CertCities.com -- The Ultimate Site for Certified IT Professionals
Link State Update
Eric Quinn


 The NBAR Defense
Using Network Based Application Recognition to block (and log) the worm invasion.
by Eric Quinn, courtesy of TCPMag.com
10/31/2001 -- Code Red and Nimda have spurred interest in filtering packets containing hazardous data before they ever enter the network. But what's the best tool for accomplishing this?

While many people understand how Access Control Lists (ACLs) work, ACLs can't look inside packets for bad data. A PIX can examine several applications for certain contents; but while it can check HTTP traffic for the presence of Java or ActiveX and filter the packets, there is no setting for worms. Intrusion detection equipment can be configured to look for packets that contain worms and, when one is detected, have a router filter the connection; however, in order for the IDS sensor to detect the worm, the packet has to get inside the network -- something we want to avoid.

This is where Network Based Application Recognition (NBAR) comes in. NBAR, first introduced in experimental versions of IOS v12.1, is a "classification engine" designed to analyze packets for Quality of Service purposes. It's an ideal solution for filtering worm packets, although you'll want to avoid code versions earlier than 12.1(5)T.

Implementing NBAR
The first thing you need to do is decide what type of traffic you want to deny. In the case of Code Red and Nimda, we want to block HTTP requests whose URL contains the strings these worms use. We don't want to filter every URL though, just incoming requests for certain URLs. To do this, filter requests for ".ida", "cmd.exe", "root.exe" and "readme.eml". You need to build all of this into a class map like so:

Router(config)#class-map match-any worms
Router(config-cmap)#match protocol http url "*.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"
Router(config-cmap)#match protocol http url "*readme.eml*"

Notice the asterisks before and after each of the strings we're looking for. By doing this, we can find the given string in the middle of other text.

Once we've figured out what we want to look for, we need to tell the router what to do with this traffic once it finds it -- i.e., create a policy map that routes very specific traffic to a given destination. We could route this traffic directly to null0, but I prefer to have some sort of indication that these requests are being made. In order to log this info, we need to be a bit trickier. The class "worms" is the one we defined above in the "class-map" configuration. The command "set ip dscp 1" sets a marker in the IP header to a value that isn't likely to be seen in most networks. If your network has complex QoS, I recommend that you use a DSCP number not already in use. If you haven't implemented QoS, there's nothing to worry about.

Router(config)#policy-map worm-requests
Router(config-pmap)#class worms
Router(config-pmap-c)#set ip dscp 1

We'll configure an access list to log whenever we block the offending traffic. We want to deny any traffic that has the DSCP set to 1 and log that this was done.

Router(config)#access-list 100 deny ip any any dscp 1 log
Router(config)#access-list 100 permit ip any any

Finally, we need to apply the access list to the interfaces we don't want the traffic leaving from.

Router(config)#interface ethernet 0/0
Router(config-if)#ip access-group 100 out

Note that you will need to enable Cisco Express Forwarding (CEF) in order to make use of NBAR.
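The snippets above are shown one configuration mode at a time. The following is an added example, not the article's own configuration, that puts the whole filter together in running-config form. It assumes Ethernet0/1 faces the Internet and Ethernet0/0 faces the web servers (both interface roles are assumptions), and it includes the one step the snippets above do not show: attaching the policy map to an interface with "service-policy". Without that line the class map is never consulted, no packet is ever marked with DSCP 1, and access list 100 denies nothing.

```cisco
! Added example (not from the article): complete NBAR worm filter.
! Assumed topology: Ethernet0/1 = Internet side, Ethernet0/0 = server side.
!
! NBAR requires Cisco Express Forwarding.
ip cef
!
! Classify HTTP requests whose URL contains any of the worm strings.
! The leading/trailing asterisks let the string match anywhere in the URL.
class-map match-any worms
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
! Mark matching packets with DSCP 1 (choose a value your QoS design does not use).
policy-map worm-requests
 class worms
  set ip dscp 1
!
! Deny and log anything carrying DSCP 1; permit everything else.
access-list 100 deny ip any any dscp 1 log
access-list 100 permit ip any any
!
! Attach the policy map INBOUND on the Internet-facing interface.
! This is the step the article's snippets omit; marking happens here.
interface Ethernet0/1
 service-policy input worm-requests
!
! Drop the marked packets OUTBOUND toward the servers, logging each hit.
interface Ethernet0/0
 ip access-group 100 out
```

Two caveats follow from the design. Any packet that arrives from upstream already carrying DSCP 1 will also be dropped by access list 100, which is why the DSCP value must be one that never appears legitimately on your links. And the "log" keyword sends the first matching packet to syslog and then a periodic summary, so the log shows that blocking is happening and from where, not a complete per-packet record.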

Design Considerations
The design issues for this are simple: implementing it will soak up a large amount of available processor time. If you are currently running at greater than 40 percent processor utilization, I recommend extreme caution. You may wish to place a router in your network just for the purpose of measuring how much of a processing hit your perimeter router would take.
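As an added example (not from the article), these are the commands a practitioner would use to confirm the filter is actually classifying and dropping traffic, and to measure the CPU cost the paragraph above warns about. The interface names Ethernet0/1 (Internet side) and Ethernet0/0 (server side) are assumptions carried over from the topology above, and the syslog line shown is constructed with documentation addresses to illustrate the format.

```cisco
! Added example (not from the article): verification and CPU measurement.
!
! 1. Confirm CEF is enabled; NBAR classification does not run without it.
show ip cef summary
!
! 2. Per-class counters for the inbound policy. The "worms" class should show
!    packet/byte counts climbing while a scanner is hitting the site. Zero
!    counts usually mean the service-policy was never applied or CEF is off.
show policy-map interface Ethernet0/1
!
! 3. Hit counts on the outbound deny entry. Each logged hit appears in syslog as
!    a %SEC-6-IPACCESSLOGP line; constructed example of the format:
!    %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(1043) -> 198.51.100.5(80), 1 packet
show access-lists 100
show logging
!
! 4. Processor load. Record a baseline BEFORE attaching the service-policy,
!    then compare after; the article advises caution above 40 percent.
show processes cpu
```

Run the CPU check first on a spare router carrying a copy of the perimeter traffic, as the paragraph suggests, so the measurement does not itself push the production router over the line.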


Eric Quinn, CCNP, CCDP, CCSI, is a security instructor and consultant. He is also co-author of the CCNP Remote Access Exam Cram by Coriolis Press. He writes the “Link State Update” column for TCPmag.com, and is a contributing editor for CertCities.com. Reach him at .

There are 22 CertCities.com user Comments for “The NBAR Defense”
Page 1 of 3
2/13/02: Brian says: Is NBAR ready for prime time? I'm not so sure. I implemented NBAR several months ago using a method not mentioned here, QoS policing, because Cisco docs say it has the least impact on the CPU. You give up source logging, but if you're mostly worried about stopping the traffic it's easier on the router itself. The only problem is, while it seems to have stopped SadMind and CodeRed dead in their tracks, some Nimda scans are still getting through -- as seen in my HTTP server logs. Showing the policy results on the router, at least some of the ".ida" traffic is being caught. But the majority is still getting through. I'm working with Cisco on this right now, but their suggestions so far have been disappointing: they'll point me to some doc from which they've pulled a small piece of config I should try, but a more complete reading of the doc shows that their suggestions will not work. I get the feeling that they're grasping for straws at this point. Has anyone else had a similar experience with NBAR?
3/26/02: vivaek from nashik (India) says: sir, give me information about CCNA exam. papers in india
8/5/03: Oliver says: This article has some substantial technical flaws. Whilst it correctly classifies and marks the code-red packets, it doesn't apply a service policy, which means that no packets get marked with dscp 1 and hence your access-list doesn't deny anything! It's missing the following lines: Router(config)# interface Ethernet 0/1 Router(config-if)#service-policy input worm-requests
12/3/03: Ben from UK says: I have implemented NBAR on a test network and I have found something very strange. It seems that with IP CEF turned on, the NBAR becomes useless. When IP CEF is turned off, the NBAR does its job very well. Anyone had this experience??
12/9/03: Jeff Lumkin from Australia says: RE: Ben's last comment : re CEF. NBAR will not work without CEF Enabled.
12/10/03: Ben Horner from UK says: Hmm - it's very odd then, because something is making the network run much better. Would it be possible for me to send you my config? [email protected] (remove the NOSPAM) Thanks
12/10/03: Anonymous says: I think the best defence is automated system patching. People think system patching is too hard, but the alternatives do not look better. It is less reliable to rely on a network requirement to block worms. I think the system administrators should grow up and maintain their systems appropriately. Use SMS, SUS, WindowsUpdate, login scripts, ... I would never ask my system administrators to compensate for a network issue.
5/1/04: best muchenje from zimbabwe says: At the moment I am experiencing problems due scene and denial of attacks by viruses and worms, especially netsky. I am not really sure of the particular type of packets I should block so that I can effectively protect my network from any such attack in future. Please assist.
9/19/05: Anonymous says: for you