Converting CBAC to Zone-Based Policy Firewall

Posted on November 16, 2010

TOPOLOGY:

Requirements

1. Layer 3-4 control

The customer wants to inspect the following protocols:

  • icmp
  • dns
  • esmtp
  • https
  • imap*
  • pop3*
  • tcp
  • udp

*For IMAP and POP3 the customer wants to reset the TCP connection if the client enters a non-protocol command before authentication is complete.

2. Layer 4-7 control

The customer wants to deny every service of the chat applications that the router can control. Supported chat applications:

  • AOL
  • MSN
  • YAHOO

3. Layer 4-7 control (HTTP)

The customer wants to control the Internet traffic, mainly HTTP.

  • On the HTTP port no other protocol is allowed. The exempted server on the Internet is 212.15.14.7*.
  • The following applications that use the HTTP port are also not allowed:
    • Instant Messaging applications
    • P2P applications
    • Tunneling applications

*This can be done only with ZPF; CBAC does not support exemptions (its inspection rules apply only globally).

ZPF Configuration topology – sample

ZPF configuration structure, in short:

1. Configuring a Class Map for a Layer 3 and Layer 4 Firewall Policy
2. Creating a Policy Map for a Layer 3 and Layer 4 Firewall Policy
3. Configuring a Parameter Map
4. Configuring Layer 7 Firewall Class Maps and Policies
5. Adding Layer 7 Firewall Policies to a Layer 3 and Layer 4 Firewall Policy

ZPF configuration structure, in detail:

1. Configuring a Class Map for a Layer 3 and Layer 4 Firewall Policy

class-map type inspect [match-any | match-all] <class-map-name>
match access-group {access-group | name access-group-name}
match protocol <protocol-name> [signature]
match class-map <class-map-name>

2. Creating a Policy Map for a Layer 3 and Layer 4 Firewall Policy

policy-map type inspect <policy-map-name>
class type inspect <class-name>
inspect [parameter-map-name]

The finished policy map is not applied to an interface as with CBAC, but to a zone pair (see the zone-pair section of the ZPF configuration below):

service-policy type inspect <policy-map-name>

3. Configuring a Parameter Map

A. Creating an Inspect Parameter Map

parameter-map type inspect <parameter-map-name>
alert {on | off}
audit-trail {on | off}

B. Creating a URLFILTER Parameter Map

parameter-map type urlfilter <parameter-map-name>
exclusive-domain {deny | permit} <domain-name>
server vendor {n2h2 | websense} {ip-address | hostname [port port-number]} [outside] [log] [retrans retransmission-count] [timeout seconds]
source-interface <interface-name>

C. Configuring a Protocol-Specific Parameter Map

parameter-map type protocol-info <parameter-map-name>
server {name string | ip {ip-address | range ip-address-start ip-address-end}}

4. Configuring Layer 7 Firewall Policies

A. Configuring an HTTP Firewall Policy

A/1. Configuring an HTTP Class Map

class-map type inspect http [match-any | match-all] <class-map-name>
match req-resp protocol-violation

A/2. Configuring an HTTP Policy Map

policy-map type inspect http <policy-map-name>
class type inspect http <http-class-name>
allow

B. Configuring an IMAP Firewall Policy

B/1. Configuring an IMAP Class Map

class-map type inspect imap [match-any] <class-map-name>
log
match invalid-command

B/2. Configuring an IMAP Policy Map

policy-map type inspect imap <policy-map-name>
class type inspect imap <imap-class-name>
log

C. Configuring an Instant Messenger (IM) Policy

C/1. Configuring an IM Class Map

class-map type inspect {aol | msnmsgr | ymsgr} [match-any] <class-map-name>
match service {any | text-chat}

C/2. Configuring an IM Policy Map

policy-map type inspect im <policy-map-name>
class type inspect {aol | msnmsgr | ymsgr} <class-map-name>
reset

D. Configuring a Peer-to-Peer (P2P) Policy

E. Configuring a POP3 Firewall Policy

F. Configuring an SMTP Firewall Policy

G. Configuring a SUNRPC Firewall Policy

5. Adding Layer 7 Firewall Policies to a Layer 3 and Layer 4 Firewall Policy

policy-map type inspect <policy-map-name>
class type inspect <class-name>
inspect
service-policy <application> <policy-map-name>

Router parameters:
SW: Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(9)T3, R
HW: Cisco 2621XM

* This feature is available from Cisco IOS Software Release 12.4(6)T (IM inspection only from 12.4(9)T).

Configuration of the router:

I used some colors to make the ZPF configuration easier to understand: the class maps are blue, the policy maps are red and the servers (msn, yahoo, etc.) are brown.

With CBAC:

Router#sh run

Building configuration…

Current configuration : 3124 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
!
!
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
application http
strict-http action reset alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
!
!
!
interface FastEthernet0/0
ip address 50.50.50.1 255.255.255.0
ip access-group Outside_in in
ip inspect SDM_HIGH out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface IDS-Sensor1/0
no ip address
shutdown
hold-queue 60 out
!
!
!
ip http server
no ip http secure-server
ip nat inside source static 192.168.1.2 50.50.50.11
!
ip access-list extended Outside_in
deny   ip any any log
!
!
!
!
!
control-plane
!
!
!
!
line con 0
line 33
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin mop udptn v120 ssh
line aux 0
line vty 0 4
!
!
end
Router#

With ZPF:

Router#sh run

Building configuration…

Current configuration : 4161 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c2600-advsecurityk9-mz.124-9.T3.bin
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip name-server 50.50.50.71
!
parameter-map type protocol-info aol_servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn_servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info yahoo_servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
!
!
!
!
!
class-map type inspect http match-all cm_protocol_violation
match  req-resp protocol-violation
class-map type inspect match-all cm_http_traffic
match access-group 101
match protocol http
class-map type inspect match-any cm_internet_protocols
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol imap
match protocol smtp extended
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect msnmsgr match-any cm_msnmsgr-text-any
match  service text-chat
match  service any
class-map type inspect ymsgr match-any cm_ymsgr-text-any
match  service text-chat
match  service any
class-map type inspect aol match-any cm_aol-text-any
match  service text-chat
match  service any
class-map type inspect match-any cm_im_protocols
match protocol aol aol_servers
match protocol msnmsgr msn_servers
match protocol ymsgr yahoo_servers
!
!
policy-map type inspect http pm_protocol_violation
class type inspect http cm_protocol_violation
reset
class class-default
policy-map type inspect im pm_ims-text-any
class type inspect ymsgr cm_ymsgr-text-any
reset
class type inspect msnmsgr cm_msnmsgr-text-any
reset
class type inspect aol cm_aol-text-any
reset
class class-default
policy-map type inspect pm_Inside_to_Outside
class type inspect cm_im_protocols
inspect
service-policy im pm_ims-text-any
class type inspect cm_http_traffic
inspect
service-policy http pm_protocol_violation
class type inspect cm_internet_protocols
inspect
!
zone security inside
description inside
zone security outside
description outside
zone-pair security Inside_to_Outside source inside destination outside
service-policy type inspect pm_Inside_to_Outside
!
!
!
!
!
interface FastEthernet0/0
ip address 50.50.50.1 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security inside
duplex auto
speed auto
!
interface IDS-Sensor1/0
no ip address
shutdown
hold-queue 60 out
!
!
!
ip http server
no ip http secure-server
ip nat inside source static 192.168.1.2 50.50.50.11
!
!
logging history debugging
access-list 101 deny ip any host 212.15.14.7
access-list 101 permit ip any any
!
!
!
!
control-plane
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line 33
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin mop udptn v120 ssh
line aux 0
line vty 0 4
login
!
!
end
Router#
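The point of the ZPF-only exemption above is easy to miss: access-list 101 is not a filter but a match criterion, so its "deny" for 212.15.14.7 makes the match-all class cm_http_traffic fail for that host, and the flow falls through to cm_internet_protocols (plain inspect, no HTTP Layer 7 policy). The following is an added example, not code from the original post: a small Python model of how pm_Inside_to_Outside classifies an outbound flow, transcribed from the configuration shown (destination addresses other than 212.15.14.7 are constructed; Layer 7 actions are only named, not simulated; "tcp"/"udp" are matched as literal names, not as catch-alls the way IOS does).

```python
"""Model of ZPF classification for the pm_Inside_to_Outside policy above.
Added example (not from the original post): ACL, class maps and policy
order are transcribed from the post; flows are (protocol, destination)."""
from ipaddress import ip_address, ip_network

# access-list 101 from the config: first match wins, implicit deny at the end
ACL_101 = [("deny", "212.15.14.7/32"), ("permit", "0.0.0.0/0")]

def acl_permits(acl, dst):
    """IOS ACL semantics: first matching entry decides; no match -> deny."""
    for action, net in acl:
        if ip_address(dst) in ip_network(net):
            return action == "permit"
    return False

# class maps: (mode, predicates); predicate is ("protocol", name) or ("acl", entries)
CLASS_MAPS = {
    "cm_http_traffic": ("match-all", [("acl", ACL_101), ("protocol", "http")]),
    "cm_internet_protocols": ("match-any", [("protocol", p) for p in
        ["http", "https", "dns", "icmp", "imap", "smtp", "pop3", "tcp", "udp"]]),
    "cm_im_protocols": ("match-any", [("protocol", p) for p in ["aol", "msnmsgr", "ymsgr"]]),
}

def class_matches(name, proto, dst):
    """A 'match access-group' line matches only when the ACL permits the flow."""
    mode, preds = CLASS_MAPS[name]
    hits = [acl_permits(v, dst) if kind == "acl" else v == proto for kind, v in preds]
    return all(hits) if mode == "match-all" else any(hits)

# pm_Inside_to_Outside in configured order: (class, L3/L4 action, L7 service-policy)
POLICY = [
    ("cm_im_protocols", "inspect", "pm_ims-text-any"),
    ("cm_http_traffic", "inspect", "pm_protocol_violation"),
    ("cm_internet_protocols", "inspect", None),
]

def classify(proto, dst):
    """First matching class wins; anything unmatched hits class-default (drop)."""
    for cls, action, l7 in POLICY:
        if class_matches(cls, proto, dst):
            return cls, action, l7
    return "class-default", "drop", None

if __name__ == "__main__":
    print(classify("http", "8.8.8.8"))      # HTTP to a constructed host: L7 policy applies
    print(classify("http", "212.15.14.7"))  # the exempt server: plain inspect only
    print(classify("gopher", "8.8.8.8"))    # not listed anywhere: dropped by class-default
```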

Source documentation for ZPF:

Link for Zone-Based Policy Firewall:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t6/htzonebp.htm

Design Guide link:
http://www.cisco.com/en/US/products/ps6350/products_feature_guide09186a008072c6e3.html
