Saturday, 16 March 2013

IOS - Zone Based Firewall - Part I

Zone-Based Policy Firewall (also known as Zone-Policy Firewall, or ZFW) changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.

Firewall policies are configured with the Cisco Policy Language (CPL), which employs a hierarchical structure to define inspection for network protocols and the groups of hosts to which the inspection will be applied.

Rules For Applying Zone-Based Policy Firewall

Router network interfaces’ membership in zones is subject to several rules that govern interface behavior, as is the traffic moving between zone member interfaces:
  • A zone must be configured before interfaces can be assigned to the zone.
  • An interface can be assigned to only one security zone.
  • All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.
  • Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
  • In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
  • The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.
  • Traffic cannot flow between a zone member interface and any interface that is not a zone member. Pass, inspect, and drop actions can only be applied between two zones.
  • Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection/CBAC configuration.
  • If it is required that an interface on the box not be part of the zoning/firewall policy. It might still be necessary to put that interface in a zone and configure a pass all policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.
  • From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of one zone or another).
  • The only exception to the preceding deny by default approach is the traffic to and from the router, which will be permitted by default. An explicit policy can be configured to restrict such traffic.
Cisco Policy Language (CPL) Configuration
  1. Define zones.
  2. Define zone-pairs.
  3. Define class-maps that describe traffic that must have policy applied as it crosses a zone-pair.
  4. Define policy-maps to apply action to your class-maps’ traffic.
  5. Apply policy-maps to zone-pairs.
  6. Assign interfaces to zones.
Configuring Zone-Based Policy Firewall Class-Maps

Class-maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match command in a class-map:
  • Access-group—A standard, extended, or named ACL can filter traffic based on source and destination IP address and source and destination port.
  • Protocol—The Layer 4 protocols (TCP, UDP, and ICMP) and application services such as HTTP, SMTP, DNS, etc. Any well-known or user-defined service known to Port-Application Mapping can be specified.
  • Class-map—A subordinate class-map that provides additional match criteria can be nested inside another class-map.
  • Not—The not criterion specifies that any traffic that does not match a specified service (protocol), access-group or subordinate class-map will be selected for the class-map.
Class-maps can apply match-any or match-all operators to determine how to apply the match criteria. If match-any is specified, traffic must meet only one of the match criteria in the class-map. If match-all is specified, traffic must match all of the class-map’s criteria in order to belong to that particular class.

Configuring Zone-Based Policy Firewall Policy-Maps

The policy-map applies firewall policy actions to one or more class-maps to define the service-policy that will be applied to a security zone-pair. When an inspect-type policy-map is created, a default class named class class-default is applied at the end of the class. The class class-default’s default policy action is drop, but can be changed to pass. The log option can be added with the drop action. Inspect cannot be applied on class class-default.

Zone-Based Policy Firewall Actions:
  • Drop—This is the default action for all traffic, as applied by the "class class-default" that terminates every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop unwanted traffic. Traffic that is handled by the drop action is "silently" dropped by the ZFW, as opposed to an ACL's behavior of sending an ICMP “host unreachable” message to the host that sent the denied traffic. Currently, there is not an option to change the "silent drop" behavior. The log option can be added with drop for syslog notification that traffic was dropped by the firewall.
  • Pass—This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections or sessions within the traffic. Pass only allows the traffic in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction. The pass action is useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other inherently secure protocols with predictable behavior. However, most application traffic is better handled in the ZFW with the inspect action.
  • Inspect—The inspect action offers state-based traffic control.Also, inspect can provide application inspection and control for certain service protocols that might carry vulnerable or sensitive application traffic. Audit-trail can be applied with a parameter-map to record connection/session start, stop, duration, the data volume transferred, and source and destination addresses.
Controlling Access to the Router

The self zone is a zone created by default by the router. It has a permit policy by default, and it used to manage traffic directed to or generated by the router.
To control traffic to and from the IP addresses on the router itself one or many policies are needed.
If a policy is configured from any zone to the self zone, and no policy is configured from self zone to the router’s user-configurable interface-connected zones, all router-originated traffic encounters the connected-zone to self-zone policy on its return the router and is blocked. Thus, router-originated traffic must be inspected to allow its return to the self zone.

Self-zone policy has limited functionality as compared to the policies available for transit-traffic zone-pairs:
  • As was the case with classical stateful inspection, router-generated traffic is limited to TCP, UDP, ICMP, and complex-protocol inspection for H.323.
  • Application Inspection is not available for self-zone policies.
  • Session and rate limiting cannot be configured on self-zone policies.
Scenario

Requirements:
  • Define 3 security zones: inside, outside, dmz
zone security inside
zone security outside
zone security dmz
  • Protocols allowed from INSIDE to OUTSIDE: http, https, ftp, icmp, dns, ssh, telnet, ntp, ymsgr
 class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
 match protocol http
 match protocol https
 match protocol ftp
 match protocol icmp
 match protocol dns
 match protocol ssh
 match protocol telnet
 match protocol ntp
 match protocol ymsgr
  • Protocols allowed from OUTSIDE to DMZ: http, https, ftp, tacacs
class-map type inspect match-any CMAP_OUTSIDE_TO_DMZ_PROTOCOLS
 match protocol http
 match protocol https
 match protocol ftp
 match protocol tacacs
  • Protocols allowed from INSIDE to DMZ: http, https, ftp, icmp, tacacs, ssh 
class-map type inspect match-any CMAP_INSIDE_TO_DMZ_PROTOCOLS
 match protocol http
 match protocol https
 match protocol ftp
 match protocol icmp
 match protocol tacacs
 match protocol ssh
  • Match only traffic generated from inside zone(to outside)
class-map type inspect match-all CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
 match access-group name FROM_INSIDE_NETWORK
 match class-map CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
  • Match only traffic generated to dmz zone(from outside)
class-map type inspect match-all CMAP_OUTSIDE_TO_DMZ_TRAFFIC
 match access-group name TO_DMZ_NETWORK
 match class-map CMAP_OUTSIDE_TO_DMZ_PROTOCOLS
  • Match only traffic generated from inside zone to dmz
class-map type inspect match-all CMAP_INSIDE_TO_DMZ_TRAFFIC
 match access-group name FROM_INSIDE_NETWORK
 match access-group name TO_DMZ_NETWORK
 match class-map CMAP_INSIDE_TO_DMZ_PROTOCOLS
ip access-list extended FROM_INSIDE_NETWORK
 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended TO_DMZ_NETWORK
 permit ip any 192.168.223.0 0.0.0.255
  • Configure policy-map for every zone-pair security
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
  inspect
 class class-default
  drop log
policy-map type inspect PMAP_INSIDE_TO_DMZ
 class type inspect CMAP_INSIDE_TO_DMZ_TRAFFIC
  inspect
 class class-default
  drop log
policy-map type inspect PMAP_OUTSIDE_TO_DMZ
 class type inspect CMAP_OUTSIDE_TO_DMZ_TRAFFIC
  inspect
 class class-default
  drop log
  • Apply policies to security zone-pairs
zone-pair security INSIDE_TO_OUTSIDE source inside destination outside
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security INSIDE_TO_DMZ source inside destination dmz
 service-policy type inspect PMAP_INSIDE_TO_DMZ
zone-pair security OUTSIDE_TO_DMZ source outside destination dmz
 service-policy type inspect PMAP_OUTSIDE_TO_DMZ
  • Assign interfaces to zones
interface Ethernet1/0
 ip address 10.1.1.1 255.255.255.0
 zone-member security inside
interface Ethernet1/1
 ip address 192.168.223.100 255.255.255.0
 zone-member security dmz
interface FastEthernet2/0
 ip address 172.20.1.2 255.255.255.0
 zone-member security outside
  • Permit traceroute traffic from inside to outside
ip access-list extended UDP_TRACEROUTE_PORTS
 permit udp any any range 33434 33464
ip access-list extended ICMP_TRACEROUTE
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
class-map type inspect match-all CMAP_INSIDE_TO_OUTSIDE_TRACEROUTE
 match access-group name UDP_TRACEROUTE_PORTS
class-map type inspect match-all CMAP_OUTSIDE_TO_INSIDE_TRACEROUTE
 match access-group name ICMP_TRACEROUTE
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
  inspect
 class type inspect CMAP_INSIDE_TO_OUTSIDE_TRACEROUTE
  pass
 class class-default
  drop log
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class type inspect CMAP_OUTSIDE_TO_INSIDE_TRACEROUTE
  pass
 class class-default
  drop log
  •  Allow  only SSH and HTTPs access to router from zones outside and dmz.
ip access-list extended SSH_HTTPS_TRAFFIC
permit tcp any any eq 22
permit tcp any any eq 443
class-map type inspect match-all CMAP_HTTPS_SSH
match access-group name SSH_HTTPS_TRAFFIC
match protocol tcp
 policy-map type inspect PMAP_OUTSIDE_TO_SELF
class CMAP_HTTPS_SSH
inspect
policy-map type inspect PMAP_DMZ_TO_SELF
class CMAP_HTTPS_SSH
inspect
zone-pair security ZP_OUTSIDE_TO_SELF source outside destination self
service-policy type inspect PMAP_OUTSIDE_TO_SELF
!
zone-pair security ZP_DMZ_TO_SELF source dmz destination self
service-policy type inspect PMAP_DMZ_TO_SELF
  • Permit icmp from router to any destination
class-map type inspect match-all CMAP_ICMP
match protocol icmp
policy-map type inspect PMAP_SELF_TO_ANY
class CMAP_ICMP
inspect
zone-pair security ZP_SELF_TO_OUTSIDE source self destination outside
service-policy type inspect PMAP_SELF_TO_ANY
zone-pair security ZP_SELF_TO_DMZ source self destination dmz
service-policy type inspect PMAP_SELF_TO_ANY
Verification
R1#show zone security  
zone self
  Description: System defined zone
zone inside
  Member Interfaces:
    Ethernet1/0
zone outside
  Member Interfaces:
    FastEthernet2/0
zone dmz
  Member Interfaces:
    Ethernet1/1

 R1#show zone-pair security     
Zone-pair name INSIDE_TO_OUTSIDE
    Source-Zone inside  Destination-Zone outside
    service-policy PMAP_INSIDE_TO_OUTSIDE
Zone-pair name INSIDE_TO_DMZ
    Source-Zone inside  Destination-Zone dmz
    service-policy PMAP_INSIDE_TO_DMZ
Zone-pair name OUTSIDE_TO_DMZ
    Source-Zone outside  Destination-Zone dmz
    service-policy PMAP_OUTSIDE_TO_DMZ
Zone-pair name OUTSIDE_TO_INSIDE
    Source-Zone outside  Destination-Zone inside
    service-policy PMAP_OUTSIDE_TO_INSIDE
Zone-pair name ZP_OUTSIDE_TO_SELF
    Source-Zone outside  Destination-Zone self
    service-policy PMAP_OUTSIDE_TO_SELF
Zone-pair name ZP_DMZ_TO_SELF
    Source-Zone dmz  Destination-Zone self
    service-policy PMAP_DMZ_TO_SELF
Zone-pair name ZP_SELF_TO_OUTSIDE
    Source-Zone self  Destination-Zone outside
    service-policy PMAP_SELF_TO_ANY
Zone-pair name ZP_SELF_TO_DMZ
    Source-Zone self  Destination-Zone dmz
    service-policy PMAP_SELF_TO_ANY

R1#show policy-map type inspect zone-pair INSIDE_TO_OUTSIDE
 Zone-pair: INSIDE_TO_OUTSIDE
  Service-policy inspect : PMAP_INSIDE_TO_OUTSIDE
    Class-map: CMAP_INSIDE_TO_OUTSIDE_TRAFFIC (match-all)
      Match: access-group name FROM_INSIDE_NETWORK
      Match: class-map match-any CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
        Match: protocol http
          14 packets, 560 bytes
          30 second rate 0 bps
        Match: protocol ftp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          1 packets, 64 bytes
          30 second rate 0 bps
        Match: protocol dns
          64 packets, 2967 bytes
          30 second rate 0 bps
        Match: protocol ssh
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol telnet
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ymsgr
          2 packets, 80 bytes
          30 second rate 0 bps
        Match: protocol https
          23 packets, 920 bytes
          30 second rate 0 bps
        Match: protocol ntp
          105 packets, 5880 bytes
          30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [2:1782]
        udp packets: [0:338]
        icmp packets: [0:6]
        im-yahoo packets: [0:85]
        Session creations since subsystem startup or last reset 208
        Current session counts (estab/half-open/terminating) [4:0:0]
        Maxever session counts (estab/half-open/terminating) [27:4:5]
        Last session created 00:00:03
        Last statistic reset never
        Last session creation rate 3
        Maxever session creation rate 33
        Last half-open session total 0
    Class-map: CMAP_INSIDE_TO_OUTSIDE_TRACEROUTE (match-all)
      Match: access-group name UDP_TRACEROUTE_PORTS
      Pass
        84 packets, 3360 bytes
    Class-map: class-default (match-any)
      Match: any
      Drop
        93 packets, 3800 bytes

No comments:

Post a Comment