brksec-3007 - advanced cisco ios security features (2010 las vegas)
DESCRIPTION
Cisco
TRANSCRIPT
BRKSEC-3007
Troubleshooting Cisco IOS Security Features
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
Troubleshooting Cisco IOS Firewall
Cisco IOS Firewall Overview
Cisco IOS Firewall Packet Flow
Cisco IOS Firewall Troubleshooting
Common Issues and Resolutions
Summary
Zone Based Firewall Troubleshooting Example
Troubleshooting Cisco IOS Intrusion Prevention System
Cisco IOS IPS Overview
Cisco IOS IPS Packet Flow
Cisco IOS IPS Troubleshooting
Common Issues and Resolutions
Summary
What is Not Covered
Troubleshooting Firewalls on PIX/ASA and FWSM
BRKSEC-3020: Advanced Firewalls
IPS Appliance Troubleshooting
BRKSEC-3030: Advanced Intrusion Prevention Systems
VPN
BRKSEC-3011: Troubleshooting GET VPN
BRKSEC-3012: Troubleshooting DMVPN
NRLSEC-3013: Troubleshooting Remote Access SSL VPN
Cisco IOS Firewall Overview
Zone-Based Policy Firewall Overview
Allows grouping of physical and virtual interfaces into zones
Firewall policies are applied to traffic traversing zones
Simple to add or remove interfaces and integrate them into the firewall policy
Introduced in Cisco IOS 12.4(6)T
Supported Features
Stateful inspection
Application inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP
URL filtering
Per-policy parameters (parameter-map)
Transparent firewall
VRF-aware firewall
[Figure: a router with E0 in the Trusted (Private) zone, S0 toward the Internet in the Untrusted (Public) zone, and a DMZ zone; policies are drawn for the zone pairs Private-Public, Public-DMZ, DMZ-Private and Private-DMZ]
Zone-Based Policy Firewall Configuration
! Define the services inspected by the policy
class-map type inspect match-any myprotocol
 match protocol smtp
 match protocol ftp
 match protocol http
! Combine the services with an ACL that defines the permitted/denied hosts (optional)
class-map type inspect match-all myclass
 match access-group 102
 match class-map myprotocol
! Define the firewall action for the traffic
! (anything not matched by myclass falls into class-default, whose default action is drop)
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
! Set up the zones
zone security private
zone security public
! Establish the zone-pair and apply the policy
zone-pair security priv-pub source private destination public
 service-policy type inspect mypolicy
! Assign the interfaces to the zones
interface Ethernet0
 zone-member security private
interface Serial0
 zone-member security public
!
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
Cisco IOS Firewall Packet Flow
Understanding the Packet Flow
Narrow down the issue to the device level
Determine the packet flow based on SRC IP, DST IP, SRC port, DST port, and protocol
Determine the interfaces/zones through which the flow passes
Then perform a systematic walk of the packet flow through the device based on the features configured
The end-to-end packet path must be identified
[Figure: a UDP packet (IP source a.b.c.1, destination d.e.f.1, protocol 17, source port xxxx, destination port yyy, payload) entering a router on Fa 0/0 and leaving on Fa 1/0; the router also has Fa 2/0, but once the 5-tuple is known the flow is narrowed to those two interfaces only]
Source Address: a.b.c.1
Destination Address: d.e.f.1
Source Port: xxxx
Destination Port: yyy
Protocol: UDP
Source Interface: Fa 0/0
Destination Interface: Fa 1/0
General Packet Flow
[Figure: order of operations for a packet through the router, as drawn on the slide. Inbound on the input interface: IPsec packet? If yes, decrypt the packet, then stateless IPS (input interface) and the inbound ACL (input interface); if no, stateless IPS (input interface), auth-proxy and the inbound ACL (input interface). Then NAT before routing, routing, NAT after routing. Outbound on the output interface: stateful IPS (output interface), fragment inspection, outbound ACL (output interface), IOS Firewall; IPsec packet? If yes, encrypt the packet.]
Cisco IOS Firewall Troubleshooting
The Problem Solving Process
Assess
What's going on?
Prioritize
Ask the right questions to better define and clarify the problem
Acquire
What information do we need but don't have?
How do we get that information?
Analyze
Understand the flow
What's supposed to happen vs. what actually happened
Act
Test assumptions
Deploy changes
IOS Firewall Troubleshooting Tools
Syslog
Show commands
Packet capture
Debug commands
Syslog
Most effective troubleshooting tool available for the Zone-Based Policy Firewall
Tool for alerts and audit trail
Tool to help identify packets dropped by the firewall
Tool for capturing debug command output
Use of a syslog server is strongly recommended when deploying firewall solutions
Syslog—Dissection of a Syslog Message
Symptom: A user complains that he is unable to browse to a web server at 172.16.1.100
EC-SUN[100]# grep "172.16.1.100"
Jul 26 13:58:16 200.1.1.1 2167: Jul 26 18:02:34.907 UTC: %APPFW-4-HTTP_JAVA_APPLET: HTTP Java Applet detected - resetting session 172.16.1.100:80 10.1.1.100:3372 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic
Reading the message:
Cause of the reset: HTTP Java Applet detected
Name of the zone-pair: publicPrivateOut
Class-map name: myClassMap
AIC (application inspection) class name: HttpAic
Syslog—Check for Packet Drops
Configure "ip inspect log drop-pkt" to help identify packets dropped by the firewall and the drop reason
Feature introduced in 12.3(8)T
Rate limited at 30-second intervals
Router(config)#ip inspect log drop-pkt
Router#
...
*Mar 25 19:21:27.811: %FW-6-DROP_PKT: Dropping tcp session 1.1.1.20:0 2.1.1.2:0 due to Invalid Header length with ip ident 7205
...
*Mar 25 19:30:23.131: %FW-6-DROP_PKT: Dropping tcp session 1.1.1.20:59807 2.1.1.2:23 due to RST inside current window with ip ident 14992 tcpflags 0x5004 seq.no 7916131 ack 1538156964
(The output above is from the classic firewall, CBAC. Zone-Based Policy Firewall drop messages additionally name the zone-pair and class-map that dropped the packet, and repeated drops of the same flow within the rate-limit interval are reported in a %FW-6-LOG_SUMMARY message with a packet count.)
Syslog—Common Packet Drop Reasons
Invalid Header length: the datagram is so small that it could not contain the layer 4 TCP, UDP or ICMP header
Segment matching no TCP connection: a non-initial TCP segment is received without a valid session
Invalid Seq#: the packet contains an invalid TCP sequence number
Invalid Ack (or no Ack): the packet contains an invalid TCP acknowledgement number
SYN inside current window: a SYN packet is seen within the window of an already established TCP connection
Out-Of-Order Segment: the TCP packet received is out of order
Stray Segment: a TCP segment is received that should not have been received according to the TCP state machine, such as a TCP SYN packet received in the LISTEN state
Invalid Window scale option: the TCP responder proposes a window scale option when the initiator did not offer the window scale option
RST inside current window: a reset (RST) packet is observed within the window of an already established TCP connection
SYN with data or with PSH/URG flags: a TCP SYN packet is seen carrying data or with the PSH/URG flags set
Syslog—Alert and Audit Trail
Check the syslog for firewall alerts that may indicate potentially hostile events
Audit trail for session establishment and tear-down
*Jun 26 04:05:59.803: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (10) exceeded for host 2.1.1.2
*Jun 26 04:07:04.347: %FW-4-ALERT_ON: getting aggressive, count (101/100) current 1-min rate: 173
*Jun 26 04:07:04.347: %FW-4-ALERT_OFF: calming down, count (99/100) current 1-min rate: 173
*Jun 26 03:47:36.879: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (1.1.1.2:11081) -- responder (2.1.1.2:23)
*Jun 26 03:47:52.843: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (1.1.1.2:11081) sent 63 bytes -- responder (2.1.1.2:23) sent 96581 bytes
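The drop, reset and alert messages of the last three slides are what a syslog server receives from the firewall; the parser below, an added example written for this page and not part of the presentation or of Cisco IOS, turns them into per-flow drop counts so that the "packet dropped by the firewall, and why" question can be answered over a whole log instead of one message at a time. It understands %FW-6-DROP_PKT (with or without the zone-pair/class suffix that the Zone-Based Policy Firewall adds), %FW-6-LOG_SUMMARY (whose packet count is added to the flow's total), %APPFW-4-* session resets and %FW-4-HOST_TCP_ALERT_ON. The regular expressions are derived from the message shapes quoted on the slides and are assumptions about the format; the sample log is constructed from those same messages.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message shapes taken from the slides. Zone-Based Policy Firewall DROP_PKT lines carry
# "on zone-pair X class Y"; classic CBAC lines do not, so that part is optional.
_DROP_PKT = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: on zone-pair (?P<zp>\S+) class (?P<cls>\S+))?"
    r" due to (?P<reason>.+?) with ip ident (?P<ident>\d+)")
_LOG_SUMMARY = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)")
_APPFW_RESET = re.compile(
    r"%APPFW-4-(?P<msg>\w+): (?P<reason>.+?) - resetting session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) appl-class (?P<appl>\S+)")
_HALF_OPEN = re.compile(
    r"%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections \((?P<limit>\d+)\) "
    r"exceeded for host (?P<host>[\d.]+)")


@dataclass
class FwEvent:
    kind: str                        # "drop", "reset" or "half_open_alert"
    flow: str                        # "src:sport->dst:dport" (the host, for alerts)
    reason: str
    count: int = 1                   # packets for drops; the limit for half-open alerts
    zone_pair: Optional[str] = None
    class_map: Optional[str] = None


def _flow(m) -> str:
    return f"{m['src']}:{m['sport']}->{m['dst']}:{m['dport']}"


def parse_fw_line(line: str) -> Optional[FwEvent]:
    """Parse one syslog line; returns None for message types this parser does not know."""
    m = _DROP_PKT.search(line)
    if m:
        return FwEvent("drop", _flow(m), m["reason"], 1, m["zp"], m["cls"])
    m = _LOG_SUMMARY.search(line)
    if m:   # rate-limited repeats of an already reported drop: keeps the count, not the reason
        return FwEvent("drop", _flow(m), "(summarised repeats)", int(m["count"]), m["zp"], m["cls"])
    m = _APPFW_RESET.search(line)
    if m:
        return FwEvent("reset", _flow(m), m["reason"], 1, m["zp"], m["cls"])
    m = _HALF_OPEN.search(line)
    if m:
        return FwEvent("half_open_alert", m["host"], "half-open limit exceeded", int(m["limit"]))
    return None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Aggregate drops per (flow, zone-pair, class-map) and per reason; collect resets and alerts."""
    by_flow: Counter = Counter()
    by_reason: Counter = Counter()
    resets: List[FwEvent] = []
    half_open: Dict[str, int] = {}
    unparsed = 0
    for line in lines:
        ev = parse_fw_line(line)
        if ev is None:
            unparsed += 1
        elif ev.kind == "drop":
            by_flow[(ev.flow, ev.zone_pair, ev.class_map)] += ev.count
            by_reason[ev.reason] += ev.count
        elif ev.kind == "reset":
            resets.append(ev)
        else:
            half_open[ev.flow] = ev.count
    return {"drops_by_flow": by_flow, "drops_by_reason": by_reason,
            "resets": resets, "half_open_hosts": half_open, "unparsed": unparsed}


# Constructed sample: the messages quoted on the slides, one per line.
SAMPLE_SYSLOG = """\
*Mar 25 19:21:27.811: %FW-6-DROP_PKT: Dropping tcp session 1.1.1.20:0 2.1.1.2:0 due to Invalid Header length with ip ident 7205
*Mar 25 19:30:23.131: %FW-6-DROP_PKT: Dropping tcp session 1.1.1.20:59807 2.1.1.2:23 due to RST inside current window with ip ident 14992 tcpflags 0x5004 seq.no 7916131 ack 1538156964
*Apr 5 23:47:10.931: %FW-6-DROP_PKT: Dropping udp session 10.2.1.1:500 10.2.3.3:500 on zone-pair OUT->IN class class-default due to DROP action found in policy-map with ip ident 0
*Apr 5 23:48:38.055: %FW-6-LOG_SUMMARY: 3 packets were dropped from 10.2.1.1:500 => 10.2.3.3:500 (target:class)-(OUT->IN:class-default)
Jul 26 13:58:16 200.1.1.1 2167: Jul 26 18:02:34.907 UTC: %APPFW-4-HTTP_JAVA_APPLET: HTTP Java Applet detected - resetting session 172.16.1.100:80 10.1.1.100:3372 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic
Jul 26 15:03:51 200.1.1.1 2768: Jul 26 19:08:08.751 UTC: %APPFW-4-HTTP_CONTENT_LENGTH: Content length (82271) out of range - resetting session 208.254.0.103:80 10.1.1.100:3491 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic
*Jun 26 04:05:59.803: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (10) exceeded for host 2.1.1.2
*Jun 26 03:47:36.879: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (1.1.1.2:11081) -- responder (2.1.1.2:23)
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_SYSLOG.splitlines())
    for (flow, zp, cls), n in s["drops_by_flow"].most_common():
        print(f"{n:4d} drops  {flow:32s} zone-pair={zp} class={cls}")
    for reason, n in s["drops_by_reason"].most_common():
        print(f"{n:4d} {reason}")
```

Run against the sample, the IKE flow 10.2.1.1:500 to 10.2.3.3:500 comes out with four drops in class-default of OUT->IN (one DROP_PKT plus the three summarised repeats), which is the kind of number that is easy to miss when reading the rate-limited messages one at a time.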
Show Commands
Used to display the configuration and the connection/statistics information
Most problems can be diagnosed with syslog and show commands
Show commands differ between the Classic Cisco IOS Firewall (CBAC) and the Zone-Based Policy Firewall
Show Commands—Zone-Based Firewall
To display zones and their member interfaces:
show zone security [zone-name]
To display zone-pair information:
show zone-pair security [source <zone>] [destination <zone>]
To show policy statistics and sessions:
show policy-map type inspect { <policy name> [class <class name>] | zone-pair [<zone-pair name>] [sessions | urlfilter cache] }
Router#show zone-pair security source private destination public
Zone-pair name priv-pub
    source-Zone private  Destination-Zone public
    service-policy priv-pub-pol
Show Commands—Zone-Based Firewall: To display the firewall statistics
Router# show policy-map type inspect zone-pair
policy exists on zp priv-pub
Zone-pair: priv-pub
Service-policy inspect : firewall-pmap
Class-map: L4-inspect-class (match-any)
Match: protocol tcp
1 packets, 24 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [44:0]
Session creations since subsystem startup or last reset 1
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:00:40
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 1
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Show Commands—Zone-Based Firewall: To display the firewall sessions
Router# show policy-map type inspect zone-pair sessions
policy exists on zp priv-pub
Zone-pair: priv-pub
Service-policy inspect : firewall-pmap
Class-map: L4-inspect-class (match-any)
Match: protocol tcp
1 packets, 24 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 1
Established Sessions
Session 5346C90 (1.1.1.20:44181)=>(2.1.1.2:23) tcp SIS_OPEN
Created 00:09:22, Last heard 00:09:17
Bytes sent (initiator:responder) [46:119]
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
How to Use Packet Captures for Troubleshooting Firewall Issues
Typical problem scenario: application X fails when going through the firewall
Set up the capture filter for the flow in question
Start packet captures on both the inside and the outside of the firewall
Start the application that's failing
Compare the packet captures to look for packet drops and match them up with the firewall logs
[Figure: Client on the inside, capture point on the inside of the firewall, firewall, capture point on the outside, Internet, Server]
Using IOS Embedded Packet Captures
Router#monitor capture buffer test-buffer
Router#monitor capture buffer test-buffer filter access-list 120
Filter Association succeeded
Router#
Router#monitor capture point ip cef test-capture serial 2/0 both
*Mar 26 20:33:10.896: %BUFCAP-6-CREATE: Capture Point test-capture created.
Router#monitor capture point associate test-capture test-buffer
Router#monitor capture point start test-capture
*Mar 26 20:34:03.108: %BUFCAP-6-ENABLE: Capture Point test-capture enabled.
Router#
Router#monitor capture point stop test-capture
*Mar 26 20:34:21.636: %BUFCAP-6-DISABLE: Capture Point test-capture
disabled.
Key configuration steps
Create the capture buffer and capture point
Associate the capture point to the buffer
Start/stop the capture
Using IOS Embedded Packet Captures
Now we have the packets captured, what's next?
Router# show monitor capture buffer test-buffer dump
15:34:07.228 EST Mar 26 2009 : IPv4 LES CEF : Se2/0 None
05CECE30: 0F000800 45C0002C ....E@.,
05CECE40: 6D170000 FE0649DD 02010102 01010114 m...~.I]........
05CECE50: 0017A353 0FB6B952 3EF1499C 60121020 ..#S.69R>qI.`..
05CECE60: 917A0000 02040218 00 .z.......
...
Dump the packet on the router itself
Or export it out and analyze it in Ethereal/Wireshark
Router# monitor capture buffer test-buffer export ?
ftp: Location to dump buffer
http: Location to dump buffer
https: Location to dump buffer
rcp: Location to dump buffer
scp: Location to dump buffer
tftp: Location to dump buffer
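When exporting is not an option, the dump above can be decoded in place. The script below is an added example written for this page (not part of the presentation or of IOS): it rebuilds the frame bytes from the hex columns of "show monitor capture buffer ... dump", strips the Cisco HDLC header that the serial interface adds, verifies the IPv4 header checksum, decodes the TCP header and options, and produces the same src:port dst:port form that %FW-6-DROP_PKT messages use, together with the IP ID that those messages quote, so a captured packet can be matched to a drop message or to the session table. The dump-line format, the HDLC/Ethernet encapsulation checks and the sample text (the slide's dump, typed in) are assumptions. Decoding the slide's own frame shows it to be the Telnet SYN/ACK from 2.1.1.2:23 back to 1.1.1.20:41811, with a valid header checksum and a 536-byte MSS.

```python
import ipaddress
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the capture-buffer dump shown above, typed in verbatim.
SAMPLE_DUMP = """\
15:34:07.228 EST Mar 26 2009 : IPv4 LES CEF : Se2/0 None
05CECE30: 0F000800 45C0002C ....E@.,
05CECE40: 6D170000 FE0649DD 02010102 01010114 m...~.I]........
05CECE50: 0017A353 0FB6B952 3EF1499C 60121020 ..#S.69R>qI.`..
05CECE60: 917A0000 02040218 00 .z.......
"""

_DUMP_LINE = re.compile(r"^[0-9A-Fa-f]{8}:\s+(.*)$")          # "<offset>: <words> <ascii>"
_HEX_WORD = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")          # 1..4 bytes as hex
_TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def dump_to_bytes(text: str) -> bytes:
    """Rebuild the raw frame from the hex columns of the dump.

    At most four words per line are taken, and only while they look like hex, so the ASCII
    column is not consumed on a full line. A short last line whose ASCII column happened to
    look like hex would add a few trailing bytes, which decode_frame() ignores anyway because
    it cuts the packet at the IP total length.
    """
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line.strip())
        if not m:
            continue                        # timestamp/encapsulation header or blank line
        for tok in m.group(1).split()[:4]:
            if not _HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


@dataclass
class DecodedPacket:
    encap: str
    src: str
    dst: str
    proto: int
    ttl: int
    ip_id: int
    ip_len: int
    ip_checksum_ok: bool
    sport: Optional[int] = None
    dport: Optional[int] = None
    seq: Optional[int] = None
    ack: Optional[int] = None
    flags: List[str] = field(default_factory=list)
    window: Optional[int] = None
    mss: Optional[int] = None
    payload_len: int = 0

    def flow_key(self) -> str:
        """Same 'src:port dst:port' form the %FW-6-DROP_PKT messages use."""
        return f"{self.src}:{self.sport} {self.dst}:{self.dport}"


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones-complement sum; evaluates to 0 over a header that includes its checksum."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header) - 1, 2))
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> DecodedPacket:
    """Strip the link header and decode IPv4 plus the TCP or UDP header."""
    if frame[:4] == b"\x0f\x00\x08\x00":               # Cisco HDLC on a serial link: addr, ctrl, 0x0800
        encap, ip = "hdlc", frame[4:]
    elif len(frame) > 14 and frame[12:14] == b"\x08\x00":   # Ethernet II carrying IPv4
        encap, ip = "ethernet", frame[14:]
    else:
        raise ValueError("unrecognised link encapsulation")
    vihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    ip = ip[:total_len]                                # drop padding/trailer beyond the IP total length
    pkt = DecodedPacket(encap, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                        proto, ttl, ip_id, total_len, ip_checksum(ip[:ihl]) == 0)
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 20:
        pkt.sport, pkt.dport, pkt.seq, pkt.ack, off_flags, pkt.window = struct.unpack("!HHIIHH", l4[:16])
        data_off = (off_flags >> 12) * 4
        pkt.flags = [name for bit, name in _TCP_FLAGS if off_flags & bit]
        i = 20
        while i < data_off and i < len(l4):            # walk the options to find the MSS
            kind = l4[i]
            if kind == 0:                              # end of option list
                break
            if kind == 1:                              # NOP
                i += 1
                continue
            length = l4[i + 1]
            if kind == 2 and length == 4:
                pkt.mss = struct.unpack("!H", l4[i + 2:i + 4])[0]
            i += max(length, 2)
        pkt.payload_len = len(l4) - data_off
    elif proto == 17 and len(l4) >= 8:
        pkt.sport, pkt.dport = struct.unpack("!HH", l4[:4])
        pkt.payload_len = len(l4) - 8
    return pkt


if __name__ == "__main__":
    p = decode_frame(dump_to_bytes(SAMPLE_DUMP))
    print(p.encap, p.flow_key(), "proto", p.proto, "ip id", p.ip_id, "flags", p.flags,
          "mss", p.mss, "ip checksum ok", p.ip_checksum_ok)
```

Capturing on both sides of the firewall and decoding both dumps with the same function gives two lists of (flow_key, ip_id) pairs; an IP ID present on the inside capture but missing on the outside capture is a packet the firewall dropped, and the drop message with that "ip ident" gives the reason.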
IPsec and Cisco IOS Firewall
Problem Statement:
How IPsec works/interacts with the IOS Firewall
Solutions:
The IOS Firewall works with IPsec in one of two ways:
IOS Firewall and IPsec enabled on the same router
IOS FW inspects the decrypted packets for inbound traffic
IOS FW inspects packets before encryption for outbound traffic
IOS Firewall for IPsec pass-through traffic
IOS FW will not inspect encrypted IPsec packets, because the protocol number in the IP header (50 for ESP, 51 for AH) is not TCP or UDP
ISAKMP, which is UDP/500, will be inspected
The router needs to allow UDP/500 (ISAKMP), UDP/4500 (NAT-T), IP protocol 50 (ESP) and IP protocol 51 (AH) for IPsec pass-through
IPsec and Zone-Based Firewall
Two types of IPsec configuration:
Non-VTI based classic configuration, with a crypto map applied to an interface
Interface-based IPsec configuration:
GRE over IPsec
DMVPN
Static VTI (Virtual Tunnel Interface)
EzVPN using Dynamic VTI
Reference: Using VPN with Zone-Based Policy Firewall
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html
Classic IPsec with ZBF
Define the zone security policies (rows are the source zone, columns the destination zone):
Source zone \ Destination zone | Private | Public
Private | N/A | Allow all outbound TCP/UDP/ICMP traffic
Public | Allow TCP/UDP/ICMP traffic from the tunnel, and web traffic to server 192.168.1.10 | N/A
[Figure: Clients 192.168.2.0/24 behind R1; IPsec tunnel across the Internet to R2, whose zone public faces the Internet (Internet traffic: TCP/UDP/ICMP) and whose zone private holds the server network 192.168.1.0/24 including the web server]
Classic IPsec with ZBF - Configuration
class-map type inspect match-any all-traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all pub-pri-cmap
 match class-map all-traffic
 match access-group name tunnel-traffic
class-map type inspect match-all inbound-web
 match protocol http
 match access-group name web-server
!
policy-map type inspect pri-pub-pmap
 class type inspect all-traffic
  inspect
policy-map type inspect pub-pri-pmap
 class type inspect pub-pri-cmap
  inspect
 class type inspect inbound-web
  inspect
!
zone security public
 description Internet facing zone
zone security private
 description Secure private zone
zone-pair security pub-pri source public destination private
 service-policy type inspect pub-pri-pmap
zone-pair security pri-pub source private destination public
 service-policy type inspect pri-pub-pmap
!
interface FastEthernet0/0
 zone-member security public
 crypto map test
!
interface FastEthernet1/0
 zone-member security private
!
ip access-list extended tunnel-traffic
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended web-server
 permit ip any host 192.168.1.10
With a crypto map, traffic decrypted on FastEthernet0/0 enters the public zone like any other packet, so the pub-pri policy has to admit it explicitly: pub-pri-cmap limits the tunnel traffic to the 192.168.2.0/24 to 192.168.1.0/24 flows in the tunnel-traffic ACL.
Interface-based IPsec with ZBF
Define the zone security policies (rows are the source zone, columns the destination zone):
Source zone \ Destination zone | Private | Public | VPN
Private | N/A | Allow all TCP/UDP/ICMP | Allow all TCP/UDP/ICMP
Public | Allow web traffic to 192.168.1.10 | N/A | Deny
VPN | Allow all TCP | Deny | N/A
[Figure: Clients 192.168.2.0/24 behind R1; IPsec tunnel across the Internet to R2; on R2 the tunnel interface is in zone VPN, the Internet-facing interface (Internet traffic: TCP/UDP/ICMP) in zone public, and the server network 192.168.1.0/24 with the web server in zone private]
Interface-based IPsec with ZBF - Configuration
(class-maps all-traffic and inbound-web are as defined in the classic configuration above)
class-map type inspect match-any tcp-traffic
 match protocol tcp
!
policy-map type inspect pri-pub-pmap
 class type inspect all-traffic
  inspect
policy-map type inspect pub-pri-pmap
 class type inspect inbound-web
  inspect
policy-map type inspect pri-vpn-pmap
 class type inspect all-traffic
  inspect
policy-map type inspect vpn-pri-pmap
 class type inspect tcp-traffic
  inspect
!
zone security public
 description Internet facing zone
zone security private
 description Secure private zone
zone security vpn
 description This is the VPN zone
zone-pair security pub-pri source public destination private
 service-policy type inspect pub-pri-pmap
zone-pair security pri-pub source private destination public
 service-policy type inspect pri-pub-pmap
zone-pair security vpn-pri source vpn destination private
 service-policy type inspect vpn-pri-pmap
zone-pair security pri-vpn source private destination vpn
 service-policy type inspect pri-vpn-pmap
!
interface Tunnel0
 zone-member security vpn
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile test
!
interface FastEthernet0/0
 zone-member security public
!
interface FastEthernet1/0
 zone-member security private
Decrypted traffic now arrives on Tunnel0, in zone vpn, so the tunnel-traffic ACL class of the classic configuration is no longer needed. No zone-pair is configured between vpn and public, which is the "Deny" in the table: traffic between two zones with no zone-pair is dropped.
Common Issues and Resolutions
Performance Degrades
Symptom:
After turning on the IOS Firewall, connections are very slow
Valid packets are dropped a while after the firewall is turned on
Troubleshooting Steps:
Step 1: Check and investigate which process uses the most CPU
Router# show processes cpu | exclude 0.00
CPU utilization for five seconds: 70%/39%; one minute: 52%; five minutes: 43%
 PID Runtime(ms)  Invoked  uSecs   5Sec   1Min   5Min TTY Process
  74        1388    31823     43  0.08%  0.04%  0.04%   0 EAPFramework
  84      983836   305327   3222 38.18% 37.74% 37.02%   0 IP Input
 120       24468     3070   7970  1.22%  1.27%  1.26%   0 Inspect process
Solution:
The IP Input process is expected to be higher than any other process
If any process is higher than IP Input, that process needs investigation; it may not be related to the IOS Firewall
If the IP Input process is high, it could be related to the IOS Firewall
Performance Degrades (Cont.): Zone-Based Policy Firewall DoS Protection
Every class-map configured with the "inspect" action in a policy-map carries its own set of DoS protection counters
Counters of the number of "half-open" TCP and UDP connections
Total connection rate through the firewall and IPS software
Each class-map's DoS protection is individually configurable with a parameter-map that modifies the DoS protection values
The legacy default settings prior to Release 12.4(11)T may interfere with proper network operation if they are not configured for the appropriate level
Performance Degrades ZBF
Troubleshooting Steps:
Step 2: Define a parameter-map and set the max-incomplete high values to very high values (this effectively switches the half-open and connection-rate protection off, so use it to confirm the diagnosis and then tune the values in Step 5)
parameter-map type inspect DoS-param-map
 max-incomplete high 20000000
 one-minute high 100000000
 tcp max-incomplete host 100000 block-time 0
Step 3: Apply the parameter-map to every class-map's inspection action
policy-map type inspect z1-z2-pmap
 class type inspect my-cmap
  inspect DoS-param-map
Performance Degrades ZBF (Cont.)
Troubleshooting Steps:
Step 4: Check the DoS counters with the following command
router#sh policy-map type inspect zone-pair priv-pub
< Removed >
Maxever session counts (estab/half-open/terminating) [92:46:33]
Last session created 00:00:45
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 270
Step 5: Tune the DoS settings for every inspect-type class-map within a policy-map that has unique DoS protection requirements (the maxever half-open count and maxever session creation rate above are the values to size the thresholds against)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8055e6ac.html
HTTP Connection Reset
Symptom:
Unexpected web connection reset while browsing a web site
Troubleshooting Steps:
Step 1a: Analyze the syslog messages generated by the router
Jul 26 13:58:16 200.1.1.1 2167: Jul 26 18:02:34.907 UTC: %APPFW-4-HTTP_JAVA_APPLET: HTTP Java Applet detected - resetting session 172.16.1.100:80 10.1.1.100:3372 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic
Step 1b: Review the configuration with show commands
class-map type inspect http match-any HttpAic
 match response body java-applet
policy-map type inspect http HttpAicPolicy
 class type inspect http HttpAic
  reset   ! reason for the connection reset
  log
Solution:
If Java applets are meant to be allowed, remove the reset action under the policy-map (keep log so that the event is still recorded)
HTTP Connection Reset (Cont.)
Troubleshooting Steps:
Step 2a: Analyze the syslog messages generated by the router
Jul 26 15:03:51 200.1.1.1 2768: Jul 26 19:08:08.751 UTC: %APPFW-4-HTTP_CONTENT_LENGTH: Content length (82271) out of range - resetting session 208.254.0.103:80 10.1.1.100:3491 on zone-pair publicPrivateOut class myClassMap appl-class HttpAic
Step 2b: The show commands reveal that the body length limit for web traffic was configured too low (an 82271-byte response tripped it)
Solution:
Raise the request/response body length threshold to a higher value
class-map type inspect http match-any HttpAic
 match req-resp body length gt 1000000
HTTP Connection Reset (Cont.)
Troubleshooting Steps:
Step 3a: Analyzing the syslog reveals the following message
Jul 27 13:12:39 200.1.1.1 5448: Sig:12 HTTP URI length exceeded. Received 10.1.1.100:1451 to 216.73.86.52:
Step 3b: Reviewing the configuration with show commands may reveal that the request URI length was set too low
Resolution:
Raise the URI length threshold, to 256 in this example; the class still matches, and the action still fires, for any URI longer than the threshold, so pick a value that fits the URIs the site actually uses
class-map type inspect http match-any HttpAic
 match request uri length gt 256
Zone Based Firewall Troubleshooting Example
Zone Based Firewall – Desired Setup
[Figure: R2 is the IOS Firewall. R1 (10.2.1.1, loopback 1.1.1.1) connects to R2 E0/0 (10.2.1.2) on 10.2.1.0/24, zone outside. R3 (10.2.3.3, loopback 3.3.3.3) connects to R2 E1/0 (10.2.3.2) on 10.2.3.0/24, zone inside. R4 (10.2.4.4, loopback 4.4.4.4, http server) connects to R2 E2/0 (10.2.4.2) on 10.2.4.0/24, zone DMZ. Clients sit behind R1 and R3, the server behind R4. An IPsec tunnel is to run between R1 and R3 through R2.]
Zone Based Firewall Example – Desired Policy
Three zones:
inside zone
outside zone
dmz zone
Traffic policies:
TCP and UDP connections from inside to outside
TCP and UDP connections from dmz to outside
http from the outside to the dmz
any other "required" connections from the outside to the inside
Zone Based Firewall – Class Map Configuration
class-map type inspect match-any INSIDE
 match protocol tcp
 match protocol udp
class-map type inspect match-any DMZ
 match protocol tcp
 match protocol udp
class-map type inspect match-all OUTSIDE
 match protocol http
 match access-group name OUT_DMZ
 match access-group name OUT_IN
!
ip access-list extended OUT_DMZ
 permit tcp any host 4.4.4.4 eq www
(The OUT_IN access list referenced by class-map OUTSIDE is not defined at this point; it is added later in the example for the IKE and IPsec traffic.)
Zone Based Firewall – Zone Configuration
zone security inside
zone security outside
zone security dmz
Zone Based Firewall – Policy Map Configuration
policy-map type inspect IN_OUT
 class type inspect INSIDE
  inspect
 class class-default
  drop
policy-map type inspect OUT_IN
 class type inspect OUTSIDE
  inspect
 class class-default
  drop
Zone Based Firewall – Policy Map Configuration (continued)
policy-map type inspect DMZ_OUT
 class type inspect DMZ
  inspect
 class class-default
  drop
policy-map type inspect OUT_DMZ
 class type inspect OUTSIDE
  inspect
 class class-default
  drop
Zone Based Firewall – Zone-pair Configuration
zone-pair security IN->OUT source inside destination outside
 service-policy type inspect IN_OUT
zone-pair security OUT->IN source outside destination inside
 service-policy type inspect OUT_IN
zone-pair security DMZ->OUT source dmz destination outside
 service-policy type inspect DMZ_OUT
zone-pair security OUT->DMZ source outside destination dmz
 service-policy type inspect OUT_DMZ
(No zone-pair is defined between inside and dmz, so traffic between those two zones is dropped.)
Zone Based Firewall – Firewall Interface Configuration (R2)
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
 ip address 10.2.1.2 255.255.255.0
 zone-member security outside
!
interface Ethernet1/0
 ip address 10.2.3.2 255.255.255.0
 zone-member security inside
!
interface Ethernet2/0
 ip address 10.2.4.2 255.255.255.0
 zone-member security dmz
Zone Based Firewall – Additional Configuration
Enable telnet on all the routers
line vty 0 15
 password hello
 login
Enable the http server on R4 (DMZ)
R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ip http server
Enable drop logging on R2 (Zone Based Firewall)
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip inspect log drop-pkt
Zone Based Firewall – Testing
Expected results against the desired policy:
√ Telnet from R4 to R1 (dmz to outside: TCP is inspected)
√ Telnet from R3 to R1 (inside to outside: TCP is inspected)
× Telnet from R1 to R3 (outside to inside: not http, so dropped)
× Telnet from R1 to R4 (outside to dmz: only http to 4.4.4.4 is allowed)
√ Telnet from R1 to R4 on port 80 (http access to the DMZ server)
Zone Based Firewall – Telnet should work
Telnet from R4 to R1 should work
R4#telnet 1.1.1.1
Trying 1.1.1.1 ... Open
User Access Verification
Password:
R2#sh policy-map type inspect zone-pair DMZ->OUT sessions
policy exists on zp DMZ->OUT
Zone-pair: DMZ->OUT
Service-policy inspect : DMZ_OUT
Class-map: DMZ (match-any)
Match: protocol tcp
1 packets, 24 bytes
30 second rate 0 bps
...
Inspect
Number of Established Sessions = 1
Established Sessions
Session 6A62F98 (10.2.4.4:59121)=>(1.1.1.1:23) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:05, Last heard 00:00:04
Bytes sent (initiator:responder) [30:69]
Zone Based Firewall – Telnet blocked
Telnet from R1 to R3 is blocked
R1#telnet 3.3.3.3
Trying 3.3.3.3 ...
% Connection timed out; remote host not responding
R2#sh policy-map type inspect zone-pair OUT->IN sess
policy exists on zp OUT->IN
Zone-pair: OUT->IN
Service-policy inspect : OUT_IN
Class-map: OUTSIDE (match-all)
Match: protocol http
Match: access-group name OUT_IN
Inspect
Class-map: class-default (match-any)
Match: any
Drop
10 packets, 240 bytes
The drop counter of class-default on OUT->IN is what increments; with ip inspect log drop-pkt configured, the same packets also appear as %FW-6-DROP_PKT messages naming that zone-pair and class.
Zone Based Firewall – http should work
Telnet from R1 to R4 on port 80 (http access) works
R1#telnet 4.4.4.4 80
Trying 4.4.4.4, 80 ... Open
R2#sh policy-map type inspect zone-pair OUT->DMZ sessions
policy exists on zp OUT->DMZ
Zone-pair: OUT->DMZ
Service-policy inspect : OUT_DMZ
Class-map: OUTSIDE (match-all)
Match: protocol http
Match: access-group name OUT_DMZ
Inspect
Number of Established Sessions = 1
Established Sessions
Session 6A62C48 (10.2.1.1:34095)=>(4.4.4.4:80) http:tcp SIS_OPEN/TCP_ESTAB
Created 00:01:29, Last heard 00:00:13
Bytes sent (initiator:responder) [2:0]
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone Based Firewall – Policies Again
Three zones: inside, outside, dmz
Traffic policies:
TCP and UDP connections from inside to outside
TCP and UDP connections from dmz to outside
http from the outside to the dmz
any other "required" connections from the outside to the inside
Nothing in these policies covers the IKE and IPsec traffic between R1 (outside) and R3 (inside), which is the next problem.
Zone Based Firewall – IPsec does not work!
R1#
*Apr 5 23:46:18.687: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 10.2.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip inspect log drop-pkt
R2(config)#end
R2#
*Apr 5 23:45:25.723: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Apr 5 23:47:10.931: %FW-6-DROP_PKT: Dropping udp session 10.2.1.1:500 10.2.3.3:500 on zone-pair OUT->IN class class-default due to DROP action found in policy-map with ip ident 0
R2#
*Apr 5 23:48:38.055: %FW-6-LOG_SUMMARY: 3 packets were dropped from 10.2.1.1:500 => 10.2.3.3:500 (target:class)-(OUT->IN:class-default)
Ping from R1 to R3 (the IPsec peers) fails: the drop log shows R2 dropping R1's IKE packets (UDP/500) to R3 in class-default of the OUT->IN policy, so the tunnel never comes up.
Zone Based Firewall – What's missing?
[Figure: the same topology as the desired setup; the IPsec tunnel between R1 (10.2.1.1, zone outside) and R3 (10.2.3.3, zone inside) through R2 is marked "???"]
What's missing: a policy for the IKE and IPsec traffic between R1 and R3, in both directions (OUT->IN for R1's packets, IN->OUT for R3's replies).
Zone Based Firewall – ACL Configuration: Allow IKE and IPsec
ip access-list extended OUT_IN
 permit udp host 10.2.1.1 host 10.2.3.3 eq isakmp
 permit udp host 10.2.1.1 host 10.2.3.3 eq non500-isakmp
 permit esp host 10.2.1.1 host 10.2.3.3
ip access-list extended VPN_OUT
 permit udp host 10.2.3.3 host 10.2.1.1 eq isakmp
 permit udp host 10.2.3.3 host 10.2.1.1 eq non500-isakmp
 permit esp host 10.2.3.3 host 10.2.1.1
(isakmp is UDP/500, non500-isakmp is UDP/4500 for NAT-T, and esp is IP protocol 50)
Zone Based Firewall – Configuration
Add class maps and policy maps for IKE & IPsec (note the order of inspection):
class-map type inspect match-any INSIDE
 match protocol tcp
 match protocol udp
class-map type inspect match-all VPN
 match access-group name OUT_IN
class-map type inspect match-any DMZ
 match protocol tcp
 match protocol udp
class-map type inspect match-all OUTSIDE
 match protocol http
 match access-group name OUT_DMZ
 match access-group name OUT_IN
class-map type inspect match-all VPN_OUT
 match access-group name VPN_OUT
!
policy-map type inspect IN_OUT
 class type inspect INSIDE
  inspect
 class type inspect VPN_OUT
  pass
policy-map type inspect OUT_IN
 class type inspect OUTSIDE
  inspect
 class type inspect VPN
  pass
policy-map type inspect DMZ_OUT
 class type inspect DMZ
  inspect
policy-map type inspect OUT_DMZ
 class type inspect OUTSIDE
  inspect
Note: order of inspection.
Zone Based Firewall – IPsec should work
R1#ping 10.2.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/10/12 ms
R2#sh policy-map type inspect zone-pair OUT->IN sess
policy exists on zp OUT->IN
Zone-pair: OUT->IN
Service-policy inspect : OUT_IN
Class-map: OUTSIDE (match-all)
Match: protocol http
Match: access-group name OUT_IN
Inspect
Class-map: VPN (match-all)
Match: access-group name OUT_IN
Pass
5 packets, 652 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Telnet from R1 to R3 (IPsec peers) works now
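The troubleshooting sequence above turns on "ip inspect log drop-pkt", reads the %FW-6-DROP_PKT and %FW-6-LOG_SUMMARY messages, and adds a pass class for the IKE/IPsec traffic that class-default was dropping. The following Python is an added example, not code from the Cisco deck: it parses messages in those two formats (the sample lines are constructed after the ones shown above, with one extra drop on a second zone-pair), totals dropped packets per zone-pair and class, and lists the dropped flows whose destination port is IKE (udp/500) or NAT-T (udp/4500), which are exactly the flows that need a pass class such as VPN/VPN_OUT. ESP drops are not parsed because the deck shows no ESP drop message format.

```python
import re
from collections import Counter

# Constructed sample, modelled on the %FW-6-DROP_PKT / %FW-6-LOG_SUMMARY lines in the slides.
SAMPLE_FW_LOG = """\
*Apr 5 23:47:10.931: %FW-6-DROP_PKT: Dropping udp session 10.2.1.1:500 10.2.3.3:500 on zone-pair OUT->IN class class-default due to DROP action found in policy-map with ip ident 0
*Apr 5 23:47:12.102: %FW-6-DROP_PKT: Dropping udp session 10.2.1.1:4500 10.2.3.3:4500 on zone-pair OUT->IN class class-default due to DROP action found in policy-map with ip ident 0
*Apr 5 23:47:15.555: %FW-6-DROP_PKT: Dropping tcp session 10.2.1.9:51234 10.2.4.4:80 on zone-pair OUT->DMZ class class-default due to DROP action found in policy-map with ip ident 0
*Apr 5 23:48:38.055: %FW-6-LOG_SUMMARY: 3 packets were dropped from 10.2.1.1:500 => 10.2.3.3:500 (target:class)-(OUT->IN:class-default)
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)
SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)"
)

# UDP ports the OUT_IN / VPN_OUT ACLs in the slides have to permit (isakmp, non500-isakmp).
VPN_CONTROL_PORTS = {500: "isakmp", 4500: "non500-isakmp"}


def parse_drop_events(text):
    """One dict per message: %FW-6-DROP_PKT counts 1 packet, %FW-6-LOG_SUMMARY
    carries its own count but no protocol (proto is None for summary lines)."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["count"] = 1
        else:
            m = SUMMARY_RE.search(line)
            if not m:
                continue  # not a firewall drop message
            ev = m.groupdict()
            ev["proto"] = None
            ev["count"] = int(ev["count"])
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        events.append(ev)
    return events


def drops_by_class(text):
    """Dropped packets per (zone-pair, class). Summary lines can re-count packets
    already logged individually, so treat the totals as upper bounds."""
    totals = Counter()
    for ev in parse_drop_events(text):
        totals[(ev["zp"], ev["cls"])] += ev["count"]
    return dict(totals)


def vpn_control_drops(text):
    """Unique (zone-pair, src, dst, service) tuples for dropped IKE / NAT-T flows:
    each one is a peer pair that needs a 'pass' class on that zone-pair."""
    found = set()
    for ev in parse_drop_events(text):
        service = VPN_CONTROL_PORTS.get(ev["dport"])
        if service and ev["proto"] in (None, "udp"):
            found.add((ev["zp"], ev["src"], ev["dst"], service))
    return sorted(found)


if __name__ == "__main__":
    for (zp, cls), n in drops_by_class(SAMPLE_FW_LOG).items():
        print(f"{zp} class {cls}: {n} packets dropped")
    for zp, src, dst, svc in vpn_control_drops(SAMPLE_FW_LOG):
        print(f"needs a pass class on {zp}: {src} -> {dst} ({svc})")
```

Run against a real syslog export, the second report tells you which zone-pair to fix before touching any policy; the "OUT->DMZ" drop in the sample is unrelated HTTP and is deliberately left out of it.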
Firewall Summary
ALWAYS take a systematic approach to troubleshooting IOS Firewall issues
Establish a baseline traffic profile for your network through the IOS Firewall, and set the DoS settings accordingly
DO NOT change the default UDP and DNS session timeout values
Use syslog and show commands to troubleshoot the IOS Firewall
Troubleshooting Cisco IOS Intrusion Prevention System
Cisco IOS IPS Overview
Overview—What Is Cisco IOS IPS
Called IDS before 12.3(8)T, configured with the "ip audit" CLI
Introduced in 12.3(8)T, now referred to as "Cisco IOS IPS"
Software-based inline intrusion prevention sensor
Supports the Cisco IPS version 5.x signature format starting from 12.4(11)T*
Signature-based packet scanning, using the same set of signatures as the Cisco IPS 4200 sensor platform
Dynamic signature updates, no need to update the IOS image
A variety of event actions configurable per signature and per category
Ease of management: CCP, CSM**
* The version 5.x signature format is not backward compatible with the version 4.x signature format
** CCP = Cisco Configuration Professional; CSM = Cisco Security Manager
Cisco IOS IPS—System Components
Signature Micro-Engines (SMEs)
An SME defines the parameters for signatures in a specific protocol category, e.g. HTTP
Signature Files
Contain the signature engine and parameter information such as signature name, signature ID and signature actions
Signature categories*
A signature category contains pre-selected signature sets for a specific vulnerability
SEAP (Signature Event Action Processor)
SEAP allows advanced event action filtering and overrides based on the Event Risk Rating (ERR)
Event Monitoring
Syslog messages and/or SDEE** alerts for events generated by IOS IPS
* Version 5.x signature format only (i.e. 12.4(11)T or later)
** SDEE = Security Device Event Exchange
Signature Categories
IOS IPS with Cisco 5.x/6.x format signatures operates with signature categories
A signature category is a group of related signatures represented by a meaningful name
All signatures are pre-grouped into categories
An individual signature can belong to more than one category
Router#sh ip ips category ?
  adware/spyware         Adware/Spyware (more sub-categories)
  attack                 Attack (more sub-categories)
  ddos                   DDoS (more sub-categories)
  dos                    DoS (more sub-categories)
  email                  Email (more sub-categories)
  instant_messaging      Instant Messaging (more sub-categories)
  ios_ips                IOS IPS (more sub-categories)
  l2/l3/l4_protocol      L2/L3/L4 Protocol (more sub-categories)
  network_services       Network Services (more sub-categories)
  os                     OS (more sub-categories)
  other_services         Other Services (more sub-categories)
  p2p                    P2P (more sub-categories)
  reconnaissance         Reconnaissance (more sub-categories)
  releases               Releases (more sub-categories)
  viruses/worms/trojans  Viruses/Worms/Trojans (more sub-categories)
  web_server             Web Server (more sub-categories)
Packet Flow
Cisco IOS IPS Packet Flow—Inbound
[Figure: inbound packet flow; stages shown: Layer 2 decapsulation; IPsec? (Y: inbound ACL, inbound crypto map ACL, IPsec decryption, packet re-injection; N: skip); Inbound ACL; Stateless IPS; Auth Proxy; NAT; Forwarding]
IPSec/IPS Packet Flow—Outbound
[Figure: outbound packet flow; stages shown: Forwarding; NAT; Stateless IPS; Fragment; Inspection (Stateful IPS & Firewall); Outbound ACL; IPsec? (Y: outbound crypto map ACL, IPsec encryption; N: skip); Layer 2 encapsulation]
Troubleshooting IPS
The Problem Solving Process
Assess
What's going on
Prioritize
Ask the right questions to better define and clarify the problem
Acquire
What information do we need but don't have?
How do we get that information?
Analyze
Understand the flow
What's supposed to happen vs. what actually happened
Act
Test assumptions
Deploy changes
Basic Configuration Example
ip ips config location flash:ips/ retries 1
ip ips notify SDEE
ip ips name iosips
!
ip ips signature-category
 category all
  retired true
 category ios_ips advanced
  retired false
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   |snip|
   F3020301 0001
  quit
!
interface GigabitEthernet0/1
 ip address 10.1.1.6 255.255.255.0
 ip ips iosips in
 ip virtual-reassembly
 duplex auto
 speed auto
"ip ips iosips in": enables the IOS IPS policy on the interface
"crypto key pubkey-chain rsa": the IOS IPS crypto key
ALWAYS remember to first select category "all" AND retire all signatures
Configure Event Notification Using SDEE
SDEE messages are transported over HTTP/HTTPS
You must enable HTTP/HTTPS in order to use SDEE
Recommendation: set the number of concurrent subscriptions to three when using IME
Router(config)#ip sdee subscriptions ?
  <1-3>  Number of concurrent SDEE subscriptions
IOS IPS log message format:
*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5114 Subsig:1 Sev:75 WWW IIS Unicode Attack [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:75
*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:100
SDEE = Security Device Event Exchange
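The %IPS-4-SIGNATURE message format shown above is regular enough to parse. The Python below is an added example, not part of the Cisco deck: it turns such syslog lines into records, summarises alerts per source and filters by RiskRating, the value that SEAP uses for event action filtering. The first two sample lines are the ones on the slide; the third (signature 2004:0, a low-risk ICMP echo alert from a second host) is constructed so that the risk filter has something to leave out.

```python
import re

# Two lines from the slide plus one constructed low-risk alert.
SAMPLE_IPS_LOG = """\
*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5114 Subsig:1 Sev:75 WWW IIS Unicode Attack [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:75
*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:100
*Mar 22 03:54:01.120: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.7:0 -> 192.168.1.249:0] RiskRating:40
"""

ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"RiskRating:(?P<rr>\d+)"
)


def parse_ips_alerts(text):
    """One dict per %IPS-4-SIGNATURE line; lines in any other format are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        a = m.groupdict()
        for key in ("sig", "subsig", "sev", "sport", "dport", "rr"):
            a[key] = int(a[key])
        # SigID:Subsig, the form 'show ip sdee alerts' prints in its SigID column
        a["id"] = f"{a['sig']}:{a['subsig']}"
        alerts.append(a)
    return alerts


def alerts_by_source(text):
    """Per source address: (number of alerts, highest RiskRating seen)."""
    summary = {}
    for a in parse_ips_alerts(text):
        count, peak = summary.get(a["src"], (0, 0))
        summary[a["src"]] = (count + 1, max(peak, a["rr"]))
    return summary


def high_risk_ids(text, threshold):
    """Signature IDs whose RiskRating reaches the threshold, in log order.
    The threshold plays the role of an ERR-based SEAP filter."""
    return [a["id"] for a in parse_ips_alerts(text) if a["rr"] >= threshold]


if __name__ == "__main__":
    for src, (n, peak) in alerts_by_source(SAMPLE_IPS_LOG).items():
        print(f"{src}: {n} alerts, peak RiskRating {peak}")
    print("RiskRating >= 90:", high_risk_ids(SAMPLE_IPS_LOG, 90))
```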
Common Troubleshooting Steps
1. Check the IOS IPS configuration, to confirm the policy is applied to the right interface in the right direction
show run
2. Check signature status, to confirm signatures are compiled
show ip ips config
show ip ips signatures count
3. Check the flows inspected by IOS IPS, to verify IOS IPS is inspecting traffic
show ip ips sessions detail
4. Check SDEE alerts / syslog messages, to verify attacks are being detected
show ip sdee alerts
show logging
5. Use the appropriate debug commands
IOS IPS Troubleshooting Commands
Step 1: Check IOS IPS configuration
Router#sh run
Building configuration...
-- output skipped --
!
ip ips config location flash:ips/ retries 1
ip ips notify SDEE
ip ips name iosips
!
ip ips signature-category
 category all
  retired true
 category ios_ips advanced
  retired false
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
-- output skipped --
   F3020301 0001
  quit
!
interface GigabitEthernet0/1
 ip address 10.1.1.6 255.255.255.0
 ip ips iosips in
 ip virtual-reassembly
"ip ips config location": configure the IPS signature storage location
"ip ips notify SDEE": enable IPS SDEE event notification
"ip ips signature-category": configure IOS IPS to use one of the pre-defined signature categories
"crypto key pubkey-chain rsa": configure the IOS IPS crypto key, which is used to verify the digital signature on the signature package
"ip ips iosips in": enable the IPS rule on the desired interface and specify the direction the rule is applied to
IOS IPS Troubleshooting Commands
Step 2: Check IOS IPS Configuration and Signatures Status
Router#sh ip ips all
IPS Signature File Configuration Status
  Configured Config Locations: flash:ips/
  Last signature default load time: 16:42:08 PST Mar 1 2008
  Last signature delta load time: 22:59:57 PST Mar 3 2008
  Last event action (SEAP) load time: -none-

  General SEAP Config:
  Global Deny Timeout: 3600 seconds
  Global Overrides Status: Enabled
  Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
  Event notification through syslog is enabled
  Event notification through SDEE is enabled

IPS Signature Status
  Total Active Signatures: 581
  Total Inactive Signatures: 1623

IPS Packet Scanning and Interface Status
  IPS Rule Configuration
    IPS name iosips
  IPS fail closed is disabled
  IPS deny-action ips-interface is false
  Fastpath ips is enabled
  Quick run mode is enabled
  Interface Configuration
    Interface GigabitEthernet0/1
      Inbound IPS rule is iosips
      Outgoing IPS rule is not set

IPS Category CLI Configuration:
  Category all:
    Retire: True
  Category ios_ips advanced:
    Retire: False
Determine the number of active signatures
Verify the IOS IPS policy is applied to the right interface in the right direction
Verify the signature category being used
IOS IPS Troubleshooting Commands
Step 2: Check Signatures Status
Router#show ip ips signatures count
Cisco SDF release version S318.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string: Total Signatures 8
    multi-string enabled signatures: 8
    multi-string retired signatures: 8
- output omitted -
Signature Micro-Engine: service-msrpc: Total Signatures 27
    service-msrpc enabled signatures: 27
    service-msrpc retired signatures: 19
    service-msrpc compiled signatures: 1
    service-msrpc inactive signatures - invalid params: 7

Total Signatures: 2204
Total Enabled Signatures: 873
Total Retired Signatures: 1617
Total Compiled Signatures: 580
Total Signatures with invalid parameters: 7
Total Obsoleted Signatures: 11
Check the signature release version
Check that there are signatures being compiled
IOS IPS Troubleshooting Commands
Step 3: Check Flows Inspected by IOS IPS
Router#show ip ips sessions detail
Established Sessions
 Session 47506A34 (10.1.1.252:3959)=>(192.168.1.249:21) tcp SIS_OPEN
  Created 00:02:49, Last heard 00:02:44
  Bytes sent (initiator:responder) [25:95]
  sig cand list ID 14272
  sig cand list ID 14273
Source address/port and destination address/port
Bytes sent and received
IOS IPS Troubleshooting Commands
Step 4: Check Alert Messages
Router#sh logging
Syslog logging: enabled (12 messages dropped, 7 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
-- output skipped --
Log Buffer (4096 bytes):
*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5114 Subsig:1 Sev:75 WWW IIS Unicode Attack [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:75
*Mar 22 03:53:13.827: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [10.1.1.252:4150 -> 192.168.1.249:80] RiskRating:100
Router#sh ip sdee alerts
Alert storage: 200 alerts using 75200 bytes of memory
SDEE Alerts
   SigID    Sig Name                   SrcIP:SrcPort     DstIP:DstPort
            or Summary Info
1: 5114:1   WWW IIS Unicode Attack     10.1.1.252:4150   192.168.1.249:80
2: 5081:0   WWW WinNT cmd.exe Access   10.1.1.252:4150   192.168.1.249:80
Verify that the router is seeing IOS IPS related event and alert messages.
Cisco IOS IPS Debugging Commands
Step 5: Use Debug Commands
Enable debugs on specified IOS IPS engines:
Router# debug ip ips timers
Router# debug ip ips [object-creation | object-deletion]
Router# debug ip ips function trace
Router# debug ip ips detail
L3/L4 debug commands:
Router# debug ip ips [ip | icmp | tcp | udp]
Application-level debug commands:
Router# debug ip ips [tftp | smtp | ftp-cmd | ftp-token]
Enable debug on specified SDEE attributes:
Router# debug ip sdee [alerts | details | messages | requests | subscriptions]
Not recommended in a production network
Common Issues and Resolutions
Common Issues
Misunderstanding of terms used for signature status
Memory allocation errors when compiling signatures
Total number of signatures that can be compiled
Signature failed to compile
Configuration steps
Cisco IOS IPS policy is applied at the wrong direction and/or interface
Signature does not fire with matching traffic
Misunderstanding of Terms Used for Signature Status
Retire vs. unretire
Enable vs. disable
Compiled vs. loaded
Cisco IOS IPS inherited these terms from the IPS 4200 series appliance
Due to memory constraints, most of the signatures on the router are retired by default
IOS IPS users need to pay attention to enable/disable as well as retire/unretire
Misunderstanding of Terms Used for Signature Status (Cont.)
Retire vs. Unretire
Select/de-select which signatures are used by IOS IPS to scan traffic
Retiring a signature means IOS IPS will NOT compile that signature into memory for scanning
Unretiring a signature instructs IOS IPS to compile the signature into memory and use it to scan traffic
You can use the IOS command-line interface (CLI) or CCP to retire or unretire individual signatures or a signature category
Misunderstanding of Terms Used for Signature Status (Cont.)
Enable vs. Disable
Enabling a signature means that when triggered by a matching packet (or packet flow), the signature takes the appropriate action associated with it
However, only unretired AND successfully compiled signatures will take the action when they are enabled. In other words, if a signature is retired, even though it is enabled, it will not be compiled (because it is retired) and it will not take the action associated with it
Disabling a signature means that when triggered by a matching packet (or packet flow), the signature DOES NOT take the appropriate action associated with it
In other words, when a signature is disabled, even though it is unretired and successfully compiled, it will not take the action associated with it
You can use IOS command-line interface (CLI) or CCP to enable or disable individual signatures or a signature category
Enable/disable is NOT used to select/de-select signatures to be used by IOS IPS
Misunderstanding of Terms Used for Signature Status (Cont.)
Compiled vs. Loaded
Loading refers to the process in which IOS IPS parses the signature files (XML files in the config location) and fills in the signature database
This happens when signatures are loaded via "copy <sig file> idconf" or when the router reboots with IOS IPS already configured
Compiling refers to the process in which the parameter values from unretired signatures are compiled into a regular expression table
This happens when signatures are unretired or when other parameters of signatures belonging to that regular expression table change
Once signatures are compiled, traffic is scanned against the compiled signatures
Memory Allocation Errors When Compiling Signatures
The number of signatures that can be compiled depends on the free memory available on the router
When the router does not have enough memory to compile signatures, memory allocation failure messages are logged
Already compiled signatures will still be used to scan traffic. No additional signatures will be compiled for that engine during that compile pass; IOS IPS proceeds with compiling signatures for the next engine
*Mar 18 07:09:36.887: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x400C1024, alignment 0
Pool: Processor  Free: 673268  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
-Process= "Exec", ipl= 0, pid= 3, -Traceback= 0x4164F41C 0x400AEF1C 0x400B4D58 0x400B52C4 0x400C102C 0x400C0820 0x400C23EC 0x400C0484 0x424C1DEC 0x424C2A4C 0x424C2FF0 0x424C31A0 0x430D6ECC 0x430D7864 0x430F0210 0x430FA0E8
*Mar 18 07:09:36.911: %SYS-2-CHUNKEXPANDFAIL: Could not expand chunk pool for regex. No memory available -Process= "Chunk Manager", ipl= 3, pid= 1, -Traceback= 0x4164F41C 0x400C06FC
*Mar 18 07:09:37.115: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 12024:0 - compilation of regular expression failed
*Mar 18 07:09:41.535: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5280:0 - compilation of regular expression failed
*Mar 18 07:09:44.955: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5284:0 - compilation of regular expression failed
*Mar 18 07:09:44.979: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 12023:0 - compiles discontinued for this engine
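The two checks in this section, "show ip ips signatures count" (Step 2) and the %IPS-4-SIGNATURE_COMPILE_FAILURE messages logged after a memory allocation failure, can be cross-checked mechanically. The Python below is an added example and not code from the Cisco deck. It parses the per-engine counter block of the show command, reports engines where the unretired signatures exceed compiled plus invalid-parameter ones (the unexplained gap that a discontinued compile leaves behind; obsoleted signatures, which the deck reports only in the totals, would also show up as a gap), and collects the compile failures per engine from syslog. The multi-string and service-msrpc engines are copied from the slide; the service-http engine counters and the three syslog lines are constructed to match the failure shown above.

```python
import re

# Constructed 'show ip ips signatures count' excerpt in the slide's layout.
# multi-string and service-msrpc are the slide's numbers; service-http is constructed
# as an engine whose unretired signatures did not all compile.
SAMPLE_COUNT = """\
Cisco SDF release version S318.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string: Total Signatures 8
    multi-string enabled signatures: 8
    multi-string retired signatures: 8

Signature Micro-Engine: service-http: Total Signatures 40
    service-http enabled signatures: 35
    service-http retired signatures: 20
    service-http compiled signatures: 15

Signature Micro-Engine: service-msrpc: Total Signatures 27
    service-msrpc enabled signatures: 27
    service-msrpc retired signatures: 19
    service-msrpc compiled signatures: 1
    service-msrpc inactive signatures - invalid params: 7

Total Signatures: 2204
Total Enabled Signatures: 873
Total Retired Signatures: 1617
Total Compiled Signatures: 580
"""

# Constructed syslog excerpt in the %IPS-4-SIGNATURE_COMPILE_FAILURE format.
SAMPLE_COMPILE_LOG = """\
*Mar 18 07:09:37.115: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 12024:0 - compilation of regular expression failed
*Mar 18 07:09:41.535: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5280:0 - compilation of regular expression failed
*Mar 18 07:09:44.979: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 12023:0 - compiles discontinued for this engine
"""

ENGINE_RE = re.compile(r"Signature Micro-Engine: (?P<eng>\S+): Total Signatures (?P<n>\d+)")
COUNT_RE = re.compile(r"^\s*(?P<eng>\S+) (?P<kind>enabled|retired|compiled) signatures: (?P<n>\d+)")
INVALID_RE = re.compile(r"^\s*(?P<eng>\S+) inactive signatures - invalid params: (?P<n>\d+)")
FAIL_RE = re.compile(r"%IPS-4-SIGNATURE_COMPILE_FAILURE: (?P<eng>\S+) (?P<sig>\d+:\d+) - (?P<reason>.+)$")


def parse_engine_counts(text):
    """{engine: {'total','enabled','retired','compiled','invalid'}}; a counter the
    router does not print for an engine (e.g. compiled for multi-string) is 0."""
    engines = {}
    for line in text.splitlines():
        m = ENGINE_RE.search(line)
        if m:
            engines[m["eng"]] = {"total": int(m["n"]), "enabled": 0, "retired": 0,
                                 "compiled": 0, "invalid": 0}
            continue
        m = COUNT_RE.match(line)
        if m and m["eng"] in engines:
            engines[m["eng"]][m["kind"]] = int(m["n"])
            continue
        m = INVALID_RE.match(line)
        if m and m["eng"] in engines:
            engines[m["eng"]]["invalid"] = int(m["n"])
    return engines


def uncompiled_unretired(engines):
    """Per engine: unretired signatures that neither compiled nor were rejected
    for invalid parameters. A non-zero gap is what a discontinued compile leaves:
    those signatures are not scanning traffic even though they are unretired."""
    gaps = {}
    for eng, c in engines.items():
        gap = (c["total"] - c["retired"]) - (c["compiled"] + c["invalid"])
        if gap > 0:
            gaps[eng] = gap
    return gaps


def compile_failures(syslog):
    """{engine: {'failed': [sig ids in log order], 'discontinued': bool}}."""
    result = {}
    for line in syslog.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        entry = result.setdefault(m["eng"], {"failed": [], "discontinued": False})
        if m["reason"].startswith("compiles discontinued"):
            entry["discontinued"] = True   # router gave up on the rest of this engine
        else:
            entry["failed"].append(m["sig"])
    return result


if __name__ == "__main__":
    engines = parse_engine_counts(SAMPLE_COUNT)
    print("unretired but not compiled:", uncompiled_unretired(engines))
    print("compile failures:", compile_failures(SAMPLE_COMPILE_LOG))
```

For the slide's own service-msrpc engine the identity holds (27 total, 19 retired, 1 compiled, 7 invalid), so it produces no gap; the constructed service-http engine shows the 5 signatures that a discontinued compile silently leaves out of scanning.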
Memory Allocation Errors When Compiling Signatures—Resolution
The pre-defined IOS IPS Basic and Advanced signature categories contain an optimal combination of signatures for all standard memory configurations, providing a good starting point
Never unretire the "all" category
For routers with 128MB of memory, start with the IOS IPS Basic category
For routers with 256MB of memory, start with the IOS IPS Advanced category
Then customize the signature set by unretiring/retiring a few signatures at a time according to your network needs
Pay attention to the free memory every time you unretire or retire signatures
Total Number of Signatures That Can Be Compiled
There is no magic number!
Many factors can have an impact:
Available free memory on the router
Type of signatures being unretired, e.g. signatures in the complex STRING.TCP engine
When router free memory drops below 10% of the total installed memory, stop unretiring signatures
Signature Failed to Compile
There are mainly three reasons that can cause a signature to fail to compile:
Memory constraint, running out of memory
Signatures not supported in IOS IPS: META signatures
The regular expression table for a particular engine exceeds 32MB entries
Check the list of signatures supported in IOS IPS at:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8062ac75.html
Retire signatures not supported by IOS IPS and signatures not applicable to your network to save memory
Configuration Steps
Follow the steps in the following order for initial Cisco IOS IPS configuration:
Step 1: Download IOS IPS signature package to PC
Step 2: Create IOS IPS configuration directory
Step 3: Configure IOS IPS crypto key
Step 4: Create IOS IPS policy and apply to interface(s)
Remember to FIRST retire the "all" category
Step 5: Load IOS IPS signature package
Next, verify the configuration and that signatures are compiled:
show ip ips configuration
show ip ips signatures count
Configuration Steps (Cont.)
Next you can start to tune the signature set with the following options:
Retire/unretire signatures (i.e. add/remove signatures to/from the compiled list)
Enable/disable signatures (i.e. enforce/disregard actions)
Change actions associated with signatures
Refer to Getting Started Guide at:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html
IOS IPS Policy Is Applied at the Wrong Direction/Interface—Incorrect Configuration
Protecting Against Attacks from Inside (Case A: Issue)
[Figure: Head Office (Application Servers, Head Office PCs, Web Clusters) - Cisco 28xx - IPsec Tunnel - Cisco 18xx - Branch Office PCs/Laptops; Internet traffic via the Internet; FE0/0 is Inside, FE0/1 is Outside; worms originate on the inside]
interface FastEthernet0/0
 ip ips ips-policy out
Policy applied in the wrong direction
IOS IPS Policy Is Applied at the Wrong Direction/Interface—Resolution
Protecting Against Attacks from Inside (Case A: Solution)
[Figure: same topology; FE0/0 is Inside, FE0/1 is Outside; worms originate on the inside]
interface FastEthernet0/0
 ip ips ips-policy in
Policy applied in the right direction
IOS IPS Policy Is Applied at the Wrong Direction/Interface—Incorrect Configuration
Protecting Against Attacks from Outside (Case B: Issue)
[Figure: Head Office (Application Servers, Head Office PCs, Web Clusters) - Cisco 28xx - IPsec Tunnel - Cisco 18xx - Branch Office PCs/Laptops; Internet traffic via the Internet; attacks arrive from the Internet/DMZ side; FE0/0 is Inside, FE0/1 is Outside]
interface FastEthernet0/1
 ip ips ips-policy out
Policy applied in the wrong direction
IOS IPS Policy Is Applied at the Wrong Direction/Interface—Resolution
Protecting Against Attacks from Outside (Case B: Solution)
[Figure: same topology; attacks arrive from the Internet/DMZ side; FE0/0 is Inside, FE0/1 is Outside]
interface FastEthernet0/1
 ip ips ips-policy in
Policy applied in the right direction
Signature Does Not Fire with Matching Traffic
Verify IOS IPS is applied in the right direction (inbound/outbound) and on the right interface
Is IOS IPS event notification enabled (syslog/SDEE)?
Do you see alarms/alerts showing the signature matching?
It is essential to see whether signatures are triggered by the traffic
Use "show ip ips signatures statistics | i <sig id>" to see signature hits
Run debugs:
debug ip ips <engine name>
debug ip ips detailed
debug ip ips function-trace (if the above two do not show anything)
IPS Summary
Cisco IOS IPS Enhancements
ENHANCEMENT | BENEFIT
1. Lightweight IPS engines for existing and new signatures, optimized for the HTTP, SMTP and FTP protocols | Memory-efficient traffic scanning for attack signatures, consuming up to 40% less memory on the router
2. New default IOS IPS category, with signatures updated frequently by the Cisco Signature Team | More comprehensive and effective attack coverage by default; much quicker inclusion of the most relevant new threat signatures within the default set (category)
3. Chaining of traffic-scanning (regular expression) tables | Capability to load more signatures simultaneously and provide protection against a larger number of threats and vulnerabilities
4. Configurable threshold (upper limit) of memory dedicated to the IPS feature | Avoids large amounts of router memory being consumed by IPS signature tables; prevents the IPS feature from consuming all the free processor memory and causing performance and other operational problems
IPS Summary
Use the "Getting Started Guide" as a reference to check that IOS IPS is configured properly.
Always remember to RETIRE ALL signatures first:
ip ips signature-category
 category all
  retired true
The recommendation is to use the pre-defined IOS IPS Basic or Advanced signature category and tune the signature set based on your network applications
Cisco IOS IPS "show commands" and SDEE are the most essential components for troubleshooting
Documentation and Links
Documentation for Cisco IOS Security
Router Security
www.cisco.com/go/routersecurity
Cisco IOS Security Command Reference
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7f84.html#wp1187286
Cisco IOS Firewall
www.cisco.com/go/iosfw
Cisco Zone-based Firewall Design and Application Guide
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
Cisco IOS IPS
http://www.cisco.com/go/iosips
Cisco Configuration Professional (CCP)
http://www.cisco.com/go/ccp
Q&A
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Preferred Access points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Appendix : Classic IOS Firewall
Simple Classic IOS Firewall Configuration
1. Define the security policy
Deny any connections initiated from outside
Allow only SMTP, FTP, and HTTP connections from inside
2. Convert the security policy into IOS configuration
[Figure: Inside - e0 - router - s0 - Internet (Outside)]
! ACL to deny inbound connections
access-list 101 deny ip any any
interface serial0
 ip access-group 101 in
!
! ACL to allow only SMTP, FTP, and HTTP from inside to outside
! (extended ACL entries need the protocol; IOS names port 80 "www")
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq www
!
! Inspection for the necessary protocols
ip inspect name foo smtp
ip inspect name foo http
ip inspect name foo ftp
!
! Inspection rule and ACL both applied inbound on the ethernet0 interface
interface ethernet0
 ip inspect foo in
 ip access-group 102 in
CBAC
Show Commands—Classic IOS Firewall
Router# show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:20000] connections
max-incomplete sessions thresholds are [400:20000]
max-incomplete tcp connections per host is 100000. Block-time 0 minute
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Outgoing inspection rule is TESTING_REALWORD
smtp max-data 20000 alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
Inbound access list is 101
Outgoing access list is not set
Established Sessions
Session 49AA929C (106.0.0.6:14320)=>(100.0.0.6:53) udp SIS_OPEN
Half-open Sessions
Session 467479EC (106.0.0.6:20150)=>(100.0.0.3:25) smtp SIS_OPENING
To display the firewall policy and sessions
CBAC
Show Commands—Classic IOS Firewall
Router# show ip inspect statistics
Packet inspection statistics [process switch:fast switch]
tcp packets: [616668:0]
http packets: [178912:0]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 42940
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [98:68:50]
Last session created 5d21h
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
To display the firewall statistics
CBAC
Show Commands—Classic IOS Firewall
Displays session-related information and connection states
Router# show ip inspect session
Established Sessions
 Session 25A3318 (10.0.0.1:20)=>(10.1.0.1:46068) ftp-data SIS_OPEN
 Session 25A6E1C (10.1.0.1:46065)=>(10.0.0.1:21) ftp SIS_OPEN
SIS_OPENING – SYN has been received but the three-way handshake is not complete
SIS_OPEN – the three-way handshake is complete
SIS_CLOSING – FIN has been received but the entire closing sequence has not been completed
SIS_CLOSE – FIN and FIN-ACK have been received from both sides
[Figure: TCP open (1 SYN, 2 SYN+ACK, 3 ACK) and close (1 FIN, 2 FIN+ACK, 3 ACK) between Client (Inside) and Server (Outside)]
CBAC
Common Issues and Resolutions
Performance degrades "when I turn on the IOS Firewall"
Cisco IOS Firewall dropping valid packets
Inspect applied in the wrong direction
Fragmentation and Cisco IOS Firewall
IPsec and Cisco IOS FW issues
HTTP connection resets
Multi-channel protocols not working (FTP, VoIP)
Inspect Applied in Wrong Direction
Symptom: No return traffic is making it through the router, possibly getting dropped by the ACL
[Figure: Private Network - e0 - Cisco IOS Firewall - s0 - Internet / Public Network; ACL 101 and Inspect both applied on s0]
access-list 101 deny ip any any
interface Serial0
 description outside
 ip access-group 101 in
!
ip inspect name IOSFW tcp
ip inspect name IOSFW udp
interface Serial0
 description outside
 ip inspect IOSFW in
Inbound inspection and the ACL are both applied on the outside interface, and return traffic gets dropped by ACL 101
Inspect Applied in Wrong Direction
Troubleshooting Steps:
Do a 'show ip inspect sessions' on the router to see whether anything was built into the session table; nothing is seen
Check the direction of the applied interface ACL vs. inspection; both are applied in the same inbound direction
Resolution: Apply inspection outbound on the Internet-facing interface (while the ACL stays applied inbound)
[Diagram: Private Network - e0 - Cisco IOS Firewall - s0 - Internet/Public Network; ACL 101 inbound on s0, Inspect outbound on s0]
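An added example (not from the Cisco deck) that turns the check above into a small config lint: it parses a classic IOS FW configuration snippet and flags any interface where an inbound ACL and an inbound 'ip inspect' are both applied, then rewrites the inspect rule to outbound as the resolution describes. The sample config reproduces the slide; the parsing assumes the usual one-space indentation of interface sub-commands in a running config.

```python
import re

# Constructed sample reproducing the misconfiguration shown on the slide.
BROKEN_CONFIG = """\
access-list 101 deny ip any any
ip inspect name IOSFW tcp
ip inspect name IOSFW udp
interface Serial0
 description outside
 ip access-group 101 in
 ip inspect IOSFW in
"""

def parse_interfaces(config):
    """Return {interface name: [its indented sub-commands, stripped]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, [])
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # any other top-level line ends the interface block
    return interfaces

def find_wrong_direction(config):
    """Flag interfaces with both an inbound ACL and an inbound inspect rule:
    the ACL drops the return traffic before inspection ever opened a hole for it."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        acls = [l.split()[2] for l in lines if re.match(r"ip access-group \S+ in$", l)]
        rules = [l.split()[2] for l in lines if re.match(r"ip inspect \S+ in$", l)]
        if acls and rules:
            findings.append((name, acls[0], rules[0]))
    return findings

def fix_direction(config):
    """Rewrite 'ip inspect X in' as 'ip inspect X out' on flagged interfaces only,
    leaving the inbound ACL in place (the slide's resolution)."""
    flagged = {name for name, _, _ in find_wrong_direction(config)}
    out, current = [], None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        current = m.group(1) if m else (current if line.startswith(" ") else None)
        if current in flagged:
            line = re.sub(r"^(\s*ip inspect \S+) in$", r"\1 out", line)
        out.append(line)
    return "\n".join(out) + "\n"
```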
Fragmentation and Cisco IOS Firewall
Before IOS release 12.3(8)T
Applying fragmentation control in situations where legitimate fragments are likely to arrive out of order may impact application performance, as those fragments are discarded
Router(config)# ip inspect name inspection-name fragment
As of release 12.3(8)T
IOS FW now takes advantage of "virtual fragmentation reassembly". VFR provides a mechanism to buffer incoming IP fragments for re-ordering and "virtual" reassembly. This enables IOS FW to manage sessions that include fragmented packets. It should be enabled on both the public and private interfaces
Router(config-if)# ip virtual-reassembly
Performance Degrades (Cont.)
[Diagram: Public Network - s0 - Cisco IOS Firewall - e0]
Troubleshooting Steps:
Step 2a: Check firewall statistics
Router# show ip inspect statistics
< Removed >
Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [4214:16853:566]
Maxever session counts (estab/half-open/terminating) [4214:16853:566]
Step 2b: Check the DoS settings
ip inspect max-incomplete high value (default 500)
ip inspect max-incomplete low value (default 400)
ip inspect one-minute high value (default 500)
ip inspect one-minute low value (default 400)
ip inspect tcp max-incomplete host value (default 50) [block-time minutes]
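An added example (not from the Cisco deck) that ties Step 2a to Step 2b: it parses the session counters out of 'show ip inspect statistics' and compares the half-open count with the max-incomplete thresholds, using the defaults listed above unless the running config overrides them. The statistics sample and the config lines are constructed to match the slide.

```python
import re

DEFAULTS = {"high": 500, "low": 400}   # max-incomplete defaults listed on the slide

# Constructed: the counters from the slide, one per line as IOS prints them.
SAMPLE_STATS = """\
Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [4214:16853:566]
Maxever session counts (estab/half-open/terminating) [4214:16853:566]
"""

def max_incomplete_thresholds(config):
    """Read 'ip inspect max-incomplete high|low N' from a config; fall back to defaults."""
    thresholds = dict(DEFAULTS)
    for level, value in re.findall(r"^ip inspect max-incomplete (high|low) (\d+)", config, re.M):
        thresholds[level] = int(value)
    return thresholds

def session_counts(stats):
    """Return {'current': (estab, half_open, terminating), 'maxever': (...)}."""
    pat = (r"(Current|Maxever) session counts \(estab/half-open/terminating\)"
           r"\s*\[(\d+):(\d+):(\d+)\]")
    return {kind.lower(): (int(e), int(h), int(t))
            for kind, e, h, t in re.findall(pat, stats)}

def assess(stats, config=""):
    """Classify the current half-open count against the max-incomplete window.
    Once the count exceeds 'high', CBAC deletes half-open sessions to make room for
    new ones until it drops back below 'low'; that churn is the performance cost."""
    t = max_incomplete_thresholds(config)
    half_open = session_counts(stats)["current"][1]
    if half_open > t["high"]:
        status = "above-high"
    elif half_open > t["low"]:
        status = "between"
    else:
        status = "normal"
    return {"half_open": half_open, "high": t["high"], "low": t["low"], "status": status}
```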
Performance Degrades (Cont.)
Troubleshooting Steps:
Step 3: Verify the IOS Firewall policy to see if HTTP traffic is inspected
ip inspect name IOSFirewall http
ip inspect name IOSFirewall https
ip inspect name IOSFirewall pop3
ip inspect name IOSFirewall smtp
ip inspect name IOSFirewall dns
"Inspect http" adds the capability to inspect returned content for Java applets, hence a substantial performance hit
Solution: If the Java applet filter is NOT required, turn off HTTP inspection. Otherwise, create a java-list to bypass inspection for known trusted sites.
ip inspect name IOSFirewall http java-list 20
ip inspect name IOSFirewall smtp
ip inspect name IOSFirewall dns
access-list 20 permit 10.1.1.0 0.0.0.255
Performance Degrades (Cont.)
Troubleshooting Steps:
Step 4: Check whether the default UDP and DNS timeouts have been changed
If the DNS and UDP timeouts are set too high, the router ends up building too many unused UDP and DNS sessions
If the UDP and DNS timeouts are set too LOW, sessions may be reset prematurely, creating many more connections than needed
Solution:
Set the UDP timeout to 30 seconds (default) and the DNS timeout to 5 seconds (default) unless otherwise required.
Router(config)#ip inspect dns-timeout 5
Configuring DNS in the firewall policy resulted in performance degradation, bug ID CSCse35588. This was fixed in 12.4(11)T
Performance Degrades (Cont.)
Step 1: Be sure your network is not infected with viruses or worms that could lead to erroneously large embryonic connection values
Step 2: Set the max-incomplete high values to very high values initially and see if performance improves; then baseline the traffic in your network and set the values accordingly
ip inspect max-incomplete high 20000000
ip inspect one-minute high 100000000
ip inspect tcp max-incomplete host 100000 block-time 0
Prior to 12.4(11)T, the default DoS settings were set low
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper0900aec
From 12.4(11)T onwards, the DoS settings are maxed out by default
Solution: Tune the DoS protection parameters
Multi-Channel Protocol Not Working
Symptoms:
Example 1: Can FTP to a server but unable to list the directory (ls)
Example 2: Can place and receive calls, but unable to hear anything
Troubleshooting Steps:
Use "show ip inspect session" and check the state of the data connection
Analyze Syslog Message
Resolution:
Every multi-channel protocol needs to be inspected
Matching Traffic Is Detected but Not Dropped by Default
In version 4.x signature format releases (i.e. prior to 12.4(11)T), pre-built signature files (128/256MB.sdf) of version 5 or earlier have a default action of dropping packets for signatures with a Risk Rating of 95 or higher
This default action setting has caused issues with customers
To be consistent with the Cisco IPS appliance, starting from version 6 of the pre-built signature files (128/256MB.sdf), the default action for signatures in IOS IPS is set to "produce-alert"
12.4(11)T or later releases (version 5.x signature format) have the default action for signatures in IOS IPS set to "produce-alert"
FW Drops Out-of-Order Packet
After turning on IPS, web traffic response time slows down. On the router, syslog messages show out-of-order packets being dropped.
*Jan 6 19:08:45.507: %FW-6-DROP_PKT: Dropping tcp pkt 10.10.10.2:1090 => 199.200.9.1:443
*Jan 6 19:09:47.303: %FW-6-DROP_PKT: Dropping tcp pkt 10.10.10.2:1091 => 199.200.9.1:443
*Jan 6 19:13:38.223: %FW-6-DROP_PKT: Dropping tcp pkt 66.102.7.99:80 => 192.168.18.21:1100
*Jan 6 19:15:28.931: CBAC* sis 84062FEC L4 inspect result: SKIP packet 83A6F83C (199.200.9.1:443) (192.168.18.21:1118) bytes 174 ErrStr = Out-Of-Order Segment tcp
*Jan 6 19:15:28.931: CBAC* sis 84062FEC pak 83A6FF64 SIS_OPEN/ESTAB TCP ACK 842755785 SEQ 2748926608 LEN 0 (10.10.10.2:1118) => (199.200.9.1:443)
*Jan 6 19:15:28.931: CBAC* sis 84062FEC pak 83A6F83C SIS_OPEN/ESTAB TCP ACK 2748926608 SEQ 842755785 LEN 1317 (199.200.9.1:443) <= (192.168.18.21:1118)
*Jan 6 19:15:28.931: CBAC* sis 84062FEC L4 inspect result: SKIP packet 83A6F83C (199.200.9.1:443) (192.168.18.21:1118) bytes 1317 ErrStr = Retransmitted Segment tcp
*Jan 6 19:15:28.935: CBAC* sis 84062FEC pak 83A6F83C SIS_OPEN/ESTAB TCP PSH ACK 2748926608 SEQ 842758636 LEN 137 (199.200.9.1:443) <= (192.168.18.21:1118)
*Jan 6 19:15:28.935: CBAC* sis 84062FEC L4 inspect result: SKIP packet 83A6F83C (199.200.9.1:443) (192.168.18.21:1118) bytes 137 ErrStr = Out-Of-Order Segment tcp
debug ip inspect detail shows the Out-Of-Order packet
FW Drops Out-of-Order Packet Slows Down Network Traffic
FW Drops Out-of-Order Packet—Resolution
IPS requires packets to arrive in order to perform signature scanning and therefore drops out-of-order packets; this is one of the reasons for slow response and longer latency in network traffic
IOS IPS supports out-of-order packets starting from 12.4(9)T2 and later 12.4T releases
Not fixed in 12.4 mainline releases
The out-of-order fix also applies to the application firewall
The out-of-order fix DOES NOT work when the IOS IPS interface is included in a Zone-Based FW zone
The out-of-order fix works between IOS IPS and Classic IOS FW (ip inspect)
If using a release that does not have the fix, the workaround is to use an ACL to bypass IOS IPS inspection for the traffic flow in question
In the example, ACL 120 denies the traffic and removes it from IPS scanning; the network traffic between the two sites no longer experiences slow response
FW Drops Out-of-Order Packet Slows Down Network Traffic
router(config)#access-list 120 deny ip any host 199.200.9.1
router(config)#access-list 120 deny ip host 199.200.9.1 any
router(config)#access-list 120 permit ip any any
router(config)#ip ips name myips list 120
Cisco IOS Firewall Configuration Models
Two Configuration Models
Conceptual Difference Between Cisco IOS Classic and Zone-Based Firewalls http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.html
Zone-Based Policy Firewall is supported since 12.4(6)T
Classic IOS Firewall:
  Interface-based stateful inspection
  Firewall Policy = Inspection policy combined with ACL policy
  Policy correlation is difficult
Zone-Based Policy Firewall:
  Zone-based stateful inspection
  Firewall policies are configured on traffic moving between zones
  Policy correlation is simple, and therefore easier to troubleshoot
  More granular inspection policy
Zone Based Firewall – IPsec Configuration
crypto isakmp policy 1
authentication pre-share
crypto isakmp key p address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set e esp-des
!
crypto map blah 1 ipsec-isakmp
set peer 10.2.3.3
set transform-set e
match address 101
!
interface Ethernet1/0
ip address 10.2.1.1 255.255.255.0
crypto map blah
!
access-list 101 permit ip host 10.2.1.1 host 10.2.3.3
[Diagram: R1, R2 (http server), R3, R4; Zone Outside, Zone Inside, Zone DMZ]