So far we have two different methods of firewalling: ACL and proxy.
The third option is stateful filtering, also called "remembering": the router remembers each session, i.e. source IP, destination IP, source port, destination port and TCP flags. All of these are stored in a TCP session table. If returning traffic matches an entry in the session table, it is dynamically allowed.
Earlier we had:
1. Reflexive ACLs
config t
! Create an ACL that we will apply
! outbound on Fa 4/0.
! The "reflect REMEMBER" will create
! a reflexive ACL entry called "REMEMBER"
! that we can apply on a second ACL inbound.
ip access-list extended GOING-OUT
permit tcp any any reflect REMEMBER
permit udp any any reflect REMEMBER
permit icmp any any reflect REMEMBER
deny ip any any log
exit
interface fa 4/0
ip access-group GOING-OUT out
do show access-list
ip access-list extended COMING-IN
evaluate REMEMBER
deny ip any any log
exit
int fa 4/0
ip access-group COMING-IN in
exit
do show access-list
2. Context-Based Access Control
Deny everything coming in and inspect traffic as it goes out, so that the returning traffic is dynamically allowed.
conf t
! Deny any initial inbound traffic
ip access-list extended DENY
deny ip any any log
int fa 4/0
ip access-group DENY in
exit
! Create a Context-Based Access Control
! (CBAC) inspection rule to remember
! TCP, UDP and ICMP
ip inspect name REMEMBER TCP
ip inspect name REMEMBER UDP
ip inspect name REMEMBER ICMP
! Apply the inspection rule outbound
! on Fa 4/0
int fa 4/0
ip inspect REMEMBER out
exit
do show ip inspect interfaces
do show ip inspect sessions
3. ZBF
Identify the zones (and add interfaces to them).
Identify the traffic (class maps), e.g. traffic on a particular subnet.
Identify the action (policy maps), i.e. inspect, allow/pass or drop.
Identify the zones involved (zone pair), e.g. IN-TO-OUT.
Specify the policy to use on the zone pair (service-policy); the policy map is matched to a zone pair.
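The five steps above as a working IOS configuration, added here as an example and not taken from the original post; the zone names, the interface numbers (fa 0/0 inside, fa 4/0 outside) and the 10.0.0.0/24 inside subnet are assumptions.

```cisco
! Added example, not from the original post: a minimal ZBF configuration
! that walks the five steps above. Assumed names: zones INSIDE and
! OUTSIDE, inside interface fa 0/0, outside interface fa 4/0, and an
! inside subnet of 10.0.0.0/24 (all hypothetical).
conf t
!
! Step 1: identify zones and put interfaces into them
zone security INSIDE
zone security OUTSIDE
interface fa 0/0
 zone-member security INSIDE
interface fa 4/0
 zone-member security OUTSIDE
exit
!
! Step 2: identify traffic (class maps). A match-any class for the
! protocols, nested in a match-all class restricted to the inside subnet.
ip access-list extended LAN-HOSTS
 permit ip 10.0.0.0 0.0.0.255 any
exit
class-map type inspect match-any LAN-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all LAN-TRAFFIC
 match access-group name LAN-HOSTS
 match class-map LAN-PROTOCOLS
!
! Step 3: identify the action (policy map). "inspect" creates the
! session entry so return traffic is allowed; "pass" would allow the
! packet without remembering it, and class-default drops the rest.
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect LAN-TRAFFIC
  inspect
 class class-default
  drop log
!
! Steps 4 and 5: zone pair INSIDE -> OUTSIDE and the policy applied to it.
! Traffic from OUTSIDE to INSIDE has no zone pair, so it is dropped
! unless it matches a session created by "inspect".
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
exit
!
! Verify the zone pair and the sessions the firewall remembers
do show zone-pair security
do show policy-map type inspect zone-pair IN-TO-OUT sessions
```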