In my previous post I touched on the four parts (Zones & Zone Members, Class Maps, Policy Maps and Zone Pairs) which make up a ZFW configuration. In this post I will explain the “actions” which are used to tell the router how to handle inbound and outbound traffic flows.
Actions are applied to Class Maps which as they’re being nested in Policy Maps. (Don’t worry if that sentence confuses you, it’ll all become clear when I show you an example a little later on). As per Cisco’s website, there are three actions to choose from:
- Drop – Drops packets which are matched by the Class Map.
- Pass – Allows packets which are matched by the Class Map through in one direction
- Inspect – Works exactly like CBAC.
The “drop” action does exactly what its name implies – it drops traffic which is matched by a Class Map. A great place to use this action is the connection between your WAN interface and the router’s “self” zone. You might recall at the end of my last post I mentioned that all traffic destined for and sourced from the router (aka the “self” zone) is allowed by default. By implementing the “drop” action you can close off this security hole.
Cisco’s Zone-Based Policy Firewall (ZFW) can be quite confusing when you first start looking in to it, so over the next couple of blog posts I hope to provide readers with some useful information. Having said that, I’ll do my best to avoid reinventing the wheel given that Cisco has already done a great job of documenting ZFW.
ZFW is made up of several “parts”, which, once all put together form a fully functional firewall. These parts are:
- Zones & Zone Members
- Class Maps
- Policy Maps
- Zone Pairs
Zones & Zone Members
As the name suggests, ZFW requires that you put interfaces in to zones. The idea is that you put your interfaces in to zones and then apply inter-zone firewall rules which will permit or deny traffic flows.
There are two types of you need to be aware of:
There are many ways you can block users from accessing websites they shouldn’t be, such as firewalls, proxy servers, DNS servers, etc. However, if you have a small setup, chances are you may not have any of these in place already, and you may be reluctant add another piece of equipment to your network.
This is where your Cisco router can come to the rescue again.
(Note: No matter how small your network is, it is highly recommended that you do use firewall(s) to protect your network, whether they come in the form of software installed on each PC, or CBAC configured on your border router).
Using NBAR and a policy map, you can have your URL filtering set up in a matter of seconds. Here’s an example:
class-map match-any BLOCKED_SITES
match protocol http host "*facebook*"
match protocol http host "*youtube*"
service-policy output DROP_TRAFFIC
In my previous CBAC post I covered how to deny all external traffic unless it is in response to a request someone on the LAN has made, e.g If you send a ping, CBAC will allow the ping reply traffic to come through the firewall.
However, this situation may not be ideal for everyone. What if you wanted to allow one or more protocols in to your network but still have the security that CBAC provides? For example, if you wanted a contractor to be able to SSH in to your network any time, day or night? I will show you how using the same topology as last time (except you will see that R3 has been renamed to SSH Source). Our goal is to allow R3 to SSH in to R2 without being blocked, while still blocking R4 (hacker) completely.
In a previous post I talked about CBAC and a few of the ways in which it, in conjunction with NBAR can be used to secure your network. Today I will create a lab to show you how to put it to good use.
In this lab we have four routers, R1, R2, R3 and R4 (very original I know). Here are there designations:
- R1 = Local LAN – Your network
- R2 = Core – The core of your network and your internet connection
- R3 = Ping Destination – A location you want to ping to
- R4 = Hacker – A hacker that is trying to access your network
Now in order to protect the network we need to apply access lists and CBAC rules to the interfaces which are connected to untrusted networks. As per the diagram, this would be interface Fa0/0 and Fa1/0.
In my previous post I mentioned the Cisco IOS firewall feature known as CBAC (Context-Based Access Control). Today I will describe it in more detail and explain how you can use it to increase the security of your network.
As you may know, a firewall is used to protect your network from the outside world and all of the nasty hackers out there. With each passing day hackers’ intrusion techniques are become more advanced and highly complex, and unfortunately basic ACLs are simply not good enough to protect you anymore. Thankfully CBAC (more commonly known to the wider I.T community as Stateful Packet Inspection, (SPI)) has come to the rescue.
CBAC, with the help of NBAR, reads the packets coming in to and going out of your network and creates dynamic ACL entries that will either permit or deny these traffic flows.
NBAR, also known as Network Based Application Recognition is an invaluable tool that many people do not know exists or simply just don’t use it enough.
As the name suggests, NBAR reads packets that flow through a router and “recognises” the types of applications that are sending the packets. Examples of applications that can be recognised include:
- HTTP URL Addresses
- Bit Torrent
- Many, many more!
And the good news is that this handy little feature can be put to use in many different ways, some of which I have discussed below.
NBAR & Access Control
Before NBAR came along, one of the techniques Network Administrators woulduse to stop users from getting up to mischief was blocking “bad” ports. However, with a little bit of know how it is very easy to change ports thereby making the “bad” traffic look like legitimate traffic. By using NBAR you don’t need to specify port numbers, you just specify the application that you would like to block, apply it to an interface and you’re done. Because NBAR reads the packets (up to, and including Layer 7 information), it is still able to block the traffic even if the users change their port numbers.
Note: NBAR can be used in conjunction with Context-Based Access Control (CBAC) to create an extremely effective firewall on a Cisco router.