Introduction

Cisco has been an important part of the networking industry for many years and will continue to become more important. The first router product that I worked on, back in 1993, was a Cisco AGS+. I have seen many flavors of the Cisco IOS Software, including the introduction of most of the security features you see today in the Cisco IOS Software operating system. Over the past several years, I have seen security becoming a key component in network design. And with more companies using the Internet as a business tool today, security is more important than ever.

Goals and Methods

Three years ago, I realized that there were many certification books to help people pass Cisco security certification exams; however, I found no books of any substance that brought Cisco security features together to be applied in a real-life situation. I continually monitor various Cisco newsgroups and constantly see questions related to how to implement various Cisco security features. This was the foundation of my first security book, Cisco PIX Firewalls.

The purpose of this book, Cisco Router Firewall Security, is to show you how to implement a perimeter firewall solution using Cisco routers. To that end, this book focuses on important features of the Cisco IOS Software, and how to use them to secure your perimeter router and provide a secure solution for traffic entering and leaving the perimeter of your network. Of course, many of the topics I discuss in this book can be applied to any Cisco router in your network; however, because most mid- to large-size networks have a Cisco router on their perimeter, I focus this text on perimeter security problems and how to use a Cisco router to deal with these problems. This is not a certification book, but a “how to” book. I’ve included the following methods to help you with the “how to” process:

• Providing explanations and information to fill in your knowledge gaps

• Explaining advantages and disadvantages of the various Cisco IOS Software security features, to help you understand when they should be used

• Using small examples from my personal consulting experience to illustrate the issues related to security

• Supplying many examples, including a detailed case study at the end of the book, to show you how Cisco’s security features should be implemented

Who Should Read This Book?

This book is intended to provide the necessary framework for using a Cisco router as a perimeter firewall solution. With this goal in mind, this is a “how-to” book. Although other objectives can be achieved from using this book, such as preparing for Cisco’s CCSP SECUR exam, this book is written with one main goal in mind: to secure your perimeter network using Cisco routers.

This book assumes that you have a basic understanding of Cisco routers and the Cisco IOS Software operating system and command-line interface (CLI). I assume that you have an intermediate to advanced level of knowledge of Cisco routers and, minimally, that you have Cisco’s CCNA certification to understand and make best use of the material in this book.

Because this book focuses on using Cisco IOS Software features to enhance the security of your perimeter routers, it will be very useful for any network administrator or engineer who currently must provide security for the perimeter of a network, as well as anyone who needs to enhance the security of other routers in a network.

How This Book Is Organized

Although this book can be read cover to cover, it is designed to allow you to move easily among chapters and sections of chapters to cover just the material that you are interested in. However, each part and each chapter in each part builds upon the others. There are nine parts to this book. Each part deals with an important component of perimeter router security, and each chapter covers Cisco IOS Software features that you can use to implement your perimeter router security. The following topics are covered in the chapters of this book:

Part I, “Security Overview and Firewalls”

Chapter 1, “Security Threats”—This chapter contains a brief overview of the kinds of threats that you’ll face in securing your network, as well as some generic solutions that you can use to deal with these threats. The chapter begins with a discussion of the causes of security problems. It also categorizes security threats and lists some common and not-so-common security threats you’ll face: how they’re implemented and a quick overview of how you can deal with them. This chapter lays the groundwork for the rest of the book, which focuses on firewall technologies to protect the perimeter of your network.

Chapter 2, “Introduction to Firewalls”—This chapter contains an introduction to firewall technologies and the different types of firewall implementations. It includes a brief overview of the OSI Reference Model and uses this model to explain how different types of firewall technologies provide different levels of protection. This chapter also has an introduction to firewall design, including the components typically used to provide a firewall solution. Finally, it introduces the technologies that are discussed in this book.

Part II, “Managing Access to Routers”

Chapter 3, “Accessing a Router”—This chapter is the first in the book that deals with Cisco IOS Software features and their implementation. Chapters 3, 4, and 5 discuss how to use Cisco IOS Software features to protect access to the router itself. This chapter focuses on securing basic access to your perimeter router. It discusses the different access methods to a router and the solutions you can use to secure these types of access; it also offers warnings about using certain kinds of access methods. In addition, it discusses how to set up different levels of EXEC access on your perimeter router and how to assign accounts to the different levels of access.

Chapter 4, “Disabling Unnecessary Services”—This chapter covers how to disable global services, how to disable interface services, and how to use the AutoSecure feature. AutoSecure is a new Cisco IOS Software feature, similar to the System Configuration Dialog script, and is used to automate the basic securing of your router.

Chapter 5, “Authentication, Authorization, and Accounting”—This chapter discusses the use of AAA to secure your perimeter router. AAA has many features, but this chapter focuses only on those used to secure your perimeter router, including the use of local and remote AAA.

Part III, “Nonstateful Filtering Technologies”

Chapter 6, “Access List Introduction”—This chapter contains an introduction to access control lists (ACLs). If you already have your CCNA, you should be familiar with this material.

Chapter 7, “Basic Access Lists”—This chapter includes coverage of the following types of basic ACLs: numbered, named, standard, extended, and timed. It also discusses some new ACL features, such as sequenced ACLs (with the capability to delete any ACL entry or insert a new ACL entry anywhere into an existing list), ACL remarks, logging of ACL information, and turbo ACLs (compiling ACLs to improve router processing efficiency). The last part of the chapter focuses on using ACLs to block various types of security threats and attacks, such as spoofing, DoS, Trojan horses, and worm attacks, as well as unnecessary or nuisance services, such as Peer-to-Peer (P2P) file-sharing and instant messenger (IM) programs.

Part IV, “Stateful and Advanced Filtering Technologies”

Chapter 8, “Reflexive Access Lists”—This chapter discusses the use of reflexive ACLs (RACLs). RACLs are a precursor to Cisco’s CBAC technology and are a semistateful firewall feature. This chapter discusses the advantages and disadvantages of using RACLs on perimeter routers to implement a stateful firewall function. The end of the chapter has an example of using RACLs with a two- and three-interface perimeter router.

Chapter 9, “Context-Based Access Control”—This chapter covers Cisco’s recommended stateful firewall feature: CBAC. Because this is the first chapter that introduces a feature from the Cisco IOS Software Firewall feature set, it includes a brief overview of these features. Following this, the chapter discusses the advantages and limitations of CBAC and then its implementation. Some of CBAC’s components, such as DoS protection, are left for later chapters. The end of the chapter has a few examples, including a complex three-interface router example.

Chapter 10, “Filtering Web and Application Traffic”—This chapter covers the filtering of application layer traffic, including web traffic. The first part of the chapter deals with web traffic filtering, including the filtering of Java applets and URLs embedded in HTTP requests. The second half of the chapter introduces Network-Based Application Recognition (NBAR). NBAR normally is used to implement QoS functions on a router; however, it also can be used to implement bandwidth and security policies. Other places in this book also discuss the use of NBAR, which is a very useful and flexible Cisco IOS Software feature.

Part V, “Address Translation and Firewalls”

Chapter 11, “Address Translation”—This chapter covers address translation on routers. It begins with an overview of what address translation is and the various types of translation and their limitations. The last half of the chapter discusses the implementation of these types of address translation.

Chapter 12, “Address Translation Issues”—This chapter focuses on some key issues with address translation and solutions for dealing with these issues. It first discusses issues with embedded addresses and how the Cisco IOS Software can deal with these when performing address translation. Then it covers how you can incorporate redundancy in your network when you use address translation, specifically for the address-translation device. In addition, it discusses various methods of load balancing, such as HSRP and server load balancing (SLB).

Part VI, “Managing Access Through Routers”

Chapter 13, “Lock-and-Key Access Lists”—This chapter covers the use of lock-and-key ACLs to authenticate users’ connections before you grant them access through your perimeter router. This was the first solution Cisco developed for this problem and originally was meant for dialup access; however, it also can be used to authenticate users passing traffic through a perimeter router.

Chapter 14, “Authentication Proxy”—This chapter covers the use of another Cisco IOS Software Firewall feature set component: Authentication Proxy (AP). AP is Cisco’s recommended feature for authenticating users before allowing them to pass traffic through a router. This chapter covers the many advantages that AP has over lock-and-key, as well as its implementation.

Chapter 15, “Routing Protocol Protection”—This chapter discusses the protection of the routing process on your router, which, in turn, controls the router’s traffic flow. This chapter focuses on authentication for routing protocols, as well as how to protect your router from routing and spoofing attacks. These concepts include black hole routing, interior gateway protocol (IGP) security, BGP security, and reverse-path forwarding (RPF).

Part VII, “Detecting and Preventing Attacks”

Chapter 16, “Intrusion-Detection System”—Another component of the Cisco IOS Software Firewall feature set is detecting attacks with a rudimentary IDS component. This chapter contains an introduction to IDS, including signatures, and then follows with the configuration of IDS on a perimeter router.

Chapter 17, “DoS Protection”—This chapter contains solutions to protect a router and network from DoS attacks. The first part of the chapter discusses how to detect DoS attacks; the last half discusses tools that you can use for protection, including TCP Intercept, CBAC, and rate limiting.

Chapter 18, “Logging Events”—This chapter discusses how to set up logging on your perimeter router. It covers basic logging, as well as logging to an external server using syslog. It also covers the use of time stamps with logging records and your options for setting the time on your router, including doing so manually and using the Network Time Protocol (NTP). The chapter also covers the Embedded Syslog Manager (ESM), which lets you customize the Cisco IOS Software syslog functions, including e-mail alerts. The last part of the chapter briefly discusses the kinds of things that you should look for in your log files to spot attacks against your router and network.

Part VIII, “Virtual Private Networks”

Chapter 19, “IPSec Site-to-Site Connections”—This chapter discusses the use of a perimeter router to terminate a site-to-site IPSec connection. The chapter begins by discussing preparation needs and then continues to discuss the configuration of the management connection in IKE Phase 1, including device authentication options. The second half of the chapter covers the setup of the data connections in IKE Phase 2, including troubleshooting of your IPSec connections.

Chapter 20, “IPSec Remote-Access Connections”—This chapter discusses the use of a perimeter router to terminate IPSec remote-access connections. The chapter begins with an overview of remote access, including how remote-access connections are established. The rest of the chapter discusses the use of the Easy VPN feature to establish remote-access connections.

Part IX, “Case Study”

Chapter 21, “Case Study”—This last chapter contains a case study that implements many of the features discussed throughout this book. It presents a company’s problems in protecting its perimeter network, along with explanations of those problems and solutions to them.

Additional Information

Many of the features discussed in this book are supported only on various router models or Cisco IOS Software versions. To learn whether a Cisco IOS Software feature is supported on a specific router platform or Cisco IOS Software version, use the Cisco Feature Navigator at http://www.cisco.com/go/fn. You need a CCO account to use this feature.

For a list of product security advisories and notices for Cisco products and Cisco IOS Software releases, visit http://www.cisco.com/warp/public/707/advisory.html.


Tip

I highly recommend that you carefully review this list before loading a specific Cisco IOS Software version on your perimeter router.


If your router or network has been attacked, you can find a list of law-enforcement contacts at http://www.cisco.com/warp/public/707/LE-contacts.html.

For a list of additional security tools that you can use to detect weaknesses in your network, as well as secure your network, you can visit the following websites:

http://www.packetstormsecurity.nl

http://www.insecure.org/nmap

http://www.laurentconstantin.com/en/lcrzoex

http://www.hping.org
