Define Inspection Rules
To define a set of inspection rules, use the ip inspect name command with the same inspection name for each
protocol you want CBAC to inspect. Each set of inspection rules must have a
unique inspection name, which shouldn’t exceed the 16-character limit.
Typically, if inspection is configured for a protocol, return traffic entering
the internal network is only permitted if the packets are part of a valid,
existing session for which state information is being maintained.
Define either one or two sets of rules per interface. A single set
can be used to examine both inbound and outbound traffic, or you can define two
sets: one for outbound traffic and one for inbound traffic. To define a single
set of inspection rules, configure inspection for all the desired
application-layer protocols and for TCP or UDP, as desired. This combination of
TCP, UDP, and application-layer protocols join together to form a single set of
inspection rules with a unique name.
In general, to configure CBAC inspection for a protocol, packets
for that protocol should be permitted to exit the firewall by configuring the
appropriate ACL if necessary. Packets for that protocol will only be allowed
back in through the firewall if they belong to a valid existing session. Without
outbound packets, there can be no existing session. Each protocol packet is
inspected to maintain information about the session state.
Use the Global Configuration Mode command ip inspect
name to define a set of inspection rules. Use the no form of this command to
remove the inspection rule for a protocol or to remove the entire set of
inspection rules. The syntax is
Rtr1(config)#ip inspect name inspection-name protocol [alert {on | off}] [audit-trail
{on | off}] [timeout seconds]
Rtr1(config)#no ip inspect name inspection-name protocol (removes a protocol inspection
rule)
Rtr1(config)#no ip inspect name (removes the
entire set of inspection rules)
This command was introduced in IOS 11.2P. Configurable alert and
audit-trail, IP fragmentation checking, and NetShow protocol support were added
in 12.0(5)T.
TCP and UDP Inspection
Configuring TCP and UDP inspection will permit any TCP and UDP packets to enter the internal network through
the firewall, even if the application-layer protocol isn’t configured to be
inspected. TCP and UDP inspection doesn’t recognize application-specific
commands or processes and might not permit all returning packets for that
application. Any returning application packets with port numbers different than
the exiting packet will be blocked.
Application-layer protocol inspection takes precedence over the
TCP or UDP packet inspection. For example, with FTP inspection, all control
channel information will be recorded in the state table, and all FTP traffic is
permitted back through the firewall if the control channel information is valid
for the state of the FTP session. Any TCP inspection in this case becomes
irrelevant.
Generic TCP and UDP inspection is much like reflexive ACLs, in
that the packets entering the network must exactly match an existing session.
This match is based on having the same source/destination addresses and
source/destination port numbers as the existing packet, except reversed.
Otherwise, the inbound packets are blocked at the interface.
The following example causes the software to inspect TCP sessions
and UDP sessions, and to specifically allow FTP and Real Audio traffic back
through the firewall for existing sessions only. UDP traffic has the audit-trail
feature on, while the FTP timeout is changed to three minutes.
Rtr1(config)#ip inspect name letusin tcp
Rtr1(config)#ip inspect name letusin udp audit-trail on
Rtr1(config)#ip inspect name letusin ftp timeout 180
Rtr1(config)#ip inspect name letusin realaudio-video
H.323 Inspection
If you want CBAC inspection to work with Microsoft
NetMeeting 2.0 traffic, an H.323 application-layer protocol, it’s necessary also
to configure inspection for TCP because NetMeeting 2.0 uses an additional TCP
channel not defined in the H.323 specification. No special configuration options
exist for H.323
To add Microsoft NetMeeting 2.0 inspection, it’s necessary to add
only the following entry because TCP inspection is on in the initial
example:
Rtr1(config)#ip inspect name letusin h323
HTTP Inspection (Java Blocking)
With the proliferation of Java applets available on the
Internet, protecting networks from malicious applets has become a major concern
to network managers. The Java blocking feature can be configured either to
filter or to completely deny access to Java applets.
Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and
untrusted applets by relying on a list of external sites you designate as
“friendly.” If an applet is from a friendly site, the firewall allows the applet
through. If the applet isn’t from a friendly site, the applet is blocked.
Alternatively, you could permit applets from all sites, except sites
specifically designated as “hostile.”
Java blocking uses only numbered standard access lists to define
friendly and hostile external sites. ACL “permit” statements
define traffic from friendly sites, while ACL “deny
statements” define traffic from hostile sites. If Java
blocking is defined using an ACL number and no matching ACL exists, all Java
applets will be blocked.
|
Note |
CBAC can’t detect or block encapsulated or “zipped” Java
applets. Applets in .zip or .jar format aren’t blocked at the firewall. CBAC
also doesn’t detect or block applets loaded via FTP, gopher, or HTTP on a
nonstandard port. |
Use the no form of the command to remove Java blocking from the
inspection set. The syntax is
Rtr1(config)#ip inspect name inspection-name [http [java-list acl#]]
[alert {on | off}]
[audit-trail {on | off}] [timeout
seconds]
Rtr1(config)#no ip inspect name inspection-name http
The next example would add blocking of all Java applets to the
inspection set.
Rtr1(config)#ip inspect name letusin http
If the next example was used instead, all Java applets would be
blocked except those originating from the server 192.168.0.10.
Rtr1(config)#access-list 15 permit 192.168.0.10
Rtr1(config)#ip inspect name letusin http java-list 15
RPC Inspection
RPC inspection allows the
specification based on program numbers. To define multiple program numbers,
create multiple entries for RPC inspection, each with a different program
number. If a program number is specified, all traffic for that program number is
permitted. Any program number that isn’t specified will have all traffic for
that program number blocked.
Use the no form of the command to remove RPC inspection from the
inspection set. The syntax is
Rtr1(config)#ip inspect name inspection-name [rpc program-number number [wait-time
minutes]] [alert {on | off}] [audit-trail {on | off}]
[timeout seconds]
Rtr1(config)#no ip inspect name inspection-name rpc
The following example adds two RPC program numbers to the
inspection set.
Rtr1(config)#ip inspect name letusin rpc program-number 100002
Rtr1(config)#ip inspect name letusin rpc program-number 100010
Fragment Inspection (DoS Attacks)
CBAC inspection rules can help protect hosts against DoS
attacks involving fragmented IP packets. Even if the firewall prevents an
attacker from completing a connection to a protected host, the attacker might
still be able to disrupt services provided by that host in two ways: by sending
a large number of “noninitial” IP fragments or by sending a complete set of
fragmented packets through a router that has an ACL that filters out the first
fragment of the packet. Either way, the remaining fragments can tie up host
resources as it tries in vain to reassemble the incomplete packets.
Using fragmentation inspection, the CBAC maintains an
interfragment state for IP traffic. Noninitial fragments are discarded unless
the corresponding initial fragment has already been permitted to pass through
the firewall. Noninitial fragments received before the corresponding initial
fragments are discarded. Because many circumstances exist that can cause
out-of-order delivery of legitimate fragments, fragmentation inspection can have
a severe performance implications. For this reason, fragment inspection is off
by default.
Use the no form of the command to remove fragment inspection from
the inspection set. The syntax is
Rtr1(config)#ip inspect name inspection-name fragment [max number
timeout seconds]
Rtr1(config)#no ip inspect name inspection-name fragment
Even if the system is under heavy attack from fragmented packets,
legitimate fragmented traffic, if any, will still get some fraction of the
firewall’s fragment state resources and, more important, regular unfragmented
traffic can pass through the firewall unimpeded.
The following example adds fragment checking to that software
inspection set. The firewall will allocate 100 state structures, meaning 100
initial fragments for 100 different packets sent through the router can be
stored before new ones must be discarded. The timeout value for dropping
unassembled packets is set to four seconds.
Rtr1(config)#ip inspect name letusin fragment max 100 timeout 4
SMTP Inspection
SMTP inspection searches SMTP commands for illegal commands.
Packets with illegal commands are dropped, and the SMTP session will hang and
eventually time out. An illegal command is any command except for the following
legal commands: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML,
SEND, SOML, and VRFY.
Use the no form of the command to remove fragment inspection from
the inspection set. The syntax is
Rtr1(config)#ip inspect name inspection-name smtp [alert {on | off}] [audit-trail {on |
off}] [timeout seconds]
Rtr1(config)#no ip inspect name inspection-name smtp
The following example adds SMTP inspection with default
audit-trail and alert setting.
Rtr1(config)#ip inspect name letusin smtp
Sections
Comments (0 posted)
Syndication
