Because classic IOS inspection (CBAC) policies apply to all traffic on an interface, it is not possible to apply different policies to different groups of users. The Zone-Based Firewall (ZFW), available from IOS Release 12.4(6)T, makes this possible.
Traffic can flow freely between interfaces in the same zone, but is blocked by default between zones.
Zone policies are configured using the Class-Based Policy Language (CPL), which is very similar to the Modular QoS CLI (MQC) with its class maps and policy maps.
A new class-map and policy-map type (type inspect) was introduced for use with zone-based firewalls.
ZFW allows inspection and control of several protocols, such as:
- HTTP and HTTPS
- SMTP, Extended SMTP (ESMTP), POP3 and IMAP
- Peer-to-peer applications, with the ability to use heuristics to track port hopping
- Instant messaging applications (AOL, Yahoo! and MSN)
- Remote Procedure Calls (RPC)
Steps to configure ZFW:
- Decide which zones are needed, and create them on the router
- Decide which traffic must flow between the zones, and create the zone-pairs on the router
- Create class maps to identify the traffic to be inspected by the firewall between zones
- Assign policies to the traffic by creating policy maps and associating the class maps with them
- Assign the policy maps to the appropriate zone-pairs
- Assign the interfaces to the zones. An interface can belong to only one security zone
The router automatically creates a zone for its own traffic, named the self zone. By default all traffic to and from this zone is permitted; this can, however, be changed.
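Leaving the self zone wide open means every service the router itself runs (SSH, Telnet, SNMP, HTTP) stays reachable from any zone regardless of the inter-zone policies. As an added example, not taken from the original page, the following restricts what INSIDE hosts may send to the router. The INSIDE subnet 192.168.20.0/24, SSH as the only management protocol and all object names are assumptions made for the illustration:

```cisco
! Added example (not part of the original configuration): lock down the self zone
! Assumptions: INSIDE network is 192.168.20.0/24; the router is managed over SSH only
ip access-list extended MGMT_TO_ROUTER
 permit tcp 192.168.20.0 0.0.0.255 any eq 22
!
class-map type inspect match-all MGMT_SSH
 match access-group name MGMT_TO_ROUTER
class-map type inspect match-any ROUTER_HOUSEKEEPING
 match protocol icmp
!
policy-map type inspect INSIDE-to-SELF
 class type inspect MGMT_SSH
  inspect
 class type inspect ROUTER_HOUSEKEEPING
  pass
 class class-default
  drop log
!
! As soon as a policy is attached to a pair that includes self, that direction stops being
! "permit everything": anything not matched by a class (including routing-protocol traffic
! you forgot to pass) falls into class-default and is dropped.
zone-pair security INSIDE-SELF source INSIDE destination self
 service-policy type inspect INSIDE-to-SELF
```

Two caveats: the self-to-INSIDE direction is untouched by this policy and stays permitted until it gets a policy of its own, and the OUTSIDE-to-self pair is still open, so the same pattern must be applied there (normally with nothing but the traffic the router has to accept, such as the routing protocol on the WAN link). Older releases also restrict which protocols may be inspected on self-zone pairs; where the platform refuses inspect, use pass for that traffic.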
Policy maps can take the following actions for each class:
- Drop — Drop the packet
- Inspect — Use Context-based Access Control Engine
- Pass — Pass the packet
- Police — Police the traffic
- Service-policy — Use Deep Packet Inspection Engine
- Urlfilter — Use URL Filtering Engine
Parameter maps can be used to generate alerts and audit trails, and to control session parameters such as the number of half-open sessions, session idle times, etc.
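The TIMEOUT parameter map in the example further down only changes idle times and leaves the half-open session limits at "unlimited", which is what the show output confirms. As an added example, not from the original page, this is what a parameter map that also turns on audit trails and caps embryonic sessions looks like; the thresholds and names are illustrative assumptions, not recommended values:

```cisco
! Added example (not part of the original configuration): parameter map with alerts,
! audit trail and half-open session limits. Thresholds are illustrative assumptions.
parameter-map type inspect HALF_OPEN_GUARD
 audit-trail on
 alert on
 ! global half-open sessions: start deleting them above 500, stop once below 400
 max-incomplete high 500
 max-incomplete low 400
 ! rate of new connection attempts per minute, same high/low hysteresis
 one-minute high 300
 one-minute low 200
 ! per destination host: above 50 half-open TCP sessions, block new ones for 2 minutes
 tcp max-incomplete host 50 block-time 2
 ! give up on a SYN that is not answered within 15 seconds
 tcp synwait-time 15
 tcp idle-time 1800
 udp idle-time 60
 sessions maximum 10000
!
! The map only takes effect where it is referenced from an inspect action
class-map type inspect match-any ANY_TCP
 match protocol tcp
policy-map type inspect GUARDED
 class type inspect ANY_TCP
  inspect HALF_OPEN_GUARD
```

The high/low pairs are deliberately separated so the firewall does not flap between aggressive and normal mode around a single threshold; the per-host limit is the one that actually protects a single server behind the firewall from a SYN flood.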
Example:
Connections:
R1——s2/1-R2-f0/1———-f0/0-R3
Access requirements:
Allow telnet and HTTP from R3 to any destination; HTTP GET requests must additionally be inspected and logged. Any other access from INSIDE, other than those just mentioned, must have an idle timeout of 100 seconds. It must also be possible to answer PINGs coming from OUTSIDE.
zone security INSIDE
zone security OUTSIDE
Interface S2/1
zone-member security OUTSIDE
Interface F0/1
zone-member security INSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
ip access-list extended TELNET
permit tcp any any eq telnet
ip access-list extended other_Traffic
permit ip any any
parameter-map type inspect TIMEOUT
udp idle-time 100
tcp idle-time 100
class-map type inspect match-all other_Traffic
match access-group name other_Traffic
! The class must reference an ACL that actually exists; the ACL defined above is named TELNET
! (the show output further down was captured with the same ACL named INSIDE-OUTSIDE)
class-map type inspect match-all TELNET
match access-group name TELNET
match protocol telnet
! HTTP GET requests will be inspected (application-layer match, hence the "http" class-map type)
class-map type inspect http method_HTTP
match request method get
class-map type inspect match-all _HTTP
match protocol http
!
! The DPI policy has to be created separately and is then nested under the Layer 4 class
policy-map type inspect http DPI_HTTP
class type inspect http method_HTTP
log
policy-map type inspect zbf_INSIDE-OUTSIDE
class type inspect TELNET
inspect
class type inspect _HTTP
inspect
service-policy http DPI_HTTP
class type inspect other_Traffic
inspect TIMEOUT
!
! Attach the policy to the INSIDE-OUTSIDE zone-pair (without this line the policy map exists but enforces nothing)
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect zbf_INSIDE-OUTSIDE
!
! Define the access allowed from OUTSIDE: only ICMP is inspected, everything else falls into class-default and is dropped
class-map type inspect match-all ICMP
match protocol icmp
policy-map type inspect zbf_OUTSIDE-INSIDE
class type inspect ICMP
inspect
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect zbf_OUTSIDE-INSIDE
R2#sh zone security
zone self
Description: System defined zone
zone INSIDE
Member Interfaces:
FastEthernet0/1
zone OUTSIDE
Member Interfaces:
Multilink1
R2#sh parameter-map type inspect
parameter-map type inspect TIMEOUT
audit-trail off
alert on
max-incomplete low unlimited
max-incomplete high unlimited
one-minute low unlimited
one-minute high unlimited
udp idle-time 100
icmp idle-time 10
dns-timeout 5
tcp idle-time 100
tcp finwait-time 5
tcp synwait-time 30
tcp max-incomplete host unlimited block-time 0
sessions maximum 2147483647
R2#sh policy-map type inspect zone-pair
Zone-pair: INSIDE-OUTSIDE
Service-policy inspect : zbf_INSIDE-OUTSIDE
Class-map: TELNET (match-all)
Match: access-group name INSIDE-OUTSIDE
Match: protocol telnet
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:43]
Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 00:00:02
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 1
Last half-open session total 0
Class-map: _HTTP (match-all)
Match: protocol http
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [1:32]
http packets: [0:6]
Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 00:41:05
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0
Deep packet inspection
Policy: http DPI_HTTP
3 packets, 72 bytes
Class-map: other_Traffic (match-all)
Match: access-group name other_Traffic
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
30 packets, 2400 bytes
Zone-pair: OUTSIDE-INSIDE
Service-policy inspect : zbf_OUTSIDE-INSIDE
Class-map: ICMP (match-all)
Match: protocol icmp
Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:1054]
Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:00:23
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 1
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
! Ping R3 from R1 (OUTSIDE to INSIDE)
R1#ping 192.168.20.1 re 2
Success rate is 100 percent (2/2), round-trip min/avg/max = 44/52/60 ms
! Telnet to R1 from R3 (INSIDE to OUTSIDE)
R3#telnet 192.168.10.1
Trying 192.168.10.1 … Open
User Access Verification
Password:
R2#sh policy-map type inspect zone-pair sessions
Zone-pair: INSIDE-OUTSIDE
Service-policy inspect : zbf_INSIDE-OUTSIDE
Class-map: TELNET (match-all)
Match: access-group name INSIDE-OUTSIDE
Match: protocol telnet
Inspect
Established Sessions
Session 670375D0 (192.168.20.1:21612)=>(192.168.10.1:23) telnet SIS_OPEN
Created 00:00:08, Last heard 00:00:07
Bytes sent (initiator:responder) [24:113]
Class-map: _HTTP (match-all)
Match: protocol http
Inspect
Deep packet inspection
Policy: http DPI_HTTP
3 packets, 72 bytes
Class-map: other_Traffic (match-all)
Match: access-group name other_Traffic
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
30 packets, 2400 bytes
Zone-pair: OUTSIDE-INSIDE
Service-policy inspect : zbf_OUTSIDE-INSIDE
Class-map: ICMP (match-all)
Match: protocol icmp
Inspect
Established Sessions
Session 67037898 (192.168.2.1:8)=>(192.168.20.1:0) icmp SIS_OPEN
Created 00:00:26, Last heard 00:00:00
ECHO request
Bytes sent (initiator:responder) [36360:36288]
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes