
CCIE Security Practice Labs

Section 6.0: IOS Firewall Configuration

6.1: CBAC

6.1.1: Basic CBAC Configuration

  1. Configure the IOS Firewall with basic ip inspect commands, inspecting TCP, UDP, and HTTP only. Apply the inspection rule outbound on the serial links, and apply an ingress (inbound) ACL on the same interfaces for filtering.

6.1.2: Firewall Filtering

  1. Apply an inbound ACL on the serial links that permits ICMP, OSPF, BGP, replies from the TACACS+ server, and Telnet to R2 from host 111.111.111.111.

  2. For anti-spoofing, run show ip route connected and deny, as source networks at the top of the ACL, every network it lists, so that packets arriving on a serial link cannot claim an address that belongs to one of R2's own subnets:

  3. r2#show access-lists 120
    Extended IP access list 120
     deny ip 12.12.12.0 0.0.0.255 any
     deny ip 122.122.122.0 0.0.0.255 any
     deny ip 10.50.22.0 0.0.0.15 any
     permit ospf any any (73740 matches)
     permit tcp any any eq bgp (29682 matches)
     permit tcp any eq bgp any (5155 matches)
     permit icmp any any (314 matches)
     permit tcp host 10.50.31.6 eq tacacs any (100 matches)
     permit tcp host 111.111.111.111 any eq telnet (636 matches) 
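
The complete R2 configuration that tasks 6.1.1 and 6.1.2 together call for, as an added example rather than the lab's own solution text. The inspection rule name FW, the interface names Serial0/0, Serial0/1 and FastEthernet0/0, and the sample show ip route connected output are assumptions; the ACL entries and the connected networks are the ones shown above.

```ios
! --- Added example; not from the original lab solution ---
! R2: CBAC inspection rule applied outbound on the serial links, ingress
! ACL applied inbound on the same links. Rule name FW and the interface
! names are assumptions.
!
! Step 1: derive the anti-spoofing denies from the connected routes.
! Sample output, constructed to match ACL 120 above:
!   r2#show ip route connected
!   C    12.12.12.0/24 is directly connected, Serial0/0
!   C    122.122.122.0/24 is directly connected, Serial0/1
!   C    10.50.22.0/28 is directly connected, FastEthernet0/0
! ACL wildcard = 255.255.255.255 minus the subnet mask:
!   /24 -> 0.0.0.255      /28 -> 0.0.0.15
!
! Step 2: inspection rule, tcp/udp/http only
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http
!
! Step 3: ingress ACL. Return traffic for sessions that CBAC inspected on
! the way out is admitted through dynamic entries CBAC adds to this ACL, so
! the static entries only need to cover unsolicited inbound traffic.
! Sessions the router itself originates (TACACS+, BGP, OSPF) are not
! inspected by CBAC, so their replies must be permitted explicitly.
access-list 120 deny   ip 12.12.12.0 0.0.0.255 any
access-list 120 deny   ip 122.122.122.0 0.0.0.255 any
access-list 120 deny   ip 10.50.22.0 0.0.0.15 any
access-list 120 permit ospf any any
access-list 120 permit tcp any any eq bgp
access-list 120 permit tcp any eq bgp any
access-list 120 permit icmp any any
access-list 120 permit tcp host 10.50.31.6 eq tacacs any
access-list 120 permit tcp host 111.111.111.111 any eq telnet
! (implicit deny ip any any)
!
! Step 4: inspection outbound, ACL inbound, on each serial link
interface Serial0/0
 ip inspect FW out
 ip access-group 120 in
!
interface Serial0/1
 ip inspect FW out
 ip access-group 120 in
!
! Verification
! show ip inspect config       - rule FW plus global timers and thresholds
! show ip inspect interfaces   - where FW and ACL 120 are applied
! show ip inspect sessions     - sessions currently allowed back in
! show access-lists 120        - hit counts on the static entries
```

The order of the deny entries matters: they sit above every permit so that a spoofed packet claiming an R2 subnet as its source is dropped before the permit icmp or permit ospf lines can match it. Check that show ip inspect sessions shows established sessions after a Telnet or HTTP connection is started from inside; if it is empty, the rule is applied in the wrong direction.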

6.1.3: Advanced CBAC Configuration

  1. Configure the per-host TCP embryonic (half-open) connection limit as follows. With this command CBAC keeps at most 200 half-open TCP sessions to any one destination host; block-time 0 means that, once the limit is reached, the oldest half-open session is deleted for each new connection attempt rather than all new connections to that host being refused for a period of time:

  2. ip inspect tcp max-incomplete host 200 block-time 0
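
The half-open (embryonic) session controls that the command above belongs to, as an added example and not part of the lab solution. Only the tcp max-incomplete host 200 block-time 0 line comes from the lab; the aggregate, rate-based, and SYN-wait values below are illustrative settings chosen to show the full set of knobs.

```ios
! --- Added example; not from the original lab solution ---
! CBAC half-open TCP session controls on R2. Only the
! "tcp max-incomplete host 200 block-time 0" line is from the lab; the
! other values are illustrative.
!
! Per-destination-host limit. Above 200 half-open TCP sessions to one
! host, CBAC deletes the oldest half-open session for each new SYN to that
! host. block-time 0 = do not block new connections; block-time N would
! refuse all new connections to that host for N minutes after the limit
! is crossed.
ip inspect tcp max-incomplete host 200 block-time 0
!
! Aggregate limit across all hosts. When the total number of half-open
! sessions rises above "high", CBAC deletes half-open sessions to make room
! for new ones and keeps doing so until the count falls below "low".
! Defaults are high 500 / low 400; tightened here for illustration.
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
!
! Rate-based limit: the same high/low logic applied to the number of new
! half-open sessions seen per minute (defaults high 500 / low 400).
ip inspect one-minute high 400
ip inspect one-minute low 300
!
! How long CBAC waits for a three-way handshake to complete before it
! gives up on the half-open session (default 30 seconds).
ip inspect tcp synwait-time 15
!
! Verification
! show ip inspect config     - shows all of the thresholds above
! show ip inspect sessions   - half-open sessions appear as SIS_OPENING
```

When a threshold is crossed CBAC logs %FW-4-ALERT_ON (aggregate and one-minute limits) or %FW-4-HOST_TCP_ALERT_ON (per-host limit) and %FW-4-ALERT_OFF when it falls back below the low watermark, so those messages are what to look for in syslog when tuning these values against real traffic.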

6.2: Intrusion Detection System (IDS)

6.2.1: Basic IDS Configuration

  1. Configure basic IDS on R4 using the ip audit command set. The first example that follows is the IDS configuration; the second is the syslog message generated when a signature fires on detected traffic.

  2. NOTE: Communication between the IOS IDS and the Director takes place on UDP port 45000.

    ip audit name lab1 info action alarm
    ip audit name lab1 attack action alarm
    !
    interface FastEthernet2/0
     ip address 10.10.45.4 255.255.255.0
     ip audit lab1 in
     ip audit lab1 out
     duplex half
    
    
    6d23h: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from 10.10.45.5 to 10.10.45.4

6.2.2: Signature Tuning

  1. If the IDS on R4 generates false-positive alarms for host 10.50.16.5, disable signature 3050 for that host only rather than for everyone. The standard ACL referenced by ip audit signature ... list exempts the hosts it denies from that signature; hosts it permits continue to be audited. The following example demonstrates this tuning on R4:

  2. ip audit signature 3050 list 5
    !
    access-list 5 deny 10.50.16.5
    access-list 5 permit any

6.2.3: Spam Attack

  1. Configure R4 to protect against SMTP mail spamming with the following command, which sets the number of recipients a single mail message may carry before the spam signature fires to 500 (the default is 250):

  2. ip audit smtp spam 500
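
The R4 IDS configuration with sections 6.2.1 through 6.2.3 combined, as an added example and not the lab's own solution text. The audit rule name lab1, the interface, the signature 3050 exclusion list, and the spam threshold are from the lab; the drop/reset actions on attack signatures, the syslog notification line, and the event-queue size are illustrative additions.

```ios
! --- Added example; not from the original lab solution ---
! R4 IOS IDS (ip audit). Items marked "illustrative" are not in the lab.
!
! Where alarms are sent. This lab relies on syslog, not on a Director
! (Director delivery would use "ip audit notify nr-director" plus the
! "ip audit po ..." Post Office settings, which talk on UDP 45000).
ip audit notify log
! Maximum queued events before old ones are discarded (illustrative).
ip audit po max-events 250
!
! Mail spam signature (3106) fires when one message carries more than
! this many recipients; default is 250.
ip audit smtp spam 500
!
! Audit rule. Informational signatures alarm only (from the lab); attack
! signatures alarm and, illustratively, also drop the packet and reset the
! TCP session. "reset" only has an effect on TCP-based signatures.
ip audit name lab1 info action alarm
ip audit name lab1 attack action alarm drop reset
!
! Per-signature tuning. Hosts DENIED by the standard ACL are exempt from
! signature 3050; hosts PERMITTED are still audited. To turn a signature
! off for everyone instead, use "ip audit signature 3050 disable".
ip audit signature 3050 list 5
access-list 5 deny 10.50.16.5
access-list 5 permit any
!
! Apply the rule in both directions on the audited interface.
interface FastEthernet2/0
 ip address 10.10.45.4 255.255.255.0
 ip audit lab1 in
 ip audit lab1 out
!
! Verification
! show ip audit configuration  - rules, actions, notify target, signature ACLs
! show ip audit interfaces     - which rule is applied per interface/direction
! show ip audit statistics     - per-signature hit counts and packets audited
```

After applying this, the log line shown in 6.2.1 (%IDS-4-ICMP_FRAGMENT_SIG for signature 2150) should still appear for fragmented ICMP from 10.10.45.5, since that is an informational signature and its action is unchanged; signature 3050 events from 10.50.16.5 should no longer appear, while the same events from any other source should.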