26 August, 2014

IOS Zone Based Firewalls

In the Zone, with IOS Zone Based Firewalls:
Stateful and Application Layer Filtering Services

ZBF Ingredients: 
- Zones
- Inspect Class Maps
- Inspect Policy Maps
- Zone-Pairs
- Inspect Service Policy

Application Layer Options: 
- APP inspect Class Maps
- APP inspect Policy Maps


! Create 3 Security Zones
R1#configure terminal
R1(config)#zone security IN
R1(config-sec-zone)#exit
R1(config)#zone security OUT
R1(config-sec-zone)#exit
R1(config)#zone security DMZ
R1(config-sec-zone)#exit

! Assign each interface to a zone
R1(config)#interface gig 1/0
R1(config-if)#zone-member security OUT
R1(config-if)#exit
R1(config)#interface gig 2/0
R1(config-if)#zone-member security IN
R1(config-if)#exit
R1(config)#interface gig 3/0
R1(config-if)#zone-member security DMZ
R1(config-if)#exit

! Verify the configuration
R1# show zone security
! Note: once interfaces are placed in zones, no traffic passes between zones by default;
! a zone-pair with an inspect policy is required to permit it.

! IN-OUT Traffic
! Create ACL and Inspect Class Map 
R1(config)#ip access-list extended IN-OUT-ACL
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit

R1(config)#class-map type inspect match-all IN-OUT-CLASS
R1(config-cmap)#match access-group name IN-OUT-ACL
R1(config-cmap)#exit

! Verify the configuration
R1# show class-map type inspect

! Create Inspect Policy Maps
R1(config)#policy-map type inspect IN-OUT-POLICY
R1(config-pmap)#class type inspect IN-OUT-CLASS
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#exit

! Verify the configuration
R1# show policy-map type inspect

! Create Zone Pairs
R1(config)#zone-pair security IN-OUT-ZP source IN dest OUT
R1(config-sec-zone-pair)#service-policy type inspect IN-OUT-POLICY
R1(config-sec-zone-pair)#exit

! Verify the configuration
R1# show zone-pair security 
R1# show policy-map type inspect zone-pair
R1# show policy-map type inspect zone-pair sessions

! OUT-DMZ Traffic
! Create Inspect Class Map
R1(config)#class-map type inspect match-any WEB-CLASS
R1(config-cmap)#match protocol http
R1(config-cmap)#exit

! Verify the configuration
R1# show class-map type inspect

! Create Inspect Policy Maps
R1(config)#policy-map type inspect WEB-POLICY
R1(config-pmap)#class type inspect WEB-CLASS
R1(config-pmap-c)#inspect
R1(config-pmap-c)#exit
R1(config-pmap)#exit

! Verify the configuration
R1# show policy-map type inspect

! Create Zone Pairs
R1(config)#zone-pair security OUT-DMZ-ZP source OUT dest DMZ
R1(config-sec-zone-pair)#service-policy type inspect WEB-POLICY
R1(config-sec-zone-pair)#exit

! Verify the configuration
R1# show zone-pair security 
R1# show policy-map type inspect zone-pair
R1# show policy-map type inspect zone-pair sessions

! Create Application Layer Security
! Create Class Map
! Note: COM must already exist as a regex parameter map (parameter-map type regex COM,
! with a pattern line); the class map only references it by name.
R1(config)#class-map type inspect http match-any BAD-HTTP-CLASS
R1(config-cmap)#match request uri regex COM
R1(config-cmap)#match req-resp protocol-violation
R1(config-cmap)#exit

! Verify the configuration
R1# show class-map type inspect http 

! Create Policy Map
R1(config)#policy-map type inspect http BAD-HTTP-POLICY
R1(config-pmap)#class type inspect http BAD-HTTP-CLASS
R1(config-pmap-c)#log
R1(config-pmap-c)#reset
R1(config-pmap-c)#exit
R1(config-pmap)#exit

! Verify the configuration
R1# show policy-map type inspect http

! Tag it on: attach the HTTP policy to the WEB-CLASS inspect action inside WEB-POLICY
R1(config)#policy-map type inspect WEB-POLICY
R1(config-pmap)#class type inspect WEB-CLASS
R1(config-pmap-c)#inspect
R1(config-pmap-c)#service-policy http BAD-HTTP-POLICY
R1(config-pmap-c)#exit
R1(config-pmap)#exit
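As an added check that is not part of this walkthrough's own configuration, the Python script below lints a saved running-config for the ZBF wiring described above: it flags ACL, class-map, policy-map and zone names that are referenced but never defined, and zone-pairs that carry no service-policy (which drop everything). The sample config and its planted defects are constructed, and the script assumes standard running-config formatting with one-space indentation.

```python
import re

# Constructed running-config for the three-zone design above, with four planted defects:
# IN-OUT-ACL and WEB-CLASS are never defined, OUT-DMZ-ZP misspells its policy, DMZ-IN-ZP has none.
SAMPLE_CONFIG = """\
zone security IN
zone security OUT
zone security DMZ
class-map type inspect match-all IN-OUT-CLASS
 match access-group name IN-OUT-ACL
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
policy-map type inspect WEB-POLICY
 class type inspect WEB-CLASS
  inspect
zone-pair security IN-OUT-ZP source IN destination OUT
 service-policy type inspect IN-OUT-POLICY
zone-pair security OUT-DMZ-ZP source OUT destination DMZ
 service-policy type inspect WEB-POLCY
zone-pair security DMZ-IN-ZP source DMZ destination IN
"""

# (regex capturing the object name(s), object kind) for definitions and for references
DEFS = [(r"zone security (\S+)", "zone"), (r"ip access-list \S+ (\S+)", "acl"),
        (r"class-map type inspect match-\S+ (\S+)", "class-map"),
        (r"policy-map type inspect (\S+)", "policy-map")]
REFS = [(r" match access-group name (\S+)", "acl"), (r" class type inspect (\S+)$", "class-map"),
        (r" service-policy type inspect (\S+)", "policy-map"),
        (r"zone-pair security \S+ source (\S+) dest\S* (\S+)", "zone")]

def lint_zbf(config):
    """Return findings: dangling references and zone-pairs that carry no policy."""
    defined, referenced, pairs, policed, pair = {}, [], [], set(), None
    for line in config.splitlines():
        for pat, kind in DEFS:
            if m := re.match(pat, line):
                defined.setdefault(kind, set()).add(m[1])
        for pat, kind in REFS:
            if m := re.match(pat, line):
                referenced += [(kind, name) for name in m.groups()]
        if m := re.match(r"zone-pair security (\S+)", line):
            pairs.append(pair := m[1])
        elif line.startswith(" service-policy type inspect"):
            policed.add(pair)   # belongs to the zone-pair opened most recently
    findings = [f"{kind} {name} is referenced but never defined"
                for kind, name in referenced if name not in defined.get(kind, ())]
    findings += [f"zone-pair {p} has no service-policy, so it drops all traffic"
                 for p in pairs if p not in policed]
    return findings
```

Run it against the output of `show running-config` on the router to catch the same class of mistake before traffic is silently dropped.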