21.3 Example: Cisco Systems Routers as Chokes

Many organizations use high-performance routers both to connect their companies to the Internet and to perform limited packet filtering. Because routers made by Cisco Systems, Inc., are widely used within the Internet community as this book is being written, we decided that a look at the security configuration for a Cisco router might be helpful.
Cisco Systems routers run a complicated operating system called Internetwork Operating System (IOS), which is specially tailored to perform high-speed routing. It is a real-time operating system that is not based on UNIX. IOS maintains a set of internal configuration tables that are associated with the router, each protocol that the router understands, each network interface, and each physical "line" interface. These configuration tables are consulted by IOS each time a packet is received for routing. The IOS internal tables are configured from the console when the router is in configuration mode. The current configuration can be extracted from the router with the write command: write terminal displays it as a text file of configuration commands, write memory stores that text in the router's nonvolatile memory, and write network saves it to a network TFTP server. The router then interprets these commands when it boots as if they were typed on the router's console.

21.3.1 access-list Command: Creating an Access List

IOS uses the access-list command to define the set of IP addresses and protocols with which a particular router will communicate. The access-list command creates an access list; each access list has a unique number. IOS sets aside specific ranges of access-list numbers for specific purposes: numbers 1 through 99 are standard IP access lists and numbers 100 through 199 are extended IP access lists. Each access-list command with the same number appends one entry to that list. A list is evaluated from its first entry to its last, and the first entry that matches a packet decides whether the packet is permitted or denied.

21.3.1.1 access-list: standard form

The standard form of the access-list command for the IP protocol has the form:

    access-list access-list-number {deny|permit} source [source-mask]

Where:

access-list-number is the number of the access list, from 1 to 99 for a standard IP list.

deny or permit is the action taken on a packet that matches this entry.

source is the source IP address that the entry matches. A standard list examines only the source address of each packet.

source-mask is a wildcard mask, not a subnet mask: a 1 bit means "don't care" and a 0 bit means that the corresponding bit of the packet's address must equal the bit in source. Thus 0.0.0.255 matches an entire class C network. If the mask is omitted it defaults to 0.0.0.0, which matches only the single host address given as source.
If you specify an access list, IOS adds an implicit rule at its end that denies all packets not matched by the rules you have provided. For example, this command would permit all packets from the host 204.17.195.100:

    access-list 1 permit 204.17.195.100

This command would deny all packets from the class C network 198.3.4:

    access-list 1 deny 198.3.4.0 0.0.0.255

21.3.1.2 access-list: extended form

The access-list command has an extended form which allows you to make distinctions based on the particular IP protocol and service.[8] In the case of TCP, you can even create restrictions based on the connection's direction, that is, whether the connection was opened from inside or from outside your network, because the established keyword matches only segments that belong to a connection that is already open.
The extended version of the access-list command has syntax that is similar to the standard form; the key difference is that the access-list-number must be in the range 100 to 199, and there are additional parameters:

    access-list access-list-number {deny|permit} protocol \
        source source-mask destination destination-mask [established]

Where:

access-list-number is the number of the access list, from 100 to 199 for an extended IP list.

protocol is the IP protocol the entry matches: ip (any IP packet), tcp, udp, or icmp.

source and source-mask are the source address and its wildcard mask, exactly as in the standard form. destination and destination-mask select the destination address in the same way. The keyword any can be written in place of the pair 0.0.0.0 255.255.255.255, which matches every address.

established applies only to TCP. It matches segments that have the ACK or RST bit set, which is true of every segment of an existing connection but not of the initial SYN that opens one, so a list that permits only established traffic inbound allows replies to connections your hosts open while refusing connections opened from outside. Because the test looks only at a flag in the TCP header, it does not stop an outsider from sending forged packets with ACK set; it stops them from completing a connection.
21.3.2 show access-lists Command: Seeing the Current Access Lists

You can use the IOS show access-lists command to display all of the current access lists. For example:

    router> show access-lists
    Standard IP access list 1
        permit 204.17.195.0, wildcard bits 0.0.0.255
        permit 199.232.92.0, wildcard bits 0.0.0.255
    Extended IP access list 108
        deny ip 199.232.92.0 0.0.0.255 any
        deny ip 204.17.195.0 0.0.0.255 any
        permit ip any any (1128372 matches)
    router>

In this example, there are two IP access lists: access list #1, which is a standard list, and access list #108, which is an extended list. The standard list permits any packet whose source address is in the IP networks 204.17.195 or 199.232.92 and, because of the implicit deny, rejects every other packet; the extended list denies any packet whose source address is in these two networks and permits all others. The pair of rules in this example can be used to erect a barrier to IP spoofing for an organization that is connected to the Internet. The organization, with two internal IP networks (204.17.195 and 199.232.92), would apply the standard list to outbound packets on its serial interface, so that only packets bearing its own source addresses can leave, and the extended list to inbound packets on the same interface. As a result, any incoming packet that claims to be from the organization's internal networks is rejected, and no internal host can send packets that forge an outside source address. Be aware that the show access-lists command is normally not a privileged command; anybody who can log into your router can see all of your access lists. You can make it privileged by using the IOS privilege commands added in IOS Version 10.3.

21.3.3 access-class Command: Protecting Virtual Terminals

After you have created one or more access lists, you can use the access-class command to assign an access list to a particular Cisco virtual-terminal (vty) line. (Access lists are attached to network interfaces with a different command, ip access-group, described in Section 21.3.4.) You should use the access-class command to configure your router so that it will reject login attempts from any host outside your organization.
You may also wish to configure your router so that it rejects all login attempts from inside your organization as well, with the exception of a specially designated administrative machine. The access-class command has the following syntax:

    access-class access-list-number {in|out}

Where:

access-list-number is the number of a standard IP access list (1 to 99).

in restricts the hosts that may open a connection to the line to those whose source addresses the list permits; out restricts the destinations that someone already logged in on the line may reach with the router's telnet command.
You can use this command to prevent people from logging directly onto your router (using one of the vty interfaces) unless they are coming from a specially designated network. For example, to configure your router so that it will only accept logins from the class C network 198.3.3, you could use the following sequence of IOS commands:

    router# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)# access-list 12 permit 198.3.3.0 0.0.0.255
    router(config)# line vty 0 4
    router(config-line)# access-class 12 in
    router(config-line)# ^Z
    router#

Note that line vty 0 4 selects the five virtual terminals numbered 0 through 4. If your router has more vty lines, apply the access-class command to those as well; a vty line without an access-class accepts logins from anywhere.

21.3.4 ip access-group Command: Protecting IP Interfaces

You can also use access lists to specify packets that should be blocked from crossing an IP interface. For example, if you are using the Cisco router as the choke in a conventional choke-and-gate firewall, and you have a serial connection to an Internet service provider, you can specify that the only IP packets accepted in from the serial interface are those that are destined for the gate machine, and that the only IP packets transmitted out through the serial interface are those that come from your gate. The command that associates an access list with a particular interface is the ip access-group command. This is an interface-configuration command, which means that it is typed when the router is in interface-configuration mode. The ip access-group command has the following syntax:

    ip access-group access-list-number {in | out}

Where:

access-list-number is the number of a standard or extended IP access list.

in applies the list to packets arriving on the interface; out applies it to packets the router is about to transmit through the interface. Only one list can be applied in each direction on a given interface.
For example, to configure your serial 0 interface so that it will only send packets to or from a gate computer located at IP address 204.17.100.200, you might configure your router as explained in the following paragraphs.

First, create one access list that selects packets that have the gate as their source (access list #10) and a second access list that selects packets that have the gate as their destination (access list #110). A standard list can test only the source address, which is why the destination test requires an extended list:

    router# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)# access-list 10 permit 204.17.100.200 0.0.0.0
    router(config)# access-list 110 permit ip 0.0.0.0 255.255.255.255 204.17.100.200 0.0.0.0

Now, assign these access lists to the serial 0 interface: list #10 in the outbound direction, so that only packets from the gate leave, and list #110 in the inbound direction, so that only packets addressed to the gate enter:

    router(config)# int serial 0
    router(config-if)# ip access-group 10 out
    router(config-if)# ip access-group 110 in

Remember to use the IOS write memory command to save the configuration to nonvolatile memory; otherwise the change is lost the next time the router boots.

21.3.5 accounting access-violations Command: Using IP Accounting

IOS has an IP accounting feature that can track the IP packets that the router rejected because they failed an access-list check. You can use this feature to detect whether somebody is trying to bypass your firewall security. The counters record, for each rejected source and destination address pair, the number of packets and bytes and the access list that rejected them, so you can see who is probing your network and what they were trying to reach. To turn on IP accounting for access violations on a specific interface, use the command:

    router(config-if)# ip accounting access-violations

The collected counters are displayed with the show ip accounting access-violations command.
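To make the matching rules of Sections 21.3.1 through 21.3.4 concrete, here is an added worked example. It is our own illustration, not code from the book, from Cisco, or from IOS, and it models how IOS evaluates an access list: wildcard masks, first-match order, the implicit deny, and the established keyword. It applies the anti-spoofing pair from Section 21.3.2 and the gate lists from Section 21.3.4 to packets constructed here; the network numbers are the ones used in the text, while 192.0.2.5 (an outside host) and 10.1.1.1 (an inside host forging an outside source address) are assumptions made for the example.

```python
"""Model of Cisco IOS IP access-list evaluation (added illustration, not IOS code).

Entries are checked in order; the first match decides; a list that matches
nothing denies the packet (the implicit deny).  The addresses are the book's
sample networks plus two constructed hosts: 192.0.2.5 (outside) and
10.1.1.1 (an inside host forging an outside source address)."""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match.
    0.0.0.0 matches one host, 0.0.0.255 a class C, 255.255.255.255 anything."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # the bits that must be equal
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")   # what the IOS keyword 'any' stands for


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"              # "ip", "tcp", "udp" or "icmp"
    ack_or_rst: bool = False       # TCP header flags that 'established' looks for


@dataclass
class Entry:
    """One access-list line.  A standard list is the special case proto 'ip'
    with destination 'any': it can only test the source address."""
    action: str                    # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"
    proto: str = "ip"
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        # 'established' only inspects a header flag: it refuses a bare SYN
        # but cannot tell a forged ACK from a genuine reply segment.
        if self.established and not (p.proto == "tcp" and p.ack_or_rst):
            return False
        return (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc))


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; otherwise the implicit deny applies."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# Section 21.3.2: standard list 1 (applied out on serial 0), extended list 108 (in).
ACL_1 = [Entry("permit", "204.17.195.0", "0.0.0.255"),
         Entry("permit", "199.232.92.0", "0.0.0.255")]
ACL_108 = [Entry("deny", "199.232.92.0", "0.0.0.255", "ip", *ANY),
           Entry("deny", "204.17.195.0", "0.0.0.255", "ip", *ANY),
           Entry("permit", *ANY, "ip", *ANY)]

# Section 21.3.4: list 10 (out: only the gate may send), list 110 (in: only the
# gate may be reached).  The gate is 204.17.100.200.
GATE = "204.17.100.200"
ACL_10 = [Entry("permit", GATE, "0.0.0.0")]
ACL_110 = [Entry("permit", *ANY, "ip", GATE, "0.0.0.0")]


def antispoof_decisions() -> dict:
    """Packets crossing the serial interface of Section 21.3.2."""
    return {
        "inbound, forged internal source": evaluate(ACL_108, Packet("204.17.195.7", "204.17.195.10")),
        "inbound, genuine outside source": evaluate(ACL_108, Packet("192.0.2.5", "204.17.195.10")),
        "outbound, internal source": evaluate(ACL_1, Packet("204.17.195.10", "192.0.2.5")),
        "outbound, forged outside source": evaluate(ACL_1, Packet("10.1.1.1", "192.0.2.5")),
    }


def gate_decisions() -> dict:
    """Packets crossing serial 0 of Section 21.3.4."""
    return {
        "inbound to gate": evaluate(ACL_110, Packet("192.0.2.5", GATE)),
        "inbound past gate": evaluate(ACL_110, Packet("192.0.2.5", "204.17.195.10")),
        "outbound from gate": evaluate(ACL_10, Packet(GATE, "192.0.2.5")),
        "outbound from inside": evaluate(ACL_10, Packet("204.17.195.10", "192.0.2.5")),
    }


def established_decisions() -> tuple:
    """'permit tcp any 204.17.195.0 0.0.0.255 established' on the inbound side:
    a connection-opening SYN is refused, a reply segment (ACK set) is admitted."""
    acl = [Entry("permit", *ANY, "tcp", "204.17.195.0", "0.0.0.255", established=True)]
    syn = Packet("192.0.2.5", "204.17.195.10", "tcp", ack_or_rst=False)
    reply = Packet("192.0.2.5", "204.17.195.10", "tcp", ack_or_rst=True)
    return evaluate(acl, syn), evaluate(acl, reply)


if __name__ == "__main__":
    for name, table in (("anti-spoofing", antispoof_decisions()), ("gate", gate_decisions())):
        for case, verdict in table.items():
            print(f"{name:14s} {case:34s} {verdict}")
    print("established: SYN %s, reply %s" % established_decisions())
```

The model deliberately keeps the properties a practitioner checks when reading a real list: an entry without a mask matches one host only (so the show access-lists line permit 204.17.195.0 with no wildcard would not cover the network), the order of entries matters because the first match wins, and anything not explicitly permitted falls through to the implicit deny.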