Ask the Expert: Security on IOS Router Devices (ZBFW, IPS, CBAC)

ciscomoderator
Community Manager

With Julio Carvajal Segura

Welcome to the Cisco Support Community Ask the Expert conversation with Cisco expert Julio Carvajal Segura. This is an opportunity to learn and ask questions on how to make your IOS router devices (Zone-Based Firewall, Intrusion Prevention Systems, & Context-Based Access Control) more secure.

Julio Carvajal Segura is a support engineer at the Cisco Technical Center in Costa Rica. His expertise is in security topics such as Cisco Security Content, intrusion prevention systems, Cisco Adaptive Security Appliances (ASA), Cisco Firewall Services Modules, zone based firewalls, and context-based access control. He has over a year of experience working and resolving customer problems.

Remember to use the rating system to let Julio know if you have received an adequate response. 

Julio might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community Firewalling forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

27 Replies

Hello Rogelio,

It's my pleasure to help.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yadhu Tony
Level 1

Hi Julio,

Can you please check the link https://supportforums.cisco.com/message/3680429#3680429 where I have posted a query about VPN. Could you please refer to the configuration. I just wanted to know whether the VPN access problem is due to the ZBF or not.

Regards,

Tony

http://yadhutony.blogspot.com

Hello Yadhu,

Can you remove the following configuration:

zone security VPN

interface Virtual-Template1 type tunnel
 zone-member security VPN

policy-map type inspect VPN-TO-IN-POLICY
 class type inspect vpn-access
  inspect

zone-pair security VPN-TO-IN source VPN destination INSIDE
 service-policy type inspect VPN-TO-IN-POLICY

Then add the following:

interface Virtual-Template1 type tunnel
 zone-member security OUTSIDE

Then take the tunnel down and generate some traffic,

let me know how it goes

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Thank you for your reply.

I removed the same and added:

interface Virtual-Template1 type tunnel
 zone-member security OUTSIDE

The moment I added the above configuration I cannot even ping the LAN interface of my router. Instead of adding the 'Virtual-Template1' interface to the OUTSIDE zone, I tried to include it in the INSIDE zone like:

interface Virtual-Template1 type tunnel
 zone-member security INSIDE

and it started working, i.e. I can access the LAN of my company. Can you please tell me whether this is a correct approach or not?

Please see the zones :

Router#sh zone security
zone self
  Description: System defined zone


zone INSIDE
  Member Interfaces:
    GigabitEthernet0/0
    Virtual-Template1


zone OUTSIDE
  Member Interfaces:
    GigabitEthernet0/1

Regards,

Tony

http://yadhutony.blogspot.com

Hello Yadhu,

Great to hear it is working,

The first problem you had was that the interface was not applied to any security zone, and we needed to have it on one to make it work.

The approach looks good to me; actually, if the change on the outside zone had not worked, the next step would have been the inside one.

This will still be safe, as in order for any user to get into the inside zone he will need to authenticate first to this EzVPN server.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you so much for your support Julio.

Regards,

Tony

http://yadhutony.blogspot.com

Hello Tony,

My pleasure,

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

r.heitmann
Level 1

Hi Julio,

since the "aes-256-cbc" cipher can't be used anymore if security is needed (any production-grade network?) (see for example http://lwn.net/Articles/307873/) and RFC 4344, which addresses and solves the issue (using "ctr" instead of the "cbc" cipher), isn't implemented in IOS today, what would you recommend doing:

- switch to SSHv1 using 3DES

- switch to Telnet and use the VPN client/EzVPN to provide encryption

Any better idea?

Cheers,

//Ronald

Hello Ronald,

You might want to take a look at the following bug, CSCsx30944:
http://tools.cisco.com/squish/b1Cc1

So, as you already said, implementing the CTR cipher instead of CBC on an IOS router is not an option.

From the two options you point out, I would say that implementing SSHv1 is the easier of the two (it offers encryption, but it can be reversible, so it also has some vulnerabilities).

Now, talking about the EzVPN option, it would require way more administration, but it will provide more security, so I would choose that one if this were my case (we are trying to get rid of a vulnerability, and by using this option we can make it happen).

Hope this helps,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio, thank you for the very quick answer!

...do you know, for the case that SSHv1/3DES is an option, if there's a possibility to specify (decrease) the "key-lifetime" to increase the SSH 3DES security, like we've done in IPsec VPNs as AES wasn't available?

I didn't find anything on the web about how to fine-tune the IOS SSH daemon regarding the cipher suites used.

Since there is no official "security advisory" and the bug mentions "Workaround: None", are there some best practices beyond "config)# ip ssh version 1"?

Best Regards,

//Ronald

Hello Ronald,

Since there is no official "security advisory" and the bug mentions "Workaround: None", are there some best practices beyond "config)# ip ssh version 1"?

A/ No, given the low probability of this being successfully exploited.

Do you know, for the case that SSHv1/3DES is an option, if there's a possibility to specify (decrease) the "key-lifetime" to increase the SSH 3DES security, like we've done in IPsec VPNs as AES wasn't available?

A/ No, there are only a few commands to tune SSH parameters:

ip ssh time-out 60
ip ssh authentication-retries 2

You will need to re-generate the RSA key manually.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
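The exchange above turns on which ciphers the IOS SSH server actually offers, and the only way to know that for a given device is to look at its SSH_MSG_KEXINIT, which is sent in the clear right after the version banner. As an added example (not code from the thread or from Cisco), the Python below implements the RFC 4253 binary-packet framing and KEXINIT name-list parsing, then flags CBC-mode ciphers, the class affected by the plaintext-recovery issue Ronald refers to. The packet it audits is constructed inline to resemble a server that offers only CBC ciphers; reading a real one means connecting to TCP 22, exchanging version strings and taking the next packet, which the example does not do.

```python
"""SSH KEXINIT cipher audit (added example; not from the thread).

KEXINIT is sent in the clear right after the version banner (RFC 4253 s7.1),
so the ciphers a device offers can be read off the wire.  LEGACY_SERVER_PACKET
is CONSTRUCTED here to resemble a server that offers only CBC ciphers.
"""
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_LISTS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                 "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _name_list(names):
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(cookie, **lists):
    """Serialise a KEXINIT payload (message byte onward, no packet framing)."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_LISTS:
        body += _name_list(lists.get(field, []))
    return body + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved


def frame_packet(payload, block=8):
    """Wrap a payload in the SSH binary packet format (no cipher, no MAC yet)."""
    pad = block - (5 + len(payload)) % block        # total length must be a block multiple
    if pad < 4:                                     # RFC 4253 requires at least 4 padding bytes
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def unwrap_packet(data):
    """Return the payload of the first binary packet in data."""
    packet_len, pad_len = struct.unpack_from(">IB", data, 0)
    payload_len = packet_len - pad_len - 1
    if payload_len < 0 or 4 + packet_len > len(data):
        raise ValueError("truncated or malformed packet")
    return data[5:5 + payload_len]


def parse_kexinit(payload):
    """Decode the ten name-lists of a KEXINIT payload into a dict of lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, out = 17, {}                               # skip message byte + 16-byte cookie
    for field in KEXINIT_LISTS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        out[field] = [s for s in raw.decode("ascii").split(",") if s]
        off += 4 + n
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def audit_ciphers(offered):
    """Split an offered cipher list into CBC-mode names and the rest."""
    cbc = [c for c in offered if c.endswith("-cbc")]
    non_cbc = [c for c in offered if not c.endswith("-cbc")]
    return {"cbc": cbc, "non_cbc": non_cbc, "cbc_only": bool(cbc) and not non_cbc}


def audit_server_kexinit(packet):
    """Audit both directions' cipher offers from a framed server KEXINIT."""
    kex = parse_kexinit(unwrap_packet(packet))
    return {"c2s": audit_ciphers(kex["enc_c2s"]), "s2c": audit_ciphers(kex["enc_s2c"])}


# CONSTRUCTED: what a server limited to CBC ciphers would offer.
LEGACY_CIPHERS = ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"]
LEGACY_SERVER_PACKET = frame_packet(build_kexinit(
    cookie=bytes(range(16)),
    kex=["diffie-hellman-group1-sha1"], hostkey=["ssh-rsa"],
    enc_c2s=LEGACY_CIPHERS, enc_s2c=LEGACY_CIPHERS,
    mac_c2s=["hmac-sha1", "hmac-sha1-96"], mac_s2c=["hmac-sha1", "hmac-sha1-96"],
    comp_c2s=["none"], comp_s2c=["none"],
))

if __name__ == "__main__":
    for direction, report in audit_server_kexinit(LEGACY_SERVER_PACKET).items():
        flag = "CBC-only!" if report["cbc_only"] else "has non-CBC alternatives"
        print(f"{direction}: cbc={report['cbc']} other={report['non_cbc']} -> {flag}")
```

Two practical notes. Later IOS and IOS XE releases added `ip ssh server algorithm encryption`, which restricts the server to the listed ciphers (for example the CTR variants), so on current software the check above is what you run to confirm the device no longer offers CBC; the device in this thread predates that command. SSHv1 has its own well-known protocol weaknesses (a CRC-32 integrity check rather than a MAC, which is why RFC 4251 deprecates it), so a CBC-only SSHv2 server exposed to a low-probability attack is still a stronger position than an SSHv1 server.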

masierra
Level 1

Hi Julio

I have a quick question regarding ZBFW running on the ASR platform. I have an asr1001-universalk9.03.06.01.S.152-2.S1 version and I'm trying to configure SMTP inspection. I have found information but I'm not sure if I'm on the correct path.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book.pdf

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Restrictions for Zone-Based Policy Firewall

• Application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE software.

Layer 3 and Layer 4 Class Maps and Policy Maps

Supported Protocols

The following protocols are supported:

• FTP

• H.323

• ICMP

• Lightweight Directory Access Protocol (LDAP)

• LDAP over Transport Layer Security/Secure Socket Layer (LDAPS)

• Real-time Streaming Protocol (RTSP)

• Session Initiation Protocol (SIP)

• SCCP (Skinny Client Control Protocol)

• TCP

• TFTP

• UDP

Then I got

http://www.cisco.com/en/US/partner/hmpgs/index.html

http://www.cisco.com/en/US/partner/docs/ios/ios_xe/3/release/notes/asr1k_feats_important_notes_32s.html#wp3074650

Cisco IOS XE 3S Release Notes Release 3.2S Features and Important Notes

New Software Features in Cisco IOS XE Release 3.2.0S

Application Inspection and Control for SMTP

The Application Inspection for SMTP feature provides an intense provisioning mechanism that can be configured to inspect packets on a granular level so that malicious network activity, related to the transfer of e-mail at the application level, can be identified and controlled. This feature qualifies the Cisco IOS firewall extended Simple Mail Transfer Protocol (ESMTP) module as an "SMTP application firewall," which protects in a similar way to that of an HTTP application firewall.

For more information, see the following document:

http://www.cisco.com/en/US/partner/docs/ios/sec_data_plane/configuration/guide/sec_app_insp_ctrl_smtp.html

If I go to the last link I'm getting

Networking Software (IOS & NX-OS)

Application Inspection and Control for SMTP

So at this point it is talking about regular IOS and NX-OS but not IOS XE. So I think that statement "Application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE software." still applies, right?

I have this configuration but I'm not able to get SMTP inspection working.

class-map type inspect match-any InspProtocol
 match protocol http
 match protocol https
 match protocol smtp
 match protocol ftp
 match protocol dns
 match protocol icmp
 match protocol ntp
 match protocol isakmp
 match protocol ssh
 match protocol tcp
 match protocol udp

policy-map type inspect PInspect
 class type inspect InspProtocol
  inspect
 class class-default
  pass log

I just want to inspect specific traffic and permit the rest.

zone security INSIDE
zone security OUTSIDE

zone-pair security IN-to-Out-ZONE source INSIDE destination OUTSIDE
 service-policy type inspect PInspect

interface GigabitEthernet0/0/0
 description Red Interna
 ip address 192.168.100.1 255.255.255.0
 ip access-group privated in
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE

interface GigabitEthernet0/1/1
 bandwidth 8192
 ip address x.x.x.x
 ip access-group antispoofing in
 ip access-group monitoreo out
 ip nat outside
 ip flow ingress
 ip virtual-reassembly
 zone-member security OUTSIDE
 speed 1000
 no negotiation auto
 crypto map VPNs-Internet
 hold-queue 4096 in

The results:

sh policy-map type inspect zone-pair sessions

Zone-pair: IN-to-Out-ZONE
  Service-policy inspect : PInspect
    Class-map: InspProtocol (match-any)
      Match: protocol http
      Match: protocol https
      Match: protocol smtp
      Match: protocol ftp
      Match: protocol dns
      Match: protocol icmp
      Match: protocol ntp
      Match: protocol isakmp
      Match: protocol ssh
      Match: protocol tcp
      Match: protocol udp
      Inspect
        Half-open Sessions
         Session 1920248 (192.168.100.6:1115)=>(200.x.x.x:25) smtp SIS_OPENING
          Created 00:00:18, Last heard 00:00:18
          Bytes sent (initiator:responder) [0:0]
         Session 1920294 (192.168.100.6:1247)=>(174.x.x.x:25) smtp SIS_OPENING
          Created 00:00:23, Last heard 00:00:23
          Bytes sent (initiator:responder) [0:0]
         Session 19202E0 (192.168.100.6:1220)=>(193.x.x.x:25) smtp SIS_OPENING
          Created 00:00:12, Last heard 00:00:03

Thanks in advance

Hello Mario,

That is correct, application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE software.

You will not be able to inspect the SMTP protocol.

You can inspect it, but at layer 3 and 4, based on an ACL:

ip access-list extended SMTP
 permit tcp any any eq 25

class-map type inspect SMTP
 match access-group name SMTP

policy-map type inspect PInspect
 class type inspect SMTP
  inspect
 class type inspect InspProtocol
  inspect
 class class-default
  pass log

Then you can remove the match protocol smtp from the class InspProtocol.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
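The two ZBFW exchanges above (Virtual-Template1 left in no zone, and the ACL-based SMTP class added to an IOS XE policy) both come down to rules that are easy to get wrong by hand: an interface outside every zone cannot exchange traffic with zone members, a zone-pair with no inspect policy or a missing zone-pair drops new sessions between those zones, `pass` keeps no state so return traffic needs its own zone-pair, and policy-map classes are evaluated first-match, so a match-any class listing `protocol tcp` and `protocol udp` ahead of an ACL class for port 25 means that class is never hit (note that Julio's answer puts the SMTP class first). As an added example that is not code from the thread or from Cisco, the Python below parses the relevant parts of a running-config and reports each of those conditions; the sample config is constructed here after the ones in the thread and is not either poster's.

```python
# Static checks for an IOS zone-based firewall config (added example, not the thread's code).
# SAMPLE_CONFIG is CONSTRUCTED after the configs above; feed parse_zbfw() a real running-config.
import re
from itertools import permutations

SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
zone security VPN
class-map type inspect match-any InspProtocol
 match protocol tcp
 match protocol udp
class-map type inspect SMTP
 match access-group name SMTP
policy-map type inspect PInspect
 class type inspect InspProtocol
  inspect
 class type inspect SMTP
  inspect
 class class-default
  pass log
zone-pair security IN-to-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PInspect
zone-pair security VPN-to-IN source VPN destination INSIDE
interface GigabitEthernet0/0
 ip address 192.168.100.1 255.255.255.0
 zone-member security INSIDE
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
"""

def parse_zbfw(text):
    """Collect zones, interface zone membership, zone-pairs, class-maps and policy-maps."""
    cfg = {"zones": [], "interfaces": {}, "zone_pairs": {}, "class_maps": {}, "policies": {}}
    kind, name = None, None                          # the section the indented lines belong to
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):                 # unindented line opens a new section
            kind, name = None, None
            if words[:2] == ["zone", "security"]:
                cfg["zones"].append(words[2])
            elif words[0] == "interface":
                kind, name = "if", words[1]
                cfg["interfaces"][name] = {"zone": None, "l3": False}
            elif (m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line)):
                kind, name = "zp", m.group(1)
                cfg["zone_pairs"][name] = {"src": m.group(2), "dst": m.group(3), "policy": None}
            elif words[:3] == ["class-map", "type", "inspect"]:  # match-any/match-all is optional
                mode, name = (words[3], words[4]) if words[3].startswith("match-") else ("match-all", words[3])
                kind = "cm"
                cfg["class_maps"][name] = {"mode": mode, "matches": []}
            elif words[:3] == ["policy-map", "type", "inspect"]:
                kind, name = "pm", words[3]
                cfg["policies"][name] = []
        elif kind == "if" and words[:2] == ["zone-member", "security"]:
            cfg["interfaces"][name]["zone"] = words[2]
        elif kind == "if" and words[:2] in (["ip", "address"], ["ip", "unnumbered"]):
            cfg["interfaces"][name]["l3"] = True
        elif kind == "zp" and words[:3] == ["service-policy", "type", "inspect"]:
            cfg["zone_pairs"][name]["policy"] = words[3]
        elif kind == "cm" and words[0] == "match":
            cfg["class_maps"][name]["matches"].append(" ".join(words[1:]))
        elif kind == "pm" and words[0] == "class":      # "class type inspect X" / "class class-default"
            cfg["policies"][name].append({"class": words[-1], "action": None})
        elif kind == "pm" and cfg["policies"][name]:    # action line: inspect / pass / drop
            cfg["policies"][name][-1]["action"] = words[0]
    return cfg

def lint(cfg):
    """Return (code, message) pairs for traffic the config silently drops or mis-classifies."""
    out = []
    for ifname, info in cfg["interfaces"].items():
        if info["l3"] and info["zone"] is None:
            out.append(("UNZONED", f"{ifname} is in no zone: traffic to/from any zone member is dropped"))
    for zp, info in cfg["zone_pairs"].items():
        if info["policy"] is None:
            out.append(("NO-POLICY", f"zone-pair {zp} has no inspect policy: everything on it is dropped"))
    pairs = {(z["src"], z["dst"]) for z in cfg["zone_pairs"].values()}
    for src, dst in permutations(cfg["zones"], 2):
        if (src, dst) not in pairs:
            out.append(("NO-PAIR", f"no zone-pair {src}->{dst}: new sessions that way are dropped; only return traffic of sessions inspected {dst}->{src} passes"))
    for pm, classes in cfg["policies"].items():
        catchall = None                                  # first class already matching all tcp+udp
        for entry in classes:
            if entry["action"] == "pass":
                out.append(("PASS-STATELESS", f"{pm}: class {entry['class']} uses 'pass' (no state kept); the reverse direction needs its own zone-pair"))
            if catchall and entry["class"] != "class-default":
                out.append(("SHADOWED", f"{pm}: class {entry['class']} sits after {catchall}, whose match-any 'protocol tcp/udp' already claims that traffic"))
            cm = cfg["class_maps"].get(entry["class"])
            if cm and cm["mode"] == "match-any" and {"protocol tcp", "protocol udp"} <= set(cm["matches"]):
                catchall = catchall or entry["class"]
    return out

if __name__ == "__main__":
    for code, msg in lint(parse_zbfw(SAMPLE_CONFIG)):
        print(f"[{code}] {msg}")
```

Run as-is it reports Virtual-Template1 as UNZONED (the symptom Yadhu hit), the VPN-to-IN zone-pair as NO-POLICY, the four zone directions without a zone-pair, the stateless `pass` in class-default, and the SMTP class shadowed by InspProtocol; adding `zone-member security INSIDE` under the template and moving the SMTP class ahead of InspProtocol, as in the replies above, clears the first and last findings. The NO-PAIR lines are informational: a deliberately one-way design (inside to outside only) is fine, as long as nobody expects outside-initiated sessions to work.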