The key of securing network using Cisco IOS is a combination of implementing three factors: ACL (Access List), CBAC (Context Based Access Control), and IDS/IPS (Intrusion Prevention System). Therefore keep in mind that to get the ultimate network security using Cisco IOS, you need to implement all the three and not just one or two factors since those three factors are to complement each other.

There is a little discussion of Reflexive Access List, where was considered a sophisticated IOS-based Firewall until CBAC came along. If you wish, you can just skip the Reflexive Access List discussion and go straight to CBAC discussion; since it is recommended to deploy CBAC instead of the "obsolete" Reflexive Access List.

Note that with the new Zone-Based Firewall features, Cisco IOS configuration looks similar as ASA 5500 firewall. Therefore now you have option to implement Zone-Based Firewall and IDS/IPS features on your router instead of ACL, CBAC, and IDS/IPS.

Please note that some of the features listed may not be supported by your IOS. Ascertain whether your IOS can support the feature that you require or download one from the software upgrade centre at CCO.

Also note that this is NOT meant to be a tutorial on network protection but more of an overview on the most common methods of protection.

1. ACL (Access List)

Access control lists (ACLs) provide basic filtering capabilities. They can be configured for all routed network protocols (IP, AppleTalk, etc.) to filter the packets of those protocols as the packets pass through a router.

ACLs can PREVENT and ALLOW certain traffic from entering or exiting a network. They filter traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. Your router examines each packet to determine whether to forward or drop the packet, on the basis of the criteria you specified within the ACLs.

Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol (session, presentation or application layer), or other information.

Following FAQ utilizes ACL and basic principles of TCP/IP to create simple but quite effective firewall.

»Cisco Forum FAQ »Basic Internet Firewall for Routers without IOS image Firewall feature

Note that that such firewall is "static" (not flexible) and might not always work in any situation.

Reflexive Access Lists

Reflexive access lists allow IP packets to be filtered based on session information, which is a layer in the OSI model. The session layer establishes, manages, and terminates communication sessions between presentation layer entities. Communication sessions consist of service requests and service responses that occur between applications located in different network devices. The reflexive access lists are able to filter packets on these request and responses.

Reflexive access lists can be used to permit IP traffic for sessions originating from within the local network but to deny IP traffic for sessions that originated outside of the same network. Hence, only if the local network initiated a session or a request, will it be allowed back.

When do I configure a reflexive access list?

Reflexive access lists are normally configured on border routers, which are routers that stand on the boundary between the internal and external network (internet or another internal network). They are also often routers with the firewall feature set.

How does it work?

A reflexive access list is activated when a new session is initiated from inside your network, with a packet traveling to the external network. When triggered, the reflexive access list generates a new, temporary entry, which will permit traffic to enter your network if it is part of the session. If the traffic is not part of the session, it will not be permitted to enter your network.

For example, if an outbound TCP packet is forwarded outside of your network, and this packet is the first packet of a TCP session, then a new, temporary reflexive access list entry will be created. This entry is added to the reflexive access list, which applies to inbound traffic so the firewall will not block the responding packet.

What are the drawbacks of reflexive access lists?

Reflexive access lists do not work with some applications that use port numbers that change during a session. For example, if the port numbers for a return packet are different from the originating packet, the return packet will be denied, even if the packet is actually part of the same session.

The TCP application of FTP is an example of an application with changing port numbers. With reflexive access lists, if you start an FTP request from within your network, the request will not complete. Instead, you must use Passive FTP when originating requests from within your network.

This is where CBAC come to play since the CBAC is considered the more advanced firewall (stateful firewall).

2. CBAC (Context Based Access Control)

What is context based access control?

Context based access control (CBAC), intelligently filters TCP and UDP packets based on application layer and session layer information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.

Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer. However, CBAC examines not only network layer and transport layer information but also examines the application-layer protocol information (such as FTP connection information) to learn about the state of the session. This allows support of protocols that involve multiple channels. Most of the multimedia protocols as well as some other protocols (such as FTP, RPC, and SQL*Net) involve multiple channels.

Finding Out Your Internal Private IP Address Even When Behind NAT Box

Following is a nice illustration. When your network is behind a NAT/PAT box, then you think that people in the Internet will never know your internal (private) IP address, correct? Wrong!

By using Java (HTTP application) people in the Internet are still able to detect and find out your internal IP addresses. Such Java program may be implemented by ISP that do not allow you to NAT/PAT your public Internet address without paying additional fee for each additional PC or machine. The Java program may be also deployed by hackers.

Click on this link (and scroll down) to see if this Internet website can reveal your internal private IP address
http://www.auditmypc.com/anonymous-surfing.asp

Using HTTP option in the CBAC, you can block incoming HTTP traffic (including Java) from unknown or untrusted network. Check out the following thread for detail story.

»[HELP] Can't hide internal IP on SOHO 97

How does it work?

CBAC inspects traffic that travels through the firewall from the internal network to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall’s access lists to allow return traffic and additional data connections for permissible sessions.

When do I employ CBAC?

You can use CBAC when your firewall will be restricting passing traffic consisting of:
* Standard TCP and UDP Internet applications
* HTTP-based applications including Instant Messaging (i.e. AOL, Yahoo, and MSN IM)
* Multimedia applications
* Oracle support

Please note with the new 12.4 IOS train, more applications are supported. Following is a list that supported under 12.4 IOS train.

  802-11-iapp          IEEE 802.11 WLANs WG IAPP
  ace-svr              ACE Server/Propagation
  aol                  America-Online
  appfw                Application Firewall
  appleqtc             Apple QuickTime
  bgp                  Border Gateway Protocol
  bliff                Bliff mail notification
  bootpc               Bootstrap Protocol Client
  bootps               Bootstrap Protocol Server
  cddbp                CD Database Protocol
  cifs                 CIFS
  cisco-fna            Cisco FNATIVE
  cisco-net-mgmt       cisco-net-mgmt
  cisco-svcs           cisco license/perf/GDP/X.25/ident svcs
  cisco-sys            Cisco SYSMAINT
  cisco-tdp            Cisco TDP
  cisco-tna            Cisco TNATIVE
  citrix               Citrix IMA/ADMIN/RTMP
  citriximaclient      Citrix IMA Client
  clp                  Cisco Line Protocol
  creativepartnr       Creative Partnr
  creativeserver       Creative Server
  cuseeme              CUSeeMe Protocol
  daytime              Daytime (RFC 867)
  dbase                dBASE Unix
  dbcontrol_agent      Oracle dbControl Agent po
  ddns-v3              Dynamic DNS Version 3
  dhcp-failover        DHCP Failover
  discard              Discard port
  dns                  Domain Name Server
  dnsix                DNSIX Securit Attribute Token Map
  echo                 Echo port
  entrust-svc-handler  Entrust KM/Admin Service Handler
  entrust-svcs         Entrust sps/aaas/aams
  esmtp                Extended SMTP
  exec                 Remote Process Execution
  fcip-port            FCIP
  finger               Finger
  fragment             IP fragment inspection
  ftp                  File Transfer Protocol
  ftps                 FTP over TLS/SSL
  gdoi                 GDOI
  giop                 Oracle GIOP/SSL
  gopher               Gopher
  gtpv0                GPRS Tunneling Protocol Version 0
  gtpv1                GPRS Tunneling Protocol Version 1
  h323                 H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  h323callsigalt       h323 Call Signal Alternate
  h323gatestat         h323gatestat
  hp-alarm-mgr         HP Performance data alarm manager
  hp-collector         HP Performance data collector
  hp-managed-node      HP Performance data managed node
  hsrp                 Hot Standby Router Protocol
  http                 HTTP Protocol
  https                Secure Hypertext Transfer Protocol
  ica                  ica (Citrix)
  icabrowser           icabrowser (Citrix)
  icmp                 ICMP Protocol
  ident                Authentication Service
  igmpv3lite           IGMP over UDP for SSM
  imap                 IMAP Protocol
  imap3                Interactive Mail Access Protocol 3
  imaps                IMAP over TLS/SSL
  ipass                IPASS
  ipsec-msft           Microsoft IPsec NAT-T
  ipx                  IPX
  irc                  Internet Relay Chat Protocol
  irc-serv             IRC-SERV
  ircs                 IRC over TLS/SSL
  ircu                 IRCU
  isakmp               ISAKMP
  iscsi                iSCSI
  iscsi-target         iSCSI port
  kazaa                KAZAA
  kerberos             Kerberos
  kermit               kermit
  l2tp                 L2TP/L2F
  ldap                 Lightweight Directory Access Protocol
  ldap-admin           LDAP admin server port
  ldaps                LDAP over TLS/SSL
  login                Remote login
  lotusmtap            Lotus Mail Tracking Agent Protocol
  lotusnote            Lotus Note
  microsoft-ds         Microsoft-DS
  ms-cluster-net       MS Cluster Net
  ms-dotnetster        Microsoft .NETster Port
  ms-sna               Microsoft SNA Server/Base
  ms-sql               Microsoft SQL
  ms-sql-m             Microsoft SQL Monitor
  msexch-routing       Microsoft Exchange Routing
  mysql                MySQL
  n2h2server           N2H2 Filter Service Port
  ncp-tcp              NCP (Novell)
  net8-cman            Oracle Net8 Cman/Admin
  netbios-dgm          NETBIOS Datagram Service
  netbios-ns           NETBIOS Name Service
  netbios-ssn          NETBIOS Session Service
  netshow              Microsoft NetShow Protocol
  netstat              Variant of systat
  nfs                  Network File System
  nntp                 Network News Transport Protocol
  ntp                  Network Time Protocol
  oem-agent            OEM Agent (Oracle)
  oracle               Oracle
  oracle-em-vp         Oracle EM/VP
  oraclenames          Oracle Names
  orasrv               Oracle SQL*Net v1/v2
  parameter            Specify inspection parameters
  pcanywheredata       pcANYWHEREdata
  pcanywherestat       pcANYWHEREstat
  pop3                 POP3 Protocol
  pop3s                POP3 over TLS/SSL
  pptp                 PPTP
  pwdgen               Password  Generator Protocol
  qmtp-tcp             Quick Mail Transfer Protocol
  r-winsock            remote-winsock
  radius               RADIUS & Accounting
  rcmd                 R commands (r-exec, r-login, r-sh)
  rdb-dbs-disp         Oracle RDB
  realaudio            Real Audio Protocol
  realsecure           ISS Real Secure Console Service Port
  router               Local Routing Process
  rpc                  Remote Prodedure Call Protocol
  rsvd-tcp             RSVD
  rsvp-encap           RSVP ENCAPSULATION-1/2
  rsvp_tunnel          RSVP Tunnel
  rtc-pm-port          Oracle RTC-PM port
  rtelnet              Remote Telnet Service
  rtsp                 Real Time Streaming Protocol
  send-tcp             SEND
  shell                Remote command
  sip                  SIP Protocol
  sip-tls              SIP-TLS
  skinny               Skinny Client Control Protocol
  sms                  SMS RCINFO/XFER/CHAT
  smtp                 Simple Mail Transfer Protocol
  snmp                 Simple Network Management Protocol
  snmptrap             SNMP Trap
  socks                Socks
  sqlnet               SQL Net Protocol
  sqlserv              SQL Services
  sqlsrv               SQL Service
  ssh                  SSH Remote Login Protocol
  sshell               SSLshell
  ssp                  State Sync Protocol
  streamworks          StreamWorks Protocol
  stun                 cisco STUN
  syslog               SysLog Service
  syslog-conn          Reliable Syslog Service
  tacacs               Login Host Protocol (TACACS)
  tacacs-ds            TACACS-Database Service
  tarantella           Tarantella
  tcp                  Transmission Control Protocol
  telnet               Telnet
  telnets              Telnet over TLS/SSL
  tftp                 TFTP Protocol
  time                 Time
  timed                Time server
  tr-rsrb              cisco RSRB
  ttc                  Oracle TTC/SSL
  udp                  User Datagram Protocol
  uucp                 UUCPD/UUCP-RLOGIN
  vdolive              VDOLive Protocol
  vqp                  VQP
  webster              Network Disctionary
  who                  Whois service
  wins                 Microsoft WINS
  x11                  X Window System
  xdmcp                XDM Control Protocol

CBAC can be used to allow the application’s traffic through the firewall but only when it is initiated from the protected network.

CBAC is often configured in one direction on a single interface, which will validate the traffic, ensuring it is part of a valid session. This configuration is employed to protect the local network from the Internet.

CBAC can also be used in two directions on one or more interfaces. This method is often employed when networks on both sides of the router needs to be protected. For example, if the firewall is situated between two departments’ networks, CBAC can restrict the traffic of one department’s applications in one direction and restrict traffic in the opposite direction for the other department’s applications.

What are the drawbacks of CBAC?

"If you don’t ask, you don’t get" is the paradigm here. CBAC does not provide intelligent filtering for ALL protocols. It only works for the protocols that you SPECIFY, hence if a protocol is not specified, the ACL will determine its fate.

CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.

If you reconfigure your access lists when you configure CBAC, be aware that if your access lists block TFTP traffic into an interface, you will not be able to netboot over that interface.

Packets with the firewall as the source or destination address are not inspected by CBAC.

CBAC ignores ICMP Unreachable messages. To let specific ICMP traffic to enter, you need to configure the ACL to allow.

H.323 V2 and RTSP protocol inspection supports only the following multimedia client-server applications: Cisco IP/TV, RealNetworks RealAudio G2 Player, Apple QuickTime 4. However with there are more application supported when running 12.4 IOS train as shown previously.

With FTP, CBAC does not allow third-party connections (three-way FTP transfer). Further; when CBAC inspects FTP traffic, it only allows data channels with the destination port in the range of 1024 to 65535. Also, CBAC will not open a data channel if the FTP client-server authentication fails. Therefore when there is a need to have FTP traffic, create ACL to permit such traffic.

CBAC uses less than approximately 600 bytes of memory per connection. There is also a slight amount of additional processing that occurs whenever packets are inspected. Because of the memory and processing usage, you should use CBAC only when your router can handle such work.

Sometimes CBAC must evaluate long access lists, which might have presented a negative impact to performance. However, this impact is avoided, because CBAC evaluates access lists using an accelerated method (CBAC hashes access lists and evaluates the hash).

CBAC does not protect network attacks initiated from within the local network unless the packets travel through the router that employs CBAC for protection. CBAC can only protect against intrusions/attacks that travel through the router.

When you need to protect such network attacks, then you need implement additional security perimeter such as deploy necessary ACL on inside interfaces of the router. Basic logic is that open only necessary ports and protocol; and close others. For the "necessary open" protocol or port guarding, you then need to run IDS/IPS.

What is required for me to undertake reflexive access list and context based access control?

Reflexive access lists can be configured on most IOS feature sets.

CBAC requires the firewall feature set.

3. Zone-Based Firewall

The new Zone-Based Firewall is replacing the previous Stateful IOS-Based Firewall (the CBAC). Zone-Based Firewall is pretty much similar to PIX/ASA OS 7.0 firewall configuration. Check out the following links for details.

Cisco IOS Zone-Based Policy Firewall
Zone-Based Policy Firewall Design and Application Guide
Zone-Based Policy Firewall Design Guide
Cisco IOS Firewall Q&A
Zone-Based Policy Firewall - Introduction and Implementation

4. IDS/IPS (Intrusion Prevention System)

There are prerequisites to properly run Cisco IOS IPS on routers

* Your router IOS version should be at least 12.3(8)T
* Your router IOS feature should be either Advanced Enterprise, Advanced IP Security, or IP Security with IPS
* Your router DRAM is at least 128MB
* There is Signature Detection File (*.sdf) stored in your router, either in flash memory, PCMCIA inside one of the router's slot, Compact Flash, or similar

SDF (Signature Detection File)

* SDF is basically a reference point for router to perform the IPS function
* The IPS functions available are atomic (IP and TCP inspections), service (HTTP, Mail, etc.)
* Detail description on each IPS function is available on the Cisco links below (the SDF and Configuring Cisco IPS)
* You have a choice to either create your own SDF or download from Cisco
* Should you decide to download from Cisco, you need to have proper Smartnet contract
* When you download from Cisco, you can choose either the 128MB.sdf for Basic IPS or the 256MB.sdf for Advanced IPS features
* 128MB.sdf requires at least 128MB DRAM and 256MB.sdf requires at least 256MB DRAM
* In case your router is 870, 1800, 2800, 3800, or other current router models, there should be the 128MB.sdf already stored on the router's flash memory

Note:

* Make sure that the router CPU and memory can handle the workload
* As illustration, 2610XM router with 256MB DRAM and 48MB Flash can jump from 0-1% normal CPU utilization to 99% CPU utilization when running Advanced 256MB.sdf
* For small network environment, the minimal router should be 1841 or similar to properly run Cisco IOS IPS
* You can check out the following FAQ to verify your router CPU power
»Cisco Forum FAQ »Cisco Equipment Performance (per pps and Mbps)

Sample Configuration

ip ips sdf location flash:256MB.sdf
ip ips name MYIPS
!
interface GigabitEthernet0/1
ip address 10.1.1.16 255.255.255.0
ip ips MYIPS in
duplex full
speed 100
media-type rj45
no negotiation auto

Assumption:
* There is 256MB.sdf on the router flash memory
* The IPS will investigate incoming traffic under such router interface

Check out the following link for more info

1. General Info
Cisco IOS IPS Supported Signature List in 5.x Signature Format

2. SDF and Configuring Cisco IPS
Cisco IOS IPS Configuration Guide

SAMPLE CONFIGURATION

1. CBAC Combination Configuration
»Cisco Forum FAQ »Sample IOS Firewall (CBAC) router configuration
»Cisco Forum FAQ »Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router

2. Official Cisco IOS IDS/IPS Deployment Guide
Cisco IOS IPS Signature Deployment Guide

3. IDS/IPS Configuration in Action
Configuring Cisco IOS IPS Using Cisco SDM and CLI

4. More IOS Firewall Sample Configuration
Configuration Examples and TechNotes

5. Official Cisco IOS Firewall Design Guide and Sample Implementation
Cisco IOS Firewall Design Guide

6. Zone-Based Firewall Sample Configuration
»Cisco Forum FAQ »Zone-Based Firewall Sample Configuration

This FAQ brought to you by: LoneBandit & Rhodium_uk

---

Disclaimer:

The above is a summary of Reflexive Access Lists and CBAC. For more information on the capabilities, limitations and syntax of the commands, please consult the CCO.

The authors do not hold any responsibility for any decisions or actions that may arise from this FAQ.

This document is not endorsed by CISCO.



got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by Covenant edited by aryoba
last modified: 2009-01-21 08:51:14