From Cisco.
NBAR requires CEF to be enabled (ip cef).
NBAR configuration:
Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*default.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"
Notes:
To block traffic using NBAR, you have three choices:
1. Using an ACL
Build a policy and use the set command to mark inbound "Code Red" hacks with a policy map. This document uses a DSCP value of 1 (in decimal) since it is unlikely that any other network traffic is carrying this value.
Router(config)#policy-map mark-inbound-http-hacks
Router(config-pmap)#class http-hacks
Router(config-pmap-c)#set ip dscp 1
Router(config)#interface serial 0/0 //ingress interface
Router(config-if)#service-policy input mark-inbound-http-hacks
Configure an ACL that matches on the DSCP value of 1, as set by the service policy.
Router(config)#access-list 105 deny ip any any dscp 1
Router(config)#access-list 105 permit ip any any
Router(config)#interface ethernet 0/1 //egress interface
Router(config-if)#ip access-group 105 out
2. Using Policy-Based Routing (PBR) to route the traffic to Null0.
Use the service-policy command to apply the policy as an inbound policy on the input interface to mark arriving "Code Red" packets. See method 1.
Create an extended IP ACL that matches on the marked "Code Red" packets.
Router(config)#access-list 106 permit ip any any dscp 1
Use the route-map command to build a routing policy.
Router(config)#route-map null_policy_route 10
Router(config-route-map)#match ip address 106
Router(config-route-map)#set interface Null0
Apply the route-map to the input interface.
Router(config)#interface serial 0/0 //ingress interface.
Router(config-if)#ip policy route-map null_policy_route
We are able to make the discard decision at the ingress interface of the router, rather than needing an output ACL on every egress interface. We also recommend disabling the sending of ICMP unreachable messages with the no ip unreachables command, so the router does not generate a reply for every packet it discards.
3. Using class-based policing.
Router(config)#policy-map drop-inbound-http-hacks
Router(config-pmap)#class http-hacks
Router(config-pmap-c)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
or, on newer IOS releases that support it:
Router(config-pmap-c)#drop
Apply this policy map inbound on the ingress interface with the service-policy input command, as in method 1. This is the best solution of the three: the drop happens in the class itself, with no marking, ACL or route-map needed.
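To see how the three methods relate, here is a small Python model of the chain the post configures (classify the HTTP URL against the class-map wildcards, mark DSCP 1, then drop by ACL, by PBR to Null0, or directly in the policy map). This is an added illustration, not part of the original post or of Cisco's documentation; the request lines are constructed samples, and the Packet, http_url and verdict functions are my own names for the stages, not IOS features.

```python
# Added illustration, not from the original post: a Python model of the NBAR
# chain it configures (classify URL -> mark DSCP 1 -> drop). Request lines below
# are constructed samples; real NBAR matching runs inside IOS and this only
# mirrors the wildcard semantics of the class-map.
import fnmatch
from dataclasses import dataclass

# Patterns from "class-map match-any http-hacks"; match-any means one hit suffices.
HTTP_HACKS_URL_PATTERNS = ("*default.ida*", "*cmd.exe*", "*root.exe*")
MARK_DSCP = 1  # "set ip dscp 1" from policy-map mark-inbound-http-hacks


@dataclass
class Packet:
    src: str
    dst: str
    payload: str      # first line of the TCP payload (the HTTP request line, if HTTP)
    dscp: int = 0     # DSCP as seen on the wire; 0 = best effort


def http_url(payload):
    """Return the URL field of an HTTP request line, or None if this is not HTTP.

    "match protocol http url" looks at the request URL (the part after the
    method, before the version). A whitespace split is enough for a request
    line such as "GET /path HTTP/1.0".
    """
    parts = payload.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


def matches_http_hacks(payload):
    """Emulate the class-map: True if the URL matches any configured wildcard.

    fnmatchcase is used so the result does not depend on the host OS; whether
    a given IOS release matches case-sensitively has to be checked on the box.
    """
    url = http_url(payload)
    if url is None:
        return False
    return any(fnmatch.fnmatchcase(url, pat) for pat in HTTP_HACKS_URL_PATTERNS)


def ingress_mark(pkt):
    """Methods 1 and 2, ingress step: service-policy input mark-inbound-http-hacks."""
    if matches_http_hacks(pkt.payload):
        pkt.dscp = MARK_DSCP
    return pkt


def egress_acl_105(pkt):
    """Method 1, egress step: access-list 105 (deny ip any any dscp 1, then permit)."""
    return "deny" if pkt.dscp == MARK_DSCP else "permit"


def pbr_null_route(pkt):
    """Method 2, ingress step: route-map null_policy_route sends dscp-1 traffic to Null0."""
    return "Null0" if pkt.dscp == MARK_DSCP else "forward"


def policy_drop(pkt):
    """Method 3: the policy map drops in the class itself; no mark or ACL needed."""
    return "drop" if matches_http_hacks(pkt.payload) else "forward"


def run_method1(packets):
    """Return (request line, ACL verdict) for each packet after ingress marking."""
    return [(p.payload, egress_acl_105(ingress_mark(p))) for p in packets]


# Constructed sample traffic: two Code Red style requests, one look-alike file
# name, one ordinary page and one non-HTTP flow.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "GET /default.ida?NNNNNNNNNNNN HTTP/1.0"),
    Packet("198.51.100.8", "192.0.2.10", "GET /scripts/root.exe HTTP/1.0"),
    Packet("198.51.100.9", "192.0.2.10", "GET /downloads/cmd.exe.txt HTTP/1.1"),
    Packet("198.51.100.10", "192.0.2.10", "GET /index.html HTTP/1.1"),
    Packet("198.51.100.11", "192.0.2.10", "SSH-2.0-OpenSSH_8.9"),
]

if __name__ == "__main__":
    for line, verdict in run_method1(SAMPLE_PACKETS):
        print(f"{verdict:6} {line}")
```

The third sample is the caveat worth noticing: `*cmd.exe*` is a substring wildcard, so a legitimately named file such as /downloads/cmd.exe.txt is classified and dropped too. Before deploying any of the three methods, review what the class-map actually catches on your own traffic (show policy-map interface on the ingress interface shows per-class counters).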