recognize Yahoo! Messenger traffic, Gnutella and
KaZaA file sharing activity, and some applications that can
tunnel other traffic through TCP Port 80 to avoid an otherwise
restrictive firewall. Figures through provide a granular list
in alphabetical order of all the application layer protocols
you can configure the Cisco IOS Firewall to inspect. Refer to the
latest Cisco IOS documentation for the full, current list of
applications that the Cisco IOS Firewall supports.
6.1 Introducing the Cisco IOS Firewall - 6.1.9 Alerts and Audit Trails

Cisco IOS Firewall generates real-time alerts and audit trails
based on events that are tracked by the firewall engine. Figure
describes the features of the Cisco IOS Firewall alerts and
audit trails. Enhanced audit trail features use syslog to track
all network transactions. The audit trail records time stamps,
source host, destination host, ports that are used, and the
total number of transmitted bytes for advanced, session-based
reporting. Real-time alerts send syslog error messages to
central management consoles upon detecting suspicious activity.
Using firewall inspection rules, you can configure alerts and
audit trail information on a per-application protocol basis.
For example, if you want to generate audit trail information
for HTTP traffic, you can specify what information to generate
in the inspection rule that covers HTTP inspection.
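As an added example (not taken from the course material), the following Cisco IOS configuration shows how the audit trail and alert behaviour described above is set globally and then tuned per application protocol inside an inspection rule; it also covers the syslog delivery commands that the later "Set Audit Trails and Alerts" configuration step refers to. The rule name FWRULE, the syslog server address 10.1.1.50, and the protocol choices are assumptions made for the example.

```cisco
! Added example; not from the course page. FWRULE and 10.1.1.50 are
! assumed values.
!
! Deliver syslog to a central management console with timestamps.
! CBAC audit trail records are emitted at severity 6 (informational)
! and alerts at severity 4 (warning), so a trap level of
! informational forwards both.
service timestamps log datetime msec
logging on
logging host 10.1.1.50
logging trap informational
!
! Global defaults: no audit trail records, alerts enabled.
! ("ip inspect audit-trail" would turn on audit trail for every
! inspected session; "ip inspect alert-off" would silence alerts.)
no ip inspect audit-trail
no ip inspect alert-off
!
! Per-protocol overrides inside the inspection rule. Each entry's
! alert/audit-trail keywords take precedence over the global setting
! for that protocol only.
!
! HTTP: session-based audit trail (time stamps, hosts, ports, bytes)
! plus real-time alerts.
ip inspect name FWRULE http alert on audit-trail on
!
! SMTP: alerts only, no audit trail records.
ip inspect name FWRULE smtp alert on audit-trail off
!
! Generic TCP and UDP: inherit the global settings.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
```

With this configuration only HTTP sessions generate the per-session audit trail records, which keeps syslog volume manageable while still producing the detailed reporting for the one protocol the operator wants tracked; alerts for suspicious activity remain on for every inspected protocol.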
6.2 Configuring Cisco IOS Firewall from the CLI - 6.2.1 Configuration Tasks

The main feature of the Cisco IOS Firewall has always been its
stateful inspection. Numerous other features (such as URL
inspection, intrusion detection, and, more recently,
application awareness) have become quite useful, especially for
tasks such as blocking or restricting peer-to-peer traffic and
instant messaging applications. To configure Cisco IOS Firewall
through the CLI, perform the tasks listed in Figure .
6.2 Configuring Cisco IOS Firewall from the CLI - 6.2.2 Pick an Interface: Internal or External

First, you must decide whether to configure Cisco IOS Firewall on an
internal or external router interface:

- If you configure the firewall in two directions, you should
  configure the inspection in one direction first using the
  appropriate internal and external interface designations.
- When you configure the inspection in the second direction, the
  interface designations will be switched.

Figure shows a simple Cisco IOS
Firewall topology configured for the external interface
Serial 1. This prevents specified protocol traffic from
entering the firewall and the internal network, unless the
traffic is part of a session initiated from within the internal
network. The topology in Figure shows a Cisco IOS Firewall
configuration for the internal interface Ethernet 0.
This allows external traffic to access the services in the DMZ,
such as Domain Name System (DNS) services, but prevents
specified protocol traffic from entering your internal
network—unless the traffic is part of a session initiated from
within the internal network.

Note: You can configure the Cisco IOS Firewall in two directions at
one or more interfaces. Configure the firewall in two directions when
the networks on both sides of the firewall require protection, such
as with extranet or intranet configurations, and for protection
against denial of service (DoS) attacks.

6.2 Configuring Cisco IOS Firewall from the CLI - 6.2.3 Configure IP ACLs at the Interface

For Cisco IOS Firewall to work properly, you need
to configure IP ACLs appropriately at the inside, outside, and
DMZ interfaces. An ACL can allow one host to access a part of
your network and prevent another host from accessing the same
area. Use access lists in "firewall" routers that you
position between your internal network and an external network
such as the Internet. You can also use access lists on a router
positioned between two parts of your network, to control
traffic entering or exiting a specific part of your internal
network. In Figure , an ACL allows Host A to access the Human
Resources network, and prevents Host B from accessing the Human
Resources network. To provide the security benefits of access
lists, you should at a minimum configure access lists on border
routers—routers situated at the edges of your networks. This
provides a basic buffer from the outside network, or from a
less controlled area of your own network into a more sensitive
area of your network. On these routers, you should configure
access lists for each network protocol configured on the router
interfaces. You can configure access lists to filter inbound
traffic or outbound traffic or both on an interface. You must
define access lists on a per-protocol basis. In other words,
you should define access lists for every protocol enabled on an
interface if you want to control traffic flow for that
protocol. You can also use ACLs to determine what types of
traffic to forward or block at the router interfaces. For
example, you can permit e-mail traffic and at the same time
block all Telnet traffic. Follow these guidelines, summarized in
Figure , when configuring IP ACLs at the firewall:

- Start with a basic configuration. A basic initial configuration
  allows all network traffic to flow from protected networks to
  unprotected networks while blocking network traffic from any
  unprotected networks.
- Permit traffic the Cisco IOS Firewall is to inspect. For example,
  if the firewall is set to inspect Telnet, then Telnet traffic
  should be permitted on all ACLs that apply to the initial Telnet
  flow.
- Use extended ACLs to filter traffic that enters the router from the
  unprotected networks. For Cisco IOS Firewall to dynamically create
  temporary openings, the ACL for the returning traffic must be an
  extended ACL.

  Note: If your firewall only has two connections, one to the
  internal network and one to the external network, applying ACLs
  inbound on both interfaces works well because packets are stopped
  before they have a chance to affect the router itself.

- Set up antispoofing protection by denying any inbound traffic
  (incoming on the external interface) from a source address that
  matches an address on the protected network. Antispoofing
  protection prevents traffic from an unprotected network from
  assuming the identity of a device on the protected network.
- Deny broadcast messages with a source address of 255.255.255.255.
  This entry helps to prevent broadcast attacks.
- By default, the last entry in an ACL is an implicit denial of all
  IP traffic that is not specifically allowed by other entries in the
  ACL. Optionally, you can add an entry to the ACL that denies IP
  traffic with any source or destination address, thus making the
  denial rule explicit. Adding this entry is especially useful if you
  want to log information about the denied packets.

For complete information about how to configure IP ACLs, refer to the
Configuring IP Services chapter of the Cisco IOS IP Configuration
Guide.

Note: You do not necessarily need to configure an extended ACL at
both the outbound internal interface and the inbound external
interface, but at least one extended ACL is necessary to restrict
traffic that flows through the firewall into the internal protected
network.
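The interface choice from the previous topic and the ACL guidelines above come together in the following configuration, added here as an example and not taken from the course material. It uses the external-interface placement (inspection applied outbound on Serial 1, extended ACL applied inbound on Serial 1) so that only sessions initiated from inside, plus DNS to the DMZ, can cross the firewall. The addresses, the DMZ interface Ethernet 1, the DNS server 192.168.1.10, the rule name FWRULE and the ACL numbers are all assumptions made for the example.

```cisco
! Added example; not from the course page. Topology and addresses are
! constructed for illustration:
!   Ethernet0 = internal (protected) network 10.1.1.0/24
!   Ethernet1 = DMZ 192.168.1.0/24, DNS server at 192.168.1.10
!   Serial1   = external (unprotected) link, 203.0.113.2/30
!
! Inspection rule. Sessions matching these protocols and leaving via
! Serial1 get temporary openings in ACL 101 for their return traffic.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE http
ip inspect name FWRULE ftp
!
! ACL 101: extended ACL applied inbound on the external interface.
! Antispoofing: drop packets claiming a protected or DMZ source.
access-list 101 deny ip 10.1.1.0 0.0.0.255 any log
access-list 101 deny ip 192.168.1.0 0.0.0.255 any log
! Deny the all-ones broadcast source address.
access-list 101 deny ip host 255.255.255.255 any log
! The only traffic the outside may initiate: DNS to the DMZ server.
access-list 101 permit udp any host 192.168.1.10 eq domain
access-list 101 permit tcp any host 192.168.1.10 eq domain
! Make the implicit deny explicit so denied packets are logged.
access-list 101 deny ip any any log
!
! ACL 102: the "basic configuration" on the internal side. Protected
! hosts may start any session (so everything FWRULE inspects is
! permitted on the initial flow); applied inbound on Ethernet0 it
! also rejects packets with a non-internal source address.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip any any log
!
interface Ethernet0
 description internal network
 ip address 10.1.1.1 255.255.255.0
 ip access-group 102 in
!
interface Ethernet1
 description DMZ
 ip address 192.168.1.1 255.255.255.0
!
interface Serial1
 description external link
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip inspect FWRULE out
```

Because ACL 101 is an extended ACL, the firewall can insert the dynamic entries for returning traffic in front of the static deny statements; a standard ACL in that position would not work. The "log" keyword on the deny entries feeds the audit trail and alert mechanism described earlier, but it costs router CPU on busy links, so it is usually kept on the antispoofing and explicit-deny entries rather than on every line.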
6.2 Configuring Cisco IOS Firewall from the CLI - 6.2.4 Set Audit Trails and Alerts

Audit trails and alerts are notification settings in
the Cisco IOS Firewall. Figure shows the Cisco IOS commands
that you use to configure the delivery of audit trail messages
using syslog and to enable real-time alerts. Real-time alerts
send SYSLOG error messages to central management consoles upon
detecting suspicious activity. Using Cisco IOS Firewall
inspection rules, you can configure alerts and audit trail
information on a per-application protocol basis. Turn on audit