Example: Cisco Systems Routers as Chokes
Many organizations use high-performance routers both to connect their companies to the Internet and to perform limited packet filtering. Because routers made by Cisco Systems, Inc., are widely used within the Internet community as this tutorial is being written, we decided that a look at the security configuration for a Cisco router might be helpful.
NOTE: Bear in mind that this description is not a definitive reference for configuring Cisco routers, but is intended to demonstrate highlights of how a router is configured as a choke. Further examples of Cisco configurations may be obtained via FTP from ftp://ftp.cisco.com/pub/acl-examples.
Please also note that we do not intend that our inclusion of vendor-specific information for Cisco routers be taken as an endorsement of their routers over any other vendor's products.
Cisco Systems routers run a complicated operating system called Internetwork Operating System (IOS), which is specially tailored to perform high-speed routing. It is a real-time operating system that is not based on UNIX.
IOS maintains a set of internal configuration tables that are associated with the router, each protocol that the router understands, each network interface, and each physical "line" interface. These configuration tables are consulted by the IOS operating system each time a packet is received for routing.
The IOS internal tables are configured from the console when the router is in configuration mode. The current configuration can be extracted from the router using the write command; this command produces a text file of commands that can be stored in the router's nonvolatile memory or saved using a network TFTP server. The router then interprets these commands when it boots as if they were typed on the router's console.
access-list Command: Creating an Access List
IOS uses the access-list command to define the set of IP addresses and protocols with which a particular router will communicate. The access-list command creates an access list; each access list has a unique number. IOS sets aside specific ranges of access-list numbers for specific purposes.
access-list: standard form
The standard form of the access-list command for the IP protocol has the form:
access-list access-list-number {deny|permit} source [source-mask]
Where:
- access-list-number
- Denotes the number of the access list you are defining. For the standard form of the access-list command, the access-list-number must be a decimal integer from 1 though 99.
- deny | permit
- Specifies whether IP packets matching this access list should be denied (not transmitted) or permitted (transmitted).
- source
- Specifies the IP address of the host or network from which this packet is being sent. Source must be in the standard form ii.jj.kk.ll.
- source-mask
- An optional mask that is applied to the source. As with the source, the source-mask is specified in four-part dotted-decimal notation. A 1 in a position indicates that it should be masked (ignored). Thus, 0.0.0.255 means that only the first three octets of the source address will be considered.
If you specify an access-list, IOS will add an implicit rule to deny all packets that do not match the rules that you have provided.
For example, this command would permit all packets from the host 204.17.195.100:
access-list 1 permit 204.17.195.100
This command would deny all packets from the IP subclass C network 198.3.4:
access-list 1 deny 198.3.4.0 0.0.0.255
access-list: extended form
The access-list command has an extended form which allows you to make distinctions based on the particular IP protocol and service.[8] In the case of the TCP/IP protocol, you can even create restrictions based on the connection's direction - whether it is outgoing or incoming.
[8] In addition to IP, Cisco routers support many other protocols as well, including AppleTalk and IPX, but we won't discuss them here.
The extended version of the access-list command has syntax that is similar to the standard form; the key difference is that the access-list-number must be in the range 100 to 199, and there are additional parameters:
access-list access-list-number {deny|permit} protocol\ source source-mask destination destination-mask [established]
Where:
- access-list-number
- Denotes the number of the access list that you are defining. For the extended form of the access-list command, the access-list-number must be a decimal integer from 100 though 199.
- deny | permit
- Specifies whether IP packets matching this access list should be denied (not transmitted) or permitted (transmitted).
- protocol
- Specifies the protocol name or number. Specify ip, tcp, udp, icmp, igmp, gre, igrp, or the IP protocol number (range 0 through 255). Use ip to specify all IP protocols, including TCP, UDP, and ICMP.
- source
- Specifies the IP address of the host or network from which this packet is being sent; must be in the standard form ii.jj.kk.ll.
- source-mask
- An optional mask that is applied to the source. As with the source, the source-mask is specified in four-part dotted-decimal notation. A 1 in a position indicates that it should be masked. Thus, 0.0.0.255 means that only the first three octets of the source addresses should be considered.
- destination
- Specifies the address of the host or network to which this packet is being sent; must be in the standard form ii.jj.kk.ll.
- destination-mask
- An optional mask that is applied to the destination. As with the source-mask, the destination-mask is specified in four-part dotted-decimal notation, where a 1 in a position indicates that it should be masked.
- operator
- This optional argument allows you to specify a particular TCP or UDP port, or even a range of ports. Allowable values are described in Table 21.1.
- operand
- A number, in decimal, used to refer to a specific TCP or UDP port.
| Operator | Meaning | Example | Result |
|---|---|---|---|
| eq | equal to | eq 23 | Selects Telnet port. |
| gt | greater than | gt 1023 | Selects all non-privileged ports. |
| lt | less than | lt 1024 | Selects all privileged ports. |
| neq | not equal to | neq 25 | Selects all protocols other than SMTP. |
- established
- If present, indicates packets for an established connection. This is only applicable to the TCP protocol, and selects for packets that have the ACK or RST bits set. By blocking packets that do not have either the ACK or RST bits set that are traveling into your organization's network, you can block incoming connections while still allowing outgoing connections.
- log
- If present, causes violations of access lists to be logged via syslog to the specified logging host.
show access-lists Command: Seeing the Current Access Lists
You can use the CIOS show access-lists command to display all of the current access lists. For example:
router>show access-lists Standard IP access list 1 permit 204.17.195.0 permit 199.232.92.0 Extended IP access list 108 deny ip 199.232.92.0 0.0.0.255 any deny ip 204.17.195.0 0.0.0.255 any permit ip any any (1128372 matches) router>
In this example, there are two IP access lists: access list #1, which is a standard list, and access list #108, which is an extended list. The standard list permits the transmission of any packet that comes from the IP networks 204.17.195 or 199.232.92; the extended list denies any packet coming from these two networks.
The pair of rules in this example can be used to erect a barrier to IP spoofing for an organization that is connected to the Internet. The organization, with two internal IP networks (204.17.195 and 199.232.92), could apply the first access list to its outbound interface, and the extended list to inbound packets from its serial interface. As a result, any incoming packets that claim to be from the organization's internal network would be rejected.
Be aware that the show access-lists command is normally not a privileged command; anybody who can log into your router can see all of your access lists. You can make it privileged by using the IOS privilege commands added in IOS Version 10.3.
access-class Command: Protecting Virtual Terminals
After you have created one or more access lists, you can use the access-class command to assign the access-control list to a particular Cisco virtual-terminal line. You assign access lists to a particular Cisco interface by using the access-class command. You should use the access-class command to configure your router so that it will reject login attempts from any host outside your organization. You may also wish to configure your router so that it rejects all login attempts from inside your organization as well, with the exception of a specially designed administrative machine.
The access-class command has the following syntax:
access-class access-list-number {in|out}
Where:
- access-list-number
- Specifies the number of an access list. This must be a number between 1 and 199.
- in | out
- Specifies whether incoming connections or outgoing connections should be blocked.
You can use this command to prevent people from logging directly onto your router (using one of the vty interfaces) unless they are coming from a specially designated network. For example, to configure your router so that it will only accept logins from the subclass C network 198.3.3, you could use the following sequence of IOS commands:
router#config t Enter configuration commands, one per line. End with CNTL/Z. router(config)#access-list 12 permit 198.3.3.0 0.0.0.255 router(config)#line vty 0 4 router(config-line)#access-class 12 in router(config-line)#^Z router#
ip access-group Command: Protecting IP Interfaces
You can also use access lists to specify packets that should be blocked from crossing an IP interface. For example, if you are using the Cisco interface to create a conventional choke-and-gate interface, and you have a serial connection to an Internet service provider, you can specify that the only IP packets that should be transmitted in from the interface should be those that are destined for the gate machine, and that the only IP packets that should be transmitted out from the serial interface are those that are from your gate.
The command that associates an access list with a particular interface is the access-group command. This is an interface-configuration command, which means that it is typed when the router is in interface-configuration mode.
The access-group command has the following syntax:
ip access-group access-list-number {in | out}
Where:
- access-list-number
- Specifies the number of an access list. This must be a number between 1 and 199.
- in | out
- Specifies whether incoming connections or outgoing connections should be blocked.
For example, to configure your serial 0 interface so that it will only send packets to or from a gate computer located at IP address 204.17.100.200, you might configure your router as explained in the following paragraphs.
First, create one access list that selects for packets that have the gate as their source (access list #10) and a second access list that selects for packets that have the gate as their destination (access list #110):
router#config t Enter configuration commands, one per line. End with CNTL/Z. router(config)#access-list 10 permit 204.17.100.200 0.0.0.0 router(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 204.17.100.200 0.0.0.0
Now, assign these access lists to the serial 0 interface:
router(config)#int serial 1 router(config-if)#ip access-group 10 out router(config-if)#ip access-group 110 in
Remember, use the IOS write command to save the configuration.
accounting access-violations Command: Using IP Accounting
IOS has an IP accounting feature that can track the number of IP packets that are passed by the router and then rejected. You can use this feature to detect whether somebody is trying to bypass your firewall security. If logging is enabled, you will be told the IP address of the attacker and the protocol being used.
To turn on IP accounting to check for access violations on a specific interface use the command:
router(config-if)#ip accounting access-violations
Access Control vs. Performance
IOS consults the entire access control list every time a packet is received for routing. As a result, the more complicated your access lists, the slower you will find your router's resulting performance.
You can maximize your router's performance, and improve overall security, by making your access lists as simple as possible. You can also improve performance by using route filtering. If you have a complex list of hosts to which you do or do not wish to offer particular services, you can supplement your access lists by using a program on your gate such as tcpwrapper, in addition to implementing them on your choke. This will give you extra protection.