Cisco IOS Firewall Features

Cisco IOS Firewall combines firewall features, routing services, and intrusion detection within a single router IOS. Formerly called the Cisco IOS Firewall Feature Set, Cisco IOS Firewall provides security and policy enforcement on a wide range of routers.

Cisco IOS Firewall adds functionality to the existing Cisco IOS security capabilities. These enhancements include encryption, failover services, authentication, per-user authentication, real-time intrusion alerts, and application-based filtering through CBAC.

In Chapter 6, “Intrusion Detection Systems,” Table 6-1 contains the Cisco IOS intrusion-detection signatures that are used in conjunction with CBAC. There are a total of 59 distinctive signatures recognized by Cisco IOS Firewall. These signatures are listed in the same numerical order as listed by their signature number in the NetRanger Network Security Database.

These intrusion-detection signatures were chosen as representative of the most common network attacks and information gathering scans not commonly found in an operational network.

Included in Table 6-1 is an indication of the type of signature: Info or Attack, Atomic or Compound. Atomic signatures that show as Atomic* are allocated memory for session states by CBAC.

Port Application Mapping (PAM)

Port Application Mapping (PAM) gives the administrator the ability to customize TCP and UDP port numbers in relation to access lists. PAM allows support of services using ports different from the registered and well-known ports associated with an application.

PAM creates a table of default port-to-application mapping information at the firewall router. This table is populated with system-defined maps when the IOS is booted. The administrator can modify this table to include host-specific and user-defined mappings. The PAM table works with CBAC-supported services to allow applications through the access list while still running on nonstandard ports. Without the use of PAM, CBAC is limited to inspecting traffic using only the standard application ports. CBAC will use the PAM table to identify a service or application. CBAC associates the nonstandard port numbers entered through PAM with specific protocols. The mappings serve as the default port mapping for traffic passing through the router.

System-Defined Port Mapping

When the system starts, the PAM table is created, and the system-defined entries are loaded into it. The PAM table contains entries for all the services supported by CBAC, which require the system-defined mapping information to function properly.

These system-defined mappings cannot be deleted or changed. It is possible, however, to override the system-defined entries for specific hosts using the PAM host-specific option.

Table 5-1 lists the system-defined services, port mappings, and protocol descriptions.

Table 5-1. PAM System-Defined Services

System-Defined Service   Port   Protocol
cuseeme                  7648   CU-SeeMe
exec                     512    Remote Process Execution
ftp                      21     File Transfer Protocol control port
http                     80     Hypertext Transfer Protocol
h323                     1720   H.323 protocol used by MS NetMeeting and Intel Video Phone
msrpc                    135    Microsoft Remote Procedure Call
netshow                  1755   Microsoft NetShow
real-audio-video         7070   RealAudio and RealVideo
smtp                     25     Simple Mail Transport Protocol
sqlnet                   1521   SQL*Net
streamworks              1558   StreamWorks Protocol
sunrpc                   111    SUN Remote Procedure Call
tftp                     69     Trivial File Transfer Protocol
vdolive                  7000   VDOLive

User-Defined Port Mapping

Using applications with nonstandard ports requires the addition of user-defined entries into the PAM table. Each instance of a nonstandard application is entered into the table. Applications can be enabled to use multiple ports or a range of ports by entering each port in succession. Entering a port number a second time with a new application overwrites the original entry. Attempting to enter an application using a system-defined port results in an error message and an unsuccessful mapping. Save mappings by writing the router configuration.

Host-Specific Port Mapping

User-defined entries can include host-specific mapping information, which establishes port mapping information for specific hosts or subnets. Host-specific port mapping overrides system-defined entries in the PAM table. It might be necessary to override the default port mapping information for a specific host or subnet.

Using host-specific port mapping, the same port number can be used for different services on different hosts. For example, it is possible to assign port 6565 to Telnet on one host while assigning the same port (6565) to HTTP on another host.

Host-specific port mapping also allows PAM to be applied to individual subnets. In the same way, you can assign port 6565 to Telnet on one subnet while assigning the same port (6565) to HTTP on another subnet.

Configuring PAM

The ip port-map command is used to configure PAM. The following example sets HTTP to ports 8000, 8001, 8002, and 8003. After this command is run, the keyword http in an access list will relate not only to the default port 80, but also to the ports 8000, 8001, 8002, and 8003. This example is entered in the global configuration mode and applies globally:

ip port-map http port 8000
ip port-map http port 8001
ip port-map http port 8002
ip port-map http port 8003

If PAM is to be applied to only a specific access list, the entries are made with the additional keyword list and the number of the affected access list. The following example shows HTTP ports mapped to access list 101. In this case, HTTP for access list 101 includes port 80 (the default), as well as port 8000:

!HTTP is carried over TCP, so the extended access list must match tcp, not ip
access-list 101 permit tcp any any eq http
!map HTTP to port 8000 only for traffic matched by access list 101
ip port-map http port 8000 list 101

In the following example, a specific host runs HTTP services on port 21, which is the system-defined port for FTP. Therefore, it requires a host-specific entry:

!define the host that will have the default mapping changed
access-list 55 permit 172.30.1.2
!map HTTP to port 21 for that host, replacing the default usage for port 21
ip port-map http port 21 list 55
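The precedence rules described in the PAM sections above (system-defined entries cannot be overwritten globally, user-defined entries overwrite each other port by port, and host-specific entries override everything for the hosts an access list selects) are easy to misread when only the CLI is shown. The following Python model is an added example, not Cisco code and not an emulation of IOS internals: it reproduces the three configurations from this section and answers the question CBAC must answer, "which application is running on this port for this host". The class, method and helper names (PamTable, port_map, access_list, resolve, ports_for, build_example) are this example's own, and the rule that the most recently configured host-specific entry wins when two access lists match the same host and port is an assumption, since the text does not specify it.

```python
"""Model of the PAM table and its lookup precedence (added example, not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# System-defined mappings taken from Table 5-1 (port -> application keyword).
SYSTEM_DEFINED = {
    7648: "cuseeme", 512: "exec", 21: "ftp", 80: "http", 1720: "h323",
    135: "msrpc", 1755: "netshow", 7070: "real-audio-video", 25: "smtp",
    1521: "sqlnet", 1558: "streamworks", 111: "sunrpc", 69: "tftp", 7000: "vdolive",
}


class PamError(Exception):
    """Raised where the router would print an error and refuse the mapping."""


@dataclass
class PamTable:
    user: dict = field(default_factory=dict)        # user-defined global entries: port -> app
    acls: dict = field(default_factory=dict)        # acl number -> list of networks it permits
    host_maps: list = field(default_factory=list)   # host-specific entries (acl, port, app)

    def access_list(self, number, *networks):
        """Stand-in for 'access-list N permit <host|subnet>' (hosts the list selects)."""
        self.acls.setdefault(number, []).extend(ip_network(n, strict=False) for n in networks)

    def port_map(self, app, port, acl=None):
        """Model 'ip port-map <app> port <port> [list <acl>]'."""
        if acl is None:
            # A global user-defined entry may not claim a system-defined port.
            if port in SYSTEM_DEFINED:
                raise PamError(f"port {port} is system-defined ({SYSTEM_DEFINED[port]})")
            self.user[port] = app            # re-entering a port overwrites the earlier app
            return
        if acl not in self.acls:
            raise PamError(f"access-list {acl} is not defined")
        # Same acl and port entered again: the newer application replaces the older one.
        self.host_maps = [m for m in self.host_maps if (m[0], m[1]) != (acl, port)]
        self.host_maps.append((acl, port, app))

    def resolve(self, host, port):
        """Application CBAC would inspect for traffic to host:port, or None if unmapped."""
        addr = ip_address(host)
        # Host-specific entries win; assumption: the latest matching entry takes precedence.
        for acl, p, app in reversed(self.host_maps):
            if p == port and any(addr in net for net in self.acls[acl]):
                return app
        if port in self.user:                 # then user-defined global entries
            return self.user[port]
        return SYSTEM_DEFINED.get(port)       # finally the system-defined defaults

    def ports_for(self, app, host):
        """Ports the access-list keyword <app> covers for traffic to <host>."""
        known = set(SYSTEM_DEFINED) | set(self.user) | {m[1] for m in self.host_maps}
        return sorted(p for p in known if self.resolve(host, p) == app)


def build_example():
    """Reproduce the three configurations shown in the Configuring PAM section."""
    pam = PamTable()
    for port in (8000, 8001, 8002, 8003):     # ip port-map http port 800x (global)
        pam.port_map("http", port)
    pam.access_list(101, "0.0.0.0/0")         # access-list 101 permits any host
    pam.port_map("http", 8000, acl=101)       # ip port-map http port 8000 list 101
    pam.access_list(55, "172.30.1.2/32")      # access-list 55 permit 172.30.1.2
    pam.port_map("http", 21, acl=55)          # ip port-map http port 21 list 55
    return pam


def global_map_onto_system_port_is_rejected():
    """True if a global entry on a system-defined port is refused, as the text states."""
    try:
        PamTable().port_map("http", 21)
    except PamError:
        return True
    return False


if __name__ == "__main__":
    pam = build_example()
    print("172.30.1.2:21 ->", pam.resolve("172.30.1.2", 21))   # http (host-specific)
    print("10.0.0.1:21   ->", pam.resolve("10.0.0.1", 21))     # ftp (system default)
    print("http ports for 10.0.0.1:", pam.ports_for("http", "10.0.0.1"))
    print("http ports for 172.30.1.2:", pam.ports_for("http", "172.30.1.2"))
```

Running it shows the practical effect of the host-specific entry: for 172.30.1.2 the keyword http covers port 21 in addition to 80 and 8000 through 8003, and port 21 is no longer treated as FTP for that host, while every other host keeps the system-defined FTP mapping.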
