Monday, April 29, 2013

Lab 222 - Zone-Based Firewall Part 1

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
Consider R1 as the edge router. Its interface Fa0/0 is the OUTSIDE interface and Se0/0 is the INSIDE interface. Configure a firewall on R1 using the following rules:
  • Allow all traffic from INSIDE to OUTSIDE
  • Allow only SSH traffic from OUTSIDE to R1's address 192.0.2.1
  • Allow the BGP protocol between R1 and BB3 (to be implemented) and log all other dropped traffic
Use zone-based firewall syntax to accomplish the goal.

Solution

Task 1
Consider R1 as the edge router. Its interface Fa0/0 is the OUTSIDE interface and Se0/0 is the INSIDE interface. Configure a firewall on R1 using the following rules:
  • Allow all traffic from INSIDE to OUTSIDE
  • Allow only SSH traffic from OUTSIDE to R1's address 192.0.2.1
  • Allow the BGP protocol between R1 and BB3 (to be implemented) and log all other dropped traffic
Use zone-based firewall syntax to accomplish the goal.

R1 Config:

! Current routing configuration on R1:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
router eigrp 1
 redistribute static metric 1 1 1 1 1
 network 10.0.1.1 0.0.0.0
 network 172.16.123.1 0.0.0.0
 network 172.16.215.1 0.0.0.0
 no auto-summary
!

!
! Current routing on BB3:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!


Zone-based firewall configuration on R1:

Step 1
Define the zones.

!
zone security INSIDE
zone security OUTSIDE
!


Step 2
Classify the interesting traffic (traffic that is allowed from INSIDE to OUTSIDE).
Classify the traffic exceptions (traffic from OUTSIDE to R1 itself that must be let through: BGP, and SSH to 192.0.2.1).


!
class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all UDP
 match protocol udp
class-map type inspect match-all TCP
 match protocol tcp
!

! Traffic Exceptions
!
ip access-list extended SSH_TO_R1
 permit tcp any host 192.0.2.1 eq 22

!
class-map type inspect match-any OUTSIDE_TO_SELF_EXCEPTIONS
 match protocol bgp
 match access-group name SSH_TO_R1
!



Step 3
Configure policy regarding the interesting traffic.

!
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
 class type inspect TCP
  inspect
 class type inspect UDP
  inspect
 class type inspect ICMP
  inspect
!

!
policy-map type inspect OUTSIDE_TO_SELF_POLICY
 class type inspect OUTSIDE_TO_SELF_EXCEPTIONS
  pass
 class class-default
  drop log
!



Step 4
Configure associations between zones (zone-pairs) and apply the policy maps to them. No OUTSIDE to INSIDE pair is created, so that direction falls under the implicit deny between zones; note that those drops are not logged, and logging them would need an explicit zone-pair with class-default drop log. No self to OUTSIDE pair is needed either: traffic to and from the self zone is permitted unless a zone-pair restricts it, which is what lets R1's BGP and SSH replies out after the stateless pass action.

!
zone-pair security INSIDE_TO_OUTSIDE_PAIRING source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
!

!
zone-pair security OUTSIDE_TO_SELF_PAIRING source OUTSIDE destination self
 service-policy type inspect OUTSIDE_TO_SELF_POLICY
!


Step 5
Assign interfaces to the zones.

!
interface FastEthernet0/0
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.0
 zone-member security OUTSIDE
 speed 100
 full-duplex
!

!
interface Serial0/0
 description INSIDE
 ip address 172.16.123.1 255.255.255.0
 zone-member security INSIDE
 encapsulation frame-relay
 clock rate 2000000
 frame-relay map ip 172.16.123.2 102 broadcast
 no frame-relay inverse-arp
!
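To make the decision logic of the five steps above checkable offline, here is an added example in Python (my own code, not part of the lab and not Cisco IOS code) that models R1's zone-based firewall exactly as configured. The interface names, zones, class-maps, policy-maps and zone-pairs are taken from the steps above; the Flow record, the treatment of match protocol bgp as TCP/179, and the sample addresses (BB3 as 192.0.2.254, the INSIDE neighbour 172.16.123.2) are assumptions. It also encodes two ZBF rules the configuration relies on without stating them: two ordinary zones need a zone-pair or traffic between them is silently dropped, and the self zone is permitted by default in any direction no zone-pair covers.

```python
"""Added example, not from the lab or from Cisco IOS: an offline model of
how R1's zone-based firewall above (Steps 1 to 5) decides a flow's fate."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_iface: str       # entry interface, or "self" for router-originated traffic
    dst_iface: str       # exit interface, or "self" when R1 itself is the target
    proto: str           # "tcp", "udp", "icmp", "gre", ...
    dst_ip: str
    dst_port: int = 0


# Step 5: interface -> zone; the router itself is the built-in zone "self"
ZONE_OF = {"FastEthernet0/0": "OUTSIDE", "Serial0/0": "INSIDE", "self": "self"}


def acl_ssh_to_r1(f):
    """ip access-list extended SSH_TO_R1: permit tcp any host 192.0.2.1 eq 22"""
    return f.proto == "tcp" and f.dst_ip == "192.0.2.1" and f.dst_port == 22


def match_protocol(name, f):
    """'match protocol': tcp/udp/icmp match the transport; bgp is modelled as
    TCP/179 (assumption: the protocol map the router uses for 'bgp')."""
    if name == "bgp":
        return f.proto == "tcp" and f.dst_port == 179
    return f.proto == name


# Step 2: class-maps as predicates.  A match-all with a single line and a
# match-any both reduce to "any listed condition is true".
CLASS_MAPS = {
    "TCP": lambda f: match_protocol("tcp", f),
    "UDP": lambda f: match_protocol("udp", f),
    "ICMP": lambda f: match_protocol("icmp", f),
    "OUTSIDE_TO_SELF_EXCEPTIONS":
        lambda f: match_protocol("bgp", f) or acl_ssh_to_r1(f),
}

# Step 3: policy-maps as (ordered classes, action for class-default)
POLICY_MAPS = {
    "INSIDE_TO_OUTSIDE_POLICY": (
        [("TCP", "inspect"), ("UDP", "inspect"), ("ICMP", "inspect")],
        "drop",                 # class-default not configured: silent drop
    ),
    "OUTSIDE_TO_SELF_POLICY": (
        [("OUTSIDE_TO_SELF_EXCEPTIONS", "pass")],
        "drop log",
    ),
}

# Step 4: zone-pairs, (source zone, destination zone) -> policy-map
ZONE_PAIRS = {
    ("INSIDE", "OUTSIDE"): "INSIDE_TO_OUTSIDE_POLICY",
    ("OUTSIDE", "self"): "OUTSIDE_TO_SELF_POLICY",
}


def evaluate(f: Flow) -> str:
    """Action applied to the first packet of flow f."""
    src, dst = ZONE_OF[f.src_iface], ZONE_OF[f.dst_iface]
    if src == dst:
        return "permit (same zone)"
    policy = ZONE_PAIRS.get((src, dst))
    if policy is None:
        # The self zone is open by default; two ordinary zones are not.
        if "self" in (src, dst):
            return "permit (no zone-pair; self zone is open by default)"
        return "drop (no zone-pair between the zones; not logged)"
    classes, default_action = POLICY_MAPS[policy]
    for cname, action in classes:        # first matching class wins
        if CLASS_MAPS[cname](f):
            return f"{action} ({policy}: class {cname})"
    return f"{default_action} ({policy}: class-default)"


if __name__ == "__main__":
    # constructed flows: 192.0.2.254 is BB3, 172.16.123.2 the INSIDE neighbour
    samples = [
        Flow("Serial0/0", "FastEthernet0/0", "tcp", "192.0.2.254", 80),
        Flow("Serial0/0", "FastEthernet0/0", "gre", "192.0.2.254"),
        Flow("FastEthernet0/0", "self", "tcp", "192.0.2.1", 22),
        Flow("FastEthernet0/0", "self", "tcp", "192.0.2.1", 179),
        Flow("FastEthernet0/0", "self", "tcp", "172.16.123.1", 22),
        Flow("FastEthernet0/0", "Serial0/0", "tcp", "172.16.123.2", 80),
        Flow("self", "FastEthernet0/0", "tcp", "192.0.2.254", 179),
    ]
    for s in samples:
        print(f"{s.src_iface:>16} -> {s.dst_iface:<16} {s.proto}/{s.dst_port:<4} {evaluate(s)}")
```

Two things the model makes visible: a GRE or ESP flow from INSIDE falls through to class-default of INSIDE_TO_OUTSIDE_POLICY and is dropped, because only tcp, udp and icmp are inspected; and a flow from OUTSIDE to INSIDE is dropped without a log entry, since no zone-pair exists for it. The pass action is stateless, so SSH and BGP replies from R1 only get out because the self to OUTSIDE direction has no zone-pair; if one is added later it must permit that return traffic explicitly.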


Verification:
Pic. 2 - Traffic INSIDE_TO_OUTSIDE.
Pic. 3 - Traffic OUTSIDE_TO_INSIDE (BB3_TO_SW1).
Pic. 4 - OUTSIDE_TO_R1 using SSH.

KEEP THE CONFIGURATION FOR THE NEXT LAB!

Thursday, April 25, 2013

Lab 221 - CBAC

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
Consider VLAN 215 as the DMZ in the above topology. Configure basic connectivity between BB3 and the rest of the system. Use R1 as the gateway to the internal domain. You can use default routes to accomplish this.

Task 2
Enable WWW service on R5 (R5's loopback address 10.0.5.5 will imitate the web server). Check the WWW access from BB3 and R2.

Task 3
Configure a firewall that does not rely on TCP idle timers but removes the state of a session once it is properly closed. The firewall rules should be as follows:
  • All traffic OUT (towards BB3) is allowed
  • Traffic towards the DMZ should only allow WWW access (10.0.5.5)
  • Traffic from the DMZ out should be allowed only if it belongs to a WWW session with the server (10.0.5.5)
Solution

Task 1
Consider VLAN 215 as the DMZ in the above topology. Configure basic connectivity between BB3 and the rest of the system. Use R1 as the gateway to the internal domain. You can use default routes to accomplish this.

BB3 Config:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!


R1 Config:
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
router eigrp 1
 redistribute static metric 1 1 1 1 1
 network 10.0.1.1 0.0.0.0
 network 172.16.123.1 0.0.0.0
 network 172.16.215.1 0.0.0.0
 no auto-summary
!


Task 2
Enable WWW service on R5 (R5's loopback address 10.0.5.5 will imitate the web server). Check the WWW access from BB3 and R2.

R5 Config:
!
ip http server
!

Verification:
Pic. 2 - WWW Access from BB3.

Pic. 3 - WWW Access from BB3.


Task 3
Configure a firewall that does not rely on TCP idle timers but removes the state of a session once it is properly closed. The firewall rules should be as follows:
  • All traffic OUT (towards BB3) is allowed
  • Traffic towards the DMZ should only allow WWW access (10.0.5.5)
  • Traffic from the DMZ out should be allowed only if it belongs to a WWW session with the server (10.0.5.5)
Step 1
Configure and apply an ACL on the OUTSIDE interface that blocks all inbound traffic except WWW to 10.0.5.5 (the implicit deny at the end of the ACL drops everything else).

R1 Config:
!
ip access-list extended OUTSIDE_INBOUND
 permit tcp any host 10.0.5.5 eq www
!

interface FastEthernet0/0
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_INBOUND in
 speed 100
 full-duplex

!
interface Serial0/0
 description INSIDE
!

Step 2
Configure inspection rules allowing all traffic out. Apply the rules outbound on the OUTSIDE interface, so that the return traffic of inspected sessions is let back in past OUTSIDE_INBOUND.

R1 Config:
!
ip inspect name ALL_TRAFFIC_OUT tcp
ip inspect name ALL_TRAFFIC_OUT udp
ip inspect name ALL_TRAFFIC_OUT icmp

!
interface FastEthernet0/0
 description OUTSIDE
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_INBOUND in
 ip inspect ALL_TRAFFIC_OUT out
 speed 100
 full-duplex
!


Verification:
Pic. 4 - Traffic OUTSIDE --> OUT.
Pic. 5 - Traffic OUTSIDE --> IN.

Step 3
DMZ configuration: block everything coming from the DMZ except EIGRP, and inspect HTTP leaving towards the DMZ so that only the web server's replies get back out.

R1 Config:
!
ip access-list extended DMZ_INBOUND
 permit eigrp any any
 deny   ip any any

!
ip inspect name HTTP_TRAFFIC http
!

!
interface FastEthernet0/1
 description DMZ
 ip address 172.16.215.1 255.255.255.0
 ip access-group DMZ_INBOUND in
 ip inspect HTTP_TRAFFIC out
 speed 100
 full-duplex
!


Verification:
Both R2 (an inside host address) and BB3 (an outside host address) can reach the WWW server (10.0.5.5). On R1, show ip inspect sessions shows the entries. Pinging does not work: echo requests from BB3 are denied by OUTSIDE_INBOUND, and echo replies from the DMZ are denied by DMZ_INBOUND because only HTTP is inspected on that interface.
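The CBAC behaviour of Steps 1 and 2 on the OUTSIDE interface as one runnable model. This is an added example in Python, not code from the lab or from IOS; Pkt, Cbac and scenario are my names, and the traffic in scenario is constructed (R2 at 172.16.123.2, BB3 at 192.0.2.254, the web server at 10.0.5.5). It shows the order in which return traffic gets past the static inbound ACL, why an unsolicited packet is denied, and why a properly closed TCP session no longer has state, which is the property the task asks for instead of idle timers.

```python
"""Added example, not from the lab or from Cisco IOS: a minimal model of
CBAC as configured on R1's OUTSIDE interface (ip access-group
OUTSIDE_INBOUND in + ip inspect ALL_TRAFFIC_OUT out).

Inbound packets are matched first against the dynamic session table that
outbound inspection fills, then against the static ACL with its implicit
deny. A TCP session leaves the table when it is closed properly (FIN seen
from both sides, or a RST). IOS keeps the entry for a short finwait
interval after the FIN exchange; this model removes it at once."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"      # "tcp", "udp" or "icmp"; icmp uses port 0 on both sides
    flags: str = ""         # subset of "SAFR" for tcp


def acl_outside_inbound(p: Pkt) -> bool:
    """permit tcp any host 10.0.5.5 eq www   (everything else: implicit deny)"""
    return p.proto == "tcp" and p.dst == "10.0.5.5" and p.dport == 80


class Cbac:
    """State kept by 'ip inspect ALL_TRAFFIC_OUT out' on FastEthernet0/0."""

    def __init__(self, inspected=("tcp", "udp", "icmp")):
        self.inspected = set(inspected)
        self.sessions = {}          # session key -> {"fin_out": bool, "fin_in": bool}

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def outbound(self, p: Pkt) -> str:
        """Packet leaving through Fa0/0. There is no outbound ACL, so it is
        always forwarded; inspected protocols get (or update) a session entry."""
        if p.proto not in self.inspected:
            return "forward (not inspected, no return state)"
        k = self._key(p)
        created = k not in self.sessions
        st = self.sessions.setdefault(k, {"fin_out": False, "fin_in": False})
        self._track_close(k, st, p, "fin_out")
        return "forward (session created)" if created else "forward (session exists)"

    def inbound(self, p: Pkt) -> str:
        """Packet arriving on Fa0/0. Dynamic entries are consulted before the
        static ACL, which is how return traffic gets past the implicit deny."""
        rk = (p.proto, p.dst, p.dport, p.src, p.sport)   # reverse of the outbound key
        st = self.sessions.get(rk)
        if st is not None:
            self._track_close(rk, st, p, "fin_in")
            return "permit (return traffic of inspected session)"
        if acl_outside_inbound(p):
            return "permit (static ACL OUTSIDE_INBOUND)"
        return "deny (implicit deny of OUTSIDE_INBOUND)"

    def _track_close(self, key, st, p, side):
        """Remove TCP state on RST, or once both sides have sent FIN."""
        if p.proto != "tcp":
            return
        if "R" in p.flags:
            self.sessions.pop(key, None)
            return
        if "F" in p.flags:
            st[side] = True
        if st["fin_out"] and st["fin_in"]:
            self.sessions.pop(key, None)


def scenario():
    """Constructed traffic between R2 (172.16.123.2), BB3 (192.0.2.254) and
    the DMZ web server 10.0.5.5; returns the firewall's decisions in order."""
    fw = Cbac()
    return [
        fw.inbound(Pkt("192.0.2.254", 40000, "10.0.5.5", 80, flags="S")),      # static ACL permit
        fw.inbound(Pkt("192.0.2.254", 40001, "10.0.5.5", 22, flags="S")),      # implicit deny
        fw.outbound(Pkt("172.16.123.2", 50000, "192.0.2.254", 23, flags="S")),  # state created
        fw.inbound(Pkt("192.0.2.254", 23, "172.16.123.2", 50000, flags="SA")),  # return traffic
        fw.inbound(Pkt("192.0.2.254", 23, "172.16.123.2", 50001, flags="SA")),  # unsolicited: deny
        fw.outbound(Pkt("172.16.123.2", 50000, "192.0.2.254", 23, flags="FA")), # client FIN
        fw.inbound(Pkt("192.0.2.254", 23, "172.16.123.2", 50000, flags="FA")),  # server FIN: state gone
        fw.inbound(Pkt("192.0.2.254", 23, "172.16.123.2", 50000, flags="A")),   # no state any more
        fw.outbound(Pkt("172.16.123.2", 0, "192.0.2.254", 0, proto="icmp")),    # echo request out
        fw.inbound(Pkt("192.0.2.254", 0, "172.16.123.2", 0, proto="icmp")),     # echo reply in
        fw.inbound(Pkt("192.0.2.254", 0, "10.0.5.5", 0, proto="icmp")),         # ping to DMZ: deny
    ]


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

The last three lines of the scenario reproduce the verification result above: a ping started from the inside gets its reply back through the dynamic entry, while a ping from BB3 towards the DMZ hits the implicit deny of OUTSIDE_INBOUND.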

REMOVE CBAC CONFIGURATION BEFORE NEXT LAB!

Wednesday, April 24, 2013

Lab 220 - TCP Intercept

Prerequisites: CCNP level skills.

Topology

Pic 1. Topology Diagram.

Task 1
There are web servers in VLAN 215 which have been attacked using the TCP SYN flood method. The attack comes from networks connected to BB1.

Configure protection against this attack on R3, but ensure that R3 only passively monitors session establishment; it must not act as a TCP proxy.
Ensure that R3 enters aggressive mode (dropping connections) when it reaches 4000 half-open sessions and leaves aggressive mode when the count falls to 3000.
Also ensure that R3 starts resetting sessions when it reaches 400 connection requests per minute, and leaves aggressive mode when the rate falls to 300 per minute.

Solution

Task 1
There are web servers in VLAN 215 which have been attacked using the TCP SYN flood method. The attack comes from networks connected to BB1.

Configure protection against this attack on R3, but ensure that R3 only passively monitors session establishment; it must not act as a TCP proxy.
Ensure that R3 enters aggressive mode (dropping connections) when it reaches 4000 half-open sessions and leaves aggressive mode when the count falls to 3000.
Also ensure that R3 starts resetting sessions when it reaches 400 connection requests per minute, and leaves aggressive mode when the rate falls to 300 per minute.

R3 Config:
!
ip access-list extended WEB_VLAN215
 permit tcp any 172.16.215.0 0.0.0.255 eq www
!

ip tcp intercept list WEB_VLAN215
ip tcp intercept max-incomplete low 3000
ip tcp intercept max-incomplete high 4000
ip tcp intercept one-minute low 300
ip tcp intercept one-minute high 400
ip tcp intercept mode watch

!

Verification:
show tcp intercept connections
show tcp intercept statistics
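To see how the four thresholds above interact, here is an added example in Python (my own, not code from the lab or from IOS) that models the watch-mode logic of TCP intercept. It assumes the behaviour the IOS documentation describes: aggressive mode is entered when either the half-open count exceeds max-incomplete high or the request count of the last minute exceeds one-minute high, and is left only when both are back below their low values; in aggressive mode each new request discards the oldest half-open connection (the default drop-mode); and in watch mode a handshake not completed within the watch timeout (30 seconds by default, halved while aggressive) is reset. The class name, method names and the thresholds being constructor parameters are my choices, so small numbers can be used to exercise the hysteresis.

```python
"""Added example, not from the lab or from Cisco IOS: a model of the
threshold logic behind 'ip tcp intercept' in watch mode on R3."""
from collections import OrderedDict, deque


class TcpIntercept:
    WINDOW = 60.0   # the one-minute sample period, in seconds

    def __init__(self, max_incomplete_high=4000, max_incomplete_low=3000,
                 one_minute_high=400, one_minute_low=300, watch_timeout=30.0):
        self.mi_high, self.mi_low = max_incomplete_high, max_incomplete_low
        self.om_high, self.om_low = one_minute_high, one_minute_low
        self.watch_timeout = watch_timeout
        self.half_open = OrderedDict()   # (client, server) -> SYN time, oldest first
        self.requests = deque()          # SYN timestamps within the last WINDOW seconds
        self.aggressive = False
        self.dropped = 0   # half-open connections discarded in aggressive mode
        self.reset = 0     # half-open connections reset after the watch timeout

    def _housekeeping(self, now):
        # forget connection requests that left the one-minute window
        while self.requests and now - self.requests[0] >= self.WINDOW:
            self.requests.popleft()
        # watch mode: a handshake not completed within the watch timeout is
        # reset by the router; the timeout is halved while aggressive
        limit = self.watch_timeout / 2 if self.aggressive else self.watch_timeout
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= limit:
                del self.half_open[key]
                self.reset += 1
        self._update_mode()

    def _update_mode(self):
        n_half, n_req = len(self.half_open), len(self.requests)
        if not self.aggressive and (n_half > self.mi_high or n_req > self.om_high):
            self.aggressive = True        # either high threshold crossed
        elif self.aggressive and n_half < self.mi_low and n_req < self.om_low:
            self.aggressive = False       # both back below their low values

    def syn(self, client, server, now):
        """A SYN matched by the intercept ACL. Returns the mode afterwards."""
        self._housekeeping(now)
        self.requests.append(now)
        if self.aggressive and self.half_open:
            # drop-mode oldest (the default): each new request evicts the
            # oldest half-open connection
            self.half_open.popitem(last=False)
            self.dropped += 1
        self.half_open[(client, server)] = now
        self._update_mode()
        return self.aggressive

    def established(self, client, server, now):
        """The client's ACK completed the handshake: no longer half-open."""
        self._housekeeping(now)
        self.half_open.pop((client, server), None)
        self._update_mode()
        return self.aggressive

    def tick(self, now):
        """Time passes without traffic; returns the mode afterwards."""
        self._housekeeping(now)
        return self.aggressive


if __name__ == "__main__":
    # the thresholds from R3's configuration; constructed SYNs at 10 per second
    ti = TcpIntercept()
    t = 0.0
    for i in range(4500):
        ti.syn(f"198.51.100.{i % 250}:{40000 + i}", "172.16.215.5:80", t)
        t += 0.1
        if ti.aggressive:
            print(f"aggressive mode entered at t={t:.1f}s, "
                  f"half-open={len(ti.half_open)}, last minute={len(ti.requests)}")
            break
    print(f"reset by watch timeout: {ti.reset}, dropped in aggressive mode: {ti.dropped}")
```

With R3's real numbers the one-minute trigger fires long before 4000 half-open connections accumulate, which is why the lab asks for both pairs of thresholds; the stand-alone run above shows the request-rate trigger winning.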

Friday, April 5, 2013

ReadMe

Dear Blog Readers!

In 2013 my employer has put 'a bit of extra' work on me (this is a euphemism, of course). In addition to that I am involved in a few long-term projects.

These factors, as well as my futile attempt to maintain a family life, leave me no choice but to slow down the work on this blog. I will do my best to create at least two lab challenges a week though.

Due to the aforementioned reasons I have decided to disable the comments until a more 'quiet' time. However, I still find your comments and suggestions invaluable! Only I can't answer them fast enough. Please keep sending me your input, feedback, suggestions, error reports, etc. Only direct them to my mailbox. I will try to answer them as soon as I can.

Thank you very much for visiting my blog. I also send millions of thanks to those who told their friends about this blog or commented on it in discussion groups and forums. I really appreciate that.

Yours Truly,

Jarek Rek