BRKSEC-2007 Deploying IOS Security

Uploaded by

referenceref31
Deploying IOS Security

BRKSEC-2007
Agenda
• Borderless Networks Overview
• Drivers for Integrated Security
• Integrated Threat Control
• Design Considerations
• Deployment Models
• Real World Use Cases
• Case Study
• Summary
Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
The Transformation: The World Is Our New Workspace

Any Resource, Any Location, Any Device, Anyone, Anywhere: the Borderless Network is a next-generation architecture to deliver the new workspace experience.
Threats and Challenges
Threats at the Branch Office and HQ

Figure: branch offices connected over the Internet to the head quarter, with the following threats marked:
• Attack on the infrastructure
• Attack on the HQ router/DMZ
• Attacks on branch servers
• Malicious client activities (web surfing)
• Voice attacks
• Wireless attacks
Requirement of Integrated Security Solution
IOS Security: Securing the Branch Office and HQ

• Secure Internet access to the branch, without the need for additional devices
• Control worms and viruses right at the remote site, conserve WAN bandwidth
• Protect the router itself from hacking and DoS attacks
• Regulate surfing

Figure: the threats of the previous slide mapped onto IOS Security features. At the branch: Network Foundation Protection (attack on the infrastructure), Application Firewall and IPS (attacks on branch servers), Flexible Packet Matching, Content Filtering (malicious client activities), Voice Security (voice attacks) and Wireless Security (wireless attacks). At the head quarter: Campus Edge, DC Edge and DMZ.
All-in-One Security for the WAN
Only Cisco® Security Routers Deliver All of This

Secure Network Solutions: Business Continuity, Compliance, Secure Voice, Secure Mobility

Integrated Threat Control: Advanced Firewall, Content Filtering, Intrusion Prevention, Flexible Packet Matching, TrustSec 802.1x/Identity, Network Foundation Protection

Secure Connectivity: GET VPN, DMVPN, Easy VPN, AnyConnect

Management and Instrumentation: Cisco Configuration Professional, NetFlow, IP SLA, Role-Based Access
Integrated Threat Control
• Network Foundation Protection (NFP)
• Zone based Firewall
• Application Intelligence Control
• Intrusion Prevention System
• Content Filtering Solution
• Flexible Packet Matching (FPM)
Network Foundation Protection (NFP)

A router can be logically divided into three functional planes:
1. Data plane (ability to forward): The vast majority of packets handled by a router travel through the router by way of the data plane.
2. Management plane (ability to manage): Traffic from management protocols and other interactive access protocols, such as Telnet, Secure Shell (SSH) protocol, and SNMP, passes through the management plane.
3. Control plane (ability to route): Routing control protocols, keepalives, ICMP with IP options, and packets destined to the local IP addresses of the router pass through the control plane.

Think "Divide and Conquer": a methodical approach to protect the three planes.
Cisco IOS AutoSecure
One Touch Automated Router Lockdown

Disables Non-Essential Services
• Eliminates DoS attacks based on fake requests
• Disables mechanisms that could be used to exploit security holes

Enforces Secure Access
• Enforces enhanced security in accessing the device
• Enhanced security logs
• Prevents attackers from knowing packets have been dropped

Secures Forwarding Plane
• Protects against SYN attacks
• Anti-Spoofing
• Enforces stateful firewall configuration on external interfaces, where available

http://www.cisco.com/go/autosecure
Cisco IOS Firewall
Overview

• Stateful firewall: Full Layer 3 through 7 deep packet inspection
• Flexible embedded application layer gateway (ALG): Dynamic protocol and application engines for seamless granular control
• Application inspection and control (AIC): Visibility into both control and data channels to help ensure protocol and application conformance
• Virtual firewall: Separation between virtual contexts, addressing overlapping IP addresses
• Transparent (Layer 2) firewall: Deploy in existing network without changing the statically defined IP addresses
• Intuitive GUI management: Easy policy setup and refinement with CCP and CSM
• Resiliency: High availability for users and applications with stateful firewall failover
• Interfaces: Most WAN and LAN interfaces

Selected List of Recognized Protocols
• HTTP, HTTPS, and JAVA
• E-mail: POP, SMTP, ESMTP, IMAP
• P2P and IM (AIM, MSN, and Yahoo!)
• FTP, TFTP, and Telnet
• Voice: H.323, SIP, and SCCP
• Database: Oracle, SQL, and MYSQL
• Citrix: ICA and CitrixImaClient
• Multimedia: Apple and RealAudio
• IPSec VPN: GDOI and ISAKMP
• Microsoft: MSSQL and NetBIOS
• Tunneling: L2TP and PPTP
Zone based Policy Firewall (ZBPF) Use Cases

Branch Firewall:
• Split Tunnel: Branch/Remote Office/Store/Clinic
• Virtual Firewall: virtual contexts (VRFs) within a branch
• Direct Internet Connection: Small Office, Managed Service
• Internal Firewall: International or untrusted locations or segments, often for PCI compliance requirements
  - Transparent or routed environments
  - Wireless to wired segments
  - Protect key resources (e.g. servers)
  - International financial branches

HQ Firewall:
• Campus Internet Edge
• DC Internet Edge
• DMZ
Zone-Based Firewall
(aka Zone-Based Policy Firewall)

• Allows grouping of physical and virtual interfaces into zones
• Firewall policies are applied to traffic traversing zones
• Simple to add or remove interfaces and integrate into firewall policy

Supported Features
• Stateful Inspection
• Application Inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP
• Content filtering
• Per-policy parameter
• Transparent firewall
• VRF-aware firewall (Virtual Firewall)
• User-Based ZBF

Figure: three zones, Trusted (Private), DMZ and Untrusted (Public, Internet), with the zone-pair policies Private-DMZ, DMZ-Private, Public-DMZ and Private-Public.
Cisco IOS Zone-Based Policy Firewall
Configuration (Command Line Interface (CLI))

! Define services inspected by the policy
class-map type inspect match-any services
 match protocol tcp
!
! Configure the firewall action for the traffic
policy-map type inspect firewall-policy
 class type inspect services
  inspect
!
! Define zones
zone security private
zone security public
!
! Establish the zone pair and apply the policy
zone-pair security private-public source private destination public
 service-policy type inspect firewall-policy
!
! Assign interfaces to zones
interface fastethernet 0/0
 zone-member security private
!
interface fastethernet 0/1
 zone-member security public
Cisco IOS Zone-Based Firewall: Rule Table (CCP)

Figure: screenshot of the zone-based firewall rule table in Cisco Configuration Professional.
User-Group Firewall

• Users grouped based on Identity and IP addresses
• Policies applied on the whole group
• Easy to segregate business specific functions
• Inspect class-maps support UG-ZBF
• Authentication Protocols supported: TACACS+, RADIUS
• Classification provided based on
  - Device type (Computer, IP Phones etc.)
  - Location (Building / Floor)
  - Role (Engineer, Manager, Accountant)
Principles and Operation

Figure: a router running Firewall / Authproxy / NAC sits between the Internet cloud, a server farm with an authentication server, and the user segments (Engineering, HR & Accounts, Vendor / guest network, IP phone network).

• Router intercepts auth-traffic
• Updates its tag database
• User-group policies applied
• Traffic allowed/denied based on config
Implementation details

• Uses existing Authentication/Authorization methods
  - Authentication Proxy
  - Network Admission Control (Reference-Section only)
• Receives AAA attribute to associate IP-Address with group-membership
• Zone-Based Firewall uses additional match <user-group> criterion
Transparent Firewall
• Introduces "stealth firewall" capability
  - No IP address associated with firewall (nothing to attack)
  - No need to renumber or break up IP subnets
  - IOS Router is bridging between the two "halves" of the network

Use Case: Firewall Between Wireless and Wired LANs
• Both "wired" and wireless segments are in the same subnet 192.168.1.0/24
• VLAN 1 is the "private" protected network.
• Wireless is not allowed to access the wired LAN

Figure: hosts 192.168.1.3 and 192.168.1.4, the transparent firewall (192.168.1.2) bridging VLAN 1 and the wireless segment, and Fa 0/0 towards the Internet.
Transparent Firewall Configuration
(Command Line Interface (CLI))

! Classification
class-map type inspect match-any protocols
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
!
! Security policy
policy-map type inspect firewall-policy
 class type inspect protocols
  inspect
!
! Security zones
zone security wired
zone security wireless
!
! Security zone policy
zone-pair security zone-policy source wired destination wireless
 service-policy type inspect firewall-policy
!
! Layer 2 configuration: bridge configuration
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface VLAN 1
 description private interface
 bridge-group 1
 zone-member security wired
!
interface VLAN2
 description public interface
 bridge-group 1
 zone-member security wireless
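The zone-pair rules that both configurations above rely on (the private/public pair of the ZBPF CLI slide and the wired-to-wireless transparent firewall) can be checked against a small model. The following Python is an added example, not Cisco code: it encodes the documented ZBPF defaults (same-zone traffic forwarded, zone member to non-member dropped, no zone-pair means drop except for the implicit self zone, pass is stateless while inspect admits return traffic); the interface names, port numbers and the host/router address assignment are assumptions.

```python
from dataclasses import dataclass, field

SELF_ZONE = "self"   # implicit zone for traffic sourced by or destined to the router itself


@dataclass(frozen=True)
class Packet:
    in_if: str      # ingress interface, or SELF_ZONE if the router generated it
    out_if: str     # egress interface, or SELF_ZONE if the router is the destination
    proto: str      # protocol as the inspect class-map sees it, e.g. "https", "tcp", "dns"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class ZonePair:
    protocols: frozenset   # the "match protocol" lines of the class-map type inspect match-any
    action: str            # "inspect", "pass" or "drop"


@dataclass
class ZoneFirewall:
    members: dict                                # interface -> zone (zone-member security)
    pairs: dict                                  # (source zone, destination zone) -> ZonePair
    sessions: set = field(default_factory=set)   # flows admitted by an inspect action

    def _zone(self, intf):
        return SELF_ZONE if intf == SELF_ZONE else self.members.get(intf)

    @staticmethod
    def _flow(pkt, reverse=False):
        if reverse:
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def decide(self, pkt):
        src, dst = self._zone(pkt.in_if), self._zone(pkt.out_if)
        # 1. Both interfaces in the same zone: forwarded without a policy.
        if src == dst:
            return "permit"
        # 2. One interface in a zone, the other in none: dropped.
        if src is None or dst is None:
            return "drop"
        # 3. Return traffic of a session created by inspect is admitted.
        if self._flow(pkt, reverse=True) in self.sessions:
            return "permit"
        pair = self.pairs.get((src, dst))
        # 4. No zone-pair: drop, except that the self zone stays open until a
        #    zone-pair involving it is configured (management traffic still works).
        if pair is None:
            return "permit" if SELF_ZONE in (src, dst) else "drop"
        # 5. Traffic outside the class-map falls into class-default, which drops.
        if pkt.proto not in pair.protocols:
            return "drop"
        if pair.action == "inspect":
            self.sessions.add(self._flow(pkt))   # pass creates no session entry
            return "permit"
        return "permit" if pair.action == "pass" else "drop"


def transparent_firewall():
    """The slide's wired/wireless transparent firewall: VLAN 1 in zone wired, VLAN 2 in
    zone wireless, and a single zone-pair inspecting only wired -> wireless traffic."""
    protocols = frozenset({"dns", "https", "icmp", "imap", "pop3", "tcp", "udp"})
    return ZoneFirewall(members={"Vlan1": "wired", "Vlan2": "wireless"},
                        pairs={("wired", "wireless"): ZonePair(protocols, "inspect")})


def demo():
    """Addresses from the slide; treating .4 as wired, .3 as wireless and .2 as the router is an assumption."""
    fw = transparent_firewall()
    wired_to_wireless = Packet("Vlan1", "Vlan2", "https", "192.168.1.4", "192.168.1.3", 51000, 443)
    reply = Packet("Vlan2", "Vlan1", "https", "192.168.1.3", "192.168.1.4", 443, 51000)
    wireless_initiated = Packet("Vlan2", "Vlan1", "https", "192.168.1.3", "192.168.1.4", 40000, 443)
    ssh_to_router = Packet("Vlan2", SELF_ZONE, "ssh", "192.168.1.3", "192.168.1.2", 40001, 22)
    return [fw.decide(p) for p in (wired_to_wireless, reply, wireless_initiated, ssh_to_router)]
```

The last verdict is the one to watch in a real deployment: with no zone-pair touching the self zone, the wireless segment can still reach the router's own services.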
IOS Firewall for IPv6
Current Status of IPv6 Firewall

• Provides stateful protocol inspection (anomaly detection) of IPv6 fragmented packets, TCP, UDP, ICMPv6 and FTP traffic
• Cisco IOS Firewall for IPv6 can coexist with Cisco IOS Firewall for IPv4 networks and is supported on all dual-stack routers.
• Cisco IOS Firewall for IPv6 features are as follows:
  - Fragmented packet inspection
  - IPv6 DoS attack mitigation
  - Tunneled packet inspection
  - Stateful inspection of packets originating from the IPv4 network and terminating in an IPv6 environment
  - Interpretation or recognition of most IPv6 extension header information
  - Port-to-application mapping (PAM)
Cisco IOS Zone based Firewall, July - 15.1(2)T

• IPv6 Support
  - Extend IPv6 classification capability to include Zone Based FW.
  - Global Parameter Map and Default parameter-map support.
  - Unified MIB support for IPv6
  - Intra-zone traffic support for IPv6
  - Conditional debugging support for ZBFW IPv6
  - Log summarization support for ZBFW IPv6
  - IPv4 FTP engine is changed to dual stack and is capable of processing control stream packets in the CEF path itself.
• SCCP v17 Video Support
  - Support to handle and inspect SCCP (v17) Video messages

Projects and Priorities are subject to change
Cisco IOS Flexible Packet Matching (FPM)
Rapid Response to New and Emerging Attacks

• Network managers require tools to filter day-zero attacks, such as before IPS signatures are available
• Traditional ACLs take a shotgun approach: legitimate traffic could be blocked
  Example: Stopping Slammer with ACLs meant blocking port 1434, denying business transactions involving Microsoft SQL
• FPM delivers flexible, granular Layer 2–7 matching
  Example: port 1434 + packet length 404B + specific pattern within payload => Slammer

Figure: a bit pattern matched against the packet, combined with the AND / OR / NOT match-pattern operators.

Cisco.com/go/fpm
Cisco IOS Flexible Packet Matching
Configuration - Slammer Filter

class-map type stack ip-udp
 match field ip protocol eq 17 next udp
!
class-map type access-control slammer
 match field udp dport eq 1434
 match start ip version offset 224 size 4 eq 0x04011010
 match start network-start offset 224 size 4 eq 0x04011010
!
policy-map type access-control udp-policy
 class slammer
  drop
!
policy-map type access-control fpm-policy
 class ip-udp
  service-policy udp-policy

Class slammer defines the traffic pattern: UDP destination port 1434 and, starting from the IP header at offset 224 bytes, a 4-byte value equal to 0x04011010. The access-control typed policy-map udp-policy applies the drop action to that class, and fpm-policy hands all IP/UDP traffic (class ip-udp) to it.
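To see why the FPM class is narrower than the port-1434 ACL, the following Python is an added example, not Cisco code: it applies the ip-udp stack class and the slammer access-control class from the configuration above to constructed packets and compares the FPM verdict with a plain port-based ACL. The packet bytes are assembled here (not captured), and the one-byte "SQL browser query" and the 10.0.0.x addresses are assumed test values.

```python
import struct

IP_PROTO_UDP = 17
SLAMMER_PORT = 1434
SLAMMER_OFFSET = 224          # "offset 224", counted from the start of the IP header
SLAMMER_PATTERN = 0x04011010  # "size 4 eq 0x04011010"
SLAMMER_LENGTH = 404          # packet length quoted on the FPM slide


def ipv4_header_length(pkt: bytes) -> int:
    """Return the IPv4 header length in bytes, or 0 if this is not a plausible IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return 0
    ihl = (pkt[0] & 0x0F) * 4
    return ihl if 20 <= ihl <= len(pkt) else 0


def ip_udp_stack_matches(pkt: bytes) -> bool:
    """class-map type stack ip-udp: 'match field ip protocol eq 17 next udp'."""
    ihl = ipv4_header_length(pkt)
    return ihl > 0 and pkt[9] == IP_PROTO_UDP and len(pkt) >= ihl + 8


def udp_dport(pkt: bytes) -> int:
    """UDP destination port, read right after the IPv4 header (caller checked it is UDP)."""
    ihl = ipv4_header_length(pkt)
    return struct.unpack_from("!H", pkt, ihl + 2)[0]


def slammer_class_matches(pkt: bytes) -> bool:
    """class-map type access-control slammer: UDP dport 1434 AND the 4 bytes at
    offset 224 from the IP header equal to 0x04011010 (every match line must hold)."""
    if not ip_udp_stack_matches(pkt) or udp_dport(pkt) != SLAMMER_PORT:
        return False
    if len(pkt) < SLAMMER_OFFSET + 4:
        return False  # too short to contain the pattern: no match, not an error
    return struct.unpack_from("!I", pkt, SLAMMER_OFFSET)[0] == SLAMMER_PATTERN


def fpm_policy(pkt: bytes) -> str:
    """policy-map fpm-policy: class ip-udp hands UDP to udp-policy, whose class slammer drops."""
    return "drop" if slammer_class_matches(pkt) else "forward"


def port_acl_policy(pkt: bytes) -> str:
    """The 'shotgun' alternative from the slide: deny every UDP datagram to port 1434."""
    return "drop" if ip_udp_stack_matches(pkt) and udp_dport(pkt) == SLAMMER_PORT else "forward"


def build_udp_packet(dport: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2", sport=1434) -> bytes:
    """Assemble IPv4 + UDP headers around a payload (checksums left at zero; constructed test input)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IP_PROTO_UDP, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def constructed_marker_payload() -> bytes:
    """A zero-filled 376-byte payload carrying only the 4-byte marker the FPM class looks for,
    so the whole packet is 404 bytes; constructed here, not a worm capture."""
    payload = bytearray(SLAMMER_LENGTH - 28)
    pos = SLAMMER_OFFSET - 28            # header offset 224 -> payload offset 196
    payload[pos:pos + 4] = SLAMMER_PATTERN.to_bytes(4, "big")
    return bytes(payload)


def verdicts() -> dict:
    """Run both policies over three constructed packets: (fpm verdict, acl verdict)."""
    marker_packet = build_udp_packet(SLAMMER_PORT, constructed_marker_payload())
    sql_browser_query = build_udp_packet(SLAMMER_PORT, b"\x02")   # assumed benign one-byte query
    other_port = build_udp_packet(1433, constructed_marker_payload())
    return {
        "marker_packet": (fpm_policy(marker_packet), port_acl_policy(marker_packet)),
        "sql_browser_query": (fpm_policy(sql_browser_query), port_acl_policy(sql_browser_query)),
        "marker_on_other_port": (fpm_policy(other_port), port_acl_policy(other_port)),
    }
```

Only the packet that satisfies every match line is dropped by FPM, while the ACL also drops the short, legitimate query to port 1434.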
Cisco IOS Intrusion Prevention (IPS)
Distributed Defense Against Worms and Viruses

• Cisco IOS IPS stops attacks at the entry point, conserves WAN bandwidth, and protects the router and remote network from DoS attacks
• Integrated form factor makes it cost-effective and viable to deploy IPS in Small and Medium Business and Enterprise branch/telecommuter sites
• Supports 2000+ signatures sharing the same signature database available with Cisco IPS sensors
• Allows custom signature sets and actions to react quickly to new threats

Figure: branch offices, small office and telecommuter sites connected over the Internet to the corporate office. Callouts: protect router and local network from DoS attacks; stop attacks before they fill up the WAN; apply IPS on traffic from branches to kill worms from infected PCs.

http://www.cisco.com/go/iosips
Cisco IOS IPS Use Cases

1. Protect Branch PCs from Internet Worms: Use IPS and Firewall on a Cisco Router for Worm Protection
2. Move Worm Protection to the Network Edge: Apply IPS on Traffic From Branch to HQ to Stop Worms and Attacks From Infected Branch PCs
3. Protect Branch-Office Servers: Apply IPS and Firewall on Branch Router to Protect Local Servers at the Branch From Attacks; Avoid Need for a Separate Device to Protect Servers
4. Satisfy PCI Compliance Requirements
5. Transparent (layer 2) IPS
Cisco IOS Intrusion Prevention System (IPS)
Configuration (Command Line Interface (CLI))

Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:
 IOS-Sxxx-CLI.pkg
 realm-cisco.pub.key.txt

Configure the Cisco IOS IPS crypto key:
 mkdir ipstore (create directory on flash)
 Paste the crypto key from realm-cisco.pub.key.txt

Cisco IOS IPS configuration:
ip ips config location flash:ipstore retries 1
ip ips notify SDEE
ip ips name ips-policy
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface FastEthernet 0
 ip ips ips-policy in

Load the signatures from the TFTP server:
copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

show ip ips signature count
Total Compiled Signatures: 338 - Total active compiled signatures
Cisco IOS Transparent IPS
Use Case: IPS Between Wireless and Wired LANs

• Introduces "stealth IPS" capability
  - No IP address associated with IPS (nothing to attack)
  - IOS Router is bridging between the two "halves" of the network
• Both "wired" and wireless segments are in the same subnet 192.168.1.0/24
• VLAN 1 is the "private" protected network.

Figure: host 192.168.1.3, the transparent IPS (192.168.1.2) bridging VLAN 1 and the wireless segment, and Fa 0/0 towards the Internet.
Cisco IOS Intrusion Prevention System (IPS)
Configuration (Command Line Interface (CLI))

Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup:
 IOS-Sxxx-CLI.pkg
 realm-cisco.pub.key.txt

Configure the Cisco IOS IPS crypto key:
 mkdir ips5 (create directory on flash)
 Paste the crypto key from realm-cisco.pub.key.txt

Cisco IOS IPS configuration:
ip ips config location flash:ips5 retries 1
ip ips notify SDEE
ip ips name ips-policy
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface VLAN 1
 description private interface
 bridge-group 1
 ip ips ips-policy out
!
interface VLAN 2
 description private interface
 bridge-group 1
 ip ips ips-policy in

Load the signatures from the TFTP server:
copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

show ip ips signature count
Total Compiled Signatures: 338 - Total active compiled signatures
Cisco IOS® Content Filtering
A Web Security Solution That Protects Organizations from Known and New Internet Threats, While Improving Employee Productivity

• Ideal for Enterprise Branch and Small-Medium Businesses
• Block malicious sites and enforce corporate policies
• Offers category based security and productivity ratings
• Regulations such as HIPAA, FISMA, CIPA (Children’s Internet Protection Act) mandate reliable content filtering.
• Policy is enforced and maintained on the router locally

Figure: the router keeps a URL cache and queries the Trend Micro rating server over the Internet; categories include Porn, Violence, Gambling, Sports, ...
Cisco IOS Content Filtering
Subscription Service Architecture

Cisco IOS URL Filtering Policy: Deny Gaming, Deny Weapons, Permit Entertainment

1. HTTP request for www.poker.net
2. Request category information from Trend Micro: what category does poker.net belong to?
3. Match the category information from Trend Micro against the Cisco IOS URL Filtering Policy: deny www.poker.net, Gaming is denied in policy

Cache entry after the lookup: www.poker.net = Gaming
Management and Instrumentation
CCP, Role Based Access, NetFlow, IP SLA
Security Management

Cisco® Configuration Professional
• Quickest way to set up a device
• Wizards to configure firewall, IPS, VPN, QoS, and wireless
• Configures all device parameters
• Ships with device

Multi-Device Security Management
• New solution for configuring routers, appliances, switches
• New user-centered design
• New levels of scalability

Security Monitoring
• Solution for monitoring and mitigation
• Uses control capabilities within the infrastructure to eliminate attacks
• Visualizes attack paths
Cisco IOS IPS Configuration (CCP)

Figure: screenshot of the IPS configuration page in Cisco Configuration Professional.

Cisco IOS® Content Filtering Management: Cisco® Configuration Professional

Figure: screenshot of the content filtering configuration page in Cisco Configuration Professional.

Cisco Security Manager 3.3
Cisco IOS IPS Signature List View

Figure: screenshot of the IOS IPS signature list view in Cisco Security Manager 3.3.
Instrumentation
Your network management system is only as good as the data you can get from the devices in the network

• IP Service Level Agent (IP SLAs): Network performance data (latency & jitter)
• NetFlow and NBAR: Detailed statistics for all data flows in the network
• SNMP V3 and SNMP informs: Reliable traps using SNMP informs
• Syslog Manager and XML-formatted syslog: Total flexibility to parse and control syslog messages on the router itself
• Tcl Scripting and Kron (Cron) jobs: Flexible, programmatic control of the router
• Role-Based CLI Access: Provides partitioned, non-hierarchical access (e.g. Network and Security Operations)
• EEM: Solving Security Challenges using EEM
Design Considerations

Design Considerations
Cisco IOS Firewall

• Classic or Zone based Firewall
  - Zone based Firewall 12.4(4)T or Classic Firewall
  - All new features would be offered in the zone based policy firewall configuration model; no end-of-life plan for Classic Cisco IOS Firewall but there will be no new features
  - ASR1000 only supports IOS Zone-based Firewall with Network Security Event Logging
  - ASR1000 supports 4K zones and 2K zone pairs
• Manageability
  - Provisioning firewall policies: Cisco Security Manager, Cisco Configuration Professional, Config Engine and CLI
  - Monitoring firewall activity: Syslog, SNMP, screen-scrapes from "show" commands
  - Modifying security policies: CCP supports zone-based Firewall
• Interoperability
  - Cisco IOS Firewall interoperates with other features: NAT, VPN, Intrusion Prevention System (IPS), WCCP/WAAS, proxy, URL Filtering and QoS
• Memory Usage
  - A single TCP or UDP (layer 3/4) session takes 600 bytes of memory
  - Multi-channel protocol sessions use more than 600 bytes of memory
Design Consideration
Cisco IOS Zone based Firewall

Cisco IOS Firewall Went Through a Paradigm Shift: 12.4(4)T and Onward Supports Zone-Based IOS Firewall

Before Release 12.4(4)T & 12.4 Mainline (Classic IOS Firewall) | Release 12.4(4)T & Later (Cisco IOS and IOS XE)
---------------------------------------------------------------+---------------------------------------------------------------------------------
Interface based policies                                       | Zone based policies
No granular support                                            | Very granular Firewall policies
Support for Classic IOS Firewall                               | Support for Classic IOS Firewall continued; no new features on Classic IOS Firewall
No advanced AIC support                                        | Advanced protocol conformance support (P2P, IM, VoIP, etc.)
Supported in CSM and CCP                                       | Supported in CSM and CCP
MIB support                                                    | MIB: Roadmap
IPv6 support                                                   | IPv6: Roadmap
Active/Passive failover support                                | Active/Passive failover: Roadmap
Design Consideration
Cisco IOS Firewall

• Denial of Service (DoS) Protection Settings
  - Prior to 12.4(11)T the default DoS settings were set low
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper0900aecd804e5098.shtml
  - 12.4(11)T and IOS XE have DoS settings that are maxed out by default:

    Anti-DoS parameter       | Default value
    -------------------------+--------------
    Max-incomplete high      | Unlimited
    Max-incomplete low       | Unlimited
    One-minute high          | Unlimited
    One-minute low           | Unlimited
    Tcp max-incomplete host  | Unlimited

• Addressing
  - Firewall policies can be made much more efficient with a well thought-out IP address scheme
• Performance Consideration
  - Cisco IOS Firewall Performance Guidelines for ISRs (800-3800): http://www.cisco.com/en/US/partner/products/ps5855/products_white_paper0900aecd8061536b.shtml
  - ASR1000 TCP/ICMP/UDP Inspection Performance (Up to 20Gbps) with select ALGs (SIP UDP, active FTP, TFTP, DNS, H.323v2, SCCP, RTSP)
Zone-based Firewall (ZBPF) Performance

Platform | Bandwidth Throughput | Packets-per-sec (pps)
---------+----------------------+----------------------
3945     | 2.93 Gbps            | 272,331 pps
3925     | 2.40 Gbps            | 238,031 pps
2951     | 1.26 Gbps            | 150,360 pps
2921     | 749 Mbps             | 65,476 pps
1941     | 532 Mbps             | 47,618 pps

* 64K HTTP object size (95% CPU)
Zone-based Firewall – ASR1000
Real World Performance: HTTP

Figure: four charts. Max HTTP Throughput - ESP5 (Gbps, scale 0-5), Max HTTP Throughput - ESP10 (Gbps, scale 0-12) and Max HTTP Throughput - ESP20 (Gbps, scale 0-25), each plotted against HTTP object size (4k, 16k, 64k, 256k, 512k, Realworld); and Max UDP Forwarding Performance (Mpps, scale 0-14) for ESP5, ESP10 and ESP20.

• UDP packets with fixed IP packet size of 64 bytes
Design Consideration
Cisco IOS Firewall Voice Features

Protocol                                          | ISR G2s | ASR1000 | Comments
--------------------------------------------------+---------+---------+------------------------------------------------------
H.323 V1 & V2                                     | Yes     | Yes     | Tested using CME 4.0
H.323 V3 & V4                                     | Yes     | Yes     |
H.323 RAS                                         | Yes     | No      |
H.323 T.38 Fax                                    | No      | No      |
SIP UDP                                           | Yes     | Yes     | CCM 4.2 supported; RFC 2543, RFC 3261 not supported
SIP TCP                                           | Yes     | No      |
SCCP                                              | Yes     | Yes     | Tested with CCM 4.2/CME 4.0
Locally generated traffic inspection for SIP/SCCP | Yes     | No      |

ASR1000 ALG support: http://www.cisco.com/en/US/docs/routers/asr1000/technical_references/asr1000alg_support.pdf
Design Consideration
Cisco IOS IPS 4.x and 5.x
Cisco IOS IPS Went Through a Paradigm Shift: 12.4(11)T2 and Onward Supports IPS 5.x

                                             | Before Release 12.4(11)T2 & 12.4 Mainline              | Release 12.4(11)T2 & later
---------------------------------------------+--------------------------------------------------------+----------------------------------------------------------
IOS IPS Internal Version (show subsys name ips) | 2.xxx.xxx                                           | 3.000.000
Signature Format                             | 4.x                                                    | 5.x
Signature Download URL                       | http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup | http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup
Signature Distribution                       | Pre Tuned Signature Files, Basic/Advanced SDF Files    | Signature package IOS-Sxxx-CLI.pkg
Loading Signatures                           | From a single SDF file                                 | From a set of configuration files
Configuration of Signatures                  | Flat single SDF file approach                          | Hierarchical multi-level/multi-file approach

Signature Update for Cisco IOS IPS 4.X (12.4(9)T or Prior)
Design Considerations
Migrating to Cisco IOS IPS 5.x (12.4(11)T2)

• Option 1: Existing customer using non-customized pre-built signature files (SDFs)
  - No signature migration needed
  - Signatures in 128MB.sdf are in the IOS-Basic Category
  - Signatures in 256MB.sdf are in the IOS-Advanced Category
• Option 2: Existing customer using customized pre-built signature files (SDFs)
  - Signature migration (TCL) script available on Cisco.com to convert customized SDF to 5.x format
  - This migration script does not migrate user-defined (non-Cisco) signatures
• Migration Guide: http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd8057558a.shtml
Design Consideration
Cisco IOS IPS: 12.4(11)T2 and Later Release

Manageability
• Provisioning IPS policies: CLI, Cisco Security Manager, CCP and Config Engine
• Signature Tuning and Update:
  - The basic category is the Cisco recommended signature set for routers with 128 MB RAM and the advanced category is for 256MB RAM
  - Signature tuning with the Command Line Interface (CLI) is available after 12.4(11)T
  - Signature package updates align with Cisco sensors 42xx (Auto Update via CSM)
• Monitoring IPS activity: Reporting via CS-MARS (SDEE and Syslog support) and screen-scrapes from "show" commands
• Modifying Security policies: CCP/CSM supports IPS
Design Consideration
Cisco IOS Intrusion Prevention System (IPS)

• Performance Consideration
  - Performance of the router is not affected by adding more signatures
• Memory Usage
  - The signature compilation process is highly CPU-intensive while the signatures are being compiled. The number of signatures that can be loaded on a router is memory-dependent
• Fragmentation
  - Cisco IOS IPS uses VFR (Virtual Fragmentation Reassembly) to detect fragmentation attacks
Design Consideration
IOS IPS and IPS Appliances/Modules

                                                 | Cisco IOS IPS Release 12.4(9)T                            | Cisco IOS IPS Release 12.4(11)T      | Cisco IPS 42xx sensors, IDSM2, SSM-AIP, NM-CIDS modules
-------------------------------------------------+-----------------------------------------------------------+--------------------------------------+--------------------------------------------------------
Signature Format                                 | 4.x                                                       | 5.x/6.0                              | 5.x/6.0
Signature Updates & Tuning                       | using SDF                                                 | using IDCONF                         | using IDCONF
Signatures Supported                             | Subset of 1700+ signatures (depends on router model/DRAM) | 1900+ signatures selected by default |
Recommended (pre-built or default) Signature Set | IOS-Basic or IOS-Advanced SDF                             | Basic or Advanced Category           | All signatures alarm-only
Day-Zero Anomaly Detection                       | No                                                        | Available in 6.0 release             |
Transparent (L2) IPS                             | Yes                                                       | Yes                                  |
Rate Limiting                                    | No                                                        | Yes                                  |
IPv6 Detection                                   | No                                                        | Yes                                  |
Signature Event Action Proc.                     | No                                                        | Yes                                  | Yes
Meta Signatures                                  | No                                                        | Yes                                  |
Voice, Sweep & Flood Engines                     | No                                                        | Yes (H.225 for voice)                |
Event Notification                               | Syslog & SDEE                                             | SDEE                                 |
Real World Use Cases

Real World Branch Use Cases

1. Healthcare/Retail sites: Addressing the PCI requirement of separating card holder data into a separate zone (e.g. Point of Sale), with handheld devices accessing the zone
2. Protecting Branch Servers
3. Virtual Firewall and IPS at the Branch Office
4. Secure Mobility at Branch
5. Secure Unified Communication at Branch
Cisco IOS Firewall Deployment Scenario
Retail Outlet or HealthCare Clinic

Figure: a Store/Clinic Cisco® Integrated Services Router with three security zones, "PoS", "LAN" and "wireless", connected over the private WAN to the Head Office.

• PCI compliance requires firewalling of Point-of-Sale systems, wired and wireless network segments
• Cisco IOS Firewall creates separate security zones for Point-of-Sale (Server/Electronic Cash register), LAN and wireless LAN network segments
• Cisco has its retail design guide certified through a third party (CyberTrust)
1. Firewall Configuration Snippet at Branch

Classification:
 class-map type inspect match-any protocols
  match protocol dns
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol tcp
  match protocol udp
 (Order of match statements is important)

Security Policy:
 policy-map type inspect firewall-policy
  class type inspect protocols
   inspect

Security Zones:
 zone security pos
 zone security lan

Security Zone Policy:
 zone-pair security zone-policy source lan destination pos
  service-policy type inspect firewall-policy
 !
 interface VLAN 1
  description private interface
  zone-member security pos
 !
 interface fastethernet 0
  description public interface
  zone-member security lan
1. Firewall Configuration Snippet at HQ

Classification:
 class-map type inspect match-any fw-class
  match protocol udp
  match protocol tcp
 policy-map type inspect fw-policy
  class type inspect fw-class
   inspect log
  class class-default
 parameter-map type inspect global
  log dropped-packets
  log flow-export v9 udp destination 1.1.28.199 2055
  log flow-export template timeout-rate 30

Security Zones:
 zone security public
 zone security dmz

Security Zone Policy:
 zone-pair security zone-policy source public destination dmz
  service-policy type inspect fw-policy
 !
 interface G0/1/0
  description public interface
  zone-member security public
 !
 interface g0/1/1
  description dmz interface
  zone-member security dmz
1. Cisco IOS Zone-Based Firewall (CCP)
for ISRs

1. IPS Configuration Snippet

Download Cisco IOS IPS Files to your PC
 http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
 IOS-Sxxx-CLI.pkg
 realm-cisco.pub.key.txt

Configure Cisco IOS IPS Crypto Key
 mkdir ipstore (Create directory on flash)
 Paste the crypto key from realm-cisco.pub.key.txt

Cisco IOS IPS Configuration
 ip ips config location flash:ipstore retries 1
 ip ips notify SDEE
 ip ips name ips-policy
 ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false

Cisco IOS IPS Configuration (Con't)
 interface FastEthernet 0
  ip ips ips-policy in

Load the signatures from TFTP server
 copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
 Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
 show ip ips signature count
 Total Compiled Signatures:
 338 -Total active compiled signatures
Cisco IOS Firewall Deployment Scenario
Protecting the Branch Servers (Advanced Firewall)

 Cisco IOS® Firewall and IPS policies applied to the DMZ protect distributed application servers and Web servers hosted at remote sites

[Diagram: Branch Office Router with servers hosted separately in a DMZ (192.168.3.14-16/24), employees (192.168.1.x/24) and wireless guests (192.168.2.x/24), connected over the Internet through an IPsec tunnel to Head Quarter]
2. Firewall Configuration Snippet

Classification:
 class-map type inspect match-all web-dmz
  match protocol http
  match access-group 199
 !
 access-list 199 permit tcp any host 192.168.10.3

Security Policy:
 policy-map type inspect firewall-policy
  class type inspect web-dmz
   inspect

Security Zones:
 zone security private
 zone security public
 zone security dmz

Security Zone Policy:
 zone-pair security zone-policy source public destination dmz
  service-policy type inspect firewall-policy
 !
 interface VLAN 1
  description private interface
  zone-member security private
 !
 interface fastethernet 0
  description public interface
  zone-member security public
 !
 interface fastethernet 1
  description dmz interface
  zone-member security dmz
2. IPS Configuration Snippet

a. Download Cisco IOS IPS Files to your PC
 http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
 IOS-Sxxx-CLI.pkg
 realm-cisco.pub.key.txt

b. Configure Cisco IOS IPS Crypto Key
 mkdir ips5 (Create directory on flash)
 Paste the crypto key from realm-cisco.pub.key.txt

c. Cisco IOS IPS Configuration
 ip ips config location flash:ips5 retries 1
 ip ips notify SDEE
 ip ips name ips-policy
 ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false

d. Cisco IOS IPS Configuration (Con't)
 interface FastEthernet 1
  description DMZ interface
  ip ips ips-policy out

e. Load the signatures from TFTP server
 copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
 Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
 show ip ips signature count
 Total Compiled Signatures:
 338 -Total active compiled signatures
3. Virtual Firewall and IPS (Advanced Firewall)

 Cisco IOS Firewall, NAT, and URL-filtering policies are virtual route forwarding (VRF) aware, providing support for overlapping address space, which simplifies troubleshooting and operations

[Diagram: Store Router with VRF A (Photo Shop, 192.168.1.x/24), VRF B (Retail Store Cash Register, 192.168.2.x/24) and VRF C (Internet Services); separate IPsec tunnels over the Internet carry Photo Shop traffic to the Photo Shop Head Quarter and Retail Store traffic to the Retail Store Head Quarter (192.168.2.x/24), supporting overlapping address space]
3. Firewall Configuration Snippet

Classification:
 class-map type inspect match-any retail-hq
  match protocol ftp
  match protocol http
  match protocol smtp extended
 class-map type inspect hq-retail
  match protocol smtp extended
 class-map type inspect match-any photo-hq
  match protocol http
  match protocol rtsp
 class-map type inspect hq-photo
  match protocol h323

Security Policy:
 policy-map type inspect retail-hq
  class type inspect retail-hq
   inspect
  class class-default
   drop log
 policy-map type inspect hq-retail
  class type inspect hq-retail
   inspect
  class class-default
   drop log
 policy-map type inspect photo-hq
  class type inspect photo-hq
   inspect
  class class-default
   drop log
 policy-map type inspect hq-photo
  class type inspect hq-photo
   inspect
  class class-default
   drop log
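Snippets like these are easy to get subtly wrong by hand: on the HQ slide as originally printed, the zone-pair applies a service-policy named firewall-policy while the policy-map is named fw-policy, and a class-map written without match-any defaults to match-all, so several match protocol lines can never all match one flow. The following added Python example (not Cisco code and not from this deck) lints a pasted zone-based firewall configuration for exactly those slips; its SAMPLE input is constructed from the HQ snippet.

```python
import re
from collections import defaultdict
# Constructed sample: the HQ snippet as printed, whose zone-pair names 'firewall-policy' but whose policy-map is 'fw-policy'.
SAMPLE = """zone security public
zone security dmz
class-map type inspect match-any fw-class
 match protocol udp
 match protocol tcp
policy-map type inspect fw-policy
 class type inspect fw-class
  inspect log
zone-pair security zone-policy source public destination dmz
 service-policy type inspect firewall-policy
"""

def lint_zbf(config):
    """Return consistency problems in a zone-based firewall config: undefined policy-map or
    class-map references, undeclared zones, and match-all class-maps listing several protocols."""
    zones, pmaps, modes, protos = set(), set(), {}, defaultdict(int)
    pairs, members, refs, ctx = [], [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            ctx = None                         # any top-level command ends the current block
        if m := re.fullmatch(r"zone security (\S+)", line):
            zones.add(m[1])
        elif m := re.fullmatch(r"class-map type inspect (?:(match-any|match-all) )?(\S+)", line):
            modes[m[2]] = m[1] or "match-all"; ctx = ("cmap", m[2])  # match-all is the IOS default
        elif m := re.fullmatch(r"policy-map type inspect (\S+)", line):
            pmaps.add(m[1]); ctx = ("pmap", m[1])
        elif m := re.fullmatch(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pairs.append(m.groups()); ctx = ("zp", m[1])
        elif m := re.fullmatch(r"interface (.+)", line):
            ctx = ("if", m[1])
        elif ctx and ctx[0] == "cmap" and line.startswith("match protocol "):
            protos[ctx[1]] += 1
        elif ctx and ctx[0] == "pmap" and (m := re.fullmatch(r"class type inspect (\S+)", line)):
            refs.append(("class-map", m[1], modes, f"policy-map {ctx[1]}"))
        elif ctx and ctx[0] == "zp" and (m := re.fullmatch(r"service-policy type inspect (\S+)", line)):
            refs.append(("policy-map", m[1], pmaps, f"zone-pair {ctx[1]}"))
        elif ctx and ctx[0] == "if" and (m := re.fullmatch(r"zone-member security (\S+)", line)):
            members.append((m[1], ctx[1]))
    problems = [f"{where}: undefined {kind} '{name}'"
                for kind, name, defined, where in refs if name not in defined]
    problems += [f"zone-pair {p}: undeclared zone '{z}'"
                 for p, s, d in pairs for z in (s, d) if z != "self" and z not in zones]
    problems += [f"interface {i}: undeclared zone '{z}'" for z, i in members if z not in zones]
    problems += [f"class-map {n}: match-all with {protos[n]} protocols matches no flow"
                 for n, mode in modes.items() if mode == "match-all" and protos[n] > 1]
    return problems
```

Run it over the output of show run before pushing a change; an empty list means every reference resolves.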
Secure Mobility Solution - Wireless WAN
3G WAN Backup with leased line (Primary WAN)

[Diagram: Branch Office Cisco Integrated Services Router with POS, Local LAN and Internet User segments on SSID A/SSID B; primary IPSec tunnel over a Leased Line T1/E1 and a split-tunnel IPSec backup over the 3G Network and Internet to Head Quarter (Corporate, AAA)]

 Cellular network backup with primary leased line
 Use a combination of the cellular network and a different VPN service such as Cisco IOS Easy VPN or DMVPN (Dynamic Multipoint VPN) for securing the data
 In case of Split Tunneling, Cisco IOS Zone based Firewall, Intrusion Prevention and Content Filtering can be implemented with the VPN technology
Secure Mobility Solution - Wireless LAN
Branch Segmentation (using SSID)

[Diagram: Cisco Integrated Services Router (802.11n) with POS, Local LAN and Internet User Devices on SSID A/SSID B, Broadband Access to the Internet, and an LWAPP Tunnel to a Wireless LAN Controller with WCS and AAA]

 Cisco 880W Series support default Autonomous Mode, upgradeable to Unified mode (LWAPP)
   Cisco Unified Wireless Network architecture
 H-REAP mode support for Branch Office and Teleworker Solutions
   Local switching of wireless data traffic with centralized wireless management
 Cisco IOS Zone based firewall is used in scenarios with different SSIDs for different applications, for example the corporate SSID assigned to VLAN 1 and the internet SSID assigned to VLAN 2.
Secure Unified Communication
SMB/Commercial Deployment (PSTN)

[Diagram: Cisco Integrated Services Router running CCME with the Cisco Trusted IOS Firewall, Broadband Access to the Internet, an IPSec tunnel to Head Quarter (AAA), a Wireless Net. and PSTN connectivity, with Toll Fraud shown as the threat]

 Most of the SMB/Commercial Customers prefer Cisco Call Manager Express (CCME) with PSTN
 Split Tunneling is very common in such deployments; corporate phone calls go over encrypted tunnels
 Toll Fraud and Theft of Service: a network-authorized or unauthorized user makes unauthorized calls that incur company-paid charges
 Recommendation: Use ACLs to protect CCME (especially from VoIP traffic coming from the internet) and enable the Cisco Trusted IOS Firewall Solution to block unauthorized calls from inside
Secure Unified Communication
SMB/Commercial Deployment (SP-SIP Trunk)

[Diagram: Cisco Integrated Services Router running CCME with the Cisco Trusted IOS Firewall, Broadband Access to the Internet, an IPSec tunnel to Head Quarter (AAA), a Wireless Net. and an SP (SIP Trunk), with Toll Fraud shown as the threat]

 Most of the SMB/Commercial Customers prefer Cisco Call Manager Express (CCME) with SP (SIP Trunk)
 Split Tunneling is very common in such deployments; corporate phone calls go over encrypted tunnels
 Toll Fraud and Theft of Service: a network-authorized or unauthorized user makes unauthorized calls that incur company-paid charges
 Recommendation: Use ACLs to protect CCME (especially from VoIP traffic coming from the internet) and enable the Cisco Trusted IOS Firewall Solution at the SIP trunk and internal interfaces to prevent unauthorized calls
NetFlow Security Event Logging for Zone-based Firewalling (Advanced Firewall)

 On ASR1000 the Cisco Firewall can be configured to use NetFlow v9 to export the firewall audit-trail records from the data plane itself

[Diagram: Branch Office (192.168.1.x/24) connected over an IPsec tunnel across the Internet to the HQ ASR1000 DMVPN Hub (QFP), which exports NetFlow v9 records to a Cisco NetFlow Collector]

 NetFlow Security Event Logging is disabled by default
Network Security Event Logging Configuration

 parameter-map type inspect global
  log flow-export v9 udp destination 10.20.30.40 4444
  log flow-export template timeout-rate 30
  log dropped-packets
 parameter-map type inspect custom_para_map
  audit-trail on
  alert on
 policy-map type inspect fw-policy
  class type inspect fw-class1
   inspect custom_para_map

• Up to 40K events per second
• With IOS syslogging, the ESP sends messages to the RP and has the RP generate the corresponding Syslog message, so syslog is always rate-limited on the ASR 1000 platform to protect the control plane
• If using IOS Syslog for this type of message, it is rate-limited at one message every 30 seconds. If using HSL, it is rate-limited at one message every 1 ms to protect the firewall from malicious attack.
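On the collector side, what arrives is plain NetFlow v9: a 20-byte header, template flowsets that describe the record layout, and data flowsets that can only be decoded against a template already received from that exporter. The parser below is an added Python example, not Cisco code; it assumes a constructed packet whose template uses the standard RFC 3954 IPv4 5-tuple fields (ids 8, 12, 7, 11, 4), since the field set the ASR1000 firewall actually exports is not shown on these slides.

```python
import struct
import ipaddress
FIELD_NAMES = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port", 4: "proto"}  # RFC 3954 field types

def parse_v9(packet, templates):
    """Parse one NetFlow v9 export packet into (sequence, records).
    `templates` maps template id -> [(field_type, length)], is filled by
    template flowsets and must persist per exporter; data flowsets whose
    template has not been seen yet are skipped rather than guessed."""
    version, _count, _uptime, _secs, seq, _src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed flowset length")   # would otherwise loop forever or over-read
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                                    # template flowset
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:         # data flowset with a known template
            tmpl = templates[fs_id]
            rec_len = sum(flen for _, flen in tmpl)
            while pos + rec_len <= len(body):             # leftover bytes are padding
                rec, q = {}, pos
                for ftype, flen in tmpl:
                    raw = body[q:q + flen]
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = (
                        str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big"))
                    q += flen
                records.append(rec)
                pos += rec_len
        off += fs_len                                     # options templates (id 1) are skipped
    return seq, records

def build_sample():
    """Constructed export packet: template 256 (a 5-tuple) plus one data record."""
    tmpl = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
    tbody = struct.pack("!HH", 256, len(tmpl)) + b"".join(struct.pack("!HH", *f) for f in tmpl)
    rec = (ipaddress.IPv4Address("192.168.1.10").packed + ipaddress.IPv4Address("192.168.3.14").packed
           + struct.pack("!HHB", 51234, 80, 6))
    rec += b"\x00" * (-len(rec) % 4)                      # pad data flowset to a 4-byte boundary
    header = struct.pack("!HHIIII", 9, 2, 1000, 1280000000, 7, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tbody)) + tbody
            + struct.pack("!HH", 256, 4 + len(rec)) + rec)
```

Keep one templates dict per exporter across packets: with a template timeout-rate of 30 seconds as configured above, a collector that starts mid-stream sees only data flowsets until the next template refresh.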
Case Study

Router Security Case Study
Retail
 ISR 2800/3800s -- Deployed IOS Zone based Firewall at 500 stores
 Challenges
  The customer's systems at the branch office were recently compromised by a piece of malware that turned out to be a botnet specially crafted to steal certain types of data. They found out that this botnet was used to steal customers' credit card (CC) information.
  They felt that they had spent so much money protecting the data center that they did not pay enough attention to the branch, which might have been why the hackers targeted the branch networks.
 Key factors for selecting Cisco IOS Security
  PCI Compliance
  Integrated Security on ISRs
  They chose ZBFW because it supports WAAS -
Summary

Summary

• PROTECT THE ROUTER ITSELF – your first line of defense
• A SINGLE BREACH could gravely impact the business
• COMPLY with Government data and network privacy laws
• Consolidate voice/video/data and wired/wireless SECURELY
• Easy to MANAGE a single-box Router/VPN/Firewall/IPS/CF Soln.
• REDUCE COST of service and subscription: single contract
• All in One Security for the WAN

Only Cisco® Security Routers Deliver All of This
Q and A

Please Visit the Cisco Booth in the World of Solutions
See the technology in action
 Security
  SEC1 – Data Loss Prevention Solutions and Services
  SEC2 – Global Correlation Stops Threats
  SEC3 – Cisco Identity-Based Security Solutions
  SEC4 – Cisco Virtual Office Securing Remote Workers
Recommended Reading

 Continue your Cisco Live learning experience with further reading from Cisco Press
 Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation

 Give us your feedback and you could win fabulous prizes. Winners announced daily.
 Receive 20 Cisco Preferred Access points for each session evaluation you complete.
 Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.