CCIE Pursuit Blog

August 2, 2008

Internetwork Expert Volume II: Lab 3 – Section 9

Section 9 – Security – 6 Points

9.1 Traffic Filtering

“Configure r6 so that it only allows TCP, UDP, and ICMP traffic in from BB1 if it was originated from behind R6.”

“Ensure that users behind r6 can still traceroute to hosts beyond the Frame Relay cloud.”

Confusing wording, but I think that it means that you need to filter traffic from BB1 so that it only allows TCP, UDP, and ICMP responses from devices behind r6 – but not r6.  This sounds like a reflexive ACL.

This is the type of task that I would probably skip in the actual lab.  I really don’t want to fuck up my connection to a backbone router to get 3 points in Security.  There’s an excellent breakdown for this task.  I’d still skip it though.  🙂
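For reference, this is one way the 9.1 task could be built with a reflexive ACL on R6; it is an added example, not from the post or the IE solution guide, and it assumes the Frame Relay interface facing BB1 is Serial0/0 and the ACL names OUTBOUND, INBOUND and REFLECT (none of which the post gives).

```cisco
! Assumption: R6 reaches BB1 over Serial0/0 (interface name not given in the post).
! Outbound sessions from behind R6 create reflexive entries; traffic R6 itself
! originates is not subject to the outbound ACL, so it creates none ("but not r6").
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECT
 permit udp any any reflect REFLECT
 permit icmp any any reflect REFLECT
 permit ip any any
!
ip access-list extended INBOUND
 ! IOS traceroute sends UDP probes but the replies are ICMP, which the
 ! UDP-keyed reflexive entries will not match, so permit them explicitly.
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 ! If BB1 initiates a routing-protocol session toward R6 (e.g. BGP on TCP 179),
 ! add an explicit permit for it here or the peering will break.
 evaluate REFLECT
 deny ip any any
!
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Verify with "show access-list REFLECT" after sourcing a ping and a traceroute from a router behind R6; the reflexive entries should appear and age out with the default timeout.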

9.2 DOS Prevention

Argh!!!  I am SO weak in Security.

“…configure r4 to send a TCP reset to the webserver (136.1.4.100) for any TCP sessions that fail to reach the established state after 15 seconds.”

All I’m sure of in this task is that I’m going to be configuring fa0/0 on r4.

A quick look through the 12.4 Security Configuration Guide yields this document:

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

It looks like I need an ACL for traffic to the server:

r4(config)#access-list 192 perm tcp any host 136.1.4.100

Then it’s just a matter of picking the correct configuration items:

r4(config)#ip tcp intercept ?
  connection-timeout  Specify timeout for connection info
  drop-mode           Specify incomplete connection drop mode
  finrst-timeout      Specify timeout for FIN/RST
  list                Specify access-list to use
  max-incomplete      Specify maximum number of incomplete connections before
                      clamping
  mode                Specify intercepting mode
  one-minute          Specify one-minute-sample watermarks for clamping
  watch-timeout       Specify timeout for incomplete connections in watch mode

The task asks us to send a TCP reset, so that decides the TCP intercept mode that we will use:

The TCP intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.

In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with a SYN-ACK, then waits for an ACK from the client. When that ACK is received, the original SYN is sent to the server and the software performs a three-way handshake with the server. When this is complete, the two half-connections are joined.

In watch mode, connection requests are allowed to pass through the router to the server but are watched until they become established. If they fail to become established within 30 seconds (configurable with the ip tcp intercept watch-timeout command), the software sends a Reset to the server to clear up its state.

r4(config)#ip tcp intercept mode ?
  intercept  Intercept connections
  watch      Watch connections

r4(config)#do sh run | i list 192|ip tcp
ip tcp intercept list 192
ip tcp intercept watch-timeout 15
ip tcp intercept mode watch
!
access-list 192 permit tcp any host 136.1.4.100

1 Comment »

  1. Good idea to attack services, security, etc. I heard rumours that all of them together could end up making 10-15 points of the exam!

    Comment by Giorgio P. — August 3, 2008 @ 1:20 am | Reply
