Lab 2. Stateful firewall - CBAC and ZBF

Setup

For the second lab a new end-point machine is added, KaliVM, a Kali Linux box that plays the attacker in our scenario. A new network is also used, 10.10.10.0/24, again with the first IP of the subnet on the router and the second on the end device. Note that during the lab we may refer to the router as the firewall.

The router is now a Cisco 7200. The image can be downloaded from the link below:

Link to image for CISCO 7200

Credentials:

KaliVM - root:student

UbuntuVM - student:student

InternetVM - student:student

InternetVM has a NAT connection to the outside on interface enp0s8 (its IP is obtained with dhclient).

Your job is to configure again the IPs and routes for UbuntuVM (client), KaliVM, InternetVM and the router. Keep in mind the following:

  • 10.20.20.0/24 is the network UbuntuVM (enp0s3) ←→ (ethernet 0/0) router
  • 10.30.30.0/24 is the network InternetVM (enp0s3) ←→ (ethernet1/0) router
  • 10.10.10.0/24 is the network KaliVM (enp0s3) ←→ (ethernet2/0) router

Also, do not forget the static routes needed on all end devices and on the router:

  • UbuntuVM: default route via the router, plus routes to 10.30.30.0/24 and 10.10.10.0/24
  • KaliVM: default route via the router, plus routes to 10.20.20.0/24 and 10.30.30.0/24 (its own 10.10.10.0/24 is directly connected)
  • InternetVM: a single aggregate that contains the networks above - route to 10.0.0.0/8 via the router (keep the NAT default route on enp0s8)
  • router: default route only (the lab networks are directly connected)

On InternetVM an IP address may already be assigned to enp0s3. Delete it with:

student@internet: $ sudo ip a del 172.31.0.1/24 dev enp0s3

and then add the correct one (10.30.30.2/24).

On the Linux VMs add the IPs and routes non-persistently (with the ip command, not in the network configuration files); the machines do not need to be rebooted.

Ubuntu and Kali do not need Internet access; we will use these machines as web servers.
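The addressing above, as a small helper script. This is an added example, not part of the lab material: it assumes the lab convention (router at .1, VM at .2 on each /24, interface enp0s3 on every VM) and prints the ip(8) commands for one VM, or runs them when called with "apply". It also encodes the one thing easy to get wrong here: InternetVM must keep its NAT default route on enp0s8 and only gets the 10.0.0.0/8 aggregate via the router.

```shell
#!/bin/bash
# Lab 2 addressing helper (added example; not part of the original lab material).
# Convention from the setup: each VM has its own /24 towards the router, router = .1,
# VM = .2, interface enp0s3 on every VM. Nothing is written to the network config
# files, so the settings vanish on reboot, which is what the lab asks for.
# Usage:  ./lab2_net.sh kali        (print the commands)
#         ./lab2_net.sh kali apply  (run them, as root)

# Network prefix of the VM's lab subnet (from the topology list above).
lab2_subnet() {
    case "$1" in
        ubuntu)   echo 10.20.20 ;;
        kali)     echo 10.10.10 ;;
        internet) echo 10.30.30 ;;
        *)        echo "unknown host: $1" >&2; return 1 ;;
    esac
}

# Emit the ip(8) commands for one VM, one per line.
lab2_commands() {
    local host=$1 dev=${2:-enp0s3} net
    net=$(lab2_subnet "$host") || return 1
    echo "ip addr add $net.2/24 dev $dev"
    echo "ip link set $dev up"
    case "$host" in
        ubuntu|kali)
            # Default route via the lab router; the two explicit /24s are the ones the
            # lab lists (redundant next to the default route, but harmless).
            echo "ip route add default via $net.1 dev $dev"
            for other in 10.20.20 10.10.10 10.30.30; do
                [ "$other" = "$net" ] || echo "ip route add $other.0/24 via $net.1"
            done ;;
        internet)
            # InternetVM keeps its NAT default route on enp0s8 (dhclient); only the
            # lab networks go via the router, as one aggregate.
            echo "ip route add 10.0.0.0/8 via $net.1" ;;
    esac
}

lab2_main() {
    if [ "${2:-}" = apply ]; then
        lab2_commands "$1" | while read -r cmd; do echo "+ $cmd"; $cmd; done
    else
        lab2_commands "$1"
    fi
}

# Run only when invoked with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || lab2_main "$@"
```

Check the result with ip -br a and ip r on each VM before moving on; the default route on InternetVM must still point at enp0s8.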

Exercises

1. SYN flood in our topology

This first exercise is just for getting used to DoS attacks in our topology and to the hping3 command. Suppose an attacker (Trudy) wants to make a server unavailable with a denial-of-service attack; in this lab we simulate it with hping3.

On InternetVM an apache2 web server is up and running. Suppose we add on the router an ACL that permits TCP from any source to the web server and bind it to TCP Intercept (ip tcp intercept list TCP_INTERCEPT), so that the router tracks the handshakes it sees (the show command further down only has something to display once intercept is enabled):

CISCO_7200(config)#ip access-list extended TCP_INTERCEPT
CISCO_7200(config-ext-nacl)#permit tcp any host 10.30.30.2 eq 80

Stress the web server (10.30.30.2) with hping3:

root@KaliVM:# hping3 -n -c 1000 -d 120 -S -w 64 -p 80 --flood 10.30.30.2

Explanation of the flags used:

  1. -n = numeric output only (no host name lookups)
  2. -c 1000 = number of packets to send
  3. -d 120 = size of the data payload of each packet, in bytes
  4. -S = set only the SYN flag (SYN attack)
  5. -w 64 = TCP window size
  6. -p 80 = destination port 80 (http)
  7. --flood = send packets as fast as possible, without waiting for or displaying replies

Monitor the connections on the router (all of them are listed as incomplete, i.e. the handshake never finishes):

CISCO_7200#sh tcp intercept connections
Incomplete:
Client               Server               State     Create    Timeout   Mode
10.10.10.2:2859      10.30.30.2:80        SYNRCVD   00:00:00  00:00:00  I
10.10.10.2:6954      10.30.30.2:80        SYNRCVD   00:00:00  00:00:00  I
[...]
*Mar 1 00:00:31.232: %TCP-6-INTERCEPT: getting aggressive, count (1100/1100) 1 min 0

2. CBAC

CBAC stands for Context-Based Access Control, a Cisco IOS feature that inspects traffic up to the application layer and dynamically opens temporary entries in the interface ACLs for the return traffic of the sessions it inspects.

It can also limit the number of connections opened by outside machines, which is what stops a DoS attack. In this task you create a CBAC inspection rule for TCP and apply it in the outbound direction on the interface facing UbuntuVM (traffic towards that machine).

Traffic has to be permitted by the interface ACLs before CBAC inspects it; to keep the exercise simple, no ACLs are applied here.

First create an inspection rule for TCP and apply it to the interface facing UbuntuVM (the transcript shows fa0/0; use whichever interface faces UbuntuVM on your router):

CISCO_7200(config)#ip inspect name INSPECT_TCP_CONN tcp
CISCO_7200(config)#int fa0/0
CISCO_7200(config-if)#ip inspect INSPECT_TCP_CONN out

Now access the web server on UbuntuVM from KaliVM. It should work.

CBAC has 2 kinds of logging: alerts and the audit trail.

Alerts are messages about CBAC operation (such as a DoS attack being detected or low resources). They are enabled by default and printed to the console. To disable them, use:

CISCO_7200(config)#ip inspect alert-off

The audit trail keeps track of every connection inspected by CBAC and is used for statistics about connections. It is disabled by default; to enable it, use:

CISCO_7200(config)#ip inspect audit-trail

So far the number of connections is not limited, so a DoS attack with hping3 still goes through:

root@KaliVM:# hping3 -n -c 10 -w 64 -S -p 80 10.20.20.2

In the next step we limit the number of half-open TCP connections (those whose 3-way handshake has not completed).

With the command below, at most 4 half-open TCP connections are accepted towards one destination host; once that count is exceeded, new TCP connections to that host are dropped and the host is blocked for 1 minute (block-time is given in minutes). Note what this means for the victim: the block applies to every client of that host, not only to the attacker, so the limit itself makes the server unreachable for the block time. With block-time 0 the router instead deletes the oldest half-open session for each new connection request, which does not lock legitimate clients out:

CISCO_7200(config)#ip inspect tcp max-incomplete host 4 block-time 1

From the attacker (KaliVM) start 10 connections with hping3:

root@KaliVM:# hping3 -n -c 10 -w 64 -S -p 80 10.20.20.2

On KaliVM you will see that the first 4 receive a SYN/ACK and the remaining 6 are dropped:

root@KaliVM:/# hping3 -n -c 10 -w 64 -S -p 80 10.20.20.2
HPING 10.20.20.2 (eth0 10.20.20.2): S set, 40 headers + 0 data bytes
len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=31.6 ms
len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=14.9 ms
len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=22.8 ms
len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=21.9 ms
--- 10.20.20.2 hping statistic ---
10 packets transmitted, 4 packets received, 60% packet loss

Log entries are also generated on the Cisco device:

CISCO_7200(config)#
*Oct  8 20:33:16.127: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (4) exceeded for host 10.20.20.2
CISCO_7200(config)#
*Oct  8 20:33:16.131: %FW-2-BLOCK_HOST: Blocking new TCP connections to host 10.20.20.2 for 1 minute (half-open count 4 exceeded).

CBAC limits to keep in mind:

  • new connections can be limited by the total number of half-open sessions existing at a time (ip inspect max-incomplete high/low)
  • new connections can be limited by the rate of new half-open sessions, sampled over one minute (ip inspect one-minute high/low)
  • the number of half-open TCP connections towards one host can also be limited (ip inspect tcp max-incomplete host, used above)
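The same per-host counting can be done on the victim itself, which is the check to run while exercise 1 or the CBAC limit above is in progress: a server in SYN-RECV state for many sockets from one peer is exactly what the router counts as half-open. The script below is an added example, not from the lab page; it reads ss(8) output (a constructed sample is embedded so it runs offline) and reports the peers whose half-open count exceeds the threshold, 4 being the lab value.

```shell
#!/bin/bash
# Half-open TCP connection counter per client, seen from the server side.
# Added example (not from the lab page): it reproduces on the victim VM, with ss(8),
# the per-host counting that "ip inspect tcp max-incomplete host N" does on the router,
# so you can confirm what the router reports while hping3 runs.
# Live use on UbuntuVM/InternetVM:   ss -Htan | half_open_offenders 4

# Constructed sample of `ss -Htan` output (State Recv-Q Send-Q Local:Port Peer:Port),
# as it would look during the hping3 run in exercise 1 plus one normal client.
sample_ss() {
    cat <<'EOF'
LISTEN    0  128  0.0.0.0:80      0.0.0.0:*
SYN-RECV  0  0    10.30.30.2:80   10.10.10.2:2859
SYN-RECV  0  0    10.30.30.2:80   10.10.10.2:6954
SYN-RECV  0  0    10.30.30.2:80   10.10.10.2:1021
SYN-RECV  0  0    10.30.30.2:80   10.10.10.2:4410
SYN-RECV  0  0    10.30.30.2:80   10.10.10.2:7733
ESTAB     0  0    10.30.30.2:80   10.20.20.2:41812
SYN-RECV  0  0    10.30.30.2:80   10.20.20.2:41813
EOF
}

# Count SYN-RECV sockets per peer address on stdin; prints "<count> <peer>",
# highest count first. The port is stripped with a regex so "[v6addr]:port" also works.
count_half_open() {
    awk '$1 == "SYN-RECV" { sub(/:[^:]*$/, "", $5); n[$5]++ }
         END { for (h in n) print n[h], h }' | sort -rn
}

# Print only the peers whose half-open count exceeds the limit (default 4, the lab value).
half_open_offenders() {
    local limit=${1:-4}
    count_half_open | awk -v lim="$limit" '$1 > lim { print $2 }'
}
```

Run it in a loop (watch -n1 'ss -Htan | half_open_offenders 4') during the flood: with the CBAC limit in place the count for the attacker should never climb past 4, because the router stops forwarding the extra SYNs.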

3. ZBF

A big drawback of the solution presented above is that it becomes very complex when multiple interfaces must be managed. Also, it offers no rules per host or network, everything being bound to inbound or outbound traffic on an interface. The zone-based firewall (ZBF) is the next security solution we look at.

The model of ZBF is as following:

  • each interface is part of a group, called zone
  • traffic between zones is monitored by the device

ZBF allows policies at a granular level, per protocol or per host. Each class in a policy can take one of three actions:

  • DROP action - deny the traffic between the two zones
  • PASS action - let the traffic through statelessly (no session is tracked, so return traffic needs its own pass rule in the opposite zone-pair)
  • INSPECT action - stateful inspection; the return traffic of an inspected session is allowed automatically

The table on the original page (an image, not reproduced here) summarises what ZBF does with traffic; the rules are:

  • traffic between two interfaces in the same zone is passed
  • traffic between an interface in a zone and an interface in no zone is dropped
  • traffic between two zones with no zone-pair, or with a zone-pair that has no policy, is dropped
  • traffic between two zones with a zone-pair is handled by that pair's policy; whatever its classes do not match falls into class-default, which drops

The router itself is not attached to any zone; instead a special self zone represents traffic to and from the device, and a policy on a zone-pair involving self can filter it (by default that traffic is passed).

The configuration steps are as follows:

  1. create the zones (optionally with a description, in zone configuration mode)
  2. define the zone-pairs (a pair has a source and a destination zone and is unidirectional)
  3. define traffic classes (what type of traffic is of interest and allowed to pass the firewall)
  4. define firewall policies (called policy maps on Cisco routers)
  5. assign policy maps to zone-pairs
  6. assign router interfaces to zones (this can also be done right after step 2)

In the setup presented above, we will consider:

  • KaliVM is in LAN zone
  • UbuntuVM is in DMZ zone
  • InternetVM is in PUBLIC zone (it has Internet access)

A. Create zones on firewall:

CISCO_7200(config)#zone security LAN
CISCO_7200(config-sec-zone)#description Local Area Network
CISCO_7200(config-sec-zone)#exit   
CISCO_7200(config)#zone security DMZ
CISCO_7200(config-sec-zone)#description Public Servers Network
CISCO_7200(config-sec-zone)#exit
CISCO_7200(config)#zone security PUBLIC
CISCO_7200(config-sec-zone)#description Internet Access
CISCO_7200(config-sec-zone)#exit

B. Add the pairs between zones:

CISCO_7200(config)#zone-pair security LAN-TO-INTERNET source LAN destination PUBLIC    
CISCO_7200(config-sec-zone-pair)#exit
CISCO_7200(config)#zone-pair security LAN-TO-DMZ source LAN destination DMZ
CISCO_7200(config-sec-zone-pair)#exit
CISCO_7200(config)#zone-pair security PUBLIC-TO-DMZ source PUBLIC destination DMZ
CISCO_7200(config-sec-zone-pair)#exit

C. Go directly to step 6 and assign the interfaces to their zones (the interface names in this transcript differ from the setup list; use the interface facing each VM on your router):

CISCO_7200(config)#int e1/0
CISCO_7200(config-if)#zone-member security DMZ
CISCO_7200(config)#int e1/1
CISCO_7200(config-if)#zone-member security  LAN
CISCO_7200(config-if)#int e1/2
CISCO_7200(config-if)#zone-member security PUBLIC

The zone-pairs defined above have no policy yet, so the default applies and all traffic between zones is dropped, for example from KaliVM (LAN) to UbuntuVM (DMZ):

root@KaliVM:~# ping 10.20.20.2
PING 10.20.20.2 (10.20.20.2) 56(84) bytes of data.

^C
--- 10.20.20.2 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6148ms

D. Define what type of traffic is of interest and should be allowed through the firewall. Here we let LAN members reach anything over TCP and ICMP; the class map is applied first to the LAN-TO-INTERNET pair:

CISCO_7200(config)#class-map type inspect match-any TCP-ICMP-CMAP
CISCO_7200(config-cmap)#match protocol tcp
CISCO_7200(config-cmap)#match protocol icmp

A match-any class map matches a packet when any one of its match statements applies (match-all, the default, requires all of them). To restrict the class to certain source or destination addresses, add an ACL as a criterion with match access-group name <ACL>.

E. Define the firewall policy: put the class map from step D into a policy map with the inspect action:

CISCO_7200(config)#policy-map type inspect LAN-TO-INTERNET-PMAP
CISCO_7200(config-pmap)#class TCP-ICMP-CMAP
CISCO_7200(config-pmap-c)#inspect

F. Attach the policy map to the LAN-TO-INTERNET zone-pair:

CISCO_7200(config)#zone-pair security LAN-TO-INTERNET 
CISCO_7200(config-sec-zone-pair)#service-policy type inspect LAN-TO-INTERNET-PMAP

After pinging InternetVM from KaliVM (LAN to PUBLIC), which is now allowed, the policy statistics look as follows:

CISCO_7200#show policy-map type inspect zone-pair 

policy exists on zp LAN-TO-INTERNET
 Zone-pair: LAN-TO-INTERNET

  Service-policy inspect : LAN-TO-INTERNET-PMAP

    Class-map: TCP-ICMP-CMAP (match-any)
      Match: protocol tcp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 64 bytes
        30 second rate 0 bps

   Inspect
        Packet inspection statistics [process switch:fast switch]
        icmp packets: [0:4]

        Session creations since subsystem startup or last reset 1
        Current session counts (estab/half-open/terminating) [1:0:0]
        Maxever session counts (estab/half-open/terminating) [1:1:0]
        Last session created 00:00:07
        Last statistic reset never
        Last session creation rate 1
        Maxever session creation rate 1
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any 
      Drop
        0 packets, 0 bytes

Note the match counter for protocol icmp (incremented by 1) and the one established session under Inspect.

4. Extra ZBF

To allow HTTP access to the DMZ (web servers) from the LAN and PUBLIC zones, create a class map that matches only HTTP traffic and a policy map that inspects it.

Class map:

CISCO_7200(config)#class-map type inspect HTTP-ONLY-CMAP
CISCO_7200(config-cmap)#match protocol http

Policy map:

CISCO_7200(config)#policy-map type inspect HTTP-ONLY-PMAP
CISCO_7200(config-pmap)#class HTTP-ONLY-CMAP
CISCO_7200(config-pmap-c)#inspect 

Add policy-map to zone-pairs LAN-TO-DMZ and PUBLIC-TO-DMZ:

CISCO_7200(config)#zone-pair security LAN-TO-DMZ
CISCO_7200(config-sec-zone-pair)#service-policy type inspect HTTP-ONLY-PMAP
CISCO_7200(config-sec-zone-pair)#exit
CISCO_7200(config)#zone-pair security PUBLIC-TO-DMZ  
CISCO_7200(config-sec-zone-pair)#service-policy type inspect HTTP-ONLY-PMAP

This lets KaliVM (assumed well-behaved for now) and InternetVM reach the HTTP service in the DMZ zone (on UbuntuVM open a temporary listener with nc -k -l 80; match protocol http classifies by port, so a plain nc listener on port 80 is enough for the test):

CISCO_7200#show policy-map type inspect zone-pair  PUBLIC-TO-DMZ

policy exists on zp PUBLIC-TO-DMZ
 Zone-pair: PUBLIC-TO-DMZ

  Service-policy inspect : HTTP-ONLY-PMAP

    Class-map: HTTP-ONLY-CMAP (match-all)
      Match: protocol http

   Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [0:2]

        Session creations since subsystem startup or last reset 1
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:1:0]
        Last session created 00:01:12
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 1
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any 
      Drop
        0 packets, 0 bytes

However, this does not limit the number of half-open TCP sessions. With an inspect parameter map we can apply the same per-host limit as in the CBAC exercise (at most 4 half-open sessions, then a 1 minute block):

CISCO_7200(config)#parameter-map type inspect TCP-SYN-LIMIT
CISCO_7200(config-profile)#tcp max-incomplete host 4 block-time 1

Modify the policy map so that the inspect action uses the TCP-SYN-LIMIT parameter map:

CISCO_7200(config)#policy-map type inspect HTTP-ONLY-PMAP
CISCO_7200(config-pmap)#class HTTP-ONLY-CMAP
CISCO_7200(config-pmap-c)#inspect TCP-SYN-LIMIT

After this, start the DoS attack from KaliVM (Trudy again):

root@KaliVM:# hping3 -n -c 10 -w 64 -S -p 80 10.20.20.2
HPING 10.20.20.2 (eth0 10.20.20.2): S set, 40 headers + 0 data bytes
len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=31.6 ms
len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=14.9 ms
len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=22.8 ms
len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=21.9 ms

--- 10.20.20.2 hping statistic ---
10 packets transmitted, 4 packets received, 60% packet loss

The router logs the same kind of event as CBAC did, now tagged with the zone-pair and class that triggered it (this capture was taken while the SYNs arrived through the PUBLIC-TO-DMZ pair). As with CBAC, it is the destination host that gets blocked:

CISCO_7200(config-pmap-c)#
*Oct  8 22:24:35.163: %FW-4-HOST_TCP_ALERT_ON: (target:class)-(PUBLIC-TO-DMZ:HTTP-ONLY-CMAP):Max tcp half-open connections (4) exceeded for host 10.20.20.2
CISCO_7200(config-pmap-c)#
*Oct  8 22:24:35.167: %FW-2-BLOCK_HOST: (target:class)-(PUBLIC-TO-DMZ:HTTP-ONLY-CMAP):Blocking new TCP connections to host 10.20.20.2 for 1 minute (half-open count 4 exceeded).
CISCO_7200(config-pmap-c)#
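Before calling the zone policy done, it is worth verifying it from the end hosts rather than from the router's counters alone. The script below is an added example, not part of the lab page: run from KaliVM (LAN) after sections 3 and 4, it probes each zone and classifies the answer as open, refused or filtered. The distinction matters: a RST (refused) means the SYN crossed the firewall and only the service was missing, while silence (filtered) is what a ZBF drop looks like, as in the ping that failed after step C. It assumes the nc listener on UbuntuVM port 80 is running and that port 22 is not open on the DMZ host.

```shell
#!/bin/bash
# End-host verification of the zone policy (added example; not part of the lab page).
# Run from KaliVM once sections 3 and 4 are configured. Each probe is classified as
#   open     - handshake completed: the flow was inspected and the service answered
#   refused  - RST came back: the firewall let the SYN through, nothing listens there
#   filtered - no answer within the timeout: what a ZBF drop (or class-default) looks like
# Needs only bash (/dev/tcp), coreutils timeout(1) and ping; no nc or nmap.

# tcp_probe <host> <port> [timeout-seconds] -> open | refused | filtered
tcp_probe() {
    local host=$1 port=$2 t=${3:-2} rc=0
    # The "if" keeps a failing probe from tripping set -e in calling scripts.
    if timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then rc=0; else rc=$?; fi
    case $rc in
        0)   echo open ;;
        124) echo filtered ;;   # timeout(1) reports 124 when it had to kill the command
        *)   echo refused ;;
    esac
}

# icmp_probe <host> [timeout-seconds] -> open | filtered (ICMP echo has no "refused")
icmp_probe() {
    if ping -n -c 1 -W "${2:-2}" "$1" >/dev/null 2>&1; then echo open; else echo filtered; fi
}

# Collapse open/refused into "reached": both prove the packet crossed the firewall.
reached() { case $1 in open|refused) echo reached ;; *) echo "$1" ;; esac; }

# check <label> <expected> <actual>: prints PASS/FAIL, returns 1 on FAIL.
check() {
    if [ "$2" = "$3" ]; then printf 'PASS %-20s %s\n' "$1" "$3"; return 0; fi
    printf 'FAIL %-20s expected %s, got %s\n' "$1" "$2" "$3"; return 1
}

# Expected matrix seen from the LAN zone after section 4:
#   LAN->PUBLIC: any TCP and ICMP inspected;  LAN->DMZ: only HTTP (tcp/80).
# Port 22 stands for "some other port"; it is assumed not to be open on the DMZ host.
zbf_verify_from_lan() {
    local fail=0
    check "LAN->PUBLIC icmp"   open     "$(icmp_probe 10.30.30.2)"                || fail=1
    check "LAN->PUBLIC tcp/80" open     "$(tcp_probe 10.30.30.2 80)"              || fail=1
    check "LAN->PUBLIC tcp/22" reached  "$(reached "$(tcp_probe 10.30.30.2 22)")" || fail=1
    check "LAN->DMZ tcp/80"    open     "$(tcp_probe 10.20.20.2 80)"              || fail=1
    check "LAN->DMZ tcp/22"    filtered "$(tcp_probe 10.20.20.2 22)"              || fail=1
    check "LAN->DMZ icmp"      filtered "$(icmp_probe 10.20.20.2)"                || fail=1
    return $fail
}

# ./zbf_verify.sh run   (the functions can also be sourced and called one by one)
if [ "${1:-}" = run ]; then zbf_verify_from_lan; fi
```

The two tcp/22 rows are the interesting ones: the same closed port shows up as reached through LAN-TO-INTERNET (the TCP-ICMP-CMAP class inspects any TCP) and as filtered through LAN-TO-DMZ (only HTTP is classified, the rest hits class-default and is dropped). Repeat the matrix from InternetVM for the PUBLIC-TO-DMZ pair, and from UbuntuVM to confirm that the DMZ, which has no outgoing zone-pair, cannot initiate anything.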
sred/laborator_2._cbac_and_zbf.txt · Last modified: 2019/11/13 17:16 by horia.stoenescu
CC Attribution-Share Alike 3.0 Unported