CBAC - examples

Schema
- Inspection is set inbound on the external interface (for hosting) or outbound on the external interface (for LAN access)
- Decide what traffic to inspect, what traffic to forward and what traffic to block
- Create the ACL (the ACL is always evaluated before CBAC)
- Create an inspection rule for the interesting protocols
- Assign the inspection rule and the ACL(s) to the interface(s)

- 1. ACL

(config)#ip access-list extended DANPOLIN
(config-ext-nacl)#1 deny ip 172.16.0.0 0.0.255.255 any
(config-ext-nacl)#2 deny ip 255.255.255.255 0.0.0.0 any
(config-ext-nacl)#10 permit icmp any any echo
(config-ext-nacl)#15 permit icmp any any echo-reply
(config-ext-nacl)#30 permit tcp any any eq 22
(config-ext-nacl)#40 permit tcp any any eq 23
(config-ext-nacl)#50 permit tcp any any eq 80
(config-ext-nacl)#60 permit tcp any any eq 443
Warning: sequence numbers are available on newer IOS only
172.16.0.0/16 LAN (entries 1 and 2 reject packets arriving from the Internet with a LAN or broadcast source address)

(config)#ip access-list extended DANPOLIN2
(config-ext-nacl)#1 deny ip 192.168.1.0 0.0.0.255 any
(config-ext-nacl)#2 deny ip 255.255.255.255 0.0.0.0 any
(config-ext-nacl)#10 permit icmp any any echo
(config-ext-nacl)#20 permit icmp any any echo-reply
Warning: sequence numbers are available on newer IOS only
192.168.1.0/24 Internet (wildcard 0.0.0.255 = the /24)
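Added example, not part of the original note: a small Python evaluator that applies IOS wildcard-mask and first-match semantics (including the implicit deny at the end) to the DANPOLIN ACL above, so you can check which entry a packet arriving on the Internet interface hits before CBAC ever sees it. The ICMP keyword is spelled echo-reply as IOS expects; all test addresses are constructed.

```python
import ipaddress
# Constructed copy of the DANPOLIN ACL from this note (ICMP keyword spelled echo-reply).
DANPOLIN = """
1 deny ip 172.16.0.0 0.0.255.255 any
2 deny ip 255.255.255.255 0.0.0.0 any
10 permit icmp any any echo
15 permit icmp any any echo-reply
30 permit tcp any any eq 22
40 permit tcp any any eq 23
50 permit tcp any any eq 80
60 permit tcp any any eq 443
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(tokens):
    """Consume one address term: 'any', 'host A' or 'A WILDCARD'. Returns (ip, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse numbered extended-ACL entries and order them by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, swc, rest = _addr(t[3:])
        dst, dwc, rest = _addr(rest)
        # Trailing qualifier: 'eq PORT' for tcp/udp, an ICMP type name for icmp, else nothing.
        qual = int(rest[1]) if rest[:1] == ["eq"] else (rest[0] if rest else None)
        entries.append({"seq": int(t[0]), "action": t[1], "proto": t[2],
                        "src": (src, swc), "dst": (dst, dwc), "qual": qual})
    return sorted(entries, key=lambda e: e["seq"])

def _wc_match(addr, ip, wildcard):
    # Wildcard bits set to 1 are "don't care"; bits set to 0 must match exactly.
    return ((addr ^ ip) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, proto, src, dst, qual=None):
    """First match wins; returns (action, seq), or ('deny', None) for the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if (e["proto"] in ("ip", proto) and _wc_match(s, *e["src"])
                and _wc_match(d, *e["dst"]) and (e["qual"] is None or e["qual"] == qual)):
            return e["action"], e["seq"]
    return "deny", None

ACL = parse_acl(DANPOLIN)
```

Feeding it a single entry is a quick way to check a wildcard mask before applying it: 192.168.1.0 0.255.255.255 matches all of 192.0.0.0/8, while 192.168.1.0 0.0.0.255 matches only the /24.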
- 2. Inspection rule - let's call it DANPOLIN and inspect ssh, http and https

ip inspect name DANPOLIN ssh
ip inspect name DANPOLIN http
ip inspect name DANPOLIN https

- 3. Check what we did

Router#sh ip inspect all
Inspection Rule Configuration
Inspection name DANPOLIN
 ssh alert is on audit-trail is off timeout 3600
 http alert is on audit-trail is off timeout 3600
 https alert is on audit-trail is off timeout 3600

- 4. Assign ACL to interface

(config)#interface fastethernet 0/0
(config-if)#ip access-group DANPOLIN in
FastEthernet 0/0 is connected to the Internet
(config)#interface fastethernet 0/1
(config-if)#ip access-group DANPOLIN2 in
FastEthernet 0/1 is connected to the LAN
- 5. Assign inspection rule to interface

(config)#interface fastethernet 0/0
(config-if)#ip inspect DANPOLIN in
- 6. List all sessions

sh ip inspect session
Session 64FDF33C (x.x.x.x:1829)=>(x.x.x.x:22) ftp SIS_OPEN

- 7. Tune timers, which are too high in my opinion (be careful, every network is different)

(config)#ip inspect tcp synwait-time 15
default 30 secs
(config)#ip inspect tcp finwait-time 3
default 5 secs
(config)#ip inspect tcp idle-time 1800
default 3600 secs
(config)#ip inspect max-incomplete low 150
default 300
(config)#ip inspect max-incomplete high 250
default 500
(config)#ip inspect one-minute low 100
default unlimited
(config)#ip inspect one-minute high 200
default unlimited
(config)#ip inspect tcp max-incomplete host 40 block-time 1
default unlimited incomplete sessions per host and block-time 0
(config)#ip inspect name DANPOLIN fragment maximum 100 timeout 5
default fragment maximum 256 with timeout 1 sec
dzbanek 2011-09-08