Deploying IOS firewall feature set

Answered Question
Jul 18th, 2008

Hi All,


We are trying to deploy the firewall feature in the 2811 router by using SDM 2.5. We chose the option for basic firewall setup. It required us to choose trusted and untrusted interfaces and we did the same. It added an access-list inbound on the trusted interface and an ip inspect command on the untrusted interface.


Also, initially we want to allow all traffic from the untrusted interface to the trusted interface, so we manually permitted ip any to the inside network block? Is that right?


We have another question: we would be having another interface on that router to connect to a different network and preferably don't want to configure that interface as trusted or untrusted. In this scenario, will any traffic originating from the non-defined interface be able to access the trusted interface or also the untrusted interface?


Any help would be really appreciated


Thanks


Regards

Anantha Subramanian Natarajan





Correct Answer
husycisco Fri, 07/18/2008 - 09:58

Hello Anantha,

"Also, initially we want to allow all traffic from the untrusted interface" That would entirely break the idea of deploying the IOS Firewall. The nature of the stateful firewall that comes with the IOS firewall feature set is to block all traffic from an untrusted interface by default, then only allow the return traffic of connections originated from a trusted interface (inspection). And you also can permit some traffic that you trust manually.

"We have another question: we would be having another interface on that router to connect to a different network and preferably don't want to configure that interface as trusted or untrusted. In this scenario, will any traffic originating from the non-defined interface be able to access the trusted interface or also the untrusted interface?"

If the inspection rule is applied to the outbound direction of the untrusted interface, feel free to unset other interfaces as trusted.


Regards


anasubra_2 Fri, 07/18/2008 - 10:07

Hi,


Thank you very much for the answer...


The background of this deployment is for one of our customers. They just want to enable CBAC and on day one want to permit all traffic in either direction. Later it seems they would be managing the CBAC in such a way that it could effectively provide stateful firewall inspection as you were mentioning...


Yes, we are planning to set the ip inspect on the outbound direction of the untrusted interface, and so as per my understanding from your comment, we should be able to leave the other interface undefined. If this understanding is not correct, please let us know; otherwise, thank you very much for the help.


Regards

Anantha Subramanian Natarajan

Correct Answer
husycisco Fri, 07/18/2008 - 10:38

Anantha,

"we should be able to leave the other interface undefined"

Yes, you can leave them undefined. Setting an interface as "trusted" only adds an ACL inbound to that trusted interface which denies traffic that appears to originate from other interface subnets, which is against spoofing attacks, and permits the rest of the traffic. This approach does not actually cause an administrative overhead, so it is for your benefit to choose an interface as "trusted" or "untrusted", but since it has no relationship with inspections, you can leave them unset.


Regards
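
Pulling the two answers above together (inspection applied outbound on the untrusted interface, the default-deny ACL inbound on it, the anti-spoofing ACL that SDM's "trusted" setting adds inbound on the trusted interface, and a third interface left undefined) as an IOS configuration sketch. This is an added example, not configuration from the thread or from SDM's generated output; interface names, subnets and the inspect rule name are assumed.

```cisco
! Added example, not from the thread. Interface names and addresses are assumed.

! Stateful inspection rule (CBAC). Applied outbound on the untrusted interface,
! so sessions leaving through it are tracked and their return traffic is admitted.
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
ip inspect name FW_INSPECT icmp

! Inbound ACL on the untrusted interface: everything is blocked by default.
! CBAC inserts temporary permit entries for return traffic ahead of these lines;
! any traffic you trust must be permitted here explicitly.
ip access-list extended UNTRUSTED_IN
 remark inside and third-interface subnets must never arrive from outside
 deny   ip 10.1.1.0 0.0.0.255 any
 deny   ip 192.168.50.0 0.0.0.255 any
 deny   ip any any log

! Inbound ACL on the trusted interface, the only thing SDM's "trusted" setting
! adds: drop packets whose source claims another interface's subnet, permit the rest.
ip access-list extended TRUSTED_IN
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 192.168.50.0 0.0.0.255 any
 permit ip any any

interface FastEthernet0/0
 description trusted (inside)
 ip address 10.1.1.1 255.255.255.0
 ip access-group TRUSTED_IN in

interface FastEthernet0/1
 description untrusted (outside)
 ip address 203.0.113.2 255.255.255.0
 ip access-group UNTRUSTED_IN in
 ip inspect FW_INSPECT out

! Third interface left undefined: no ACL, no inspect. Its hosts reach the
! trusted subnet (TRUSTED_IN permits them) and, via Fa0/1, get return traffic
! because inspection happens on the way out of Fa0/1, not on this interface.
interface FastEthernet0/2
 description undefined (neither trusted nor untrusted)
 ip address 192.168.50.1 255.255.255.0
```

Check the result with `show ip inspect sessions` after opening a connection from inside, and `show ip access-lists UNTRUSTED_IN` to see the dynamic return-traffic entries CBAC has added above the deny lines.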

husycisco Fri, 07/18/2008 - 15:43

You are welcome and thanks for rating :)
