Context-Based Access Control (CBAC)
8/3/2019 CBAC_ZPF
http://slidepdf.com/reader/full/cbaczpf 1/102
CBAC Characteristics
Context-based access control (CBAC) is a solution available within the Cisco IOS Firewall.
CBAC intelligently filters TCP and UDP packets based on Application Layer protocol session information.
It provides stateful Application Layer filtering, including protocols that are specific to unique applications, as well as multimedia applications and protocols that require multiple channels for communication, such as FTP and H.323.
CBAC can also examine supported connections for embedded NAT and PAT information and perform the necessary address translations.
CBAC can block peer-to-peer (P2P) connections, such as those used by the Gnutella and KaZaA applications.
Instant messaging traffic can be blocked, such as Yahoo!, AOL, and MSN.
CBAC Functions
CBAC performs four main functions:
Traffic filtering
Traffic inspection
Intrusion detection
Generation of audits and alerts
Traffic Filtering
CBAC can be configured to permit specified TCP and UDP return traffic through a firewall when the connection is initiated from within the network.
It accomplishes this by creating temporary openings in an ACL that would otherwise deny the traffic.
CBAC can inspect traffic for sessions that originate from either side of the firewall.
It can also be used for intranet, extranet, and Internet perimeters of the network.
Traffic Filtering – cont’d
CBAC examines not only Network Layer and Transport Layer information but also Application Layer protocol information (such as FTP connection information) to learn about the state of the session.
This allows support of protocols that involve multiple channels created as a result of negotiations in the control channel.
Most of the multimedia protocols, as well as some other protocols (such as FTP, RPC, and SQL*Net), involve multiple channels.
Traffic Inspection
Because CBAC inspects packets at the Application Layer and maintains TCP and UDP session information, it can detect and prevent certain types of network attacks such as SYN flooding.
A SYN-flood attack occurs when a network attacker floods a server with a barrage of connection requests and does not complete the connection. The resulting volume of half-open (embryonic) connections overwhelms the server, causing it to deny service to valid requests.
CBAC also helps to protect against DoS attacks in other ways. It inspects packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets.
CBAC can also be configured to drop half-open connections, which require firewall processing and memory resources to maintain.
Intrusion Detection
CBAC provides a limited amount of intrusion detection to protect against specific SMTP attacks.
With intrusion detection, syslog messages are reviewed and monitored for specific attack signatures.
Certain types of network attacks have specific characteristics or signatures.
When CBAC detects an attack based on those specific characteristics, it resets the offending connections and sends syslog information to the syslog server.
Alert and Audit Generation
CBAC also generates real-time alerts and audit trails.
Enhanced audit trail features use syslog to track all network transactions and record timestamps, source and destination hosts, ports used, and the total number of transmitted bytes for advanced session-based reporting.
Real-time alerts send syslog error messages to central management consoles upon detecting suspicious activity.
Traffic Filtering from CBAC
CBAC Characteristics – cont’d
The first CBAC commands were introduced to Cisco IOS software in 1997.
CBAC is a dramatic improvement over the TCP established and reflexive ACL firewall options in several fundamental ways:
Monitors TCP connection setup
Maintains UDP session information
Tracks TCP sequence numbers
Inspects DNS queries and replies
Inspects common ICMP message types
Supports applications that rely on multiple connections
Inspects embedded addresses
Inspects Application Layer information
CBAC Characteristics – cont’d
It is important to note that CBAC only provides filtering for those protocols that are specified by an administrator.
If a protocol is not specified, the existing ACLs determine how that protocol is filtered, and no temporary opening is created.
Additionally, CBAC only detects and protects against attacks that travel through the firewall. It does not typically protect against attacks originating from within the protected network unless that traffic travels through an internal router with the Cisco IOS Firewall enabled.
While there is no such thing as a perfect defense, CBAC detects and prevents most of the popular attacks on a network. However, since there is no impenetrable defense, determined and skilled attackers can still find ways to launch effective attacks.
CBAC Operation
Without CBAC, traffic filtering is limited to ACL implementations that examine packets at the Network Layer or, at most, the Transport Layer. CBAC relies on a stateful packet filter that is application-aware.
This means that the filter is able to recognize all sessions of a dynamic application. CBAC examines not only Network Layer and Transport Layer information but also Application Layer protocol information (such as FTP connection information) to learn about the state of the session.
CBAC Stateful Traffic Inspection
The state table tracks the sessions and inspects all packets that pass through the stateful packet filter firewall. CBAC then uses the state table to build dynamic ACL entries that permit returning traffic through the perimeter router or firewall.
How Does CBAC Work?
CBAC creates openings in ACLs at firewall interfaces by adding a temporary ACL entry for a specific session.
These openings are created when specified traffic exits the internal protected network through the firewall.
The temporary openings allow returning traffic that would normally be blocked, and additional data channels, to enter the internal network back through the firewall.
The traffic is allowed back through the firewall only if it is part of the same session and has the expected properties as the original traffic that triggered CBAC when exiting through the firewall.
Without this temporary ACL entry, this traffic would be denied by the pre-existing ACL. The state table dynamically changes and adapts with the traffic flow.
CBAC Operation
CBAC is flexible in its configuration, especially in choosing which direction to inspect traffic.
In a typical setup, CBAC is used on the perimeter router or firewall to allow returning traffic into the network.
CBAC can also be configured to inspect traffic in two directions - in and out. This is useful when protecting two parts of a network, where both sides initiate certain connections and allow the returning traffic to reach its source.
Assume that a user initiates an outbound connection, such as Telnet, from a protected network to an external network, and CBAC is enabled to inspect Telnet traffic.
Also assume that an ACL is applied on the external interface preventing Telnet traffic from entering the protected network. This connection goes through a multistep operation.
1. When the traffic is first generated, as it passes through the router, the ACL is processed first if an inbound ACL is applied. If the ACL denies this type of outbound connection, the packet is dropped. If the ACL permits this outbound connection, the CBAC inspection rules are examined.
2. Based on the inspection rules for CBAC, the Cisco IOS software might inspect the connection. If Telnet traffic is not inspected, the packet is allowed through, and no other information is gathered. Otherwise, the connection goes to the next step.
3. The connection information is compared to entries in the state table. If the connection does not currently exist, the entry is added. If it does exist, the idle timer for the connection is reset.
4. If a new entry is added, a dynamic ACL entry is added on the external interface in the inbound direction (from the external network to the internal protected network). This allows the returning Telnet traffic, that is, packets that are part of the same Telnet connection previously established with the outbound packet, back into the network. This temporary opening is only active for as long as the session is open. These dynamic ACL entries are not saved to NVRAM.
5. When the session terminates, the dynamic information from the state table and the dynamic ACL entry are removed.
CBAC – TCP Handling
Recall that TCP uses a three-way handshake. The first packet contains a random sequence number and sets the TCP SYN flag.
When the first packet from a TCP flow with the TCP SYN flag is received by the router, the inbound ACL on the inside secured interface is checked.
If the packet is permitted, a dynamic session entry is created. The session is described by endpoint addresses, port numbers, sequence numbers, and flags.
All subsequent packets belonging to this session are checked against the current state and discarded if the packets are invalid.
How does CBAC determine if a packet is a subsequent packet belonging to an already established session?
CBAC – TCP Handling
After the TCP SYN packet is transmitted, the second packet contains a random sequence number that the responding host generates, as well as an acknowledgment sequence number (the received sequence number incremented by one), and the TCP SYN and ACK flags are set.
The third packet acknowledges the received packet by incrementing the packet sequence number in the acknowledgment sequence, raising the sequence number by the appropriate number of transmitted octets, and setting the ACK flag.
All subsequent segments increment their sequence numbers by the number of transmitted octets and acknowledge the last received segment by an increment of one, according to the TCP state machine.
After the three-way handshake, all packets have the ACK flag set until the session is terminated. The router determines which session each packet belongs to by tracking sequence numbers and flags.
CBAC – UDP Handling
With UDP, the router cannot track sequence numbers and flags.
There is no three-way handshake and no teardown process.
If the first packet from a UDP flow is permitted through the router, a UDP entry is created in the connection table.
The endpoint addresses and port numbers describe the UDP connection entry.
When no data is exchanged within the connection for a configurable UDP timeout, the connection description is deleted from the connection table.
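The multistep operation, the TCP handshake tracking and the UDP idle timeout described on the preceding slides, as an added Python model (example code written for this page, not Cisco's implementation): a state table keyed by the outbound 5-tuple, a set of temporary openings keyed by the return-direction 5-tuple, a SYN-ACK check against the recorded initial sequence number, and UDP entries aged out by a timeout. The two ACL callables, the inspected protocols, the addresses and the 30-second UDP timeout are constructed assumptions; closing a TCP session on the first FIN or RST and starting TCP state only from a SYN are simplifications of the model, not statements about IOS.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present: "SYN", "ACK", "FIN", "RST"
    seq: int = 0
    ack: int = 0
    ts: float = 0.0                  # arrival time in seconds (drives the UDP idle timeout)

def fwd(p):   # 5-tuple in the packet's own direction
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def rev(p):   # 5-tuple of the opposite direction
    return (p.proto, p.dst, p.dport, p.src, p.sport)

class CbacFirewall:
    """Toy model of a CBAC perimeter router with one inside and one outside interface."""

    def __init__(self, inside_acl, outside_acl, inspect_protocols, udp_timeout=30.0):
        self.inside_acl = inside_acl           # callable(Packet) -> bool: inbound ACL, inside interface
        self.outside_acl = outside_acl         # callable(Packet) -> bool: inbound ACL, outside interface
        self.inspect = set(inspect_protocols)  # the inspection rule: protocols that create state
        self.udp_timeout = udp_timeout
        self.state = {}           # state table: outbound 5-tuple -> session record
        self.dynamic_acl = set()  # temporary openings, keyed by the RETURN-direction 5-tuple

    def _close(self, key):        # step 5: state entry and dynamic ACL entry go away together
        self.state.pop(key, None)
        self.dynamic_acl.discard((key[0], key[3], key[4], key[1], key[2]))

    def expire_idle(self, now):   # UDP has no teardown: idle UDP entries are aged out
        for key, sess in list(self.state.items()):
            if sess["proto"] == "udp" and now - sess["last_seen"] > self.udp_timeout:
                self._close(key)

    def outbound(self, p):
        """Packet entering the inside interface on its way out of the protected network."""
        if not self.inside_acl(p):                       # step 1: the static ACL is checked first
            return "drop (inside acl)"
        if p.proto not in self.inspect:                  # step 2: not inspected, no state kept
            return "permit (not inspected)"
        key = fwd(p)
        sess = self.state.get(key)
        if sess is None:                                 # step 3: new session
            if p.proto == "tcp" and "SYN" not in p.flags:
                return "drop (no session)"               # toy rule: TCP state starts only with a SYN
            self.state[key] = {"proto": p.proto, "isn": p.seq, "last_seen": p.ts,
                               "state": "SYN_SENT" if p.proto == "tcp" else "UDP"}
            self.dynamic_acl.add(rev(p))                 # step 4: temporary opening for return traffic
            return "permit (session created)"
        sess["last_seen"] = p.ts                         # existing session: reset the idle timer
        if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
            self._close(key)                             # toy rule: the first FIN/RST ends the session
        return "permit"

    def inbound(self, p):
        """Packet entering the outside interface, headed for the protected network."""
        self.expire_idle(p.ts)
        if fwd(p) in self.dynamic_acl:                   # return traffic of a tracked session
            sess = self.state[rev(p)]
            if sess["state"] == "SYN_SENT":              # 2nd handshake packet: SYN+ACK, ack = ISN + 1
                if p.flags != {"SYN", "ACK"} or p.ack != sess["isn"] + 1:
                    return "drop (invalid handshake)"
                sess["state"] = "ESTABLISHED"
            elif sess["state"] == "ESTABLISHED" and "ACK" not in p.flags:
                return "drop (ACK expected)"             # after the handshake every segment carries ACK
            sess["last_seen"] = p.ts
            if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
                self._close(rev(p))
            return "permit (dynamic acl)"
        return "permit (static acl)" if self.outside_acl(p) else "drop (outside acl)"

def run_demo():
    """Walks a Telnet session and a DNS exchange through the model; returns the verdicts in order."""
    # Constructed policy: inside hosts (10.10.10.0/24) may start TCP/UDP sessions; from outside only
    # TCP to a DMZ web server (209.165.201.1:80) is allowed statically, all else needs a dynamic entry.
    fw = CbacFirewall(
        inside_acl=lambda p: p.src.startswith("10.10.10.") and p.proto in ("tcp", "udp"),
        outside_acl=lambda p: p.proto == "tcp" and p.dst == "209.165.201.1" and p.dport == 80,
        inspect_protocols=["tcp", "udp"], udp_timeout=30.0)
    host, server, S = "10.10.10.5", "203.0.113.10", frozenset
    v = [fw.outbound(Packet("tcp", host, 40000, server, 23, S({"SYN"}), seq=1000))]
    # a reply with the wrong acknowledgment number fails the sequence check; the genuine one passes
    v.append(fw.inbound(Packet("tcp", server, 23, host, 40000, S({"SYN", "ACK"}), seq=7000, ack=4242)))
    v.append(fw.inbound(Packet("tcp", server, 23, host, 40000, S({"SYN", "ACK"}), seq=7000, ack=1001)))
    # an unsolicited SYN from outside falls through to the static outside ACL
    v.append(fw.inbound(Packet("tcp", "198.51.100.7", 1234, host, 23, S({"SYN"}), seq=1)))
    # the client tears down; a late segment no longer matches any opening
    v.append(fw.outbound(Packet("tcp", host, 40000, server, 23, S({"FIN", "ACK"}), seq=1001, ack=7001)))
    v.append(fw.inbound(Packet("tcp", server, 23, host, 40000, S({"ACK"}), seq=7001, ack=1002)))
    # UDP: a DNS reply inside the idle timeout passes, one after it does not
    v.append(fw.outbound(Packet("udp", host, 53000, server, 53, ts=10.0)))
    v.append(fw.inbound(Packet("udp", server, 53, host, 53000, ts=12.0)))
    v.append(fw.inbound(Packet("udp", server, 53, host, 53000, ts=60.0)))
    return v
```

Running `run_demo()` shows the point of the five steps in one list: the outbound SYN opens the hole, a forged SYN-ACK with the wrong acknowledgment number is discarded even though it matches the opening, an unsolicited SYN never reaches the state table, and after FIN or after the UDP timeout the return traffic is back to being judged by the static outside ACL alone.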
CBAC – Handling Other Protocols
Stateful firewalls do not usually track other protocols, such as GRE and IPsec, but handle them in a stateless manner, similar to how a classic packet filter handles these protocols.
If stateful support is provided for other protocols, the support is usually similar to the support for UDP. When a protocol flow is initially permitted, all packets matching the flow are permitted until an idle timer expires.
Dynamic applications, such as FTP, SQLnet, and many protocols that are used for voice and video signaling and media transfer, open a channel on a well-known port and then negotiate additional channels through the initial session.
Stateful firewalls support these dynamic applications through application inspection features. The stateful packet filter snoops the initial session and parses the application data to learn about the additional negotiated channels. Then the stateful packet filter enforces the policy that if the initial session was permitted, any additional channels of that application should be permitted as well.
CBAC Operations – Inspection Rules
With CBAC, the protocols to inspect are specified in an inspection rule.
An inspection rule is applied to an interface in a direction (in or out) where the inspection applies. The firewall engine inspects only the specified protocol packets if they first pass the inbound ACL that is applied to the inside interface. If a packet is denied by the ACL, the packet is dropped and not inspected by the firewall.
Packets that match the inspection rule generate a dynamic ACL entry that allows return traffic back through the firewall.
The firewall creates and removes ACLs as required by the applications. When the application terminates, CBAC removes all dynamic ACLs for that session.
CBAC Operations – Inspection Rules
The Cisco IOS Firewall engine can recognize application-specific commands such as illegal SMTP commands in the control channel and detect and prevent certain Application Layer attacks.
When an attack is detected, the firewall can take several actions:
Generate alert messages
Protect system resources that could impede performance
Block packets from suspected attackers
CBAC Operations – Inspection Rules
The timeout and threshold values are used to manage connection state information.
These values help determine when to drop connections that do not become fully established or that time out.
Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks:
Total number of half-open TCP sessions
Number of half-open sessions in a time interval
Number of half-open TCP sessions per host
CBAC Operations – Inspection Rules
If a threshold for the number of half-open TCP sessions is exceeded, the firewall has two options:
It sends a reset message to the endpoints of the oldest half-open session, making resources available to service newly arriving SYN packets.
It blocks all SYN packets temporarily for the duration that the threshold value is configured. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources that valid connections need.
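The half-open thresholds and the two responses described on these two slides, as an added Python model (example code written for this page, not Cisco's implementation). The parameter names, the constructed client and DMZ addresses and the 10-second blocking window are assumptions; the time-interval threshold is left out and the per-host threshold is counted per destination host. In IOS these limits are set with the `ip inspect max-incomplete` and `ip inspect tcp max-incomplete host` commands, which the slides do not show.

```python
from collections import Counter


class HalfOpenGuard:
    """Toy model of CBAC's half-open (embryonic) TCP session thresholds.

    A session is half-open from its first SYN until the handshake completes.
    Crossing a threshold either resets the oldest half-open session
    (action="reset") or refuses new SYNs for block_time seconds (action="block").
    All parameter names and values here are constructed for the example.
    """

    def __init__(self, max_total, max_per_host, block_time, action="reset"):
        self.max_total = max_total          # total half-open sessions allowed
        self.max_per_host = max_per_host    # half-open sessions allowed per destination host
        self.block_time = block_time
        self.action = action
        self.half_open = {}                 # session key -> (dest host, SYN time); dict order = age
        self.per_host = Counter()
        self.block_syn_until = 0.0
        self.resets = []                    # sessions whose endpoints would receive a TCP RST

    def _remove(self, key):
        host, _ = self.half_open.pop(key)
        self.per_host[host] -= 1

    def _reset_oldest(self, host=None):
        """Reset the oldest half-open session (restricted to one destination host if given)."""
        for key, (h, _) in list(self.half_open.items()):
            if host is None or h == host:
                self.resets.append(key)
                self._remove(key)
                return

    def on_syn(self, key, host, ts):
        """A SYN for destination `host` arrives at time `ts`; returns the verdict for it."""
        if ts < self.block_syn_until:
            return "drop (SYN blocking active)"
        if key in self.half_open:                       # retransmitted SYN: nothing new to track
            return "permit"
        self.half_open[key] = (host, ts)
        self.per_host[host] += 1
        over_host = self.per_host[host] > self.max_per_host
        over_total = len(self.half_open) > self.max_total
        if not (over_host or over_total):
            return "permit"
        if self.action == "block":                      # option 2: refuse SYNs for a while
            self._remove(key)                           # the SYN that crossed the line is refused too
            self.block_syn_until = ts + self.block_time
            return "drop (threshold exceeded, blocking SYNs)"
        if over_host:                                   # option 1: free the oldest entry
            self._reset_oldest(host)
        if len(self.half_open) > self.max_total:        # re-check: the host reset may have fixed it
            self._reset_oldest()
        return "permit"

    def on_established(self, key):
        """The third handshake packet arrived: the session is no longer half-open."""
        if key in self.half_open:
            self._remove(key)


def reset_scenario():
    """Returns (verdicts, reset session keys, half-open count) for the reset-oldest option."""
    g = HalfOpenGuard(max_total=4, max_per_host=2, block_time=10.0, action="reset")
    srv_a, srv_b, srv_c = "209.165.201.1", "209.165.201.2", "209.165.201.3"   # constructed DMZ hosts
    syns = [("198.51.100.1", srv_a), ("198.51.100.2", srv_b), ("198.51.100.3", srv_a),
            ("198.51.100.4", srv_a), ("198.51.100.5", srv_c), ("198.51.100.6", srv_c)]
    keys = [(client, 40000, server, 25) for client, server in syns]
    verdicts = [g.on_syn(k, k[2], float(t)) for t, k in enumerate(keys)]
    g.on_established(keys[2])          # one client finishes its handshake
    return verdicts, g.resets, len(g.half_open)


def block_scenario():
    """Returns the verdicts for the block-SYNs option."""
    g = HalfOpenGuard(max_total=2, max_per_host=5, block_time=10.0, action="block")
    srv = "209.165.201.1"
    keys = [(f"198.51.100.{i}", 40000, srv, 25) for i in range(1, 6)]
    v = [g.on_syn(keys[0], srv, 0.0), g.on_syn(keys[1], srv, 1.0), g.on_syn(keys[2], srv, 2.0)]
    v.append(g.on_syn(keys[3], srv, 5.0))       # still inside the 10 s blocking window
    g.on_established(keys[0])
    v.append(g.on_syn(keys[4], srv, 13.0))      # window over and a slot free again
    return v
```

In the reset scenario the fourth SYN to the same server trips the per-host limit and the oldest half-open session to that server is reset, while the sixth SYN trips the total limit and the oldest session overall goes; every SYN is still permitted, which is the trade-off of option 1. In the block scenario the third SYN is refused and so is everything in the next ten seconds, which is cheaper for the router but also turns away legitimate clients during the window.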
Configuring CBAC
There are four steps to configure CBAC:
Step 1. Pick an interface - internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.
Step 4. Apply an inspection rule to an interface.
Step 1 – Pick an Interface
First determine the internal and external interfaces for applying inspection.
With CBAC, internal and external refer to the direction of conversation.
The interface on which sessions can be initiated must be selected as the internal interface.
Sessions that originate from the external interface will be blocked.
Two Interfaces
In a typical two-interface scenario in which one interface connects to the external network and the other connects to the protected network, CBAC prevents the specified protocol traffic from entering the firewall and the internal network, unless the traffic is part of a session initiated from within the internal network.
Three Interfaces
In a three-interface scenario in which the first interface connects to the external network, the second interface connects to a network in a DMZ, and the third interface connects to the internal protected network, the firewall can permit external traffic to resources within the DMZ, such as DNS and web services.
The same firewall can then prevent specified protocol traffic from entering the internal network unless the traffic is part of a session initiated from within the internal network.
CBAC – Two Directions
CBAC can also be configured in two directions at one or more interfaces.
Configure the firewall in two directions when the networks on both sides of the firewall require protection, such as with extranet or intranet configurations, and for protection against DoS attacks.
If configuring CBAC in two directions, configure one direction first, using the appropriate internal and external interface designations.
When configuring CBAC in the other direction, the interface designations must be swapped.
Step 2 – Configure IP ACLs at the Interface
For Cisco IOS Firewall to work properly, an administrator must configure IP ACLs at the inside, outside, and DMZ interfaces.
To provide the security benefits of ACLs, an administrator should, at a minimum, configure ACLs on border routers situated at the edge of the network between the internal and external networks.
ACLs can also be used on a router positioned between two internal parts of a network to control traffic flow.
ACLs can be configured on an interface to filter inbound traffic, outbound traffic, or both.
The administrator must define ACLs for each protocol enabled on an interface to control traffic flow for that protocol.
Use ACLs to determine what types of traffic to forward or block at the router interfaces.
Guidelines for IOS Firewall ACLs
Set up antispoofing protection by denying any inbound traffic (incoming on an external interface) from a source address that matches an address on the protected network.
Antispoofing protection prevents traffic from an unprotected network from assuming the identity of a device on the protected network.
Deny broadcast messages with a source address of 255.255.255.255. This entry helps prevent broadcast attacks.
REMEMBER: the last entry in an ACL is an implicit denial of all IP traffic that is not specifically allowed by other entries in the ACL.
Optionally, an administrator can add an entry to the ACL that denies IP traffic with any source or destination address, thus making the denial rule explicit. Adding this entry is especially useful if it is necessary to log information about the denied packets.
Step 3 – Define Inspection Rules
You must define inspection rules to specify which Application Layer protocols to inspect at an interface. Normally, it is only necessary to define one inspection rule. The only exception occurs if it is necessary to enable the firewall engine in two directions at a single firewall interface. In this instance, you can configure two rules, one for each direction.
An inspection rule should specify each desired Application Layer protocol to inspect, as well as generic TCP, UDP, or ICMP, if desired.
Generic TCP and UDP inspection dynamically permits return traffic of active sessions.
ICMP inspection allows ICMP echo reply packets forwarded as a response to previously seen ICMP echo messages.
The inspection rule consists of a series of statements, each listing a protocol and specifying the same inspection rule name. Inspection rules include options for controlling alert and audit trail messages.
Inspection Rules Configuration
Inspection rules are configured in global configuration.
Router(config)# ip inspect name inspection_name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
Example 1
In this example, the IP inspection rule is named FWRULE. FWRULE inspects extended SMTP and FTP with alert and audit trails enabled. FWRULE has an idle timeout of 300 seconds.
ip inspect name FWRULE smtp alert on audit-trail on timeout 300
ip inspect name FWRULE ftp alert on audit-trail on timeout 300
Inspection Rules Configuration
Example 2
In this example, the PERMIT_JAVA rule allows all users permitted by standard ACL 10 to download Java applets.
ip inspect name PERMIT_JAVA http java-list 10
access-list 10 permit 10.224.10.0 0.0.0.255
Inspection Rules Configuration
Example 3
In this example, a list of protocols, including generic TCP with an idle timeout of 12 hours (normally 1 hour), is defined for the Cisco IOS Firewall to inspect.
ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp
Step 4 – Apply an Inspection Rule to an Interface
The last step for configuring CBAC is to apply an inspection rule to an interface.
This is the command syntax used to activate an inspection rule on an interface.
Router(config-if)# ip inspect inspection_name {in | out}
Step 4 – Apply an Inspection Rule to an Interface
For the Cisco IOS Firewall to be effective, both inspection rules and ACLs must be strategically applied to all router interfaces.
There are two guiding principles for applying inspection rules and ACLs on the router:
1. On the interface where traffic initiates, apply the ACL in the inward direction that permits only wanted traffic and apply the rule in the inward direction that inspects wanted traffic.
2. On all other interfaces, apply the ACL in the inward direction that denies all traffic, except traffic that has not been inspected by the firewall, such as GRE and ICMP traffic that is not related to echo and echo reply messages.
CBAC Configuration Example
An administrator needs to permit inside users to initiate TCP, UDP, and ICMP traffic with all external sources.
Outside clients are allowed to communicate with the SMTP server (209.165.201.1) and HTTP server (209.165.201.2) that are located in the enterprise DMZ.
It is also necessary to permit certain ICMP messages to all interfaces. All other traffic from the external network is denied.
For this example, first create an ACL that allows TCP, UDP, and ICMP sessions and denies all other traffic.
R1(config)# access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 permit udp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 deny ip any any
CBAC Configuration Example
This ACL is applied to the internal interface in the inbound direction.
The ACL processes traffic initiating from the internal network prior to leaving the network.
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 101 in
CBAC Configuration Example
Next, create an extended ACL in which SMTP and HTTP traffic is permitted from the external network to the DMZ network only, and all other traffic is denied.
R1(config)# access-list 102 permit tcp any host 209.165.201.1 eq www
R1(config)# access-list 102 permit tcp any host 209.165.201.2 eq smtp
R1(config)# access-list 102 permit icmp any any echo-reply
R1(config)# access-list 102 permit icmp any any unreachable
R1(config)# access-list 102 permit icmp any any administratively-prohibited
R1(config)# access-list 102 permit icmp any any packet-too-big
R1(config)# access-list 102 permit icmp any any echo
R1(config)# access-list 102 permit icmp any any time-exceeded
R1(config)# access-list 102 deny ip any any
CBAC Configuration Example
This ACL is applied to the interface connecting to the external network in the inbound direction.
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 102 in
CBAC Configuration Example
If the configuration stopped here, all returning traffic, with the exception of ICMP messages, would be denied because of the external ACL.
Next, create inspection rules for TCP inspection and UDP inspection.
R1(config)# ip inspect name MYSITE tcp
R1(config)# ip inspect name MYSITE udp
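As an added check (example code written for this page, not Cisco's implementation), the following Python parses the two ACLs of this configuration example exactly as entered and evaluates constructed packets against them with the first-match, implicit-deny semantics of an IOS ACL. It shows why, before the MYSITE inspection rule adds its dynamic entries, ACL 102 denies the Telnet reply. It also makes visible that the ACL lines as written permit `www` to 209.165.201.1 and `smtp` to 209.165.201.2, while the prose of the example names 209.165.201.1 as the SMTP server; a practitioner would reconcile the two before deploying. The packet addresses and the port-name table are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "ftp": 21, "domain": 53}

# The two ACLs exactly as the configuration example enters them (without the R1(config)# prompt).
ACL_101 = """
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
access-list 101 permit udp 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
access-list 101 deny ip any any
"""
ACL_102 = """
access-list 102 permit tcp any host 209.165.201.1 eq www
access-list 102 permit tcp any host 209.165.201.2 eq smtp
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any time-exceeded
access-list 102 deny ip any any
"""


@dataclass
class Entry:
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Optional[int]
    dst: Callable[[str], bool]
    dport: Optional[int]
    icmp_type: Optional[str]


def _addr(tok, i):
    """Consume one address spec (any | host A | A WILDCARD); returns (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        want = tok[i + 1]
        return (lambda ip: ip == want), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))   # wildcard mask: 1 bits are "don't care"
    return (lambda ip: (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)), i + 2


def _port(tok, i):
    """Consume an optional 'eq <port>' operator; returns (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Parses 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P] [ICMP-TYPE]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) else None
        entries.append(Entry(action, proto, src, sport, dst, dport, icmp_type))
    return entries


def evaluate(entries, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """First match wins; the implicit deny at the end of every IOS ACL is modelled explicitly."""
    for e in entries:
        if e.proto not in ("ip", proto) or not e.src(src) or not e.dst(dst):
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action
    return "deny"


def check_example():
    """Runs constructed packets through both ACLs; returns a name -> verdict map."""
    acl101, acl102 = parse_acl(ACL_101), parse_acl(ACL_102)
    return {
        # an inside host starts Telnet: permitted by 101 on the inside interface
        "inside telnet out": evaluate(acl101, "tcp", "10.10.10.5", "203.0.113.10", 40000, 23),
        # a source outside 10.10.10.0/24 on the inside interface hits deny ip any any
        "inside spoofed src": evaluate(acl101, "tcp", "192.168.1.1", "203.0.113.10", 40000, 23),
        # the Telnet reply on the outside interface: 102 has no line for it, so it is denied
        # until CBAC inserts its dynamic entry
        "telnet reply in": evaluate(acl102, "tcp", "203.0.113.10", "10.10.10.5", 23, 40000),
        "web to dmz .1:80": evaluate(acl102, "tcp", "198.51.100.7", "209.165.201.1", 1234, 80),
        "smtp to dmz .1:25": evaluate(acl102, "tcp", "198.51.100.7", "209.165.201.1", 1234, 25),
        "icmp echo-reply in": evaluate(acl102, "icmp", "203.0.113.10", "10.10.10.5", icmp_type="echo-reply"),
        "icmp redirect in": evaluate(acl102, "icmp", "203.0.113.10", "10.10.10.5", icmp_type="redirect"),
    }
```

The parser handles only the syntax these two ACLs use (`any`, `host`, wildcard masks, `eq`, and an ICMP type); it is meant for reading a configuration back and reasoning about it, not as a general IOS ACL grammar.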
CBAC Configuration Example
These inspection rules are applied to the internal interface in the inbound direction.
R1(config)# interface Fa0/0
R1(config-if)# ip inspect MYSITE in
CBAC Configuration Example
The inspection list automatically creates temporary ACL statements in the inbound ACL applied to the external interface for TCP and UDP connections. This permits TCP and UDP traffic that is in response to requests generated from the internal network.
To remove CBAC from the router, use the global no ip inspect command.
Router(config)# no ip inspect
This command removes all CBAC commands, the state table, and all temporary ACL entries created by CBAC. It also resets all timeout and threshold values to their factory defaults.
After CBAC is removed, all inspection processes are no longer available, and the router uses only the current ACL implementations for filtering.
Audits
Auditing keeps track of the connections that CBAC inspects, including valid and invalid access attempts.
Show Commands
Debug Commands
Zone-Based Firewalls
What is a Zone???
Zones are simple enough. You create them to group interfaces together that you want to have common firewall rules on.
You could have internal interfaces in a zone called Inside, and external-facing interfaces in one called Outside.
You apply a policy map in one direction between the two zones, which specifies what traffic is to be inspected (in that direction only), and what's to be done with it.
Without a policy to say differently, traffic between zones is denied by default.
The self zone is a zone created by default by the router. It has a permit policy by default, and it is used to manage traffic directed to or generated by the router, NOT traffic that just travels through it. If you wanted to apply firewall rules to traffic directed to the router itself, you'd have to make a zone pair of the self zone and the zone the traffic is coming from, and apply a policy to the pair.
What is a Zone Pair???
A zone-pair allows you to specify a unidirectional firewall policy between two security zones.
To define a zone-pair, use the zone-pair security command. The direction of the traffic is specified by specifying a source and destination zone. The source and destination zones of a zone-pair must be security zones. The same zone cannot be defined as both the source and the destination.
If desired, you can select the default self zone as either the source or the destination zone. The self zone is a system-defined zone. It does not have any interfaces as members. A zone-pair that includes the self zone, along with the associated policy, applies to traffic directed to the router or traffic generated by the router. It does not apply to traffic through the router.
The most common usage of firewalls is to apply them to traffic through a router, so you usually need at least two zones (that is, you cannot use the self zone).
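The zone rules stated on this slide and the previous one (a policy applies in one direction between two zones, traffic between zones is denied unless a pair with a policy exists, the self zone has a default permit and no interface members, and a zone cannot be both ends of a pair), as an added Python model (example code written for this page, not Cisco's implementation). It decides only how a new session is treated; return traffic of an inspected session is admitted by the inspection state, which this model does not keep. The interface and zone names are constructed. Two ZPF behaviours not stated on the slides are included and marked in comments: traffic between interfaces of the same zone passes, and traffic between a zone member and an interface in no zone is dropped.

```python
class ZoneFirewall:
    """Toy model of zone-based policy firewall semantics."""

    SELF = "self"   # system-defined zone for traffic to or from the router itself; has no interfaces

    def __init__(self):
        self.zone_of = {}   # interface name -> zone name
        self.pairs = {}     # (source zone, destination zone) -> policy name

    def zone_member(self, interface, zone):
        """Put an interface into a security zone."""
        if zone == self.SELF:
            raise ValueError("the self zone cannot have interface members")
        self.zone_of[interface] = zone

    def zone_pair(self, name, source, destination, policy):
        """A unidirectional pair (source -> destination) with the policy applied to it."""
        if source == destination:
            raise ValueError("a zone cannot be both source and destination of a zone-pair")
        self.pairs[(source, destination)] = policy   # only the direction matters for the lookup
        return name

    def verdict(self, ingress, egress):
        """How a new session entering `ingress` and leaving `egress` is treated.
        Pass ZoneFirewall.SELF as ingress or egress for traffic generated by or sent to the router."""
        src = self.SELF if ingress == self.SELF else self.zone_of.get(ingress)
        dst = self.SELF if egress == self.SELF else self.zone_of.get(egress)
        if src is None and dst is None:
            return "pass (neither interface zoned)"       # ZPF rule not on the slides: unzoned to unzoned passes
        if src is None or dst is None:
            return "drop (interface not in any zone)"     # ZPF rule not on the slides: zoned to unzoned is dropped
        if src == dst:
            return "pass (same zone)"                     # ZPF rule not on the slides: intra-zone is not policed
        policy = self.pairs.get((src, dst))
        if policy is not None:
            return f"apply policy {policy}"               # a pair exists in this direction: its policy decides
        if self.SELF in (src, dst):
            return "pass (self zone default permit)"      # no pair with self: router traffic is permitted
        return "drop (no zone-pair: default deny)"        # no pair between two security zones: denied


def demo():
    """Constructed topology: two inside interfaces, one outside, a single INSIDE -> OUTSIDE pair."""
    fw = ZoneFirewall()
    fw.zone_member("Fa0/0", "INSIDE")
    fw.zone_member("Fa0/1", "INSIDE")
    fw.zone_member("S0/0/0", "OUTSIDE")
    fw.zone_pair("IN-TO-OUT", "INSIDE", "OUTSIDE", "INSIDE-TO-OUTSIDE-POLICY")
    return {
        "inside -> outside": fw.verdict("Fa0/0", "S0/0/0"),
        "outside -> inside": fw.verdict("S0/0/0", "Fa0/0"),     # reverse direction: no pair, so denied
        "inside -> inside": fw.verdict("Fa0/0", "Fa0/1"),
        "outside -> router": fw.verdict("S0/0/0", ZoneFirewall.SELF),
        "inside -> unzoned": fw.verdict("Fa0/0", "Fa0/2"),
    }


def same_zone_pair_rejected():
    """Checks the slide's rule that a zone cannot be both ends of a pair."""
    try:
        ZoneFirewall().zone_pair("BAD", "INSIDE", "INSIDE", "P")
    except ValueError:
        return True
    return False
```

The "outside -> router" case is the one the slide warns about: with no pair involving the self zone, management traffic to the router is permitted by default, so locking that down means creating an OUTSIDE -> self pair and applying a policy to it.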
ZBF
In 2006, Cisco Systems introduced the zone-based policy firewall configuration model with Cisco IOS Release 12.4(6)T.
Interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones.
A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface.
It also has the ability to prohibit traffic via a default deny-all policy between firewall zones.
ZBF
The zone-based policy firewall (ZPF or ZBF or ZFW) inspection interface supports previous firewall features, including stateful packet inspection, application inspection, URL filtering, and DoS mitigation.
Firewall policies are configured using the Cisco Common Classification Policy Language (C3PL), which uses a hierarchical structure to define network protocol inspection and allows hosts to be grouped under one inspection policy.
Zone-Based Policy Firewall Characteristics
The primary motivations for network security professionals to migrate to the ZPF model are structure and ease of use.
The structured approach is useful for documentation and communication.
The ease of use makes network security implementations more accessible to a larger community of security professionals.
Implementing CBAC is complex and can be overwhelming. Unlike ZPF, CBAC does not utilize any dedicated hierarchical data structures to modularize the implementation. CBAC has these limitations:
Multiple inspection policies and ACLs on several interfaces on a router make it difficult to correlate the policies for traffic between multiple interfaces.
Policies cannot be tied to a host group or subnet with an ACL. All traffic through a given interface is subject to the same inspection.
The process relies too heavily on ACLs.
Zone-Based Policy Firewall Characteristics
Zones establish the security borders of a network. The zone itself defines a boundary where traffic is subjected to policy restrictions as it crosses over into another region of the network.
The default policy between zones is deny all. If no policy is explicitly configured, all traffic moving between zones is blocked. This is a significant departure from the CBAC model, in which traffic was implicitly allowed until it was explicitly blocked with an ACL.
While many ZPF commands appear similar to CBAC commands, they are not the same.
A second significant change is the introduction of the Cisco Common Classification Policy Language (C3PL). This configuration policy language allows a modular approach to firewall implementation.
Zone-Based Policy Firewall Characteristics
Some of the benefits of ZPF include the following:
Not dependent on ACLs.
The router security posture is to block unless explicitly allowed.
Policies are easy to read and troubleshoot with C3PL.
One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.
Designing Zone-Based Firewall – Step 1
Determine the zones - The internetworking infrastructure under consideration must be split into separate zones with various security levels.
In this step, the administrator does not consider the physical implementation of the firewall (number of devices, defense depth, redundancy, etc.), but focuses instead on the separation of the infrastructure into zones.
For example, the public network to which the internal network is connected is one zone.
Designing Zone-Based Firewall – Step 2
Establish policies between zones - For each pair of "source-destination" zones (for example, from the inside network to the Internet), define the sessions that clients in the source zone can request from servers in the destination zone.
These sessions are most commonly TCP and UDP sessions, but also ICMP sessions such as ICMP echo.
For traffic that is not based on the concept of sessions, such as IPsec Encapsulating Security Payload (ESP), the administrator must define unidirectional traffic flows from source to destination and vice versa.
As in Step 1, this step is about the traffic requirements between zones, not the physical setup.
Designing Zone-Based Firewall – Step 3
Design the physical infrastructure - After the zones have been identified and the traffic requirements between them documented, the administrator must design the physical infrastructure, taking into account security and availability requirements.
This includes stating the number of devices between the most-secure and least-secure zones and determining redundant devices.
Designing Zone-Based Firewall – Step 4
Identify subsets within zones and merge traffic requirements - For each firewall device in the design, the administrator must identify the zone subsets connected to its interfaces and merge the traffic requirements for those zones.
For example, multiple zones might be indirectly attached to a single interface of a firewall, resulting in a device-specific inter-zone policy.
Common ZPF Designs
(Figure slides: LAN-to-Internet; Public Servers; Redundant Firewalls; Complex Firewalls; Complex Firewall Simplified with Zones)
Zone-Based Policy Firewall Actions
The Cisco IOS zone-based policy firewall can take three possible actions:
Inspect - Configures Cisco IOS stateful packet inspection. This action is equivalent to the CBAC ip inspect command. It automatically allows return traffic and the related ICMP messages. For protocols requiring multiple parallel signaling and data sessions (for example, FTP or H.323), the inspect action also handles the proper establishment of the data sessions.
Drop - Similar to a deny statement in an ACL. A log option is available to log the rejected packets.
Pass - Similar to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic. Pass allows the traffic in one direction only. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.
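The one-way nature of pass matters most for sessionless traffic such as the IPsec ESP case from design Step 2. The following is an added example (not from the original slides) that passes ESP through the firewall to an inside VPN gateway using one zone pair per direction. The zone names INSIDE and OUTSIDE, the gateway address 10.1.1.10, the ACL, class and policy names, and the interface names are assumptions for illustration.

```ios
! Added example (not from the original slides). Zone names, the VPN
! gateway 10.1.1.10, ACL/class/policy names and interface names are
! assumptions for illustration.
zone security INSIDE
zone security OUTSIDE
!
! ESP (IP protocol 50) has no sessions to track, so it cannot be
! inspected; match it with an ACL and pass it in each direction.
ip access-list extended ESP-IN
 permit esp any host 10.1.1.10
ip access-list extended ESP-OUT
 permit esp host 10.1.1.10 any
!
class-map type inspect match-all ESP-IN-CLASS
 match access-group name ESP-IN
class-map type inspect match-all ESP-OUT-CLASS
 match access-group name ESP-OUT
!
policy-map type inspect ESP-IN-POLICY
 class type inspect ESP-IN-CLASS
  pass
 class class-default
  drop log
policy-map type inspect ESP-OUT-POLICY
 class type inspect ESP-OUT-CLASS
  pass
 class class-default
  drop log
!
! pass is stateless and unidirectional: both pairs are required.
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect ESP-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect ESP-OUT-POLICY
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Because pass keeps no state, removing either zone pair (or its ACL entry) silently breaks the tunnel in one direction; show policy-map type inspect zone-pair OUT-TO-IN shows the per-class pass and drop counters for checking this. The IKE negotiation on UDP/500 is an ordinary UDP exchange and can be handled with inspect from the initiating side instead of pass.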
Zone-Based Policy Firewall Operation
The membership of the router network interfaces in zones is subject to several rules governing interface behavior, as is the traffic moving between zone member interfaces:
A zone must be configured before an administrator can assign interfaces to the zone.
If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
An administrator can assign an interface to only one security zone.
Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
Zone-Based Policy Firewall Operation – cont’d
The membership of the router network interfaces in zones is subject to several rules governing interface behavior, as is the traffic moving between zone member interfaces:
Traffic cannot flow between a zone member interface and any interface that is not a zone member. An administrator can apply pass, inspect, and drop actions only between two zones.
Interfaces that have not been assigned to a zone can still use a CBAC stateful packet inspection configuration.
If an administrator does not want an interface on the router to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (also known as a dummy policy) between that zone and any other zone to which traffic flow is desired.
Zone-Based Policy Firewall Operation – cont’d
The rules for a zone-based policy firewall are different when the router itself is involved in the traffic flow. In addition, the rules depend on whether the router is the source or the destination of the traffic.
When an interface is configured to be a zone member, the hosts that are connected to the interface are included in the zone, but traffic flowing to and from the IP addresses of the router is not controlled by the zone policies.
Instead, all the IP interfaces on the router are automatically made part of the self zone.
To limit IP traffic moving to the IP addresses of the router from the various zones on a router, policies must be applied. The policies can be set to block, allow, or inspect traffic between a zone and the self zone of the router, and vice versa. If there are no policies between a zone and the self zone, all traffic is permitted to the interfaces of the router without being inspected.
Zone-Based Policy Firewall Operation – cont’d
A policy can be defined using the self zone as either the source or the destination zone.
Remember: the self zone is a system-defined zone. It does not require any interfaces to be configured as members.
A zone pair that includes the self zone, along with the associated policy, applies to traffic that is directed to the router or traffic that the router generates. It does not apply to traffic traversing the router.
Zone-Based Policy Firewall Operation – cont’d
When the router is involved in the traffic flow, additional rules for zone-based policy firewalls govern interface behaviour:
All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to or from other interfaces in the same zone and traffic to any interface on the router.
All the IP interfaces on the router are automatically made part of the self zone when ZPF is configured. The self zone is the only exception to the default deny-all policy. All traffic to any router interface is allowed until it is explicitly denied.
In other words, the only exception to the deny-by-default approach is the traffic to and from the router itself. This traffic is permitted by default, so a router with only inter-zone policies still exposes its management plane to every zone. An explicit policy between each zone and the self zone can be configured to restrict such traffic.
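Because each direction of each zone/self pair is evaluated independently, restricting INSIDE-to-self on its own leaves OUTSIDE-to-self wide open, and dropping OUTSIDE-to-self without inspecting self-to-OUTSIDE breaks the replies to sessions the router itself opens. The following added example (not from the original slides) handles all three pairs. The zone names, the 10.10.0.0/24 management subnet, the ACL, class and policy names, and the interface names are assumptions for illustration.

```ios
! Added example (not from the original slides). Zone names, the
! 10.10.0.0/24 management subnet, ACL/class/policy names and interface
! names are assumptions for illustration.
zone security INSIDE
zone security OUTSIDE
!
! INSIDE -> self: only SSH from the management subnet, stateful.
! The self zone supports generic TCP/UDP/ICMP inspection rather than
! application-level inspection on many releases, so match generic TCP
! and narrow the destination port with the ACL.
ip access-list extended MGMT-SSH-ACL
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
!
class-map type inspect match-all MGMT-SSH
 match access-group name MGMT-SSH-ACL
 match protocol tcp
!
policy-map type inspect INSIDE-TO-SELF
 class type inspect MGMT-SSH
  inspect
 class class-default
  drop log
!
! OUTSIDE -> self: nothing may reach the router from the Internet.
! This pair is needed on its own; the INSIDE -> self pair above does
! nothing for traffic arriving from OUTSIDE.
policy-map type inspect OUTSIDE-TO-SELF
 class class-default
  drop log
!
! self -> OUTSIDE: sessions the router opens (NTP, DNS, syslog ...).
! Without inspect here their replies would be dropped by
! OUTSIDE-TO-SELF, because drop and pass keep no session state.
class-map type inspect match-any ROUTER-ORIGINATED
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect SELF-TO-OUTSIDE
 class type inspect ROUTER-ORIGINATED
  inspect
!
zone-pair security IN-TO-SELF source INSIDE destination self
 service-policy type inspect INSIDE-TO-SELF
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Apply the self-zone pairs from the console, or with a scheduled reload as a safety net, because a mistake in IN-TO-SELF locks out SSH. The SELF-TO-OUT policy has an implicit class-default drop, so anything else the router originates towards OUTSIDE (a routing protocol, or ESP if the router is itself a VPN endpoint) needs its own class with pass or inspect.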
Configuring ZPF with the CLI
There are several steps for configuring ZPF with the CLI:
Step 1. Create the zones for the firewall with the zone security command.
Step 2. Define traffic classes with the class-map type inspect command.
Step 3. Specify firewall policies with the policy-map type inspect command.
Step 4. Apply firewall policies to pairs of source and destination zones using the zone-pair security command.
Step 5. Assign router interfaces to zones using the zone-member security interface command.
Configuring ZPF with the CLI – cont’d
When configuring ZPF with the CLI, there are several factors to consider:
Only policy maps defined with type inspect can be used in the zone-pair security command.
Only class maps defined with type inspect can be used in policy maps with type inspect.
There can be no name overlap with other types of class maps or policy maps. There cannot be a quality-of-service class map and an inspect class map with the same name.
A zone must be configured with the zone security global command before it can be used in the zone-member security interface configuration command.
An interface cannot belong to multiple zones. To create a union of security zones, specify a new zone and the appropriate policy map and zone pairs.
Configuring ZPF with the CLI – cont’d
When configuring ZPF with the CLI, there are several factors to consider:
The zone-based policy firewall feature is a replacement for CBAC. Remove the ip inspect interface configuration command before applying the zone-member security command.
The zone-based policy firewall can coexist with CBAC. The ip inspect command can still be used on interfaces that are not members of security zones.
Traffic can never flow between an interface assigned to a zone and an interface without a zone assignment. Applying the zone-member configuration command always results in a temporary interruption of service.
The default inter-zone policy is to drop all traffic unless specified otherwise in the zone-pair configuration.
The router never filters the traffic between interfaces in the same zone.
The zone-member command does not protect the router itself (traffic to and from the router is not affected) unless zone pairs are configured using the predefined self zone.
Step 1 – Create the Zones
The administrator creates the zones for the firewall with the zone security command. An optional description is recommended.
Router(config)# zone security zone-name
Router(config-sec-zone)# description line-of-description
Step 2 – Define Traffic Classes
ZPF traffic classes enable you to define traffic flows in as granular a fashion as desired.
This is the syntax for creating ZPF traffic classes:
Router(config)# class-map type inspect [match-any | match-all] class-map-name
For Layer 3 and Layer 4 (top-level) class maps, the match-any option is the default behavior. Stating match-any or match-all explicitly avoids depending on the default.
Router(config)# class-map type inspect protocol-name [match-any | match-all] class-map-name
For Layer 7 (application-specific) class maps, see www.cisco.com for construction details.
Step 2 – Define Traffic Classes – cont’d
The syntax for referencing access lists from within the class map is:
Router(config-cmap)# match access-group {access-group | name access-group-name}
Protocols are matched from within the class map with the syntax:
Router(config-cmap)# match protocol protocol-name
Nested class maps can be configured as well using the syntax:
Router(config-cmap)# match class-map class-map-name
The ability to create a hierarchy of classes and policies by nesting is one of the reasons that ZPF is such a powerful approach to creating Cisco IOS firewalls. A typical use is a match-all class that combines a match access-group (which hosts) with a nested match-any class of protocols (which applications).
Step 3 – Define Firewall Policies
Similar to other modular CLI constructs in Cisco IOS software, the administrator has to specify what to do with the traffic matching the desired traffic class. The options are pass, inspect, drop, and police (which rate-limits the matching traffic and is used together with inspect).
This is the syntax for creating ZPF policy maps:
Router(config)# policy-map type inspect policy-map-name
Traffic classes on which an action must be performed are specified within the policy map:
Router(config-pmap)# class type inspect class-name
The default class (matching all remaining traffic) is specified using this command:
Router(config-pmap)# class class-default
Finally, the action to take on the traffic is specified:
Router(config-pmap-c)# {pass | inspect | drop [log] | police}
Traffic that matches no class in the policy map falls into class-default, which drops unless configured otherwise.
Step 4 – Assign Policy Maps to Zone Pairs
After the firewall policy has been configured, you must apply it to traffic between a pair of zones using the zone-pair security command. To apply a policy, a zone pair must first be created. Specify the source zone, the destination zone, and the policy for handling the traffic between them.
Router(config)# zone-pair security zone-pair-name source {source-zone-name | self} destination {destination-zone-name | self}
Use the service-policy type inspect policy-map-name command to attach a policy map and its associated actions to a zone pair. Enter the command after entering the zone-pair security command.
A zone pair is unidirectional. Return traffic for inspected sessions is allowed automatically, but sessions initiated from the other zone need their own zone pair and policy.
Step 4 – Assign Policy Maps to Zone Pairs – cont’d
Deep-packet inspection (attaching a Layer 7 policy map to a top-level policy map) can also be configured. This is the syntax used with Cisco IOS Release 12.4(20)T:
Router(config-pmap-c)# service-policy {h323 | http | im | imap | p2p | pop3 | sip | smtp | sunrpc | urlfilter} policy-map
The policy-map argument is the name of the Layer 7 policy map being applied to the top-level Layer 3 or Layer 4 policy map.
Step 5 – Assign Interfaces to the Zones
Finally, the administrator must assign interfaces to the appropriate security zones using the zone-member security interface command.
Router(config-if)# zone-member security zone-name
The zone-member security command puts an interface into a security zone. When an interface is in a security zone, all traffic to and from that interface (except traffic going to the router or initiated by the router) is dropped by default.
To permit traffic through an interface that is a zone member, the zone must be part of a zone pair to which a policy is applied. If the policy permits traffic (via the inspect or pass actions), traffic can flow through the interface.
ZPF configuration can also be done with the SDM (Cisco Security Device Manager).
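The five steps carried through for a LAN-to-Internet router, as an added example that is not from the original slides. The zone, class and policy names, the 10.0.0.0/24 LAN, the protocol list and the interface names are assumptions for illustration; the nested class map uses the match access-group and match class-map forms from Step 2.

```ios
! Added example (not from the original slides). Zone/class/policy names,
! the 10.0.0.0/24 LAN, the protocol list and interface names are
! assumptions for illustration.
!
! Step 1 - zones
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted Internet
!
! Step 2 - traffic classes
ip access-list extended LAN-HOSTS
 permit ip 10.0.0.0 0.0.0.255 any
!
! Which applications: any one of these protocols (match-any).
class-map type inspect match-any LAN-APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol ftp
 match protocol icmp
!
! Which hosts AND which applications (match-all with a nested class).
class-map type inspect match-all LAN-TO-INTERNET
 match access-group name LAN-HOSTS
 match class-map LAN-APPS
!
! Step 3 - policy: inspect the class, log-drop everything else
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect LAN-TO-INTERNET
  inspect
 class class-default
  drop log
!
! Step 4 - zone pair (INSIDE -> OUTSIDE only). No OUTSIDE -> INSIDE pair
! exists, so unsolicited inbound traffic is dropped by default while
! return traffic for inspected sessions is admitted by the session table.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! Step 5 - interfaces. Remove any legacy "ip inspect" from the interface
! first; assigning a zone briefly interrupts traffic on it.
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
```

To check the result, show zone security and show zone-pair security confirm the membership and the attached policy, and show policy-map type inspect zone-pair IN-TO-OUT sessions lists the active inspected sessions with per-class packet and drop counters. Traffic to the router's own addresses is still unfiltered here; that requires zone pairs with the self zone.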
Resource material for PowerPoints from: