s0 (outside)]
  ACL to deny inbound connections
  ACL to allow only SMTP, FTP, and HTTP from inside to outside
  Inspection for necessary protocols
  Inspection rule and ACL both applied inbound on the ethernet 0 interface
Connection states
SIS_OPENING: SYN has been received but the three-way handshake is not complete
SIS_OPEN: the three-way handshake is complete
SIS_CLOSING: FIN has been received but the entire closing sequence has not been achieved
SIS_CLOSE: FIN and FIN-ACK have been received from both sides
[Figure: inside client to outside server; open: (1) SYN, (2) SYN+ACK, (3) ACK; close: (1) FIN, (2) FIN+ACK, (3) ACK]
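As an added example, not from the session, the Python below models the CBAC connection states above as a small state machine and feeds it a constructed segment trace: a stray ACK before any session exists, the three-way handshake, data, a SYN inside the established session, and an orderly close followed by a late segment. The verdict strings correspond to the segment-matching failures listed in the CBAC section earlier (no TCP connection, SYN inside current window, stray segment); the exact transition rules are this example's simplification of the slide's four states, not Cisco's implementation.

```python
# TCP flag bits
SYN, ACK, FIN = 0x02, 0x10, 0x01


class CbacTcpSession:
    """Tracks one TCP connection through the CBAC states named on the slide."""

    def __init__(self):
        self.state = None        # no session entry exists yet
        self._step = 0           # three-way handshake progress
        self._fin_from = set()   # sides that have sent FIN

    def segment(self, side, flags):
        """Feed one segment from 'initiator' or 'responder'; return (state, verdict)."""
        if self.state is None:
            # only an initiator SYN creates a session entry
            if side == "initiator" and flags & SYN and not flags & ACK:
                self.state, self._step = "SIS_OPENING", 1
                return self.state, "accept"
            return self.state, "drop: no TCP connection"

        if self.state == "SIS_OPENING":
            if self._step == 1 and side == "responder" and flags & SYN and flags & ACK:
                self._step = 2
                return self.state, "accept"
            if self._step == 2 and side == "initiator" and flags & ACK and not flags & SYN:
                self.state = "SIS_OPEN"        # handshake complete
                return self.state, "accept"
            return self.state, "drop: handshake out of sequence"

        if self.state == "SIS_OPEN":
            if flags & SYN:
                return self.state, "drop: SYN inside established session"
            if flags & FIN:
                self._fin_from.add(side)
                self.state = "SIS_CLOSING"     # first FIN seen, closing not complete
            return self.state, "accept"

        if self.state == "SIS_CLOSING":
            if flags & FIN:
                self._fin_from.add(side)       # second FIN (or a retransmitted one)
                return self.state, "accept"
            if flags & ACK and len(self._fin_from) == 2:
                self.state = "SIS_CLOSE"       # both FINs seen and the final ACK arrived
                return self.state, "accept"
            if flags & ACK:
                return self.state, "accept"    # ACK of the first FIN, still half-closed
            return self.state, "drop: stray segment"

        return self.state, "drop: stray segment on closed session"


def run_trace(trace):
    """Run a list of (side, flags) segments through one session; return per-segment results."""
    session = CbacTcpSession()
    return [session.segment(side, flags) for side, flags in trace]


# Constructed trace: stray ACK, handshake, data, SYN inside the open session,
# orderly close, then a segment after the close.
SAMPLE_TRACE = [
    ("responder", ACK), ("initiator", SYN), ("responder", SYN | ACK), ("initiator", ACK),
    ("initiator", ACK), ("responder", SYN), ("initiator", FIN | ACK), ("responder", FIN | ACK),
    ("initiator", ACK), ("responder", ACK),
]

if __name__ == "__main__":
    for (side, flags), (state, verdict) in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{side:9s} flags=0x{flags:02x} -> {state} ({verdict})")
```

The states it reports are the ones show ip inspect session prints for a session, which is how the session output earlier in the deck (SIS_OPEN) is read.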
[Figure: public network on s0 toward the Internet]
Inbound inspection and ACL are both applied on the outside interface, and return traffic gets dropped by ACL 101.
Resolution: Apply inspection outbound on the Internet-facing interface (while the ACL is applied inbound).
As of the 12.3(8)T release
IOS FW takes advantage of virtual fragmentation reassembly (VFR). VFR provides a mechanism to buffer incoming IP fragments for re-ordering and virtual reassembly. This enables IOS FW to manage sessions that include fragmented packets. It should be enabled on both the public and the private interface.
Router(config-if)# ip virtual-reassembly
ip inspect max-incomplete low value (default 400)
ip inspect one-minute high value (default 500)
ip inspect one-minute low value (default 400)
ip inspect tcp max-incomplete host value (default 50) [block-time minutes]
"ip inspect ... http" adds the capability to inspect returned content for Java applets, hence a substantial performance hit.
Solution:
If the Java applet filter is NOT required, turn off http inspection. Otherwise, create a java-list to bypass inspection for the known trusted sites.
ip inspect name IOSFirewall http java-list 20
ip inspect name IOSFirewall smtp
ip inspect name IOSFirewall dns
access-list 20 permit 10.1.1.0 0.0.0.255
Solution:
Set the UDP timeout to 30 seconds (default) and the DNS timeout to 5 seconds (default) unless otherwise required.
Router(config)#ip inspect dns-timeout 5
Configuring DNS in the firewall policy results in performance degradation (bug ID CSCse35588). This was fixed in 12.4(11)T.
Troubleshooting Steps:
Use show ip inspect session, and check the state of the data connection
Analyze syslog messages
Resolution:
Every multi-channel protocol needs to be inspected
IPS requires packets to arrive in order to perform signature scanning, thus it drops out-of-order packets; this is one of the reasons for slow response and longer latency in network traffic.
IOS IPS supports out-of-order packets starting from 12.4(9)T2 and later 12.4T releases. Not fixed in 12.4 mainline releases.
The out-of-order fix also applies to the application firewall.
The out-of-order fix DOES NOT work when the IOS IPS interface is included in a Zone-Based FW zone.
The out-of-order fix works between IOS IPS and Classic IOS FW (ip inspect).
If using a release that does not have the fix, the workaround is to use an ACL to bypass IOS IPS inspection for the traffic flow in question:
router(config)#access-list 120 deny ip any host 199.200.9.1
router(config)#access-list 120 deny ip host 199.200.9.1 any
router(config)#access-list 120 permit ip any any
router(config)#ip ips name myips list 120
In the example, ACL 120 denies traffic to and from 199.200.9.1, which removes that traffic from IPS scanning; the network traffic between the two sites does not experience slow response.
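To see which flows the ip ips name myips list 120 bypass actually exempts, the Python below (an added example, not from the session) parses a constructed copy of ACL 120, extended with one wildcard-mask entry to show that form, and evaluates flows against it with IOS's first-match semantics and implicit deny at the end. Traffic the ACL denies is not scanned; traffic it permits is. Port qualifiers and non-contiguous wildcard masks are not supported, which is a simplification of this example.

```python
import ipaddress

# Constructed copy of the slide's ACL 120, plus one wildcard-mask entry (invented
# here) so the address-plus-wildcard form is exercised too.
ACL_TEXT = """\
access-list 120 deny ip any host 199.200.9.1
access-list 120 deny ip host 199.200.9.1 any
access-list 120 deny udp 10.10.0.0 0.0.255.255 any
access-list 120 permit ip any any
"""


def _parse_addr(tokens, i):
    """Parse an IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns (ip_network, index of the next unparsed token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    # only contiguous wildcards (a run of low-order 1 bits) map onto a prefix length
    if wildcard != (1 << wildcard.bit_length()) - 1:
        raise ValueError("non-contiguous wildcard not supported: " + tokens[i + 1])
    prefixlen = 32 - wildcard.bit_length()
    return ipaddress.ip_network((addr, prefixlen), strict=False), i + 2


def parse_acl(text):
    """Return [(action, protocol, src_net, dst_net), ...] in configured order.
    Anything after the destination (port qualifiers, log) is ignored here."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        entries.append((action, proto, src, dst))
    return entries


def acl_match(entries, proto, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in entries:
        # an 'ip' entry matches every protocol; otherwise the protocol must match
        if p in ("ip", proto) and s in snet and d in dnet:
            return action
    return "deny"


def ips_scans(entries, proto, src, dst):
    """With 'ip ips name <rule> list <acl>', only traffic the ACL permits is
    scanned by IOS IPS; denied traffic bypasses the inspection."""
    return acl_match(entries, proto, src, dst) == "permit"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for proto, src, dst in [("tcp", "10.0.0.5", "199.200.9.1"),
                            ("tcp", "199.200.9.1", "10.0.0.5"),
                            ("udp", "10.10.5.5", "8.8.8.8"),
                            ("tcp", "10.0.0.5", "8.8.8.8")]:
        print(f"{proto} {src} -> {dst}: scanned={ips_scans(acl, proto, src, dst)}")
```

Note the trap the permit any any line guards against: an ACL that only contains deny entries ends in the implicit deny, so nothing would be scanned at all.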
Classic IOS Firewall vs. Zone-Based Policy Firewall
  Classic: firewall policies are configured combined with an ACL policy; policy correlation is difficult
  Zone-Based: firewall policy = inspection policy on traffic moving between zones; policy correlation is simple, and therefore easier to troubleshoot; more granular inspection policy
Conceptual Difference Between Cisco IOS Classic and Zone-Based Firewalls: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.html
Zone-Based Policy Firewall is supported since 12.4(6)T
R1:
crypto isakmp key p address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set e esp-des
!
crypto map blah 1 ipsec-isakmp
 set peer 10.2.3.3
 set transform-set e
 match address 101
!
interface Ethernet1/0
 ip address 10.2.1.1 255.255.255.0
 crypto map blah
!
access-list 101 permit ip host 10.2.1.1 host 10.2.3.3