
Introduction to Firewalls using Cisco ACLs

The goal of this lab is to implement a hardware firewall solution using the access control lists on a Cisco 2500 series router. You will need to turn in a hard copy of your running-config file FOR EACH SCENARIO for this assignment. NOTE: The scenarios will require some router configurations that were presented in the Cisco IOS presentation, so please download it and review it if you have any questions. Google is still your friend! While not required, it helps if you draw a topology diagram for the assignment scenarios so you can visualize the network.

Preparing the Router

The two most popular methods that network engineers use to connect to a Cisco router are via the Console Port and via Telnet.

1. Connecting locally via the Console Port requires an RJ-45 rollover cable and an RJ-45 to DB9 serial adapter. Due to the lack of availability of rollover cables from the Systems Group, we cannot use this method of connection.

2. Connecting remotely via Telnet requires that the router be set up to receive Telnet connections, as it does not do so out of the box. There will be one rollover cable that we will use to set up each router to receive Telnet connections. To set up the Cisco router to receive connections you must:

   a. Connect the RJ-45 end of the rollover cable to the CONSOLE port on the Cisco router and connect the DB9 end to the serial port on your Windows machine.
   b. Plug the AUI into eth0 and assign an IP to eth0. You may now bring up the interface.
      i. The command ip address 10.0.0.1 255.255.255.0 when in interface-configuration mode will assign the IP address 10.0.0.1 with a 255.255.255.0 subnet mask to the interface.
      ii. The command no shutdown when in interface-configuration mode will bring up an interface.
   c. Assign a password to vty connections 0 through 4 and require password verification at login (choose your own password). This will activate Telnet on the router.
   d. Assign eth0 of your Windows machine an IP address on the same subnet as eth0 of the Cisco router. Make sure that the default gateway of the Windows machine is the IP address of eth0 on the Cisco router.
   e. Plug one end of the crossover CAT5e cable into the AUI and plug the other end into your Windows machine's eth0.
   f. Test your Telnet connection.

If Telnet is insecure, why does Cisco still support Telnet as its default remote console protocol? Describe a network topology that would secure the Telnet session as much as possible if one had to Telnet to the router from within the LAN. What about if one had to Telnet to the router from over a WAN? What about if one had to Telnet to the router from over the Internet?

Basic Cisco Router Setup and Lockdown

Now you will be setting up the remaining router parameters and locking down the Cisco router (this is to get you used to the IOS interface).

1. Make the router's hostname your team name.
2. Set the console password to one of your choosing.
3. Set the enable password to one of your choosing.
4. Set the enable secret password to one of your choosing.
5. Prevent login on line aux 0.
6. Save the running-config to the startup-config, restart the router and make sure your router does all that it should.

Cisco ACL Examples

Recall from lecture that for IP there are two forms of access lists, standard and extended. Since the extended ACLs are far more versatile, you will only have to write extended ACLs. Because the format of extended ACLs is different for each protocol, here are some examples. (Recall that you must be in Global Configuration mode to write the ACLs, and then you must apply the ACL to a specific interface.)

To create an ACL with a number of 101 that will deny telnet traffic originating from network 192.168.10.0 and destined for network 192.168.11.0:

    access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 eq telnet

To create an ACL with a number of 102 that will allow SSH traffic originating from a single host 192.168.10.11 and destined for network 192.168.11.0:

    access-list 102 permit tcp host 192.168.10.11 192.168.11.0 0.0.0.255 eq 22

Notice that in both examples, only the destination port is matched. While you could also match on the source port, it is possible to change the source port of a service, so such an ACL could be circumvented. If you specified a source port range of 0-65535, this would be the same as omitting the source port altogether, as it would apply to all source ports, so the router would effectively enforce only the destination port.

REMEMBER THAT AT ANY TIME WHEN BUILDING ACCESS LISTS YOU MAY ADD THE ? WILD CARD AND THE IOS WILL TELL YOU WHICH OPTIONS YOU MAY USE AT THAT LOCATION.

IMPORTANT NOTE!!! DO NOT GLANCE OVER THIS!!! REMEMBER THAT YOU WILL BE WORKING VIA TELNET SESSION OVER ETHERNET 0. IF YOU MAKE CHANGES TO THE IP ADDRESS OF E0, YOU MUST CHANGE THE IP ADDRESS OF YOUR WINDOWS MACHINE SO IT REMAINS ON THE SAME SUBNET AS E0!!!

Assignment Scenarios

1. You are setting up a router in Miami that will be connected via leased line (T-1) on serial 0 to a router in New York. Both New York and Miami only have a single LAN (yours is connected via eth1). The Miami router is the DCE and the New York router is the DTE. The IP configuration is as follows:

   a. New York S0 is 172.16.1.1 255.255.255.252, Miami S0 is 172.16.1.2 255.255.255.252.
   b. New York LAN is 172.16.2.0 255.255.255.0, Miami LAN is 172.16.3.0 255.255.255.0.
   c. Network traffic should be controlled as follows:
      i. Permit ICMP traffic from New York and Miami.
      ii. Deny all telnet traffic.
      iii. Permit ssh traffic to your Unix Server located at 172.16.3.20.
      iv. Permit file sharing traffic to the Windows servers located at 172.16.3.21, 172.16.3.22, 172.16.2.20, and 172.16.2.21.
      v. Permit Remote Desktop traffic to the Windows 2003 servers located at 172.16.2.20, 172.16.2.21, 172.16.3.21, and 172.16.3.22.

2. Write the set of firewall rules for each of the routers, in order to implement the specified policies (notice that this is almost identical to the previous lab's scenario):

Visibility Rules:
- The machine named Net monitor should be visible to no machine, except to a single administrative machine in the general Intranet, on TCP port 8080.
- The machine labeled www server is the server for the outside world. It should be visible to Internet users and the www proxy server only on TCP ports 80/443 and to the administrative machine on TCP port 8080. No other access allowed.
- The general servers (www proxy server, mail server, and print server) are visible on their respective TCP ports (80, 25, 8000) to machines in the Intranet only. All of them are administered via TCP port 8080 from the admin machine.
- The servers located on the Intranet are accessible on TCP port 8000 to machines in the Intranet and on TCP port 8080 for administration by the admin machine. Since they now reside on the same subnet, plan accordingly (DO NOT MAKE UNNECESSARY RULES).
- Internet hosts are visible from the DMZ, but not from the Intranet or the LANs, except that external web servers (TCP port 80) are visible to the www proxy server and external mail servers (port 25) are visible to the mail server.
- Traffic coming from the Internet to the DMZ is only filtered if it has addresses valid in the internal networks.
- The www server has IP address 123.123.123.1.
- The net monitor has IP address 123.123.123.2.
- The Intranet is a class B private network, 192.168.0.0/16.
- The general servers LAN is a class B private network, 10.10.0.0/16, with the internal router having an IP address of 10.10.0.1 (on Ethernet 1).
- The internal router has IP address 123.123.123.3 (on serial 1, which serves as the DTE) in the DMZ, which it uses for address translation, representing both the www proxy server and the mail server when their requests go into the Internet.
- The internal router has IP address 192.168.0.1 (on Ethernet 0) in the internal network for administration by the admin machine (TCP port 8080). It has no addresses in the server LANs.
- The external router should only enforce that source addresses of incoming packets are not valid internally, and that source addresses of outgoing packets are only valid IP addresses assigned to our network.

3. You are setting up a router in Miami that will be connected via leased line (T-1) on serial 0 to a router in New York. Both New York and Miami have two LANs (one on eth0, one on eth1). The Miami router is the DCE and the New York router is the DTE. There is a pipe to the Internet through serial 1.
The IP configuration is as follows:
   a. New York S0 is 172.16.1.1 255.255.255.252, Miami S0 is 172.16.1.2 255.255.255.252.
   b. Miami S1 is 128.186.122.1 255.255.255.252.
   c. New York LAN1 (located on E0, whose IP address is 172.17.1.1) is 172.17.1.0 255.255.255.0, and New York LAN2 (located on E1, whose IP address is 172.17.2.1) is 172.17.2.0 255.255.255.0. Miami LAN1 (located on E0, whose IP address is 172.18.1.1) is 172.18.1.0 255.255.255.0, and Miami LAN2 (located on E1, whose IP address is 172.18.2.1) is 172.18.2.0 255.255.255.0.
   d. Network traffic should be controlled as follows:
      i. Permit ICMP traffic from New York and Miami.
      ii. Deny all telnet traffic.
      iii. Permit ssh traffic to your Unix Servers located at 172.18.2.20 and 172.17.2.20 from all LANs.
      iv. Permit file sharing traffic to the Windows servers located at 172.18.1.20, 172.18.1.21, 172.17.1.20, and 172.17.1.21 from all LANs.
      v. Permit Remote Desktop traffic to the Windows 2003 servers located at 172.18.1.20, 172.18.1.21, 172.17.1.20, and 172.17.1.21 only from the 172.18.1.0 subnet.
      vi. Permit http and https traffic through the Internet pipe for the 172.17.2.0 and the 172.18.2.0 subnets only.
      vii. Permit smtp traffic to the Exchange server located at 172.17.1.21 for the 172.17.1.0 and the 172.17.2.0 subnets. Also allow smtp traffic to this server from the Internet and vice versa.
      viii. Permit smtp traffic to the Unix sendmail server located at 172.18.2.20 for the 172.18.1.0 and the 172.18.2.0 subnets only. Also allow smtp traffic to this server from the Internet and vice versa.
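Checking aid, added here and not part of the lab handout: a small Python evaluator for extended ACL lines in the form shown in the Cisco ACL Examples section (permit/deny, protocol, source and destination as network plus wildcard mask, host, or any, with an optional eq port on either side). It applies the first-match rule and the implicit deny that ends every IOS access list, so a draft rule set for the scenarios can be checked against sample packets before it goes onto the router. The function names are this example's own, and LAB_ACLS is a constructed sample holding the handout's two example lines.

```python
import ipaddress
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "smtp": 25}  # IOS port-name keywords (subset)

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):  # 'any', 'host A' or 'A WILDCARD' -> ((base, wildcard), remaining tokens)
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _port(tokens):  # optional 'eq PORT' qualifier; None means any port
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text, number):
    """Return the ACEs of numbered extended list `number` in the order entered (order matters)."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)]:
            continue
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        acl.append((t[2], t[3], src, sport, dst, dport))
    return acl

def _match(spec, ip):
    # Wildcard mask semantics: 0 bits must equal the base address, 1 bits are don't-care.
    base, wild = spec
    return (_ip(ip) ^ base) & (0xFFFFFFFF ^ wild) == 0

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return 'permit' or 'deny': first matching ACE wins; no match hits the implicit deny."""
    for action, p, s, sp, d, dp in acl:
        if p in ("ip", proto) and _match(s, src) and _match(d, dst) \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

# Constructed sample: the handout's two example lines as they would appear in a running-config.
LAB_ACLS = """
access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 eq telnet
access-list 102 permit tcp host 192.168.10.11 192.168.11.0 0.0.0.255 eq 22
"""
```

Note that list 101 on its own permits nothing: it denies telnet and then everything else falls into the implicit deny, which is why a real list needs explicit permit lines for the traffic the scenario allows.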
