Section 6.0: IOS Firewall Configuration
6.1.1: Basic CBAC Configuration
Configure basic IOS Firewall ip inspect commands and inspect tcp/udp/http only. Apply inspect outbound on serial links and ingress ACL for filtering.
6.1.2: Firewall Filtering
Inbound ACL on serial links, permit ICMP, OSPF, BGP, and replies from tacacs+ server and host 18.104.22.168 to be able to Telnet to R2.
For anti-spoofing, do a show ip route connected. Whichever networks are listed should be denied in the ACL for source network:
r2#show access-lists 120 Extended IP access list 120 deny ip 22.214.171.124 0.0.0.255 any deny ip 126.96.36.199 0.0.0.255 any deny ip 10.50.22.0 0.0.0.15 any permit ospf any any (73740 matches) permit tcp any any eq bgp (29682 matches) permit tcp any eq bgp any (5155 matches) permit icmp any any (314 matches) permit tcp host 10.50.31.6 eq tacacs any (100 matches) permit tcp host 188.8.131.52 any eq telnet (636 matches)
6.1.3: Advanced CBAC Configuration
Configure TCP embryonic (half-open) connections as follows:
ip inspect tcp max-incomplete host 200 block-time 0
6.2: Intrusion Detection System (IDS)
6.2.1: Basic IDS Configuration
Configure basic IDS on R4 using the ip audit command set. Use the first example that follows to configure IDS, and use the second example for logs generated when you detect an attack/signature.
Note that communication between IDS and Director is on UDP port 45000.
ip audit name lab1 info action alarm ip audit name lab1 attack action alarm ! interface FastEthernet2/0 ip address 10.10.45.4 255.255.255.0 ip audit lab1 in ip audit lab1 out duplex half 6d23h: %IDS-4-ICMP_FRAGMENT_SIG: Sig:2150:Fragmented ICMP Traffic - from 10.10.45.5 to 10.10.45.4
6.2.2: Signature Tuning
If you receive false positive alarms from the IDS on R4, you need to disable signature 3050 for host 10.50.16.5 on R4. The following example demonstrates tuning IDS signatures on R4:
ip audit signature 3050 list 5 ! access-list 5 deny 10.50.16.5 access-list 5 permit any
6.2.3: Spam Attack
Configure R4 protection against SMTP mail spamming using the following command:
ip audit smtp spam 500