Nov 6

URL Filtering using IOS

Posted by Radu

Today, while I was trying to keep my students awake during a CCNA1 presentation I noticed that two of them were looking at 9Gag and they ignored me. Not that I was saying something so deep and meaningful but it was a little bit frustrating for me. So, as soon I finished my presentation, I opened a console to the local router (a Cisco 2821 ) and began to filter 9gag.

Obviously you cannot do that with ACLs when you want to filter a website running on multiple addresses like 9gag. Even if you use hostname instead of an IP address, that hostname is resolved once using dns servers defined in your configuration and that’s it.

So I used a policy and five minutes later those two were the frustrated ones. This is how I did it :

!
class-map match-any URLFILTER
    match protocol http host *9gag.com
!
policy-map DROPURL
    class URLFILTER
      drop
!
!
interface FastEthernet 0/1
    desc Internal
    service-policy input DROPURL
!

And that was it. Next time, facebook, prepare your url, I wanna filter you.

Or, using CBAC (Context-Based Access Control) :

!
ip inspect name WEBFILTER http urlfilter
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .9gag.com
!
!
interface FastEthernet 0/1
   desc Internal
   ip inspect WEBFILTER in
!

Oh, and if you’re wondering how to do url filtering with linux the answer is “it’s complicated”. You need either a proxy (squid, privoxy) or, if you are shameless, you can do it using DNS hijacking.

Dec 13

Unlike Linux’s iptables, Cisco’s filtering via Access Control Lists sometimes has hidden behavior.

Let us test how ACL filtering works using the following topology. We assume that we have Layer 3 connectivity via static routes. We will apply ACLs on the outbound direction of F1/0 on R2 (we want it to be somewhere in the path from R1 to R3)

3r

With no ACLs applied anywhere, all traffic will flow.

R1#ping 3.3.3.3 source 1.1.1.1
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent

Let’s start with the basics and make a classic standard access list that denies R1’s loopback.

R2(config)#access-list 42 deny host 1.1.1.1
R2(config)#int f1/0
R2(config-if)#ip access-group 42 out

The loopback on R1 is blocked…

R1#ping 3.3.3.3 source 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)

… but so is any other traffic that goes out of R2’s F1/0.

R1#ping 3.3.3.3 source F0/0
U.U.U
Success rate is 0 percent (0/5)

The first rule of Cisco’s ACLs is that there is an implicit deny (ip) all (all) rule at the end of every ACL. But this is not visible anywhere. You have to know it.

R2#sh access-lists
Standard IP access list 42
10 deny   1.1.1.1 (8 matches)
Extended IP access list BLOCK_HTTP

But if that ACL is empty? What if you apply an access list that does not contain any rules (was not declared)?

R2(config)#int f1/0
R2(config-if)#ip access-group 28 out
R2(config-if)#do sh access-lists
Standard IP access list 42
10 deny   1.1.1.1 (8 matches)
Extended IP access list BLOCK_HTTP

R1#ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
!!!!!
Success rate is 100 percent

Traffic passes. The inexistent ACL applied on an interface is ignored. But this is because you can’t have an empty classical (numbered) ACL. What if you do the same thing with a named ACL?

R2(config)#ip access-list standard EMPTY_ACL
R2(config-std-nacl)#exit
R2(config)#do sh ip access-list
Standard IP access list 42
10 deny   1.1.1.1 (8 matches)
Standard IP access list EMPTY_ACL
Extended IP access list BLOCK_HTTP
R2(config)#int f1/0
R2(config-if)#ip access-group EMPTY_ACL out

R1#ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
!!!!!
Success rate is 100 percent

Traffic is still not filtered. So, the rule is that a empty (inexistant or deleted)  ACL is ignored by the interface filter.

One more ACL applied on R2 with a deny all rule (no traffic should pass out of F1/0).

R2(config)#ip access-list standard DENY_ALL_ACL
R2(config-std-nacl)#deny any
R2(config-std-nacl)#do sh ip access
Standard IP access list 42
10 deny   1.1.1.1 (8 matches)
Standard IP access list DENY_ALL_ACL
10 deny   any (8 matches)
Standard IP access list EMPTY_ACL
10 deny   any (8 matches)
Extended IP access list BLOCK_HTTP
R2(config-std-nacl)#int f1/0
R2(config-if)#ip access-group DENY_ALL_ACL out

Ping form R1 is filtered.

R1#ping 3.3.3.3 source 1.1.1.1
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)

Since no traffic should go out the interface, a ping from R2 to R3 should also fail, yet it doesn’t.

R2#ping 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/44 ms

As a final rule, traffic generated by a router is never filtered by an ACL applied any interface of that router.

Jul 23

Anti-lockout best practice

Posted by Alex Juncu

ACL are usually configured for firewall configurations, for traffic filtering. When configuring ACLs, careful planing should be made so that in the moment when you are applying an ACL, things get filtered exactly the way you want it. In a lab environment tests can be made and if somethings doesn’t work right, you can start over. But in a live network router, filtering the wrong traffic could cause network outages.

If you are connected to the router via telnet or ssh (most likely in productions routers) it is very easy to lock yourself out of the router by denying the telnet or ssh traffic on an interface between you to that router. This is mostly because how IOS works. Any commands given in IOS are instantly commited to the live configuration. And, for example, if you make a configuration with an ACL and you forget about the implicit deny any (any) and you also forget to permit the telnet/ssh traffic, you might find yourself with the router not responding to any input after you apply the rules. It might take a while to figure out that you can’t access the router anymore and need to get physically to its location and either reload it or  use the console port to remove the ACL from the running-config.

One way of avoiding this is to schedule an automated reload in 10-15 minutes, while you are configuring, From enable mode issue the command:

#reload in MINUTES

This will reload the router after the specified number of minutes. It will ensure that if you lock yourself out, the router will revert back to the working startup-config. If the configuration was applied successfully, you can cancel the scheduled reload with the command

#reload cancel

http://www.youtube.com/watch?v=SMWi7CLoZ2Q
Jun 11

Basic packet crafting

Posted by Dragos Draghicescu

Ok, this will be a short one :) . I just want to raise attention on how can one bypass an extended (or standard) ACL (or access-list).

So, for this example, i have one router with an IP address of 10.10.10.2, which can be accessed only by the admin, only from 20.20.20.20. That is done with an inbound ACL, put on the egress interface of the router. Looks like this:

Extended IP access list 111
20 permit ip host 20.20.20.20 host 10.10.10.2 log

There is a little problem with spoofing: the return traffic has to be routed back to the attacker. But everything will work just fine if you happen to be in the same network with the admin (you can achieve bidirectional communication). In case the attack is done over the Internet, there is still the possibility of a DOS (Denial Of Service), by sending tons of packets that will be accepted. I assumed another thing: your ISP does not check for the source of the packets (DOS attacks are less frequent if that simple measure is taken).

For the demonstration, i chose a well-known packet crafter named HPING3. It allows one to customize a packet at different layers and it`s well documented, but for now we will only use a fraction of it`s power:

$ sudo hping3 -S 10.10.10.2 -a 20.20.20.20

The result could be:

*Mar 1 05:52:01.702: %SEC-6-IPACCESSLOGP:
list 111 permitted tcp 20.20.20.20(0) -> 10.10.10.2(0), 360 packets

To check the amount of pings, you can issue the command “show ip traffic | section ICMP“. You can “clear ip traffic” before that.

Despite this, ACLs are still adding a serious amount of security to your network. But in front of a determined attacker, one should do more than that in order to have a healthy network.