Monday, December 21, 2015

IOS Zone Based Firewall



So far we have seen two different ways to build a firewall: ACLs and proxies.

The third option is stateful filtering, also called "remembering": the router records each session (source IP, destination IP, source port, destination port, TCP flags) in a session table. If returning traffic matches an entry in the session table, it is dynamically allowed back in.

Earlier we had:

1. Reflexive ACLs
config t

! Create an ACL that we will apply
! outbound on Fa 4/0.
! The "reflect REMEMBER" will create
! a reflexive ACL entry called "REMEMBER"
! that we can apply on a second ACL inbound.

ip access-list extended GOING-OUT
permit tcp any any reflect REMEMBER
permit udp any any reflect REMEMBER
permit icmp any any reflect REMEMBER
deny ip any any log
exit

interface fa 4/0
ip access-group GOING-OUT out

do show access-list

ip access-list extended COMING-IN
evaluate REMEMBER
deny ip any any log
exit

int fa 4/0
ip access-group COMING-IN in
exit

do show access-list

2. Context-Based Access Control
Deny everything coming in and inspect traffic as it goes out, so that the returning traffic for those sessions is dynamically allowed.

conf t

! Deny any initial inbound traffic

ip access-list extended DENY
deny ip any any log

int fa 4/0
ip access-group DENY in
exit

! Create a Context-Based Access Control
! (CBAC) inspection rule to remember
! TCP, UDP and ICMP
ip inspect name REMEMBER TCP
ip inspect name REMEMBER UDP
ip inspect name REMEMBER ICMP

! Apply the inspection rule outbound
! on Fa 4/0

int fa 4/0
ip inspect REMEMBER out
exit

do show ip inspect interfaces

do show ip inspect sessions

3. Zone-Based Firewall (ZBF)
Identify the zones (create them and add interfaces to them).
Identify the traffic (class maps), e.g. traffic from a particular subnet.
Identify the action (policy maps): inspect, pass or drop.
Identify the zones involved (zone pair), e.g. IN-TO-OUT.
Specify the policy to use on the zone pair (service-policy): the policy map is attached to the zone pair.
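The five steps above carried through as one complete configuration. This is an added example, not configuration from the original post: it keeps Fa 4/0 as the outside interface (as in the earlier examples) and assumes a hypothetical inside interface Fa 0/0 with the constructed subnet 10.0.0.0/8. Zone, class-map and policy-map names are made up for the example.

```cisco
conf t

! Step 1: zones. Fa 4/0 (outside, as in the examples above) and
! Fa 0/0 (inside, assumed for this example) each join one zone.
zone security INSIDE
zone security OUTSIDE
exit
interface fa 0/0
 zone-member security INSIDE
exit
interface fa 4/0
 zone-member security OUTSIDE
exit

! Step 2: traffic. Constructed inside subnet 10.0.0.0/8 plus the
! protocols we want to inspect. Nesting the match-any class inside
! a match-all class means "from our subnet AND tcp/udp/icmp".
ip access-list extended INSIDE-NET
 permit ip 10.0.0.0 0.255.255.255 any
exit
class-map type inspect match-any INSIDE-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
exit
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-NET
 match class-map INSIDE-PROTOCOLS
exit

! Step 3: action. "inspect" creates the session entry that lets the
! return traffic back in; everything else is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 exit
 class class-default
  drop log
 exit
exit

! Steps 4 and 5: the IN-TO-OUT zone pair with the policy attached.
! There is deliberately no OUT-TO-IN zone pair, so unsolicited traffic
! from OUTSIDE to INSIDE is dropped by the default inter-zone policy.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
exit

! Verify zone membership, the zone pair, and the live session table
do show zone security
do show zone-pair security
do show policy-map type inspect zone-pair IN-TO-OUT sessions
```

Two defaults worth checking after applying this: interfaces in the same zone talk to each other freely, and traffic between two different zones is dropped unless a zone pair with a policy exists for that direction. The router's own traffic (the built-in "self" zone) is allowed by default, so if you need to restrict management access to the router you must add a zone pair involving the self zone and attach a policy to it.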