Cisco Column, Thursday, August 21, 2003


Link State Update -- Eric Quinn

 The NBAR Defense
Using Network Based Application Recognition to block (and log) the worm invasion.
by Eric Quinn, courtesy of TCPMag.com
10/31/2001 -- Code Red and Nimda have spurred interest in filtering packets containing hazardous data before they ever enter the network. But what's the best tool for accomplishing this?

While many people understand how Access Control Lists (ACLs) work, ACLs can't look inside packets for bad data. A PIX can examine several applications for certain contents: it can check HTTP traffic for the presence of Java or ActiveX and filter those packets, but there is no setting for worms. Intrusion detection equipment can be configured to look for packets that contain worms and, when one is detected, have a router filter the connection; however, for the IDS sensor to detect the worm, the packet has to get inside the network first -- exactly what we want to avoid.

This is where Network Based Application Recognition (NBAR) comes in. NBAR, first introduced in experimental versions of IOS v12.1, is a "classification engine" designed to analyze packets for Quality of Service purposes. It's an ideal solution for filtering worm packets, although you'll want to avoid code versions earlier than 12.1(5)T.

Implementing NBAR
The first thing you need to do is decide what type of traffic you want to deny. In the case of Code Red and Nimda, we want to drop HTTP requests for particular URLs. We don't want to filter every URL, though, just incoming requests for certain ones. To do this, filter requests whose URL contains ".ida," "cmd.exe," "root.exe" or "readme.eml." You need to build all of this into a class map like so:

Router(config)#class-map match-any worms
Router(config-cmap)#match protocol http url "*.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"
Router(config-cmap)#match protocol http url "*readme.eml*"

Notice the asterisks before and after each of the strings we're looking for. They are wildcards, so the given string is matched anywhere within the URL, not just at its beginning or end.

Once we've figured out what we want to look for, we need to tell the router what to do with this traffic once it finds it -- i.e., create a policy map that will route very specific traffic to a given destination. We could route this traffic directly to null0, but I prefer to have some sort of indication that these requests are being made. In order to log this info, we need to be a bit trickier. The class "worms" referenced in the policy map below is the class map we built above. The command "set ip dscp 1" sets a marker in the IP header to a value that isn't likely to be seen in most networks. If your network has complex QoS, I recommend that you use a DSCP number not already in use. If you haven't implemented QoS, there's nothing to worry about.

Router(config)#policy-map worm-requests
Router(config-pmap)#class worms
Router(config-pmap)#set ip dscp 1

We'll configure an access list to log whenever we block the offending traffic. We want to deny any traffic that has the DSCP set to 1 and log that this was done.

Router(config)#access-list 100 deny ip any any dscp 1 log
Router(config)#access-list 100 permit ip any any

Finally, we need to apply the access list outbound on the interfaces we don't want the traffic leaving from.

Router(config)#interface ethernet 0/0
Router(config-if)#ip access-group 100 out

Note that you will need to enable Cisco Express Forwarding (CEF) in order to make use of NBAR.
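The article's pieces assembled into one configuration, as an added example rather than the article's own listing; it adds the service-policy binding the article does not show (a reader comment below points out the omission), without which the policy map never marks anything and the access list never denies anything. Interface names and descriptions are assumptions: Ethernet0/1 is taken to be the outside interface where requests arrive and Ethernet0/0 the inside interface toward the web servers.

```cisco
! Added example: complete NBAR worm filter, assembled from the article.
! NBAR requires CEF.
ip cef
!
! Classify: match-any, so a request hitting any one URL pattern is in the class.
class-map match-any worms
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
! Mark: tag matching packets with DSCP 1 (pick a value unused by your QoS design).
policy-map worm-requests
 class worms
  set ip dscp 1
!
! Drop and log anything carrying the marker; let everything else through.
access-list 100 deny   ip any any dscp 1 log
access-list 100 permit ip any any
!
! Binding the policy to an interface is the step the article leaves out.
! Interface roles are assumptions.
interface Ethernet0/1
 description Outside (assumed): classify and mark requests as they arrive
 service-policy input worm-requests
!
interface Ethernet0/0
 description Inside (assumed): marked packets are denied and logged on the way out
 ip access-group 100 out
```

"show policy-map interface Ethernet0/1" reports per-class packet counts and "show access-lists 100" reports deny hits, so you can confirm that both the marking and the filtering halves are working.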

Design Considerations
The design issues for this are simple: Implementing it will soak up a large amount of available processor time. If you are currently running at greater than 40 percent processor utilization, I recommend extreme caution. You may wish to place a router in your network just for the purpose of monitoring how much of a processing hit your perimeter router would take.


Eric Quinn, CCNP, CCDP, CCSI, is a security instructor and consultant. He is also co-author of the CCNP Remote Access Exam Cram by Coriolis Press. He writes the “Link State Update” column for TCPmag.com, and is a contributing editor for CertCities.com. Reach him at .

Current CertCities.com user Comments for "The NBAR Defense"
2/13/02 - Brian  says: Is NBAR ready for prime time? I'm not so sure. I implemented NBAR several months ago using a method not mentioned here, QoS policing, because Cisco docs say it has the least impact on the CPU. You give up source logging, but if you're mostly worried about stopping the traffic it's easier on the router itself. The only problem is, while it seems to have stopped SadMind and CodeRed dead in their tracks, some Nimda scans are still getting through -- as seen in my HTTP server logs. Showing the policy results on the router, at least some of the ".ida" traffic is being caught. But the majority is still getting through. I'm working with Cisco on this right now, but their suggestions so far have been disappointing: they'll point me to some doc from which they've pulled a small piece of config I should try, but a more complete reading of the doc shows that their suggestions will not work. I get the feeling that they're grasping for straws at this point. Has anyone else had a similar experience with NBAR?
3/26/02 - vivaek from Nashik (India) says: Sir, give me information about CCNA exam papers in India.
8/5/03 - Oliver says: This article has some substantial technical flaws. Whilst it correctly classifies and marks the Code Red packets, it doesn't apply a service policy, which means that no packets get marked with DSCP 1 and hence your access list doesn't deny anything! It's missing the following lines:

Router(config)#interface Ethernet 0/1
Router(config-if)#service-policy input worm-requests
All content copyright 2000-03 101communications LLC, unless otherwise noted. All rights reserved.