Cisco: ACL: CBAC (Context-Based Access Control)

CBAC protocol suggestion

I know that FTP active mode and the SIP protocol carry port-sensitive information.

Does CBAC include support for many protocols…?

CBAC protocols

Topology CBAC (Context-Based Access Control) 69408227-2393-4611-ae2e-2c2e22cdb775

network-security.acl.cbac.2rt.1sw.2node.1ext-conn.static.69408227
- Topology Description: CBAC (Context-Based Access Control)
- Topology ID: 69408227-2393-4611-ae2e-2c2e22cdb775
- Design and Technology:
  - CBAC (Context-Based Access Control)
  - Routing Protocol
    - static
  - 2 routers
  - 1 switch
  - 2 servers
- Remarks: N/A

### Links

Cisco: ACL: CBAC (Context-Based Access Control) [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:acl:cbac:cbac

Base Configuration

Common Configuration Snippet

ubuntu-0

ubuntu-1

R1

R2

Lab Configuration

sudo apt install netcat-openbsd vsftpd

Verification without CBAC configuration f6fd380c-6455-41db-9530-157157f06c36

Clear the Linux terminal.

Ctrl + L
clear

Wireshark Display Filter

icmp || tcp || udp
  • ubuntu-0
ping -c4 198.51.100.253
# TCP client
nc 198.51.100.253 33333
# UDP client
nc -u 198.51.100.253 33333
ftp 198.51.100.253
  • ubuntu-1
ping -c4 10.1.1.253
# TCP server
nc -l 33333
# UDP server
nc -lu 33333
systemctl status vsftpd.service
  • FTP commands (Active Mode)
passive off
cd /etc
dir
get machine-id
quit
  • FTP commands (Passive Mode)
passive
cd /etc
dir
get vsftpd.conf
quit
  • FTP active mode port decision
PORT 10,1,1,254,191,147\r\n
191 * 256 + 147 = 49043
  • FTP passive mode port decision
PASV\r\n
227 Entering Passive Mode (198,51,100,253,182,46).\r\n
182 * 256 + 46 = 46638
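The two port calculations above are exactly what a stateful inspection engine has to do on the FTP control channel before it can open the data connection through an inbound deny-any ACL. The following Python example is added here and is not code from the original page or from Cisco: it parses the PORT command and the 227 PASV reply, derives the data connection that would have to be permitted, and refuses to derive one when the advertised address is not the control-channel peer. The function names and that peer check are this example's own assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed samples: the PORT command and PASV reply captured on the control channel above
PORT_CMD = "PORT 10,1,1,254,191,147\r\n"
PASV_REPLY = "227 Entering Passive Mode (198,51,100,253,182,46).\r\n"

_HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
_PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\(" + _HOSTPORT + r"\)")


def _decode_hostport(fields: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2), rejecting bad octets."""
    parts = [int(p) for p in fields.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError(f"malformed host-port string: {fields!r}")
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(map(str, parts[:4])), port


def parse_port_command(line: str) -> Tuple[str, int]:
    """Client PORT command (active mode): where the server must connect for the data transfer."""
    m = _PORT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hostport(m.group(1))


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Server 227 reply (passive mode): where the client must connect for the data transfer."""
    m = _PASV_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode_hostport(m.group(1))


def data_pinhole(line: str, client_ip: str, server_ip: str) -> Tuple[str, Optional[int], str, int]:
    """Return (src_ip, src_port, dst_ip, dst_port) of the data connection the inspection engine
    must temporarily permit; src_port None means any ephemeral port.

    The address advertised in PORT/PASV must equal the control-channel peer (assumed policy):
    a third-party address would open a hole for traffic unrelated to this session.
    """
    if line.upper().startswith("PORT"):
        host, port = parse_port_command(line)
        if host != client_ip:
            raise ValueError(f"PORT advertises {host}, control-channel client is {client_ip}")
        # Active mode: the server connects out from TCP port 20 to the client's advertised port
        return (server_ip, 20, client_ip, port)
    host, port = parse_pasv_reply(line)
    if host != server_ip:
        raise ValueError(f"PASV advertises {host}, control-channel server is {server_ip}")
    # Passive mode: the client connects from an ephemeral port to the server's advertised port
    return (client_ip, None, server_ip, port)


if __name__ == "__main__":
    print(parse_port_command(PORT_CMD))   # ('10.1.1.254', 49043)
    print(parse_pasv_reply(PASV_REPLY))   # ('198.51.100.253', 46638)
    print(data_pinhole(PORT_CMD, "10.1.1.254", "198.51.100.253"))
    print(data_pinhole(PASV_REPLY, "10.1.1.254", "198.51.100.253"))
```

The active-mode result (server 198.51.100.253:20 connecting to the client's advertised port) is the same flow that appears later in the audit trail as an ftp-data session initiated from port 20, which is why a plain inbound ACL cannot pass active FTP without inspection.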

Wireshark Packet Capture Result

ubuntu-0 Console Log

ubuntu-1 Console Log

Configuring deny any 3fd1c6ee-d48a-4cfd-adac-d8766402708c

  • R1
configure terminal
!
ip access-list extended ACL_INTERNET_IN
 deny ip any any
!
interface GigabitEthernet 0/1
 ip access-group ACL_INTERNET_IN in
!
end

Verification deny any 3fd1c6ee-d48a-4cfd-adac-d8766402708c

Clear the Linux terminal.

Ctrl + L
clear

Wireshark Display Filter

icmp || tcp || udp
  • ubuntu-0
ping -c4 198.51.100.253
# TCP client
nc 198.51.100.253 33333
# UDP client
nc -u 198.51.100.253 33333
ftp 198.51.100.253
  • ubuntu-1
ping -c4 10.1.1.253
# TCP server
nc -l 33333
# UDP server
nc -lu 33333
systemctl status vsftpd.service

Only the UDP datagram “hello” sent from ubuntu-0 to ubuntu-1 gets through; every other case fails. The ACL is applied inbound on GigabitEthernet 0/1, so traffic leaving toward ubuntu-1 is not filtered but every packet coming back is dropped; a one-way UDP datagram needs no reply to be delivered, whereas ping, TCP and FTP all depend on return traffic.

R1 Console Log

ubuntu-0 Console Log

ubuntu-1 Console Log

Wireshark Packet Capture Result

Configuring CBAC 7101876b-86ae-463c-b214-3fb15e7c95b0

  • R1
configure terminal
!
ip access-list extended ACL_INTERNET_IN
 deny ip any any
!
ip inspect name CBAC icmp
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
!
interface GigabitEthernet 0/1
 ip inspect CBAC out
 ip access-group ACL_INTERNET_IN in
!
end

Verification CBAC 7101876b-86ae-463c-b214-3fb15e7c95b0

Clear the Linux terminal.

Ctrl + L
clear

debugging

debug ip inspect detailed
debug ip inspect protocol icmp
debug ip inspect protocol tcp
debug ip inspect protocol udp
debug ip inspect protocol ftp-cmd
debug ip inspect protocol ftp-token

Wireshark Display Filter

icmp || tcp || udp
  • ubuntu-0
ping -c4 198.51.100.253
# TCP client
nc 198.51.100.253 33333
# UDP client
nc -u 198.51.100.253 33333
ftp 198.51.100.253
  • ubuntu-1
ping -c4 10.1.1.253
# TCP server
nc -l 33333
# UDP server
nc -lu 33333
systemctl status vsftpd.service
  • FTP commands (Active Mode)
passive off
cd /etc
dir
get machine-id
quit
  • FTP commands (Passive Mode)
passive
cd /etc
dir
get vsftpd.conf
quit
  • FTP active mode port decision
PORT 10,1,1,254,222,195\r\n
222 * 256 + 195 = 57027
  • FTP passive mode port decision
PASV\r\n
227 Entering Passive Mode (198,51,100,253,183,204).\r\n
183 * 256 + 204 = 47052

Disable all debugging

undebug all
!
no debug all
R1#debug ip inspect ?
  detailed         Inspection Detailed Debug Records
  events           Inspection events
  function-trace   Inspection function trace
  mib              Debug IOS firewall MIB
  object-creation  Inspection Object Creations
  object-deletion  Inspection Object Deletions
  policy           policy firewall
  protocol         protocol-specific-debug
  timers           Inspection Timer related events

R1#debug ip inspect detai
R1#debug ip inspect pr       
R1#debug ip inspect protocol ?
  aol-msgr     Inspection IM AOL
  cuseeme      Inspection CUSeeMe
  dns          Inspection DNS
  ftp-cmd      Inspection ftp commands and responses
  ftp-token    Inspection ftp tokens
  h225ras      Inspection H.225 RAS
  h323         Inspection H.323
  http         Inspection HTTP
  icmp         Inspection ICMP
  imap         Inspection IMAP
  msn-msgr     Inspection IM MSN
  netshow      Inspection NetShow
  p2p          Inspection Peer-to-peer
  pop3         Inspection POP3
  rcmd         Inspection R commands (r-exec, r-login, r-sh)
  realaudio    Inspection RealAudio
  rpc          Inspection RPC
  rtsp         Inspection RTSP
  sip          Inspection SIP
  skinny       Inspection SKINNY
  smtp         Inspection smtp
  sqlnet       Inspection SQL Net
          

R1 Console Log

ubuntu-0 Console Log

ubuntu-1 Console Log

FTP Active Mode CBAC debug output

Wireshark Packet Capture Result

  • R1
configure terminal
!
ip inspect audit-trail
no ip inspect alert-off
!
logging host 10.1.1.254
!
end
  • Configure rsyslog on ubuntu-0 to receive syslog
/etc/rsyslog.conf
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
 
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
sudo vim /etc/rsyslog.conf
sudo rsyslogd -N1
sudo systemctl restart rsyslog
ubuntu@ubuntu-0:~$ sudo rsyslogd -N1
rsyslogd: version 8.32.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
R1#
R1#sh run | i inspect
ip inspect name CBAC icmp
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
 ip inspect CBAC out
R1#sh run all | i inspect audit|alert
 alert on
file prompt alert
R1#sh run all | i inspect audit      
R1#sh run all | i inspect alert
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip ins
R1(config)#ip inspect au
R1(config)#ip inspect audit-trail ?
  vrf  Specify VRF
  <cr>

R1(config)#ip inspect audit-trail 
R1(config)#ip ins
R1(config)#ip inspect aler
R1(config)#ip inspect alert-off ?
  vrf  Specify VRF
  <cr>

R1(config)#ip inspect ?         
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and
                  bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  log             Inspect packet logging
  max-incomplete  Specify maximum number of incomplete connections before
                  clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  <cr>

R1(config)#ip inspect aler
R1(config)#ip inspect alert-off 
R1(config)#do sh run | i inspect
ip inspect audit-trail
ip inspect alert-off
ip inspect name CBAC icmp
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
 ip inspect CBAC out
R1(config)#ip ins               
R1(config)#ip inspect CBAC sip
R1(config)#ip inspect CBAC sip al
R1(config)#ip inspect CBAC sip ale
R1(config)#ip inspect CBAC sip ?  
% Unrecognized command
R1(config)#ip inspect na       
R1(config)#ip inspect name CBAC aler
R1(config)#ip inspect name CBAC sip aler
R1(config)#ip inspect name CBAC sip alert ?
  off  Turn off alert
  on   Turn on alert

R1(config)#ip inspect name CBAC sip alert on audi
R1(config)#ip inspect name CBAC sip alert on audit-trail ?
  off  Turn off audit trail
  on   Turn on audit trail

R1(config)#ip inspect name CBAC sip alert on audit-trail on
R1(config)#do sh run | i inspect                           
ip inspect audit-trail
ip inspect alert-off
ip inspect name CBAC icmp
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC sip alert on audit-trail on
 ip inspect CBAC out
R1(config)#ip ins
R1(config)#ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and
                  bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  log             Inspect packet logging
  max-incomplete  Specify maximum number of incomplete connections before
                  clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  <cr>

R1(config)#ip inspect tc
R1(config)#ip inspect tcp syn
R1(config)#ip inspect tcp fin          
R1(config)#ip inspect tcp id           
R1(config)#ip inspect ud            
R1(config)#ip inspect udp id
R1(config)#ip inspect udp dns-tim   
R1(config)#ip inspect udp dns-time
R1(config)#ip inspect dns         
R1(config)#ip inspect max-inco    
R1(config)#ip inspect max-incomplete ?
  high  Specify high-watermark for clamping
  low   Specify low-watermark for clamping

R1(config)#ip inspect max-incomplete hi
R1(config)#ip inspect max-incomplete high ?
  <1-2147483647>  Number of connections

R1(config)#ip inspect max-incomplete lo   
R1(config)#ip inspect max-incomplete low ?
  <1-2147483647>  Number of connections

R1(config)#ip inspect one                
R1(config)#ip inspect one-minute ?
  high  Specify high-watermark for clamping
  low   Specify low-watermark for clamping

R1(config)#ip inspect one-minute hi
R1(config)#ip inspect one-minute high ?
  <1-2147483647>  Number of connections

R1(config)#ip inspect on              
R1(config)#ip inspect one-minute lo
R1(config)#no ip inspect alert-off                         
R1(config)#logging host 10.1.1.254
R1(config)#
*Oct 25 08:51:17.128: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.254 port 514 started - CLI initiated
ubuntu@ubuntu-0:~$ ftp 198.51.100.253
Connected to 198.51.100.253.
220 (vsFTPd 3.0.3)
Name (198.51.100.253:ubuntu): ubuntu
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive off
Passive mode on.
ftp> passive off
Passive mode off.
ftp> cd /etc
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Oct 23  2019 NetworkManager
drwxr-xr-x    4 0        0            4096 Oct 23  2019 X11
drwxr-xr-x    3 0        0            4096 Oct 23  2019 acpi
-rw-r--r--    1 0        0            3028 Oct 23  2019 adduser.conf
drwxr-xr-x    2 0        0            4096 Oct 23  2019 alternatives
drwxr-xr-x    3 0        0            4096 Oct 23  2019 apm
(snip)
-rw-r--r--    1 0        0            5850 Feb 05  2018 vsftpd.conf
lrwxrwxrwx    1 0        0              23 Oct 23  2019 vtrgb -> /etc/alternatives/vtrgb
-rw-r--r--    1 0        0            4942 Apr 08  2019 wgetrc
drwxr-xr-x    4 0        0            4096 Oct 23  2019 xdg
-rw-r--r--    1 0        0             477 Mar 16  2018 zsh_command_not_found
226 Directory send OK.
ftp> cd /var/log/
250 Directory successfully changed.
ftp> get syslog
local: syslog remote: syslog
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for syslog (239073 bytes).
226 Transfer complete.
239073 bytes received in 0.06 secs (3.7014 MB/s)
ftp> quit
221 Goodbye.
R1(config)#
*Oct 25 08:52:53.701: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp session: initiator (10.1.1.254:38958) -- responder (198.51.100.253:21)
R1(config)#
*Oct 25 08:53:31.530: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp-data session: initiator (198.51.100.253:20) -- responder (10.1.1.254:38069)
R1(config)#
*Oct 25 08:53:36.540: %FW-6-SESS_AUDIT_TRAIL: Stop ftp-data session: initiator (198.51.100.253:20) sent 11973 bytes -- responder (10.1.1.254:38069) sent 0 bytes
R1(config)#
*Oct 25 08:54:06.512: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp-data session: initiator (198.51.100.253:20) -- responder (10.1.1.254:43549)
R1(config)#
*Oct 25 08:54:11.366: %FW-6-SESS_AUDIT_TRAIL: Stop ftp-data session: initiator (198.51.100.253:20) sent 239073 bytes -- responder (10.1.1.254:43549) sent 0 bytes
R1(config)#
*Oct 25 08:54:15.974: %FW-6-SESS_AUDIT_TRAIL: Stop ftp session: initiator (10.1.1.254:38958) sent 138 bytes -- responder (198.51.100.253:21) sent 472 bytes
R1(config)#
ubuntu@ubuntu-0:~$ tail -f /var/log/syslog
Oct 25 08:17:01 ubuntu-0 CRON[31061]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Oct 25 08:50:24 ubuntu-0 systemd[1]: Stopping System Logging Service...
Oct 25 08:50:24 ubuntu-0 rsyslogd:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="18612" x-info="http://www.rsyslog.com"] exiting on signal 15.
Oct 25 08:50:24 ubuntu-0 systemd[1]: Stopped System Logging Service.
Oct 25 08:50:24 ubuntu-0 systemd[1]: Starting System Logging Service...
Oct 25 08:50:24 ubuntu-0 systemd[1]: Started System Logging Service.
Oct 25 08:50:24 ubuntu-0 rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.32.0]
Oct 25 08:50:24 ubuntu-0 rsyslogd: rsyslogd's groupid changed to 106
Oct 25 08:50:24 ubuntu-0 rsyslogd: rsyslogd's userid changed to 102
Oct 25 08:50:24 ubuntu-0 rsyslogd:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="31118" x-info="http://www.rsyslog.com"] start
Oct 25 08:51:05 ubuntu-0 systemd[1]: Started Session 15 of user ubuntu.
Oct 25 08:52:51 10.1.1.1 36: *Oct 25 08:51:17.128: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.254 port 514 started - CLI initiated
Oct 25 08:52:51 ubuntu-0 systemd-resolved[3873]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Oct 25 08:54:28 10.1.1.1 37: *Oct 25 08:52:53.701: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp session: initiator (10.1.1.254:38958) -- responder (198.51.100.253:21)
Oct 25 08:55:05 10.1.1.1 38: *Oct 25 08:53:31.530: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp-data session: initiator (198.51.100.253:20) -- responder (10.1.1.254:38069)
Oct 25 08:55:11 10.1.1.1 39: *Oct 25 08:53:36.540: %FW-6-SESS_AUDIT_TRAIL: Stop ftp-data session: initiator (198.51.100.253:20) sent 11973 bytes -- responder (10.1.1.254:38069) sent 0 bytes
Oct 25 08:55:40 10.1.1.1 40: *Oct 25 08:54:06.512: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp-data session: initiator (198.51.100.253:20) -- responder (10.1.1.254:43549)
Oct 25 08:55:45 10.1.1.1 41: *Oct 25 08:54:11.366: %FW-6-SESS_AUDIT_TRAIL: Stop ftp-data session: initiator (198.51.100.253:20) sent 239073 bytes -- responder (10.1.1.254:43549) sent 0 bytes
Oct 25 08:55:50 10.1.1.1 42: *Oct 25 08:54:15.974: %FW-6-SESS_AUDIT_TRAIL: Stop ftp session: initiator (10.1.1.254:38958) sent 138 bytes -- responder (198.51.100.253:21) sent 472 bytes
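The %FW-6-SESS_AUDIT_TRAIL messages above are the evidence a defender actually gets from CBAC, so it is worth being able to turn them into sessions rather than reading them by eye. The following Python example is added here and is not code from the original page or from Cisco: it parses the Start/Stop audit-trail lines, pairs them into sessions, sums bytes per protocol, lists sessions still open at the end of the log, and flags an ftp-data session that arrives from outside without an open ftp control session from the inside. The sample log is constructed from the R1 console messages shown above; the inside prefix 10.1.1. and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the audit-trail lines R1 printed during the FTP session above
SAMPLE_LOG = """\
*Oct 25 08:51:17.128: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.254 port 514 started - CLI initiated
*Oct 25 08:52:53.701: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp session: initiator (10.1.1.254:38958) -- responder (198.51.100.253:21)
*Oct 25 08:53:31.530: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp-data session: initiator (198.51.100.253:20) -- responder (10.1.1.254:38069)
*Oct 25 08:53:36.540: %FW-6-SESS_AUDIT_TRAIL: Stop ftp-data session: initiator (198.51.100.253:20) sent 11973 bytes -- responder (10.1.1.254:38069) sent 0 bytes
*Oct 25 08:54:06.512: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp-data session: initiator (198.51.100.253:20) -- responder (10.1.1.254:43549)
*Oct 25 08:54:11.366: %FW-6-SESS_AUDIT_TRAIL: Stop ftp-data session: initiator (198.51.100.253:20) sent 239073 bytes -- responder (10.1.1.254:43549) sent 0 bytes
*Oct 25 08:54:15.974: %FW-6-SESS_AUDIT_TRAIL: Stop ftp session: initiator (10.1.1.254:38958) sent 138 bytes -- responder (198.51.100.253:21) sent 472 bytes
"""

# Start lines carry no byte counts; Stop lines carry one per side
_AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL(?:_START)?: (?P<action>Start|Stop) (?P<proto>\S+) session: "
    r"initiator \((?P<iip>[\d.]+):(?P<iport>\d+)\)(?: sent (?P<ibytes>\d+) bytes)? -- "
    r"responder \((?P<rip>[\d.]+):(?P<rport>\d+)\)(?: sent (?P<rbytes>\d+) bytes)?"
)

SessionKey = Tuple[str, str, int, str, int]  # (proto, initiator ip, port, responder ip, port)


@dataclass
class AuditEvent:
    action: str
    proto: str
    initiator: Tuple[str, int]
    responder: Tuple[str, int]
    initiator_bytes: Optional[int]
    responder_bytes: Optional[int]

    @property
    def key(self) -> SessionKey:
        return (self.proto, *self.initiator, *self.responder)


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a %FW-6-SESS_AUDIT_TRAIL line, or None for any other message."""
    m = _AUDIT_RE.search(line)
    if m is None:
        return None
    return AuditEvent(
        action=m["action"], proto=m["proto"],
        initiator=(m["iip"], int(m["iport"])), responder=(m["rip"], int(m["rport"])),
        initiator_bytes=int(m["ibytes"]) if m["ibytes"] else None,
        responder_bytes=int(m["rbytes"]) if m["rbytes"] else None,
    )


def correlate(log_text: str, inside_prefix: str = "10.1.1.") -> dict:
    """Pair Start/Stop events into sessions and report what a reviewer would want to know."""
    open_sessions: Dict[SessionKey, AuditEvent] = {}
    completed: List[AuditEvent] = []
    bytes_by_proto: Dict[str, int] = {}
    findings: List[str] = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue
        if ev.action == "Start":
            open_sessions[ev.key] = ev
            # With deny-any inbound, an ftp-data session initiated from outside is only
            # legitimate while an ftp control session from the inside host to that server is open
            if ev.proto == "ftp-data" and not ev.initiator[0].startswith(inside_prefix):
                parent = [k for k in open_sessions
                          if k[0] == "ftp" and k[1] == ev.responder[0] and k[3] == ev.initiator[0]]
                if not parent:
                    findings.append(f"ftp-data from {ev.initiator[0]}:{ev.initiator[1]} "
                                    f"without an open ftp control session to {ev.responder[0]}")
        else:
            if open_sessions.pop(ev.key, None) is None:
                findings.append(f"Stop without Start for {ev.key}")
            completed.append(ev)
            total = (ev.initiator_bytes or 0) + (ev.responder_bytes or 0)
            bytes_by_proto[ev.proto] = bytes_by_proto.get(ev.proto, 0) + total
    return {"completed": completed, "still_open": list(open_sessions.values()),
            "bytes_by_proto": bytes_by_proto, "findings": findings}


if __name__ == "__main__":
    report = correlate(SAMPLE_LOG)
    print(report["bytes_by_proto"])   # {'ftp-data': 251046, 'ftp': 610}
    print(len(report["still_open"]), report["findings"])
```

On the lab log the two ftp-data sessions correlate cleanly with the control session on port 21, and the byte totals match the 11973-byte listing and the 239073-byte syslog download the client printed; the same code applied to the syslog copy on ubuntu-0 works unchanged, because the regex anchors on the %FW-6 mnemonic rather than on the timestamp prefix.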

References

tech/network/cisco/security/network-security/acl/cbac/cbac.txt · Last modified: 2020/10/25 19:29 by wnoguchi