ASK THE EXPERT - IOS SECURITY TECHNOLOGIES

Oct 5th, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on troubleshooting and deploying IOS firewall and IOS intrusion prevention system with Cisco expert Rachna Srivastava. Rachna is a product manager and technical marketing engineer for IOS URL Filtering solutions in Cisco's router security group in San Jose, California. She is responsible for bringing advanced Cisco IOS security solutions to market, while integrating customer and market security requirements with Cisco Integrated Services Routers. She has previously worked on Cisco IOS Intrusion Prevention Service as well as IOS Firewall as a technical marketing engineer. Rachna also has experience with application and implementation of Cisco managed security services with Cisco Integrated Services Routers.


Remember to use the rating system to let Rachna know if you have received an adequate response.


Rachna might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 19, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

yuliang11 Sun, 10/07/2007 - 18:22



Hi rachna,



1. Do you feel that 600-800 signatures in IOS IPS is sufficient for detection purposes, especially for a managed security services environment?



2) Do you have any other methods for custom signature deployments on ISR routers ?

a) I don't have CSM yet

b) SDM access to my routers has failed

c) Directly adding XML signatures to IOS-S301-CLI.pkg for IOS IPS 5.x has failed; I believe the package is encrypted.



3) IOS Firewall. We get a lot of dropped packets from %FW: stray segments, RST in current window, etc. These features were turned on by default. Is there any way to disable these features?


Thanks in advance.

rsrivast Mon, 10/08/2007 - 11:15

Hello, Please see the answers below.


1. Do you feel that 600-800 signatures in IOS IPS is sufficient for detection purposes, especially for a managed security services environment?


Rachna-> The number of signatures will depend on the attacks/vulnerabilities that you want to prevent and the level of service (protection) you have available for your managed security services customers. For example: you can use the pre-defined IOS IPS Basic category (approx. 400 pre-selected sigs) for bronze level, the Advanced category (approx. 580 pre-selected sigs) for silver level, and Advanced + additional signatures for Gold level.


These pre-defined sets (Basic and Advanced) contain high severity and high fidelity IPS signatures and worm/virus/IM/P2P signatures, and they provide a very good starting point for small offices and branches to use. You can either start from these sets of signatures or choose to create your own signature set depending on the type of services you provide to your customer.



2) Do you have any other methods for custom signature deployments on ISR routers ?

a) I don't have CSM yet

b) SDM access to my routers has failed

c) Directly adding XML signatures to IOS-S301-CLI.pkg for IOS IPS 5.x has failed; I believe the package is encrypted.


Rachna -> You can deploy custom signatures on ISR using:


1) CSM


2) SDM


3) or create your own XML and then use the "copy idconf" command to deploy it on the ISR. The following is the format for using the XML:


<?xml version="1.0" encoding="UTF-8" ?>

[XML sample: the element tags were lost when this page was extracted. What survives is the namespace http://www.cisco.com/cids/idconf, the attribute xmlns:id="http://www.cisco.com/cids/idiom", and the values 60000 and 0.]



3) IOS Firewall. We get a lot of dropped packets from %FW: stray segments, RST in current window, etc. These features were turned on by default. Is there any way to disable these features?


Rachna -> These errors can be caused by unusual applications and may need to be looked at in some more detail. Perhaps if you can send me more details, I can put you in touch with the appropriate product teams and they would be more than happy to help.


thanks




yuliang11 Mon, 10/08/2007 - 20:26

hi Rachna,


1. Thanks


2. That was very, very helpful indeed! I had major headaches struggling with the *.pkg file, trying to crack the Cisco IOS IPS signature format. There is not much documentation about these.


a) Do you have any recommendations on signature customization (performance when using different engines)? Best practices? Documentation on signature development?


b) Would you recommend signature management on a large scale of ISR routers by manipulating the *.pkg file?




3. Here are some details. Basically, to turn off these logs we had to turn off the whole IP inspect security feature. I understand Cisco's concern about unusual applications. I've sniffer-traced these logs and I do believe there are no major implications for the network, but dropped logs always raise a red flag when we are working with different IT teams :D



Due to RST:

503024: Sep 3 10:36:20.826 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to RST inside current window -- ip ident 53051 tcpflags 0x5014 seq.no 4089128565 ack 2915367815


Due to stray segments:

503026: Sep 3 10:37:10.434 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Stray Segment -- ip ident 11196 tcpflags 0x501 seq.no 4286787544 ack 896131408


Due to invalid segments:

503028: Sep 3 10:37:51.394 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Invalid Segment -- ip ident 59737 tcpflags 0x5004 seq.no 816531889 ack 0


Due to out of order segment:

Dropping tcp pkt *.*.*.*:* => *.*.*.*:* due to Out-Of-Order Segment -- ip ident 17939 tcpflags 0x5010 seq.no 3092955571 ack 401998231



Thanks again. You've helped me a lot.
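The four %FW-6-DROP_TCP_PKT messages above are easier to triage when parsed and counted by drop reason, TCP flag set and flow than when read one by one; the IOS "tcpflags" field is the raw 16-bit TCP offset/flags word, so 0x5014 decodes to a 20-byte header with ACK+RST, which is exactly the "RST inside current window" case. The script below is an added example, not code from the thread or from Cisco; the log lines it embeds are constructed to mirror the post's format, with RFC 5737 documentation addresses in place of the masked ones.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog, modelled on the %FW-6-DROP_TCP_PKT lines in the post.
# Addresses are RFC 5737 documentation ranges; ident/seq/ack values follow the post.
SAMPLE_LOG = """\
503024: Sep 3 10:36:20.826 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.0.2.10:443 => 198.51.100.7:51022 due to RST inside current window -- ip ident 53051 tcpflags 0x5014 seq.no 4089128565 ack 2915367815
503026: Sep 3 10:37:10.434 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.0.2.10:443 => 198.51.100.8:51030 due to Stray Segment -- ip ident 11196 tcpflags 0x5010 seq.no 4286787544 ack 896131408
503028: Sep 3 10:37:51.394 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 198.51.100.9:50000 => 192.0.2.10:443 due to Invalid Segment -- ip ident 59737 tcpflags 0x5004 seq.no 816531889 ack 0
503030: Sep 3 10:38:02.101 GMT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 192.0.2.10:443 => 198.51.100.7:51022 due to Out-Of-Order Segment -- ip ident 17939 tcpflags 0x5010 seq.no 3092955571 ack 401998231
503031: Sep 3 10:38:05.000 GMT: %SYS-5-CONFIG_I: Configured from console by admin
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) -- ip ident (?P<ident>\d+) "
    r"tcpflags 0x(?P<flags>[0-9a-fA-F]+) seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)

# Bit positions of the TCP control flags in the low byte of the offset/flags word.
TCP_FLAG_BITS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
                 (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def decode_tcpflags(word: int) -> Tuple[int, List[str]]:
    """IOS logs the 16-bit TCP offset/flags word: the high nibble is the header
    length in 32-bit words, the low bits are the control flags
    (0x5014 = 20-byte header, ACK+RST)."""
    header_len = (word >> 12) * 4
    names = [name for bit, name in TCP_FLAG_BITS if word & bit]
    return header_len, names


def parse_drop(line: str) -> Optional[dict]:
    """Return the fields of one drop message, or None for unrelated syslog lines."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ident", "seq", "ack"):
        rec[key] = int(rec[key])
    rec["flags"] = int(rec["flags"], 16)
    rec["header_len"], rec["flag_names"] = decode_tcpflags(rec["flags"])
    return rec


def summarize(log_text: str) -> Dict[str, dict]:
    """Count drops per reason and per (reason, flag set); the per-flow count shows
    whether one noisy connection or many hosts are producing the messages."""
    by_reason: Counter = Counter()
    by_reason_flags: Counter = Counter()
    by_flow: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_drop(line)
        if rec is None:
            continue
        by_reason[rec["reason"]] += 1
        by_reason_flags[(rec["reason"], "+".join(rec["flag_names"]))] += 1
        by_flow[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += 1
    return {"by_reason": dict(by_reason),
            "by_reason_flags": dict(by_reason_flags),
            "by_flow": dict(by_flow)}


if __name__ == "__main__":
    for bucket, counts in summarize(SAMPLE_LOG).items():
        print(bucket)
        for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {n:4d}  {key}")
```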

kemal Wed, 10/10/2007 - 13:53

Hi,


Regarding #2 above, most recent documentation on IOS IPS can be found at http://www.cisco.com/en/US/products/ps6634/prod_white_papers_list.html


Regarding 2a), we do not have documentation regarding creation of custom signatures specifically for IOS IPS as rules and parameters of custom signatures are the same for IOS IPS and stand-alone Cisco IPS sensors and modules. Both Router and Security Device Manager (SDM 2.4.1) and Cisco Security Management (CSM 3.1.1) applications provide intuitive wizards for custom signature creation. Those wizards allow you to clone existing signatures with customized/modified parameters and, if desired, one can create a completely new signature from scratch, defining packet parameters and strings or regular expressions to match. Most custom signatures use ATOMIC.IP engine if the signature is not stateful and looking for a match in IP or TCP/UDP headers, or use STRING.TCP or STRING.UDP engine otherwise.


In terms of best practices regarding selecting among Cisco-provided signatures, we recommend starting with the IOS Basic or IOS Advanced categories depending on available memory (see http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml) and adding individual signatures based on the most common protocols and related vulnerabilities potentially impacting a customer's network, as well as the signatures' severity and fidelity rating (also called SFR).


Regarding 2b), it is NOT possible to manipulate *.pkg files, as they are digitally signed. To deploy IPS policies to large number of routers, with custom selection of Cisco-provided signatures and respective actions and possibly custom-written or cloned signatures, our recommendation is to use SDM to create the desired policy on a single (staging) router and after proper testing that all selected signatures load successfully and custom signatures work as intended, distribute IPS files created on the flash to the large # of routers using image/file distribution facility within the Cisco Config Engine (CNS) application. For more information on how to do this, please contact myself ([email protected]) or Alex Yeung ([email protected]).


Kemal Akozer

Cisco IOS IPS Product Manager

rsrivast Wed, 10/10/2007 - 14:34

Also, for the FW issue, I have passed on your question to the appropriate teams. In the meanwhile, you can give me your contact information so they can get back to you.

thanks

acharyr123 Mon, 10/15/2007 - 20:37

Hello,


Do you feel we can replace PIX/ASA in an organization if we choose the security bundle (with HSEC) on a router?



rsrivast Tue, 10/16/2007 - 12:03

hello

thanks for your question. The correct answer is it depends.


On:


1. Size of the organization

2. Hosts you want to support

3. What do you want your router to do.


We typically recommend ISRs in a branch scenario; there is feature parity with the ASA/PIX on security features, with minimal performance impact, and it does not impact the routing functions.


But, in general for a branch, ASA/PIX can be replaced with ISR.


thanks

russellderr Mon, 10/08/2007 - 06:32

This is an edited copy from my original post!!


Upon adding an IOS IPS device running (C2800NM-ADVIPSERVICESK9-M, Version 12.4(15)T1) and 5.x-303 release signatures, CSM 3.1 does not display it as an IPS enabled device. The device in question (2821) has a stand-alone config and 5.x advanced signatures functioning properly.


In the device properties of CSM 3.1 for said 2821, IPS is a feature but is grayed out. I have successfully added 2 ADSM modules from our 6513s and it displays them as IPS devices and I can add/deploy signatures to these devices. However, CSM 3.1 does not recognize the 2821 as an IOS IPS device and I cannot add/deploy to this device. What am I missing here?



rsrivast Mon, 10/08/2007 - 11:36

Hello,


You will need to use IPS Update from CSM 3.1, and once signatures are compiled from CSM, the device will be ready to use.


Follow this document

http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd8066d280.shtml


Step 15 - is when you start the IPS updates, assuming the device is already bootstrapped for IOS IPS


Please let me know if you have more questions. thanks!

russellderr Tue, 10/09/2007 - 07:31



I have figured this out. Your comment and document do not answer the question as they do not address the issue. I cannot use the IPS updater if CSM doesn't recognize the platform as an IPS enabled device!! I have found that CSM 3.1.0 and 3.1.1 do not support IOS version 12.4(15)T1. They only support the IOS IPS feature in the 12.3(14)T4, 12.4M, 12.4(2)T, 12.4(4)T, and 12.4(11)T2 releases.


Once I rolled back the IOS to (11), CSM recognized IPS. Caveat: new issues have arisen!! Bonus!


More to follow as the bugs arise!

anitakuang Mon, 10/08/2007 - 14:51

Hi Rachna,


I purchased a base-licensed ASA 5505 recently and attempted to configure SSL VPN. This project created 2 internal interfaces, denoted as inside and DMZ, which are allowed to access the Internet using NAT. The outside interface was connected to an Internet router, a Netgear DG632 configured as "half bridge". However, I got stuck in the initial setup using ASDM 6.02. Despite repeated testing and modifying, it still had no effect. The three interfaces are assumed to work as below:


Inside (PC)--- dhcp 192.168.1.2-192.168.1.33--- access Internet using NAT, talk to DMZ


DMZ (server)--- 192.168.2.1 --- access Internet using NAT, restrict traffic from DMZ to internal


Outside --- dhcp setroute????


On the other hand, the Netgear turned out to be working properly. It can pass the external IP address directly and browse the Internet with no problem at all. However, when the Netgear worked with the ASA, it ended up being frustrating.


Here is my running config and my question is how to fulfill internet access using CLI.




Any advice would be greatly appreciated ^_^





ASA Version 8.0(2)
!
hostname firewall
domain-name domain.default.invalid
enable password eyGCl5bdTW9mecaw encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool cisco 192.168.1.200-192.168.1.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
dhcpd dns 192.168.1.1
dhcpd wins 192.168.1.1
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.1.1 interface inside
dhcpd wins 192.168.1.1 interface inside
!
!Cryptochecksum:10eaa5848790f456d9ea72ff4c4f21b6
: end



rsrivast Mon, 10/08/2007 - 22:56

hi Anita


I mainly specialize in IOS security features, not ASA. Also, this forum mainly covers IOS security topics.


However, please feel free to contact the ASA product team for an appropriate answer to your question. Let me know if I can help in any other way.


thanks

anitakuang Tue, 10/09/2007 - 14:58

Hi Rsrivast,


Thanks for your quick replies.


I made some progress today with DHCP on the outside interface. My ASA can obtain an external IP from the DSL router at least. However, no luck in accessing the Internet.


As mentioned earlier, my set up is:


Internet--> DSL router--> ASA 5505




Here is the result of issuing the "sh route" and "sh ip" commands.


C 127.1.0.0 255.0.0.0 directly connected

C 192.168.1.0 255.255.255.0 direcly connected

C 125.xxx.xxx.xxx 255.255.255.255 direcly connected

d* 0.0.0.0 0.0.0.0 [1/0] via 125.xxx.xxx.xxx



Vlan 1: 192.168.1.1 255.255.255.0

Vlan 2: 125.xxx.xxx.xxx 255.255.255.255


Could you please give me a clue on Internet access?


Many thanks


Anita



rsrivast Tue, 10/09/2007 - 16:40

hi Anita


While I am not an expert in ASA, please do check whether the FW permissions are set correctly in the ASA, which may block internet access. Please do post this on the appropriate ASA forums to get a better answer. thanks



varun_vicky2000... Mon, 10/08/2007 - 19:45

Hi everyone,

I am a graduate working in the field of entertainment (video editing). I would like to pursue a course in CCNA. Can anybody guide me on what the course is like? How much time does it normally take to complete it? Cost? Job prospects? Is mathematics knowledge required? Is it a really hard course (how many hours of study are required every day to clear this certificate)? Do you think it is really useful?


jsteffensen Tue, 10/09/2007 - 01:57

Hi Rachna


I have a question related to ISR Routers with DMZ and NAT, because it seems that the ASA/PIX are much more flexible regarding the NAT configuration.


1. Source & Destination NAT

Is it possible to configure static Destination NAT from DMZ to the inside interface at the same time as Source NAT from DMZ to the outside?

(This should make it possible to access the DMZ servers using the "Public" IP address from both internet and inside LAN)


2. NAT ENABLE

Are there any in-depth whitepapers on CCO which describe how "NAT enable" works in detail?

(this relates to how NAT is done when utilizing multiple DMZs, with a full mix of when Inside/DMZ traffic between the interfaces should be NATted or not)


Best Regards


Jarle Steffensen

rsrivast Wed, 10/10/2007 - 23:22

hi Jarle


You should be able to follow this document to figure out your configuration


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094111.shtml


Also, depending on what IOS image you have, you can use either classic FW or Zone based FW.


Here is the link for all NAT related Cisco documentation. I will check for what you are looking for specifically and will get back to you. Can you please provide me your contact information? thanks

http://www.cisco.com/en/US/products/ps6640/products_ios_protocol_group_home.html

jsteffensen Wed, 10/10/2007 - 23:56

Hi Rachna.


Thanks for your answers so far. It would be great if you could contact me.

steffensen[at]netcloud[dot]ch

The first link does not contain any NAT configuration (which is the tricky part).


I'll need some time to read the information on the second link, but the pages look "familiar"....


Best Regards


Jarle Steffensen

spycampers Tue, 10/09/2007 - 07:02

If office Bravo has a network of 10.1.0.0/16 and office Cindy has a network of 10.2.0.0/24, routed together via 2 routers for the two offices:


A) What is the maximum number of machines that office Cindy and office Bravo can have?


B) Assuming both machines are running Linux, write down the route commands to configure a node for both offices, so that IP forwarding can occur between the 2 networks.


c) Write down the commands to configure the interfaces on the 2 routers and a node from both offices.


d) Is there any reason why there would be a network solely for the routers? If so, what is it?




rsrivast Tue, 10/09/2007 - 16:08

hello, thanks for your question. You will get much better help if you post in the appropriate routing forums.


thanks again!

Manjunatha Jayaram Mon, 10/15/2007 - 00:38

Hi Rachna,


I am facing a peculiar issue: when I try accessing a particular driver site of HP, the page is not getting displayed. My PC passes through the ASA running version 7.2.3, which then has a next hop router to the Internet. I did face the same problem for many other sites, but it got resolved after I applied the TCP MSS based commands mentioned below.

------------------------------------------
tcp-map mss-map
 exceed-mss allow
access-list http-list extended permit ip any any
access-list http-list extended permit tcp any any
class-map http-map1
 match access-list http-list
policy-map http-map1
 class http-map1
  set connection advanced-options mss-map
service-policy http-map1 interface outside
----------------------------------------

But this driver site of HP alone is not accessible. When I place my PC above the firewall with the gateway directly as my router, it works fine. Please let me know if there is some way to resolve this problem.


Regards...Jithesh

rsrivast Tue, 10/16/2007 - 12:46

hello Jithesh


Do you have any firewall turned on on your router? Are you saying the ASA is the one blocking access to the driver site? If yes, I can pass your question to the relevant ASA teams, who can see if there's a particular knob you may have to turn off.


thanks

Manjunatha Jayaram Thu, 10/18/2007 - 04:23

Thanks a lot for your response Rachna.


There is no firewalling in the router.


I strongly feel the ASA is blocking it, because I am able to open it from the DMZ but not from the Inside.


Kindly help me do those fine tunings to get the driver site access.


regards..Jithesh

rsrivast Thu, 10/18/2007 - 09:55

hi Jithesh

I have passed your question to the ASA team. Please also post it on the appropriate ASA forums for a faster response.


thanks

rachna

nhuan022354 Tue, 10/09/2007 - 10:43

Hello Rachna,

Let's imagine that there is a transparent L2 link between campuses A and B, connected to each other with UTP gig copper ports on 6513 blades. CDP is enabled on both ports.


Suppose we insert ASA5510s at both ends, between the 6513 ports and the transparent link ingress ports (the same at both ends). The ASA will run in transparent firewall mode and multiple security context mode, and according to TAC, the ASA will block CDP packets between A and B.


Please advise:

1. Is that true that the 6513s don't care about CDP packets between them anyway in order to route ospf?

2. Does the ASA only block CDP packets between inside (security 100) and the outside (security 0) to the internet, and NOT the other INTERNAL available ports (if we set security to 100)? There are 5 10/100 ports on the ASA5510.


6513 ---A------------B-----6513

6513----ASA---A-------B----ASA-----6513 ?


Thanks for your time.


Leo Le


chaitanya_rce Tue, 10/09/2007 - 22:52

Can you please help me in solving how to retrieve data from the XML file using the Get XML Document Data step in Cisco CRS Editor. My XML file is as follows:


<?xml version="1.0" standalone="yes"?>

[XML sample: the element tags were lost when this page was extracted. The two sets of node values that survive are 58.0625 / 0.67114094 and 58 / 0.67.]

Can anyone help me in retrieving the second set of node elements, what should be the XML Path to retrieve the second set of node elements.

rsrivast Wed, 10/10/2007 - 23:11

hello Chaitanya


I have passed your question on to the CRS product team. I will get back to you on it as soon as I hear from them. I mainly specialize in IOS security, please feel free to post this question on the appropriate forums. thanks

rsrivast Wed, 10/10/2007 - 07:08

Hello Leo Le


While I am not an expert on either the 6500s or the ASA, some initial research did suggest that the 6500s do not care about CDP packets to route OSPF. However, it is best if you posted the question on the ASA forum for a better answer.


thanks

bvj197222 Wed, 10/10/2007 - 00:58

I am running Cisco ASDM 5.2 for PIX, but have problems with logging. I want to see which traffic is accepted for a certain rule. I right-click the rule and choose "show log" - and nothing appears in the realtime monitor! I know traffic is hitting this rule because the hit counters are increasing. When I use the realtime monitor without filtering it's swamped with log entries. What is wrong??? My logging config is:

Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: level debugging, 424341 messages logged
Buffer logging: level debugging, 190895 messages logged
Trap logging: level errors, facility 20, 59690 messages logged
Logging to inside 10.50.0.254
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level debugging, 19572899 messages logged

rsrivast Wed, 10/10/2007 - 07:00

hello,

I am not an expert in PIX. It would be best if you posted this question on the appropriate PIX forums.


thanks!

fredj1234 Wed, 10/10/2007 - 10:34

Hi,


I want to use a 2811 router as an IOS firewall/IPS/edge router. First I was wondering if there's any specific documentation or configuration samples you could provide for this setup.

Also, I've noticed that the SDM firewall generated config has significantly changed over the past SDM versions. It's gone from primarily using CBAC to now using class-maps (C3PL?) in the SDM generated configuration. Could you explain why?


My last question is, how much dedicated memory do you need for IOS IPS to work in a production environment? I use the Advanced Enterprise IOS, which requires 256 MB. Would I need more than 256 MB to activate the IPS on my IOS router? How much additional memory, if any, would it require?


Thanks in advance.

rsrivast Wed, 10/10/2007 - 15:35

Hello

thanks for your question.


If you go to http://www.cisco.com/en/US/products/sw/secursw/ps1018/prod_white_papers_list.html , there are many documents that point to best practices and design guides for ISR as an edge router. You can look at the Legacy FW document to start with.


IOS is moving towards Zone based firewall, which is different from the old CBAC method of configuring firewalls. The idea is to assign policies to logical interfaces rather than actual physical interfaces. SDM reflects this new change and the configuration is class map based.


For IOS IPS, it depends on the signatures you want to use. Different signatures require different amounts of memory. 256MB is good for IOS IPS to start. Please take a look at www.cisco.com/go/iosips for more details on signature recommendations.


thanks



It seems almost nobody is using IOS routers for security purposes ;) and the following explains why.


During the testing of the 12.4(15)T1 I've found the following caveats in the IOS IPS v5:


1. SDM 2.4.1 doesn't show signatures (the screen is empty; signatures are loaded and working ok). CLI doesn't have signature-editing commands. This basically means that editing of signatures is not possible at all (editing of XML is not an option IMO).


2. SDM 2.4.1 produces an error when one goes into the RR (SEAP) section. CLI only allows to specify TVRs. It doesn't have commands to create event action overrides / event action filters.


3. IEV 5.2 is unable to connect to the router to retrieve alerts.


4. CLI "show ip sdee alerts" doesn't show alert details (it even doesn't show event-actions applied).


5. It seems that deny-connection-inline is not functioning at all. Deny-attacker-inline blocks connection instead of an attacker - ping can still go thru. CLI doesn't have a command to see denied-attackers list. You even cannot clear denied-attackers.


6. IPS can easily be evaded by using incorrect TCP checksums - checksums are not verified by either IPS or IOS firewall.


7. Contrary to the documentation, TCP reassembly code is not integrated with IPS or is integrated improperly. IPS can easily be evaded by sending more than 16 TCP segments in reverse order. This has been verified to work.



Could you please comment on this? Could you please post here the Bug IDs of the above caveats so we will all be able to track them?


Regards,

and the list of bugs to be continued in my next message.
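Caveat 6 above is a reminder of why an inspection engine should check TCP checksums before it matches a segment: a receiving host silently discards a segment whose checksum fails, so an inspector that accepts the same segment no longer sees the byte stream the endpoint sees. The checksum verification below, written from the defender's side for a pre-inspection or pcap-triage filter, is an added example and not Cisco code; `build_packet` only constructs sample IPv4/TCP packets with RFC 5737 addresses so that the check can be exercised offline.

```python
import socket
import struct
from typing import List, Tuple

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words; an odd trailing
    byte is padded with zero and carries are folded back into 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, protocol, TCP length)
    followed by the TCP segment with its own checksum field zeroed (RFC 793)."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def tcp_checksum_ok(packet: bytes) -> bool:
    """True only for a well-formed IPv4/TCP packet whose TCP checksum verifies.
    Anything truncated, non-TCP or mismatched is reported as bad."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != TCP_PROTO or ihl < 20 or total_len > len(packet) or total_len < ihl + 20:
        return False
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src, dst, segment) == stored


def filter_for_inspection(packets: List[bytes]) -> Tuple[List[bytes], int]:
    """Pass only checksum-valid segments on to reassembly/inspection and count
    the rest, so bad-checksum traffic shows up in statistics instead of being
    matched against signatures as if the endpoint had accepted it."""
    good = [p for p in packets if tcp_checksum_ok(p)]
    return good, len(packets) - len(good)


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int,
                 flags: int, payload: bytes, corrupt: bool = False) -> bytes:
    """Construct a sample IPv4/TCP packet for the demonstration (constructed test
    data, not captured traffic). corrupt=True stores a deliberately wrong checksum."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    segment = tcp_hdr + payload
    csum = tcp_checksum(src, dst, segment)
    if corrupt:
        csum ^= 0x00FF
    segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    # version/IHL, TOS, total length, ident, flags/frag, TTL, proto, hdr csum (unused), src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         64, TCP_PROTO, 0, src, dst)
    return ip_hdr + segment


if __name__ == "__main__":
    request = b"GET / HTTP/1.0\r\n\r\n"
    pkts = [
        build_packet("192.0.2.10", "198.51.100.7", 40000, 80, 0x18, request),
        build_packet("192.0.2.10", "198.51.100.7", 40000, 80, 0x18, request, corrupt=True),
    ]
    good, dropped = filter_for_inspection(pkts)
    print(f"{len(good)} segment(s) passed to inspection, {dropped} discarded for bad checksum")
```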





rsrivast Thu, 10/11/2007 - 07:08

Hello


thanks for the comments.


I spoke with Kemal from our product team as well as the SDM teams, and they mentioned they have already written to you about these questions. Please feel free to contact the SDM teams as well as Kemal directly for more answers.


thanks

This message is about caveats in Zone-based Policy Firewall.


1. GRE traffic is not controlled by anyzone->self zone policy.


2. Multicast traffic is not controlled by anyzone->self zone policy.


3. There is no option to generate unreachables if "drop log" is specified. Unreachables are not generated by default.


4. There is no command to disable SMTP guard. If SMTP is inspected the guard is always ON.


5. It is not possible to modify "parameter-map type inspect default": "% parameter-map default cannot be configured or deleted". This basically means that one should create another parameter-map and apply it to _every_ "inspect" statement !?


6. It is absolutely not possible to manage ZPF. "show policy-map type inspect zone-pair sessions" doesn't pause output (!) It shows too much info (many screens). It is not even possible to see just firewall sessions (!) It is not possible to see only sessions of the specific policy-map.


7. Deep HTTP inspection doesn't work. yahoo.com isn't opening at all - even if _all_ actions are to allow traffic (!). The error message is: "%APPFW-4-HTTP_PROTOCOL_VIOLATION".


cisco.com opens with errors. For example: "%APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (16) detected"


"%APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10" is produced constantly. This leads to TCP resets even if all actions are to allow traffic.


8. The size of a typical ZPF configuration is 10-15 times larger than the size of a classic IOS Firewall configuration. Class-maps and policy-maps are not sorted in the config. The CLI doesn't have an option to reorder/edit class-maps within the policy-map. This makes ZPF absolutely unmanageable.



Could you please comment on this. What Bug IDs are assigned to the above defects?


my 2 cents.





bstiff Tue, 10/16/2007 - 13:34

I can respond with DDTS numbers for the issues that you mention that are truly bugs. Many of your other points are known issues and are being addressed by product management and engineering teams. Some of the DDTS numbers may be enhancement requests, which are not accessible to customers.



1. GRE traffic is not controlled by anyzone->self zone policy.


CSCse90875


2. Multicast traffic is not controlled by anyzone->self zone policy.


* Multicast inspection is not part of the present scope of ZFW. Please email a note if you would like to discuss your business case and requirements.


3. There is no option to generate unreachables if "drop log" is specified. Unreachables are not generated by default.


* This is by design. Yours is the first comment that I have seen that this behavior is undesired.


4. There is no command to disable SMTP guard. If SMTP is inspected the guard is always ON.


* If you don't want SMTP/ESMTP conformance checking and controls, you can inspect SMTP without application inspection by applying a class-map matching "protocol tcp" and an ACL allowing TCP 25.


5. It is not possible to modify "parameter-map type inspect default": "% parameter-map default cannot be configured or deleted". This basically means that one should create another parameter-map and apply it to _every_ "inspect" statement !?


CSCsj00045, CSCsi09310

* Options to address these and other capabilities are being discussed among product management team.


6. It is absolutely not possible to manage ZPF. "show policy-map type inspect zone-pair sessions" doesn't pause output (!) It shows too much info (many screens). It is not even possible to see just firewall sessions (!) It is not possible to see only sessions of the specific policy-map.


CSCsh12559


7. Deep HTTP inspection doesn't work. yahoo.com isn't opening at all - even if _all_ actions are to allow traffic (!). The error message is: "%APPFW-4-HTTP_PROTOCOL_VIOLATION".


cisco.com opens with errors. For example: "%APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (16) detected"


"%APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10" is produced constantly. This leads to TCP resets even if all actions are to allow traffic.


* Changes will be made in the long term to address this issue. Use of medium- or high- security SDM firewall profiles is discouraged in cases where this behavior is seen. This is generally the result of differences of RFC interpretation between application- and security-software developers.


8. The size of a typical ZPF configuration is 10-15 times larger than the size of a classic IOS Firewall configuration. Class-maps and policy-maps are not sorted in the config. The CLI doesn't have an option to reorder/edit class-maps within the policy-map. This makes ZPF absolutely unmanageable.


CSCsj47547

Rachna,


1. Could you please give us a detailed explanation of the following (Classic) IOS Firewall command:


ip inspect tcp block-non-session


2. Is it possible to kill specific IOS firewall session? For example, suppose we have PCs infected by a worm. It can take a lot of time to locate and isolate those PCs in a big network. How can we block _established_ sessions of those PCs on a router? (An ACL will not work, because the sessions are already established -- they are managed by IOS Firewall code)


Thx.



rsrivast Wed, 10/10/2007 - 23:07

hello, thanks for your question


This feature denies any externally initiated TCP sessions. There is a command line option to enable the ICSA requirement of dropping non-initiating TCP traffic if CBAC is configured for the protocol. It prevents transmission of TCP packets prior to a valid 3-way handshake being completed (SYN -> SYN,ACK -> ACK), through the CFP on RSSP ports with any combination of TCP flags set.


You can also limit the number of sessions to prevent some common attacks. Please take a look at http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00808b7200.shtml for more information.


I am checking on the possibility of killing a possible FW session, and will get back to you when I get an answer.


thanks


Thank you for the reply.


How does CBAC decide which "non-initiated" TCP traffic should be blocked?


Suppose we have a 3-interface firewall with inside, outside and dmz interfaces. "ip inspect in" is configured on the inside interface and absolutely no ACLs are configured (just to better understand the sense of the "ip inspect tcp block-non-session" command).


1. Will this command block all TCP traffic (both SYNs and non-initiating) coming from the outside to the dmz, because the outside interface doesn't have inspection configured and the session table is not built for traffic initiated from the outside?


2. If SYNs are permitted to come from outside to the dmz and inside, what will happen with the returning traffic? Will SYN+ACK go back through the dmz interface (no inspection rule)? Will SYN+ACK go back through the inside interface (there is an inspection rule for TCP on this interface)? This SYN+ACK traffic should be treated as non-initiated, because the session table is not built for sessions originated from the outside, right?


3. Does this command mean "SYNs are passed subject to the ACLs configured; all other TCP traffic is passed _only_ in case the session state is created by the SYN"? If yes, does this mean that configuration of the TCP inspection is a must on _all_ the firewall interfaces, in case this command is used?



rsrivast Fri, 10/19/2007 - 00:18
User Badges:

You are correct; also, TCP inspection is a must if the ip inspect tcp block-non-session command is used.

Rachna,


IOS 12.3T introduced the


ip inspect log drop-pkt


command. Now we can see messages about dropped packets like this: %FW-6-DROP_PKT : Dropping [chars] pkt [IP_address]:[int] => [IP_address]:[int].


Could you please explain _all_ the reasons why IOS Firewall is dropping packets, so we can understand how it verifies incoming traffic. The most interesting one is "stray TCP segment...".



rsrivast Thu, 10/11/2007 - 13:58
User Badges:

"Stray segment" messages with packet drops should be seen when an unexpected packet is seen during a TCP state change. The reasons are:


1. When a responder in a TCP three-way handshake returns an unexpected, out-of-turn packet to the initiator (in addition to, or instead of, the expected SYN+ACK).

2. A packet with the RST flag set, or a packet that CEF cannot handle, is seen from either peer during TCP_TIMEWAIT during connection closure.

thanks
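As an added illustration (not code from the thread or from Cisco), a small parser for the %FW-6-DROP_PKT format quoted above, run over constructed syslog lines: it tallies drops per reason and flags sources that repeatedly trigger stray-segment drops, which is the kind of triage the earlier worm-hunting question asks for. The reason strings, timestamps and addresses in the sample are constructed, not real IOS output.

```python
import re
from collections import Counter

# Pattern for the message format quoted in the thread:
#   %FW-6-DROP_PKT : Dropping [chars] pkt [IP]:[port] => [IP]:[port]
# It is anchored on the mnemonic, so any syslog prefix (timestamp,
# sequence number) before it is tolerated.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT\s*:\s*Dropping\s+(?P<reason>.+?)\s+pkt\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*=>\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_drop(line):
    """Return a dict for one %FW-6-DROP_PKT line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = rec["reason"].lower()   # normalise for counting
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize_drops(lines, stray_threshold=3):
    """Count drops per reason and return sources whose stray-segment drops
    reach the threshold (hosts worth a closer look, e.g. a scanning worm)."""
    by_reason = Counter()
    stray_by_src = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue                       # APPFW or unrelated syslog line
        by_reason[rec["reason"]] += 1
        if "stray" in rec["reason"]:
            stray_by_src[rec["src"]] += 1
    noisy = sorted(s for s, n in stray_by_src.items() if n >= stray_threshold)
    return by_reason, noisy


# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    "*Oct 11 13:58:01.123: %FW-6-DROP_PKT: Dropping Stray Segment pkt 192.0.2.7:4431 => 198.51.100.10:80",
    "*Oct 11 13:58:02.001: %FW-6-DROP_PKT: Dropping Stray Segment pkt 192.0.2.7:4432 => 198.51.100.10:80",
    "*Oct 11 13:58:02.555: %FW-6-DROP_PKT: Dropping Stray Segment pkt 192.0.2.7:4433 => 198.51.100.11:445",
    "*Oct 11 13:58:03.010: %FW-6-DROP_PKT: Dropping Stray Segment pkt 192.0.2.9:51000 => 198.51.100.10:80",
    "*Oct 11 13:58:03.400: %FW-6-DROP_PKT: Dropping RST in current window pkt 192.0.2.9:51001 => 198.51.100.10:80",
    "*Oct 11 13:58:04.000: %APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10",
]
```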


harinirina Thu, 10/11/2007 - 06:46
User Badges:

Hi Rachna,


We've configured an IOS IPS on a 1760 router.

We'd like to test it before implementation.


Can you give us some idea on how to test it, tools used to simulate attacks, software used for monitoring and management.

rsrivast Fri, 10/12/2007 - 15:23
User Badges:

Hello


Once you have configured IOS IPS, you can try some Metasploit tools available freely on the internet.


For monitoring and management, SDM as well as CSM 3.0 can be used. CS-MARS is good for viewing attack vectors and monitoring as well.


thanks

kemal Fri, 10/12/2007 - 15:51
User Badges:

In addition, there are tools available for purchase as well, such as Core Impact. If you already have a stand-alone IDS/IPS appliance (sensor) in your network, you can route traffic that is inspected by that sensor to this 1760 router to see if it detects/stops the same attacks as the stand-alone IDS/IPS sensor.


What you can use for management and event monitoring depends on the IOS image you are running, although CS-MARS can be used for all versions if you enable Secure Device Event Exchange (SDEE) based alarms. Cisco IPS Event Viewer, a free application, can also be used if you are running a 12.4(11)T2 or later IOS image, in which case you need to use SDM 2.4.x or CSM 3.1.1 for IPS management on single or multiple routers, respectively.


How much memory do you have on the 1760? Although supported, the 1760 is an old platform to run the IPS feature on.


Kemal Akozer

Cisco IOS IPS Product Manager

harinirina Sat, 10/13/2007 - 05:25
User Badges:

Hi all,



Thanks both for your reply.


We have CSM, its version is 3.0. Is it OK for managing IPS? We added the device from Security Manager but we couldn't have it under sensor on IPS manager. Do you have any idea what's the reason for that?


The IOS the 1760 is running is: c1700-advipservicesk9-mz.124-4.XC6.bin



We have a 3725 and a 2811; which do you suggest to run IPS on?



Is Cisco IPS event viewer free or not?

kemal Sat, 10/13/2007 - 11:07
User Badges:

You need to cross-launch IPS-MC from CSM 3.0 to manage IPS on a router running that image. It is a different application. I would suggest the 2811, which should have a minimum of 128MB DRAM, which is the lowest amount of memory the IPS feature needs. Yes, IEV is free and supports up to 5 devices. However, it has not been tested to operate with that relatively old IOS image.
