topic IPS/ACL/ZBF precedence on IOS router in Network Security

IPS/ACL/ZBF precedence on IOS router

darthnul — Sun, 10 Mar 2019 12:14:00 GMT

I have a number of 891 routers deployed for VPN connectivity to a central site. The routers have an ACL as well as zone-based firewalling and IPS/IPS configured on their public interfaces. They are running IOS universal 15.1.1. They have been up for over six months.

Last week I started getting logs like this from the IPS instance:

Jan 12 09:51:21 ss260 378: Jan 12 15:51:20.551: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:100 TCP SYN/FIN Packet [Source-that I can't identify-IP:25 -> MY-ROUTER-IP:25] VRF:NONE RiskRating:100

I know that the interface ACL is processed before the ZBF. I've been assuming that IPS happens after the ACL as well, but this packet should never have gotten past my ACL. The ACL allows only ESP, IKE, SSH and pings, and then only if they come from about half a dozen source IPs. The source of the trigger packet is NOT among those allowed.

Because my ACL doesn't allow any un-encrypted traffic (other than some pings that I generate), I was not really expecting the IPS instance to see anything likely to trigger an alert, and up until last week, that was true.

So far all the logs are for the same SYN/FIN signature. Is this a special case type signature for some reason or can I expect to see alerts every time a packet that the ACL is going to block anyway, matches a signature?

Re: IPS/ACL/ZBF precedence on IOS router

Marcin Latosiewicz — Fri, 14 Jan 2011 17:12:43 GMT

Hi,

First of I noticed that the packets dropped by IPS have both source and destination port of 25 - odd 😉

If you're interested in order of operation with new CEF code you can check "show cef interface INTERFACE_NAME IFC_NUMBER" this is reliable and in the order they are done, but maybe in more detail than you'd need 😉

Router#sh cef interface fa0/0
FastEthernet0/0 is down (if_number 4)
  Corresponding hwidb fast_if_number 4
  Corresponding hwidb firstsw->if_number 4
  Internet address is 10.1.1.1/24
  ICMP redirects are always sent
  Per packet load-sharing is disabled
  IP unicast RPF check is disabled
  Input features: Access List
  Output features: Firewall (NAT), Firewall (inspect)
  Inbound access list is 101
  Outbound access list is not set
  IP policy routing is disabled
  BGP based policy accounting on input is disabled
  BGP based policy accounting on output is disabled
  Hardware idb is FastEthernet0/0
  Fast switching type 1, interface type 18
  IP CEF switching enabled
  IP CEF switching turbo vector
  IP CEF turbo switching turbo vector
  IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
  Input fast flags 0x1, Output fast flags 0x0
  ifindex 3(3)
  Slot  Slot unit 0 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500

HTH,

Marcin

Re: IPS/ACL/ZBF precedence on IOS router

darthnul — Fri, 14 Jan 2011 17:38:47 GMT

Thanks Marcin!

I ran the command and it (unfortunately) shows that IPS is evaluated before the ACL:

GigabitEthernet0 is up (if_number 12)
Corresponding hwidb fast_if_number 12
Corresponding hwidb firstsw->if_number 12
Internet address is 173.84.169.126/30
ICMP redirects are never sent
Per packet load-sharing is disabled
IP unicast RPF check is disabled
Input features: Stateless IN IPS (Atomic), Access List, IPSec input classification, Post Crypto IPS Atomic
Output features: IPSec output classification, CCE Post NAT Classification, Firewall (firewall component), IPSec: to crypto engine, Post-encryption output features
IP policy routing is disabled
BGP based policy accounting on input is disabled
BGP based policy accounting on output is disabled
Hardware idb is GigabitEthernet0
Fast switching type 1, interface type 27
IP CEF switching enabled
IP CEF switching turbo vector
IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
Input fast flags 0xA1, Output fast flags 0x400
ifindex 12(12)
Slot Slot unit 0 VC -1
IP MTU 1452

I really wish IPS happened AFTER the ACL because I get paged every time any router logs an IPS signature match.

Thanks ...jgm