- Traffic Filtering
CBAC does not provide intelligent filtering for all protocols; it only works for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists will determine how that protocol is filtered. No temporary openings will be created for protocols not specified for CBAC inspection.
ip inspect name INSPECT icmp
ip inspect name INSPECT dns
ip inspect name INSPECT http
ip inspect name INSPECT https
ip inspect name INSPECT ftp
interface FastEthernet2/0
ip address 172.20.1.2 255.255.255.0
ip access-group TRAFFIC-IN in
ip inspect INSPECT out
ip access-list extended TRAFFIC-IN
deny ip any any log
With inspection applied outbound on FastEthernet2/0, the temporary entries that CBAC creates for return traffic are evaluated ahead of the lines in TRAFFIC-IN, so a single deny ip any any log is enough to block and log unsolicited inbound traffic. Anything the router itself must receive on that interface that is not a reply to inspected traffic (routing protocol updates, for example) has to be permitted explicitly above the deny.
Verification:
R1#show ip inspect sessions
Established Sessions
Session 6696A4D4 (10.1.1.2:44279)=>(8.8.8.8:53) dns SIS_OPEN
Session 6696CE8C (10.1.1.2:8)=>(8.8.8.8:0) icmp SIS_OPEN
Session 669616FC (10.1.1.2:54196)=>(173.194.39.120:443) https SIS_OPEN
Session 6696AFF4 (10.1.1.2:34012)=>(173.194.39.145:443) https SIS_OPEN
Session 6696CBC4 (10.1.1.2:33813)=>(8.8.8.8:53) dns SIS_OPEN
Session 6696BDDC (10.1.1.2:59747)=>(8.8.8.8:53) dns SIS_OPEN
Session 6696C0A4 (10.1.1.2:53093)=>(192.168.223.129:21) ftp SIS_OPEN
Session 669696EC (10.1.1.2:37786)=>(8.8.8.8:53) dns SIS_OPEN
Session 6696A20C (10.1.1.2:50251)=>(8.8.8.8:53) dns SIS_OPEN
Session 6696BB14 (10.1.1.2:51174)=>(8.8.8.8:53) dns SIS_OPEN
Session 6696AD2C (10.1.1.2:48128)=>(109.100.26.54:80) http SIS_OPEN
By default, CBAC does not inspect traffic generated by the router itself, so replies to a ping or a telnet session originated on R1 get no temporary openings. The router-traffic keyword enables inspection of router-generated traffic for that protocol:
ip inspect name INSPECT icmp router-traffic
R1#show ip inspect sessions
Established Sessions
Session 6696AFF4 (172.20.1.2:8)=>(192.168.223.129:0) icmp SIS_OPEN
- Traffic inspection
A SYN-flood attack occurs when an attacker floods a server with connection requests (TCP SYNs) and never completes the handshake. The resulting volume of half-open connections can exhaust the server's connection table, causing it to deny service to valid requests. Attacks that deny access to a network device are called denial-of-service (DoS) attacks.
CBAC helps to protect against DoS attacks in several ways. It tracks the sequence numbers of all TCP packets in an inspected connection and drops packets whose sequence numbers fall outside the expected window. You can also configure CBAC to drop half-open connections, which consume firewall memory and processing to track. Additionally, CBAC can detect unusually high rates of new connections and issue alert messages.
Packets entering the firewall are inspected by CBAC only if they first pass the inbound access list on the input interface and the outbound access list on the output interface. A packet denied by an access list is simply dropped and never reaches CBAC.
When CBAC suspects an attack, the DoS feature can take several actions:
•Generate alert messages
•Protect system resources that could impede performance
•Block packets from suspected attackers
CBAC uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established.
CBAC provides three thresholds against DoS attacks:
•The total number of half-open TCP or UDP sessions (ip inspect max-incomplete low/high)
•The rate of new half-open sessions, sampled over one minute (ip inspect one-minute low/high)
•The number of half-open TCP-only sessions per destination host (ip inspect tcp max-incomplete host)
The first two are pairs of watermarks: when the high value is exceeded, CBAC enters aggressive mode and begins deleting half-open sessions, and it leaves aggressive mode once the count or rate has fallen below the low value.
If a threshold is exceeded, CBAC has two options:
•Send a reset to the endpoints of the oldest half-open session, making resources available to service newly arriving SYN packets.
•For the per-host TCP threshold, delete the half-open sessions to that host and block all new SYN packets to it for the configured block-time (with block-time 0 it instead resets the oldest half-open session to the host for each new SYN). When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which spares the memory and processing resources needed for valid connections.
ip inspect max-incomplete low 20
ip inspect max-incomplete high 30
ip inspect one-minute low 100
ip inspect one-minute high 120
ip inspect tcp max-incomplete host 10 block-time 5
Verification:
R1#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [100 : 120] connections
max-incomplete sessions thresholds are [20 : 30]
max-incomplete tcp connections per host is 10. Block-time 5 minutes.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name INSPECT
dns alert is on audit-trail is off timeout 30
http alert is on audit-trail is off timeout 3600
https alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
icmp alert is on audit-trail is off timeout 10
*Mar 14 16:58:46.322: %FW-4-ALERT_ON: getting aggressive, count (2/30) current 1-min rate: 11
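The threshold logic described above, as an added Python model (example code, not the post's configuration and not Cisco's implementation). It takes the values from the ip inspect max-incomplete, one-minute and tcp max-incomplete host commands above plus the 30 s synwait-time from the show output, and plays two constructed scenarios through them: a scan that opens half-open sessions to many hosts, and a SYN flood against a single host. The aggressive-mode behaviour (reset one oldest half-open session per new SYN until the count and rate are back under the low watermarks) and the block-time 0 handling are an approximation of the documented behaviour, not captured router output; the addresses are the ones used on this page.

```python
"""Model of CBAC half-open session thresholds (added illustration, not Cisco code).

Assumptions, labelled: time is in seconds; an unanswered SYN creates one half-open
entry; in aggressive mode the router resets one existing half-open session per new
SYN until count and rate are below the low watermarks; block-time 0 means "reset the
oldest half-open session to that host" instead of blocking. Defaults match the
configuration above and the tcp synwait-time shown by show ip inspect config.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Thresholds:
    max_incomplete_low: int = 20    # ip inspect max-incomplete low 20
    max_incomplete_high: int = 30   # ip inspect max-incomplete high 30
    one_minute_low: int = 100       # ip inspect one-minute low 100
    one_minute_high: int = 120      # ip inspect one-minute high 120
    host_max: int = 10              # ip inspect tcp max-incomplete host 10 ...
    block_time_min: int = 5         # ... block-time 5 (minutes)
    synwait: int = 30               # tcp synwait-time 30 sec (default)


class CbacModel:
    def __init__(self, th=None):
        self.th = th or Thresholds()
        self.half_open = deque()      # (src, dst, t) tuples, oldest first
        self.syn_times = deque()      # SYN timestamps inside the one-minute window
        self.blocked_until = {}       # dst host -> time until which its SYNs are dropped
        self.aggressive = False
        self.events = []              # what the router would log or do

    def _rate(self, t):
        while self.syn_times and self.syn_times[0] <= t - 60:
            self.syn_times.popleft()
        return len(self.syn_times)

    def _reset_oldest(self, t, dst=None):
        victim = next(s for s in self.half_open if dst is None or s[1] == dst)
        self.half_open.remove(victim)
        self.events.append(('RESET', victim[0], victim[1], t))

    def syn(self, src, dst, t):
        """A new TCP SYN toward dst at time t. Returns 'accept' or 'drop'."""
        if self.blocked_until.get(dst, 0) > t:
            return 'drop'                               # host still inside block-time
        per_host = sum(1 for s in self.half_open if s[1] == dst)
        if per_host >= self.th.host_max:
            if self.th.block_time_min > 0:
                # delete every half-open session to the host and block new SYNs to it
                self.half_open = deque(s for s in self.half_open if s[1] != dst)
                self.blocked_until[dst] = t + 60 * self.th.block_time_min
                self.events.append(('HOST_BLOCK', dst, t))
                return 'drop'
            self._reset_oldest(t, dst)                  # block-time 0 behaviour
        self.half_open.append((src, dst, t))
        self.syn_times.append(t)
        self._global_check(t)
        return 'accept'

    def established(self, src, dst):
        """Handshake completed: the session leaves the half-open table."""
        for s in self.half_open:
            if s[0] == src and s[1] == dst:
                self.half_open.remove(s)
                return True
        return False

    def expire(self, t):
        """Age out half-open sessions older than tcp synwait-time; returns how many."""
        before = len(self.half_open)
        self.half_open = deque(s for s in self.half_open if t - s[2] < self.th.synwait)
        return before - len(self.half_open)

    def _global_check(self, t):
        n, rate = len(self.half_open), self._rate(t)
        if not self.aggressive and (n > self.th.max_incomplete_high or rate > self.th.one_minute_high):
            self.aggressive = True                      # %FW-4-ALERT_ON "getting aggressive"
            self.events.append(('ALERT_ON', n, rate, t))
        if self.aggressive:
            self._reset_oldest(t)
            if len(self.half_open) < self.th.max_incomplete_low and rate < self.th.one_minute_low:
                self.aggressive = False                 # %FW-4-ALERT_OFF "calming down"
                self.events.append(('ALERT_OFF', len(self.half_open), t))


def scan_scenario():
    """Constructed: one host opens 40 half-open sessions to 40 different hosts, one per second."""
    m = CbacModel()
    verdicts = [m.syn('10.1.1.2', f'172.20.1.{i}', float(i)) for i in range(1, 41)]
    return m, verdicts


def flood_scenario():
    """Constructed: 40 SYNs from 40 spoofed sources to a single host, one per second."""
    m = CbacModel()
    verdicts = [m.syn(f'10.1.1.{i}', '192.168.223.129', float(i)) for i in range(1, 41)]
    return m, verdicts


if __name__ == '__main__':
    for name, (m, v) in (('scan', scan_scenario()), ('flood', flood_scenario())):
        print(name, v.count('accept'), 'accepted,', v.count('drop'), 'dropped;',
              len(m.half_open), 'half-open; first events:', m.events[:2])
```

In the scan, all 40 SYNs are accepted but the 31st pushes the table past the high watermark of 30, so the model raises ALERT_ON and from then on resets the oldest half-open session for every new SYN; the count only drops below the low watermark of 20 once sessions complete or age out. In the flood, the 11th SYN to the same host trips the per-host limit of 10: the model deletes that host's half-open sessions and drops every further SYN to it for five minutes, which is exactly the resource-saving effect the block-time option is meant to have.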
- Alerts and Audit Trails
CBAC also generates real-time alerts and audit trails. Audit trail features use syslog to track every inspected session, recording time stamps, source host, destination host, ports used and the number of bytes transmitted in each direction, which allows session-based reporting. Real-time alerts send syslog messages to central management consoles when suspicious activity is detected. Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application-protocol basis: for example, to generate audit trail information for HTTP traffic, specify it in the CBAC rule covering HTTP inspection.
Alerts and audit trails can be switched on or off globally (ip inspect alert-off, ip inspect audit-trail) and then overridden per protocol inside the inspection rule. Here alerts are disabled globally but kept on for ICMP, and the audit trail is disabled globally but enabled for a generic TCP rule:
ip inspect alert-off
ip inspect name INSPECT icmp alert on
no ip inspect audit-trail
ip inspect name INSPECT tcp audit-trail on
Verification:
R1#show ip inspect config
Session audit trail is disabled
Session alert is disabled
one-minute (sampling period) thresholds are [5 : 10] connections
max-incomplete sessions thresholds are [20 : 30]
max-incomplete tcp connections per host is 10. Block-time 5 minutes.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name INSPECT
dns alert is off audit-trail is off timeout 30
http alert is off audit-trail is off timeout 3600
https alert is off audit-trail is off timeout 3600
ftp alert is off audit-trail is off timeout 3600
icmp alert is on audit-trail is off timeout 10
tcp alert is off audit-trail is on timeout 3600
*Mar 14 17:07:19.650: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.1.1.2:33675) -- responder (172.20.1.1:23)
*Mar 14 17:08:08.390: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.2:33675) sent 67 bytes -- responder (172.20.1.1:23) sent 117 bytes
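The two audit-trail messages above are all a collector gets per session, so a practitioner usually wants them paired back into session records. The following Python is an added example (not part of the original post, not Cisco code): it parses the %FW-6-SESS_AUDIT_TRAIL_START and %FW-6-SESS_AUDIT_TRAIL formats shown above, pairs them by protocol and 5-tuple, computes duration and bytes per direction, keeps a STOP that has no matching START, and ignores unrelated lines such as the %FW-4-ALERT_ON message. The sample input reuses the two lines from the page and adds constructed ones; the IOS timestamp carries no year, so only differences between timestamps are used.

```python
"""Reconstruct CBAC sessions from %FW-6-SESS_AUDIT_TRAIL syslog lines.

Added example, not from the original post or from Cisco. The two message formats
are taken from the lines shown above; IOS timestamps have no year, so only
differences between timestamps are meaningful here.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

START_RE = re.compile(
    r'\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): '
    r'%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\w+) session: '
    r'initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) -- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)')
STOP_RE = re.compile(
    r'\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): '
    r'%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\w+) session: '
    r'initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) sent (?P<sbytes>\d+) bytes -- '
    r'responder \((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<rbytes>\d+) bytes')


@dataclass
class Session:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    start: Optional[datetime] = None
    stop: Optional[datetime] = None
    sent: int = 0          # bytes sent by the initiator
    received: int = 0      # bytes sent by the responder

    @property
    def duration(self):
        """Seconds between start and stop, or None if either half of the pair is missing."""
        if self.start is None or self.stop is None:
            return None
        return (self.stop - self.start).total_seconds()


def _ts(text):
    # IOS prints no year; strptime fills in 1900, which is fine for differences
    return datetime.strptime(' '.join(text.split()), '%b %d %H:%M:%S.%f')


def _key(m):
    return (m['proto'], m['src'], int(m['sport']), m['dst'], int(m['dport']))


def parse_audit_trail(lines):
    """Pair START/STOP messages; return (closed sessions, sessions still open)."""
    open_sessions, closed = {}, []
    for line in lines:
        m = START_RE.search(line)
        if m:
            open_sessions[_key(m)] = Session(*_key(m), start=_ts(m['ts']))
            continue
        m = STOP_RE.search(line)
        if m:
            # A STOP without a START means the trail was enabled mid-session
            # (or the log was truncated); keep it, with no start time.
            s = open_sessions.pop(_key(m), None) or Session(*_key(m))
            s.stop, s.sent, s.received = _ts(m['ts']), int(m['sbytes']), int(m['rbytes'])
            closed.append(s)
        # anything else (e.g. %FW-4-ALERT_ON) is ignored
    return closed, list(open_sessions.values())


def bytes_by_responder(sessions):
    """Total (initiator bytes, responder bytes) per responder address:port."""
    totals = {}
    for s in sessions:
        a, b = totals.get((s.dst, s.dport), (0, 0))
        totals[(s.dst, s.dport)] = (a + s.sent, b + s.received)
    return totals


SAMPLE_LINES = [
    # first two lines as shown on the page (the telnet session); the rest are constructed
    '*Mar 14 17:07:19.650: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.1.1.2:33675) -- responder (172.20.1.1:23)',
    '*Mar 14 17:08:08.390: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.2:33675) sent 67 bytes -- responder (172.20.1.1:23) sent 117 bytes',
    '*Mar 14 17:09:01.100: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.1.1.2:40111) -- responder (192.168.223.129:65000)',
    '*Mar 14 17:09:10.250: %FW-4-ALERT_ON: getting aggressive, count (2/30) current 1-min rate: 11',
    '*Mar 14 17:09:30.100: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.2:40111) sent 210 bytes -- responder (192.168.223.129:65000) sent 980 bytes',
    '*Mar 14 17:10:05.000: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.1.1.2:40112) -- responder (172.20.1.1:22)',
]

if __name__ == '__main__':
    closed, still_open = parse_audit_trail(SAMPLE_LINES)
    for s in closed:
        print(f'{s.proto} {s.src}:{s.sport} -> {s.dst}:{s.dport} {s.duration}s '
              f'{s.sent}B out / {s.received}B in')
    print('still open:', [(s.dst, s.dport) for s in still_open])
```

For the telnet session from the page this yields a duration of 48.74 s with 67 bytes sent and 117 received; the constructed session to port 22 has a START but no STOP and is reported as still open, which is the case to watch for when the audit trail is used to account for sessions that never closed cleanly.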
- Manual Port Mappings
Port-to-application mapping (PAM) tells CBAC which application is running on a non-standard port, so that an inspection rule can be written for it. User-defined application names must start with user-; here TCP port 65000 is mapped to a custom application, which the rule then inspects as generic TCP:
ip port-map user-custom port tcp 65000 description CUSTOM_APPLICATION
ip inspect name INSPECT user-custom