IPSEC traffic from behind Cisco 2801 router with CBAC feature.

rootless.rooter · ‎02-23-2010

hi forum,

I'm using pair of Juniper SSG550 to form a site-to-site IPSEC tunnel.

both SSGs are behind Cisco 2801 routers,acting as a main ISP gateways for the Juniper boxes.

now, during recent penetration tests I found that both Cisco gear is vulnerable to even most primitive SYN flood type of attack.

[using hping3 --flood --syn --rand-source <target_IP> I was able to DoS the 2801 and fill up its session tables in few seconds].

in order to increase the level of protection I'm looking into implementing Cisco's CBAC/TCP Inspection features,

to be able to defeat DoS/DDoS type of attacks and guard the Cisco.

now, the question is the interop between Cisco's CBAC feature and Juniper's IPSEC/IKE/ESP type of traffic.

first,lets have this simple topology as an example of functional model:

{LAN_A}<--->SSG550<--->[Cisco_A]<-------VPN_TUNNEL------>[Cisco_B]<----->SSG550<--->{LAN_B}

SSG550's acct as VPN endpoints for IPSEC/IKE type of tunnel and both LANs can reach each other.

now, if I enable CBAC/TCP Intercept on Cisco_A:

when an intial IPSEC/IKE handshake request is sent from SSG_A to SSG_B, CBAC on Cisco_A should record this flow as valid outbound flow,

and should pass it thru,as there's no outbound ACL at all.

but what will happen with return/inbound traffic [IPSEC response/keys from SSG_B] ?

is CBAC clever enough to recognize the response from SSG_B even if there's no inbound ACL on the Cisco_A for IP of SSG_B?

will this one pass thru Cisco_A and form the tunnel?

or the CBAC on Cisco_A will drop the flow?

many thanks for ANY response/hint or tip.

rooter

Federico Coto Fajardo · ‎02-25-2010

Hi,

You can enable IOS Firewall CBAC on both Cisco routers to allow the replies from traffic originated from the local network on each side.

The thing here, is that CBAC is not going to inspect the VPN traffic due to encryption.

You can permit or deny the flows, but not inspect inside the VPN flows with CBAC in this scenario.

Federico.

rootless.rooter · ‎02-25-2010

hi,

thanks for the reply. in fact, I'm not looking into IPSEC inspection at all.

my concern is just whether the CBAC - with no inbound/outbound ACLs - will transparently allow IPSEC originating on the Juniper boxes and will

pass them thru to create the tunnels,while protecting the Cisco gear against the DoS attacks.

maybe I should set up some small lab network to simulate it to get clue.

is here anybody from the Cisco with such experience?

thanks again.

Federico Coto Fajardo · ‎02-25-2010

I would think that CBAC will allow the IPSec tunnel transparently to operate from the Juniper boxes, since you can enable CBAC

for ISAKMP (depending on the IOS) and for UDP (UDP port 500).

Anyway, if you have the chance to set up a small lab to test it, will be the best way to go, and share with us the results ;-)

Unless, somebody else have done it already and save us the lab ;-)

Federico.

rootless.rooter · ‎03-15-2010

well.

I did the lab and found that CBAC won't stop IPSEC, it will pass it without any problems, but found that CBAC won't prevent against

SYN flood at all :\

my small test lab was pair of 2801,running IOS 12.4 [adventerprisek9], one juniper ns50 and juniper ssg5,to simulate the scenario I described earlier.

I was able to form a VNP tunnel using IPSEC/AutoIKE with no issues, with CBAC enabled.

even if the Cisco gear was set up to use extended ACLs, TCP Inspect features [even using 'AutoSecure], simple sending SYN flood to FastEthernet0/0 interface caused panic mode, CPU on the Cisco hit the sky. during this flood attack I was not able to reach the far-end of the VPN tunnel internally [pinging network A from B via VPN], due to high CPU utilization on the router[s] under the attack.

my understanding and perhaps the conclusion is, that there's no real DoS/DDoS attack protection/mitigation on the routers, without deploying IDP/IDS

infront of the router.

regards

rooter