You are on page 1of 52

Deploying IOS Security

BRKSEC-2007

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Agenda

ƒ Drivers for Integrated Security
ƒ Technology Overview
ƒ Design Considerations
ƒ Deployment Models
ƒ Real World Use Cases
ƒ Case Study
ƒ Summary
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 3

Security as an Option

ƒ Security is an add-on ƒ Security is built-in

ƒ Challenging integration ƒ Intelligent collaboration

ƒ Not cost-effective ƒ Appropriate security

ƒ Cannot focus on core priority ƒ Direct focus on core priority

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 4

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Threats and Challenges
Threats at the Branch Office and HQ
Branch Office

DDoS on
Router
Attack on DMZ

Attacks on branch
servers QFP

Internet
Head Quarter

Web surfing
Branch Office
Worms/Viruses Wireless attacks
Voice
attacks

Branch Office

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 5

Requirement of Integrated Security Solution
IOS Security
Securing the Branch Office and HQ

Branch Office
Network
ƒ Secure Internet
Foundation
Protection
access to branch,
DDoS on without the need
Application
Router
for additional
Firewall
Integrated devices
Attacks on HQ Firewall

ƒ Control worms
branch servers QFP

IPS FPM Internet
Head Quarter
and viruses right
Worms
at the remote site,
011111101010101

congesting
WAN
Regulate
conserve WAN
URL surfing
Voice Wireless
bandwidth
Filtering Security Security Wireless
Voice
attacks
attacks ƒ Protect the router
itself from hacking
and DoS attacks
Branch Office

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 6

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Agenda

ƒ Drivers for Integrated Security
ƒ Technology Overview
ƒ Design Considerations
ƒ Deployment Models
ƒ Real World Use Cases
ƒ Case Study
ƒ Summary
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 7

Cisco IOS Security—
Router Technologies

QFP

Secure Network Solutions

Compliance Secure Secure Business
Voice Mobility Continuity

Integrated Threat Control
011111101010101

Advanced URL Intrusion Flexible Network Network
Firewall Filtering Prevention Packet Admission 802.1x Foundation
Matching Control Protection

Secure Connectivity Management and Instrumentation

Role Based
GET VPN DMVPN SSL VPN IPsec VPN SDM NetFlow IP SLA
Access

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 8

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Integrated Threat Control
ƒ Cisco IOS Firewall (Classic and Zone-Based)
ƒ Cisco IOS Application Intelligence Control
ƒ Cisco IOS Intrusion Prevention System
ƒ Cisco IOS URL Filtering
ƒ Cisco IOS Flexible Packet Matching (FPM)
ƒ Cisco IOS Network Foundation Protection
(NFP)

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 9

Cisco IOS Firewall Overview Advanced
Firewall
Advanced Layer 3–7 Firewall
ƒ Cisco IOS Firewall is Common Criteria certified firewall
ƒ Stateful filtering
ƒ Application inspection (Layer 3 through Layer 7)
ƒ Application control—Application Layer Gateway (ALG)
engines with wide range of protocols and applications
ƒ Built-in DoS protection capabilities
ƒ Supports deployments with Virtualization (VRFs),
transparent mode and stateful failover
ƒ IPv6 support

http://www.cisco.com/go/iosfw
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 10

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco IOS Zone-Based
Policy Firewall Advanced
Firewall

ƒ Allows grouping of physical and Supported Features
virtual interfaces into zones ƒ Stateful Inspection
ƒ Application Inspection: IM, POP,
ƒ Firewall policies are applied to traffic IMAP, SMTP/ESMTP, HTTP
traversing zones ƒ URL filtering
ƒ Per-policy parameter
ƒ Simple to add or remove interfaces
ƒ Transparent firewall
and integrate into firewall policy
ƒ VRF-aware firewall (Virtual
Firewall)

Private-DMZ
Policy DMZ
DMZ-Private
Public-DMZ
Policy
Policy

Trusted Internet Untrusted

Private-Public
Policy
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 11

Cisco IOS Zone-Based Firewall—
Rule Table (SDM) Advanced
Firewall

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 12

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco IOS Zone-Based Policy Firewall
Configuration (Command Line Interface (CLI)
class-map type inspect match-any services
Define Services
match protocol tcp
Inspected by Policy
!
policy-map type inspect firewall-policy
class type inspect services Configure Firewall
Action for Traffic
inspect
!
zone security private
zone security public Define Zones
!
zone-pair security private-public source private destination public
service-policy type inspect firewall-policy Establish Zone Pair,
! Apply Policy
interface fastethernet 0/0
zone-member security private
!
Assign Interfaces to
interface fastethernet 0/1 Zones
zone-member 192.168.1.2
security public

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 13

Cisco IOS Transparent Firewall
ƒ Introduces “stealth firewall” capability
No IP address associated with firewall (nothing to attack)
No need to renumber or break up IP subnets
IOS Router is bridging between the two “halves” of the network
Use Case: Firewall Between Wireless and Wired LANs
ƒ Both “wired” and wireless segments are in same subnet 192.168.1.0/24
ƒ VLAN 1 is the “private” protected network.
ƒ Wireless is not allowed to access wired LAN

192.168.1.3

Wireless
Fa 0/0
Internet
VLAN 1
Transparent
192.168.1.2 Firewall

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 14

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Transparent Cisco IOS Firewall
Configuration (Command Line Interface (CLI)
Classification: Security Zone Policy:
class-map type inspect match-any protocols zone-pair security zone-policy source wired
destination wireless
match protocol dns
service-policy type inspect firewall-policy
match protocol https
!
match protocol icmp
interface VLAN 1
match protocol imap
description private interface
match protocol pop3
bridge-group 1
match protocol tcp
zone-member security wired
match protocol udp
!
interface VLAN2
Security Policy:
description public interface
policy-map type inspect firewall-policy
bridge-group 1
class type inspect protocols
zone-member security wireless
Inspect
Layer2 Configuration:
bridge configuration
Security Zones:
bridge irb
zone security wired
bridge 1 protocol ieee
zone security wireless
bridge 1 route ip
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 15

Cisco IOS Flexible Packet 011111101010101

Matching (FPM) Flexible
Packet
Matching
Rapid Response to New and Emerging Attacks
ƒ Network managers require tools to filter day-zero
attacks, such as before IPS signatures are
available
ƒ Traditional ACLs take a shotgun approach—
legitimate traffic could be blocked
Example: Stopping Slammer with ACLs
meant blocking
port 1434—denying business transactions
involving
Microsoft SQL
ƒ FPM delivers flexible, granular Layer 2–7
matching
Example: port 1434 + packet length 404B +
specific pattern within payload Æ Slammer

0111111010101010000111000100111110010001000100100010001001

Match Pattern AND OR NOT
Cisco.com/go/fpm
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 16

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco IOS Flexible Packet Matching
Configuration - Slammer Filter
Class-map stack ip-udp
Match field ip protocol eq 17 next udp

Class-map access-control slammer
Match field udp dport eq 1434
Match start ip version offset 224 size 4 eq 0x04011010
Match start network-start offset 224 size 4 eq 0x04011010

Policy-map access-control udp-policy
access-control typed class
Class slammer defines traffic pattern: udp
Drop dst port 1434, starting from
IP header, offset 224 byte,
Poliyc-map access-control fpm-policy
the 4 byte value should be
0x04041010
Class ip-udp
service-policy udp-policy

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 17

Cisco IOS Intrusion Prevention (IPS) IPS
Distributed Defense Against Worms and Viruses
ƒ Cisco IOS IPS stops attacks at the entry point, conserves WAN bandwidth, and
protects the router and remote network from DoS attacks
ƒ Integrated form factor makes it cost-effective and viable to deploy IPS in Small and
Medium Business and Enterprise branch/telecommuter sites
ƒ Supports 2000+ signatures sharing the same signature database available with
Cisco IPS sensors
ƒ Allows custom signature sets and actions to react quickly to new threats

Protect router
and local network Stop attacks
from DoS attacks before they fill
up the WAN
Branch Office

Internet Corporate Office

Apply IPS on traffic from
Small Branch branches to kill worms
Small Office and
Telecommuter from infected PCs

http://www.cisco.com/go/iosips
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 18

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco IOS Intrusion Prevention System (IPS)
Configuration (Command Line Interface (CLI)
Download Cisco IOS IPS Files to your PC Cisco IOS IPS Configuration (Con’t)
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup retired false
IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt interface fast Ethernet 0
ip ips ips-policy in
Configure Cisco IOS IPS Crypto Key
mkdir ipstore (Create directory on flash) Load the signatures from TFTP server
Paste the crypto key from copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
realm-cisco.pub.key.txt Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

Cisco IOS IPS Configuration show ip ips signature count
ip ips config location flash:ipstore retries 1 Total Compiled Signatures:
ip ips notify SDEE 338 -Total active compiled signatures
ip ips name ips-policy
ip ips signature-category
category all
retired true
category ios_ips basic

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 19

Comprehensive, Scalable
IPS Management IPS
Integrated, Collaborative Security for the Branch
ƒ Full range of management options:
Cisco SDM 2.5 † provides full IPS provisioning and monitoring for single router
Cisco Security Manager 3.1† / CS-MARS for Enterprise IPS
CLI option supports automated provisioning and signature update†
Cisco Configuration Engine for MSSP—scales to thousands of devices‡

ƒ Operational consistency across Cisco IPS portfolio
ƒ Risk Rating and Event Action Processor (SEAP) reduce
false positives‡
ƒ Enhanced Microsoft signature support (MSRPC and SMB)†

† New in Cisco IOS 12.4(15)T2
‡ Unique in the Industry

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 20

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco IOS Transparent IPS
Use Case: IPS Between Wireless and Wired LANs IPS

ƒ Introduces “stealth IPS” capability
No IP address associated with IPS (nothing to attack)
IOS Router is bridging between the two “halves” of the network

ƒ Both “wired” and wireless segments are in same subnet
192.168.1.0/24
ƒ VLAN 1 is the “private” protected network.

192.168.1.3

Wireless
Fa 0/0
Internet
VLAN 1
Transparent
192.168.1.2 IPS

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 21

Cisco IOS Intrusion Prevention System (IPS)
Configuration (Command Line Interface (CLI)
Download Cisco IOS IPS Files to your PC Cisco IOS IPS Configuration (Con’t)
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup interface VLAN 1
IOS-Sxxx-CLI.pkg description private interface
realm-cisco.pub.key.txt bridge-group 1
ip ips ips-policy out
Configure Cisco IOS IPS Crypto Key
mkdir ips5 (Create directory on flash) interface VLAN 2
Paste the crypto key from description private interface
realm-cisco.pub.key.txt bridge-group 1
ip ips ips-policy in
Cisco IOS IPS Configuration
ip ips config location flash:ips5 retries 1 Load the signatures from TFTP server
ip ips notify SDEE copy tftp://192.168.10.4/IOS-S289-CLI.pkg
ip ips name ips-policy idconf
ip ips signature-category Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
category all
retired true show ip ips signature count
category ios_ips basic Total Compiled Signatures:
338 -Total active compiled signatures
retired false
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 22

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco IOS URL Filtering URL
Filtering

Internet Usage Control
ƒ Control employee access to
entertainment sites during
work hours Internet

ƒ Control downloads of
Branch Web
objectionable or offensive Office Surfing
material, limit liabilities
ƒ Cisco IOS supports static whitelist
and blacklist URL filtering
ƒ External filtering servers such as
Websense, Smartfilter can be
used at the corporate office, with
Cisco IOS static lists as backup
ƒ SDM 2.3 supports configuring
static lists and importing .csv files
for URL lists

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 23

Router Hardening Network
Foundation
Protection

A router can be logically divided
Data Plane into three functional planes:
Ability to forward 1. Data plane: The vast majority of
data packets handled by a router travel
through the router by way of the
data plane
Control Plane
2. Management plane: Traffic from
Ability to route management protocols and other
interactive access protocols, such
as Telnet, Secure Shell (SSH)
protocol, and SNMP, passes
Cisco NFP Management through the management plane
Plane 3. Control plane: Routing control
Ability to manage protocols, keepalives, ICMP with
IP options, and packets destined
to the local IP addresses of the
Think “Divide and Conquer”: router pass through the control
plane
Methodical Approach to Protect
Three Planes

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 24

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Network Foundation Protection

ƒ Detects traffic anomalies & respond to attacks in real-time
Data Plane ƒ Technologies: NetFlow, IP source tracker, ACLs, uRPF, RTBH,
QoS tools

ƒ Defense-in-depth protection for routing control plane
Control Plane ƒ Technologies: Receive ACLs, control plane policing, iACL’s,
neighbor authentication, BGP best practices

ƒ Secure and continuous management of Cisco IOS network
Management infrastructure
Plane ƒ Technologies: CPU & memory thresholding, dual export syslog,
image verification, SSHv2, SNMPv3, security audit, CLI views

http://www.cisco.com/go/nfp
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 25

Router Hardening: Traditional Methods
ƒ Disable any unused protocols ƒ Use ‘type 5’ password
ƒ VTY ACLs ‘service password encryption’ is
reversible and is only meant to
ƒ SNMP prevent shoulder surfing

Community ACL ƒ Run AAA
Views Don’t forget Authorization
and Accounting
Disable SNMP RW
ƒ Disable extraneous
Use SNMPv3 for RW if needed
interface features
ƒ Prevent dead TCP sessions
ƒ Encrypt Sessions
from utilizing all VTY lines
service tcp-keepalives-in
SSH
IPSec

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 26

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Best Practice - Features to Disable
BOOTP IP redirects
CDP IP Source Routing
Configuration auto-loading IP unreachable notifications
Identification service
DNS
NTP
DHCP Server
PAD Service
Finger Proxy Arp
HTTP Server Gratuitous Arp
FTP Server SNMP
TFTP Server TCP Small Servers
UDP Small Servers
IP Directed Broadcast
MOP Service
IP mask reply
TCP keep-alives
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 27

Cisco IOS Control Plane Policing Network
Foundation
Protection
Continual Router Availability Under Stress
ƒ Mitigates DoS attacks on control plane (route processor) such as
ICMP floods
ƒ Polices and throttles incoming traffic to control plane; maintains packet
forwarding and protocol states during attacks or heavy traffic load
Control Plane

Management Routing Management
ICMP IPv6 …..
SNMP, Telnet Updates SSH, SSL

Input Output
to control plane from control plane

Control Plane Policing Silent Mode
(alleviates DoS attacks) (prevents
reconnaissance)
Processor
Switched Packets

Packet Output Packet
Buffer Buffer
Incoming Locally
Packets Switched Packets

CEF/FIB Lookup

Cisco.com/go/nfp
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 28

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco IOS AutoSecure Network
Foundation
Protection
One Touch Automated Router Lockdown
Disables Non-Essential Services
ƒ Eliminates DoS attacks based on fake
requests
ƒ Disables mechanisms that could be
used to exploit security holes

Enforces Secure Access
ƒ Enforces enhanced security in
accessing device
ƒ Enhanced security logs
ƒ Prevents attackers from knowing
packets have been dropped

Secures Forwarding Plane
ƒ Protects against SYN attacks
ƒ Anti-Spoofing
ƒ Enforces stateful firewall configuration
on external interfaces, where available http://www.cisco.com/go/autosecure
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 29

Secure Connectivity

Secure Connectivity
GET VPN DMVPN Easy VPN SSL VPN

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 30

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco IPsec VPN Technologies

Features Easy VPN DMVPN GET VPN

Infrastructure Network ƒ Public Internet Transport ƒ Public Internet Transport ƒ Private IP Transport

ƒ Hub-Spoke; (Client to ƒ Hub-Spoke and Spoke-to- ƒ Any-to-Any;
Network Style
Site) Spoke; (partial mesh) (full-mesh)

ƒ Dynamic routing on ƒ Dynamic routing on IP
Routing ƒ Reverse-route Injection
tunnels WAN

ƒ Stateful Hub Crypto ƒ Route Distribution Model
Failover Redundancy ƒ Route Distribution Model
Failover + KS: Stateful

Encryption Style ƒ Peer-to-Peer Protection ƒ Peer-to-Peer Protection ƒ Group Protection

ƒ Multicast replication at ƒ Multicast replication at ƒ Multicast replication in IP
IP Multicast
hub hub WAN network

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 31

Cisco GET VPN GET VPN

GET VPN Simplifies Security Policy and GET VPN Uses IP Header Preservation
Key Distribution to Mitigate Routing Overlay
Group
Original IP packet
Group
Member Member IP IP Header IP Payload
Subnet 1 Packet
Subnet 3

Private IPsec Tunnel Mode
Group WAN Group
IPsec

Member Member New IP
ESP Header
Original
Original
Header IPIP
Header IP Payload
Header
Subnet 2 Subnet 4
IP Header Preservation
GET

Key Original IP Original
Original
ESP Header IPIP
Header IP Payload
Server Header Header
Key Server

ƒ GET uses Group Domain of Interpretation (GDOI): RFC 3547
standards-based key distribution
ƒ GET adds cooperative key servers for high availability
ƒ Key servers authenticate and distribute keys and policies; group member
provisioning is minimized; application traffic is encrypted by group members
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 32

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco Dynamic Multipoint VPN DMVPN

ƒ Full meshed connectivity with Secure On-Demand
simple configuration of hub Meshed Tunnels
and spokes Hub

ƒ Supports dynamically
addressed spokes
ƒ Zero touch configuration for
addition of new spokes WAN
Spoke C

What’s New in Phase 3
ƒ Improved Scaling—NHRP/CEF Rewrite
and EIGRP Scaling enhancements Spoke A Spoke B
ƒ Manageability Enhancements = DMVPN Tunnels
= Traditional Static Tunnels
= Static Known IP Addresses
Cisco.com/go/dmvpn = Dynamic Unknown IP Addresses
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 33

Cisco Enhanced Easy VPN Easy VPN

Centralized Policy-Based Management
ƒ Automated deployments—no user intervention
Enforces consistent policy on remote devices What’s New in Easy VPN?
Add new devices without changes at headend
ƒ CTA/NAC policy enforcement
ƒ Supports dynamic connections with VPN ƒ Centralized policy push for
integrated client firewall
ƒ Interoperable across Cisco access and
security devices ƒ Password aging via AAA
ƒ cTCP NAT transparency and
ƒ Cisco VPN client—the only FIPS-certified client firewall traversal
ƒ DHCP client proxy and DDNS
registration
1. Remote calls ‘home’
ƒ Split DNS
ƒ Per-user policy from Radius
3. VPN tunnel
ƒ Support for identically
Cisco Security addressed spokes behind
Router Corporate NAT with split tunnels
2. Validate, Policy push
Office
ƒ VTI manageability—Display of
VRF information, summary
Internet
commands
Cisco VPN Software
Hardware Client: Cisco
ASA, PIX®, Security Router Client on PC/MAC/UNIX http://www.cisco.com/go
BRKSEC-2007
/easyvpn
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 34

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco IOS SSL VPN SSL VPN

Clientless Access Full Network Access

Internet Internet

SSL IP over SSL

Web based + Application Helper IP-Based Applications
ƒ Browser-based (clientless) ƒ Application agnostic
ƒ Gateway performs content ƒ Tunnel client dynamically loaded
transformation ƒ No reboot required after installation
ƒ File sharing (CIFS), OWA, Citrix ƒ Client may be permanently installed
ƒ Java-based application helper or removed dynamically

ƒ Cisco Router and Security Device Manager—Simple GUI-based provisioning and
management with step-by-step wizards for turnkey deployment
ƒ Cisco Secure Desktop—Prevents digital leakage, protects user privacy, easy to
implement and manage, and works with desktop guest permissions
ƒ Virtualization and VRF awareness—Pool resources
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 35

Secure Connectivity Related Sessions
ƒ BRKSEC-3005 : Advanced Remote Access with
SSLVPN
ƒ BRKSEC-3008/2007 : Site to Site VPN with GETVPN
ƒ BRKSEC-3006 : Advanced Site to Site VPN Dynamic
Multipoint VPNs (DMVPN)

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 36

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Management and Instrumentation
Instrumentation and
Management SDM
Role Based
Access
NetFlow IP SLA

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 37

Cisco Security Management Suite

Cisco® Security Cisco Security
Device Manager Manager
• Quickest way to
setup a device
Quickest way to setup a device New solution for configuring
• Configures all routers, appliances, switches
device
Wizards toparameters
configure firewall,
• IPS, Ships
VPN,with
QoS, and wireless
device New user-centered design

Ships with device New levels of scalability

Cisco Security
MARS

Solution for monitoring
and mitigation

Uses control capabilities within
infrastructure to eliminate attacks

Visualizes attack paths

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 38

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Instrumentation
Your network management system is only as good as the data you can
get from the devices in the network

IP Service Level Agent Network performance data (latency & jitter)
(IP SLAs)
NetFlow and NBAR Detailed statistics for all data flows in the
network Advanced Netflow Deployment BRKNMS-3005
SNMP V3 and Reliable traps using SNMP informs
SNMP informs
Syslog Manager and Total flexibility to parse and control syslog
XML-formatted syslog messages on the router itself
Tcl Scripting and Flexible, programmatic control of the router
Kron (Cron) jobs
Role-Based CLI Access Provides partitioned, non-hierarchical, access
(e.g. Network and Security Operations)
EEM Solving Security Challenges using EEM
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 39

Design
Consideration

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 40

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Design Consideration
Cisco IOS Firewall Advanced
Firewall
ƒ Classic or Zone based Firewall
Zone based Firewall 12.4(4)T or Classic Firewall
All new features would be offered in zone based policy firewall configuration model;
no end-of-life plan for Classic Cisco IOS Firewall but there will be no new features
ASR1000 supports IOS Zone-based Firewall

ƒ Manageability
Provisioning firewall policies:
CLI, Cisco Security Manager, SDM and Config Engine
Monitoring firewall activity:
Syslog, snmp, screen-scrapes from "show" commands
Modifying Security policies
SDM supports zone-based Firewall

ƒ Interoperate
Cisco IOS Firewall interoperate with other features: NAT, VPN,
Intrusion Prevention System (IPS), WCCP/WAAS, proxy, URL Filtering and QoS

ƒ Memory Usage
Single TCP or UDP (layer3/4) session takes 600 bytes of memory
Multi-channel protocol sessions use more than 600 bytes of memory
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 41

Design Consideration
Cisco IOS Firewall

Cisco IOS Firewall Went Through a Paradigm Shift
12.4(4)T and Onward Supports Zone-Based IOS Firewall
Before Release 12.4(4)T &
Release 12.4(4)T & Later
12.4 Mainline
Interface based policies Zone based policies
No granular support Very granular Firewall policies
Support for Classic IOS Firewall Support for Classic IOS Firewall continued.
No new features on Classic IOS Firewall
No advanced AIC support Advanced protocol conformance support
(P2P, IM, VoIP, etc.)

Classic IOS Firewall Zone Based IOS Firewall
Supported in CSM and SDM Supported in SDM. CSM planned for CY2008
MIB support No MIB—Roadmap
IPv6 support No IPv6—Roadmap

Active/Passive failover support No Active/Passive failover—Roadmap

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 42

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Design Consideration
Cisco IOS Firewall Advanced
Firewall

ƒ Denial of Service (DoS) Protection Settings
Prior 12.4(11)T default DoS settings were set low
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_
paper0900aecd804e5098.shtml
12.4(11)T onwards DOS settings are max out by default

ƒ Addressing
Firewall policies can be made much more efficient with a well thought-out IP
address scheme

ƒ Performance Consideration
Cisco IOS Firewall Performance Guidelines for ISRs (800-3800)
http://www.cisco.com/en/US/partner/products/ps5855/products_white_
paper0900aecd8061536b.shtml
ASR1000 TCP/ICMP/UDP Inspection Performance (Up to 10G) with select ALGs
(SIP UDP, active FTP, DNS, H.323v2, SCCP)

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 43

Cisco IOS Firewall - ISRs
Real World Performance: HTTP

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 44

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Design Consideration
Cisco IOS Firewall Voice Features Advanced
Firewall

Protocol ISRs ASR1000 Comments

H.323 V1 & V2 Yes Yes Tested using CME 4.0

H.323 V3 & V4 No No Roadmap
H.323 RAS Yes No
H.323 T.38 Fax No No Roadmap
CCM 4.2 supported
SIP UDP Yes Yes RFC 2543, RFC 3261 not
supported
SIP TCP No No Roadmap
SCCP Yes Yes Tested with CCM 4.2/CME 4.0
Locally generated traffic
No No Roadmap
inspection for SIP/SCCP

For Cisco IOS® support, contact ask-stg-ios-pm@cisco.com with requirements
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 45

Design Consideration
Cisco IOS Flexible Packet Matching IOS FPM

ISR ASR1000
Functionality ACL
12.4(15)T2 RLS 2.2
# of ACEs per interface Unlimited Unlimited 60,000
# of match criteria/ ACE 4 Unlimited 2
Depth of Inspection 44 Bytes Full Pkt 256 B
Raw offset No Yes Yes
Relative offset (fixed header length No Yes Yes
support)
Dynamic offset (variable header No Yes No
length support)
Nested policies No Yes Yes
Nested class-maps No Yes Yes
Regex match No Yes Yes
String match No Yes Yes
Match string pattern window No Full Pkt Full Pkt
Protocol Support IPv4, TCP, UDP, IPv4, TCP, UDP, IPv4, TCP, UDP,
ICMP ICMP, Ethernet, GRE, ICMP, Ethernet
IPsec

Actions supported permit, deny, log permit, count, drop, log, permit, count, drop, log,
send-response, nested- send-response
policy redirect, rate limit

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 46

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Design Consideration
Cisco IOS IPS 4.x and 5.x

Cisco IOS IPS Went Through a Paradigm Shift
12.4(11)T2 and Onward Supports IPS 5.x
Before Release 12.4(11)T2 Release 12.4(11)T2 &
& 12.4 Mainline later
IOS IPS Internal 2.xxx.xxx 3.000.000
Version (show
subsys name ips)
Signature Format 4.x 5.x
Signature http://www.cisco.com/cgi- http://www.cisco.com/cgi-
Download URL bin/tablebuild.pl/ios-sigup bin/tablebuild.pl/ios-v5sigup
Signature Pre Tuned Signature Files Signature package
Distribution Basic/Advanced SDF Files IOS-Sxxx-CLI.pkg
Loading Signatures From a single SDF file From a set of configuration
files
Configuration of Flat single SDF file approach Hierarchical multi-
Signatures level/multi-file approach

Signature Update for Cisco IOS IPS 4.X (12.4(9)T or Prior)
Will Continue Till ?
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 47

Design Consideration
Migrating to Cisco IOS IPS 5.x (12.4(11)T2)

ƒ Option 1: Existing customer using non-customized pre-built
signature files (SDFs)
No signature migration needed
Signatures in 128MB.sdf are in IOS-Basic Category
Signatures in 256MB.sdf are in IOS-Advanced Category
ƒ Option 2: Existing customer using customized pre-built
signature files (SDFs)
Signature migration (TCL) script available on Cisco.com to convert
customized SDF to 5.x format
This migration script does not migrate user-defined (non-Cisco)
signatures
ƒ Migration Guide:
http://www.cisco.com/en/US/products/ps6634/products_
white_paper0900aecd8057558a.shtml
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 48

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Design Consideration
Cisco IOS IPS—12.4(11)T2 and Later Release IOS IPS

Manageability
ƒ Provisioning IPS policies:
CLI, Cisco Security Manager, SDM and Config Engine

ƒ Signature Tuning and Update:
The basic category is the Cisco recommended signature set
for routers with 128 MB RAM and the advanced category is
for 256MB RAM
Signature tuning with Command line Interface (CLI) is available after 12.4(11)T
Signature package update align with Cisco sensors 42xx. (Auto Update via CSM)

ƒ Monitoring IPS activity:
Reporting via CS-MARS (SDEE and Syslog support) and screen-scrapes from
"show" commands

ƒ Modifying Security policies:
SDM/CSM supports IPS

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 49

Design Consideration
Provisioning and Monitoring Options

IPS Signature Provisioning IPS Event Monitoring

Up to 5 More than 5 1 Up to 5 More than 5
Cisco Same signature set/policy: Cisco IPS Cisco Cisco Security
Security Opt 1: Cisco Security Manager Event IEV or MARS x.3.2
Device (CSM) Viewer syslog (model and
Manager Opt 2: Cisco SDM and Cisco (IEV) server quantity
(SDM) Configuration Engine to copy depends on #
or
generated IPS files to large # of of routers,
routers Cisco topology and
SDM cumulative
Different signature set/policy:
EPS)
Single or multiple instances of CSM

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 50

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Design Consideration
Cisco IOS Intrusion Prevention System (IPS)

ƒ Performance Consideration
Performance of router is not effected by adding more signatures

ƒ Memory Usage
Signature compilation process is highly CPU-intensive while the
signatures are being compiled. The number of signatures that
can be loaded on a router is memory-dependent

ƒ Fragmentation
Cisco IOS IPS uses VFR (Virtual Fragmentation Reassembly)
to detect fragmentation attacks

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 51

Cisco IOS IPS and Out-of-Order Packets

ƒ Cisco IOS IPS supports Out-of-Order packet starting
from the following two releases:
Release 12.4(9)T2
Release 12.4(11)T

ƒ Configurable via CLI: ip inspect tcp reassembly
ƒ Notification for packets dropped due to insufficient
buffer space

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 52

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco Security Manager 3.1
Cisco IOS IPS Signature List View

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 53

Cisco IOS IPS and Auto Update
SDM CSM

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 54

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Design Consideration
IOS IPS and IPS Appliances/Modules
Cisco IOS IPS Cisco IOS IPS Cisco IPS 42xx sensors, IDSM2,
Release 12.4(9)T Release 12.4(11)T SSM-AIP, NM-CIDS modules

Signature Format 4.x 5.x/6.0 5.x/6.0

Signature Updates & Tuning using SDF using IDCONF using IDCONF

Subset of 1700+ signatures (depends 1900+ signatures selected by
Signatures Supported
on router model/DRAM) default
IOS-Basic or IOS-
Recommended (pre-built or Basic or
Advanced
default) Signature Set Advanced SDF All signatures alarm-only
Category

Day-Zero Anomaly Detection No Available in 6.0 release

Transparent (L2) IPS Yes Yes

Rate Limiting No Yes

IPv6 Detection No Yes

Signature Event Action Proc. No Yes Yes

Meta Signatures No Yes

Voice, Sweep & Flood Engines No Yes (H.225 for voice)

Event Notification Syslog & SDEE SDEE

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 55

IPS Solutions on Cisco ISRs
Cisco IOS IPS Cisco IPS AIM Cisco NM-CIDS

Dedicated CPU/DRAM for IPS No Yes Yes

Inline and Promiscuous Detection No, Promiscuous Mode
Yes Yes
and Mitigation Only
Subset of 2000+
Full Set Signatures Full Set Signatures
Signature Supported Signatures, Subject to
(2200+) (2200+)
Available Memory
Automatic Signature Updates Yes Yes Yes
Day-zero Anomaly Detection No Yes Yes
Rate Limiting No Yes Yes

Cisco Security Agent and Cisco IPS
No Yes No
Collaboration

Meta Event Generator No Yes Yes
Event Notification Syslog, SDEE SNMP and SDEE SNMP and SDEE
Device Management CLI, SDM IOS CLI, IDM IPS CLI, IDM
System/Network Management CSM CSM CSM
IEV, CS-MARS, On-box IEV, CS-MARS, On-box
Event Monitoring and Correlation IEV, CS-MARS
Meta Event Generator Meta Event Generator

Note: Only One IPS Solution May Be Active in the Router. All Other Must Be Removed or Disabled.
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 56

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Design Consideration
Recommendation

ƒ New web and collateral content at http://www.cisco.com/go/iosips/
ƒ Use the latest T Train image: 12.4(15)T2
Native support for Microsoft SMB and MSRPC signatures
Works with WAAS Module if Zone-Based FW also configured
Includes many bug fixes for SDM interoperability, etc.

ƒ To use IOS IPS with WAAS (WAN Optimization) Module:
You must use 12.4(11)T2/T3 or 12.4(15)T2 image
If IPS is applied on the optimized WAN interface, you must also configure Zone-
Based Firewall for a zone including that interface
ASR1000 introduces this fix-up in RLS 2.2 for IOS Firewall

ƒ If working with an image prior to 12.4(11)T or any Mainline image:
Use the latest Basic (128MB.sdf) and Advanced (256MB.sdf) signature files at
http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup/

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 57

Agenda

ƒ Drivers for IOS Security
ƒ Technology Overview
ƒ Design Considerations
ƒ Deployment Models
ƒ Real World Use Cases
ƒ Case Study
ƒ Summary

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 58

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Deployment Models

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 59

Enterprise Branch and HQ Profiles

Single Router Model Dual Router Model

QFP QFP
QFP QFP

Private Head Quarter Head
Private Quarter
Wan
WAN

Internet

Security Services Security Services
Cisco IOS Firewall Cisco IOS Firewall
Cisco IOS IPS Cisco IOS IPS
Infrastructure Protection Infrastructure Protection
ACLs ACLs
IPsec VPNs IPsec VPNs

Branch Branch
Office Office
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 60

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Enterprise Branch and HQ
Single Router Model

Single Router Model
ƒ Primary: Internet with
IPSec VPN - IPVPN
ƒ Backup: None
QFP
QFP
ƒ Internet access is via
Head Quarter split-tunneling
Internet

Security Services
Cisco IOS Firewall
Cisco IOS IPS
Infrastructure Protection
ACLs

Branch
Office
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 61

Enterprise Branch and HQ Profile
Single Router Model

Single Router Model
ƒ Primary WAN Services:
Lease line/E1/Fiber or
IP VPN
QFP

QFP
ƒ Backup: Internet (ADSL)
with VPN or UMTS
Private Head Quarter
Wan ƒ Internet access is via split-
tunneling
Internet
ƒ Failover: Routing protocol
with EOT (Enhanced
Security Services
Cisco IOS Firewall
Object Tracking)
Cisco IOS IPS
Infrastructure Protection
ACLs

Branch
Office
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 62

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Enterprise Branch and HQ Profile
Single Router Model

Single Router Model
ƒ Primary WAN Services:
Lease line/E1/Fiber
ƒ Backup: Leased line/E1/Fiber
QFP
QFP
ƒ Internet access policy
Head Quarter enforced via Head Quarter
Private
Wan ƒ Failover: Routing Protocol

Security Services
Cisco IOS Firewall
Cisco IOS IPS
Infrastructure Protection
ACLs

Branch
Office
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 63

Enterprise Branch and HQ Profile
Dual Router Model

Dual Router Model
ƒ Primary WAN Services:
Lease line/E1/Fiber
ƒ Backup: Leased
QFP line/E1/Fiber
QFP

Head Quarter ƒ Internet access
Private
policy enforced via Head
WAN Quarter
ƒ Stateful Firewall
(Stateful Failover)
Security Services
Cisco IOS Firewall
Cisco IOS IPS
Infrastructure Protection
ACLs

Branch
Office
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 64

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Agenda

ƒ Drivers for IOS Security
ƒ Technology Overview
ƒ Design Considerations
ƒ Deployment Models
ƒ Real World Use Cases
ƒ Case Study
ƒ Summary

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 65

Real World
Use Cases

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 66

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Real World Use Cases

1. Protect the Inside LAN and DMZ at Branch Office and
HQ with NetFlow Event Logging
2. Protect Servers at Branch Office and HQ
3. Virtual Firewall and IPS at the Branch Office
4. Blocking Peer-to-Peer and Instant Messaging
Applications at the Branch
5. Load Balancing and Failover with two Providers
a. Load Balancing
b. Failover

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 67

1. Protect the Inside LAN at Branch Office
with Split Tunneling Deployed Advanced
Firewall

Cisco IOS Firewall and IPS Policies:
ƒ Allow authenticated users to access corporate resources
ƒ Restrict guest users to Internet access only
ƒ Control peer-to-peer and instant messaging applications

Employees can
access corporate
network via
encrypted tunnel

IPsec
Employees Tunnel
QFP
192.168.1.x/24

Internet
Branch Office
Router Inspect Head Quarter
Internet
Guests can traffic
access
Wireless Guests Internet only
192.168.2.x/24
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 68

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
1. Firewall Configuration Snippet at
Branch
Classification: Security Zones:
class-map type inspect match-any protocols zone security private
match protocol dns zone security public
match protocol https
match protocol icmp Security Zone Policy:
match protocol imap zone-pair security zone-policy source
private destination public
match protocol pop3
service-policy type inspect firewall-policy
match protocol tcp
!
match protocol udp
interface VLAN 1
Order of match statement description private interface
is important
zone-member security private
Security Policy: !
policy-map type inspect firewall-policy interface fastethernet 0
class type inspect protocols description public interface
inspect zone-member security public

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 69

1. Firewall Configuration Snippet at HQ
Classification:
Security Zones:
class-map type inspect match-any fw-class
zone security public
match protocol udp
zone security dmz
match protocol tcp
policy-map type inspect fw-policy
Security Zone Policy:
class type inspect fw-class
zone-pair security zone-policy source
inspect log public destination dmz
class class-default service-policy type inspect firewall-policy
parameter-map type inspect firewall-policy !
log dropped-packets interface G0/1/0
log flow-export v9 udp destination 1.1.28.199 description public interface
2055 zone-member security public
log flow-export template timeout-rate 30 !
interface g0/1/1
description dmz interface
zone-member security dmz

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 70

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
1. Cisco IOS Zone-Based Firewall (SDM)
for ISRs

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 71

1. IPS Configuration Snippet
Download Cisco IOS IPS Files to your PC Cisco IOS IPS Configuration (Con’t)
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup retired false
IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt interface fast Ethernet 0
ip ips ips-policy in
Configure Cisco IOS IPS Crypto Key
mkdir ipstore (Create directory on flash) Load the signatures from TFTP server
Paste the crypto key from copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
realm-cisco.pub.key.txt Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

Cisco IOS IPS Configuration show ip ips signature count
ip ips config location flash:ipstore retries 1 Total Compiled Signatures:
ip ips notify SDEE 338 -Total active compiled signatures
ip ips name ips-policy
ip ips signature-category
category all
retired true
category ios_ips basic

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 72

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
1. Cisco IOS IPS Signatures and
Categories (SDM) for ISRs

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 73

1. Deploying IOS Firewall Split
Tunneling (CSM) on ISRs

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 74

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
1. Deploying IOS IPS (CSM) on ISRs

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 75

2. Protect Servers at Branch Office Advanced
Firewall

ƒ Cisco IOS® Firewall and IPS policies applied to DMZ
protect distributed application servers and Web servers hosted
at remote sites
Servers
192.168.3.14-16/24
Servers
hosted
separately
in DMZ

IPsec
Employees Tunnel
192.168.1.x/24

Internet
Branch Office
Router Head Quarter

Wireless Guests
192.168.2.x/24
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 76

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
2. IPS Configuration Snippet
a. Download Cisco IOS IPS Files to your PC d. Cisco IOS IPS Configuration (Con’t)
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup retired false
IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt interface fast Ethernet 1
description DMZ interface
b. Configure Cisco IOS IPS Crypto Key ip ips ips-policy out
mkdir ips5 (Create directory on flash)
Paste the crypto key from e. Load the signatures from TFTP server
realm-cisco.pub.key.txt copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
c .Cisco IOS IPS Configuration
ip ips config location flash:ips5 retries 1 show ip ips signature count
ip ips notify SDEE Total Compiled Signatures:
ip ips name ips-policy 338 -Total active compiled signatures
ip ips signature-category
category all
retired true
category ios_ips basic

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 77

2. Firewall Configuration Snippet
Classification: Security Zone Policy:
class-map type inspect match-all web-dmz zone-pair security zone-policy source
public destination dmz
match protocol http
service-policy type inspect firewall-policy
match access-group 199
!
interface VLAN 1
access-list 199 permit tcp any host 192.168.10.3
description private interface
zone-member security private
Security Policy:
!
policy-map type inspect firewall-policy
interface fastethernet 0
class type inspect web-dmz
description public interface
Inspect
zone-member security public

Security Zones:
interface fastethernet 1
zone security private
description dmz interface
zone security public
zone-member security dmz
zone security dmz
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 78

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
3. Virtual Firewall and IPS Advanced
Firewall

ƒ Cisco IOS Firewall, NAT, and URL-filtering policies are virtual route
forwarding (VRF) aware, providing support for overlapping address space,
which simplifies troubleshooting and operations
Photo Shop
192.168.1.x/24

Separate IPsec tunnels
for Photo Shop and IPsec
Retail Store traffic Tunnel

VRF A
Photo Shop Head
Retail Store Cash Register VRF B Quarter
192.168.2.x/24
VRF C
Internet
Store Router IPsec
Tunnel

Supports
overlapping
address space Retail Store
Internet Services
Head Quarter
192.168.2.x/24
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 79

3. Firewall Configuration Snippet
Classification: Security Policy (Continued):
class-map type inspect retail-hq policy-map type inspect hq-retail
match protocol ftp class type inspect hq-retail
match protocol http
inspect
match protocol smtp extended
class class-default
class-map type inspect hq-retail
match protocol smtp extended drop log
class-map type inspect photo-hq policy-map type inspect photo-hq
match protocol http class type inspect photo-hq
match protocol rtsp inspect
class-map type inspect hq-photo class class-default
match protocol h323 drop log
Security Policy policy-map type inspect hq-photo-
policy-map type inspect retail-hq class type inspect hq-photo
class type inspect retail-hq inspect
inspect class class-default
class class-default drop log
drop log

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 80

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
3. Deployed Firewall Configuration
Snippet (SDM)

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 81

4. Blocking Peer-to-Peer and Instant
Messaging Applications Advanced
Firewall

ƒ Cisco IOS Firewall can block/rate-limit instant messaging (IM)
applications like MSN, AOL and Yahoo.
Servers
192.168.3.14-16/24

Blocking the Instant
Messengers e.g.
MSN IPsec
Employees Tunnel
192.168.1.x/24 QFP

Internet
Branch Office
Router Head Quarter

Wireless Guests
192.168.2.x/24
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 82

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
4. Firewall Configuration Snippet
Security Zones: Virtualization (Virtual Routing and Forwarding)
zone security retail-LAN interface FastEthernet0/1.10
zone security retail-VPN encapsulation dot1Q 10
zone security photo-LAN ip vrf forwarding retail
zone security photo-VPN zone-member security retail-LAN
!
Security Zone Policy: interface Tunnel0
zone-pair security retail-VPN ip vrf forwarding retail
source retail-LAN destination retail-VPN zone-member security retail-VPN

zone-pair security VPN-retail interface FastEthernet0/1.20
source retail-VPN destination retail-LAN encapsulation dot1Q 20
ip vrf forwarding photo
zone-pair security photo-VPN zone-member security photo-LAN
source photo-LAN destination photo-VPN !
interface Tunnel0
zone-pair security VPN-photo ip vrf forwarding photo
source photo-VPN destination photo-LAN zone-member security photo-VPN

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 83

4. Deployed Firewall Configuration
Snippet
Servers List: IM-Blocking Policy:
parameter-map type protocol-info msn-servers policy-map type inspect IM-blocking
server name messenger.hotmail.com class type inspect IMs
server name gateway.messenger.hotmail.com drop log
server name webmessenger.msn.com Security Zones
zone security public
parameter-map type protocol-info aol-servers zone security private
server name login.oscar.aol.com Zone Policy
server name toc.oscar.aol.com zone-pair security IM-Zone-policy source
server name oam-d09a.blue.aol.com private destination public
service-policy type inspect IM-blocking
Classification:
class-map type inspect match-any IM interface VLAN 1
match protocol msnmsgr msn-servers description private interface
match protocol aol aol-servers zone-member security private

class-map type inspect match-all IMs interface fastethernet 0
match class-map IM description public interface
zone-member security public
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 84

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
4. Blocking Instant Messaging
MSN/AOL (SDM)

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 85

5a. Load Balancing with
Two Providers Advanced
Firewall

ƒ Cisco IOS Firewall supports WAN Load balancing

Servers
192.168.3.14-16/24
WAN Load Balancing
Multi-Home NAT
Destination Based Load
Balancing
Zone Based Firewall
ISP-1 IPsec
Employees Tunnel
192.168.1.x/24 QFP

Internet
Branch Office ISP-2
Router Head Quarter

Wireless Guests
192.168.2.x/24
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 86

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
5a. Configuration Snippet
Classification: WAN Load balancing Configs(Con’t)
class-map type inspect match-any internet route-map dsl1 permit 10
match protocol http
match ip address 121
match protocol https
match interface Dialer1
match protocol dns
match protocol smtp
match protocol icmp route-map dsl0 permit 10
! match ip address 120
! match interface Dialer0
policy-map type inspect private
class type inspect internet access-list 120 permit ip 192.168.10.0
inspect 0.0.0.255 any
class class-default
access-list 121 permit ip 192.168.10.0
WAN Load balancing Configs 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 Dialer1 Policy Based Routing
ip route 0.0.0.0 0.0.0.0 Dialer0
! route-map IPSEC permit 10
match ip address 128
ip nat inside source route-map dsl0 interface match interface Dialer1
Dialer0 overload access-list 128 permit esp 192.168.10.0
0.0.0.255 any
ip nat inside source route-map dsl1 interface
dialer1 overload
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 87

5a. Configuration Snippet
Security Zones Configs
zone security trust
zone security untrust

zone-pair security firewall source trust
destination untrust
!
service-policy type inspect private
Interface Configs:
interface Dialer0
zone-member security untrust
ip nat outside
!
interface Dialer1
zone-member security untrust
ip nat outside
!
interface BVI1
zone-member security trust
ip nat inside
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 88

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
5b. Failover with Two Providers Advanced
Firewall

ƒ WAN Object Tracking
Servers
192.168.3.14-16/24
WAN Failover
Object Tracking
Fail Over
Zone Based Firewall

ISP-1 IPsec
Employees Tunnel
192.168.1.x/24 QFP

Internet
Branch Office ISP-2
Router Head Quarter

Wireless Guests
192.168.2.x/24

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 89

5b. Configuration Snippet—
Private Zone Policy
Tracking Configuration: (Object Tracking) Interface Configurations:
track timer interface 5 Interface Dialer 0
! description WAN-Backup interface
track 123 rtr 1 reachability ip address negotiated
delay down 15 up 10 ip nat outside
ip sla 1 NAT Configuration:
icmp-echo 172.16.1.1 source-interface Dialer0 ip nat inside source route-map fixed-nat
timeout 1000 interface Dialer0 overload
threshold 40 ip nat inside source route-map dhcp-nat
interface FastEthernet0 overload
frequency 3
ip sla schedule 1 life forever start-time now
route-map fixed-nat permit 10
match ip address 110
Interface Configurations: match interface Dialer0
interface FastEthernet0 !
description WAN-1 Interface route-map dhcp-nat permit 10
ip address dhcp match ip address 110
ip nat outside match interface FastEthernet0
ip dhcp client route track 123

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 90

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
5b. Configuration Snippet—
Private Zone Policy
NAT Configuration (Con’t): Security Zones Configs
access-list 110 permit ip 192.168.108.0 0.0.0.255 zone security trust
any
zone security untrust

Routing Configuration zone-pair security firewall source trust
destination untrust
ip route 0.0.0.0 0.0.0.0 dialer 0 track 123 !
ip route 0.0.0.0 0.0.0.0 dhcp 10 service-policy type inspect private

Classification: interface FastEthernet0
class-map type inspect match-any internet description WAN- Interface
match protocol http
match protocol https Member security zone untrust
match protocol dns
match protocol smtp
match protocol icmp Interface Dialer0
!
! description Backup-Interface
policy-map type inspect private
class type inspect internet member security zone untrust
inspect
class class-default
interface Vlan1
member security zone trust

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 91

Case Study

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 92

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Education—Centralized Deployment

URL Filtering Internet

School T1

URL Filtering
T1
Private WAN QFP

School
T1

Apply Intrusion Prevention
System (IPS) on traffic from
Schools to kill worms from
infected PCs

URL Filtering
School

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 93

Education—Decentralized Deployment

URL Filtering Internet

Backup
School
DSL
Illegal
T1 surfing
DSL

Internet T1
Private WAN
School District School
T1
Backup Building
DSL
Apply IPS on traffic from
Schools to kill worms
from infected PCs
Secure Internet
ƒ Advanced Layer School
3-7 firewall
ƒ Web usage control

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 94

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Summary

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 95

Summary

ƒ There is an established and increasing trend of
integrated services in routing industry
ƒ Integrated Services Edge has become more common
deployment over distributed architecture
ƒ Cisco IOS network security technologies enable new
business applications by reducing risk, as well as
helping to protect sensitive data and corporate
resources from intrusion
ƒ Consolidation of branch office equipment for lowering
OPEX is giving rise to integrated security as evident
from the real world use cases

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 96

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Q and A

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 97

Recommended Reading

ƒ Continue your Cisco Live
learning experience with further
reading from Cisco Press
ƒ Check the Recommended
Reading flyer for suggested
books

Available Onsite at the Cisco Company Store
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 98

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Complete Your Online
Session Evaluation
ƒ Give us your feedback and you could win Don’t forget to activate
fabulous prizes. Winners announced daily. your Cisco Live virtual
account for access to
ƒ Receive 20 Passport points for each session all session material
evaluation you complete. on-demand and return
for our live virtual event
ƒ Complete your session evaluation online now in October 2008.
(open a browser through our wireless network Go to the Collaboration
to access our portal) or visit one of the Internet Zone in World of
stations throughout the Convention Center. Solutions or visit
www.cisco-live.com.

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 99

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 100

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Appendix

BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 101

Cisco Security Router Certifications
FIPS Common Criteria
140-2, Firewall
IPsec (EAL4)
Level 2 (EAL4)
Cisco® 870 ISR 9 Q3CY07 9

Cisco 1800 ISR 9 Q3CY07 9

Cisco 2800 ISR 9 Q3CY07 9

Cisco 3800 ISR 9 Q3CY07 9

Cisco 7200 VAM2+ 9 Q3CY07 9

Cisco 7200 VSA Q4CY07 Q3CY07 ---

Cisco 7301 VAM2+ 9 Q3CY07 9

Cisco 7600 IPsec VPN SPA 9 Q3CY07 ---

Cisco ASR1000 Series CY08 CY08 CY08

Catalyst 6500 IPsec VPN SPA 9 Q3CY07 ---

Cisco 7600 9 Q3CY07 9

BRKSEC-2007
Cisco.com/go/securitycert
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 102

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr
Cisco IOS Network Foundation
Protection Network
Foundation
Protection

Data Plane Feature Function and Benefit
ƒ Macro-level, anomaly-based DDoS detection through counting the number of
NetFlow
flows (instead of contents); provides rapid confirmation and isolation of attack
Access Control Lists ƒ Protect edge routers from malicious traffic; explicitly permit the legitimate traffic
(ACLs) that can be sent to the edge router's destination address
ƒ Next generation “Super ACL” – pattern matching capability for more granular
Flexible Packet Matching
and customized packet filters, minimizing inadvertent blocking of legitimate
(FPM)
business traffic
Unicast Reverse Path ƒ Mitigates problems caused by the introduction of malformed or spoofed IP
Forwarding (uRPF) source addresses into either the service provider or customer network
ƒ Drops packets based on source IP address; filtering is at line rate on most
Remotely Triggered
capable platforms. Hundreds of lines of filters can be deployed to multiple
Black Holing (RTBH)
routers even while the attack is in progress
ƒ Protects against flooding attacks by defining QoS policies to limit bandwidth or
QoS Tools
drop offending traffic (identify, classify and rate limit)
Control Plane Function and Benefit
Receive ACLs ƒ Control the type of traffic that can be forwarded to the processor
ƒ Provides QoS control for packets destined to the control plane of the routers
Control Plane Policing
ƒ Ensures adequate bandwidth for high-priority traffic such as routing protocols
ƒ MD5 neighbor authentication protects routing domain from spoofing attacks
Routing Protection ƒ Redistribution protection safe-guards network from excessive conditions
ƒ Overload protection (e.g. prefix limits) enhances routing stability
Management Plane Function and Benefit
CPU and Memory
ƒ Protects CPU and memory of Cisco® IOS® Software device against DoS attacks
Thresholding
Dual Export Syslog ƒ Syslog exported to dual collectors for increased availability
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 103

© 2006, Cisco Systems, Inc. All rights reserved.
14465_04_2008_c2.scr