topic Re: CCP Firewall is that bad? in Network Security

CCP Firewall is that bad?

oren.hecht — Mon, 11 Mar 2019 18:12:55 GMT

Hi,

I got a Cisco 877W set up and have problems with the Firewall setup using Cisco Configuration Professional.

I am new to the security field so I decided to use CCP to configure the firewall. I would like to block all traffic from the internet and allow all traffic originating inside the LAN, I do not care which traffic is originating as I consider the LAN to be completely trusted.

After I configured the default template of Low Security my connection dropped dramatically, from a 10Mbps ADSL connection that I fully utilized, I started getting 150kbps just after I enabled the firewall.

I checked the router's CPU and it showed peaks of up to 87% (Usually was jumping around between 20%-87%).

I turned the firewall off since I need to use my connection, but am I missing something? How come my $20 D-Link router blocks incoming traffic from the internet and performs well while my pricey 877W can't run the firewall.

If I will drop the zone based firewall and go back to the classic one will it be better?

Thanks a lot!

Re: CCP Firewall is that bad?

Jitendriya Athavale — Mon, 19 Jul 2010 04:41:12 GMT

i think for you r setup the classic firewall makes sense

since you need to block everything from wan and allow everything from lan, i think cbac or classid firewall should be enough to begin with

Re: CCP Firewall is that bad?

oren.hecht — Mon, 19 Jul 2010 07:13:04 GMT

Hey Jathaval,

I indeed used CBAC eventually and got it working, but got some weird results while trying to do so.

At first I set up these rules:

ip inspect name FIREWALL_RULES dns
ip inspect name FIREWALL_RULES ftp
ip inspect name FIREWALL_RULES http
ip inspect name FIREWALL_RULES https
ip inspect name FIREWALL_RULES icmp
ip inspect name FIREWALL_RULES imap
ip inspect name FIREWALL_RULES smtp
ip inspect name FIREWALL_RULES pop3
ip inspect name FIREWALL_RULES tftp
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp

But I got the same behavior as I did with the ZBF, my bandwidth usage dropped to 10%.

Eventually I left it with:

ip inspect name FIREWALL_RULES icmp
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp

And then it started behaving normally.

But I don't get it, lets say I wanted to do some VOIP classifications. According to the results above If I started to match protocols and classify them, the traffic would drop dramatically and both the web traffic and VOIP traffic will be useless (I didn't check the delays but I bet they suffered too).

How come Cisco manufactures a SOHO product that can't handle more than 3 classifications? Luckily it does what I need it to.

Oren.

Re: CCP Firewall is that bad?

Jitendriya Athavale — Mon, 19 Jul 2010 07:16:24 GMT

i think the issue is caused because of inspecting http and https

can you disable them and verify the results again with the rest of the inspections

Re: CCP Firewall is that bad?

oren.hecht — Mon, 19 Jul 2010 07:53:58 GMT

Yep, you are dead on. And since I don't use https that often it's probably the http, wow that is very shameful isn't it?

Luckily I don't do classification between HTTP and other traffic or my connection would be very bad...

I got two questions though:

1. Do I need all the other inspections rules? Cause most of them are TCP & UDP anyway, won;t be enough to inspect them?

2. Does the order of the inspection matter? Does it behave like an ACL, when it identifies something as one of the inspections it stops inspecting?

Thanks!

Re: CCP Firewall is that bad?

Jitendriya Athavale — Mon, 19 Jul 2010 08:04:52 GMT

choosing inspection rules is your choice depending what you need

for example you might or might not need ftp depending on whether it is active or passive

but definately http is not advisable becuase it will leed to slowing of traffic especially if you line has lot of out of order packets

as far as layer 7 inspections r concerned you will need them only if the server/client on the outside needs to open any ports

with cbac you are options are as such limited to basic inspection, so i think u can probably continue with just icmp, tcp and udp and if there is requirement you can use layer 7 inspection for ftp or voice or something like that

hope this answers your questions, if so i request you to mark this as answered for the benifit of the other users

Re: CCP Firewall is that bad?

oren.hecht — Mon, 19 Jul 2010 08:16:32 GMT

Hey Jathaval,

Thank you very much for the help!

One last question I have regarding this issue is if the inspection list behaves as an ACL and if the order matters.

If one inspection rule is identified, does it continue inspecting or does it break the inspection list?

Thanks again,

Oren.

Re: CCP Firewall is that bad?

Jitendriya Athavale — Mon, 19 Jul 2010 08:28:37 GMT

i think such a situation will never arise because if we are talking about at layer 3-4 it will be tcp or udp

if at layer 7 http, ftp smtp etc

so the question of order doesnt arise as each rule is unique

Re: CCP Firewall is that bad?

oren.hecht — Mon, 19 Jul 2010 08:33:41 GMT

Fair Enough.

Thank you very much for you kind help, I really appreciate it!

Re: CCP Firewall is that bad?

Jitendriya Athavale — Mon, 19 Jul 2010 08:37:10 GMT

hi oren, i just confirmed with one of my collegue i

would like to correct myself

the order does matter

more specific ones first and then general ones

so layer 7 first and then layer 4 like tcp/udp

so it does go like access-list if it finds the match in the first rule it will not look at others

inspect tcp

inspect http

inspect http has no effect

inspect http

inspect ftp

inspect tcp

sorry for the confusion

Re: CCP Firewall is that bad?

oren.hecht — Mon, 19 Jul 2010 09:16:23 GMT

That makes more sense.

Thank you, and thank your colleague too

Oren.