Identifying Traffic Using Inspection Rules


Until this point, we have discussed generic CBAC inspection rules. However, to apply CBAC rules to an interface, you must create a named inspection rule. Named inspection rules are required if you want to inspect a particular application or protocol. Remember, if you do not specify a specific application or protocol to be inspected, CBAC does not inspect that traffic. We discussed earlier which specific protocols CBAC can inspect in addition to TCP and UDP traffic.

Alert: The default for CBAC is that no inspection rules are defined.


The syntax to define an inspection rule is

 Router(config)# ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

Everything after protocol is optional with a named inspection rule because the global values are used unless you specifically override them. If you specify a timeout value, the timeout overrides the global TCP and UDP idle timeouts. However, it does not override the global DNS timeout.

Alert: The timeout value specified with a named inspection rule overrides the global idle timeouts.


Generic Application Protocol Rules

If you only want to inspect TCP or UDP traffic, create a named inspection rule using tcp or udp as the protocol to be inspected. For example, suppose you want to create a named inspection rule with the following parameters:

Inspected protocols: TCP, UDP

Inspection name: EXAMCRAM2

Idle timeout: TCP, 10 minutes

To implement this requirement, the commands are shown in Figure 4.7.

Figure 4.7. TCP and UDP named inspection rule.


Unique Application Protocol Rules

You just configured generic TCP and UDP inspection, but what about individual application protocols? For instance, if your organization requires that all FTP traffic be inspected along with RTSP traffic, you need to configure a named inspection rule specifying these protocols.

Let's look at an example to create a named inspection rule with the following parameters:

Inspected protocols: RTSP, FTP

Inspection name: EXAMCRAM2

Idle timeout: RTSP, 6 minutes

To implement this requirement, the commands are shown in Figure 4.8.

Figure 4.8. Unique application inspection rule.


Because you used the same inspection rule name, EXAMCRAM2, you are now inspecting TCP, UDP, RTSP, and FTP traffic. However, you could have created an inspection rule using a different name to inspect only RTSP and FTP traffic if you wanted.
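The commands in Figures 4.7 and 4.8 are not reproduced in this extract. The following is an added reconstruction built from the parameters listed for each figure (it is not the book's own figure), with the timeouts converted to seconds as the syntax requires; the interface name at the end is an assumption for this example.

```cisco
! Figure 4.7 equivalent: generic TCP and UDP inspection under the name EXAMCRAM2.
! The TCP idle timeout is overridden to 10 minutes (600 seconds);
! UDP is given no timeout keyword, so it keeps the global UDP idle timeout.
Router(config)# ip inspect name EXAMCRAM2 tcp timeout 600
Router(config)# ip inspect name EXAMCRAM2 udp
!
! Figure 4.8 equivalent: application-specific inspection added to the same rule name.
! The RTSP idle timeout is overridden to 6 minutes (360 seconds);
! FTP keeps the global timeout.
Router(config)# ip inspect name EXAMCRAM2 rtsp timeout 360
Router(config)# ip inspect name EXAMCRAM2 ftp
!
! Because the same name was reused, EXAMCRAM2 now inspects TCP, UDP, RTSP, and FTP.
! Nothing is inspected until the rule is applied to an interface
! (Ethernet0 and the inbound direction are assumptions for this example):
Router(config)# interface Ethernet0
Router(config-if)# ip inspect EXAMCRAM2 in
```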

IP Packet Fragmentation Rules

One of the DoS attacks that a hacker can launch is a fragmentation attack. With this attack, a hacker sends fragmented IP packets to a host. Not only does the host need to devote resources to reassemble the fragmented packets, but also networking equipment and other security equipment along the way might need to devote resources to reassemble the fragmented packets.

The goal of the hacker when using a frag attack is to exhaust host resources, thus causing a DoS condition.

Remember that individual packets for a particular data session might take different paths to reach the same destination. When this happens with fragmented packets, the router might not see the initial fragment of a packet first. The term used to describe this situation is unassembled packets.

Alert: If the CBAC router receives noninitial packet fragments before the router receives the initial packet fragment, the router drops the noninitial fragment packets.


Alert: If the IOS Firewall does not permit the initial fragment through the IOS Firewall, all noninitial fragments are dropped.


CBAC has the ability to protect hosts from some frag attacks through the use of the following command:

 Router(config)# ip inspect name inspection-name fragment max number timeout seconds

The max keyword specifies the maximum number of unassembled packets that the router allocates memory for (state structure allocation).

The timeout keyword specifies the length of time that the router continues to maintain a state structure allocation.

An example that allows allocation of 777 state structures and allows those state structures to remain active for 1 minute is

 Router(config)# ip inspect name QUE fragment max 777 timeout 60

By default, this command is disabled. Some operating systems, such as Linux, send packets in reverse order (the first packet is sent last), and they would be dropped when this command is enabled. Further, in some situations, out-of-order packet delivery is totally legitimate, and you would not want CBAC to drop these packets. In addition to the previous two issues, you must use extreme care when configuring this command because the router sets aside precious memory resources for state structure allocation. If you are not careful, you can crash your router by exhausting its memory.

Alert: Unfragmented packets are never dropped when this command is enabled.


Alert: Legitimate fragmented packets can pass through the IOS Firewall even if the network is being subjected to an intense frag attack.


RPC Rules

CBAC can inspect RPC if you enable it. The syntax to enable RPC inspection is

 Router(config)# ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

To configure CBAC to inspect RPC program number 100005, use the following command:

 Router(config)# ip inspect name BILBO rpc program-number 100005

SMTP Application Rules

When you configure it to inspect SMTP traffic, CBAC inspects every mail packet for specific, allowed commands. If the SMTP packet contains commands that are not allowed, the packet is dropped.

The syntax to enable SMTP inspection is

 Router(config)# ip inspect name inspection-name smtp [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

To configure CBAC to inspect SMTP, use the following command:

 Router(config)# ip inspect name BILBO smtp

Alert: Only the SMTP commands specified by RFC 821, section 4.5.1, are considered legal by CBAC. Cisco states that the legal commands are DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.


If you are using an Extended SMTP (ESMTP) server, do not use CBAC SMTP inspection. ESMTP uses commands that are considered illegal by CBAC, and your SMTP traffic will be dropped.

Java Rules

Java applets can be dangerous, and CBAC lets you configure an inspection rule that distinguishes between friendly sites (trusted) and unfriendly sites (untrusted). Through the use of standard numbered IP ACLs, you can designate trusted and untrusted sites. ACEs with permit statements designate trusted sites, and ACEs with deny entries designate untrusted sites.

The syntax to enable Java inspection is

 Router(config)# ip inspect name inspection-name http [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

To configure CBAC to inspect Java, review the command shown in Figure 4.9:

Alert: CBAC Java inspection cannot detect, and therefore inspect or block, Java applets if the applet is encapsulated. An encapsulated Java applet might be contained in a Zip file, for example.


Figure 4.9. Java inspection rule.

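Figure 4.9 is not reproduced in this extract. The following is an added example of a Java inspection rule built from the syntax above (it is not the book's figure); the ACL number, the 192.0.2.0/24 trusted network, the EXAMCRAM2 rule name and the audit-trail setting are all assumptions chosen for the example.

```cisco
! Standard numbered ACL 10 classifies applet sources:
! permit entries mark trusted sites, deny entries mark untrusted sites.
! 192.0.2.0/24 is a constructed sample trusted network, not a value from the book.
Router(config)# access-list 10 permit 192.0.2.0 0.0.0.255
Router(config)# access-list 10 deny any
!
! Java inspection tied to ACL 10 and added to the EXAMCRAM2 rule; audit-trail on
! records the applets CBAC blocks so the decision can be reviewed in the logs.
Router(config)# ip inspect name EXAMCRAM2 http java-list 10 audit-trail on
!
! Caveat from the text: applets encapsulated in an archive such as a Zip file
! are not detected by this inspection and therefore cannot be blocked by it.
```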



CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
