Section 9 – Security – 6 Points
9.1 Traffic Filtering
“Configure r6 so that it only allows TCP, UDP, and ICMP traffic in from BB1 if it was originated from behind R6.”
“Ensure that users behind r6 can still traceroute to hosts beyond the Frame Relay cloud.”
Confusing wording, but I think that it means that you need to filter traffic from BB1 so that it only allows TCP, UDP, and ICMP responses from devices behind r6 – but not r6. This sounds like a reflexive ACL.
This is the type of task that I would probably skip in the actual lab. I really don’t want to fuck up my connection to a backbone router to get 3 points in Security. There’s an excellent breakdown for this task. I’d still skip it though. 🙂
9.2 DOS Prevention
Argh!!! I am SO weak in Security.
“…configure r4 to send a TCP reset to the webserver (184.108.40.206) for any TCP sessions that fail to reach the established state after 15 seconds.”
All I’m sure of in this task is that I’m going to be configuring fa0/0 on r4.
A quick look through the 12.4 Security Configuration Guide yields this document:
It looks like I need an ACL for traffic to the server:
r4(config)#access-list 192 perm tcp any host 220.127.116.11
Then it’s just a matter of picking the correct configuration items:
r4(config)#ip tcp intercept ?
connection-timeout Specify timeout for connection info
drop-mode Specify incomplete connection drop mode
finrst-timeout Specify timeout for FIN/RST
list Specify access-list to use
max-incomplete Specify maximum number of incomplete connections before
mode Specify intercepting mode
one-minute Specify one-minute-sample watermarks for clamping
watch-timeout Specify timeout for incomplete connections in watch mode
The task asks us to send a TCP reset, so that decides the TCP intercept mode that we will use:
The TCP intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.
In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with an SYN-ACK, then waits for an ACK from the client. When that ACK is received, the original SYN is sent to the server and the software performs a three-way handshake with the server. When this is complete, the two half-connections are joined.
In watch mode, connection requests are allowed to pass through the router to the server but are watched until they become established. If they fail to become established within 30 seconds (configurable with the ip tcp intercept watch-timeout command), the software sends a Reset to the server to clear up its state.
r4(config)#ip tcp intercept mode ?
intercept Intercept connections
watch Watch connections
r4(config)#do sh run | i list 192|ip tcp
ip tcp intercept list 192
ip tcp intercept watch-timeout 15
ip tcp intercept mode watch
access-list 192 permit tcp any host 18.104.22.168
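To make the watch-mode behaviour from the quoted docs concrete, here is an added simulation (not from the original post or from IOS) that replays constructed packet events through a tracker mimicking `ip tcp intercept mode watch` with a 15-second `watch-timeout` and the `access-list 192` match; the client addresses and timings are made up.

```python
"""Simulation of TCP intercept watch mode (added example, not from the post or IOS).

Connections matching 'access-list 192 permit tcp any host SERVER' are watched from
their SYN; any that have not completed the handshake within WATCH_TIMEOUT seconds
get a reset sent to the server, as the quoted documentation describes."""
from dataclasses import dataclass, field

SERVER = "184.108.40.206"  # web server address as given in the task text
WATCH_TIMEOUT = 15         # seconds, from 'ip tcp intercept watch-timeout 15'


@dataclass
class WatchTracker:
    pending: dict = field(default_factory=dict)  # (client, sport) -> time of SYN
    resets: list = field(default_factory=list)   # half-open connections reset

    @staticmethod
    def matches_list(proto, dst):
        # the watched traffic: tcp from any source to the server
        return proto == "tcp" and dst == SERVER

    def observe(self, t, proto, src, sport, dst, flags):
        """Feed one packet: (time, proto, src, sport, dst, set of TCP flags)."""
        self.expire(t)
        if not self.matches_list(proto, dst):
            return
        key = (src, sport)
        if flags == {"SYN"}:
            self.pending.setdefault(key, t)  # SYN retransmits keep the first time
        elif "ACK" in flags and key in self.pending:
            del self.pending[key]            # client's ACK: connection established

    def expire(self, now):
        """Record a reset (to the server) for anything still half-open past the timeout."""
        for key, started in list(self.pending.items()):
            if now - started >= WATCH_TIMEOUT:
                self.resets.append(key)
                del self.pending[key]


# Constructed traffic: one client completes the handshake, one never does,
# and two packets fall outside access-list 192 entirely.
EVENTS = [
    (0.0, "tcp", "10.1.1.1", 40000, SERVER, {"SYN"}),
    (0.1, "tcp", SERVER, 80, "10.1.1.1", {"SYN", "ACK"}),  # return traffic, not matched
    (0.2, "tcp", "10.1.1.1", 40000, SERVER, {"ACK"}),
    (1.0, "tcp", "10.2.2.2", 50000, SERVER, {"SYN"}),      # stays half-open
    (2.0, "udp", "10.3.3.3", 53, SERVER, set()),           # not TCP, ignored
    (3.0, "tcp", "10.4.4.4", 40001, "10.9.9.9", {"SYN"}),  # other host, ignored
]


def simulate(events, now):
    """Replay events, advance the clock to 'now', return the connections reset."""
    tracker = WatchTracker()
    for ev in events:
        tracker.observe(*ev)
    tracker.expire(now)
    return tracker.resets
```

Running `simulate(EVENTS, now=20.0)` returns `[('10.2.2.2', 50000)]`: only the connection that never completed its handshake is reset, and only once the 15-second window has passed.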