Cisco securing device

From Ever changing code

Switching off unnecessary

!
! Special interfaces configuration
!
! ICMP host unreachable messages are sent out if a router receives a nonbroadcast packet that uses an unknown protocol, 
! or if the router receives a packet that it is unable to deliver to the ultimate destination because it knows of no route to the destination address. 
! Because the null interface is a packet sink, packets forwarded there will always be discarded and, unless disabled, will generate host unreachable messages.
default interface Null0
interface Null0
 no ip unreachables
 exit
!
! Per-interface security configuration
!
! Enable unicast Reverse Path Forwarding (uRPF) on all interfaces that connect to the Internet. IP CEF needs to be enabled.
! This feature makes the router check the source address of every packet against the interface through which the packet entered the router.
! If the input interface is not a feasible path to the source address according to the routing table, the packet is dropped.
! Use to verify: show ip cef
interface atm0/0/0
 ip verify unicast reverse-path 
 ntp disable
 no cdp enable
 exit
!
! Switch off unnecessary services in global configuration mode
!
no ip source-route 
ip options drop 
no ip http server 
no ip http secure-server 
! The TCP and UDP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier. They are disabled by default on Cisco IOS Software Versions 11.3 and later. 
no service tcp-small-servers 
no service udp-small-servers 
service tcp-keepalives-in 
service tcp-keepalives-out 
no ip bootp server 
no ip finger 
no service finger
no ip identd 
no service config 
no lldp run 
no service pad
!
! NetFlow identifies flows of network packets based on the source and destination IP addresses and TCP port numbers. NetFlow can then use just the initial packet of a flow for comparison against ACLs and for other security checks, rather than having to inspect every packet in the flow. This can also be enabled per interface.
ip route-cache flow
!
! Setting the TCP synwait time to 20 seconds causes the router to shut down an incomplete connection after 20 seconds.
ip tcp synwait-time 20
!
! time-stamps
!
service timestamps debug datetime localtime show-timezone msec 
service timestamps log datetime localtime show-timezone msec
service sequence-numbers 
!
! add logging buffer
!
logging userinfo
logging buffered 50000
ip ssh logging events
login block-for 300 attempts 3 within 300
This access-list is created automatically after applying the login block-for command:
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log (8015 matches)
    40 permit tcp any any eq 22 log
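
As an added illustration of the uRPF check described in the per-interface configuration above (not part of the original page), the following Python models strict and loose mode over a constructed routing table, including the allow-default behaviour; the interface names, routes and sample packets are assumptions.

```python
import ipaddress

# Constructed routing table (prefix -> egress interface); not taken from the page.
ROUTES = [
    ("0.0.0.0/0", "atm0/0/0"),      # default route towards the Internet
    ("10.0.99.0/24", "Gi0/1"),      # inside LAN
    ("192.168.50.0/24", "Gi0/2"),   # second inside LAN
]

def best_route(src_ip, routes=ROUTES):
    """Longest-prefix match on the SOURCE address, as uRPF does via the CEF table."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permits(src_ip, ingress, mode="strict", allow_default=False, routes=ROUTES):
    """Return True if the packet passes the uRPF check.

    strict: the reverse path must leave via the ingress interface
            (ip verify unicast reverse-path / reachable-via rx).
    loose : any route back to the source is enough (reachable-via any).
    allow_default models the allow-default keyword: without it a match on
    0.0.0.0/0 alone does not count as a valid reverse path."""
    route = best_route(src_ip, routes)
    if route is None:
        return False                      # no route to the source at all: drop
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress               # strict: must match the ingress interface

def filter_packets(packets, **kw):
    """Split (src_ip, ingress_iface) tuples into (permitted, dropped) lists."""
    permitted, dropped = [], []
    for src, ingress in packets:
        (permitted if urpf_permits(src, ingress, **kw) else dropped).append((src, ingress))
    return permitted, dropped

if __name__ == "__main__":
    # Constructed sample packets arriving at the router.
    sample = [
        ("8.8.8.8", "atm0/0/0"),        # ordinary Internet source
        ("10.0.99.13", "atm0/0/0"),     # inside address spoofed from the Internet
        ("10.0.99.13", "Gi0/1"),        # genuine inside host
        ("192.168.50.7", "Gi0/1"),      # arrives on the wrong inside interface
    ]
    print(filter_packets(sample, allow_default=True))
```

The fourth sample packet shows the classic strict-mode caveat: with asymmetric routing, legitimate traffic arriving on an interface other than the reverse path is dropped, which is why loose mode exists.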

Access Control Lists

How to apply

First, remove the ACL from the interface
int dialer 0
no ip access-group 90 in
exit
Second, remove the ACL from the running-config

Use the default statement to delete the ACL, then recreate it, see below:

default access-list 90
ip access-list standard 90
remark Block abusive IP addresses
deny 42.117.7.53 0.0.0.0
deny 123.232.122.162 0.0.0.0
deny 216.38.217.76 0.0.0.0
permit any
exit
Third, re-apply the ACL to the interface
int dialer 0
ip access-group 90 in
exit
Verify

In the example output below, two access lists have been applied to the Gi0/1 interface: INTERNET-OUT and INTERNET-IN. Remember that only one access list can be applied to an interface per direction (in/out).

show ip interface gi 0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 196.66.254.77/29
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is INTERNET-OUT
  Inbound  access list is INTERNET-IN
  Proxy ARP is enabled
 <-- output omitted -->

Apply MAC address filtering to Access Point using TFTP

This method is the most secure way to apply multiple ACL lines. It is nice because the ACL does not get updated until after the TFTP transfer is complete, so it should be safe even if the change interrupts network connectivity. Another safety measure is to schedule a reload. Please follow these steps:

Verify TFTP server is running

Windows machine

netstat -a -p UDP | find "69"
UDP    0.0.0.0:69             *:*   <-- this is expected output

Linux

netstat -uln | grep ':69'

Schedule a reload

reload in 5 reason Applying ACLs
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
[OK]
Reload scheduled for 22:16:38 UTC Sun Nov 24 2013 (in 5 minutes) by dsneteng on vty0 (10.0.99.13)
Reload reason: Applying ACLs
Proceed with reload? [confirm]
 
***
*** --- SHUTDOWN in 0:05:00 ---
***

Copy ACL to running-config

Copy block-list-apply.txt to tftp root folder. In Windows version of SolarWinds-TFTP-Server its default folder is C:\TFTP-Root.

copy tftp: running-config

or, as a one-liner:

copy tftp://10.0.99.11/block-list-apply.txt running-config
Destination filename [running-config]?
Accessing tftp://10.0.99.11/block-list-apply.txt...
Loading block-list-apply.txt from 10.0.99.11 (via BVI1): !
[OK - 3501 bytes]

3501 bytes copied in 1.588 secs (2205 bytes/sec)

Example of block-list-apply.txt file.

! Updated on 24/11/2013@21:00 by user@
! MAC Vendor Lookup http://www.macvendorlookup.com/list-lookup
!
! Exception list:
! 
! LocationID
! 0022.694C.AABB - Hon Hai Precision - user@
!
! Apply following to all your APs
! 
! 
interface Dot11Radio0.10
no  bridge-group 10 input-address-list 700
exit
!
no access-list 700
!
! LocationID
!
access-list 700 deny    0019.7E72.AABB 0000.0000.0000
access-list 700 deny    083E.8E36.CCDD 0000.0000.0000
!
! Permit all the rest
!
access-list 700 permit  0000.0000.0000 ffff.ffff.ffff
!
interface Dot11Radio0.10
 bridge-group 10 input-address-list 700
exit
end
! 
! MAC filter list has been applied - check for connectivity

Cancel reload

reload cancel
***
*** --- SHUTDOWN ABORTED ---
***

Using object-group with ACLs

We can create a group of hosts, a range of hosts, or a nested group-object. Then we can include the object name in an ACL. It is

Create
R1(config)#object-group network GoogleServers
R1(config-network-group)#?
Network object group configuration commands:
  A.B.C.D       Network address of the group members
  any           Any host
  description   Network object group description
  exit          Exit from IP policy-group configuration mode
  group-object  Nested object group
  host          Host address of the object-group member
  no            Negate or set default values of a command
  range         Match only packets in the range of IP address
R1(config-network-group)#description Allow to do DNS request to Google Servers
R1(config-network-group)#host 173.194.34.176
R1(config-network-group)#host 173.194.34.177
R1(config-network-group)#host 173.194.34.180
R1(config-network-group)#host 173.194.34.178
R1(config-network-group)#host 173.194.34.179
R1(config-network-group)#exit
Add to access-list
R1(config)#ip access-list extended Only-GoogleServers
R1(config-ext-nacl)#remark Allow access google.com server
R1(config-ext-nacl)#permit ip any object-group GoogleServers
R1(config-ext-nacl)#deny ip any any
R1(config-ext-nacl)#exit
Preview
R1#sh access-lists Only-GoogleServers
Extended IP access list Only-GoogleServers
    10 permit ip any object-group GoogleServers
    20 deny ip any any

Then you can apply ACL Only-GoogleServers in the standard manner.

Stateful Filtering

Reflexive ACL

Create an access-list permitting only tcp, udp and icmp traffic

R1(config)#ip access-list extended GOING-OUT
R1(config-ext-nacl)#permit tcp any any reflect REMEMBER
R1(config-ext-nacl)#permit udp any any reflect REMEMBER
R1(config-ext-nacl)#permit icmp any any reflect REMEMBER
R1(config-ext-nacl)#deny ip any any log

Apply it to an interface, in the outbound direction, so it sees all traffic leaving the interface. The router will create a dynamic ACL named REMEMBER that permits the return traffic for everything that left. Therefore a reflexive ACL makes most sense when you deny access to the router from outside but want to allow traffic originating from the inside network.

R1(config)#interface dialer 1
R1(config-if)#ip access-group GOING-OUT out

Block all traffic coming in

R1(config)#ip access-list extended COMING-IN
R1(config-ext-nacl)#evaluate REMEMBER
R1(config-ext-nacl)#deny ip any any log
R1(config-ext-nacl)#exit
R1(config)#interface dialer 1
R1(config-if)#ip access-group COMING-IN in

Verify by opening https://www.google.co.uk:

R1#show access-lists
Extended IP access list COMING-IN
   10 evaluate REMEMBER
   20 deny ip any any log (77 matches)
Extended IP access list GOING-OUT
   10 permit tcp any any reflect REMEMBER (79 matches)
   20 permit udp any any reflect REMEMBER
   30 permit icmp any any reflect REMEMBER
   40 deny ip any any log
Reflexive IP access list REMEMBER
    permit tcp host 173.194.34.41 eq 443 host 10.161.93.20 eq 52767 (10 matches) (time left 296)
    permit tcp host 173.194.34.47 eq 443 host 10.161.93.20 eq 41852 (9 matches) (time left 296)
    permit tcp host 74.125.24.94 eq 443 host 10.161.93.20 eq 56001 (37 matches) (time left 296)
    permit tcp host 74.125.24.94 eq www host 10.161.93.20 eq 37352 (4 matches) (time left 295)
    permit tcp host 212.77.101.100 eq www host 10.161.93.20 eq 43924 (6 matches) (time left 294)
    permit tcp host 212.77.101.100 eq www host 10.161.93.20 eq 43923 (5 matches) (time left 294)

Even though all incoming traffic on the Dialer1 interface is denied, we EVALUATE the access-list REMEMBER for the remembered traffic that left our network. Therefore all traffic originating from our network will be permitted back in.

Example of a working reflexive ACL allowing only ssh and inside-originated traffic

! 
! Remember all traffic originated from inside
! 
ip access-list extended INTERNET-OUT
 permit tcp any any reflect REMEMBER timeout 300
 permit udp any any reflect REMEMBER timeout 300
 permit icmp any any reflect REMEMBER timeout 300
 deny   ip any any log
!
! Block all except dns(udp53) and ssh(tcp22)
!
ip access-list extended INTERNET-IN
 ! permit udp any eq 53 any
 permit udp any eq domain any
 permit tcp any any eq 22
 evaluate REMEMBER
 deny   ip any any log
!
! Apply access lists to the Internet-edge interface
!
interface Dialer0
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out

Just a note: a non-existent ACL applied to an interface has no effect on the traffic; everything is allowed.
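
As an added model (not from the original page) of how the reflexive REMEMBER entries and the evaluate statement interact, the Python below mirrors the INTERNET-OUT/INTERNET-IN pair above: outbound matches create swapped temporary entries with a timeout, and inbound packets pass only through the static permits or a live mirror entry; the addresses and ports in the sample are constructed.

```python
class ReflexiveACL:
    """Models 'permit ... reflect REMEMBER timeout N' and 'evaluate REMEMBER'.

    An outbound packet matching a reflect entry creates a temporary mirror entry
    with source/destination and ports swapped; an inbound packet is checked
    against the static permits first and then, via evaluate, against the live
    mirror entries. Times are plain seconds passed by the caller, so the model
    is deterministic."""

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.entries = {}   # (proto, src, sport, dst, dport) -> expiry time

    def outbound(self, proto, src, sport, dst, dport, now):
        """INTERNET-OUT: permit tcp/udp/icmp any any reflect REMEMBER; deny ip any any."""
        if proto not in ("tcp", "udp", "icmp"):
            return False    # falls through to 'deny ip any any log'
        # Return traffic arrives FROM dst:dport TO src:sport, so store it swapped.
        self.entries[(proto, dst, dport, src, sport)] = now + self.timeout
        return True

    def evaluate(self, proto, src, sport, dst, dport, now):
        """'evaluate REMEMBER': permit only if a matching, unexpired entry exists."""
        key = (proto, src, sport, dst, dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[key]                    # aged out: 'time left' reached 0
            return False
        self.entries[key] = now + self.timeout       # a hit refreshes the timer
        return True

    def time_left(self, proto, src, sport, dst, dport, now):
        """Seconds before a mirror entry expires, like '(time left N)' in show access-lists."""
        expiry = self.entries.get((proto, src, sport, dst, dport))
        return None if expiry is None else max(0, expiry - now)

    def inbound(self, proto, src, sport, dst, dport, now):
        """INTERNET-IN: permit udp any eq domain any; permit tcp any any eq 22;
        evaluate REMEMBER; deny ip any any log."""
        if proto == "udp" and sport == 53:
            return True
        if proto == "tcp" and dport == 22:
            return True
        return self.evaluate(proto, src, sport, dst, dport, now)

if __name__ == "__main__":
    acl = ReflexiveACL(timeout=300)
    # Constructed: an inside host opens an HTTPS session, then the reply comes back.
    acl.outbound("tcp", "10.161.93.20", 52767, "173.194.34.41", 443, now=0)
    print(acl.inbound("tcp", "173.194.34.41", 443, "10.161.93.20", 52767, now=10))
```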

CBAC

CBAC (Context Based Access Control) is the next generation of stateful filtering, superseding reflexive access lists. Instead of reflect/evaluate statements, inspection rules are used to remember the kind of traffic that left (the role the legacy reflexive ACL played).

This feature is available only with the security or data&security technology package enabled. Please refer to the Cisco Feature Toolkit.

Safety cushion by scheduled reload

When applying ACLs or adding extra security it is possible to lock yourself out. Therefore, before you apply any changes, schedule a reload and do not save the running-config to the startup-config until you are 100% sure everything is working correctly. Then cancel the scheduled reload and save the changes.

Schedule reload in 5 minutes

reload in 5
Reload scheduled for 19:57:04 GMT Sun Nov 17 2013 (in 5 minutes) by dsneteng on console
Reload reason: Reload Command
Proceed with reload? [confirm]
***
*** --- SHUTDOWN in 0:05:00 ---
***

Cancel reload

reload cancel
***
*** --- SHUTDOWN ABORTED ---
***

Other options

reload ?
  at      Reload at a specific time/date
  cancel  Cancel pending reload
  in      Reload after a time interval
  reason  Reload reason
  warm    Reload should be warm

Use copy tftp run when applying ACLs

Then do a copy tftp run to install the updated ACL into the running config. This method is nice because the ACL does not get updated until after the TFTP transfer is complete, so it should be safe even if the change interrupts network connectivity.
