CBAC - examples


Schema

  • Inspection is set on the inbound direction of the external interface (for hosting) or on the outbound direction of the external interface (for LAN access)
  • Decide what traffic to inspect, what traffic to forward and what traffic to block
  • Create ACL (ACL is always before CBAC)
  • Create inspection rule for interesting protocols
  • Assign inspection rule and ACL(s) to interface(s)


  • 1. ACL


(config)#ip access-list extended DANPOLIN

(config-ext-nacl)#1 deny ip 172.16.0.0 0.0.255.255 any

(config-ext-nacl)#2 deny ip 255.255.255.255 0.0.0.0 any

(config-ext-nacl)#10 permit icmp any any echo

(config-ext-nacl)#15 permit icmp any any echo-reply

(config-ext-nacl)#30 permit tcp any any eq 22

(config-ext-nacl)#40 permit tcp any any eq 23

(config-ext-nacl)#50 permit tcp any any eq 80

(config-ext-nacl)#60 permit tcp any any eq 443

Warning: Sequence numbers are available on newer IOS only

172.16.0.0/16 is the LAN (entry 1 denies packets with a LAN source address arriving from the Internet)


(config)#ip access-list extended DANPOLIN2

(config-ext-nacl)#1 deny ip 192.168.1.0 0.0.0.255 any

(config-ext-nacl)#2 deny ip 255.255.255.255 0.0.0.0 any

(config-ext-nacl)#10 permit icmp any any echo

(config-ext-nacl)#20 permit icmp any any echo-reply

Warning: Sequence numbers are available on newer IOS only

192.168.1.0/24 is the Internet-facing subnet (entry 1 denies packets with that source address arriving from the LAN)


  • 2. Inspection rule - let's call it DANPOLIN and inspect ssh, http and https


ip inspect name DANPOLIN ssh

ip inspect name DANPOLIN http

ip inspect name DANPOLIN https


  • 3. Check what we did


Router#sh ip inspect all

Inspection Rule Configuration

Inspection name DANPOLIN

  ssh alert is on audit-trail is off timeout 3600

  http alert is on audit-trail is off timeout 3600

  https alert is on audit-trail is off timeout 3600


  • 4. Assign ACL to interface


(config)#interface fastethernet 0/0

(config-if)#ip access-group DANPOLIN in

FastEthernet 0/0 is connected to the Internet

(config)#interface fastethernet 0/1

(config-if)#ip access-group DANPOLIN2 in

FastEthernet 0/1 is connected to the LAN

  • 5. Assign inspection rule to interface


(config)#interface fastethernet 0/0

(config-if)#ip inspect DANPOLIN in

  • 6. List all sessions


sh ip inspect session

Session 64FDF33C (x.x.x.x:1829)=>(x.x.x.x:22) ftp SIS_OPEN
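The following Python model is added here as an illustration and is not part of the original post. It re-types the two ACLs from step 1 and walks sample packets through the "ACL first, then inspection" pipeline that steps 4 and 5 wire up: the static ACL decides whether the initial packet is allowed and whether inspection gets to see it, and the session entry that inspection creates is what lets the server's reply back in through the LAN-side ACL. Interface names, client and server addresses and port numbers are constructed for the scenario; DANPOLIN2's /24 wildcard is written as 0.0.0.255 and the ICMP keyword as echo-reply.

```python
"""Toy model of an IOS extended ACL plus CBAC stateful openings (added example)."""
import ipaddress
from dataclasses import dataclass

ICMP_TYPES = {"echo": 8, "echo-reply": 0}
INSPECT_PORTS = {"ssh": 22, "http": 80, "https": 443}   # ports behind the inspect keywords


@dataclass
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp" or "icmp"
    src: str         # "addr wildcard" or "any"
    dst: str
    qualifier: str   # "eq 22", "echo", "echo-reply" or ""


def parse_ace(line: str) -> Ace:
    """Parse one IOS extended ACE such as '10 permit tcp any any eq 80'."""
    tok, pos = line.split(), 3

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return f"{tok[pos - 1]} 0.0.0.0"
        pos += 2
        return f"{tok[pos - 2]} {tok[pos - 1]}"

    src, dst = take_addr(), take_addr()
    return Ace(int(tok[0]), tok[1], tok[2], src, dst, " ".join(tok[pos:]))


def addr_matches(spec: str, ip: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match exactly."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(base)) & care == int(ipaddress.IPv4Address(ip)) & care


def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not (addr_matches(ace.src, pkt["src"]) and addr_matches(ace.dst, pkt["dst"])):
        return False
    q = ace.qualifier.split()
    if not q:
        return True
    if q[0] == "eq":
        return pkt.get("dport") == int(q[1])
    return pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_TYPES[q[0]]


def acl_action(acl: list, pkt: dict) -> str:
    """First matching ACE wins; the implicit final entry is deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


class CbacRouter:
    def __init__(self):
        self.acl_in = {}        # interface -> inbound ACL
        self.inspect_in = {}    # interface -> inspected protocol keywords (inbound)
        self.sessions = set()   # (src, sport, dst, dport) of inspected flows

    def ingress(self, iface: str, pkt: dict) -> str:
        key = (pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
        reverse = (pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
        if reverse in self.sessions:        # dynamic opening for return traffic
            return "permit"
        action = acl_action(self.acl_in.get(iface, []), pkt)
        if action != "permit":
            return action                   # the static ACL is always checked first
        for proto in self.inspect_in.get(iface, ()):
            if pkt["proto"] == "tcp" and pkt.get("dport") == INSPECT_PORTS[proto]:
                self.sessions.add(key)      # only now does inspection see the packet
        return action


DANPOLIN = [parse_ace(l) for l in [
    "1 deny ip 172.16.0.0 0.0.255.255 any", "2 deny ip 255.255.255.255 0.0.0.0 any",
    "10 permit icmp any any echo", "15 permit icmp any any echo-reply",
    "30 permit tcp any any eq 22", "40 permit tcp any any eq 23",
    "50 permit tcp any any eq 80", "60 permit tcp any any eq 443"]]
DANPOLIN2 = [parse_ace(l) for l in [
    "1 deny ip 192.168.1.0 0.0.0.255 any", "2 deny ip 255.255.255.255 0.0.0.0 any",
    "10 permit icmp any any echo", "20 permit icmp any any echo-reply"]]


def run_scenario() -> dict:
    r = CbacRouter()
    r.acl_in = {"Fa0/0": DANPOLIN, "Fa0/1": DANPOLIN2}
    r.inspect_in = {"Fa0/0": {"ssh", "http", "https"}}
    client, server = "198.51.100.7", "172.16.5.10"     # constructed addresses
    out = {}
    # HTTPS from the Internet: permitted by ACE 60, then inspected.
    out["https_in"] = r.ingress("Fa0/0", {"proto": "tcp", "src": client, "sport": 51000, "dst": server, "dport": 443})
    # The server's reply enters on the LAN side; DANPOLIN2 alone would drop it.
    out["https_reply"] = r.ingress("Fa0/1", {"proto": "tcp", "src": server, "sport": 443, "dst": client, "dport": 51000})
    # Telnet is permitted by ACE 40 but is not in the inspect rule ...
    out["telnet_in"] = r.ingress("Fa0/0", {"proto": "tcp", "src": client, "sport": 51001, "dst": server, "dport": 23})
    # ... so its reply meets the static LAN ACL and is dropped.
    out["telnet_reply"] = r.ingress("Fa0/1", {"proto": "tcp", "src": server, "sport": 23, "dst": client, "dport": 51001})
    # A spoofed LAN source arriving from the Internet hits ACE 1 before any permit.
    out["spoofed"] = r.ingress("Fa0/0", {"proto": "tcp", "src": "172.16.9.9", "sport": 4000, "dst": server, "dport": 443})
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:13} {verdict}")
```

The telnet case is the one to notice: a protocol that the ACL permits but the inspect rule does not list gets no return opening, which is why the schema says to decide separately what to forward and what to inspect.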


  • 7. Tune the timers, which are too high in my opinion (be careful - every network is different)


(config)#ip inspect tcp synwait-time 15

default 30 secs

(config)#ip inspect tcp finwait-time 3

default 5 secs

(config)#ip inspect tcp idle-time 1800

default 3600 secs

(config)#ip inspect max-incomplete low 150

default 300

(config)#ip inspect max-incomplete high 250

default 500

(config)#ip inspect one-minute low 100

default unlimited

(config)#ip inspect one-minute high 200

default unlimited

(config)#ip inspect tcp max-incomplete host 40 block-time 1

default unlimited for incomplete sessions and block-time 0

(config)#ip inspect name DANPOLIN fragment maximum 100 timeout 5

default 256 secs for fragmented packets with timeout 1


dzbanek 2011-09-08
