The first time you configure the Cisco
IOS Firewall, it is helpful to start with a basic access-list
configuration that makes the operation of the firewall easy to
understand without compromising security. The basic configuration
allows all network traffic from the protected networks access to the
unprotected networks, while blocking all network traffic (with some
exceptions) from the unprotected networks to the protected networks.
Any firewall configuration depends on your site security policy.
If the basic configuration does not meet your initial site security
requirements, configure the firewall to meet your policy. If you are
unfamiliar with that policy or need help with the configuration,
contact your network administration group for assistance.
Use the following guidelines for configuring the initial firewall
access lists:
- Do not configure an access list for traffic from the protected
networks to the unprotected networks, meaning that all traffic
from the protected networks can flow through the interface.
This helps to simplify firewall management by reducing the
number of access lists applied at the interfaces. Of course this
assumes a high level of trust for the users on the protected
networks, and it assumes there are no malicious users on the
protected networks who might launch attacks from the
"inside." You can fine-tune network access for users on
the protected networks as you gain experience with access-list
configuration and the operation of the firewall.
- Configure an access list that includes entries permitting
certain ICMP traffic from unprotected networks.
Although an access list that denies all IP traffic not part of
a connection inspected by CBAC seems most secure, it is not
practical for normal operation of the router. The router expects
to see ICMP traffic from other routers in the network.
Additionally, ICMP traffic is not inspected by CBAC, meaning
specific entries are needed in the access list to permit return
traffic for ICMP commands. For example, a user on a protected
network uses the ping command to get the status of a host
on an unprotected network; without entries in the access list that
permit echo reply messages, the user on the protected
network gets no response to the ping command.
Include access-list entries to permit the ICMP messages (see
the main Figure).
- Add an access-list entry denying any network traffic from a
source address matching an address on the protected network.
This is known as antispoofing protection because it prevents
traffic from an unprotected network from assuming the identity of
a device on the protected network.
- Add an entry denying broadcast messages with a source address
of 255.255.255.255.
This entry helps to prevent broadcast attacks.
- By default, the last entry in an extended access list is an
implicit denial of all IP traffic not specifically allowed by
other entries in the access list.
Although this is the default setting, this final deny statement
is not shown by default in an access list. Optionally, you can add
an entry to the access list denying IP traffic with any source or
destination address with no undesired effects.
External Interface
Following are some tips for your access lists when you are
configuring CBAC on an external interface:
- If you have an outbound IP access list at the external
interface, the access list can be a standard or extended access
list. This outbound access list should permit traffic that you
want to be inspected by CBAC. If traffic is not permitted, it
will not be inspected by CBAC, but will simply be dropped.
- The inbound IP access list at the external interface must be
an extended access list. This inbound access list should deny
traffic that you want to be inspected by CBAC. (CBAC will create
temporary openings in this inbound access list as appropriate to
permit only return traffic that is part of a valid, existing
session.)
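The following configuration is an added example, not the figure from the Cisco guide. It puts the guidelines above (ICMP permits, antispoofing, broadcast deny, explicit final deny) into an extended access list and applies it inbound on an external interface together with a CBAC inspection rule; the protected network 192.168.1.0/24, the interface names Serial0 and Ethernet0, the rule name FWRULE and the ICMP types other than echo-reply are assumptions.

```text
! Added example (not from the Cisco guide). Assumed topology:
! protected network 192.168.1.0/24 behind Ethernet0 (internal),
! unprotected network reached through Serial0 (external).
!
! CBAC inspection rule for sessions leaving the protected network
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
!
! Inbound extended access list for the external interface.
! CBAC adds temporary openings to it for return traffic of inspected
! sessions; everything listed here is what is permitted statically.
!
! Antispoofing: deny packets arriving from outside that claim a
! protected-network source address
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
! Deny broadcast packets with source address 255.255.255.255
access-list 101 deny ip host 255.255.255.255 any
! ICMP is not inspected by CBAC, so permit the replies a protected
! host needs (echo-reply for ping; the other types are assumed, chosen
! so that traceroute and path-MTU discovery also work)
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 packet-too-big
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 traceroute
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 unreachable
! Explicit final deny (same effect as the implicit deny, but visible)
access-list 101 deny ip any any
!
interface Serial0
 description External (unprotected) interface
 ip access-group 101 in
 ip inspect FWRULE out
!
interface Ethernet0
 description Internal (protected) interface
 ! No access list: per the guidelines, all traffic from the protected
 ! network is allowed to flow out toward the unprotected networks.
!
! Internal-interface alternative (same access list): instead of the two
! lines under Serial0, apply "ip inspect FWRULE in" and
! "ip access-group 101 out" under Ethernet0.
```

Because the deny entries precede the ICMP permits, a packet from outside that spoofs a protected-network source is dropped even if it is an echo reply.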
Internal Interface
Following are some tips for your access lists when you are
configuring CBAC on an internal interface:
- If you have an inbound IP access list at the internal
interface or an outbound IP access list at the external interface(s),
these access lists can be either standard or extended access
lists. These access lists should permit traffic that you want to
be inspected by CBAC. If traffic is not permitted, it will not
be inspected by CBAC, but will simply be dropped.
- The outbound IP access list at the internal interface and the
inbound IP access list at the external interface must be
extended access lists. These outbound access lists should deny
traffic that you want to be inspected by CBAC. (CBAC will create
temporary openings in these outbound access lists as appropriate
to permit only return traffic that is part of a valid, existing
session.) You do not necessarily need to configure an extended
access list at both the outbound internal interface and the
inbound external interface, but at least one is necessary to
restrict traffic flowing through the firewall into the internal
protected network.
- For complete information about how to configure IP access
lists, refer to the "Configuring IP Services" chapter
of the Cisco IOS Release 12.0 Network Protocols
Configuration Guide, Part 1.