[Chapter 21] 21.3 Example: Cisco Systems Routers as Chokes

Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 21.2 Building Your Own FirewallChapter 21
Firewalls
Next: 21.4 Setting Up the Gate
 

21.3 Example: Cisco Systems Routers as Chokes

Many organizations use high-performance routers both to connect their companies to the Internet and to perform limited packet filtering. Because routers made by Cisco Systems, Inc., are widely used within the Internet community as this book is being written, we decided that a look at the security configuration for a Cisco router might be helpful.

NOTE: Bear in mind that this description is not a definitive reference for configuring Cisco routers, but is intended to demonstrate highlights of how a router is configured as a choke. Further examples of Cisco configurations may be obtained via FTP from ftp://ftp.cisco.com/pub/acl-examples.

Please also note that we do not intend that our inclusion of vendor-specific information for Cisco routers be taken as an endorsement of their routers over any other vendor's products.

Cisco Systems routers run a complicated operating system called Internetwork Operating System (IOS), which is specially tailored to perform high-speed routing. It is a real-time operating system that is not based on UNIX.

IOS maintains a set of internal configuration tables that are associated with the router, each protocol that the router understands, each network interface, and each physical "line" interface. These configuration tables are consulted by the IOS operating system each time a packet is received for routing.

The IOS internal tables are configured from the console when the router is in configuration mode. The current configuration can be extracted from the router using the write command; this command produces a text file of commands that can be stored in the router's nonvolatile memory or saved using a network TFTP server. The router then interprets these commands when it boots as if they were typed on the router's console.

21.3.1 access-list Command: Creating an Access List

IOS uses the access-list command to define the set of IP addresses and protocols with which a particular router will communicate. The access-list command creates an access list; each access list has a unique number. IOS sets aside specific ranges of access-list numbers for specific purposes.

21.3.1.1 access-list: standard form

The standard form of the access-list command for the IP protocol has the form:

access-list access-list-number {deny|permit} source [source-mask]

Where:

access-list-number

Denotes the number of the access list you are defining. For the standard form of the access-list command, the access-list-number must be a decimal integer from 1 though 99.

deny | permit

Specifies whether IP packets matching this access list should be denied (not transmitted) or permitted (transmitted).

source

Specifies the IP address of the host or network from which this packet is being sent. Source must be in the standard form ii.jj.kk.ll.

source-mask

An optional mask that is applied to the source. As with the source, the source-mask is specified in four-part dotted-decimal notation. A 1 in a position indicates that it should be masked (ignored). Thus, 0.0.0.255 means that only the first three octets of the source address will be considered.

If you specify an access-list, IOS will add an implicit rule to deny all packets that do not match the rules that you have provided.

For example, this command would permit all packets from the host 204.17.195.100:

access-list 1 permit 204.17.195.100

This command would deny all packets from the IP subclass C network 198.3.4:

access-list 1 deny 198.3.4.0 0.0.0.255

21.3.1.2 access-list: extended form

The access-list command has an extended form which allows you to make distinctions based on the particular IP protocol and service.[8] In the case of the TCP/IP protocol, you can even create restrictions based on the connection's direction - whether it is outgoing or incoming.

[8] In addition to IP, Cisco routers support many other protocols as well, including AppleTalk and IPX, but we won't discuss them here.

The extended version of the access-list command has syntax that is similar to the standard form; the key difference is that the access-list-number must be in the range 100 to 199, and there are additional parameters:

access-list access-list-number {deny|permit} protocol\
		source source-mask destination destination-mask [established]

Where:

access-list-number

Denotes the number of the access list that you are defining. For the extended form of the access-list command, the access-list-number must be a decimal integer from 100 though 199.

deny | permit

Specifies whether IP packets matching this access list should be denied (not transmitted) or permitted (transmitted).

protocol

Specifies the protocol name or number. Specify ip, tcp, udp, icmp, igmp, gre, igrp, or the IP protocol number (range 0 through 255). Use ip to specify all IP protocols, including TCP, UDP, and ICMP.

source

Specifies the IP address of the host or network from which this packet is being sent; must be in the standard form ii.jj.kk.ll.

source-mask

An optional mask that is applied to the source. As with the source, the source-mask is specified in four-part dotted-decimal notation. A 1 in a position indicates that it should be masked. Thus, 0.0.0.255 means that only the first three octets of the source addresses should be considered.

destination

Specifies the address of the host or network to which this packet is being sent; must be in the standard form ii.jj.kk.ll.

destination-mask

An optional mask that is applied to the destination. As with the source-mask, the destination-mask is specified in four-part dotted-decimal notation, where a 1 in a position indicates that it should be masked.

operator

This optional argument allows you to specify a particular TCP or UDP port, or even a range of ports. Allowable values are described in Table 21.1.

operand

A number, in decimal, used to refer to a specific TCP or UDP port.

Table 21.1: Cisco Operator/Operand Combinations

Operator

Meaning

Example

Result

eq

equal to

eq 23

Selects Telnet port.

gt

greater than

gt 1023

Selects all non-privileged ports.

lt

less than

lt 1024

Selects all privileged ports.

neq

not equal to

neq 25

Selects all protocols other than SMTP.

established

If present, indicates packets for an established connection. This is only applicable to the TCP protocol, and selects for packets that have the ACK or RST bits set. By blocking packets that do not have either the ACK or RST bits set that are traveling into your organization's network, you can block incoming connections while still allowing outgoing connections.

log

If present, causes violations of access lists to be logged via syslog to the specified logging host.

21.3.2 show access-lists Command: Seeing the Current Access Lists

You can use the CIOS show access-lists command to display all of the current access lists. For example:

router>show access-lists
Standard IP access list 1
    permit 204.17.195.0
    permit 199.232.92.0
Extended IP access list 108
    deny   ip 199.232.92.0 0.0.0.255 any
    deny   ip 204.17.195.0 0.0.0.255 any
    permit ip any any (1128372 matches)
router>

In this example, there are two IP access lists: access list #1, which is a standard list, and access list #108, which is an extended list. The standard list permits the transmission of any packet that comes from the IP networks 204.17.195 or 199.232.92; the extended list denies any packet coming from these two networks.

The pair of rules in this example can be used to erect a barrier to IP spoofing for an organization that is connected to the Internet. The organization, with two internal IP networks (204.17.195 and 199.232.92), could apply the first access list to its outbound interface, and the extended list to inbound packets from its serial interface. As a result, any incoming packets that claim to be from the organization's internal network would be rejected.

Be aware that the show access-lists command is normally not a privileged command; anybody who can log into your router can see all of your access lists. You can make it privileged by using the IOS privilege commands added in IOS Version 10.3.

21.3.3 access-class Command: Protecting Virtual Terminals

After you have created one or more access lists, you can use the access-class command to assign the access-control list to a particular Cisco virtual-terminal line. You assign access lists to a particular Cisco interface by using the access-class command. You should use the access-class command to configure your router so that it will reject login attempts from any host outside your organization. You may also wish to configure your router so that it rejects all login attempts from inside your organization as well, with the exception of a specially designed administrative machine.

The access-class command has the following syntax:

access-class access-list-number {in|out}

Where:

access-list-number

Specifies the number of an access list. This must be a number between 1 and 199.

in | out

Specifies whether incoming connections or outgoing connections should be blocked.

You can use this command to prevent people from logging directly onto your router (using one of the vty interfaces) unless they are coming from a specially designated network. For example, to configure your router so that it will only accept logins from the subclass C network 198.3.3, you could use the following sequence of IOS commands:

router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#access-list 12 permit 198.3.3.0 0.0.0.255
router(config)#line vty 0 4
router(config-line)#access-class 12 in
router(config-line)#^Z
router#

21.3.4 ip access-group Command: Protecting IP Interfaces

You can also use access lists to specify packets that should be blocked from crossing an IP interface. For example, if you are using the Cisco interface to create a conventional choke-and-gate interface, and you have a serial connection to an Internet service provider, you can specify that the only IP packets that should be transmitted in from the interface should be those that are destined for the gate machine, and that the only IP packets that should be transmitted out from the serial interface are those that are from your gate.

The command that associates an access list with a particular interface is the access-group command. This is an interface-configuration command, which means that it is typed when the router is in interface-configuration mode.

The access-group command has the following syntax:

ip access-group access-list-number {in | out}

Where:

access-list-number

Specifies the number of an access list. This must be a number between 1 and 199.

in | out

Specifies whether incoming connections or outgoing connections should be blocked.

For example, to configure your serial 0 interface so that it will only send packets to or from a gate computer located at IP address 204.17.100.200, you might configure your router as explained in the following paragraphs.

First, create one access list that selects for packets that have the gate as their source (access list #10) and a second access list that selects for packets that have the gate as their destination (access list #110):

router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#access-list 10 permit 204.17.100.200 0.0.0.0
router(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 
					204.17.100.200 0.0.0.0

Now, assign these access lists to the serial 0 interface:

router(config)#int serial 1
router(config-if)#ip access-group 10 out
router(config-if)#ip access-group 110 in

Remember, use the IOS write command to save the configuration.

21.3.5 accounting access-violations Command: Using IP Accounting

IOS has an IP accounting feature that can track the number of IP packets that are passed by the router and then rejected. You can use this feature to detect whether somebody is trying to bypass your firewall security. If logging is enabled, you will be told the IP address of the attacker and the protocol being used.

To turn on IP accounting to check for access violations on a specific interface use the command:

router(config-if)#ip accounting access-violations


Previous: 21.2 Building Your Own FirewallPractical UNIX & Internet SecurityNext: 21.4 Setting Up the Gate
21.2 Building Your Own FirewallBook Index21.4 Setting Up the Gate