IP Inspects — Why do we need them?

A little while back, I wrote about the basic application of extended IP access-lists. There are a couple of points whose significance I hope everyone fully grasped. The first point is that nearly all traffic is bidirectional in nature. Thus two-way communication is almost always required. The second point is that when access-lists are applied, each packet is compared and evaluated individually. This creates a bit of a dilemma when we try to create a firewall using an IOS-based router. If we want to block all traffic coming into our network, a “deny ip any any” will do the trick. However, when we consider the implications, we soon realize that return traffic will be blocked as well. Let’s take a look.

Using the above image as a reference, let’s assume that the IOS Router is going to be our firewall.  Our task is to permit all outbound communication, but deny all inbound communication.

ip access-list extended OUTBOUND
 permit ip any any

ip access-list extended INBOUND
 deny ip any any

interface serial0/0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in

From this we can see that the OUTBOUND access-list is really not doing anything. However, it is a good way for us to keep our goal of permitting all outbound traffic in mind. The INBOUND access-list is blocking everything. This includes return traffic from the server back to the client. So as this configuration stands, almost nothing will work properly. The exception might be something that is connectionless at the transport layer and above in the OSI model. For example, an internal host could send a syslog message to an outside syslog server.

The solution to this problem in IOS is something Cisco calls Context-Based Access Control, or CBAC. CBAC accomplishes a few goals. The first thing it does is “inspect” traffic. When this traffic is inspected, various items can be checked depending on the protocol. For example, a TCP connection should start with a “SYN” flag only. CBAC could be configured to enforce that. After CBAC has blessed the start of a traffic flow, it will build a table that tracks the status of connections going through the IOS Firewall. Returning traffic that is part of a previously established flow will be permitted regardless of the access-list configuration. Basically, the returning traffic is allowed to bypass the access-list configuration.

Let’s look at the image once again and make our configuration work.

CBAC Definition

ip inspect name FWOUT tcp

Outbound access-list

ip access-list extended OUTBOUND
 permit ip any any

Inbound access-list

ip access-list extended INBOUND
 deny ip any any

interface serial0/0/0
 ip inspect FWOUT out
 ip access-group OUTBOUND out
 ip access-group INBOUND in

Notice that we defined a CBAC policy to inspect only TCP. We applied this to interface Serial 0/0/0 in an outbound direction. So if the client attempts to communicate with any TCP service on the server, it should work. TCP traffic that is a response to traffic that exits or egresses Serial 0/0/0 will be allowed to bypass the INBOUND ACL. This would not, however, permit a DNS request. Simple DNS requests use the UDP protocol. In order to allow UDP and ICMP (ping) to work, we can extend our CBAC definition as follows.

CBAC Definition

ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp

Seems pretty complete, doesn’t it? With this simple configuration, most things will work. Earlier, I said that all TCP services would work. That is mostly true, but we’ll soon see an exception to this. If we look at the context-sensitive help for ip inspect name FWOUT, we see several other protocols listed.

c1841(config)#ip inspect name FWOUT ?
802-11-iapp          IEEE 802.11 WLANs WG IAPP
ace-svr              ACE Server/Propagation
appfw                Application Firewall
appleqtc             Apple QuickTime
bgp                  Border Gateway Protocol
bliff                Bliff mail notification
bootpc               Bootstrap Protocol Client
bootps               Bootstrap Protocol Server
cddbp                CD Database Protocol
cifs                 CIFS
cisco-fna            Cisco FNATIVE
cisco-net-mgmt       cisco-net-mgmt
cisco-svcs           cisco license/perf/GDP/X.25/ident svcs
cisco-sys            Cisco SYSMAINT
cisco-tdp            Cisco TDP
cisco-tna            Cisco TNATIVE
citrix               Citrix IMA/ADMIN/RTMP
citriximaclient      Citrix IMA Client
clp                  Cisco Line Protocol
creativepartnr       Creative Partnr
creativeserver       Creative Server
cuseeme              CUSeeMe Protocol
daytime              Daytime (RFC 867)
dbase                dBASE Unix
dbcontrol_agent      Oracle dbControl Agent po
ddns-v3              Dynamic DNS Version 3
dhcp-failover        DHCP Failover
discard              Discard port
dns                  Domain Name Server
dnsix                DNSIX Securit Attribute Token Map
echo                 Echo port
entrust-svc-handler  Entrust KM/Admin Service Handler
entrust-svcs         Entrust sps/aaas/aams
esmtp                Extended SMTP
exec                 Remote Process Execution
fcip-port            FCIP
finger               Finger
fragment             IP fragment inspection
ftp                  File Transfer Protocol
ftps                 FTP over TLS/SSL
gdoi                 GDOI
giop                 Oracle GIOP/SSL
gopher               Gopher
gtpv0                GPRS Tunneling Protocol Version 0
gtpv1                GPRS Tunneling Protocol Version 1
h323                 H.323 Protocol (e.g, MS NetMeeting, Intel Video
h323callsigalt       h323 Call Signal Alternate
h323gatestat         h323gatestat
hp-alarm-mgr         HP Performance data alarm manager
hp-collector         HP Performance data collector
hp-managed-node      HP Performance data managed node
hsrp                 Hot Standby Router Protocol
http                 HTTP Protocol
https                Secure Hypertext Transfer Protocol
ica                  ica (Citrix)
icabrowser           icabrowser (Citrix)
icmp                 ICMP Protocol
ident                Authentication Service
igmpv3lite           IGMP over UDP for SSM
imap                 IMAP Protocol
imap3                Interactive Mail Access Protocol 3
imaps                IMAP over TLS/SSL
ipass                IPASS
ipsec-msft           Microsoft IPsec NAT-T
ipx                  IPX
irc                  Internet Relay Chat Protocol
irc-serv             IRC-SERV
ircs                 IRC over TLS/SSL
ircu                 IRCU
isakmp               ISAKMP
iscsi                iSCSI
iscsi-target         iSCSI port
kazaa                KAZAA
kerberos             Kerberos
kermit               kermit
l2tp                 L2TP/L2F
ldap                 Lightweight Directory Access Protocol
ldap-admin           LDAP admin server port
ldaps                LDAP over TLS/SSL
login                Remote login
lotusmtap            Lotus Mail Tracking Agent Protocol
lotusnote            Lotus Note
microsoft-ds         Microsoft-DS
ms-cluster-net       MS Cluster Net
ms-dotnetster        Microsoft .NETster Port
ms-sna               Microsoft SNA Server/Base
ms-sql               Microsoft SQL
ms-sql-m             Microsoft SQL Monitor
msexch-routing       Microsoft Exchange Routing
mysql                MySQL
n2h2server           N2H2 Filter Service Port
ncp-tcp              NCP (Novell)
net8-cman            Oracle Net8 Cman/Admin
netbios-dgm          NETBIOS Datagram Service
netbios-ns           NETBIOS Name Service
netbios-ssn          NETBIOS Session Service
netshow              Microsoft NetShow Protocol
netstat              Variant of systat
nfs                  Network File System
nntp                 Network News Transport Protocol
ntp                  Network Time Protocol
oem-agent            OEM Agent (Oracle)
oracle               Oracle
oracle-em-vp         Oracle EM/VP
oraclenames          Oracle Names
orasrv               Oracle SQL*Net v1/v2
parameter            Specify inspection parameters
pcanywheredata       pcANYWHEREdata
pcanywherestat       pcANYWHEREstat
pop3                 POP3 Protocol
pop3s                POP3 over TLS/SSL
pptp                 PPTP
pwdgen               Password  Generator Protocol
qmtp-tcp             Quick Mail Transfer Protocol
r-winsock            remote-winsock
radius               RADIUS & Accounting
rcmd                 R commands (r-exec, r-login, r-sh)
rdb-dbs-disp         Oracle RDB
realaudio            Real Audio Protocol
realsecure           ISS Real Secure Console Service Port
router               Local Routing Process
rpc                  Remote Prodedure Call Protocol
rsvd-tcp             RSVD
rsvp-encap           RSVP ENCAPSULATION-1/2
rsvp_tunnel          RSVP Tunnel
rtc-pm-port          Oracle RTC-PM port
rtelnet              Remote Telnet Service
rtsp                 Real Time Streaming Protocol
send-tcp             SEND
shell                Remote command
sip                  SIP Protocol
sip-tls              SIP-TLS
skinny               Skinny Client Control Protocol
sms                  SMS RCINFO/XFER/CHAT
smtp                 Simple Mail Transfer Protocol
snmp                 Simple Network Management Protocol
snmptrap             SNMP Trap
socks                Socks
sqlnet               SQL Net Protocol
sqlserv              SQL Services
sqlsrv               SQL Service
ssh                  SSH Remote Login Protocol
sshell               SSLshell
ssp                  State Sync Protocol
streamworks          StreamWorks Protocol
stun                 cisco STUN
syslog               SysLog Service
syslog-conn          Reliable Syslog Service
tacacs               Login Host Protocol (TACACS)
tacacs-ds            TACACS-Database Service
tarantella           Tarantella
tcp                  Transmission Control Protocol
telnet               Telnet
telnets              Telnet over TLS/SSL
tftp                 TFTP Protocol
time                 Time
timed                Time server
tr-rsrb              cisco RSRB
ttc                  Oracle TTC/SSL
udp                  User Datagram Protocol
uucp                 UUCPD/UUCP-RLOGIN
vdolive              VDOLive Protocol
vqp                  VQP
webster              Network Disctionary
who                  Who’s service
wins                 Microsoft WINS
x11                  X Window System
xdmcp                XDM Control Protocol

Why would we need these other protocols? For example, FTP and SMTP are TCP, right? The answer, like all good things in technology, is “it depends.” When the router looks at specific upper-layer protocols, there are more parameters that can be loaded into that state table. These can be used for dropping misused connections, or for more intelligently allowing traffic around an access-list. For example, consider our sample network one more time.

Let’s assume that the client is accessing the FTP services on the server. Will it work as configured? The answer is that it can, but it depends on the type of FTP connection that is being formed. FTP has a passive and an active mode. In both modes, there are two communication streams to be found. One is for control and the other is for data transfer. With passive mode, both of these communication streams are outbound. Below is a simple diagram of Passive Mode FTP. This mode will work with our current configuration.

Active mode, on the other hand, has a data transfer stream that is established from the server to the client. Notice in the diagram below that with active FTP, there is a DATA channel that is opened from the server to the client. With our example, the server is on the outside. Since this is a separate TCP session, the IOS Firewall does not realize that it should bypass the ACL. Therefore, the INBOUND ACL will deny the DATA session.

In order to resolve this issue, we can expand our CBAC definition to include intelligent inspection of FTP:

CBAC Definition

ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp

This will tell our IOS firewall to properly inspect and handle FTP traffic. In other words, this adds the specific protocol intelligence that is required to handle FTP.
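The difference between generic TCP inspection and FTP inspection can be modeled in a few lines. The following is an added example, not Cisco's implementation and not code from the original post: a toy state table in Python that replays a constructed active-mode FTP exchange under three policies (no inspection, tcp only, tcp plus ftp). The class name, function names, addresses and ports are all assumptions made for illustration, and the model ignores NAT, timeouts and sequence-number checks.

```python
import re

# Argument of an FTP PORT command: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

class Inspector:
    """Toy model: 'ip inspect <name> out' in front of an inbound 'deny ip any any'."""

    def __init__(self, protocols):
        self.protocols = set(protocols)  # "tcp", optionally together with "ftp"
        self.sessions = set()            # state table of flows started from inside
        self.pinholes = set()            # data channels announced via PORT

    def outbound(self, src, sport, dst, dport, syn=False, payload=b""):
        """Packet leaving the inside; the OUTBOUND ACL permits everything."""
        flow = (src, sport, dst, dport)
        if "tcp" in self.protocols and syn:
            self.sessions.add(flow)      # a new flow must begin with a bare SYN
        m = PORT_RE.match(payload)
        if "ftp" in self.protocols and dport == 21 and flow in self.sessions and m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            announced = f"{h1}.{h2}.{h3}.{h4}"
            if announced == src:         # only honour PORT for the sender itself
                self.pinholes.add((dst, announced, p1 * 256 + p2))
        return "permit"

    def inbound(self, src, sport, dst, dport, syn=False):
        """Packet arriving from outside, checked before the INBOUND ACL."""
        if (dst, dport, src, sport) in self.sessions:
            return "permit"              # return traffic of a tracked flow
        if syn and (src, dst, dport) in self.pinholes:
            self.pinholes.discard((src, dst, dport))      # one-shot pinhole
            self.sessions.add((dst, dport, src, sport))   # track the data flow
            return "permit"
        return "deny"                    # INBOUND: deny ip any any

def active_ftp(protocols):
    """Replay a constructed active-mode FTP exchange; return both verdicts."""
    fw = Inspector(protocols)
    client, server = "10.0.0.10", "192.0.2.20"             # constructed addresses
    fw.outbound(client, 40000, server, 21, syn=True)       # control channel SYN
    control_reply = fw.inbound(server, 21, client, 40000)  # server's SYN/ACK
    fw.outbound(client, 40000, server, 21, payload=b"PORT 10,0,0,10,195,80\r\n")
    data_open = fw.inbound(server, 20, client, 50000, syn=True)  # server -> client
    return control_reply, data_open

for policy in ([], ["tcp"], ["tcp", "ftp"]):
    print(policy, active_ftp(policy))
```

With tcp alone the control channel works but the server's data connection is denied. Only the ftp policy, which reads the PORT command on the control channel, admits that one announced connection and nothing else.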

What about other protocols, like SMTP? Shouldn’t that work since there are no secondary channels? The answer is yes, but specifying the protocol enhances the inspection capabilities. For example, without SMTP inspection specified in our configuration, any TCP traffic could flow on TCP port 25. With SMTP specified, the IOS Firewall expects to see SMTP commands in TCP traffic destined to port 25. Additionally, it may only permit certain SMTP commands that are deemed safe. Each protocol that can be specified and is above the OSI transport layer simply adds to the router’s inspection capabilities. However, there are no blanket statements that can describe how each one enhances these capabilities. Each protocol has specific characteristics and challenges. Depending on traffic load, some protocol inspections can cause performance issues.

CBAC, or Context-Based Access Control, is the Cisco terminology for allowing a router to behave like a firewall.  With CBAC, an IOS Router can truly be a Stateful Firewall.  A key requirement for a stateful firewall is to safely build a state table and allow properly qualified return traffic to bypass the interface access-list.  Without this ability, an IOS Router would have to allow nearly all traffic in order to permit network applications to function properly.  There have been other technologies along the way that attempted to solve these problems.  However, CBAC is really the first attempt at creating this state table and validating the protocol simultaneously.  With CBAC, return traffic is implicitly permitted. Therefore, the proper validation of the initiating traffic is crucial to protecting the network and networked applications.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
