It's hard to find a company these days that doesn't have its corporate network connected to the Internet in some way. Naturally, when you decide to establish an Internet connection, especially an "always on" connection typical of corporate networks, you have security considerations. Probably the most basic component of security between a private network, such as that of a company, and a public network, such as the Internet, is a firewall. As you go through the working world, you also find that Cisco routers have the lion's share of the market, connecting private networks to each other and to the Internet. In this article we'll introduce a feature set of Cisco's Internetworking Operating System (IOS) that provides firewall capabilities. There is an additional licensing fee to use the IOS firewall feature set, and depending on the router model you may have to upgrade the RAM in order to use it. The first time I installed it on a 2501 router, for example, I had to upgrade the standard 4MB of RAM to 8MB.

Here we will start with the basics of setting up access control lists, and in a future article examine the more advanced features of the firewall feature set.

The IOS firewall offers three levels of access control features, from basic to advanced. They are:
Standard Access Control Lists and Extended Access Control Lists

These types of access control lists provide basic traffic filtering capabilities. Essentially you define criteria for the IP addresses and ports that you want to allow to pass in and out of your network. For an average small to mid-sized network, these lists may be all you need. We will focus on these in this article, though we'll briefly mention the more advanced access control features, which we can discuss in more detail in a future article.

Lock-and-Key (Dynamic Access Control Lists)

Lock-and-key traffic filtering is a more advanced form of access control that allows temporary openings in the firewall for individuals who authenticate with a username and password. Because the opening is temporary (it closes when the user disconnects), security is tighter than simply leaving certain ports open all the time. It's more inconvenient for average day-to-day use, but useful if you have users who only need to connect through the firewall on occasion for specialized services.

Context-Based Access Control (CBAC)

Context-based access control works at a higher level than access control lists, examining the actual content of packets to determine whether they should be allowed to pass or denied. This type of "stateful inspection" firewall is much more secure than a basic packet filtering firewall, and CBAC gives the firewall the ability to handle protocols that work over multiple channels simultaneously. The downside to CBAC is that the increased memory usage and processing time can have a performance impact on packet routing. It is the best level of security the IOS firewall feature set provides, though, and will be the subject of a future article.
Access Control Lists (or just access lists) provide the basic level of firewall functionality in the IOS feature set. You generally need to create two access lists, one for inbound traffic and one for outbound traffic (though you can configure up to 99 standard access lists if your network is more complicated). For most protocols, such as HTTP, you only have to configure access in one direction. For example, you allow HTTP outbound but don't have to do anything special to allow the traffic to come back through. With some protocols, particularly multimedia protocols, you might need to likewise configure a return path through the inbound access list.

Before we demonstrate creating an access list, it is important to note a couple of things about their behavior. The first is that rules are processed in the order they are listed (top to bottom), so how you arrange your rules can have a significant impact on how your firewall functions. Second, there is an implicit "deny all" at the end of each access list, which means that anything not defined in your access list is rejected. That eases management, since you don't have to configure rules to reject anything not explicitly allowed.
Creating an access list can be done by editing the configuration file and uploading it through a TFTP server, though most people log in through a telnet or console session to configure the router. If you do the latter, issue the enable command and enter the password to gain superuser permissions on the router.

After logging in, you can issue the show running-config command to view the current configuration. It is highly recommended that you make a copy of your current configuration before you start making changes. If you are logged in through a telnet connection, simply copy and paste the configuration into a text document.

There are two steps to setting up your traffic filtering. The first is to create the access control lists; the second, covered later in this article, is to apply them to an interface.
For our purposes, we're going to assume you are telnetting into a router that is already set up and passing traffic, and that we're adding the access lists to provide security on that existing connection. That's a common scenario: you get your basic routing up and running, and then configure services on it such as a firewall. To create an access list, log in to the router as above and issue config terminal to enter configuration mode.

You can call your access lists anything you want, though IOS versions prior to 11.2 won't recognize named lists (they accepted numbers only to identify lists). Out of habit many network engineers have stuck with the numbering scheme. Since that is what I was taught as well, that's what I use. Any version of IOS 11.2 or greater can recognize names though, so you can be more descriptive with your naming if you'd like.
We'll begin by creating an outbound access list, which controls what traffic can pass from your internal network to the Internet. The format of the command is:

access-list <acl name or number> permit|deny <protocol> <source-address> <destination-address> <port>

You only have to use what is applicable from the above in your rule, and there are some shortcuts we can take. For example, we want to allow anyone on the internal network to access any website on the Internet:

access-list 101 permit tcp any any eq www
The above says that access list 101, which we've named our outbound list, will let the TCP protocol www (HTTP, port 80) from any internal address (source) pass through to any destination address. Now, say you wanted to allow any internal computer to use the NNTP protocol to read newsgroups, but only to a specific news server on the Internet. That command would look like this:

access-list 101 permit tcp any host 192.168.0.100 eq nntp
The above command is similar to the one before it, but rather than granting access to any destination, the destination is explicitly defined. You might find cause at some point to prevent users from accessing a particular host on the Internet. We had a situation with the ILOVEYOU virus where users' browsers attempted to contact a specific website on the Internet to download a malicious program. Because of that, I added a rule that denied access to the subnet the particular ISP's webservers were on (the 0.0.0.255 wildcard mask covers the whole 194.87.6.x range):

access-list 101 deny ip any 194.87.6.0 0.0.0.255
Creating inbound access lists is largely similar. If you are allowing access to webservers or other services on your network, it is important to put your rules in the correct order so that they behave the way you want. For example, say you have a mail server and you want users to be able to connect to it from the Internet. You don't want users to have access to any other services on that server, however. The rules would look like this:

access-list 102 permit tcp any host 192.168.0.101 eq smtp
access-list 102 permit tcp any host 192.168.0.101 eq pop3
access-list 102 deny ip any host 192.168.0.101
The above rules allow access to the server 192.168.0.101 for SMTP and POP3 traffic, then block everything else to it. Rule ordering matters here because if you put the deny rule before the permit rules, all traffic to the server would be blocked. The firewall stops processing rules as soon as it finds one that permits or denies the traffic in question.
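To make the first-match and implicit-deny behaviour concrete, here is an added Python evaluator (example code, not from the article or from Cisco) that walks an extended access list exactly as described: top to bottom, first match wins, implicit deny when nothing matches. It is loaded with list 102 from above and with the outbound subnet deny, and it also shows why that deny has to sit above the broad www permit in list 101: with the permit first, web traffic to the subnet matches the permit and is never denied. The port-name table, the /24 wildcard and the test addresses are assumptions.

```python
import ipaddress

# Added example, not the article's code: evaluates a packet against an IOS
# extended access list top to bottom, first match wins, implicit deny at end.
PORTS = {"www": 80, "smtp": 25, "pop3": 110, "nntp": 119, "telnet": 23}

def parse_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1])))
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_entry(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    src, rest = parse_addr(tok[4:])
    dst, rest = parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS.get(rest[1]) or int(rest[1])
    return tok[2], tok[3], src, dst, port

def evaluate(acl_lines, proto, src, dst, port=None):
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, pt in map(parse_entry, acl_lines):
        if p in ("ip", proto) and src in s and dst in d and pt in (None, port):
            return action
    return "deny"  # the implicit deny at the end of every access list

# The article's inbound list 102 for the mail server, in the order shown.
INBOUND_102 = [
    "access-list 102 permit tcp any host 192.168.0.101 eq smtp",
    "access-list 102 permit tcp any host 192.168.0.101 eq pop3",
    "access-list 102 deny ip any host 192.168.0.101",
]
# Same entries with the deny on top: the permits below it never match.
DENY_FIRST_102 = INBOUND_102[2:] + INBOUND_102[:2]
# Outbound list 101: the subnet deny must precede the broad www permit.
OUTBOUND_101 = [
    "access-list 101 deny ip any 194.87.6.0 0.0.0.255",
    "access-list 101 permit tcp any any eq www",
]
```

Feeding `list(reversed(OUTBOUND_101))` to `evaluate` permits web traffic into 194.87.6.0/24, which matters on a live router because new `access-list` lines are appended to the end of a numbered list.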
You can also use inbound rules to allow traffic from only specified hosts to certain services. An example would be if you had a client who you wanted to be able to establish a telnet connection to a server on your internal subnet without permitting all telnet traffic. The rules would look something like:

access-list 102 permit tcp host 216.99.100.62 host 192.168.0.5 eq telnet
access-list 102 deny ip host 216.99.100.62 any
The above would allow telnet from IP address 216.99.100.62 to the internal server 192.168.0.5, then deny any other IP traffic from that host.
Once you create access lists on your router, you have to apply them to an interface for them to take effect. This is a simple process but one important not to overlook, since if you don't apply your access lists they won't have any effect on traffic.

This step is done in interface configuration mode. For a firewall controlling access to the Internet, the interface would be the serial interface your Internet connection is attached to. For example, log in to the router in superuser mode, enter configuration mode, and issue interface serial0 to enter interface configuration mode for the first serial interface. The command is as follows:

ip access-group <acl name or number> in|out
Using the access lists we created above, we would issue the commands:

ip access-group 101 out
ip access-group 102 in
At this point we would hit Ctrl-Z to exit configuration mode and view the configuration to make sure we didn't make any mistakes. Once we were happy with it we would write the current configuration to memory so it would still be active if the router rebooted. You can either use the older write memory command for that, or the more current copy running-config startup-config.
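As an added check for the step just described (example code, not from the article or from Cisco), the following Python script parses the relevant lines of a saved show running-config and reports two mistakes that are easy to make: access lists that are defined but bound to no interface, and ip access-group bindings that name a list with no entries. The sample configuration is constructed for the example; its interface names, addresses and lists 103 and 104 are assumptions.

```python
import re

# Added example, not the article's code: cross-checks the access lists in a
# saved 'show running-config' against the 'ip access-group' statements that
# apply them, the step the article warns is easy to overlook.
# Constructed sample config: list 103 is never applied, list 104 never defined.
RUNNING_CONFIG = """\
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 out
 ip access-group 102 in
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 104 in
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any host 192.168.0.100 eq nntp
access-list 102 permit tcp any host 192.168.0.101 eq smtp
access-list 102 permit tcp any host 192.168.0.101 eq pop3
access-list 102 deny ip any host 192.168.0.101
access-list 103 permit tcp host 216.99.100.62 host 192.168.0.5 eq telnet
"""

def audit_acls(config):
    """Return (unapplied, undefined).

    unapplied: access lists defined but bound to no interface, so they
    filter nothing.  undefined: (interface, direction, list) bindings whose
    list has no entries; IOS passes all traffic through such a binding,
    which is the opposite of the implicit deny a populated list ends with.
    """
    defined, applied, iface = set(), [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("!"):
            iface = None
        m = re.match(r"\s*ip access-group (\S+) (in|out)\s*$", line)
        if m and iface:
            applied.append((iface, m.group(2), m.group(1)))
        m = re.match(r"access-list (\d+) |ip access-list (?:standard|extended) (\S+)", line)
        if m:
            defined.add(m.group(1) or m.group(2))
    unapplied = sorted(defined - {acl for _, _, acl in applied})
    undefined = [b for b in applied if b[2] not in defined]
    return unapplied, undefined
```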
Cisco's IOS firewall feature set offers basic and advanced levels of firewall functionality. We demonstrated how to configure basic access lists to provide packet filtering capabilities, something that is useful both in the real world and if you are taking Cisco's certification exams. Even with a firewall though, network security is an ongoing process that must be continually worked on to be most effective. If you have questions or comments about this article, you can reach Will at WWillis@Transcender.com.