- Uses the same inspection engine as CBAC; the main difference is that it works with security zones rather than interfaces, and it can support policing.
- Zones group multiple interfaces together: traffic is allowed inside one zone but prohibited between zones.
- A zone is defined with the zone security command.
- A special zone, self, is allocated to the router by default; all traffic to/from this zone is allowed, so we do not have to manually account for control-plane traffic.
- Inter-zone communication requires "zone pairing".
- Define a pair with zone-pair, then associate a policy-map type inspect to permit traffic (action inspect vs action pass).
- ZFW configuration uses MQC syntax: class-map/policy-map of type inspect. Traffic is classified with match protocol; applications are still defined with ip port-map.
- We can also use a parameter map to define the specific advanced features we want enabled.
- There are two types of parameter map: parameter-map type inspect, which defines TCP intercept and global CBAC-style settings, and parameter-map type inspect "protocol", which may be used to enforce application behaviour, for example limiting SMTP recipients to 50 users, or to do advanced match filtering based on regular expressions.
- Parameter maps can also be used for turning on auditing.
- Virtual templates can be members of zones.
- The IOS firewall is VRF aware.
- ZFW can apply a traffic policing action, which is not available in CBAC (with CBAC, MQC policing could only be used per interface).
- Supports policing of inter-zone traffic; intra-zone traffic is not policed.
- We need to create a zone-pair for each direction if bidirectional communication is required.
- The Cisco IOS firewall can be configured to be transparent; NBAR is not fully supported in transparent mode, though.
- The command is police under policy-map type inspect.
- Zone self: a special zone that represents the router; all traffic is permitted in/out by default.
- The self zone does not support application protocol inspection; only TCP, UDP and ICMP are supported.
- It can be paired with other zones, e.g. to control access to the router.
Creating zones
zone security inside
zone security outside
Assigning interfaces to zones
int fa0/0
zone-member security inside
int fa0/2
zone-member security inside
int serial 0/0
zone-member security outside
Creating the zone-pair
zone-pair security Inside-to-Outside source inside destination outside
Classifying the traffic to inspect
class-map type inspect match-any HTTP
match protocol http
Policy map
policy-map type inspect HTTP-OUT
class type inspect HTTP
inspect
Then apply it to the zone-pair
zone-pair security Inside-to-Outside
service-policy type inspect HTTP-OUT
A parameter map can be used for advanced inspection
parameter-map type inspect httpmore
max-incomplete high 20
audit-trail on
This is applied under the policy-map (note that the high watermark must be above the low watermark, which defaults to 400, so on a default configuration high 20 is rejected, as the lab below shows):
policy-map type inspect HTTP-OUT
class type inspect HTTP
inspect httpmore
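To make the zone rules above concrete, here is an added Python model (not Cisco code and not part of the original notes) of how a zone-based firewall decides whether to pass, inspect or drop a packet; the interface, zone and class names follow the configuration example, the addresses are constructed, and SELF stands for the router's own control plane.

```python
# Model of the zone-based firewall decision rules (added example, not Cisco code):
# intra-zone traffic is forwarded, inter-zone traffic needs a zone-pair policy,
# the self zone is open unless a pair to/from it exists, and an inspected flow
# admits its return traffic. Addresses below are constructed.
from dataclasses import dataclass, field

SELF = "self"  # the router's own control plane


@dataclass
class ZoneFirewall:
    zone_of: dict                               # interface -> zone name
    pairs: dict = field(default_factory=dict)   # (src zone, dst zone) -> class list
    sessions: set = field(default_factory=set)  # (src, dst, proto) of inspected flows

    def zone_pair(self, src_zone, dst_zone, classes):
        """classes: ordered (protocol set or None for class-default, action) tuples."""
        self.pairs[(src_zone, dst_zone)] = classes

    def decide(self, in_if, out_if, proto, src, dst):
        """Return 'pass', 'inspect' or 'drop'; an interface of None means the router."""
        z_in = SELF if in_if is None else self.zone_of.get(in_if)
        z_out = SELF if out_if is None else self.zone_of.get(out_if)
        if (dst, src, proto) in self.sessions:
            return "pass"                       # return traffic of an inspected flow
        if z_in == z_out:
            return "pass"                       # traffic inside one zone is never policed
        classes = self.pairs.get((z_in, z_out))
        if classes is None:                     # no zone-pair for this direction
            return "pass" if SELF in (z_in, z_out) else "drop"
        for protocols, action in classes:
            if protocols is None or proto in protocols:
                if action == "inspect":
                    self.sessions.add((src, dst, proto))
                return action
        return "drop"                           # implicit class-default

def demo():
    fw = ZoneFirewall({"fa0/0": "inside", "fa0/2": "inside", "serial0/0": "outside"})
    fw.zone_pair("inside", "outside", [({"http"}, "inspect")])  # the HTTP-OUT policy
    results = [
        fw.decide("fa0/0", "serial0/0", "http", "10.0.0.10", "192.0.2.80"),  # inspect
        fw.decide("serial0/0", "fa0/0", "http", "192.0.2.80", "10.0.0.10"),  # pass: return
        fw.decide("serial0/0", "fa0/0", "http", "192.0.2.99", "10.0.0.10"),  # drop: no pair
        fw.decide("fa0/0", "serial0/0", "ssh", "10.0.0.10", "192.0.2.80"),   # drop: class-default
        fw.decide("fa0/0", "fa0/2", "ssh", "10.0.0.10", "10.0.0.20"),        # pass: intra-zone
        fw.decide("serial0/0", None, "telnet", "192.0.2.99", "10.0.0.1"),    # pass: self is open
    ]
    fw.zone_pair("outside", SELF, [({"icmp"}, "pass")])  # lock down access to the router
    results.append(fw.decide("serial0/0", None, "telnet", "192.0.2.99", "10.0.0.1"))  # drop
    return results
```

The last two decisions show the self-zone hole the lab below runs into: until an outside-to-self pair exists, anything from outside reaches the router.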
LAB
OK, for the lab, r5 will be the zone-based firewall, so the sw2 and sw4 section of the network will be inside,
the r4 section of the network will be the DMZ, and everything else will be outside.
R5
---
OK, first things first, we will define our 3 zones.
r5#config t
Enter configuration commands, one per line. End with CNTL/Z.
r5(config)#zone security INSIDE
r5(config-sec-zone)#exit
r5(config)#zone security OUTSIDE
r5(config-sec-zone)#exit
r5(config)#zone security DMZ
r5(config-sec-zone)#?
Zone configuration commands:
description Zone description
exit Exit from zone configuration mode
no Negate or set default values of a command
r5(config-sec-zone)#
OK, now we will define the classes. I have just done TCP, UDP and ICMP; we could be more granular with the inspection on specific protocols like HTTP, for example looking for URLs via regexp.
r5(config)#class-map type inspect TCP
r5(config-cmap)#match protocol tcp
r5(config-cmap)#class-map type inspect UDP
r5(config-cmap)#match protocol UDP
r5(config-cmap)#class-map type inspect ICMP
r5(config-cmap)#match protocol ICMP
r5(config-cmap)#
Now we will define a policy-map type inspect; this is basically what we will do with the traffic once it has matched: drop, drop and log, pass (without inspection), or inspect (allowing return traffic).
r5(config)#policy-map type inspect INSIDE_TO_OUTSIDE
r5(config-pmap)#class TCP
r5(config-pmap-c)#inspect
r5(config-pmap-c)#class UDP
r5(config-pmap-c)#inspect
r5(config-pmap-c)#class ICMP
r5(config-pmap-c)#inspect
r5(config-pmap-c)#
The above is my policy map for going outbound, so all I want to do is allow the traffic and allow the return traffic, so I will inspect.
Next step is to create the zone-pair to apply the policy to.
r5(config)#zone-pair security INSIDE-TO-OUTSIDE-PAIR source INSIDE destination$
r
r5(config-sec-zone-pair)#service-policy type inspect INSIDE_TO_OUTSIDE
I will just do sh run as there is a bit cut off.
r5#sh run | sec zone-pair
zone-pair security INSIDE-TO-OUTSIDE-PAIR source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE
So we define the flow of traffic from source inside to destination outside and we assign the policy INSIDE_TO_OUTSIDE, which applies the inspect action to TCP, UDP and ICMP.
Next we need to assign the interfaces; I will just start with the inside and outside zones.
r5(config)#int s0/0/0
r5(config-if)#zone-member security OUTSIDE
r5(config-if)#int f0/0
r5(config-if)#zone-member security INSIDE
r5(config-if)#
OK, so now that those are assigned, at the moment from s2 we should be able to ping s1, but s1 should not be able to ping s2.
So we will just make sure we are on the right track.
s1#ping 22.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
s1#
s2#ping 2.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 58/65/68 ms
s2#
So that looks good.
One potential issue we have at the moment is that r5, because the self zone allows everything, could be accessed from outside.
s1
---
So I can successfully telnet to r5:
s1#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username: cisco
Password:
r5>
I just cannot transit it:
s1#telnet 22.2.2.2
Trying 22.2.2.2 ...
% Connection timed out; remote host not responding
This would be a fairly large security hole, allowing the outside to telnet to our firewall device.
What we will do is allow s1 to ping our device, while other devices outside cannot connect at all.
r5
---
r5(config)#ip access-list extended PINGFRMS1
r5(config-ext-nacl)#permit icmp host 2.1.1.1 any echo
r5(config-ext-nacl)#permit eigrp any any
r5(config-ext-nacl)#
I also allowed eigrp any any just to maintain the underlying IGP.
So I will create the class map:
r5(config)#class-map type inspect FROMOUTSIDE
r5(config-cmap)#match access-group name PINGFRMS1
r5(config-cmap)#
Now the policy-map:
r5(config)#policy-map type inspect OUTSIDE_TO_SELF
r5(config-pmap)#class FROMOUTSIDE
r5(config-pmap-c)#pass
r5(config-pmap-c)#class class-default
r5(config-pmap-c)#drop log
r5(config-pmap-c)#
So everything matched in the class FROMOUTSIDE will be allowed (pass) and everything else will hit class-default and will be dropped; we have also asked for it to be logged.
OK, as I tested telnet above, I will also allow telnet from s1, for consistency of testing:
r5(config)#ip access-list extended PINGFRMS1
r5(config-ext-nacl)#30 permit tcp any any eq 23
r5(config-ext-nacl)#40 deny ip any any
r5(config-ext-nacl)#
Next we need to assign the zone-pair:
r5(config)#zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
r5(config-sec-zone-pair)#service-policy type inspect OUTSIDE_TO_SELF
s1#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
s1#ping 5.5.5.5 source 2.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 2.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/65/68 ms
s1#
I can also telnet:
s1#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username:
If I go to s3:
--------------
s3#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
..
I cannot ping. I will be able to telnet, as I did not lock down the ACL to 2.1.1.1 for telnet (I did tcp any any), but not being able to ping proves it is working.
r5
---
[Resuming connection 5 to r5 ... ]
*Feb 22 16:33:39.391: %FW-6-DROP_PKT: Dropping icmp pkt 155.0.37.1:8 => 5.5.5.5:0
*Feb 22 16:35:04.979: %FW-6-DROP_PKT: Dropping icmp pkt 155.0.79.3:8 => 5.5.5.5:0
r5#
We can see there is logging regarding the dropped ICMP packets:
r5#show policy-map type inspect zone-pair OUTSIDE_TO_SELF
Zone-pair: OUTSIDE_TO_SELF
Service-policy inspect : OUTSIDE_TO_SELF
Class-map: FROMOUTSIDE (match-all)
Match: access-group name PINGFRMS1
Pass
20 packets, 735 bytes
Class-map: class-default (match-any)
Match: any
Drop
10 packets, 800 bytes
We can see matches on both passes and drops.
OK, we will add a third zone, namely DMZ, which will connect to r4, which is the web server for the sake of the lab. We will look at doing the parameter maps for more advanced config.
So firstly the access list:
r5(config)#ip access-list ext R4_WEB_SERVER_ACL
r5(config-ext-nacl)#permit tcp any host 4.4.4.4
Next I will do my class-map:
r5(config)#class-map type inspect R4
r5(config-cmap)#match protocol http
r5(config-cmap)#match access-group name R4_WEB_SERVER_ACL
r5(config-cmap)#
OK, I will do a parameter-map for more advanced options:
r5(config)#parameter-map type inspect R4-WEB-PARAMETER
r5(config-profile)#?
parameter-map commands:
alert Turn on/off alert
audit-trail Turn on/off audit trail
dns-timeout Specify timeout for DNS
exit Exit from parameter-map
icmp Config timeout values for icmp
max-incomplete Specify maximum number of incomplete connections before clamping
no Negate or set default values of a command
one-minute Specify one-minute-sample watermarks for clamping
sessions Maximum number of inspect sessions
tcp Config timeout values for tcp connections
udp Config timeout values for udp flows
r5(config-profile)#max-incomplete ?
high Specify high-watermark for clamping
low Specify low-watermark for clamping
r5(config-profile)#max-incomplete high 20
%New high threshold 20 cannot be smaller than low threshold 400
r5(config-profile)#max-incomplete high 420
r5(config-profile)#max-incomplete low 400
r5(config-profile)#audit-trail on
r5(config-profile)#tcp ?
finwait-time Specify timeout for TCP connections after a FIN
idle-time Specify idle timeout for tcp connections
max-incomplete Specify max half-open connection per host
synwait-time Specify timeout for TCP connections after a SYN and no further data
r5(config-profile)#tcp synwait-time ?
<1-2147483> Timeout in seconds
r5(config-profile)#tcp synwait-time 20
r5(config-profile)#
So I have created a few TCP intercept parameters and logging; I need to associate this with our policy map.
So, a policy, and within the class R4 we specify the parameter map:
r5(config)#policy-map type inspect DMZ
r5(config-pmap)#class type inspect R4
r5(config-pmap-c)#inspect R4-WEB-PARAMETER
r5(config-pmap-c)#exit
r5(config-pmap)#class class-default
r5(config-pmap-c)#drop log
r5(config-pmap-c)#exit
OK, create the zone-pair:
r5(config)#zone-pair security OUTSIDE-TO-DMZ source OUTSIDE destination DMZ
r5(config-sec-zone-pair)#service-policy type inspect DMZ
r5(config-sec-zone-pair)#
Just before I forget, I need to add r5 s0/1/0 to the DMZ zone:
r5(config-if)#int s0/1/0
r5(config-if)#zone-member security DMZ
r5(config-if)#
r4
---
r4(config)#ip http server
r4(config)#ip http authentication local
r4(config)#username cisco password cisco
s1
---
s1#connect 5.5.5.5 www
Trying 5.5.5.5, 80 ...
% Connection timed out; remote host not responding
s1#connect 4.4.4.4 www
Trying 4.4.4.4, 80 ... Open
We can make an HTTP connection to 4.4.4.4 as expected,
but we cannot ping it:
s1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
.
r5
---
We can see some audit trail info here:
access#5
[Resuming connection 5 to r5 ... ]
*Feb 22 17:36:03.551: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE-TO-DMZ:R4):Start http session: initiator (155.0.37.1:11003) -- responder (4.4.4.4:80)
*Feb 22 17:36:22.647: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE-TO-DMZ:R4):Stop http session: initiator (155.0.37.1:11003) sent 9 bytes -- responder (4.4.4.4:80) sent 122 bytes
r5#sh parameter-map type inspect R4-WEB-PARAMETER
parameter-map type inspect R4-WEB-PARAMETER
audit-trail on
alert on
max-incomplete low 400
max-incomplete high 420
one-minute low 400
one-minute high 500
udp idle-time 30
icmp idle-time 10
dns-timeout 5
tcp idle-time 3600
tcp finwait-time 5
tcp synwait-time 20
tcp max-incomplete host 50 block-time 0
sessions maximum 0
r5#sh policy-map type inspect zone-pair OUTSIDE-TO-DMZ
Zone-pair: OUTSIDE-TO-DMZ
Service-policy inspect : DMZ
Class-map: R4 (match-all)
Match: protocol http
Match: access-group name R4_WEB_SERVER_ACL
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:34]
Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 00:03:45
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
5 packets, 400 bytes
r5#
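The %FW-6-DROP_PKT lines from the earlier drop log and the %FW-6-SESS_AUDIT_TRAIL lines above are what a syslog collector would ingest from this firewall. As an added example (not part of the original post and not Cisco code), here is a small Python parser for those messages that counts drops per source address and pairs each finished session with the bytes sent in each direction; the sample lines are the ones r5 logged above.

```python
# Parser for the %FW-6 syslog lines produced by "drop log" and "audit-trail on"
# (added example, not Cisco code); the sample lines are copied from r5's log above.
import re
from collections import Counter

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)")
SESS_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL(?:_START)?: \(target:class\)-\((?P<pair>[^:]+):(?P<cls>[^)]+)\):"
    r"(?P<event>Start|Stop) (?P<proto>\w+) session: initiator \((?P<src>[\d.]+):(?P<sport>\d+)\)"
    r"(?: sent (?P<ibytes>\d+) bytes)? -- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
    r"(?: sent (?P<rbytes>\d+) bytes)?")

SAMPLE_LOG = [
    "*Feb 22 16:33:39.391: %FW-6-DROP_PKT: Dropping icmp pkt 155.0.37.1:8 => 5.5.5.5:0",
    "*Feb 22 16:35:04.979: %FW-6-DROP_PKT: Dropping icmp pkt 155.0.79.3:8 => 5.5.5.5:0",
    "*Feb 22 17:36:03.551: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE-TO-DMZ:R4):"
    "Start http session: initiator (155.0.37.1:11003) -- responder (4.4.4.4:80)",
    "*Feb 22 17:36:22.647: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE-TO-DMZ:R4):"
    "Stop http session: initiator (155.0.37.1:11003) sent 9 bytes -- responder (4.4.4.4:80) sent 122 bytes",
]

def parse_fw_log(lines):
    """Return one dict per recognised %FW-6 line (event Drop/Start/Stop); others are skipped."""
    events = []
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            events.append({"event": "Drop", **m.groupdict()})
            continue
        m = SESS_RE.search(line)
        if m:
            events.append({k: v for k, v in m.groupdict().items() if v is not None})
    return events

def drops_by_source(events):
    """Dropped packets per source address; a source hammering the self zone stands out."""
    return Counter(e["src"] for e in events if e["event"] == "Drop")

def session_bytes(events):
    """(initiator, responder) -> (bytes initiator sent, bytes responder sent) per closed session."""
    return {(f"{e['src']}:{e['sport']}", f"{e['dst']}:{e['dport']}"): (int(e["ibytes"]), int(e["rbytes"]))
            for e in events if e["event"] == "Stop"}
```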
OK, if we want to allow the inside network to connect to the DMZ:
r5(config)#zone-pair security INSIDE-TO-DMZ source INSIDE destination DMZ
r5(config-sec-zone-pair)#service-policy type inspect DMZ
r5(config-sec-zone-pair)#
s2
---
s2>en
s2#connect 4.4.4.4 www
Trying 4.4.4.4, 80 ... Open
It is working.
r4
---
r4#ping 2.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r4#ping 22.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.2.2.2, timeout is 2 seconds:
..
It cannot connect out, as expected.