06-29-2012 10:41 AM - edited 03-11-2019 04:24 PM
With Julio Carvajal Segura
Welcome to the Cisco Support Community Ask the Expert conversation with Cisco expert Julio Carvajal Segura. This is an opportunity to learn and ask questions on how to make your IOS router devices (Zone-Based Firewall, Intrusion Prevention Systems, & Context-Based Access Control) more secure.
Julio Carvajal Segura is a support engineer at the Cisco Technical Center in Costa Rica. His expertise is in security topics such as Cisco Security Content, intrusion prevention systems, Cisco Adaptive Security Appliances (ASA), Cisco Firewall Services Modules, zone based firewalls, and context-based access control. He has over a year of experience working and resolving customer problems.
Remember to use the rating system to let Julio know if you have received an adequate response.
Julio might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community Firewalling forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
07-11-2012 06:04 AM
Hello Rogelio,
It's my pleasure to help.
Regards,
Julio
07-11-2012 01:13 AM
Hi Julio,
Can you please check the link https://supportforums.cisco.com/message/3680429#3680429 where I have posted a query about VPN. Could you please refer to the configuration. I just wanted to know whether the VPN access problem is due to the ZBF or not.
Regards,
Tony
07-11-2012 06:14 AM
Hello Yadhu,
Can you remove the following configuration:
zone security VPN
interface Virtual-Template1 type tunnel
zone-member security VPN
policy-map type inspect VPN-TO-IN-POLICY
class type inspect vpn-access
inspect
zone-pair security VPN-TO-IN source VPN destination INSIDE service-policy type inspect VPN-TO-IN-POLICY
Then add the following:
interface Virtual-Template1 type tunnel
zone-member security OUTSIDE
Then take the tunnel down and generate some traffic, and let me know how it goes.
Julio
07-12-2012 02:51 AM
Hello Julio,
Thank you for your reply.
I removed the same and added:
interface Virtual-Template1 type tunnel
zone-member security OUTSIDE
The moment I added the above configuration I could not even ping the LAN interface of my router. Instead of adding the 'Virtual-Template1' interface to the OUTSIDE zone I tried to include it in the INSIDE zone like:
interface Virtual-Template1 type tunnel
zone-member security INSIDE
and it started working, i.e. I can access the LAN of my company. Can you please tell me whether it is a correct approach or not?
Please see the zones:
Router#sh zone security
zone self
Description: System defined zone
zone INSIDE
Member Interfaces:
GigabitEthernet0/0
Virtual-Template1
zone OUTSIDE
Member Interfaces:
GigabitEthernet0/1
Regards,
Tony
07-12-2012 09:39 AM
Hello Yadhu,
Great to hear it is working,
The first problem you had was that the zone was not applied to any zone security, and we needed to have it in one to make it work.
The approach looks good to me; actually, after the change on the outside zone, the next step would be on the inside.
This will still be safe, as in order for any user to get into the in-zone he will need to authenticate himself first to this EzVPN server.
Regards,
Julio
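The exchange above turns on the default forwarding rules of the Zone-Based Firewall: an interface in no zone cannot talk to a zoned one, two interfaces in the same zone talk freely and without inspection, and two different zones need a zone-pair with a policy. The following is an added example, not code from the thread or from Cisco, that models those documented default rules in Python and replays the configurations Tony tried (Virtual-Template1 unzoned, in OUTSIDE, and in INSIDE). It assumes, as a simplification, that the tunnel traffic is treated as arriving on "Virtual-Template1" itself; on a real router it arrives on the cloned Virtual-Access interfaces, which inherit the template's zone membership. The last scenario (an OUTSIDE->INSIDE zone-pair with an inspect policy) is an alternative not tried in the thread and is labelled as an assumption.

```python
# Added example (not from the thread): a small model of the documented default
# forwarding rules of the IOS Zone-Based Firewall, used to reason about why
# Virtual-Template1 had to be placed in a zone and why INSIDE worked.
# Simplification (assumption): the tunnel traffic is treated as arriving on
# "Virtual-Template1" itself; on a real router it arrives on the cloned
# Virtual-Access interfaces, which inherit the template's zone membership.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class ZoneFirewall:
    # interface name -> zone name; interfaces missing here are unzoned
    membership: Dict[str, str] = field(default_factory=dict)
    # (source zone, destination zone) directions that have a zone-pair
    # with a policy that lets the traffic through (inspect or pass)
    zone_pairs: Set[Tuple[str, str]] = field(default_factory=set)

    def zone_of(self, interface: str) -> Optional[str]:
        return self.membership.get(interface)

    def decide(self, ingress: str, egress: str) -> str:
        """Apply the default ZBF rules to traffic entering on `ingress`
        and leaving on `egress`; returns 'permit ...' or 'drop ...'.

        1. Both interfaces unzoned: permitted, ZBF is not involved.
        2. Exactly one of them zoned: dropped.
        3. Both in the same zone: permitted (intra-zone traffic is not
           inspected).
        4. Different zones: permitted only if a zone-pair with a policy
           exists for that source->destination direction.
        """
        src, dst = self.zone_of(ingress), self.zone_of(egress)
        if src is None and dst is None:
            return "permit (both interfaces unzoned)"
        if src is None or dst is None:
            return "drop (one interface zoned, the other not)"
        if src == dst:
            return f"permit (intra-zone {src}, not inspected)"
        if (src, dst) in self.zone_pairs:
            return f"permit (zone-pair {src}->{dst})"
        return f"drop (no zone-pair {src}->{dst})"


def thread_scenarios() -> Dict[str, str]:
    """Re-create the configurations tried in the thread: the LAN sits on
    GigabitEthernet0/0 in INSIDE, the WAN on GigabitEthernet0/1 in OUTSIDE,
    and the EzVPN client's traffic enters via Virtual-Template1 bound for
    the LAN."""
    lan, wan, vt1 = "GigabitEthernet0/0", "GigabitEthernet0/1", "Virtual-Template1"
    base = {lan: "INSIDE", wan: "OUTSIDE"}
    results: Dict[str, str] = {}

    # Virtual-Template1 in no zone at all: rule 2 drops it.
    fw = ZoneFirewall(membership=dict(base))
    results["vt1 unzoned"] = fw.decide(vt1, lan)

    # Virtual-Template1 in OUTSIDE with only the usual INSIDE->OUTSIDE
    # zone-pair: there is no OUTSIDE->INSIDE pair, so LAN access is dropped
    # (the "cannot even ping the LAN interface" symptom).
    fw = ZoneFirewall(membership={**base, vt1: "OUTSIDE"},
                      zone_pairs={("INSIDE", "OUTSIDE")})
    results["vt1 in OUTSIDE, no zone-pair"] = fw.decide(vt1, lan)

    # Virtual-Template1 in INSIDE: intra-zone, permitted without inspection.
    fw = ZoneFirewall(membership={**base, vt1: "INSIDE"},
                      zone_pairs={("INSIDE", "OUTSIDE")})
    results["vt1 in INSIDE"] = fw.decide(vt1, lan)

    # Alternative (assumption, not tried in the thread): keep the tunnel in
    # OUTSIDE and add an OUTSIDE->INSIDE zone-pair with an inspect policy,
    # so VPN traffic is permitted but also stateful-inspected.
    fw = ZoneFirewall(membership={**base, vt1: "OUTSIDE"},
                      zone_pairs={("INSIDE", "OUTSIDE"), ("OUTSIDE", "INSIDE")})
    results["vt1 in OUTSIDE, zone-pair OUTSIDE->INSIDE"] = fw.decide(vt1, lan)
    return results


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:45s} {verdict}")
```

The model makes the trade-off in the accepted answer explicit: placing the tunnel in INSIDE works because intra-zone traffic is permitted by default, which also means it bypasses inspection and relies on the EzVPN authentication alone; the zone-pair alternative keeps the VPN users on the outside and applies the inspect policy to them.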
07-12-2012 10:17 AM
Thank you so much for your support Julio.
Regards,
Tony
07-12-2012 10:29 AM
Hello Tony,
My pleasure,
Regards
Julio
07-11-2012 03:08 AM
Hi Julio,
Since the "aes-256-cbc" cipher can't be used anymore if security is needed (any production-grade network?) (see for example http://lwn.net/Articles/307873/) and RFC 4344, which addresses and solves the issue (using "ctr" instead of the "cbc" cipher), isn't implemented in IOS today, what would you recommend doing:
- switch to sshv1 using 3des
- switch to telnet and use vpn-client/ezvpn to provide encryption
any better idea?
Cheers,
//Ronald
07-11-2012 06:40 AM
Hello Ronald,
You might want to take a look at the following bug CSCsx30944
http://tools.cisco.com/squish/b1Cc1
So, as you already said, implementing the CTR cipher instead of CBC on an IOS router is not an option.
Of the two options you point out, I would say that implementing SSHv1 is the easiest of the two (it offers encryption, but it can be reversible, so it also has some vulnerabilities).
Now, talking about the EzVPN option, it would require way more administration, but it will provide more security, so I would choose that one if this were my case (we are trying to get rid of a vulnerability, and by using this option we can make it happen).
Hope this helps,
Julio
07-11-2012 07:41 AM
Hi Julio, thank you for the very quick answer!
Do you know, for the case that SSHv1/3DES is an option, if there's a possibility to specify (decrease) the "key-lifetime" to increase the SSH 3DES security, like we've done in IPsec VPNs when AES wasn't available?
I didn't find anything on the web about how to fine-tune the IOS SSH daemon regarding the cipher suites used.
Since there is no official "security advisory" and the Bug mentions "Workaround: None", are there some best practices beyond "config)# ip ssh version 1"?
Best Regards,
//Ronald
07-11-2012 07:52 AM
Hello Ronald,
Since there is no official "security advisory" and the Bug mentions "Workaround: None", are there some best practices beyond "config)# ip ssh version 1"?
A/ No, given the low probability of this being successfully exploited.
Do you know, for the case that SSHv1/3DES is an option, if there's a possibility to specify (decrease) the "key-lifetime" to increase the SSH 3DES security, like we've done in IPsec VPNs when AES wasn't available?
A/ No, there are only a few commands to tune SSH parameters:
ip ssh time-out 60
ip ssh authentication-retries 2
You will need to re-generate the RSA key manually.
Regards,
07-12-2012 08:47 PM
Hi Julio
I have a quick question regarding ZBFW running on the ASR platform. I have an asr1001-universalk9.03.06.01.S.152-2.S1 version and I'm trying to configure SMTP inspection. I have found information but I'm not sure if I'm on the correct path.
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
Restrictions for Zone-Based Policy Firewall
• Application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE software.
Layer 3 and Layer 4 Class Maps and Policy Maps
Supported Protocols
The following protocols are supported:
• FTP
• H.323
• ICMP
• Lightweight Directory Access Protocol (LDAP)
• LDAP over Transport Layer Security/Secure Socket Layer (LDAPS)
• Real-time Streaming Protocol (RTSP)
• Session Initiation Protocol (SIP)
• SCCP (Skinny Client Control Protocol)
• TCP
• TFTP
• UDP
Then I got
http://www.cisco.com/en/US/partner/hmpgs/index.html
Cisco IOS XE 3S Release Notes Release 3.2S Features and Important Notes
New Software Features in Cisco IOS XE Release 3.2.0S
Application Inspection and Control for SMTP
The Application Inspection for SMTP feature provides an intense provisioning mechanism that can be configured to inspect packets on a granular level so that malicious network activity, related to the transfer of e-mail at the application level, can be identified and controlled. This feature qualifies the Cisco IOS firewall extended Simple Mail Transfer Protocol (ESMTP) module as an "SMTP application firewall," which protects in a similar way to that of an HTTP application firewall.
For more information, see the following document:
If I go to the last link I'm getting
Networking Software (IOS & NX-OS)
Application Inspection and Control for SMTP
So at this point it is talking about regular IOS and NX-OS but not IOS-XE. So I think that statement "Application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE software." still applies, right?
I have this configuration but I'm not able to get SMTP inspection working.
class-map type inspect match-any InspProtocol
match protocol http
match protocol https
match protocol smtp
match protocol ftp
match protocol dns
match protocol icmp
match protocol ntp
match protocol isakmp
match protocol ssh
match protocol tcp
match protocol udp
policy-map type inspect PInspect
class type inspect InspProtocol
inspect
class class-default
pass log
I just want to inspect specific traffic and permit the rest.
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-to-Out-ZONE source INSIDE destination OUTSIDE
service-policy type inspect PInspect
interface GigabitEthernet0/0/0
description Red Interna
ip address 192.168.100.1 255.255.255.0
ip access-group privated in
ip nat inside
ip virtual-reassembly
zone-member security INSIDE
interface GigabitEthernet0/1/1
bandwidth 8192
ip address x.x.x.x
ip access-group antispoofing in
ip access-group monitoreo out
ip nat outside
ip flow ingress
ip virtual-reassembly
zone-member security OUTSIDE
speed 1000
no negotiation auto
crypto map VPNs-Internet
hold-queue 4096 in
sh policy-map type inspect zone-pair sessions
Zone-pair: IN-to-Out-ZONE
Service-policy inspect : PInspect
Class-map: InspProtocol (match-any)
Match: protocol http
Match: protocol https
Match: protocol smtp
Match: protocol ftp
Match: protocol dns
Match: protocol icmp
Match: protocol ntp
Match: protocol isakmp
Match: protocol ssh
Match: protocol tcp
Match: protocol udp
Inspect
Half-open Sessions
Session 1920248 (192.168.100.6:1115)=>(200.x.x.x:25) smtp SIS_OPENING
Created 00:00:18, Last heard 00:00:18
Bytes sent (initiator:responder) [0:0]
Session 1920294 (192.168.100.6:1247)=>(174.x.x.x:25) smtp SIS_OPENING
Created 00:00:23, Last heard 00:00:23
Bytes sent (initiator:responder) [0:0]
Session 19202E0 (192.168.100.6:1220)=>(193.x.x.x:25) smtp SIS_OPENING
Created 00:00:12, Last heard 00:00:03
Thanks in advance
07-13-2012 05:41 AM
Hello Mario,
That is correct, Application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE software.
You will not be able to inspect the SMTP protocol.
You can inspect it, but at Layer 3 and 4, based on an ACL:
ip access-list e SMTP
permit tcp any any eq 25
class-map type inspect SMTP
match access-group name SMTP
policy-map type inspect PInspect
class type inspect SMTP
inspect
class type inspect InspProtocol
inspect
class class-default
pass log
Then you can remove the "match protocol smtp" line from the class InspProtocol.
Regards,
Julio
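Whether the change to ACL-based Layer 3/4 inspection helps shows up in the same "show policy-map type inspect zone-pair sessions" output Mario posted: SMTP sessions should move from the half-open list into established sessions with bytes flowing back from the responder. The following is an added example, not code from the thread or from Cisco, that parses that output, counts sessions per protocol and state, and flags sessions that stay half-open with nothing received from the responder. The sample output is constructed (documentation addresses, made-up session IDs) in the shape of the thread's output; it assumes that SIS_OPENING denotes a half-open session and SIS_OPEN an established one.

```python
# Added example (not from the thread): parse the output of
# "show policy-map type inspect zone-pair sessions" and flag sessions that
# stay half-open, which is what the SMTP sessions in the thread were doing.
# Assumption: SIS_OPENING denotes a half-open (handshake not completed)
# session and SIS_OPEN an established one.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SESSION_RE = re.compile(
    r"Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<initiator>[^)]+)\)=>\((?P<responder>[^)]+)\)\s+"
    r"(?P<protocol>\S+)\s+(?P<state>SIS_\w+)"
)
TIMES_RE = re.compile(r"Created\s+(?P<created>[\d:]+),\s+Last heard\s+(?P<last>[\d:]+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\)\s+\[(?P<i>\d+):(?P<r>\d+)\]")

# Constructed sample output (documentation addresses, made-up session IDs),
# shaped like the thread's output: two established sessions, two half-open.
SAMPLE_OUTPUT = """\
Zone-pair: IN-to-Out-ZONE
Service-policy inspect : PInspect
  Class-map: InspProtocol (match-any)
    Inspect
      Established Sessions
        Session 1A2B3C0 (192.168.100.10:51022)=>(198.51.100.20:80) http SIS_OPEN
          Created 00:01:05, Last heard 00:00:02
          Bytes sent (initiator:responder) [512:2048]
        Session 1A2B3D0 (192.168.100.6:1301)=>(203.0.113.25:25) smtp SIS_OPEN
          Created 00:00:40, Last heard 00:00:05
          Bytes sent (initiator:responder) [120:340]
      Half-open Sessions
        Session 1A2B3E0 (192.168.100.6:1115)=>(203.0.113.30:25) smtp SIS_OPENING
          Created 00:00:18, Last heard 00:00:18
          Bytes sent (initiator:responder) [0:0]
        Session 1A2B3F0 (192.168.100.6:1247)=>(203.0.113.31:25) smtp SIS_OPENING
          Created 00:00:23, Last heard 00:00:23
"""


def _to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_sessions(show_output: str) -> List[dict]:
    """Return one dict per session; the timing and byte lines that follow a
    session header are attached to it (missing lines stay None)."""
    sessions: List[dict] = []
    current: Optional[dict] = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = SESSION_RE.search(line)
        if m:
            current = {**m.groupdict(), "created": None, "last_heard": None, "bytes": None}
            sessions.append(current)
            continue
        if current is None:
            continue
        m = TIMES_RE.search(line)
        if m:
            current["created"] = m["created"]
            current["last_heard"] = m["last"]
            continue
        m = BYTES_RE.search(line)
        if m:
            current["bytes"] = (int(m["i"]), int(m["r"]))
    return sessions


def summarize(sessions: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count sessions per (protocol, state), e.g. ('smtp', 'SIS_OPENING')."""
    return Counter((s["protocol"], s["state"]) for s in sessions)


def stuck_half_open(sessions: List[dict], protocol: str, min_age_s: int = 10) -> List[str]:
    """IDs of `protocol` sessions still SIS_OPENING after `min_age_s` seconds
    with no bytes back from the responder: the signature of a handshake the
    firewall never saw complete."""
    stuck: List[str] = []
    for s in sessions:
        if s["protocol"] != protocol or s["state"] != "SIS_OPENING":
            continue
        age = _to_seconds(s["created"]) if s["created"] else 0
        responder_bytes = s["bytes"][1] if s["bytes"] else 0
        if age >= min_age_s and responder_bytes == 0:
            stuck.append(s["sid"])
    return stuck


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for key, n in sorted(summarize(parsed).items()):
        print(f"{key[0]:6s} {key[1]:12s} {n}")
    print("stuck smtp sessions:", stuck_half_open(parsed, "smtp"))
```

Run it against the real command output pasted from the router instead of SAMPLE_OUTPUT; a non-empty result from stuck_half_open for smtp after the ACL-based class is in place points to something other than the Layer 7 inspection gap (routing, NAT, or the remote server) blocking the handshake.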