Tuesday, 27 February 2018

Cisco ZBF (Zone Based Firewall) and Address-Book, Zone and Policy on Juniper SRX

Cisco 

Configuring a Zone-Based Firewall using the CLI
1- Create the zones the firewall needs with the zone security command.
2- Define the traffic classes with the class-map type inspect command.
3- Define the firewall policies with the policy-map type inspect command.
4- Apply the policies to source/destination zone pairs with the zone-pair security command.
5- Assign the router interfaces to zones with the zone-member security command.
Points to keep in mind when configuring ZPF from the CLI:
- Only policy maps defined with type inspect can be used with the zone-pair security command.
- type inspect policy maps can only use class maps defined with type inspect.
- A QoS class map and an inspect class map cannot share the same name.
- A zone must be created with the zone security global configuration command before it can be used with the zone-member security interface configuration command.
- An interface cannot be assigned to more than one zone.
- The zone-based policy firewall is the replacement for CBAC. If CBAC is in use before ZPF is enabled, the ip inspect interface configuration command must be removed and ZPF enabled with the zone-member security command.
- ZPF and CBAC can coexist on a router as long as they are not used on the same interfaces. CBAC is enabled with the ip inspect command on interfaces that are not members of any security zone.
- No traffic flows between an interface that belongs to a zone and an interface that is not assigned to any zone. For this reason, services experience a brief interruption while the zone-member interface configuration command is being applied.
- By default, traffic between zones is not permitted until zone pairs are defined with the zone-pair command.
- The router never filters traffic between interfaces that are members of the same zone.
- The zone-member command does not protect the router itself; that is, traffic destined to the router and traffic originated by the router are unaffected. Protection can be added by creating zone pairs with the predefined self zone.
CBAC dynamically creates the entries its state changes require in the ACLs of interfaces where the ip inspect command is applied. ZPF makes no changes to ACLs. For this reason, ACL usage on an interface should be reviewed before the zone-member command is entered.
1) Creating the Zones
The network administrator creates the zones needed by the firewall with the zone security command. The optional description is recommended.
Router(config)# zone security zone-name
Router(config-sec-zone)# description line-of-description
2) Defining Traffic Classes
ZPF traffic classes are defined as follows.
Router(config)# class-map type inspect [match-any | match-all] class-map-name
For Layer 3 and Layer 4 (top-level) class maps, match-any is the default option.
Router(config)# class-map type inspect protocol-name [match-any | match-all] class-map-name
Layer 7 (application-specific) class maps are defined as shown above.
ACLs are used in class map configuration mode with the following command.
Router(config-cmap)# match access-group {access-group | name access-group-name}
The following command matches protocols within a class map.
Router(config-cmap)# match protocol protocol-name
Referencing another class map, again in class map configuration mode, is done with the following command.
Router(config-cmap)# match class-map class-map-name
The ability of ZPF to nest class maps inside one another to build a hierarchical structure is a significant strength when building Cisco IOS firewalls.
3) Defining the Firewall Policies
The network administrator must decide how traffic matching the desired classes is handled. The options are pass, inspect, drop and police.
The following command creates ZPF policy maps.
Router(config)# policy-map type inspect policy-map-name
To define the firewall's behaviour for traffic matching a given class, the class is first specified in policy-map configuration mode with the following command.
Router(config-pmap)# class type inspect class-name
The default class (all traffic not matched by the defined classes) is specified as follows.
Router(config-pmap)# class class-default
Finally, the handling of the matched traffic is specified.
Router(config-pmap-c)# pass | inspect | drop [log] | police
4) Applying the Firewall Policies
Once the firewall policy is configured, it is applied to traffic between zone pairs with the zone-pair security command. This involves specifying the source zone, the destination zone and the policy that handles traffic between them.
First the zone pairs are defined.
Router(config)# zone-pair security zone-pair-name [source source-zone-name | self] destination [self | destination-zone-name]
After the zone-pair security command above has been entered, the service-policy type inspect policy-map-name command applies the desired policy and its actions to the zone pair specified in the previous step.
Deep packet inspection (including a Layer 7 policy map in the top-level security policy) can be applied with the following command in Cisco IOS Release 12.4(20)T and later.
Router(config-pmap-c)# service-policy {h323 | http | im | imap | p2p | pop3 | sip | smtp | sunrpc | urlfilter} policy-map
policy-map is the name of the Layer 7 policy map applied inside the Layer 3 or Layer 4 top-level policy map.
5) Assigning the Interfaces
Finally, the interfaces must be assigned to the appropriate security zones with the zone-member interface configuration mode command.
Router(config-if)# zone-member security zone-name
The zone-member security command places the interface it is applied to into the specified security zone. Once an interface belongs to a security zone, all traffic entering and leaving that interface is dropped. Traffic destined to the router or originated by the router is the exception (the predefined self zone). For traffic to flow through an interface that is a member of a zone, the zone must be part of a defined zone pair and the policy applied to that zone pair must allow the traffic (pass or inspect).
ZPF can be configured with the CLI or with Cisco SDM.

The first step is to create the new zones and assign the interfaces to them:

zone security TEST
zone security TRUSTED
zone security INTERNET

 interface GigabitEthernet1/0/5.252
 encapsulation dot1Q 252
 ip address 10.34.1.1 255.255.255.0
 zone-member security TRUSTED

 interface GigabitEthernet1/0/4
 ip address 10.34.20.1 255.255.255.0
 zone-member security TEST

Next, specify the source and destination zone and attach the policy to the zone pair.
The zone pair is required before any traffic between the zones can be controlled.

zone-pair security TEST->TRUSTED source TEST destination TRUSTED
 service-policy type inspect TEST_TO_TRUSTED_PMAP
zone-pair security TRUSTED->TEST source TRUSTED destination TEST
 service-policy type inspect TRUSTED_TO_TEST_PMAP

The policy maps and class maps carry the actual rules:

policy-map type inspect TEST_TO_TRUSTED_PMAP
 class type inspect TEST_TO_TRUSTED_CMAP
  pass
 class class-default
  drop log

policy-map type inspect TRUSTED_TO_TEST_PMAP
 class type inspect TRUSTED_TO_TEST_CMAP
  pass
 class class-default
  drop log
!

class-map type inspect match-all TEST_TO_TRUSTED_CMAP
 match access-group name TEST_ACL
class-map type inspect match-all TRUSTED_TO_TEST_CMAP
 match access-group name TRUSTED_ACL

The access-group names in the class maps refer to the following extended access lists:

ip access-list extended TEST_ACL
 permit icmp 10.34.0.0 0.0.0.255 host 10.34.20.212
 permit tcp 10.34.0.0 0.0.0.255 host 10.34.20.212 eq 9000
 permit tcp 10.34.0.0 0.0.0.255 host 10.34.20.212 eq www

ip access-list extended INTERNET_NAT_ACL
 deny   ip 10.0.0.0 0.255.255.255 172.20.82.0 0.0.0.15
 permit ip 10.0.0.0 0.255.255.255 any

ip access-list extended TRUSTED_ACL
 permit ip any any
 permit icmp any any



Zone Based Firewall is the most advanced method of a stateful firewall that is available on Cisco IOS routers. The idea behind ZBF is that we don’t assign access-lists to interfaces but we will create different zones. Interfaces will be assigned to the different zones and security policies will be assigned to traffic between zones. To show you why ZBF is useful, let me show you a picture:
[Figure: network with lots of ACLs]
Above you see a small network that has a LAN, DMZ and WAN with two ISPs. Let’s say our security policy looks like this:
  • Traffic from the LAN is allowed to the WAN but only to HTTP and HTTPS servers.
  • Traffic from the LAN is allowed to the DMZ unrestricted.
  • Traffic from the DMZ is not allowed to the LAN.
  • Traffic from the DMZ is allowed to the WAN but only for the DNS and HTTP servers.
  • Traffic from the WAN is allowed to the LAN, but only to a FTP server.
If you want to achieve this using access-lists, you’ll have to create multiple access-lists and attach them to different interfaces inbound and/or outbound. To say the least, it becomes an administrative pain to do this. It’s possible but annoying.
With the zone based firewall, we won’t apply the security policies to the interfaces but to security zones. Interfaces will become members of the different zones. Here’s an example of the topology above with zones:
[Figure: ZBF with 3 zones]
Above you see 3 zones; LAN, WAN and DMZ. The interfaces are assigned to the correct zone and now we can apply security policies to traffic between zones. For example:
  • LAN to WAN
  • LAN to DMZ
  • WAN to LAN
  • WAN to DMZ
  • DMZ to WAN
  • DMZ to LAN
To create a security policy for traffic between zones we have to create a zone pair. We have to configure zone pairs ourselves and apply a security policy to them to determine what traffic is permitted from one zone to another. All security policies are attached to the zone pairs. Now you have an idea what a zone based firewall is, let me show you how to configure this.

Configuration

We will use the following topology:
[Figure: zone based firewall, LAN and WAN zones]
Above you see 3 routers and two zones called LAN and WAN. We will configure ZBF on R2. For connectivity, I’ll create a static route on R1 and R3 that points to R2:
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2
Now we can configure the firewall.

Configure the Zones

First we will create the two zones, we only have two of them:
R2(config)#zone security LAN
R2(config)#zone security WAN
Secondly we will assign the interfaces to the correct zone:
R2(config)#interface fastEthernet 0/0
R2(config-if)#zone-member security LAN
R2(config)#interface fastEthernet 0/1 
R2(config-if)#zone-member security WAN
Let’s verify the configuration of the zones:
R2#show zone security 
zone self
  Description: System defined zone

zone LAN
  Member Interfaces:
    FastEthernet0/0

zone WAN
  Member Interfaces:
    FastEthernet0/1
The zones are active and interfaces have been assigned to them, now we can create the zone pairs.

Configure the Zone Pairs

R2(config)#zone-pair security LAN-TO-WAN source LAN destination WAN
R2(config-sec-zone-pair)#description LAN-TO-WAN TRAFFIC
R2(config)#zone-pair security WAN-TO-LAN source WAN destination LAN
R2(config-sec-zone-pair)#description WAN-TO-LAN TRAFFIC
Above I create two zone pairs. One for traffic from our LAN to the WAN, and another for traffic from the WAN to our LAN. A description is optional but recommended if you have many zones. Let’s verify our configuration:
R2#show zone-pair security 
Zone-pair name LAN-TO-WAN
Description: LAN-TO-WAN TRAFFIC
    Source-Zone LAN  Destination-Zone WAN 
    service-policy not configured
Zone-pair name WAN-TO-LAN
Description: WAN-TO-LAN TRAFFIC
    Source-Zone WAN  Destination-Zone LAN 
    service-policy not configured
Now we have zones, zone pairs and interfaces that are assigned to the zones. By default all traffic will be blocked. Let’s see if this is true:
R1#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
As you can see I’m unable to ping from one zone to another by default. Our next step is to implement some security policies to decide what we are allowed to do or not.

Security Policies

Security policies are similar to policy-maps for QoS with the MQC where we use class-maps to select traffic. There are three actions that we can apply to traffic:
  • Pass: traffic is permitted.
  • Drop: traffic is dropped.
  • Inspect: traffic is permitted and inspected so that return traffic is allowed.
We’ll start with a simple security policy that allows ICMP traffic from the LAN to the WAN:
R2(config)#class-map type inspect ICMP
R2(config-cmap)#match protocol icmp

R2(config)#policy-map type inspect LAN-TO-WAN
R2(config-pmap)#class type inspect ICMP
R2(config-pmap-c)#inspect
I will create an inspect class-map that uses NBAR to match ICMP traffic and a policy-map called LAN-TO-WAN to assign an action to the class-map. I will use inspect as it will allow the traffic to pass from the LAN zone to the WAN zone but also allows the return traffic. Now we can apply the policy-map to the zone pair:
R2(config)#zone-pair security LAN-TO-WAN
R2(config-sec-zone-pair)#service-policy type inspect LAN-TO-WAN
Policy-maps are directly attached to the zone pair that we created earlier. Let’s verify that our configuration is working:
R1#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
As you can see our ping from R1 to R3 is now successful. What about the other way around?
R3#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ICMP traffic from R3 to R1 is not allowed, as expected: only the LAN-TO-WAN zone pair has a policy. To check the currently active security policies you can use the following command:

R2#show policy-map type inspect zone-pair 
 Zone-pair: LAN-TO-WAN

  Service-policy inspect : LAN-TO-WAN

    Class-map: ICMP (match-all)
      Match: protocol icmp
      Inspect
        Packet inspection statistics [process switch:fast switch]
        icmp packets: [0:30]

        Session creations since subsystem startup or last reset 2
        Current session counts (estab/half-open/terminating) [1:0:0]
        Maxever session counts (estab/half-open/terminating) [1:1:0]
        Last session created 00:00:05
        Last statistic reset never
        Last session creation rate 1
        Maxever session creation rate 1
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any 
      Drop (default action)
        4 packets, 96 bytes
Above you can see that ICMP traffic is allowed from the LAN zone to the WAN zone while all other traffic (class-default) will be dropped.
Let’s create another rule, let’s say that R3 is allowed to telnet to R1. We’ll create a new class-map, policy-map and attach it to the correct zone-pair:
R2(config)#class-map type inspect TELNET
R2(config-cmap)#match protocol telnet

R2(config)#policy-map type inspect WAN-TO-LAN
R2(config-pmap)#class type inspect TELNET
R2(config-pmap-c)#inspect

R2(config)#zone-pair security WAN-TO-LAN
R2(config-sec-zone-pair)#service-policy type inspect WAN-TO-LAN
Let’s verify our configuration:
R3#telnet 192.168.12.1
Trying 192.168.12.1 ... Open
As you can see above we are now able to telnet from R3 to R1.
R2#show policy-map type inspect zone-pair | begin WAN-TO-LAN
 Zone-pair: WAN-TO-LAN

  Service-policy inspect : WAN-TO-LAN

    Class-map: TELNET (match-all)
      Match: protocol telnet
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [0:20]

        Session creations since subsystem startup or last reset 1
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [1:1:1]
        Last session created 00:01:11
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 1
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any 
      Drop (default action)
        0 packets, 0 bytes
As you can see telnet traffic is allowed, all other traffic will be dropped.

Zone Self

With the configuration above we have security rules between the LAN and WAN zones, but what about R2 itself? Is it protected by our zone based firewall? Let’s find out!
R3#telnet 192.168.23.2
Trying 192.168.23.2 ... Open
R3 is able to telnet to R2 without any problems. This is because R2 doesn’t belong to the WAN or LAN zone but to another zone called the self zone. By default all zones are allowed to reach the self zone, so if we don’t want this we’ll have to create another zone pair:
R2(config)#policy-map type inspect WAN-TO-SELF
I will create a policy-map called WAN-TO-SELF but I won’t use any class-maps. By default there is always the class-default and it will drop all traffic. Let’s create the zone pair:
R2(config)#zone-pair security WAN-TO-SELF source WAN destination self
R2(config-sec-zone-pair)#service-policy type inspect WAN-TO-SELF
Let’s verify our work:
R3#ping 192.168.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#show policy-map type inspect zone-pair WAN-TO-SELF
 Zone-pair: WAN-TO-SELF

  Service-policy inspect : WAN-TO-SELF

    Class-map: class-default (match-any)
      Match: any 
      Drop (default action)
        15 packets, 360 bytes
Above you can see the drops in the class-default. This will prevent the WAN zone from sending traffic to the self zone. The LAN zone will still be able to reach R2.

For reference, here is the complete configuration of R2:
hostname R2
!
ip cef
!
class-map type inspect match-all TELNET
 match protocol telnet
class-map type inspect match-all ICMP
 match protocol icmp
!
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
policy-map type inspect WAN-TO-LAN
 class type inspect TELNET
  inspect
 class class-default
  drop
policy-map type inspect WAN-TO-SELF
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 description LAN-TO-WAN TRAFFIC
 service-policy type inspect LAN-TO-WAN
zone-pair security WAN-TO-LAN source WAN destination LAN
 description WAN-TO-LAN TRAFFIC
 service-policy type inspect WAN-TO-LAN
zone-pair security WAN-TO-SELF source WAN destination self
 service-policy type inspect WAN-TO-SELF
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 zone-member security LAN
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
 zone-member security WAN
!
end
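The following Python script is an added example, not code from the post or from Cisco. It parses an IOS running-config such as the R2 configuration above and checks it against the ZPF rules listed in the first part of this page: zone pairs must reference defined zones and carry a service-policy (otherwise everything between the two zones is dropped), inspect policy maps may only reference class maps of type inspect, pass does not create state for return traffic, an interface outside every zone cannot exchange traffic with zoned interfaces, and a zone without a zone pair towards self can reach the router itself unrestricted. The configuration it ships with is constructed: R2's configuration trimmed down, plus a DMZ-TO-LAN zone pair and a FastEthernet1/0 interface that do not appear on the page and exist only so the checks have something to report.

```python
# Added example (not from the post or Cisco): audit an IOS zone-based firewall
# configuration against the ZPF rules stated on this page. SAMPLE_CONFIG is a
# constructed input: R2's config from the post, trimmed, plus two deliberate
# defects (a zone-pair to an undefined zone without a service-policy, and an
# interface that is a member of no zone).
SAMPLE_CONFIG = """\
class-map type inspect match-all ICMP
 match protocol icmp
!
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
policy-map type inspect WAN-TO-SELF
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN
zone-pair security WAN-TO-SELF source WAN destination self
 service-policy type inspect WAN-TO-SELF
zone-pair security DMZ-TO-LAN source DMZ destination LAN
!
interface FastEthernet0/0
 zone-member security LAN
interface FastEthernet0/1
 zone-member security WAN
interface FastEthernet1/0
 ip address 10.0.0.1 255.255.255.0
end
"""


def parse_ios_config(text):
    """Collect zones, class-maps, policy-maps, zone-pairs and interfaces."""
    cfg = {"zones": set(), "class_maps": {}, "policy_maps": {}, "zone_pairs": {}, "interfaces": {}}
    block = cur_class = None                      # current top-level block / class inside it
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):               # unindented: a new top-level statement
            block = cur_class = None
            if tok[:2] == ["zone", "security"]:
                cfg["zones"].add(tok[2])
            elif tok[0] == "class-map":            # "inspect" for ZPF class-maps, None for QoS ones
                cfg["class_maps"][tok[-1]] = tok[2] if tok[1] == "type" else None
            elif tok[0] == "policy-map":
                block, cfg["policy_maps"][tok[-1]] = ("policy-map", tok[-1]), {}
            elif tok[:2] == ["zone-pair", "security"]:
                block = ("zone-pair", tok[2])
                cfg["zone_pairs"][tok[2]] = {"source": tok[tok.index("source") + 1],
                                             "destination": tok[tok.index("destination") + 1],
                                             "policy": None}
            elif tok[0] == "interface":
                block, cfg["interfaces"][tok[1]] = ("interface", tok[1]), None
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "policy-map" and tok[0] == "class":     # "class type inspect X" / "class class-default"
            cur_class = tok[-1]
            cfg["policy_maps"][name][cur_class] = None
        elif kind == "policy-map" and cur_class and tok[0] in ("pass", "inspect", "drop", "police"):
            cfg["policy_maps"][name][cur_class] = tok[0]
        elif kind == "zone-pair" and tok[:3] == ["service-policy", "type", "inspect"]:
            cfg["zone_pairs"][name]["policy"] = tok[3]
        elif kind == "interface" and tok[:2] == ["zone-member", "security"]:
            cfg["interfaces"][name] = tok[2]
    return cfg


def audit_zbf(cfg):
    """Return human-readable findings for the ZPF rules stated on this page."""
    out, zones, pairs = [], cfg["zones"], cfg["zone_pairs"]
    for name, zp in pairs.items():
        for role in ("source", "destination"):
            if zp[role] != "self" and zp[role] not in zones:
                out.append(f"zone-pair {name}: {role} zone {zp[role]} is not defined")
        if zp["policy"] is None:                   # no service-policy: everything between the zones is dropped
            out.append(f"zone-pair {name}: no service-policy, {zp['source']}->{zp['destination']} traffic is dropped")
        elif zp["policy"] not in cfg["policy_maps"]:
            out.append(f"zone-pair {name}: policy-map {zp['policy']} is not defined")
    for pname, classes in cfg["policy_maps"].items():
        for cname, action in classes.items():
            if cname != "class-default" and cfg["class_maps"].get(cname) != "inspect":
                out.append(f"policy-map {pname}: class-map {cname} is missing or not type inspect")
            if action == "pass":                   # pass is stateless: return traffic needs its own zone-pair
                out.append(f"policy-map {pname}: class {cname} uses pass, return traffic needs a reverse zone-pair")
    for iname, zone in cfg["interfaces"].items():
        if zone is None:
            out.append(f"interface {iname}: in no zone, it cannot exchange traffic with zoned interfaces")
    # zones without a zone-pair towards self can reach the router itself unrestricted
    for z in sorted(zones - {zp["source"] for zp in pairs.values() if zp["destination"] == "self"}):
        out.append(f"zone {z}: no zone-pair to self, the router itself is reachable from {z} unrestricted")
    return out


if __name__ == "__main__":
    for finding in audit_zbf(parse_ios_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it against a saved `show running-config` to get the same four findings for the constructed sample: the undefined DMZ zone, the DMZ-TO-LAN pair without a policy, the unzoned FastEthernet1/0, and the LAN zone's unrestricted access to the router itself (the page protects self only from WAN). A clean configuration returns an empty list.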


JUNIPER

The first step is to create the zone with its address book entry:

set security zones security-zone WAN address-book address VSPHERE 172.19.200.10/32
set security zones security-zone WAN host-inbound-traffic system-services all
set security zones security-zone WAN host-inbound-traffic protocols all
set security zones security-zone WAN interfaces reth5.0

The second step is to create the policy:

set security policies from-zone WAN to-zone adsl-wan policy CTERA-INT match source-address VSPHERE
set security policies from-zone WAN to-zone adsl-wan policy CTERA-INT match destination-address any
set security policies from-zone WAN to-zone adsl-wan policy CTERA-INT match application any
set security policies from-zone WAN to-zone adsl-wan policy CTERA-INT then permit

If you need NAT, you must also permit the IP address in a source NAT rule set:

set security nat source rule-set WOS_INTERNET from zone WAN
set security nat source rule-set WOS_INTERNET to zone adsl-wan
set security nat source rule-set WOS_INTERNET rule WOS_INTERNET match source-address 172.19.200.10/32
set security nat source rule-set WOS_INTERNET rule WOS_INTERNET match destination-address 0.0.0.0/0
set security nat source rule-set WOS_INTERNET rule WOS_INTERNET then source-nat interface

Some further examples of zone definitions:

set security zones security-zone GIB host-inbound-traffic system-services http
set security zones security-zone GIB host-inbound-traffic system-services https
set security zones security-zone GIB host-inbound-traffic system-services ping
set security zones security-zone GIB host-inbound-traffic system-services ssh
set security zones security-zone GIB host-inbound-traffic protocols all
set security zones security-zone GIB interfaces ge-2/0/2.0

set security zones security-zone WAN address-book address VSPHERE 172.19.200.10/32
set security zones security-zone WAN host-inbound-traffic system-services all
set security zones security-zone WAN host-inbound-traffic protocols all
set security zones security-zone WAN interfaces reth5.0

Everybody is happy with this zone :)

set security zones security-zone TEDES host-inbound-traffic system-services all
set security zones security-zone TEDES host-inbound-traffic protocols all
set security zones security-zone TEDES interfaces reth19.0
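The following Python script is an added example, not code from the post or from Juniper. It reads SRX `set` statements in the style used above, builds the zone and policy tables, and checks each policy's source and destination addresses against the address book of the corresponding zone (zone-attached address books only, as this page uses them; global address books are not handled). It also flags policies that permit any application to any destination and zones that open every host-inbound system service. The input it ships with is constructed: the WAN, GIB and CTERA-INT statements from the post, plus a second policy named GIB-MGMT whose source address MGMT-NET is deliberately never defined. The adsl-wan zone is referenced by the post but never defined on the page, and the script reports that too.

```python
# Added example (not from the post or Juniper): audit SRX zone / policy
# statements for unresolved address-book names, undefined zones and overly
# open rules. SAMPLE_SET is constructed: the statements from the post plus a
# GIB-MGMT policy whose source address MGMT-NET is intentionally undefined.
from collections import defaultdict

SAMPLE_SET = """\
set security zones security-zone WAN address-book address VSPHERE 172.19.200.10/32
set security zones security-zone WAN host-inbound-traffic system-services all
set security zones security-zone WAN host-inbound-traffic protocols all
set security zones security-zone WAN interfaces reth5.0
set security zones security-zone GIB host-inbound-traffic system-services https
set security zones security-zone GIB host-inbound-traffic system-services ssh
set security zones security-zone GIB interfaces ge-2/0/2.0
set security policies from-zone WAN to-zone adsl-wan policy CTERA-INT match source-address VSPHERE
set security policies from-zone WAN to-zone adsl-wan policy CTERA-INT match destination-address any
set security policies from-zone WAN to-zone adsl-wan policy CTERA-INT match application any
set security policies from-zone WAN to-zone adsl-wan policy CTERA-INT then permit
set security policies from-zone GIB to-zone WAN policy GIB-MGMT match source-address MGMT-NET
set security policies from-zone GIB to-zone WAN policy GIB-MGMT match destination-address VSPHERE
set security policies from-zone GIB to-zone WAN policy GIB-MGMT match application junos-ssh
set security policies from-zone GIB to-zone WAN policy GIB-MGMT then permit
"""


def new_zone():
    return {"addresses": {}, "services": set(), "protocols": set(), "interfaces": set()}


def parse_junos_set(text):
    """Build zone and policy tables from 'set security ...' statements."""
    zones, policies = defaultdict(new_zone), {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:4] == ["set", "security", "zones", "security-zone"]:
            zone = zones[tok[4]]
            if tok[5:7] == ["address-book", "address"]:
                zone["addresses"][tok[7]] = tok[8]
            elif tok[5] == "host-inbound-traffic":        # system-services or protocols
                zone["services" if tok[6] == "system-services" else "protocols"].add(tok[7])
            elif tok[5] == "interfaces":
                zone["interfaces"].add(tok[6])
        elif tok[:4] == ["set", "security", "policies", "from-zone"]:
            key = (tok[4], tok[6], tok[8])                  # (from-zone, to-zone, policy name)
            pol = policies.setdefault(key, {"source-address": set(), "destination-address": set(),
                                            "application": set(), "action": None})
            if tok[9] == "match":
                pol[tok[10]].add(tok[11])
            elif tok[9] == "then":
                pol["action"] = tok[10]
    return zones, policies


def audit_srx(zones, policies):
    """Return findings: undefined zones, unresolved addresses, overly open rules."""
    out = []
    for (src, dst, name), pol in policies.items():
        label = f"policy {name} ({src}->{dst})"
        for role, zone in (("source-address", src), ("destination-address", dst)):
            if zone not in zones:                            # 'in' on a defaultdict does not create the key
                out.append(f"{label}: zone {zone} is not defined in this snippet")
                continue
            for addr in sorted(pol[role] - {"any"}):         # 'any' needs no address-book entry
                if addr not in zones[zone]["addresses"]:
                    out.append(f"{label}: {role} {addr} is not in the {zone} address book")
        if pol["action"] == "permit" and pol["application"] == {"any"} and pol["destination-address"] == {"any"}:
            out.append(f"{label}: permits any application to any destination")
    for zname, zone in sorted(zones.items()):
        if "all" in zone["services"]:                        # every management service reachable from this zone
            out.append(f"zone {zname}: system-services all is open on {', '.join(sorted(zone['interfaces']))}")
    return out


if __name__ == "__main__":
    for finding in audit_srx(*parse_junos_set(SAMPLE_SET)):
        print("-", finding)
```

Feed it the output of `show configuration | display set` to run the same checks on a live device; the constructed sample yields four findings: the undefined adsl-wan zone, the any/any CTERA-INT permit, the unresolved MGMT-NET address, and the WAN zone's system-services all on reth5.0.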
