After selecting the application security policy in the Advanced Firewall Security Configuration window and clicking Next, the Internet Firewall Configuration Summary window appears, shown in Figure. The window lists all firewall rules that will be applied to the router interfaces. Click Finish to apply the configuration to the router.

The wizard finishes and the Edit Firewall Policy / ACL tab of the Firewall and ACL menu appears. In this window, you can review and modify the configured options. The fine-tuning that you perform here is necessary when non-TCP and non-UDP traffic, such as ESP, must be permitted in the inbound direction, or when separate inspection rules should be applied to different interfaces.

Note: If SDM detects existing NAT or IPsec VPN configurations on the router, SDM automatically adjusts the ACLs so that NAT or IPsec VPN operations are not affected.

Resulting Advanced Firewall Inspection Rule Configuration
Finally, you can verify the router configuration using the CLI. Figure illustrates the inspection rule configuration that is applied to the router. First in the list is the custom inspection rule appfw_100 that you created using the wizard. This rule is applied to the inside interface in the inbound direction (inspecting the outbound traffic from the inside to the outside). The rule includes generic TCP and UDP inspection as well as FTP inspection, with the audit trail enabled for TCP traffic. The rule dmzinspect is applied to the DMZ interface in the outbound direction (inspecting traffic from the outside to the DMZ services) and checks generic TCP and UDP.

Resulting Advanced Firewall ACL Configuration
Figure shows which ACLs are sent to the router as a result of the wizard. This configuration includes three ACLs that apply to the router interfaces:

- ACL 100 applies in the inbound direction to the inside interface. The ACL prevents spoofing by denying packets sourced from the 200.0.0.0/30 and 192.168.0.0/24 networks, which are configured on the outside and DMZ interfaces, respectively. The ACL also blocks packets sourced from the broadcast address and the 127.0.0.0/8 network, and permits all other traffic.
- ACL 101 applies in the inbound direction to the DMZ interface. This ACL blocks and logs all packets.
- ACL 102 applies in the inbound direction to the outside interface. The ACL prevents spoofing by denying packets sourced from the 192.168.0.0/24 and 10.1.1.0/24 networks, which are configured on the DMZ and inside interfaces, respectively. The ACL permits ICMP echo-reply, time-exceeded, and unreachable messages destined to the outside router interface (200.0.0.1). It also permits packets destined to the DMZ servers: HTTP traffic to host 192.168.0.2 and ISAKMP traffic to host 192.168.0.3. Next, the ACL blocks packets sourced from the private address ranges, the broadcast address, and the 0.0.0.0 address. The final entry denies and logs all other packets.
Note: The Advanced Firewall wizard was used to permit HTTP (TCP/80) to the web server (192.168.0.2) and ISAKMP (UDP/500) to the VPN server (192.168.0.3) residing in the DMZ. The VPN server communicates with its peers using both ISAKMP and ESP (IP protocol 50). Because ESP is stateless, the Advanced Firewall wizard does not allow ESP-based access to the VPN server. In a real-life scenario, you will have to modify the ACL applied to the outside interface (102) to permit ESP traffic to the VPN server.
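ACL 102 as described above, together with the ESP caveat from the note, modelled as an added Python example that is not part of the original course text. It is a small first-match evaluator over an ordered list of entries reconstructed from the prose (the page does not show the exact IOS syntax SDM generates; the private-range, broadcast and 0.0.0.0 entries are written as assumed CIDR blocks), followed by the manual edit that permits ESP to the VPN server. The outside peer address 198.51.100.7 is a constructed example value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", "icmp", "esp", ...
    src: str                         # source IPv4 address
    dst: str                         # destination IPv4 address
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access control entry, in the spirit of an IOS extended ACL line."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # "any" or a CIDR block
    dst: str
    dport: Optional[int] = None      # None matches any port
    icmp_type: Optional[str] = None  # None matches any ICMP type
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and _in_net(pkt.src, self.src)
            and _in_net(pkt.dst, self.dst)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.icmp_type is None or self.icmp_type == pkt.icmp_type)
        )


def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first-match evaluation with the implicit deny at the end.
    Returns (action, index of the matching entry; None for the implicit deny)."""
    for idx, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None


# ACL 102 (inbound on the outside interface), reconstructed from the description above.
ACL_102 = [
    Ace("deny", "ip", "192.168.0.0/24", "any"),                          # anti-spoofing: DMZ range
    Ace("deny", "ip", "10.1.1.0/24", "any"),                             # anti-spoofing: inside range
    Ace("permit", "icmp", "any", "200.0.0.1/32", icmp_type="echo-reply"),
    Ace("permit", "icmp", "any", "200.0.0.1/32", icmp_type="time-exceeded"),
    Ace("permit", "icmp", "any", "200.0.0.1/32", icmp_type="unreachable"),
    Ace("permit", "tcp", "any", "192.168.0.2/32", dport=80),             # HTTP to the web server
    Ace("permit", "udp", "any", "192.168.0.3/32", dport=500),            # ISAKMP to the VPN server
    Ace("deny", "ip", "10.0.0.0/8", "any"),                              # private ranges (assumed blocks)
    Ace("deny", "ip", "172.16.0.0/12", "any"),
    Ace("deny", "ip", "192.168.0.0/16", "any"),
    Ace("deny", "ip", "255.255.255.255/32", "any"),                      # broadcast
    Ace("deny", "ip", "0.0.0.0/32", "any"),
    Ace("deny", "ip", "any", "any", log=True),                           # final deny-and-log entry
]


def with_esp_permitted(acl: List[Ace], vpn_server: str = "192.168.0.3") -> List[Ace]:
    """The manual edit the note calls for: permit ESP to the VPN server, inserted right
    after the ISAKMP entry so that it precedes the blanket deny entries."""
    isakmp_idx = next(i for i, a in enumerate(acl) if a.proto == "udp" and a.dport == 500)
    return acl[:isakmp_idx + 1] + [Ace("permit", "esp", "any", f"{vpn_server}/32")] + acl[isakmp_idx + 1:]


if __name__ == "__main__":
    peer = "198.51.100.7"  # constructed address for an outside IPsec peer
    samples = [
        ("HTTP to web server", Packet("tcp", "1.1.1.1", "192.168.0.2", dport=80)),
        ("Telnet to web server", Packet("tcp", "1.1.1.1", "192.168.0.2", dport=23)),
        ("spoofed inside source", Packet("tcp", "10.1.1.5", "192.168.0.2", dport=80)),
        ("ESP from VPN peer", Packet("esp", peer, "192.168.0.3")),
    ]
    for acl_name, acl in (("ACL 102 as generated", ACL_102), ("ACL 102 with ESP permitted", with_esp_permitted(ACL_102))):
        for label, pkt in samples:
            print(f"{acl_name}: {label} -> {evaluate(acl, pkt)}")
```

The order matters: the ESP entry must sit above the blanket deny entries, otherwise the final deny-and-log line still drops the peer's ESP packets even though ISAKMP negotiation succeeds.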
Resulting Advanced Firewall Interface Configuration

Figure shows the resulting interface configuration options. Finally, the Advanced Firewall Configuration wizard applies the configured ACLs and inspection rules to the router interfaces. Additionally, unicast reverse path forwarding (uRPF) is enabled on the outside interface.
Content 6.3 Basic and Advanced Firewall Wizards

6.3.7 Viewing Firewall Activity

Figure shows the steps you use to activate logging using the Cisco SDM GUI. Use these steps to enable logging:

Step 1 Click the Configure icon in the top navigation bar to enter the configuration page.
Step 2 Click the Additional Tasks icon in the left vertical navigation bar.
Step 3 Choose the Router Properties > Logging item from the tree in the window on the left side of the screen.
Step 4 Click the Edit button in the upper-right corner of the window to modify the logging settings.
Step 5 Select the debugging (7) option from the Logging Level drop-down list.
Step 6 Click OK.

Note: Logging is not activated by default.

Viewing Firewall Log
After activating firewall logging, you can view the firewall log, as shown in Figure:

Step 1 Click the Monitor icon in the top navigation bar to enter the configuration page.
Step 2 Click the Firewall Status icon in the left vertical navigation bar.

In the example in Figure, you see a number of packets that have been denied on the outside interface because they did not comply with the firewall policy that the firewall wizard created. A number of packets from an attacker using the address 1.1.1.1 have been dropped. The attacker attempted to send ICMP, TCP (Telnet), and UDP packets to some high ports, probably using a traceroute. The target systems were the two hosts in the DMZ, 192.168.0.2 and 192.168.0.3, and the inside interface address 10.1.1.1.
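A way to read the kind of log the Firewall Status page summarizes, as an added Python example that is not from the original course text. It parses constructed syslog lines in the IOS ACL logging formats (%SEC-6-IPACCESSLOGP for TCP/UDP and %SEC-6-IPACCESSLOGDP for ICMP, which the `log` keyword on an ACL entry produces), then totals denied packets per source address and flags UDP probes to the classic Unix traceroute port range (33434 to 33534, an assumed heuristic) as traceroute-like. The sample lines reuse the page's addresses; the timestamps, source ports and packet counts are constructed.

```python
import re

# Constructed syslog lines in the IOS ACL logging formats. Addresses follow the page's
# example: attacker 1.1.1.1, DMZ hosts 192.168.0.2 and 192.168.0.3, inside interface 10.1.1.1.
SAMPLE_LOG = """\
*Mar  1 00:12:01.123: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 1.1.1.1 -> 192.168.0.2 (8/0), 1 packet
*Mar  1 00:12:02.456: %SEC-6-IPACCESSLOGP: list 102 denied tcp 1.1.1.1(51022) -> 192.168.0.2(23), 1 packet
*Mar  1 00:12:03.789: %SEC-6-IPACCESSLOGP: list 102 denied udp 1.1.1.1(41000) -> 192.168.0.3(33434), 1 packet
*Mar  1 00:12:04.012: %SEC-6-IPACCESSLOGP: list 102 denied udp 1.1.1.1(41001) -> 192.168.0.3(33435), 1 packet
*Mar  1 00:12:05.345: %SEC-6-IPACCESSLOGP: list 102 denied udp 1.1.1.1(41002) -> 10.1.1.1(33436), 1 packet
*Mar  1 00:12:06.678: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 1.1.1.1 -> 10.1.1.1 (8/0), 1 packet
*Mar  1 00:12:07.901: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.2(40000) -> 10.1.1.5(445), 3 packets
"""

# TCP/UDP lines carry "src(port) -> dst(port)"; ICMP lines carry "src -> dst (type/code)".
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

# Assumed heuristic: classic Unix traceroute sends UDP probes to 33434 and upwards.
TRACEROUTE_PORTS = range(33434, 33535)


def parse_acl_log(text: str) -> list:
    """Turn ACL log lines into dicts; lines that are not ACL log messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "acl": d["acl"],
            "action": d["action"],
            "proto": d["proto"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "icmp_type": int(d["itype"]) if d["itype"] else None,
            "count": int(d["count"]),
        })
    return events


def summarize_denied(events: list, acl: str = "102") -> dict:
    """Per source address: denied packet total, protocols used, targets hit, traceroute flag."""
    summary = {}
    for e in events:
        if e["acl"] != acl or e["action"] != "denied":
            continue
        s = summary.setdefault(e["src"], {"packets": 0, "protocols": set(), "targets": set(), "traceroute_like": False})
        s["packets"] += e["count"]
        s["protocols"].add(e["proto"])
        s["targets"].add(e["dst"])
        if e["proto"] == "udp" and e["dport"] in TRACEROUTE_PORTS:
            s["traceroute_like"] = True
    return summary


if __name__ == "__main__":
    for src, info in summarize_denied(parse_acl_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['packets']} denied packets, protocols={sorted(info['protocols'])}, "
              f"targets={sorted(info['targets'])}, traceroute_like={info['traceroute_like']}")
```

Only entries carrying the `log` keyword generate these messages, so what this summary shows is bounded by which ACL entries were configured to log; in the wizard's ACLs that is the final deny entry of ACL 102 and every entry of ACL 101.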
Content 6.4 Introducing Cisco IOS IPS

6.4.1 Introducing Cisco IOS IDS and IPS

Intrusion Detection System

The intrusion detection system (IDS) is a software- or hardware-based solution that passively listens to network traffic. The IDS is not in the traffic path, but listens promiscuously to all traffic on the network. Typically, only one promiscuous interface is required for network monitoring. Additional promiscuous interfaces can be used to monitor multiple networks. When the IDS detects malicious traffic, the IDS sends an alert to the management station. Figure summarizes the features of an IDS.

The IDS has limited active response capabilities. When configured, the IDS can block further malicious traffic by actively configuring network devices (for example, security appliances or routers) in response to the detection of malicious traffic. However, the original malicious traffic has already passed through the network to the intended destination and cannot be blocked; only subsequent traffic will be blocked. The IDS also has the capability of sending a TCP reset to the end host to terminate any malicious TCP connections.

Intrusion Prevention System
An intrusion prevention system (IPS) is an active device in the traffic path that listens to network traffic and permits or denies flows and packets into the network. All traffic passes through the IPS for inspection: traffic arrives on one IPS interface and exits on another. When the IPS detects malicious traffic, the IPS sends an alert to the management station and can be configured to block the malicious traffic immediately. The IPS proactively prevents attacks by blocking both the original and the subsequent malicious traffic. Figure summarizes the features of an IPS. Because network attack mechanisms are becoming more sophisticated, this proactive approach is required to protect against network viruses, worms, malicious applications, and vulnerability exploits.

Combining IDS and IPS
Figure describes how an IDS and an IPS are complementary technologies. IDS and IPS are often deployed in parallel in enterprise networks. The IPS actively blocks offending traffic and can be considered another implementation of a firewall system. The IPS should be tuned to block only known malicious traffic in order to avoid connectivity disruptions. An IDS can verify that the IPS is really blocking offending traffic. In addition, the IDS can be configured to send alerts about the “gray area” traffic, that is, data that is neither clearly malicious nor clearly legitimate. Such traffic should