Troubleshooting Cisco IOS Security Features (BRKSEC-3007)

Agenda

- Troubleshooting Cisco IOS Firewall
  - Cisco IOS Firewall Overview
  - Cisco IOS Firewall Packet Flow
  - Cisco IOS Firewall Troubleshooting
  - Common Issues and Resolutions
  - Summary
- Zone Based Firewall Troubleshooting Example
- Troubleshooting Cisco IOS Intrusion Prevention System
  - Cisco IOS IPS Overview
  - Cisco IOS IPS Packet Flow
  - Cisco IOS IPS Troubleshooting
  - Common Issues and Resolutions
  - Summary

© 2010 Cisco and/or its affiliates. All rights reserved.

What is Not Covered

- Troubleshooting firewalls on PIX/ASA and FWSM: BRKSEC-3020: Advanced Firewalls
- IPS appliance troubleshooting: BRKSEC-3030: Advanced Intrusion Prevention Systems
- VPN: BRKSEC-3011: Troubleshooting GET VPN; BRKSEC-3012: Troubleshooting DMVPN; NRLSEC-3013: Troubleshooting Remote Access SSL VPN

Cisco IOS Firewall Overview


Zone-Based Policy Firewall Overview

Introduced in Cisco IOS 12.4(6)T

- Allows grouping of physical and virtual interfaces into zones
- Firewall policies are applied to traffic traversing zones
- Simple to add or remove interfaces and integrate them into the firewall policy

Supported features:
- Stateful inspection
- Application inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP
- URL filtering
- Per-policy parameters
- Transparent firewall
- VRF-aware firewall

[Diagram: a Trusted zone on E0, an Untrusted zone on S0 toward the Internet, and a DMZ zone, with Private-DMZ, DMZ-Private, Public-DMZ and Private-Public policies applied between the zones.]

Zone-Based Policy Firewall Configuration

! Define services inspected by policy
class-map type inspect match-any myprotocol
 match protocol smtp
 match protocol ftp
 match protocol http
!
! Services combined with an ACL to define permitted/denied hosts (optional)
class-map type inspect match-all myclass
 match access-group 102
 match class-map myprotocol
!
! Define firewall action for traffic
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
!
! Set up zones
zone security private
zone security public
!
! Establish the zone-pair and apply the policy
zone-pair security priv-pub source private destination public
 service-policy type inspect mypolicy
!
! Assign interfaces to zones
interface Ethernet0
 zone-member security private
interface Serial0
 zone-member security public
!
access-list 102 permit ip 192.168.0.0 0.0.255.255 any

Cisco IOS Firewall Packet Flow


Understanding the Packet Flow

- The end-to-end packet path must be identified
- Narrow down the issue to the device level
- Determine the packet flow based on source IP, destination IP, source port, destination port and protocol
- Determine the interfaces/zones through which the flow passes
- Then perform a systematic walk of the packet flow through the device, based on the features configured

[Diagram: sample packet IP S: a.b.c.1, D: d.e.f.1, Proto: 17 (UDP); UDP S: xxxx, D: yyy; PAYLOAD. The five-tuple (source a.b.c.1, destination d.e.f.1, source port xxxx, destination port yyy, protocol UDP) narrows the flow to two of the router's three interfaces (Fa 0/0, Fa 1/0, Fa 2/0): source interface Fa 0/0, destination interface Fa 1/0.]
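One way to do the "systematic walk" in code, as an added example that is not part of the original deck: it parses the zone-based firewall configuration from the configuration slide on this page, determines the zones of the ingress and egress interfaces, finds the zone-pair and its policy, and evaluates the class-map (including the nested class-map and the numbered ACL) for a five-tuple. The port map for the "match protocol" keywords, the "ip"-only ACL handling, the default zone rules as stated in the comment, and the flow dictionaries are assumptions of the example.

```python
import ipaddress

# Constructed input: the ZBF configuration shown on this page. The walker is added example code, not
# Cisco's: it models the default zone rules (same zone passes, an interface outside any zone cannot
# reach a zone member, zones without a zone-pair drop, class-default drops), "match protocol" via
# the assumed port map below, and numbered ACL entries for protocol "ip" only.
ZBF_CONFIG = """\
class-map type inspect match-any myprotocol
 match protocol smtp
 match protocol ftp
 match protocol http
class-map type inspect match-all myclass
 match access-group 102
 match class-map myprotocol
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect mypolicy
interface Ethernet0
 zone-member security private
interface Serial0
 zone-member security public
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
"""
PROTOCOL_PORTS = {"smtp": ("tcp", 25), "ftp": ("tcp", 21), "http": ("tcp", 80)}  # assumed
OPENERS = {"interface": 1, "zone-pair": 2, "class-map": 4, "policy-map": 3}      # index of the block name

def parse_config(text):
    cfg = {"members": {}, "pairs": {}, "classes": {}, "policies": {}, "acls": {}}
    kind = name = cls = None
    for line in filter(str.strip, text.splitlines()):
        w = line.split()
        if not line.startswith(" "):                      # top-level command opens a new block
            kind = w[0] if w[0] in OPENERS else None
            name = w[OPENERS[kind]] if kind else None
            if kind == "zone-pair":
                cfg["pairs"][name] = {"src": w[4], "dst": w[6]}
            elif kind == "class-map":
                cfg["classes"][name] = {"mode": w[3], "terms": []}
            elif kind == "policy-map":
                cfg["policies"][name] = {}
            elif w[0] == "access-list":
                cfg["acls"].setdefault(w[1], []).append(w[2:])
        elif kind == "interface" and w[0] == "zone-member":
            cfg["members"][name] = w[2]
        elif kind == "zone-pair" and w[0] == "service-policy":
            cfg["pairs"][name]["policy"] = w[3]
        elif kind == "class-map" and w[0] == "match":
            cfg["classes"][name]["terms"].append(w[1:])
        elif kind == "policy-map" and w[0] == "class":    # "class type inspect X" or "class class-default"
            cls = w[-1]
            cfg["policies"][name][cls] = None
        elif kind == "policy-map":                        # action line: inspect / pass / drop
            cfg["policies"][name][cls] = w[0]
    return cfg

def _addr(t, i):
    """ACL address spec at t[i] (any | host A | A WILDCARD) -> (predicate, index after it)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        return (lambda ip, h=t[i + 1]: ip == h), i + 2
    net, care = int(ipaddress.IPv4Address(t[i])), ~int(ipaddress.IPv4Address(t[i + 1])) & 0xFFFFFFFF
    return (lambda ip: int(ipaddress.IPv4Address(ip)) & care == net & care), i + 2

def acl_permits(entries, src, dst):
    for t in entries:                                     # first matching entry wins; implicit deny
        src_ok, i = _addr(t, 2)
        dst_ok, _ = _addr(t, i)
        if src_ok(src) and dst_ok(dst):
            return t[0] == "permit"
    return False

def class_matches(cfg, cname, flow):
    cls = cfg["classes"][cname]
    checks = {
        "protocol": lambda v: PROTOCOL_PORTS.get(v) == (flow["proto"], flow["dport"]),
        "access-group": lambda v: acl_permits(cfg["acls"][v], flow["src"], flow["dst"]),
        "class-map": lambda v: class_matches(cfg, v, flow),
    }
    results = [checks[k](v) for k, v in cls["terms"]]
    return all(results) if cls["mode"] == "match-all" else any(results)

def walk_flow(cfg, flow):
    # Verdict for the first packet of a flow entering on in_if and leaving on out_if; return
    # traffic of an inspected session is admitted by the state table and is not modelled.
    src_zone, dst_zone = cfg["members"].get(flow["in_if"]), cfg["members"].get(flow["out_if"])
    if src_zone == dst_zone:                              # same zone, or both outside the zone model
        return {"verdict": "pass", "reason": f"both interfaces in zone {src_zone}"}
    if src_zone is None or dst_zone is None:
        return {"verdict": "drop", "reason": "zone member to/from an interface outside any zone"}
    pair = next((n for n, p in cfg["pairs"].items() if (p["src"], p["dst"]) == (src_zone, dst_zone)), None)
    if pair is None:
        return {"verdict": "drop", "reason": f"no zone-pair from {src_zone} to {dst_zone}"}
    policy = cfg["pairs"][pair]["policy"]
    for cname, action in cfg["policies"][policy].items():
        if cname == "class-default" or class_matches(cfg, cname, flow):
            return {"verdict": action or "drop", "reason": f"zone-pair {pair}, policy {policy}, class {cname}"}
    return {"verdict": "drop", "reason": f"zone-pair {pair}: no class matched, implicit class-default drop"}

CFG = parse_config(ZBF_CONFIG)
```

With the page's configuration, an HTTP flow from 192.168.1.10 entering on Ethernet0 and leaving on Serial0 is inspected by myclass, the same flow from 10.1.1.1 falls through every class and is dropped, and anything arriving on Serial0 toward Ethernet0 is dropped because no zone-pair exists in that direction; that last reason is worth checking first whenever a flow "works one way only".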

General Packet Flow

[Flowchart summary.] Inbound, on the input interface: inbound ACL; stateless IPS; IPsec packet? If yes, the packet is decrypted and the decrypted packet re-enters at the inbound ACL and stateless IPS; then authentication proxy, NAT before routing, and routing. Outbound: NAT after routing; IOS Firewall inspection; stateful IPS on the output interface; outbound ACL on the output interface; IPsec packet? If yes, the packet is encrypted; then fragmentation.

Cisco IOS Firewall Troubleshooting


The Problem Solving Process

- Assess: what's going on; prioritize; ask the right questions to better define and clarify the problem
- Acquire: what information do we need but don't have? How do we get that information?
- Analyze: understand the flow; what's supposed to happen vs. what actually happened
- Act: test assumptions; deploy changes

IOS Firewall Troubleshooting Tools

Syslog

Show commands

Packet capture

Debug commands


Syslog

- The most effective troubleshooting tool available for the Zone-Based Policy Firewall
- Tool for alerting and audit trail
- Tool to help identify packets dropped by the firewall
- Tool for capturing debug command output
- Use of a syslog server is strongly recommended when deploying firewall solutions

Syslog: Dissection of a Syslog Message

Symptom: a user complains that he is unable to browse to a web server at 172.16.1.100.

Searching the syslog server for the server address:

EC-SUN[100]# grep "172.16.1.100"
Jul 26 13:58:16 200.1.1.1 2167: Jul 26 18:02:34.907 UTC: %APPFW-4-HTTP_JAVA_APPLET: HTTP Java Applet detected - resetting session 172.16.1.100:80 10.1.1.100:3372 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic

Fields of interest in the message:
- "HTTP Java Applet detected": cause of the reset
- publicPrivateOut: name of the zone-pair
- myClassMap: class-map name
- HttpAic: AIC (application inspection) policy name

Syslog: Check for Packet Drops

Classic IOS Firewall (CBAC): configure "ip inspect log drop-pkt" to help identify packets dropped by the firewall and the drop reason
- Feature introduced in 12.3(8)T
- Rate limited at 30-second intervals

Router(config)# ip inspect log drop-pkt
Router#
*Mar 25 19:21:27.811: %FW-6-DROP_PKT: Dropping tcp session 1.1.1.20:0 2.1.1.2:0 due to Invalid Header length with ip ident 7205
*Mar 25 19:30:23.131: %FW-6-DROP_PKT: Dropping tcp session 1.1.1.20:59807 2.1.1.2:23 due to RST inside current window with ip ident 14992 tcpflags 0x5004 seq.no 7916131 ack 1538156964

Syslog: Common Packet Drop Reasons

- Invalid Header length: the datagram is so small that it could not contain the layer 4 TCP, User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) header
- Segment matching no TCP connection: a non-initial TCP segment is received without a valid session
- Invalid Seq#: the packet contains an invalid TCP sequence number
- Invalid Ack (or no Ack): the packet contains an invalid TCP acknowledgement number
- SYN inside current window: a synchronization packet is seen within the window of an already established TCP connection
- Out-Of-Order Segment: the TCP packet received is out of order
- Stray Segment: a TCP segment is received that should not have been received through the TCP state machine, such as a TCP SYN packet being received in the listen state
- Invalid Window scale option: the TCP responder proposes an illegal window scale option when the initiator does not offer the window scale option
- RST inside current window: a reset (RST) packet is observed within the window of an already established TCP connection
- SYN with data or with PSH/URG flags: a TCP SYN packet is seen with data

Syslog Alert and Audit Trail

Check the syslog for firewall alerts that may indicate potential hostile events:

*Jun 26 04:05:59.803: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (10) exceeded for host 2.1.1.2 current 1-min rate: 173
*Jun 26 04:07:04.347: %FW-4-ALERT_ON: getting aggressive, count (101/100) current 1-min rate: 173
*Jun 26 04:07:04.347: %FW-4-ALERT_OFF: calming down, count (99/100)

Audit trail for session establishment and tear-down:

*Jun 26 03:47:36.879: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (1.1.1.2:11081) -- responder (2.1.1.2:23)
*Jun 26 03:47:52.843: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (1.1.1.2:11081) sent 63 bytes -- responder (2.1.1.2:23) sent 96581 bytes
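Parsing these messages programmatically is what turns a syslog server into the audit trail and drop report the slides describe. The following is an added example, not code from the deck: it takes the %FACILITY-SEVERITY-MNEMONIC header that survives any syslog relay prefix, then pulls the zone-pair, class-map and AIC policy out of APPFW resets, the reason and IP identification out of %FW-6-DROP_PKT, the host and rate out of half-open alerts, and the byte counts out of the audit-trail stop message. The sample log is constructed from the lines quoted on this page (the dissection, drop-pkt, alert and audit-trail slides); the summary function groups what a troubleshooter looks at first.

```python
import re
from collections import Counter

# Constructed sample: the syslog lines quoted on this page, one per line.
# Parser and summary are added example code, not Cisco's.
SAMPLE_LOG = """\
Jul 26 13:58:16 200.1.1.1 2167: Jul 26 18:02:34.907 UTC: %APPFW-4-HTTP_JAVA_APPLET: HTTP Java Applet detected - resetting session 172.16.1.100:80 10.1.1.100:3372 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic
*Mar 25 19:21:27.811: %FW-6-DROP_PKT: Dropping tcp session 1.1.1.20:0 2.1.1.2:0 due to Invalid Header length with ip ident 7205
*Mar 25 19:30:23.131: %FW-6-DROP_PKT: Dropping tcp session 1.1.1.20:59807 2.1.1.2:23 due to RST inside current window with ip ident 14992 tcpflags 0x5004 seq.no 7916131 ack 1538156964
*Jun 26 04:05:59.803: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (10) exceeded for host 2.1.1.2 current 1-min rate: 173
*Jun 26 03:47:52.843: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (1.1.1.2:11081) sent 63 bytes -- responder (2.1.1.2:23) sent 96581 bytes
"""

# %FACILITY-SEVERITY-MNEMONIC: body  (the part that survives any syslog relay prefix)
MNEMONIC = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<body>.*)$")

# Body patterns for the message types shown on this page.
BODY_PATTERNS = [
    re.compile(r"Dropping (?P<proto>\w+) session (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
               r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"),
    re.compile(r"resetting session (?P<server>[\d.]+):(?P<sport>\d+) (?P<client>[\d.]+):(?P<cport>\d+) "
               r"on zone-pair (?P<zone_pair>\S+) class (?P<class_map>\S+) appl-class (?P<appl_class>\S+)"),
    re.compile(r"Max tcp half-open connections \((?P<limit>\d+)\) exceeded for host (?P<host>[\d.]+) "
               r"current 1-min rate: (?P<rate>\d+)"),
    re.compile(r"Stop (?P<proto>\w+) session: initiator \((?P<initiator>[\d.:]+)\) sent (?P<init_bytes>\d+) bytes "
               r"-- responder \((?P<responder>[\d.:]+)\) sent (?P<resp_bytes>\d+) bytes"),
]


def parse_line(line):
    """Return a dict for a recognised IOS firewall message, or None for any other line."""
    m = MNEMONIC.search(line)
    if not m:
        return None
    rec = {"facility": m["facility"], "severity": int(m["severity"]), "mnemonic": m["mnemonic"]}
    for pat in BODY_PATTERNS:
        d = pat.search(m["body"])
        if d:
            rec.update({k: int(v) if v.isdigit() else v for k, v in d.groupdict().items()})
            break
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def summarize(records):
    """The three things to look at first: why packets are dropped, which AIC policy is resetting
    sessions (zone-pair, class-map, appl-class), and which hosts tripped the half-open alert."""
    drops, resets, hosts = Counter(), Counter(), []
    for r in records:
        if r["mnemonic"] == "DROP_PKT":
            drops[r["reason"]] += 1
        elif r["facility"] == "APPFW":
            resets[(r["zone_pair"], r["class_map"], r["appl_class"], r["mnemonic"])] += 1
        elif r["mnemonic"] == "HOST_TCP_ALERT_ON":
            hosts.append((r["host"], r["limit"], r["rate"]))
    return {"drops_by_reason": dict(drops), "resets_by_policy": dict(resets), "half_open_alerts": hosts}


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

Keying the resets on (zone-pair, class-map, appl-class) is what the dissection slide asks for: it points straight at the policy-map entry whose reset action has to be reviewed.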

Show Commands

- Used to display configuration, connection and statistics information
- Most problems can be diagnosed with syslog and show commands
- Show commands differ between the Classic Cisco IOS Firewall and the Zone-Based Policy Firewall

Show Commands: Zone-Based Firewall

To display zones and member interfaces:

show zone security [zone-name]

To display zone-pair information:

Router# show zone-pair security source private destination public
Zone-pair name priv-pub
    source-Zone private  Destination-Zone public
    service-policy priv-pub-pol

To show policy statistics and sessions:

show policy-map type inspect { <policy name> [class <class name>] | zone-pair [<zone-pair name>] [sessions | urlfilter cache] }

Show Commands: Zone-Based Firewall

To display the firewall statistics:

Router# show policy-map type inspect zone-pair
 policy exists on zp priv-pub
  Zone-pair: priv-pub
  Service-policy inspect : firewall-pmap
    Class-map: L4-inspect-class (match-any)
      Match: protocol tcp
        1 packets, 24 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [44:0]
        Session creations since subsystem startup or last reset 1
        Current session counts (estab/half-open/terminating) [1:0:0]
        Maxever session counts (estab/half-open/terminating) [1:1:0]
        Last session created 00:00:40
        Last statistic reset never
        Last session creation rate 1
        Maxever session creation rate 1
        Last half-open session total 0
    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

Show Commands: Zone-Based Firewall

To display the firewall sessions:

Router# show policy-map type inspect zone-pair sessions
 policy exists on zp priv-pub
  Zone-pair: priv-pub
  Service-policy inspect : firewall-pmap
    Class-map: L4-inspect-class (match-any)
      Match: protocol tcp
        1 packets, 24 bytes
        30 second rate 0 bps
      Inspect
        Number of Established Sessions = 1
        Established Sessions
          Session 5346C90 (1.1.1.20:44181)=>(2.1.1.2:23) tcp SIS_OPEN
            Created 00:09:22, Last heard 00:09:17
            Bytes sent (initiator:responder) [46:119]
    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

How to Use Packet Captures for Troubleshooting Firewall Issues

Typical problem scenario: application X fails when going through the firewall.

[Diagram: Client on the Inside, the firewall, the Internet on the Outside, the Server; a capture point on each side of the firewall.]

- Set up the capture filter for the flow in question
- Start packet capture on both the inside and the outside of the firewall
- Start the application that's failing
- Compare the packet captures to look for packet drops and match them up with the firewall logs
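The comparison in the last step, as an added example that is not part of the original deck. The two captures (summarised as one dict per packet) and the translated source address 200.1.1.1 are constructed; the two %FW-6-DROP_PKT lines are the ones quoted on the drop-pkt slide of this page. Packets are keyed on the IP identification field rather than on the 5-tuple because the identification survives NAT, which is also why the firewall logs "ip ident" in its drop messages.

```python
import re

# Constructed inside and outside captures, summarised as one dict per packet, plus the two
# %FW-6-DROP_PKT lines quoted on this page. Added example code, not Cisco's.
INSIDE = [
    {"ident": 3001, "proto": "tcp", "src": "1.1.1.20", "dst": "2.1.1.2", "sport": 59807, "dport": 23},
    {"ident": 7205, "proto": "tcp", "src": "1.1.1.20", "dst": "2.1.1.2", "sport": 0, "dport": 0},
    {"ident": 14992, "proto": "tcp", "src": "1.1.1.20", "dst": "2.1.1.2", "sport": 59807, "dport": 23},
    {"ident": 3002, "proto": "udp", "src": "1.1.1.20", "dst": "2.1.1.2", "sport": 4444, "dport": 53},
    {"ident": 3003, "proto": "tcp", "src": "1.1.1.20", "dst": "2.1.1.2", "sport": 59808, "dport": 23},
]
# Outside the firewall the source address is translated (assumed NAT to 200.1.1.1), so a 5-tuple
# comparison would not line up. The 16-bit IP identification survives NAT, so the comparison keys
# on (ident, protocol, destination); keep the capture window short, since ident wraps.
OUTSIDE = [
    {"ident": 3001, "proto": "tcp", "src": "200.1.1.1", "dst": "2.1.1.2", "sport": 59807, "dport": 23},
    {"ident": 3002, "proto": "udp", "src": "200.1.1.1", "dst": "2.1.1.2", "sport": 4444, "dport": 53},
]
FIREWALL_LOG = """\
*Mar 25 19:21:27.811: %FW-6-DROP_PKT: Dropping tcp session 1.1.1.20:0 2.1.1.2:0 due to Invalid Header length with ip ident 7205
*Mar 25 19:30:23.131: %FW-6-DROP_PKT: Dropping tcp session 1.1.1.20:59807 2.1.1.2:23 due to RST inside current window with ip ident 14992 tcpflags 0x5004 seq.no 7916131 ack 1538156964
"""
DROP_RE = re.compile(r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session .*? due to (?P<reason>.+?) with ip ident (?P<ident>\d+)")


def drop_reasons(log_text):
    """Map (ip ident, protocol) -> drop reason from the %FW-6-DROP_PKT messages."""
    return {(int(m["ident"]), m["proto"]): m["reason"] for m in DROP_RE.finditer(log_text)}


def missing_outside(inside, outside):
    """Packets seen on the inside capture that never appeared on the outside capture."""
    seen = {(p["ident"], p["proto"], p["dst"]) for p in outside}
    return [p for p in inside if (p["ident"], p["proto"], p["dst"]) not in seen]


def correlate(inside, outside, log_text):
    """Attach the firewall's own drop reason to each missing packet. A missing packet with no
    matching log line is flagged rather than ignored: drop-pkt logging is rate limited, and ACL
    or routing drops are never reported by the firewall at all."""
    reasons = drop_reasons(log_text)
    report = []
    for p in missing_outside(inside, outside):
        reason = reasons.get((p["ident"], p["proto"]),
                             "no %FW-6-DROP_PKT match: check ACLs, routing, drop-pkt rate limiting")
        report.append({**p, "firewall_reason": reason})
    return report


if __name__ == "__main__":
    for row in correlate(INSIDE, OUTSIDE, FIREWALL_LOG):
        print(row)
```

On the constructed data, ident 7205 and 14992 are explained by the firewall ("Invalid Header length" and "RST inside current window"), while ident 3003 vanished without a firewall message and has to be chased through the ACLs and routing instead.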

Using IOS Embedded Packet Captures

Key configuration steps:
- Create the capture buffer and the capture point
- Associate the capture point with the buffer
- Start/stop the capture

Router#monitor capture buffer test-buffer
Router#monitor capture buffer test-buffer filter access-list 120
Filter Association succeeded
Router#
Router#monitor capture point ip cef test-capture serial 2/0 both
*Mar 26 20:33:10.896: %BUFCAP-6-CREATE: Capture Point test-capture created.
Router#monitor capture point associate test-capture test-buffer
Router#monitor capture point start test-capture
*Mar 26 20:34:03.108: %BUFCAP-6-ENABLE: Capture Point test-capture enabled.
Router#
Router#monitor capture point stop test-capture
*Mar 26 20:34:21.636: %BUFCAP-6-DISABLE: Capture Point test-capture disabled.

Using IOS Embedded Packet Captures

Now we have the packets captured, what's next?

Dump the packets on the router itself:

Router# show monitor capture buffer test-buffer dump
15:34:07.228 EST Mar 26 2009 : IPv4 LES CEF    : Se2/0 None
05CECE30:                   0F000800 45C0002C          ....E@.,
05CECE40: 6D170000 FE0649DD 02010102 01010114  m...~.I]........
05CECE50: 0017A353 0FB6B952 3EF1499C 60121020  ..#S.69R>qI.`..
05CECE60: 917A0000 02040218 00                 .z.......

Or export it and analyze it in Ethereal/Wireshark:

Router# monitor capture buffer test-buffer export ?
  ftp:    Location to dump buffer
  http:   Location to dump buffer
  https:  Location to dump buffer
  rcp:    Location to dump buffer
  scp:    Location to dump buffer
  tftp:   Location to dump buffer
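Reading the dump by hand is error-prone, so here is an added example (not Cisco's code) that decodes the hex words from the dump above: the four-byte Cisco HDLC header on Se2/0 (address 0x0F, control 0x00, protocol 0x0800), the IPv4 header, and the TCP header with its MSS option. The bytes that precede 0F000800 on the first dump line are not reproduced on the page and are left out; the decoder starts at the HDLC header.

```python
import struct
import ipaddress

# The hex words from the 'show monitor capture buffer test-buffer dump' output on this page,
# beginning at the Cisco HDLC header that precedes the IPv4 packet on Se2/0 (the bytes before
# 0F000800 on the first dump line are not on the page). Decoder is added example code, not Cisco's.
DUMP_WORDS = ("0F000800 45C0002C 6D170000 FE0649DD 02010102 01010114 "
              "0017A353 0FB6B952 3EF1499C 60121020 917A0000 02040218 00")

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def words_to_bytes(words):
    return bytes.fromhex("".join(words.split()))


def decode_frame(data):
    """Decode Cisco HDLC + IPv4 (+ TCP) into the fields a firewall troubleshooter needs: the IP
    identification (to match a %FW-6-DROP_PKT 'ip ident'), addresses, ports and TCP flags."""
    address, control, proto = struct.unpack("!BBH", data[:4])   # HDLC: 0x0F unicast, 0x00, protocol
    if proto != 0x0800:
        raise ValueError(f"not IPv4 inside the HDLC frame: protocol 0x{proto:04x}")
    ip = data[4:]
    ver_ihl, tos, total_len, ident, frag, ttl, l4, csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "ident": ident, "ttl": ttl, "protocol": l4,
        "src": str(ipaddress.IPv4Address(ip[12:16])), "dst": str(ipaddress.IPv4Address(ip[16:20])),
    }
    if l4 == 6:
        tcp = ip[ihl:total_len]          # bounded by total length, so trailing pad bytes are ignored
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
        data_offset = (off_flags >> 12) * 4
        pkt.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
                    "flags": [name for bit, name in TCP_FLAG_BITS if off_flags & bit],
                    "payload_len": len(tcp) - data_offset})
        opts, i = tcp[20:data_offset], 0
        while i < len(opts):
            kind = opts[i]
            if kind == 0:                # end of option list
                break
            if kind == 1:                # NOP
                i += 1
                continue
            length = opts[i + 1]
            if kind == 2:                # maximum segment size
                pkt["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
            i += length
    return pkt


def decode_dump(words=DUMP_WORDS):
    return decode_frame(words_to_bytes(words))


if __name__ == "__main__":
    for key, value in decode_dump().items():
        print(f"{key:>12}: {value}")
```

The decoded frame is the SYN/ACK of a telnet session, 2.1.1.2:23 answering 1.1.1.20:41811 with MSS 536 and IP identification 27927; that identification is the value a %FW-6-DROP_PKT message would print as "ip ident" if the firewall had dropped it.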

IPsec and Cisco IOS Firewall

Problem statement: how does IPsec work/interact with the IOS Firewall?

Solutions: the IOS Firewall works with IPsec in one of two ways:

1. IOS Firewall and IPsec enabled on the same router
   - IOS FW does packet inspection on the decrypted packets for inbound traffic
   - IOS FW does packet inspection before encryption for outbound traffic
2. IOS Firewall for IPsec pass-through traffic
   - IOS FW will not inspect encrypted IPsec packets, as the protocol number in the IP header is not TCP or UDP
   - ISAKMP, which is UDP/500, will be inspected
   - The router needs to allow UDP/500 (ISAKMP), UDP/4500 (NAT-T), IP protocol 50 (ESP) and IP protocol 51 (AH) for IPsec

IPsec and Zone-Based Firewall

Two types of IPsec configuration:
- Non-VTI based: classic configuration with a crypto map applied to an interface
- Interface-based IPsec configuration: GRE over IPsec, DMVPN, static VTI (Virtual Tunnel Interface), EzVPN using dynamic VTI

Reference: Using VPN with Zone-Based Policy Firewall
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

Classic IPsec with ZBF

[Diagram: R1 with clients and a server on 192.168.1.0/24 in zone Private; R1's Internet-facing interface in zone Public; an IPsec tunnel across the Internet to R2, behind which is 192.168.2.0/24 (labelled Web server in the diagram); Internet traffic (TCP/UDP/ICMP) also crosses the Public zone.]

Define the zone security policies:

Source zone \ Destination zone   Private                                       Public
Private                          N/A                                           Allow all outbound TCP/UDP/ICMP traffic
Public                           Allow TCP/UDP/ICMP traffic from the tunnel,   N/A
                                 and Web traffic to server 192.168.1.10

Classic IPsec with ZBF: Configuration

class-map type inspect match-any all-traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all pub-pri-cmap
 match class-map all-traffic
 match access-group name tunnel-traffic
class-map type inspect match-all inbound-web
 match protocol http
 match access-group name web-server
!
policy-map type inspect pri-pub-pmap
 class type inspect all-traffic
  inspect
policy-map type inspect pub-pri-pmap
 class type inspect pub-pri-cmap
  inspect
 class type inspect inbound-web
  inspect
!
zone security public
 description Internet facing zone
zone security private
 description Secure private zone
!
zone-pair security pub-pri source public destination private
 service-policy type inspect pub-pri-pmap
zone-pair security pri-pub source private destination public
 service-policy type inspect pri-pub-pmap
!
interface FastEthernet0/0
 zone-member security public
 crypto map test
!
interface FastEthernet1/0
 zone-member security private
!
ip access-list extended tunnel-traffic
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended web-server
 permit ip any host 192.168.1.10

Interface-based IPsec with ZBF

[Diagram: R1 with clients on 192.168.1.0/24 in zone Private; its Internet-facing interface in zone Public; the IPsec tunnel interface in zone VPN, terminating on R2, behind which is 192.168.2.0/24 (labelled Web server in the diagram); Internet traffic (TCP/UDP/ICMP) crosses the Public zone.]

Define the zone security policies:

Source zone \ Destination zone   Private                            Public                   VPN
Private                          N/A                                Allow all TCP/UDP/ICMP   Allow all TCP/UDP/ICMP
Public                           Allow Web traffic to 192.168.1.10  N/A                      Deny
VPN                              Allow all TCP                      Deny                     N/A

Interface-based IPsec with ZBF: Configuration

(The all-traffic and inbound-web class-maps are the ones defined in the classic configuration above.)

class-map type inspect match-any tcp-traffic
 match protocol tcp
!
policy-map type inspect pri-pub-pmap
 class type inspect all-traffic
  inspect
policy-map type inspect pub-pri-pmap
 class type inspect inbound-web
  inspect
policy-map type inspect pri-vpn-pmap
 class type inspect all-traffic
  inspect
policy-map type inspect vpn-pri-pmap
 class type inspect tcp-traffic
  inspect
!
zone security public
 description Internet facing zone
zone security private
 description Secure private zone
zone security vpn
 description This is the VPN zone
!
zone-pair security pub-pri source public destination private
 service-policy type inspect pub-pri-pmap
zone-pair security pri-pub source private destination public
 service-policy type inspect pri-pub-pmap
zone-pair security vpn-pri source vpn destination private
 service-policy type inspect vpn-pri-pmap
zone-pair security pri-vpn source private destination vpn
 service-policy type inspect pri-vpn-pmap
!
interface Tunnel0
 zone-member security vpn
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile test
!
interface FastEthernet0/0
 zone-member security public
!
interface FastEthernet1/0
 zone-member security private

Common Issues and Resolutions


Performance Degrades

Symptoms:
- After turning on the IOS Firewall, the connection is very slow
- Valid packets are dropped a while after turning the firewall on

Troubleshooting steps:

Step 1: check and investigate which process uses the most CPU

Router# show processes cpu | exclude 0.00
CPU utilization for five seconds: 70%/39%; one minute: 52%; five minutes: 43%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  74        1388     31823     43  0.08%  0.04%  0.04%   0 EAPFramework
  84      983836    305327   3222 38.18% 37.74% 37.02%   0 IP Input
 120       24468      3070   7970  1.22%  1.27%  1.26%   0 Inspect process

Solution:
- The IP Input process is expected to be higher than any other process
- If any process is above IP Input, that process needs investigation; it may not be related to the IOS Firewall
- If the IP Input process is high, it could be related to the IOS Firewall
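The rule in the solution can be applied mechanically, which matters when the same check is run across many routers. The following added example (not Cisco's code) parses the "show processes cpu" output above, including the total/interrupt split on the utilization line, and reports any process sitting above IP Input plus a high IP Input figure; the sample output is the one quoted on this slide and the 30% "high" threshold is an assumption for the example.

```python
import re

# Constructed input: the 'show processes cpu | exclude 0.00' output quoted on this page.
# Parser and triage rule are added example code, not Cisco's.
SAMPLE_CPU = """\
Router# show processes cpu | exclude 0.00
CPU utilization for five seconds: 70%/39%; one minute: 52%; five minutes: 43%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  74        1388     31823     43  0.08%  0.04%  0.04%   0 EAPFramework
  84      983836    305327   3222 38.18% 37.74% 37.02%   0 IP Input
 120       24468      3070   7970  1.22%  1.27%  1.26%   0 Inspect process
"""

HEADER = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%")
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$")


def parse_cpu(text):
    """Return the totals (the x%/y% pair is total and interrupt-level load; the difference is
    process-level load) and one dict per process row."""
    report = {"processes": []}
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            total, interrupt, one_min, five_min = map(int, h.groups())
            report.update({"total_5s": total, "interrupt_5s": interrupt,
                           "process_level_5s": total - interrupt, "one_min": one_min, "five_min": five_min})
            continue
        r = ROW.match(line)
        if r:
            pid, runtime, invoked, usecs, p5s, p1m, p5m, tty, name = r.groups()
            report["processes"].append({"pid": int(pid), "name": name,
                                        "5sec": float(p5s), "1min": float(p1m), "5min": float(p5m)})
    return report


def triage(report, high_pct=30.0):
    """Apply the rule from this page: IP Input should be the busiest process; any process above
    it is investigated first (and may be unrelated to the firewall); a high IP Input figure may be
    firewall related. The 30% threshold is an assumption of this example."""
    procs = report["processes"]
    ip_input = next((p for p in procs if p["name"] == "IP Input"), None)
    if ip_input is None:
        return ["IP Input not in the listing; the firewall is unlikely to be the CPU consumer"]
    findings = [f"{p['name']} ({p['5min']}% 5-min) is above IP Input: investigate that process first"
                for p in procs if p is not ip_input and p["5min"] > ip_input["5min"]]
    if ip_input["5min"] >= high_pct:
        findings.append(f"IP Input at {ip_input['5min']}% 5-min: possibly firewall related, check the DoS counters")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_cpu(SAMPLE_CPU)):
        print(finding)
```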

Performance Degrades (Cont.)

Zone-Based Policy Firewall DoS protection:
- Every class-map configured with the "inspect" action in a policy-map carries its own set of DoS protection counters:
  - counters of the number of "half-open" TCP and UDP connections
  - total connection rate through the firewall and IPS software
- Each class-map's DoS protection is individually configurable with a parameter-map that modifies the DoS protection values
- The legacy default settings prior to Release 12.4(11)T may interfere with proper network operation if they are not configured for the appropriate level

Performance Degrades: ZBF

Troubleshooting steps:

Step 2: define a parameter-map and set the max-incomplete high values to very high values

parameter-map type inspect DoS-param-map
 max-incomplete high 20000000
 one-minute high 100000000
 tcp max-incomplete host 100000 block-time 0

Step 3: apply the parameter-map to every class-map's inspection action

policy-map type inspect z1-z2-pmap
 class type inspect my-cmap
  inspect DoS-param-map

Performance Degrades: ZBF

Troubleshooting steps:

Step 4: check the DoS counters with the following command

router#sh policy-map type inspect zone-pair priv-pub
< Removed >
        Maxever session counts (estab/half-open/terminating) [92:46:33]
        Last session created 00:00:45
        Last statistic reset never
        Last session creation rate 1
        Maxever session creation rate 270

Step 5: tune the DoS settings for every inspect-type class-map contained within a policy-map that must have unique DoS protection requirements

Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8055e6ac.html
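Steps 2 to 5 amount to reading the high-water marks back from the router and comparing them with the parameter-map in force. The following added example (not Cisco's code) does that comparison: it parses the parameter-map from step 2 and the counter excerpt from step 4, both as quoted on this page, and reports which thresholds the observed peaks have reached. The second, deliberately tight parameter-map (40 / 200 / 20) is an assumed value set used only to show a threshold being crossed; the per-host tcp limit is parsed but not checked, because the excerpt carries no per-host counts.

```python
import re

# Constructed inputs: the parameter-map and the 'show policy-map type inspect zone-pair' excerpt
# from this page, plus a deliberately tight parameter-map with assumed values for contrast.
# Parsers and check are added example code, not Cisco's.
PAGE_PARAM_MAP = """\
parameter-map type inspect DoS-param-map
 max-incomplete high 20000000
 one-minute high 100000000
 tcp max-incomplete host 100000 block-time 0
"""
TIGHT_PARAM_MAP = """\
parameter-map type inspect tight-param-map
 max-incomplete high 40
 one-minute high 200
 tcp max-incomplete host 20 block-time 0
"""
SHOW_OUTPUT = """\
router#sh policy-map type inspect zone-pair priv-pub
< Removed >
        Maxever session counts (estab/half-open/terminating) [92:46:33]
        Last session created 00:00:45
        Last statistic reset never
        Last session creation rate 1
        Maxever session creation rate 270
"""


def parse_parameter_map(text):
    """Pick out the three DoS thresholds this page tunes."""
    name = re.search(r"parameter-map type inspect (\S+)", text).group(1)

    def grab(pattern):
        return int(re.search(pattern, text, re.M).group(1))

    return {"name": name,
            "max_incomplete_high": grab(r"^\s*max-incomplete high (\d+)"),
            "one_minute_high": grab(r"^\s*one-minute high (\d+)"),
            "tcp_host_max_incomplete": grab(r"^\s*tcp max-incomplete host (\d+)")}


def parse_session_stats(text):
    """Read the high-water marks the firewall keeps for an inspect class."""
    m = re.search(r"Maxever session counts \(estab/half-open/terminating\) \[(\d+):(\d+):(\d+)\]", text)
    estab, half_open, terminating = map(int, m.groups())
    return {"maxever_established": estab, "maxever_half_open": half_open, "maxever_terminating": terminating,
            "last_creation_rate": int(re.search(r"Last session creation rate (\d+)", text).group(1)),
            "maxever_creation_rate": int(re.search(r"Maxever session creation rate (\d+)", text).group(1))}


def check_thresholds(stats, params):
    """Report which parameter-map thresholds the observed peaks have reached; an empty list means
    the class never hit its DoS limits during the measured period."""
    findings = []
    if stats["maxever_half_open"] >= params["max_incomplete_high"]:
        findings.append(f"half-open peak {stats['maxever_half_open']} reached "
                        f"max-incomplete high {params['max_incomplete_high']} in {params['name']}")
    if stats["maxever_creation_rate"] >= params["one_minute_high"]:
        findings.append(f"creation-rate peak {stats['maxever_creation_rate']}/min reached "
                        f"one-minute high {params['one_minute_high']} in {params['name']}")
    return findings


if __name__ == "__main__":
    stats = parse_session_stats(SHOW_OUTPUT)
    for text in (PAGE_PARAM_MAP, TIGHT_PARAM_MAP):
        params = parse_parameter_map(text)
        print(params["name"], check_thresholds(stats, params) or ["no thresholds reached"])
```

Run this before and after a change to a parameter-map: if the page's loose values produce no findings but the class still drops valid sessions, the cause is somewhere other than DoS protection.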

HTTP Connection Reset

Symptom: unexpected web connection reset while browsing a web site

Troubleshooting steps:

Step 1a: analyze the syslog messages generated by the router

Jul 26 13:58:16 200.1.1.1 2167: Jul 26 18:02:34.907 UTC: %APPFW-4-HTTP_JAVA_APPLET: HTTP Java Applet detected - resetting session 172.16.1.100:80 10.1.1.100:3372 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic

Step 1b: review the configuration with show commands

class-map type inspect http match-any HttpAic
 match response body java-applet
 exit
policy-map type inspect http HttpAicPolicy
 class type inspect http HttpAic
  ! the reset action below is the reason for the connection reset
  reset
  log
 exit

Solution: remove the reset command under the policy-map

HTTP Connection Reset (Cont.)

Troubleshooting steps:

2a. Analyze the syslog messages generated by the router

Jul 26 15:03:51 200.1.1.1 2768: Jul 26 19:08:08.751 UTC: %APPFW-4-HTTP_CONTENT_LENGTH: Content length (82271) out of range - resetting session 208.254.0.103:80 10.1.1.100:3491 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic

2b. Using show commands reveals that the body length for the web traffic was configured too low.

Solution: reset the body length for request/response to a higher value

class-map type inspect http match-any HttpAic
 match req-resp body length gt 1000000
 exit

HTTP Connection Reset (Cont.)

Troubleshooting steps:

3a. Analyzing the syslog reveals the following message

Jul 27 13:12:39 200.1.1.1 5448: Sig:12 HTTP URI length exceeded. Received 10.1.1.100:1451 to 216.73.86.52:

3b. Using show commands to review the configuration may reveal that the request URI length was set too low.

Resolution: reset the URI length to 256 as follows

class-map type inspect http match-any HttpAic
 match request uri length gt 256
 exit
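The three HTTP connection reset cases above share one mechanism: a match-any HTTP class-map selects the transaction, and the reset action under the policy-map tears the session down. The following added example (not Cisco's code) models that decision for one HTTP transaction so that the effect of each match statement and of the reset action can be seen side by side. The class-map and policy-map syntax is the one shown on these slides; the low values 1000 and 128 in the first policy, the applet heuristic (an <applet> tag or a Java MIME type, since the page does not say how IOS detects applets), and the constructed request/response are assumptions.

```python
# Assumed simplified model of the HTTP application inspection (AIC) class-map and policy-map on
# this page: the three match statements shown and the reset/log actions. The low values in the
# first policy and the applet heuristic are assumptions. Added example code, not Cisco's.
PAGE_POLICY = """\
class-map type inspect http match-any HttpAic
 match response body java-applet
 match req-resp body length gt 1000
 match request uri length gt 128
policy-map type inspect http HttpAicPolicy
 class type inspect http HttpAic
  reset
  log
"""
TUNED_POLICY = """\
class-map type inspect http match-any HttpAic
 match req-resp body length gt 1000000
 match request uri length gt 256
policy-map type inspect http HttpAicPolicy
 class type inspect http HttpAic
  log
"""


def parse_http_policy(text):
    """Return the match terms of the single class shown and the actions applied to it."""
    policy = {"java_applet": False, "body_length_gt": None, "uri_length_gt": None, "actions": []}
    for line in text.splitlines():
        w = line.split()
        if w[:4] == ["match", "response", "body", "java-applet"]:
            policy["java_applet"] = True
        elif w[:5] == ["match", "req-resp", "body", "length", "gt"]:
            policy["body_length_gt"] = int(w[5])
        elif w[:5] == ["match", "request", "uri", "length", "gt"]:
            policy["uri_length_gt"] = int(w[5])
        elif w and w[0] in ("reset", "log", "allow"):
            policy["actions"].append(w[0])
    return policy


def triggered_matches(policy, request, response):
    """Evaluate one HTTP transaction (constructed dicts) against the class-map. The class is
    match-any, so any true term selects it; the list says which terms fired."""
    hits = []
    if policy["uri_length_gt"] is not None and len(request["uri"]) > policy["uri_length_gt"]:
        hits.append(f"request uri length {len(request['uri'])} gt {policy['uri_length_gt']}")
    if policy["body_length_gt"] is not None:
        for side, body_len in (("request", request["content_length"]), ("response", response["content_length"])):
            if body_len > policy["body_length_gt"]:
                hits.append(f"{side} body length {body_len} gt {policy['body_length_gt']}")
    if policy["java_applet"] and (b"<applet" in response["body"].lower()
                                  or response["content_type"] == "application/x-java-applet"):
        hits.append("response body java-applet")
    return hits


def verdict(policy, request, response):
    """'reset' tears the session down (the symptom on this page); 'log' alone only writes syslog."""
    hits = triggered_matches(policy, request, response)
    if not hits:
        return "allow", hits
    return ("reset" if "reset" in policy["actions"] else "log"), hits


# Constructed transaction modelled on the syslog messages on this page: an 82271-byte page that
# contains an applet, fetched with a long URI.
REQUEST = {"uri": "/" + "a" * 200, "content_length": 0}
RESPONSE = {"content_length": 82271, "content_type": "text/html",
            "body": b"<html><applet code='x'></applet></html>"}

if __name__ == "__main__":
    for text in (PAGE_POLICY, TUNED_POLICY):
        print(verdict(parse_http_policy(text), REQUEST, RESPONSE))
```

With the first policy the transaction is reset for three separate reasons; with the tuned limits and without the reset action the same transaction is allowed, and anything that does match is only logged, which is the state the slides steer toward.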

Zone Based Firewall Troubleshooting Example


Zone Based Firewall: Desired Setup

[Diagram: R2 runs the IOS Firewall. Zone Outside: 10.2.1.0/24 between R2 (.2) and R1 (.1), with a server and clients beyond R1; an IPsec tunnel is also drawn in the diagram. Zone Inside: 10.2.3.0/24 between R2 (.2) and R3 (.3), with clients behind R3. Zone DMZ: 10.2.4.0/24 between R2 (.2) and R4 (.4), with the http server behind R4.]

Zone Based Firewall Example

Desired policy:

Three zones: inside, outside and dmz

Traffic policies:
- TCP and UDP connections from inside to outside
- TCP and UDP connections from dmz to outside
- http from the outside to the dmz
- any other "required" connections from the outside to the inside

Zone Based Firewall: Class Map Configuration

class-map type inspect match-any INSIDE
 match protocol tcp
 match protocol udp
class-map type inspect match-any DMZ
 match protocol tcp
 match protocol udp
class-map type inspect match-all OUTSIDE
 match protocol http
 match access-group name OUT_DMZ
 match access-group name OUT_IN
!
ip access-list extended OUT_DMZ
 permit tcp any host 4.4.4.4 eq www

Zone Based Firewall: Zone Configuration

zone security inside
zone security outside
zone security dmz

Zone Based Firewall: Policy Map Configuration

policy-map type inspect IN_OUT
 class type inspect INSIDE
  inspect
 class class-default
  drop
policy-map type inspect OUT_IN
 class type inspect OUTSIDE
  inspect
 class class-default
  drop

Zone Based Firewall

Policy Map Configuration (continued)

policy-map type inspect DMZ_OUT
 class type inspect DMZ
  inspect
 class class-default
  drop
policy-map type inspect OUT_DMZ
 class type inspect OUTSIDE
  inspect
 class class-default
  drop


Zone Based Firewall

Zone-pair Configuration


zone-pair security IN->OUT source inside destination outside
 service-policy type inspect IN_OUT
zone-pair security OUT->IN source outside destination inside
 service-policy type inspect OUT_IN
zone-pair security DMZ->OUT source dmz destination outside
 service-policy type inspect DMZ_OUT
zone-pair security OUT->DMZ source outside destination dmz
 service-policy type inspect OUT_DMZ


Zone Based Firewall

Firewall Interface Configuration

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
 ip address 10.2.1.2 255.255.255.0
 zone-member security outside
!
interface Ethernet1/0
 ip address 10.2.3.2 255.255.255.0
 zone-member security inside
!
interface Ethernet2/0
 ip address 10.2.4.2 255.255.255.0
 zone-member security dmz


Zone Based Firewall

Additional Configuration

Enable telnet on all the routers

line vty 0 15
 password hello
 login


Enable http server on R4 (DMZ)

R4#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R4(config)#ip http server

Enable logging on R2 (Zone Based Firewall)

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip inspect log drop-pkt


Zone Based Firewall

Testing

√ Telnet from R4 to R1

√ Telnet from R3 to R1

× Telnet from R1 to R3

× Telnet from R1 to R4

√ Telnet from R1 to R4 on port 80 (http access)


Zone Based Firewall – Telnet should work

Telnet from R4 to R1 should work

R2#sh policy-map type inspect zone-pair DMZ->OUT sessions
 policy exists on zp DMZ->OUT
  Zone-pair: DMZ->OUT
  Service-policy inspect : DMZ_OUT

    Class-map: DMZ (match-any)
      Match: protocol tcp
        1 packets, 24 bytes
        30 second rate 0 bps
      ...
      Inspect
        Number of Established Sessions = 1
        Established Sessions
          Session 6A62F98 (10.2.4.4:59121)=>(1.1.1.1:23) tcp SIS_OPEN/TCP_ESTAB
            Created 00:00:05, Last heard 00:00:04
            Bytes sent (initiator:responder) [30:69]


R4#telnet 1.1.1.1
Trying 1.1.1.1 ... Open

User Access Verification

Password:


Zone Based Firewall – Telnet blocked

Telnet from R1 to R3 is blocked

R2#sh policy-map type inspect zone-pair OUT->IN sess
 policy exists on zp OUT->IN
  Zone-pair: OUT->IN
  Service-policy inspect : OUT_IN

    Class-map: OUTSIDE (match-all)
      Match: protocol http
      Match: access-group name OUT_IN
      Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        10 packets, 240 bytes


R1#telnet 3.3.3.3
Trying 3.3.3.3 ...
% Connection timed out; remote host not responding


Zone Based Firewall – http should work

Telnet from R1 to R4 on port 80 (http access) works

R2#sh policy-map type inspect zone-pair OUT->DMZ sessions
 policy exists on zp OUT->DMZ
  Zone-pair: OUT->DMZ
  Service-policy inspect : OUT_DMZ

    Class-map: OUTSIDE (match-all)
      Match: protocol http
      Match: access-group name OUT_DMZ
      Inspect
        Number of Established Sessions = 1
        Established Sessions
          Session 6A62C48 (10.2.1.1:34095)=>(4.4.4.4:80) http:tcp SIS_OPEN/TCP_ESTAB
            Created 00:01:29, Last heard 00:00:13
            Bytes sent (initiator:responder) [2:0]

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes


R1#telnet 4.4.4.4 80
Trying 4.4.4.4, 80 ... Open


Zone Based Firewall – Policies Again

Three Zones

inside zone

outside zone

dmz zone

Traffic policies

TCP and UDP connections from inside to outside

TCP and UDP connections from dmz to outside, http from the outside to the dmz, any other "required" connections from the outside to the inside


Zone Based Firewall – IPsec does not work!

Telnet from R1 to R3 (IPsec peers) works

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip inspect log drop-pkt
R2(config)#end
R2#
*Apr 5 23:45:25.723: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Apr 5 23:47:10.931: %FW-6-DROP_PKT: Dropping udp session 10.2.1.1:500 10.2.3.3:500 on zone-pair OUT->IN class class-default due to DROP action found in policy-map with ip ident 0
R2#
*Apr 5 23:48:38.055: %FW-6-LOG_SUMMARY: 3 packets were dropped from 10.2.1.1:500 => 10.2.3.3:500 (target:class)-(OUT->IN:class-default)


R1#
*Apr 5 23:46:18.687: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 10.2.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
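Drop messages in the two formats shown above can be parsed and summarised per zone-pair and class, with a hint when the dropped flow is IKE/NAT-T as in this case. This is an added example, not code from the slides or from Cisco; it assumes the message formats exactly as printed above, and the sample syslog lines are constructed to match them (the final telnet drop line is constructed as well).

```python
"""Parse IOS zone-based firewall drop messages and flag likely IKE/IPsec drops.

Added example, not Cisco code. The two message formats (%FW-6-DROP_PKT and
%FW-6-LOG_SUMMARY) are those shown on the slides; SAMPLE_LOG below is
constructed to match them. The UDP ports 500 and 4500 correspond to the
isakmp / non500-isakmp keywords used in the OUT_IN and VPN_OUT ACLs.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# %FW-6-DROP_PKT: Dropping udp session 10.2.1.1:500 10.2.3.3:500 on zone-pair
#   OUT->IN class class-default due to DROP action found in policy-map ...
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)
# %FW-6-LOG_SUMMARY: 3 packets were dropped from 10.2.1.1:500 =>
#   10.2.3.3:500 (target:class)-(OUT->IN:class-default)
SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)"
)

# UDP ports whose drops on a zone-pair usually mean the VPN control / NAT-T
# traffic has no pass class, which is the OUT->IN situation on the slides.
IKE_PORTS = {500: "isakmp", 4500: "non500-isakmp"}


@dataclass(frozen=True)
class Drop:
    proto: Optional[str]   # LOG_SUMMARY lines do not carry the protocol
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str
    class_name: str
    count: int = 1


def parse_drops(lines: Iterable[str]) -> List[Drop]:
    """Return one Drop per recognised message; unrelated syslog lines are skipped."""
    drops: List[Drop] = []
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            drops.append(Drop(m["proto"], m["src"], int(m["sport"]), m["dst"],
                              int(m["dport"]), m["zp"], m["cls"]))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            drops.append(Drop(None, m["src"], int(m["sport"]), m["dst"],
                              int(m["dport"]), m["zp"], m["cls"], int(m["count"])))
    return drops


def drops_per_class(drops: Iterable[Drop]) -> Counter:
    """Packet counts keyed by (zone-pair, class), like the policy-map counters."""
    c: Counter = Counter()
    for d in drops:
        c[(d.zone_pair, d.class_name)] += d.count
    return c


def vpn_hint(d: Drop) -> Optional[str]:
    """Explain a drop that looks like IKE/NAT-T (the 'what's missing?' case)."""
    if d.proto not in (None, "udp"):
        return None
    name = IKE_PORTS.get(d.dport) or IKE_PORTS.get(d.sport)
    if name is None:
        return None
    return (f"{d.src} -> {d.dst} udp/{d.dport} ({name}) dropped by "
            f"{d.zone_pair} class {d.class_name}: add a class matching an ACL "
            f"for isakmp/non500-isakmp/esp with action 'pass' before class-default")


# Constructed sample, using the message formats shown on the slides.
SAMPLE_LOG = """\
*Apr 5 23:45:25.723: %SYS-5-CONFIG_I: Configured from console by console
*Apr 5 23:47:10.931: %FW-6-DROP_PKT: Dropping udp session 10.2.1.1:500 10.2.3.3:500 on zone-pair OUT->IN class class-default due to DROP action found in policy-map with ip ident 0
*Apr 5 23:48:38.055: %FW-6-LOG_SUMMARY: 3 packets were dropped from 10.2.1.1:500 => 10.2.3.3:500 (target:class)-(OUT->IN:class-default)
*Apr 5 23:49:02.118: %FW-6-DROP_PKT: Dropping tcp session 10.2.1.1:34100 3.3.3.3:23 on zone-pair OUT->IN class class-default due to DROP action found in policy-map with ip ident 0
""".splitlines()

if __name__ == "__main__":
    found = parse_drops(SAMPLE_LOG)
    for (zp, cls), n in drops_per_class(found).items():
        print(f"{zp} {cls}: {n} packets dropped")
    for d in found:
        hint = vpn_hint(d)
        if hint:
            print("hint:", hint)
```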


Zone Based Firewall – What’s missing?

[Diagram: R1 (.1) with a server behind it in zone outside on 10.2.1.0/24; R2 (.2 on each segment) as the firewall; R3 (.3) with clients in zone inside on 10.2.3.0/24; R4 (.4, http server) with clients in zone dmz on 10.2.4.0/24; the R1 to R3 traffic through R2 is marked ???]

??? Need a policy for the IKE and IPsec traffic


Zone Based Firewall – ACL Configuration

Allow IKE and IPsec


ip access-list extended OUT_IN
 permit udp host 10.2.1.1 host 10.2.3.3 eq isakmp
 permit udp host 10.2.1.1 host 10.2.3.3 eq non500-isakmp
 permit esp host 10.2.1.1 host 10.2.3.3

ip access-list extended VPN_OUT
 permit udp host 10.2.3.3 host 10.2.1.1 eq isakmp
 permit udp host 10.2.3.3 host 10.2.1.1 eq non500-isakmp
 permit esp host 10.2.3.3 host 10.2.1.1


Zone Based Firewall – Configuration

Add Class maps and Policy maps for IKE & IPsec

class-map type inspect match-any INSIDE
 match protocol tcp
 match protocol udp
class-map type inspect match-all VPN
 match access-group name OUT_IN
class-map type inspect match-any DMZ
 match protocol tcp
 match protocol udp
class-map type inspect match-all OUTSIDE
 match protocol http
 match access-group name OUT_DMZ
 match access-group name OUT_IN
class-map type inspect match-all VPN_OUT
 match access-group name VPN_OUT


policy-map type inspect IN_OUT
 class type inspect INSIDE
  inspect
 class type inspect VPN_OUT
  pass
policy-map type inspect OUT_IN
 class type inspect OUTSIDE
  inspect
 class type inspect VPN
  pass
policy-map type inspect DMZ_OUT
 class type inspect DMZ
  inspect
policy-map type inspect OUT_DMZ
 class type inspect OUTSIDE
  inspect


Note: order of inspection (the classes in a policy-map are evaluated in the order listed).


Zone Based Firewall – IPsec should work

Telnet from R1 to R3 (IPsec peers) works now

R2#sh policy-map type inspect zone-pair OUT->IN sess
 policy exists on zp OUT->IN
  Zone-pair: OUT->IN
  Service-policy inspect : OUT_IN

    Class-map: OUTSIDE (match-all)
      Match: protocol http
      Match: access-group name OUT_IN
      Inspect

    Class-map: VPN (match-all)
      Match: access-group name OUT_IN
      Pass
        5 packets, 652 bytes

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes


R1#ping 10.2.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/10/12 ms



Firewall Summary

ALWAYS take a systematic approach to troubleshooting IOS Firewall issues

Establish a baseline traffic profile for your network through the IOS Firewall, and set the DoS settings accordingly

DO NOT change the default UDP & DNS session timeout value

Use syslog and show commands to troubleshoot the IOS Firewall


Troubleshooting Cisco IOS Intrusion Prevention System


Cisco IOS IPS Overview


Overview – What Is Cisco IOS IPS

Previously called IDS before 12.3(8)T, using the "ip audit" CLI

Introduced in 12.3(8)T, now referred to as "Cisco IOS IPS"

Software-based inline intrusion prevention sensor

Supports the Cisco IPS version 5.x signature format starting from 12.4(11)T*

Signature-based packet scanning, using the same set of signatures as the Cisco IPS 4200 sensor platform

Dynamic signature update, no need to update the IOS image

Variety of event actions configurable per-signature and per-category

Ease of management: CCP, CSM**

* Version 5.x signature format is not backward compatible with the version 4.x signature format
** CCP = Cisco Configuration Professional; CSM = Cisco Security Manager


Cisco IOS IPS – System Components

Signature Micro-Engines (SMEs)

An SME defines parameters for signatures in a specific protocol category, e.g. HTTP

Signature Files

Contain the signature engine and parameter information such as signature name, signature ID and signature actions

Signature categories*

A signature category contains pre-selected signature sets for a specific vulnerability

SEAP (Signature Event Action Processor)

SEAP allows advanced event action filtering and overrides based on the Event Risk Rating (ERR) feedback

Event Monitoring

Syslog messages and/or SDEE** alerts for events generated by IOS IPS

* Version 5.x signature format only (i.e. 12.4(11)T or later)
** SDEE = Security Device Event Exchange


Signature Categories

IOS IPS with Cisco 5.x/6.x format signatures operates with signature categories

A signature category is a group of relevant signatures represented by a meaningful name

All signatures are pre-grouped into categories

An individual signature can belong to more than one category

Router#sh ip ips category ?
  adware/spyware          Adware/Spyware (more sub-categories)
  attack                  Attack (more sub-categories)
  ddos                    DDoS (more sub-categories)
  dos                     DoS (more sub-categories)
  email                   Email (more sub-categories)
  instant_messaging       Instant Messaging (more sub-categories)
  ios_ips                 IOS IPS (more sub-categories)
  l2/l3/l4_protocol       L2/L3/L4 Protocol (more sub-categories)
  network_services        Network Services (more sub-categories)
  os                      OS (more sub-categories)
  other_services          Other Services (more sub-categories)
  p2p                     P2P (more sub-categories)
  reconnaissance          Reconnaissance (more sub-categories)
  releases                Releases (more sub-categories)
  viruses/worms/trojans   Viruses/Worms/Trojans (more sub-categories)
  web_server              Web Server (more sub-categories)


Packet Flow


Cisco IOS IPS Packet Flow – Inbound

[Flowchart, stages in the order drawn: Layer 2 decapsulation; Inbound ACL; IPSEC? with Y branch: Inbound crypto map ACL, IPSec decryption, Stateless IPS, Packet re-injection; N branch: Auth Proxy, NAT, Forwarding]


IPSec/IPS Packet Flow – Outbound

[Flowchart, stages in the order drawn: Forwarding; Stateless IPS; NAT; Fragment Inspection; Outbound ACL; Stateful IPS & Firewall; IPSEC? with Y branch: Outbound crypto map ACL, IPSec encryption; N branch: Layer 2 encapsulation, Forwarding]


Troubleshooting IPS


The Problem Solving Process

Assess

What's going on? Prioritize. Ask the right questions to better define and clarify the problem

Acquire

What information do we need but don't have? How do we get that information?

Analyze

Understand the flow. What's supposed to happen vs. what actually happened

Act

Test assumptions. Deploy changes


Basic Configuration Example

ip ips config location flash:ips/ retries 1
ip ips notify SDEE
ip ips name iosips
!
ip ips signature-category
 category all
  retired true
 category ios_ips advanced
  retired false

ALWAYS remember to first select category "all" AND retire all signatures

IOS IPS crypto key:

crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   | snip |
   F3020301 0001
  quit

Enable the IOS IPS policy on the interface:

interface GigabitEthernet0/1
 ip address 10.1.1.6 255.255.255.0
 ip ips iosips in
 ip virtual-reassembly
 duplex auto
 speed auto


Configure Event Notification Using SDEE

SDEE messages are transported over HTTP/HTTPS

You must enable HTTP/HTTPS in order to use SDEE

It is recommended to set the number of concurrent subscriptions to three when using IME

Router(config)#ip sdee subscriptions ?
  <1-3>  Number of concurrent SDEE subscriptions

IOS IPS log message format:

*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5114 Subsig:1 Sev:75 WWW IIS Unicode Attack [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:75
*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:100

SDEE = Security Device Event Exchange


Common Troubleshooting Steps

1. Check the IOS IPS configuration, to confirm the policy is applied to the right interface in the right direction

show run

2. Check signature status, to confirm signatures are compiled

show ip ips config

show ip ips signatures count

3. Check flows inspected by IOS IPS, to verify IOS IPS is inspecting traffic

show ip ips sessions detail

4. Check SDEE alerts / syslog messages, to verify attacks are being detected

show ip sdee alerts

show logging

5. Use appropriate debug commands


IOS IPS Troubleshooting Commands

Step 1: Check IOS IPS configuration

Router#sh run
Building configuration...

-- output skipped --
!

Configure IPS signature storage location; enable IPS SDEE event notification:

ip ips config location flash:ips/ retries 1
ip ips notify SDEE
ip ips name iosips
!

Configure IOS IPS to use one of the pre-defined signature categories:

ip ips signature-category
 category all
  retired true
 category ios_ips advanced
  retired false
!

Configure an IOS IPS crypto key, which is used to verify the digital signature on the signature package:

crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   -- output skipped --
   F3020301 0001
  quit
!

Enable the IPS rule on the desired interface and specify the direction the rule will be applied to:

interface GigabitEthernet0/1
 ip address 10.1.1.6 255.255.255.0
 ip ips iosips in
 ip virtual-reassembly


IOS IPS Troubleshooting Commands

Step 2: Check IOS IPS Configuration and Signatures Status

Router#sh ip ips all

IPS Signature File Configuration Status
  Configured Config Locations: flash:ips/
  Last signature default load time: 16:42:08 PST Mar 1 2008
  Last signature delta load time: 22:59:57 PST Mar 3 2008
  Last event action (SEAP) load time: -none-

  General SEAP Config:
  Global Deny Timeout: 3600 seconds
  Global Overrides Status: Enabled
  Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
  Event notification through syslog is enabled
  Event notification through SDEE is enabled

IPS Signature Status
  Total Active Signatures: 581
  Total Inactive Signatures: 1623

Determine the number of active signatures

IPS Packet Scanning and Interface Status
  IPS Rule Configuration
    IPS name iosips
  IPS fail closed is disabled
  IPS deny-action ips-interface is false
  Fastpath ips is enabled
  Quick run mode is enabled
  Interface Configuration
    Interface GigabitEthernet0/1
      Inbound IPS rule is iosips
      Outgoing IPS rule is not set

Verify the IOS IPS policy is applied to the right interface in the right direction

IPS Category CLI Configuration:
    Category all:
        Retire: True
    Category ios_ips advanced:
        Retire: False

Verify the signature category being used


IOS IPS Troubleshooting Commands

Step 2: Check Signatures Status

Router#show ip ips signatures count
Cisco SDF release version S318.0
Trend SDF release version V0.0

Check the signature release version

Signature Micro-Engine: multi-string: Total Signatures 8
    multi-string enabled signatures: 8
    multi-string retired signatures: 8

- output omitted -

Signature Micro-Engine: service-msrpc: Total Signatures 27
    service-msrpc enabled signatures: 27
    service-msrpc retired signatures: 19
    service-msrpc compiled signatures: 1
    service-msrpc inactive signatures - invalid params: 7

Total Signatures: 2204
    Total Enabled Signatures: 873
    Total Retired Signatures: 1617
    Total Compiled Signatures: 580
    Total Signatures with invalid parameters: 7
    Total Obsoleted Signatures: 11

Check that there are signatures being compiled


IOS IPS Troubleshooting Commands

Step 3: Check Flows Inspected by IOS IPS

Router#show ip ips sessions detail
Established Sessions
 Session 47506A34 (10.1.1.252:3959)=>(192.168.1.249:21) tcp SIS_OPEN
  Created 00:02:49, Last heard 00:02:44
  Bytes sent (initiator:responder) [25:95]
  sig cand list ID 14272
  sig cand list ID 14273

Shown per session: source address/port and destination address/port, and bytes sent and received


IOS IPS Troubleshooting Commands

Step 4: Check Alert Messages

Verify that the router is seeing IOS IPS related event and alert messages.

Router#sh logging
Syslog logging: enabled (12 messages dropped, 7 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

-- output skipped --

Log Buffer (4096 bytes):

*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5114 Subsig:1 Sev:75 WWW IIS Unicode Attack [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:75
*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:100

Router#sh ip sdee alerts
Alert storage: 200 alerts using 75200 bytes of memory
SDEE Alerts
     SigID    Sig Name                    SrcIP:SrcPort     DstIP:DstPort or Summary Info
1:   5114:1   WWW IIS Unicode Attack      10.1.1.252:4150   192.168.1.249:80
2:   5081:0   WWW WinNT cmd.exe Access    10.1.1.252:4150   192.168.1.249:80


Cisco IOS IPS Debugging Commands

Step 5: Use Debug Commands

Enable debugs on specified IOS IPS engines

Router# debug ip ips timers
Router# debug ip ips [object-creation | object-deletion]
Router# debug ip ips function trace

Not recommended in a production network

Router# debug ip ips detail

L3/L4 debug commands:

Router# debug ip ips [ip | icmp | tcp | udp]

Application-level debug commands:

Router# debug ip ips [tftp | smtp | ftp-cmd | ftp-token]

Enable debug on specified SDEE attributes

Router# debug ip sdee [alerts | details | messages | requests | subscriptions]


Common Issues and Resolutions


Common Issues

Misunderstanding of terms used for signature status

Memory allocation errors when compiling signatures

Total number of signatures that can be compiled

Signature failed to compile

Configuration steps

Cisco IOS IPS policy is applied at the wrong direction and/or interface

Signature does not fire with matching traffic


Misunderstanding of Terms Used for Signature Status

Retire vs. unretire

Enable vs. disable

Compiled vs. loaded

Cisco IOS IPS inherited these terms from the IPS 4200 series appliance

Due to memory constraints, most of the signatures on the router are retired by default

IOS IPS users need to worry about enable/disable as well as retire/unretire


Misunderstanding of Terms Used for Signature Status (Cont.)

Retire vs. Unretire

Select/de-select which signatures are being used by IOS IPS to scan traffic

Retiring a signature means IOS IPS will NOT compile that signature into memory for scanning

Unretiring a signature instructs IOS IPS to compile the signature into memory and use the signature to scan traffic

You can use the IOS command-line interface (CLI) or CCP to retire or unretire individual signatures or a signature category


Misunderstanding of Terms Used for Signature Status (Cont.)

Enable vs. Disable

Enabling a signature means that when triggered by a matching packet (or packet flow), the signature takes the appropriate action associated with it

However, only unretired AND successfully compiled signatures will take the action when they are enabled. In other words, if a signature is retired, even though it is enabled, it will not be compiled (because it is retired) and it will not take the action associated with it

Disabling a signature means that when triggered by a matching packet (or packet flow), the signature DOES NOT take the appropriate action associated with it

In other words, when a signature is disabled, even though it is unretired and successfully compiled, it will not take the action associated with it

You can use the IOS command-line interface (CLI) or CCP to enable or disable individual signatures or a signature category

Enable/disable is NOT used to select/de-select signatures to be used by IOS IPS


Misunderstanding of Terms Used for Signature Status (Cont.)

Compiled vs. Loaded

Loading refers to the process where IOS IPS parses the signature files (XML files in the config location) and fills in the signature database

This happens when signatures are loaded via "copy <sig file> idconf" or when the router reboots with IOS IPS already configured

Compiling refers to the process where the parameter values from unretired signatures are compiled into a regular expression table

This happens when signatures are unretired or when other parameters of signatures belonging to that regular expression table change

Once signatures are compiled, traffic is scanned against the compiled signatures


Memory Allocation Errors When Compiling Signatures

The number of signatures that can be compiled depends on the free memory available on the router

When the router does not have enough memory to compile signatures, memory allocation failure messages are logged

Already compiled signatures will still be used to scan traffic. No additional signatures will be compiled for that engine during the compiling process. IOS IPS will proceed with compiling signatures for the next engine

*Mar 18 07:09:36.887: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x400C1024, alignment 0
Pool: Processor  Free: 673268  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
-Process= "Exec", ipl= 0, pid= 3, -Traceback= 0x4164F41C 0x400AEF1C 0x400B4D58 0x400B52C4 0x400C102C 0x400C0820 0x400C23EC 0x400C0484 0x424C1DEC 0x424C2A4C 0x424C2FF0 0x424C31A0 0x430D6ECC 0x430D7864 0x430F0210 0x430FA0E8
*Mar 18 07:09:36.911: %SYS-2-CHUNKEXPANDFAIL: Could not expand chunk pool for regex. No memory available - Process= "Chunk Manager", ipl= 3, pid= 1, -Traceback= 0x4164F41C 0x400C06FC
*Mar 18 07:09:37.115: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 12024:0 - compilation of regular expression failed
*Mar 18 07:09:41.535: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5280:0 - compilation of regular expression failed
*Mar 18 07:09:44.955: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5284:0 - compilation of regular expression failed
*Mar 18 07:09:44.979: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 12023:0 - compiles discontinued for this engine
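The per-engine counts from the "show ip ips signatures count" step can be checked mechanically for engines where the unretired signatures were not all compiled, which is the state the compile-failure messages above leave an engine in; the same counts also bound how many signatures are enabled but retired, the case the signature-status terms section warns about. This is an added example, not code from the slides or from Cisco; it assumes the per-engine line formats shown on the "signatures count" slide, and the sample output is constructed, with a service-http engine added to represent an engine whose compiles were discontinued.

```python
"""Parse 'show ip ips signatures count' output per engine and flag engines
whose unretired signatures did not all compile (the symptom of MALLOCFAIL /
SIGNATURE_COMPILE_FAILURE), plus a lower bound on enabled-but-retired signatures.

Added example, not Cisco code. Line formats are those shown on the slides;
SAMPLE_OUTPUT is constructed from them, with a service-http engine added.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

ENGINE_RE = re.compile(
    r"Signature Micro-Engine: (?P<name>[\w.-]+): Total Signatures (?P<total>\d+)")
COUNT_RE = re.compile(
    r"^\s*(?P<name>[\w.-]+) (?P<kind>enabled|retired|compiled) signatures: (?P<n>\d+)")
INVALID_RE = re.compile(
    r"^\s*(?P<name>[\w.-]+) inactive signatures - invalid params: (?P<n>\d+)")


@dataclass
class EngineCounts:
    name: str
    total: int
    enabled: int = 0
    retired: int = 0
    compiled: int = 0
    invalid: int = 0

    @property
    def unretired(self) -> int:
        # Only unretired signatures are candidates for compilation.
        return self.total - self.retired

    @property
    def compile_shortfall(self) -> int:
        # Unretired signatures that are neither compiled nor rejected for
        # invalid parameters: these were skipped, typically for lack of memory.
        return self.unretired - self.invalid - self.compiled

    @property
    def enabled_but_retired_min(self) -> int:
        # Lower bound (pigeonhole) on signatures that are enabled yet retired,
        # i.e. enabled but never compiled and therefore never acting on traffic.
        return max(0, self.enabled - self.unretired)


def parse_signature_counts(lines: Iterable[str]) -> Dict[str, EngineCounts]:
    """Build one EngineCounts per 'Signature Micro-Engine' block in the output."""
    engines: Dict[str, EngineCounts] = {}
    for line in lines:
        m = ENGINE_RE.search(line)
        if m:
            engines[m["name"]] = EngineCounts(m["name"], int(m["total"]))
            continue
        m = COUNT_RE.match(line)
        if m and m["name"] in engines:
            setattr(engines[m["name"]], m["kind"], int(m["n"]))
            continue
        m = INVALID_RE.match(line)
        if m and m["name"] in engines:
            engines[m["name"]].invalid = int(m["n"])
    return engines


def engines_with_shortfall(engines: Dict[str, EngineCounts]) -> List[str]:
    """Names of engines where some unretired signatures were not compiled."""
    return sorted(n for n, e in engines.items() if e.compile_shortfall > 0)


# Constructed sample: the two engines from the slide plus a service-http
# engine with 4 unretired signatures that never compiled.
SAMPLE_OUTPUT = """\
Cisco SDF release version S318.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string: Total Signatures 8
    multi-string enabled signatures: 8
    multi-string retired signatures: 8

Signature Micro-Engine: service-msrpc: Total Signatures 27
    service-msrpc enabled signatures: 27
    service-msrpc retired signatures: 19
    service-msrpc compiled signatures: 1
    service-msrpc inactive signatures - invalid params: 7

Signature Micro-Engine: service-http: Total Signatures 300
    service-http enabled signatures: 120
    service-http retired signatures: 220
    service-http compiled signatures: 76
""".splitlines()

if __name__ == "__main__":
    counts = parse_signature_counts(SAMPLE_OUTPUT)
    for e in counts.values():
        print(f"{e.name}: unretired={e.unretired} compiled={e.compiled} "
              f"shortfall={e.compile_shortfall} "
              f"enabled-but-retired>={e.enabled_but_retired_min}")
    print("engines to check for compile failures:", engines_with_shortfall(counts))
```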


Memory Allocation Errors When Compiling Signatures: Resolution

The pre-defined IOS IPS Basic and Advanced signature categories contain an optimum combination of signatures for all standard memory configurations, providing a good starting point.

Never unretire the "all" category.

For routers with 128MB of memory, start with the IOS IPS Basic category.

For routers with 256MB of memory, start with the IOS IPS Advanced category.

Then customize the signature set by unretiring/retiring a few signatures at a time, according to your network needs.

Check the free memory every time after unretiring/retiring signatures.


Total Number of Signatures That Can Be Compiled

There is no magic number!

Many factors have an impact:

Available free memory on the router

The type of signatures being unretired, e.g. signatures in the complex STRING.TCP engine

When the router's free memory drops below 10% of the total installed memory, stop unretiring signatures.


Signature Failed to Compile

There are mainly three reasons that can cause a signature to fail to compile:

Memory constraint: the router runs out of memory

Signatures that are not supported in IOS IPS, e.g. META signatures

The regular expression table for a particular engine exceeds 32MB

Check the list of supported signatures in IOS IPS at:

Retire signatures not supported by IOS IPS, and signatures not applicable to your network, to save memory.


Configuration Steps

Follow the steps in the following order for the initial Cisco IOS IPS configuration:

Step 1: Download the IOS IPS signature package to a PC
Step 2: Create the IOS IPS configuration directory
Step 3: Configure the IOS IPS crypto key
Step 4: Create the IOS IPS policy and apply it to interface(s)
        Remember to FIRST retire the "all" category
Step 5: Load the IOS IPS signature package

Next, verify the configuration and that the signatures are compiled:

show ip ips configuration
show ip ips signatures count
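The five steps above as one CLI session, in order. This is an added example, not a configuration taken from the deck: the directory flash:ips, the policy name ips-policy, the interface FastEthernet0/0, the TFTP server 10.1.1.100 and the package file name IOS-S416-CLI.pkg are assumptions, and the hex RSA key-string that Cisco distributes as realm-cisco.pub.key.txt is omitted rather than invented.

```cisco
! Step 1 is done on the PC, not the router: download the signature package
! (IOS-Sxxx-CLI.pkg) and the public key file realm-cisco.pub.key.txt from Cisco.com.

! Step 2: create the IOS IPS configuration directory and point IOS IPS at it
Router# mkdir flash:ips
Router# configure terminal
Router(config)# ip ips config location flash:ips retries 1

! Step 3: the RSA public key used to verify the signature package
Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# named-key realm-cisco.pub signature
Router(config-pubkey-key)# key-string
Router(config-pubkey)# ...   (paste the hex key-string from realm-cisco.pub.key.txt; omitted here)
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit

! Step 4: create the policy, retire the "all" category FIRST, unretire the
! starting category (Basic for 128MB routers), then apply the policy inbound
Router(config)# ip ips name ips-policy
Router(config)# ip ips notify sdee
Router(config)# ip ips notify log
Router(config)# ip ips signature-category
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false
Router(config-ips-category-action)# exit
Router(config-ips-category)# exit
! answer the "Do you want to accept these changes?" prompt with confirm
Router(config)# interface FastEthernet0/0
Router(config-if)# ip ips ips-policy in
Router(config-if)# end

! Step 5: load the package; IOS IPS verifies it with the key above and
! compiles the unretired signatures into flash:ips
Router# copy tftp://10.1.1.100/IOS-S416-CLI.pkg idconf

! Verify: configuration, then per-engine compiled counts
Router# show ip ips configuration
Router# show ip ips signatures count
```

Doing Step 4 before Step 5 matters: if the package is loaded while "all" is still unretired, the router tries to compile every signature and, on a 128MB or 256MB platform, runs straight into the MALLOCFAIL and SIGNATURE_COMPILE_FAILURE messages shown earlier.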


Configuration Steps (Cont.)

Next you can start to tune the signature set with the following options:

Retire/unretire signatures (i.e. remove/add signatures from/to the compiled list)

Enable/disable signatures (i.e. enforce/disregard their actions)

Change the actions associated with signatures

Refer to the Getting Started Guide at:
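The three tuning operations above, with the free-memory check recommended in the memory-allocation slides between batches. This is an added example, not from the deck; it assumes the Basic category is already the starting point, and uses signature IDs 5280:0 and 5284:0 only because they appear in the compile-failure log earlier on this page, not because they are the right signatures for any particular network.

```cisco
! 1. Baseline before touching the set: free memory (Processor pool Free(b)
!    and Largest(b)) and the number of compiled signatures per engine
Router# show memory statistics
Router# show ip ips signatures count

! 2. Unretire a few signatures at a time. Unretiring adds the signature to
!    its engine's regular expression table and costs memory there.
Router# configure terminal
Router(config)# ip ips signature-definition
Router(config-sigdef)# signature 5280 0
Router(config-sigdef-sig)# status
Router(config-sigdef-sig-status)# retired false
Router(config-sigdef-sig-status)# enabled true
Router(config-sigdef-sig-status)# exit
Router(config-sigdef-sig)# exit
Router(config-sigdef)# exit
! confirm the "accept these changes" prompt; recompilation of the engine starts
Router(config)# end

! 3. After every batch: did anything fail to compile, and is free memory
!    still above 10% of installed memory? If not, stop unretiring.
Router# show logging | include SIGNATURE_COMPILE_FAILURE|MALLOCFAIL
Router# show memory statistics
Router# show ip ips signatures count

! 4. Disable instead of retire when the signature should stay compiled but
!    take no action (enabled false keeps it in the regex table, so it frees
!    no memory; retiring it does)
Router# configure terminal
Router(config)# ip ips signature-definition
Router(config-sigdef)# signature 5284 0
Router(config-sigdef-sig)# status
Router(config-sigdef-sig-status)# enabled false
Router(config-sigdef-sig-status)# exit
Router(config-sigdef-sig)# exit
Router(config-sigdef)# exit

! 5. Change the action of a signature rather than dropping it from the set
Router(config)# ip ips signature-definition
Router(config-sigdef)# signature 5280 0
Router(config-sigdef-sig)# engine
Router(config-sigdef-sig-engine)# event-action produce-alert
Router(config-sigdef-sig-engine)# event-action deny-packet-inline
Router(config-sigdef-sig-engine)# exit
Router(config-sigdef-sig)# exit
Router(config-sigdef)# exit

! 6. Retire a signature to reclaim memory (removes it from the compiled table)
Router(config)# ip ips signature-definition
Router(config-sigdef)# signature 5284 0
Router(config-sigdef-sig)# status
Router(config-sigdef-sig-status)# retired true
Router(config-sigdef-sig-status)# exit
Router(config-sigdef-sig)# exit
Router(config-sigdef)# exit
Router(config)# end
```

Every exit from signature-definition mode triggers a recompile of the affected engines, so batching several retire/unretire changes before the exit costs one compile instead of several, and the memory check in step 3 should follow each batch rather than each signature.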


Case A: Issue

IOS IPS Policy Is Applied at the Wrong Direction/Interface: Incorrect Configuration

Protecting Against Attacks from Inside

[Diagram: Head Office with a Cisco 28xx router (FastEthernet0/0 = Inside: Head Office PCs, Web Clusters, Application Servers; FastEthernet0/1 = Outside) connected through the Internet and an IPsec tunnel to a Branch Office Cisco 18xx with Branch Office PCs/Laptops. Worms originate on the Head Office PCs. Interface FastEthernet0/0 is configured with "ip ips ips-policy out": the policy is applied in the wrong direction.]


IOS IPS Policy Is Applied at the Wrong Direction/Interface: Resolution

Protecting Against Attacks from Inside

Case A: Solution

[Diagram: same topology as the issue. Interface FastEthernet0/0 (Inside) is now configured with "ip ips ips-policy in": the policy is applied in the right direction, inbound on the interface where the worm traffic enters the router.]


IOS IPS Policy Is Applied at the Wrong Direction/Interface: Incorrect Configuration

Protecting Against Attacks from Outside

Case B: Issue

[Diagram: Head Office Cisco 28xx with FastEthernet0/1 = Outside (Internet traffic, IPsec tunnel to the Branch Office Cisco 18xx and its PCs/Laptops) and FastEthernet0/0 = Inside/DMZ (Web Clusters, Application Servers, Head Office PCs). Attacks arrive from the Internet. Interface FastEthernet0/1 is configured with "ip ips ips-policy out": the policy is applied in the wrong direction.]


IOS IPS Policy Is Applied at the Wrong Direction/Interface: Resolution

Protecting Against Attacks from Outside

Case B: Solution

[Diagram: same topology as the issue. Interface FastEthernet0/1 (Outside) is now configured with "ip ips ips-policy in": the policy is applied in the right direction, inbound on the interface where the attacks enter the router from the Internet.]
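Both cases as configuration, with the wrong line beside the corrected one. This is an added example, not configuration from the deck; the interface roles and the policy name ips-policy come from the diagrams, the description strings are assumptions. The direction keyword is relative to the router, not to the attacker: "in" inspects packets as they enter the router through that interface, "out" inspects packets leaving the router through it. A policy meant to catch attackers behind an interface therefore has to be applied inbound on that interface.

```cisco
! Case A: the attackers (worms) are on the head-office LAN behind FastEthernet0/0.
! Their packets ENTER the router on FE0/0, so the policy must be inbound there.
! "out" on this interface would only ever see traffic going TO the head-office PCs.
interface FastEthernet0/0
 description Inside (head-office PCs, web clusters, application servers)
 no ip ips ips-policy out
 ip ips ips-policy in

! Case B: the attackers are on the Internet behind FastEthernet0/1.
! Their packets ENTER the router on FE0/1, so the policy must be inbound there.
interface FastEthernet0/1
 description Outside (Internet, IPsec tunnel to the branch)
 no ip ips ips-policy out
 ip ips ips-policy in

! Verify which interfaces carry the policy and in which direction
Router# show ip ips interfaces
```

With the policy inbound on both interfaces every flow is scanned exactly once, on the interface where it enters. For the head-office-to-branch traffic in Case A this also means the packets are inspected on FastEthernet0/0 in the clear, before they are encrypted into the IPsec tunnel on the outside interface; an outbound policy on FastEthernet0/1 would have had nothing to match.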


Signature Does Not Fire with Matching Traffic

Verify that IOS IPS is applied in the right direction (inbound/outbound) and on the right interface.

Is IOS IPS event notification enabled, i.e. syslog and/or SDEE?

Do you see alarms/alerts showing the signature matching? It is essential to establish whether the signature is triggered by the traffic at all.

Use "show ip ips signatures statistics | include <sig id>" to see signature hits.

Run debugs:

debug ip ips <engine name>
debug ip ips detailed
debug ip ips function-trace (if the above two do not show anything)

Debugs are CPU-intensive on a production router: scope them to the shortest window that reproduces the traffic and turn them off with "undebug all" when done.


IPS Summary


Cisco IOS IPS Enhancements

1. Enhancement: Lightweight IPS engines for existing and new signatures, optimized for the HTTP, SMTP and FTP protocols.
   Benefit: Memory-efficient traffic scanning for attack signatures, consuming up to 40% less memory on the router.

2. Enhancement: New default IOS IPS category, with signatures updated frequently by the Cisco Signature Team.
   Benefit: More comprehensive and effective attack coverage by default. Much quicker inclusion of the most relevant new threat signatures within the default set (category).

3. Enhancement: Chaining of traffic scanning (regular expression) tables.
   Benefit: Capability to load more signatures simultaneously and provide protection for a larger number of threats and vulnerabilities.

4. Enhancement: Configurable threshold (upper limit) on the memory dedicated to the IPS feature.
   Benefit: Avoids large amounts of router memory being consumed by IPS signature tables. Prevents the IPS feature from consuming all the free processor memory available and causing performance and other operational problems.


IPS Summary

Use the "Getting Started Guide" as a reference to check that IOS IPS is configured properly.

Always remember to RETIRE ALL signatures first:

ip ips signature-category
 category all
  retired true

The recommendation is to use the pre-defined IOS IPS Basic or Advanced signature category and tune the signature set based on your network applications.

Cisco IOS IPS "show" commands and SDEE are the most essential components for troubleshooting.


Documentation and Links


Documentation for Cisco IOS Security

Router Security

Cisco IOS Security Commands Reference

Cisco IOS Firewall

Cisco Zone-based Firewall Design and Application Guide

Cisco IOS IPS

Cisco Configuration Professional (CCP)


Q&A

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Cisco Preferred Access points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.


Appendix : Classic IOS Firewall


Simple Classic IOS Firewall Configuration

[Diagram: Inside network on interface e0, Outside (Internet) on interface s0, CBAC inspection running on the router.]

1. Define the security policy

   Deny any connections initiating from outside
   Allow only SMTP, FTP, and HTTP connections from inside

2. Convert the security policy into IOS configuration

   ! ACL to deny inbound connections, applied inbound on the outside interface.
   ! CBAC will open temporary entries ahead of this ACL for the return traffic
   ! of sessions it has inspected.
   access-list 101 deny ip any any
   interface serial0
    ip access-group 101 in

   ! ACL to allow only SMTP, FTP, and HTTP from inside to outside
   ! (extended ACL entries need the protocol keyword; IOS names port 80 "www")
   access-list 102 permit tcp any any eq smtp
   access-list 102 permit tcp any any eq ftp
   access-list 102 permit tcp any any eq www

   ! Inspection for the necessary protocols
   ip inspect name foo smtp
   ip inspect name foo http
   ip inspect name foo ftp

   ! Inspection rule and ACL both applied inbound on the ethernet0 interface
   interface ethernet0
    ip inspect foo in
    ip access-group 102 in

Show Commands: Classic IOS Firewall (CBAC)

To display the firewall policy and sessions:

Router# show ip inspect all

Session audit trail is disabled

Session alert is enabled

one-minute (sampling period) thresholds are [400:20000] connections

max-incomplete sessions thresholds are [400:20000]

max-incomplete tcp connections per host is 100000. Block-time 0 minute