Ensure Network Safety with Centralized Logging : Page 7

Virus definitions often can't keep up with the rapid proliferation of Windows-based worms, letting them slip under your radar. How can you keep your network safe? Use the access lists on your routers along with a centralized logging database to help you quickly find and isolate infected hosts.

Setting Up the Access Lists
Now that you've got the syslog viewer operational, you need to configure an access list to help identify "interesting" traffic. You'll need a basic understanding of access lists to set them up. It helps a great deal to have a non-production router on which to test access lists before applying them to your production network.

An access list is simply a mechanism in a Cisco router for limiting access to network resources. Incoming packets are evaluated against a list of rules, and then accepted or rejected according to those rules. Cisco IOS has two types of access lists, standard and extended; extended access lists can match traffic on much more specific criteria than standard access lists can. After an access list is created, it is applied to either the incoming or the outgoing traffic on a given interface.

Be warned that adding these access lists WILL add some overhead on the router. That is still better than letting worm traffic overwork the router's CPU to the point where it stops routing packets altogether. In short, use them at your own risk; these are the access lists I use on my network, and they work fine for me.



Recently, a new variant of the Welchia worm has been making the rounds. Earlier versions of this worm would infect one host and then scan for other hosts to infect on port 135. Windows networking also uses port 445 for NetBios, and the authors of the new variant have made sure to cover that port as well.

You can create an access list to monitor for this traffic. Rules are evaluated from the top down. Each rule is followed by an explanation of what the rule does.

access-list 199 permit tcp any any established
! keep track of the tcp sessions that have been opened. Don't evaluate them
! because after the session has been initiated, the port 135/445 requests will
! not happen.
access-list 199 permit tcp any any eq 135 log
! a rule to 'make a note' of permitted port 135 traffic. This rule does not
! block the traffic, it simply will log it.
access-list 199 permit tcp any any eq 445 log
! a rule to 'make a note' of permitted port 445 traffic. This rule does not
! block the traffic, it simply will log it.
access-list 199 permit ip any any
! allow any additional ip traffic through.

This access list then needs to be applied to the interface on the router:

RouterA(config)#int f0/0
RouterA(config-if)#ip access-group 199 in
RouterA(config-if)#ip access-group 199 out
RouterA(config-if)#end

You should be able to see the access list counters increment by typing ‘sh ip access’:

Extended IP access list 199
    permit tcp any any established (1497360 matches)
    permit tcp any any eq 135 log (4168 matches)
    permit tcp any any eq 445 log (53641 matches)
    permit ip any any (257847 matches)

You can also see exactly which hosts are generating the traffic by doing a ‘show log’:

May 3 05:15:25.217 UTC: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.40.16(3059) -> 10.0.4.101(1060), 2 packets
May 3 05:15:27.302 UTC: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.16.16(2179) -> 10.0.4.101(1060), 1 packet
May 3 05:15:40.362 UTC: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.32.16(4206) -> 10.0.4.101(1060), 2 packets
May 3 05:15:42.790 UTC: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.131.5.17(3737) -> 10.0.4.101(445), 1 packet
May 3 05:15:44.146 UTC: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.69.131(4839) -> 10.0.4.101(1060), 2 packets
May 3 05:15:45.750 UTC: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.20.16(3186) -> 10.0.4.100(1637), 1 packet
May 3 05:15:48.202 UTC: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.131.5.76(2462) -> 10.0.4.100(445), 1 packet
May 3 05:15:57.338 UTC: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.12.16(4318) -> 10.0.4.101(1060), 2 packets

Now, you should also be able to go to the Web site, select the router in question, and see the same results.

This is where the method falls down a bit. It could probably be solved programmatically, but it's not too difficult to educate your helpdesk staff in what to look for when it comes to infected hosts. Here's an example of a real syslog with an infected host behind it:

May 3 05:23:33.404 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet
May 3 05:23:34.416 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1469) -> 10.0.127.12(445), 1 packet
May 3 05:23:35.524 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1473) -> 10.0.127.16(445), 1 packet
May 3 05:23:36.528 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1478) -> 10.0.127.21(445), 1 packet
May 3 05:23:37.528 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1496) -> 10.0.127.39(445), 1 packet
May 3 05:23:38.540 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1484) -> 10.0.127.27(445), 1 packet
May 3 05:23:39.620 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1508) -> 10.0.127.51(445), 1 packet
May 3 05:23:41.372 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1518) -> 10.0.127.61(445), 1 packet
May 3 05:23:42.480 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1523) -> 10.0.127.66(445), 1 packet
May 3 05:23:43.568 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1480) -> 10.0.127.23(445), 1 packet
May 3 05:23:44.576 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1484) -> 10.0.127.27(445), 1 packet
May 3 05:23:45.652 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1536) -> 10.0.127.79(445), 1 packet

Most noticeable is the source address: see how it is always the same, while the destination address varies from packet to packet? A better example is when a particular internal host has a 10.x IP address and is looking for hosts on outside networks, such as 64.1.2.3, 64.1.2.4, 64.1.2.5 and so on. The other thing you should note is that I've set the rule to deny the traffic. Remember: this most likely will break other traffic on your network, but sometimes having a broken network is better than no network at all. Here's what that infected traffic looks like:

May 4 14:01:02.327 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4516) -> 121.62.240.140(445), 1 packet
May 4 14:01:03.363 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4595) -> 125.35.99.227(445), 1 packet
May 4 14:01:04.427 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4621) -> 118.37.66.126(445), 1 packet
May 4 14:01:05.427 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4528) -> 67.56.245.188(445), 1 packet
May 4 14:01:06.427 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4603) -> 163.5.60.243(445), 1 packet
May 4 14:01:07.431 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4622) -> 87.129.2.231(445), 1 packet
May 4 14:01:11.335 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4516) -> 121.62.240.140(445), 1 packet
May 4 14:01:12.439 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4603) -> 163.5.60.243(445), 1 packet
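As an added example (not part of the original article), here is the programmatic version of the check the helpdesk staff are taught to do by eye: a small Python script that parses %SEC-6-IPACCESSLOGP lines in the format shown above and flags any source that hits at least four distinct hosts on port 135 or 445, noting how many of those hosts lie outside the internal range. The sample lines are constructed from the article's own log entries; the threshold of four and the 10.0.0.0/8 internal range are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field layout of the %SEC-6-IPACCESSLOGP messages shown in this article.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
WORM_PORTS = {135, 445}              # the ports the article's list 199 logs
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range, as in the article

def parse_line(line):
    """Return the fields of one IPACCESSLOGP line, or None if it is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def find_scanners(lines, min_targets=4):
    """Report sources that hit at least min_targets distinct hosts on 135/445:
    one source fanning out to many destinations is the pattern to look for."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and int(rec["dport"]) in WORM_PORTS:
            targets[rec["src"]].add(rec["dst"])
    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            ext = sum(1 for d in dsts if ip_address(d) not in INTERNAL)
            report[src] = {"targets": len(dsts), "external_targets": ext}
    return report

# Constructed sample: one normal session, one host sweeping 10.0.127.0/24 on
# 445, and one host sweeping Internet addresses on 445 (as in the article).
SAMPLE_LOG = """\
May 3 05:15:44.146 UTC: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.0.69.131(4839) -> 10.0.4.101(1060), 2 packets
May 3 05:23:33.404 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet
May 3 05:23:34.416 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1469) -> 10.0.127.12(445), 1 packet
May 3 05:23:35.524 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1473) -> 10.0.127.16(445), 1 packet
May 3 05:23:36.528 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1478) -> 10.0.127.21(445), 1 packet
May 4 14:01:02.327 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4516) -> 121.62.240.140(445), 1 packet
May 4 14:01:03.363 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4595) -> 125.35.99.227(445), 1 packet
May 4 14:01:04.427 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4621) -> 118.37.66.126(445), 1 packet
May 4 14:01:05.427 UTC: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.57.66(4528) -> 67.56.245.188(445), 1 packet
"""
if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['targets']} hosts on 135/445, {info['external_targets']} external")
```

Feed it the output of the syslog collector instead of SAMPLE_LOG and a source that reports a high external count is the outbound-sweeping case the article describes as the clearest sign of infection.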

The second access list is simply a method for monitoring your network traffic. It's a long access list that matches all ports, so you can see whether excessive traffic is being generated on any non-standard port. The key to this access list is that the source portion of each rule must match your own network, so you'll need to change the '10.0.0.0 0.255.255.255' wildcard to suit yours. Since most hosts connect to remote hosts on low-numbered ports, non-standard traffic is easy to spot. If a range is getting a lot of traffic, simply add 'log' after it to have the hosts in that range dumped to the syslog:

access-list 2001 permit tcp any any established
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 1 99
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 100 199
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 200 299
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 300 399
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 400 499
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 500 599
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 600 699
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 700 799
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 800 899
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 900 999
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 1000 5000
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 6000 9999
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 10000 14999
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 15000 19999
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 20010 24999
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 25000 29999
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 30000 34999
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 35000 39999
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 40000 44999 log
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 45000 49999 log
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 50000 54999 log
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 55000 59999 log
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 60000 64999
access-list 2001 permit tcp 10.0.0.0 0.255.255.255 any range 65000 65535
access-list 2001 permit ip any any

It's critical to monitor your CPU usage on your router (by 'sh proc cpu') while you implement this list. Since it's rather lengthy, it's entirely possible it'll kill your router. I have a 3640 router with a heavily utilized 6 MB frame relay circuit coming into it, and I noticed a 5-10 percent CPU increase with the access list. Obviously, your mileage may vary.
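As an added example that is not from the article, the following Python generates the per-range monitoring list above for any internal network (converting a CIDR prefix into the wildcard mask IOS expects) and checks a set of ranges for ports that no rule covers. Run against the article's own ranges it reports two gaps, 5001-5999 and 20000-20009, which fall through to the final 'permit ip any any' and are therefore never counted per range. The function names are my own.

```python
from ipaddress import ip_network

def wildcard(net):
    """IOS access lists take an inverted (wildcard) mask:
    10.0.0.0/8 -> '10.0.0.0 0.255.255.255'."""
    n = ip_network(net)
    return f"{n.network_address} {n.hostmask}"

def gap_spans(ranges):
    """Return the contiguous (lo, hi) spans of TCP ports 1-65535 that no range
    covers; those ports fall through to the final 'permit ip any any' and
    are never counted per range."""
    covered = set()
    for lo, hi in ranges:
        covered.update(range(lo, hi + 1))
    spans = []
    for port in sorted(set(range(1, 65536)) - covered):
        if spans and spans[-1][1] == port - 1:
            spans[-1][1] = port
        else:
            spans.append([port, port])
    return [tuple(s) for s in spans]

def build_monitor_acl(number, internal_net, ranges, log_ranges=()):
    """Emit the article's per-range monitoring list for the given internal
    network, adding 'log' to the ranges whose hosts should go to syslog."""
    src = wildcard(internal_net)
    logged = set(log_ranges)
    lines = [f"access-list {number} permit tcp any any established"]
    for lo, hi in ranges:
        log = " log" if (lo, hi) in logged else ""
        lines.append(f"access-list {number} permit tcp {src} any range {lo} {hi}{log}")
    lines.append(f"access-list {number} permit ip any any")
    return lines

# The ranges exactly as listed in the article's access-list 2001.
ARTICLE_RANGES = (
    [(1, 99)] + [(b, b + 99) for b in range(100, 1000, 100)]
    + [(1000, 5000), (6000, 9999), (10000, 14999), (15000, 19999), (20010, 24999)]
    + [(b, b + 4999) for b in range(25000, 65000, 5000)] + [(65000, 65535)]
)
LOG_RANGES = [(40000, 44999), (45000, 49999), (50000, 54999), (55000, 59999)]

if __name__ == "__main__":
    print("\n".join(build_monitor_acl(2001, "10.0.0.0/8", ARTICLE_RANGES, LOG_RANGES)))
    print("uncovered port spans:", gap_spans(ARTICLE_RANGES))  # [(5001, 5999), (20000, 20009)]
```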


