Netband Project - Zone based Firewall(ZFW)
Revision as of 12:32, 27 April 2009
This page is part of the Netband Project
Branch router with DMZ
In this example the configuration is what you would expect from a branch office with an inside, outside and a DMZ interface for local servers. ZFW is not like classic IOS firewalling with ip inspect (CBAC): the inspect firewall applies rules per interface, whereas ZFW applies policy to traffic flowing in one direction between two zones, and a zone can hold one or many interfaces (one-to-one, one-to-many or many-to-many). Traffic between two zones that have no policy attached is dropped by default, while traffic between interfaces in the same zone is allowed.
<pre>vlan 2
 name INSIDE
vlan 3
 name OUTSIDE
vlan 4
 name DMZ
</pre>
Declaring the zones that the interfaces will be mapped to
<pre>zone security INSIDE-ZONE
zone security OUTSIDE-ZONE
zone security DMZ-ZONE
</pre>
Creating VLAN interfaces for the different zones and assigning each one to its zone
<pre>interface vlan 2
 description Inside interface
 ip address 10.0.0.1 255.255.255.0
 zone-member security INSIDE-ZONE
!
interface vlan 3
 description Outside interface
 ip address 80.225.34.13 255.255.255.0
 zone-member security OUTSIDE-ZONE
!
interface vlan 4
 description DMZ interface
 ! no ip address is given on the original page; the DMZ interface needs one
 zone-member security DMZ-ZONE
</pre>
If you need a custom TCP port to be matched by name in a class-map (here TCP 8000 for video streaming), define it with a user port-map first; user-defined port-map names must begin with user-.
<pre>ip port-map user-streaming port tcp 8000 description Custom Video Streaming port
</pre>
The class-maps specify what traffic each policy will match on. With match-any a packet belongs to the class if it matches any one of the listed protocols.
<pre>class-map type inspect match-any INSIDE-OUTSIDE-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any INSIDE-DMZ-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any OUTSIDE-DMZ-CMAP
 match protocol http
 match protocol https
 match protocol user-streaming
</pre>
The policy-maps describe what action to take on the traffic that matches our class-maps: inspect creates a stateful session so the return traffic is allowed back, and drop in class-default discards everything that matched no class.
<pre>policy-map type inspect OUTSIDE-DMZ-PMAP
 class type inspect OUTSIDE-DMZ-CMAP
  inspect
 class class-default
  drop
!
policy-map type inspect INSIDE-OUTSIDE-PMAP
 class type inspect INSIDE-OUTSIDE-CMAP
  inspect
 class class-default
  drop
!
policy-map type inspect INSIDE-DMZ-PMAP
 class type inspect INSIDE-DMZ-CMAP
  inspect
 class class-default
  drop
</pre>
HTTP application inspection
A regex parameter-map holds the URI patterns, an HTTP class-map matches request URIs against it, the HTTP policy-map resets connections whose URI matches, and the Layer 4 policy-map nests it under inspect with service-policy http. Note that the dots in the patterns are regex wildcards, so ..*cmd.exe. also matches a URI with any character between cmd and exe; escape a dot as \. if a literal dot is intended.
<pre>parameter-map type regex uri_regex_cm
 pattern ..*cmd.exe.
 pattern ..*sex.
 pattern ..*gambling.
!
class-map type inspect http match-all uri_check_cm
 match request uri regex uri_regex_cm
!
class-map type inspect match-any INSIDE-OUT-HTTP
 match protocol http
!
policy-map type inspect http uri_check_pm
 class type inspect http uri_check_cm
  reset
 class class-default
!
policy-map type inspect INSIDE-OUT-PMAP
 class type inspect INSIDE-OUT-HTTP
  inspect
  service-policy http uri_check_pm
</pre>
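The page never shows the zone-pair configuration that attaches the policy-maps to a direction between two zones, and it gives the HTTP URI check its own policy-map even though only one policy-map can be attached to a zone-pair. The following added example (not from the original page; the zone-pair names and the merged policy-map name INSIDE-OUTSIDE-HTTP-PMAP are assumed) ties the policy-maps above and the HTTP inspection together and lists the show commands used to verify the result:

```cisco
! Added example, not from the original page. Zone-pairs bind a policy-map to
! one direction between two zones; without them none of the policy-maps
! above take effect and all traffic between zones is dropped.
zone-pair security INSIDE-TO-DMZ source INSIDE-ZONE destination DMZ-ZONE
 service-policy type inspect INSIDE-DMZ-PMAP
zone-pair security OUTSIDE-TO-DMZ source OUTSIDE-ZONE destination DMZ-ZONE
 service-policy type inspect OUTSIDE-DMZ-PMAP
!
! A zone-pair takes a single policy-map, so the HTTP URI check cannot be a
! separate INSIDE-OUT-PMAP next to INSIDE-OUTSIDE-PMAP. This assumed policy-map
! merges both. Classes are evaluated top-down, first match wins, so the http
! class must be listed before the generic tcp/udp/icmp class or the generic
! inspect would claim the HTTP sessions and uri_check_pm would never run.
policy-map type inspect INSIDE-OUTSIDE-HTTP-PMAP
 class type inspect INSIDE-OUT-HTTP
  inspect
  service-policy http uri_check_pm
 class type inspect INSIDE-OUTSIDE-CMAP
  inspect
 class class-default
  drop
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE-ZONE destination OUTSIDE-ZONE
 service-policy type inspect INSIDE-OUTSIDE-HTTP-PMAP
!
! No zone-pair is defined for OUTSIDE-to-INSIDE or DMZ-to-INSIDE, so traffic
! initiated in those directions is dropped; return traffic of inspected
! sessions is allowed by the session state.
!
! Verification from enable mode:
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions
! show policy-map type inspect zone-pair sessions
```

The sessions output shows the open inspected sessions per zone-pair; a host on the inside that fetches a URI containing cmd.exe should produce no established session and its connection is reset, while ordinary HTTP from the same host appears under INSIDE-TO-OUTSIDE.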
External links
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html