Advanced Zone-based Firewall Configuration
Date: Mar 7, 2011
The advanced configuration of zone based firewalls, while not hard, can be confusing to understand without proper perspective of what is possible. While my previous article, “Basic Zone-Based Firewall Configuration” reviewed the steps required for configuring a basic zone based firewall, it did not review all of the capabilities of the feature. The zone based firewall feature is not just restricted to matching and applying policy to traffic based on layer 3/4 criteria. It also has application inspection and control (AIC) capability that enables deeper packet inspection; this provides the capability to apply policy based on layer 5 through 7 criteria.
It is important to understand the basic configuration of the zone-based firewall as the more advanced capabilities like URL filtering and HTTP inspection are configured by being nested inside an existing layer 3/4 policy. For example, all HTTP traffic could be matched and then be configured to be inspected by the stateful packet engine; it is only after this is already configured that these additional capabilities can be used. Because of this overlap, a primer section has been included.
Primer
This article builds on the concepts and configuration covered in the “Basic Zone-Based Firewall Fundamentals” and “Basic Zone Based Firewall Configuration” articles. The key ones are summarized in this section.
As was covered in the other two articles, a zone based firewall configuration requires knowledge of a zone and a zone-pair. A zone (or security zone) is created for each part of the network that has an access/traffic control policy, the common ones being a private zone for inside the organizational network and a public zone for the Internet. A zone-pair is used to link different zones together and to apply policies between the two linked zones; these zone-pairs are unidirectional.
A zone-based firewall configuration is implemented on Cisco equipment through the Cisco Common Classification Policy Language (C3PL) that closely resembles the Modular QoS CLI (MQC) structure. This configuration requires that the traffic subject to a policy be matched using a class-map which is in turn used inside a policy-map statement to link that traffic with a specific policy; this policy-map is then applied to a specific zone-pair using the service-policy command. The more advanced policy options are configured using C3PL as well, after an existing basic configuration has been completed.
IOS Zone Based Firewall Configuration
There are a number of different protocols which are supported with AIC; these are shown in the following list:
- America Online (AOL) Instant Messenger
- eDonkey P2P protocol
- FastTrack traffic P2P protocol
- Gnutella Version 2 traffic P2P protocol
- H.323 VoIP Protocol version 4
- Hypertext Transfer Protocol (HTTP) (URL Filtering and HTTP inspection)
- Internet Message Access Protocol (IMAP)
- I Seek You (ICQ) IM protocol
- Kazaa Version 2 P2P protocol
- MSN Messenger IM protocol
- Post Office Protocol version 3 (POP3)
- Session Initiation Protocol (SIP)
- Simple Mail Transfer Protocol (SMTP)
- Sun RPC (SUNRPC)
- Windows Messenger IM protocol
- Yahoo IM protocol
As covering each of these protocols in detail would turn this article into a book, this article is limited to the HTTP inspection configuration options. However, know that capabilities similar to those shown are available for each of the protocols in the list above.
The HTTP inspection option provides the ability to match traffic based not only on the fact that it is using port 80 (or other ports mapped to HTTP through Port-to-Application Mapping, PAM) but also on much more specific criteria inside the HTTP request and response. Note that only cleartext HTTP can be inspected this way; the contents of an HTTPS session are encrypted and are not visible to the inspection engine. The matching criteria include:
- Whether the HTTP traffic is compliant
- HTTP body length
- HTTP content type
- HTTP encoding method
- URI or argument length
- HTTP request method
- HTTP port misuse (For example, p2p or chat protocols)
- URI or argument matching expressions (Using Regex)
The steps to configure a layer 5-7 class-map are very similar to those used for the layer 3/4 class-map. The main difference is the addition of an extra keyword (in this case http). The example syntax of this for HTTP inspection is shown below:
router(config)#class-map type inspect http [match-any | match-all] class-map-name
Most of what makes the layer 5-7 class-maps different is the set of match options. As shown above, there are a number of deeper HTTP packet options that can be matched on. The following commands correspond to the criteria listed above, in the same order:
router(config-cmap)#match req-resp protocol violation
router(config-cmap)#match req-resp body length {lt | gt} bytes
router(config-cmap)#match req-resp header content-type {violation | mismatch | unknown}
router(config-cmap)#match req-resp header transfer-encoding {chunked | compress | deflate | gzip | identity | all}
router(config-cmap)#match request {uri | arg} length gt bytes
router(config-cmap)#match request method {connect | copy | delete | edit | get | getattribute | getattributenames | getproperties | head | index | lock | mkdir | move | options | post | put | revadd | revlabel | revlog | revnum | save | setattribute | startrev | stoprev | trace | unedit | unlock}
router(config-cmap)#match request port-misuse {im | p2p | tunneling | any}
router(config-cmap)#match request [not] {uri | arg} regex parameter-map-name
As with the class-map shown above, the difference between layer 3/4 and layer 5-7 policy-maps is a single keyword (again http). The example syntax of this for HTTP inspection is shown below:
router(config)#policy-map type inspect http policy-map-name
The policy-map actions are also very similar; the following are the supported layer 5-7 policy actions:
- Allow: Permits the matched traffic
- Log: Logs the matched traffic
- Reset: Resets the connection of the matched traffic
The following commands would be used to match based on a configured class-map and assign a policy action:
router(config-pmap)#class type inspect http class-map-name
router(config-pmap-c)#allow
router(config-pmap-c)#log
router(config-pmap-c)#reset
The application of a layer 5-7 policy-map is where there is a major difference in implementation from a layer 3/4 policy. A layer 5-7 policy-map is not applied to a zone-pair but to an existing layer 3/4 policy-map: it is nested under a class inside that policy-map whose action is inspect, so it only ever sees traffic that the layer 3/4 class has already matched and handed to the stateful inspection engine. The example syntax for this is shown below:
router(config-pmap-c)#service-policy http policy-map-name
Because the concept of nesting different policies can be rather confusing, and in order to wrap up the material presented here, the following example is presented. This example is based on the simple topology shown in Figure 1. The policy inspects all HTTP traffic going from the Private zone to the Public zone and resets the connection of any non-compliant HTTP traffic.
Figure 1 Advanced Zone Configuration Example
- Configure the 5-7 class-map:
router(config)#class-map type inspect http AIC-sample-class
router(config-cmap)#match req-resp protocol violation
- Configure the 5-7 policy-map:
router(config)#policy-map type inspect http AIC-sample-policy
router(config-pmap)#class type inspect http AIC-sample-class
router(config-pmap-c)#reset
- Configure the 3/4 class-map:
router(config)#class-map type inspect sample-class
router(config-cmap)#match protocol http
- Configure the 3/4 policy-map:
router(config)#policy-map type inspect sample-policy
router(config-pmap)#class type inspect sample-class
router(config-pmap-c)#inspect
router(config-pmap-c)#service-policy http AIC-sample-policy
- Configure the zones:
router(config)#zone security Public
router(config)#zone security Private
- Configure the zone-pairs:
router(config)#zone-pair security private-public-pair source Private destination Public
router(config-sec-zone-pair)#service-policy type inspect sample-policy
- Assign a zone onto the interface:
router(config)#interface F0/0
router(config-if)#zone-member security Private
router(config)#interface F0/1
router(config-if)#zone-member security Public
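The single-class example above shows the nesting mechanism but uses only one of the match criteria listed earlier. The configuration below is an added example, not from the original article, that combines several of those criteria (protocol violation, port misuse, a URI regular expression, and request/body size limits) into one layer 5-7 policy and nests it under the same Private-to-Public layer 3/4 policy, alongside a DNS class and a logging class-default. It is written in running-config form rather than with prompts. Every zone, class-map, policy-map, parameter-map and interface name, and the specific size thresholds and regex patterns, are assumed for illustration and should be adjusted for a real deployment.

```cisco
! Added example, not part of the original article. All names and thresholds are assumed.
!
! Regular-expression parameter-map referenced by the URI match below. The patterns
! match request URIs that end in .exe or .scr (IOS regex syntax, backslash escapes the dot).
parameter-map type regex BLOCKED-URI-REGEX
 pattern \.exe$
 pattern \.scr$
!
! Layer 5-7 class-maps, one per policy decision.
class-map type inspect http match-any HTTP-PROTO-VIOLATION
 match req-resp protocol violation
!
! "any" covers the im, p2p and tunneling categories in one line.
class-map type inspect http match-any HTTP-PORT-MISUSE
 match request port-misuse any
!
! match-all: both the method and the URI pattern must match.
class-map type inspect http match-all HTTP-BLOCKED-DOWNLOAD
 match request method get
 match request uri regex BLOCKED-URI-REGEX
!
! match-any: any single oversized element is enough (sizes in bytes, assumed values).
class-map type inspect http match-any HTTP-OVERSIZED
 match request uri length gt 2048
 match request arg length gt 1024
 match req-resp body length gt 10000000
!
! Layer 5-7 policy-map. Classes are evaluated top down, first match wins.
! High-confidence classes are logged and reset; the size class is log-only so that
! its thresholds can be tuned against real traffic before adding reset.
policy-map type inspect http HTTP-AIC-POLICY
 class type inspect http HTTP-PROTO-VIOLATION
  log
  reset
 class type inspect http HTTP-PORT-MISUSE
  log
  reset
 class type inspect http HTTP-BLOCKED-DOWNLOAD
  log
  reset
 class type inspect http HTTP-OVERSIZED
  log
!
! Layer 3/4 class-maps.
class-map type inspect match-any WEB-TRAFFIC
 match protocol http
!
class-map type inspect match-any DNS-TRAFFIC
 match protocol dns
!
! Layer 3/4 policy-map. The HTTP AIC policy is nested under the class whose
! action is inspect; DNS is inspected without AIC; everything else is dropped and logged.
policy-map type inspect PRIVATE-TO-PUBLIC
 class type inspect WEB-TRAFFIC
  inspect
  service-policy http HTTP-AIC-POLICY
 class type inspect DNS-TRAFFIC
  inspect
 class class-default
  drop log
!
zone security Private
zone security Public
!
! Zone-pairs are unidirectional; this one covers Private-initiated sessions only.
zone-pair security private-public-pair source Private destination Public
 service-policy type inspect PRIVATE-TO-PUBLIC
!
interface FastEthernet0/0
 zone-member security Private
!
interface FastEthernet0/1
 zone-member security Public
```

Two points worth checking after applying a configuration like this. First, the reset action on protocol violations will also terminate sessions from legitimate but non-compliant client or server implementations, so it is prudent to run a new class with log alone and review the generated syslog messages before adding reset. Second, use show policy-map type inspect zone-pair private-public-pair and show zone-pair security to confirm that the nested HTTP policy is attached under the inspect class and that the counters for each layer 5-7 class increment as expected when test traffic is sent.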
Summary
The additional capabilities of the zone-based firewall feature offer a large number of different options to match and control traffic going between and within zones.