
Ask the Expert: Security on IOS Router Devices (ZBFW, IPS, CBAC)

Jun 29th, 2012

With Julio Carvajal Segura

Welcome to the Cisco Support Community Ask the Expert conversation with Cisco expert Julio Carvajal Segura. This is an opportunity to learn and ask questions on how to make your IOS router devices (Zone-Based Firewall, Intrusion Prevention System, and Context-Based Access Control) more secure.

Julio Carvajal Segura is a support engineer at the Cisco Technical Center in Costa Rica. His expertise is in security topics such as Cisco Security Content, intrusion prevention systems, Cisco Adaptive Security Appliances (ASA), Cisco Firewall Services Modules, zone based firewalls, and context-based access control. He has over a year of experience working and resolving customer problems.

Remember to use the rating system to let Julio know if you have received an adequate response. 

Julio might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community Firewalling forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

john.ventura73 Tue, 07/03/2012 - 07:02

Hi Julio,

After I configured the ZBFW or the CBAC feature my VPNs were down. How can I resolve this?

Thank you

John

Julio Carvaja Tue, 07/03/2012 - 09:44

Hello John,

Hope you are doing great

Now regarding your query: if you configure the ZBFW using the SDM, you will have the inside, outside and self zones configured.

That being the case, you will need to allow traffic on UDP port 4500 (NAT-T) and 500 (ISAKMP) to the interface where the crypto map is applied (self zone).

I would say that is the problem, but just in case, remember to allow traffic from the inside zone to the outside zone from your local LAN to the destination LAN, and the same thing from outside to inside.

If you want you can post your configuration and I can make the changes to make it work.

Regards,

Julio
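The two points in the answer above, written out as a complete zone-based policy. This is an added example, not configuration from the thread or from a Cisco document: it assumes a crypto map on the OUTSIDE interface, zones INSIDE and OUTSIDE already defined, and uses placeholder addresses (203.0.113.1 for the router's public address, 192.168.10.0/24 and 192.168.20.0/24 for the local and remote LANs). All object names are invented.

```cisco
! Added example (not from the thread): ZBFW policy for a crypto-map site-to-site VPN.
! Placeholders: 203.0.113.1 = router public address, 192.168.10.0/24 = local LAN,
! 192.168.20.0/24 = remote LAN. Zones INSIDE and OUTSIDE are assumed to exist.

! 1) IKE (UDP/500), NAT-T (UDP/4500) and ESP are addressed to the router itself,
!    so they cross the OUTSIDE<->self zone-pairs.
ip access-list extended ACL-IPSEC-TO-SELF
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit esp any host 203.0.113.1
ip access-list extended ACL-IPSEC-FROM-SELF
 permit udp host 203.0.113.1 any eq isakmp
 permit udp host 203.0.113.1 any eq non500-isakmp
 permit esp host 203.0.113.1 any

class-map type inspect match-all CM-IPSEC-TO-SELF
 match access-group name ACL-IPSEC-TO-SELF
class-map type inspect match-all CM-IPSEC-FROM-SELF
 match access-group name ACL-IPSEC-FROM-SELF

! ESP carries no Layer 4 state the firewall could track, so the action is
! "pass", and a pass policy has to exist in both directions.
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-IPSEC-TO-SELF
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-TO-OUT
 class type inspect CM-IPSEC-FROM-SELF
  pass
 class class-default
  drop log

zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUT

! 2) The decrypted LAN-to-LAN packets still traverse INSIDE<->OUTSIDE, so the
!    two LANs must be permitted there in both directions.
ip access-list extended ACL-LAN-TO-REMOTE
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended ACL-REMOTE-TO-LAN
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

class-map type inspect match-all CM-LAN-TO-REMOTE
 match access-group name ACL-LAN-TO-REMOTE
class-map type inspect match-all CM-REMOTE-TO-LAN
 match access-group name ACL-REMOTE-TO-LAN

policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-LAN-TO-REMOTE
  inspect
 class class-default
  drop log
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-REMOTE-TO-LAN
  inspect
 class class-default
  drop log

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
```

One caveat worth knowing before applying this: traffic to and from the self zone is permitted by default only as long as no zone-pair involving self exists. The moment OUT-TO-SELF is configured, everything else arriving at the router from OUTSIDE (management SSH, routing-protocol neighbours on that interface) falls into class-default and is dropped, so those flows need their own class in PM-OUT-TO-SELF. Likewise, PM-IN-TO-OUT above only covers the VPN subnets; a real deployment adds a class for general Internet access from INSIDE. `show zone-pair security` and `show policy-map type inspect zone-pair sessions` confirm which class a flow lands in, and `show crypto isakmp sa` confirms the tunnel comes up once the self-zone traffic is allowed.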

rizwanr74 Tue, 07/03/2012 - 13:30

"After I configured the ZBFW or the CBAC feature my VPNs were down, how can I resolve this?"

Hi John,

In your ACL for CBAC, please create the two permit lines shown below in the ACL you have applied on the outside interface; xxx is assumed to be your public IP address.

access-list 101 permit udp any host xxx.xxx.xxx.xxx eq isakmp
access-list 101 permit esp any host xxx.xxx.xxx.xxx

Hope that helps.

thanks

Rizwan Rafeek
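The CBAC counterpart of the ZBFW case, as an added example that is not from either reply: an inspection rule, the inbound ACL on the outside interface carrying the IPsec permits from the post above plus the NAT-T port Julio mentions, and the interface binding. The address 203.0.113.1, the LAN subnets and the names are placeholders.

```cisco
! Added example (not from the thread): CBAC on the outside interface with IPsec
! terminated on the router. Placeholders: 203.0.113.1 = public address,
! 192.168.10.0/24 = local LAN, 192.168.20.0/24 = remote VPN LAN.

! Inspection rule: sessions initiated from the inside create temporary entries
! that let the return traffic through the inbound ACL below.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp

ip access-list extended ACL-OUTSIDE-IN
 ! IKE, NAT-T (needed when a NAT device sits between the peers) and ESP,
 ! all addressed to the router itself; CBAC cannot open these dynamically.
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit esp any host 203.0.113.1
 ! On IOS a crypto-map packet is checked against the inbound ACL again after
 ! decryption, so sessions started from the remote LAN need an explicit permit.
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 ! Everything else unsolicited is dropped and logged.
 deny ip any any log

interface GigabitEthernet0/1
 description OUTSIDE
 ip address 203.0.113.1 255.255.255.248
 ip access-group ACL-OUTSIDE-IN in
 ip inspect FW-OUT out
 crypto map VPN-MAP
```

`ip inspect FW-OUT out` on the outside interface inspects the cleartext sessions before encryption, and the return traffic (decrypted on the way in) matches the dynamic entries CBAC adds in front of ACL-OUTSIDE-IN; `show ip inspect sessions` lists them. The `deny ip any any log` line is what makes a mistyped permit visible in the log instead of a silent outage.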

james_flockton Wed, 07/04/2012 - 07:52

Hi Julio,

My company has recently deployed VCS around an established ASA 5510 service. The firewall traversal element is working perfectly for H323 calls, but SIP seems to fail for no clear reason. The traversal zone is active, but if I call from a SIP UI registered to Cisco Expressway it cannot call the UI of a device on the inside. I have allowed the VCS control (through ACLs) to connect to any device on the outside, but calls still seem to fail. Do you have any pointers to help me resolve this problem please?

Thanks

James

Julio Carvaja Wed, 07/04/2012 - 08:45

Hello James,

This Ask the Expert is focused on IOS routers, but I will still help with this.

So basically the problem is SIP across the ASA.

Do you already have inspection enabled for the SIP protocol?

Are you using a static one-to-one NAT translation for the VCS control?

Regards,

JohnPete868 Thu, 07/05/2012 - 14:33

Hi Julio,

In my recent experience I have used ASAs as edge devices. But after seeing some of the features on a router, I would like to replace my ASAs with Cisco routers.

I have seen some routers which have built-in firewall features based on the firmware.

What would be your thoughts on this: are the new routers suitable, and which firmware would you recommend on a router for firewall features together with its routing capabilities?

Julio Carvaja Thu, 07/05/2012 - 15:35

Hello John,

Nice question.

That is correct, some of the IOS devices come with a built-in IPS sensor, as an example, that you could use to secure your network perimeter.

One of the other advantages from my perspective would be that the IOS router supports routing protocols in a more extended way than the ASA.

The router supports Policy Based Routing (route based on source IP addresses).

The router does QoS in a more extended way than the ASA, etc.

The thing is that by default the router is not a security device, so we will need to configure it in a way that it can protect our network.

If you ask me what I prefer (ZBFW or CBAC, which are the 2 built-in firewall options on an IOS router):

     I would recommend ZBFW 100%, which lets you be more flexible with your actions in security policies (you can be as granular as you want).

Now regarding firmware, you should go to the latest versions as they will provide new features and will fix previous bugs in the code.

ZBFW is supported after 12.4(6)T6, but if you use code 15.1(2) you will have additional features like support for IPv6, or if you go to IOS Release 15.0(1)M you will have intra-zone policies, etc.

Hope I could help,

PS: The ASA for monitoring and troubleshooting is the best option in the market in the security area.

       The ASA is capable of having a local-host table, conn table to correlate events, etc.

Julio

Cisco TAC engineer.

carlosrodo Mon, 07/09/2012 - 08:18

Hi Julio,

I wonder how I can statefully inspect RDP sessions using an IOS router. Can you comment on this?

Thanks,

Carlos

Julio Carvaja Mon, 07/09/2012 - 08:39

Hello Carlos,

We need to configure the following in order to make the router able to inspect RDP sessions, as this protocol uses a non-standard port.

This can be done using ip port-maps (user-defined application names must carry the user- prefix):

ip port-map user-RDP port tcp 3389

class-map type inspect RDP
 match protocol user-RDP

policy-map type inspect RDP
 class type inspect RDP
  inspect

That should make the router firewall able to statefully inspect RDP.

There is another option (instead of using the ip port-map command we can make it work doing a match with an ACL):

ip access-list extended RDP
 permit tcp any any eq 3389

class-map type inspect RDP
 match access-group name RDP

policy-map type inspect RDP
 class type inspect RDP
  inspect

Hope I could help,

Julio
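Both variants above stop short of binding the policy to a zone-pair, which is the step that actually puts it in the path. The added example below (my own, not from the reply) combines them: the port-map gives the flow a protocol name, and an ACL in the same match-all class narrows inspection to the terminal servers instead of "any any". Zones INSIDE and OUTSIDE, the subnet 192.168.10.0/24 and all names are assumptions.

```cisco
! Added example (not from the thread): RDP inspection end to end.
! Assumes zones INSIDE and OUTSIDE exist and the RDP servers sit in 192.168.10.0/24.

! Teach the firewall that TCP/3389 is an application it can name.
! User-defined port-map names must start with "user-".
ip port-map user-rdp port tcp 3389

! Restrict which destinations may be reached on that port.
ip access-list extended ACL-RDP-SERVERS
 permit tcp any 192.168.10.0 0.0.0.255 eq 3389

! match-all: both the protocol and the ACL must match.
class-map type inspect match-all CM-RDP
 match protocol user-rdp
 match access-group name ACL-RDP-SERVERS

! Anything else from OUTSIDE towards INSIDE is dropped and logged.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-RDP
  inspect
 class class-default
  drop log

zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
```

`show ip port-map user-rdp` confirms the mapping was accepted, and `show policy-map type inspect zone-pair OUT-TO-IN sessions` shows the RDP sessions the engine is tracking, which is the quickest way to tell inspection is really stateful rather than a plain ACL permit.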

rogelioalvez Tue, 07/10/2012 - 07:13

Hello Julio:

I would like to mount a cluster of two routers running CBAC and SSO to implement the Stateful Failover High Availability concept, as shown in http://www.cisco.com/en/US/prod/collateral/routers/ps5855/white_paper_c11_472858.html.

Actually, the documentation mentions support for only one inside and one outside interface, with the standby router taking over if either of these interfaces on the active router goes down.

Is it possible to extend this concept to a cluster with at least three interfaces on each router?

Your kind answer will be greatly appreciated.

Best regards...

Rogelio Alvez

Argentina

Julio Carvaja Tue, 07/10/2012 - 11:56

Hello Rogelio,

Is it possible to extend this concept to a cluster with at least three interfaces on each router?

A/ It is possible to have a stateful IOS cluster with the firewall enabled. You will be able to monitor three different interfaces using HSRP and SSO.

Now, to improve the performance of your firewall, you can apply an inspection policy to only one interface (this could be done by applying it to the outside interface).

Let me know if this answers your question.

Regards,

Julio

clark-white Tue, 07/10/2012 - 12:49

Hello Julio,

I tried to configure CBAC on the IOS flash:c2800nm-advipservicesk9-mz.124-3g.bin. After configuring CBAC my internet connection is very slow, with no video, especially with YouTube.

From inside to outside I have permitted everything: permit tcp any any and permit udp any any.

Julio Carvaja Tue, 07/10/2012 - 14:07

Hello Clark,

Can you share the CBAC configuration you have? I would also like to see the logs generated by the IOS router.

To be able to generate the logs from the firewall, please set the following command:

     ip inspect log drop-pkt

With the logs we will be able to see if this happens because of a deep packet inspection problem, out of order packets,etc.

Regards,

Julio
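The logging side of that troubleshooting request, as an added example (mine, not the reply's): the drop logging Julio asks for, session audit trail, a place for the messages to land, and the show commands that expose what the inspection engine currently holds. The inspection rule name FW-OUT and the syslog host 192.168.10.50 are placeholders.

```cisco
! Added example (not from the thread): making CBAC explain its drops.
! Assumes an inspection rule named FW-OUT is already applied on an interface.

! Log each packet the inspection engine discards, with the reason.
ip inspect log drop-pkt
! Log session open/close, so a flow that never opened is distinguishable
! from one that opened and was later cut (useful for the "slow video" case).
ip inspect audit-trail

! Keep the messages readable and retrievable.
service timestamps log datetime msec
logging buffered 65536 informational
logging host 192.168.10.50

! While the problem reproduces, compare what the engine sees with the logs:
! show ip inspect sessions detail
! show ip inspect statistics
! show logging | include FW-
```

Turn `ip inspect log drop-pkt` and `audit-trail` off again after collecting the data on a busy router; both log per packet or per session and the volume adds up quickly on a 2800.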

rogelioalvez Wed, 07/11/2012 - 05:51

Thank you very much Julio.

Best regards, Rogelio

Julio Carvaja Wed, 07/11/2012 - 06:04

Hello Rogelio,

It's my pleasure to help.

Regards,

Julio

Julio Carvaja Wed, 07/11/2012 - 06:14

Hello Yadhu,

Can you remove the following configuration:

zone security VPN

interface Virtual-Template1 type tunnel
 zone-member security VPN

policy-map type inspect VPN-TO-IN-POLICY
 class type inspect vpn-access
  inspect

zone-pair security VPN-TO-IN source VPN destination INSIDE
 service-policy type inspect VPN-TO-IN-POLICY

Then add the following:

interface Virtual-Template1 type tunnel
 zone-member security OUTSIDE

Then take the tunnel down and generate some traffic,

let me know how it goes

Julio

Yadhu Tony Thu, 07/12/2012 - 02:51

Hello Julio,

Thank you for your reply.

I removed the same and added:

interface Virtual-Template1 type tunnel
 zone-member security OUTSIDE

The moment I added the above configuration I could not even ping the LAN interface of my router. Instead of adding the 'Virtual-Template1' interface to the OUTSIDE zone, I tried to include it in the INSIDE zone like:

interface Virtual-Template1 type tunnel
 zone-member security INSIDE

and it started working, i.e. I can access the LAN of my company. Can you please tell me whether it is a correct approach or not?

Please see the zones :

Router#sh zone security
zone self
  Description: System defined zone


zone INSIDE
  Member Interfaces:
    GigabitEthernet0/0
    Virtual-Template1


zone OUTSIDE
  Member Interfaces:
    GigabitEthernet0/1

Regards,

Tony

Julio Carvaja Thu, 07/12/2012 - 09:39

Hello Yadhu,

Great to hear it is working,

The first problem you had was that the interface was not applied to any security zone, and we needed it in one to make it work.

The approach looks good to me; actually, if the change to the OUTSIDE zone did not work, the next step would be the INSIDE zone.

This will still be safe, as in order for any user to get into the INSIDE zone he will need to authenticate to this EzVPN server first.

Regards,

Julio

Yadhu Tony Thu, 07/12/2012 - 10:17

Thank you so much for your support Julio.

Regards,

Tony

r.heitmann Wed, 07/11/2012 - 03:08

Hi Julio,

since the "aes-256-cbc" cipher can't be used anymore if security is needed (any production-grade network?) (see for example http://lwn.net/Articles/307873/) and RFC 4344, which addresses and solves the issue (using "ctr" instead of the "cbc" cipher), isn't implemented in IOS today, what would you recommend doing:

- switch to sshv1 using 3des

- switch to telnet and use vpn-client/ezvpn to provide encryption

any better idea?

Cheers,

//Ronald

Julio Carvaja Wed, 07/11/2012 - 06:40

Hello Ronald,

You might want to take a look at the following bug: CSCsx30944
      http://tools.cisco.com/squish/b1Cc1

So, as you already said, implementing the CTR cipher instead of CBC on an IOS router is not an option.

From the two options you point out, I would say that the implementation of sshv1 is the easiest of the two (it offers encryption, but it can be reversible, so it also has some vulnerabilities).

Now talking about the VPN EzVPN option, it would require way more administration, but it will provide more security, so I would choose that one if this were my case (we are trying to get rid of a vulnerability and by using this option we can make it happen).

Hope this helps,

Julio

r.heitmann Wed, 07/11/2012 - 07:41

Hi Julio, thank you for the very quick answer!

...do you know, for the case that SSHv1/3DES is an option, if there's a possibility to specify (decrease) the "key-lifetime" to increase the SSH-3DES security, like we've done in IPsec VPNs when AES wasn't available?

I didn't find anything on the web on how to fine-tune the IOS SSH daemon regarding the cipher suites used.

Since there is no official "security advisory" and the bug mentions "Workaround: None", are there some best practices beyond "config)# ip ssh version 1"?

Best Regards,

//Ronald

Julio Carvaja Wed, 07/11/2012 - 07:52

Hello Ronald,

Since there is no official "security advisory" and the bug mentions "Workaround: None", are there some best practices beyond "config)# ip ssh version 1"?

A/ No, given the low probability of this being successfully exploited.

Do you know, for the case that SSHv1/3DES is an option, if there's a possibility to specify (decrease) the "key-lifetime" to increase the SSH-3DES security, like we've done in IPsec VPNs when AES wasn't available?

A/ No, there are only a few commands to tune SSH parameters:

     ip ssh time-out 60
     ip ssh authentication-retries 2

You will need to re-generate the RSA key manually.

Regards,

masierra Thu, 07/12/2012 - 20:47

Hi Julio

I have a quick question regarding ZBFW running on the ASR platform. I have an asr1001-universalk9.03.06.01.S.152-2.S1 version and I'm trying to configure SMTP inspection. I have found information, but I'm not sure if I'm on the correct path.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book.pdf

Security Configuration Guide: Zone- Based Policy Firewall, Cisco IOS XE Release 3S

Restrictions for Zone-Based Policy Firewall

• Application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE software.

Layer 3 and Layer 4 Class Maps and Policy Maps

Supported Protocols

The following protocols are supported:

• FTP

• H.323

• ICMP

• Lightweight Directory Access Protocol (LDAP)

• LDAP over Transport Layer Security/Secure Socket Layer (LDAPS)

• Real-time Streaming Protocol (RTSP)

• Session Initiation Protocol (SIP)

• SCCP (Skinny Client Control Protocol)

• TCP

• TFTP

• UDP

Then I got

http://www.cisco.com/en/US/partner/hmpgs/index.html

http://www.cisco.com/en/US/partner/docs/ios/ios_xe/3/release/notes/asr1k_feats_important_notes_32s.html#wp3074650

Cisco IOS XE 3S Release Notes Release 3.2S Features and Important Notes

New Software Features in Cisco IOS XE Release 3.2.0S

Application Inspection and Control for SMTP

The Application Inspection for SMTP feature provides an intense provisioning mechanism that can be configured to inspect packets on a granular level so that malicious network activity, related to the transfer of e-mail at the application level, can be identified and controlled. This feature qualifies the Cisco IOS firewall extended Simple Mail Transfer Protocol (ESMTP) module as an "SMTP application firewall," which protects in a similar way to that of an HTTP application firewall.

For more information, see the following document:

http://www.cisco.com/en/US/partner/docs/ios/sec_data_plane/configuration/guide/sec_app_insp_ctrl_smtp.html

If I go to the last link I'm getting

Networking Software (IOS & NX-OS)

Application Inspection and Control for SMTP

So at this point it is talking about regular IOS and NX-OS but not IOS-XE. So I think that statement "Application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE software." still applies, right?

I have this configuration but I'm not able to get SMTP inspection working.

class-map type inspect match-any InspProtocol
 match protocol http
 match protocol https
 match protocol smtp
 match protocol ftp
 match protocol dns
 match protocol icmp
 match protocol ntp
 match protocol isakmp
 match protocol ssh
 match protocol tcp
 match protocol udp
policy-map type inspect PInspect
 class type inspect InspProtocol
  inspect
 class class-default
  pass log

I just want to inspect specific traffic and permit the rest.

zone security INSIDE
zone security OUTSIDE
zone-pair security IN-to-Out-ZONE source INSIDE destination OUTSIDE
 service-policy type inspect PInspect
interface GigabitEthernet0/0/0
 description Red Interna
 ip address 192.168.100.1 255.255.255.0
 ip access-group privated in
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE
interface GigabitEthernet0/1/1
 bandwidth 8192
 ip address x.x.x.x
 ip access-group antispoofing in
 ip access-group monitoreo out
 ip nat outside
 ip flow ingress
 ip virtual-reassembly
 zone-member security OUTSIDE
 speed 1000
 no negotiation auto
 crypto map VPNs-Internet
 hold-queue 4096 in

The results:

sh policy-map type inspect zone-pair sessions
Zone-pair: IN-to-Out-ZONE
  Service-policy inspect : PInspect
    Class-map: InspProtocol (match-any)
      Match: protocol http
      Match: protocol https
      Match: protocol smtp
      Match: protocol ftp
      Match: protocol dns
      Match: protocol icmp
      Match: protocol ntp
      Match: protocol isakmp
      Match: protocol ssh
      Match: protocol tcp
      Match: protocol udp
      Inspect
        Half-open Sessions
         Session 1920248 (192.168.100.6:1115)=>(200.x.x.x:25) smtp SIS_OPENING
          Created 00:00:18, Last heard 00:00:18
          Bytes sent (initiator:responder) [0:0]
         Session 1920294 (192.168.100.6:1247)=>(174.x.x.x:25) smtp SIS_OPENING
          Created 00:00:23, Last heard 00:00:23
          Bytes sent (initiator:responder) [0:0]
         Session 19202E0 (192.168.100.6:1220)=>(193.x.x.x:25) smtp SIS_OPENING
          Created 00:00:12, Last heard 00:00:03

Thanks in advance

Julio Carvaja Fri, 07/13/2012 - 05:41

Hello Mario,

That is correct, Application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE software.

You will not be able to inspect the SMTP protocol at the application level.

You can inspect it, but at Layer 3 and 4 based on an ACL:

ip access-list extended SMTP
 permit tcp any any eq 25

class-map type inspect SMTP
 match access-group name SMTP

policy-map type inspect PInspect
 class type inspect SMTP
  inspect
 class type inspect InspProtocol
  inspect
 class class-default
  pass log

Then you can remove the match protocol smtp from the class InspProtocol.

Regards,

Julio
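An added example (mine, not the reply's) that takes the Layer 3/4 approach one step further than the answer above: since IOS XE cannot look inside the SMTP conversation, the one control it can still enforce is which host is allowed to speak SMTP at all. The block keeps the thread's class, policy and zone-pair names and assumes a single internal mail relay at the placeholder address 192.168.100.10; the CM-SMTP-* names are invented.

```cisco
! Added example (not from the thread): Layer 3/4 SMTP policy on IOS XE, where
! Layer 7 SMTP inspection is unavailable. Placeholder: 192.168.100.10 = mail relay.

! Only the relay may open outbound SMTP; any other host on TCP/25 is dropped and
! logged, which is what a malware-infected workstation sending mail directly looks like.
ip access-list extended ACL-SMTP-RELAY
 permit tcp host 192.168.100.10 any eq smtp
ip access-list extended ACL-SMTP-OTHER
 permit tcp any any eq smtp

class-map type inspect match-all CM-SMTP-RELAY
 match access-group name ACL-SMTP-RELAY
class-map type inspect match-all CM-SMTP-OTHER
 match access-group name ACL-SMTP-OTHER

! The thread's class minus "match protocol smtp". Note that "match protocol tcp"
! would still match port 25, so the SMTP classes must precede it: first match wins.
class-map type inspect match-any InspProtocol
 match protocol http
 match protocol https
 match protocol ftp
 match protocol dns
 match protocol icmp
 match protocol ntp
 match protocol isakmp
 match protocol ssh
 match protocol tcp
 match protocol udp

policy-map type inspect PInspect
 class type inspect CM-SMTP-RELAY
  inspect
 class type inspect CM-SMTP-OTHER
  drop log
 class type inspect InspProtocol
  inspect
 class class-default
  pass log

zone-pair security IN-to-Out-ZONE source INSIDE destination OUTSIDE
 service-policy type inspect PInspect

! Verification: relay sessions should now be listed under CM-SMTP-RELAY, and
! the drop counter of CM-SMTP-OTHER shows any other host trying port 25.
! show policy-map type inspect zone-pair IN-to-Out-ZONE sessions
! show policy-map type inspect zone-pair IN-to-Out-ZONE
```

The class order is the part people get wrong: a class-map is evaluated in the order the classes appear in the policy-map, so putting the narrow SMTP classes after InspProtocol would let `match protocol tcp` claim the flow first and the SMTP-specific action would never fire.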
