Until this point, we have discussed generic CBAC inspection rules. However, to apply CBAC rules to an interface, you must create a named inspection rule. The named inspection rules are required if you want to inspect a particular application or protocol. Remember, if you do not specify a specific application or protocol to be inspected, CBAC does not inspect that traffic. We discussed earlier which specific protocols CBAC can inspect in addition to TCP and UDP traffic.
The syntax to define an inspection rule is:
Everything after the protocol keyword is optional in a named inspection rule because the global values are used unless you specifically override them. If you specify a timeout value, that timeout overrides the global TCP and UDP idle timeouts for sessions created by the rule. However, it does not override the global DNS timeout.
Generic Application Protocol Rules

If you only want to inspect TCP or UDP traffic, create a named inspection rule using tcp or udp as the protocol to be inspected. For example, suppose you want to create a named inspection rule with the following parameters:
To implement this requirement, the commands are shown in Figure 4.7.

Figure 4.7. TCP and UDP named inspection rule.
Unique Application Protocol Rules

You just configured generic TCP and UDP inspection, but what about individual application protocols? For instance, if your organization requires that all FTP traffic be inspected along with RTSP traffic, you need to configure a named inspection rule specifying these protocols. Let's look at an example to create a named inspection rule with the following parameters:
To implement this requirement, the commands are shown in Figure 4.8.

Figure 4.8. Unique application inspection rule.
Because you used the same inspection rule name, EXAMCRAM2, you are now inspecting TCP, UDP, RTSP, and FTP traffic. However, you could have created an inspection rule using a different name to inspect only RTSP and FTP traffic if you wanted.

IP Packet Fragmentation Rules

One of the DoS attacks that a hacker can launch is a fragmentation attack. With this attack, a hacker sends fragmented IP packets to a host. Not only does the host need to devote resources to reassemble the fragmented packets, but also networking equipment and other security equipment along the way might need to devote resources to reassemble the fragmented packets. The goal of the hacker when using a frag attack is to exhaust host resources, thus causing a DoS condition. Remember that individual packets for a particular data session might take different paths to reach the same destination. When this process happens with fragmented packets, the router might not see the initial session packet first. The term used to describe this situation is unassembled packets.
CBAC has the ability to protect hosts from some frag attacks through the use of the following command:

Router(config)# ip inspect name inspection-name fragment max number timeout seconds

The max keyword specifies the maximum number of unassembled packets that the router allocates memory for (state structure allocation). The timeout keyword specifies the length of time that the router continues to maintain a state structure allocation. An example that allows allocation of 777 state structures and allows those state structures to remain active for 1 minute is

Router(config)# ip inspect name QUE fragment max 777 timeout 60

By default, this command is disabled. Some operating systems, such as Linux, send packets in reverse order (the first packet is sent last), and they would be dropped when this command is enabled. Further, in some situations, out-of-order packet delivery is totally legitimate, and you would not want CBAC to drop these packets. In addition to the previous two issues, you must use extreme care when configuring this command because the router sets aside precious memory resources for state structure allocation. If you are not careful, you can crash your router by exhausting its memory.
RPC Rules

CBAC can inspect RPC if you enable it. The syntax to enable RPC inspection is:
To configure CBAC to inspect RPC program number 100005, use the following command:

Router(config)# ip inspect name BILBO rpc program-number 100005

SMTP Application Rules

When you configure it to inspect SMTP traffic, CBAC inspects every mail packet for specific, allowed commands. If the SMTP packet contains commands that are not allowed, the packet is dropped. The syntax to enable SMTP inspection is:
To configure CBAC to inspect SMTP, use the following command:

Router(config)# ip inspect name BILBO smtp
If you are using an Extended SMTP (ESMTP) server, do not use CBAC SMTP inspection. ESMTP uses commands that are considered illegal by CBAC, and your SMTP traffic will be dropped.

Java Rules

Java applets can be dangerous, and CBAC lets you configure an inspection rule that distinguishes between friendly sites (trusted) and unfriendly sites (untrusted). Through the use of standard numbered IP ACLs, you can designate trusted and untrusted sites. ACEs with permit statements designate trusted sites, and ACEs with deny entries designate untrusted sites. The syntax to enable Java inspection is:
To configure CBAC to inspect Java, review the command shown in Figure 4.9:
Figure 4.9. Java inspection rule.
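The following configuration is an added example, not one of the book's figures, that pulls together the rule types covered in this section (generic TCP/UDP with a timeout override, the FTP and RTSP application rules, fragment protection, RPC, SMTP, and the Java ACL) into one named rule, applies it to an interface, and lists the show commands used to verify it. The rule name OUTBOUND, the interface FastEthernet0/0, ACL number 51, and the 192.0.2.0/24 trusted network are assumed values chosen for the example.

```cisco
! Added example (not from the book). Rule name OUTBOUND, interface
! FastEthernet0/0, ACL 51 and network 192.0.2.0/24 are assumptions.
!
! Global idle timeouts. A per-rule timeout overrides the TCP and UDP
! values for that rule, but never the DNS timeout.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
!
! Generic TCP and UDP inspection. The TCP timeout below overrides the
! global 3600 seconds for sessions opened through this rule only.
ip inspect name OUTBOUND tcp timeout 900 audit-trail on
ip inspect name OUTBOUND udp timeout 60
!
! Application-specific inspection added under the same rule name, so the
! one rule now covers TCP, UDP, FTP and RTSP.
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND rtsp
!
! Fragment protection: at most 256 unassembled-packet state structures,
! each held for 30 seconds. Keep max modest: every structure consumes
! router memory, and senders that emit fragments out of order can be
! dropped once this is enabled.
ip inspect name OUTBOUND fragment max 256 timeout 30
!
! RPC program 100005 (the number used in the text) and SMTP. Omit the
! smtp line if the mail server speaks ESMTP, because CBAC treats ESMTP
! commands as illegal and drops the session.
ip inspect name OUTBOUND rpc program-number 100005
ip inspect name OUTBOUND smtp
!
! Java: standard numbered ACL 51 lists trusted applet sources (permit);
! every other source is untrusted (deny) and its applets are blocked.
access-list 51 permit 192.0.2.0 0.0.0.255
access-list 51 deny any
ip inspect name OUTBOUND http java-list 51
!
! The rule does nothing until it is applied to an interface. Applied
! inbound on the inside interface, it tracks sessions that internal
! hosts initiate.
interface FastEthernet0/0
 ip inspect OUTBOUND in
!
! Verification (privileged EXEC):
!   show ip inspect name OUTBOUND   protocols and timeouts in the rule
!   show ip inspect interfaces      where the rule is applied
!   show ip inspect sessions        state entries created by inspection
```

Because all of the ip inspect name lines share the name OUTBOUND, they form a single rule; giving the fragment, rpc, smtp or http lines a different name would create a separate rule that must be applied to an interface on its own.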