Tuesday, May 11, 2010

INE OLS - ADVANCED ZONE BASED FIREWALL

INSTRUCTOR - MARVIN GREENLEE


ZBF vs. IOS FIREWALL

  • IOS FW is INTERFACE BASED
  • ZFW is based on LOGICAL GROUPINGS of interfaces.
    • Adds a degree of VIRTUALIZATION.
    • Zones can have ONE or MANY interfaces.
___________________________________________________
ZONES

  • Logical groupings of ONE or MORE interfaces.
  • Have a set of DEFAULT behaviors, SOME of which can be changed via policy.
_______________________________________________________
SELF ZONE

  • SPECIAL zone used for traffic TERMINATING on the router itself.
    • Eg. Telnet, TFTP, HTTP traffic etc.
    • Can be THOUGHT of LOOSELY as the CONTROL PLANE.
    • Traffic TO or FROM an IP address on the router itself (the self zone has NO interfaces of its own).
_______________________________________________________
ZONE PAIR

  • LOGICAL pairings of TWO zones for a UNIDIRECTIONAL policy.
_________________________________________________________
ZONE CONFIGURATION

  • Defined GLOBALLY.
  • Interfaces ASSIGNED to zones.
  • REFERENCED IN ZONE PAIRS.
_________________________________________________________
GENERAL RULES

  • Zones need to be configured BEFORE interfaces are assigned.
  • An interface can ONLY be assigned to a SINGLE ZONE.
    • Transparent ZFW works differently.
  • Traffic BETWEEN interfaces in the SAME zone is NOT FILTERED.
  • Traffic TO or FROM the SELF zone will PASS by default.
  • Traffic WILL NOT pass from a ZONE MEMBER to a NON-ZONE MEMBER.
  • Traffic WILL pass from a NON-ZONE to a NON-ZONE member.
________________________________________________________
HIERARCHY 

  • ZFW uses MQC structure.
  • All structures - Class-maps, Policy-maps and Service policy are of TYPE INSPECT.
_________________________________________________________
CLASS MAP

  • TYPE INSPECT.
  • BEWARE of match-any vs. match-all.
    • DEFAULT IS MATCH-ALL.
  • MATCH PROTOCOL options based on IOS FW protocol definitions.
    • NOT NBAR!
___________________________________________________________
POLICY MAP

  • Match CLASSES and define ACTIONS.
  • Options are DROP, PASS and INSPECT.
    • Drop - Straightforward drop.
    • Pass - Traffic is allowed to PASS.
    • Inspect - Traffic is allowed to pass AND ADDED to STATE TABLE to ALLOW RETURN traffic.
  • Additional options such as LOGGING, CONNECTION LIMITS, POLICE etc. are available.
__________________________________________________________
SERVICE POLICY

  • BINDING the policy to ZONE-PAIRS.
__________________________________________________________
COMMANDS
    
      1. DEFINE ZONES

    • (config)# zone security NAME
      2. DEFINE ZONE-PAIRS

    • (config)# zone-pair security NAME source ZONE-1 destination ZONE-2
      3. DEFINE CLASS-MAPS AND POLICY-MAPS

    • (config)# class-map type inspect NAME
      • match protocol|access-group etc.
    • (config)# policy-map type inspect NAME
      • class NAME
        • drop|pass|inspect|police|urlfilter
        • service-policy type inspect L7-NAME (nested Layer-7 application policy, eg. HTTP deep inspection)
      4. APPLY POLICY-MAP TO ZONE-PAIRS

    • (config)# zone-pair security NAME
      • service-policy type inspect NAME
      5. ASSIGN INTERFACES TO ZONES

    • (config)# interface NAME
      • zone-member security NAME
      6. VERIFICATION

    • show policy-map type inspect zone-pair NAME
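The six steps above as one complete, minimal two-zone configuration. This is an added example, not part of the class notes; the interface names, addresses and object names are assumptions.

```cisco
! Added example (not from the class notes): minimal INSIDE/OUTSIDE ZFW.
! Assumed topology: GigabitEthernet0/0 = INSIDE LAN 10.1.1.0/24,
! GigabitEthernet0/1 = OUTSIDE. All names and addresses are assumptions.
!
! 1. Zones (must exist BEFORE an interface can join them)
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted
!
! 2. Zone-pair: UNIDIRECTIONAL, INSIDE -> OUTSIDE only.
!    No OUTSIDE -> INSIDE pair exists, so unsolicited traffic in that
!    direction is dropped; inspected sessions still get return traffic.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
!
! 3a. Class-maps. match-any: a packet needs only ONE of the protocols.
!     The default, match-all, would require a packet to be HTTP AND DNS
!     at the same time and would never match anything.
class-map type inspect match-any CM-WEB-DNS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!     match-all (default) is right when combining a source ACL WITH a
!     protocol: only SSH from the listed hosts matches.
ip access-list extended ACL-ADMIN-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
class-map type inspect match-all CM-ADMIN-SSH
 match access-group name ACL-ADMIN-HOSTS
 match protocol ssh
!
! 3b. Policy-map. inspect = pass AND add to the state table so the
!     return traffic is allowed. class-default drops; "log" makes the
!     drops visible instead of silent.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-WEB-DNS
  inspect
 class type inspect CM-ADMIN-SSH
  inspect
 class class-default
  drop log
!
! 4. Bind the policy to the zone-pair
zone-pair security IN-TO-OUT
 service-policy type inspect PM-IN-TO-OUT
!
! 5. Assign interfaces. Each interface belongs to at most ONE zone, and
!    an interface with NO zone cannot talk to either of these.
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
! 6. Verification (run from exec mode)
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair IN-TO-OUT
! show policy-map type inspect zone-pair IN-TO-OUT sessions
```

The "sessions" form of the last show command lists the state-table entries created by inspect; if a flow you expected to work is missing there, check whether its class got pass (no state) instead of inspect, or fell into class-default.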
________________________________________________________
COMMON PROBLEMS

  • PASS vs. INSPECT - PASS creates NO state, so RETURN traffic needs its OWN zone-pair and policy; INSPECT adds the session to the state table and allows the return traffic automatically.
  • "Self" zone is NOT BLOCKED by default; a direction only becomes subject to policy once a ZONE-PAIR with SELF is configured for that DIRECTION.
  • CLASS-DEFAULT has a DEFAULT ACTION OF DROP - anything you forgot to classify is dropped SILENTLY unless you add "drop log".
  • "drop log" under a class LOGS that class's drops (syslog, hence the CONSOLE by default).
  • "ip inspect log drop-pkt" (global) logs ALL inspect drops.
  • For some protocols, actions such as INSPECT are LIMITED under the SELF zone (inspection of self-zone traffic covers TCP, UDP, ICMP and, on some releases, H.323); everything else must be PASSED.
  • Policies for the SELF zone are IMPORTANT FOR ROUTING PROTOCOLS - OSPF/EIGRP hellos to the router are self-zone traffic and must be explicitly PASSED in BOTH directions or adjacencies drop.
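A self-zone policy that keeps routing protocols and router management working, as an added example (not from the class notes). It assumes the INSIDE and OUTSIDE zones already exist, that OSPF runs toward INSIDE and EIGRP toward the OUTSIDE peer, and every name and address is an assumption.

```cisco
! Added example (not from the class notes): SELF-zone policy.
! Assumes zones INSIDE and OUTSIDE exist; names/addresses are assumptions.
!
! Once a zone-pair with "self" exists for a direction, that direction is
! subject to policy; the OPPOSITE direction stays open until it gets its
! own zone-pair. Both directions are therefore defined explicitly here.
!
! OSPF (IP proto 89) and EIGRP (IP proto 88) are neither TCP nor UDP and
! cannot be INSPECTED in the self zone: PASS them, and because PASS keeps
! no state, PASS them in BOTH directions.
ip access-list extended ACL-ROUTING
 permit ospf any any
 permit eigrp any any
class-map type inspect match-any CM-ROUTING
 match access-group name ACL-ROUTING
!
! Management INTO the router: source-restricted SSH, then INSPECT (TCP).
ip access-list extended ACL-MGMT-SRC
 permit ip 10.1.1.0 0.0.0.255 any
class-map type inspect match-all CM-MGMT-IN
 match access-group name ACL-MGMT-SRC
 match protocol ssh
class-map type inspect match-any CM-ICMP
 match protocol icmp
!
! Services the router itself ORIGINATES (all TCP/UDP/ICMP, so inspectable).
class-map type inspect match-any CM-ROUTER-ORIGINATED
 match protocol ntp
 match protocol syslog
 match protocol tacacs
 match protocol tftp
 match protocol dns
 match protocol icmp
!
policy-map type inspect PM-TO-SELF
 class type inspect CM-ROUTING
  pass
 class type inspect CM-MGMT-IN
  inspect
 class type inspect CM-ICMP
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-FROM-SELF
 class type inspect CM-ROUTING
  pass
 class type inspect CM-ROUTER-ORIGINATED
  inspect
 class class-default
  drop log
!
zone-pair security IN-TO-SELF source INSIDE destination self
 service-policy type inspect PM-TO-SELF
zone-pair security SELF-TO-IN source self destination INSIDE
 service-policy type inspect PM-FROM-SELF
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-TO-SELF
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect PM-FROM-SELF
!
! Troubleshooting: log every inspect drop globally, then read the pairs.
ip inspect log drop-pkt
! show zone-pair security
! show policy-map type inspect zone-pair IN-TO-SELF
```

If an OSPF or EIGRP adjacency goes down right after this is applied, the first thing to check is the drop counter of class-default on the IN-TO-SELF and SELF-TO-IN pairs: a routing protocol missing from ACL-ROUTING lands there.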
_______________________________________________________
PAM

  • Port Application Mapping.
  • Allows MAPPING for CUSTOM ports and protocols.
  • Available in BOTH IOS and ZONE FW.
  • ip port-map NAME port tcp|udp NUMBER [list ACL-NUMBER]
    • The MAPPED name can then be referenced with match protocol NAME.
    • A NEW, user-defined application name MUST begin with "user-" (eg. user-myapp).
    • The optional "list" ACL restricts the mapping to specific hosts.
  • An EXISTING mapping can also be EXTENDED with additional ports.
  • Eg. ip port-map telnet port tcp 1024
    • match protocol telnet will now match TCP port 1024 in ADDITION to port 23.
________________________________________________________
PARAMETER MAP

  • ADDITIONAL OPTIONS for inspect -
    • Audit trails, maximum connections, incomplete connections etc.
  • DEFAULTS VARY WITH IOS VERSION.
  • Values can be TUNED as needed for specific environment.
  • The values of PARAMETER MAP in ZFW are PER CLASS.
  • parameter-map type inspect NAME
    • Choose parameters in this sub-menu (timeouts, session limits, half-open thresholds, audit-trail).
    • The map is then applied to a CLASS inside a policy via the inspect keyword:
    • inspect NAME
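The PAM and PARAMETER MAP sections above, worked through on one policy: a port added to an existing protocol, a host-specific mapping, a user-defined application, and a tuned parameter-map attached per class. This is an added example, not from the class notes; it assumes the policy-map PM-IN-TO-OUT, zone-pair IN-TO-OUT and class CM-WEB-DNS already exist, and the ports, ACL and names are assumptions.

```cisco
! Added example (not from the class notes): PAM + parameter-map.
! Assumes policy-map PM-IN-TO-OUT and class CM-WEB-DNS already exist.
!
! --- PAM ---
! Extend an EXISTING protocol: "match protocol http" now also matches
! TCP/8080 everywhere; port 80 still matches as before.
ip port-map http port tcp 8080
!
! Host-specific mapping: only toward 10.1.2.0/24 (ACL 10) is TCP/8443
! treated as HTTPS; elsewhere 8443 stays unknown.
access-list 10 permit 10.1.2.0 0.0.0.255
ip port-map https port tcp 8443 list 10
!
! NEW application: a user-defined name MUST start with "user-".
ip port-map user-mgmt-api port tcp 9443
class-map type inspect match-any CM-CUSTOM-APP
 match protocol user-mgmt-api
!
! show ip port-map
! show ip port-map http
!
! --- PARAMETER-MAP ---
! Applied per CLASS with "inspect NAME", so a bulk web class and a
! sensitive custom-app class can carry different limits.
parameter-map type inspect PMAP-STRICT
 audit-trail on
 alert on
 sessions maximum 2000
 tcp idle-time 600
 udp idle-time 30
 icmp idle-time 10
 tcp synwait-time 15
 tcp max-incomplete host 50 block-time 2
 max-incomplete low 400
 max-incomplete high 500
 one-minute low 400
 one-minute high 500
!
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-WEB-DNS
  inspect PMAP-STRICT
 class type inspect CM-CUSTOM-APP
  inspect PMAP-STRICT
!
! show parameter-map type inspect PMAP-STRICT
! show policy-map type inspect zone-pair IN-TO-OUT sessions
```

"audit-trail on" logs each session open and close, which is the cheapest way to confirm that the new port mappings are actually being classified as http/https/user-mgmt-api rather than falling into class-default. The half-open thresholds (max-incomplete, one-minute, tcp max-incomplete host) are the SYN-flood protection knobs and their defaults differ between IOS releases, so set them explicitly rather than trusting the default.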
________________________________________________________
TRANSPARENT ZONE FIREWALL

  • Allows configuration of a policy BETWEEN TWO LOGICAL VLANS.
  • Utilizes BRIDGE-GROUPS and BRIDGING for the VLANs.
    • BRIDGED interfaces are simply assigned to ZONES..
  • Policy can still be configured for traffic leaving via ANOTHER interface.
  • The idea is to ENFORCE policy BETWEEN TWO INTERFACES IN SAME ZONE.
    • The BVI can be used to this effect.
  • Remember: as long as packets are BRIDGED, the policy on the zones of the BRIDGED interfaces is in effect; once packets are ROUTED out to OTHER domains, the policy on the zone of the BVI is in effect.
  • It is POSSIBLE (NOT RECOMMENDED) to configure Layer-2 and Layer-3 interfaces in the SAME ZONE.
    • Desirable in MOST cases to keep these domains separate.
  • Any BVIs on the routers belong to SELF zone.
    • An ACL may still be applied to BVI if no security zone is assigned.
    • If the WHOLE L-2 domain BEHIND the BVI needs to be treated as a SINGLE Layer-3 security zone, a zone may be applied to BVI, BUT NOT BRIDGED interfaces.
  • Multicast and broadcast (MC/BC) traffic is NOT inspected.
    • Moreover, in transparent mode BOTH are PERMITTED across a FW configured with ZONES (so ARP and DHCP discovery keep working).
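A transparent ZFW between two bridged interfaces of one Layer-2 domain, as an added example (not from the class notes). It follows the notes above: the bridged interfaces are zone members in different zones, and the BVI is left without a zone so it stays in self. The bridge-group number, interface names and addresses are assumptions.

```cisco
! Added example (not from the class notes): transparent ZFW.
! Topology, names and addresses are assumptions.
!
! Integrated routing and bridging: bridge-group 1 carries the L2 domain,
! the BVI is its Layer-3 side.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
zone security L2-USERS
zone security L2-SERVERS
zone security OUTSIDE
!
! Bridged interfaces are simply zone members. The two halves of the
! bridge sit in DIFFERENT zones so bridged traffic between them is policed.
interface FastEthernet0/0
 no ip address
 bridge-group 1
 zone-member security L2-USERS
interface FastEthernet0/1
 no ip address
 bridge-group 1
 zone-member security L2-SERVERS
!
! BVI: no zone assigned, so it stays in SELF; an ACL can still be applied.
! To treat the WHOLE L2 domain as one Layer-3 zone, put the BVI (and not
! the bridged interfaces) into a zone instead.
interface BVI1
 ip address 10.2.0.1 255.255.255.0
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
class-map type inspect match-any CM-USERS-TO-SERVERS
 match protocol http
 match protocol https
 match protocol ssh
policy-map type inspect PM-USERS-TO-SERVERS
 class type inspect CM-USERS-TO-SERVERS
  inspect
 class class-default
  drop log
!
! Enforced while the frame is BRIDGED from Fa0/0 to Fa0/1.
zone-pair security USERS-TO-SERVERS source L2-USERS destination L2-SERVERS
 service-policy type inspect PM-USERS-TO-SERVERS
!
! Broadcast/multicast (ARP, DHCP discover) are not inspected and cross the
! bridge regardless of this policy.
!
! show bridge 1
! show policy-map type inspect zone-pair USERS-TO-SERVERS
```

No SERVERS-TO-USERS zone-pair is defined, so servers cannot open connections toward the user segment; replies to inspected sessions are still bridged back because inspect tracks them.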
