Cisco releases new security features, a capture feature, and new IOS upgrade tools

Cisco just released updated router IOS code,12.4(20)T, with several very interesting new security features and a packet capture feature you might be interested in. You can even use the new warm upgrade and Auto-upgrade Manager features that released with 12.4(15)T IOS code to streamline the upgrade process and minimize your downtime. Let’s dive into the new security features and the new upgrade tools that Cisco is offering.

Cisco packed in some pretty hefty security features in this release, 24 new ones to be exact. Here are the highlights:

• Object Grouping support – Finally, IOS FW gets support for object groups, just like those found in the Cisco ASA platform. This provides you with the ability to create protocol and IP objects and then use them in ACLs. It makes your ACLs a lot more human readable. For example: 10 permit object-group Web-ports object-group Engineering object-group Web-Servers
• Embedded IOS Content Filtering - provides URL, spyware, malware, and phishing attack protection native to the router. It uses the categories and security ratings from Trend Micro’s Trendlabs threat database in the cloud.
• VRF aware IOS IPS – Provides you with the ability to configure IOS IPS on only certain VRFs or to configure IPS rules differently on each VRF. It also separates IPS events/alerts based on VRF segment using the VRF ID.
• User-based IOS FW – This feature introduces the concept of per user security TAGS. The User-Based Firewall feature was designed to provide identity or user-group based security that provides differentiated access for different classes of users. Classification can be provided on the basis of user identity, device type (for example, IP phones), location (for example, building) and role (for example, engineer). The security TAGS are assigned to users from Cisco ACS but are interpreted locally by each router. User authentication can be achieved using all of the typical methods, 802.1x, auth-proxy, or IKE.
• SIP Inspection Enhancements - Prevents unauthorized calls, call hijacking, SIP protocol exploits, and related DoS attacks. It supports both pass-through and local traffic.
• IOS FW adds support for H.323 version 3 and version 4
• Instant Messaging Control Enhancements – Allows for very granular control over ICQ and Windows Messenger traffic. IOS FW can detect, block, or throttle the IM traffic. This also includes managing things such as file transfers and attachments, application sharing, games, video/audio conferencing, and pop-ups.
• Several SSLVPN enhancements – The Anyconnect full tunneling client is supported, and performance improvements have been made in the code so you can support higher sslvpn throughput.

Here is a little more detail on the new embedded content filtering feature added to IOS:
The URL database server lives in on the internet at Trend Micro. Once you purchase a subscription for the IOS router it will then contact the Trend Server to categorize and rate each URL. On the router you configure up the categories that are allowed, white/black lists, etc. so it knows what to do with the response it receives from the Trend threat database server. Configuration is accomplished using either the CLI or the new IOS configuration professional device GUI (it replaces SDM). Here is an example of the content filtering flow:


Here is the flow step by step:



Two other features that are worth noting in this release are the new packet capture feature and the Auto-Upgrade manager. Long overdue in my opinion, IOS routers now have the ability to easily capture packets going through or to a router. These captures can then be viewed locally or exported in PCAP format so you can use wireshark to view them.
Here is a look at the cli commands for packet capture:
First define a capture buffer size, this one is circular:
Router# monitor capture buffer mycapture size 128 max-size 128 circular

Next define the capture point, btw capture does support both cef and processed switching data paths. You can associate several capture points with a single interface, so you could set one to capture all port 80 traffic to one buffer and a second one to capture all mail traffic to a different buffer. Here is an example:
Router# monitor capture point ip cef mycapturepoint1 fastEthernet 0/1 both

Finally, you need to associate the buffer and capture point you created with each other. Here is an example:
Router# monitor cap point associate mycapturepoint1 mycapture

You can view the capture via cli like so:
Router# show monitor capture buffer mycapture dump

Or you can export the capture file in PCAP format, using ftp, scp, http, https, or rcp like this:
monitor capture buffer mycapture export [location]

To upgrade your router to the 12.4(20)T code you might want to give the Auto-upgrade manager feature a try. It was first released to 12.4(15)T, so if you are upgrading from that code your all set. Basically this feature allows you to upgrade your router with one cli command. This includes downloading the code, even directly from CCO, installing it on your router, making the necessary config changes, and finally reloading the router according to your schedule. It even can send you a confirmation email and has a roll-back feature if the upgrade fails. Here is a look at what it can provide:



One of the features it uses that greatly minimizes your downtime due to a code upgrade is call warm upgrade. In a nutshell warm upgrade provides the capability for a Cisco IOS image to read and decompress another Cisco IOS image and then transfer control to this new image. It uses the reload warm command. According to Cisco, “Prior to the Warm Upgrade feature, a Cisco IOS image transferred control to ROM monitor mode (ROMMON) to perform a Cisco IOS software upgrade or downgrade. ROMMON, along with the help of the boot loader image, carried out the required upgrade or downgrade procedures. While this process is in progress, the networking device is down. With the introduction of the Warm Upgrade feature, packet forwarding is able to continue while the new Cisco IOS image is read and decompressed. The device is down only when the current image is overwritten with the new image, and the new image loads and reconfigures the operating system.”

To configure auto-upgrade manager do the following:
configure terminal
autoupgrade disk-cleanup crashinfo
autoupgrade ida url https://www.cisco.com/cgi-bin/new-ida/locator/locator.pl
autoupgrade status status email smtp-server
Now issue the interactive mode command to step you through the upgrade process
upgrade automatic

As always, I recommend you exercise due diligence testing before deploying any new IOS releases in a production environment. Have fun!

Here is more information on how to configure auto-upgrade manager
http://www.cisco.com/en/US/docs/ios/12_4t/cfg_fund/configuration/guide/osin_aum.html

The Cisco release notes for 12.4(20)T can be found here http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/product_bulletin_c25-409474.html

For more information on the Content filtering feature see here
http://www.cisco.com/en/US/partner/products/ps6643/index.html

The opinions expressed in this article are my own and not those of my employeer