40.0 Security Cisco Forum FAQ40.0 Security
·How do I secure a Cisco router from the Internet?
·Protect my network! How do I do that using Cisco IOS?
·Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level
·Are there Free authentication packages for TACACS or RADIUS to secure my router?
·Securing access to routers with AAA commands
·Securing access to ASA/PIX Firewall with AAA commands
·Utilizing my router as a firewall. How do I do it?
·Between GRE/IPSEC and IPSEC VPN tunnels
Recommended Global and Interface Configurations
•Disable all non-essential services and features
•no service pad
•no ip finger
•no ip bootp server
•IOS versions 12.x and higher auto disable certain features like no tcp-small-servers; no udp-small-servers; and ip http-server
•no ip source-route
•Enable global security features
•service password-encryption (automatically encrypts configured passwords)
•service timestamps debug datetime msec localtime show-timezone
•service timestamps log datetime msec localtime show-timezone
•service tcp-keepalives-in
•logging buffered <50000> debugging
•logging console warnings (if you don't log, you can't trace problems)
• enable secret
•no cdp run (if you don't need cdp at all)
•Disable the following features per interface
•no ip redirects
•no ip unreachables
•no ip directed-broadcast
•no ip proxy-arp
•no cdp enable (for exterior facing interfaces)
•make sure all other interfaces not being used are administratively shutdown
•Enabling additional features
•ip subnet-zero (enables networks on the 0 boundary)
•ip classless (allows for CIDR netmasks)
•enable access-lists per interface as necessary to restrict the traffic to only required communication (see the links above for info regarding access-list configuration)
interface fastethernet 1/0
ip access-group 101 out
ip access-group 102 in
•clock timezone
•clock summer-time
•NTP is the key to a synchronized clock which is highly recommended for accurate timestamping of log entries
ntp master
ntp update-calendar
ntp server
•snmp-server community
•Add ip addresses of only the hosts that need snmp access to the router to access-list 10
•Use the banner command to state the obvious precuations upon login as a legal disclaimer
banner motd ^CC
You Access Restricted Equipment
All Activities are Monitored and Logged
Unauthorized Use Prohibited
By Accessing, You Are Agree Your Activities to be Monitored and Logged
^C
•Console configuration - use exec-timeout to logout idle users after 5 minutes
line con 0
exec-timeout 5 0
password 7 <######>
login authentication no_tacacs
transport input none
line aux 0
exec-timeout 5 0
password 7 <#######>
login authentication test
modem InOut
transport input all
stopbits 1
speed 19200
flowcontrol hardware
line vty 0 4
exec-timeout 5 0
password 7 <########>
login authentication test
transport input telnet
•IOS version
•Make sure you are running a version of IOS that is stable and is patched
for all of the most latest network bugs, especially the recent SSH and SNMP vulnerabilities.
Cisco Internet Inbound Access List
The following is a commented example of an Access List configuration
for a router that acts as a "choke" device on the inside or outside of
a true firewall device. The ! signifies a commented line in Cisco's
notation. Non-commented lines are the actual configuration syntax as it
would be entered on the Cisco router.
The information supplied in this configuration is in no way guaranteed
or supported by the author to "secure" your network. This is meant to provide
an example of generally accepted configuration practices when securing
routers that provide access to untrusted networks.
This access-list should be applied inbound on your choke router to what
is considered your external or outside interface. In most cases, for routers
outside your firewall this will be some sort of WAN interface like a serial port,
BRI interface, frame relay sub-interface, or ATM PVC. This filters traffic that
is coming from the Internet or untrusted network "inbound" on the external
interface connecting to the Internet.
! Deny all standard external spoofing attacks and log all attempts
! from illegal addresses, your external block, and reserved space
! For obvious reasons, non-routable Internet addresses should not be allowed to
! come inbound. A favorite of hackers is to spoof private source addresses or
! even masquerade as public addresses on your own external networks.
!
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 255.0.0.0 0.255.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
deny ip host 0.0.0.0 any log-input
deny ipany log-input
deny ip hostany log-input
!Deny any abusive networks here...
!
deny ip xxx.xxx.xxx.xxx 0.0.0.255 any log-input
! The commands below are all for routers being used as a firewall device.
! If you plan on using another device for a firewall, then do not add any other
! configuration lines except for the following:
! permit ip any any
! If you plan on using your router as your only firewall device you can permit
! or deny particular services as outlined below. The following are only examples.
! There are hundreds of services and non-standard configurations you may need to
! allow based on your indivdual requirements. If you do not have the budget
! for a true firewall such as a PIX, Checkpoint or Netscreen, you should still use
! a router that is sized properly to do the job you need. A Cisco 2620 or 2640
! should have plenty of CPU for Reflexive Access lists and Content Based Access
! Control for a full T-1 worth of traffic. The other key component is RAM. Allow for
! a minimum of 32MB or 64MB if possible. If your budget is still an issue, you are
! probably better off building a firewall using a PC server (under $1000) with 2
! network cards using Linux or NetBSD and IPChains firewall software. You can get a
! lot more mileage out of a machine like that than a low-end Cisco router which
! really wasn't designed for that purpose anyway.
!
! Include the inbound Reflexive Access-Lists if you are using this function
!
! *WARNING* Reflexive Access Lists are CPU and memory intensive on your router.
! Make sure that your hardware is properly sized to support your volume of traffic.
!
! For further explanation of these services and port numbers please refer to
! documentation for the specific protocols.
!
evaluate alliptraffic
! If you need to host any inbound services behind your router then the following
! config may help you out with some example setups.
! Allow outside ftp sessions inbound
!
permit tcp any hosteq 21
! Allow ftp to work from inside your network (requires port 20 to be open
! for incoming data session)
!
permit tcp any eq 20 hostgt 1024
! Allow auth/identd traffic for smtp mail and for other client apps
!
permit tcp any hosteq 113
permit tcp any hosteq 113
! Allow smtp traffic inbound to mail servers
!
permit tcp any hosteq smtp
! Allow http traffic inbound to all web servers
!
permit tcp any hosteq www
! Allow SSL traffic inbound to all SSL servers
!
permit tcp any hosteq 443
! Allow Microsoft PPTP/VPN sessions to connect inbound and log control channel
!
permit tcp any hosteq 1723 log-input
permit tcp any hosteq 1731
permit gre any host
! Allow only certain remote addresses to perform tcp DNS transfers from
! specific DNS servers for secondary DNS service and log each connection
!
permit tcp hosthost eq domain log-input
! Allow inbound client DNS requests to all DNS servers
!
permit udp any hosteq domain
! Allow DNS resolution from the router's serial port for testing purposes
!
permit udp any eq 53 host
! Allow time synchronization to occur on router from ISP
!
permit udp any eq ntp hosteq ntp
! Allow only particular types of icmp packets inbound to
! maintain integrity of data flow and sanity and for troubleshooting etc.
!
permit icmp anynet-unreachable
permit icmp anyhost-unreachable
permit icmp anyport-unreachable
permit icmp anypacket-too-big
permit icmp anyadministratively-prohibited
permit icmp anysource-quench
permit icmp anyttl-exceeded
permit icmp anyecho-reply
! Deny all other ICMP explicitly so it isn't logged
!
deny icmp any any
! Deny all other ip traffic explicitly and log it.
!
deny ip any any log-input
Cisco Internet Outbound Access List
The following is a commented example of an Access List configuration
for a router that acts as a "choke" device on the inside or outside of
a true firewall device. The ! signifies a commented line in Cisco's
notation. Non-commented lines are the actual configuration syntax as it
would be entered on the Cisco router.
The information supplied in this configuration is in no way guaranteed
or supported by the author to "secure" your network. This is meant to provide
an example of generally accepted configuration practices when securing
routers that provide access to untrusted networks.
This access-list should be applied inbound on your choke router to what
is considered your internal or inside interface. In most cases, this will be some
sort of ethernet interface. This filters traffic that is going towards the Internet
or untrusted network "inbound on that interface.
! Deny RFC 1918 private source addresses from going outbound. It is not wise
! to let packets leak outside your network with your internal address information.
! This is the primary way that hackers learn about the configuration of private
! networks. These packets can not be responded to anyway, since these networks are
! not routable on the Internet. they would only be reachable if you are using NAT on a
! device beyond this point in the network to translate to a publicly routable address.
!
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
! Keep any errant request for private addresses inside your network
! Just in case your internal routing table for some reason does not contain a route
! that should be internal, and clients follow your default route toward the Internet
! for requests that should stay inside your network. This is another way that hackers
! can find out about your internal network is watching for internal requests that
! accidentally get routed out to a public device that they can capture traffic from.
!
deny ip any 192.168.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
! Deny all netbios traffic going outbound since this is one of the top 3 most hacked
! or attacked protocols on the Internet. Users should not access netbios services on
! the Internet since it can very easily compromise NT Domain security and architecture.
!
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
! Permit everything else from the "external network" and build the
! reflexive access list alliptraffic with a timeout of 120 seconds
!
! This command allows all other traffic to pass through the interface and
! uses an IOS feature set called Reflexive Access Lists to build a dynamic
! access list for return traffic coming inbound from the Internet. That way a
! command can be appended to an inbound access list to evaluate inbound packets against
! "allowed" return traffic to sessions started from inside your network.
!
! *WARNING* This command is CPU and memory intensive on your router depending on the
! volume of traffic flowing through the interface. I recommend at least a 2610 series
! router with 32MB RAM minimum to support a full T-1 with this configuration.
!
permit ipany reflect alliptraffic timeout 120
deny ip any any log
! If this router is not being used as a firewall but more for just a choke device
! to enhance the security in front of or behind a firewall the following commands should
! replace the above commands... You should specifically define your networks that should
! be allowed to go outbound and then deny everything else explicitly.
!
permit ipany
deny ip any any log
Additional Links to Resources
•NSA Current Security Configuration Guides
•NSA Archived Security Guides
•Other NSA Publications
•Cisco ISP Essentials (a zipped PDF file 902KB).
feedback form
by rolande edited by aryoba
last modified: 2008-01-06 05:32:45
There is a little discussion of Reflexive Access List, where was considered a sophisticated IOS-based Firewall until CBAC came along. If you wish, you can just skip the Reflexive Access List discussion and go straight to CBAC discussion; since it is recommended to deploy CBAC instead of the "obsolete" Reflexive Access List.
Note that with the new Zone-Based Firewall features, Cisco IOS configuration looks similar as ASA 5500 firewall. Therefore now you have option to implement Zone-Based Firewall and IDS/IPS features on your router instead of ACL, CBAC, and IDS/IPS.
Please note that some of the features listed may not be supported by your IOS. Ascertain whether your IOS can support the feature that you require or download one from the software upgrade centre at CCO.
Also note that this is NOT meant to be a tutorial on network protection but more of an overview on the most common methods of protection.
1. ACL (Access List)
Access control lists (ACLs) provide basic filtering capabilities. They can be configured for all routed network protocols (IP, AppleTalk, etc.) to filter the packets of those protocols as the packets pass through a router.
ACLs can PREVENT and ALLOW certain traffic from entering or exiting a network. They filter traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. Your router examines each packet to determine whether to forward or drop the packet, on the basis of the criteria you specified within the ACLs.
Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol (session, presentation or application layer), or other information.
Following FAQ utilizes ACL and basic principles of TCP/IP to create simple but quite effective firewall.
»Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature
Note that that such firewall is "static" (not flexible) and might not always work in any situation.
Reflexive Access Lists
Reflexive access lists allow IP packets to be filtered based on session information, which is a layer in the OSI model. The session layer establishes, manages, and terminates communication sessions between presentation layer entities. Communication sessions consist of service requests and service responses that occur between applications located in different network devices. The reflexive access lists are able to filter packets on these request and responses.
Reflexive access lists can be used to permit IP traffic for sessions originating from within the local network but to deny IP traffic for sessions that originated outside of the same network. Hence, only if the local network initiated a session or a request, will it be allowed back.
When do I configure a reflexive access list?
Reflexive access lists are normally configured on border routers, which are routers that stand on the boundary between the internal and external network (internet or another internal network). They are also often routers with the firewall feature set.
How does it work?
A reflexive access list is activated when a new session is initiated from inside your network, with a packet traveling to the external network. When triggered, the reflexive access list generates a new, temporary entry, which will permit traffic to enter your network if it is part of the session. If the traffic is not part of the session, it will not be permitted to enter your network.
For example, if an outbound TCP packet is forwarded outside of your network, and this packet is the first packet of a TCP session, then a new, temporary reflexive access list entry will be created. This entry is added to the reflexive access list, which applies to inbound traffic so the firewall will not block the responding packet.
What are the drawbacks of reflexive access lists?
Reflexive access lists do not work with some applications that use port numbers that change during a session. For example, if the port numbers for a return packet are different from the originating packet, the return packet will be denied, even if the packet is actually part of the same session.
The TCP application of FTP is an example of an application with changing port numbers. With reflexive access lists, if you start an FTP request from within your network, the request will not complete. Instead, you must use Passive FTP when originating requests from within your network.
This is where CBAC come to play since the CBAC is considered the more advanced firewall (stateful firewall).
2. CBAC (Context Based Access Control)
What is context based access control?
Context based access control (CBAC), intelligently filters TCP and UDP packets based on application layer and session layer information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.
Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer, or at most, the transport layer. However, CBAC examines not only network layer and transport layer information but also examines the application-layer protocol information (such as FTP connection information) to learn about the state of the session. This allows support of protocols that involve multiple channels. Most of the multimedia protocols as well as some other protocols (such as FTP, RPC, and SQL*Net) involve multiple channels.
Finding Out Your Internal Private IP Address Even When Behind NAT Box
Following is a nice illustration. When your network is behind a NAT/PAT box, then you think that people in the Internet will never know your internal (private) IP address, correct? Wrong!
By using Java (HTTP application) people in the Internet are still able to detect and find out your internal IP addresses. Such Java program may be implemented by ISP that do not allow you to NAT/PAT your public Internet address without paying additional fee for each additional PC or machine. The Java program may be also deployed by hackers.
Click on this link (and scroll down) to see if this Internet website can reveal your internal private IP address
http://www.auditmypc.com/anonymous-surfing.asp
Using HTTP option in the CBAC, you can block incoming HTTP traffic (including Java) from unknown or untrusted network. Check out the following thread for detail story.
»[HELP] Can't hide internal IP on SOHO 97
How does it work?
CBAC inspects traffic that travels through the firewall from the internal network to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall’s access lists to allow return traffic and additional data connections for permissible sessions.
When do I employ CBAC?
You can use CBAC when your firewall will be restricting passing traffic consisting of:
* Standard TCP and UDP Internet applications
* HTTP-based applications including Instant Messaging (i.e. AOL, Yahoo, and MSN IM)
* Multimedia applications
* Oracle support
Please note with the new 12.4 IOS train, more applications are supported. Following is a list that supported under 12.4 IOS train.
802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation
aol America-Online
appfw Application Firewall
appleqtc Apple QuickTime
bgp Border Gateway Protocol
bliff Bliff mail notification
bootpc Bootstrap Protocol Client
bootps Bootstrap Protocol Server
cddbp CD Database Protocol
cifs CIFS
cisco-fna Cisco FNATIVE
cisco-net-mgmt cisco-net-mgmt
cisco-svcs cisco license/perf/GDP/X.25/ident svcs
cisco-sys Cisco SYSMAINT
cisco-tdp Cisco TDP
cisco-tna Cisco TNATIVE
citrix Citrix IMA/ADMIN/RTMP
citriximaclient Citrix IMA Client
clp Cisco Line Protocol
creativepartnr Creative Partnr
creativeserver Creative Server
cuseeme CUSeeMe Protocol
daytime Daytime (RFC 867)
dbase dBASE Unix
dbcontrol_agent Oracle dbControl Agent po
ddns-v3 Dynamic DNS Version 3
dhcp-failover DHCP Failover
discard Discard port
dns Domain Name Server
dnsix DNSIX Securit Attribute Token Map
echo Echo port
entrust-svc-handler Entrust KM/Admin Service Handler
entrust-svcs Entrust sps/aaas/aams
esmtp Extended SMTP
exec Remote Process Execution
fcip-port FCIP
finger Finger
fragment IP fragment inspection
ftp File Transfer Protocol
ftps FTP over TLS/SSL
gdoi GDOI
giop Oracle GIOP/SSL
gopher Gopher
gtpv0 GPRS Tunneling Protocol Version 0
gtpv1 GPRS Tunneling Protocol Version 1
h323 H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
h323callsigalt h323 Call Signal Alternate
h323gatestat h323gatestat
hp-alarm-mgr HP Performance data alarm manager
hp-collector HP Performance data collector
hp-managed-node HP Performance data managed node
hsrp Hot Standby Router Protocol
http HTTP Protocol
https Secure Hypertext Transfer Protocol
ica ica (Citrix)
icabrowser icabrowser (Citrix)
icmp ICMP Protocol
ident Authentication Service
igmpv3lite IGMP over UDP for SSM
imap IMAP Protocol
imap3 Interactive Mail Access Protocol 3
imaps IMAP over TLS/SSL
ipass IPASS
ipsec-msft Microsoft IPsec NAT-T
ipx IPX
irc Internet Relay Chat Protocol
irc-serv IRC-SERV
ircs IRC over TLS/SSL
ircu IRCU
isakmp ISAKMP
iscsi iSCSI
iscsi-target iSCSI port
kazaa KAZAA
kerberos Kerberos
kermit kermit
l2tp L2TP/L2F
ldap Lightweight Directory Access Protocol
ldap-admin LDAP admin server port
ldaps LDAP over TLS/SSL
login Remote login
lotusmtap Lotus Mail Tracking Agent Protocol
lotusnote Lotus Note
microsoft-ds Microsoft-DS
ms-cluster-net MS Cluster Net
ms-dotnetster Microsoft .NETster Port
ms-sna Microsoft SNA Server/Base
ms-sql Microsoft SQL
ms-sql-m Microsoft SQL Monitor
msexch-routing Microsoft Exchange Routing
mysql MySQL
n2h2server N2H2 Filter Service Port
ncp-tcp NCP (Novell)
net8-cman Oracle Net8 Cman/Admin
netbios-dgm NETBIOS Datagram Service
netbios-ns NETBIOS Name Service
netbios-ssn NETBIOS Session Service
netshow Microsoft NetShow Protocol
netstat Variant of systat
nfs Network File System
nntp Network News Transport Protocol
ntp Network Time Protocol
oem-agent OEM Agent (Oracle)
oracle Oracle
oracle-em-vp Oracle EM/VP
oraclenames Oracle Names
orasrv Oracle SQL*Net v1/v2
parameter Specify inspection parameters
pcanywheredata pcANYWHEREdata
pcanywherestat pcANYWHEREstat
pop3 POP3 Protocol
pop3s POP3 over TLS/SSL
pptp PPTP
pwdgen Password Generator Protocol
qmtp-tcp Quick Mail Transfer Protocol
r-winsock remote-winsock
radius RADIUS & Accounting
rcmd R commands (r-exec, r-login, r-sh)
rdb-dbs-disp Oracle RDB
realaudio Real Audio Protocol
realsecure ISS Real Secure Console Service Port
router Local Routing Process
rpc Remote Prodedure Call Protocol
rsvd-tcp RSVD
rsvp-encap RSVP ENCAPSULATION-1/2
rsvp_tunnel RSVP Tunnel
rtc-pm-port Oracle RTC-PM port
rtelnet Remote Telnet Service
rtsp Real Time Streaming Protocol
send-tcp SEND
shell Remote command
sip SIP Protocol
sip-tls SIP-TLS
skinny Skinny Client Control Protocol
sms SMS RCINFO/XFER/CHAT
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
snmptrap SNMP Trap
socks Socks
sqlnet SQL Net Protocol
sqlserv SQL Services
sqlsrv SQL Service
ssh SSH Remote Login Protocol
sshell SSLshell
ssp State Sync Protocol
streamworks StreamWorks Protocol
stun cisco STUN
syslog SysLog Service
syslog-conn Reliable Syslog Service
tacacs Login Host Protocol (TACACS)
tacacs-ds TACACS-Database Service
tarantella Tarantella
tcp Transmission Control Protocol
telnet Telnet
telnets Telnet over TLS/SSL
tftp TFTP Protocol
time Time
timed Time server
tr-rsrb cisco RSRB
ttc Oracle TTC/SSL
udp User Datagram Protocol
uucp UUCPD/UUCP-RLOGIN
vdolive VDOLive Protocol
vqp VQP
webster Network Disctionary
who Whois service
wins Microsoft WINS
x11 X Window System
xdmcp XDM Control Protocol
CBAC can be used to allow the application’s traffic through the firewall but only when it is initiated from the protected network.
CBAC is often configured in one direction on a single interface, which will validate the traffic, ensuring it is part of a valid session. This configuration is employed to protect the local network from the Internet.
CBAC can also be used in two directions on one or more interfaces. This method is often employed when networks on both sides of the router needs to be protected. For example, if the firewall is situated between two departments’ networks, CBAC can restrict the traffic of one department’s applications in one direction and restrict traffic in the opposite direction for the other department’s applications.
What are the drawbacks of CBAC?
"If you don’t ask, you don’t get" is the paradigm here. CBAC does not provide intelligent filtering for ALL protocols. It only works for the protocols that you SPECIFY, hence if a protocol is not specified, the ACL will determine its fate.
CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.
If you reconfigure your access lists when you configure CBAC, be aware that if your access lists block TFTP traffic into an interface, you will not be able to netboot over that interface.
Packets with the firewall as the source or destination address are not inspected by CBAC.
CBAC ignores ICMP Unreachable messages. To let specific ICMP traffic to enter, you need to configure the ACL to allow.
H.323 V2 and RTSP protocol inspection supports only the following multimedia client-server applications: Cisco IP/TV, RealNetworks RealAudio G2 Player, Apple QuickTime 4. However with there are more application supported when running 12.4 IOS train as shown previously.
With FTP, CBAC does not allow third-party connections (three-way FTP transfer). Further; when CBAC inspects FTP traffic, it only allows data channels with the destination port in the range of 1024 to 65535. Also, CBAC will not open a data channel if the FTP client-server authentication fails. Therefore when there is a need to have FTP traffic, create ACL to permit such traffic.
CBAC uses less than approximately 600 bytes of memory per connection. There is also a slight amount of additional processing that occurs whenever packets are inspected. Because of the memory and processing usage, you should use CBAC only when your router can handle such work.
Sometimes CBAC must evaluate long access lists, which might have presented a negative impact to performance. However, this impact is avoided, because CBAC evaluates access lists using an accelerated method (CBAC hashes access lists and evaluates the hash).
CBAC does not protect network attacks initiated from within the local network unless the packets travel through the router that employs CBAC for protection. CBAC can only protect against intrusions/attacks that travel through the router.
When you need to protect such network attacks, then you need implement additional security perimeter such as deploy necessary ACL on inside interfaces of the router. Basic logic is that open only necessary ports and protocol; and close others. For the "necessary open" protocol or port guarding, you then need to run IDS/IPS.
What is required for me to undertake reflexive access list and context based access control?
Reflexive access lists can be configured on most IOS feature sets.
CBAC requires the firewall feature set.
3. Zone-Based Firewall
The new Zone-Based Firewall is replacing the previous Stateful IOS-Based Firewall (the CBAC). Zone-Based Firewall is pretty much similar to PIX/ASA OS 7.0 firewall configuration. Check out the following links for details.
Cisco IOS Zone-Based Policy Firewall
Zone-Based Policy Firewall Design and Application Guide
Zone-Based Policy Firewall Design Guide
Cisco IOS Firewall Q&A
Zone-Based Policy Firewall - Introduction and Implementation
4. IDS/IPS (Intrusion Prevention System)
There are prerequisites to properly run Cisco IOS IPS on routers
* Your router IOS version should be at least 12.3(8)T
* Your router IOS feature should be either Advanced Enterprise, Advanced IP Security, or IP Security with IPS
* Your router DRAM is at least 128MB
* There is Signature Detection File (*.sdf) stored in your router, either in flash memory, PCMCIA inside one of the router's slot, Compact Flash, or similar
SDF (Signature Detection File)
* SDF is basically a reference point for router to perform the IPS function
* The IPS functions available are atomic (IP and TCP inspections), service (HTTP, Mail, etc.)
* Detail description on each IPS function is available on the Cisco links below (the SDF and Configuring Cisco IPS)
* You have a choice to either create your own SDF or download from Cisco
* Should you decide to download from Cisco, you need to have proper Smartnet contract
* When you download from Cisco, you can choose either the 128MB.sdf for Basic IPS or the 256MB.sdf for Advanced IPS features
* 128MB.sdf requires at least 128MB DRAM and 256MB.sdf requires at least 256MB DRAM
* In case your router is 870, 1800, 2800, 3800, or other current router models, there should be the 128MB.sdf already stored on the router's flash memory
Note:
* Make sure that the router CPU and memory can handle the workload
* As illustration, 2610XM router with 256MB DRAM and 48MB Flash can jump from 0-1% normal CPU utilization to 99% CPU utilization when running Advanced 256MB.sdf
* For small network environment, the minimal router should be 1841 or similar to properly run Cisco IOS IPS
* You can check out the following FAQ to verify your router CPU power
»Cisco Forum FAQ »Cisco Equipment Performance (per pps and Mbps)
Sample Configuration
ip ips sdf location flash:256MB.sdf
ip ips name MYIPS
!
interface GigabitEthernet0/1
ip address 10.1.1.16 255.255.255.0
ip ips MYIPS in
duplex full
speed 100
media-type rj45
no negotiation auto
Assumption:
* There is 256MB.sdf on the router flash memory
* The IPS will investigate incoming traffic under such router interface
Check out the following link for more info
1. General Info
»www.cisco.com/en/US/products/ps6···ome.html
2. SDF and Configuring Cisco IPS
»www.cisco.com/en/US/products/ps6···3cf.html
SAMPLE CONFIGURATION
1. CBAC Combination Configuration
»Cisco Forum FAQ »Sample IOS Firewall (CBAC) router configuration
»Cisco Forum FAQ »Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router
2. Official Cisco IOS IDS/IPS Deployment Guide
»www.cisco.com/en/US/products/ps6···57.shtml
3. IDS/IPS Configuration in Action
»www.cisco.com/en/US/products/ps6···32.shtml
4. More IOS Firewall Sample Configuration
»www.cisco.com/en/US/products/sw/···ist.html
5. Official Cisco IOS Firewall Design Guide and Sample Implementation
»www.cisco.com/en/US/products/sw/···670.html
6. Zone-Based Firewall Sample Configuration
»Cisco Forum FAQ »Zone-Based Firewall Sample Configuration
This FAQ brought to you by: LoneBandit & Rhodium_uk
Disclaimer:
The above is a summary of Reflexive Access Lists and CBAC. For more information on the capabilities, limitations and syntax of the commands, please consult the CCO.
The authors do not hold any responsibility for any decisions or actions that may arise from this FAQ.
This document is not endorsed by CISCO.
feedback formby Covenant edited by aryoba
last modified: 2008-02-06 11:40:11
In smaller network environment, pretty much anybody can log into network devices such as routers, switches, and firewalls to make configuration changes. To provide further network access protection, some username and password is stored locally within the network devices.
A downside of such localized credential is that there is minimum or no control of such credential integrity. As illustration, someone could just login and changes password without telling others. Then others can no longer login without knowing the new password.
The best practice to have more control is to have centralized AAA (Authentication, Authorization, Accounting) server that keeps all usernames and passwords for user login authentication. Further, the AAA server can authorize certain tasks or commands that certain users are able to perform. When such users try to do tasks or issue commands that are unauthorized, those tasks or commands will be rejected. In addition, the AAA server can run report which users are accounted for which tasks or command issues on some network devices.
Various Privilege Level and Centralized AAA server
Let's say there are network engineers and network analysts as people who have authorized access to routers. The network engineers have full access to routers from issuing show, ping, traceroute commands for troubleshooting; to issuing configure terminal command to configure the routers. The network analysts have partial access to routers. These analysts are only allowed to troubleshoot and are not allowed to configure routers. Only the engineers have such authorization.
Typically these network analysts are only allowed to issue show, ping, traceroute commands for troubleshooting. They are not allowed to issue configure terminal command since such command is part of configuration command which only network engineers have privilege of.
As you can see, there is a need to have different privilege level between network engineers and network analysts. In AAA world, there is something called Privilege Level 0, 1, 2, all the way up to 15 when somebody (a user) access router or any network device. The Privilege Level 0 is the lowest privilege level a user can have where the Privilege Level 15 is the highest privilege level.
On Cisco router, a user can only issue simple commands such as show version, ping (not extended ping), and traceroute (not extended traceroute) when such user is authenticated as Privilege Level 0 user. A user can issue full commands when such user is authenticated as Privilege Level 15 user. Using the illustration, let's decide that the network analysts are set as Privilege Level 0 users and the network engineers are set as Privilege Level 15 users
Note that on Cisco router, a user can issue commands like show configuration or show running-config when such user is authenticated as Privilege Level 15 user by default. In this case, the network analysts need to issue such commands. To make this possible, there are several approaches you can use.
One approach is to define local credential by creating a list of commands on the router itself for Privilege Level 0 users. In this case, the show command set including show configuration and show running-config is within the list. Note that this approach is only feasible as the only platform of network access security and monitoring when there are only handful of routers. Once there are more and more routers, this approach is not scalable.
Another approach is to utilize external authentication server such as TACACS+ to keep this list of authorized commands for Privilege Level 0 users. By utilizing such TACACS+ server, there is no need to keep list of commands on the router itself. All authorized commands for any users (including network analyst and network engineers) are centralized within the TACACS+ server database. Therefore regardless the router quantity, there are minimum to no changes needed when more routers or any network devices are coming into the network.
In typical production network, both local and external authentication server utilizations are implemented. The authentication server which stores centralized credentials is used primarily. The local credentials are used as backup in case there is an event where the authentication server is unreachable or non-working. By using this approach, there are several platforms of network access security and monitoring (centralized and local credentials) which from network management perspective is more secure, scalable, and practical.
TACACS+ server Management
Let's say now there is a centralized TACACS+ server to regulate which commands specific users can issue. Depending of TACACS+ server software capabilities, there are some TACACS+ servers that are unable to keep specific command set. Certain TACACS+ servers are only able to keep a list of command itself without the following parameters. As illustration, some TACACS+ servers are only able to keep show command but not show running-config or show configuration commands.
When you have to deal with these kind of TACACS+ servers, there is a trick to provide those show running-config or show configuration commands for Privilege Level 0 users. Set those Privilege Level 0 users to have Privilege Level 15. However only handful commands that these users can issue such as show (including show running-config or show configuration), ping (both standard and extended), and traceroute (both standard and extended). When these users try to issue unauthorized command such as configure terminal, the command will be rejected as failed to authorize. This way, you can even have further control of which commands specific users can issue beyond a simple Privilege Level 0 and 15 distinction.
You can also configure TACACS+ server to do further. One is to authorize certain users to have access to only some network device and to reject access to other network devices. When these users only come from certain IP subnet, then you also can utilize ACL (i.e. access-class command under line vty on Cisco routers) to restrict such access.
Another functionality is to grant full Privilege Level 15 to only some network device and to grant partial Privilege Level 15 to other network devices. This is applicable when you have wider network team such as Network Analyst, Network Engineer, and Advanced Network Engineer team; where Network Analysts can only troubleshoot, Network Engineer can troubleshoot and modify configuration on certain network devices only (typically edge network devices), and where Advanced Network Engineers have full access to all network devices.
Between TACACS+ and RADIUS server
Beside TACACS+ server, there is another type of AAA server which is RADIUS server. Typically you implement TACACS+ server for network device access management such as routers, switches, and firewall. To have centralize management of others, you may need RADIUS server instead since RADIUS functionality is more of general purposes.
In addition, typically you need TACACS+ server to do AAA (Authentication, Authorization, Accounting) of user credentials, which Privilege Level the user will be as, which command the user can issue on certain network device, and to record all commands such user issues on certain network device. Since RADIUS is more of general purpose AAA server, RADIUS is typically only capable to either permit or deny access of certain network resources, and to record which users have been logging in from specific IP address to which device.
Last but not least, TACACS+ is Cisco implementation where it towards to more of network device centralized access management where RADIUS is IETF implementation for general purpose AAA functionality.
RADIUS server Implementation
You may wonder when you should implement TACACS+ and when you should implement RADIUS. One good example is remote VPN management access. In this example you provide IPSec VPN service to users that need to remotely access network resources from anywhere securely. The VPN device you use is PIX Firewall.
In general, there are two remote access management concerns. One is the PIX Firewall device management itself and another is the IPSec VPN service management. You basically need to centralized manage who has authorization to modify PIX Firewall configuration, to troubleshoot any connection passing through PIX Firewall, and any related issues. You also need to centralized manage who has authorization to remotely access network resources from anywhere, which network resource that such remote users are authorized to access, and any related issues.
In such situation, you may want to implement TACACS+ server for the PIX Firewall device management itself and to implement RADIUS server for network resource remote access. Check out the following FAQ for sample configuration.
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator
There are other situations when certain network devices or applications only support RADIUS authentication for management such as Cisco VPN Concentrator 3000 series and Cisco MARS. In these situations, then you obviously have no choice but to implement RADIUS authentication instead of TACACS+ one.
AAA Command Set Implementation
As mentioned previously, there are in general two types of AAA accounts; local and centralized in either TACACS+ or RADIUS server. The local accounts are sets of username and password stored locally within network devices. The centralized accounts are sets of username and password stored in some TACACS+ and/or RADIUS server.
In addition, it is also typical practice to define which commands specific accounts or users are able to issue, especially when TACACS+ server is implemented. Similar to the account storage, this list of authorized commands can be either defined locally or centralized within the TACACS+ server.
Check out the following FAQ for details.
»Cisco Forum FAQ »Securing access to routers with AAA commands
»Cisco Forum FAQ »Securing access to ASA/PIX Firewall with AAA commands
AAA Server Implementation
Check out the following FAQ for sample implementation.
»Cisco Forum FAQ »Are there Free authentication packages for TACACS or RADIUS to secure my router?
feedback formby aryoba
last modified: 2008-08-13 16:30:20
• Linux
• http://www.gazi.edu.tr/tacacs/
• http://web.mit.edu/kerberos/www/
• http://www.freeradius.org/
More to come!
For those Windows administrators that try to integrate these UNIX-based authentication software with Active Directory, you need to run Samba. Check out the following link for sample configuration.
FreeRADIUS PEAP Authentication + Cisco AP + Windows XP + Windows AD Authentication
This FAQ courtesy of rolande.
feedback formby nozero edited by aryoba
last modified: 2008-04-21 09:03:48
When there are no AAA commands implemented into routers, there must be a password set under the vty line in addition of login command to have the router remotely accessible via (let's say) telnet and ssh. With the proper implementation of AAA command set, the router no longer need password set under the vty line to be telnet or ssh-able. With proper AAA command set implementation, all login attempt from telnet, ssh, http, https, SNMP, console in via either Console or AUX port will be authenticated using the same credential. In addition, implementing AAA command set is more secure approach especially when the router has to authenticate with external TACACS+ or RADIUS server.
The following AAA commands are applicable not only to routers, but any Cisco gears that are running IOS image (IOS-based gears) such as switches and wireless AP devices. These AAA command set has been tested in various situation; including automatic failover from TACACS+ server to local credential or local enable password during unreachable TACACS+ server situation due to down server or down network.
As mentioned, there will be no need to have passwords under line console, aux, and vty once these AAA command set are in place. All login attempt will be controlled by the AAA command set.
If the router happen to have passwords under line console, aux, and vty; these passwords should be removed since the AAA command set will take over all login authentication anyway. In other words, those passwords are no longer in effect once the AAA command set are in place.
At first AAA command set to authenticate using local credential only is introduced to provide preliminary understanding. Then external TACACS+ server utilization is introduced to provide greater security perimeter.
AAA command set using local credential
Sample #1:
username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
aaa new-model
Note:
To login, enter the local username and password. To enter privilege mode, enter the enable password.
Sample #2:
username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
aaa new-model
aaa authentication login default group local enable
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local if-authenticated
aaa authorization commands 15 default local if-authenticated
Note:
Password to login and to enter enable (privilege) mode is the same. Therefore you don't enter the enable password to enter the privilege mode.
AAA command set with external TACACS server
Sample #3:
username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
tacacs-server host [ENTER TACACS SERVER IP ADDRESS HERE]
tacacs-server key 0 [ENTER THE SECRET KEY HERE]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
Note:
When the TACACS+ server fails, router will authenticate using local credential.
Sample #4:
username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
tacacs-server host [ENTER TACACS SERVER IP ADDRESS HERE]
tacacs-server key 0 [ENTER THE SECRET KEY HERE]
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
Note:
When the TACACS+ server fails, router will authenticate using enable password
Setting local account privilege level and authorized command list
Referring to this FAQ
»Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level
there is a discussion of setting up certain Privilege Level 15 commands to Privilege Level 0 users. Let's say the following commands are authorized to use for those Privilege Level 0 users in addition to the default Privilege Level 0 authorized command list.
traceroute
traceroute ip (extended traceroute)
ping
ping ip (extended ping)
show (i.e. show version, show ip route, etc.)
show configuration
As discussed in the FAQ link, there should be a centralized TACACS+ server to regulate those commands on the list. However in case of down network or unreachable TACACS+ server, those Privilege Level 0 users should still be able to issue those commands. When the TACACS+ server is unreachable from the router perspective, then one way to keep those Privilege Level 0 users be able to issue those commands is to locally define those commands as additional authorized commands for Privilege Level 0 users. To make that happen, following should be on the router configuration in addition to the above AAA command set of your choice.
username [ENTER Privilege Level 0 USERNAME HERE] privilege 0 secret 0 [ENTER YOUR PASSWORD HERE]
privilege exec level 0 traceroute ip
privilege exec level 0 traceroute
privilege exec level 0 ping ip
privilege exec level 0 ping
privilege exec level 0 show configuration
privilege exec level 0 show
and either one of the following AAA command set
Option 1 (suitable when you implement Sample Configuration #2)
aaa authorization commands 0 default local if-authenticated
Option 2 (suitable when you implement Sample Configuration #3)
aaa authorization commands 0 default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
Option 3 (suitable when you implement Sample Configuration #4)
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa accounting commands 0 default start-stop group tacacs+
Some Discussion on Cisco website:
How to Assign Privilege Levels with TACACS+ and RADIUS
How router behaves with specific AAA command set
Referring to this FAQ
»Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level
there is a discussion of how to specify which commands that Privilege Level 0 users can issue eventhough on the TACACS+ server these users are set as Privilege Level 15 users. Let's say there are such Privilege Level 0 users in place. When the router is configured to implement if-authenticated parameter, then the parameter overrides the TACACS+ server command setting. With if-authenticated parameter, Privilege Level 0 users can issue unauthorized command such as configure terminal. Therefore when there is a need to have Privilege Level 0 users that are able to issue certain Privilege Level 15 user commands only, then you might want to implement the AAA command set without the if-authenticated parameter to let the TACACS+ server has the total control.
feedback formby Covenant edited by aryoba
last modified: 2008-08-07 08:44:28
Similar to router, PIX or ASA can use either local credential or remote credential stored on external AAA server such as TACACS+ and RADIUS. Using such external servers for authentication are highly recommended to provide more secure approach.
These AAA command set has been tested in various situation; including automatic failover from TACACS+ server to local credential or local enable password during unreachable TACACS+ server situation due to down server or down network.
At first AAA command set to authenticate using local credential only is introduced to provide preliminary understanding. Then external TACACS+ server utilization is introduced to provide greater security perimeter.
PIX Firewall running OS version 6.3
Using Local Credential
Sample #1:
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
Note:
To login, enter the local username and password. To enter the privilege mode, enter the enable password.
Sample #2:
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
Note:
Password to login and to enter privilege mode is the same. Therefore you don't use the enable password to enter the privilege mode.
2. Using External TACACS+ Server
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
aaa-server LOCAL protocol local
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
Note:
When TACACS+ server fails, the PIX Firewall uses local credential to authenticate access.
ASA or PIX Firewall running OS version 7.0 or newer
1. Using Local Credential
Sample #1:
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
Note:
To login, enter the local username and password. To enter the privilege mode, enter the enable password.
Sample #2:
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
Note:
Password to login and to enter privilege mode is the same. Therefore you don't use the enable password to enter the privilege mode.
2. Using External TACACS+ Server
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
aaa-server LOCAL protocol local
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
aaa accounting command TACACS+
Note:
When TACACS+ server fails, the PIX Firewall uses local credential to authenticate access. FYI, the aaa accounting command set against TACACS+ credential is available starting at OS version 7.0 or newer.
Setting local account privilege level and authorized command list
Referring to this FAQ
»Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level
there is a discussion of setting up certain Privilege Level 15 commands to Privilege Level 0 users. Let's say the following commands are authorized to use for those Privilege Level 0 users in addition to the default Privilege Level 0 authorized command list.
show arp
show interface
show ip (i.e. show ip address, show ip audit count)
show route
show crypto (i.e. show crypto isakmp, show crypto ipsec)
show conn
show cpu
show memory
show xlate
clear xlate
ping
As discussed in the FAQ link, there should be a centralized TACACS+ server to regulate those commands on the list. However in case of down network or unreachable TACACS+ server, those Privilege Level 0 users should still be able to issue those commands. When the TACACS+ server is unreachable from the ASA or PIX Firewall perspective, then one way to keep those Privilege Level 0 users be able to issue those commands is to locally define those commands as additional authorized commands for Privilege Level 0 users. To make that happen, following should be on the ASA or PIX Firewall configuration in addition to the above AAA command set of your choice.
username [ENTER Privilege Level 0 USERNAME HERE] password [ENTER YOUR PASSWORD HERE] privilege 0
privilege show level 0 command arp
privilege show level 0 command interface
privilege show level 0 command ip
privilege show level 0 command route
privilege show level 0 command crypto
privilege show level 0 command conn
privilege show level 0 command cpu
privilege show level 0 command memory
privilege show level 0 command xlate
privilege clear level 0 command xlate
privilege level 0 command ping
feedback formby aryoba
last modified: 2008-08-16 22:09:29
»Cisco Forum FAQ »Sample IOS Firewall (CBAC) router configuration
»Cisco Forum FAQ »Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router
Some discussions
»Cisco 831 hardened config example?
Terms and Definitions
»Cisco Forum FAQ »Protect my network! How do I do that using Cisco IOS?
Please note that the router sample configurations assume the IOS image has Firewall (FW) feature support. When this is not applicable to your router, check out following FAQ:
»Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature
feedback formby aryoba
last modified: 2008-01-06 05:40:23
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections
Introduction
IPSec VPN tunnel is one way of setting up private site-to-site connection by utilizing public network (the Internet). Since it is utilizing public network, there would be no need to have dedicated physical circuit to interconnect the sites, hence requiring low cost to setup while maintain private and secure connection.
With site-to-site IPSec VPN, there is a IP routing in place to interconnect multiple subnet. This IP routing could be static routing or dynamic routing. In a small network where there is only one path connecting two sites, then static routing should be sufficient. When there are multiple paths connecting two sites, then dynamic routing (i.e. EIGRP, OSPF) and/or load balancing (either per-packet or per-destination) should be used to have optimal connection.
Note that IPSec tunnelling technology is only able to support static routes and basic IP interconnection. When there are more advance IP interconnections needed; such as running Novell IPX, dynamic routing, and load balancing between the sites; then IPSec tunnelling itself is unable to support. For such advance IP interconnections, GRE tunnelling is the choice. The downside of GRE tunnelling is that GRE tunnel is less-secure tunnel compared to IPSec tunnel.
Should you decide to have advance IP interconnection support while maintain secure connection over public network, the workaround is to run GRE over IPSec. IPSec will then be encrypting the GRE tunnel securely and GRE tunnel will be providing the advance IP interconnection support.
Some Discussions
said by gramzster:
--------------------------------------------------------------------------------
I do have a quick question, When I was looking through the example configurations on the Cisco site, it seemed that GRE was what I wanted to try to configure, since it supported routing protocols. Does this type of IPSEC tunnel also support routing protocols? (basically, what's the difference between a GRE tunnel, and this type of tunnel?)
--------------------------------------------------------------------------------
In a nutshell, the VPN tunnel never forwards the routing broadcasts through the tunnels. Neither do they send the routing updates. To send the routing updates (so that the remote location can learn the network on the local side) you must use GRE over IPSec. With this feature, the routing updates are first encapsulated over a new GRE packet and then forwarded through the VPN (IPSec) tunnel. This is useful and required if you are using OSPF, RIP, EIGRP in your internal network and need to build a routing tunnel.
--------------------------------------------------------------------------------
Here's some more detail and links/differences between a pure IPSec vpn tunnel and a GRE over IPSec tunnel:
Pure IPSec vpn tunnel
=====================
In a pure IPSec vpn tunnel, only ip traffic is encrypted/decrypted.
If you have non ip traffic, example, ipx, then it is not able to go into the vpn tunnel.
OSPF, EIGRP, are not transferred in the tunnel.
The urls below might be helpful for you about IPSec,
An Introduction to IP Security (IPSec) Encryption
http://www.cisco.com/en/US/netsol/ns110/ns170/ns172/ns334/networking_solutions_design_guide_chapter09186a008017e272.html
http://www.cisco.com/en/US/products/sw/secursw/ps2133/products_user_guide_chapter09186a00800d9f4c.html
GRE over IPSec vpn tunnel
=========================
In a GRE over IPSec vpn tunnel, the original packet whether ip, ipx, etc... is first going to be GRE encapsulated and then this packet is then subjected to IPSec encapsulation.
Therefore, in a GRE over IPSec tunnel, all routing traffic (ip and non ip) can be routed through because when the original packet (ip/non ip) is GRE encapsulated, then it will have an ip header (as defined by the GRE tunnel (normally the tunnel interface ip addresses)) then the IPSec protocol can understand the ip packet and and can therefore be able to encapsulate the GRE packet to make it GRE over IPSec.
please visit the urls below for more info.,
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800946ba.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094865.shtml
--------------------------------------------------------------------------------
Sample Configurations
»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall
»Cisco Forum FAQ »Private Routing over VPN: GRE over IP Sec
Last but not least, here's another link for a sample config. which uses GRE/IPSEC, CBAC and NAT but I am sure that you will be able to remove the CBAC if you do not want it.
Hope that helps.
Configuring Router-to-Router IPsec (Pre-shared Keys) on GRE Tunnel with IOS Firewall and NAT
This FAQ brought to you by this post http://www.dslreports.com/forum/remark,8108888~root=equip,cis~mode=flat#8176897 by Covenant.
feedback formby nozero edited by aryoba
last modified: 2008-05-27 16:24:05