Security: Zone based firewall

1841-1 is the firewall; it inspects traffic from inside to outside, and the inspected traffic is matched against the class map.

An alternative to ASA

Suppose your customer has budget constraints and wants security, but does not want to pay for an ASA until more budget is planned for the next work year. You can suggest using a router as a firewall as a temporary solution until your customer is ready to purchase an ASA. The zone based firewall inspects layer 3, 4 and 7 packets and determines whether traffic should pass (without inspection), be dropped, or be inspected (stateful packet inspection, i.e. unsolicited traffic that did not originate from the inside is dropped; otherwise the traffic is let through).

The behaviour a zone based firewall gives you is the default behaviour of all ASA and PIX products. On the ASA/PIX, using ASDM, you specify which interface is trusted and which is untrusted; the interfaces are then defined as inside and outside based on your choice. Once the interfaces are defined, the ASA configures default values: the inside interface gets security level 100 and the outside interface security level 0, 100 being fully trusted and 0 not trusted at all. The default behaviour is that traffic from inside to outside is allowed and inspected, traffic solicited from inside to outside is allowed to return from outside to inside, and unsolicited traffic that did not originate from the inside interface is dropped unless you configure an ACL or a policy to allow certain traffic from outside to inside.

Stateful packet inspection

Modern firewalls, hardware or software, use stateful packet inspection. The action on traffic (drop or pass) is based on the packet type (L3, L4 and L7). For TCP the state is easily determined by the firewall because the protocol keeps a window; after a certain idle period the firewall closes the "door" on the outside interface. UDP is hard: this connectionless protocol is send and forget, and the firewall has no way to know whether a returning UDP packet is solicited or unsolicited, hence for UDP there is a timer for how long the "door" stays open. ICMP is worst: it is neither TCP nor UDP, and it is hard to determine whether the ICMP is malicious or just normal testing. The ASA has a special statement just for ICMP echo tests; by default ICMP is dropped.
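The session logic described above, as an added example that is not part of the original post: a small Python model of a single inside-to-outside inspect zone pair. Traffic from the inside opens a session entry, return traffic from the outside passes only while a matching entry exists, and entries expire on a per-protocol idle timer; the timeout values and the `ZoneFirewall`/`Packet` names are constructed for the demo, not IOS defaults or IOS commands.

```python
from dataclasses import dataclass

# Idle timeouts per protocol in seconds; constructed demo values, not IOS defaults.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 30, "icmp": 10}

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for icmp (an echo id could be tracked instead)
    dport: int = 0
    zone: str = "inside"  # zone the packet arrives from
    t: float = 0.0        # arrival time in seconds

class ZoneFirewall:
    """One inside-to-outside inspect pair, like the page's in-to-out zone pair."""
    def __init__(self, inspected=("tcp", "udp", "icmp")):
        self.inspected = set(inspected)
        self.sessions = {}  # (proto, src, dst, sport, dport) -> last-seen time

    def handle(self, p):
        """Return the action taken on packet p: 'inspect', 'pass' or 'drop'."""
        # Close the "door" for sessions idle longer than their protocol timeout.
        self.sessions = {k: seen for k, seen in self.sessions.items()
                         if p.t - seen <= IDLE_TIMEOUT[k[0]]}
        if p.zone == "inside":
            if p.proto not in self.inspected:
                return "drop"    # class-default: drop
            self.sessions[(p.proto, p.src, p.dst, p.sport, p.dport)] = p.t
            return "inspect"     # session opened, return traffic now allowed
        # outside -> inside: no zone pair exists in that direction, so only
        # return traffic that matches a live session gets through.
        key = (p.proto, p.dst, p.src, p.dport, p.sport)
        if key in self.sessions:
            self.sessions[key] = p.t
            return "pass"
        return "drop"            # unsolicited
```

The UDP case shows the timer problem from the text: a reply that arrives after the idle timeout is dropped even though the inside host did send the request.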

Configuration example

Step 1: Classify packet types (aka interesting traffic)

class-map type inspect match-any cmap-1
 description Allow telnet, ssh and icmp traffic from inside to outside
 match protocol icmp
 match protocol telnet
 match protocol ssh

Class maps are also used in MQC to classify interesting traffic for QoS; this type of class map (type inspect) is exclusively for the zone based firewall. It classifies the traffic types that you want the firewall to inspect.

Step 2: Configure a policy map based on the configured class map. A policy map is an action list applied to the traffic classified by the class map.

policy-map type inspect pmap-1
 description action for telnet, ssh and icmp traffic as classified in cmap-1
 class type inspect cmap-1
  inspect
  police rate 8000 burst 1500
 class class-default
  drop

Step 3: Create zones

zone security inside
 description Inside zone
zone security outside
 description Outside zone

Step 4: Assign zones to interfaces

interface FastEthernet0/0
 description Inside zone
 ip address 172.16.10.1 255.255.255.252
 zone-member security inside
 duplex auto
 speed auto
end

interface FastEthernet0/1
 description Outside zone
 ip address 192.168.10.1 255.255.255.252
 zone-member security outside
 duplex auto
 speed auto
end

Step 5: Create zone pairs. A zone pair is unidirectional: it defines the action for traffic from one zone to another. We apply the policy map to the zone pair to make the router work as a firewall.

zone-pair security in-to-out source inside destination outside
 description Inside to outside policy is applied in this zone pair
 service-policy type inspect pmap-1

Verification using icmp echo

1841-2#ping 192.168.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
1841-2#

2651-1#ping 172.16.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ICMP from 2651-1 to 1841-2 is dropped because it is unsolicited.

Testing the rate limiter

1841-2#ping 192.168.10.2 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
Success rate is 85 percent (342/399), round-trip min/avg/max = 1/1/4 ms
1841-2#

Show statistics for dropped and passed traffic

1841-1#sh policy-map type inspect zone-pair

policy exists on zp in-to-out
 Zone-pair: in-to-out

 Service-policy inspect : pmap-1

  Class-map: cmap-1 (match-any)
   Match: protocol icmp
    2 packets, 160 bytes
    30 second rate 0 bps
   Match: protocol telnet
    0 packets, 0 bytes
    30 second rate 0 bps
   Match: protocol ssh
    0 packets, 0 bytes
    30 second rate 0 bps

  Inspect
   Packet inspection statistics [process switch:fast switch]
    icmp packets: [0:751]

   Session creations since subsystem startup or last reset 2
   Current session counts (estab/half-open/terminating) [0:0:0]
   Maxever session counts (estab/half-open/terminating) [0:1:0]
   Last session created 00:08:07
   Last statistic reset never
   Last session creation rate 0
   Maxever session creation rate 1
   Last half-open session total 0
  Police
   rate 8000 bps,1500 limit
   conformed 751 packets, 85614 bytes; actions: transmit
   exceeded 57 packets, 6498 bytes; actions: drop
   conformed 0 bps, exceed 0 bps

  Class-map: class-default (match-any)
   Match: any
   Drop
    0 packets, 0 bytes

Telnet test

2651-1#telnet 172.16.10.2
Trying 172.16.10.2 ...
% Connection timed out; remote host not responding

1841-2#telnet 192.168.10.2
Trying 192.168.10.2 ... Open

User Access Verification

Username: cisco
Password:
2651-1#

Secure shell test

1841-2#ssh -l cisco 192.168.10.2

Password:

2651-1#

2651-1#ssh -l cisco 172.16.10.2

2651-1#
