Transparent Cisco IOS Firewall

Problem

You want to use a router as a Layer 2 Firewall.

Solution

To enable a transparent Firewall, start by enabling Integrated Routing and Bridging (IRB) between to interfaces:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#bridge 1 protocol ieee
Router1(config)#interface FastEthernet0/0
Router1(config-if)#bridge-group 1
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#bridge-group 1
Router1(config-if)#exit
Router1(config)#bridge irb
Router1(config)#bridge 1 route ip
Router1(config)#interface BVI1
Router1(config-if)#ip address 172.25.1.101 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#end
Router1#

Next, you have to configure the Firewall inspection rules and ACLs:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect name OREILLY tcp
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip inspect OREILLY in
Router1(config-if)#exit
Router1(config)#access-list 111 deny tcp any host 172.25.1.102 eq 23
Router1(config)#access-list 111 permit ip any any
Router1(config)#access-list 112 deny ip any any
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 111 in
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#ip access-group 112 in
Router1(config-if)#end
Router1#

 

Discussion

Beginning with IOS Version 12.3(7)T, Cisco introduced the concept of an IOS-based Layer 2 or transparent Firewall. The name of this feature can be somewhat misleading because even though the Firewall sits at a Layer 2 level, it supports the filtering of IP packets (including IP, TCP, UDP, and ICMP protocols). The transparent Firewall is a Layer 2 bridge acting as a Firewall, with the capability of filtering IP-based packets using Context-Based Access Control (CBAC).

A typical layer 3 Firewall filters packets as they transverse from one IP subnet to another. We've seen an excellent example of this in out CBAC Recipe 27.2. A Layer 2 Firewall has the distinct advantage of being able to insert a transparent Firewall into a pre-existing subnet without having to readdress or reconfigure the attached devices. In effect, you can insert a Firewall between neighbors on the same wire.

We have implemented Layer 2 firewalls in several different types of situations. The biggest reason for using a Layer 2 firewall is its complete invisibility at Layer 3. A Layer 2 firewall has no IP addresses, so it can't be detected by devices, even if they are on the same physical segment.

Another common reason for using Layer 2 firewalls is to provide security even when the protocols in use don't really lend themselves to security. Suppose, for example, that you have an application that relies heavily on broadcasts from the server to the clients, but you need to protect this server against possible attack from the client devices. In this case, a Layer 3 firewall will break the application, so your only real option is a Layer 2 firewall configureation like the one shown in this recipe.

The first step in configuring a transparent Firewall is to configure transparent bridging on two of the interfaces. What's more, you need to configure Integrated Routing and Bridging (IRB) and create an associated BVI interface. The result of this is to bridge two physical interfaces together. For more information on IRB, please see Chapter 15.

Once transparent bridging is enabled, you must enable CBAC and configure the required ACLs on the router. In our example, we only enabled CBAC to inspect generic TCP sessions, but you can configure the router to inspect any CBAC supported protocol. For more information on CBAC, please see Recipe 27.2.

After CBAC is configured, you need to create and apply your ACLs to prevent unwanted traffic from passing through the Firewall. In our example, we configured access-list 112 to deny all IP packets. Keep in mind that CBAC will dynamically create session-specific ACL entries in access-list 112, as required.

To view the configuration of the transparent Firewall, use the following show command:

Router1#show ip inspect all 
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name OREILLY
 tcp alert is on audit-trail is off timeout 3600

Interface Configuration
 Interface FastEthernet0/0
 Inbound inspection rule is OREILLY
 tcp alert is on audit-trail is off timeout 3600
 Outgoing inspection rule is not set
 Inbound access list is 111
 Outgoing access list is not set

Established Sessions
 Session 63FA3224 (172.25.1.1:2618)=>(172.25.1.102:21) tcp SIS_OPEN
Router1# 

This command shows the CBAC global configuration as well as the interface-specific configuration as well. Notice that interface FastEthernet0/0 has inspection rule OREILLY configured and inbound access-list 111.

Once the transparent Firewall is configured, we initiated an FTP session from a host on one side of the Firewall to a server on another side. If we view the detailed session information we will see that CBAC dynamically created an ACL entry in access list 112 to permit returning session traffic:

Router1#show ip inspect session detail
Established Sessions
 Session 63FA3224 (172.25.1.1:2618)=>(172.25.1.102:21) tcp SIS_OPEN
 Created 00:02:17, Last heard 00:02:14
 Bytes sent (initiator:responder) [35:150]
 In SID 172.25.1.102[21:21]=>172.25.1.1[2618:2618] on ACL 112 (5 matches)
Router1#

The command output also keeps track of all actively inspected sessions and their current status.

As we've seen, Cisco's transparent Firewall feature is a combination of CBAC and IRB working together to provide a Layer 2 Firewall.

See Also

Recipe 27.2; Chapter 15

Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net