• MQC-like syntax wrapper for CBAC
– Makes configuration more modular than CBAC
– Uses same CBAC inspection engine behind the scenes.
• Allows for more granular control than CBAC
– Interfaces grouped together based on zone assignment
• E.g. zone “outside”, “inside”, “dmz”, etc.
– Firewall policy applies based on association of zones
• Called zone pairing
• E.g. “inside-to-outside” pairing, “outside-to-dmz” pairing, etc.
– Decoupling of interface and zone allows for better maintenance
• Easy to add new “inside” or “outside” interfaces
• New interfaces automatically inherit policy applied to zone pairing.
ZBF Zone Types
• Two types of zones
– User defined zones
• E.g. “outside”, “inside”, etc.
– Self zone
• Traffic locally originated from and destined to router.
ZBF Traffic Filtering
• Intra zone traffic allowed
– E.g. “inside” to “inside”
• Inter zone traffic denied
– E.g. “outside” to “inside”
– Policy must manually define inspected/allowed traffic flows.
• Self traffic allowed by default
– Allows for control plane sessions
• E.g. OSPF adjacency
– Can be manually filtered with policy applied to zone pairing
• E.g. “outside-to-self” pairing.
ZBF Classification
• Like MQC, ZBPF uses class-map to match traffic flows
– class-map type inspect
– match-all vs. match-any
• Two different types of inspection classes
– Layer 3/4 class-maps
• Matches ACLs or protocols
• E.g. TCP port 23 from host 1.2.3.4
– Layer 7 class-maps
• Deep Packet Inspection (DPI)
• Application specific inspections
• E.g. HTTP POST message, SMTP recipient count, etc.
ZBF Policies
• Like MQC, ZBPF uses policy-map to apply actions
– policy-map type inspect
• Two different types of inspection policies
– Layer 3/4 policy-maps
• Calls Layer 3/4 class-map
– Layer 7 policy-maps
• Calls Layer 7 class-map
• Like MQC, policy-map ends in class-default
– class-default drops all traffic by default.
ZBF Layer 3/4 Policy Map Actions
• Inspect
– CBAC stateful inspection, similar to ASA MPF inspection
– Automatically allows return flows based on state table
• Pass
– One-way manual exception
– Traffic passed inside to outside does not automatically pass outside to inside
• Drop
– Discard packets.
• Log
– Generate syslog message
• Police
– Rate limit traffic to specified value
• Service-Policy
– Call Layer 7 policy-map for Deep Packet Inspection.
ZBF Layer 7 Policy Map Actions
• Applies application specific action
– Different protocols support different actions
• Actions are…
– Allow
• Allow the session through
– Reset
• Send TCP RST to terminate session
– Log
• Generate syslog message
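The zone, class-map, policy-map and zone-pair steps above, tied together in one IOS configuration; this is an added example, not taken from the slides, and the zone names, policy names, ACL name and interface numbers are assumed.

```cisco
! Added example, not from the slides: zone, class-map and policy-map names
! and interface numbers are assumed.
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Layer 3/4 class: protocol matches for inside-initiated sessions
class-map type inspect match-any INSIDE-TO-OUTSIDE-APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Layer 7 class and policy: HTTP POST requests get logged (DPI)
class-map type inspect http match-any HTTP-POST
 match request method post
policy-map type inspect http HTTP-L7-POLICY
 class type inspect http HTTP-POST
  log
!
! Layer 3/4 policy: stateful inspect (return flows auto-allowed), HTTP handed
! to the Layer 7 policy, class-default explicitly drops and logs the rest
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-APPS
  inspect
  service-policy http HTTP-L7-POLICY
 class class-default
  drop log
!
! Zone pairing: unidirectional; no OUTSIDE->INSIDE pair exists, so that
! direction stays denied
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Self zone: once this pair exists, outside traffic to the router itself is
! subject to the policy; OSPF is passed (not inspectable), all else dropped
ip access-list extended OUTSIDE-TO-SELF-ACL
 permit ospf any any
class-map type inspect match-all OUTSIDE-TO-SELF-CONTROL
 match access-group name OUTSIDE-TO-SELF-ACL
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect OUTSIDE-TO-SELF-CONTROL
  pass
 class class-default
  drop log
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF-POLICY
```

Check the resulting state table with `show policy-map type inspect zone-pair sessions`; a second inside interface only needs `zone-member security INSIDE` to inherit the same policy.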