Tag Archives: Inspection

Zone-Based Firewall (ZBFW) Notes

Because classic IOS inspection policies apply to all traffic on an interface, it is not possible to apply different policies to different groups of users. The Zone-Based Firewall (ZFW), available from IOS Release 12.4(6)T, allows exactly that.

Traffic can flow freely between interfaces in the same zone, but is blocked by default between zones.

Zone policies are configured using the Class-Based Policy Language (CPL), which is very similar to the Modular QoS CLI (MQC) that uses class/policy maps.

A new class-map and policy-map type (type inspect) was introduced for use in zone-based firewalls.

The ZBF allows inspection and control of several protocols, such as:

  • HTTP and HTTPS
  • SMTP, Extended SMTP (ESMTP), POP3 and IMAP
  • Peer-to-peer applications, with the ability to use heuristics to track port hopping
  • Instant messaging applications (AOL, Yahoo!, and MSN)
  • Remote Procedure Calls (RPC)

Steps to configure the ZFW:

  1. Decide which zones are needed, and create them on the router
  2. Decide which traffic must flow between the zones, and create the zone-pairs on the router
  3. Create class maps to identify the traffic to be inspected by the firewall between zones
  4. Assign policies to the traffic by creating policy maps and associating the class maps
  5. Assign the policy maps to the appropriate zone-pairs
  6. Assign the interfaces to the zones. An interface can belong to only one security zone

The router automatically creates a zone for its own traffic, named the self zone. All traffic to/from this zone is permitted by default, but this can be changed.

Policy maps can take the following actions for each class:

  • Drop: drop the packet
  • Inspect: use the Context-Based Access Control engine (stateful inspection)
  • Pass: pass the packet
  • Police: police (rate-limit) the traffic
  • Service-policy: use the Deep Packet Inspection engine
  • Urlfilter: use the URL Filtering engine

Parameter maps can be used to generate alerts and audit trails, and to control session parameters, e.g. the number of half-open sessions, session idle times, etc.

Example:

Connections:

R1 ---- s2/1 - R2 - f0/1 ---- f0/0 - R3

Access requirements:

Allow telnet and http from R3 to any destination; HTTP GET requests must additionally be inspected and logged. Any other access from INSIDE, excluding the above, must have an idle timeout of 100 seconds. It must also be possible to answer pings coming from OUTSIDE.

zone security INSIDE
zone security OUTSIDE

interface Serial2/1
 zone-member security OUTSIDE

interface FastEthernet0/1
 zone-member security INSIDE

zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE

! ACL referenced by the TELNET class-map below (the name must match its match access-group statement)
ip access-list extended INSIDE-OUTSIDE
 permit tcp any any eq telnet

ip access-list extended other_Traffic
 permit ip any any

! Idle timeouts for the remaining traffic
parameter-map type inspect TIMEOUT
 udp idle-time 100
 tcp idle-time 100

class-map type inspect match-all other_Traffic
 match access-group name other_Traffic

class-map type inspect match-all TELNET
 match access-group name INSIDE-OUTSIDE
 match protocol telnet

! HTTP GET requests will be inspected (Layer 7 class-map)
class-map type inspect http method_HTTP
 match request method get

class-map type inspect match-all _HTTP
 match protocol http
!
! This DPI policy has to be created separately and is then attached under the Layer 4 class with service-policy
policy-map type inspect http DPI_HTTP
 class type inspect http method_HTTP
  log

policy-map type inspect zbf_INSIDE-OUTSIDE
 class type inspect TELNET
  inspect
 class type inspect _HTTP
  inspect
  service-policy http DPI_HTTP
 class type inspect other_Traffic
  inspect TIMEOUT
!
! Attach the policy to the INSIDE-OUTSIDE zone-pair
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect zbf_INSIDE-OUTSIDE
!
! Define the access from OUTSIDE (only ICMP, so that pings are answered)
class-map type inspect match-all ICMP
 match protocol icmp

policy-map type inspect zbf_OUTSIDE-INSIDE
 class type inspect ICMP
  inspect

zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect zbf_OUTSIDE-INSIDE

R2#sh zone security
zone self
Description: System defined zone

zone INSIDE
Member Interfaces:
FastEthernet0/1

zone OUTSIDE
Member Interfaces:
Multilink1

R2#sh parameter-map type inspect

parameter-map type inspect TIMEOUT
audit-trail off
alert on
max-incomplete low  unlimited
max-incomplete high unlimited
one-minute low  unlimited
one-minute high unlimited
udp idle-time 100
icmp idle-time 10
dns-timeout 5
tcp idle-time 100
tcp finwait-time 5
tcp synwait-time 30
tcp max-incomplete host unlimited block-time 0
sessions maximum 2147483647

R2#sh policy-map type inspect zone-pair
Zone-pair: INSIDE-OUTSIDE

Service-policy inspect : zbf_INSIDE-OUTSIDE

Class-map: TELNET (match-all)
Match: access-group name INSIDE-OUTSIDE
Match: protocol telnet
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:43]

Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 00:00:02
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 1
Last half-open session total 0

Class-map: _HTTP (match-all)
Match: protocol http
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [1:32]
http packets: [0:6]

Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
Last session created 00:41:05
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0
Deep packet inspection
        Policy: http DPI_HTTP
        3 packets, 72 bytes

Class-map: other_Traffic (match-all)
Match: access-group name other_Traffic
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0

Class-map: class-default (match-any)
Match: any
Drop (default action)
30 packets, 2400 bytes
Zone-pair: OUTSIDE-INSIDE

Service-policy inspect : zbf_OUTSIDE-INSIDE

Class-map: ICMP (match-all)
Match: protocol icmp
Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:1054]

Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:00:23
Last statistic reset never
Last session creation rate 1
Maxever session creation rate 1
Last half-open session total 0

Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes

! Ping R3 from R1 (OUTSIDE)
R1#ping 192.168.20.1 re 2
Success rate is 100 percent (2/2), round-trip min/avg/max = 44/52/60 ms

! Telnet to R1 from R3 (INSIDE)

R3#telnet 192.168.10.1
Trying 192.168.10.1 ... Open

User Access Verification

Password:
R2#sh policy-map type inspect zone-pair sessions
Zone-pair: INSIDE-OUTSIDE

Service-policy inspect : zbf_INSIDE-OUTSIDE

Class-map: TELNET (match-all)
Match: access-group name INSIDE-OUTSIDE
Match: protocol telnet
Inspect
   Established Sessions
         Session 670375D0 (192.168.20.1:21612)=>(192.168.10.1:23) telnet SIS_OPEN
Created 00:00:08, Last heard 00:00:07
Bytes sent (initiator:responder) [24:113]

Class-map: _HTTP (match-all)
Match: protocol http
Inspect
Deep packet inspection
Policy: http DPI_HTTP
3 packets, 72 bytes

Class-map: other_Traffic (match-all)
Match: access-group name other_Traffic
Inspect

Class-map: class-default (match-any)
Match: any
Drop (default action)
30 packets, 2400 bytes
Zone-pair: OUTSIDE-INSIDE

Service-policy inspect : zbf_OUTSIDE-INSIDE

Class-map: ICMP (match-all)
Match: protocol icmp
Inspect
Established Sessions
         Session 67037898 (192.168.2.1:8)=>(192.168.20.1:0) icmp SIS_OPEN
Created 00:00:26, Last heard 00:00:00
ECHO request
Bytes sent (initiator:responder) [36360:36288]

Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes


Context-Based Access Control (CBAC) Notes

CBAC inspects sessions (based on the type of the inspected protocol) so as to guarantee the return traffic, which makes it easier to implement ACLs in both directions.

Syntax:

ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

interface interface-id
ip inspect inspection-name {in | out}

Notes:

  • ICMP traffic is not inspected by CBAC, so this traffic must be permitted (in the inbound ACL) with the OUTSIDE interface as source; otherwise ping/traceroute will be filtered.
  • It allows countermeasures against DDoS, by counting the number of sessions per host / per period of time and blocking when necessary.
  • If the protocol is not known, inspection can be done through the generic TCP/UDP signatures. In that case all sessions will be analysed.

ICMP messages to permit:

  • echo reply - outgoing ping commands require echo-reply messages to come back.
  • time-exceeded - outgoing traceroute commands require time-exceeded messages to come back.
  • traceroute - allow an incoming traceroute.
  • unreachable - permit all "unreachable" messages to come back. If a router cannot forward or deliver a datagram, it sends an ICMP unreachable message back to the source and drops the datagram.

Example:

Connections:

R1 - s2/0 - R2 - f0/1 ---- f0/0 - R3

R2(config)#

! Inspection rules; audit-trail logs the information generated by each session
ip inspect name CBAC icmp audit-trail on
ip inspect name CBAC telnet audit-trail on

! Also inspect ICMP traffic originated by the router itself
ip inspect name CBAC icmp router-traffic

! Block everything inbound on the OUTSIDE interface; CBAC opens the return traffic dynamically
ip access-list extended BLOCK_CBAC
 deny ip any any

interface Serial2/0
 ip address 192.168.2.2 255.255.255.0
 ip access-group BLOCK_CBAC in
 ip inspect CBAC out

R3(config-if)#do tracer 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.10.1

  1 192.168.20.2 40 msec 40 msec 28 msec
  2  *

R2(config)#
! Permit the return traffic that traceroute needs (ICMP unreachables), inserted before the deny
ip access-list extended BLOCK_CBAC
 1 permit icmp any any host-unreachable
 2 permit icmp any any port-unreachable

R3(config-if)#do tracer 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.10.1

  1 192.168.20.2 36 msec 32 msec 32 msec
  2 192.168.2.1 64 msec 64 msec 56 msec

R2(config)#do sh ip inspe all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    icmp alert is on audit-trail is on timeout 10
    telnet alert is on audit-trail is on timeout 3600

Interface Configuration
Interface Serial2/0
Inbound inspection rule is not set
Outgoing inspection rule is CBAC
icmp alert is on audit-trail is on timeout 10
telnet alert is on audit-trail is on timeout 3600
  Inbound access list is BLOCK_CBAC
Outgoing access list is not set

Established Sessions
 Session 670378D8 (192.168.20.1:8)=>(192.168.10.1:0) icmp SIS_OPEN
 Session 670378D8 (192.168.20.1:43496)=>(192.168.10.1:23) telnet SIS_OPEN

R2#
*Mar  1 14:07:06.260: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.20.1:38877) sent 42 bytes -- responder (192.168.10.1:23) sent 162 bytes
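As an added example (not code from the original posts), the following Python parser turns the session lines shared by the ZBFW `show policy-map type inspect zone-pair sessions` output in the previous post and the CBAC `show ip inspect` session table and %FW-6-SESS_AUDIT_TRAIL syslog line above into records that can be audited or correlated. The sample input is constructed to mirror those outputs, and the cleartext-protocol list is an assumed review heuristic, not something the posts define.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the session tables and the audit-trail syslog line shown in the posts.
SAMPLE = """\
Zone-pair: INSIDE-OUTSIDE
         Session 670375D0 (192.168.20.1:21612)=>(192.168.10.1:23) telnet SIS_OPEN
Bytes sent (initiator:responder) [24:113]
Zone-pair: OUTSIDE-INSIDE
         Session 67037898 (192.168.2.1:8)=>(192.168.20.1:0) icmp SIS_OPEN
*Mar  1 14:07:06.260: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (192.168.20.1:38877) sent 42 bytes -- responder (192.168.10.1:23) sent 162 bytes
"""
ZONEPAIR_RE = re.compile(r"^Zone-pair:\s+(\S+)")
SESSION_RE = re.compile(r"Session\s+[0-9A-F]+\s+\((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
                        r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+(?P<proto>\S+)\s+(?P<state>SIS_\w+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")
AUDIT_RE = re.compile(r"%FW-6-SESS_AUDIT_TRAIL: (?P<event>Start|Stop) (?P<proto>\S+) session: initiator "
                      r"\((?P<src>[\d.]+):(?P<sport>\d+)\) sent (?P<ib>\d+) bytes (?:--|\u2014) responder "
                      r"\((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<rb>\d+) bytes")

@dataclass
class FwSession:
    zone_pair: "str | None"      # None for CBAC tables and syslog lines (no zone-pair header)
    proto: str
    initiator: str               # "ip:port" exactly as printed by IOS
    responder: str
    state: str                   # SIS_* from the session table, START/STOP from the audit trail
    initiator_bytes: "int | None" = None
    responder_bytes: "int | None" = None

def parse_fw_output(text: str) -> list:
    # Walk the lines once; ZBFW prints sessions grouped under a "Zone-pair:" header, CBAC does not.
    sessions, zone_pair = [], None
    for line in text.splitlines():
        if m := ZONEPAIR_RE.match(line.strip()):
            zone_pair = m.group(1)
        elif m := SESSION_RE.search(line):
            sessions.append(FwSession(zone_pair, m["proto"], f"{m['src']}:{m['sport']}",
                                      f"{m['dst']}:{m['dport']}", m["state"]))
        elif (m := BYTES_RE.search(line)) and sessions:   # byte counters follow their session line
            sessions[-1].initiator_bytes, sessions[-1].responder_bytes = int(m[1]), int(m[2])
        elif m := AUDIT_RE.search(line):                   # audit-trail events carry bytes inline
            sessions.append(FwSession(None, m["proto"], f"{m['src']}:{m['sport']}",
                                      f"{m['dst']}:{m['dport']}", m["event"].upper(),
                                      int(m["ib"]), int(m["rb"])))
    return sessions

CLEARTEXT = {"telnet", "ftp", "http"}   # assumed review list: protocols carrying credentials in the clear
def cleartext_sessions(sessions: list) -> list:
    return [s for s in sessions if s.proto in CLEARTEXT]
```

The same parser accepts the `--` separator IOS prints and the em-dash some blog renderings turn it into, so pasted output works as well as raw syslog.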


ESMTP/TLS on the Cisco ASA

The Cisco ASA configuration has several inspections enabled by default, and one of the problems is precisely the esmtp inspection: when SMTP over Transport Layer Security (TLS) is deployed, all the traffic is denied. After some research on the Cisco site, from version 8.0 onwards (inclusive) it is possible to keep the inspection active with SMTP/TLS support. However, the version 7.2 documentation states that it is already supported. Go figure...

Now to what matters.

Config with inspection enabled

CiscoASA# conf t
CiscoASA(config)# policy-map type inspect esmtp esmtp_mapa
CiscoASA(config-pmap)# parameters
CiscoASA(config-pmap-p)# allow-tls
CiscoASA(config-pmap-p)# exit
CiscoASA(config-pmap)# exit
! Attach the map to the default inspection class, replacing the default esmtp inspection
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default
CiscoASA(config-pmap-c)# no inspect esmtp
CiscoASA(config-pmap-c)# inspect esmtp esmtp_mapa
CiscoASA(config-pmap-c)# exit
CiscoASA(config-pmap)# exit
CiscoASA(config)# exit
CiscoASA# wr mem

If the firmware version is earlier than the one mentioned, the inspection should be removed so that the emails get delivered.

Config with inspection disabled

CiscoASA(config)#policy-map global_policy
CiscoASA(config-pmap)#class inspection_default
CiscoASA(config-pmap-c)#no inspect esmtp
CiscoASA(config-pmap-c)#exit
CiscoASA(config-pmap)#exit

See the following link for more information.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008067cf3b.shtml#esmtp
