CBAC inspection rules specify which
application layer protocols of the IP traffic will be inspected by
CBAC at an interface. Normally, you define only one inspection rule.
The only exception might occur if you want to enable CBAC in two
directions, as described earlier in this chapter. For CBAC
configured in both directions at a single firewall interface, you
should configure two rules, one for each direction.
An inspection rule should specify
each desired application layer protocol as well as generic TCP or
generic UDP, if desired. The inspection rule consists of a series of
statements, each listing a protocol and specifying the same
inspection rule name. Inspection rules include options for
controlling alert and audit trail messages and for checking IP
packet fragmentation. The following sections describe how to define
an inspection rule.
Configuring Application Layer Protocol Inspection
To configure CBAC inspection for an application layer protocol
(except for RPC and Java), use the following command syntax (Figure ):
Router(config)#ip inspect name inspection-name protocol [timeout seconds]
The protocol option can be any one of
several possible arguments, listed in Figure .
Repeat this command for each desired protocol. Use the same inspection-name
to create a single inspection rule, as shown:
RTA(config)#ip inspect name FIREWALL http
RTA(config)#ip inspect name FIREWALL ftp
RTA(config)#ip inspect name FIREWALL udp
RTA(config)#interface s0
RTA(config-if)#ip inspect FIREWALL out
These commands create a CBAC inspection rule named FIREWALL and apply
it to traffic leaving interface S0. RTA inspects that outbound traffic,
records each session in its state table, and creates temporary access
list entries that allow the matching return traffic back in through
the firewall, but only while it belongs to a session started by an
internal host. Those temporary entries are openings in the extended
access list applied inbound on S0; CBAC does not block anything by
itself, so an inbound access list that denies the return traffic must
be in place for the inspection rule to have any effect.
How is this CBAC configuration different from a reflexive access list?
In the above, CBAC is configured to inspect FTP, which a reflexive
access list cannot handle properly because the FTP data connection uses
a port negotiated on the control channel rather than a mirror of the
outgoing packet. Likewise, UDP conversations that use multiple ports
are fully supported by CBAC, whereas a reflexive access list only
admits packets that exactly mirror an outgoing packet and so cannot
follow a conversation once the outside host changes ports.
The syntax for configuring CBAC inspection for Java is as follows.
Like every ip inspect name statement it is entered in global
configuration mode, not interface configuration mode, and the
java-list argument names a numbered standard access list:
Router(config)#ip inspect name inspection-name http [java-list access-list] [timeout seconds]
Java applets can represent a security
risk because unaware users can download them into your network and
then run malicious code behind your firewall. You can configure CBAC
to filter Java applets at the firewall, which enables users to
download only applets residing within the firewall and trusted
applets from outside the firewall.
Java applet filtering distinguishes
between trusted and untrusted applets by relying on a list of
external sites that you designate as "friendly." If an
applet is from a friendly site, the firewall allows the applet
through. If the applet is not from a friendly site, the applet is
blocked. (Alternately, you could permit applets from all external
sites except for those that you specifically designate as hostile.)
To block Java applets from sites known to be a risk, but to permit all
others, you can use a configuration similar to this:
RTA(config)#access-list 24 deny 200.100.50.0 0.0.0.255
RTA(config)#access-list 24 deny 169.199.0.0 0.0.255.255
RTA(config)#access-list 24 permit any
RTA(config)#ip inspect name FIREWALL http java-list 24
RTA(config)#ip inspect name FIREWALL tcp
RTA(config)#interface s0
RTA(config-if)#ip inspect FIREWALL out
With this configuration, RTA inspects HTTP traffic for Java applets and
checks the address each applet comes from against access list 24:
applets from the two explicitly denied networks are blocked, and
applets from every other address are allowed through. The permit any
statement is what makes this a deny list, and a deny list protects you
only from the sites you already know about; the thousands of other
sites that may serve malicious Java code are all permitted. If you are
willing to sacrifice functionality and end-user freedom, reverse the
approach: write an access list that explicitly permits Java from
friendly networks only, and let the implicit deny at the end of the
list block code from all others. The result is a secure but highly
restrictive configuration.
Note: CBAC does not detect
or block encapsulated Java applets. Therefore, Java applets that
are wrapped or encapsulated, such as applets in .zip or .jar
format, are not blocked at the firewall. CBAC also does not
detect or block applets loaded from FTP, gopher, HTTP on a
nonstandard port, and certain other applications.
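The two policies above (deny known-hostile networks and permit everything else, or permit friendly networks and let everything else fall to the implicit deny) differ only in how the standard access list named by java-list is written. The following Python model is an added example, not Cisco code: it parses standard access list statements, applies the IOS first-match and wildcard-mask rules, and reports whether CBAC would let an applet through. Access list 24 is the one from the text; access list 25, the "friendly" network 192.0.2.0/24 and the applet source addresses are constructed for the example.

```python
"""Model of the standard access list that CBAC consults for java-list
(added example, not Cisco code).  IOS evaluates a standard ACL top-down,
stops at the first matching statement, and denies anything that matches
no statement (the implicit deny).  Access list 24 is the one from the
text; access list 25, the 'friendly' network 192.0.2.0/24 and the applet
source addresses are constructed for the example.
"""
import ipaddress


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} {any | host A | A wildcard}' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if (len(parts) < 4 or parts[0] != "access-list"
                or parts[2] not in ("permit", "deny")):
            raise ValueError(f"not a standard ACL statement: {line!r}")
        permit = parts[2] == "permit"
        if parts[3] == "any":
            network, wildcard = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            network, wildcard = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            network = int(ipaddress.IPv4Address(parts[3]))
            # A missing wildcard means 0.0.0.0, i.e. match the single host.
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((permit, network, wildcard))
    return entries


def acl_permits(entries, source_ip):
    """First match wins; no match falls through to the implicit deny."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for permit, network, wildcard in entries:
        # A 1 bit in the wildcard mask means 'don't care' for that bit.
        care = ~wildcard & 0xFFFFFFFF
        if (ip & care) == (network & care):
            return permit
    return False  # implicit deny at the end of every IOS access list


def java_applet_allowed(acl_lines, applet_source_ip):
    """CBAC admits the applet only if the java-list permits its source address."""
    return acl_permits(parse_standard_acl(acl_lines), applet_source_ip)


# Deny list from the text: block two known-hostile networks, permit all else.
DENY_LIST_ACL = [
    "access-list 24 deny 200.100.50.0 0.0.0.255",
    "access-list 24 deny 169.199.0.0 0.0.255.255",
    "access-list 24 permit any",
]

# Allow list (constructed): permit one friendly network; the implicit deny
# blocks every other source because there is no 'permit any'.
ALLOW_LIST_ACL = [
    "access-list 25 permit 192.0.2.0 0.0.0.255",
]


if __name__ == "__main__":
    for src in ("200.100.50.7", "169.199.12.34", "192.0.2.10", "203.0.113.9"):
        print(f"{src:15} deny-list: {java_applet_allowed(DENY_LIST_ACL, src)!s:5} "
              f"allow-list: {java_applet_allowed(ALLOW_LIST_ACL, src)}")
```

Running it shows the trade-off the text describes: under the deny list only the two listed networks are refused and an applet from 203.0.113.9 is admitted, while under the allow list the same applet is refused by the implicit deny, not by any statement you wrote.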
Configuring Generic TCP and UDP Inspection
You can configure TCP and UDP inspection to permit TCP and UDP
packets to enter the internal network through the firewall, even if
the application layer protocol is not configured to be inspected.
However, TCP and UDP inspection do not recognize
application-specific commands and therefore might not permit all
return packets for an application. This is particularly true if the
return packets have a different port number than the previous
exiting packet.
Any application layer protocol that
is inspected will take precedence over the TCP or UDP packet
inspection. For example, if inspection is configured for FTP, all
control channel information will be recorded in the state table. In
addition, if the control channel information is valid for the state
of the FTP session, all FTP traffic will be permitted back through
the firewall. The fact that TCP inspection is configured is irrelevant to
the FTP state information.
With TCP and UDP inspection, packets
entering the network must exactly match the corresponding packet
that previously exited the network. The entering packets must have
the same source/destination addresses and source/destination port
numbers as the exiting packet (but reversed). Otherwise, the
entering packets will be blocked at the interface.
With UDP inspection configured, replies will be permitted back in
through the firewall only if they are received within a configurable
time after the last request was sent out. (This time is configured
with the ip inspect udp idle-time command.) To configure CBAC
inspection for TCP or UDP packets, use the following commands:
RTA(config)#ip inspect name FIREWALL tcp
RTA(config)#ip inspect name FIREWALL udp
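To make the rules of this section concrete (an entering packet must exactly mirror the exiting one, a UDP entry lapses after the idle time, and application layer inspection takes precedence over generic TCP inspection), and to show why the FTP case from the reflexive access list comparison earlier in this section needs application inspection, here is an added Python model of the CBAC state table. It is not Cisco code and simplifies CBAC heavily (no TCP handshake tracking, no timeouts other than the UDP idle time); the hosts, ports, timestamps and the FTP PORT command are constructed for the example.

```python
"""Simplified model of CBAC session tracking (added example, not Cisco code).

It reproduces three behaviours described in the text:
  * a generic TCP/UDP session entry admits only the exact reverse of the
    outbound packet that created it (addresses and ports swapped);
  * a UDP entry is discarded once 'ip inspect udp idle-time' seconds pass
    without traffic;
  * application-layer inspection of FTP reads the PORT command on the
    control channel and admits the server's active-mode data connection,
    which generic TCP inspection alone would drop.
Hosts, ports, timestamps and payloads below are constructed for the example.
"""
import re
from collections import namedtuple

# A packet as seen at the firewall interface: protocol, source/destination
# address and port, and (for the FTP control channel) the payload text.
Packet = namedtuple("Packet", "proto src sport dst dport payload")

# Active-mode FTP PORT command: "PORT h1,h2,h3,h4,p1,p2".
_PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class Cbac:
    def __init__(self, inspect_ftp=True, udp_idle_time=30):
        self.inspect_ftp = inspect_ftp
        self.udp_idle_time = udp_idle_time
        # State table keyed by the outbound 5-tuple; the value is the time
        # a packet of that session was last seen.
        self.sessions = {}

    def outbound(self, pkt, now):
        """Record an exiting packet and, for FTP, any data channel it announces."""
        self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        # Application-layer inspection takes precedence over generic TCP
        # inspection: for FTP, parse the control channel and pre-authorise the
        # server's connection from port 20 to the port the client advertised.
        if self.inspect_ftp and pkt.proto == "tcp" and pkt.dport == 21:
            m = _PORT_RE.match(pkt.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                client_ip = f"{h1}.{h2}.{h3}.{h4}"
                data_port = p1 * 256 + p2
                # Stored in outbound orientation so inbound() matches the reverse.
                self.sessions[("tcp", client_ip, data_port, pkt.dst, 20)] = now

    def inbound(self, pkt, now):
        """Return True if the entering packet is admitted through the firewall."""
        # Generic inspection: the entering packet must exactly mirror the
        # exiting one, so look up the 5-tuple with both ends swapped.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last_seen = self.sessions.get(key)
        if last_seen is None:
            return False
        if pkt.proto == "udp" and now - last_seen > self.udp_idle_time:
            del self.sessions[key]  # idle UDP entry has expired
            return False
        self.sessions[key] = now
        return True


def demo():
    """Run the scenarios from the text and return what the firewall decided."""
    inside, outside = "10.1.1.5", "192.0.2.80"
    fw = Cbac(inspect_ftp=True, udp_idle_time=30)
    results = {}

    # UDP (DNS) query out; reply from the same server port within the idle time.
    fw.outbound(Packet("udp", inside, 40000, outside, 53, ""), now=0)
    results["dns_reply"] = fw.inbound(Packet("udp", outside, 53, inside, 40000, ""), now=5)
    # A reply from a different server port is not the exact reverse: dropped.
    results["dns_reply_other_port"] = fw.inbound(Packet("udp", outside, 5353, inside, 40000, ""), now=6)
    # Same exchange, but the reply arrives after the UDP idle time: dropped.
    fw.outbound(Packet("udp", inside, 40001, outside, 53, ""), now=10)
    results["dns_reply_late"] = fw.inbound(Packet("udp", outside, 53, inside, 40001, ""), now=50)

    # Active-mode FTP: the client announces port 195*256+88 = 50008 on the
    # control channel; the server then connects from port 20 to that port.
    port_cmd = Packet("tcp", inside, 49200, outside, 21, "PORT 10,1,1,5,195,88\r\n")
    data_conn = Packet("tcp", outside, 20, inside, 50008, "")
    fw.outbound(port_cmd, now=20)
    results["ftp_data_with_ftp_inspection"] = fw.inbound(data_conn, now=21)

    # The same exchange through a firewall doing only generic TCP inspection.
    generic = Cbac(inspect_ftp=False)
    generic.outbound(port_cmd, now=20)
    results["ftp_data_generic_tcp_only"] = generic.inbound(data_conn, now=21)
    return results


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name:32} {'permitted' if admitted else 'dropped'}")
```

The last two results are the point of configuring ftp in the inspection rule rather than relying on tcp alone: the server's data connection arrives from port 20 to a port the client chose, so it is not the reverse of any packet that left, and only the FTP-aware inspection that read the PORT command knows to admit it.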
Applying the Inspection Rule to an Interface
After you define an inspection rule, you apply that rule to an
interface. Normally, you apply only one inspection rule to one
interface. The only exception might occur if you want to enable CBAC
in two directions. For CBAC configured in both directions at a
single firewall interface, you should apply two rules, one for each
direction.
To apply an inspection rule to an interface, use the following syntax:
Router(config-if)#ip inspect inspection-name {in | out}
The following example shows the
commands needed to configure RTA to use the inspection list,
FIREWALL, on traffic traveling out E0 into a protected network.
RTA(config)#interface ethernet 0
RTA(config-if)#ip inspect FIREWALL out