
Page 1: BRKSEC-2007

© 2006, Cisco Systems, Inc. All rights reserved. 14465_04_2008_c2.scr

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public BRKSEC-2007 14465_04_2008_c2 2

Deploying IOS Security

BRKSEC-2007

Page 2: BRKSEC-2007


Agenda

Drivers for Integrated Security

Technology Overview

Design Considerations

Deployment Models

Real World Use Cases

Case Study

Summary


Security as an Option

Security as an add-on: challenging integration; not cost-effective; cannot focus on core priority.

Security built in: intelligent collaboration; appropriate security; direct focus on core priority.

Page 3: BRKSEC-2007


Threats and Challenges

Threats at the Branch Office and HQ (diagram): branch offices, headquarters and the Internet, with the threats shown against them: web surfing, DDoS on the router, worms/viruses, wireless attacks, voice attacks, attacks on branch servers, attack on the DMZ.


Requirement of an Integrated Security Solution: IOS Security

Securing the Branch Office and HQ (diagram): the same branch office, headquarters and Internet topology, with the threats (regulate surfing, DDoS on the router, worms congesting the WAN, voice attacks, attacks on branch servers, wireless attacks) countered by IOS security features: Network Foundation Protection, Application Firewall, IPS, FPM, URL Filtering, Voice Security, Wireless Security and an Integrated HQ Firewall.

Secure Internet access to the branch, without the need for additional devices

Control worms and viruses right at the remote site, conserving WAN bandwidth

Protect the router itself from hacking and DoS attacks

Page 4: BRKSEC-2007


Agenda

Drivers for Integrated Security

Technology Overview

Design Considerations

Deployment Models

Real World Use Cases

Case Study

Summary


Cisco IOS Security—Router Technologies

Secure Connectivity: IPsec VPN, SSL VPN, GET VPN, DMVPN

Integrated Threat Control: Network Admission Control, Advanced Firewall, Intrusion Prevention, URL Filtering, 802.1x, Network Foundation Protection, Flexible Packet Matching

Management and Instrumentation: SDM, NetFlow, IP SLA, Role Based Access

Secure Network Solutions: Secure Voice, Compliance, Secure Mobility, Business Continuity

Page 5: BRKSEC-2007


Integrated Threat Control

Cisco IOS Firewall (Classic and Zone-Based)

Cisco IOS Application Intelligence Control

Cisco IOS Intrusion Prevention System

Cisco IOS URL Filtering

Cisco IOS Flexible Packet Matching (FPM)

Cisco IOS Network Foundation Protection (NFP)


Cisco IOS Firewall Overview

Cisco IOS Firewall is a Common Criteria certified firewall

Stateful filtering

Application inspection (Layer 3 through Layer 7)

Application control—Application Layer Gateway (ALG) engines with a wide range of protocols and applications

Built-in DoS protection capabilities

Supports deployments with virtualization (VRFs), transparent mode and stateful failover

IPv6 support

http://www.cisco.com/go/iosfw

Advanced Layer 3–7 Firewall

Page 6: BRKSEC-2007


Cisco IOS Zone-Based Policy Firewall

Allows grouping of physical and virtual interfaces into zones

Firewall policies are applied to traffic traversing zones

Simple to add or remove interfaces and integrate into firewall policy

Diagram: Trusted (private), Untrusted (public, toward the Internet) and DMZ zones, with a policy per zone pair: Private-Public Policy, Public-DMZ Policy, DMZ-Private Policy, Private-DMZ Policy

Supported features: stateful inspection; application inspection (IM, POP, IMAP, SMTP/ESMTP, HTTP); URL filtering; per-policy parameters; transparent firewall; VRF-aware firewall (virtual firewall)


Cisco IOS Zone-Based Firewall—Rule Table (SDM screenshot)

Page 7: BRKSEC-2007


Cisco IOS Zone-Based Policy Firewall Configuration (CLI)

Define services inspected by policy:

class-map type inspect match-any services
 match protocol tcp
!
Configure firewall action for traffic:

policy-map type inspect firewall-policy
 class type inspect services
  inspect
!
Define zones:

zone security private
zone security public
!
Establish zone pair, apply policy:

zone-pair security private-public source private destination public
 service-policy type inspect firewall-policy
!
Assign interfaces to zones:

interface fastethernet 0/0
 zone-member security private
!
interface fastethernet 0/1
 zone-member security public


Cisco IOS Transparent Firewall

Introduces “stealth firewall” capability: no IP address is associated with the firewall (nothing to attack)

No need to renumber or break up IP subnets

The IOS router bridges between the two “halves” of the network

Use case: firewall between wireless and wired LANs. Both the wired and wireless segments are in the same subnet, 192.168.1.0/24; VLAN 1 is the “private” protected network; wireless is not allowed to access the wired LAN.

Diagram: Fa 0/0 toward the Internet; VLAN 1 (wired, host 192.168.1.3) and the wireless segment bridged through the transparent firewall (192.168.1.2).

Page 8: BRKSEC-2007


Transparent Cisco IOS Firewall Configuration (CLI)

Layer 2 configuration (bridging):

bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
Classification:

class-map type inspect match-any protocols
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
!
Security policy:

policy-map type inspect firewall-policy
 class type inspect protocols
  inspect
!
Security zones:

zone security wired
zone security wireless
!
Security zone policy:

zone-pair security zone-policy source wired destination wireless
 service-policy type inspect firewall-policy
!
interface VLAN 1
 description private interface
 bridge-group 1
 zone-member security wired
!
interface VLAN 2
 description public interface
 bridge-group 1
 zone-member security wireless
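The two configurations above (the routed private/public firewall and the wired/wireless transparent one) rely on the same zone-pair semantics: traffic between zones is dropped unless a zone-pair exists for that direction and its policy inspects the flow, and an inspected flow's return traffic is admitted by the session it created. The following Python model is an added example for this deck, not Cisco code; it assumes a simplified flow (ingress and egress interface, transport, application name, addresses), a session table keyed on those fields, and the ZBF defaults that same-zone traffic passes and class-default drops. Zone, class-map and interface names come from the two CLI examples.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_if: str      # ingress interface
    dst_if: str      # egress interface
    transport: str   # "tcp", "udp" or "icmp"
    app: str         # application as "match protocol" names it (http, dns, ...)
    src: str         # source address
    dst: str         # destination address

    def key(self):
        return (self.src, self.dst, self.app)

    def reverse_key(self):
        return (self.dst, self.src, self.app)


@dataclass
class ZoneBasedFirewall:
    zone_of: dict        # interface -> zone, from "zone-member security"
    zone_pairs: dict     # (source zone, destination zone) -> policy-map name
    policies: dict       # policy-map -> ordered {class-map: action}
    class_maps: dict     # match-any class-map -> set of "match protocol" names
    sessions: set = field(default_factory=set)   # sessions created by "inspect"

    def _policy_action(self, policy, flow):
        # First class-map whose protocol list covers the flow wins; anything
        # left over falls into class-default, which drops in ZBF.
        for cname, action in self.policies[policy].items():
            names = self.class_maps[cname]
            if flow.app in names or flow.transport in names:
                return action
        return "drop"

    def decide(self, flow):
        src_zone = self.zone_of.get(flow.src_if)
        dst_zone = self.zone_of.get(flow.dst_if)
        if (src_zone is None) != (dst_zone is None):
            return "drop"          # a zone member cannot talk to an interface outside all zones
        if src_zone == dst_zone:
            return "pass"          # same zone (or both outside all zones): not policed
        if flow.reverse_key() in self.sessions:
            return "pass"          # return traffic of an inspected session
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"          # no zone-pair for this direction
        action = self._policy_action(policy, flow)
        if action == "inspect":
            self.sessions.add(flow.key())
        return action


def private_public_firewall():
    """The routed example: one zone-pair private->public inspecting tcp only."""
    return ZoneBasedFirewall(
        zone_of={"FastEthernet0/0": "private", "FastEthernet0/1": "public"},
        zone_pairs={("private", "public"): "firewall-policy"},
        policies={"firewall-policy": {"services": "inspect"}},
        class_maps={"services": {"tcp"}},
    )


def transparent_firewall():
    """The bridged example: zone-pair wired->wireless only, so wireless cannot initiate."""
    return ZoneBasedFirewall(
        zone_of={"Vlan1": "wired", "Vlan2": "wireless"},
        zone_pairs={("wired", "wireless"): "firewall-policy"},
        policies={"firewall-policy": {"protocols": "inspect"}},
        class_maps={"protocols": {"dns", "https", "icmp", "imap", "pop3", "tcp", "udp"}},
    )


def demo():
    """Constructed flows through both firewalls; returns the decision per flow."""
    fw, tfw, r = private_public_firewall(), transparent_firewall(), {}
    r["private->public http"] = fw.decide(Flow("FastEthernet0/0", "FastEthernet0/1", "tcp", "http", "10.1.1.5", "203.0.113.10"))
    r["public->private http reply"] = fw.decide(Flow("FastEthernet0/1", "FastEthernet0/0", "tcp", "http", "203.0.113.10", "10.1.1.5"))
    r["private->public dns (udp, not in class)"] = fw.decide(Flow("FastEthernet0/0", "FastEthernet0/1", "udp", "dns", "10.1.1.5", "203.0.113.53"))
    r["public->private unsolicited ssh"] = fw.decide(Flow("FastEthernet0/1", "FastEthernet0/0", "tcp", "ssh", "198.51.100.7", "10.1.1.5"))
    r["public->unzoned interface"] = fw.decide(Flow("FastEthernet0/1", "Serial0/0", "tcp", "http", "198.51.100.7", "172.16.0.9"))
    r["wired->wireless https"] = tfw.decide(Flow("Vlan1", "Vlan2", "tcp", "https", "192.168.1.3", "192.168.1.50"))
    r["wireless->wired unsolicited http"] = tfw.decide(Flow("Vlan2", "Vlan1", "tcp", "http", "192.168.1.50", "192.168.1.3"))
    r["wireless->wired https reply"] = tfw.decide(Flow("Vlan2", "Vlan1", "tcp", "https", "192.168.1.50", "192.168.1.3"))
    return r
```

The model makes the two design points visible: in the routed example a UDP DNS query from the private zone is dropped by class-default because the only class matches tcp, and in the transparent example the wireless segment can answer wired-initiated sessions but cannot open any of its own.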


Cisco IOS Flexible Packet Matching (FPM)

Network managers require tools to filter day-zero attacks, for example before IPS signatures are available

Traditional ACLs take a shotgun approach—legitimate traffic could be blocked

Example: stopping Slammer with ACLs meant blocking port 1434—denying business transactions involving Microsoft SQL

FPM delivers flexible, granular Layer 2–7 matching

Example: port 1434 + packet length 404 B + a specific pattern within the payload = Slammer

Rapid Response to New and Emerging Attacks

Match pattern with AND, OR, NOT

Cisco.com/go/fpm

Page 9: BRKSEC-2007


Cisco IOS Flexible Packet Matching Configuration: Slammer Filter

class-map type stack match-all ip-udp
 match field ip protocol eq 17 next udp
!
class-map type access-control match-all slammer
 match field udp dport eq 1434
 match start ip version offset 224 size 4 eq 0x04011010
 ! the same 4-byte match expressed from the start of the IP header
 match start network-start offset 224 size 4 eq 0x04011010
!
policy-map type access-control udp-policy
 class slammer
  drop
!
policy-map type access-control fpm-policy
 class ip-udp
  service-policy udp-policy

The access-control typed class defines the traffic pattern: UDP destination port 1434, and, starting from the IP header at offset 224 bytes, the 4-byte value should be 0x04011010.
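To show what the filter above buys over the port-1434 ACL, here is an added Python example (not Cisco code, not from the session) that evaluates both decisions over constructed datagrams. It assumes the IP header carries no options (so the UDP header starts at byte 20), zeroed checksums, and a payload that contains only the 4-byte marker at the offset the slide names; the datagram is Slammer-shaped in length and pattern but carries no worm content.

```python
import struct

IP_HEADER_LEN = 20           # no IP options in the constructed packets
UDP_HEADER_LEN = 8
SLAMMER_DPORT = 1434
SLAMMER_OFFSET = 224         # counted from the first byte of the IP header
SLAMMER_PATTERN = 0x04011010


def build_udp_datagram(dst_port, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Constructed IPv4/UDP datagram (checksums left zero; test data only)."""
    total_len = IP_HEADER_LEN + UDP_HEADER_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    udp_hdr = struct.pack("!HHHH", 40000, dst_port, UDP_HEADER_LEN + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def slammer_shaped_payload():
    """376-byte payload that puts the 4-byte marker where the filter looks
    (offset 224 from the IP header = payload byte 196). Every other byte is
    zero: this reproduces the slide's match criteria, not the worm."""
    body = bytearray(376)
    at = SLAMMER_OFFSET - IP_HEADER_LEN - UDP_HEADER_LEN
    body[at:at + 4] = SLAMMER_PATTERN.to_bytes(4, "big")
    return bytes(body)


def _udp_dport(pkt):
    """Destination port if the datagram is IPv4/UDP, else None."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]


def acl_deny_1434(pkt):
    """The shotgun: 'deny udp any any eq 1434' blocks every SQL resolution query."""
    return "deny" if _udp_dport(pkt) == SLAMMER_DPORT else "permit"


def fpm_slammer_filter(pkt):
    """The FPM policy from the slide: stack class ip-udp (protocol 17 -> udp),
    then access-control class slammer (dport 1434 AND 4 bytes at offset 224)."""
    if _udp_dport(pkt) != SLAMMER_DPORT:
        return "permit"
    window = pkt[SLAMMER_OFFSET:SLAMMER_OFFSET + 4]
    if len(window) == 4 and int.from_bytes(window, "big") == SLAMMER_PATTERN:
        return "drop"
    return "permit"


def compare():
    """Both filters over three constructed datagrams: the Slammer-shaped one,
    a one-byte SQL Server Resolution Protocol query, and the same pattern on port 53."""
    cases = {
        "slammer_shaped": build_udp_datagram(1434, slammer_shaped_payload()),
        "legit_sql_query": build_udp_datagram(1434, b"\x02"),
        "pattern_on_port_53": build_udp_datagram(53, slammer_shaped_payload()),
    }
    return {name: {"acl": acl_deny_1434(p), "fpm": fpm_slammer_filter(p)}
            for name, p in cases.items()}
```

The short legitimate query is where the difference shows: the ACL denies it because of the port alone, while the FPM class requires the payload pattern at offset 224 and a datagram too short to reach that offset is permitted.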


Cisco IOS Intrusion Prevention (IPS)

Cisco IOS IPS stops attacks at the entry point, conserves WAN bandwidth, and protects the router and remote network from DoS attacks

Integrated form factor makes it cost-effective and viable to deploy IPS in Small and Medium Business and Enterprise branch/telecommuter sites

Supports 2000+ signatures, sharing the same signature database available with Cisco IPS sensors

Allows custom signature sets and actions to react quickly to new threats

Distributed Defense Against Worms and Viruses (diagram): IPS on the routers at the small branch, branch office, and small office/telecommuter sites, connected over the Internet to the corporate office. Apply IPS on traffic from branches to kill worms from infected PCs; stop attacks before they fill up the WAN; protect the router and local network from DoS attacks.

http://www.cisco.com/go/iosips

Page 10: BRKSEC-2007


Cisco IOS Intrusion Prevention System (IPS) Configuration (CLI)

Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup: IOS-Sxxx-CLI.pkg and realm-cisco.pub.key.txt

Configure the Cisco IOS IPS crypto key: mkdir ipstore (create the directory on flash), then paste the crypto key from realm-cisco.pub.key.txt

Cisco IOS IPS configuration:

ip ips config location flash:ipstore retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface FastEthernet 0
 ip ips ips-policy in

Load the signatures from the TFTP server:

copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

Verify:

show ip ips signature count
Total Compiled Signatures: 338  (total active compiled signatures)


Comprehensive, Scalable IPS Management

Full range of management options:

Cisco SDM 2.5† provides full IPS provisioning and monitoring for a single router

Cisco Security Manager 3.1† / CS-MARS for Enterprise IPS

CLI option supports automated provisioning and signature update†

Cisco Configuration Engine for MSSP—scales to thousands of devices‡

Operational consistency across the Cisco IPS portfolio

Risk Rating and Event Action Processor (SEAP) reduce false positives‡

Enhanced Microsoft signature support (MSRPC and SMB)†

† New in Cisco IOS 12.4(15)T2
‡ Unique in the industry

Integrated, Collaborative Security for the Branch

Page 11: BRKSEC-2007


Cisco IOS Transparent IPS

Use Case: IPS Between Wireless and Wired LANs

Introduces “stealth IPS” capability: no IP address is associated with the IPS (nothing to attack)

The IOS router bridges between the two “halves” of the network

Both the wired and wireless segments are in the same subnet, 192.168.1.0/24

VLAN 1 is the “private” protected network.

Diagram: Fa 0/0 toward the Internet; VLAN 1 (wired, host 192.168.1.3) and the wireless segment bridged through the transparent IPS (192.168.1.2).


Cisco IOS Intrusion Prevention System (IPS) Configuration (CLI), transparent mode

Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup: IOS-Sxxx-CLI.pkg and realm-cisco.pub.key.txt

Configure the Cisco IOS IPS crypto key: mkdir ips5 (create the directory on flash), then paste the crypto key from realm-cisco.pub.key.txt

Cisco IOS IPS configuration:

ip ips config location flash:ips5 retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface VLAN 1
 description private interface
 bridge-group 1
 ip ips ips-policy out
!
interface VLAN 2
 description private interface
 bridge-group 1
 ip ips ips-policy in

Load the signatures from the TFTP server:

copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

Verify:

show ip ips signature count
Total Compiled Signatures: 338  (total active compiled signatures)

Page 12: BRKSEC-2007


Cisco IOS URL Filtering

Control employee access to entertainment sites during work hours

Control downloads of objectionable or offensive material, limit liabilities

Cisco IOS supports static whitelist and blacklist URL filtering

External filtering servers such as Websense, Smartfilter can be used at the corporate office, with Cisco IOS static lists as backup

SDM 2.3 supports configuring static lists and importing .csv files for URL lists

Internet Usage Control (diagram): web surfing from the branch office to the Internet passes through URL filtering on the branch router.


Router Hardening

Think “Divide and Conquer”: a methodical approach to protect three planes (Cisco NFP)

A router can be logically divided into three functional planes:

1. Data plane (ability to forward data): the vast majority of packets handled by a router travel through the router by way of the data plane

2. Management plane (ability to manage): traffic from management protocols and other interactive access protocols, such as Telnet, Secure Shell (SSH) protocol, and SNMP, passes through the management plane

3. Control plane (ability to route): routing control protocols, keepalives, ICMP with IP options, and packets destined to the local IP addresses of the router pass through the control plane

Network Foundation Protection

Page 13: BRKSEC-2007


Network Foundation Protection

Control Plane: defense-in-depth protection for the routing control plane. Technologies: Receive ACLs, control plane policing, iACLs, neighbor authentication, BGP best practices

Data Plane: detects traffic anomalies and responds to attacks in real time. Technologies: NetFlow, IP source tracker, ACLs, uRPF, RTBH, QoS tools

Management Plane: secure and continuous management of the Cisco IOS network infrastructure. Technologies: CPU and memory thresholding, dual export syslog, image verification, SSHv2, SNMPv3, security audit, CLI views

http://www.cisco.com/go/nfp


Router Hardening: Traditional Methods

Disable any unused protocols

VTY ACLs

SNMP community ACL; views; disable SNMP RW, use SNMPv3 for RW if needed

Prevent dead TCP sessions from utilizing all VTY lines: service tcp-keepalives-in

Use ‘type 5’ passwords; ‘service password-encryption’ is reversible and is only meant to prevent shoulder surfing

Run AAA; don’t forget Authorization and Accounting

Disable extraneous interface features

Encrypt sessions: SSH, IPsec

Page 14: BRKSEC-2007


Best Practice - Features to Disable

BOOTP

CDP

Configuration auto-loading

DNS

DHCP Server

Finger

HTTP Server

FTP Server

TFTP Server

IP Directed Broadcast

IP mask reply

IP redirects

IP Source Routing

IP unreachable notifications

Identification service

NTP

PAD Service

Proxy ARP

Gratuitous ARP

SNMP

TCP Small Servers

UDP Small Servers

MOP Service

TCP keep-alives
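The two hardening slides above (traditional methods and the features-to-disable list) are easiest to apply as a repeatable audit of a router's running configuration. The following Python checker is an added example for this deck, not a Cisco tool; it assumes the checks can be made on explicit configuration lines, so on releases where the secure value is already the default (and the "no ..." line is therefore not shown) it will over-report, and a real audit would also need the defaults of the release in use. Both sample configurations are constructed; the hash and community string are placeholders.

```python
import re

# Hardening items from the slides expressed as checks on running-config lines.
GLOBAL_MUST_HAVE = [
    ("service tcp-keepalives-in (reap dead VTY sessions)", r"^service tcp-keepalives-in$"),
    ("enable secret (type 5 password)", r"^enable secret "),
    ("AAA (aaa new-model)", r"^aaa new-model$"),
    ("CDP disabled", r"^no cdp run$"),
    ("HTTP server disabled", r"^no ip http server$"),
    ("IP source routing disabled", r"^no ip source-route$"),
    ("finger disabled", r"^no (ip finger|service finger)$"),
    ("TCP small servers disabled", r"^no service tcp-small-servers$"),
    ("UDP small servers disabled", r"^no service udp-small-servers$"),
    ("BOOTP server disabled", r"^no ip bootp server$"),
    ("identification service disabled", r"^no ip identd$"),
]
GLOBAL_MUST_NOT_HAVE = [
    ("SNMP read-write community", r"^snmp-server community \S+ RW\b"),
    ("enable password (reversible or clear) instead of enable secret", r"^enable password "),
    ("HTTP server enabled", r"^ip http server$"),
]
INTERFACE_MUST_HAVE = [
    ("directed broadcast disabled", r"^no ip directed-broadcast$"),
    ("proxy ARP disabled", r"^no ip proxy-arp$"),
    ("ICMP redirects disabled", r"^no ip redirects$"),
    ("ICMP unreachables disabled", r"^no ip unreachables$"),
    ("ICMP mask reply disabled", r"^no ip mask-reply$"),
    ("MOP disabled", r"^no mop enabled$"),
]
VTY_MUST_HAVE = [
    ("VTY ACL (access-class ... in)", r"^access-class \S+ in$"),
    ("SSH-only transport (transport input ssh)", r"^transport input ssh$"),
]


def parse_config(text):
    """Split a running-config into global lines and (header, body) blocks for
    interface and line sections; '!' or an unindented line ends a block."""
    global_lines, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line[0].isspace():
            if current is not None:
                current[1].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = (line, [])
            blocks.append(current)
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def _has(lines, pattern):
    return any(re.match(pattern, l) for l in lines)


def audit(config_text):
    """Return (scope, finding) tuples; an empty list means every check passed."""
    findings = []
    global_lines, blocks = parse_config(config_text)
    findings += [("global", "missing: " + d) for d, p in GLOBAL_MUST_HAVE if not _has(global_lines, p)]
    findings += [("global", "found: " + d) for d, p in GLOBAL_MUST_NOT_HAVE if _has(global_lines, p)]
    for header, body in blocks:
        if header.startswith("interface "):
            findings += [(header, "missing: " + d) for d, p in INTERFACE_MUST_HAVE if not _has(body, p)]
            if _has(body, r"^ip directed-broadcast$"):
                findings.append((header, "found: directed broadcast explicitly enabled"))
        elif header.startswith("line vty"):
            findings += [(header, "missing: " + d) for d, p in VTY_MUST_HAVE if not _has(body, p)]
    return findings


# Constructed sample configurations (not taken from any real device).
WEAK_CONFIG = """\
version 12.4
service password-encryption
hostname branch-rtr
enable password 7 094F471A1A0A
snmp-server community public RO
snmp-server community private RW
ip http server
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
!
line vty 0 4
 password 7 0822455D0A16
 login
"""

HARDENED_CONFIG = """\
version 12.4
service tcp-keepalives-in
service password-encryption
hostname branch-rtr
enable secret 5 $1$PLACEHOLDER$hash
aaa new-model
no ip source-route
no ip bootp server
no ip finger
no ip identd
no service tcp-small-servers
no service udp-small-servers
no cdp run
no ip http server
snmp-server community RO-COMMUNITY-PLACEHOLDER RO 10
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no mop enabled
!
line vty 0 4
 access-class 10 in
 transport input ssh
"""
```

Running audit(WEAK_CONFIG) lists the read-write SNMP community, the enable password, the open HTTP server, the directed broadcast left on the outside interface and the VTY lines without an ACL or SSH-only transport; audit(HARDENED_CONFIG) returns nothing.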


Cisco IOS Control Plane Policing

Mitigates DoS attacks on the control plane (route processor), such as ICMP floods

Polices and throttles incoming traffic to the control plane; maintains packet forwarding and protocol states during attacks or heavy traffic load

Diagram: incoming packets enter the packet buffer and go through a CEF/FIB lookup; locally switched packets leave through the output packet buffer, while processor-switched packets are input to the control plane (management: SNMP, Telnet, SSH, SSL; ICMP; IPv6; routing updates). Control Plane Policing sits in front of that input and alleviates DoS attacks; Silent Mode prevents reconnaissance.

Continual Router Availability Under Stress

Cisco.com/go/nfp

Network Foundation Protection
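The three-plane model described under Router Hardening and the Control Plane Policing slide above fit together: only traffic that the CEF lookup punts toward the route processor is classified and policed, and each class gets its own rate so that an ICMP flood cannot starve routing updates or management sessions. The Python simulation below is an added example for this deck, not Cisco code. It assumes a simplified plane classifier (destination address decides transit versus local, a small set of management ports, routing protocols named by string), a per-class token bucket measured in packets per second with integer millisecond time, and a constructed one-second capture.

```python
from collections import defaultdict

MANAGEMENT_PORTS = {22, 23, 161, 443}          # SSH, Telnet, SNMP, SSL (assumed illustrative set)
ROUTING_PROTOCOLS = {"ospf", "eigrp", "bgp"}   # assumed names for routing-update packets


def classify_plane(pkt, router_addresses):
    """Map a packet to the plane the slides define: transit traffic is data
    plane; locally destined management protocols are management plane;
    everything else punted to the route processor is control plane."""
    if pkt["dst"] not in router_addresses:
        return "data"
    if pkt["proto"] in ("tcp", "udp") and pkt.get("dport") in MANAGEMENT_PORTS:
        return "management"
    return "control"


def copp_class(pkt, plane):
    """CoPP class the punted packet falls into (assumed class names)."""
    if pkt["proto"] == "icmp":
        return "icmp"
    if plane == "management":
        return "management"
    if pkt["proto"] in ROUTING_PROTOCOLS:
        return "routing"
    return "undesirable"


class Policer:
    """Single token bucket in packets per second. Time is integer milliseconds
    and tokens are kept in thousandths of a packet so the arithmetic is exact."""

    def __init__(self, rate_pps, burst_packets):
        self.rate = rate_pps
        self.capacity = burst_packets * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def conform(self, now_ms):
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def run_copp(packets, router_addresses, policers):
    """Feed packets (in time order) through plane classification and the
    per-class policers; return conform/exceed counters per class."""
    stats = defaultdict(lambda: {"conform": 0, "exceed": 0})
    for pkt in sorted(packets, key=lambda p: p["t_ms"]):
        plane = classify_plane(pkt, router_addresses)
        if plane == "data":
            stats["data-plane (forwarded)"]["conform"] += 1   # CEF path, never policed here
            continue
        cls = copp_class(pkt, plane)
        if cls not in policers or policers[cls].conform(pkt["t_ms"]):
            stats[cls]["conform"] += 1
        else:
            stats[cls]["exceed"] += 1
    return dict(stats)


def sample_traffic():
    """Constructed one-second capture: a 1000-packet ICMP flood at the router,
    five OSPF hellos, three SSH packets, one stray UDP packet and fifty transit packets."""
    rtr = "10.0.0.1"
    pkts = [{"t_ms": i, "src": "198.51.100.9", "dst": rtr, "proto": "icmp"} for i in range(1000)]
    pkts += [{"t_ms": t, "src": "10.0.0.2", "dst": rtr, "proto": "ospf"} for t in (0, 250, 500, 750, 999)]
    pkts += [{"t_ms": t, "src": "10.0.0.50", "dst": rtr, "proto": "tcp", "dport": 22} for t in (100, 200, 300)]
    pkts += [{"t_ms": t, "src": "10.1.1.5", "dst": "203.0.113.7", "proto": "tcp", "dport": 80}
             for t in range(0, 1000, 20)]
    pkts.append({"t_ms": 400, "src": "198.51.100.9", "dst": rtr, "proto": "udp", "dport": 9999})
    return pkts


def demo():
    policers = {
        "icmp": Policer(rate_pps=10, burst_packets=10),
        "routing": Policer(rate_pps=50, burst_packets=50),
        "management": Policer(rate_pps=50, burst_packets=10),
        "undesirable": Policer(rate_pps=1, burst_packets=1),
    }
    return run_copp(sample_traffic(), {"10.0.0.1"}, policers)
```

With the ICMP class limited to 10 packets per second, the flood delivers only 19 packets to the route processor in the second (the 10-packet burst plus one per 100 ms of refill) while every OSPF hello and SSH packet conforms and the 50 transit packets never touch the policers at all.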

Page 15: BRKSEC-2007


Cisco IOS AutoSecure

http://www.cisco.com/go/autosecure

One Touch Automated Router Lockdown

Disables non-essential services: eliminates DoS attacks based on fake requests; disables mechanisms that could be used to exploit security holes

Secures the forwarding plane: protects against SYN attacks; anti-spoofing; enforces stateful firewall configuration on external interfaces, where available

Enforces secure access: enforces enhanced security in accessing the device; enhanced security logs; prevents attackers from knowing packets have been dropped

Network Foundation Protection


Secure Connectivity

GET VPN, DMVPN, Easy VPN, SSL VPN

Page 16: BRKSEC-2007


Cisco IPsec VPN Technologies

Feature                | Easy VPN                      | DMVPN                                        | GET VPN
Infrastructure Network | Public Internet Transport     | Public Internet Transport                    | Private IP Transport
Network Style          | Hub-Spoke (Client to Site)    | Hub-Spoke and Spoke-to-Spoke (partial mesh)  | Any-to-Any (full mesh)
Routing                | Reverse-route Injection       | Dynamic routing on tunnels                   | Dynamic routing on IP WAN
Failover Redundancy    | Stateful Hub Crypto Failover  | Route Distribution Model                     | Route Distribution Model + KS: Stateful
Encryption Style       | Peer-to-Peer Protection       | Peer-to-Peer Protection                      | Group Protection
IP Multicast           | Multicast replication at hub  | Multicast replication at hub                 | Multicast replication in IP WAN network


Cisco GET VPN

GET uses Group Domain of Interpretation (GDOI): RFC 3547 standards-based key distribution

GET adds cooperative key servers for high availability

Key servers authenticate and distribute keys and policies; group member provisioning is minimized; application traffic is encrypted by group members

GET VPN Simplifies Security Policy and Key Distribution

Diagram: group members on Subnets 1–4 connected over a private WAN, with two cooperative key servers; the original IP packet keeps its original IP header across the WAN.

GET VPN Uses IP Header Preservation to Mitigate the Routing Overlay

IPsec tunnel mode: New IP Header | ESP Header | Original IP Header | IP Payload

GET VPN (IP header preservation): Original IP Header | ESP Header | Original IP Header | IP Payload

Page 17: BRKSEC-2007


Cisco Dynamic Multipoint VPN

Secure On-Demand Meshed Tunnels

Full meshed connectivity with simple configuration of hub and spokes

Supports dynamically addressed spokes

Zero touch configuration for addition of new spokes

What’s New in Phase 3: improved scaling—NHRP/CEF rewrite and EIGRP scaling enhancements; manageability enhancements

Diagram: a hub and spokes A, B, C across the WAN; traditional static tunnels between static, known IP addresses versus DMVPN tunnels between dynamic, unknown IP addresses.

Cisco.com/go/dmvpn


Cisco Enhanced Easy VPN

Automated deployments—no user intervention; enforces consistent policy on remote devices; add new devices without changes at the headend

Supports dynamic connections with VPN; interoperable across Cisco access and security devices; Cisco VPN client—the only FIPS-certified client

What’s New in Easy VPN? CTA/NAC policy enforcement; centralized policy push for the integrated client firewall; password aging via AAA; cTCP NAT transparency and firewall traversal; DHCP client proxy and DDNS registration; split DNS; per-user policy from RADIUS; support for identically addressed spokes behind NAT with split tunnels; VTI manageability—display of VRF information, summary commands

Centralized Policy-Based Management (diagram): hardware clients (Cisco ASA, PIX®, Security Router) and the Cisco VPN software client on PC/Mac/UNIX connect over the Internet to the Cisco Security Router at the corporate office: 1. remote calls ‘home’; 2. validate, policy push; 3. VPN tunnel.

http://www.cisco.com/go/easyvpn

Page 18: BRKSEC-2007


Cisco IOS SSL VPN

Clientless access (web based + application helper): browser-based (clientless); gateway performs content transformation; file sharing (CIFS), OWA, Citrix; Java-based application helper

Full network access (IP over SSL, IP-based applications): application agnostic; tunnel client dynamically loaded; no reboot required after installation; client may be permanently installed or removed dynamically

Cisco Router and Security Device Manager—simple GUI-based provisioning and management with step-by-step wizards for turnkey deployment

Cisco Secure Desktop—prevents digital leakage, protects user privacy, easy to implement and manage, and works with desktop guest permissions

Virtualization and VRF awareness—pool resources


Secure Connectivity Related Sessions

BRKSEC-3005: Advanced Remote Access with SSLVPN

BRKSEC-3008/2007: Site to Site VPN with GETVPN

BRKSEC-3006: Advanced Site to Site VPN—Dynamic Multipoint VPNs (DMVPN)

Page 19: BRKSEC-2007


Management and Instrumentation: SDM, NetFlow, IP SLA, Role Based Access


Cisco Security Management Suite

Cisco® Security Device Manager: quickest way to set up a device; configures all device parameters; wizards to configure firewall, IPS, VPN, QoS, and wireless; ships with the device

Cisco Security MARS: solution for monitoring and mitigation; uses control capabilities within the infrastructure to eliminate attacks; visualizes attack paths

Cisco Security Manager: new solution for configuring routers, appliances, switches; new user-centered design; new levels of scalability

Page 20: BRKSEC-2007


Instrumentation

Feature                                   | Benefit
IP Service Level Agent (IP SLAs)          | Network performance data (latency and jitter)
NetFlow and NBAR                          | Detailed statistics for all data flows in the network
SNMPv3 and SNMP informs                   | Reliable traps using SNMP informs
Syslog Manager and XML-formatted syslog   | Total flexibility to parse and control syslog messages on the router itself
Tcl scripting and Kron (cron) jobs; EEM   | Flexible, programmatic control of the router
Role-Based CLI Access                     | Provides partitioned, non-hierarchical access (e.g. Network and Security Operations)

Related sessions: Solving Security Challenges using EEM; Advanced NetFlow Deployment, BRKNMS-3005

Your network management system is only as good as the data you can get from the devices in the network


Design Consideration

Page 21: BRKSEC-2007


Design Consideration: Cisco IOS Firewall

Classic or zone-based firewall: zone-based firewall (12.4(4)T) or Classic Firewall. All new features will be offered in the zone-based policy firewall configuration model; there is no end-of-life plan for the Classic Cisco IOS Firewall, but there will be no new features. ASR1000 supports the IOS zone-based firewall.

Manageability: provisioning firewall policies with CLI, Cisco Security Manager, SDM and Config Engine; monitoring firewall activity with syslog, SNMP, and screen-scrapes from "show" commands; modifying security policies—SDM supports the zone-based firewall.

Interoperability: Cisco IOS Firewall interoperates with other features: NAT, VPN, Intrusion Prevention System (IPS), WCCP/WAAS, proxy, URL Filtering and QoS.

Memory usage: a single TCP or UDP (Layer 3/4) session takes 600 bytes of memory; multi-channel protocol sessions use more than 600 bytes of memory.

Advanced Firewall


Design Consideration: Cisco IOS Firewall

Cisco IOS Firewall Went Through a Paradigm Shift: 12.4(4)T and Onward Supports the Zone-Based IOS Firewall

Classic IOS Firewall (before Release 12.4(4)T and 12.4 Mainline) | Zone-Based IOS Firewall (Release 12.4(4)T and later)
Interface-based policies            | Zone-based policies
No granular support                 | Very granular firewall policies
Support for Classic IOS Firewall    | Support for Classic IOS Firewall continued; no new features on Classic IOS Firewall
No advanced AIC support             | Advanced protocol conformance support (P2P, IM, VoIP, etc.)
Supported in CSM and SDM            | Supported in SDM; CSM planned for CY2008
MIB support                         | No MIB—roadmap
IPv6 support                        | No IPv6—roadmap
Active/Passive failover support     | No Active/Passive failover—roadmap

Page 22: BRKSEC-2007


Design Consideration: Cisco IOS Firewall

Denial of Service (DoS) protection settings: prior to 12.4(11)T the default DoS settings were set low (see http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper0900aecd804e5098.shtml); from 12.4(11)T onwards, DoS settings are maxed out by default

Addressing: firewall policies can be made much more efficient with a well thought-out IP address scheme

Performance consideration: Cisco IOS Firewall Performance Guidelines for ISRs (800–3800), http://www.cisco.com/en/US/partner/products/ps5855/products_white_paper0900aecd8061536b.shtml; ASR1000 TCP/ICMP/UDP inspection performance (up to 10G) with select ALGs (SIP UDP, active FTP, DNS, H.323v2, SCCP)

Advanced Firewall


Cisco IOS Firewall on ISRs: Real World Performance, HTTP (chart)

Page 23: BRKSEC-2007


Design Consideration: Cisco IOS Firewall Voice Features

Protocol                                           | ISRs | ASR1000 | Comments
H.323 v1 & v2                                      | Yes  | Yes     | Tested using CME 4.0
H.323 v3 & v4                                      | No   | No      | Roadmap
H.323 RAS                                          | Yes  | No      |
H.323 T.38 Fax                                     | No   | No      | Roadmap
SIP UDP                                            | Yes  | Yes     | CCM 4.2 supported; RFC 2543, RFC 3261 not supported
SIP TCP                                            | No   | No      | Roadmap
SCCP                                               | Yes  | Yes     | Tested with CCM 4.2/CME 4.0
Locally generated traffic inspection for SIP/SCCP  | No   | No      | Roadmap

For Cisco IOS® support, contact [email protected] with requirements

Advanced Firewall


Design Consideration: Cisco IOS Flexible Packet Matching

Functionality                                    | ACL                  | ISR 12.4(15)T2                                                              | ASR1000 RLS 2.2
# of ACEs per interface                          | Unlimited            | Unlimited                                                                   | 60,000
# of match criteria per ACE                      | 4                    | Unlimited                                                                   | 2
Depth of inspection                              | 44 bytes             | Full packet                                                                 | 256 B
Raw offset                                       | No                   | Yes                                                                         | Yes
Relative offset (fixed header length support)    | No                   | Yes                                                                         | Yes
Dynamic offset (variable header length support)  | No                   | Yes                                                                         | No
Nested policies                                  | No                   | Yes                                                                         | Yes
Nested class-maps                                | No                   | Yes                                                                         | Yes
Regex match                                      | No                   | Yes                                                                         | Yes
String match                                     | No                   | Yes                                                                         | Yes
Match string pattern window                      | No                   | Full packet                                                                 | Full packet
Protocol support                                 | IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP, Ethernet, GRE, IPsec                                  | IPv4, TCP, UDP, ICMP, Ethernet
Actions supported                                | permit, deny, log    | permit, count, drop, log, send-response, nested-policy redirect, rate limit | permit, count, drop, log, send-response

IOS FPM

Page 24: BRKSEC-2007


Design Consideration: Cisco IOS IPS 4.x and 5.x

Cisco IOS IPS Went Through a Paradigm Shift: 12.4(11)T2 and Onward Supports IPS 5.x

                                                 | Before Release 12.4(11)T2 and 12.4 Mainline           | Release 12.4(11)T2 and later
IOS IPS internal version (show subsys name ips)  | 2.xxx.xxx                                             | 3.000.000
Signature format                                 | 4.x                                                   | 5.x
Signature download URL                           | http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup  | http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup
Signature distribution                           | Pre-tuned signature files: Basic/Advanced SDF files   | Signature package: IOS-Sxxx-CLI.pkg
Loading signatures                               | From a single SDF file                                | From a set of configuration files
Configuration of signatures                      | Flat single SDF file approach                         | Hierarchical multi-level/multi-file approach

Signature updates for Cisco IOS IPS 4.x (12.4(9)T or prior) will continue till ?


Design Consideration: Migrating to Cisco IOS IPS 5.x (12.4(11)T2)

Option 1: existing customer using non-customized pre-built signature files (SDFs). No signature migration needed: signatures in 128MB.sdf are in the IOS-Basic category; signatures in 256MB.sdf are in the IOS-Advanced category.

Option 2: existing customer using customized pre-built signature files (SDFs). A signature migration (Tcl) script is available on Cisco.com to convert customized SDFs to the 5.x format; this migration script does not migrate user-defined (non-Cisco) signatures.

Migration Guide: http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd8057558a.shtml

Page 25: BRKSEC-2007


Design ConsiderationCisco IOS IPS—12.4(11)T2 and Later Release

ManageabilityProvisioning IPS policies:

CLI, Cisco Security Manager, SDM and Config Engine

Signature tuning and update: the basic category is the Cisco-recommended signature set for routers with 128 MB RAM; the advanced category is for routers with 256 MB RAM

Signature tuning with the command-line interface (CLI) is available after 12.4(11)T

Signature package updates are aligned with the Cisco 42xx sensors (auto-update via CSM)

Monitoring IPS activity: reporting via CS-MARS (SDEE and syslog support) and screen-scrapes from "show" commands

Modifying security policies: SDM/CSM support IPS


Design Consideration: Provisioning and Monitoring Options

IPS signature provisioning
  Up to 5 routers: Cisco Security Device Manager (SDM)
  More than 5 routers:
    Same signature set/policy:
      Opt 1: Cisco Security Manager (CSM)
      Opt 2: Cisco SDM and Cisco Configuration Engine to copy generated IPS files to a large number of routers
    Different signature set/policy: single or multiple instances of CSM

IPS event monitoring
  1 router: Cisco IPS Event Viewer (IEV) or Cisco SDM
  Up to 5 routers: Cisco IEV or syslog server
  More than 5 routers: Cisco Security MARS x.3.2 (model and quantity depend on the number of routers, topology and cumulative EPS)


Design Consideration: Cisco IOS Intrusion Prevention System (IPS)

Performance consideration: router performance is not affected by adding more signatures

Memory usage: the signature compilation process is highly CPU-intensive while the signatures are being compiled; the number of signatures that can be loaded on a router is memory-dependent

Fragmentation: Cisco IOS IPS uses Virtual Fragmentation Reassembly (VFR) to detect fragmentation attacks


Cisco IOS IPS and Out-of-Order Packets

Cisco IOS IPS supports out-of-order packets starting from the following two releases:

Release 12.4(9)T2

Release 12.4(11)T

Configurable via CLI: ip inspect tcp reassembly

Notification for packets dropped due to insufficient buffer space


Cisco Security Manager 3.1: Cisco IOS IPS Signature List View


Cisco IOS IPS and Auto Update

Screenshots: SDM and CSM


Design Consideration: IOS IPS and IPS Appliances/Modules

Feature | Cisco IOS IPS Release 12.4(9)T | Cisco IOS IPS Release 12.4(11)T | Cisco IPS 42xx sensors, IDSM2, SSM-AIP, NM-CIDS modules
Signature format | 4.x | 5.x/6.0 | 5.x/6.0
Signature updates and tuning | using SDF | using IDCONF | using IDCONF
Signatures supported | Subset of 1700+ signatures (depends on router model/DRAM) | Subset of 1700+ signatures (depends on router model/DRAM) | 1900+ signatures selected by default
Recommended (pre-built or default) signature set | Basic or Advanced SDF | IOS-Basic or IOS-Advanced category | All signatures alarm-only
Day-zero anomaly detection | No | No | Available in 6.0 release
Transparent (L2) IPS | Yes | Yes | Yes
Rate limiting | No | No | Yes
IPv6 detection | No | No | Yes
Signature Event Action Processor | No | Yes | Yes
Meta signatures | No | No | Yes
Voice, sweep and flood engines | No | No | Yes (H.225 for voice)
Event notification | Syslog and SDEE | Syslog and SDEE | SDEE


IPS Solutions on Cisco ISRs

Note: only one IPS solution may be active in the router; all others must be removed or disabled.

Feature | Cisco IOS IPS | Cisco IPS AIM | Cisco NM-CIDS
Dedicated CPU/DRAM for IPS | No | Yes | Yes
Inline and promiscuous detection and mitigation | Yes | Yes | No, promiscuous mode only
Signatures supported | Subset of 2000+ signatures, subject to available memory | Full set of signatures (2200+) | Full set of signatures (2200+)
Automatic signature updates | Yes | Yes | Yes
Day-zero anomaly detection | No | Yes | Yes
Rate limiting | No | Yes | Yes
Cisco Security Agent and Cisco IPS collaboration | No | Yes | No
Meta Event Generator | No | Yes | Yes
Event notification | Syslog, SDEE | SNMP and SDEE | SNMP and SDEE
Device management | CLI, SDM | IOS CLI, IDM | IPS CLI, IDM
System/network management | CSM | CSM | CSM
Event monitoring and correlation | IEV, CS-MARS | IEV, CS-MARS, on-box Meta Event Generator | IEV, CS-MARS, on-box Meta Event Generator


Design Consideration: Recommendations

New web and collateral content at http://www.cisco.com/go/iosips/

Use the latest T Train image: 12.4(15)T2
  Native support for Microsoft SMB and MSRPC signatures
  Works with the WAAS module if Zone-Based Firewall is also configured
  Includes many bug fixes for SDM interoperability, etc.

To use IOS IPS with the WAAS (WAN Optimization) module:
  You must use a 12.4(11)T2/T3 or 12.4(15)T2 image
  If IPS is applied on the optimized WAN interface, you must also configure Zone-Based Firewall for a zone including that interface
  ASR1000 introduces this fix-up in RLS 2.2 for IOS Firewall

If working with an image prior to 12.4(11)T or any Mainline image:
  Use the latest Basic (128MB.sdf) and Advanced (256MB.sdf) signature files at http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup/


Deployment Models


Enterprise Branch and HQ Profiles

Diagram: Branch Office to Head Quarter over the Internet and a Private WAN, shown as a Single Router Model and as a Dual Router Model.
Security services at branch and HQ: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection, ACLs, IPsec VPNs.


Enterprise Branch and HQ: Single Router Model

Primary: Internet with IPsec VPN - IP VPN
Backup: None
Internet access is via split tunneling

Diagram: Branch Office to Head Quarter over the Internet. Security services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection, ACLs.


Enterprise Branch and HQ Profile: Single Router Model

Primary WAN services: leased line/E1/fiber or IP VPN
Backup: Internet (ADSL) with VPN or UMTS
Internet access is via split tunneling
Failover: routing protocol with EOT (Enhanced Object Tracking)

Diagram: Branch Office to Head Quarter over the Internet and a Private WAN. Security services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection, ACLs.


Enterprise Branch and HQ Profile: Single Router Model

Primary WAN services: leased line/E1/fiber
Backup: leased line/E1/fiber
Internet access policy enforced via Head Quarter
Failover: routing protocol

Diagram: Branch Office to Head Quarter over a Private WAN. Security services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection, ACLs.


Enterprise Branch and HQ Profile: Dual Router Model

Primary WAN services: leased line/E1/fiber
Backup: leased line/E1/fiber
Internet access policy enforced via Head Quarter
Stateful firewall (stateful failover)

Diagram: Branch Office with two routers to Head Quarter over a Private WAN. Security services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection, ACLs.



Real World Use Cases


Real World Use Cases

1. Protect the Inside LAN and DMZ at Branch Office and HQ with NetFlow Event Logging
2. Protect Servers at Branch Office and HQ
3. Virtual Firewall and IPS at the Branch Office
4. Blocking Peer-to-Peer and Instant Messaging Applications at the Branch
5. Load Balancing and Failover with Two Providers
   a. Load Balancing
   b. Failover


1. Protect the Inside LAN at Branch Office with Split Tunneling Deployed

Cisco IOS Firewall and IPS policies:
  Allow authenticated users to access corporate resources
  Restrict guest users to Internet access only
  Control peer-to-peer and instant messaging applications

Diagram: Branch Office Router (Advanced Firewall) with Employees 192.168.1.x/24 and Wireless Guests 192.168.2.x/24; IPsec tunnel to Head Quarter over the Internet. Guests can access the Internet only; employees can access the corporate network via the encrypted tunnel; the router inspects Internet traffic.


1. Firewall Configuration Snippet at Branch

Security zones:
  zone security private
  zone security public

Security zone policy:
  zone-pair security zone-policy source private destination public
   service-policy type inspect firewall-policy
  !
  interface VLAN 1
   description private interface
   zone-member security private
  !
  interface fastethernet 0
   description public interface
   zone-member security public

Classification:
  class-map type inspect match-any protocols
   match protocol dns
   match protocol https
   match protocol icmp
   match protocol imap
   match protocol pop3
   match protocol tcp
   match protocol udp

Security policy:
  policy-map type inspect firewall-policy
   class type inspect protocols
    inspect

The order of the match statements is important


1. Firewall Configuration Snippet at HQ

Security zones:
  zone security public
  zone security dmz

Security zone policy:
  zone-pair security zone-policy source public destination dmz
   service-policy type inspect fw-policy
  !
  interface G0/1/0
   description public interface
   zone-member security public
  !
  interface g0/1/1
   description dmz interface
   zone-member security dmz

Classification:
  class-map type inspect match-any fw-class
   match protocol udp
   match protocol tcp

Security policy:
  ! the zone-pair above must reference this policy-map by exactly this name
  policy-map type inspect fw-policy
   class type inspect fw-class
    inspect log
   class class-default

  parameter-map type inspect firewall-policy
   log dropped-packets
   log flow-export v9 udp destination 1.1.28.199 2055
   log flow-export template timeout-rate 30
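The branch and HQ snippets hang everything off names: the zone-pair references a policy-map, the policy-map references class-maps, and interfaces reference zones, so a dangling name or an action-less class-default is easy to ship unnoticed. The following is an added example, not code from the deck or from Cisco: it parses those blocks and lints them. The sample configuration is constructed, modelled on the HQ snippet, with a deliberately mismatched policy-map name, a zone without a member interface and a class-map without match-any; that class-map type inspect defaults to match-all is assumed IOS behaviour.

```python
# Static checks for a Cisco IOS zone-based firewall (ZBFW) configuration.
# Added example, not from the deck: it parses the zone / zone-pair / class-map /
# policy-map blocks the branch and HQ snippets use and reports dangling names
# and silent-drop defaults. SAMPLE_CONFIG is constructed, modelled on the HQ
# snippet: the zone-pair attaches "firewall-policy" but the policy-map is named
# "fw-policy", zone dmz has no member interface, class-map retail-hq lacks
# match-any, and class-default has no action.
SAMPLE_CONFIG = """\
zone security public
zone security dmz
!
zone-pair security zone-policy source public destination dmz
 service-policy type inspect firewall-policy
interface GigabitEthernet0/1/0
 zone-member security public
class-map type inspect match-any fw-class
 match protocol udp
 match protocol tcp
class-map type inspect retail-hq
 match protocol ftp
 match protocol http
policy-map type inspect fw-policy
 class type inspect fw-class
  inspect
 class class-default
"""


def parse_zbfw(text):
    """Return a dict model of the ZBFW-relevant blocks of an IOS config."""
    m = {"zones": set(), "pairs": {}, "ifaces": {}, "cmaps": {}, "pmaps": {}}
    ctx = cls = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if not line[0].isspace():  # a top-level statement opens a new block
            cls = None
            if t[:2] == ["zone", "security"]:
                m["zones"].add(t[2])
                ctx = None
            elif t[:2] == ["zone-pair", "security"]:  # NAME source S destination D
                m["pairs"][t[2]] = {"src": t[4], "dst": t[6], "policy": None}
                ctx = ("pair", t[2])
            elif t[0] == "interface":
                ctx = ("iface", t[1])
            elif t[:3] == ["class-map", "type", "inspect"]:
                mode = "match-any" if "match-any" in t else "match-all"  # match-all is the IOS default
                m["cmaps"][t[-1]] = {"mode": mode, "protocols": []}
                ctx = ("cmap", t[-1])
            elif t[:3] == ["policy-map", "type", "inspect"]:
                m["pmaps"][t[3]] = {}
                ctx = ("pmap", t[3])
            else:
                ctx = None
            continue
        kind, name = ctx if ctx else (None, None)
        if kind == "pair" and t[:3] == ["service-policy", "type", "inspect"]:
            m["pairs"][name]["policy"] = t[3]
        elif kind == "iface" and t[:2] == ["zone-member", "security"]:
            m["ifaces"][name] = t[2]
        elif kind == "cmap" and t[:2] == ["match", "protocol"]:
            m["cmaps"][name]["protocols"].append(t[2])
        elif kind == "pmap" and t[0] == "class":  # "class type inspect X" or "class class-default"
            cls = t[-1]
            m["pmaps"][name][cls] = []
        elif kind == "pmap" and cls is not None:  # action line under the current class
            m["pmaps"][name][cls].append(" ".join(t))
    return m


def lint_zbfw(m):
    """Return human-readable findings; an empty list means the checks passed."""
    out = []
    attached = {p["policy"] for p in m["pairs"].values()}
    for name, p in m["pairs"].items():
        for z in (p["src"], p["dst"]):
            if z != "self" and z not in m["zones"]:  # "self" is the built-in router zone
                out.append(f"zone-pair {name}: zone '{z}' is not defined")
        if p["policy"] not in m["pmaps"]:
            out.append(f"zone-pair {name}: policy-map {p['policy']!r} not defined (traffic dropped)")
    for z in sorted(m["zones"] - set(m["ifaces"].values())):
        out.append(f"zone {z}: no interface is a member")
    for name, c in m["cmaps"].items():
        if c["mode"] == "match-all" and len(c["protocols"]) > 1:
            out.append(f"class-map {name}: match-all with {len(c['protocols'])} "
                       "protocol matches can never match a single flow")
    for name, classes in m["pmaps"].items():
        if name not in attached:
            out.append(f"policy-map {name}: not attached to any zone-pair")
        for cname, actions in classes.items():
            if cname != "class-default" and cname not in m["cmaps"]:
                out.append(f"policy-map {name}: class-map '{cname}' is not defined")
            if cname == "class-default" and not actions:
                out.append(f"policy-map {name}: class-default has no action "
                           "(implicit drop, nothing logged)")
    return out


if __name__ == "__main__":
    print(*lint_zbfw(parse_zbfw(SAMPLE_CONFIG)), sep="\n")
```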


1. Cisco IOS Zone-Based Firewall (SDM) for ISRs


1. IPS Configuration Snippet

Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:
  IOS-Sxxx-CLI.pkg
  realm-cisco.pub.key.txt

Configure the Cisco IOS IPS crypto key:
  mkdir ipstore                (create the directory on flash)
  Paste the crypto key from realm-cisco.pub.key.txt

Cisco IOS IPS configuration:
  ip ips config location flash:ipstore retries 1
  ip ips notify SDEE
  ip ips name ips-policy
  ip ips signature-category
   category all
    retired true
   category ios_ips basic
    retired false
  !
  interface fastethernet 0
   ip ips ips-policy in

Load the signatures from the TFTP server:
  copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
  Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

  show ip ips signature count
  Total Compiled Signatures:338   (total active compiled signatures)


1. Cisco IOS IPS Signatures and Categories (SDM) for ISRs


1. Deploying IOS Firewall Split Tunneling (CSM) on ISRs


1. Deploying IOS IPS (CSM) on ISRs


2. Protect Servers at Branch Office

Cisco IOS Firewall and IPS policies applied to the DMZ protect distributed application servers and Web servers hosted at remote sites.

Diagram: Branch Office Router (Advanced Firewall) with Employees 192.168.1.x/24, Wireless Guests 192.168.2.x/24 and Servers 192.168.3.14-16/24 hosted separately in a DMZ; IPsec tunnel to Head Quarter over the Internet.


2. IPS Configuration Snippet

a. Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:
  IOS-Sxxx-CLI.pkg
  realm-cisco.pub.key.txt

b. Configure the Cisco IOS IPS crypto key:
  mkdir ips5                   (create the directory on flash)
  Paste the crypto key from realm-cisco.pub.key.txt

c. Cisco IOS IPS configuration:
  ip ips config location flash:ips5 retries 1
  ip ips notify SDEE
  ip ips name ips-policy
  ip ips signature-category
   category all
    retired true
   category ios_ips basic
    retired false

d. Cisco IOS IPS configuration (continued):
  interface fastethernet 1
   description DMZ interface
   ip ips ips-policy out

e. Load the signatures from the TFTP server:
  copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
  Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

  show ip ips signature count
  Total Compiled Signatures:338   (total active compiled signatures)
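In both IPS snippets (use cases 1 and 2) the signature-category block is order-sensitive: "category all / retired true" first retires every signature, then "category ios_ips basic / retired false" un-retires only the basic set; with the two statements reversed, the second would retire the basic set again and nothing would compile. The following is an added example, not code from the deck or from Cisco: it models that precedence over a constructed signature catalogue whose IDs and category memberships are made up for illustration.

```python
# Model of how ordered "category ... / retired true|false" statements in an
# "ip ips signature-category" block select the compiled signature set.
# Added example; CATALOGUE is constructed for illustration and its IDs and
# category memberships are not taken from a real IOS-Sxxx-CLI.pkg.

CATALOGUE = {
    # sig-id: (categories the signature belongs to, retired flag as shipped in the package)
    "1000:0": ({"attack", "ios_ips basic", "ios_ips advanced"}, False),
    "2004:0": ({"attack", "ios_ips basic", "ios_ips advanced"}, False),
    "3041:0": ({"attack", "ios_ips advanced"}, False),
    "5081:0": ({"attack", "ios_ips advanced"}, True),
    "6050:0": ({"os", "ios_ips default"}, False),
}

# The category block as it appears in the two snippets, in slide order.
SLIDE_CONFIG = [("all", True), ("ios_ips basic", False)]


def compiled_signatures(catalogue, statements):
    """Return the set of signature IDs left un-retired, i.e. compiled.

    statements is an ordered list of (category, retired) pairs. Each statement
    overwrites the retired flag of every signature in its category, so a later
    statement wins over an earlier one; "all" covers every signature.
    """
    retired = {sig: pkg_retired for sig, (_, pkg_retired) in catalogue.items()}
    for category, flag in statements:
        for sig, (cats, _) in catalogue.items():
            if category == "all" or category in cats:
                retired[sig] = flag
    return {sig for sig, is_retired in retired.items() if not is_retired}


def compiled_count(catalogue, statements):
    """What 'show ip ips signature count' would report as Total Compiled Signatures."""
    return len(compiled_signatures(catalogue, statements))


if __name__ == "__main__":
    print("slide order   :", sorted(compiled_signatures(CATALOGUE, SLIDE_CONFIG)))
    print("reversed order:", sorted(compiled_signatures(CATALOGUE, SLIDE_CONFIG[::-1])))
    print("no category block (package defaults):",
          sorted(compiled_signatures(CATALOGUE, [])))
```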


2. Firewall Configuration Snippet

Security zones:
  zone security private
  zone security public
  zone security dmz

Security zone policy:
  zone-pair security zone-policy source public destination dmz
   service-policy type inspect firewall-policy
  !
  interface VLAN 1
   description private interface
   zone-member security private
  !
  interface fastethernet 0
   description public interface
   zone-member security public
  !
  interface fastethernet 1
   description dmz interface
   zone-member security dmz

Classification:
  class-map type inspect match-all web-dmz
   match protocol http
   match access-group 199
  !
  access-list 199 permit tcp any host 192.168.10.3

Security policy:
  policy-map type inspect firewall-policy
   class type inspect web-dmz
    inspect


3. Virtual Firewall and IPS

Cisco IOS Firewall, NAT, and URL-filtering policies are Virtual Routing and Forwarding (VRF) aware, providing support for overlapping address space, which simplifies troubleshooting and operations.

Diagram: Store Router (Advanced Firewall) with three VRFs (VRF A, VRF B, VRF C): Photo Shop 192.168.1.x/24, Retail Store Cash Register 192.168.2.x/24 and Internet Services 192.168.2.x/24, i.e. overlapping address space. Separate IPsec tunnels over the Internet carry Photo Shop traffic to the Photo Shop Head Quarter and Retail Store traffic to the Retail Store Head Quarter.


3. Firewall Configuration Snippet

Classification:
  ! match-any is needed where a class lists several protocols; without it the
  ! class-map defaults to match-all and a single flow can never satisfy it
  class-map type inspect match-any retail-hq
   match protocol ftp
   match protocol http
   match protocol smtp extended
  class-map type inspect hq-retail
   match protocol smtp extended
  class-map type inspect match-any photo-hq
   match protocol http
   match protocol rtsp
  class-map type inspect hq-photo
   match protocol h323

Security policy:
  policy-map type inspect retail-hq
   class type inspect retail-hq
    inspect
   class class-default
    drop log
  policy-map type inspect hq-retail
   class type inspect hq-retail
    inspect
   class class-default
    drop log
  policy-map type inspect photo-hq
   class type inspect photo-hq
    inspect
   class class-default
    drop log
  policy-map type inspect hq-photo
   class type inspect hq-photo
    inspect
   class class-default
    drop log


3. Deployed Firewall Configuration Snippet (SDM)


4. Blocking Peer-to-Peer and Instant Messaging Applications

Cisco IOS Firewall can block/rate-limit instant messaging (IM) applications like MSN, AOL and Yahoo.

Diagram: Branch Office Router (Advanced Firewall) with Employees 192.168.1.x/24, Wireless Guests 192.168.2.x/24 and Servers 192.168.3.14-16/24; IPsec tunnel to Head Quarter over the Internet. The router blocks instant messengers, e.g. MSN.


4. Firewall Configuration Snippet

Virtualization (Virtual Routing and Forwarding):
  interface FastEthernet0/1.10
   encapsulation dot1Q 10
   ip vrf forwarding retail
   zone-member security retail-LAN
  !
  interface Tunnel0
   ip vrf forwarding retail
   zone-member security retail-VPN
  !
  interface FastEthernet0/1.20
   encapsulation dot1Q 20
   ip vrf forwarding photo
   zone-member security photo-LAN
  !
  ! the photo VRF needs its own tunnel interface (the slide repeats Tunnel0); Tunnel1 is assumed here
  interface Tunnel1
   ip vrf forwarding photo
   zone-member security photo-VPN

Security zones:
  zone security retail-LAN
  zone security retail-VPN
  zone security photo-LAN
  zone security photo-VPN

Security zone policy:
  zone-pair security retail-VPN source retail-LAN destination retail-VPN
  zone-pair security VPN-retail source retail-VPN destination retail-LAN
  zone-pair security photo-VPN source photo-LAN destination photo-VPN
  zone-pair security VPN-photo source photo-VPN destination photo-LAN


4. Deployed Firewall Configuration Snippet

Server list:
  parameter-map type protocol-info msn-servers
   server name messenger.hotmail.com
   server name gateway.messenger.hotmail.com
   server name webmessenger.msn.com
  parameter-map type protocol-info aol-servers
   server name login.oscar.aol.com
   server name toc.oscar.aol.com
   server name oam-d09a.blue.aol.com

Classification:
  class-map type inspect match-any IM
   match protocol msnmsgr msn-servers
   match protocol aol aol-servers
  class-map type inspect match-all IMs
   match class-map IM

IM-blocking policy:
  policy-map type inspect IM-blocking
   class type inspect IMs
    drop log

Security zones:
  zone security public
  zone security private

Zone policy:
  zone-pair security IM-Zone-policy source private destination public
   service-policy type inspect IM-blocking
  !
  interface VLAN 1
   description private interface
   zone-member security private
  !
  interface fastethernet 0
   description public interface
   zone-member security public


4. Blocking Instant Messaging MSN/AOL (SDM)


5a. Load Balancing with Two Providers

Cisco IOS Firewall supports WAN load balancing.

Diagram: Branch Office Router (Advanced Firewall) with Employees 192.168.1.x/24, Wireless Guests 192.168.2.x/24 and Servers 192.168.3.14-16/24, dual-homed to ISP-1 and ISP-2; IPsec tunnel to Head Quarter over the Internet.
WAN load balancing: multi-home NAT, destination-based load balancing, zone-based firewall.


5a. Configuration Snippet

Classification:
  class-map type inspect match-any internet
   match protocol http
   match protocol https
   match protocol dns
   match protocol smtp
   match protocol icmp
  !
  policy-map type inspect private
   class type inspect internet
    inspect
   class class-default

WAN load balancing configs:
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip route 0.0.0.0 0.0.0.0 Dialer0
  !
  ip nat inside source route-map dsl0 interface Dialer0 overload
  ip nat inside source route-map dsl1 interface Dialer1 overload
  !
  route-map dsl1 permit 10
   match ip address 121
   match interface Dialer1
  route-map dsl0 permit 10
   match ip address 120
   match interface Dialer0
  !
  access-list 120 permit ip 192.168.10.0 0.0.0.255 any
  access-list 121 permit ip 192.168.10.0 0.0.0.255 any

Policy based routing:
  route-map IPSEC permit 10
   match ip address 128
   match interface Dialer1
  !
  access-list 128 permit esp 192.168.10.0 0.0.0.255 any


5a. Configuration Snippet

Security zones configs:
  zone security trust
  zone security untrust
  !
  zone-pair security firewall source trust destination untrust
   service-policy type inspect private

Interface configs:
  interface Dialer0
   zone-member security untrust
   ip nat outside
  !
  interface Dialer1
   zone-member security untrust
   ip nat outside
  !
  interface BVI1
   zone-member security trust
   ip nat inside


5b. Failover with Two Providers

WAN object tracking

Diagram: Branch Office Router (Advanced Firewall) with Employees 192.168.1.x/24, Wireless Guests 192.168.2.x/24 and Servers 192.168.3.14-16/24, dual-homed to ISP-1 and ISP-2; IPsec tunnel to Head Quarter over the Internet.
WAN failover: object tracking, failover, zone-based firewall.


5b. Configuration Snippet: Private Zone Policy

Interface configurations:
  interface FastEthernet0
   description WAN-1 Interface
   ip address dhcp
   ip nat outside
   ip dhcp client route track 123
  !
  interface Dialer0
   description WAN-Backup interface
   ip address negotiated
   ip nat outside

NAT configuration:
  ip nat inside source route-map fixed-nat interface Dialer0 overload
  ip nat inside source route-map dhcp-nat interface FastEthernet0 overload
  !
  route-map fixed-nat permit 10
   match ip address 110
   match interface Dialer0
  !
  route-map dhcp-nat permit 10
   match ip address 110
   match interface FastEthernet0

Tracking configuration (object tracking):
  track timer interface 5
  !
  track 123 rtr 1 reachability
   delay down 15 up 10
  !
  ip sla 1
   icmp-echo 172.16.1.1 source-interface Dialer0
   timeout 1000
   threshold 40
   frequency 3
  ip sla schedule 1 life forever start-time now


5b. Configuration Snippet: Private Zone Policy (Continued)

Security zones configs:
  zone security trust
  zone security untrust
  !
  zone-pair security firewall source trust destination untrust
   service-policy type inspect private
  !
  interface FastEthernet0
   description WAN Interface
   zone-member security untrust
  !
  interface Dialer0
   description Backup Interface
   zone-member security untrust
  !
  interface Vlan1
   zone-member security trust

NAT configuration (continued):
  access-list 110 permit ip 192.168.108.0 0.0.0.255 any

Routing configuration:
  ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
  ip route 0.0.0.0 0.0.0.0 dhcp 10

Classification:
  class-map type inspect match-any internet
   match protocol http
   match protocol https
   match protocol dns
   match protocol smtp
   match protocol icmp
  !
  policy-map type inspect private
   class type inspect internet
    inspect
   class class-default


Case Study


Education: Centralized Deployment

Diagram: three Schools, each connected by a T1 link over a Private WAN to a central site with Internet access. Intrusion Prevention System (IPS) is applied on traffic from the Schools to kill worms from infected PCs; URL filtering is shown for each school.


Education: Decentralized Deployment

Diagram: three Schools, each with a T1 link to the Private WAN and a DSL backup link to the Internet, and a District School Building. IPS is applied on traffic from the Schools to kill worms from infected PCs. Secure Internet at each site: advanced Layer 3-7 firewall and web usage control (URL filtering against illegal surfing).


Summary

There is an established and increasing trend of integrated services in the routing industry

The Integrated Services Edge has become a more common deployment than a distributed architecture

Cisco IOS network security technologies enable new business applications by reducing risk, as well as helping to protect sensitive data and corporate resources from intrusion

Consolidation of branch office equipment to lower OPEX is giving rise to integrated security, as is evident from the real world use cases


Q and A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.


Appendix


Cisco Security Router Certifications

Certifications: FIPS 140-2, Level 2 | Common Criteria IPsec (EAL4) | Common Criteria Firewall (EAL4)

Platform and target dates:

Cisco® 870 ISR Q3CY07

Cisco 1800 ISR Q3CY07

Cisco 2800 ISR Q3CY07

Cisco 3800 ISR Q3CY07

Cisco 7200 VAM2+ Q3CY07

Cisco 7200 VSA Q4CY07 Q3CY07 ---

Cisco 7301 VAM2+ Q3CY07

Cisco 7600 IPsec VPN SPA Q3CY07 ---

Cisco ASR1000 Series CY08 CY08 CY08

Catalyst 6500 IPsec VPN SPA Q3CY07 ---

Cisco 7600 Q3CY07

Cisco.com/go/securitycert


Cisco IOS Network Foundation Protection

Data plane feature: function and benefit
  NetFlow: macro-level, anomaly-based DDoS detection through counting the number of flows (instead of contents); provides rapid confirmation and isolation of an attack
  Access Control Lists (ACLs): protect edge routers from malicious traffic; explicitly permit the legitimate traffic that can be sent to the edge router's destination address
  Flexible Packet Matching (FPM): next-generation "Super ACL"; pattern-matching capability for more granular and customized packet filters, minimizing inadvertent blocking of legitimate business traffic
  Unicast Reverse Path Forwarding (uRPF): mitigates problems caused by the introduction of malformed or spoofed IP source addresses into either the service provider or customer network
  Remotely Triggered Black Holing (RTBH): drops packets based on source IP address; filtering is at line rate on most capable platforms. Hundreds of lines of filters can be deployed to multiple routers even while the attack is in progress
  QoS tools: protect against flooding attacks by defining QoS policies to limit bandwidth or drop offending traffic (identify, classify and rate limit)

Control plane feature: function and benefit
  Receive ACLs: control the type of traffic that can be forwarded to the processor
  Control Plane Policing: provides QoS control for packets destined to the control plane of the router; ensures adequate bandwidth for high-priority traffic such as routing protocols
  Routing protection: MD5 neighbor authentication protects the routing domain from spoofing attacks; redistribution protection safeguards the network from excessive conditions; overload protection (e.g. prefix limits) enhances routing stability

Management plane feature: function and benefit
  CPU and memory thresholding: protects the CPU and memory of a Cisco IOS Software device against DoS attacks
  Dual export syslog: syslog exported to dual collectors for increased availability