Saturday, January 30, 2010

Auth-proxy on Cisco IOS

Here's a simple lab to test a basic auth-proxy configuration on IOS.
The goal of this lab is to get auth-proxy configured on R1, so that when the client tries to establish an HTTP session to the web server (10.0.0.111, which also happens to be the AAA/ACS server in my scenario) it will have to authenticate before it can access the server (as in the CCIE Security lab, I won't be covering basic connectivity configs).

Here's a breakdown of the tasks we have to do in order to accomplish this:
1- Configure AAA on the router, and make the required configurations on the ACS
2- Configure http server on the router
3- Configure auth-proxy
4- Apply auth proxy to the interface

Now let's go about it point by point:

1- AAA

For auth-proxy to work the router must receive an auth-proxy ACL from the ACS server. For this to work using ACS and TACACS+ you will have to configure the TACACS+ interface and add a new service to it, as shown in the picture below:

After you have configured the interface, you must configure the group that you will be using for auth-proxy with custom attributes for auth-proxy; the attributes are actually the ACL that the router will receive upon successful authentication of a user for the auth-proxy service:
Now that we've configured the ACS side (I'm skipping the basics like configuring clients, key and users), let's move on to the router.
R1(config)# aaa new-model
R1(config)# tacacs-server host 10.0.0.111 key 1234
R1(config)# aaa authentication login default group tacacs+

Take care not to lock yourself out :-)

2- Configure http server on the router

R1(config)# ip http server
R1(config)# ip http authentication aaa
R1(config)# ip http access-class 10

In my case I just configured ACL 10 to allow any host.

3- Configure auth-proxy

R1(config)# ip auth-proxy auth-cache-time 2
R1(config)# ip auth-proxy name teste_auth http

I set the inactivity timer (auth-cache-time) to 2 minutes.

4- Apply auth proxy to the interface

R1(config)# int fastEthernet 1/0
R1(config-if)# ip auth-proxy teste_auth

And now let's test it:

And we're done!

For more resources on auth proxy look at:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/iosfw2_1.html
http://www.wr-mem.com/?p=111

Saturday, January 23, 2010

Cisco IOS firewall CBAC

From Cisco's IOS Security Configuration Guide:
"CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall."
This is a simple example that you can build on:


For this example I'll apply the ACL and the inspection on the outside interface to allow telnet from R1 to R3 and deny all other TCP or UDP traffic; ICMP will be allowed in the ACL for connectivity testing purposes.

After the basic connectivity and routing is set up we need to set up the ACL to apply inbound on the outside interface of R2, which will look something like this:

R2(config)#ip access-list extended OUTSIDE_in
R2(config-ext-nacl)#10000 deny ip any any
R2(config-ext-nacl)#10 permit icmp any any echo-reply
R2(config-ext-nacl)#20 permit icmp any any time-exceeded
R2(config-ext-nacl)#30 permit icmp any any packet-too-big
R2(config-ext-nacl)#40 permit icmp any any unreachable

And apply it inbound on the outside interface:

R2(config)#int fa1/1
R2(config-if)#ip access-group OUTSIDE_in in

Now, testing the connectivity: pings from R1 to 10.0.0.3 (R3) should go through, but not from R3 to R1, and telnet from R1 to R3 should not be working yet (the return traffic from R3 is dropped by the ACL). To get telnet working we need to configure our inspect rule and apply it:

R2(config)#ip inspect name OUTSIDE_inspect telnet

And apply it outbound on the outside interface:

R2(config)#int fa1/1
R2(config-if)#ip inspect OUTSIDE_inspect out

Now telnet should be working, and by using the debug commands "debug ip inspect object-creation" and "debug ip inspect object-deletion" the temporary objects created to permit the telnet return traffic should show up in the router's output (R2) something like this:

Jan 23 19:00:56.531: CBAC* OBJ_CREATE: Pak 65728BAC sis 65CCA99C initiator_addr (192.168.1.1:42057) responder_addr (10.0.0.3:23) initiator_alt_addr (192.168.1.1:42057) responder_alt_addr (10.0.0.3:23)
Jan 23 19:00:56.531: CBAC OBJ-CREATE: sid 660F56F4 acl OUTSIDE_in Prot: tcp
Jan 23 19:00:56.535: Src 10.0.0.3 Port [23:23]
Jan 23 19:00:56.535: Dst 192.168.1.1 Port [42057:42057]
Jan 23 19:00:56.535: CBAC OBJ_CREATE: create host entry 660E5690 addr 10.0.0.3 bucket 9 (vrf 0:0) insp_cb 0x66435074
Jan 23 19:00:56.767: CBAC OBJ_DELETE: delete host entry 660E5690 addr 10.0.0.3
R2#
Jan 23 19:01:04.959: CBAC OBJ_DELETE: delete sis 65CCA99C
Jan 23 19:01:04.959: CBAC OBJ-DELETE: sid 660F56F4 on acl OUTSIDE_in Prot: tcp
Jan 23 19:01:04.959: Src 10.0.0.3 Port [23:23]
Jan 23 19:01:04.959: Dst 192.168.1.1 Port [42057:42057]
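To make the debug output above concrete, here is an added Python example (not from the original post and not Cisco code) that parses the OBJ-CREATE/OBJ-DELETE events into the temporary openings CBAC punches into OUTSIDE_in and checks whether a given returning packet matches a still-open one; the sample lines are constructed after the output above, with made-up ids and timestamps.

```python
import re

# Constructed sample modelled on the "debug ip inspect" output shown above
# (the sid, addresses and timestamps are made up for this example).
SAMPLE_DEBUG = """\
Jan 23 19:00:56.531: CBAC OBJ-CREATE: sid 660F56F4 acl OUTSIDE_in Prot: tcp
Jan 23 19:00:56.535: Src 10.0.0.3 Port [23:23]
Jan 23 19:00:56.535: Dst 192.168.1.1 Port [42057:42057]
Jan 23 19:01:04.959: CBAC OBJ-DELETE: sid 660F56F4 on acl OUTSIDE_in Prot: tcp
Jan 23 19:01:04.959: Src 10.0.0.3 Port [23:23]
Jan 23 19:01:04.959: Dst 192.168.1.1 Port [42057:42057]
"""

HDR = re.compile(r"CBAC OBJ-(CREATE|DELETE): sid (\w+) (?:on )?acl (\S+) Prot: (\w+)")
SRC = re.compile(r"Src (\S+) Port \[(\d+):(\d+)\]")
DST = re.compile(r"Dst (\S+) Port \[(\d+):(\d+)\]")

def parse_events(text):
    """Turn each OBJ-CREATE/OBJ-DELETE header plus its Src/Dst lines into a dict."""
    events, cur = [], None
    for line in text.splitlines():
        if m := HDR.search(line):
            cur = {"event": m[1], "sid": m[2], "acl": m[3], "proto": m[4]}
        elif cur and (m := SRC.search(line)):
            cur["src"], cur["sport"] = m[1], (int(m[2]), int(m[3]))
        elif cur and (m := DST.search(line)):
            cur["dst"], cur["dport"] = m[1], (int(m[2]), int(m[3]))
            events.append(cur)   # the Dst line closes one object
            cur = None
    return events

def live_openings(events):
    """Replay the events and return the temporary openings still present."""
    holes = {}
    for e in events:
        if e["event"] == "CREATE":
            holes[e["sid"]] = e
        else:
            holes.pop(e["sid"], None)
    return holes

def returning_packet_allowed(holes, acl, proto, src, sport, dst, dport):
    """True if a packet the static ACL would deny matches a live CBAC opening."""
    return any(h["acl"] == acl and h["proto"] == proto and h["src"] == src
               and h["dst"] == dst and h["sport"][0] <= sport <= h["sport"][1]
               and h["dport"][0] <= dport <= h["dport"][1]
               for h in holes.values())
```

Feeding it a longer capture from the same debugs shows which sessions are still holding openings at any point, which is a quick way to confirm that the temporary entries really disappear once the telnet session ends.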

More info: http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac_ps6441_TSD_Products_Configuration_Guide_Chapter.html