Zone-Based Firewall

I was browsing Cisco white pages while studying for my Cisco CCNA security exam and decided to run this config to get some practice on ZBF.

The example network denies any traffic initiated from the public Internet to the private network, and allows the following traffic from the private network to the public Internet: Domain Name System (DNS) lookup, Simple Mail Transfer Protocol (SMTP), Post Office Protocol Version 3 (POP3), HTTP/HTTPS, Network Time Protocol (NTP), File Transfer Protocol (FTP), Internet Control Message Protocol (ICMP), any services provided in Yahoo! Messenger, and only text-chat in eDonkey. Furthermore, application inspection is applied on HTTP connections to help ensure that supported instant messaging and peer-to-peer applications are not carried on TCP port 80 (HTTP).

The private to public policy applies Layer 4 inspection to DNS, SMTP, POP3, HTTP/HTTPS, NTP, FTP, ICMP, Yahoo! Messenger, and eDonkey passing from the private zone to the public zone. This allows connections from the private zone to the public zone, as well as return traffic.

Layer 7 inspection (application inspection and control) policy is applied to control specific services within instant messaging and peer-to-peer applications, and unwanted use of HTTP’s service port for other applications such as instant messaging, peer-to-peer, and tunneling applications that can redirect otherwise firewalled applications through TCP port 80 (HTTP).

To configure firewall policy, follow these steps:
1. Write the Layer 4 class map.
Define a class map that describes the traffic permitted from private zone to the public zone. Separate Layer 4 class maps are defined for HTTP, Yahoo! Messenger, and eDonkey. This is because Layer 7 application inspection policy for these protocols needs to be applied to their respective Layer 4 policy maps. The match protocol smtp extended command is used to inspect Extended SMTP (ESMTP) traffic.

class-map type inspect match-any L4-cmap
match protocol dns
match protocol smtp extended
match protocol pop3
match protocol https
match protocol ntp
match protocol ftp
match protocol icmp
class-map type inspect match-any P2P-L4-cmap
match protocol edonkey
class-map type inspect match-any IM-L4-cmap
match protocol ymsgr
class-map type inspect match-any HTTP-L4-cmap
match protocol http

2. Write the peer-to-peer application inspection and control (Layer 7) class map and policy map.
Peer-to-peer application inspection and control (Layer 7) augments Layer 4 stateful inspection with the capability to recognize and apply service-specific actions, such as selectively blocking or allowing file-search, file-transfer, and text-chat capabilities. Service-specific capabilities vary by service.
In the example, the allowed peer-to-peer traffic from the private zone to the public zone is text-chat only in eDonkey.

class-map type inspect edonkey match-any P2P-L7-allow-cmap
match text-chat
class-map type inspect edonkey match-any P2P-L7-block-cmap
match file-transfer
match search-file-name
policy-map type inspect p2p P2P-L7-pmap
class type inspect edonkey P2P-L7-allow-cmap
allow
class type inspect edonkey P2P-L7-block-cmap
reset
log

3. Develop the instant messaging application inspection and control (Layer 7) class map and policy map.
In the example, the allowed instant messaging traffic from the private zone to the public zone is any services in Yahoo! Messenger.

class-map type inspect ymsgr match-any IM-L7-allow-cmap
match service any
policy-map type inspect im IM-L7-pmap
class type inspect ymsgr IM-L7-allow-cmap
allow

4. Define the HTTP application inspection and control (Layer 7) class map and policy map.
Layer 7 HTTP application inspection and control is used to control unwanted use of the HTTP service port for other applications such as instant messaging, peer-to-peer, and tunneling applications that can redirect otherwise firewalled applications through TCP port 80 (HTTP).
When you use “protocol-violation” HTTP application inspection, the content of some websites may be blocked by this option because they may not be compliant with RFCs.

class-map type inspect http match-any HTTP-L7-cmap
match req-resp protocol-violation
match request port-misuse any
policy-map type inspect http HTTP-L7-pmap
class type inspect http HTTP-L7-cmap
reset
log

5. Write the Layer 4 policy map.
Configure the Layer 4 policy map to inspect traffic on the class maps defined earlier.

policy-map type inspect L4-pmap
class type inspect HTTP-L4-cmap
inspect
service-policy http HTTP-L7-pmap
class type inspect P2P-L4-cmap
inspect
service-policy p2p p2p-L7-pmap
class type inspect IM-L4-cmap
inspect
service-policy im IM-L7-pmap
class type inspect L4-cmap
inspect
class class-default
drop

6. Create the zones and assign interfaces to the zones.
Create the private and public zones and assign router interfaces to the respective zones, as follows:

zone security Private
zone security Public
interface f0/1
zone-member security Private
interface s0/0
zone-member security Public

7. Create a zone-pair and apply the policy map.
Create a zone-pair and apply the appropriate policy map:

zone-pair security Private-to-Public source Private destination Public
service-policy type inspect L4-pmap

BE.

Advertisements

~ by bigevil on January 26, 2010.

 
%d bloggers like this: