This post will take you through some advanced configuration scenarios of Cisco IOS Zone Based Firewall. This is a continuation of my previous blog entry Cisco IOS Zone-Based Firewall Step-by-step Configuration Guide.
Following are the features and scenarios we are going to see in this post.
1.) Zone Based Firewall Layer 7 Application Inspection and Control
2.) Traffic Policing in Zone-Based Policy Firewall
3.) Session Control in Zone Based Firewall
4.) Out-of-Order Packet Processing Support in the Zone-Based Firewall Application
5.) Tuning Zone-Based Policy Firewall Denial-of-Service Protection
6.) Content Filtering with IOS Zone Based Firewall
7.) Self-Zone Configuration in Zone Based Firewall
8.) Allow SSL WebVPN through Zone Based Firewall
9.) Allow Cisco Configuration Professional through Zone Based Firewall
10.) Using IPSec VPN with Zone-Based Policy Firewall
1. Zone Based Firewall Layer 7 Application Inspection and Control
ZBFW is capable of doing layer 7 application inspection for the below protocols:
- HTTP
- SMTP
- POP3
- IMAP
- Sun RPC
- P2P Applications (Refer to How to block P2P Traffic on a Cisco Router)
- IM Applications
IM application inspection and control
This feature is currently applicable for the following IM Services:
- AOL Instant Messenger
- MSN Messenger
- Yahoo! Messenger
Layer 4 inspection is configured similarly to other application services:
class-map type inspect match-any IM-CLASS
match protocol [aol | msnmsgr | ymsgr ]
policy-map type inspect IN-TO-OUT-POLICY
class type inspect IM-CLASS
[drop | inspect | pass]
IM applications have port-hopping capability and contact their servers on multiple ports. To allow an IM service you simply apply a layer 4 inspect action, but to deny a particular IM service you need to define a server list so that ZBFW can identify the traffic associated with that IM application.
First configure the server-list parameter-map:
parameter-map type protocol-info
server name
server ip a.b.c.d
server ip range a.b.c.d a.b.c.d
Parameter Map
For example, the AOL and Yahoo! IM server list is defined as such:
parameter-map type protocol-info AOL-SERVERS
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
server ip x.x.x.x
server ip range x.x.x.x y.y.y.y
parameter-map type protocol-info YAHOO-SERVERS
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
Class Map
You need to apply the server-list to the protocol definition (the nested class-map below must reference the same name it is defined with, here IM-BLOCK-CLASS):
class-map type inspect match-any IM-BLOCK-CLASS
match protocol aol AOL-SERVERS
match protocol ymsgr YAHOO-SERVERS
exit
class-map type inspect match-all IM-PROTOCOL-CLASS
match class-map IM-BLOCK-CLASS
exit
Policy Map
policy-map type inspect IN-TO-OUT-POLICY
class type inspect IM-PROTOCOL-CLASS
drop log
exit
You must configure the 'ip domain lookup' and 'ip name-server x.x.x.x' commands in order to enable name resolution.
IM server names change fairly often, so you will need to periodically check that your configured IM server lists are complete and correct. IM application inspection can also distinguish text-chat activity from all other application services, so you can selectively allow or block text chat while denying the other service capabilities.
2. Traffic Policing in Zone-Based Policy Firewall
Using ZBFW we can limit the transmission rate of specific traffic, which helps keep lower-priority traffic from crowding out business-essential traffic. ZBFW policing can only specify bandwidth use in bytes/second; packet/second and bandwidth-percentage policing are not offered.
Configuring ZBFW Policing
ZBFW policing limits traffic in a policy-map’s class-map to a user-defined rate value between 8,000 and 2,000,000,000 bits per second, with a configurable burst value in the range of 1,000 to 512,000,000 bytes.
In this example I am policing HTTP traffic. The rate policing part is the police line. ZBFW policing is configured in the policy-map, and the police statement is applied after the policy action (the class referenced in the policy-map must be the class-map defined above, HTTP-TRAFFIC):
class-map type inspect match-all HTTP-TRAFFIC
match protocol http
policy-map type inspect IN-TO-OUT-POLICY
class type inspect HTTP-TRAFFIC
inspect
police rate [bps rate value {8000-2000000000}] burst [value in bytes {1000-512000000}]
3. Session Control in Zone Based Firewall
ZBFW adds session limiting, which gives granular control over the number of sessions matching any given class-map that cross a zone-pair.
To configure session control you define a parameter-map that contains the session limit and attach it to the inspect action of the class in the policy-map.
parameter-map type inspect HTTP-SESSION-CONTROL
sessions maximum [1-2147483647]
policy-map type inspect IN-TO-OUT-POLICY
class type inspect HTTP-TRAFFIC
inspect HTTP-SESSION-CONTROL
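An added example (not from this post or from Cisco): a small Python checker for the review mistakes that sections 1 to 3 invite, namely a policy-map or nested class-map referencing a class-map name that was never defined, an inspect action naming a missing parameter-map, and police or sessions values outside the ranges quoted above. The sample config is constructed for the example, and the regexes assume the single-line CLI forms shown in this post.

```python
import re
# Constructed sample in the style of this post, seeded with the mistakes a config review should catch.
SAMPLE = """\
class-map type inspect match-all IM-PROTOCOL-CLASS
 match class-map AOL-BLOCK-CLASS
class-map type inspect match-all HTTP-TRAFFIC
 match protocol http
parameter-map type inspect HTTP-SESSION-CONTROL
 sessions maximum 0
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IM-PROTOCOL-CLASS
 class type inspect http-class
  inspect HTTP-SESSION-CONTROL
  police rate 4000 burst 1000
"""
# Limits quoted in the post: (minimum, maximum).
RANGES = {"police rate": (8000, 2000000000),
          "police burst": (1000, 512000000),
          "sessions maximum": (1, 2147483647)}

def check_range(key, value):
    lo, hi = RANGES[key]
    return None if lo <= int(value) <= hi else f"{key} {value} outside {lo}-{hi}"

def lint_zbfw(config):
    """Return findings: dangling class-map/parameter-map names, bad ranges."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    cmaps, pmaps, findings = set(), set(), []
    for ln in lines:  # first pass: collect the names that are defined
        m = re.match(r"class-map type inspect (?:match-\w+ )?(\S+)$", ln)
        if m:
            cmaps.add(m.group(1))
        m = re.match(r"parameter-map type inspect (\S+)$", ln)
        if m:
            pmaps.add(m.group(1))
    for ln in lines:  # second pass: every reference must resolve
        ref = re.match(r"(?:match class-map|class type inspect) (\S+)$", ln)
        pm = re.match(r"inspect (\S+)$", ln)
        pol = re.match(r"police rate (\d+) burst (\d+)$", ln)
        ses = re.match(r"sessions maximum (\d+)$", ln)
        if ref and ref.group(1) != "class-default" and ref.group(1) not in cmaps:
            findings.append(f"undefined class-map: {ref.group(1)}")
        elif pm and pm.group(1) not in pmaps:
            findings.append(f"undefined parameter-map: {pm.group(1)}")
        elif pol:
            findings += [f for f in (check_range("police rate", pol.group(1)),
                                     check_range("police burst", pol.group(2))) if f]
        elif ses and (f := check_range("sessions maximum", ses.group(1))):
            findings.append(f)
    return findings
```

Run it over a saved `show running-config` section before applying a policy; a dangling name silently leaves the class with no effect on the zone-pair.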
4. Out-of-Order Packet Processing Support in the Zone-Based Firewall Application
Out-of-Order (OoO) packet processing support for Common Classification Engine (CCE) firewall application and CCE adoptions of the Intrusion Prevention System (IPS) allows packets that arrive out of order to be copied and reassembled in the correct order. The OoO packet processing reduces the need to retransmit dropped packets and reduces the bandwidth needed for the transmission of traffic on a network. To configure OoO support, use the parameter-map type ooo global command.
parameter-map type ooo global
tcp reassembly timeout 5
tcp reassembly queue length 16
tcp reassembly memory limit 1024
tcp reassembly alarm off
5. Tuning Zone-Based Policy Firewall Denial-of-Service Protection
Refer to Tuning Zone-Based Policy Firewall Denial-of-Service Protection
6. Content Filtering with IOS Zone Based Firewall
Refer to Cisco IOS Local Content Filtering
7. Self-Zone Configuration in Zone Based Firewall
For self-zone configuration refer to ZBFW Self-Zone Integration
8. Allow SSL WebVPN through Zone Based Firewall
[ Cisco IOS SSL VPN Configuration Guide : http://yadhutony.blogspot.in/2013/06/cisco-ios-ssl-vpn-configuration-guide.html ]
ACL
ip access-list extended SSL_WEBVPN_ACL
permit tcp any any eq 443 *
exit
access-list 104 permit ip any host
Class Map
class-map type inspect match-any SSL_CLASS
match access-group name SSL_WEBVPN_ACL
exit
class-map type inspect match-all SSL_WEBVPN_TRAFFIC
match class-map SSL_CLASS
match access-group 104
exit
Policy Map
policy-map type inspect OUT-TO-SELF
class type inspect SSL_WEBVPN_TRAFFIC
no drop
inspect
exit
Zone Pair
zone-pair security OUT-TO-SELF source OUTSIDE destination self
service-policy type inspect OUT-TO-SELF
exit
* By default, port 443 is used by Cisco SSL VPN.
9. Allow Cisco Configuration Professional through Zone Based Firewall
ACL
ip access-list extended CCP_SSH
permit tcp any any eq 22
exit
ip access-list extended CCP_HTTPS
permit tcp any any eq 443
exit
ip access-list extended CCP_SHELL
permit tcp any any eq cmd
exit
access-list 102 permit ip any any
Class Map
class-map type inspect match-any CCP_SSH_CLASS
match access-group name CCP_SSH
exit
class-map type inspect match-any CCP_HTTPS_CLASS
match access-group name CCP_HTTPS
exit
class-map type inspect match-any CCP_SHELL_CLASS
match access-group name CCP_SHELL
exit
class-map type inspect match-any CCP-ACCESS_CLASS
match class-map CCP_SSH_CLASS
match class-map CCP_HTTPS_CLASS
match class-map CCP_SHELL_CLASS
exit
class-map type inspect match-all CCP-ACCESS
match class-map CCP-ACCESS_CLASS
match access-group 102
exit
Policy Map
policy-map type inspect OUTSIDE-TO-SELF
class type inspect CCP-ACCESS
no drop
inspect
exit
Zone Pair
zone-pair security OUT-TO-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-TO-SELF
exit
10. Using IPSec VPN with Zone-Based Policy Firewall
Refer to Using VPN with Zone-Based Policy Firewall