Deploying IOS Security

BRKSEC-2007

BRKSEC-2007 14465_04_2008_c2

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public


© 2006, Cisco Systems, Inc. All rights reserved. 14465_04_2008_c2.scr

Agenda
Drivers for Integrated Security
Technology Overview
Design Considerations
Deployment Models
Real World Use Cases
Case Study
Summary

Security as an Option

Security is an add-on:
  Challenging integration
  Not cost-effective
  Cannot focus on core priority

Security is built-in:
  Intelligent collaboration
  Appropriate security
  Direct focus on core priority

Threats and Challenges
Threats at the Branch Office and HQ
[Diagram: branch offices and the headquarters connected through the Internet. Threats shown: DDoS on the router, attack on the DMZ, attacks on branch servers, web surfing, worms/viruses, voice attacks, wireless attacks.]

Requirement of Integrated Security Solution: IOS Security
Securing the Branch Office and HQ

[Diagram: each threat paired with the Cisco IOS technology that addresses it.]
  DDoS on router: Network Foundation Protection
  Attacks on branch servers: Application Firewall
  Worms congesting the WAN: IPS and Flexible Packet Matching (FPM)
  Head quarter: Integrated HQ Firewall
  Web surfing: URL Filtering (regulate surfing)
  Voice attacks: Voice Security
  Wireless attacks: Wireless Security

Secure Internet access to the branch, without the need for additional devices
Control worms and viruses right at the remote site; conserve WAN bandwidth
Protect the router itself from hacking and DoS attacks


Cisco IOS Security: Router Technologies

Secure Network Solutions:
  Compliance
  Secure Voice
  Secure Mobility
  Business Continuity

Integrated Threat Control:
  Advanced Firewall
  URL Filtering
  Intrusion Prevention
  Flexible Packet Matching
  Network Admission Control (802.1x)
  Network Foundation Protection

Secure Connectivity:
  GET VPN
  DMVPN
  SSL VPN
  IPsec VPN

Management and Instrumentation:
  SDM
  Role Based Access
  NetFlow
  IP SLA

Integrated Threat Control
Cisco IOS Firewall (Classic and Zone-Based)
Cisco IOS Application Intelligence Control
Cisco IOS Intrusion Prevention System
Cisco IOS URL Filtering
Cisco IOS Flexible Packet Matching (FPM)
Cisco IOS Network Foundation Protection (NFP)

Cisco IOS Firewall Overview
Stateful filtering
Application inspection (Layer 3 through Layer 7)

Advanced Layer 3–7 firewall; Cisco IOS Firewall is a Common Criteria certified firewall
Application control: Application Layer Gateway (ALG) engines with a wide range of protocols and applications
Built-in DoS protection capabilities
Supports deployments with virtualization (VRFs), transparent mode and stateful failover
IPv6 support
http://www.cisco.com/go/iosfw

Cisco IOS Zone-Based Policy Firewall
Allows grouping of physical and virtual interfaces into zones
Firewall policies are applied to traffic traversing zones
Simple to add or remove interfaces and integrate them into the firewall policy

Supported Features:
  Stateful inspection
  Application inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP
  URL filtering
  Per-policy parameters
  Transparent firewall
  VRF-aware firewall (virtual firewall)

[Diagram: three zones, Private (trusted), DMZ and Public (untrusted, Internet), with zone-pair policies Private-DMZ, DMZ-Private, Public-DMZ and Private-Public.]

Cisco IOS Zone-Based Firewall: Rule Table (SDM)
[Screenshot: SDM rule table for the zone-based firewall; no text recovered.]

Cisco IOS Zone-Based Policy Firewall Configuration (Command Line Interface, CLI)

! Define the services inspected by the policy
class-map type inspect match-any services
 match protocol tcp
!
! Configure the firewall: action for matching traffic
policy-map type inspect firewall-policy
 class type inspect services
  inspect
!
! Define zones
zone security private
zone security public
!
! Establish the zone pair and apply the policy
zone-pair security private-public source private destination public
 service-policy type inspect firewall-policy
!
! Assign interfaces to zones
interface fastethernet 0/0
 zone-member security private
!
interface fastethernet 0/1
 zone-member security public
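The zone-pair configuration above decides per flow and per direction. The following Python model is an added example, not code from the presentation or from Cisco IOS: it encodes the slide's policy (private to public, class "services" matching tcp, action inspect) together with the documented zone-based firewall defaults (intra-zone permitted, inter-zone dropped without a zone pair, zoned-to-unzoned dropped, inspected replies allowed back). Interface names, hosts and ports in demo() are constructed.

```python
"""Model of the Cisco IOS zone-based policy firewall decision for a flow.

Added example, not code from the presentation or from Cisco IOS. It encodes
the zone rules the slides describe plus the documented ZBPF defaults:
traffic inside one zone is permitted, traffic between zones is dropped
unless a zone-pair policy passes or inspects it, and a zoned interface
never exchanges traffic with an interface that belongs to no zone. The
policy mirrors the slide config (zone pair private -> public, class
"services" matching tcp, action inspect). Interface names, hosts and
ports in demo() are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass
class ClassMap:
    name: str
    protocols: List[str]  # "class-map type inspect match-any": match protocol ...


@dataclass
class PolicyMap:
    name: str
    classes: List[Tuple[ClassMap, str]]  # (class, action) with action inspect|pass|drop

    def action_for(self, proto: str) -> str:
        for cmap, action in self.classes:
            if proto in cmap.protocols:
                return action
        return "drop"  # class-default of an inspect policy-map drops


@dataclass
class ZoneFirewall:
    zone_of: Dict[str, str]                       # interface -> zone (at most one zone)
    zone_pairs: Dict[Tuple[str, str], PolicyMap]  # (source zone, destination zone) -> policy
    sessions: Set[Flow] = field(default_factory=set)  # flows opened by "inspect"

    def forward(self, in_if: str, out_if: str, flow: Flow) -> str:
        """Return 'inspect' (allowed, session created), 'permit' or 'drop'."""
        proto, sip, sport, dip, dport = flow
        # Reply traffic of an inspected session is allowed back without a zone pair.
        if (proto, dip, dport, sip, sport) in self.sessions:
            return "permit"
        src_zone, dst_zone = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src_zone is None and dst_zone is None:
            return "permit"  # neither interface is zoned: not subject to the firewall
        if src_zone is None or dst_zone is None:
            return "drop"    # zoned <-> unzoned interface is always dropped
        if src_zone == dst_zone:
            return "permit"  # intra-zone traffic passes by default
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"    # no zone pair for this direction: default deny
        action = policy.action_for(proto)
        if action == "inspect":
            self.sessions.add(flow)  # stateful: remember the flow so the reply returns
            return "inspect"
        return "permit" if action == "pass" else "drop"


def build_slide_firewall() -> ZoneFirewall:
    """The slide's configuration: zone pair private -> public inspecting tcp."""
    services = ClassMap("services", ["tcp"])
    policy = PolicyMap("firewall-policy", [(services, "inspect")])
    return ZoneFirewall(
        zone_of={"FastEthernet0/0": "private", "FastEthernet0/1": "public"},
        zone_pairs={("private", "public"): policy},
    )


def demo() -> Dict[str, str]:
    """Run constructed flows through the firewall and return each verdict."""
    fw = build_slide_firewall()
    out_http = ("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    http_reply = ("tcp", "203.0.113.5", 80, "192.168.1.10", 40000)
    unsolicited = ("tcp", "203.0.113.5", 5555, "192.168.1.10", 22)
    out_dns = ("udp", "192.168.1.10", 53000, "203.0.113.53", 53)
    return {
        "outbound http": fw.forward("FastEthernet0/0", "FastEthernet0/1", out_http),
        "http reply": fw.forward("FastEthernet0/1", "FastEthernet0/0", http_reply),
        "unsolicited inbound": fw.forward("FastEthernet0/1", "FastEthernet0/0", unsolicited),
        "outbound udp (not in class)": fw.forward("FastEthernet0/0", "FastEthernet0/1", out_dns),
        "to unzoned interface": fw.forward("FastEthernet0/0", "Serial0/0", out_http),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

The udp and unzoned-interface cases show the two silent failure modes operators hit most often: a protocol missing from the class-map and an interface that was never assigned to a zone are both dropped without any explicit deny rule.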

Cisco IOS Transparent Firewall
Introduces “stealth firewall” capability
No IP address associated with the firewall (nothing to attack)
No need to renumber or break up IP subnets
The IOS router bridges between the two “halves” of the network

Use Case: Firewall Between Wireless and Wired LANs
Both the wired and wireless segments are in the same subnet, 192.168.1.0/24
VLAN 1 is the “private” protected network; wireless is not allowed to access the wired LAN
[Diagram: the router bridges the wired VLAN 1 segment (host 192.168.1.2) and the wireless segment on Fa 0/0 (host 192.168.1.3) as a transparent firewall, with the Internet beyond.]

Transparent Cisco IOS Firewall Configuration (Command Line Interface, CLI)

! Classification
class-map type inspect match-any protocols
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
!
! Security policy
policy-map type inspect firewall-policy
 class type inspect protocols
  inspect
!
! Security zones
zone security wired
zone security wireless
!
! Security zone policy
zone-pair security zone-policy source wired destination wireless
 service-policy type inspect firewall-policy
!
interface VLAN 1
 description private interface
 bridge-group 1
 zone-member security wired
!
interface VLAN2
 description public interface
 bridge-group 1
 zone-member security wireless
!
! Layer 2 configuration: bridge configuration
bridge irb
bridge 1 protocol ieee
bridge 1 route ip

Cisco IOS Flexible Packet Matching (FPM)
Rapid Response to New and Emerging Attacks
Network managers require tools to filter day-zero attacks, for example before IPS signatures are available
Traditional ACLs take a shotgun approach: legitimate traffic could be blocked
  Example: stopping Slammer with ACLs meant blocking port 1434, denying business transactions involving Microsoft SQL
FPM delivers flexible, granular Layer 2–7 matching
  Example: port 1434 + packet length 404 B + a specific pattern within the payload identifies Slammer

[Diagram: a match pattern over the packet bytes, combined with AND, OR and NOT operators.]
Cisco.com/go/fpm

Cisco IOS Flexible Packet Matching Configuration - Slammer Filter
class-map type stack ip-udp
 match field ip protocol eq 17 next udp
class-map type access-control slammer
 match field udp dport eq 1434
 match start ip version offset 224 size 4 eq 0x04011010
 match start network-start offset 224 size 4 eq 0x04011010

policy-map type access-control udp-policy
 class slammer
  drop
policy-map type access-control fpm-policy
 class ip-udp
  service-policy udp-policy

The access-control typed class defines the traffic pattern: UDP destination port 1434, and, starting from the IP header at offset 224 bytes, the 4-byte value must equal 0x04011010.
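To make the "shotgun ACL versus granular FPM" point concrete, the following Python is an added example, not code from the presentation or from Cisco IOS: it builds constructed IPv4/UDP packets and applies both filters from the slides, a port-only ACL and the FPM 'slammer' class (port 1434, IP length 404, 4 bytes at offset 224 equal to 0x04011010). Addresses and payload bytes are constructed test data, not real worm content.

```python
"""Contrast the port-only ACL with the FPM class from the slides on a few packets.

Added example, not code from the presentation or from Cisco IOS. It builds
constructed IPv4/UDP packets and applies the two filters described on the
slides: an ACL that denies every UDP packet to port 1434, and the FPM
'slammer' class that additionally requires the 404-byte packet length and
the 4-byte value 0x04011010 at offset 224 from the start of the IP header.
Addresses and payload contents are constructed test data, not real worm bytes.
"""
import struct
from typing import Dict, Optional, Tuple

SLAMMER_PORT = 1434
SLAMMER_LEN = 404             # match field ip length eq 404
SLAMMER_OFFSET = 224          # offset from the start of the IP header
SLAMMER_PATTERN = 0x04011010  # match start ... offset 224 size 4 eq 0x04011010


def ipv4_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP datagram (checksums left zero; constructed data)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src_b, dst_b)
    return ip + udp


def parse_udp(pkt: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (ihl, ip_total_length, udp_dport) for an IPv4 UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17 or len(pkt) < ihl + 8:  # "match field ip protocol eq 17 next udp"
        return None
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return ihl, total_len, dport


def acl_verdict(pkt: bytes) -> str:
    """Traditional ACL: deny udp any any eq 1434, which blocks all SQL traffic."""
    parsed = parse_udp(pkt)
    if parsed is not None and parsed[2] == SLAMMER_PORT:
        return "deny"
    return "permit"


def fpm_verdict(pkt: bytes) -> str:
    """FPM class 'slammer': port AND length AND payload pattern must all match."""
    parsed = parse_udp(pkt)
    if parsed is None:
        return "permit"
    _ihl, total_len, dport = parsed
    if dport != SLAMMER_PORT or total_len != SLAMMER_LEN:
        return "permit"
    window = pkt[SLAMMER_OFFSET:SLAMMER_OFFSET + 4]
    if len(window) == 4 and struct.unpack("!I", window)[0] == SLAMMER_PATTERN:
        return "drop"
    return "permit"


def sample_packets() -> Dict[str, bytes]:
    """Constructed packets: worm-shaped, legitimate SQL lookup, same-size benign, DNS."""
    worm = bytearray(376)  # 20 IP + 8 UDP + 376 payload = 404 bytes
    worm[SLAMMER_OFFSET - 28:SLAMMER_OFFSET - 24] = SLAMMER_PATTERN.to_bytes(4, "big")
    benign_404 = bytes(376)  # same length and port, but no pattern
    sql_lookup = b"\x02"     # short SQL Server browse request (constructed)
    return {
        "worm-shaped": ipv4_udp_packet("198.51.100.7", "192.0.2.10", 1434, 1434, bytes(worm)),
        "sql lookup": ipv4_udp_packet("192.0.2.20", "192.0.2.10", 50000, 1434, sql_lookup),
        "benign 404-byte": ipv4_udp_packet("192.0.2.20", "192.0.2.10", 50001, 1434, benign_404),
        "dns": ipv4_udp_packet("192.0.2.20", "192.0.2.53", 50002, 53, bytes(32)),
    }


def compare() -> Dict[str, Tuple[str, str]]:
    """Return {name: (acl verdict, fpm verdict)} for every sample packet."""
    return {name: (acl_verdict(p), fpm_verdict(p)) for name, p in sample_packets().items()}


if __name__ == "__main__":
    for name, (acl, fpm) in compare().items():
        print(f"{name:16s} ACL={acl:6s} FPM={fpm}")
```

Only the worm-shaped packet is dropped by the FPM logic, while the ACL also denies the legitimate SQL lookup and the benign 404-byte datagram.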

Cisco IOS Intrusion Prevention (IPS)
Distributed Defense Against Worms and Viruses
Cisco IOS IPS stops attacks at the entry point, conserves WAN bandwidth, and protects the router and remote network from DoS attacks
Integrated form factor makes it cost-effective and viable to deploy IPS in small and medium business and enterprise branch/telecommuter sites
Supports 2000+ signatures, sharing the same signature database available with Cisco IPS sensors
Allows custom signature sets and actions to react quickly to new threats

[Diagram: IPS on the router at the branch office, small branch, and small office/telecommuter sites, in front of the corporate office across the Internet. Annotations: protect the router and local network from DoS attacks; stop attacks before they fill up the WAN; apply IPS on traffic from branches to kill worms from infected PCs.]
http://www.cisco.com/go/iosips

Cisco IOS Intrusion Prevention System (IPS) Configuration (Command Line Interface, CLI)

Download the Cisco IOS IPS files to your PC:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
  IOS-Sxxx-CLI.pkg
  realm-cisco.pub.key.txt

Configure the Cisco IOS IPS crypto key:
  mkdir ipstore (create the directory on flash)
  Paste the crypto key from realm-cisco.pub.key.txt into the configuration

Cisco IOS IPS configuration:
ip ips config location flash:ipstore retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
interface fastethernet 0
 ip ips ips-policy in

Load the signatures from the TFTP server:
copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

Verify the total number of active compiled signatures:
show ip ips signature count
Total Compiled Signatures: 338

Comprehensive, Scalable IPS Management
Integrated, Collaborative Security for the Branch
Full range of management options:
  Cisco SDM 2.5† provides full IPS provisioning and monitoring for a single router
  Cisco Security Manager 3.1† / CS-MARS for enterprise IPS
  CLI option supports automated provisioning and signature update†
  Cisco Configuration Engine for MSSP: scales to thousands of devices‡

Operational consistency across the Cisco IPS portfolio
Risk Rating and Signature Event Action Processor (SEAP) reduce false positives‡
Enhanced Microsoft signature support (MSRPC and SMB)†

† New in Cisco IOS 12.4(15)T2
‡ Unique in the industry

Cisco IOS Transparent IPS
Use Case: IPS Between Wireless and Wired LANs
Introduces “stealth IPS” capability
No IP address associated with the IPS (nothing to attack)
The IOS router bridges between the two “halves” of the network
Both the wired and wireless segments are in the same subnet, 192.168.1.0/24
VLAN 1 is the “private” protected network
[Diagram: the router bridges the wired VLAN 1 segment (host 192.168.1.2) and the wireless segment on Fa 0/0 (host 192.168.1.3) as a transparent IPS, with the Internet beyond.]

Cisco IOS Intrusion Prevention System (IPS) Configuration (Command Line Interface, CLI)

Download the Cisco IOS IPS files to your PC:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
  IOS-Sxxx-CLI.pkg
  realm-cisco.pub.key.txt

Configure the Cisco IOS IPS crypto key:
  mkdir ips5 (create the directory on flash)
  Paste the crypto key from realm-cisco.pub.key.txt into the configuration

Cisco IOS IPS configuration:
ip ips config location flash:ips5 retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
interface VLAN 1
 description private interface
 bridge-group 1
 ip ips ips-policy out
interface VLAN 2
 description private interface
 bridge-group 1
 ip ips ips-policy in

Load the signatures from the TFTP server:
copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

Verify the total number of active compiled signatures:
show ip ips signature count
Total Compiled Signatures: 338

Cisco IOS URL Filtering
Internet Usage Control
Control employee access to entertainment sites during work hours
Control downloads of objectionable or offensive material; limit liabilities
Cisco IOS supports static whitelist and blacklist URL filtering
External filtering servers such as Websense and SmartFilter can be used at the corporate office, with Cisco IOS static lists as backup
SDM 2.3 supports configuring static lists and importing .csv files for URL lists
[Diagram: web surfing from the branch office to the Internet passes through URL filtering on the router.]

Router Hardening
Network Foundation Protection (Cisco NFP): think “divide and conquer”, a methodical approach to protecting three planes
  Data plane: ability to forward data
  Control plane: ability to route
  Management plane: ability to manage

A router can be logically divided into three functional planes:
1. Data plane: the vast majority of packets handled by a router travel through the router by way of the data plane
2. Management plane: traffic from management protocols and other interactive access protocols, such as Telnet, Secure Shell (SSH) protocol, and SNMP, passes through the management plane
3. Control plane: routing control protocols, keepalives, ICMP with IP options, and packets destined to the local IP addresses of the router pass through the control plane

Network Foundation Protection
Data plane: detects traffic anomalies and responds to attacks in real time
  Technologies: NetFlow, IP source tracker, ACLs, uRPF, RTBH, QoS tools
Control plane: defense-in-depth protection for the routing control plane
  Technologies: receive ACLs, control plane policing, iACLs, neighbor authentication, BGP best practices
Management plane: secure and continuous management of the Cisco IOS network infrastructure
  Technologies: CPU and memory thresholding, dual export syslog, image verification, SSHv2, SNMPv3, security audit, CLI views
http://www.cisco.com/go/nfp

Router Hardening: Traditional Methods
Disable any unused protocols
VTY ACLs
SNMP
  Community ACL
  Views
  Disable SNMP RW; use SNMPv3 for RW if needed
Use ‘type 5’ passwords
  ‘service password-encryption’ is reversible and is only meant to prevent shoulder surfing
Run AAA
  Don’t forget Authorization and Accounting
Disable extraneous interface features
Encrypt sessions
  SSH
  IPsec
Prevent dead TCP sessions from utilizing all VTY lines
  service tcp-keepalives-in

Best Practice - Features to Disable
BOOTP
CDP
Configuration auto-loading
DNS
DHCP server
Finger
HTTP server
FTP server
TFTP server
IP directed broadcast
IP mask reply
IP redirects
IP source routing
IP unreachable notifications
Identification service
NTP
PAD service
Proxy ARP
Gratuitous ARP
SNMP
TCP small servers
UDP small servers
MOP service
TCP keep-alives
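The two hardening slides above are a checklist; the following Python audit is an added example, not code from the presentation or from Cisco IOS, that applies that checklist to a running-config text (services to disable, SNMP RW communities, 'type 5' secrets, SSH-only VTYs with a VTY ACL, tcp-keepalives-in). It assumes, as labelled in the code, that the listed default-on services appear in a 12.4-era config only in their 'no ...' form when disabled; SAMPLE_CONFIG is constructed.

```python
"""Audit a Cisco IOS running-config against the hardening items on the slides.
Added example, not from the presentation or Cisco IOS. Assumption (labelled):
commands in DEFAULT_ON / IFACE_DEFAULT_ON count as enabled unless their
explicit 'no ...' form is present, which is how 12.4-era IOS displays them;
EXPLICIT_ON commands run only when listed. SAMPLE_CONFIG is constructed.
"""
from typing import Dict, List, Tuple

DEFAULT_ON = {        # global commands that must appear negated (assumed default-on)
    "cdp run": "CDP",
    "ip source-route": "IP source routing",
    "service pad": "PAD service",
    "ip bootp server": "BOOTP server",
    "ip domain-lookup": "DNS name resolution",
}
EXPLICIT_ON = {       # global commands that enable a service only when present
    "ip http server": "HTTP server",
    "service tcp-small-servers": "TCP small servers",
    "service udp-small-servers": "UDP small servers",
    "ip finger": "finger",
    "ip identd": "identification service",
    "ftp-server enable": "FTP server",
    "ip dhcp pool": "DHCP server",
}
IFACE_DEFAULT_ON = {  # per-interface commands that must appear negated (assumed default-on)
    "ip proxy-arp": "proxy ARP",
    "ip redirects": "ICMP redirects",
    "ip unreachables": "ICMP unreachables",
}


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and {interface/line header: [child lines]}."""
    glob, sections, current = [], {}, None
    for line in (l.rstrip() for l in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):          # indented: belongs to the open section
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            glob.append(line)
    return glob, sections


def audit(config: str) -> List[str]:
    """Return one finding per hardening item the config fails."""
    findings: List[str] = []
    glob, sections = parse_sections(config)
    gset = set(glob)
    for cmd, what in DEFAULT_ON.items():
        if f"no {cmd}" not in gset:
            findings.append(f"{what} left enabled (add 'no {cmd}')")
    for cmd, what in EXPLICIT_ON.items():
        if any(l.startswith(cmd) for l in glob):
            findings.append(f"{what} enabled ('{cmd}')")
    for l in glob:  # snmp-server community <string> RW [acl]
        if l.startswith("snmp-server community") and "RW" in l.split()[3:]:
            findings.append("SNMP read-write community configured")
    if any(l.startswith("enable password") for l in glob) and not any(
        l.startswith("enable secret") for l in glob
    ):
        findings.append("enable password without enable secret (type 5 password)")
    if "service tcp-keepalives-in" not in gset:
        findings.append("dead VTY sessions not reaped (add 'service tcp-keepalives-in')")
    for header, children in sections.items():
        if header.startswith("interface "):
            for cmd, what in IFACE_DEFAULT_ON.items():
                if f"no {cmd}" not in children:
                    findings.append(f"{header}: {what} left enabled")
        elif header.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if not transport or transport[0].split()[2:] != ["ssh"]:
                findings.append(f"{header}: transport input not restricted to ssh")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{header}: no access-class (VTY ACL) applied")
    return findings


SAMPLE_CONFIG = """\
service tcp-keepalives-in
service password-encryption
enable password 7 094F471A1A0A
no ip source-route
no service pad
ip http server
snmp-server community public RW
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.252
!
line vty 0 4
 transport input telnet ssh
!
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```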

Cisco IOS Control Plane Policing
Continual Router Availability Under Stress
Mitigates DoS attacks on the control plane (route processor), such as ICMP floods
Polices and throttles incoming traffic to the control plane; maintains packet forwarding and protocol states during attacks or heavy traffic load

[Diagram: traffic reaching the control plane (management: SNMP, Telnet, SSH, SSL; ICMP; IPv6; routing updates). Incoming packets go through CEF/FIB lookup; processor-switched packets enter the control plane through Control Plane Policing, which alleviates DoS attacks. Output from the control plane can use Silent Mode, which prevents reconnaissance. Locally switched packets leave through the output packet buffer.]
Cisco.com/go/nfp

Cisco IOS AutoSecure
One Touch Automated Router Lockdown
Disables non-essential services
  Eliminates DoS attacks based on fake requests
  Disables mechanisms that could be used to exploit security holes
Enforces secure access
  Enforces enhanced security in accessing the device
  Enhanced security logs
  Prevents attackers from knowing packets have been dropped
Secures the forwarding plane
  Protects against SYN attacks
  Anti-spoofing
  Enforces stateful firewall configuration on external interfaces, where available

Network Foundation Protection
http://www.cisco.com/go/autosecure

Secure Connectivity
GET VPN
DMVPN
Easy VPN
SSL VPN

Cisco IPsec VPN Technologies
Features | Easy VPN | DMVPN | GET VPN
Infrastructure Network | Public Internet transport | Public Internet transport | Private IP transport
Network Style | Hub-spoke (client to site) | Hub-spoke and spoke-to-spoke (partial mesh) | Any-to-any (full mesh)
Routing | Reverse-route injection | Dynamic routing on tunnels | Dynamic routing on IP WAN
Failover Redundancy | Stateful hub crypto failover | Route distribution model | Route distribution model + KS: stateful
Encryption Style | Peer-to-peer protection | Peer-to-peer protection | Group protection
IP Multicast | Multicast replication at hub | Multicast replication at hub | Multicast replication in IP WAN network

Cisco GET VPN
GET VPN Simplifies Security Policy and Key Distribution
[Diagram: group members (subnets 1 to 4) attached to a private WAN, with cooperative key servers; GET VPN encrypts between group members.]

GET VPN Uses IP Header Preservation to Mitigate Routing Overlay
  Original IP packet: IP Header | IP Payload
  IPsec tunnel mode: New IP Header | ESP Header | Original IP Header | IP Payload
  GET IP header preservation: Original IP Header | ESP Header | Original IP Header | IP Payload

GET uses Group Domain of Interpretation (GDOI): RFC 3547 standards-based key distribution
GET adds cooperative key servers for high availability
Key servers authenticate and distribute keys and policies; group member provisioning is minimized; application traffic is encrypted by group members

Cisco Dynamic Multipoint VPN
Full meshed connectivity with simple configuration of hub and spokes
Supports dynamically addressed spokes
Zero touch configuration for addition of new spokes

Secure On-Demand Meshed Tunnels
[Diagram: hub with spokes A, B and C over the WAN; traditional static tunnels from static, known IP addresses contrasted with DMVPN tunnels from dynamic, unknown IP addresses.]

What’s New in Phase 3
  Improved scaling: NHRP/CEF rewrite and EIGRP scaling enhancements
  Manageability enhancements
Cisco.com/go/dmvpn

Cisco Enhanced Easy VPN
Centralized Policy-Based Management
Automated deployments: no user intervention
Enforces consistent policy on remote devices
Add new devices without changes at the headend

What’s New in Easy VPN?
  CTA/NAC policy enforcement
  Centralized policy push for the integrated client firewall
  Password aging via AAA
  cTCP NAT transparency and firewall traversal
  DHCP client proxy and DDNS registration
  Split DNS
  Per-user policy from RADIUS
  Support for identically addressed spokes behind NAT with split tunnels
  VTI manageability: display of VRF information, summary commands

Supports dynamic connections with VPN
Interoperable across Cisco access and security devices
Cisco VPN client: the only FIPS-certified client

[Diagram: 1. remote calls ‘home’; 2. validate, policy push; 3. VPN tunnel to the Cisco security router at the corporate office, across the Internet. Hardware clients: Cisco ASA, PIX®, security router. Cisco VPN software client on PC/Mac/UNIX.]
http://www.cisco.com/go/easyvpn

Cisco IOS SSL VPN
Clientless Access (web based + application helper):
  Browser-based (clientless)
  Gateway performs content transformation
  File sharing (CIFS), OWA, Citrix
  Java-based application helper

Full Network Access (IP over SSL, IP-based applications):
  Application agnostic
  Tunnel client dynamically loaded
  No reboot required after installation
  Client may be permanently installed or removed dynamically

Cisco Router and Security Device Manager: simple GUI-based provisioning and management with step-by-step wizards for turnkey deployment
Cisco Secure Desktop: prevents digital leakage, protects user privacy, easy to implement and manage, and works with desktop guest permissions
Virtualization and VRF awareness: pool resources

Secure Connectivity Related Sessions
BRKSEC-3005: Advanced Remote Access with SSL VPN
BRKSEC-3008/2007: Site to Site VPN with GET VPN
BRKSEC-3006: Advanced Site to Site VPN, Dynamic Multipoint VPNs (DMVPN)

Instrumentation and Management
SDM
Role Based Access
NetFlow
IP SLA

Cisco Security Management Suite
Cisco® Security Device Manager
  Quickest way to set up a device
  Configures all device parameters
  Wizards to configure firewall, IPS, VPN, QoS, and wireless
  Ships with the device

Cisco Security Manager
  New solution for configuring routers, appliances, switches
  New user-centered design
  New levels of scalability

Cisco Security MARS
  Solution for monitoring and mitigation
  Uses control capabilities within the infrastructure to eliminate attacks
  Visualizes attack paths

Instrumentation
Your network management system is only as good as the data you can get from the devices in the network
  IP Service Level Agent (IP SLAs): network performance data (latency and jitter)
  NetFlow and NBAR: detailed statistics for all data flows in the network (see Advanced NetFlow Deployment, BRKNMS-3005)
  SNMPv3 and SNMP informs: reliable traps using SNMP informs
  Syslog Manager and XML-formatted syslog: total flexibility to parse and control syslog messages on the router itself
  Tcl scripting and Kron (cron) jobs: flexible, programmatic control of the router
  Role-Based CLI Access: provides partitioned, non-hierarchical access (e.g. network and security operations)
  EEM: see Solving Security Challenges using EEM

Design Consideration


Design Consideration
Cisco IOS Firewall
Classic or zone-based firewall:
  Zone-based firewall, 12.4(4)T, or classic firewall
  All new features are offered in the zone-based policy firewall configuration model; there is no end-of-life plan for the classic Cisco IOS Firewall, but there will be no new features
  ASR1000 supports the IOS zone-based firewall

Manageability:
  Provisioning firewall policies: CLI, Cisco Security Manager, SDM and Config Engine
  Monitoring firewall activity: syslog, SNMP, screen-scrapes from "show" commands
  Modifying security policies: SDM supports the zone-based firewall

Interoperation:
  Cisco IOS Firewall interoperates with other features: NAT, VPN, Intrusion Prevention System (IPS), WCCP/WAAS, proxy, URL filtering and QoS

Memory usage:
  A single TCP or UDP (Layer 3/4) session takes 600 bytes of memory
  Multi-channel protocol sessions use more than 600 bytes of memory

Design Consideration
Cisco IOS Firewall
Cisco IOS Firewall Went Through a Paradigm Shift: 12.4(4)T and Onward Supports the Zone-Based IOS Firewall

Before Release 12.4(4)T and 12.4 mainline:
  Interface-based policies
  No granular support
  Support for the classic IOS Firewall
  No advanced AIC support

Release 12.4(4)T and later:
  Zone-based policies
  Very granular firewall policies
  Support for the classic IOS Firewall continued; no new features on the classic IOS Firewall
  Advanced protocol conformance support (P2P, IM, VoIP, etc.)

Classic IOS Firewall:
  Supported in CSM and SDM
  MIB support
  IPv6 support
  Active/passive failover support

Zone-based IOS Firewall:
  Supported in SDM; CSM planned for CY2008
  No MIB (roadmap)
  No IPv6 (roadmap)
  No active/passive failover (roadmap)

Design Consideration
Cisco IOS Firewall
Denial of Service (DoS) protection settings:
  Prior to 12.4(11)T the default DoS settings were set low: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper0900aecd804e5098.shtml
  From 12.4(11)T onwards the DoS settings are maxed out by default

Addressing:
  Firewall policies can be made much more efficient with a well thought-out IP address scheme

Performance consideration:
  Cisco IOS Firewall performance guidelines for ISRs (800–3800): http://www.cisco.com/en/US/partner/products/ps5855/products_white_paper0900aecd8061536b.shtml
  ASR1000: TCP/ICMP/UDP inspection performance (up to 10G) with select ALGs (SIP UDP, active FTP, DNS, H.323v2, SCCP)

Cisco IOS Firewall - ISRs
Real World Performance: HTTP
[Chart: real-world HTTP firewall performance on ISRs; no data recovered.]

Design Consideration
Cisco IOS Firewall Voice Features
Protocol | ISRs | ASR1000
H.323 V1 & V2 | Yes | Yes
H.323 V3 & V4 | No | No
H.323 RAS | Yes | No
H.323 T.38 Fax | No | No
SIP UDP | Yes | Yes
SIP TCP | No | No
SCCP | Yes | Yes
Locally generated traffic inspection for SIP/SCCP | No | No

Comments column, in the order extracted (row assignment not recoverable): Roadmap; CCM 4.2 supported; RFC 2543, RFC 3261 not supported; Roadmap; Tested with CCM 4.2/CME 4.0; Roadmap; Tested using CME 4.0; Roadmap

For Cisco IOS® support, contact ask-stg-ios-pm@cisco.com with requirements

Design Consideration
Cisco IOS Flexible Packet Matching
Functionality | ACL | IOS FPM, ISR 12.4(15)T2 | IOS FPM, ASR1000 RLS 2.2
# of ACEs per interface | Unlimited | Unlimited | 60,000
# of match criteria / ACE | 4 | Unlimited | 2
Depth of inspection | 44 bytes | Full packet | 256 B
Raw offset | No | Yes | Yes
Relative offset (fixed header length support) | No | Yes | Yes
Dynamic offset (variable header length support) | No | Yes | No
Nested policies | No | Yes | Yes
Nested class-maps | No | Yes | Yes
Regex match | No | Yes | Yes
String match | No | Yes | Yes
Match string pattern window | No | Full packet | Full packet
Protocol support | IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP, Ethernet, GRE, IPsec | IPv4, TCP, UDP, ICMP, Ethernet
Actions supported | permit, deny, log | permit, count, drop, log, send-response, nested policy redirect, rate limit | permit, count, drop, log, send-response

© 2006, Cisco Systems, Inc. All rights reserved. 14465_04_2008_c2.scr

Design Consideration
Cisco IOS IPS 4.x and 5.x
Cisco IOS IPS Went Through a Paradigm Shift: 12.4(11)T2 and Onward Supports IPS 5.x

 | Before Release 12.4(11)T2 & 12.4 Mainline | Release 12.4(11)T2 & later
IOS IPS internal version (show subsys name ips) | 2.xxx.xxx | 3.000.000
Signature format | 4.x | 5.x
Signature download URL | http://www.cisco.com/cgibin/tablebuild.pl/ios-sigup | http://www.cisco.com/cgibin/tablebuild.pl/ios-v5sigup
Signature distribution | Pre-tuned signature files: Basic/Advanced SDF files | Signature package IOS-Sxxx-CLI.pkg
Loading signatures | From a single SDF file | From a set of configuration files
Configuration of signatures | Flat single SDF file approach | Hierarchical multilevel/multi-file approach

Signature Update for Cisco IOS IPS 4.x (12.4(9)T or Prior) Will Continue Till ?

Design Consideration
Migrating to Cisco IOS IPS 5.x (12.4(11)T2)
Option 1: existing customer using non-customized pre-built signature files (SDFs)
  No signature migration needed
  Signatures in 128MB.sdf are in the IOS-Basic category
  Signatures in 256MB.sdf are in the IOS-Advanced category

Option 2: existing customer using customized pre-built signature files (SDFs)
  A signature migration (Tcl) script is available on Cisco.com to convert customized SDFs to the 5.x format
  This migration script does not migrate user-defined (non-Cisco) signatures

Migration Guide:
http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd8057558a.shtml

Design Consideration
Cisco IOS IPS—12.4(11)T2 and Later Release
Manageability

Provisioning IPS policies:
  CLI, Cisco Security Manager, SDM and Config Engine

Signature tuning and update:
  The basic category is the Cisco recommended signature set for routers with 128 MB RAM; the advanced category is for 256 MB RAM
  Signature tuning with the command line interface (CLI) is available after 12.4(11)T
  Signature package updates align with the Cisco 42xx sensors (auto update via CSM)

Monitoring IPS activity:
  Reporting via CS-MARS (SDEE and syslog support) and screen-scrapes from "show" commands

Modifying security policies:
  SDM/CSM supports IPS

Design Consideration
Provisioning and Monitoring Options (by number of routers: 1, up to 5, more than 5)

IPS Signature Provisioning:
- 1 router: Cisco Security Device Manager (SDM)
- More than 5 routers, same signature set/policy: Opt 1: Cisco Security Manager (CSM); Opt 2: Cisco SDM and Cisco Configuration Engine to copy generated IPS files to a large number of routers
- More than 5 routers, different signature set/policy: Single or multiple instances of CSM

IPS Event Monitoring:
- 1 router: Cisco IPS Event Viewer (IEV) or Cisco SDM
- Up to 5 routers: Cisco IEV or syslog server
- More than 5 routers: Cisco Security MARS x.3.2 (model and quantity depend on the number of routers, topology and cumulative EPS)


Design Consideration
Cisco IOS Intrusion Prevention System (IPS) Performance Consideration
- Router performance is not affected by adding more signatures

Memory Usage
- The signature compilation process is highly CPU-intensive while the signatures are being compiled
- The number of signatures that can be loaded on a router is memory-dependent

Fragmentation
- Cisco IOS IPS uses VFR (Virtual Fragmentation Reassembly) to detect fragmentation attacks


Cisco IOS IPS and Out-of-Order Packets
Cisco IOS IPS supports out-of-order packets starting from the following two releases:
- Release 12.4(9)T2
- Release 12.4(11)T

- Configurable via CLI: ip inspect tcp reassembly
- Notification for packets dropped due to insufficient buffer space


Cisco Security Manager 3.1
Cisco IOS IPS Signature List View


Cisco IOS IPS and Auto Update (SDM and CSM screenshots)


Design Consideration
IOS IPS and IPS Appliances/Modules
Columns: (A) Cisco IOS IPS Release 12.4(9)T | (B) Cisco IOS IPS Release 12.4(11)T | (C) Cisco IPS 42xx sensors, IDSM2, SSM-AIP, NM-CIDS modules

Signature Format: (A) 4.x using SDF | (B) 5.x/6.0 using IDCONF | (C) 5.x/6.0 using IDCONF
Signature Updates & Tuning:
  Signatures Supported: (A, B) Subset of 1700+ signatures (depends on router model/DRAM) | (C) 1900+ signatures selected by default
  Recommended (pre-built or default) Signature Set: (A) Basic or Advanced SDF | (B) IOS-Basic or IOS-Advanced Category | (C) All signatures alarm-only
Day-Zero Anomaly Detection: (A, B) No | (C) Yes, available in 6.0 release
Transparent (L2) IPS: (A, B) Yes | (C) Yes
Rate Limiting: (A, B) No | (C) Yes
IPv6 Detection: (A, B) No | (C) Yes
Signature Event Action Proc.: (A, B) No | (C) Yes
Meta Signatures: (A, B) No | (C) Yes
Voice, Sweep & Flood Engines: (A, B) No | (C) Yes (H.225 for voice)
Event Notification: (A, B) Syslog & SDEE | (C) SDEE

IPS Solutions on Cisco ISRs
Columns: (A) Cisco IOS IPS | (B) Cisco IPS AIM | (C) Cisco NM-CIDS

Dedicated CPU/DRAM for IPS: (A) No | (B) Yes | (C) Yes
Inline and Promiscuous Detection and Mitigation: (A) Yes | (B) Yes | (C) No, promiscuous mode only
Signatures Supported: (A) Subset of 2000+ signatures, subject to available memory | (B) Full set of signatures (2200+) | (C) Full set of signatures (2200+)
Automatic Signature Updates: (A) Yes | (B) Yes | (C) Yes
Day-zero Anomaly Detection: (A) No | (B) Yes | (C) Yes
Rate Limiting: (A) No | (B) Yes | (C) Yes
Cisco Security Agent and Cisco IPS Collaboration: (A) No | (B) Yes | (C) No
Meta Event Generator: (A) No | (B) Yes | (C) Yes
Event Notification: (A) Syslog, SDEE | (B) SNMP and SDEE | (C) SNMP and SDEE
Device Management: (A) CLI, SDM | (B) IOS CLI, IDM | (C) IPS CLI, IDM
System/Network Management: (A) CSM | (B) CSM | (C) CSM
Event Monitoring and Correlation: (A) IEV, CS-MARS | (B) IEV, CS-MARS, on-box Meta Event Generator | (C) IEV, CS-MARS, on-box Meta Event Generator

Note: Only one IPS solution may be active in the router. All others must be removed or disabled.

Design Consideration
Recommendation
- New web and collateral content at http://www.cisco.com/go/iosips/
- Use the latest T Train image: 12.4(15)T2
  - Native support for Microsoft SMB and MSRPC signatures
  - Works with the WAAS Module if Zone-Based Firewall is also configured
  - Includes many bug fixes for SDM interoperability, etc.

To use IOS IPS with the WAAS (WAN Optimization) Module:
- You must use a 12.4(11)T2/T3 or 12.4(15)T2 image
- If IPS is applied on the optimized WAN interface, you must also configure Zone-Based Firewall with a zone that includes that interface
- ASR1000 introduces this fix-up in RLS 2.2 for IOS Firewall

If working with an image prior to 12.4(11)T or any Mainline image:
- Use the latest Basic (128MB.sdf) and Advanced (256MB.sdf) signature files at http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup/


Deployment Models


Enterprise Branch and HQ Profiles
Single Router Model and Dual Router Model
[Figure: Branch Office connected to Head Quarter over a Private WAN and the Internet; one branch router in the Single Router Model, two branch routers in the Dual Router Model]
Security Services (both models): Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection ACLs, IPsec VPNs

Enterprise Branch and HQ
Single Router Model
- Primary: Internet with IPsec VPN - IP VPN
- Backup: None
- Internet access is via split-tunneling
- Security Services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection ACLs
[Figure: Branch Office router connected to Head Quarter over the Internet]

Enterprise Branch and HQ Profile
Single Router Model
- Primary WAN Services: Leased line/E1/Fiber or IP VPN
- Backup: Internet (ADSL) with VPN or UMTS
- Internet access is via split-tunneling
- Failover: Routing protocol with EOT (Enhanced Object Tracking)
- Security Services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection ACLs
[Figure: Branch Office router connected to Head Quarter over a Private WAN and the Internet]

Enterprise Branch and HQ Profile
Single Router Model
- Primary WAN Services: Leased line/E1/Fiber
- Backup: Leased line/E1/Fiber
- Internet access policy enforced via Head Quarter
- Failover: Routing protocol
- Security Services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection ACLs
[Figure: Branch Office router connected to Head Quarter over a Private WAN]

Enterprise Branch and HQ Profile
Dual Router Model
- Primary WAN Services: Leased line/E1/Fiber
- Backup: Leased line/E1/Fiber
- Internet access policy enforced via Head Quarter
- Stateful Firewall (Stateful Failover)
- Security Services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection ACLs
[Figure: two Branch Office routers connected to Head Quarter over a Private WAN]


Real World Use Cases


Real World Use Cases
1. Protect the Inside LAN and DMZ at Branch Office and HQ with NetFlow Event Logging
2. Protect Servers at Branch Office and HQ
3. Virtual Firewall and IPS at the Branch Office
4. Blocking Peer-to-Peer and Instant Messaging Applications at the Branch
5. Load Balancing and Failover with two Providers
   a. Load Balancing
   b. Failover


1. Protect the Inside LAN at Branch Office with Split Tunneling Deployed
Cisco IOS Firewall and IPS Policies:
- Allow authenticated users to access corporate resources
- Restrict guest users to Internet access only
- Control peer-to-peer and instant messaging applications
- Employees can access the corporate network via an encrypted IPsec tunnel
[Figure: Branch Office Router (Advanced Firewall) with Employees 192.168.1.x/24 and Wireless Guests 192.168.2.x/24; IPsec tunnel over the Internet to Head Quarter; guests can access the Internet only; Internet traffic is inspected]

1. Firewall Configuration Snippet at Branch

Classification (the order of the match statements is important):
  class-map type inspect match-any protocols
   match protocol dns
   match protocol https
   match protocol icmp
   match protocol imap
   match protocol pop3
   match protocol tcp
   match protocol udp

Security Policy:
  policy-map type inspect firewall-policy
   class type inspect protocols
    inspect

Security Zones:
  zone security private
  zone security public

Security Zone Policy:
  zone-pair security zone-policy source private destination public
   service-policy type inspect firewall-policy
  !
  interface VLAN 1
   description private interface
   zone-member security private
  !
  interface fastethernet 0
   description public interface
   zone-member security public
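As an added example that is not code from the deck or from Cisco, the following Python script applies the consistency checks a reviewer would run over a zone-based firewall configuration such as the branch snippet above (and the HQ, DMZ, VRF and IM-blocking snippets that follow) before pushing it: every zone referenced by a zone-pair or an interface must be defined, every zone-pair needs an inspect service-policy that actually exists, every class referenced by a policy-map must exist, and every interface that carries traffic must be a zone member, because ZBF drops traffic between a zoned and an unzoned interface. The sample configuration it parses is constructed for the example and seeded with three of those mistakes; the interface names and the `dmz` zone are assumptions taken from the use case, not a real device.

```python
"""Static consistency checks for a Cisco IOS Zone-Based Firewall (ZBF) configuration.

Added example, not from the deck. The configuration below is constructed and
deliberately contains three mistakes a practitioner would want caught before deployment.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the branch snippet: the zone-pair references a policy-map
# name that was never defined, FastEthernet1 has no zone, and zone dmz has no members.
SAMPLE_CONFIG = """\
class-map type inspect match-any protocols
 match protocol dns
 match protocol https
 match protocol tcp
 match protocol udp
!
policy-map type inspect firewall-policy
 class type inspect protocols
  inspect
 class class-default
  drop log
!
zone security private
zone security public
zone security dmz
!
zone-pair security zone-policy source private destination public
 service-policy type inspect fw-policy
!
interface Vlan1
 description private interface
 zone-member security private
!
interface FastEthernet0
 description public interface
 zone-member security public
!
interface FastEthernet1
 description dmz interface
"""

# The same configuration with the three mistakes corrected.
FIXED_CONFIG = SAMPLE_CONFIG.replace("inspect fw-policy", "inspect firewall-policy").replace(
    " description dmz interface\n", " description dmz interface\n zone-member security dmz\n")


def parse_zbf(config: str) -> dict:
    """Extract zones, zone-pairs, inspect policy-maps, class-maps and interface zone membership."""
    zones: List[str] = []
    zone_pairs: Dict[str, dict] = {}
    policy_maps: Dict[str, List[str]] = {}
    class_maps: List[str] = []
    interfaces: Dict[str, Optional[str]] = {}
    section = None  # (kind, name) of the top-level block whose indented lines we are reading
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented command starts a new top-level block
            section = None
            if m := re.match(r"zone security (\S+)$", line):
                zones.append(m.group(1))
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                zone_pairs[m.group(1)] = {"source": m.group(2), "destination": m.group(3), "policy": None}
                section = ("zone-pair", m.group(1))
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                policy_maps[m.group(1)] = []
                section = ("policy-map", m.group(1))
            elif m := re.match(r"class-map type inspect (?:match-(?:any|all) )?(\S+)$", line):
                class_maps.append(m.group(1))
            elif m := re.match(r"interface (.+)$", line):
                interfaces[m.group(1)] = None
                section = ("interface", m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "zone-pair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            zone_pairs[name]["policy"] = m.group(1)
        elif kind == "policy-map" and (m := re.match(r"class type inspect (\S+)$", line)):
            policy_maps[name].append(m.group(1))
        elif kind == "interface" and (m := re.match(r"zone-member security (\S+)$", line)):
            interfaces[name] = m.group(1)
    return {"zones": zones, "zone_pairs": zone_pairs, "policy_maps": policy_maps,
            "class_maps": class_maps, "interfaces": interfaces}


def check_zbf(cfg: dict) -> List[str]:
    """Return one human-readable finding per dangling reference or unzoned interface."""
    findings: List[str] = []
    for name, zp in cfg["zone_pairs"].items():
        for role in ("source", "destination"):
            if zp[role] != "self" and zp[role] not in cfg["zones"]:
                findings.append(f"zone-pair {name}: {role} zone '{zp[role]}' is not defined")
        if zp["policy"] is None:
            findings.append(f"zone-pair {name}: no service-policy, so all traffic on this pair is dropped")
        elif zp["policy"] not in cfg["policy_maps"]:
            findings.append(f"zone-pair {name}: service-policy '{zp['policy']}' is not a defined inspect policy-map")
    for pname, classes in cfg["policy_maps"].items():
        for cname in classes:
            if cname not in cfg["class_maps"]:
                findings.append(f"policy-map {pname}: class-map '{cname}' is not defined")
    zoned = {zone for zone in cfg["interfaces"].values() if zone}
    for iface, zone in cfg["interfaces"].items():
        if zone is None:
            findings.append(f"interface {iface}: not a member of any zone, traffic to or from zoned interfaces is dropped")
        elif zone not in cfg["zones"]:
            findings.append(f"interface {iface}: zone '{zone}' is not defined")
    for zone in cfg["zones"]:
        if zone not in zoned:
            findings.append(f"zone {zone}: no interface is a member")
    return findings


if __name__ == "__main__":
    for finding in check_zbf(parse_zbf(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run it against the output of `show running-config` saved to a file; the checks are the same ones that cause a freshly applied zone policy to silently drop traffic, which is the failure mode most often mistaken for a class-map problem.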

1. Firewall Configuration Snippet at HQ

Classification:
  class-map type inspect match-any fw-class
   match protocol udp
   match protocol tcp

Security Policy:
  policy-map type inspect fw-policy
   class type inspect fw-class
    inspect log
   class class-default

NetFlow Event Logging:
  parameter-map type inspect firewall-policy
   log dropped-packets
   log flow-export v9 udp destination 1.1.28.199 2055
   log flow-export template timeout-rate 30

Security Zones:
  zone security public
  zone security dmz

Security Zone Policy:
  zone-pair security zone-policy source public destination dmz
   service-policy type inspect fw-policy
  !
  interface G0/1/0
   description public interface
   zone-member security public
  !
  interface g0/1/1
   description dmz interface
   zone-member security dmz
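The HQ snippet exports firewall events as NetFlow v9 to a collector (log flow-export v9 udp destination ... 2055) and re-sends the template every 30 minutes. As an added example that is not code from the deck or from Cisco, the following Python parser shows what the collector side of that export has to do with the v9 framing: learn templates per exporter and decode data records against them. The field types are a standard subset chosen for the example, the two flow records and the packet builder are constructed, and the real firewall export carries additional fields not modelled here; the demo also shows why a data FlowSet arriving before its template (for instance right after a collector restart, before the next template refresh) cannot be decoded.

```python
"""Minimal NetFlow v9 collector-side parser (RFC 3954 framing).

Added example, not from the deck. It decodes the template and data FlowSets an exporter
such as the IOS firewall's 'log flow-export v9' sends, and shows why templates must be
cached per exporter: data records that arrive before their template cannot be decoded.
Field types, sample flows and the exporter are a constructed subset.
"""
import socket
import struct
from typing import Dict, List, Tuple

# Standard NetFlow v9 field types (RFC 3954, section 8) used by the constructed template.
FIELD_NAMES = {8: "src_ipv4", 12: "dst_ipv4", 7: "src_port", 11: "dst_port", 4: "protocol"}
TEMPLATE_ID = 256  # lowest template id the specification allows for data templates
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]  # (field type, length in bytes)

# Constructed flow records, as a firewall at the HQ edge might export.
SAMPLE_FLOWS = [
    {"src_ipv4": "192.168.1.10", "dst_ipv4": "10.0.0.5", "src_port": 51234, "dst_port": 443, "protocol": 6},
    {"src_ipv4": "192.168.2.7", "dst_ipv4": "10.0.0.9", "src_port": 40001, "dst_port": 53, "protocol": 17},
]

TemplateCache = Dict[Tuple[int, int], List[Tuple[int, int]]]  # (source_id, template_id) -> fields


def _encode(ftype: int, length: int, value) -> bytes:
    return socket.inet_aton(value) if ftype in (8, 12) else int(value).to_bytes(length, "big")


def _decode(ftype: int, raw: bytes):
    return socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")


def build_v9_packet(flows: List[dict], seq: int, source_id: int = 0, include_template: bool = True) -> bytes:
    """Constructed exporter: an optional template FlowSet (id 0) followed by one data FlowSet."""
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
        body += b"".join(struct.pack("!HH", ftype, length) for ftype, length in TEMPLATE)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body
    data = b"".join(_encode(ftype, length, flow[FIELD_NAMES[ftype]]) for flow in flows for ftype, length in TEMPLATE)
    data += b"\x00" * (-len(data) % 4)  # FlowSets are padded to a 4-byte boundary
    flowsets += struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    count = len(flows) + (1 if include_template else 0)  # header count = templates + data records
    header = struct.pack("!HHIIII", 9, count, 123456, 1200000000, seq, source_id)
    return header + flowsets


def parse_v9_packet(packet: bytes, templates: TemplateCache) -> List[dict]:
    """Decode one export packet; `templates` is the cache shared across packets from all exporters."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    flows: List[dict] = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4:  # malformed length would otherwise loop forever
            break
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:  # template FlowSet: learn the field layout for this exporter
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[(source_id, tid)] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                               for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) in templates:  # data FlowSet with a known template
            template = templates[(source_id, fs_id)]
            record_len = sum(length for _, length in template)
            pos = 0
            while record_len and pos + record_len <= len(body):  # trailing bytes are padding
                record = {}
                for ftype, length in template:
                    record[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[pos:pos + length])
                    pos += length
                flows.append(record)
        # a data FlowSet whose template is not cached yet is skipped until the template arrives
        offset += fs_len
    return flows


def demo() -> Tuple[int, int, int]:
    """Flows decoded from: a data-only packet before any template, a packet with template, a later data-only packet."""
    cache: TemplateCache = {}
    before = len(parse_v9_packet(build_v9_packet(SAMPLE_FLOWS, seq=1, include_template=False), cache))
    with_template = len(parse_v9_packet(build_v9_packet(SAMPLE_FLOWS, seq=2), cache))
    after = len(parse_v9_packet(build_v9_packet(SAMPLE_FLOWS, seq=3, include_template=False), cache))
    return before, with_template, after


if __name__ == "__main__":
    print("flows decoded (before template, with template, after template):", demo())
```

The `(source_id, template_id)` key matters on a collector that receives from several routers: template ids are only unique per exporter, so keying the cache by template id alone would decode one router's records with another router's layout. The 30-minute `template timeout-rate` in the HQ snippet is the upper bound on how long a restarted collector discards records before it can decode again.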

1. Cisco IOS Zone-Based Firewall (SDM) for ISRs


1. IPS Configuration Snippet

a. Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
   - IOS-Sxxx-CLI.pkg
   - realm-cisco.pub.key.txt

b. Configure the Cisco IOS IPS crypto key
   mkdir ipstore   (create the directory on flash)
   Paste the crypto key from realm-cisco.pub.key.txt into the configuration

c. Cisco IOS IPS configuration
   ip ips config location flash:ipstore retries 1
   ip ips notify SDEE
   ip ips name ips-policy
   ip ips signature-category
    category all
     retired true
    category ios_ips basic
     retired false

d. Cisco IOS IPS configuration (continued): apply the policy to the interface
   interface FastEthernet0
    ip ips ips-policy in

e. Load the signatures from the TFTP server
   copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
   Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

Verify the active signature set:
   show ip ips signature count
   Total Compiled Signatures: 338   (total active compiled signatures)

1. Cisco IOS IPS Signatures and Categories (SDM) for ISRs


1. Deploying IOS Firewall Split Tunneling (CSM) on ISRs


1. Deploying IOS IPS (CSM) on ISRs


2. Protect Servers at Branch Office
Cisco IOS Firewall and IPS policies applied to the DMZ protect distributed application servers and web servers hosted at remote sites
[Figure: Branch Office Router (Advanced Firewall) with Employees 192.168.1.x/24, Wireless Guests 192.168.2.x/24 and Servers 192.168.3.14-16/24 hosted separately in a DMZ; IPsec tunnel over the Internet to Head Quarter]

2. IPS Configuration Snippet

a. Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
   - IOS-Sxxx-CLI.pkg
   - realm-cisco.pub.key.txt

b. Configure the Cisco IOS IPS crypto key
   mkdir ips5   (create the directory on flash)
   Paste the crypto key from realm-cisco.pub.key.txt into the configuration

c. Cisco IOS IPS configuration
   ip ips config location flash:ips5 retries 1
   ip ips notify SDEE
   ip ips name ips-policy
   ip ips signature-category
    category all
     retired true
    category ios_ips basic
     retired false

d. Cisco IOS IPS configuration (continued): apply the policy to the DMZ interface
   interface FastEthernet1
    description DMZ interface
    ip ips ips-policy out

e. Load the signatures from the TFTP server
   copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
   Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

Verify the active signature set:
   show ip ips signature count
   Total Compiled Signatures: 338   (total active compiled signatures)

2. Firewall Configuration Snippet

Classification:
  class-map type inspect match-all web-dmz
   match protocol http
   match access-group 199
  !
  access-list 199 permit tcp any host 192.168.10.3

Security Policy:
  policy-map type inspect firewall-policy
   class type inspect web-dmz
    inspect

Security Zones:
  zone security private
  zone security public
  zone security dmz

Security Zone Policy:
  zone-pair security zone-policy source public destination dmz
   service-policy type inspect firewall-policy
  !
  interface VLAN 1
   description private interface
   zone-member security private
  !
  interface fastethernet 0
   description public interface
   zone-member security public
  !
  interface fastethernet 1
   description dmz interface
   zone-member security dmz

3. Virtual Firewall and IPS
Cisco IOS Firewall, NAT, and URL-filtering policies are virtual route forwarding (VRF) aware, providing support for overlapping address space, which simplifies troubleshooting and operations
[Figure: Store Router (Advanced Firewall) with Photo Shop 192.168.1.x/24, Retail Store Cash Register 192.168.2.x/24 and Internet Services 192.168.2.x/24 in separate VRFs (VRF A, VRF B, VRF C), supporting the overlapping address space; separate IPsec tunnels over the Internet carry Photo Shop traffic to the Photo Shop Head Quarter and Retail Store traffic to the Retail Store Head Quarter]

3. Firewall Configuration Snippet

Classification:
  class-map type inspect match-any retail-hq
   match protocol ftp
   match protocol http
   match protocol smtp extended
  class-map type inspect match-any hq-retail
   match protocol smtp extended
  class-map type inspect match-any photo-hq
   match protocol http
   match protocol rtsp
  class-map type inspect match-any hq-photo
   match protocol h323

Security Policy:
  policy-map type inspect retail-hq
   class type inspect retail-hq
    inspect
   class class-default
    drop log

Security Policy (Continued):
  policy-map type inspect hq-retail
   class type inspect hq-retail
    inspect
   class class-default
    drop log
  policy-map type inspect photo-hq
   class type inspect photo-hq
    inspect
   class class-default
    drop log
  policy-map type inspect hq-photo
   class type inspect hq-photo
    inspect
   class class-default
    drop log

3. Deployed Firewall Configuration Snippet (SDM)


4. Blocking Peer-to-Peer and Instant Messaging Applications
Cisco IOS Firewall can block/rate-limit instant messaging (IM) applications like MSN, AOL and Yahoo.
[Figure: Branch Office Router (Advanced Firewall) blocking the instant messengers (e.g. MSN) for Employees 192.168.1.x/24, Wireless Guests 192.168.2.x/24 and Servers 192.168.3.14-16/24; IPsec tunnel over the Internet to Head Quarter]

4. Firewall Configuration Snippet

Security Zones:
  zone security retail-LAN
  zone security retail-VPN
  zone security photo-LAN
  zone security photo-VPN

Security Zone Policy:
  zone-pair security retail-VPN source retail-LAN destination retail-VPN
  zone-pair security VPN-retail source retail-VPN destination retail-LAN
  zone-pair security photo-VPN source photo-LAN destination photo-VPN
  zone-pair security VPN-photo source photo-VPN destination photo-LAN

Virtualization (Virtual Routing and Forwarding):
  interface FastEthernet0/1.10
   encapsulation dot1Q 10
   ip vrf forwarding retail
   zone-member security retail-LAN
  !
  interface Tunnel0
   ip vrf forwarding retail
   zone-member security retail-VPN
  !
  interface FastEthernet0/1.20
   encapsulation dot1Q 20
   ip vrf forwarding photo
   zone-member security photo-LAN
  !
  interface Tunnel1
   ip vrf forwarding photo
   zone-member security photo-VPN

4. Deployed Firewall Configuration Snippet

Servers List:
  parameter-map type protocol-info msn-servers
   server name messenger.hotmail.com
   server name gateway.messenger.hotmail.com
   server name webmessenger.msn.com
  parameter-map type protocol-info aol-servers
   server name login.oscar.aol.com
   server name toc.oscar.aol.com
   server name oam-d09a.blue.aol.com

Classification:
  class-map type inspect match-any IM
   match protocol msnmsgr msn-servers
   match protocol aol aol-servers
  class-map type inspect match-all IMs
   match class-map IM

IM-Blocking Policy:
  policy-map type inspect IM-blocking
   class type inspect IMs
    drop log

Security Zones:
  zone security public
  zone security private

Zone Policy:
  zone-pair security IM-Zone-policy source private destination public
   service-policy type inspect IM-blocking
  !
  interface VLAN 1
   description private interface
   zone-member security private
  !
  interface fastethernet 0
   description public interface
   zone-member security public

4. Blocking Instant Messaging MSN/AOL (SDM)


5a. Load Balancing with Two Providers
Cisco IOS Firewall supports WAN load balancing
- WAN Load Balancing
- Multi-Home NAT
- Destination Based Load Balancing
- Zone Based Firewall
[Figure: Branch Office Router (Advanced Firewall) connected to ISP-1 and ISP-2; Employees 192.168.1.x/24, Wireless Guests 192.168.2.x/24 and Servers 192.168.3.14-16/24; IPsec tunnel over the Internet to Head Quarter]

5a. Configuration Snippet

Classification:
  class-map type inspect match-any internet
   match protocol http
   match protocol https
   match protocol dns
   match protocol smtp
   match protocol icmp
  !
  policy-map type inspect private
   class type inspect internet
    inspect
   class class-default

WAN Load Balancing Configs:
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip route 0.0.0.0 0.0.0.0 Dialer0
  !
  ip nat inside source route-map dsl0 interface Dialer0 overload
  ip nat inside source route-map dsl1 interface Dialer1 overload

WAN Load Balancing Configs (Con't):
  route-map dsl1 permit 10
   match ip address 121
   match interface Dialer1
  route-map dsl0 permit 10
   match ip address 120
   match interface Dialer0
  !
  access-list 120 permit ip 192.168.10.0 0.0.0.255 any
  access-list 121 permit ip 192.168.10.0 0.0.0.255 any

Policy Based Routing:
  route-map IPSEC permit 10
   match ip address 128
   match interface Dialer1
  !
  access-list 128 permit esp 192.168.10.0 0.0.0.255 any

5a. Configuration Snippet

Security Zones Configs:
  zone security trust
  zone security untrust
  zone-pair security firewall source trust destination untrust
   service-policy type inspect private

Interface Configs:
  interface Dialer0
   zone-member security untrust
   ip nat outside
  !
  interface Dialer1
   zone-member security untrust
   ip nat outside
  !
  interface BVI1
   zone-member security trust
   ip nat inside

5b. Failover with Two Providers
WAN Object Tracking
- WAN Failover
- Object Tracking
- Fail Over
- Zone Based Firewall
[Figure: Branch Office Router (Advanced Firewall) connected to ISP-1 and ISP-2; Employees 192.168.1.x/24, Wireless Guests 192.168.2.x/24 and Servers 192.168.3.14-16/24; IPsec tunnel over the Internet to Head Quarter]

5b. Configuration Snippet— Private Zone Policy

Tracking Configuration (Object Tracking):
  track timer interface 5
  !
  track 123 rtr 1 reachability
   delay down 15 up 10
  !
  ip sla 1
   icmp-echo 172.16.1.1 source-interface Dialer0
   timeout 1000
   threshold 40
   frequency 3
  ip sla schedule 1 life forever start-time now

Interface Configurations:
  interface Dialer0
   description WAN-Backup interface
   ip address negotiated
   ip nat outside
  !
  interface FastEthernet0
   description WAN-1 Interface
   ip address dhcp
   ip nat outside
   ip dhcp client route track 123

NAT Configuration:
  ip nat inside source route-map fixed-nat interface Dialer0 overload
  ip nat inside source route-map dhcp-nat interface FastEthernet0 overload
  !
  route-map fixed-nat permit 10
   match ip address 110
   match interface Dialer0
  !
  route-map dhcp-nat permit 10
   match ip address 110
   match interface FastEthernet0

5b. Configuration Snippet— Private Zone Policy

NAT Configuration (Con't):
  access-list 110 permit ip 192.168.108.0 0.0.0.255 any

Routing Configuration:
  ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
  ip route 0.0.0.0 0.0.0.0 dhcp 10

Classification:
  class-map type inspect match-any internet
   match protocol http
   match protocol https
   match protocol dns
   match protocol smtp
   match protocol icmp
  !
  policy-map type inspect private
   class type inspect internet
    inspect
   class class-default

Security Zones Configs:
  zone security trust
  zone security untrust
  zone-pair security firewall source trust destination untrust
   service-policy type inspect private
  !
  interface FastEthernet0
   description WAN-Interface
   zone-member security untrust
  !
  interface Dialer0
   description Backup-Interface
   zone-member security untrust
  !
  interface Vlan1
   zone-member security trust
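As an added example that is not code from the deck or from Cisco, this Python simulation models the failover mechanism the 5b configuration relies on: `track 123 rtr 1 reachability` with `delay down 15 up 10`, driven by the `ip sla 1` ICMP probe every 3 seconds, and the two static default routes (the tracked route, and the floating static with administrative distance 10 that takes over when the track is down). Interface names follow the snippet, the probe results are constructed, and the state machine is a simplified model of IOS behaviour written for this example, not Cisco's implementation.

```python
"""Simulation of IOS enhanced object tracking with dampening delays and default-route failover.

Added example, not from the deck. Models 'track 123 rtr 1 reachability' with
'delay down 15 up 10', fed by an 'ip sla' probe every 3 seconds, and shows which static
default route is active. Interface names and probe results are constructed.
"""
from typing import List, Optional, Tuple

PROBE_FREQUENCY = 3  # 'frequency 3' in the ip sla configuration


class TrackedObject:
    """State machine for a reachability track with 'delay down <D> up <U>' dampening.

    A change of the probe result starts the matching delay timer; the tracked state only
    changes if the new result persists for the whole delay. Short blips are therefore
    absorbed and the routing table is not churned.
    """

    def __init__(self, delay_down: int, delay_up: int, initial: str = "up") -> None:
        self.delay_down = delay_down
        self.delay_up = delay_up
        self.state = initial
        self._pending: Optional[str] = None        # candidate state waiting out its delay
        self._pending_since: Optional[int] = None

    def observe(self, now: int, reachable: bool) -> str:
        target = "up" if reachable else "down"
        if target == self.state:                   # probe agrees with tracked state: cancel any timer
            self._pending = self._pending_since = None
            return self.state
        if self._pending != target:                # first disagreeing probe: start the delay timer
            self._pending, self._pending_since = target, now
        delay = self.delay_down if target == "down" else self.delay_up
        if now - self._pending_since >= delay:     # timer expired: commit the new state
            self.state = target
            self._pending = self._pending_since = None
        return self.state


def active_default_route(track_state: str) -> Tuple[str, int]:
    """Default route IOS installs: lowest administrative distance among the installable candidates."""
    routes = [  # (exit interface, AD, installable?); names taken from the snippet
        ("Dialer0", 1, track_state == "up"),  # ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
        ("FastEthernet0", 10, True),          # ip route 0.0.0.0 0.0.0.0 dhcp 10 (floating static)
    ]
    ad, iface = min((ad, iface) for iface, ad, installable in routes if installable)
    return iface, ad


def constructed_probes() -> List[Tuple[int, bool]]:
    """Probe results every 3 s for 60 s: a two-probe blip at t=9..12, then an outage from t=18 to t=36."""
    return [(t, not (9 <= t <= 12 or 18 <= t <= 36)) for t in range(0, 61, PROBE_FREQUENCY)]


def simulate(probes: List[Tuple[int, bool]], delay_down: int = 15, delay_up: int = 10) -> List[Tuple[int, str, str]]:
    """Return (time, tracked state, active default-route interface) for every probe."""
    track = TrackedObject(delay_down, delay_up)
    timeline = []
    for now, reachable in probes:
        state = track.observe(now, reachable)
        iface, _ = active_default_route(state)
        timeline.append((now, state, iface))
    return timeline


def transitions(timeline: List[Tuple[int, str, str]]) -> List[Tuple[int, str]]:
    """Times at which the tracked state changed, with the new state."""
    changes, last = [], None
    for now, state, _ in timeline:
        if state != last and last is not None:
            changes.append((now, state))
        last = state
    return changes


if __name__ == "__main__":
    for now, state, iface in simulate(constructed_probes()):
        print(f"t={now:2d}s track={state:4s} default route via {iface}")
    print("transitions:", transitions(simulate(constructed_probes())))
```

With the snippet's delays the two-probe blip never reaches the routing table, the outage starting at t=18 fails over at t=33 (15 s later) and the recovery starting at t=39 fails back at t=51 (10 s later); with both delays set to zero the same probe series produces four route changes instead of two, which is the flapping the `delay` keywords exist to prevent.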

Case Study


Education—Centralized Deployment
[Figure: three schools connected over T1 links and a Private WAN to a central district router; Internet access and URL Filtering provided centrally]
- Apply Intrusion Prevention System (IPS) on traffic from schools to kill worms from infected PCs

Education—Decentralized Deployment
[Figure: schools connected over T1 links and a Private WAN to the District School Building, each with its own DSL Internet access (backup DSL) and URL Filtering; illegal surfing controlled at the school]
- Apply IPS on traffic from schools to kill worms from infected PCs
- Secure Internet: advanced Layer 3-7 firewall, web usage control

Summary


Summary
- There is an established and increasing trend toward integrated services in the routing industry
- The Integrated Services Edge has become a more common deployment than a distributed architecture
- Cisco IOS network security technologies enable new business applications by reducing risk, as well as helping to protect sensitive data and corporate resources from intrusion
- Consolidation of branch office equipment to lower OPEX is giving rise to integrated security, as is evident from the real world use cases

Q and A


Recommended Reading
- Continue your Cisco Live learning experience with further reading from Cisco Press
- Check the Recommended Reading flyer for suggested books
- Available onsite at the Cisco Company Store

Complete Your Online Session Evaluation
- Give us your feedback and you could win fabulous prizes. Winners announced daily.
- Receive 20 Passport points for each session evaluation you complete.
- Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
- Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.

Appendix


Cisco Security Router Certifications
Certifications: FIPS 140-2, Level 2 | Common Criteria IPsec (EAL4) | Common Criteria Firewall (EAL4)
Platforms: Cisco 870 ISR, Cisco 1800 ISR, Cisco 2800 ISR, Cisco 3800 ISR, Cisco 7200 VAM2+, Cisco 7200 VSA, Cisco 7301 VAM2+, Cisco 7600 IPsec VPN SPA, Cisco ASR1000 Series, Catalyst 6500 IPsec VPN SPA, Cisco 7600
Target dates listed on the slide: Q3CY07 Q3CY07 Q3CY07 Q3CY07 Q3CY07, Q4CY07, Q3CY07 Q3CY07 Q3CY07, ---, --CY08 ---, CY08, CY08 Q3CY07 Q3CY07
Cisco.com/go/securitycert

Cisco IOS Network Foundation Protection
Feature: Function and Benefit

Data Plane
- NetFlow: Macro-level, anomaly-based DDoS detection through counting the number of flows (instead of contents); provides rapid confirmation and isolation of attack
- Access Control Lists (ACLs): Protect edge routers from malicious traffic; explicitly permit the legitimate traffic that can be sent to the edge router's destination address
- Flexible Packet Matching (FPM): Next generation "Super ACL"; pattern matching capability for more granular and customized packet filters, minimizing inadvertent blocking of legitimate business traffic
- Unicast Reverse Path Forwarding (uRPF): Mitigates problems caused by the introduction of malformed or spoofed IP source addresses into either the service provider or customer network
- Remotely Triggered Black Holing (RTBH): Drops packets based on source IP address; filtering is at line rate on most capable platforms. Hundreds of lines of filters can be deployed to multiple routers even while the attack is in progress
- QoS Tools: Protects against flooding attacks by defining QoS policies to limit bandwidth or drop offending traffic (identify, classify and rate limit)

Control Plane
- Receive ACLs: Control the type of traffic that can be forwarded to the processor
- Control Plane Policing: Provides QoS control for packets destined to the control plane of the routers; ensures adequate bandwidth for high-priority traffic such as routing protocols
- Routing Protection: MD5 neighbor authentication protects the routing domain from spoofing attacks; redistribution protection safeguards the network from excessive conditions; overload protection (e.g. prefix limits) enhances routing stability

Management Plane
- CPU and Memory Thresholding: Protects CPU and memory of the Cisco IOS Software device against DoS attacks
- Dual Export Syslog: Syslog exported to dual collectors for increased availability