Cisco IOS Firewall-SIP Enhancements ALG and AIC PDF

22 Pages·2016·1.38 MB·English

Cisco IOS Firewall-SIP Enhancements ALG and AIC

Enhanced Session Initiation Protocol (SIP) inspection in the Cisco IOS firewall provides basic SIP inspect functionality (SIP packet inspection and pinhole opening) as well as protocol conformance and application security. These enhancements give you more control than in previous releases on what policies and security checks to apply to SIP traffic and the capability to filter out unwanted messages or users.

The development of additional SIP functionality in Cisco IOS software provides increased support for Cisco CallManager (CCM), Cisco CallManager Express (CCME), and Cisco IP-IP Gateway based voice/video systems. Application Layer Gateway (ALG) and Application Inspection and Control (AIC) SIP enhancements also support RFC 3261 and its extensions.

• Finding Feature Information, page 1
• Prerequisites for Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 2
• Restrictions for Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 2
• Information About Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 3
• How to Configure Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 4
• Configuration Examples for Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 20
• Additional References, page 20
• Feature Information for Cisco IOS Firewall-SIP Enhancements ALG and AIC, page 21

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T

Prerequisites for Cisco IOS Firewall-SIP Enhancements ALG and AIC

The following prerequisites apply to the configuration of Cisco IOS Firewall--SIP Enhancements: ALG and AIC.

Hardware Requirements
• One of the following router platforms:
  • Cisco 861, Cisco 881, or Cisco 881G routers
  • Cisco 1700 routers
  • Cisco 1800 routers
  • Cisco 2600 routers
  • Cisco 2800 routers
  • Cisco 3700 routers
  • Cisco 3800 routers
  • Cisco 7200 routers
  • Cisco 7300 routers

Software Requirements
• Cisco IOS Release 12.4(15)XZ or a later release.

Restrictions for Cisco IOS Firewall-SIP Enhancements ALG and AIC

DNS Name Resolution
Although SIP methods can have Domain Name System (DNS) names instead of raw IP addresses, this feature currently does not support DNS names.

Earlier Releases of Cisco IOS Software
Some Cisco IOS releases earlier than Release 12.4(15)XZ may accept the configuration commands for SIP that are shown in this document; however, those earlier versions will not function properly.

Information About Cisco IOS Firewall-SIP Enhancements ALG and AIC

Firewall and SIP Overviews
This section provides an overview of the Cisco IOS firewall and SIP.

Cisco IOS Firewall
The Cisco IOS firewall extends the concept of static access control lists (ACLs) by introducing dynamic ACL entries that open on the basis of the necessary application ports on a specific application and close these ports at the end of the application session. The Cisco IOS firewall achieves this functionality by inspecting the application data, checking for conformance of the application protocol, extracting the relevant port information to create the dynamic ACL entries, and closing these ports at the end of the session. The Cisco IOS firewall is designed to easily allow a new application inspection whenever support is needed.

Session Initiation Protocol
SIP is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions could include Internet telephone calls, multimedia distribution, and multimedia conferences. SIP is based on an HTTP-like request/response transaction model. Each transaction consists of a request that invokes a particular method or function on the server and at least one response.

SIP invitations used to create sessions carry session descriptions that allow participants to agree on a set of compatible media types. SIP makes use of elements called proxy servers to help route requests to the user's current location, authenticate and authorize users for services, implement provider call-routing policies, and provide features to users. SIP also provides a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several different transport protocols.

Firewall for SIP Functionality Description
The Firewall for SIP Support feature allows SIP signaling requests to traverse directly between gateways or through a series of proxies to the destination gateway or phone. After the initial request, if the Record-Route header field is not used, subsequent requests can traverse directly to the destination gateway address as specified in the Contact header field. Thus, the Cisco IOS firewall is aware of all surrounding proxies and gateways and allows the following functionality:
• SIP signaling responses can travel the same path as SIP signaling requests.
• Subsequent signaling requests can travel directly to the endpoint (destination gateway).
• Media endpoints can exchange data between each other.

SIP UDP and TCP Support
RFC 3261 is the current RFC for SIP, which replaces RFC 2543. This feature supports the SIP User Datagram Protocol (UDP) and the TCP format for signaling.

SIP Inspection
This section describes the deployment scenarios supported by the Cisco IOS Firewall--SIP, ALG, and AIC Enhancements feature.

Cisco IOS Firewall Between SIP Phones and CCM
The Cisco IOS firewall is located between CCM or CCME and SIP phones. SIP phones are registered to CCM or CCME through the firewall, and any SIP calls from or to the SIP phones pass through the firewall.

Cisco IOS Firewall Between SIP Gateways
The Cisco IOS firewall is located between two SIP gateways, which can be CCM, CCME, or a SIP proxy. Phones are registered with SIP gateways directly. The firewall sees the SIP session or traffic only when there is a SIP call between phones registered to different SIP gateways. In some scenarios an IP-IP gateway can also be configured on the same device as the firewall. In this scenario all the calls between the SIP gateways are terminated in the IP-IP gateway.

Cisco IOS Firewall with Local CCME and Remote CCME/CCM
The Cisco IOS firewall is located between two SIP gateways, which can be CCM, CCME, or a SIP proxy. One of the gateways is configured on the same device as the firewall. All the phones registered to this gateway are locally inspected by the firewall. The firewall also inspects SIP sessions between the two gateways when there is a SIP call between them. In this scenario the firewall locally inspects SIP phones on one side and SIP gateways on the other side.

Cisco IOS Firewall with Local CCME
The Cisco IOS firewall and CCME are configured on the same device. All the phones registered to the CCME are locally inspected by the firewall. Any SIP call between any of the registered phones will also be inspected by the Cisco IOS firewall.

How to Configure Cisco IOS Firewall-SIP Enhancements ALG and AIC

Configuring a Policy to Allow RFC 3261 Methods

Perform this task to configure a policy to allow basic RFC 3261 methods and block extension methods.

Note: The Cisco IOS Firewall--SIP Enhancements: ALG and AIC feature provides essential support for the new SIP methods such as UPDATE and PRACK, as CCM 5.x and CCME 4.x also use these methods.

SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type inspect protocol-name match-any class-map-name
4. match request method method-name
5. exit
6. class-map type inspect protocol-name match-any class-map-name
7. match request method method-name
8. exit
9. policy-map type inspect protocol-name policy-map-name
10. class type inspect protocol-name class-map-name
11. allow
12. exit
13. class type inspect protocol-name class-map-name
14. reset
15. exit

DETAILED STEPS

Step 1  enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example: Router> enable

Step 2  configure terminal
  Purpose: Enters global configuration mode.
  Example: Router# configure terminal

Step 3  class-map type inspect protocol-name match-any class-map-name
  Purpose: Creates an inspect type class map and enters class-map configuration mode.
  Example: Router(config)# class-map type inspect sip match-any sip-class1

Step 4  match request method method-name
  Purpose: Matches RFC 3261 methods. Methods include the following: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, update.
  Example: Router(config-cmap)# match request method invite

Step 5  exit
  Purpose: Exits class-map configuration mode.
  Example: Router(config-cmap)# exit

Step 6  class-map type inspect protocol-name match-any class-map-name
  Purpose: Creates an inspect type class map and enters class-map configuration mode.
  Example: Router(config)# class-map type inspect sip match-any sip-class2

Step 7  match request method method-name
  Purpose: Matches RFC 3261 methods, which include the following: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, update.
  Example: Router(config-cmap)# match request method message

Step 8  exit
  Purpose: Exits class-map configuration mode.
  Example: Router(config-cmap)# exit

Step 9  policy-map type inspect protocol-name policy-map-name
  Purpose: Creates an inspect type policy map and enters policy-map configuration mode.
  Example: Router(config)# policy-map type inspect sip sip-policy

Step 10  class type inspect protocol-name class-map-name
  Purpose: Specifies the class on which the action is performed and enters policy-map class configuration mode.
  Example: Router(config-pmap)# class type inspect sip sip-class1

Step 11  allow
  Purpose: Allows SIP inspection.
  Example: Router(config-pmap-c)# allow

Step 12  exit
  Purpose: Exits policy-map class configuration mode.
  Example: Router(config-pmap-c)# exit

Step 13  class type inspect protocol-name class-map-name
  Purpose: Specifies the class on which the action is performed and enters policy-map class configuration mode.
  Example: Router(config-pmap)# class type inspect sip sip-class2

Step 14  reset
  Purpose: Resets the class map.
  Example: Router(config-pmap-c)# reset

Step 15  exit
  Purpose: Exits policy-map class configuration mode.
  Example: Router(config-pmap-c)# exit

Configuring a Policy to Block Messages

Perform this task to configure a policy to block SIP messages coming from a particular proxy device.

SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type regex parameter-map-name
4. pattern url-pattern
5. exit
6. class-map type inspect protocol-name class-map-name
7. match request header field regex regex-param-map
8. exit
9. policy-map type inspect protocol-name policy-map-name
10. class type inspect protocol-name class-map-name
11. reset
12. exit

DETAILED STEPS

Step 1  enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example: Router> enable

Step 2  configure terminal
  Purpose: Enters global configuration mode.
  Example: Router# configure terminal

Step 3  parameter-map type regex parameter-map-name
  Purpose: Configures a parameter-map type to match a specific traffic pattern and enters profile configuration mode.
  Example: Router(config)# parameter-map type regex unsecure-proxy

Step 4  pattern url-pattern
  Purpose: Matches a call based on the SIP uniform resource identifier (URI).
  Example: Router(config-profile)# pattern "compromised.server.com"

Step 5  exit
  Purpose: Exits profile configuration mode.
  Example: Router(config-profile)# exit

Step 6  class-map type inspect protocol-name class-map-name
  Purpose: Creates an inspect type class map and enters class-map configuration mode.
  Example: Router(config)# class-map type inspect sip sip-class

Step 7  match request header field regex regex-param-map
  Purpose: Configures a class-map type to match a specific request header pattern.
  Example: Router(config-cmap)# match request header Via regex unsecure-proxy

Step 8  exit
  Purpose: Exits class-map configuration mode.
  Example: Router(config-cmap)# exit

Step 9  policy-map type inspect protocol-name policy-map-name
  Purpose: Creates an inspect type policy map and enters policy-map configuration mode.
  Example: Router(config)# policy-map type inspect sip sip-policy

Step 10  class type inspect protocol-name class-map-name
  Purpose: Specifies the class on which the action is performed and enters policy-map class configuration mode.
  Example: Router(config-pmap)# class type inspect sip sip-class

Step 11  reset
  Purpose: Resets the class map.
  Example: Router(config-pmap-c)# reset

Step 12  exit
  Purpose: Exits policy-map class configuration mode.
  Example: Router(config-pmap-c)# exit

Configuring a 403 Response Alarm

Perform this task to configure a policy to generate an alarm whenever a 403 response is returned.

SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type regex parameter-map-name
4. pattern url-pattern
5. exit
6. class-map type inspect protocol-name class-map-name
7. match response status regex regex-parameter-map
8. exit
9. policy-map type inspect protocol-name policy-map-name
10. class type inspect protocol-name class-map-name
11. log
12. exit

DETAILED STEPS

Step 1  enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example: Router> enable

Step 2  configure terminal
  Purpose: Enters global configuration mode.
  Example: Router# configure terminal

Step 3  parameter-map type regex parameter-map-name
  Purpose: Configures a parameter-map type to match a specific traffic pattern and enters profile configuration mode.
  Example: Router(config)# parameter-map type regex allowed-im-users

Step 4  pattern url-pattern
  Purpose: Matches a call based on the SIP URI.
  Example: Router(config-profile)# pattern "403"

Step 5  exit
  Purpose: Exits profile configuration mode.
  Example: Router(config-profile)# exit

Step 6  class-map type inspect protocol-name class-map-name
  Purpose: Creates an inspect type class map and enters class-map configuration mode.
  Example: Router(config)# class-map type inspect sip sip-class

Step 7  match response status regex regex-parameter-map
  Purpose: Configures a class-map type to match a specific response pattern.
  Example: Router(config-cmap)# match response status regex allowed-im-users

Step 8  exit
  Purpose: Exits class-map configuration mode.
  Example: Router(config-cmap)# exit
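The three procedures above each build their own class maps and then define a Layer 7 policy map with the same name, sip-policy, so entering them one after another would leave only the last policy in effect. The consolidated configuration below is an added example, not a configuration from the Cisco guide; it combines the three policies into a single sip-policy using only the commands shown in the steps above. The parameter-map names (unsecure-proxy, allowed-im-users) and the sip-class1/sip-class2 names are taken from the guide's examples; the two class maps that the guide both calls sip-class are renamed here to sip-class-badproxy and sip-class-403 (names of my own choosing) so they do not collide. Attaching sip-policy to a Layer 4 inspect policy and a zone pair is not covered in this preview and is left out.

```cisco
! Regex parameter maps: one for the untrusted proxy name matched in the
! Via header, one for the "403" response status (names from the guide).
parameter-map type regex unsecure-proxy
 pattern "compromised.server.com"
 exit
parameter-map type regex allowed-im-users
 pattern "403"
 exit
!
! RFC 3261 methods to allow (match-any: any listed method matches).
class-map type inspect sip match-any sip-class1
 match request method invite
 match request method ack
 match request method bye
 match request method cancel
 match request method register
 match request method options
 exit
!
! Extension method to block (the guide's example uses MESSAGE).
class-map type inspect sip match-any sip-class2
 match request method message
 exit
!
! Requests whose Via header matches the untrusted proxy regex
! (renamed from the guide's sip-class to avoid a name collision).
class-map type inspect sip sip-class-badproxy
 match request header Via regex unsecure-proxy
 exit
!
! Responses whose status matches the 403 regex (renamed likewise).
class-map type inspect sip sip-class-403
 match response status regex allowed-im-users
 exit
!
! One Layer 7 SIP policy map carrying all three policies.
policy-map type inspect sip sip-policy
 class type inspect sip sip-class-badproxy
  reset
  exit
 class type inspect sip sip-class-403
  log
  exit
 class type inspect sip sip-class1
  allow
  exit
 class type inspect sip sip-class2
  reset
  exit
 exit
```

The reset class for the untrusted proxy is listed before the allow class on the assumption that classes in the policy map are evaluated in the order they are configured, so an INVITE relayed through the matched proxy is reset rather than allowed; if your release evaluates classes differently, verify the order with show policy-map type inspect before relying on it. The 403 class only logs, so a 403 response still passes and the alarm is visible in the firewall log.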
