CCNA Security Certification Tutorial:
The Cisco IOS Firewall Set (Part 4)
Generic Inspection And SDM Prerequisites
Chris Bryant, CCIE #12933
In the previous installment of this CCNA Security and ISCW exam tutorial, we were introduced to CBAC.
In this segment, we'll be introduced to generic inspection and... ta da! ... Cisco's Security Device Manager (SDM). Before we get to SDM, let's answer these two questions:
What's so generic about generic inspection?
If it's generic, why do we want it?
TCP And UDP Generic Inspection
I'm not going to show you the entire IOS Help readout for the following command, but believe me - it's a long, long list. On this particular router, I had over 150 options.
R1(config)#ip inspect name CCNP ?
802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation
appfw Application Firewall
appleqtc Apple QuickTime
bgp Border Gateway Protocol
biff Bliff mail notification
bootpc Bootstrap Protocol Client
Let's say you wanted to inspect all TCP-based traffic. You could write an ip inspect line for every single TCP-based protocol, or you could specify TCP itself as the inspected protocol, rather than a more-specific entry.
This is generic inspection, and it's configured by entering tcp or udp at that same point in the ip inspect command.
tcp Transmission Control Protocol
udp User Datagram Protocol
This will inspect any TCP and/or UDP protocol traffic, even if the specific application isn't named in the inspection rule. Generic inspection is designed to allow return traffic for all TCP and/or UDP connections that are initiated on the inside network.
So why don't we just configure all TCP and UDP traffic to be inspected generically and leave it at that? Why do we need those 150 options if we can just use generic inspection?
You may have already guessed that generic inspection doesn't sound like a complete inspection.
Generic inspection doesn't look at the application layer, so the commands an application exchanges on its control connection are never interpreted. That matters for protocols that negotiate a second connection on a different port. In active-mode FTP, for example, the client names a data port in a PORT command and the server then opens the data connection back to the client from its own port 20. Generic TCP inspection only knows about the original control session, so return traffic using a different port number than the original traffic may not be allowed to enter the inside network.
Luckily, we can configure both generic and specific inspection. The configuration below configures application-specific inspection for FTP and ESMTP while using TCP and UDP generic inspection for all other traffic.
R1(config)#ip inspect name CCNP ftp
R1(config)#ip inspect name CCNP esmtp
R1(config)#ip inspect name CCNP tcp
R1(config)#ip inspect name CCNP udp
Branch#show ip inspect name CCNP
Inspection name CCNP
ftp alert is on audit-trail is off timeout 3600
esmtp max-data 20000000 alert is on audit-trail is off timeout 3600
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
Application-specific statements take precedence over generic inspection. In this case, FTP and ESMTP packets will undergo a more detailed inspection than all other TCP and UDP traffic, and application-specific commands for FTP and ESMTP will be correctly interpreted.
In the previous installment of this tutorial, I mentioned that CBAC tracks TCP sequence numbers. Obviously, CBAC can't track sequence numbers with UDP, since UDP doesn't have them.
By default, if a UDP connection is idle for 30 seconds, that connection is deleted from the state table. You can change timer values, audit trails, alerts, and other values at the end of the ip inspect command. Here are the configurable UDP values:
Branch(config)#ip inspect name CCNP udp ?
alert Turn on/off alert
audit-trail Turn on/off audit trail
router-traffic Enable inspection of sessions to/from the router
timeout Specify the inactivity timeout time
<cr>
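To make the two points above concrete (why an application-specific entry such as ftp matters, and what the 30-second UDP idle timer does), here is a small Python model of the CBAC behaviour described in this tutorial. It is an added example, not code from the original article or from Cisco IOS: it tracks sessions opened from the inside, permits return traffic that matches a tracked session, purges entries idle longer than their timeout, and, only when ftp is in the inspection rule, parses the FTP PORT command to open a pinhole for the server's active-mode data connection. The addresses and ports, and the mapping of ftp to TCP destination port 21, are constructed assumptions for illustration; real CBAC also handles passive FTP, TCP sequence tracking, alerts and audit trails, which this toy leaves out.

```python
"""Toy model of CBAC: generic tcp/udp inspection vs. application-specific ftp inspection."""
from dataclasses import dataclass

# Default inactivity timeouts, matching the 'show ip inspect name CCNP' output above.
DEFAULT_TIMEOUTS = {"tcp": 3600, "udp": 30}

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    payload: str = ""   # only FTP control commands are looked at
    time: float = 0.0   # seconds; drives the idle timers

@dataclass
class Session:
    timeout: float      # inactivity timeout for this entry
    last_seen: float    # time of the last packet in either direction

class Cbac:
    """Tracks sessions opened from the inside and decides whether return traffic gets in."""

    def __init__(self, rule):
        # rule = protocols listed with 'ip inspect name <NAME> <proto>', e.g. ["ftp", "tcp", "udp"]
        self.rule = list(rule)
        self.sessions = {}  # (proto, inside (ip, port), outside (ip, port)) -> Session
        self.pinholes = {}  # ("tcp", server_ip, (client_ip, port)) -> expiry time

    def _inspector_for(self, pkt):
        # An application-specific entry takes precedence over generic tcp/udp.
        # Assumption for this toy: ftp means TCP with destination port 21.
        if "ftp" in self.rule and pkt.proto == "tcp" and pkt.dst[1] == 21:
            return "ftp"
        return pkt.proto if pkt.proto in self.rule else None

    def outbound(self, pkt):
        insp = self._inspector_for(pkt)
        if insp is None:
            return "not inspected"
        key = (pkt.proto, pkt.src, pkt.dst)
        sess = self.sessions.setdefault(key, Session(DEFAULT_TIMEOUTS[pkt.proto], pkt.time))
        sess.last_seen = pkt.time
        if insp == "ftp" and pkt.payload.upper().startswith("PORT "):
            # Only the ftp inspector reads the control channel. 'PORT h1,h2,h3,h4,p1,p2' names
            # the client port the server will connect to from its own port 20, so a pinhole is
            # opened for that second connection. Generic tcp inspection never looks here.
            h1, h2, h3, h4, p1, p2 = (int(x) for x in pkt.payload[5:].split(","))
            client = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
            self.pinholes[("tcp", pkt.dst[0], client)] = pkt.time + sess.timeout
        return insp

    def inbound(self, pkt):
        self.purge(pkt.time)
        sess = self.sessions.get((pkt.proto, pkt.dst, pkt.src))
        if sess is not None:  # reverse of a tracked session: ordinary return traffic
            sess.last_seen = pkt.time
            return "permit (session)"
        hole = ("tcp", pkt.src[0], pkt.dst)
        if pkt.proto == "tcp" and hole in self.pinholes:
            # The pinhole is used once; the data connection becomes a tracked session itself.
            del self.pinholes[hole]
            self.sessions[("tcp", pkt.dst, pkt.src)] = Session(DEFAULT_TIMEOUTS["tcp"], pkt.time)
            return "permit (pinhole)"
        return "drop"

    def purge(self, now):
        # Entries idle longer than their timeout are deleted from the state table.
        for key, s in list(self.sessions.items()):
            if now - s.last_seen > s.timeout:
                del self.sessions[key]
        for key, expiry in list(self.pinholes.items()):
            if now > expiry:
                del self.pinholes[key]

def active_ftp_demo(rule):
    """Verdict on the server's active-mode data connection under the given inspection rule."""
    fw = Cbac(rule)
    client, server = ("10.1.1.10", 40000), ("203.0.113.5", 21)   # constructed addresses
    fw.outbound(Packet("tcp", client, server, time=0))
    # The client asks the server to connect back to 10.1.1.10 port 156*256+65 = 40001.
    fw.outbound(Packet("tcp", client, server, payload="PORT 10,1,1,10,156,65", time=1))
    return fw.inbound(Packet("tcp", ("203.0.113.5", 20), ("10.1.1.10", 40001), time=2))

def udp_idle_demo(reply_delay):
    """Verdict on a DNS reply arriving reply_delay seconds after the query."""
    fw = Cbac(["tcp", "udp"])
    client, resolver = ("10.1.1.10", 53000), ("203.0.113.53", 53)  # constructed addresses
    fw.outbound(Packet("udp", client, resolver, time=0))
    return fw.inbound(Packet("udp", resolver, client, time=reply_delay))

if __name__ == "__main__":
    print("generic tcp only, FTP data connection:", active_ftp_demo(["tcp", "udp"]))
    print("ftp + generic, FTP data connection:   ", active_ftp_demo(["ftp", "tcp", "udp"]))
    print("UDP reply after 10 s:", udp_idle_demo(10))
    print("UDP reply after 45 s:", udp_idle_demo(45))
```

Run it with python3: with only tcp and udp in the rule, the server's connection from port 20 to the client's data port 40001 matches neither the tracked control session (port 21) nor any pinhole and is dropped; add ftp to the rule and the PORT command is parsed, a pinhole is opened, and the same packet is permitted. The DNS reply 10 seconds after the query refreshes the UDP entry, while a reply 45 seconds later arrives after the 30-second idle timer has removed the entry and is dropped.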
Now it's time to get our router ready to run Security Device Manager - and we'll do that right after this vital (and short!) message!
I'm Paying It Forward Bigger Than Ever.
My Famous CCNA Study Package Is Now $25.

And if you're working on the CCNA Security certification instead - click that link and earn that certification for twenty bucks!
Now let's get to SDM...
SDM "Fun Facts"
Okay, they're not really that much fun. But you need to know them and have these commands up and running before working with SDM, which we'll be doing in just a moment.
The username/password combination used to log in to SDM must be a local account with privilege level 15 assigned, since SDM writes configuration to the router on your behalf.
You'll need to enable the HTTP server, the HTTPS server, and local authentication for both with the ip http server, ip http secure-server and ip http authentication local commands. As the output below shows, enabling the HTTPS server also generates the RSA key pair and self-signed certificate the router needs if it doesn't have them yet. Keep in mind that the plain HTTP server sends your privilege-15 credentials in clear text, so connect over HTTPS once it's up, and treat the management interface as something only administrators should be able to reach.
R1(config)#ip http server
R1(config)#ip http authentication local
R1(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
11:44:05: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#
11:44:06: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
We have two separate firewall wizards in SDM - Basic and Advanced. While the Basic Firewall Wizard allows you to configure a single outside interface and multiple inside interfaces, you'll need to use the Advanced Firewall Wizard to configure DMZ interfaces and/or multiple outside interfaces.
There are major differences between the two Wizards, and I'd know those cold before taking either the CCNA Security or CCNP ISCW exams. We're going to use the Basic wizard for a full configuration now, and we'll then take a look at some options available only in the Advanced wizard.
Configuring The Firewall From SDM (And The CLI)
By default, SDM will show you a summary of the commands that will be written to the router, but doesn't show you the actual commands before delivery.
I like to see the actual commands, especially when running a lab, so I'll change the default by clicking Edit > Preferences from the Home screen of SDM.
To preview the commands before they're written to the router, just put a check mark in the one empty box. I strongly recommend you check this box. (Several of the following illustrations are cropped.)

Anytime we're in SDM to configure a router, we just need to click Configure. By default, the Configure screen opens to Interfaces and Connections.
To configure a firewall in SDM, just click the Firewall And ACL button located right under the Interfaces and Connections button.
Clicking that button presents you with the two options we discussed earlier, Basic and Advanced.
The text we'll see in SDM windows is great review material for the exam, and here SDM reminds you that only the Advanced option allows configuration of a DMZ or of custom rules. Additionally, you'll see this illustration to the right when the Basic wizard is selected:

The Basic Firewall Wizard allows multiple inside interfaces, one outside interface, and no DMZ. As always, SDM will remind you of this, but the ISCW and CCNA Security exam questions probably won't! :)
We'll proceed with a Basic configuration, looking at the CLI commands along the way. That CCNA Security tutorial is now available, as is my $20 CCNA Security certification offer!
Chris Bryant
CCIE #12933
"The Computer Certification Bulldog"
chris@thebryantadvantage.com
No Gimmicks -- Just Results.