Design Question 1

Status
Not open for further replies.

STF26

IS-IT--Management
Dec 9, 2003
130
US
We have a client that has a Cisco 3725 for the internet router. The router has two connections to the internet that are hosted by different ISPs. The router runs BGP for load balancing and failover. The client has a Class C block of outside IPs and has assigned every computer, server and printer one of these outside IPs. I know that this was popular a few years ago but I feel that it is a security flaw. The router has ACLs that deny all traffic except what they want to pass; however, I do not feel that this is the most secure solution. I would rather see a dedicated firewall and a trusted / DMZ type design. From the way that I see the design, the client has no IDS capability nor stateful packet inspection. I know that some of the newer IOS builds have more powerful firewall capabilities. Not sure what version the router is on currently. I assume that the client has the firewall feature set because they have existing IPsec tunnels. My suggestion would be to protect the LAN computers and critical servers behind some NAT and IDS, then put the machines that offer up outside services in the DMZ. Can anyone comment? Thanks

Thanks
 
You are right, the best approach would be a network with a DMZ protected by a dedicated stateful firewall and IDS sensors deployed in strategic places.

However, if budget doesn't allow this setup, Cisco routers can be upgraded to an IOS version that has firewall and IDS capabilities as well as IPSec. The IOS feature set is "IP/FW/IDS PLUS IPSEC 3DES" and you can determine it from the IOS image name because it always has the keywords "ik9o3s" as part of the name.

The firewall is stateful and the built-in IDS is pretty basic; the downside is you cannot update the signatures unless they are updated in a new IOS release. However, there is an IDS module (NM-CIDS-K9) that you can install on the 3700 routers, and you can update the signatures as well as manage the IDS using a variety of management software such as CiscoWorks VPNMS. This module has a dedicated CPU which frees the router's CPU from process-intensive IDS tasks, hence preventing an overload on the router.

If you are running IPSec tunnels you can also install an AIM-VPN module, helping the router's CPU with the encryption burden.

As you have stated, using NAT on the router for your internal network provides an extra layer of security and it is the way to go.
 
Thanks for your reply!

After evaluating the configuration, I did not see any IP audit commands or, for that matter, any commands that would suggest stateful packet inspection. Do you think that you could use a spoof attack to get around the current ACL-based firewall configuration? I also did not notice any ACLs that would apply to UDP traffic, plus some stale ACLs. I have to confirm the IOS version on the firewall tomorrow.

Thanks again!
 
Well, since normal ACLs deny or permit traffic based on the source and destination address of the packet, IP spoofing can be an effective method for initiating attacks. The IOS firewall (IP/FW/IDS PLUS IPSEC 3DES feature set) has a feature that can help you mitigate source address spoofing by checking that a packet's return path uses the same interface it arrives on. This feature is configured with the command:

ip verify unicast reverse-path

and it is applied to the interface where you want to enable this anti-spoofing feature.
 
Most firewalls like Check Point allow you to specify, in Global Properties, non-addressable IP ranges, which means that apart from the RFC1918 ranges, you could specify the leased public range here; then they would be blocked by default, so there is no need to have rules doing it, for added security. Our client has an entire Class A public address range :( and they have not implemented NAT for political and cost reasons. This is a process we implement, as if a hacker can reach your network via a dialup modem or other unmanaged backdoor, all targets are accessible.
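Pulling together the two replies above (the uRPF command, and blocking your own public range at the edge), here is an added example of what the ISP-facing side of an IOS edge router with the IP/FW/IDS feature set could look like. It is not configuration from the thread or from the client's router: the interface names, the ACL names, the public block 203.0.113.0/24, the inside LAN 192.168.10.0/24 and the link addresses are all assumed placeholders. One caveat the thread does not mention: on a router with two ISPs and BGP, return traffic is often asymmetric, so strict uRPF (`ip verify unicast reverse-path`) on the outside interfaces can drop legitimate packets; loose mode (`reachable-via any`) still discards sources with no route at all and is the safer choice there, while strict mode is fine on the stub LAN interface.

```cisco
! Added example, not from the original thread. All names and addresses
! below are placeholders; adapt them to the real topology.
!
! uRPF needs CEF switching to be enabled.
ip cef
!
! CBAC stateful inspection: outbound sessions are tracked and only their
! return traffic is admitted through the inbound ACL on the outside interfaces,
! instead of relying on static permit entries for every reply.
ip inspect name FW tcp
ip inspect name FW udp
!
! Ingress filter for both ISP-facing interfaces: drop sources that can never
! legitimately arrive from the Internet (RFC1918, loopback and, as the
! Check Point reply suggests, the client's own public block), then permit
! only the published DMZ services. Everything else is logged and dropped.
ip access-list extended FROM-INTERNET
 remark --- sources that are spoofed by definition ---
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark --- published services on DMZ hosts (placeholders) ---
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.20 eq smtp
 deny   ip any any log
!
interface Serial0/0
 description ISP-A (placeholder)
 ip address 198.51.100.2 255.255.255.252
 ip access-group FROM-INTERNET in
 ip nat outside
 ! Loose-mode uRPF: safe with asymmetric BGP return paths, still drops
 ! sources that have no route in the FIB at all.
 ip verify unicast source reachable-via any
 ip inspect FW out
!
interface Serial0/1
 description ISP-B (placeholder)
 ip address 198.51.100.6 255.255.255.252
 ip access-group FROM-INTERNET in
 ip nat outside
 ip verify unicast source reachable-via any
 ip inspect FW out
!
interface FastEthernet0/0
 description Inside LAN, private addresses behind NAT (placeholder)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ! Strict uRPF is appropriate on a stub LAN: only 192.168.10.0/24 lives here,
 ! so a packet with any other source on this interface is spoofed.
 ip verify unicast reverse-path
!
! Overload NAT for the LAN hosts; DMZ hosts keep their public addresses.
! Shown for one ISP link only; translating on both uplinks needs route-map
! based NAT, which is outside the scope of this example.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
```

To check that the filters are doing something after deployment, `show ip access-lists FROM-INTERNET` shows per-entry hit counts, `show ip interface Serial0/0` reports the uRPF drop counter for the interface, and `show ip inspect sessions` lists the sessions CBAC is currently tracking.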
 