Show page

Differences

This shows you the differences between two versions of the page.

--- sred:laborator_2._cbac_and_zbf [2021/11/05 13:09]
horia.stoenescu [Exercies]
+++ sred:laborator_2._cbac_and_zbf [2022/10/30 20:53] (current)
horia.stoenescu Added pointers for exercises
@@ Line 5: / Line 5: @@
 === Story ===
 In our basic topology scenario, due to small budget our company still uses the old Cisco equipment for routing and filtering, but this time the second branch closed and added instead a visitor network (may be used by people that come at interview). After seeing some attacks done in our internal network like DoS, we decided to test different approaches: started with TCP intercept, continuing with CBAC and in the end implemented successfully a better security solution - zone based firewall (ZBF).
+<note tip>
+[[https://curs.upb.ro/2022/pluginfile.php/346995/mod_resource/content/1/sred_lab2_stateful_firewall_updated.pdf|Here]] you can find the presentation for lab2. There are made comparisons between each feature and what is the road from simple ACLs to a basic firewall solution.
+</note>
 === Local host prerequisites ===
@@ Line 56: / Line 60: @@
 - **watch**: the disadvantage of intercept is that most of the times the router does this mitm for fair clients and adds overhead. A solution can be watch mode, which is a reactive approach that is monitoring connections, keeping track of half-open ones. Again, after a timeout (default 30 seconds) if a connection is not completed, the router sends a RST to server to remove it. This will remove all unwanted incompleted connections and allows legitimate ones to complete.
+If the high threshold value is exceeded, then the timeout is reduced by half (in default case, to 15 seconds). The connections have the state SYNSENT at start, then if the server responds with SYN-ACK the state is changed to SYNRCVD and firewall is waiting for client to send the ACK in order to finish the 3-way handshake.
 In this lab, we will use [[https://linux.die.net/man/8/hping3|hping3]] to simulate the attack. On server machine we have SimpleHTTPServer up and running on port 8080.
@@ Line 138: / Line 144: @@
 *Oct 29 02:30:54.195: %TCP-6-INTERCEPT: calming down, count (0/900) 1 min 0
 </code>
+Example state watch-mode (with only 1 SYN packet sent from kali):
+<code>
+# attacker sends 1 SYN packet to server on port 8080
+root@kali:# hping3 -n -c 1 -d 120 -S -w 64 -p 8080 1.1.1.2
+# at start, the connection is saved with SYNSENT
+Router#sh tcp intercept connections
+Incomplete:
+Client                Server                State    Create   Timeout  Mode
+.3.3.2:14482         1.1.1.2:8080          SYNSENT  00:00:00 00:00:30 W
+# then, the server responds with SYN+ACK and the connection is updated
+Router#sh tcp intercept connections
+Incomplete:
+Client                Server                State    Create   Timeout  Mode
+.3.3.2:1626          1.1.1.2:8080          SYNRCVD  00:00:03 00:00:26 W
+# at last, after the timeout, the connection is removed and a RST is sent to server
+Router#sh tcp intercept connections
+Incomplete:
+Client                Server                State    Create   Timeout  Mode
+</code>
+<note>
+Check [[http://www.employees.org/univercd/Feb-1998/CiscoCD/cc/td/doc/product/software/ios112/intercpt.htm#xtocid2436922|here]] for a full documentation regarding TCP intercept.
+</note>
+<note important>
+Before continuing with CBAC and ZBF, head to [[https://ocw.cs.pub.ro/courses/sred/laborator_2._cbac_and_zbf#exercies|exercises]] section and solve e1 and e2.
+</note>
 === t2. CBAC ===
 <note important>
-Before continuing with CBAC, make sure to delete old tcp intercept configuration:
+Before starting with CBAC, make sure to delete old tcp intercept configuration:
 <code>
 cisco_7200(config)#no ip tcp intercept list
@@ Line 151: / Line 186: @@
 CBAC stands for **Context-Based Access Control** and represents a feature of Cisco products that is used for verifying protocol of application layer and dynamic modification of firewall rules that are based on it.
-Using this feature, the number of connections opened by outside machines can be limited (to stop a DoS attack). This task proposes to create a CBAC rule that is used for monitoring TCP connections and added on outbound interface to UbuntuVM (traffic to that machine).
+Using this feature, the number of connections opened by outside machines can be limited (to stop a DoS attack). This task proposes to create a CBAC rule that is used for monitoring TCP connections and added on outbound interface to server (traffic to that machine).
 It provides 4 main functions:
@@ Line 222: / Line 257: @@
 <note>
 If you want to learn more about CBAC, I recommend you this [[http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+9.+Context-Based+Access+Control/|documentation]].
+</note>
+<note important>
+Before continuing with the last feature, ZBF, head to [[https://ocw.cs.pub.ro/courses/sred/laborator_2._cbac_and_zbf#exercies|exercises]] section and solve e3 and e4.
 </note>
@@ Line 378: / Line 417: @@
 cisco_7200(config-pmap)#class HTTP-ONLY-CMAP
 cisco_7200(config-pmap-c)#inspect
+</code>
+Remove the old policy-map from zone-pair VISITOR-TO-DMZ (1 can be attached per pair):
+<code>
+cisco_7200(config)#zone-pair security VISITOR-TO-DMZ
+cisco_7200(config)#no service-policy type inspect VISITOR-TO-DMZ-PMAP
 </code>
@@ Line 454: / Line 499: @@
 *Oct 30 17:26:44.711: %FW-2-BLOCK_HOST: (target:class)-(VISITOR-TO-DMZ:HTTP-ONLY-CMAP):Blocking new TCP connections to host 1.1.1.2 for 1 minute (half-open count 4 exceeded).
 </code>
+<note>
+Suppose we have in VISITOR area another user. After sending a DoS attack for kali to server, the access to host is blocked so no other users can access it (kali and the other one).
+</note>
 ==== Exercies ====