Show page

Differences

This shows you the differences between two versions of the page.

--- sred:laborator_2._cbac_and_zbf [2020/10/29 23:56]
horia.stoenescu [Setup]
+++ sred:laborator_2._cbac_and_zbf [2022/10/30 20:53] (current)
horia.stoenescu Added pointers for exercises
@@ Line 4: / Line 4: @@
 === Story ===
-In our basic topology scenario, due to small budget our company still uses the old Cisco equipment for routing and filtering, but this time the second branch closed and added instead a visitor network (may be used by people that come at interview). After seeing some attacks done in our internal network like DoS, we decided to test different approaches: started with TCP intercept, continuing with CBAC and in the end implemented successfully the better security solution - zone based firewall (ZBF).
+In our basic topology scenario, due to small budget our company still uses the old Cisco equipment for routing and filtering, but this time the second branch closed and added instead a visitor network (may be used by people that come at interview). After seeing some attacks done in our internal network like DoS, we decided to test different approaches: started with TCP intercept, continuing with CBAC and in the end implemented successfully a better security solution - zone based firewall (ZBF).
+<note tip>
+[[https://curs.upb.ro/2022/pluginfile.php/346995/mod_resource/content/1/sred_lab2_stateful_firewall_updated.pdf|Here]] you can find the presentation for lab2. There are made comparisons between each feature and what is the road from simple ACLs to a basic firewall solution.
+</note>
+=== Local host prerequisites ===
+If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]] to access the Linux/Firewall machines and [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|putty]] for Cisco routers/switches.
+You can also check this client side pack from Eve-ng for [[https://www.eve-ng.net/index.php/download/#DL-WIN|Windows]] and [[https://www.eve-ng.net/index.php/download/#DL-OSX|MacOS]].
+For Linux OS, you can use Remmina or Remote Desktop Viewer (both should be already installed). Check this link also: [[https://remmina.org/how-to-install-remmina/|Remmina install]].
 === Lab infra ===
@@ Line 12: / Line 22: @@
 You have to do the following:
+- create a new node for the attacker (see [[https://ocw.cs.pub.ro/courses/sred/setup_lab_remote#create_a_new_node|here]] a tutorial), remove connection router - client2 and attach this new machine
 - add IPs for network between the server and the network equipment (use range 1.1.1.0/24)
@@ Line 29: / Line 41: @@
 **server** and **client1** - eve:eve (with sudo access)
-**cisco_7200** - enable passwd: cisco
+**cisco_7200** - no enable password added
-**Mapping ip-student**: check your machine ip [[https://curs.upb.ro/mod/url/view.php?id=84844|here]]
 </note>
 ==== Stateful firewall implementations ====
-=== 1. TCP intercept ===
+=== t1. TCP intercept ===
 This first scenario is just for getting used to [[https://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos|DoS]] attacks in our topology and hping3 command. Suppose that an attacker (called Trudy) wants to make a server unavailable using a SYN flood attack (which is fairly easy to create). This is done by sending TCP segments with SYN flag and no intention to complete the handshake. The server hangs by waiting for these connections to be finished until the timeout expires, but creates problems with legitimate TCP connections which can be denied.
@@ Line 50: / Line 60: @@
 - **watch**: the disadvantage of intercept is that most of the times the router does this mitm for fair clients and adds overhead. A solution can be watch mode, which is a reactive approach that is monitoring connections, keeping track of half-open ones. Again, after a timeout (default 30 seconds) if a connection is not completed, the router sends a RST to server to remove it. This will remove all unwanted incompleted connections and allows legitimate ones to complete.
+If the high threshold value is exceeded, then the timeout is reduced by half (in default case, to 15 seconds). The connections have the state SYNSENT at start, then if the server responds with SYN-ACK the state is changed to SYNRCVD and firewall is waiting for client to send the ACK in order to finish the 3-way handshake.
 In this lab, we will use [[https://linux.die.net/man/8/hping3|hping3]] to simulate the attack. On server machine we have SimpleHTTPServer up and running on port 8080.
@@ Line 133: / Line 145: @@
 </code>
-=== 2. CBAC ===
+Example state watch-mode (with only 1 SYN packet sent from kali):
-CBAC stands for **Context-Based Access Control** and represents a feature of Cisco products that is used for verifying protocol of application layer and dynamic modification of firewall rules that are based on it.
+<code>
+# attacker sends 1 SYN packet to server on port 8080
+root@kali:# hping3 -n -c 1 -d 120 -S -w 64 -p 8080 1.1.1.2
+# at start, the connection is saved with SYNSENT
+Router#sh tcp intercept connections
+Incomplete:
+Client                Server                State    Create   Timeout  Mode
+.3.3.2:14482         1.1.1.2:8080          SYNSENT  00:00:00 00:00:30 W
+# then, the server responds with SYN+ACK and the connection is updated
+Router#sh tcp intercept connections
+Incomplete:
+Client                Server                State    Create   Timeout  Mode
+.3.3.2:1626          1.1.1.2:8080          SYNRCVD  00:00:03 00:00:26 W
+# at last, after the timeout, the connection is removed and a RST is sent to server
+Router#sh tcp intercept connections
+Incomplete:
+Client                Server                State    Create   Timeout  Mode
-Using this feature, the number of connections opened by outside machines can be limited (to stop a DoS attack). This task proposes to create a CBAC rule that is used for monitoring TCP connections and added on outbound interface to UbuntuVM (traffic to that machine).
+</code>
+<note>
+Check [[http://www.employees.org/univercd/Feb-1998/CiscoCD/cc/td/doc/product/software/ios112/intercpt.htm#xtocid2436922|here]] for a full documentation regarding TCP intercept.
+</note>
 <note important>
-Before the traffic gets inspected by CBAC, the traffic must be permitted by ACLs. In our case, there are no ACLs added to simplify the usage.
+Before continuing with CBAC and ZBF, head to [[https://ocw.cs.pub.ro/courses/sred/laborator_2._cbac_and_zbf#exercies|exercises]] section and solve e1 and e2.
 </note>
-Create firstly an inspect rule for tcp and apply it to an interface:
+=== t2. CBAC ===
+<note important>
+Before starting with CBAC, make sure to delete old tcp intercept configuration:
 <code>
-CISCO_7200(config)#ip inspect name INSPECT_TCP_CONN tcp
+cisco_7200(config)#no ip tcp intercept list
-CISCO_7200(config)#int fa0/0
+cisco_7200(config)#no ip tcp intercept max-incomplete  high
-CISCO_7200(config-if)#ip inspect INSPECT_TCP_CONN out
+cisco_7200(config)#no ip tcp intercept max-incomplete  low
 </code>
+</note>
-Try now to access the webserver from KaliVM. It should work.
+CBAC stands for **Context-Based Access Control** and represents a feature of Cisco products that is used for verifying protocol of application layer and dynamic modification of firewall rules that are based on it.
-CBAC has 2 types of logging functions: alerts and audits.
+Using this feature, the number of connections opened by outside machines can be limited (to stop a DoS attack). This task proposes to create a CBAC rule that is used for monitoring TCP connections and added on outbound interface to server (traffic to that machine).
-**Alerts** are messages concerning CBAC operations (like alert for DoS attack or low resources). They are **enabled by default** and displayed to console. To disable, use:
+It provides 4 main functions:
-<code>
+- filtering traffic: TCP, UDP, ICMP connections. As seen on lab 1, ACLs can filter only at layers 3 and 4 and reflexive ones (RACL) at layer 5. CBAC can also inspect at application level.
-CISCO_7200(config)#ip inspect alert-off
-</code>
-**Audits** are used to keep track of connections inspected by CBAC. Used for statistics about connections. There are **disabled by default** and to enable use:
+- inspecting traffic: CBAC maintains its stateful firewall by looking at layer 7. It can also prevent SYN flood attacks by shutting connections down after a specific threshold is reached.
+- detecting intrusions: DoS protection, limit phishing attacks.
+- generate alerts and audits: it can generate real-time alerts and detect attacks. Logs can later be inspected
+**CBAC configuration steps**:
+//Part 1//: find which interface is external for router. In our case this is e1/0.
+//Part 2 [optional for us]//: Before the traffic gets inspected by CBAC, the traffic must be permitted by ACLs. In our case, there are no ACLs added to simplify the usage.
+Try now to access the webserver from client1 and kali. It should work.
+//Part 3//: global timeout values for tcp, udp, icmp can also be changed (like synwait-time, finwait-time, idle-time etc.). Another value that can be changed is the maximum number of incomplete connections:
 <code>
-CISCO_7200(config)#ip inspect audit-trail
+cisco_7200(config)#ip inspect tcp max-incomplete host 4 block-time 1
 </code>
 <note>
-In the case from above, the number of connections are not limited and a DoS attack using hping3 is possible:
+There is a bug on this IOS version - for a host VAL < 4, the blocked packets is VAL + 1.
-<code>
-root@KaliVM:# hping3 -n -c 10 -w 64 -S -p 80 10.20.20.2
-</code>
 </note>
+//Part 4//: port application mapping (PAM) - used to determine which type of inspection to perform on a connection. Example: for SMTP is 25 and CBAC knows that is email and what kinds of commands are exchanged.
-On the next step, we want to limit the number of half-opened TCP connections (3-way handshake is not finished) - see image from [[https://www.researchgate.net/publication/307782595/figure/fig1/AS:405479864979465@1473685341714/Half-Open-TCP-Connection.png|here]].
+There are multiple default mappings on ios:
+<code>
+cisco_7200#sh ip port-map
+Default mapping:  snmp                 udp port 161                        system defined
+Default mapping:  echo                 tcp port 7                          system defined
+[...]
+</code>
+You can also create nonstandard ones, like 8080 in our case or a host-specific one (for example: there are 2 machines listening on port 4444, but I want only the first one to be inspected).
-Using the command from below, only a maximum of 4 half-opened TCP connections are accepted by one host, the other ones being dropped and blocked for 1 minute (block-time 1, where is in minuted):
+We can create here for 1.1.1.2:8080 - this will do http inspection:
 <code>
-CISCO_7200(config)#ip inspect tcp max-incomplete host 4 block-time 1
+cisco_7200(config)#ip port-map http port 8080 list 1
+cisco_7200(config)#access-list 1 permit 1.1.1.2
 </code>
-On attacker (KaliVM) start a 10 connections using hping3 command:
+//Part 5//: create the inspection rules to filter the connections that are added to state table and what returning traffic is allowed back to client. If no rules are added, then all traffic is treated as usual.
+We will use here inspection of http - mostly used when nonstandard ports are used (like us , 8080) or filter urls:
+Create firstly an inspect rule for tcp and apply it to an interface.
 <code>
-root@KaliVM:# hping3 -n -c 10 -w 64 -S -p 80 10.20.20.2
+CISCO_7200(config)#ip inspect name INSPECT_TCP tcp alert on
 </code>
-You will see on the kali VM that the first 4 are allowed and the rest of 6 are blocked:
+//Part 6//: activate the rule on an interface
 <code>
-root@KaliVM:/# hping3 -n -c 10 -w 64 -S -p 80 10.20.20.2
+CISCO_7200(config)#int e1/0
-HPING 10.20.20.2 (eth0 10.20.20.2): S set, 40 headers + 0 data bytes
+CISCO_7200(config-if)#ip inspect INSPECT_TCP out
-len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=31.6 ms
-len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=14.9 ms
-len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=22.8 ms
-len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=21.9 ms
---- 10.20.20.2 hping statistic ---
-packets transmitted, 4 packets received, 60% packet loss
 </code>
-Also, log entries are generated on Cisco device:
+//Part 7//: troubleshooting
+From client1, ssh the server and see the sessions:
 <code>
-CISCO_7200(config)#
+cisco_7200#sh ip inspect sessions
-*Oct  8 20:33:16.127: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (4) exceeded for host 10.20.20.2
+Established Sessions
-CISCO_7200(config)#
+ Session 66180AB0 (2.2.2.2:39808)=>(1.1.1.2:22) tcp SIS_OPEN
-*Oct  8 20:33:16.131: %FW-2-BLOCK_HOST: Blocking new TCP connections to host 10.20.20.2 for 1 minute (half-open count 4 exceeded).
 </code>
 <note>
-Options of CBAC to keep in mind:
+If you want to learn more about CBAC, I recommend you this [[http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+9.+Context-Based+Access+Control/|documentation]].
-  * new connections can be limited based on the total number of sessions opened at a time
+</note>
-  * new connections can be limited based on sampling with one minute rates
-  * the number of half-opened TCP connections opened by a host can be limited also
+<note important>
+Before continuing with the last feature, ZBF, head to [[https://ocw.cs.pub.ro/courses/sred/laborator_2._cbac_and_zbf#exercies|exercises]] section and solve e3 and e4.
 </note>
-=== 3. ZBF ===
+=== t3. ZBF ===
 A big drawback of the solution presented above is that it can become very complex when there is need to manage multiple interfaces. Also, it does not offer rules per host or network, all being bound to inbound or outbound traffic. **Zone based firewall** (or ZBF) is the next proposed security solution.
@@ Line 242: / Line 292: @@
 In the setup presented above, we will consider:
-  * KaliVM is in LAN zone
+  * client1 is in LAN zone
-  * UbuntuVM is in DMZ zone
+  * server is in DMZ zone
-  * InternetVM is in PUBLIC zone (it has internet access)
+  * kali is in VISITOR zone
+<note important>
+Before going through exercises 3 and 4 (from this tutorial, not your own tasks), remove all CBAC config using:
+<code>
+cisco_7200(config)#no ip inspect
+</code>
+</note>
 A. Create zones on firewall:
 <code>
-CISCO_7200(config)#zone security LAN
+cisco_7200(config)#zone security LAN
-CISCO_7200(config-sec-zone)#description Local Area Network
+cisco_7200(config-sec-zone)#description Local Area Network - client1
-CISCO_7200(config-sec-zone)#exit
+cisco_7200(config-sec-zone)#exit
-CISCO_7200(config)#zone security DMZ
+cisco_7200(config)#zone security DMZ
-CISCO_7200(config-sec-zone)#description Public Servers Network
+cisco_7200(config-sec-zone)#description local Servers
-CISCO_7200(config-sec-zone)#exit
+cisco_7200(config-sec-zone)#exit
-CISCO_7200(config)#zone security PUBLIC
+cisco_7200(config)#zone security VISITOR
-CISCO_7200(config-sec-zone)#description Internet Access
+cisco_7200(config-sec-zone)#description Visitor area - kali
-CISCO_7200(config-sec-zone)#exit
+cisco_7200(config-sec-zone)#exit
 </code>
 B. Add the pairs between zones:
 <code>
-CISCO_7200(config)#zone-pair security LAN-TO-INTERNET source LAN destination PUBLIC
+cisco_7200(config)#zone-pair security LAN-TO-VISITOR source LAN destination VISITOR
-CISCO_7200(config-sec-zone-pair)#exit
+cisco_7200(config-sec-zone-pair)#exit
-CISCO_7200(config)#zone-pair security LAN-TO-DMZ source LAN destination DMZ
+cisco_7200(config)#zone-pair security LAN-TO-DMZ source LAN destination DMZ
-CISCO_7200(config-sec-zone-pair)#exit
+cisco_7200(config-sec-zone-pair)#exit
-CISCO_7200(config)#zone-pair security PUBLIC-TO-DMZ source PUBLIC destination DMZ
+cisco_7200(config)#zone-pair security VISITOR-TO-DMZ source VISITOR destination DMZ
-CISCO_7200(config-sec-zone-pair)#exit
+cisco_7200(config-sec-zone-pair)#exit
 </code>
 C. Go directly to step 6 and configure interfaces to each zones:
 <code>
-CISCO_7200(config)#int e1/0
+cisco_7200(config)#int e1/0
-CISCO_7200(config-if)#zone-member security DMZ
+cisco_7200(config-if)#zone-member security DMZ
-CISCO_7200(config)#int e1/1
+cisco_7200(config)#int e1/1
-CISCO_7200(config-if)#zone-member security  LAN
+cisco_7200(config-if)#zone-member security  LAN
-CISCO_7200(config-if)#int e1/2
+cisco_7200(config-if)#int e1/2
-CISCO_7200(config-if)#zone-member security PUBLIC
+cisco_7200(config-if)#zone-member security VISITOR
 </code>
-This will apply to zone-pairs defined above the default policy rule and all traffic is denied:
+This will apply to zone-pairs defined above the default policy rule and all traffic is denied (like a firewall - deny all by def):
 <code>
-root@UbuntuVM:~# ping 10.20.20.2
+eve@client1:~/Desktop$ ping -c 3 1.1.1.2
-PING 10.20.20.2 (10.20.20.2) 56(84) bytes of data.
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
 ^C
---- 10.20.20.2 ping statistics ---
+--- 1.1.1.2 ping statistics ---
- packets transmitted, 0 received, 100% packet loss, time 6148ms
+ packets transmitted, 0 received, 100% packet loss, time 2051ms
+# same for kali client
 </code>
-D. Define what type of traffic is of interest and should be allowed to pass the firewall. In our  case, we would like to let our LAN members to access anything from Internet and DMZ, including TCP and ICMP.
+D. Define what type of traffic is of interest and should be allowed to pass the firewall. In our  case, we would like to let our VISITOR members to send icmp-echo req to DMZ.
 <code>
-CISCO_7200(config)#class-map type inspect match-any TCP-ICMP-CMAP
+cisco_7200(config)#class-map type inspect match-any ICMP-CMAP
-CISCO_7200(config-cmap)#match protocol tcp
+cisco_7200(config-cmap)#match protocol icmp
-CISCO_7200(config-cmap)#match protocol icmp
 </code>
@@ Line 300: / Line 357: @@
 E. Define firewall policies: add to policy map the class map defined on point D)
 <code>
-CISCO_7200(config)#policy-map type inspect LAN-TO-INTERNET-PMAP
+cisco_7200(config)#policy-map type inspect VISITOR-TO-DMZ-PMAP
-CISCO_7200(config-pmap)#class TCP-ICMP-CMAP
+cisco_7200(config-pmap)#class ICMP-CMAP
-CISCO_7200(config-pmap-c)#inspect
+cisco_7200(config-pmap-c)#inspect
 </code>
-F. Add to LAN-TO-INTERNET zone-pair the policy map:
+F. Add to VISITOR-TO-DMZ zone-pair the policy map:
 <code>
-CISCO_7200(config)#zone-pair security LAN-TO-INTERNET
+cisco_7200(config)#zone-pair security VISITOR-TO-DMZ
-CISCO_7200(config-sec-zone-pair)#service-policy type inspect LAN-TO-INTERNET-PMAP
+cisco_7200(config-sec-zone-pair)#service-policy type inspect VISITOR-TO-DMZ-PMAP
 </code>
-After sending successfully 2 icmp-echo-requests from KaliVM to InternetVM (from LAN to PUBLIC) - the traffic is allowed, the policy using is as follows:
+After sending successfully 2 icmp-echo-requests from kali to server (from VISITOR to DMZ) - the traffic is allowed, the policy using is as follows:
 <code>
-CISCO_7200#show policy-map type inspect zone-pair
+cisco_7200#show policy-map type inspect zone-pair
+ Zone-pair: VISITOR-TO-DMZ
-policy exists on zp LAN-TO-INTERNET
+  Service-policy inspect : VISITOR-TO-DMZ-PMAP
- Zone-pair: LAN-TO-INTERNET
-  Service-policy inspect : LAN-TO-INTERNET-PMAP
+    Class-map: ICMP-CMAP (match-any)
-    Class-map: TCP-ICMP-CMAP (match-any)
-      Match: protocol tcp
-packets, 0 bytes
-second rate 0 bps
       Match: protocol icmp
 packets, 64 bytes
 second rate 0 bps
+      Inspect
-   Inspect
         Packet inspection statistics [process switch:fast switch]
         icmp packets: [0:4]
         Session creations since subsystem startup or last reset 1
-        Current session counts (estab/half-open/terminating) [1:0:0]
+        Current session counts (estab/half-open/terminating) [0:0:0]
-        Maxever session counts (estab/half-open/terminating) [1:1:0]
+        Maxever session counts (estab/half-open/terminating) [0:1:0]
-        Last session created 00:00:07
+        Last session created 00:00:12
         Last statistic reset never
         Last session creation rate 1
@@ Line 343: / Line 394: @@
     Class-map: class-default (match-any)
       Match: any
-      Drop
+      Drop (default action)
 packets, 0 bytes
 </code>
@@ Line 349: / Line 400: @@
 See the match for protocol icmp (incremented with 1).
-=== 4. Extra ZBF ===
+Try to send a GET request to server. Does it work?
+=== t4. Extra ZBF ===
-To allow access to DMZ for http (web servers) for LAN and PUBLIC zones, there is need to create a class-map for matching only HTTP traffic and a policy-map to allow data inspection.
+To allow access to DMZ for http (web servers) for VISITOR and LAN zones, there is need to create a class-map for matching only HTTP traffic and a policy-map to allow data inspection.
 Class map:
 <code>
-CISCO_7200(config)#class-map type inspect HTTP-ONLY-CMAP
+cisco_7200(config)#class-map type inspect HTTP-ONLY-CMAP
-CISCO_7200(config-cmap)#match protocol http
+cisco_7200(config-cmap)#match protocol http
 </code>
 Policy map:
 <code>
-CISCO_7200(config)#policy-map type inspect HTTP-ONLY-PMAP
+cisco_7200(config)#policy-map type inspect HTTP-ONLY-PMAP
-CISCO_7200(config-pmap)#class HTTP-ONLY-CMAP
+cisco_7200(config-pmap)#class HTTP-ONLY-CMAP
-CISCO_7200(config-pmap-c)#inspect
+cisco_7200(config-pmap-c)#inspect
 </code>
-Add policy-map to zone-pairs LAN-TO-DMZ and PUBLIC-TO-DMZ:
+Remove the old policy-map from zone-pair VISITOR-TO-DMZ (1 can be attached per pair):
 <code>
-CISCO_7200(config)#zone-pair security LAN-TO-DMZ
+cisco_7200(config)#zone-pair security VISITOR-TO-DMZ
-CISCO_7200(config-sec-zone-pair)#service-policy type inspect HTTP-ONLY-PMAP
+cisco_7200(config)#no service-policy type inspect VISITOR-TO-DMZ-PMAP
-CISCO_7200(config-sec-zone-pair)#exit
-CISCO_7200(config)#zone-pair security PUBLIC-TO-DMZ
-CISCO_7200(config-sec-zone-pair)#service-policy type inspect HTTP-ONLY-PMAP
 </code>
-This allows KaliVM (supposed for now to be a good person) and InternetVM to access HTTP service from DMZ zone (on UbuntuVM open a temporary service using: //nc -k -l 80//):
+Add policy-map to zone-pairs LAN-TO-DMZ and VISITOR-TO-DMZ:
 <code>
-CISCO_7200#show policy-map type inspect zone-pair  PUBLIC-TO-DMZ
+cisco_7200(config)#zone-pair security LAN-TO-DMZ
+cisco_7200(config-sec-zone-pair)#service-policy type inspect HTTP-ONLY-PMAP
+cisco_7200(config-sec-zone-pair)#exit
+cisco_7200(config)#zone-pair security VISITOR-TO-DMZ
+cisco_7200(config-sec-zone-pair)#service-policy type inspect HTTP-ONLY-PMAP
+</code>
-policy exists on zp PUBLIC-TO-DMZ
+This allows kali (supposed for now to be a good person) and client1 to access HTTP service from DMZ zone on port 8080:
- Zone-pair: PUBLIC-TO-DMZ
+<code>
+cisco_7200#show policy-map type inspect zone-pair  VISITOR-TO-DMZ
+ Zone-pair: VISITOR-TO-DMZ
   Service-policy inspect : HTTP-ONLY-PMAP
@@ Line 386: / Line 443: @@
     Class-map: HTTP-ONLY-CMAP (match-all)
       Match: protocol http
+      Inspect
-   Inspect
         Packet inspection statistics [process switch:fast switch]
-        tcp packets: [0:2]
+        tcp packets: [0:10]
         Session creations since subsystem startup or last reset 1
         Current session counts (estab/half-open/terminating) [0:0:0]
-        Maxever session counts (estab/half-open/terminating) [0:1:0]
+        Maxever session counts (estab/half-open/terminating) [1:1:1]
-        Last session created 00:01:12
+        Last session created 00:00:19
         Last statistic reset never
-        Last session creation rate 0
+        Last session creation rate 1
         Maxever session creation rate 1
         Last half-open session total 0
@@ Line 402: / Line 458: @@
     Class-map: class-default (match-any)
       Match: any
-      Drop
+      Drop (default action)
 packets, 0 bytes
 </code>
+<note important>
+The port for webserver is a nonstandard one, so the router will not know about it. Make sure to have the PAM from CBAC here.
+</note>
 However, this does not limit the number of tcp sessions opened. Using a session-filter, we can block more than X sessions opened (X=4 in this case, as it was for CBAC):
 <code>
-CISCO_7200(config)#parameter-map type inspect TCP-SYN-LIMIT
+cisco_7200(config)#parameter-map type inspect TCP-SYN-LIMIT
-CISCO_7200(config-profile)#tcp max-incomplete host 4 block-time 1
+cisco_7200(config-profile)#tcp max-incomplete host 4 block-time 1
 </code>
 Modify the policy-map to use inspect TCP-SYN-LIMIT:
 <code>
-CISCO_7200(config)#policy-map type inspect HTTP-ONLY-PMAP
+cisco_7200(config)#policy-map type inspect HTTP-ONLY-PMAP
-CISCO_7200(config-pmap)#class HTTP-ONLY-CMAP
+cisco_7200(config-pmap)#class HTTP-ONLY-CMAP
-CISCO_7200(config-pmap-c)#inspect TCP-SYN-LIMIT
+cisco_7200(config-pmap-c)#inspect TCP-SYN-LIMIT
 </code>
 After this, we can start our DoS attack on KaliVM (now becomes again Trudy):
 <code>
-root@KaliVM:# hping3 -n -c 10 -w 64 -S -p 80 10.20.20.2
+root@kali:~# hping3 -n -c 10 -w 64 -S -p 8080 1.1.1.2
-HPING 10.20.20.2 (eth0 10.20.20.2): S set, 40 headers + 0 data bytes
+HPING 1.1.1.2 (eth0 1.1.1.2): S set, 40 headers + 0 data bytes
-len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=31.6 ms
+len=44 ip=1.1.1.2 ttl=63 DF id=0 sport=8080 flags=SA seq=0 win=64240 rtt=20.3 ms
-len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=14.9 ms
+len=44 ip=1.1.1.2 ttl=63 DF id=0 sport=8080 flags=SA seq=1 win=64240 rtt=20.0 ms
-len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=22.8 ms
+len=44 ip=1.1.1.2 ttl=63 DF id=0 sport=8080 flags=SA seq=2 win=64240 rtt=19.7 ms
-len=46 ip=10.20.20.2 ttl=63 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=21.9 ms
+len=44 ip=1.1.1.2 ttl=63 DF id=0 sport=8080 flags=SA seq=3 win=64240 rtt=19.6 ms
---- 10.20.20.2 hping statistic ---
+--- 1.1.1.2 hping statistic ---
 packets transmitted, 4 packets received, 60% packet loss
+round-trip min/avg/max = 19.6/19.9/20.3 ms
 </code>
 Also, on router we can see some logs generated:
 <code>
-CISCO_7200(config-pmap-c)#
+cisco_7200(config-pmap-c)#
-*Oct  8 22:24:35.163: %FW-4-HOST_TCP_ALERT_ON: (target:class)-(PUBLIC-TO-DMZ:HTTP-ONLY-CMAP):Max tcp half-open connections (4) exceeded for host 10.20.20.2
+*Oct 30 17:26:44.707: %FW-4-HOST_TCP_ALERT_ON: (target:class)-(VISITOR-TO-DMZ:HTTP-ONLY-CMAP):Max tcp half-open connections (4) exceeded for host 1.1.1.2.
-CISCO_7200(config-pmap-c)#
+*Oct 30 17:26:44.711: %FW-2-BLOCK_HOST: (target:class)-(VISITOR-TO-DMZ:HTTP-ONLY-CMAP):Blocking new TCP connections to host 1.1.1.2 for 1 minute (half-open count 4 exceeded).
-*Oct  8 22:24:35.167: %FW-2-BLOCK_HOST: (target:class)-(PUBLIC-TO-DMZ:HTTP-ONLY-CMAP):Blocking new TCP connections to host 10.20.20.2 for 1 minute (half-open count 4 exceeded).
-CISCO_7200(config-pmap-c)#
 </code>
+<note>
+Suppose we have in VISITOR area another user. After sending a DoS attack for kali to server, the access to host is blocked so no other users can access it (kali and the other one).
+</note>
 ==== Exercies ====
-=== 1. [2p] Let's sit and watch the attack ===
+=== e1. [2p] Let's sit and watch the attack ===
 For TCP intercept, change the mode to **watch**, high value for threshold to 100 and low to 10. Keep the list TCP_INTERCEPT.
@@ Line 456: / Line 519: @@
 </note>
-=== 2. [2p] There is still hope ===
+=== e2. [2p] There is still hope ===
 The server opened again port 4444 for chatting. Client1 wants to use it, but the attacker wants to initiate another SYN attack.
@@ Line 469: / Line 532: @@
 </code>
-Open the connection (before all entries expire - in 15 secs) from client1, send some messages and check the connection from router:
+Open the connection (before all entries expire - in 30 secs) from client1, send some messages and check the connection from router:
 <code>
 cisco_7200#sh tcp intercept connections
@@ Line 483: / Line 546: @@
 From server, check if it received client1's messages.
-=== 3. [2p] SSH sessions ===
+<note>
+This IOS version is a bit buggy, as the timeout has firstly the default value to 0, then after some seconds (see the create time), is [15 seconds - create_time]. Then, after those 15 seconds passed, it is assigned with 15 seconds, so the total time is 30 seconds for keeping a connection.
+</note>
-=== 4. [2p] TODO ===
+=== e3. [2p] Back to business ===
+As seen above on CBAC - part 3, we can modify also the maximum number of half-open connections for TCP and add a block-time (in minutes). Configure value 5 for host and block-time 1, 2 minutes.
+From attacker, start 10 connections:
+<code>
+root@kali:~# hping3 -n -c 10 -w 64 -S -p 8080 1.1.1.2
+</code>
+See how from packet 6, all are dropped and the router generates an alert (Max tcp half-open connections (4) exceeded for host 1.1.1.2.).
+Try now to acces from kali browser the website - does it work?
+Do the same thing for client1.
+Wait until timeout expires. Access again the website from kali and client1.
+=== e4. [2p] Not this time  ===
+In the previous exercise, we saw that after the maximum value of half-open connections is reached, the resources can no longer be accessed, even by the valid clients. After cheking some logs, we identified the attacker's ip and interface and decided to block his access.
+Remember that at part 4 on CBAC, we create a PAM for port 8080 for http.
+We need now to create an urlfilter using:
+<code>
+cisco_7200(config)#ip urlfilter exclusive-domain deny 1.1.1.2
+cisco_7200(config)#ip urlfilter allow-mode off
+</code>
+Then create a new inspection rule for http with urlfilter, add it to the required interface and direction (in/out), then generate GET requests from each machine - client1 and kali. You should find:
+<code>
+root@kali:~# curl 1.1.1.2:8080
+<html>
+<head>
+<title>Forbidden</title></head>
+<body bgcolor="#ffffff">
+<center><h1><font color="#ff0000">HTTP Error 403 - Forbidden</font></h1>
+<b>You do not have permission to access the document or program you requested.
+</b></center>
+</body></html>
+eve@client1:~/Desktop$ curl 1.1.1.2:8080
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
+<title>Directory listing for /</title>
+<body>
+<h2>Directory listing for /</h2>
+[...]
+</code>
-=== 5. [2p] TODO ===
+=== e5. [2p] Extra ZBF ===
+Do task t4 from [[https://ocw.cs.pub.ro/courses/sred/laborator_2._cbac_and_zbf#extra_zbf|Extra ZBF]].