Secured Branch Router Configuration Example
Contents
Introduction
Before You Begin
Configure
Verify
Troubleshoot
Related Information
Introduction
This document provides a sample configuration for securing a branch router by implementing the following features:
Context-Based Access Control (CBAC)—CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if the traffic is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.
Cisco IOS Intrusion Prevention System (IPS)—The Cisco IOS IPS feature restructures the existing Cisco IOS Intrusion Detection System (IDS), allowing customers to choose to load the default, built-in signatures or to load a Signature Definition File (SDF) called attack-drop.sdf onto the router. The attack-drop.sdf file contains 118 high-fidelity Intrusion Prevention System (IPS) signatures, providing customers with the latest available detection of security threats.
Cisco IOS Firewall Authentication Proxy—Authentication proxy provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Per-user authentication and authorization of connections provide more robust protection against network attacks.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
Firewall Websense URL Filtering—The Firewall Websense URL Filtering feature enables your Cisco IOS firewall (also known as Cisco Secure Integrated Software) to interact with the Websense URL filtering software, thereby allowing you to prevent users from accessing specified websites on the basis of some policy. The Cisco IOS firewall works with the Websense server to know whether a particular URL should be allowed or denied (blocked).
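The session tracking that CBAC performs, as an added Python model; it is not Cisco IOS code and is not part of the original document. The model parses the page's own "ip inspect name myfw" rules for their idle timeouts, then runs a constructed packet sequence between the branch PC (192.168.1.118) and the HTTP server (192.168.102.119) against a session table, showing that an inbound packet is permitted only while it matches the reversed 5-tuple of an unexpired session that an inspected outbound packet created. The packet format, the direction labels, the well-known port map and the outside host 192.168.102.200 are the example's own assumptions; the IOS idle-time defaults of 3600 s (TCP) and 30 s (UDP) are used where a rule carries no explicit timeout. The secondary data channels CBAC opens for FTP or TFTP are not modelled.

```python
"""Model of CBAC session tracking (added illustration, not Cisco IOS code).

Assumptions not taken from the page: a packet is a 5-tuple with a direction
("out" = inside to outside, "in" = outside to inside) and a timestamp; the
outside interface carries an inbound ACL that denies everything, so an
inbound packet passes only through an unexpired session entry created by an
inspected outbound packet. Only the primary 5-tuple is tracked."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Inspection rules copied from the page's running-config.
INSPECT_CONFIG = """\
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http urlfilter timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw vdolive
"""

# IOS CBAC idle-time defaults, applied when a rule carries no explicit timeout.
DEFAULT_IDLE = {"tcp": 3600, "udp": 30}
# Assumption: application rules are selected by the standard destination port.
WELL_KNOWN_PORTS = {("tcp", 21): "ftp", ("tcp", 25): "smtp", ("tcp", 80): "http", ("udp", 69): "tftp"}


def parse_inspect_rules(config: str, name: str) -> Dict[str, Optional[int]]:
    """Return {protocol: explicit timeout or None} for the named inspection set."""
    rules: Dict[str, Optional[int]] = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:4] != ["ip", "inspect", "name", name] or len(parts) < 5:
            continue
        rules[parts[4]] = int(parts[parts.index("timeout") + 1]) if "timeout" in parts else None
    return rules


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "out" or "in"
    t: float          # seconds since the start of the scenario


Key = Tuple[str, str, int, str, int]  # (proto, inside_ip, inside_port, outside_ip, outside_port)


class CbacFirewall:
    def __init__(self, rules: Dict[str, Optional[int]]):
        self.rules = rules
        self.sessions: Dict[Key, Tuple[str, float]] = {}  # key -> (rule name, expiry time)

    def _matching_rule(self, proto: str, dport: int) -> Optional[str]:
        """Application rule for the destination port, else the generic tcp/udp rule."""
        app = WELL_KNOWN_PORTS.get((proto, dport))
        if app in self.rules:
            return app
        return proto if proto in self.rules else None

    def _idle_timeout(self, rule: str, proto: str) -> int:
        explicit = self.rules[rule]
        return explicit if explicit is not None else DEFAULT_IDLE[proto]

    def process(self, pkt: Packet) -> str:
        # Drop idle sessions first, as the inspect idle timers would.
        self.sessions = {k: v for k, v in self.sessions.items() if v[1] >= pkt.t}
        if pkt.direction == "out":
            rule = self._matching_rule(pkt.proto, pkt.dport)
            if rule is None:
                return "permit (not inspected, no return opening created)"
            timeout = self._idle_timeout(rule, pkt.proto)
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = (rule, pkt.t + timeout)
            return f"permit (session {rule}, idle timeout {timeout}s)"
        # Inbound: the static ACL denies everything, so only a live session whose
        # reversed 5-tuple matches can let the packet through.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return "deny (no matching session)"
        rule = self.sessions[key][0]
        self.sessions[key] = (rule, pkt.t + self._idle_timeout(rule, pkt.proto))  # traffic resets the idle timer
        return "permit (return traffic of an inspected session)"


def run_scenario() -> List[str]:
    """Constructed packet sequence between the page's PC and HTTP server;
    192.168.102.200 is an invented outside host."""
    fw = CbacFirewall(parse_inspect_rules(INSPECT_CONFIG, "myfw"))
    pc, web, outsider = "192.168.1.118", "192.168.102.119", "192.168.102.200"
    packets = [
        Packet("tcp", pc, 1025, web, 80, "out", 0),         # PC opens an HTTP session
        Packet("tcp", web, 80, pc, 1025, "in", 1),          # server reply: matches the session
        Packet("tcp", web, 80, pc, 1026, "in", 1),          # wrong client port: no session
        Packet("tcp", outsider, 4444, pc, 1025, "in", 2),   # unsolicited inbound: denied
        Packet("udp", pc, 2000, web, 53, "out", 100),       # generic udp rule, 15 s idle timeout
        Packet("udp", web, 53, pc, 2000, "in", 114),        # 14 s idle: permitted, timer reset
        Packet("udp", web, 53, pc, 2000, "in", 131),        # 17 s idle: session has expired
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The last two UDP packets show why the page sets the generic UDP timeout to 15 s rather than relying on the default: once the reply stream pauses longer than the idle timeout, the opening closes and the outside host is back to the static deny.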
Before You Begin
Conventions
For more information on document conventions, see Conventions Used in Cisco Technical Tips.
Components Used
The information in this document is based on the software and hardware versions below.
Cisco 2801 router
Cisco IOS Release 12.3(8)T4
Advanced IP Services feature set
Note
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make
sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with the following hardware:
Cisco 1800 series integrated services router (modular)
Cisco 2800 series integrated services router
Cisco 3800 series integrated services router
A similar configuration can also be used with a Cisco 3800 series integrated services router that is
equipped with a Cisco Content Engine network module (NM-CE-BP), which has an embedded Websense
URL filtering server (UFS).
OL-6329-01
Configure
In this section, you are presented with the information to configure the features described in this document.
Tip
To find additional information on the commands used in this document, use the Command Lookup Tool.
You must have an account on Cisco.com. If you do not have an account or have forgotten your username
or password, click Cancel at the login dialog box and follow the instructions that appear.
Network Diagram
This document uses the network setup shown in the diagram below. The diagram itself is not reproduced here; it shows the following hosts and addresses:
Branch office PC: 192.168.1.118/24, on the FE 0/0 side of the secured branch router
Websense URL Filtering Server (UFS): 192.168.1.116/24, on the FE 0/0 side of the secured branch router
Secured branch router: FE 0/0 at 192.168.1.2/24, FE 0/1 at 192.168.101.2/24
Cisco Secure Access Control Server (ACS): 192.168.101.119/24, on the FE 0/1 side of the secured branch router
Not shown in the diagram is an HTTP server with IP address 192.168.102.119/24. The HTTP server may be located anywhere in the network. In this case, it is on the Fast Ethernet 0/1 side of the secured branch router.
Configurations
This document uses the configuration shown below.
router# show running-config
Building configuration...
.
.
.
!---Enable the authentication, authorization, and accounting (AAA) access control model.
aaa new-model
!
!---Identify the Cisco Secure Access Control Server (ACS) as a member of an
!---AAA server group. In this example, the AAA server group is called “SJ.”
aaa group server tacacs+ SJ
server 192.168.101.119
!
!---Enable AAA authentication at login and specify the authentication methods to try,
!---in order. Note that the trailing “none” method is reached only when the preceding
!---methods return an error (for example, the user is not in the local database and the
!---TACACS+ servers are unreachable); the login is then accepted without any
!---authentication. The same applies to the “aaa authorization exec” list below.
aaa authentication login default local group SJ none
!---Restrict user access to the network:
!---(a) Run authorization to determine if the user is allowed to run an EXEC shell.
!---(b) Enable authorization that applies specific security policies on a per-user basis.
!---You must use the “aaa authorization auth-proxy” command together with the
!---”ip auth-proxy <name>” command (later in this configuration). Together, these
!---commands set up the authorization policy to be retrieved by the firewall.
aaa authorization exec default group SJ none
aaa authorization auth-proxy default group SJ
!---Make sure that the same session ID is used for each AAA accounting service type
!---within a call.
aaa session-id common
.
.
.
!---Define a set of inspection rules. In this example, the set is called “myfw.”
!---Include each protocol that you want the Cisco IOS firewall to inspect.
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http urlfilter timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw sqlnet timeout 3600
ip inspect name myfw streamworks timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw vdolive
!
!---(Optional) Set the length of time an authentication cache entry, along with its
!---associated dynamic user access control list, is managed after a period of inactivity.
ip auth-proxy inactivity-timer 120
!---Create an authentication proxy rule; in this example it is named “aprule.”
!---Set HTTP to trigger the authentication proxy.
ip auth-proxy name aprule http
!
!---Configure the Cisco IOS Intrusion Prevention System (IPS) feature:
!---Specify the location from which the router loads the Signature Definition File (SDF).
!---(The TFTP server at 192.168.1.3 is not shown in the network diagram.)
!---(Optional) Specify the maximum number of event notifications that are placed
!---in the router's event queue.
!---Disable the audit of any signatures that your deployment scenario deems unnecessary.
!---Name the IPS rule, so that you can apply the rule to an interface.
!---Later in this example, this rule (named “ids-policy”) is applied to FE 0/0.
ip ips sdf location tftp://192.168.1.3/attack-drop.sdf
ip ips po max-events 100
ip ips signature 1107 0 disable
ip ips signature 3301 0 disable
ip ips name ids-policy
!
!---Configure the Firewall Websense URL Filtering feature:
!---(Optional) Set the maximum number of destination IP addresses that can be held
!---in the cache table, which consists of the most recently requested IP addresses
!---and the authorization status of each. A value of 0, as used here, turns caching
!---off, so every request is sent to the server for a lookup.
!---Specify domains for which the firewall should permit or deny all traffic
!---without sending lookup requests to the Firewall Websense URL filtering server (UFS).
!---Specify the IP address of the Firewall Websense UFS.
ip urlfilter cache 0
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter server vendor websense 192.168.1.116
.
.
.
!---Configure the firewall interface that connects to the branch office PCs
!---and the Firewall Websense UFS:
!---Apply access lists and inspection rules to control access to the interface.
!---In this example, access list 116 is used to filter outbound packets, and
!---the inspection rule named “myfw” is used to filter inbound packets.
!---Enable the authentication proxy rule for dynamic, per-user authentication
!---and authorization. See the previous “aaa authorization auth-proxy default group SJ”
!---and “ip auth-proxy name aprule http” command entries.
!---Apply the Cisco IPS rule to outbound traffic.
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip access-group 116 out
ip inspect myfw in
ip auth-proxy aprule
ip ips ids-policy out
.
.
.
!---Configure the interface that connects to the
!---Cisco Secure Access Control Server (Cisco Secure ACS).
!---Apply access lists to control access to the interface.
!---In this example, access list 111 is used to filter inbound packets.
interface FastEthernet0/1
ip address 192.168.101.2 255.255.255.0
ip access-group 111 in
.
.
.
ip classless
!---The following command establishes a static route to the HTTP server,
!---which in this example has an IP address of 192.168.102.119.
ip route 192.168.102.0 255.255.255.0 FastEthernet0/1
!
!---Enable the HTTP server on the router; the authentication proxy uses it to present
!---its login page. Also, specify that the authentication method used for the AAA login
!---service should be used for authenticating HTTP server users.
!---Note that with the secure (HTTPS) server disabled, the authentication proxy login
!---page and the credentials the user enters travel over cleartext HTTP.
ip http server
ip http authentication aaa
no ip http secure-server
!
!---Configure the access list for the interface that connects to the
!---Cisco Secure ACS. TACACS+ runs over TCP port 49; the UDP entry matches only the
!---original UDP-based TACACS and is not needed for a TACACS+ server.
access-list 111 permit tcp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit udp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit icmp any any
access-list 111 deny ip any any
!
!---Configure the access list for the firewall interface that connects to the
!---branch office PCs and the Websense URL Filtering Server (UFS).
access-list 116 permit tcp host 192.168.1.118 host 192.168.1.2 eq www
access-list 116 deny tcp host 192.168.1.118 any
access-list 116 deny udp host 192.168.1.118 any
access-list 116 deny icmp host 192.168.1.118 any
access-list 116 permit tcp 192.168.1.0 0.0.0.255 any
access-list 116 permit udp 192.168.1.0 0.0.0.255 any
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any
!
!
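A static check over the configuration above, added as an example; it is not Cisco tooling and the finding text is the script's own wording. It flags the AAA method lists that end in "none", the authentication proxy login page being served without "ip http secure-server", and any interface command that applies an access list, inspection set, auth-proxy rule or IPS rule that is never defined globally. The configuration text is transcribed from the page, with interface sub-commands indented as IOS prints them; the IPS signature, urlfilter and timeout lines that the checks do not read are left out.

```python
"""Consistency and hardening audit of an IOS running-config (added example,
not Cisco tooling). Every check is a plain text check over the page's own
configuration, reproduced inline."""
from typing import Dict, List, Set

PAGE_CONFIG = """\
aaa new-model
aaa group server tacacs+ SJ
 server 192.168.101.119
aaa authentication login default local group SJ none
aaa authorization exec default group SJ none
aaa authorization auth-proxy default group SJ
aaa session-id common
ip inspect name myfw http urlfilter timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 15
ip auth-proxy inactivity-timer 120
ip auth-proxy name aprule http
ip ips sdf location tftp://192.168.1.3/attack-drop.sdf
ip ips name ids-policy
ip urlfilter server vendor websense 192.168.1.116
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip access-group 116 out
 ip inspect myfw in
 ip auth-proxy aprule
 ip ips ids-policy out
interface FastEthernet0/1
 ip address 192.168.101.2 255.255.255.0
 ip access-group 111 in
ip http server
ip http authentication aaa
no ip http secure-server
access-list 111 permit tcp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit icmp any any
access-list 111 deny ip any any
access-list 116 permit tcp host 192.168.1.118 host 192.168.1.2 eq www
access-list 116 deny tcp host 192.168.1.118 any
access-list 116 permit tcp 192.168.1.0 0.0.0.255 any
"""

# Interface sub-command keyword -> (kind of object it applies, global command that defines it)
REFERENCES = {
    "access-group": ("acl", "access-list "),
    "inspect": ("inspect", "ip inspect name "),
    "auth-proxy": ("auth-proxy", "ip auth-proxy name "),
    "ips": ("ips", "ip ips name "),
}


def defined_objects(global_lines: List[str]) -> Dict[str, Set[str]]:
    """Names of ACLs, inspection sets, auth-proxy rules and IPS rules defined globally."""
    found: Dict[str, Set[str]] = {kind: set() for kind, _ in REFERENCES.values()}
    for kind, prefix in REFERENCES.values():
        for line in global_lines:
            if line.startswith(prefix):
                found[kind].add(line[len(prefix):].split()[0])
    return found


def audit(config: str) -> List[str]:
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    global_lines = [l for l in lines if not l.startswith(" ")]
    defined = defined_objects(global_lines)
    findings: List[str] = []

    # 1. AAA method lists whose last method is "none": when every earlier method
    #    returns an error (the user is not in the local database and the TACACS+
    #    group is unreachable) the request succeeds with no authentication at all.
    for line in global_lines:
        if line.startswith(("aaa authentication ", "aaa authorization ")) and line.split()[-1] == "none":
            findings.append(f"method list ends in 'none' (open fallback when earlier methods error): {line}")

    # 2. Auth-proxy serves its login page from the router's HTTP server; without
    #    the secure server the user's credentials cross the LAN in cleartext.
    if defined["auth-proxy"] and "ip http secure-server" not in global_lines:
        findings.append("auth-proxy configured but 'ip http secure-server' is not enabled: "
                        "login credentials are sent over cleartext HTTP")

    # 3. Every object an interface applies must exist; a typo here silently
    #    leaves the interface unfiltered or the feature inactive.
    iface = None
    for line in lines:
        if line.startswith("interface "):
            iface = line.split()[1]
            continue
        if not line.startswith(" "):
            iface = None
            continue
        parts = line.split()
        if iface and len(parts) >= 3 and parts[0] == "ip" and parts[1] in REFERENCES:
            kind = REFERENCES[parts[1]][0]
            if parts[2] not in defined[kind]:
                findings.append(f"{iface}: applies undefined {kind} '{parts[2]}'")
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE_CONFIG):
        print("FINDING:", finding)
```

Against the page's configuration the script reports three findings: the login and exec method lists that end in "none", and the cleartext login page. Removing the trailing "none" from both lists and enabling "ip http secure-server" brings the report down to nothing, which is the state to aim for before the router leaves the lab.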