Network address translation will allow the use of unregistered address space on the inside of the firewall and registered space within the firewall. The Cisco PIX Firewall can operate with a mixture of both registered and unregistered IP addresses. In addition, it also supports port address translation (PAT) with port level multiplexing, which is a method to further conserve address space. Through the use of this feature, inside user local IP addresses are automatically converted to a single outside IP address and the PIX Firewall uses different port numbers to distinguish between hosts. Over 64,000 inside hosts can be served by a single outside IP address with PAT. For additional information on Cisco's PIX Firewall, please refer to the following Web site:
Frequently Asked Questions
- Q: I want to control which hosts can Telnet to or from the routers in my network. What is the easiest way to do that?
- A: Build a standard access list to define which IP addresses will be allowed, then apply the list to the console or VTY line. Doing this by using the ip access-class # in command will limit inbound access to only those hosts allowed by your standard IP access list.
- Q: I want to control which hosts will be allowed to send data onto my wide-area network. What is the easiest way to do that?
- A: Build a standard access list that will define the hosts that are allowed to send data onto the network, and then apply the access list to the Ethernet interface. Do this by using the ip access-group # in command, which will allow packets from only the hosts you defined to pass out onto the network.
- Q: What is the difference between the ip access-class command and the ip access-group command?
- A: When using the ip access-class command, you are controlling Telnet access. Use the ip access-group command to filter data packets.
- Q: How do I configure an OSPF private net for a firewall for Internet access? I currently have static routes for 0.0.0.0 via the firewall. I cannot redistribute this static route. This doesn't seem to work. I don't want to go to 100+ routers to add a static route. I have only one firewall now, but I might add a second one. The firewall does address translation; it masks our internal net numbers. How should I do this?
- A: On the firewall router running OSPF, enter this command:
default-information originate always
It will originate the default route to all your other OSPF routers in the domain. You don't need to configure default routes in all your OSPF routers in the domain.
- Q: How do you configure MD5 authentication on OSPF neighbor routing updates and exchanges? Is the MD5 authentication used for Hello protocol negotiations? Is the MD5 authentication used in all router protocol updates? Will you please provide a sample configuration?
- A: Here is a short description of MD5 authentication:
Message Digest Authentication is a cryptographic authentication. A key (password) and key identification are configured on each router. The router uses an algorithm based on the OSPF packet, the key, and the key-id to generate a message digest that is appended to the packet. Unlike the simple authentication, the key is not exchanged over the wire. A non-decreasing sequence number is also included in each OSPF packet to protect against replay attacks. This method also allows for uninterrupted transitions between keys. This is helpful for administrators who wish to change the OSPF password without disrupting communication. If an interface is configured with a new key, the router will send multiple copies of the same packet, each authenticated by different keys. The router will stop sending duplicate packets once it detects that all of its neighbors have adopted the new key. The following commands are used for message digest authentication.
- ip ospf message-digest-key keyid md5 key (used under the interface)
- area area-id authentication message-digest (used under router OSPF)
    interface Ethernet0
     ip address 10.10.10.10 255.255.255.0
     ip ospf message-digest-key 10 md5 mypassword
    router ospf 10
     network 10.10.0.0 0.0.255.255 area 0
     area 0 authentication message-digest
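To make the mechanism described above concrete, here is an added Python example (not Cisco code and not from the original page) that builds the OSPFv2 cryptographic authentication trailer the way RFC 2328 specifies it, verifies it on the receiving side, and applies the non-decreasing sequence-number check that defeats replays; the router ID, key IDs and key strings are constructed values.

```python
import hashlib
import hmac
import struct

AUTH_CRYPTO = 2   # OSPFv2 AuType for cryptographic (MD5) authentication
KEY_LEN = 16      # the key is zero-padded to 16 bytes before hashing

def auth_field(key_id: int, seq: int) -> bytes:
    # RFC 2328 D.3: two zero bytes, Key ID, Auth Data Len (16), 32-bit sequence number
    return struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)

def sign_packet(body: bytes, key_id: int, key: bytes, seq: int,
                router_id: bytes = b"\x0a\x0a\x0a\x0a", area_id: bytes = bytes(4)) -> bytes:
    # Builds a Hello (type 1) with the 24-byte OSPFv2 header; the checksum is zero
    # and the packet length excludes the digest that is appended after the packet.
    length = 24 + len(body)
    header = (struct.pack("!BBH", 2, 1, length) + router_id + area_id
              + struct.pack("!HH", 0, AUTH_CRYPTO) + auth_field(key_id, seq))
    packet = header + body
    digest = hashlib.md5(packet + key.ljust(KEY_LEN, b"\x00")).digest()
    return packet + digest   # the key itself never goes on the wire

def verify_packet(frame: bytes, keys: dict, last_seq: dict) -> bool:
    # keys: key_id -> key; last_seq: router_id -> highest sequence number accepted
    if len(frame) < 24 + KEY_LEN:
        return False
    length = struct.unpack("!H", frame[2:4])[0]
    if len(frame) != length + KEY_LEN:
        return False
    router_id = frame[4:8]
    autype = struct.unpack("!H", frame[14:16])[0]
    _, key_id, data_len, seq = struct.unpack("!HBBI", frame[16:24])
    key = keys.get(key_id)
    if autype != AUTH_CRYPTO or data_len != KEY_LEN or key is None:
        return False
    packet, digest = frame[:length], frame[length:]
    expected = hashlib.md5(packet + key.ljust(KEY_LEN, b"\x00")).digest()
    if not hmac.compare_digest(expected, digest):
        return False   # wrong key or tampered packet
    if seq < last_seq.get(router_id, 0):
        return False   # sequence number went backwards: replayed packet
    last_seq[router_id] = seq
    return True

def rollover_demo() -> list:
    # During a key change the sender emits one copy per configured key; a neighbor
    # still on the old key accepts the old-key copy and ignores the new-key copy.
    neighbor_keys = {10: b"mypassword"}   # constructed: neighbor not yet updated
    seen = {}
    copies = [sign_packet(b"hello", kid, k, 7)
              for kid, k in ((10, b"mypassword"), (11, b"newpassword"))]
    return [verify_packet(c, neighbor_keys, seen) for c in copies]   # [True, False]
```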
- Q: I've heard that OSPF routing protocol exchanges are authenticated. What does this mean?
- A: This means that only trusted routers can participate in the autonomous system's routing. A single authentication scheme is used for each area. Each participating router can have a password.
- Q: Does using an extended IP access list prevent regular routing updates (such as OSPF)? I have to specify 184.108.40.206 (destination) in my access list before routing updates allow for OSPF's hello packets.
- A: Inbound access lists on an interface are applied to any IP traffic on that interface. Outbound access lists apply only to traffic switched through the router.
- Q: Can the distribute-list in|out command be used with OSPF to filter routes?
- A: The distribute-list in command works on all OSPF routes. It is applied when OSPF routes are fed into the routing table. The distribute-list out command works only on the routes being redistributed from other processes into OSPF. It can be applied only to EXTERNAL_TYPE2 and EXTERNAL_TYPE1 routes and cannot be applied to INTRA and INTER routes.
- Q: Why would I want or need to consider adding a firewall or other proxy device to my network?
- A: If you want to increase the security and integrity of your network when connecting it to the Internet, you should consider adding a firewall. In addition, firewalls and proxy devices are able to translate private IP addresses into public IP addresses, thereby allowing your network to join the Internet.
- Q: For Internet access, I have a router with access lists in place to allow communications only with a TCP proxy server on the same segment. There is another router on this segment with filters in place also to allow communications only with the proxy server. Are there methods for implementing another filter(s) on both routers to allow SNMP management of the external router?
- A: You can use the snmp-server access-list command to restrict SNMP traffic. You will, however, have to allow SNMP (UDP) traffic through.
- Q: I have two devices: One device is 220.127.116.11 with a 9-bit mask, and the other device is 18.104.22.168 with a 12-bit mask. I want to allow only TCP connections on ports 5000 and 5020 between two devices through serial 0 of router A. One of the access list statements will be:
access-list 110 permit tcp 192.168.14.97 <mask> 22.214.171.124 <mask> eq 5000
- My question concerns the mask portion. For the 192.168.14.97, do I use a mask of 0.0.0.240, 0.0.0.15, or 255.255.255.240? And for the 126.96.36.199, do I use a mask of 255.255.255.128, 0.0.0.128, or 0.0.0.127?
- A: If you want to permit only these two devices to talk to each other, use the mask 0.0.0.0 on both. The 0s in an access list mask mean that the corresponding bit of the address must match exactly. The 255s mean that you don't care what is in a particular position in the address. The mask here is not used like the mask defined on the interface for the subnet mask portion.
- Q: I'm using the access-list nnn deny ip any any log command to track potential break-ins. This works fine in Cisco IOS 10.3, but it does not work in 10.2(11). Is there another way to do the same thing in Cisco IOS 10.2?
- A: No, not in 10.2. You need to upgrade your Cisco IOS.
- Q: Can access list wildcards be used both front and back (like *TOR*)? What level of Cisco IOS is required? I would like to filter all NetBIOS broadcasts except when the name contains a certain string, as in permit *TOR*. Is this possible?
- A: Yes. The following steps show you how to configure NetBIOS access filters using station names.
- 1. Assign the station access list name (note that there is an implicit DENY ALL after the permit statement):
    netbios access-list host DEVICE permit *TOR*
The *TOR* argument is the wildcard.
- 2. Specify the direction of the message to be filtered on the interface:
    netbios {input-access-filter | output-access-filter} host DEVICE
Here is a configuration example:
    !
    hostname ROUTER
    !
    netbios access-list host DEVICE permit *TOR*
    !
    interface TokenRing0
     ip address 10.10.10.1 255.255.255.0
     ring-speed 16
     source-bridge 2 1 2000
     source-bridge spanning
     netbios input-access-filter host DEVICE
    !
- Q: How can I build a firewall with my Cisco router?
- A: Complementing the Cisco PIX™ Firewall, the Cisco Internetwork Operating System (Cisco IOS™) software, too, can be configured as a potent firewall. You can combine extended IP access lists for packet filtering, several methods of user authentication, and Cisco's lock-and-key security solution to provide a strong, secure perimeter between trusted and untrusted networks.
The router can be configured to log security violations to a UNIX host's syslog facility. In Release 11.2 of Cisco IOS software, network managers can enable IP network-layer encryption and Network Address Translation (NAT) capability (a separately priced software option) in their router-based firewalls.
For more information on Cisco IOS security solutions, visit this Web site:
- Q: What other configuration options should I enable on the router to secure my network?
- A: Some additional options and the commands that will help protect the router from unauthorized access include the following:
- Disable proxy arp: no ip proxy-arp.
- Disable IP source routing: no ip source-route.
- Enable only required applications, such as the Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), e-mail, outgoing Web client traffic, outgoing File Transfer Protocol (FTP), for which passive (PASV) mode is most secure, and outgoing Telnet.
- Encrypt router passwords (service password-encryption) and encrypt the enable password with an MD5 hashing algorithm (enable secret password).
- Apply access lists and passwords to virtual terminal (VTY) ports.
- Enable route authentication in supported routing protocols.
- Q: Does Cisco support Kerberos?
- A: Cisco has announced plans to support Kerberos but has not announced specific products or time frames. Here is an excerpt from the Cisco IOS Security Architecture article:
- Kerberos is a secret-key network authentication system developed at Massachusetts Institute of Technology (MIT) that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. Kerberos was designed to authenticate requests for network resources. Kerberos, like other secret-key systems, requires trust in a third party; in this case, the Kerberos server. Cisco will integrate the client portion of Kerberos within the Cisco IOS in Cisco access servers.
- Q: Which IP address space is reserved for secure networks (full internal connectivity, but outside connections from corporate only through firewall proxy or router)?
- A: RFC 1597: Address Allocation for Private Internets (http://ds.internic.net/rfc/rfc1597.txt) covers this subject. An excerpt from this RFC follows.
- The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private networks:
The first block is referred to as 24-bit block, the second as 20-bit block, and the third as 16-bit block. Note that the first block is nothing but a single class A network number, the second block is a set of 16 contiguous class B network numbers, and third block is a set of 255 contiguous class C network numbers.
- Q: When setting up a router as a firewall (allowing only FTP traffic through), is there a way to log messages indicating failed attempts, what the server was connected to, and for how long?
- A: The best way to log connection attempts to the router is to use TACACS+. You can use access list violation logging in Cisco IOS 10.3(3) or higher to see the access list information.
- Q: Which version of Cisco IOS addresses the security issue of IP spoofing?
- A: All versions of Cisco IOS address the spoofing problem. For details, see the Details on CERT Advisory Dated 1/23/95 (http://www.cisco.com/warp/customer/459/12.html) and CERT Advisory 95:01 Response technical tips (http://www.cisco.com/warp/customer/701/29.html).
- Q: Is there a performance advantage when using the IP access list keyword established on an extended access list? Does using established make the access list more vulnerable? Do you have specific examples of the usage?
- A: There is no performance advantage per se. The established keyword simply means that packets with the ACK or RST bits set are allowed through. To better understand access lists in general, read Increasing Security on IP Networks (http://www.cisco.com/warp/customer/701/31.html). There are many examples there.
- Q: What TCP port numbers are required for FTP?
- A: FTP data is port 20, and FTP control is port 21. If you are trying to set up an access list, keep in mind that port 21 is the source port from the FTP server when it tries to establish the data connection back to the client. The destination port is a high-numbered port greater than 1023.
- Q: Can I apply IP filters (access list in Cisco IOS 10.3.4) so that multiple (adjacent) class C nets are covered in one command (similar to class B)? Or do I have to specify each class C individually?
- A: A mask can be specified to include multiple class C nets. For example:
    access-list 1 permit 188.8.131.52 0.0.15.255
    access-list 1 deny 0.0.0.0 255.255.255.255
This access list permits addresses from a range of class C nets that start with 184.108.40.206-220.127.116.11.
- Q: How do you interpret the command access-list permit 18.104.22.168 0.0.7.255?
- A: First, you need to add a unique number between 1 and 99 after access-list and before permit. Then, when applied to something, the list will permit packets with a source address from 22.214.171.124-126.96.36.199 and deny all others.
- Q: My HTTPD program is set up to use port 80, and I want to limit accessing it from my network only. Will the following IP access list accomplish this without limiting other access, such as FTP, if I use it on my Internet serial connection: access-list 102 deny 80 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255?
- A: There is an implicit deny all at the end of every access list. The access list is checked in the order of the statements, and the first statement that matches the packet determines what happens to it. So you have to configure a permit of any-to-any at the end of your list. It would look something like this:
    access-list 102 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
    access-list 102 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
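The wildcard-mask semantics, first-match ordering, implicit deny and the established keyword discussed in the answers above are easy to get wrong when reading a list by eye. The following added Python example (not Cisco code and not from the original page) is a small evaluator for the extended access-list syntax used on this page; the sample addresses 203.0.113.5 and 192.0.2.10 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Wildcard bit 0 = "this address bit must match", bit 1 = "don't care"
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def wildcard_range(base: str, wildcard: str) -> tuple:
    # Lowest and highest address an entry covers (contiguous wildcard assumed)
    b, w = to_int(base), to_int(wildcard)
    return (str(ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF)),
            str(ipaddress.IPv4Address(b | w)))

@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # destination port from "eq <port>", if any
    established: bool = False     # TCP only: matches when ACK or RST is set

def parse_extended(line: str) -> Entry:
    # access-list <n> permit|deny <proto> <src> <wc> <dst> <wc> [eq <port>] [established]
    t = line.lower().split()
    entry = Entry(t[2], t[3], t[4], t[5], t[6], t[7])
    rest = t[8:]
    if "eq" in rest:
        entry.dport = int(rest[rest.index("eq") + 1])
    entry.established = "established" in rest
    return entry

def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: int = 0, ack_or_rst: bool = False) -> str:
    # Statements are tested in order and the first match decides; a packet
    # that matches nothing falls through to the implicit "deny all".
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.established and not ack_or_rst:
            continue
        return e.action
    return "deny"

# The list from the answer above: block inbound HTTP, let everything else through
ACL_102 = [parse_extended(l) for l in (
    "access-list 102 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80",
    "access-list 102 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
)]
```

Reversing the two statements of ACL_102 makes the evaluator permit port 80, which is exactly the ordering mistake the answer warns about.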
- Q: How do I properly set the anti-spoofing filters in Cisco IOS 9.21(7)?
- A: See the information on CCO about the CERT Advisory Dated 1/23/95 (http://www.cisco.com/warp/customer/69/12.html). The defense is to set up your Internet firewall router to deny packets from outside your network that claim to have a source address inside your network. An example configuration follows:
    access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255
    access-list 101 deny ip 198.92.93.0 0.0.0.255 0.0.0.0 255.255.255.255
Repeat the preceding commands, where access-list 101 describes all possible source addresses on your network. The preceding example describes a network with internal source addresses of 131.108.x.x and 198.92.93.x. Then, for a router running 9.21 or later, continue with this command:
    interface serial 0
     description interface facing the Internet
     ip access-group 101 in
If you do not have 9.21, an upgrade is not required if your Internet firewall is a two-port router (which it should be). Simply apply the access-list 101 command (as previously demonstrated) to the LAN interface and not the serial interface, as shown in the following example:
    interface ethernet 0
     description LAN port on my internet router
     ip access-group 101
The essence of this defense is that any packets coming from the Internet that claim to be from your network are thrown out, which prevents this type of attack.
Also, for good measure, all Internet firewalls should have the global command no ip source-route. You can also see Increasing Security on IP Networks (http://www.cisco.com/warp/customer/701/31.html) for more information about firewalling your network.
- Q: How is CHAP security implemented with your products? When a user dials into a Cisco access server, does the access server make a call of some kind to a separate CHAP server, which then sends a random challenge to the remote users who must activate a software key or hand-held device to authenticate themselves?
- A: The CHAP password for each user must be configured on the Cisco 2511 using the USERNAME command (the password must be the same on both the 2511 and the remote device). When the user dials in, the 2511 challenges the user for the password. For a full description, see Configuring DDR (http://www.cisco.com/univ-src/ccden/data/doc/software/11_0/rpcg/cddr.htm) in the Router Products Configuration Guide.
- Q: Does Cisco support encryption?
- A: Yes, refer to the following documents on CCO for more information.
- Cisco Network Encryption Services (http://www.cisco.com/warp/public/732/Security/ncryp_tc.htm)
- Cisco IOS Software (http://www.cisco.com/univercd/data/doc/cintrnet/prod_cat/79999.htm)
- Cisco IOS Security Architecture (http://www.cisco.com/warp/public/732/Security/ossec_wp.htm)
- Q: Cisco routers support the IP packet security types 130 and 133, which are for Basic and Extended IP security options (IPSO). However, if a router sees a packet with a different type number (assuming IPSO has not been configured), will the router forward the packet, or will it drop it and generate an ICMP error?
- A: If the router is not configured for IPSO, it forwards the packet. If the router is configured for IPSO, it drops the packet.
- Q: How can I provide ICMP packets to transmit and receive to a specific internal IP address via the Internet without compromising security to our internal network?
- A: You can set up an access list permitting only ICMP from that specific host through to your internal network.
- Q: I have a question regarding Novell IPX and routing via ISDN when using snapshot routing. I have one server and some workstations on one side, and a lot of servers on the other. When the one server has received its SAP update, it keeps the line up by sending Novell Security Packets to the other servers. Is there a way to keep it from doing this?
- A: You have to make sure that the security packets are not part of the interesting packets in the dialer list. Depending on what you want to do on the line, I would set up the dialer list on a permit basis. If, for example, you just enable NCP to do file copies or REMOTE CONSOLE and so on, you definitely have to exclude the security packets.
- Q: I need to know how to define an extended access list that will allow my users to access the Internet (using Netscape and Gopher) but keep intruders out. I am using Cisco 2513 with IOS v10.0(2).
- A: In general, you are asking about the established keyword, which can be defined within an access list to permit two-way communication with an Internet host if (and only if) the session was started on your side of the firewall. However, security and firewalling are big issues. Please look at Increasing Security on IP Networks (http://www.cisco.com/warp/customer/590/3.html) for more details on securing your firewall.