Difference between revisions of "Netband Project - Zone based Firewall(ZFW)"
From Teknologisk videncenter
m (→HTTP Aplication inspection) |
|||
| Line 35: | Line 35: | ||
If you need a custom tcp port to be allowed to pass through the zones | If you need a custom tcp port to be allowed to pass through the zones | ||
<pre>ip port-map user-streaming port tcp 8000 description Custom Video Streaming port | <pre>ip port-map user-streaming port tcp 8000 description Custom Video Streaming port | ||
| + | </pre> | ||
| + | Create a parameter map of regular expressions your http requests will be matched against | ||
| + | <pre>parameter-map type regex URLS-PARAMAP | ||
| + | pattern ..*cmd.exe. | ||
| + | pattern ..*sex. | ||
| + | pattern ..*gambling. | ||
</pre> | </pre> | ||
This will specify what traffic the class-maps will match on. | This will specify what traffic the class-maps will match on. | ||
<pre>class-map type inspect match-any INSIDE-OUTSIDE-CMAP | <pre>class-map type inspect match-any INSIDE-OUTSIDE-CMAP | ||
| − | match protocol tcp | + | match protocol tcp |
| − | match protocol udp | + | match protocol udp |
| − | match protocol icmp | + | match protocol icmp |
class-map type inspect match-any INSIDE-DMZ-CMAP | class-map type inspect match-any INSIDE-DMZ-CMAP | ||
| − | match protocol tcp | + | match protocol tcp |
| − | match protocol udp | + | match protocol udp |
| − | match protocol icmp | + | match protocol icmp |
class-map type inspect match-any OUTSIDE-DMZ-CMAP | class-map type inspect match-any OUTSIDE-DMZ-CMAP | ||
| − | match protocol http | + | match protocol http |
| − | match protocol https | + | match protocol https |
| − | match protocol user-streaming | + | match protocol user-streaming |
| + | class-map type inspect http match-all URLS-CMAP | ||
| + | match request uri regex URLS-PARAMAP | ||
</pre> | </pre> | ||
This will make a policy-map witch will descripe what actions to take on the trafik that matches our class-maps | This will make a policy-map witch will descripe what actions to take on the trafik that matches our class-maps | ||
| − | <pre>policy-map type inspect OUTSIDE-DMZ-PMAP | + | <pre>policy-map type inspect http URLS-PMAP |
| − | class type inspect OUTSIDE-DMZ-CMAP | + | class type inspect http URLS-CMAP |
| − | inspect | + | reset |
| − | class class-default | + | class class-default |
| − | drop | + | ! |
| + | policy-map type inspect OUTSIDE-DMZ-PMAP | ||
| + | class type inspect OUTSIDE-DMZ-CMAP | ||
| + | inspect | ||
| + | class class-default | ||
| + | drop | ||
! | ! | ||
policy-map type inspect INSIDE-OUTSIDE-PMAP | policy-map type inspect INSIDE-OUTSIDE-PMAP | ||
| − | class type inspect INSIDE-OUTSIDE-CMAP | + | class type inspect INSIDE-OUTSIDE-CMAP |
| − | inspect | + | inspect |
| − | class class-default | + | service-policy http URLS-PMAP |
| − | drop | + | class class-default |
| + | drop | ||
! | ! | ||
policy-map type inspect INSIDE-DMZ-PMAP | policy-map type inspect INSIDE-DMZ-PMAP | ||
| − | class type inspect INSIDE-DMZ-CMAP | + | class type inspect INSIDE-DMZ-CMAP |
| − | inspect | + | inspect |
| − | class class-default | + | class class-default |
| − | drop | + | drop |
</pre> | </pre> | ||
And the we need to map zones together in zone-pairs with a traffic direction and connect the policy-maps to them | And the we need to map zones together in zone-pairs with a traffic direction and connect the policy-maps to them | ||
Revision as of 14:38, 27 April 2009
<accesscontrol>NetBand</accesscontrol>
This page is part of the Netband Project
Branch router with DMZ
In this exaple the configuration will what you would expect from a branch office with an inside, outside and a DMZ interface for local servers. ZFW is not like IOS firewalling with ip inspect, the inspect firewall is a per interface rule firewall where ZFW is a direction firewall with one-to-one, one-to-many or many-to-many.
vlan 2 name INSIDE vlan 3 name OUTSIDE vlan 4 name DMZ
Declaring Zones witch will be mapped to the interfaces
zone security INSIDE-ZONE zone security OUTSIDE-ZONE zone security DMZ-ZONE
Creating vlan interfaces for the different zones
interface vlan 2 description Inside interface ip address 10.0.0.1 255.255.255.0 zone-member security INSIDE-ZONE ! interface vlan 3 description Outside interface ip address 80.225.34.13 255.255.255.0 zone-member security OUTSIDE-ZONE ! interface vlan 4 description DMZ interface zone-member security DMZ-ZONE
If you need a custom tcp port to be allowed to pass through the zones
ip port-map user-streaming port tcp 8000 description Custom Video Streaming port
Create a parameter map of regular expressions your http requests will be matched against
parameter-map type regex URLS-PARAMAP pattern ..*cmd.exe. pattern ..*sex. pattern ..*gambling.
This will specify what traffic the class-maps will match on.
class-map type inspect match-any INSIDE-OUTSIDE-CMAP match protocol tcp match protocol udp match protocol icmp class-map type inspect match-any INSIDE-DMZ-CMAP match protocol tcp match protocol udp match protocol icmp class-map type inspect match-any OUTSIDE-DMZ-CMAP match protocol http match protocol https match protocol user-streaming class-map type inspect http match-all URLS-CMAP match request uri regex URLS-PARAMAP
This will make a policy-map witch will descripe what actions to take on the trafik that matches our class-maps
policy-map type inspect http URLS-PMAP class type inspect http URLS-CMAP reset class class-default ! policy-map type inspect OUTSIDE-DMZ-PMAP class type inspect OUTSIDE-DMZ-CMAP inspect class class-default drop ! policy-map type inspect INSIDE-OUTSIDE-PMAP class type inspect INSIDE-OUTSIDE-CMAP inspect service-policy http URLS-PMAP class class-default drop ! policy-map type inspect INSIDE-DMZ-PMAP class type inspect INSIDE-DMZ-CMAP inspect class class-default drop
And the we need to map zones together in zone-pairs with a traffic direction and connect the policy-maps to them
zone-pair security INSIDE-OUTSIDE-ZONEP source INSIDE-ZONE destination OUTSIDE-ZONE service-policy type inspect INSIDE-OUTSIDE-PMAP ! zone-pair security INSIDE-DMZ-ZONEP source INSIDE-ZONE destination DMZ-ZONE service-policy type inspect INSIDE-DMZ-PMAP ! zone-pair security OUTSIDE-DMZ-ZONEP source OUTSIDE-ZONE destination DMZ-ZONE service-policy type inspect OUTSIDE-DMZ-PMAP
HTTP Aplication inspection
parameter-map type regex URLS-PARAMAP pattern ..*cmd.exe. pattern ..*sex. pattern ..*gambling. ! class-map type inspect http match-all URLS-CMAP match request uri regex URLS-PARAMAP ! class-map type inspect match-any INSIDE-OUT-HTTP match protocol http ! policy-map type inspect http URLS-PMAP class type inspect http URLS-CMAP reset class class-default ! policy-map type inspect INSIDE-OUT-PMAP class type inspect INSIDE-OUT-HTTP inspect service-policy http URLS-PMAP
External links
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html