CCP Firewall is that bad?

Answered Question
Jul 18th, 2010

Hi,


I got a Cisco 877W set up and have problems with the Firewall setup using Cisco Configuration Professional.


I am new to the security field so I decided to use CCP to configure the firewall. I would like to block all traffic from the internet and allow all traffic originating inside the LAN, I do not care which traffic is originating as I consider the LAN to be completely trusted.


After I applied the default Low Security template my connection speed dropped dramatically: on a 10 Mbps ADSL connection that I fully utilized, I started getting 150 kbps just after I enabled the firewall.

I checked the router's CPU and it showed peaks of up to 87% (it was usually jumping around between 20% and 87%).


I turned the firewall off since I need to use my connection, but am I missing something? How come my $20 D-Link router blocks incoming traffic from the internet and performs well, while my pricey 877W can't run the firewall?


If I will drop the zone based firewall and go back to the classic one will it be better?


Thanks a lot!

Jitendriya Athavale (Cisco Employee) Sun, 07/18/2010 - 21:41

I think for your setup the classic firewall makes sense.


Since you need to block everything from the WAN and allow everything from the LAN, I think CBAC or the classic firewall should be enough to begin with.

oren.hecht Mon, 07/19/2010 - 00:13

Hey Jathaval,


I indeed used CBAC eventually and got it working, but got some weird results while trying to do so.

At first I set up these rules:


ip inspect name FIREWALL_RULES dns
ip inspect name FIREWALL_RULES ftp
ip inspect name FIREWALL_RULES http
ip inspect name FIREWALL_RULES https
ip inspect name FIREWALL_RULES icmp
ip inspect name FIREWALL_RULES imap
ip inspect name FIREWALL_RULES smtp
ip inspect name FIREWALL_RULES pop3
ip inspect name FIREWALL_RULES tftp
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp


But I got the same behavior as I did with the ZBF, my bandwidth usage dropped to 10%.


Eventually I left it with:

ip inspect name FIREWALL_RULES icmp
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp


And then it started behaving normally.


But I don't get it. Let's say I wanted to do some VoIP classification. According to the results above, if I started to match protocols and classify them, the traffic would drop dramatically and both the web traffic and the VoIP traffic would be useless (I didn't check the delays, but I bet they suffered too).


How come Cisco manufactures a SOHO product that can't handle more than 3 classifications? Luckily it does what I need it to.


Oren.

Jitendriya Athavale (Cisco Employee) Mon, 07/19/2010 - 00:16

I think the issue is caused by inspecting http and https.

Can you disable them and verify the results again with the rest of the inspections?

oren.hecht Mon, 07/19/2010 - 00:53

Yep, you are dead on. And since I don't use https that often, it's probably the http. Wow, that is very shameful, isn't it?

Luckily I don't do classification between HTTP and other traffic or my connection would be very bad...


I got two questions though:

1. Do I need all the other inspection rules? Since most of them are TCP & UDP anyway, won't it be enough to inspect those?

2. Does the order of the inspection matter? Does it behave like an ACL, when it identifies something as one of the inspections it stops inspecting?



Thanks!

Correct Answer
Jitendriya Athavale (Cisco Employee) Mon, 07/19/2010 - 01:04

Choosing inspection rules is your choice, depending on what you need.

For example, you might or might not need ftp depending on whether it is active or passive.



But http is definitely not advisable, because it will lead to slowing of traffic, especially if your line has a lot of out-of-order packets.


As far as layer 7 inspections are concerned, you will need them only if the server/client on the outside needs to open any ports.


With CBAC your options are as such limited to basic inspection, so I think you can probably continue with just icmp, tcp and udp, and if there is a requirement you can use layer 7 inspection for ftp or voice or something like that.


Hope this answers your questions; if so, I request you to mark this as answered for the benefit of the other users.

oren.hecht Mon, 07/19/2010 - 01:16

Hey Jathaval,

Thank you very much for the help!


One last question I have regarding this issue is whether the inspection list behaves like an ACL and whether the order matters.


If one inspection rule is identified, does it continue inspecting or does it break the inspection list?


Thanks again,

Oren.

Jitendriya Athavale (Cisco Employee) Mon, 07/19/2010 - 01:28

I think such a situation will never arise, because if we are talking about layer 3-4 it will be tcp or udp,

and if at layer 7, http, ftp, smtp etc.

So the question of order doesn't arise, as each rule is unique.

oren.hecht Mon, 07/19/2010 - 01:33

Fair Enough.


Thank you very much for you kind help, I really appreciate it!

Jitendriya Athavale (Cisco Employee) Mon, 07/19/2010 - 01:37

Hi Oren, I just confirmed with one of my colleagues and I would like to correct myself:

the order does matter.


More specific ones first and then general ones,


so layer 7 first and then layer 4 like tcp/udp.


So it does go like an access-list: if it finds the match in the first rule it will not look at the others.


inspect tcp

inspect http


(here "inspect http" has no effect)


inspect http

inspect ftp

inspect tcp


Sorry for the confusion.
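The following is an added example and is not part of any post in this thread: a minimal CBAC configuration for the policy Oren asked for (block everything unsolicited from the WAN, allow everything from the LAN), combining the icmp/tcp/udp rule set that worked for him with the "specific rules before generic tcp/udp" ordering from the correction above. The interface names (Dialer0 for the ADSL PPP session, Vlan1 for the LAN) and the ACL name WAN_IN are assumptions; check them against `show ip interface brief` on your own 877W.

```cisco
! Added example, not the original poster's configuration.
! Assumed names: FIREWALL_RULES (inspect rule), WAN_IN (ACL),
! Dialer0 (WAN), Vlan1 (LAN). Adjust to your platform.
!
! Inspection rule. Application-layer entries go first, generic
! tcp/udp last, per the corrected answer in this thread. ftp is
! included only because active FTP needs the data channel opened
! from the outside; drop it if you only use passive FTP.
! http is deliberately left out: inspecting it is what collapsed
! throughput on this router in the thread above.
ip inspect name FIREWALL_RULES ftp
ip inspect name FIREWALL_RULES icmp
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp
!
! Optional: log session open/close so you can see what the
! inspection engine is tracking. Remove if it adds noticeable load.
ip inspect audit-trail
!
! WAN-side inbound ACL: nothing unsolicited gets in. CBAC inserts
! dynamic permit entries ahead of this deny for return traffic of
! sessions it saw leaving, so no static "permit established" is
! needed here. The "log" keyword is optional and can itself cost
! CPU if the WAN side is being scanned heavily.
ip access-list extended WAN_IN
 deny ip any any log
!
! Apply the ACL inbound and the inspection outbound on the WAN
! interface; this is the classic (CBAC) pattern.
interface Dialer0
 description ADSL uplink
 ip access-group WAN_IN in
 ip inspect FIREWALL_RULES out
!
! Nothing is filtered on the LAN side: the LAN is treated as trusted.
interface Vlan1
 description Trusted LAN
```

After applying it, `show ip inspect config` confirms the rule order as stored, `show ip inspect sessions` lists the sessions currently being tracked, and `show processes cpu sorted` lets you compare load before and after enabling inspection, which is the quickest way to tell whether a newly added protocol inspection (http in this thread) is the one hurting the box.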

oren.hecht Mon, 07/19/2010 - 02:16

That makes more sense.


Thank you, and thank your colleague too


Oren.
