Sunday, 18 August 2013

Zone Based Firewall Advanced Configuration

This post will take you through some advanced configuration scenarios of Cisco IOS Zone Based Firewall. This is a continuation of my previous blog entry Cisco IOS Zone-Based Firewall Step-by-step Configuration Guide.

Following are the features and scenarios we are going to see in this post.

1.)  Zone Based Firewall Layer 7 Application Inspection and Control
2.)  Traffic Policing in Zone-Based Policy Firewall
3.)  Session Control in Zone Based Firewall
4.)  Out-of-Order Packet Processing Support in the Zone-Based Firewall Application
5.)  Tuning Zone-Based Policy Firewall Denial-of-Service Protection
6.)  Content Filtering with IOS Zone Based Firewall
7.)  Self-Zone Configuration in Zone Based Firewall
8.)  Allow SSL WebVPN through Zone Based Firewall
9.)  Allow Cisco Configuration Professional through Zone Based Firewall
10.) Using IPSec VPN with Zone-Based Policy Firewall

1. Zone Based Firewall Layer 7 Application Inspection and Control

ZBFW is capable of Layer 7 application inspection for the protocols listed below:
Here we are going to discuss the IM Layer 7 inspection capability of a Zone Based Firewall.

IM application inspection and control

This feature is currently applicable for the following IM Services:
  • AOL Instant Messenger
  • MSN Messenger
  • Yahoo! Messenger
IM inspection and control offers both Layer 4 Stateful Inspection and Layer 7 Application Control.

Layer 4 inspection is configured similarly to other application services:

 class-map type inspect match-any IM-CLASS
   match protocol [aol | msnmsgr | ymsgr]

 policy-map type inspect IN-TO-OUT-POLICY
   class type inspect IM-CLASS
      [drop | inspect | pass]


IM applications have port-hopping capability and contact their servers on multiple ports. To allow an IM service you simply apply a Layer 4 inspect action, but to deny a particular IM service you need to define a server list so that the ZBFW can identify the traffic associated with that IM application.

First configure the server-list parameter-map (NAME and hostname below are placeholders for your own values):

    parameter-map type protocol-info NAME
      server name hostname
      server ip a.b.c.d
      server ip range a.b.c.d a.b.c.d


Parameter Map

For example, the AOL and Yahoo! IM server list is defined as such:

    parameter-map type protocol-info AOL-SERVERS
      server name login.oscar.aol.com
      server name toc.oscar.aol.com
      server name oam-d09a.blue.aol.com
      server ip x.x.x.x
      server ip range x.x.x.x y.y.y.y

    parameter-map type protocol-info YAHOO-SERVERS
      server name scs.msg.yahoo.com
      server name scsa.msg.yahoo.com
      server name scsb.msg.yahoo.com


Class Map

You need to apply the server-list to the protocol definition. The nested class-map must reference the name exactly as defined (IM-BLOCK-CLASS here):

    class-map type inspect match-any IM-BLOCK-CLASS
      match protocol aol AOL-SERVERS
      match protocol ymsgr YAHOO-SERVERS
      exit

    class-map type inspect match-all IM-PROTOCOL-CLASS
      match class-map IM-BLOCK-CLASS
      exit


Policy Map

   policy-map type inspect IN-TO-OUT-POLICY
    class type inspect IM-PROTOCOL-CLASS
    drop log
    exit

You must configure the 'ip domain lookup' and 'ip name-server x.x.x.x' commands in order to enable name resolution.

IM server names are fairly dynamic, so you will need to periodically check that your configured IM server lists are complete and correct. IM application inspection can also differentiate text-chat activity from the other services an IM client offers, so you can, for example, selectively allow text chat while denying the other service capabilities.

2. Traffic Policing in Zone-Based Policy Firewall

Using a ZBFW we can limit the transmission rate of specific traffic, which helps keep lower-priority traffic from crowding out business-essential traffic. ZBFW policing can only specify bandwidth use in bytes/second; packets/second and bandwidth-percentage policing are not offered.

Configuring ZBFW Policing

ZBFW policing limits traffic in a policy-map’s class-map to a user-defined rate value between 8,000 and 2,000,000,000 bits per second, with a configurable burst value in the range of 1,000 to 512,000,000 bytes.

In this example I am policing HTTP traffic. ZBFW policing is configured in the policy-map with the police rate command, which is applied after the policy action (here, inspect). Note that the class name used in the policy-map must match the class-map exactly:

 class-map type inspect match-all HTTP-TRAFFIC
   match protocol http

 policy-map type inspect IN-TO-OUT-POLICY
  class type inspect HTTP-TRAFFIC
   inspect
   police rate [bps rate value {8000-2000000000}] burst [value in bytes {1000-512000000}]


3. Session Control in Zone Based Firewall

ZBFW also provides session control, which gives granular control over the number of sessions matching a given class-map that may cross a zone-pair.

To configure session control, define a parameter map that contains the session limit and attach it to the inspect action for that class in the policy-map (HTTP-TRAFFIC is the class-map defined in the policing example above):

parameter-map type inspect HTTP-SESSION-CONTROL
 sessions maximum [1-2147483647]

policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP-TRAFFIC
  inspect HTTP-SESSION-CONTROL


4. Out-of-Order Packet Processing Support in the Zone-Based Firewall Application

Out-of-Order (OoO) packet processing support for Common Classification Engine (CCE) firewall application and CCE adoptions of the Intrusion Prevention System (IPS) allows packets that arrive out of order to be copied and reassembled in the correct order. The OoO packet processing reduces the need to retransmit dropped packets and reduces the bandwidth needed for the transmission of traffic on a network. To configure OoO support, use the parameter-map type ooo global command.

 parameter-map type ooo global
   tcp reassembly timeout 5
   tcp reassembly queue length 16
   tcp reassembly memory limit 1024
   tcp reassembly alarm off


5.  Tuning Zone-Based Policy Firewall Denial-of-Service Protection

Refer to Tuning Zone-Based Policy Firewall Denial-of-Service Protection.

6. Content Filtering with IOS Zone Based Firewall

Refer to Cisco IOS Local Content Filtering.

7. Self-Zone Configuration in Zone Based Firewall

For self-zone configuration refer to ZBFW Self-Zone Integration.

8. Allow SSL WebVPN through Zone Based Firewall 

[ Cisco IOS SSL VPN Configuration Guide : http://yadhutony.blogspot.in/2013/06/cisco-ios-ssl-vpn-configuration-guide.html ]

ACL

ip access-list extended SSL_WEBVPN_ACL
 permit tcp any any eq 443
 exit

access-list 104 permit ip any host

Class Map

class-map type inspect match-any SSL_CLASS
 match access-group name SSL_WEBVPN_ACL
 exit
class-map type inspect match-all SSL_WEBVPN_TRAFFIC
 match class-map SSL_CLASS
 match access-group 104
 exit

Policy Map

policy-map type inspect OUT-TO-SELF
 class type inspect SSL_WEBVPN_TRAFFIC
  no drop
  inspect
  exit

Zone Pair

zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUT-TO-SELF
 exit

Note: by default, port 443 is used by Cisco SSL VPN, which is why SSL_WEBVPN_ACL matches TCP 443.

9. Allow Cisco Configuration Professional through Zone Based Firewall

ACL

ip access-list extended CCP_SSH
 permit tcp any any eq 22
 exit

ip access-list extended CCP_HTTPS
 permit tcp any any eq 443
 exit

ip access-list extended CCP_SHELL
 permit tcp any any eq cmd
 exit

access-list 102 permit ip any any

Class Map

class-map type inspect match-any CCP_SSH_CLASS
 match access-group name CCP_SSH
 exit

class-map type inspect match-any CCP_HTTPS_CLASS
 match access-group name CCP_HTTPS
 exit

class-map type inspect match-any CCP_SHELL_CLASS
 match access-group name CCP_SHELL
 exit

class-map type inspect match-any CCP-ACCESS_CLASS
 match class-map CCP_SSH_CLASS
 match class-map CCP_HTTPS_CLASS
 match class-map CCP_SHELL_CLASS
 exit

class-map type inspect match-all CCP-ACCESS
 match class-map CCP-ACCESS_CLASS
 match access-group 102
 exit

Policy Map

policy-map type inspect OUTSIDE-TO-SELF
 class type inspect CCP-ACCESS
  no drop
  inspect
  exit

Zone Pair

zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
 exit
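Sections 1, 8 and 9 above all chain class-maps into other class-maps and then into policy-maps and zone-pairs, so a single mistyped name (http-class for HTTP-TRAFFIC, SDM_WEBVPN_TRAFFIC for SSL_WEBVPN_TRAFFIC) breaks the chain before the config ever reaches the router. The checker below is an added example of my own, not code from this post or from Cisco IOS; it assumes only the `type inspect` command forms shown on this page, and the config it scans is constructed for the demonstration.

```python
import re

# Constructed sample, not a live router config. It repeats the naming slips this page
# shows: the policy-map references "http-class" (class-map is HTTP-TRAFFIC) and a zone-pair
SAMPLE_CONFIG = """\
class-map type inspect match-any IM-BLOCK-CLASS
 match protocol aol AOL-SERVERS
class-map type inspect match-all IM-PROTOCOL-CLASS
 match class-map IM-BLOCK-CLASS
class-map type inspect match-all HTTP-TRAFFIC
 match protocol http
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IM-PROTOCOL-CLASS
  drop log
 class type inspect http-class
  inspect
 class class-default
  drop
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
"""

CLASS_DEF = re.compile(r"^class-map type inspect (?:match-(?:any|all) )?(\S+)$")
POLICY_DEF = re.compile(r"^policy-map type inspect (\S+)$")
CLASS_REF = re.compile(r"^\s+(?:match class-map|class(?: type inspect)?) (\S+)$")
POLICY_REF = re.compile(r"^\s+service-policy type inspect (\S+)$")
BUILTIN_CLASSES = {"class-default"}  # always exists inside a policy-map

def check_references(config: str) -> list:
    """One message per reference to a class-map or policy-map that is never
    defined. IOS names are case-sensitive: HTTP-TRAFFIC != http-class."""
    classes, policies = set(BUILTIN_CLASSES), set()
    class_refs, policy_refs = [], []
    for lineno, line in enumerate(config.splitlines(), 1):
        if m := CLASS_DEF.match(line):
            classes.add(m.group(1))
        elif m := POLICY_DEF.match(line):
            policies.add(m.group(1))
        elif m := CLASS_REF.match(line):
            class_refs.append((lineno, m.group(1)))
        elif m := POLICY_REF.match(line):
            policy_refs.append((lineno, m.group(1)))
    # Definitions are collected over the whole config, so ordering is not checked.
    return ([f"line {n}: class-map '{c}' referenced but never defined"
             for n, c in class_refs if c not in classes] +
            [f"line {n}: policy-map '{p}' referenced but never defined"
             for n, p in policy_refs if p not in policies])
```

Run it over a config dump before pasting it into the router; an empty list means every class type inspect, match class-map and service-policy line points at something that is actually defined.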

10. Using IPSec VPN with Zone-Based Policy Firewall

Refer to Using VPN with Zone-Based Policy Firewall.
