How would you do this? To note, this is mostly an intellectual exercise on my part and to see how other people would do things.
Currently I'm using a reflexive ACL FW setup and while it works well at blocking unsolicited inbound traffic, it doesn't work too well for blocking unsolicited / uncontrolled outbound traffic like NetBIOS. Cisco's own docs on configuring reflexive ACLs seem to imply that DENY statements can't be configured in the ACLs, however I haven't had a chance to test whether this is true or not.
I'm thinking of moving to a CBAC setup and while the protocols it can inspect in 12.4T are pretty extensive, again there doesn't seem to be a way to deny certain protocols / traffic out other than not putting them in the inspection set. In addition, I'm not sure if, in enabling generic TCP / UDP inspection to catch those 'don't know about but might be there' user traffic on your network, you open yourself again to letting unsolicited / uncontrolled outbound traffic like NetBIOS out.
So, given only a Cisco router (any model) running Cisco IOS (any version, though I am interested if you could do something like this on 12.3 code as well) and nothing else, how would you go about setting up the device to inspect and allow specific inside traffic out (e.g. HTTP/S, POP, IMAP, generic TCP / UDP) but block other specific traffic (e.g. NetBIOS, known DDoS / virus exploits, known apps / games / websites not permitted by the company AUP, etc.) and what sort of config would you use?
Regards
ZBFW.
Have a backside zone and external zone and apply whatever policies you see fit between them. You can even inspect (on some IOS versions) and drop on the class-default to catch "everything else" (just make an "any" class and inspect that to catch the rest of the traffic in the other IOS versions).
In your case you would have your zone-pair internal to external, match the traffic you want to block with access-lists/class-maps or NBAR and drop it, and inspect everything else. Or go vice versa and do an inspect on only things you need and drop everything else.
@cooldude9919 I kind of figured ZBFW would be the first answer but I'm hoping it isn't the only answer out there. I've done some reading on ZBFW and the theory of operation's easy enough, but from the two or three config examples I've found I've got a ways to go in understanding the command syntax.
Any other suggestions, or anyone have to do something similar on the cheap and find a brilliant workable alternative that they've kept for future reference?
Regards
It's really not very hard at all. If you want, I can post a sample config and then you can ask any questions you have.
Here is a quick example from a corp zone to inet zone. Basically you specify the zone-pair statement, then put in what policy-map will be in place between these two zone-pairs in that direction of traffic. Then you put in the class-maps within the policy-map that can drop, inspect, pass etc., and those class-maps match access-lists that match the traffic.
zone-pair security zp-corp-inet source zone-corp destination zone-inet
service-policy type inspect pol-corp-inet
FSTL0001#show policy-map type inspect pol-corp-inet
Policy Map type inspect pol-corp-inet
Class cls-block-web
Drop log
Class class-default
Inspect
FSTL0001#show class-map type inspect cls-block-web
Class Map type inspect match-all cls-block-web (id 35)
Match access-group 110
FSTL0001#show access-l 110
Extended IP access list 110
10 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 (123901 matches)
40 deny icmp 10.3.0.0 0.0.255.255 any
50 permit ip 10.3.0.xx 0.0.255.0 any
60 permit ip 10.3.0.xxx 0.0.255.0 any
70 deny tcp 10.3.0.0 0.0.255.255 any eq www (192 matches)
80 deny tcp 10.3.0.0 0.0.255.255 any eq 443 (300 matches)
90 permit ip 10.3.0.0 0.0.255.255 any (28 matches)
This example allows web traffic for a group of computers but drops everything else to do with them.
The inspect on class-default allows all other traffic sessions through the firewall and back in the firewall, meaning the inspect makes a hole in the firewall for that session that allows all incoming traffic for that session through the firewall without needing policies on the reverse zone-pair statement to allow it.
@cooldude9919 Thanks for the sample config and explanation. Like I said, the theory of ZBFW's easy enough for me, and I've done a lot of reading into MQC that I have a pretty solid foundation on how to read and do the class / policy maps; the b***h is in applying it and I've been looking for any config examples online to get more familiar with ZBFW.
Is this a config example from a live router you have here? If I got it right, this could just as easily have been accomplished as:
class-map type inspect match-all cls-block-web
 match protocol http
!
policy-map type inspect pol-corp-inet
 class type inspect cls-block-web
  inspect
 class class-default
  drop log
!
zone-pair security zp-corp-inet source zone-corp destination zone-inet
 service-policy type inspect pol-corp-inet
Right?
Regards
said by HELLFIRE:
@cooldude9919 Thanks for the sample config and explanation. Like I said, the theory of ZBFW's easy enough for me, and I've done a lot of reading into MQC that I have a pretty solid foundation on how to read and do the class / policy maps; the b***h is in applying it and I've been looking for any config examples online to get more familiar with ZBFW. Is this a config example from a live router you have here? If I got it right, this could just as easily have been accomplished as:
class-map type inspect match-all cls-block-web
 match protocol http
!
policy-map type inspect pol-corp-inet
 class type inspect cls-block-web
  inspect
 class class-default
  drop log
!
zone-pair security zp-corp-inet source zone-corp destination zone-inet
 service-policy type inspect pol-corp-inet
Right? Regards

Yea, pretty much. If you didn't care about the source IP that would work fine (though you would want to add https probably). In our case we only want the 10.3.x.x range to have this applied, not other machines in the 10.x.x range.
Along with your config, and adding the https, you could add another access-list that matches the IP address range, and because it is a match-all it would have to match both.
Example:
class-map type inspect match-all cls-block-web
 match protocol http
 match access-group 110
!
access-list 110 permit ip 10.3.0.0 0.0.255.255 any
!
policy-map type inspect pol-corp-inet
 class type inspect cls-block-web
  inspect
 class class-default
  drop log
!
zone-pair security zp-corp-inet source zone-corp destination zone-inet
 service-policy type inspect pol-corp-inet
This would also work. Also, yes, it is from a live router. As you have noticed you can either allow what you want and block everything else, or block what you want and allow everything else. Which way is better/easier just depends on what you are doing and which case works best for you.
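A complete ZBFW configuration of the kind discussed in the posts above, assembled here as an added example rather than taken from either poster's router. It combines both approaches from the thread: an explicit block class for NetBIOS/SMB that is dropped and logged, an inspect class for the protocols the original question wanted allowed out (HTTP/S, POP, IMAP, plus DNS), and a class-default drop for everything else. Zone, ACL, class-map, policy-map and interface names are assumptions.

```cisco
! Assumed zone names
zone security INSIDE
zone security OUTSIDE
!
! Outbound traffic to block: NetBIOS name/datagram (UDP 137-138),
! NetBIOS session (TCP 139) and SMB over TCP (445)
ip access-list extended ACL-NETBIOS-OUT
 permit udp any any range 137 138
 permit tcp any any eq 139
 permit tcp any any eq 445
!
class-map type inspect match-any CM-BLOCK-OUT
 match access-group name ACL-NETBIOS-OUT
!
! Protocols permitted out; return traffic for these sessions is
! allowed back by the inspect action, no OUTSIDE->INSIDE policy needed
class-map type inspect match-any CM-ALLOW-OUT
 match protocol http
 match protocol https
 match protocol pop3
 match protocol imap
 match protocol dns
!
! Order matters: the block class is evaluated before the allow class
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-BLOCK-OUT
  drop log
 class type inspect CM-ALLOW-OUT
  inspect
 class class-default
  drop log
!
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! Assumed interface names; a zone-member interface with no zone-pair
! in a given direction drops that direction's traffic by default
interface GigabitEthernet0/0
 description Inside LAN
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
```

Because `match protocol` relies on NBAR classification, an allowed service running on a non-standard port falls into class-default and is dropped, which is visible in the counters of `show policy-map type inspect zone-pair ZP-IN-OUT`.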
Thanks for the tutorial on ZBFW cooldude9919... got a long climb to go in figuring it out, but I'll get there eventually. Actually the idea I had in mind for this originally was to use MQC to match the traffic I wanted to drop and use CBAC as the means of inspection, i.e.
class-map match-any DROP_THIS
 match (on NetBIOS)
 match (on condition)
 match (on condition)
!
policy-map MyQoS
 class DROP_THIS
  drop log
 class (other)
  ...
I got something useful out of this exercise, and I'm not complaining.
Regards
Just out of curiosity, got any resources / websites you'd recommend for more ZBFW config examples? Cisco unfortunately is pretty good with the really simple and the really complex, but nothing in between.
Regards