Differences
This shows you the differences between two versions of the page.
|
sred:laborator_2._cbac_and_zbf [2021/11/05 16:03] horia.stoenescu [Exercies] |
sred:laborator_2._cbac_and_zbf [2022/10/30 20:53] (current) horia.stoenescu Added pointers for exercises |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| === Story === | === Story === | ||
| In our basic topology scenario, due to small budget our company still uses the old Cisco equipment for routing and filtering, but this time the second branch closed and added instead a visitor network (may be used by people that come at interview). After seeing some attacks done in our internal network like DoS, we decided to test different approaches: started with TCP intercept, continuing with CBAC and in the end implemented successfully a better security solution - zone based firewall (ZBF). | In our basic topology scenario, due to small budget our company still uses the old Cisco equipment for routing and filtering, but this time the second branch closed and added instead a visitor network (may be used by people that come at interview). After seeing some attacks done in our internal network like DoS, we decided to test different approaches: started with TCP intercept, continuing with CBAC and in the end implemented successfully a better security solution - zone based firewall (ZBF). | ||
| + | |||
| + | <note tip> | ||
| + | [[https://curs.upb.ro/2022/pluginfile.php/346995/mod_resource/content/1/sred_lab2_stateful_firewall_updated.pdf|Here]] you can find the presentation for lab2. There are made comparisons between each feature and what is the road from simple ACLs to a basic firewall solution. | ||
| + | </note> | ||
| === Local host prerequisites === | === Local host prerequisites === | ||
| Line 164: | Line 168: | ||
| <note> | <note> | ||
| Check [[http://www.employees.org/univercd/Feb-1998/CiscoCD/cc/td/doc/product/software/ios112/intercpt.htm#xtocid2436922|here]] for a full documentation regarding TCP intercept. | Check [[http://www.employees.org/univercd/Feb-1998/CiscoCD/cc/td/doc/product/software/ios112/intercpt.htm#xtocid2436922|here]] for a full documentation regarding TCP intercept. | ||
| + | </note> | ||
| + | |||
| + | <note important> | ||
| + | Before continuing with CBAC and ZBF, head to [[https://ocw.cs.pub.ro/courses/sred/laborator_2._cbac_and_zbf#exercies|exercises]] section and solve e1 and e2. | ||
| </note> | </note> | ||
| === t2. CBAC === | === t2. CBAC === | ||
| <note important> | <note important> | ||
| - | Before continuing with CBAC, make sure to delete old tcp intercept configuration: | + | Before starting with CBAC, make sure to delete old tcp intercept configuration: |
| <code> | <code> | ||
| cisco_7200(config)#no ip tcp intercept list | cisco_7200(config)#no ip tcp intercept list | ||
| Line 178: | Line 186: | ||
| CBAC stands for **Context-Based Access Control** and represents a feature of Cisco products that is used for verifying protocol of application layer and dynamic modification of firewall rules that are based on it. | CBAC stands for **Context-Based Access Control** and represents a feature of Cisco products that is used for verifying protocol of application layer and dynamic modification of firewall rules that are based on it. | ||
| - | Using this feature, the number of connections opened by outside machines can be limited (to stop a DoS attack). This task proposes to create a CBAC rule that is used for monitoring TCP connections and added on outbound interface to UbuntuVM (traffic to that machine). | + | Using this feature, the number of connections opened by outside machines can be limited (to stop a DoS attack). This task proposes to create a CBAC rule that is used for monitoring TCP connections and added on outbound interface to server (traffic to that machine). |
| It provides 4 main functions: | It provides 4 main functions: | ||
| Line 249: | Line 257: | ||
| <note> | <note> | ||
| If you want to learn more about CBAC, I recommend you this [[http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+9.+Context-Based+Access+Control/|documentation]]. | If you want to learn more about CBAC, I recommend you this [[http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+9.+Context-Based+Access+Control/|documentation]]. | ||
| + | </note> | ||
| + | |||
| + | <note important> | ||
| + | Before continuing with the last feature, ZBF, head to [[https://ocw.cs.pub.ro/courses/sred/laborator_2._cbac_and_zbf#exercies|exercises]] section and solve e3 and e4. | ||
| </note> | </note> | ||
| Line 405: | Line 417: | ||
| cisco_7200(config-pmap)#class HTTP-ONLY-CMAP | cisco_7200(config-pmap)#class HTTP-ONLY-CMAP | ||
| cisco_7200(config-pmap-c)#inspect | cisco_7200(config-pmap-c)#inspect | ||
| + | </code> | ||
| + | |||
| + | Remove the old policy-map from zone-pair VISITOR-TO-DMZ (1 can be attached per pair): | ||
| + | <code> | ||
| + | cisco_7200(config)#zone-pair security VISITOR-TO-DMZ | ||
| + | cisco_7200(config)#no service-policy type inspect VISITOR-TO-DMZ-PMAP | ||
| </code> | </code> | ||
| Line 481: | Line 499: | ||
| *Oct 30 17:26:44.711: %FW-2-BLOCK_HOST: (target:class)-(VISITOR-TO-DMZ:HTTP-ONLY-CMAP):Blocking new TCP connections to host 1.1.1.2 for 1 minute (half-open count 4 exceeded). | *Oct 30 17:26:44.711: %FW-2-BLOCK_HOST: (target:class)-(VISITOR-TO-DMZ:HTTP-ONLY-CMAP):Blocking new TCP connections to host 1.1.1.2 for 1 minute (half-open count 4 exceeded). | ||
| </code> | </code> | ||
| + | |||
| + | <note> | ||
| + | Suppose we have in VISITOR area another user. After sending a DoS attack for kali to server, the access to host is blocked so no other users can access it (kali and the other one). | ||
| + | </note> | ||
| ==== Exercies ==== | ==== Exercies ==== | ||
