
Zone Based Firewall Notes From Youtube Downloaded Video Part - 2

Date post: 19-Jan-2016
Upload: ahmed-fraz-mamoon
Description:
Understanding Zone Based Firewall on a Cisco Router. Configuration Examples which will help you configure a Zone Based Firewall
Page 1: Zone Based Firewall Notes From Youtube Downloaded Video Part - 2

ZONE BASED FIREWALLS PART – 2

The SELF-ZONE covers traffic originated by the router itself or destined to the router, e.g.:

The router accessing the AAA server. The router telnetting to other devices. Routing protocols sending their updates to their neighbours.

In this part the topics below are covered.

1. Configure inspection of control-plane and management-plane traffic.
2. Tune the stateful engine and connection settings.
3. Configure transparent mode, VRF support and NAT integration.

CONFIGURING INSPECTION OF CONTROL-PLANE AND MANAGEMENT PLANE TRAFFIC

This is achieved through the self-zone, which is created automatically as soon as any zone such as INSIDE or OUTSIDE is created.


By default the SELF-ZONE can communicate with all interfaces, and all interfaces can communicate with the SELF-ZONE.

We can control the traffic originated by the SELF-ZONE or destined to the SELF-ZONE.

Configuration tasks:

1. Configure an inbound policy for the SELF-ZONE (optional).
2. Configure an outbound policy for the SELF-ZONE (optional).

Scenario is as below.

Verify the configuration using

CISCO_ISR#show zone security

To allow ICMP protocol from

CISCO_ISR(config)#class-map type inspect CM_ICMP
CISCO_ISR(config-cmap)#match protocol icmp
CISCO_ISR(config-cmap)#exit
CISCO_ISR(config)#policy-map type inspect PM_ICMP
CISCO_ISR(config-pmap)#class type inspect CM_ICMP
CISCO_ISR(config-pmap-c)#inspect
CISCO_ISR(config-pmap-c)#exit
CISCO_ISR(config-pmap)#exit
CISCO_ISR(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
CISCO_ISR(config-sec-zone-pair)#service-policy type inspect PM_ICMP

CISCO_ISR#show policy-map type inspect zone-pair (VERIFICATION COMMAND)


This configuration only permits ping from the INSIDE zone to the OUTSIDE zone through the router itself. If we want a policy on ping from the INSIDE zone to the SELF-ZONE, and vice versa, we can do it as below.

In the example below, we allow incoming ping from the INSIDE zone to the SELF zone.


In the example below, we deny any incoming traffic from the DMZ to SELF and from OUTSIDE to SELF (OUT-TO-SELF).

Finally we configure an outbound policy for the SELF zone, i.e. allow the router to ping any host in the INSIDE zone, and then allow the router to send traffic to the TACACS server.
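The three self-zone policies just described (ping from INSIDE to the router, everything from DMZ and OUTSIDE to the router denied, the router allowed to ping INSIDE hosts and reach TACACS+), written out as an added configuration example that is not from the original notes. Zone names follow the notes; the TACACS+ server address 10.1.1.5 and the ACL and map names are assumptions.

```cisco
! Added example, not part of the original notes. Zone names follow the notes;
! the TACACS+ server address 10.1.1.5 and the ACL/map names are assumptions.
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! Inbound policy: INSIDE hosts may ping the router itself. class-default drops
! everything else, including routing-protocol packets from INSIDE, so add a
! class with the "pass" action for those if a routing protocol runs there.
class-map type inspect match-any CM_IN_TO_SELF
 match protocol icmp
policy-map type inspect PM_IN_TO_SELF
 class type inspect CM_IN_TO_SELF
  inspect
 class class-default
  drop log
zone-pair security IN-TO-SELF source INSIDE destination self
 service-policy type inspect PM_IN_TO_SELF
!
! Inbound policy: nothing from DMZ or OUTSIDE may reach the router itself
policy-map type inspect PM_DENY_TO_SELF
 class class-default
  drop log
zone-pair security DMZ-TO-SELF source DMZ destination self
 service-policy type inspect PM_DENY_TO_SELF
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM_DENY_TO_SELF
!
! Outbound policy: the router may ping INSIDE hosts and reach TACACS+ (TCP/49).
! "inspect" keeps state, so the replies are matched to the router's own sessions.
! No SELF-TO-OUT pair is defined, so router-originated traffic to OUTSIDE
! stays permitted by the default for the self zone.
ip access-list extended ACL_TACACS
 permit tcp any host 10.1.1.5 eq 49
class-map type inspect match-any CM_SELF_TO_IN
 match protocol icmp
 match access-group name ACL_TACACS
policy-map type inspect PM_SELF_TO_IN
 class type inspect CM_SELF_TO_IN
  inspect
 class class-default
  drop log
zone-pair security SELF-TO-IN source self destination INSIDE
 service-policy type inspect PM_SELF_TO_IN
```

Check the result with show zone-pair security and show policy-map type inspect zone-pair sessions; the drop log entries in show logging show which self-zone traffic is being refused.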

Implementation Guidelines:

Consider the following implementation guidelines.

Use the SELF-ZONE to protect the router against attacks by permitting only the minimal required connectivity.

Use the SELF-ZONE to avoid creating stateless rules for TCP sessions from the router (SSH, TACACS+, H.323, DLSw, and so on).

Not creating SELF-related zone pairs and policies results in a default permissive policy.


TUNING STATEFUL ENGINE & CONNECTION SETTINGS

It is not recommended to change these timers, as Cisco has already tuned them to fit everyone's needs. Still, these timers can be changed.

Default inspection timers are as below.

There are also TCP normalizer functions in the zone-based firewall. If packets have been manipulated to hide the protocol they carry, the zone-based firewall can reassemble them and then inspect what is inside.


We can use parameter maps to tune the inspection behaviour, including the TCP normalizer. This only applies to traffic that is being inspected.

Configuration tasks:

1. Configure stateful tracking timers (optional).
2. Configure session logging, also called auditing (optional).
3. Configure connection limits (optional).
4. Tune TCP normalizer parameters (optional).
5. Tune PAM (Port-to-Application Mapping) (optional).


SCENARIO :

Below is how we can tune it.

audit-trail on enables auditing of the inspected sessions. sessions maximum 500 limits the number of sessions to 500.


To enable TCP normalization globally on the zone-based firewall:

Type OOO stands for Out-Of-Order packets.

ip port-map ftp port tcp 2121 maps TCP port 2121 to the FTP application, so traffic on that port is treated as FTP.
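An added example (not from the original notes) that pulls the tuning commands of this section together: a parameter map with auditing, the 500-session cap and shortened timers, the global out-of-order (OOO) reassembly settings, and the FTP port mapping for TCP 2121. The zone, class and map names are assumptions, and the timer values are illustrative.

```cisco
! Added example, not part of the original notes. Zone, class and map names
! are assumptions; the timer values are illustrative.
!
! Per-class inspection parameters: session audit trail, a 500-session cap
! and shorter-than-default timers (IOS defaults: tcp idle 3600 s, tcp synwait
! 30 s, udp idle 30 s, icmp idle 10 s)
parameter-map type inspect PMAP_TUNED
 audit-trail on
 alert on
 sessions maximum 500
 tcp idle-time 1800
 tcp synwait-time 20
 udp idle-time 15
 icmp idle-time 5
 max-incomplete high 400
 max-incomplete low 300
!
! Global out-of-order (OOO) handling: how much of a TCP stream the firewall
! buffers and reassembles so that reordered segments can still be inspected
parameter-map type ooo global
 tcp reassembly queue length 64
 tcp reassembly memory limit 2048
 tcp reassembly timeout 5
 tcp reassembly alarm on
!
! PAM: treat TCP/2121 as FTP so the FTP inspector (including its dynamic
! data-channel handling) is applied to that port as well as to TCP/21
ip port-map ftp port tcp 2121
!
class-map type inspect match-any CM_FTP_ICMP
 match protocol ftp
 match protocol icmp
!
! The parameter map takes effect only on traffic that is inspected: it is
! attached to the inspect action of the class
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_FTP_ICMP
  inspect PMAP_TUNED
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT
```

show ip port-map ftp confirms that both TCP/21 and TCP/2121 are now mapped to FTP, and show parameter-map type inspect PMAP_TUNED shows the effective timer values.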

Implementation Guidelines:

Only tune these parameters when you really need to; changing them can cause an application to break.

Exercise care when relaxing TCP normalizer parameters: it may make application-layer filtering unreliable.

CONFIGURING SUPPORT FOR TRANSPARENT MODE, VRF, and NAT

The zone-based firewall can run in two modes.

Routed (default): a Layer 3 firewall, where forwarding of traffic is based on IP addresses.

Transparent: a Layer 2 firewall, where forwarding of traffic is based on MAC addresses; all routing decisions are made by the neighbouring routers and hosts.

A transparent-mode firewall is also called a bump-in-the-wire. A transparent firewall does not route traffic; it operates based on MAC addresses.


To set up the transparent firewall, we need to configure Integrated Routing and Bridging (IRB) on the IOS router.
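A transparent (bump-in-the-wire) zone-based firewall built on IRB, as an added example that is not from the original notes. The interface names, the bridge group number and the BVI management address are assumptions.

```cisco
! Added example, not part of the original notes. Interface names, the bridge
! group number and the BVI management address are assumptions.
!
! IRB: both interfaces are bridged; the BVI gives the router an IP address
! for management without making it a routed hop for the bridged traffic
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
zone security INSIDE
zone security OUTSIDE
!
! Each bridged interface is also a zone member, so frames crossing the
! bridge between the two interfaces are subject to the zone-pair policy
interface GigabitEthernet0/0
 no ip address
 bridge-group 1
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 no ip address
 bridge-group 1
 zone-member security OUTSIDE
!
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
class-map type inspect match-any CM_IN_TO_OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect
 class class-default
  drop log
!
! Only INSIDE-to-OUTSIDE sessions are opened; with no OUT-TO-IN zone pair,
! anything initiated from OUTSIDE is dropped by the inter-zone default
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT
```

Hosts on both sides stay in one IP subnet and never see the firewall as a hop; show bridge 1 shows the MAC addresses learned on each side.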

VRF-Aware FIREWALL

Zone-Based Policy Firewall supports CISCO IOS Software virtualization by being VRF-Aware.

You can configure zones on VRF-enabled interfaces to virtualize policy. Special Zone-Based Policy Firewall configuration is not required.

Zone-Based Policy Firewall VRF Configuration Example.
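Zones placed on VRF-enabled interfaces, as an added example that is not from the original notes. The VRF names, route distinguishers, interface names and addresses are assumptions, and routing between each VRF and the global table (route leaking) is assumed to be configured separately.

```cisco
! Added example, not part of the original notes. VRF names, route
! distinguishers, interface names and addresses are assumptions; routing
! between each VRF and the global table (route leaking) is assumed to exist.
ip vrf CUST_A
 rd 65000:1
ip vrf CUST_B
 rd 65000:2
!
! One INSIDE zone per VRF and a shared OUTSIDE zone in the global table
zone security INSIDE_A
zone security INSIDE_B
zone security OUTSIDE
!
! "ip vrf forwarding" must come before "ip address" (IOS removes the address
! when an interface joins a VRF); overlapping prefixes across VRFs are fine.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding CUST_A
 ip address 10.10.0.1 255.255.255.0
 zone-member security INSIDE_A
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding CUST_B
 ip address 10.10.0.1 255.255.255.0
 zone-member security INSIDE_B
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 zone-member security OUTSIDE
!
class-map type inspect match-any CM_WEB
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect PM_TO_OUT
 class type inspect CM_WEB
  inspect
 class class-default
  drop log
!
! No VRF-specific firewall syntax: the zone pairs name the zones, and VRF
! membership follows from the interfaces placed in each zone
zone-pair security A-TO-OUT source INSIDE_A destination OUTSIDE
 service-policy type inspect PM_TO_OUT
zone-pair security B-TO-OUT source INSIDE_B destination OUTSIDE
 service-policy type inspect PM_TO_OUT
```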


Document everything, since implementing VRFs together with the zone-based firewall adds a further layer of complexity to the IOS configuration.

NAT and Zone-Based Policy Firewall Configuration Example


In addition to the above, create the zone pairs and assign the service policies to them; NAT then works together with the zone-based firewall.
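NAT (PAT for the INSIDE hosts) combined with zone-based inspection, including the zone pair and service policy the sentence above calls for, as an added example that is not from the original notes. The interface names and addresses are assumptions.

```cisco
! Added example, not part of the original notes. Interface names and
! addresses are assumptions.
zone security INSIDE
zone security OUTSIDE
!
! NAT role and zone membership are set on the same interfaces
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE
!
ip access-list standard ACL_NAT_INSIDE
 permit 10.0.0.0 0.0.0.255
!
! PAT: every INSIDE host is translated to the OUTSIDE interface address
ip nat inside source list ACL_NAT_INSIDE interface GigabitEthernet0/1 overload
!
class-map type inspect match-any CM_OUTBOUND
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_OUTBOUND
  inspect
 class class-default
  drop log
!
! NAT alone gives no connectivity here: INSIDE and OUTSIDE are different
! zones, so their traffic is dropped until a zone pair carries a policy.
! "inspect" then lets the translated return traffic back in statefully.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT
```

Compare show ip nat translations with show policy-map type inspect zone-pair sessions to see the same connection from the NAT side and from the firewall side.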

TROUBLESHOOTING LOGIC FOR ZONE-BASED FIREWALL

1. Session allowed by policy? YES: go to step 2 (Check classes and policy). NO: verify the policy permissions using:

show logging
show policy-map type inspect zone-pair sessions
debug policy-firewall events
debug policy-firewall list

2. Check classes and policy: verify that the session is permitted by the expected rule. YES: go to step 3 (Check PAM). NO: check the classes and policy using:

show policy-map type inspect zone-pair

3. Check PAM: verify proper port mapping for non-standard ports. YES: go to step 4 (Verify proper inspection). NO: check the port mapping using:

show ip port-map

4. Verify proper inspection: verify the absence of TCP and application-layer issues. NO: keep checking from step 1 until the session is allowed. Commands:

debug policy-firewall protocol
debug policy-firewall list

Remember that debugging can be limited to the problematic hosts and destinations by using an IP ACL containing their IP addresses.

