Sunday, May 23, 2010

INE OLS - NETFLOW w/ KEITH BARKER

  • WHAT DOES NETFLOW DO?
    • NetFlow is an ACCOUNTING feature ON TOP of an existing switching path. Eg. CEF.
    • NetFlow provides STATISTICS on packets flowing through the router.
      • INGRESS : IP, IP to MPLS, FR/ATM and traffic destined TO THE ROUTER ITSELF.
      • EGRESS : Traffic generated BY THE ROUTER IS NOT CAPTURED.
______________________________________________________________
  • USING NETFLOW DATA
    • NetFlow data can be used for :-
      • Network application and user MONITORING.
      • Network PLANNING.
      • DOS and security ANALYSIS.
      • ACCOUNTING and BILLING.
      • TRAFFIC ENGINEERING.
____________________________________________________________
  • WHAT IS A FLOW?
    • Initially, a single flow is the combination of SEVEN key fields.
      • SOURCE IP.
      • DESTINATION IP.
      • SOURCE PORT.
      • DESTINATION PORT.
      • LAYER-3 PROTOCOL TYPE.
      • TOS BIT.
      • LOGICAL INTERFACE (ifIndex).
    • Flows are subject to TIMEOUTS. 15 seconds by default.
    • Flows are STORED in NETFLOW CACHE.
______________________________________________________________
  • LIFE CYCLE
    • Router notices network traffic and CREATES flows in NetFlow cache LOCALLY.
    • ACTIVE FLOWS EXPIRE. Nothing lasts forever.
    • Router EXPORTS flow records to COLLECTORS.
      • Non aggregated flows only in Version 5 or 9.
      • Aggregated flows in Version 8 and 9.
      • Transport protocol UDP or SCTP is used.
        • SCTP – Stream Control Transmission Protocol.
      • An OPTIONAL aggregation cache may be created and exported as well.
    • FLOW HAS TO EXPIRE BEFORE IT IS EXPORTED.
    • Flows can be AGGREGATED OR SUMMARIZED on SOME of the key-fields.
________________________________________________________________
  • NETFLOW PRE-PROCESSING
    • Packet sampling.
      • Sets up STATISTICAL SAMPLING of network traffic for TE or capacity planning.
    • Filtering.
      • Sets up a SPECIFIC SUBSET of network traffic for CLASS-BASED traffic analysis.
__________________________________________________________________
  • EXPIRATION OF A FLOW

    • Inactivity timer – 15 seconds by default.
    • Active timer expiration – 30 mins by default.

      • Simply means that the information is sent for a flow active for LONGER than 30 mins.
      • Router NO LONGER waits for expiration.
      • SESSION IS NOT BROKEN. Just the information about it is sent.
    • NetFlow cache is FULL (FIFO).
    • TCP RST or FIN is observed.
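As an added example (not part of the INE notes and not Cisco code), the following Python model ties together WHAT IS A FLOW and EXPIRATION OF A FLOW: a cache keyed on the seven key fields, an inactive timer (15 s), an active timer (30 min, after which the record is exported while the session continues in a fresh entry), TCP FIN/RST, and a full cache pushing out its oldest entry (FIFO). The packets, the four-entry cache size and the field names are constructed for the demo.

```python
# Added example, not from the INE notes or Cisco: a toy NetFlow main cache.
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Tuple

INACTIVE_TIMEOUT = 15        # seconds (IOS default quoted in the notes)
ACTIVE_TIMEOUT = 30 * 60     # seconds (IOS default quoted in the notes)
TCP, UDP = 6, 17
TCP_FIN, TCP_RST = 0x01, 0x04

# The seven key fields that identify one flow:
# src IP, dst IP, src port, dst port, L3 protocol, ToS, input ifIndex.
FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class FlowEntry:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0       # OR of every TCP flag seen on the flow


class FlowCache:
    """Flows live here until they expire; expired flows go to `exported`."""

    def __init__(self, max_entries: int = 4):
        self.max_entries = max_entries
        self.entries: "OrderedDict[FlowKey, FlowEntry]" = OrderedDict()
        self.exported: List[Tuple[FlowKey, FlowEntry, str]] = []

    def _expire(self, key: FlowKey, reason: str) -> None:
        self.exported.append((key, self.entries.pop(key), reason))

    def age(self, now: float) -> None:
        """Scavenger pass: inactive timer first, then the active timer."""
        for key, entry in list(self.entries.items()):
            if now - entry.last_seen > INACTIVE_TIMEOUT:
                self._expire(key, "inactive timeout")
            elif now - entry.first_seen > ACTIVE_TIMEOUT:
                # The record is exported but the session is not broken:
                # the next packet simply starts a new entry for the same key.
                self._expire(key, "active timeout")

    def observe(self, packet: dict, now: float) -> None:
        self.age(now)
        key: FlowKey = (packet["src"], packet["dst"], packet["sport"],
                        packet["dport"], packet["proto"], packet["tos"],
                        packet["ifindex"])
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.max_entries:
                # Cache full: the oldest entry is pushed out (FIFO).
                self._expire(next(iter(self.entries)), "cache full")
            entry = self.entries[key] = FlowEntry(first_seen=now, last_seen=now)
        entry.packets += 1
        entry.octets += packet["length"]
        entry.last_seen = now
        flags = packet.get("flags", 0)
        if packet["proto"] == TCP:
            entry.tcp_flags |= flags
            if flags & (TCP_FIN | TCP_RST):
                self._expire(key, "tcp fin/rst")


def pkt(src, dst, sport, dport, proto, length, flags=0, tos=0, ifindex=1) -> dict:
    """Constructed packet summary (only the fields the cache needs)."""
    return dict(src=src, dst=dst, sport=sport, dport=dport, proto=proto,
                length=length, flags=flags, tos=tos, ifindex=ifindex)


def run_demo() -> FlowCache:
    """Constructed traffic that triggers each expiry reason at least once."""
    cache = FlowCache(max_entries=4)
    # 1. A short HTTP session (SYN, ACK, FIN/ACK) plus one DNS query.
    cache.observe(pkt("10.1.1.10", "192.0.2.20", 40000, 80, TCP, 60, flags=0x02), now=0)
    cache.observe(pkt("10.1.1.10", "192.0.2.20", 40000, 80, TCP, 1500, flags=0x10), now=1)
    cache.observe(pkt("10.1.1.11", "192.0.2.53", 53000, 53, UDP, 80), now=2)
    cache.observe(pkt("10.1.1.10", "192.0.2.20", 40000, 80, TCP, 40, flags=0x11), now=3)
    # 2. A second DNS query; the first one has been idle for more than 15 s.
    cache.observe(pkt("10.1.1.12", "192.0.2.53", 53001, 53, UDP, 80), now=30)
    # 3. A long-lived TLS session, one packet every 10 s for over 30 minutes.
    for t in range(100, 1911, 10):
        cache.observe(pkt("10.1.1.13", "192.0.2.22", 40001, 443, TCP, 100, flags=0x10), now=t)
    # 4. A burst of five new flows into a four-entry cache.
    for sport in range(50000, 50005):
        cache.observe(pkt("10.1.1.14", "192.0.2.54", sport, 53, UDP, 64), now=2100)
    return cache


if __name__ == "__main__":
    for key, entry, reason in run_demo().exported:
        print(f"{reason:17s} {key[0]}:{key[2]} -> {key[1]}:{key[3]} "
              f"proto={key[4]} pkts={entry.packets} octets={entry.octets}")
```

The long TLS session is the case worth watching: it is exported once at the 30-minute mark with 181 packets and then continues as a new entry, which is why a collector sees one long session as several records and must not treat each record as a separate connection.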
_________________________________________________________________
  • NETFLOW POST PROCESSING

    • Aggregation schemes.

      • Quite simply summarization.
      • Sets up EXTRA aggregation caches with different combinations of fields that determine WHICH TRADITIONAL FLOWS are GROUPED TOGETHER.

        • Several NON-TOS and TOS based schemes.
        • Uses ADMIN-DEFINED NON-STANDARD KEY-FIELDS.
    • Export to MULTIPLE destinations.

      • Sets up IDENTICAL streams of NetFlow data to be sent to MULTIPLE hosts.
__________________________________________________________________________
  • EXPORTING NETFLOW

    • Version 5 INCLUDES BGP AS information.
    • Version 7 ONLY supported on CATALYST switches.
    • Version 9 defined in RFC 3954.

      • FLEXIBLE AND EXTENSIBLE using templates.
    • Version 10 – IETF IP Flow Information eXport – IPFIX.
___________________________________________________________________________
  • TERMINOLOGY

    • FLOW

      • The ACTUAL traffic that occurred.
    • FLOW-RECORD

      • Information about the traffic.
    • EXPORT-PACKET

      • Transported to the collector.
    • PACKET HEADER

      • Has VERSION, SEQ #, # OF RECORDS etc.
    • TEMPLATE RECORD (SCHEMA)

      • DEFINES fields and structure in flow-record.
    • OPTIONS RECORD

      • Data ABOUT the CONFIGURATION OF NETFLOW.
      • Examples include – SCOPE, SAMPLING LEVELS etc.
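As an added example (not part of the INE notes and not Cisco code), the following Python builds and decodes a NetFlow version 5 export packet so the TERMINOLOGY above can be seen in bytes: a 24-byte PACKET HEADER (version, record count, uptime, flow sequence number) followed by fixed 48-byte FLOW-RECORDs carrying the key fields. Version 5 has no template record because its layout is fixed; that is what version 9 adds. The collector tracks the flow sequence number, which counts exported flows rather than packets, so lost UDP export datagrams show up as a gap. The sample flows and the `Collector` class are constructed for the demo.

```python
# Added example, not from the INE notes or Cisco: build and parse a
# NetFlow v5 export packet (24-byte header + 48-byte records).
import ipaddress
import struct
from typing import Dict, List, Optional

# Header: version, count, sysuptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts",
                 "doctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
V5_MAX_RECORDS = 30


def _ip2int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def build_v5_packet(records: List[Dict], flow_sequence: int,
                    sysuptime: int = 0, unix_secs: int = 0) -> bytes:
    """Serialize records the way an exporter would (engine ids fixed at 0)."""
    header = V5_HEADER.pack(5, len(records), sysuptime, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(_ip2int(r["srcaddr"]), _ip2int(r["dstaddr"]),
                       _ip2int(r.get("nexthop", "0.0.0.0")), r.get("input", 0),
                       r.get("output", 0), r["dpkts"], r["doctets"],
                       r.get("first", 0), r.get("last", 0), r["srcport"],
                       r["dstport"], 0, r.get("tcp_flags", 0), r["prot"],
                       r.get("tos", 0), r.get("src_as", 0), r.get("dst_as", 0),
                       r.get("src_mask", 0), r.get("dst_mask", 0), 0)
        for r in records)
    return header + body


def parse_v5_packet(data: bytes) -> Dict:
    """Decode a v5 packet; reject anything that is not internally consistent."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    (version, count, sysuptime, unix_secs, _nsecs, flow_sequence,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported version {version}")
    if count > V5_MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        # A length that does not match the record count means a truncated or
        # corrupt datagram; do not try to read flows out of it.
        raise ValueError("record count does not match packet length")
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for name in ("srcaddr", "dstaddr", "nexthop"):
            rec[name] = str(ipaddress.IPv4Address(rec[name]))
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return {"version": version, "sysuptime": sysuptime, "unix_secs": unix_secs,
            "flow_sequence": flow_sequence, "engine_id": engine_id,
            "sampling_interval": sampling, "records": records}


def is_well_formed(data: bytes) -> bool:
    try:
        parse_v5_packet(data)
        return True
    except ValueError:
        return False


class Collector:
    """Keeps the flow records and notices gaps in flow_sequence."""

    def __init__(self):
        self.expected_seq: Optional[int] = None
        self.lost_flows = 0
        self.flows: List[Dict] = []

    def receive(self, data: bytes) -> Dict:
        packet = parse_v5_packet(data)
        seq = packet["flow_sequence"]
        if self.expected_seq is not None and seq > self.expected_seq:
            # flow_sequence counts flows, so the gap is the number of
            # flow records that were carried by export packets never seen.
            self.lost_flows += seq - self.expected_seq
        self.expected_seq = seq + len(packet["records"])
        self.flows.extend(packet["records"])
        return packet


SAMPLE_FLOWS = [  # constructed sample flows
    dict(srcaddr="10.1.1.10", dstaddr="192.0.2.20", srcport=40000, dstport=80,
         prot=6, dpkts=3, doctets=1600, tcp_flags=0x13, input=1, output=2),
    dict(srcaddr="10.1.1.11", dstaddr="192.0.2.53", srcport=53000, dstport=53,
         prot=17, dpkts=1, doctets=80, input=1, output=2),
]


def run_demo() -> Collector:
    collector = Collector()
    collector.receive(build_v5_packet(SAMPLE_FLOWS, flow_sequence=0))
    # Simulate one lost export packet that carried two flows: the next
    # packet the collector sees starts at sequence 4 instead of 2.
    collector.receive(build_v5_packet(SAMPLE_FLOWS[:1], flow_sequence=4))
    return collector
```

A gap in the sequence counter is the only signal a collector gets that UDP export datagrams were dropped, so it is worth alerting on: a sustained gap during an incident usually means the export path, not the traffic, is the problem.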
______________________________________________________________________________
  • STREAM CONTROL TRANSMISSION PROTOCOL

    • RFC 2960 and extension RFC 3758.
    • Reliable transport protocol for EXPORT.
    • Stream 0 is the CONTROL channel.
    • Additional streams are for carrying data.
____________________________________________________________________________
  • COMMANDS.

    • ip flow-capture
    • ip flow-cache
    • ip flow-export
    • (config-if)# ip flow ingress|egress
    • show ip flow export|interface
    • show ip cache flow <------------------ IMPORTANT
    • show ip cache verbose flow
    • show ip flow top-talkers
    • flow-sampler-map

      • mode
    • (config-if)# flow-sampler egress|ingress
_______________________________________________________________________________
  • FLEXIBLE NETFLOW

    • Basic ingredients are :

      • RECORDS.

        • Pre-defined.
        • User-defined.
      • Flow exporters.

        • Used by FLOW MONITORS for exporting NetFlow data.
      • Flow MONITORS.

        • Linked to an exporter and record.
        • Applied to interfaces.
        • Creates its OWN cache.

          • Normal.
          • Immediate
          • Permanent.

Tuesday, May 11, 2010

INE OLS - ADVANCED ZONE BASED FIREWALL

INSTRUCTOR - MARVIN GREENLEE


ZBF vs. IOS FIREWALL

  • IOS FW is INTERFACE BASED
  • ZFW is based on LOGICAL GROUPINGS of interfaces.
    • Adds a degree of VIRTUALIZATION.
    • Zones can have ONE or MANY interfaces.
___________________________________________________
ZONES

  • Logical groupings of ONE or MORE interfaces.
  • Have a set of DEFAULT behaviors, SOME of which can be changed via policy.
_______________________________________________________
SELF ZONE

  • SPECIAL zone used for traffic TERMINATING on the router itself.
    • Eg. Telnet, TFTP, HTTP traffic etc.
    • Can be thought of LOOSELY as CONTROL PLANE.
    • Traffic TO an interface on the router.
_______________________________________________________
ZONE PAIR

  • LOGICAL pairings of TWO zones for a UNIDIRECTIONAL policy.
_________________________________________________________
ZONE CONFIGURATION

  • Defined GLOBALLY.
  • Interfaces ASSIGNED to zones.
  • REFERENCED IN ZONE PAIRS.
_________________________________________________________
GENERAL RULES

  • Zones need to be configured BEFORE interfaces are assigned.
  • An interface can ONLY be assigned to a SINGLE ZONE.
    • Transparent ZFW works differently.
  • Traffic BETWEEN interfaces in the SAME zone is NOT FILTERED.
  • Traffic TO or FROM the SELF zone will PASS by default.
  • Traffic WILL NOT pass from a ZONE MEMBER to a NON-ZONE MEMBER.
  • Traffic WILL pass from a NON-ZONE to a NON-ZONE member.
________________________________________________________
HIERARCHY 

  • ZFW uses MQC structure.
  • All structures - Class-maps, Policy-maps and Service policy are of TYPE INSPECT.
_________________________________________________________
CLASS MAP

  • TYPE INSPECT.
  • BEWARE of match-any vs. match-all.
    • DEFAULT IS MATCH-ALL.
  • MATCH PROTOCOL options based on IOS FW protocol definitions.
    • NOT NBAR!
___________________________________________________________
POLICY MAP

  • Match CLASSES and define ACTIONS.
  • Options are DROP, PASS and INSPECT.
    • Drop - Straightforward drop.
    • Pass - Traffic is allowed to PASS.
    • Inspect - Traffic is allowed to pass AND ADDED to STATE TABLE to ALLOW RETURN traffic.
  • Additional options such as LOGGING, CONNECTION LIMITS, POLICE etc. are available.
__________________________________________________________
SERVICE POLICY

  • BINDING the policy to ZONE-PAIRS.
__________________________________________________________
COMMANDS

  1. DEFINE ZONES
    • (config)# zone security NAME
  2. DEFINE ZONE-PAIRS
    • (config)# zone-pair security NAME source ZONE-1 destination ZONE-2
  3. DEFINE CLASS-MAPS AND POLICY-MAPS
    • (config)# class-map type inspect NAME
      • match protocol|access-group etc.
    • (config)# policy-map type inspect NAME
      • class NAME
        • drop|pass|inspect|police|urlfilter
        • service-policy type inspect
  4. APPLY POLICY-MAP TO ZONE-PAIRS
    • (config)# zone-pair security NAME
      • service-policy type inspect NAME
  5. ASSIGN INTERFACES TO ZONES
    • (config)# interface NAME
      • zone-member security NAME
  6. VERIFICATION
    • show policy-map type inspect zone-pair NAME
________________________________________________________
COMMON PROBLEMS

  • PASS vs. INSPECT - Return traffic depends on this.
  • "Self" zone is NOT BLOCKED by default.
  • CLASS-DEFAULT with a DEFAULT ACTION OF DROP.
  • Drop log can be used to LOG to CONSOLE.
  • ip inspect log drop-pkt logs ALL drops.
  • For some protocols, actions such as INSPECT are LIMITED under SELF zone.
  • Policies for SELF zone are IMPORTANT FOR ROUTING PROTOCOLS.
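As an added example (not part of the INE notes and not Cisco IOS code), the following Python models the GENERAL RULES and the POLICY MAP actions above, and reproduces the first two items under COMMON PROBLEMS: PASS lets the outbound packet through but leaves no state, so the reply is judged against the (absent) return zone-pair and dropped, while INSPECT records the session and lets the reply back; the self zone passes by default when no zone-pair names it. Zone names, interface names, the sample policy and the `ZoneFirewall` class are constructed for the demo.

```python
# Added example, not from the INE notes or Cisco IOS: a model of the default
# ZBF forwarding rules and of how PASS and INSPECT differ for return traffic.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SELF = "self"                              # the router's own zone
Session = Tuple[int, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass
class ZoneFirewall:
    zones: Set[str] = field(default_factory=set)            # zone security NAME
    members: Dict[str, str] = field(default_factory=dict)   # interface -> zone
    # (source zone, destination zone) -> {protocol: action}. A protocol that is
    # not listed falls into class-default, whose default action is drop.
    pairs: Dict[Tuple[str, str], Dict[str, str]] = field(default_factory=dict)
    state: Set[Session] = field(default_factory=set)        # inspected sessions

    def add_zone(self, name: str) -> None:
        self.zones.add(name)

    def assign(self, interface: str, zone: str) -> None:
        # Zones must be configured before interfaces are assigned, and an
        # interface belongs to at most one zone (dict key overwrites).
        if zone not in self.zones:
            raise ValueError(f"zone {zone!r} does not exist")
        self.members[interface] = zone

    def add_pair(self, src_zone: str, dst_zone: str, policy: Dict[str, str]) -> None:
        self.pairs[(src_zone, dst_zone)] = dict(policy)   # unidirectional

    def zone_of(self, interface: str) -> Optional[str]:
        return SELF if interface == SELF else self.members.get(interface)

    def evaluate(self, in_if: str, out_if: str, proto_name: str, sess: Session) -> str:
        proto, src, sport, dst, dport = sess
        # Return traffic of an inspected session matches the state table
        # before any zone-pair policy is consulted.
        if (proto, dst, dport, src, sport) in self.state:
            return "pass (state table)"
        src_zone, dst_zone = self.zone_of(in_if), self.zone_of(out_if)
        if src_zone is None and dst_zone is None:
            return "pass (non-member to non-member)"
        if src_zone == dst_zone:
            return "pass (same zone)"
        policy = self.pairs.get((src_zone, dst_zone))
        if policy is None:
            if SELF in (src_zone, dst_zone):
                return "pass (self zone default)"
            if src_zone is None or dst_zone is None:
                return "drop (zone member to non-member)"
            return "drop (no zone-pair)"
        action = policy.get(proto_name, "drop")      # class-default drops
        if action == "inspect":
            self.state.add(sess)                     # allow the return traffic
        return action


def run_demo() -> Dict[str, str]:
    fw = ZoneFirewall()
    for zone in ("inside", "outside"):
        fw.add_zone(zone)
    fw.assign("Fa0/0", "inside")
    fw.assign("Fa1/0", "inside")
    fw.assign("Fa0/1", "outside")
    # Fa0/2 and Fa0/3 are deliberately left out of every zone.
    fw.add_pair("inside", "outside", {"http": "inspect", "icmp": "pass"})

    http = (6, "10.1.1.10", 40000, "192.0.2.20", 80)
    http_reply = (6, "192.0.2.20", 80, "10.1.1.10", 40000)
    ping = (1, "10.1.1.10", 0, "192.0.2.20", 0)
    ping_reply = (1, "192.0.2.20", 0, "10.1.1.10", 0)
    ssh = (6, "10.1.1.10", 40001, "192.0.2.20", 22)
    telnet = (6, "198.51.100.5", 40002, "203.0.113.1", 23)
    return {
        "http out":            fw.evaluate("Fa0/0", "Fa0/1", "http", http),
        "http reply":          fw.evaluate("Fa0/1", "Fa0/0", "http", http_reply),
        "ping out":            fw.evaluate("Fa0/0", "Fa0/1", "icmp", ping),
        "ping reply":          fw.evaluate("Fa0/1", "Fa0/0", "icmp", ping_reply),
        "ssh out":             fw.evaluate("Fa0/0", "Fa0/1", "ssh", ssh),
        "inside to inside":    fw.evaluate("Fa0/0", "Fa1/0", "ssh", ssh),
        "inside to unassigned": fw.evaluate("Fa0/0", "Fa0/2", "ssh", ssh),
        "unassigned pair":     fw.evaluate("Fa0/2", "Fa0/3", "ssh", ssh),
        "outside to self":     fw.evaluate("Fa0/1", SELF, "telnet", telnet),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22s} {verdict}")
```

The last case is the one the notes flag as a common problem: with no zone-pair touching the self zone, management traffic from the outside zone to the router passes, so a self-zone policy is needed both to restrict that and to keep routing protocols working once it exists.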
_______________________________________________________
PAM

  • Port Application Mapping.
  • Allows MAPPING for CUSTOM ports and protocols.
  • Available in BOTH IOS and ZONE FW.
  • ip port-map NAME port PROTOCOL NUMBER
    • This MAPPED protocol can be referenced in match protocol NAME.
    • This creates a NEW mapping.
  • An EXISTING mapping can also be ADJUSTED.
  • Eg. ip port-map telnet port tcp 1024
    • match protocol telnet will now match TCP port 1024 in ADDITION to port 23.
________________________________________________________
PARAMETER MAP

  • ADDITIONAL OPTIONS for inspect -
    • Audit trails, maximum connections, incomplete connections etc.
  • DEFAULTS VARY WITH IOS VERSION.
  • Values can be TUNED as needed for specific environment.
  • The values of PARAMETER MAP in ZFW are PER CLASS.
  • parameter-map type inspect NAME
    • Choose parameters in this sub-menu.
    • The map should then be applied to a POLICY via inspect keyword.
    • inspect NAME
________________________________________________________
TRANSPARENT ZONE FIREWALL

  • Allows configuration of a policy BETWEEN TWO LOGICAL VLANS.
  • Utilizes BRIDGE-GROUPS and BRIDGING for the VLANs.
    • BRIDGED interfaces are simply assigned to ZONES.
  • Policy can still be configured for traffic leaving via ANOTHER interface.
  • The idea is to ENFORCE policy BETWEEN TWO INTERFACES IN SAME ZONE.
    • The BVI can be used to this effect.
  • Remember that as long as packets are BRIDGED, the policy in effect is the one on the BRIDGED interfaces, BUT when packets are ROUTED out to OTHER domains, the POLICY on the BVI is in effect.
  • It is POSSIBLE (NOT RECOMMENDED) to configure Layer-2 and Layer-3 interfaces in the SAME ZONE.
    • Desirable in MOST cases to keep these domains separate.
  • Any BVIs on the routers belong to SELF zone.
    • An ACL may still be applied to BVI if no security zone is assigned.
    • If the WHOLE L-2 domain BEHIND the BVI needs to be treated as a SINGLE Layer-3 security zone, a zone may be applied to BVI, BUT NOT BRIDGED interfaces.
  • MC/BC are NOT inspected.
    • Moreover in transparent mode, BOTH are permitted across FW configured with ZONES.