
Build Your Skills: Create a poor man's firewall with the Cisco IOS


Takeaway: Uncovers a little-known secret regarding a built-in feature set for creating a
firewall and intrusion-detection system within the Cisco IOS router

Today, network security has become a top priority for every organization connected to the
Internet, and firewalls have come to serve as the main security mechanism. While vendors
have been pushing toward dedicated “firewall appliances”—and I don’t argue that these are
excellent solutions—such appliances can also be very costly for small to medium-size
businesses. For example, a Cisco PIX Firewall can cost thousands of dollars.

However, there is an inexpensive and effective firewall solution that you may have
overlooked. Most companies that connect to the Internet use a standard router to do so. If you
use a Cisco router, you should know that the Cisco IOS has a built-in feature set for creating
a firewall and intrusion detection system. Using this solution, you don’t need a separate
firewall box—it can all be done inside your current Cisco router. I like to call this a "poor
man's firewall."

Security resource
An excellent source for the proper recommendations and precautions for Cisco routers is the
National Security Agency's executive summary for Cisco router security. This is the best
single list of recommendations I have found for implementing strong security on Cisco
routers.

Getting the proper IOS


The first step is to get the proper IOS for your Cisco router. If you are interested in only the
most basic form of a firewall (allowing only the required IP addresses/ports and blocking the
others), it’s likely that your existing Cisco router can do this by configuring extended IP
access control lists. However, if you want many of the same features available in today’s
more powerful firewalls, you need the firewall/intrusion detection system (FW/IDS) feature
set.

You can get the IOS with the FW/IDS feature set by using the Cisco IOS Upgrade Planner.
You must be a registered user on the Cisco site to access this. Using the IOS Upgrade
Planner, you can select the model of router you have, the IOS version you would like
(preferably one of the most recent), and the software features you're looking for. Make sure
that you choose one with the FW/IDS feature set. (You may need to pay a small licensing fee
to use this feature set.) Then, download the IOS, update your router to the new version, and
reboot.

Configuring NAT

Next, you’ll need to properly configure the firewall and IDS features. As I mentioned earlier,
the most basic firewall is configured with extended IP access control lists. This will also be
the place we start when configuring a more advanced firewall.

Because many companies use network address translation (NAT) and private internal TCP/IP
addresses, we'll build that part of the access list first. One common NAT scenario is for a
router to have a serial connection to the Internet and an Ethernet connection to the local
network. In this case, NAT enables the use of private TCP/IP addresses on the internal
network, which provides additional privacy and security for internal systems and keeps you
from having to change your internal addresses if you change your Internet Service Provider
(ISP).

The configuration on your Cisco router might look something like this:
interface Serial1/0
 description Internet connection - external
 ! real Internet network
 ip address 1.1.1.254 255.255.255.0
 no ip proxy-arp
 ip nat outside
!
interface Ethernet1/1
 description Local Network Ethernet Connection - internal
 ! local private network
 ip address 10.253.2.2 255.255.0.0
 no ip proxy-arp
 ip nat inside
!
! Web server
ip nat inside source static 10.253.1.1 1.1.1.1
! Email server
ip nat inside source static 10.253.1.2 1.1.1.2
!
! Default route toward the ISP. Use the ISP router's address as the next hop
! if you know it; on a point-to-point serial link the interface itself works.
ip route 0.0.0.0 0.0.0.0 Serial1/0

Note that the IP address of the local Web server is now 10.253.1.1, and the IP address of the
local mail server is now 10.253.1.2. Before implementing the firewall, these two systems
were sitting unprotected on the Internet with their two public Internet addresses, 1.1.1.1 (Web
server) and 1.1.1.2 (mail server). Now, these two servers have internal IPs. Their external IPs,
which stay the same, are terminated at the firewall; they're then translated to the internal IPs.

With a dynamic NAT rule in place as well (the configuration above shows only the two static
translations), all other internal hosts are translated too, and anything not destined for the
local 10.x.x.x network is sent out the serial interface via the default route. That takes care
of NAT and internal addressing.
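To show the part the text describes but the listing above leaves out, here is the same NAT setup with the dynamic translation for every other inside host added. This is an added example and not the article's own configuration; it assumes the internal network is 10.253.0.0/16 (the mask on Ethernet1/1), that access list 1 is free, and uses 1.1.1.253 as a constructed address for the ISP's next-hop router.

```cisco
! Added example: static NAT for the two published servers plus dynamic
! port address translation for everyone else on the inside network.
! Assumptions: inside network 10.253.0.0/16, ISP next hop 1.1.1.253
! (constructed), access list 1 unused.
ip cef
!
interface Serial1/0
 description Internet connection - external
 ip address 1.1.1.254 255.255.255.0
 no ip proxy-arp
 ip nat outside
!
interface Ethernet1/1
 description Local Network Ethernet Connection - internal
 ip address 10.253.2.2 255.255.0.0
 no ip proxy-arp
 ip nat inside
!
! One-to-one translations for the Web and mail servers. Static entries are
! matched before the dynamic rule, so these hosts keep their fixed public IPs.
ip nat inside source static 10.253.1.1 1.1.1.1
ip nat inside source static 10.253.1.2 1.1.1.2
!
! Every other inside host is translated to the serial interface's own
! public address; "overload" multiplexes them by port number, so the
! internal addresses are never visible on the Internet.
access-list 1 remark Inside hosts eligible for dynamic NAT
access-list 1 permit 10.253.0.0 0.0.255.255
ip nat inside source list 1 interface Serial1/0 overload
!
! Default route: the next hop is the ISP router's address, never the
! network address of the link.
ip route 0.0.0.0 0.0.0.0 1.1.1.253
```

After applying it, "show ip nat translations" lists the two static entries permanently and the dynamic entries only while an inside host has a session open.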

Configuring access lists


Now, for some network security, let's configure the access lists. If you wanted to allow only
the HTTP protocol for the Web server and SMTP protocol for the mail server, the list would
look like this:
access-list 100 remark Begin -- IP .1 10.253.1.1 Web Server
access-list 100 permit tcp any eq www host 1.1.1.1
access-list 100 remark End ----------------------------------
!
access-list 100 remark Begin -- IP .2 10.253.1.2 Email Server
access-list 100 permit tcp any eq smtp host 1.1.1.2 gt 1023
access-list 100 permit tcp any host 1.1.1.2 eq smtp
access-list 100 remark End ----------------------------------

You would then apply it to the serial (Internet) interface with the following commands:
interface Serial1/0
 ip access-group 100 in

Since this is going to be an important point of network security, you would want a log of the
types of data being denied by your firewall. Although there is an implicit deny at the end of
every access list, those denies aren’t logged. I would suggest running a syslog server on your
network and telling the router to log, on the syslog server, all packets that are denied by your
firewall. In this example, if the Web server were also your syslog server, you would add the
following commands:
access-list 100 deny ip any any log
logging 10.253.1.1

Working with NBAR


So far, we really haven’t tapped into the FW/IDS feature set. Now we'll configure Network-
Based Application Recognition (NBAR), which is one of the firewall features. Basically,
NBAR recognizes “applications,” such as HTTP, MIME, PCAnywhere, Microsoft SQL
server, and many others, and takes action on them—most likely to discard the traffic.

For a simple example, let's use Cisco’s article on blocking the Code Red worm with NBAR.
First, create a class-map that defines the traffic, in this case, applications and names of files
that you want to block:
class-map match-any http-hacks
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"

Next, use a policy map to mark packets with these characteristics:
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1

Then, apply the policy map to the serial (Internet) interface:
interface Serial1/0
 service-policy input mark-inbound-http-hacks

NBAR is useful for blocking all types of worms that are slithering around the Internet or even
just known trouble-making executables that are distributed through e-mail or via
downloading from a Web page. NBAR is just one of the many features in the firewall feature
set; the others can be found in this Cisco configuration guide.

Using IDS features and other options


The other important aspect of network security is an intrusion detection system, or IDS. The
Cisco IDS will recognize “signatures,” or what I call "attack patterns." One example is
spamming a mail server. The IDS can recognize this is occurring and take whatever actions
you specify (drop packets, notify you, etc.).

I could write an entire article on configuring Cisco’s IDS. Since IDS is an optional part of
your firewall, I’ll save that configuration for another time and instead suggest you read
Configuring Cisco IOS Firewall Intrusion Detection System before you begin such
configuration.
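For a first look at what the linked guide covers, here is a minimal illustration of the IOS Firewall IDS commands. It is added here and is not the article's configuration; the audit name IDS-IN and the recipient threshold are choices made for this example, and the alarms go to the syslog server used elsewhere in the article.

```cisco
! Added example: minimal IOS Firewall IDS. Assumptions: audit name IDS-IN
! (made up), syslog server 10.253.1.1 as in the article.
! Send signature alarms to syslog rather than to a Director console.
ip audit notify log
ip audit po max-events 100
!
! Informational signatures (probes, unusual but harmless traffic) only alarm.
! Attack signatures alarm, drop the packet and reset the TCP session.
ip audit name IDS-IN info action alarm
ip audit name IDS-IN attack action alarm drop reset
!
! The article's example of "spamming a mail server": treat any SMTP message
! addressed to more than 50 recipients as a match for the spam signature.
ip audit smtp spam 50
!
! Audit traffic arriving from the Internet.
interface Serial1/0
 ip audit IDS-IN in
!
logging 10.253.1.1
```

"show ip audit configuration" and "show ip audit statistics" confirm which signatures are active and how often they have fired.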

A couple of other useful features in the firewall set are Context-Based Access Control
(CBAC) and TCP Intercept. CBAC recognizes “content” in packets and creates a dynamic
access list for that content.

An example is FTP traffic. If you wanted to allow users to FTP out of your network, you
could use CBAC rather than have those ports open all the time in your access list. Normally,
you would have the return FTP traffic denied back into your network. But CBAC will
recognize that the FTP outbound traffic was initiated from your network and dynamically
open up a port so that the traffic can return. This makes your network more secure because
when that type of traffic is not occurring, there is no “hole” (open port) in your network that a
hacker might be able to exploit.
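The following added example serves both the access-list section above and this CBAC discussion; it is not the article's own configuration. It rewrites access list 100 so that reply traffic for sessions started from inside (the mail server's outbound SMTP, users' FTP) is admitted by inspection instead of by a standing permit, adds entries that drop packets claiming a private or loopback source, and includes the logging the article recommends. It assumes the article's addresses and interfaces; the inspection rule name FW-OUT is made up here.

```cisco
! Added example: inbound access list plus CBAC. Assumptions: addresses and
! interfaces from the article, inspection rule name FW-OUT (made up).
!
! Packets from the Internet cannot legitimately carry a private or loopback
! source address; drop and log them before any permit is evaluated.
access-list 100 remark Drop packets claiming a private or loopback source
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
!
! Only the published services are reachable from outside.
access-list 100 remark Begin -- IP .1 10.253.1.1 Web Server
access-list 100 permit tcp any host 1.1.1.1 eq www
access-list 100 remark Begin -- IP .2 10.253.1.2 Email Server
access-list 100 permit tcp any host 1.1.1.2 eq smtp
!
! The article's "permit tcp any eq smtp host 1.1.1.2 gt 1023" lets any packet
! with source port 25 reach every high port on the mail server. With CBAC
! below, replies to the mail server's own outbound SMTP sessions are opened
! on demand, so that entry is not needed. Without CBAC, at least limit it
! to established sessions:
!   access-list 100 permit tcp any eq smtp host 1.1.1.2 gt 1023 established
!
! Explicit final deny so the drops are logged.
access-list 100 remark Everything else is denied and logged
access-list 100 deny ip any any log
!
! CBAC: inspect sessions leaving through Serial1/0 and create temporary
! openings in the inbound list for their return traffic. The ftp entry
! also tracks the separate data connection that FTP negotiates.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT ftp
ip inspect audit-trail
!
interface Serial1/0
 ip access-group 100 in
 ip inspect FW-OUT out
!
! Ship the denies and the inspection audit trail to the syslog server.
logging 10.253.1.1
logging trap informational
```

"show ip inspect sessions" lists the connections CBAC is currently tracking, and the inbound access list shows no high-port permits at all, which is the point: the openings exist only while a session is active.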

TCP Intercept can prevent denial of service (DoS) attacks on your network. TCP Intercept
will verify that a packet’s source is real before forwarding it on to its destination (your
server). If the incoming packet’s source does not exist, the router drops it before it ever
reaches your server and can chew up valuable processing time. This can stop DoS attacks in
their tracks.
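As an added example (not the article's own configuration), here is how TCP Intercept could be enabled for the two published servers. The access list number, the threshold values and the timeout are choices made for this illustration; it also assumes the intercept list matches the public server addresses, as the inbound access list does. Confirm on your router with "show tcp intercept connections" that new sessions are actually being caught.

```cisco
! Added example: TCP Intercept for the Web and mail servers. Assumptions:
! access list 110 unused, thresholds and timeout chosen for illustration.
!
! Which TCP connection requests to intercept: only those to the servers.
access-list 110 remark Connections protected by TCP Intercept
access-list 110 permit tcp any host 1.1.1.1 eq www
access-list 110 permit tcp any host 1.1.1.2 eq smtp
ip tcp intercept list 110
!
! intercept mode: the router answers the client's SYN itself and only opens
! the connection to the server once the client completes the handshake.
! SYNs from unreachable (spoofed) sources therefore never reach the server.
! watch mode would instead pass the SYN through and reset half-open
! connections that do not complete within the watch-timeout.
ip tcp intercept mode intercept
!
! Give up on an embryonic connection after 20 seconds (default 30).
ip tcp intercept watch-timeout 20
!
! Aggressive mode starts when more than 900 half-open connections exist, or
! more than 900 arrive in one minute, and ends once the count falls to 700.
! While aggressive, the oldest partial connection is dropped for each new one.
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 700
ip tcp intercept one-minute high 900
ip tcp intercept one-minute low 700
ip tcp intercept drop-mode oldest
```

"show tcp intercept statistics" shows the current half-open count and whether the router is in aggressive mode, which is what you would watch during a suspected flood.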

Summary

You can see what a variety of rich capabilities the Cisco IOS FW/IDS feature set offers. This
all-in-one router and firewall has been a money-saving solution for my company, and perhaps
it can be for yours as well. Although this article just scratched the surface of what you can do
with the Cisco IOS firewall, it should get you off to a good start. The links below will also
help you build and customize an IOS firewall to meet your needs.

Useful Cisco IOS firewall links

• Cisco IOS Upgrade Planner
• Cisco IOS Software
• Cisco IOS Security Configuration Guide, Release 12.2, Traffic Filtering and Firewalls Section
• Cisco IOS Firewall Overview
• Configuring Cisco IOS Firewall Intrusion Detection System
• Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
• Configuring Context-Based Access Control
• Access Control Lists: Overview and Guidelines
• Cisco IOS Security Command Reference, Release 12.2, Traffic Filtering and Firewalls Section
• TCP Intercept Commands
• Context-Based Access Control Commands
• Cisco IOS Firewall Intrusion Detection System Commands
• Cisco - Security Technical Tips
• Cisco - Configuring Network Based Application Recognition (NBAR)
• Cisco - Using Network-Based Application Recognition and Access Control Lists for Blocking the Code Red Worm
• National Security Agency (NSA): Cisco Router Security Configuration Guide
• National Security Agency (NSA): Cisco Router Security Configuration Guide EXECUTIVE SUMMARY
• TechRepublic: "Cisco's hidden gem: The IOS firewall"
• TechRepublic: "Get secure with Cisco extended IP access control lists"
• CertCities: The NBAR Defense
