Context-Based Access Control (CBAC)
102 pages

CBAC_ZPF

Apr 07, 2018

Ben Stewart
Page 1: CBAC_ZPF

8/3/2019 CBAC_ZPF

http://slidepdf.com/reader/full/cbaczpf 1/102

Context-Based Access Control

CBAC

Page 2: CBAC_ZPF

CBAC Characteristics

Context-based access control (CBAC) is a solution available within the Cisco IOS Firewall.

CBAC intelligently filters TCP and UDP packets based on Application Layer protocol session information.

It provides stateful Application Layer filtering, including protocols that are specific to unique applications, as well as multimedia applications and protocols that require multiple channels for communication, such as FTP and H.323.

CBAC can also examine supported connections for embedded NAT and PAT information and perform the necessary address translations.

CBAC can block peer-to-peer (P2P) connections, such as those used by the Gnutella and KaZaA applications.

Instant messaging traffic can be blocked, such as Yahoo!, AOL, and MSN.

Page 3: CBAC_ZPF

CBAC Functions

CBAC performs four main functions:

Traffic filtering

Traffic inspection

Intrusion detection

Generation of audits and alerts

Page 4: CBAC_ZPF

Traffic Filtering

CBAC can be configured to permit specified TCP and UDP return traffic through a firewall when the connection is initiated from within the network.

It accomplishes this by creating temporary openings in an ACL that would otherwise deny the traffic.

CBAC can inspect traffic for sessions that originate from either side of the firewall.

It can also be used for intranet, extranet, and Internet perimeters of the network.

Page 5: CBAC_ZPF

Traffic Filtering – cont’d

CBAC examines not only Network Layer and Transport Layer information but also examines the Application Layer protocol information (such as FTP connection information) to learn about the state of the session.

This allows support of protocols that involve multiple channels created as a result of negotiations in the control channel.

Most of the multimedia protocols as well as some other protocols (such as FTP, RPC, and SQL*Net) involve multiple channels.

Page 6: CBAC_ZPF

Traffic Inspection

Because CBAC inspects packets at the Application Layer and maintains TCP and UDP session information, it can detect and prevent certain types of network attacks such as SYN-flooding.

A SYN-flood attack occurs when a network attacker floods a server with a barrage of connection requests and does not complete the connection. The resulting volume of half-open (embryonic) connections overwhelms the server, causing it to deny service to valid requests.

CBAC also helps to protect against DoS attacks in other ways. It inspects packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets.

CBAC can also be configured to drop half-open connections, which require firewall processing and memory resources to maintain.

Page 7: CBAC_ZPF

Intrusion Detection

CBAC provides a limited amount of intrusion detection to protect against specific SMTP attacks.

With intrusion detection, syslog messages are reviewed and monitored for specific attack signatures.

Certain types of network attacks have specific characteristics or signatures.

When CBAC detects an attack based on those specific characteristics, it resets the offending connections and sends syslog information to the syslog server.

Page 8: CBAC_ZPF

Alert and Audit Generation

CBAC also generates real-time alerts and audit trails.

Enhanced audit trail features use syslog to track all network transactions and record timestamps, source and destination hosts, ports used, and the total number of transmitted bytes for advanced session-based reporting.

Real-time alerts send syslog error messages to central management consoles upon detecting suspicious activity.

Page 9: CBAC_ZPF

Traffic Filtering from CBAC

Page 10: CBAC_ZPF

CBAC Characteristics – cont’d

The first CBAC commands were introduced to Cisco IOS software in 1997.

CBAC is a dramatic improvement over the TCP established and reflexive ACL firewall options in several fundamental ways:

Monitors TCP connection setup

Maintains UDP session information

Tracks TCP sequence numbers

Inspects DNS queries and replies

Inspects common ICMP message types

Supports applications that rely on multiple connections

Inspects embedded addresses

Inspects Application Layer information

Page 11: CBAC_ZPF

CBAC Characteristics – cont’d

It is important to note that CBAC only provides filtering for those protocols that are specified by an administrator.

If a protocol is not specified, the existing ACLs determine how that protocol is filtered, and no temporary opening is created.

Additionally, CBAC only detects and protects against attacks that travel through the firewall. It does not typically protect against attacks originating from within the protected network unless that traffic travels through an internal router with the Cisco IOS Firewall enabled.

While there is no such thing as a perfect defense, CBAC detects and prevents most of the popular attacks on a network. However, since there is no impenetrable defense, determined and skilled attackers can still find ways to launch effective attacks.

Page 19: CBAC_ZPF

CBAC Operation

Without CBAC, traffic filtering is limited to ACL implementations that examine packets at the Network Layer or, at most, the Transport Layer. CBAC relies on a stateful packet filter that is application-aware.

This means that the filter is able to recognize all sessions of a dynamic application. CBAC examines not only Network Layer and Transport Layer information but also examines Application Layer protocol information (such as FTP connection information) to learn about the state of the session.

Page 20: CBAC_ZPF

CBAC Stateful Traffic Inspection

The state table tracks the sessions and inspects all packets that pass through the stateful packet filter firewall. CBAC then uses the state table to build dynamic ACL entries that permit returning traffic through the perimeter router or firewall.

Page 21: CBAC_ZPF

How Does CBAC Work?

CBAC creates openings in ACLs at firewall interfaces by adding a temporary ACL entry for a specific session.

These openings are created when specified traffic exits the internal protected network through the firewall.

The temporary openings allow returning traffic that would normally be blocked and additional data channels to enter the internal network back through the firewall.

The traffic is allowed back through the firewall only if it is part of the same session and has the expected properties as the original traffic that triggered CBAC when exiting through the firewall.

Without this temporary ACL entry, this traffic would be denied by the pre-existing ACL. The state table dynamically changes and adapts with the traffic flow.

Page 22: CBAC_ZPF

CBAC Operation

CBAC is flexible in its configuration, especially in choosing which direction to inspect traffic.

In a typical setup, CBAC is used on the perimeter router or firewall to allow returning traffic into the network.

CBAC can also be configured to inspect traffic in two directions - in and out. This is useful when protecting two parts of a network, where both sides initiate certain connections and allow the returning traffic to reach its source.

Assume that a user initiates an outbound connection, such as Telnet, from a protected network to an external network, and CBAC is enabled to inspect Telnet traffic.

Also assume that an ACL is applied on the external interface preventing Telnet traffic from entering the protected network. This connection goes through a multistep operation.

Page 23: CBAC_ZPF

1. When the traffic is first generated, as it passes through the router, the ACL is processed first if an inbound ACL is applied. If the ACL denies this type of outbound connection, the packet is dropped. If the ACL permits this outbound connection, the CBAC inspection rules are examined.

2. Based on the inspection rules for CBAC, the Cisco IOS software might inspect the connection. If Telnet traffic is not inspected, the packet is allowed through, and no other information is gathered. Otherwise, the connection goes to the next step.

3. The connection information is compared to entries in the state table. If the connection does not currently exist, the entry is added. If it does exist, the idle timer for the connection is reset.

4. If a new entry is added, a dynamic ACL entry is added on the external interface in the inbound direction (from the external network to the internal protected network). This allows the returning Telnet traffic, that is, packets that are part of the same Telnet connection previously established with the outbound packet, back into the network. This temporary opening is only active for as long as the session is open. These dynamic ACL entries are not saved to NVRAM.

5. When the session terminates, the dynamic information from the state table and the dynamic ACL entry are removed.

Page 24: CBAC_ZPF

CBAC – TCP Handling

Recall that TCP uses a three-way handshake. The first packet contains a random sequence number and sets the TCP SYN flag.

When the first packet from a TCP flow with the TCP SYN flag is received by the router, the inbound ACL on the inside secured interface is checked.

If the packet is permitted, a dynamic session entry is created. The session is described by endpoint addresses, port numbers, sequence numbers, and flags.

All subsequent packets belonging to this session are checked against the current state and discarded if the packets are invalid.

How does CBAC determine if a packet is a subsequent packet belonging to an already established session?

Page 25: CBAC_ZPF

CBAC – TCP Handling

When the TCP SYN packet is transmitted, the second packet contains a random sequence number that the responding host generates, as well as an acknowledgment sequence number (the received sequence number incremented by one), and the TCP SYN and ACK flags are set.

The third packet acknowledges the received packet by incrementing the packet sequence number in the acknowledgment sequence, raising the sequence number by the appropriate number of transmitted octets, and setting the ACK flag.

All subsequent segments increment their sequence numbers by the number of transmitted octets and acknowledge the last received segment by an increment of one, according to the TCP state machine.

After the three-way handshake, all packets have the ACK flag set until the session is terminated. The router determines which session each packet belongs to by tracking sequence numbers and flags.

Page 27: CBAC_ZPF

CBAC – UDP Handling

With UDP, the router cannot track the sequence numbers and flags.

There is no three-way handshake and no teardown process.

If the first packet from a UDP flow is permitted through the router, a UDP entry is created in the connection table.

The endpoint addresses and port numbers describe the UDP connection entry.

When no data is exchanged within the connection for a configurable UDP timeout, the connection description is deleted from the connection table.
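The outbound-then-return flow of slides 21 to 27 (temporary ACL opening on the outside interface, TCP flag tracking, UDP idle timeout) as a small Python simulation. This is an added example, not code from the slides or from Cisco IOS; the inside network, hosts, timeout and packet sequence are constructed, and sequence-number validation, which real CBAC also performs, is left out.

```python
# Toy model of CBAC operation (added example, not Cisco code): a router with an
# inside interface (static inbound ACL + inspection rule) and an outside interface
# whose inbound ACL denies everything except the openings CBAC adds for sessions
# initiated from the inside.
from collections import namedtuple

# proto is "tcp"/"udp"; flags is a frozenset of TCP flags; iface is the arrival interface
Packet = namedtuple("Packet", "proto src sport dst dport flags iface time",
                    defaults=(frozenset(), "inside", 0.0))


class CbacRouter:
    def __init__(self, inside_prefix, inspected, udp_timeout=30.0):
        self.inside_prefix = inside_prefix  # constructed inside network, e.g. "10.10.10."
        self.inspected = set(inspected)     # protocols named in the inspection rule
        self.udp_timeout = udp_timeout
        self.state = {}           # 5-tuple -> {"proto", "tcp" state, "last" seen}
        self.dynamic_acl = set()  # temporary entries on the outside interface, inbound

    def _close(self, key):
        self.state.pop(key, None)
        self.dynamic_acl.discard(key)

    def _expire(self, now):
        # UDP has no teardown: its entry goes away only when the idle timer runs out.
        for key, s in list(self.state.items()):
            if s["proto"] == "udp" and now - s["last"] > self.udp_timeout:
                self._close(key)

    def handle(self, p):
        """Process one packet and return a short verdict string."""
        self._expire(p.time)
        return self._outbound(p) if p.iface == "inside" else self._inbound(p)

    def _outbound(self, p):
        # Step 1: the static inbound ACL on the inside interface is checked first.
        if not (p.src.startswith(self.inside_prefix) and p.proto in ("tcp", "udp")):
            return "dropped by inside ACL"
        if p.proto not in self.inspected:           # step 2: not in the inspection rule
            return "permitted, not inspected"
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        s = self.state.get(key)
        if s is None:                               # steps 3-4: new session, new opening
            if p.proto == "tcp" and p.flags != {"SYN"}:
                return "dropped: TCP session must start with SYN"
            self.state[key] = {"proto": p.proto, "tcp": "SYN_SENT", "last": p.time}
            self.dynamic_acl.add(key)
            return "permitted, session created"
        s["last"] = p.time                          # step 3: known session, reset idle timer
        if p.proto == "tcp":
            if p.flags & {"FIN", "RST"}:            # step 5: teardown removes both entries
                self._close(key)
                return "permitted, session closed"
            if s["tcp"] == "SYN_RECEIVED" and "ACK" in p.flags:
                s["tcp"] = "ESTABLISHED"
        return "permitted, existing session"

    def _inbound(self, p):
        # Return traffic is matched by the reversed 5-tuple of an inside-initiated session.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key not in self.dynamic_acl:
            return "denied by outside ACL"
        s = self.state[key]
        s["last"] = p.time
        if p.proto == "tcp":
            if p.flags & {"FIN", "RST"}:
                self._close(key)
                return "permitted, session closed"
            if s["tcp"] == "SYN_SENT":              # only SYN/ACK may answer our SYN
                if p.flags != {"SYN", "ACK"}:
                    return "dropped: invalid handshake reply"
                s["tcp"] = "SYN_RECEIVED"
            elif "SYN" in p.flags or "ACK" not in p.flags:
                return "dropped: flags inconsistent with session state"
        return "permitted by dynamic ACL entry"


def demo():
    """Constructed traffic: a Telnet session, then a DNS query, from 10.10.10.5."""
    r = CbacRouter("10.10.10.", {"tcp", "udp"})
    inside, outside = "10.10.10.5", "209.165.200.10"
    def out(proto, sport, dport, *flags, t=0.0):
        return Packet(proto, inside, sport, outside, dport, frozenset(flags), "inside", t)
    def back(proto, sport, dport, *flags, t=0.0):
        return Packet(proto, outside, sport, inside, dport, frozenset(flags), "outside", t)
    steps = [back("tcp", 80, 40001, "SYN"),        # unsolicited inbound SYN
             out("tcp", 40000, 23, "SYN"),          # steps 1-4: opening created
             back("tcp", 23, 40000, "SYN", "ACK"),  # reply matches the opening
             out("tcp", 40000, 23, "ACK"),          # handshake completes
             back("tcp", 23, 40000, "ACK"),         # server data
             back("tcp", 23, 40000, "SYN"),         # bogus SYN inside a live session
             out("tcp", 40000, 23, "FIN", "ACK"),   # step 5: teardown
             back("tcp", 23, 40000, "ACK"),         # opening is gone
             out("udp", 5000, 53, t=10.0),          # UDP: no handshake, idle timer only
             back("udp", 53, 5000, t=20.0),
             back("udp", 53, 5000, t=60.0)]         # idle 40 s > 30 s: entry expired
    return [r.handle(p) for p in steps]
```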

Page 29: CBAC_ZPF

CBAC – Handling Other Protocols

Stateful firewalls do not usually track other protocols, such as GRE and IPsec, but handle protocols in a stateless manner, similar to how a classic packet filter handles these protocols.

If stateful support is provided for other protocols, the support is usually similar to the support for UDP. When a protocol flow is initially permitted, all packets matching the flow are permitted until an idle timer expires.

Dynamic applications, such as FTP, SQLnet, and many protocols that are used for voice and video signaling and media transfer, open a channel on a well-known port and then negotiate additional channels through the initial session.

Stateful firewalls support these dynamic applications through application inspection features. The stateful packet filter snoops the initial session and parses the application data to learn about the additional negotiated channels. Then the stateful packet filter enforces the policy that if the initial session was permitted, any additional channels of that application should be permitted as well.

Page 30: CBAC_ZPF

CBAC Operations – Inspection Rules

With CBAC, the protocols to inspect are specified in an inspection rule.

An inspection rule is applied to an interface in a direction (in or out) where the inspection applies. The firewall engine inspects only the specified protocol packets if they first pass the inbound ACL that is applied to the inside interface. If a packet is denied by the ACL, the packet is dropped and not inspected by the firewall.

Packets that match the inspection rule generate a dynamic ACL entry that allows return traffic back through the firewall.

The firewall creates and removes ACLs as required by the applications. When the application terminates, CBAC removes all dynamic ACLs for that session.

Page 31: CBAC_ZPF

CBAC Operations – Inspection Rules

The Cisco IOS Firewall engine can recognize application-specific commands such as illegal SMTP commands in the control channel and detect and prevent certain Application Layer attacks.

When an attack is detected, the firewall can take several actions:

Generate alert messages

Protect system resources that could impede performance

Block packets from suspected attackers

Page 32: CBAC_ZPF

CBAC Operations – Inspection Rules

The timeout and threshold values are used to manage connection state information.

These values help determine when to drop connections that do not become fully established or that time out.

Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks:

Total number of half-opened TCP sessions

Number of half-opened sessions in a time interval

Number of half-opened TCP sessions per host

Page 33: CBAC_ZPF

CBAC Operations – Inspection Rules

If a threshold for the number of half-opened TCP sessions is exceeded, the firewall has two options:

It sends a reset message to the endpoints of the oldest half-opened session, making resources available to service newly arriving SYN packets.

It blocks all SYN packets temporarily for the duration that the threshold value is configured. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources that valid connections need.
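The three half-open thresholds of slide 32 and the two responses of slide 33, modelled in Python. This is an added example, not Cisco code; the threshold values, the blocking time and the SYN burst are constructed, and a reset is only recorded, not sent.

```python
# Half-open (embryonic) TCP session accounting as the slides describe it (added
# example, not Cisco code). The three thresholds and the blocking time are
# constructed values, not IOS defaults.
from collections import OrderedDict, deque


class HalfOpenMonitor:
    def __init__(self, max_total, max_per_minute, max_per_host, mode="reset", block_time=60.0):
        assert mode in ("reset", "block")  # the two responses the slides list
        self.limits = (max_total, max_per_minute, max_per_host)
        self.mode, self.block_time = mode, block_time
        self.half_open = OrderedDict()  # (client, server, port) -> SYN time; oldest first
        self.recent = deque()           # SYN arrival times within the last 60 s
        self.block_until = 0.0
        self.resets = []                # sessions the firewall reset (toy: just recorded)

    def _prune(self, now):
        while self.recent and now - self.recent[0] >= 60.0:
            self.recent.popleft()

    def _over_threshold(self, server):
        max_total, max_per_minute, max_per_host = self.limits
        to_host = sum(1 for k in self.half_open if k[1] == server)  # per destination host
        return (len(self.half_open) >= max_total or len(self.recent) >= max_per_minute
                or to_host >= max_per_host)

    def on_syn(self, client, server, port, now):
        """A new SYN reached the inspection engine; returns the verdict."""
        self._prune(now)
        if now < self.block_until:
            return "blocked"                         # option 2 still in force
        verdict = "permit"
        if self._over_threshold(server):
            if self.mode == "block":                 # option 2: refuse SYNs for block_time
                self.block_until = now + self.block_time
                return "blocked"
            if self.half_open:                       # option 1: reset the oldest half-open session
                self.resets.append(self.half_open.popitem(last=False)[0])
                verdict = "permit, reset oldest"
        self.recent.append(now)
        self.half_open[(client, server, port)] = now
        return verdict

    def session_completed(self, client, server, port):
        """Handshake finished (or session torn down): it is no longer half-open."""
        self.half_open.pop((client, server, port), None)


def demo():
    """Constructed SYN burst from five clients against one server, per-host limit 3."""
    server = "10.10.10.20"
    clients = [f"203.0.113.{i}" for i in range(1, 6)]
    reset = HalfOpenMonitor(1000, 1000, max_per_host=3, mode="reset")
    reset_verdicts = [reset.on_syn(c, server, 80, now=float(i)) for i, c in enumerate(clients)]
    block = HalfOpenMonitor(1000, 1000, max_per_host=3, mode="block", block_time=10.0)
    block_verdicts = [block.on_syn(c, server, 80, now=float(i)) for i, c in enumerate(clients)]
    for c in clients[:3]:                            # the three real sessions complete
        block.session_completed(c, server, 80)
    block_verdicts.append(block.on_syn(clients[4], server, 80, now=20.0))  # after block_time
    return reset_verdicts, reset.resets, block_verdicts
```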

Page 35: CBAC_ZPF

Configuring CBAC

There are four steps to configure CBAC:

Step 1. Pick an interface - internal or external.

Step 2. Configure IP ACLs at the interface.

Step 3. Define inspection rules.

Step 4. Apply an inspection rule to an interface.

Page 36: CBAC_ZPF

Step 1 – Pick an Interface

First determine the internal and external interfaces for applying inspection.

With CBAC, internal and external refer to the direction of conversation.

The interface in which sessions can be initiated must be selected as the internal interface.

Sessions that originate from the external interface will be blocked.

Page 37: CBAC_ZPF

Two Interfaces

In a typical two-interface scenario in which one interface connects to the external network and the other connects to the protected network, CBAC prevents the specified protocol traffic from entering the firewall and the internal network, unless the traffic is part of a session initiated from within the internal network.

Page 38: CBAC_ZPF

Three Interfaces

In a three-interface scenario in which the first interface connects to the external network, the second interface connects to a network in a DMZ, and the third interface connects to the internal protected network, the firewall can permit external traffic to resources within the DMZ, such as DNS and web services.

The same firewall can then prevent specified protocol traffic from entering the internal network unless the traffic is part of a session initiated from within the internal network.

Page 39: CBAC_ZPF

CBAC – Two Directions

CBAC can also be configured in two directions at one or more interfaces.

Configure the firewall in two directions when the networks on both sides of the firewall require protection, such as with extranet or intranet configurations, and for protection against DoS attacks.

If configuring CBAC in two directions, configure one direction first, using the appropriate internal and external interface designations.

When configuring CBAC in the other direction, the interface designations must be swapped.

Page 40: CBAC_ZPF

Step 2 – Configure IP ACLs at the Interface

For Cisco IOS Firewall to work properly, an administrator must configure IP ACLs at the inside, outside, and DMZ interfaces.

To provide the security benefits of ACLs, an administrator should, at a minimum, configure ACLs on border routers situated at the edge of the network between the internal and external networks.

ACLs can also be used on a router positioned between two internal parts of a network to control traffic flow.

ACLs can be configured on an interface to filter inbound traffic, outbound traffic, or both.

The administrator must define ACLs for each protocol enabled on an interface to control traffic flow for that protocol.

Use ACLs to determine what types of traffic to forward or block at the router interfaces.

Page 42: CBAC_ZPF

Guidelines for IOS Firewall ACLs

Set up antispoofing protection by denying any inbound traffic (incoming on an external interface) from a source address that matches an address on the protected network.

Antispoofing protection prevents traffic from an unprotected network from assuming the identity of a device on the protected network.

Deny broadcast messages with a source address of 255.255.255.255. This entry helps prevent broadcast attacks.

REMEMBER: the last entry in an ACL is an implicit denial of all IP traffic that is not specifically allowed by other entries in the ACL.

Optionally, an administrator can add an entry to the ACL that denies IP traffic with any source or destination address, thus making the denial rule explicit. Adding this entry is especially useful if it is necessary to log information about the denied packets.

Page 44: CBAC_ZPF

Step 3 – Define Inspection Rules

You must define inspection rules to specify which Application Layer protocols to inspect at an interface. Normally, it is only necessary to define one inspection r
ule. The only exception occurs if it is necessary to enable the firewall engine in two directions at a single firewall interface. In this instance, you can configure two rules, one for each direction.

An inspection rule should specify each desired Application Layer protocol to inspect, as well as generic TCP, UDP, or ICMP, if desired.

Generic TCP and UDP inspection dynamically permits return traffic of active sessions.

ICMP inspection allows ICMP echo reply packets forwarded as a response to previously seen ICMP echo messages.

The inspection rule consists of a series of statements, each listing a protocol and specifying the same inspection rule name. Inspection rules include options for controlling alert and audit trail messages.

Page 45: CBAC_ZPF

Inspection Rules Configuration

Inspection rules are configured in global configuration.

Router(config)# ip inspect name inspection_name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

Example 1

In this example, the IP inspection rule is named FWRULE. FWRULE inspects extended SMTP and FTP with alert and audit trails enabled. FWRULE has an idle timeout of 300 seconds.

ip inspect name FWRULE smtp alert on audit-trail on timeout 300

ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Page 46: CBAC_ZPF

Inspection Rules Configuration

Example 2

In this example, the PERMIT_JAVA rule allows all users permitted by standard ACL 10 to download Java applets.

ip inspect name PERMIT_JAVA http java-list 10

access-list 10 permit 10.224.10.0 0.0.0.255

Page 47: CBAC_ZPF

Inspection Rules Configuration

Example 3

In this example, a list of protocols, including generic TCP with an idle timeout of 12 hours (normally 1 hour), is defined for the Cisco IOS Firewall to inspect.

ip inspect name in2out rcmd

ip inspect name in2out ftp

ip inspect name in2out tftp

ip inspect name in2out tcp timeout 43200

ip inspect name in2out http

ip inspect name in2out udp

Page 49: CBAC_ZPF

Step 4 – Apply an Inspection Rule to an Interface

The last step for configuring CBAC is to apply an inspection rule to an interface.

This is the command syntax used to activate an inspection rule on an interface.

Router(config-if)# ip inspect inspection_name {in | out}

Page 50: CBAC_ZPF

Step 4 – Apply an Inspection Rule to an Interface

For the Cisco IOS Firewall to be effective, both inspection rules and ACLs must be strategically applied to all router interfaces.

There are two guiding principles for applying inspection rules and ACLs on the router:

1. On the interface where traffic initiates, apply the ACL in the inward direction that permits only wanted traffic and apply the rule in the inward direction that inspects wanted traffic.

2. On all other interfaces, apply the ACL in the inward direction that denies all traffic, except traffic that has not been inspected by the firewall, such as GRE and ICMP traffic that is not related to echo and echo reply messages.

Page 51: CBAC_ZPF

CBAC Configuration Example

An administrator needs to permit inside users to initiate TCP, UDP, and ICMP traffic with all external sources.

Outside clients are allowed to communicate with the SMTP server (209.165.201.1) and HTTP server (209.165.201.2) that are located in the enterprise DMZ.

It is also necessary to permit certain ICMP messages to all interfaces. All other traffic from the external network is denied.

For this example, first create an ACL that allows TCP, UDP, and ICMP sessions and denies all other traffic.

R1(config)# access-list 101 permit tcp 10.10.10.0 0.0.0.255 any

R1(config)# access-list 101 permit udp 10.10.10.0 0.0.0.255 any

R1(config)# access-list 101 permit icmp 10.10.10.0 0.0.0.255 any

R1(config)# access-list 101 deny ip any any

Page 52: CBAC_ZPF

CBAC Configuration Example

This ACL is applied to the internal interface in the inbound direction.

The ACL processes traffic initiating from the internal network prior to leaving the network.

R1(config)# interface Fa0/0

R1(config-if)# ip access-group 101 in

Page 53: CBAC_ZPF

CBAC Configuration Example

Next, create an extended ACL in which SMTP and HTTP traffic is permitted from the external network to the DMZ network only, and all other traffic is denied.

R1(config)# access-list 102 permit tcp any host 209.165.201.1 eq www

R1(config)# access-list 102 permit tcp any host 209.165.201.2 eq smtp

R1(config)# access-list 102 permit icmp any any echo-reply

R1(config)# access-list 102 permit icmp any any unreachable

R1(config)# access-list 102 permit icmp any any administratively-prohibited

R1(config)# access-list 102 permit icmp any any packet-too-big

R1(config)# access-list 102 permit icmp any any echo

R1(config)# access-list 102 permit icmp any any time-exceeded

R1(config)# access-list 102 deny ip any any

Page 54: CBAC_ZPF

CBAC Configuration Example

This ACL is applied to the interface connecting to the external network in the inbound direction.

R1(config)# interface S0/0/0

R1(config-if)# ip access-group 102 in

Page 55: CBAC_ZPF

CBAC Configuration Example

If the configuration stopped here, all returning traffic, with the exception of ICMP messages, is denied because of the external ACL.

Next, create inspection rules for TCP inspection and UDP inspection.

R1(config)# ip inspect name MYSITE tcp

R1(config)# ip inspect name MYSITE udp

Page 56: CBAC_ZPF

CBAC Configuration Example

These inspection rules are applied to the internal interface in the inbound direction.

R1(config)# interface Fa0/0

R1(config-if)# ip inspect MYSITE in

Page 57: CBAC_ZPF

CBAC Configuration Example

The inspection list automatically creates temporary ACL statements in the inbound ACL applied to the external interface for TCP and UDP connections. This permits TCP and UDP traffic that is in response to requests generated from the internal network.

To remove CBAC from the router, use the global no ip inspect command.

Router(config)# no ip inspect

This command removes all CBAC commands, the state table, and all temporary ACL entries created by CBAC. It also resets all timeout and threshold values to their factory defaults.

After CBAC is removed, all inspection processes are no longer available, and the router uses only the current ACL implementations for filtering.
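A configuration lint that applies the guidelines of slides 42 and 50 to the R1 example above: an interface that inspects inbound must also filter inbound, every applied ACL and rule must exist, and the external inbound ACL should carry the antispoofing and broadcast denies ahead of its permits. This is an added example, not Cisco tooling; the parser handles only the command forms used on the slides, and the config text is constructed from the R1 commands.

```python
# Added example (not Cisco code): lint a CBAC configuration against the guidelines
# on the slides. Parses extended numbered ACLs, "ip inspect name" rules and the
# per-interface "ip access-group ... in" / "ip inspect ... in" commands.
from collections import defaultdict

ANY = ("0.0.0.0", "255.255.255.255")


def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); returns (spec, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    acls, rules, ifaces, cur = defaultdict(list), set(), defaultdict(dict), None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":                       # extended ACL: action proto src dst ...
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            acls[t[1]].append({"action": t[2], "proto": t[3], "src": src, "dst": dst})
        elif t[:3] == ["ip", "inspect", "name"]:
            rules.add(t[3])
        elif t[0] == "interface":
            cur = t[1]
        elif t[:2] == ["ip", "access-group"] and t[3:] == ["in"]:
            ifaces[cur]["acl_in"] = t[2]
        elif t[:2] == ["ip", "inspect"] and t[3:] == ["in"]:
            ifaces[cur]["inspect_in"] = t[2]
    return acls, rules, ifaces


def check(text, protected_nets, external_ifaces):
    """Return findings (empty list = follows the guidelines). protected_nets are
    'ADDR WILDCARD' strings; external_ifaces names the interfaces facing outside."""
    acls, rules, ifaces = parse_config(text)
    findings = []
    for name, cfg in ifaces.items():
        rule, acl = cfg.get("inspect_in"), cfg.get("acl_in")
        if rule and rule not in rules:
            findings.append(f"{name}: inspection rule {rule} applied but never defined")
        if rule and not acl:                            # principle 1: ACL in + inspect in together
            findings.append(f"{name}: inspects inbound but has no inbound ACL")
        if acl is None or acl not in acls:              # principle 2: every interface filters inbound
            findings.append(f"{name}: no usable inbound ACL")
            continue
        entries = acls[acl]
        if entries[-1] != {"action": "deny", "proto": "ip", "src": ANY, "dst": ANY}:
            findings.append(f"{name}: ACL {acl} lacks an explicit final deny ip any any")
        if name in external_ifaces:                     # antispoofing and broadcast denies
            first_permit = next((i for i, e in enumerate(entries) if e["action"] == "permit"), len(entries))
            for src in [tuple(n.split()) for n in protected_nets] + [("255.255.255.255", "0.0.0.0")]:
                if not any(e["action"] == "deny" and e["src"] == src for e in entries[:first_permit]):
                    findings.append(f"{name}: ACL {acl} has no deny for source {src[0]} ahead of its permits")
    return findings


# Constructed from the R1 commands on the slides (Fa0/0 inside, S0/0/0 outside).
SLIDE_CONFIG = """
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
access-list 101 permit udp 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 102 permit tcp any host 209.165.201.1 eq www
access-list 102 permit tcp any host 209.165.201.2 eq smtp
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any time-exceeded
access-list 102 deny ip any any
ip inspect name MYSITE tcp
ip inspect name MYSITE udp
interface Fa0/0
 ip access-group 101 in
 ip inspect MYSITE in
interface S0/0/0
 ip access-group 102 in
"""

# Same config with the two denies the slide guidelines call for, ahead of ACL 102's permits.
HARDENED_CONFIG = SLIDE_CONFIG.replace(
    "access-list 102 permit tcp any host 209.165.201.1 eq www",
    "access-list 102 deny ip 10.10.10.0 0.0.0.255 any\n"
    "access-list 102 deny ip host 255.255.255.255 any\n"
    "access-list 102 permit tcp any host 209.165.201.1 eq www")
```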

Page 59: CBAC_ZPF

Audits

Auditing keeps track of the connections that CBAC inspects, including valid and invalid access attempts.

Page 60: CBAC_ZPF

Show Commands

Page 61: CBAC_ZPF

Debug Commands

Page 62: CBAC_ZPF

Zone-Based Firewalls

Page 63: CBAC_ZPF

What is a Zone?

Zones are simple enough. You create them to group interfaces together that you want to have common firewall rules on.

You could have internal interfaces in a zone called Inside, and external-facing interfaces in one called Outside.

You apply a policy map in one direction between the two zones, which specifies what traffic is to be inspected (in that direction only), and what's to be done with it.

Without a policy to say differently, traffic between zones is denied by default.

The self zone is a zone created by default by the router. It has a permit policy by default, and it is used to manage traffic directed to or generated by the router, NOT traffic that just travels through it. If you wanted to apply firewall rules to traffic directed to the router itself, you'd have to make a zone pair of the self zone and the zone the traffic is coming from, and apply a policy to the pair.

Page 64: CBAC_ZPF

What is a Zone Pair?

A zone-pair allows you to specify a unidirectional firewall policy between two security zones.

To define a zone-pair, use the zone-pair security command. The direction of the traffic is specified by specifying a source and destination zone. The source and destination zones of a zone-pair must be security zones. The same zone cannot be defined as both the source and the destination.

If desired, you can select the default self zone as either the source or the destination zone. The self zone is a system-defined zone. It does not have any interfaces as members. A zone-pair that includes the self zone, along with the associated policy, applies to traffic directed to the router or traffic generated by the router. It does not apply to traffic through the router.

The most common usage of firewalls is to apply them to traffic through a router, so you usually need at least two zones (that is, you cannot use the self zone).

Page 65: CBAC_ZPF

ZBF

In 2006, Cisco Systems introduced the zone-based policy firewall configuration model with Cisco IOS Release 12.4(6)T.

Interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones.

A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface.

It also has the ability to prohibit traffic via a default deny-all policy between firewall zones.

ZBF

The zone-based policy firewall (ZPF or ZBF or ZFW) inspection interface supports previous firewall features, including stateful packet inspection, application inspection, URL filtering, and DoS mitigation.

Firewall policies are configured using the Cisco Common Classification Policy Language (C3PL), which uses a hierarchical structure to define network protocol inspection and allows hosts to be grouped under one inspection policy.

Zone-Based Policy Firewall Characteristics

The primary motivations for network security professionals to migrate to the ZPF model are structure and ease of use.

The structured approach is useful for documentation and communication.

The ease of use makes network security implementations more accessible to a larger community of security professionals.

Implementing CBAC is complex and can be overwhelming. Unlike ZPF, CBAC does not utilize any dedicated hierarchical data structures to modularize the implementation. CBAC has these limitations:

Multiple inspection policies and ACLs on several interfaces on a router make it difficult to correlate the policies for traffic between multiple interfaces.

Policies cannot be tied to a host group or subnet with an ACL. All traffic through a given interface is subject to the same inspection.

The process relies too heavily on ACLs.

Zone-Based Policy Firewall Characteristics

Zones establish the security borders of a network. The zone itself defines a boundary where traffic is subjected to policy restrictions as it crosses over into another region of a network.

The default policy between zones is deny all. If no policy is explicitly configured, all traffic moving between zones is blocked. This is a significant departure from the CBAC model, in which traffic was implicitly allowed until it was explicitly blocked with an ACL.

While many ZPF commands appear similar to CBAC commands, they are not the same.

A second significant change is the introduction of Cisco Common Classification Policy Language (C3PL). This new configuration policy language allows a modular approach to firewall implementation.

Zone-Based Policy Firewall Characteristics

Some of the benefits of ZPF include the following:

Not dependent on ACLs.

The router security posture is to block unless explicitly allowed.

Policies are easy to read and troubleshoot with C3PL.

One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

Designing Zone-Based Firewall – Step 1

Determine the Zones - The internetworking infrastructure under consideration must be split into separate zones with various security levels.

In this step, the administrator does not consider physical implementation of the firewall (number of devices, defense depth, redundancy, etc.), but focuses instead on the separation of the infrastructure into zones.

For example, the public network to which the internal network is connected is one zone.

Designing Zone-Based Firewall – Step 2

Establish policies between zones - For each pair of "source-destination" zones (for example, from inside network to Internet), define the sessions that clients in the source zones can request from servers in destination zones.

These sessions are most commonly TCP and UDP sessions, but also ICMP sessions such as ICMP echo.

For traffic that is not based on the concept of sessions, such as IPsec Encapsulating Security Payload [ESP], the administrator must define unidirectional traffic flows from source to destination and vice versa.

As in Step 1, this step is about the traffic requirements between zones, not the physical setup.

Designing Zone-Based Firewall – Step 3

Design the physical infrastructure - After the zones have been identified and the traffic requirements between them documented, the administrator must design the physical infrastructure, taking into account security and availability requirements.

This includes stating the number of devices between most-secure and least-secure zones and determining redundant devices.

Designing Zone-Based Firewall – Step 4

Identify subsets within zones and merge traffic requirements - For each firewall device in the design, the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones.

For example, multiple zones might be indirectly attached to a single interface of a firewall, resulting in a device-specific inter-zone policy.

Common ZPF Designs

(Figures only: LAN-to-Internet; Public Servers; Redundant Firewalls; Complex Firewalls; Complex Firewall Simplified with Zones.)

Zone-Based Policy Firewall Actions

The Cisco IOS zone-based policy firewall can take three possible actions:

Inspect - Configures Cisco IOS stateful packet inspection. This action is equivalent to the CBAC ip inspect command. It automatically allows for return traffic and potential ICMP messages. For protocols requiring multiple parallel signaling and data sessions (for example, FTP or H.323), the inspect action also handles the proper establishment of data sessions.

Drop - Similar to a deny statement in an ACL. A log option is available to log the rejected packets.

Pass - Similar to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic. Pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.

Zone-Based Policy Firewall Operation

The membership of the router network interfaces in zones is subject to several rules governing interface behavior, as is the traffic moving between zone member interfaces:

A zone must be configured before an administrator can assign interfaces to the zone.

If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.

An administrator can assign an interface to only one security zone.

Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.

To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

Zone-Based Policy Firewall Operation – cont’d

The membership of the router network interfaces in zones is subject to several rules governing interface behavior, as is the traffic moving between zone member interfaces:

Traffic cannot flow between a zone member interface and any interface that is not a zone member. An administrator can apply pass, inspect, and drop actions only between two zones.

Interfaces that have not been assigned to a zone can still use a CBAC stateful packet inspection configuration.

If an administrator does not want an interface on the router to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (also known as a dummy policy) between that zone and any other zone to which traffic flow is desired.

Zone-Based Policy Firewall Operation

The rules for a zone-based policy firewall are different when the router is involved in the traffic flow. In addition, the rules depend on whether the router is the source or the destination of the traffic.

When an interface is configured to be a zone member, the hosts that are connected to the interface are included in the zone, but traffic flowing to and from the interfaces of the router is not controlled by the zone policies.

Instead, all the IP interfaces on the router are automatically made part of the self zone.

To limit IP traffic moving to the IP addresses of the router from the various zones on a router, policies must be applied. The policies can be set to block, allow, or inspect traffic between the zone and the self zone of the router, and vice versa. If there are no policies between a zone and the self zone, all traffic is permitted to the interfaces of the router without being inspected.

Zone-Based Policy Firewall Operation

A policy can be defined using the self zone as either the source or the destination zone.

Remember – the self zone is a system-defined zone. It does not require any interfaces to be configured as members.

A zone-pair that includes the self zone, along with the associated policy, applies to traffic that is directed to the router or traffic that the router generates. It does not apply to traffic traversing the router.

Zone-Based Policy Firewall Operation

When the router is involved in the traffic flow, additional rules for zone-based policy firewalls govern interface behaviour:

All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to or from other interfaces in the same zone and traffic to any interface on the router.

All the IP interfaces on the router are automatically made part of the self zone when ZPF is configured. The self zone is the only exception to the default deny-all policy. All traffic to any router interface is allowed until traffic is explicitly denied.

The only exception to the deny-by-default approach is the traffic to and from the router itself. This traffic is permitted by default. An explicit policy can be configured to restrict such traffic.
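The operation rules from these slides (default deny between zones, intra-zone permit, zoned/unzoned isolation, self zone open unless a self-zone pair exists, pass one-way, inspect stateful), encoded as a small decision model so each case can be checked against sample flows. This is an added example, not Cisco code or the author's; the zone names, interface names and flows are constructed, and the flow tuple format is an assumption of the model.

```python
"""Model of Cisco IOS ZPF forwarding rules (added example, not Cisco code):
deny between zones by default, permit within a zone, isolate unzoned interfaces,
permit to/from the router unless a self-zone policy exists, stateful inspect."""
from dataclasses import dataclass, field

SELF = "self"  # predefined zone for traffic to or from the router itself

def reverse(flow):
    return (flow[2], flow[3], flow[0], flow[1])  # reply direction of a flow

@dataclass
class Zpf:
    zones: set = field(default_factory=set)
    members: dict = field(default_factory=dict)  # interface -> zone
    pairs: dict = field(default_factory=dict)    # (src zone, dst zone) -> action
    sessions: set = field(default_factory=set)   # flows admitted by inspect

    def member(self, intf, zone):
        # the zone must already exist, and an interface joins exactly one zone
        if zone not in self.zones or intf in self.members:
            raise ValueError(f"cannot put {intf} in zone {zone}")
        self.members[intf] = zone

    def zone_pair(self, src, dst, action):
        if src == dst or action not in ("inspect", "pass", "drop"):
            raise ValueError("a zone pair needs two different zones and an action")
        self.pairs[(src, dst)] = action

    def decide(self, src, dst, flow):
        """Permit or drop one packet; src/dst are interface names or SELF,
        flow is a constructed (src_ip, sport, dst_ip, dport) tuple."""
        sz = SELF if src == SELF else self.members.get(src)
        dz = SELF if dst == SELF else self.members.get(dst)
        if sz is None or dz is None:  # unzoned side: only zoned<->unzoned is blocked
            return "drop" if (sz or dz) not in (None, SELF) else "permit"
        if sz == dz:
            return "permit"  # traffic inside one zone is never filtered
        if (dst, src, reverse(flow)) in self.sessions:
            return "permit"  # return traffic of an inspected session
        action = self.pairs.get((sz, dz))
        if action is None:  # no policy: zones deny each other, self stays open
            return "permit" if SELF in (sz, dz) else "drop"
        if action == "inspect":
            self.sessions.add((src, dst, flow))  # pass records no state
        return "drop" if action == "drop" else "permit"

def demo():
    fw = Zpf()  # constructed inside/outside/DMZ router
    for intf, zone in (("Gi0/0", "inside"), ("Gi0/1", "outside"), ("Gi0/2", "dmz")):
        fw.zones.add(zone)  # zone security <name>
        fw.member(intf, zone)  # zone-member security <name>
    fw.zone_pair("inside", "outside", "inspect")
    fw.zone_pair("inside", "dmz", "pass")  # one-way: replies need their own pair
    fw.zone_pair("outside", SELF, "drop")  # close the router to the outside
    web = ("10.0.0.5", 51000, "203.0.113.9", 443)
    dmz = ("10.0.0.5", 51001, "10.0.2.8", 80)
    probe = ("198.51.100.7", 40000, "10.0.0.5", 22)
    return {
        "web_out": fw.decide("Gi0/0", "Gi0/1", web),
        "web_reply": fw.decide("Gi0/1", "Gi0/0", reverse(web)),
        "unsolicited": fw.decide("Gi0/1", "Gi0/0", probe),
        "dmz_out": fw.decide("Gi0/0", "Gi0/2", dmz),
        "dmz_reply": fw.decide("Gi0/2", "Gi0/0", reverse(dmz)),
        "mgmt_inside": fw.decide("Gi0/0", SELF, probe),
        "mgmt_outside": fw.decide("Gi0/1", SELF, probe),
    }
```

The DMZ pair shows why the slides warn about pass: the request is permitted but its reply, having no state and no reverse pair, is dropped.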

Configuring ZPF with the CLI

There are several steps for configuring ZPF with the CLI:

Step 1. Create the zones for the firewall with the zone security command.

Step 2. Define traffic classes with the class-map type inspect command.

Step 3. Specify firewall policies with the policy-map type inspect command.

Step 4. Apply firewall policies to pairs of source and destination zones using the zone-pair security command.

Step 5. Assign router interfaces to zones using the zone-member security interface command.

Configuring ZPF with the CLI

When configuring ZPF with the CLI, there are several factors to consider:

Only policy maps defined with type inspect can be used in the zone-pair security command.

Only class maps defined with type inspect can be used in policy maps with type inspect.

There can be no name overlap with other types of class maps or policy maps. There cannot be a quality-of-service class map and an inspect class map with the same name.

A zone must be configured with the zone security global command before it can be used in the zone-member security interface configuration command.

An interface cannot belong to multiple zones. To create a union of security zones, specify a new zone and appropriate policy map and zone pairs.

Configuring ZPF with the CLI

When configuring ZPF with the CLI, there are several factors to consider:

The zone-based policy firewall feature is a replacement for CBAC. Remove the ip inspect interface configuration command before applying the zone-member security command.

The zone-based policy firewall can coexist with CBAC. The ip inspect command can still be used on interfaces that are not members of security zones.

Traffic can never flow between an interface assigned to a zone and an interface without a zone assignment. Applying the zone-member configuration command always results in temporary interruption of service.

The default inter-zone policy is to drop all traffic unless specified otherwise in the zone-pair configuration command.

The router never filters the traffic between interfaces in the same zone.

The zone-member command does not protect the router itself (traffic to and from the router is not affected) unless the zone pairs are configured using the predefined self zone.

Step 1 – Create the Zones

The administrator creates the zones for the firewall with the zone security command. An optional description is recommended.

Router(config)# zone security zone-name
Router(config-sec-zone)# description line-of-description

Step 2 – Define Traffic Classes

ZPF traffic classes enable you to define traffic flows in as granular a fashion as desired.

This is the syntax for creating ZPF traffic classes:

Router(config)# class-map type inspect [match-any | match-all] class-map-name

For Layer 3 and Layer 4, top-level class maps, the match-any option is the default behavior.

Router(config)# class-map type inspect protocol-name [match-any | match-all] class-map-name

For Layer 7, application-specific class maps, see www.cisco.com for construction details.

Step 2 – Define Traffic Classes

The syntax for referencing access lists from within the class map is:

Router(config-cmap)# match access-group {access-group | name access-group-name}

Protocols are matched from within the class map with the syntax:

Router(config-cmap)# match protocol protocol-name

Nested class maps can be configured as well using the syntax:

Router(config-cmap)# match class-map class-map-name

The ability to create a hierarchy of classes and policies by nesting is one of the reasons that ZPF is such a powerful approach to creating Cisco IOS firewalls.

Step 3 – Define Firewall Policies

Similar to other modular CLI constructs with Cisco IOS software, the administrator has to specify what to do with the traffic matching the desired traffic class. The options are pass, inspect, drop, and police.

This is the syntax for creating ZPF policy maps:

Router(config)# policy-map type inspect policy-map-name

Traffic classes on which an action must be performed are specified within the policy map.

Router(config-pmap)# class type inspect class-name

The default class (matching all remaining traffic) is specified using this command.

Router(config-pmap)# class class-default

Finally, the action to take on the traffic is specified.

Router(config-pmap-c)# pass | inspect | drop [log] | police

Assign Policy Maps to Zone Pairs

After the firewall policy has been configured, you must apply it to traffic between a pair of zones using the zone-pair security command. To apply a policy, a zone pair must first be created. Specify the source zone, the destination zone, and the policy for handling the traffic between them.

Router(config)# zone-pair security zone-pair-name [source source-zone-name | self] destination [self | destination-zone-name]

Use the service-policy type inspect policy-map-name command to attach a policy-map and its associated actions to a zone-pair. Enter the command after entering the zone-pair security command.

Assign Policy Maps to Zone Pairs – cont’d

Deep-packet inspection (attaching a Layer 7 policy map to a top-level policy map) can also be configured. This is the syntax used with Cisco IOS Release 12.4(20)T.

Router(config-pmap-c)# service-policy {h323 | http | im | imap | p2p | pop3 | sip | smtp | sunrpc | urlfilter} policy-map

The policy map is the name of the Layer 7 policy map being applied to the top-level Layer 3 or Layer 4 policy map.

Step 5 – Assign Interfaces to the Zones

Finally, the administrator must assign interfaces to the appropriate security zones using the zone-member interface command.

Router(config-if)# zone-member security zone-name

The zone-member security command puts an interface into a security zone. When an interface is in a security zone, all traffic to and from that interface (except traffic going to the router or initiated by the router) is dropped by default.

To permit traffic through an interface that is a zone member, the zone must be part of a zone pair to which a policy is applied. If the policy permits traffic (via inspect or pass actions), traffic can flow through the interface.

ZPF configuration can also be done with the SDM.
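The five CLI steps above, worked through as a generator that emits the commands in the order the steps require and rejects plans that break the factors listed earlier (zone created before zone-pair and zone-member, only inspect-type class and policy maps, distinct source and destination zones). This is an added example, not Cisco code or the author's; the zone, class-map, policy-map and interface names, the protocols and the LAN-to-Internet plan are constructed.

```python
"""Render the five-step ZPF CLI configuration from a small plan and check the
ordering and naming rules from the slides (added example, not Cisco code)."""

ACTIONS = ("inspect", "pass", "drop", "drop log")


def render_zpf(zones, class_maps, policy_maps, zone_pairs, members):
    """zones: {name: description}; class_maps: {name: (match_kind, [protocols])};
    policy_maps: {name: [(class_name or 'class-default', action)]};
    zone_pairs: {name: (src_zone, dst_zone, policy_map)}; members: {intf: zone}.
    Returns the configuration as a list of lines in the order the steps require."""
    out = []
    for name, desc in zones.items():                       # Step 1
        if name == "self":
            raise ValueError("self is a system-defined zone")
        out += [f"zone security {name}", f" description {desc}"]
    for name, (kind, protos) in class_maps.items():        # Step 2
        if kind not in ("match-any", "match-all"):
            raise ValueError(f"class map {name}: bad match kind {kind}")
        out.append(f"class-map type inspect {kind} {name}")
        out += [f" match protocol {p}" for p in protos]
    for name, entries in policy_maps.items():              # Step 3
        out.append(f"policy-map type inspect {name}")
        for cls, action in entries:
            if cls != "class-default" and cls not in class_maps:
                raise ValueError(f"policy map {name}: {cls} is not an inspect class map")
            if action not in ACTIONS:
                raise ValueError(f"policy map {name}: bad action {action}")
            out.append(" class class-default" if cls == "class-default"
                       else f" class type inspect {cls}")
            out.append(f"  {action}")
    for name, (src, dst, pmap) in zone_pairs.items():      # Step 4
        if src == dst:
            raise ValueError(f"zone pair {name}: source and destination must differ")
        if any(z != "self" and z not in zones for z in (src, dst)):
            raise ValueError(f"zone pair {name}: zones must be created in step 1")
        if pmap not in policy_maps:
            raise ValueError(f"zone pair {name}: {pmap} is not an inspect policy map")
        out += [f"zone-pair security {name} source {src} destination {dst}",
                f" service-policy type inspect {pmap}"]
    for intf, zone in members.items():                     # Step 5, last: it interrupts service
        if zone not in zones:
            raise ValueError(f"{intf}: zone {zone} must exist before zone-member")
        out += [f"interface {intf}", f" zone-member security {zone}"]
    return out


def lan_to_internet():
    """Constructed LAN-to-Internet plan: inspect web and DNS outbound, log and
    drop everything else, and deny traffic from the Internet to the router itself."""
    return render_zpf(
        zones={"inside": "Trusted LAN", "outside": "Internet"},
        class_maps={"WEB-DNS": ("match-any", ["http", "dns"])},
        policy_maps={
            "IN-OUT": [("WEB-DNS", "inspect"), ("class-default", "drop log")],
            "DENY-ALL": [("class-default", "drop log")],
        },
        zone_pairs={
            "IN-TO-OUT": ("inside", "outside", "IN-OUT"),
            "OUT-TO-SELF": ("outside", "self", "DENY-ALL"),
        },
        members={"GigabitEthernet0/0": "inside", "GigabitEthernet0/1": "outside"},
    )
```

Because no pair is defined from outside to inside, return traffic for the inspected web and DNS sessions is admitted by state while unsolicited inbound connections fall to the default deny.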

Resource material for PowerPoints from: