17 August 2011

Zone-Based Firewall Overview

1. Create zones

zone security OUTSIDE
zone security INSIDE

2. Create zone-pairs

zone-pair security IN-AND-OUT source INSIDE destination OUTSIDE

3. Create class-maps - A class map defines traffic to be acted upon

class-map type inspect match-any CCNASEC
match protocol dns
match protocol http
class-map type inspect match-any LIST10
match access-group 110 (traffic that matches ACL 110)

4. Create policy maps - Policy maps are then written that define the
ACTION to be taken on the traffic matching specific class maps.

policy-map type inspect CCNAPOLICY (name of the policy)
 class type inspect CCNASEC
  inspect
 class type inspect LIST10
  pass

5. Apply policy maps to zone-pairs

zone-pair security IN-AND-OUT source INSIDE destination OUTSIDE
 service-policy type inspect CCNAPOLICY

6. Assign interfaces to zones

int ser0/0
 zone-member security OUTSIDE

int fast0/0
 zone-member security INSIDE


[*] There is a third map type, a parameter map, which supplies additional
(what else?) parameters that the inspection uses, for example the server list
a protocol-info parameter map hands to instant-messaging inspection:

parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
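
Added example, not from the original post or from Cisco: a small Python audit that reads an IOS running-config in the shape of the ones on this page and flags three things worth checking once step 6 is done: a class that uses pass rather than inspect (pass creates no session state, so return traffic needs its own zone-pair policy), a zone-pair with no service-policy applied (traffic between those zones is then dropped), and an interface that carries an IP address but is a member of no zone (its traffic to or from any zone is dropped). The SAMPLE config, the zone-pair OUT-AND-IN and the interface FastEthernet0/1 are constructed for this example.

```python
import re
# Constructed sample (not the page's lab): LIST10 passed, OUT-AND-IN policy-less, Fa0/1 unzoned.
SAMPLE = """\
policy-map type inspect CCNAPOLICY
 class type inspect CCNASEC
  inspect
 class type inspect LIST10
  pass
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-AND-OUT source INSIDE destination OUTSIDE
 service-policy type inspect CCNAPOLICY
zone-pair security OUT-AND-IN source OUTSIDE destination INSIDE
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 zone-member security INSIDE
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
"""

def blocks(config):
    """Yield (header words, stripped child lines) for each top-level IOS block."""
    for blk in filter(None, re.split(r"\n(?=\S)", config.strip())):
        head, *body = [ln.strip() for ln in blk.splitlines()]
        yield head.split(), body

def audit_zfw(config):
    """Return findings: pass actions, zone-pairs without a policy, unzoned L3 interfaces."""
    out = []
    for w, body in blocks(config):
        if w[:3] == ["policy-map", "type", "inspect"]:
            cls = None
            for b in body:  # each 'class ...' line is followed by its action line
                if b.startswith("class "):
                    cls = b.split()[-1]
                elif b.split()[:1] == ["pass"] and cls:  # pass keeps no session state
                    out.append(f"policy-map {w[3]}: class {cls} uses pass, not inspect")
        elif w[:2] == ["zone-pair", "security"]:
            if not any(b.startswith("service-policy ") for b in body):
                out.append(f"zone-pair {w[2]}: no service-policy applied")
        elif w[:1] == ["interface"]:
            has_ip = any(b.startswith("ip address ") for b in body)
            if has_ip and not any(b.startswith("zone-member ") for b in body):
                out.append(f"interface {w[1]}: has an IP address but no zone-member")
    return out

if __name__ == "__main__":
    for finding in audit_zfw(SAMPLE):
        print("[!]", finding)
```

Feed it the output of show running-config from a router such as R1 below to get the same three kinds of finding for a real box.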

========== + ==========

Preview SDM Low Policy config:

class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 exit
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
 exit
class-map type inspect match-all sdm-protocol-http
 match protocol http
 exit
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 exit
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
 exit

policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  no drop
  inspect
  exit
 class class-default
  no drop
  pass
  exit
 exit

policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
  exit
 class type inspect sdm-insp-traffic
  no drop
  inspect
  exit
 class type inspect sdm-protocol-http
  no drop
  inspect
  exit
 class class-default
 exit

policy-map type inspect sdm-permit
 class class-default
 exit

zone security out-zone
zone security in-zone

zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
 exit

zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
 exit

zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
 exit

========== + ==========

ZFW Lab example:

SHOW RUN from R1:

!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
enable secret 5 $1$zN0S$A8is3LslTPKVnFV.y6Ksh1 = cisco
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
memory-size iomem 5
no ip source-route
ip cef
!
no ip bootp server
ip domain name syn.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-4279256517
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4279256517
 revocation-check none
 rsakeypair TP-self-signed-4279256517
!
!
crypto pki certificate chain TP-self-signed-4279256517
 certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
!
!
username admin privilege 15 secret 5 $1$r0.F$rSz0MEK12I7BEacAGX.d01 = cisco
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any SDM_ACCESS
 match access-group name SDM_ACCESS
!
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
!
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
!
class-map type inspect match-any sdm-cls-access
 match class-map SDM_ACCESS
 match class-map SDM_SSH
 match class-map SDM_SHELL
!
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
!
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
!
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
!
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
!
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
!
class-map type inspect match-any sdm-dmz-protocols
 match protocol http
 match protocol smtp
!
class-map type inspect match-all sdm-dmz-traffic
 match access-group name dmz-traffic
 match class-map sdm-dmz-protocols
!
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
!
class-map type inspect match-all sdm-invalid-src
 match access-group 100
!
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
!
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
!
policy-map type inspect sdm-permit
 class type inspect sdm-access
  inspect
 class class-default
!
policy-map type inspect sdm-permit-dmzservice
 class type inspect sdm-dmz-traffic
  inspect
 class class-default
!
zone security out-zone
zone security in-zone
zone security dmz-zone
!
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
!
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
!
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
!
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description R1 <-> INSIDE$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security in-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 description R1 <-> DMZ$FW_DMZ$
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security dmz-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 description $FW_OUTSIDE$
 ip address 172.16.0.10 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended SDM_ACCESS
 remark SDM_ACL Category=1
 permit tcp any any eq 80
 permit tcp any any eq 443
!
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
!
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
!
ip access-list extended dmz-traffic
 remark SDM_ACL Category=1
 permit ip any host 10.0.0.10
 permit ip any host 10.0.0.11
!
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 logging synchronous
line vty 5 903
 logging synchronous
!
!
end

See Also:

Deploying Zone-Based Firewalls, Digital Shortcut

biOos