Latest revision as of 14:25, 15 October 2009
Zone based Firewall(ZFW)
This page is part of the Netband Project
Branch router with DMZ
In this example the configuration is what you would expect from a branch office with an inside, an outside and a DMZ interface for local servers. ZFW is not like classic IOS firewalling with ip inspect: the inspect firewall is a per-interface rule firewall, whereas ZFW is a direction-based firewall between zones, with one-to-one, one-to-many or many-to-many zone relationships.
Vlans
Creating the VLANs that the VLAN interfaces will be built on
<pre>vlan 2
 name INSIDE
vlan 3
 name OUTSIDE
vlan 4
 name DMZ
</pre>
Security zones
Declaring the zones which will be mapped to the interfaces
<pre>zone security INSIDE-ZONE
zone security OUTSIDE-ZONE
zone security DMZ-ZONE
</pre>
Vlan interfaces
Creating VLAN interfaces for the different zones; each interface becomes a member of exactly one zone
<pre>interface vlan 2
 description Inside interface
 ip address 10.0.0.1 255.255.255.0
 zone-member security INSIDE-ZONE
!
interface vlan 3
 description Outside interface
 ip address 80.225.34.13 255.255.255.0
 zone-member security OUTSIDE-ZONE
!
interface vlan 4
 description DMZ interface
 zone-member security DMZ-ZONE
</pre>
Customizing your matches
If you need a custom TCP port to be allowed to pass through the zones, define a port-map for it so it can be referenced by name in a class-map
<pre>ip port-map user-streaming port tcp 8000 description Custom Video Streaming port
</pre>
Create a parameter map of regular expressions that HTTP request URIs will be matched against
<pre>parameter-map type regex URLS-PARAMAP
 pattern ..*cmd.exe.
 pattern ..*sex.
 pattern ..*gambling.
</pre>
Class-maps
This specifies what traffic the class-maps will match on. The first three are Layer 3/4 class-maps; URLS-CMAP is a Layer 7 (http) class-map that matches request URIs against the regex parameter map above.
<pre>class-map type inspect match-any INSIDE-OUTSIDE-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-any INSIDE-DMZ-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-any OUTSIDE-DMZ-CMAP
 match protocol http
 match protocol https
 match protocol user-streaming
!
class-map type inspect http match-all URLS-CMAP
 match request uri regex URLS-PARAMAP
</pre>
Policy-maps
This creates the policy-maps which describe what actions to take on the traffic that matches our class-maps. URLS-PMAP is a Layer 7 policy that resets HTTP connections whose URI matches the regex map; it is nested under a Layer 3/4 class with a service-policy line. Check that the Layer 3/4 class-map such a Layer 7 http policy is nested under contains match protocol http, since IOS ties a Layer 7 policy to the protocol matched by the class it sits in, and verify the result with show policy-map type inspect.
<pre>policy-map type inspect http URLS-PMAP
 class type inspect http URLS-CMAP
  reset
 class class-default
!
policy-map type inspect OUTSIDE-DMZ-PMAP
 class type inspect OUTSIDE-DMZ-CMAP
  inspect
 class class-default
  drop
!
policy-map type inspect INSIDE-OUTSIDE-PMAP
 class type inspect INSIDE-OUTSIDE-CMAP
  inspect
  service-policy http URLS-PMAP
 class class-default
  drop
!
policy-map type inspect INSIDE-DMZ-PMAP
 class type inspect INSIDE-DMZ-CMAP
  inspect
 class class-default
  drop
</pre>
Zone-pairs
Then we need to map zones together in zone-pairs, each with a traffic direction (source and destination zone), and attach the policy-maps to them. A direction that has no zone-pair, for example DMZ to INSIDE here, gets no policy at all and is dropped by default.
<pre>zone-pair security INSIDE-OUTSIDE-ZONEP source INSIDE-ZONE destination OUTSIDE-ZONE
 service-policy type inspect INSIDE-OUTSIDE-PMAP
!
zone-pair security INSIDE-DMZ-ZONEP source INSIDE-ZONE destination DMZ-ZONE
 service-policy type inspect INSIDE-DMZ-PMAP
!
zone-pair security OUTSIDE-DMZ-ZONEP source OUTSIDE-ZONE destination DMZ-ZONE
 service-policy type inspect OUTSIDE-DMZ-PMAP
</pre>
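As an added example (not part of the original page or of the Cisco configuration above), a small Python checker that reads the zone, class-map, policy-map and zone-pair lines of this configuration and reports two things worth checking before pushing it to a router: a Layer 7 http policy nested under a class whose Layer 3/4 class-map has no match protocol http, and every zone direction that has no zone-pair and is therefore dropped by default. The sample text is a constructed, trimmed copy of this page's configuration.

```python
import itertools

# Constructed sample: this page's zones, Layer 3/4 class-map, policy-map and
# zone-pairs (interfaces, port-map, the URLS maps and DMZ policy-maps left out).
ZFW_CONFIG = """\
zone security INSIDE-ZONE
zone security OUTSIDE-ZONE
zone security DMZ-ZONE
class-map type inspect match-any INSIDE-OUTSIDE-CMAP
 match protocol tcp
policy-map type inspect INSIDE-OUTSIDE-PMAP
 class type inspect INSIDE-OUTSIDE-CMAP
  inspect
  service-policy http URLS-PMAP
zone-pair security INSIDE-OUTSIDE-ZONEP source INSIDE-ZONE destination OUTSIDE-ZONE
 service-policy type inspect INSIDE-OUTSIDE-PMAP
zone-pair security INSIDE-DMZ-ZONEP source INSIDE-ZONE destination DMZ-ZONE
 service-policy type inspect INSIDE-DMZ-PMAP
zone-pair security OUTSIDE-DMZ-ZONEP source OUTSIDE-ZONE destination DMZ-ZONE
 service-policy type inspect OUTSIDE-DMZ-PMAP
"""


def audit(config):
    """Flag mis-nested Layer 7 policies and zone directions that have no zone-pair."""
    zones, cmaps, pmaps, pairs, block, cls = set(), {}, {}, [], [""], None
    for line in filter(str.strip, config.splitlines()):
        t = line.split()
        if not line[0].isspace():               # top-level command opens a new block
            block, cls = t, None
            if t[0] == "zone":
                zones.add(t[2])
            elif t[0] == "class-map":
                cmaps[t[-1]] = set()            # name -> protocols it matches
            elif t[0] == "policy-map":
                pmaps[t[-1]] = []               # name -> [(class, l7 proto, l7 policy)]
            elif t[0] == "zone-pair":
                pairs.append((t[4], t[6]))      # (source zone, destination zone)
        elif block[0] == "class-map" and t[0] == "match":
            cmaps[block[-1]].add(t[2])          # protocol name from 'match protocol X'
        elif block[0] == "policy-map" and t[0] == "class":
            cls = t[-1]
        elif block[0] == "policy-map" and t[0] == "service-policy":
            pmaps[block[-1]].append((cls, t[1], t[2]))   # nested Layer 7 policy
    out = [f"{pm}/{cls}: Layer 7 {proto} policy needs 'match protocol {proto}' in that class-map"
           for pm, l7 in pmaps.items() for cls, proto, _ in l7 if proto not in cmaps.get(cls, ())]
    out += [f"no zone-pair {s}->{d}: traffic in that direction is dropped by default"
            for s, d in itertools.permutations(sorted(zones), 2) if (s, d) not in pairs]
    return out
```

Running audit(ZFW_CONFIG) lists the http nesting problem plus the three directions this design intentionally leaves without a zone-pair (DMZ to INSIDE, DMZ to OUTSIDE, OUTSIDE to INSIDE), which is a quick way to confirm the default-drop posture matches what you intended.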
Nifty Features
All this zone-based firewalling is not only a Layer 3 thing.
Try creating a bridge interface, make it your Layer 3 link and assign two VLANs to that bridge group. Now it is possible to place two servers in different VLANs but in the same Layer 2 subnet and still have a firewall between them.
Now you have a Layer 2 firewall :-)
External links
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html