ebook img

Cisco ASR 5000 Personal Stateful Firewall Administration Guide PDF

64 Pages·2013·1.05 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Cisco ASR 5000 Personal Stateful Firewall Administration Guide

Cisco ASR 5000 Personal Stateful Firewall Administration Guide Version 15.0 Last Updated: September 30, 2013 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANULA, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES . Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A linstgi of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco ASR 5000 Personal Stateful Firewall Administration Guide © 2013 Cisco Systems, Inc. All rights reserved. CONTENTS About this Guide ................................................................................................. v Conventions Used ....................................................................................................................................vi Contacting Customer Support ................................................................................................................. vii Additional Information ............................................................................................................................. viii Personal Stateful Firewall Overview ................................................................. 9 Firewall Overview ................................................................................................................................... 10 Platform Requirements....................................................................................................................... 10 License Requirements........................................................................................................................ 10 Supported Features ................................................................................................................................ 11 Protection against Denial-of-Service Attacks ..................................................................................... 11 Types of Denial-of-Service Attacks ................................................................................................ 11 Protection against Port Scanning .................................................................................................. 13 Application-level Gateway Support .................................................................................................... 14 PPTP ALG Support ........................................................................................................................ 14 TFTP ALG Support ........................................................................................................................ 15 Stateful Packet Inspection and Filtering Support ............................................................................... 15 Stateless Packet Inspection and Filtering Support ............................................................................ 15 Host Pool, IMSI Pool, and Port Map Support ..................................................................................... 16 Host Pool Support .......................................................................................................................... 16 IMSI Pool Support .......................................................................................................................... 16 Port Map Support ........................................................................................................................... 16 Port Control Protocol Support ............................................................................................................ 16 Bulk Statistics Support ................................................................................................................... 17 Flow Recovery Support ...................................................................................................................... 18 SNMP Thresholding Support ............................................................................................................. 19 Logging Support ................................................................................................................................. 19 How Personal Stateful Firewall Works ................................................................................................... 20 Disabling Firewall Policy .................................................................................................................... 20 Mid-session Firewall Policy Update ................................................................................................... 21 How it Works ...................................................................................................................................... 21 Understanding Rules with Stateful Inspection ........................................................................................ 25 Connection State and State Table in Personal Stateful Firewall ....................................................... 26 Transport and Network Protocols and States ................................................................................ 26 Application-Level Traffic and States .............................................................................................. 27 Personal Stateful Firewall Configuration ....................................................... 29 Before You Begin ................................................................................................................................... 30 Configuring the System .......................................................................................................................... 31 Configuring Stateful Firewall................................................................................................................... 32 Enabling the ECS Subsystem and Creating the ECS Service ........................................................... 33 Configuring Port Maps........................................................................................................................ 33 Configuring Host Pools....................................................................................................................... 33 Configuring IMSI Pools....................................................................................................................... 34 Configuring Access Ruledefs ............................................................................................................. 34 Configuring Server IP Address ...................................................................................................... 35 Cisco ASR 5000 Personal Stateful Firewall Administration Guide ▄ iii ▀ Contents Configuring Firewall-and-NAT Policies ............................................................................................... 36 Configuring Protection from DoS and Other Attacks .......................................................................... 36 Configuring Server Protection Support for Uplink flows ................................................................. 39 Configuring Maximum Number of Servers to Track for DoS Attacks ............................................ 40 Configuring Action on Packets Dropped by Stateful Firewall ........................................................ 40 Configuring Dynamic Pinholes/ALGs ................................................................................................. 40 Creating Routing Ruledefs ............................................................................................................. 40 Configuring Routing Ruledefs in the Rulebase .............................................................................. 41 Configuring SIP ALG Parameters .................................................................................................. 41 Enabling Stateful Firewall Support for APN/Subscribers ................................................................... 42 Enabling Stateful Firewall for APN ................................................................................................. 42 Enabling Stateful Firewall for Subscribers ..................................................................................... 42 Enabling IPv4/IPv6 Stateful Firewall for Subscribers ..................................................................... 42 Configuring Default Firewall-and-NAT Policy ..................................................................................... 43 Configuring PCP Service .................................................................................................................... 43 Configuring PCP Service and PCP Policy Control......................................................................... 43 Enable/Disable PCP Service in Rulebase ..................................................................................... 44 Configuring Stateful Firewall Thresholds ............................................................................................ 44 Enabling Thresholds ...................................................................................................................... 44 Configuring Threshold Poll Interval ................................................................................................ 45 Configuring Threshold Limits ......................................................................................................... 45 Configuring Bulk Statistics Schema ................................................................................................... 45 Configuring Flow Recovery ................................................................................................................ 46 Optional Configurations .......................................................................................................................... 47 Changing Stateful Firewall Policy in Mid-session ............................................................................... 47 Configuring Stateless Firewall ............................................................................................................ 47 Gathering Stateful Firewall Statistics ...................................................................................................... 49 Managing Your Configuration ................................................................................................................. 50 Sample Personal Stateful Firewall Configuration ........................................ 53 ▄ Cisco ASR 5000 Personal Stateful Firewall Administration Guide iv About this Guide This document pertains to the features and functionality that run on and/or that are related to the Cisco® ASR 5000 Chassis. Cisco ASR 5000 Personal Stateful Firewall Administration Guide ▄ v About this Guide ▀ Conventions Used Conventions Used The following tables describe the conventions used throughout this documentation. Icon Notice Type Description Information No teProvides information about important features or ins tructions. Cautio n Alerts you of potential damage to a program, device, or system. Warnin g Alerts you of potential personal injury or fatality. May also alert you of potential ele ctrical hazards. Typeface Conventions Description Text represented as a screen This typeface represents displays that appear on your terminal screen, for example: display Login: Text represented as commands This typeface represents commands that you enter, for example: show ip access-list This document always gives the full form of a command in lowercase letters. Commands are not case sensitive. Text represented as a command This typeface represents a variable that is part of a command, for example: variable show card slot_number slot_number is a variable representing the desired chassis slot number. Text represented as menu or sub- This typeface represents menus and sub-menus that you access within a software menu names application, for example: Click the File menu, then click New ▄ Cisco ASR 5000 Personal Stateful Firewall Administration Guide vi About this Guide Contacting Customer Support ▀ Contacting Customer Support Use the information in this section to contact customer support. Refer to the support area of http://www.cisco.com for up-to-date product documentation or to submit a service request. A valid username and password are required to access this site. Please contact your Cisco sales or service representative for additional information. Cisco ASR 5000 Personal Stateful Firewall Administration Guide ▄ vii About this Guide ▀ Additional Information Additional Information Refer to the following guides for su pplemental information about the system:  Cisco ASR 5000 Installation Guide  Cisco ASR 5000 System Administration Guide  Cisco ASR 5x00 Command Line Interface Reference  Cisco ASR 5x00 Thresholding Configuration Guide  Cisco ASR 5x00 SNMP MIB Reference  StarOS IP Security (IPSec) Reference  Web Element Manager Installation and Administration Guide  Cisco ASR 5x00 AAA Interface Administration and Reference  Cisco ASR 5x00 GTPP Interface Administration and Reference  Cisco ASR 5x00 Release Change Reference  Cisco ASR 5x00 Statistics and Counters Reference  Cisco ASR 5x00 Gateway GPRS Support Node Administration Guide  Cisco ASR 5x00 HRPD Serving Gateway Administration Guide  Cisco ASR 5000 IP Services Gateway Administration Guide  Cisco ASR 5x00 Mobility Management Entity Ad ministration Guide  Cisco ASR 5x00 Packet Data Network Gateway Administration Guide  Cisco ASR 5x00 Packet Data Serving Node Administration Guide  Cisco ASR 5x00 System Architecture Evolution Gateway Administration Guide  Cisco ASR 5x00 Serving GPRS Support No de Administration Guide  Cisco ASR 5x00 Serving Gateway Administration Guide  Cisco ASR 5000 Session Control Manager Administration Guide  Cisco ASR 5000 Packet Data Gateway/Tunnel Termination Gateway Administration Guide  Release notes that accompany updates and upgrades to the StarOS for your service and platform ▄ Cisco ASR 5000 Personal Stateful Firewall Administration Guide viii Chapter 1 Personal Stateful Firewall Overview This chapter provides an overview of the Personal Statef ul Firewall In-line Service. This chapter covers the following topics:  Firewall Overview  Supported Features  How Personal Stateful Firewall Works  Understanding Firewall Rules with Stateful Inspection Cisco ASR 5000 Personal Stateful Firewall Administration Guide ▄ 9 Personal Stateful Firewall Overview ▀ Firewall Overview Firewall Overview The Personal Stateful Firewall is an in -line service feature that inspects subscriber traffic and performs IP session -based access control of individual subscriber sessions to protect the subscribers fro m malicious security attacks. The Personal Stateful Firewall in -line service works in conjuction with the following products:  GGSN  HA  IPSG  PDSN  P-GW The Personal Stateful Firewall supports stateless and stateful inspection and filtering based on the configuration. In stateless inspection, the firewall inspects a packet to determine the 5-tuple—source and destination IP addresses and ports, and protocol—information contained in the packet. This static information is then compared against configurable rules to determine whether to allow or drop the packet. In stateless inspection the firewall examines each packet individually, it is unaware of the packets that have passed through before it, and has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is a rogue packet. In stateful inspection, the firewall not only inspects packets up through the application layer / layer 7 determining a packet's header information and data content, but also monitors and keeps track of the connection's state. For all active connections traversing the firewall, the state information, which may include IP addresses and ports involved, the sequence numbers and acknowledgement numbers of the packets traversing the connection, TCP packet flags, etc. is maintained in a state table. Filtering decisions are based not only on rules but also on the connection state established by prior packets on that connection. This enables to prevent a variety of DoS, DDoS, and other security violations. Once a connection is torn down, or is timed out, its entry in the state table is discarded. For more information see the Connection State and State Table in Personal Stateful Firewall section. The Enhanced Charging Service (ECS) / Active Charging Service (ACS) in-line service is the primary vehicle that performs packet inspection and charging. For more information on ECS, see the Enhanced Charging Service Administration Guide. Platform Requirements The Personal Stateful Firewall in-line service runs on a Cisco® ASR 5x00 chassis running StarOS. The chassis can be configured with a variety of components to meet specific network deployment requirements. For additional information, refer to the Installation Guide for the chassis and/or contact your Cisco account representative. License Requirements The Personal Stateful Firewall is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide. ▄ Cisco ASR 5000 Personal Stateful Firewall Administration Guide 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.