Jeff Moore
Lab Extension Report #3
Professor Shaffer
INT 685 VA Fall‘13
10/22/13

Chapter 4 Lab A:
Configuring CBAC and Zone-Based Firewalls

Introduction

Originally, Cisco IOS firewalls were configured with access control lists, also known as ACLs, with filtering IP traffic and monitoring established traffic patterns. Today, Cisco IOS firewall configurations have evolved into a process called context-based access control, or CBAC. CBAC makes configuring firewalls easier and gives the administrator greater jurisdiction over various types of application traffic originating from inside and outside of the protected network. For simple networks with a single inside and outside interface, CBAC is easier to configure than traditional Cisco IOS firewalls. Configurations with multiple interfaces and DMZ requirements can become complex and difficult to manage using CBAC. In this case, Cisco Configuration Professional, or CCP, uses a method called a zone-based policy firewall, also known as ZBF, ZPF or ZFW. A zone-based policy firewall provides the same type of functionality as CBAC, but is better suited for multiple interfaces that have similar or varying security requirements. Zone-Based Policy Firewall changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. While Auto Secure generates a CBAC firewall, CCP generates a ZBF firewall by default.

Overview

In this report, chapter 4 lab A is used as a base lab. In this lab a multi-router network is built and routers and hosts are configured with names, interface IP addresses, and access passwords. EIGRP dynamic routing protocol is also configured and Nmap port scanner is utilized to check for router vulnerabilities. Auto Secure is implemented to configure a basic CBAC firewall and verification of firewall functionality is ensured by examining the resulting configuration of the CBAC firewall. Cisco Configuration Professional, CCP, is used to configure a simple zone-based policy firewall. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity. This allows different inspection policies to be applied to multiple host groups connected to the same router interface. Zones establish the security borders of the network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of your network. Zone-based firewall’s default policy between zones is deny-all and if no policy is explicitly configured, all traffic moving between zones will be blocked by default.

Proposed Question or Problem Investigated

Both CBAC and ZFW are capable of application layer filtering, in addition to their duties at the network and transport layers, however, ZFW is fully capable of deep packet inspection, and has the advantage of being able to apply policy across groups of interfaces. Data networks frequently benefit with the ability to limit the transmission rate of specific types of network traffic, and to limit lower-priority traffic’s impact to more business-essential traffic. Cisco IOS software offers this capability with traffic policing, which limits traffic’s nominal rate and burst called Rate Policing. This provides the convenience of offering one configuration point to describe specific traffic, apply firewall policy, and police that traffic’s bandwidth consumption. ZFW policing also introduced session control to limit the session count for traffic in a policy-map matching a class-map. This adds to the existing capability to apply DoS protection policy per class-map. Effectively, this allows granular control on the number of sessions matching any given class-map that cross a zone-pair.
Preparation and Procedure
Configuring ZFW Policing: ZFW policing limits traffic in a policy-map’s class-map to a user-defined rate value between 8,000 and 2,000,000,000 bits per second, with a configurable burst value in the range of 1,000 to 512,000,000 bytes. ZFW policing is configured by an additional line of configuration in the policy-map, which is applied after the policy action: policy-map type inspect private-allowed-policy class type inspect http-class inspect police rate [bps rate value <8000-2000000000>] burst [value in bytes <1000-512000000>]
Session control is applied by configuring a parameter-map that contains the desired session volume, then appending the parameter-map to the inspection action applied to a class-map under a policy-map: parameter-map type inspect my-parameters sessions maximum [1-2147483647] policy-map type inspect private-allowed-policy class type inspect http-class inspect my-parameters

Results

Parameter-maps can only be applied to the inspect action, and are not available on pass or drop actions. ZFW’s session control and policing activities are visible with this command:

show policy-map type inspect zone-pair

policy exists on zp zp Zone-pair: zp Service-policy inspect : fw Class-map: x (match-any) Match: class-map match-any y 2 packets, 48 bytes <======== Cumulative class map counters are incrementing. 30 second rate 0 bps Match: protocol tcp 0 packets, 0 bytes <===== The match for the protocol is not incrementing. 30 second rate 0 bps Match: protocol icmp 0 packets, 0 bytes 30 second rate 0 bps Inspect Number of Established Sessions = 1 Established Sessions Session 53105C0 (1.1.1.2:19180)=>(2.1.1.2:23) tacacs:tcp SIS_OPEN Created 00:00:02, Last heard 00:00:02 Bytes sent (initiator:responder) [30:69] Class-map: class-default (match-any) Match: any Drop 0 packets, 0 bytes

Conclusion

In conclusion, ZFW is a very effective firewall feature, which can reduce firewall implementations when compared to basic methods like static ACLs. It has a great potential to help you secure your network when combined with other technologies. It can also add value to core routers by limiting the transmission rate of specific types of network traffic, and to limit lower-priority traffic’s impact to more business-essential traffic.