Posts from ‘IOS Firewall’
INE is proud to announce the upcoming release of our new CCIE Security Advanced Technologies Class and CCIE Security 5-Day Bootcamp. The 5-Day Bootcamp will be available in streaming and download format starting this weekend, followed shortly by the Advanced Technologies class. Both of these video series are included with the All Access Pass subscriptions, or can be purchased as standalone downloads. Samples of both classes are available below.
Hello to all our faithful blog readers, I hope this post finds you very well and enjoying your studies!
Access list tasks are a common CCIE Lab Exam feature, and I wanted to take a moment to show how easy it can be for a candidate to miss one thing or many things in such a task.
Here is the task topology and the task itself. Following that, we have the proposed solution by a Mock Student.
Can you find the errors in his or her ways?
8.1 Configure a security filter on R3 that will accomplish the following for traffic entering the router from the direction of R2:
- Allow Telnet from R2 (S0/1) to R1 (Lo1)
- Allow BGP traffic through the router
- Allow ICMP ping traffic between R1 (Lo1) and R2 (Lo1)
- Block any traffic sourced from RFC 1918 addresses – log these violations and include Layer 2 address information
The Proposed Solution
access-list 100 permit tcp host 18.104.22.168 eq telnet host 192.168.100.1 eq telnet
access-list 100 permit tcp any any eq bgp
access-list 100 permit icmp host 22.214.171.124 host 192.168.100.1
access-list 100 permit icmp host 192.168.100.1 host 126.96.36.199
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
ip access-group 100 in
NOTE: I have posted a solution to this blog in the comments. The solution post date is November 20th, 2008.
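As an added example (my own Python, not part of the original post or of the solution in its comments), here is a small evaluator for Cisco numbered extended ACLs. It parses the mock solution exactly as posted above, applies first-match semantics with the implicit deny at the end, and then exercises the flows the task calls for so you can see what the ACL actually does with each of them. The router addresses are copied from the posted solution; the BGP peer addresses 203.0.113.2 and 203.0.113.3, the ephemeral ports and the 172.31.0.1 source are constructed values for the checks.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The mock student's ACL, copied verbatim from the post.
ACL_TEXT = """
access-list 100 permit tcp host 18.104.22.168 eq telnet host 192.168.100.1 eq telnet
access-list 100 permit tcp any any eq bgp
access-list 100 permit icmp host 22.214.171.124 host 192.168.100.1
access-list 100 permit icmp host 192.168.100.1 host 126.96.36.199
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.0.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
"""

PORT_NAMES = {"telnet": 23, "bgp": 179}


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]         # None means any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: Optional[str]           # None, "log" or "log-input"


def wildcard_to_network(addr, wildcard):
    # Cisco wildcard bits set to 0 must match, so the subnet mask is the inverse.
    # Only contiguous wildcards are handled here.
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_endpoint(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) plus an optional 'eq PORT'."""
    if tokens[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    else:
        net, i = wildcard_to_network(tokens[i], tokens[i + 1]), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1])
        port = int(tokens[i + 1]) if port is None else port
        i += 2
    return net, port, i


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()  # access-list N ACTION PROTO SRC [eq P] DST [eq P] [log|log-input]
        src, sport, i = _parse_endpoint(t, 4)
        dst, dport, i = _parse_endpoint(t, i)
        log = t[i] if i < len(t) and t[i] in ("log", "log-input") else None
        entries.append(Entry(t[2], t[3], src, sport, dst, dport, log))
    return entries


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; no match falls through to the implicit deny (which does not log)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e
    return "deny", None


def check_task(entries):
    """Exercise the flows the task requires and report what the ACL really does with them."""
    r1_lo1, r2_s01, r2_lo1 = "192.168.100.1", "18.104.22.168", "22.214.171.124"
    peer_a, peer_b = "203.0.113.2", "203.0.113.3"  # constructed BGP peer addresses
    r = {}
    # A Telnet client uses an ephemeral source port, not 23; 49152 is an arbitrary example.
    r["telnet_r2_to_r1"] = evaluate(entries, "tcp", r2_s01, r1_lo1, 49152, 23)[0]
    # BGP packets towards port 179, and the other half of the same session coming from port 179.
    r["bgp_to_179"] = evaluate(entries, "tcp", peer_a, peer_b, 40000, 179)[0]
    r["bgp_from_179"] = evaluate(entries, "tcp", peer_a, peer_b, 179, 40000)[0]
    r["icmp_r2lo1_to_r1lo1"] = evaluate(entries, "icmp", r2_lo1, r1_lo1)[0]
    # RFC 1918's 172.16.0.0/12 runs up to 172.31.255.255; is a source in that range logged?
    _, matched = evaluate(entries, "ip", "172.31.0.1", peer_b)
    r["rfc1918_172_31_logged"] = matched is not None and matched.log is not None
    # Layer 2 address information in the log message requires "log-input" rather than "log".
    r["deny_entries_use_log_input"] = all(e.log == "log-input" for e in entries if e.action == "deny")
    return r


if __name__ == "__main__":
    for name, result in check_task(parse_acl(ACL_TEXT)).items():
        print(f"{name:30} {result}")
```

Run it and compare each line of output with the four requirements in the task; every flow that comes back "deny" where the task asked for permit, and every RFC 1918 source that is dropped by the implicit deny instead of an explicit logging entry, is a point the mock student would lose.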
What in the world is a bogon? It is a source address that should not appear in an IP packet on an interface that faces the public Internet. A very famous example of a bogon address would be the Private IP address space, as defined in RFC 1918. This address space is as follows:
What would be another example of a bogon address? How about the “link-local” addresses that a system will use to communicate on the local link in the event of DHCP failure. This address space is 169.254.0.0/16.
So bogons consist of special use addresses and any other portions of the address space that have not been allocated for public use. This list of addresses is not static, and does change over time. These addresses are excellent entries in your filters (access control lists) for interfaces that face the Internet.
What is a convenient place to learn of the bogon addresses you should be most concerned with as a CCIE candidate? Well, it is none other than an RFC. It is RFC 3330. It is an excellent RFC that summarizes many of the other RFCs detailing special use address space. You can find RFC 3330 here:
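Because the bogon list changes over time, it is worth keeping the prefixes as data and generating the filter from them rather than hand-typing wildcard masks. The following is an added example (my own Python, not from the original post): it holds the special-use prefixes summarized by RFC 3330, converts each to a Cisco wildcard mask, emits deny entries that log with Layer 2 information, and can classify a source address against the same list. The prefix list is constructed for the example; refresh it from a current bogon source before deploying.

```python
import ipaddress

# Special-use IPv4 prefixes summarized in RFC 3330 (constructed list for this example).
SPECIAL_USE_V4 = [
    ("0.0.0.0/8", "this network"),
    ("10.0.0.0/8", "RFC 1918 private"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.0.2.0/24", "TEST-NET documentation"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved for future use"),
]


def wildcard(net):
    """Cisco wildcard mask: the bitwise inverse of the subnet mask (ipaddress calls it the hostmask)."""
    return str(net.hostmask)


def bogon_acl(acl_number, prefixes=SPECIAL_USE_V4):
    """Emit numbered extended ACL lines that deny each bogon source and log it with L2 info."""
    lines = []
    for prefix, remark in prefixes:
        net = ipaddress.IPv4Network(prefix)
        lines.append(f"access-list {acl_number} remark {remark}")
        lines.append(
            f"access-list {acl_number} deny ip {net.network_address} {wildcard(net)} any log-input"
        )
    return lines


def is_bogon(address, prefixes=SPECIAL_USE_V4):
    """True when the address falls inside any prefix on the list."""
    a = ipaddress.IPv4Address(address)
    return any(a in ipaddress.IPv4Network(p) for p, _ in prefixes)


if __name__ == "__main__":
    print("\n".join(bogon_acl(101)))
    for sample in ("192.168.100.1", "169.254.10.20", "203.0.113.5"):
        print(sample, "bogon" if is_bogon(sample) else "not on the RFC 3330 list")
```

The generated lines only deny; an extended ACL ends with an implicit deny, so the permit entries for the traffic you actually want must follow them before the list is applied inbound on the Internet-facing interface.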
Female Voice: “Don’t tell me which zone’s for stopping and which zone’s for loading!”
Male Voice: “Listen, Betty, don’t start your white zone sh*t again. There is just no stopping in the white zone.” – Airplane 1980
A new addition in the CCSP and CCIE tracks is the Cisco IOS Zone-Based Firewall. This blog will introduce you to this new feature. And not to give too much away, but as you will see, it is a new feature based on some more classic-type technologies!
For this blog post, I actually consulted my own book, the CCNA Security Quick Reference published by Cisco Press. That was not a plug; in fact, I was paid a flat rate for that one ☺. I also consulted the Cisco DOC-CD.
The IOS Zone-Based Firewall first showed up in 12.4(6)T and the goal was to provide an intuitive and straightforward policy design approach for multiple interface routers. There was also a desire to offer a greater level of granularity for the application of such policies. The Zone-Based approach utilizes CBAC technology and gives you everything you had there, plus more.
In order to configure the Zone-Based Firewall, you define your zones, define your class maps, define your policy maps, and then define your zone pairs and apply your policy maps to them. Possible actions for traffic moving between zones are INSPECT, DROP, or PASS. Zone Drop or Pass? This is starting to sound more and more like a football blog!
Inspect causes the traffic to be monitored with the IOS stateful packet inspection (think CBAC), while drop and pass are obvious. Pass allows the traffic to move between zones with no inspection whatsoever.
Let’s take a look at a quick and simple example.
Let’s presume we have Fa0/0 and Fa0/1 that connect to private networks in our company. We also have S0/0 that connects to the public Internet. Based on this, we create a simple zone-based firewall as follows:
Step 1: Define and populate our zones:
configure terminal
!
zone security ZONE_PRIVATE
zone security ZONE_INTERNET
!
interface range fa0/0 - 1
 zone-member security ZONE_PRIVATE
!
interface s0/0
 zone-member security ZONE_INTERNET
Step 2: Define the class maps that identify traffic that is permitted between zones:
configure terminal
!
class-map type inspect match-any CM_INTERNET_TRAFFIC
 match protocol http
 match protocol https
 match protocol ftp
Step 3: Configure a policy map which specifies the action for the class map:
configure terminal
!
policy-map type inspect PM_PRIVATE_TO_INTERNET
 class type inspect CM_INTERNET_TRAFFIC
  inspect
Step 4: Configure the zone pair and apply your policy:
configure terminal
zone-pair security ZONEP_PRIV_INT source ZONE_PRIVATE destination ZONE_INTERNET
 service-policy type inspect PM_PRIVATE_TO_INTERNET
Notice how this simple configuration allows for the stateful inspection of our Internet protocols from the private areas to the Internet. It also blocks traffic from the Internet heading to the private area unless it is in response to the inspected traffic.
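To make the forwarding rules behind that behaviour concrete, here is an added toy model in Python (my own illustration, not IOS code and not part of the original post). It captures the rules the four steps rely on: traffic within one zone passes, traffic between zones is dropped unless a zone pair with a policy exists for that direction, an inspected flow is recorded so its reply is allowed back, and anything the class map does not match falls to class-default and is dropped. The zones, interfaces and protocols are the ones configured above; the host addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ZoneFirewall:
    """Minimal model of zone-based firewall forwarding rules (constructed illustration, not IOS)."""
    iface_zone: dict   # interface name -> zone name
    policies: dict     # (source zone, destination zone) -> {protocol: "inspect" | "pass" | "drop"}
    sessions: set = field(default_factory=set)   # (proto, src, dst) of flows inspection recorded

    def handle(self, in_iface, out_iface, proto, src, dst):
        """Return "pass", "inspect" or "drop" for one packet, recording inspected flows."""
        src_zone = self.iface_zone.get(in_iface)
        dst_zone = self.iface_zone.get(out_iface)
        if src_zone == dst_zone:
            return "pass"                      # same zone (or both zoneless): allowed by default
        if src_zone is None or dst_zone is None:
            return "drop"                      # zone member to non-member is dropped
        if (proto, dst, src) in self.sessions:
            return "pass"                      # reply to a flow that stateful inspection recorded
        policy = self.policies.get((src_zone, dst_zone))
        if policy is None:
            return "drop"                      # no zone pair for this direction: default deny
        action = policy.get(proto, "drop")     # class-default drops unmatched traffic
        if action == "inspect":
            self.sessions.add((proto, src, dst))
        return action


def firewall_from_post():
    """The zones, class map and zone pair from the four steps above, expressed as data."""
    return ZoneFirewall(
        iface_zone={"fa0/0": "ZONE_PRIVATE", "fa0/1": "ZONE_PRIVATE", "s0/0": "ZONE_INTERNET"},
        policies={("ZONE_PRIVATE", "ZONE_INTERNET"):
                  {"http": "inspect", "https": "inspect", "ftp": "inspect"}},
    )


def demo():
    """Walk the flows the post describes; the addresses are constructed for the example."""
    fw = firewall_from_post()
    inside, outside, other = "10.1.1.10", "203.0.113.80", "10.1.1.11"
    return {
        "http_out": fw.handle("fa0/0", "s0/0", "http", inside, outside),
        "http_reply": fw.handle("s0/0", "fa0/0", "http", outside, inside),
        "unsolicited_in": fw.handle("s0/0", "fa0/0", "http", outside, other),
        "ssh_out": fw.handle("fa0/0", "s0/0", "ssh", inside, outside),
        "private_to_private": fw.handle("fa0/0", "fa0/1", "ssh", inside, other),
    }


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow:20} {action}")
```

The real router keys sessions on the full 5-tuple and expires them, but the shape is the same: only the inspect action creates state, so a PASS policy needs a matching zone pair in the reverse direction for replies, and a direction with no zone pair at all stays closed.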
I sure hope you enjoyed this quick introduction to a 3.X CCIE Security feature!