IOS Firewall/IDS/CBAC etc. - Securing a router the best

Discussion in 'Cisco' started by Paul Stewart, Jan 7, 2004.

  1. Paul Stewart

    Paul Stewart Guest

    Hi there...

    As a bit of a pet project I would like to examine the ***best***
    possible method of securing a network via a Cisco 1710 router running
    IOS IDS/FW feature sets with version 12.3.5

    My goal is to provide a NAT gateway for a client workstation and a
    Windows 2000 server that has certain ports open (web, smtp etc.) kind
    of like a traditional small office setup might be. In this case it's
    my home network. The dangerous assumption will be made that no
    vulnerabilities exist on the Win2k server for those ports that are
    open (in this case, everything up to date).

    Right now, this setup is working fine with only SSH access to the
    router and only limited ports open.

    I'd like to take this as far as is reasonable with ideas like:

    -Identify all p2p traffic across the link using NBAR
    -Identify and log all inbound traffic that is Code Red, Nimda, and
    other viruses (as many as possible)
    -log any port scans that hit the router's edge
    -run as much IDS as possible for further protection

    I'm looking at this as a stock configuration that could be applied in
    future at multiple customer sites etc. Also I realize that memory/cpu
    might take a severe hit if we load a lot of options onto a 1700
    router.

    Has anyone done a "master config" that does most of this? Looking for
    ideas and configs that merge the "best options for protection" into an
    IOS.

    Thanks.
     
    Paul Stewart, Jan 7, 2004
    #1

  2. RM

    RM Guest

    I think there is a lockdown tool built into the web interface of that
    router.

    -D
     
    RM, Jan 8, 2004
    #2

  3. :As a bit of a pet project I would like to examine the ***best***
    :possible method of securing a network via a Cisco 1710 router running
    :IOS IDS/FW feature sets with version 12.3.5

    :I'd like to take this as far as is reasonable with ideas like:

    :-Identify all p2p traffic across the link using NBAR
    :-Identify and log all inbound traffic that is Code Red, Nimda, and
    :other viruses (as many as possible)
    :-log any port scans that hit the routers edge
    :-run as much IDS as possible for further protection

    :I'm looking at this as a stock configuration that could be applied in
    :future at multiple customer sites etc.

    And who at the customer site is going to *read* those logs? What should
    the customer -do- with the 15000 logged Code Red probes per day?

    It's certainly true that if you don't log the information, it won't
    be there in case you need it later, but your goal has to be to
    provide the customer with *quality* information about real threats
    to the customer, not with -quantity- of information that they
    don't know what to do with.

    I've spent several person-months working on firewall log analysis tools,
    and I am not nearly satisfied with what I have. Analyzing the data takes
    a *lot* of work.
     
    Walter Roberson, Jan 8, 2004
    #3
  4. Hello, Walter!
    You wrote on 8 Jan 2004 05:40:27 GMT:

    WR> And who at the customer site is going to *read* those logs?
    WR> What should the customer -do- with the 15000 logged Code Red
    WR> probes per day?

    WR> I've spent several person-months working on firewall log
    WR> analysis tools, and I am not nearly satisfied with what I
    WR> have. Analyzing the data takes a *lot* of work.

    That's true. On the other hand, creating a Perl/shell/etc. script which does one
    thing only - say, reports PCs infected by Code Red - is not very time-consuming.

    With best regards,
    Andrey.
     
    Andrey Tarasov, Jan 8, 2004
    #4
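    Andrey's single-purpose script, as an added example that is not from the thread, written in Python rather than Perl: it reads Cisco IOS access-list log messages (%SEC-6-IPACCESSLOGP), totals the denied port-80 probes per source address and reports only the sources that keep coming back, which is the "quality, not quantity" view Walter asks for. The log lines, the ACL number 105 and the threshold are constructed assumptions; ACL 105 is assumed to log only traffic that NBAR has already classified as a worm URL probe, so every hit counts as a probe rather than ordinary web traffic.

```python
import re
from collections import defaultdict

# Constructed IOS "access-list ... log" messages (192.0.2.x / 198.51.100.x are
# documentation ranges). Assumption: ACL 105 only logs packets NBAR has marked
# as Code Red/Nimda URL probes, so a hit here is a worm probe, not a web visit.
SAMPLE_LOG = """\
Jan  8 05:40:27.113: %SEC-6-IPACCESSLOGP: list 105 denied tcp 192.0.2.17(3412) -> 198.51.100.2(80), 1 packet
Jan  8 05:40:31.502: %SEC-6-IPACCESSLOGP: list 105 denied tcp 192.0.2.17(3415) -> 198.51.100.2(80), 1 packet
Jan  8 05:41:02.090: %SEC-6-IPACCESSLOGP: list 105 denied tcp 192.0.2.88(1029) -> 198.51.100.2(80), 1 packet
Jan  8 05:42:55.771: %SEC-6-IPACCESSLOGP: list 105 denied tcp 192.0.2.17(3499) -> 198.51.100.2(80), 3 packets
Jan  8 05:43:10.004: %SEC-6-IPACCESSLOGP: list 105 denied tcp 192.0.2.17(3501) -> 198.51.100.2(80), 1 packet
Jan  8 05:44:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# One regex, one job: ACL number, source IP, destination port and packet count.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def probe_counts(log_text, acl="105", dport="80"):
    """Return {source_ip: total_packets} for hits on the worm-logging ACL."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = ACL_LOG.search(line)
        if m and m.group("acl") == acl and m.group("dport") == dport:
            counts[m.group("src")] += int(m.group("count"))
    return dict(counts)


def infected_hosts(log_text, threshold=3, **kw):
    """Sources at or above the threshold: one stray hit is noise, a host that
    keeps probing port 80 with worm URLs is what the customer should act on."""
    counts = probe_counts(log_text, **kw)
    return sorted((src, n) for src, n in counts.items() if n >= threshold)


def report(log_text, threshold=3):
    """Short human-readable summary: totals first, then only the actionable hosts."""
    counts = probe_counts(log_text)
    hits = infected_hosts(log_text, threshold)
    lines = [f"{sum(counts.values())} worm probes from {len(counts)} sources; "
             f"{len(hits)} source(s) above threshold {threshold}:"]
    lines += [f"  {src}  {n} packets" for src, n in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    Feeding it the router's syslog file instead of SAMPLE_LOG gives a daily one-screen list of probing hosts instead of thousands of raw deny lines.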
  5. Jason Kau

    Jason Kau Guest

    Why not use multiple devices? Cisco IOS makes a great router but a pretty
    poor firewall, IDS, etc. IMO. If I was having to sell a single box to
    customers and security was important or a selling point, I'd probably go
    with a Nokia or Crossbeam running CheckPoint Firewall-1/FloodGate NG-AI w/ a
    SmartDefense subscription. The Nokias are OK routers and can be had with T1
    interfaces.

    IOS IDS/FW feature set can also be really expensive and sometimes a separate
    PIX or NetScreen firewall is actually cheaper.

    NBAR seems like an OK tool to do traffic blocking or policing on known
    traffic but not necessarily a great tool to block and/or identify
    worms/attacks/trojans or write your own custom signatures.
     
    Jason Kau, Jan 8, 2004
    #5
  6. Paul Stewart

    Paul Stewart Guest

    Thanks to everyone for their responses. This is a proof of concept at
    this point to see how much stuff can be done effectively on a low
    volume connection using a 1710 as an example. To what level and using
    what type of configuration can this be accomplished?

    Taking the log information and analysing it I agree *can* be an issue
    and when we do get this to the level of presenting it to the customer
    it will be "pretty and accurate" but that's not the concern at the
    moment (although thanks for bringing that up).
    Most of "these" customers have enough time spending money on the 1710
    solution let alone adding a PIX, more SmartNet (potentially) etc...
    some of these target customers have three people in their office using
    the Internet for example.
    With the 1710 it's completely integrated at time of sale so very
    economical for our needs. But I definitely agree that in other larger
    models it adds up really quick :)
    This is more like what I'm looking for.... basically I'm asking what
    people are doing and how well it works along with config information
    if possible.

    Thanks again,

    Paul
     
    Paul Stewart, Jan 9, 2004
    #6
  7. Alan Strassberg, Jan 10, 2004
    #7
  8. Paul Stewart

    Paul Stewart Guest

    Awesome!!! That's a great tool... thanks Alan..:)
     
    Paul Stewart, Jan 22, 2004
    #8
