Difference between revisions of "Netband Project - Zone based Firewall(ZFW)"
From Teknologisk videncenter
m (→Branch router with DMZ) |
m (→Security zones) |
||
| (24 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | =Zone based Firewall(ZFW)= | |
This page is part of the [[Netband_Project|Netband Project]]<br/> | This page is part of the [[Netband_Project|Netband Project]]<br/> | ||
| − | + | __NOTOC__ | |
==Branch router with DMZ== | ==Branch router with DMZ== | ||
| − | In this | + | In this example the configuration will what you would expect from a branch office with an inside, outside and a DMZ interface for local servers. |
ZFW is not like IOS firewalling with ip inspect, the inspect firewall is a per interface rule firewall where ZFW is a direction firewall with one-to-one, one-to-many or many-to-many. | ZFW is not like IOS firewalling with ip inspect, the inspect firewall is a per interface rule firewall where ZFW is a direction firewall with one-to-one, one-to-many or many-to-many. | ||
| − | + | ===Vlans=== | |
| + | Creating vlans to make the vlan interfaces on | ||
<pre>vlan 2 | <pre>vlan 2 | ||
name INSIDE | name INSIDE | ||
| Line 12: | Line 13: | ||
vlan 4 | vlan 4 | ||
name DMZ | name DMZ | ||
| − | + | </pre> | |
| − | + | ===Security zones=== | |
| − | interface vlan 2 | + | Declaring Zones which will be mapped to the interfaces |
| + | <pre>zone security INSIDE-ZONE | ||
| + | zone security OUTSIDE-ZONE | ||
| + | zone security DMZ-ZONE | ||
| + | </pre> | ||
| + | |||
| + | ===Vlan interfaces=== | ||
| + | Creating vlan interfaces for the different zones | ||
| + | <pre>interface vlan 2 | ||
description Inside interface | description Inside interface | ||
ip address 10.0.0.1 255.255.255.0 | ip address 10.0.0.1 255.255.255.0 | ||
| Line 27: | Line 36: | ||
description DMZ interface | description DMZ interface | ||
zone-member security DMZ-ZONE | zone-member security DMZ-ZONE | ||
| − | |||
| − | |||
</pre> | </pre> | ||
| − | === | + | ===Customizing your matches=== |
| − | <pre>parameter-map type regex | + | If you need a custom tcp port to be allowed to pass through the zones |
| + | <pre>ip port-map user-streaming port tcp 8000 description Custom Video Streaming port | ||
| + | </pre> | ||
| + | Create a parameter map of regular expressions your http requests will be matched against | ||
| + | <pre>parameter-map type regex URLS-PARAMAP | ||
pattern ..*cmd.exe. | pattern ..*cmd.exe. | ||
pattern ..*sex. | pattern ..*sex. | ||
pattern ..*gambling. | pattern ..*gambling. | ||
| + | </pre> | ||
| + | |||
| + | ===Class-maps=== | ||
| + | This will specify what traffic the class-maps will match on. | ||
| + | <pre>class-map type inspect match-any INSIDE-OUTSIDE-CMAP | ||
| + | match protocol tcp | ||
| + | match protocol udp | ||
| + | match protocol icmp | ||
! | ! | ||
| − | class-map type inspect | + | class-map type inspect match-any INSIDE-DMZ-CMAP |
| − | match | + | match protocol tcp |
| + | match protocol udp | ||
| + | match protocol icmp | ||
! | ! | ||
| − | class-map type inspect match-any | + | class-map type inspect match-any OUTSIDE-DMZ-CMAP |
match protocol http | match protocol http | ||
| + | match protocol https | ||
| + | match protocol user-streaming | ||
! | ! | ||
| − | policy-map type inspect http | + | class-map type inspect http match-all URLS-CMAP |
| − | class type inspect http | + | match request uri regex URLS-PARAMAP |
| + | </pre> | ||
| + | ===Policy-maps=== | ||
| + | This will make a policy-map witch will descripe what actions to take on the trafik that matches our class-maps | ||
| + | <pre>policy-map type inspect http URLS-PMAP | ||
| + | class type inspect http URLS-CMAP | ||
reset | reset | ||
class class-default | class class-default | ||
! | ! | ||
| − | policy-map type inspect INSIDE- | + | policy-map type inspect OUTSIDE-DMZ-PMAP |
| − | class type inspect INSIDE- | + | class type inspect OUTSIDE-DMZ-CMAP |
| + | inspect | ||
| + | class class-default | ||
| + | drop | ||
| + | ! | ||
| + | policy-map type inspect INSIDE-OUTSIDE-PMAP | ||
| + | class type inspect INSIDE-OUTSIDE-CMAP | ||
| + | inspect | ||
| + | service-policy http URLS-PMAP | ||
| + | class class-default | ||
| + | drop | ||
| + | ! | ||
| + | policy-map type inspect INSIDE-DMZ-PMAP | ||
| + | class type inspect INSIDE-DMZ-CMAP | ||
inspect | inspect | ||
| − | service-policy | + | class class-default |
| + | drop | ||
| + | </pre> | ||
| + | ===Zone-pairs=== | ||
| + | And the we need to map zones together in zone-pairs with a traffic direction and connect the policy-maps to them | ||
| + | <pre>zone-pair security INSIDE-OUTSIDE-ZONEP source INSIDE-ZONE destination OUTSIDE-ZONE | ||
| + | service-policy type inspect INSIDE-OUTSIDE-PMAP | ||
| + | ! | ||
| + | zone-pair security INSIDE-DMZ-ZONEP source INSIDE-ZONE destination DMZ-ZONE | ||
| + | service-policy type inspect INSIDE-DMZ-PMAP | ||
| + | ! | ||
| + | zone-pair security OUTSIDE-DMZ-ZONEP source OUTSIDE-ZONE destination DMZ-ZONE | ||
| + | service-policy type inspect OUTSIDE-DMZ-PMAP | ||
</pre> | </pre> | ||
| + | |||
| + | ==Nifty Features== | ||
| + | All this zone-based firewalling is not only a layer3 thing.<br/> | ||
| + | Try creating a bridging interface and make it your Layer3 link and assign two vlan to that bridge group. Now it is possible to place 2 servers in different vlans, but in the same layer 2 subnet and still have a firewall between them.<br/> | ||
| + | Now you have a Layer 2 firewall:-) | ||
==External links== | ==External links== | ||
| Line 57: | Line 115: | ||
<br> | <br> | ||
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html | http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html | ||
| + | [[Category:network]][[Category:CCNP]][[category:students]][[category:CCNP4]] | ||
Latest revision as of 15:25, 15 October 2009
Zone based Firewall(ZFW)
This page is part of the Netband Project
Branch router with DMZ
In this example the configuration will what you would expect from a branch office with an inside, outside and a DMZ interface for local servers. ZFW is not like IOS firewalling with ip inspect, the inspect firewall is a per interface rule firewall where ZFW is a direction firewall with one-to-one, one-to-many or many-to-many.
Vlans
Creating vlans to make the vlan interfaces on
vlan 2 name INSIDE vlan 3 name OUTSIDE vlan 4 name DMZ
Security zones
Declaring Zones which will be mapped to the interfaces
zone security INSIDE-ZONE zone security OUTSIDE-ZONE zone security DMZ-ZONE
Vlan interfaces
Creating vlan interfaces for the different zones
interface vlan 2 description Inside interface ip address 10.0.0.1 255.255.255.0 zone-member security INSIDE-ZONE ! interface vlan 3 description Outside interface ip address 80.225.34.13 255.255.255.0 zone-member security OUTSIDE-ZONE ! interface vlan 4 description DMZ interface zone-member security DMZ-ZONE
Customizing your matches
If you need a custom tcp port to be allowed to pass through the zones
ip port-map user-streaming port tcp 8000 description Custom Video Streaming port
Create a parameter map of regular expressions your http requests will be matched against
parameter-map type regex URLS-PARAMAP pattern ..*cmd.exe. pattern ..*sex. pattern ..*gambling.
Class-maps
This will specify what traffic the class-maps will match on.
class-map type inspect match-any INSIDE-OUTSIDE-CMAP match protocol tcp match protocol udp match protocol icmp ! class-map type inspect match-any INSIDE-DMZ-CMAP match protocol tcp match protocol udp match protocol icmp ! class-map type inspect match-any OUTSIDE-DMZ-CMAP match protocol http match protocol https match protocol user-streaming ! class-map type inspect http match-all URLS-CMAP match request uri regex URLS-PARAMAP
Policy-maps
This will make a policy-map witch will descripe what actions to take on the trafik that matches our class-maps
policy-map type inspect http URLS-PMAP class type inspect http URLS-CMAP reset class class-default ! policy-map type inspect OUTSIDE-DMZ-PMAP class type inspect OUTSIDE-DMZ-CMAP inspect class class-default drop ! policy-map type inspect INSIDE-OUTSIDE-PMAP class type inspect INSIDE-OUTSIDE-CMAP inspect service-policy http URLS-PMAP class class-default drop ! policy-map type inspect INSIDE-DMZ-PMAP class type inspect INSIDE-DMZ-CMAP inspect class class-default drop
Zone-pairs
And the we need to map zones together in zone-pairs with a traffic direction and connect the policy-maps to them
zone-pair security INSIDE-OUTSIDE-ZONEP source INSIDE-ZONE destination OUTSIDE-ZONE service-policy type inspect INSIDE-OUTSIDE-PMAP ! zone-pair security INSIDE-DMZ-ZONEP source INSIDE-ZONE destination DMZ-ZONE service-policy type inspect INSIDE-DMZ-PMAP ! zone-pair security OUTSIDE-DMZ-ZONEP source OUTSIDE-ZONE destination DMZ-ZONE service-policy type inspect OUTSIDE-DMZ-PMAP
Nifty Features
All this zone-based firewalling is not only a layer3 thing.
Try creating a bridging interface and make it your Layer3 link and assign two vlan to that bridge group. Now it is possible to place 2 servers in different vlans, but in the same layer 2 subnet and still have a firewall between them.
Now you have a Layer 2 firewall:-)
External links
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html