Cisco IOS Threat Defense Features

2006 Cisco Systems, Inc. All rights reserved.

BCMSN v3.02-1

6.1 Introducing the Cisco IOS Firewall


6.1.1 Layered Defense Strategy
A security zone is an administratively separate domain to or from which
a firewall can filter incoming or outgoing traffic.
The most notable security zones are the inside and outside networks.
To provide a layered defense, security designers developed the concept
of the screened subnet, often called the Demilitarized Zone (DMZ).
Another type of filtering device is a proxy server, also known as an
application layer gateway (ALG).
An ALG establishes two application sessions: one with the client and
the other with the application server. The ALG acts as a server to the
client and as a client to the server and provides security by sanitizing
the data flow.


6.1.2 Private VLAN


Most DMZ implementations use a common segment for all servers, so every
server can reach every other server directly.
Cisco's private VLAN implementation helps solve this problem.
It allows you to isolate devices on the same segment to prevent connectivity
between them.
Within a private VLAN, you can create communities to allow
connection between some devices while preventing them from
communicating with others.
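As an added example (not part of the course slides), the following Catalyst switch configuration shows the private VLAN concept just described: one promiscuous uplink to the firewall, an isolated web server, and two application servers in a community. The VLAN numbers, port names, server roles and descriptions are assumptions chosen for illustration.

```cisco
! Added example: private VLANs isolating DMZ servers (VLAN IDs, ports and
! server roles are assumed, not taken from the course material).
!
! Private VLANs are configured locally; the switch must not be a VTP
! client/server in VTP versions 1 and 2.
vtp mode transparent
!
! Secondary VLANs: an isolated VLAN (hosts cannot reach each other at all)
! and a community VLAN (hosts reach only each other and the promiscuous port).
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
!
! Primary VLAN carries the DMZ subnet and is associated with both secondaries.
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Uplink to the firewall's DMZ interface: promiscuous, so it can reach
! every host in every secondary VLAN.
interface GigabitEthernet0/1
 description Firewall DMZ interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Public web server: isolated, reachable only via the promiscuous port,
! so a compromise of this host cannot be used to reach its neighbours.
interface GigabitEthernet0/2
 description Web server (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Two application servers that must talk to each other: a community.
interface GigabitEthernet0/3
 description App server 1 (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
interface GigabitEthernet0/4
 description App server 2 (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Verification commands:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/2 switchport
```

All four servers still share one IP subnet and one default gateway (the firewall on the promiscuous port), so the segmentation is enforced at Layer 2 and is independent of any host firewall settings on the servers themselves.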


6.1.3 Firewall Technologies


Firewall operations are based on one of these technologies:
Packet filtering: Layer 3 devices usually use packet filtering to statically
define access control lists (ACLs) that determine which traffic to permit or
deny.
ALGs: ALGs work at the application layer. An ALG is a special piece of
software that is designed to relay application-layer requests and responses
between endpoints.
Stateful packet filtering: Stateful packet filtering is an application-aware
method of packet filtering that works on the connection, or flow, level.
Stateful packet filtering maintains a state table to keep track of all active
sessions that cross the firewall. A state table, which is part of the internal
structure of the firewall, tracks all sessions and inspects all packets that pass
through the firewall.


6.1.5 Introducing the Cisco IOS Firewall Feature Set

The Cisco IOS Firewall Feature Set is a security-specific option for Cisco IOS
software that is available in select security Cisco IOS images.
The Cisco IOS Firewall Feature Set integrates robust firewall functionality,
authentication proxy, and intrusion prevention for every network perimeter and
enriches existing Cisco IOS security capabilities.
The feature set adds more flexibility to existing Cisco IOS security solutions,
such as authentication, encryption, and failover, by delivering application-based
filtering, dynamic per-user authentication and authorization, defense against
network attacks, Java blocking, and real-time alerts.
When combined with Cisco IOS IPsec software and other Cisco IOS software-based
technologies, such as Layer 2 Tunneling Protocol (L2TP) and quality of
service (QoS), the Cisco IOS Firewall provides a complete, integrated virtual
private network (VPN) solution.


Cisco IOS Firewall TCP Handling


Cisco IOS Firewall UDP Handling


These steps occur when a packet arrives at the Cisco IOS Firewall:
Step 1
A packet traveling through the inside interface triggers an inspection rule, and an
entry is logged in the connection state table.
Step 2
The Cisco IOS Firewall opens a dynamic ACL entry that permits the return traffic through
the outside interface inbound ACL.
Step 3
The Cisco IOS Firewall filter engine keeps inspecting the incoming traffic from the outside to
permit the proper return traffic and blocks application attacks or misuses.
Step 4
When the session terminates, the Cisco IOS Firewall filter engine removes the dynamic
information from the connection state table and removes the dynamic ACL entry.


Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks:
The total number of half-open TCP sessions
The number of half-open sessions in a time interval
The number of half-open TCP sessions per host

If a threshold for the number of half-open TCP sessions is exceeded,
the firewall engine has two options:
The engine can send a reset message to the endpoints of the oldest half-open
session, making resources available to service newly arriving SYN packets.
The engine can block all SYN packets temporarily for the block time configured
with the threshold. When the router blocks a SYN packet, the TCP three-way
handshake is never initiated, which prevents the router from using memory and
processing resources that valid connections need.


6.1.9 Alerts and Audit Trails


Cisco IOS Firewall generates real-time alerts and audit trails
based on events that are tracked by the firewall engine.
Enhanced audit trail features use syslog to track all network
transactions.
The audit trail records time stamps, source host, destination
host, ports that are used, and the total number of transmitted
bytes for advanced, session-based reporting.
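The following configuration is an added example, not taken from the course slides, that puts the pieces of this section together on a router: a stateful inspection rule (Context-Based Access Control, CBAC), the three half-open TCP thresholds from the previous slide, and the syslog audit trail described here. The interface names, addresses, the rule name FW_OUT, the syslog host and every threshold value are assumptions; the command names themselves are the standard Cisco IOS Firewall commands.

```cisco
! Added example: Cisco IOS Firewall (CBAC) with DoS thresholds and audit trail.
! Interfaces, addresses, names and numeric values are assumed for illustration.
!
! Send alerts and the session audit trail to a syslog collector.
logging host 10.1.1.50
logging trap informational
ip inspect audit-trail
!
! Threshold 1: total number of half-open TCP sessions. Above the high mark
! the engine resets the oldest half-open sessions until the count falls back
! to the low mark.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!
! Threshold 2: new half-open sessions per one-minute interval.
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Threshold 3: half-open TCP sessions per (destination) host. block-time 0
! means "reset the oldest half-open session to that host"; a non-zero value
! blocks all new SYNs to that host for that many minutes instead.
ip inspect tcp max-incomplete host 50 block-time 0
!
! Inspection rule: which outbound sessions may open dynamic return entries.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT http java-list 51
!
! Java applets are permitted only from this trusted site (assumed address).
access-list 51 permit 198.51.100.10
!
! Inbound ACL on the outside interface: deny everything by default. CBAC
! inserts the temporary permit entries for return traffic ahead of these lines
! and removes them when the session ends (steps 2 and 4 above).
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip any any log
!
interface FastEthernet0/0
 description Inside
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW_OUT in
!
interface Serial0/0
 description Outside
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
!
! Verification:
!   show ip inspect config
!   show ip inspect sessions
```

With this in place the audit trail appears as %FW-6-SESS_AUDIT_TRAIL syslog messages carrying the initiator and responder addresses, ports and byte counts for each completed session, which is the session-based record the slide refers to; the thresholds only influence half-open (SYN-sent, not yet established) TCP entries in the state table and do not touch established sessions.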


6.2 Configuring Cisco IOS Firewall from the CLI


6.2.1 Configuration Tasks


6.2.7 Verifying Cisco IOS Firewall


6.2.8 Troubleshooting Cisco IOS Firewall


6.4 Introducing Cisco IOS IPS


6.4.1 Introducing Cisco IOS IDS and IPS
Intrusion Detection System
The intrusion detection system (IDS) is a software- or hardware-based
solution that passively listens to network traffic. The IDS is not in the
traffic path, but listens promiscuously to all traffic on the network.
When the IDS detects malicious traffic, the IDS sends an alert to the
management station.
When configured, the IDS can block further malicious traffic by actively
configuring network devices in response to malicious traffic detection.
However, the original malicious traffic has already passed through the
network to the intended destination and cannot be blocked. Only
subsequent traffic will be blocked. The IDS also has the capability of
sending a TCP reset to the end host to terminate any malicious TCP
connections.


Intrusion Prevention System


An intrusion prevention system (IPS) is an active device in the traffic path that
listens to network traffic and permits or denies flows and packets into the
network. All traffic passes through an IPS for inspection.
When the IPS detects malicious traffic, the IPS sends an alert to the
management station and can be configured to block the malicious traffic
immediately. IPS proactively prevents attacks by blocking the original and
subsequent malicious traffic.
Because network attack mechanisms are becoming more sophisticated, this
proactive approach is required to protect against network viruses, worms,
malicious applications, and vulnerability exploits.


Cisco IOS IPS combines existing Cisco IDS and IPS product features
with three different intrusion detection techniques:
Profile-based intrusion detection: Profile-based intrusion detection
generates an alarm when activity on the network goes outside a defined
profile. A profile could be created to monitor web traffic.
Signature-based intrusion detection: A signature is a set of rules
pertaining to typical intrusion activity. Cisco IOS IPS implements
signatures that can look at every packet going through the network and
generate alarms when necessary.
Protocol analysis-based intrusion detection: Protocol analysis-based
intrusion detection is similar to signature-based intrusion detection, but it
performs a more in-depth analysis of the protocols specified in the
packets. A deeper analysis examines the payloads within TCP and UDP
packets, which contain other protocols. For example, a protocol such as
Domain Name System (DNS) is contained within TCP or UDP, which itself
is contained within IP.

6.4.2 Types of IDS and IPS Systems


There are two possible deployment options for IDS
and IPS solutions:
Network-based
Host-based


6.5 Configuring Cisco IOS IPS


6.5.1 Cisco IOS IPS Signature Definition Files (SDF)
Cisco IOS IPS offers configuration flexibility by providing these two
functions:
The administrator can load the built-in signature database (available
in the Cisco IOS image itself), load a specific signature definition file
(SDF), or even merge different databases to extend the protection
scope.
Individual signatures can be disabled or tuned in case of false
positives.
Downloading Signatures from Cisco.com
Multiple definition sources are available, such as the default, built-in
signatures that are shipped with the routers, or the SDF files named
64MB.sdf, 128MB.sdf, and 256MB.sdf. The files differ in the number of
configured signatures.


6.5.2 Cisco IOS IPS Alarms

You can configure IPS to choose the appropriate response to various threats:
Send an alarm to a syslog server or a centralized management interface.
This action is typically combined with other preventive actions.
Drop the packet. This action is effective for all IP protocols and does not
affect any legitimate user if the source IP address was spoofed.
Reset the connection. This action works only for TCP sessions.
Block traffic from the source IP address of the attacker for a specified
amount of time. This action imposes a penalty on the attacker IP address.


6.5.3 Configuring Cisco IOS IPS


There are four basic configuration steps:
Specify the SDF to load the signatures from.
Configure a failure parameter that defines whether to block or forward traffic if
signature microengines (SMEs) are not operational.
Create an IPS rule and, optionally, combine the rule with an access control list
(ACL) for traffic filtering purposes.
Apply the IPS rule to an interface.

These are the enhanced configuration steps:
Merge two or more SDFs to increase the signature coverage.
Delete, disable, or filter individual signatures.
Reapply the IPS rule to an interface for the changes to take effect.


Configuring Cisco IOS IPS

The default command


Router(config)#ip ips sdf builtin
does not appear in this IPS configuration example because the configuration
specifies the default built-in SDF.

The command
Router(config)#ip ips fail closed
instructs the router to drop all traffic if any of the SMEs that should scan the data
are not available. This command has no other parameters.


The command
Router(config)#ip ips name SECURIPS list <access-list>
is used to create an IPS rule.


At the end of the script, the IPS rule is applied to a router interface:
Router(config-if)#ip ips SECURIPS in

IPS rules can be applied to an interface in either the inbound or
outbound direction.


Enhanced Cisco IOS IPS Configuration


In this enhanced Cisco IOS IPS configuration example, the first command,
Router#copy flash:attack-drop.sdf ips-sdf
merges the attack-drop.sdf file in flash with the built-in SDF that has been
loaded as a result of the basic configuration.
The
Router#copy ips-sdf flash:my-signatures.sdf
command copies the resulting merged SDF to flash so that the signature
database becomes usable after a router reload.


The
Router(config)#ip ips sdf location flash:my-signatures.sdf
configuration command specifies a new SDF location pointing to the merged
SDF file in flash.
The
Router(config)#ip ips signature 1107 0 disable
command deactivates the signature with ID 1107 and sub-signature ID 0.


The
Router(config)#ip ips signature 5037 0 delete
command marks the signature with ID 5037 and sub-signature ID 0 for deletion.
The signature will be removed when the signatures are reloaded or saved.
The
Router(config)#ip ips signature 6190 0 list 101
command filters the traffic prior to scanning by the signature with ID 6190 and
sub-signature ID 0.


Finally, the IPS rule needs to be reapplied to the interface for the
changes in the SDF to take effect. You can reapply the rule by unbinding
the IPS rule from the interface and assigning the rule to the interface
again using the
Router(config-if)#no ip ips SECURIPS in
and
Router(config-if)#ip ips SECURIPS in
commands in interface configuration mode.
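The basic and enhanced steps of this section are shown piecemeal across the slides; the following is an added example, not the course's own script, that assembles them into one working sequence in the order a router actually accepts them (EXEC-mode copies between the two configuration sessions, the rule re-bound at the end). The contents of access-list 101, the interface name and the syslog host are assumptions; the rule name SECURIPS, the SDF file names and the signature IDs are the ones used in the slides.

```cisco
! Added example: complete Cisco IOS IPS basic + enhanced configuration.
! access-list 101, FastEthernet0/0 and the syslog host are assumed values.
!
! --- Basic configuration ---
configure terminal
 ! Alarms go to syslog (ip ips sdf builtin is the default and is not typed).
 logging host 10.1.1.50
 ip ips notify log
 !
 ! Fail closed: drop all traffic if a signature microengine is not ready.
 ip ips fail closed
 !
 ! The ACL selects what the IPS engine scans: traffic it permits is
 ! inspected, traffic it denies bypasses the rule. Here only the inside
 ! subnet is scanned.
 access-list 101 permit ip 10.1.1.0 0.0.0.255 any
 ip ips name SECURIPS list 101
 !
 interface FastEthernet0/0
  ip ips SECURIPS in
 end
!
! --- Enhanced configuration ---
! Merge attack-drop.sdf from flash into the loaded built-in SDF, then save
! the merged result so it is still available after a reload.
copy flash:attack-drop.sdf ips-sdf
copy ips-sdf flash:my-signatures.sdf
!
configure terminal
 ip ips sdf location flash:my-signatures.sdf
 !
 ! Tuning: disable a signature that produces false positives, mark one for
 ! deletion, and pre-filter the traffic another one sees with an ACL.
 ip ips signature 1107 0 disable
 ip ips signature 5037 0 delete
 ip ips signature 6190 0 list 101
 !
 ! Re-bind the rule so the new SDF location and the tuning take effect.
 interface FastEthernet0/0
  no ip ips SECURIPS in
  ip ips SECURIPS in
 end
!
! Verification
show ip ips configuration
show ip ips signatures
```

Because the rule is applied with ip ips fail closed, the brief window in which the SDF is reloaded after re-binding will drop traffic on that interface; in a production change window that is the expected trade-off for not forwarding unscanned traffic, and the verification commands confirm that every SME has returned to a loaded state before the change is considered complete.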


Verifying IOS IPS Configuration


You can verify the Cisco IOS IPS configuration and parameters
by using the
Router#show ip ips configuration
EXEC command.
