Zone-Based Policy Firewall

 Today we are going to do a step by step configuration of Zone-Based Policy Firewall (ZPF). First we will discuss about ZPF and then dive into the configuration. A good place to start is by going to Cisco.

This is what Cisco says about  Zone-Base Policy firewall.

Zone-Based Policy Firewall (also known as Zone-Policy Firewall, or ZFW) changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.

Firewall policies are configured with the Cisco® Policy Language (CPL), which employs a hierarchical structure to define inspection for network protocols and the groups of hosts to which the inspection will be applied. 

Rules For Applying Zone-Based Policy Firewall

Router network interfaces’ membership in zones is subject to several rules that govern interface behaviour, as is the traffic moving between zone member interfaces:

• 1. A zone must be configured before interfaces can be assigned to the zone.
  2. An interface can be assigned to only one security zone.
     
  3. All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.
     
  4. Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
     
  5. In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
     
  6. The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.
     
  7. Traffic cannot flow between a zone member interface and any interface that is not a zone member. Pass, inspect, and drop actions can only be applied between two zones.
     
  8. Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection/CBAC configuration.
     

 

 First let us do the basic configuration to establish connectivity within AS 100. Here is the basic configuration.

IOU1

====
conf t
hostname IOU1
int eth0/0
ip add 192.168.14.1 255.255.255.0
no shut
exit
int eth0/2
ip add 192.168.12.1 255.255.255.0
no shut
exit
int eth0/3
ip add 192.168.13.1 255.255.255.0
no shut
exit
int loopback0
ip add 1.1.1.1 255.255.255.255
exi

router eigrp CCIE
address-family ipv4 autonomous-system 100
network 0.0.0.0 255.255.255.255
=======================================================
IOU2
====
conf t
hostname IOU2
int eth0/2
ip add 192.168.12.2 255.255.255.0
no shut
exit
int loopback0
ip add 2.2.2.2 255.255.255.255
exit

router eigrp CCIE
address-family ipv4 autonomous-system 100
network 0.0.0.0 255.255.255.255
=======================================================
IOU3
====
conf t
hostname IOU3
int eth0/3
ip add 192.168.13.3 255.255.255.0
no shut
exit
int loopback0
ip add 3.3.3.3 255.255.255.255
exit

router eigrp CCIE
address-family ipv4 autonomous-system 100
network 0.0.0.0 255.255.255.255
=======================================================
IOU4
====
conf t
hostname IOU4
int eth0/0
ip add 192.168.14.4 255.255.255.0
no shut
exit
int loopback0
ip add 4.4.4.4 255.255.255.255
exit

router eigrp CCIE
address-family ipv4 autonomous-system 100
network 0.0.0.0 255.255.255.255

=======================================================

Lets verify connectivity. It was verified that all the devices can ping each others loopbacks.

The security policy requirement in AS 100 is as follows:

1. R1 is to be managed from the Outside network with only Telnet and SSH. It is not a good idea to use Telnet from outside  to manage a network. This is just an example to show how ZPF works. It is also required that R1 should accept Ping from the Outside network as well. You will realise that all this traffic is destined to the router itself which will require the use of the Zelf Zone. The Zelf Zone is meant for traffic destine to the router itself, while the user defined Zones are meant for traffic traversing the router.

2. The inside user simulated as R2's loopback (2.2.2.2) is allowed everything.

3. The outside user simulated by R3's loopack(3.3.3.3) is allowed to to access the DMZ web server (4.4.4.4) and also to be able to ping the DMZ to test connectivity.

Solution:

These are the basic steps in creating a ZPF:

11.  Create the Zones for the firewall.

–     zone security “zone security name”

22.  Assign Router Interfaces to zones.

–     zone-member security “zone security name”

33. Create zone-pairs

zone-pair security “zone pair name” source “source security name” destination “destination zone security name”

44. Define Traffic Classes.

- class-map type inspect “class map name”

55. Specify Firewall Policies.

- policy-map type inspect “policy map name”

66. Apply Firewall Policies to pairs of source and destination zones.

      - Zone-pair security “zone pair name” source “source zone security name” destination “destination zone security name”

 service-policy type inspect “Policy map name”

  

1. First we create the zones:

 2. Assign zones to interfaces:

Let us verify rule number 3 which states:

 All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.

This results shows that the only traffic that was accepted was the one destined to the router itself R1's loopback0.

3. Create zone-pairs

The zone created are:

 

Please note that the self zone is created by default. You do not create it.

4. Define traffic class.
Let us do the first requirement and then do the others.

5. Specify Firewall policy.

Note that for a class map to be applied to the self zone the inspection type should be pass or drop but not inspect.

 6. Apply firewall policies to zone pairs.

Now we can test from the IOU3 to see if the requirements are met. We will telnet to R1. To test that hhttp (port80) is not allowed, we will telnet with a port of 80 as well.

The log messages at IOU1 also verified that port 80 was closed.

 ==================================================
Let us now do requirement two. To allow the internal users access to everything.

We will continue from step 4.
4. Define the class maps

5. Specify firewall policy

 6. Apply firewall policies to zone pairs on IOU1.

Now we can test from IOU2 to see if the requirements are met.

=========================================================
now lets do requirement 3:
The outside user simulated by IOU3's loopack(3.3.3.3) is allowed to access the DMZ web server (4.4.4.4) and also to be able to ping the DMZ to test connectivity.

At the moment  the outside user cannot do any of the above requirements.

We will continue from step 4.
4. Define the class maps

5. Specify firewall policy

  6. Apply firewall policies to zone pairs on IOU1.

Let us test our policy.

It seems we have a little bit of a challenge here. The pings are not going since we are in a learning process, it give us an opportunity to sharpen our troubleshooting skills.

Let us check what is going on IOU1. Lucky for us we have enabled the default class with log. On IOU1 the log shows that the ping was categorised in our default class. This clearly tells us that we have issues with our class called OUTSIDE_TO_DMZ. It could be that we did not reference the correct class map in our policy map or the class map itself have some issues.

Le us issue the show class-map type inspect at IOU1 to view our class-map.

Have a look at the above show command output and tell me what is wrong. With a close look you will realise that our class map is a match all. When you issue the class map command without putting match-any or match-all keywords it defaults to match-all. With match all, we are now looking for a packet that is both ICMP and HTTP at the same time!! There is no such packet and hence we are not matching anything. This is the reason why the default class is catching everything!! We need to edit the class map and make it a match any. With this done we were able to ping and test that port 80 (HTTP) was open for IOU3.

We can also verify that apart from these two services IOU3 is not allowed others services to the DMZ. It cannot do a plane telnet to it.

To verify all what we have done, we can do four important commands show class-map type inspect, show policy-map type inspect, show zone-pair security and show zone security.

Once again thanks for reading and I do hope that you really enjoyed it. Comments and feedback are highly welcome.

Cisco IOS IPsec site-to-site VPNs

This is what Cisco says about IPsec VPNs. "When a growing organization expands to multiple locations, one of the challenges it faces is how to interconnect remote sites to the corporate network. As network security risks increase and regulatory compliance becomes essential, it is important to address these critical needs.
You can dramatically increase the reach of your network without significantly expanding your infrastructure by using Cisco IOS IPsec VPNs. IPsec is a robust, standards-based encryption technology that enables your organization to securely connect branch offices and remote users and provides significant cost savings compared to traditional WAN access such as Frame Relay or ATM. One of the most widely deployed network security technologies today, IPsec VPNs provide high levels of security through encryption and authentication, protecting data from unauthorized access". Now let us set our typology.

In this scenario company A has its headquaters located in London and a branch office located in Banjul. The easiest and cheapeast way of connecting two sites one in Europe and the other in Africa is by using the Internet. In this case, we will use the Internet but one big issue about the Internet is that it is less secure than private networks. This is where the Cisco IOS IPsec VPNs can help us. With the IPsec VPNs we form two secure tunnels through the Internet. First IKE Phase 1 forms the tunnel to share the secret key information. Once this is done the second tunnel is created in IKE pahse 2 to securely transport the data between the sites.
==============================================================
Let us build the basic network without the IPsec first and examine it.
 R1
==
ena
conf t
hostname R1
int fastEthernet 0/0
ip add 192.168.1.1 255.255.255.0
no shut
exit
int serial 1/0
ip add 192.168.12.1 255.255.255.252
no shut
exit
router ospf 1
network 192.168.12.1 0.0.0.0 area 0
exit
ip route 0.0.0.0 0.0.0.0 192.168.12.2
==========================================
R2
==
ena
conf t
hostname R2
int serial 1/0
ip add 192.168.12.2 255.255.255.252
no shut
exit
int serial 1/1
ip add 192.168.23.2 255.255.255.252
no shut
exit
router ospf 1
network 192.168.12.2 0.0.0.0 area 0
network 192.168.23.2 0.0.0.0 area 0
========================================
R3
==
ena
conf t
hostname R3
int fastEthernet 0/0
ip add 10.1.1.1 255.255.255.0
no shut
exit
int serial 1/1
ip add 192.168.23.1 255.255.255.252
no shut
exit
router ospf 1
network 192.168.23.1 0.0.0.0 area 0
exit
ip route 0.0.0.0 0.0.0.0 192.168.23.2
 =============================================
Let us verify that London HQ (R1) cannot reach Banjul Branch by making an extended ping sourcing it from the FastEthernet 0/0 on London to the FastEthernet 0/0 of Banjul.

The output has clearly shown that the two sites, local networks cannot reach each other.

With IPsec, we can buld the tunnels between the two sites using the Internet. All that you need is that, there is reachibility between R1 and R3 through the Internet. We can verify this, by making an extended ping, sourcing it from the serial 1/0 on London to the serial 1/1 of Banjul. This path is what we are simulating as the Internet.

The ping was successul, meaning that there is reachibility through the Internet. We can now build the IPsec tunnels to connect the two sites. To build a tunnel between two points there must be reachibility between the points where the tunnel is going to be built.

Step 1: ISAKMP policy – This where we configure the parameters that will be used for the IKE phase 1 tunnel.
At R1
====
crypto isakmp enable

crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
lifetime 36000
exit
crypto isakmp key cisco address 192.168.23.1
==============================================
At R3
====
crypto isakmp enable

crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
lifetime 36000
exit
crypto isakmp key cisco address 192.168.12.1
===============================================
Crypto isakmp enable -- This enable isakmp, however it is good to note that it is enabled by default.
crypto isakmp policy 10 -- When a router tries to negotiates IKE phase 1 tunnel if configured with multiple policies it sends all the policies to the remote peer. The remote peer will then compare the policy  priority numbers it received to its configured isakmp polices starting with the smallest then work up in order until a match is met.

encryption aes 256 -- This configures aes as the encryption use for the IKE phase 1 tunnel.
hash sha -- This configures sha as the hashing algorithm.

===================================================

Step 2: Transform Set --  This where we configure the parameters that will be used for the IKE phase 2 tunnel  (the IPSEC tunnel).

 R1

==

crypto ipsec transform-set MYTRANSFORM esp-aes 256 esp-sha-hmac

R3

==

crypto ipsec transform-set MYTRANSFORM esp-aes 256 esp-sha-hmac

========================================================

The transform set command defines the following:  

- ESP-AES - Encryption method

- Esp-sha-hmac - Hashing algorithm

 =======================================================
Step 3 -- ACL This where we create an extended ACL to define what traffic often called the interesting traffic will be sent over the VPN.
R1
==
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
R3
==
 access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

====================================================
The acls allows the traffic coming from R1's and R3's loopback over the tunnel

Step 4 -- Crypto map -- This is where we bind the two tunnel configuration together.

R1
==
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.1
 set transform-set MYTRANSFORM
 set pfs group5
 match address 100
 exit
=======================
R3
==
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set MYTRANSFORM
 set pfs group5
 match address 100
 exit
=========================

Step 5 -- Apply the crypto map to the specific interfaces.

R1
==
int serial 1/0
ip add 192.168.12.1 255.255.255.252
crypto map MYMAP
no shut
exit
===========================
R3
==
int serial 1/1
ip add 192.168.23.1 255.255.255.252
crypto map MYMAP
no shut
exit
===========================
Let us test the IPsec VPN by trying the ping that was denied previousely.

From the ping we can see that 19 packets out of the 20 have been sent. The lost packet might be lost due to arp or the time it takes to established the tunnels.

With the show crypto ipsec sa we can see that all the 19 packets have bee encrypted!!!

Configuring a Cisco Router as a Frame Relay Switch

 First we configure R4 as a frame-relay switch with the frame-relay switching command. We then configure the serial interfaces that connect the routers to the frame relay switch . Serial 1/1 connects to R1. The encapsulation frame-relay command tells the serial interface to actually run frame relay. The clock rate has also been configured. The frame-relay intf-type dce command is very important. It tell the router to be the dce device. The frame-relay route interface configuration command is used to route an incoming DLCI to an outgoing interface and corresponding outgoing DLCI. It is also very important. For example frame-relay route 102 interface Serial 1/2 201 under the serial 1/1 means that if a frame enters interface serial 1/1 with DLCI 102 in the frame-relay header, it will be switch out interface serial 1/2 with DLCI 201.

Frame Relay Switch
==================
frame-relay switching
!
interface Serial 1/1
 description R2 Serial
 no ip address
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 102 interface Serial 1/2 201
 frame-relay route 103 interface Serial 1/3 301
 no shutdown
exit
interface Serial 1/2
 description R2 Serial
 no ip address
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 201 interface Serial 1/1 102
 no shutdown
exit
interface Serial 1/3
 description R3 Serial
 no ip address
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 301 interface Serial 1/1 103
 no shutdown
=================================================
Let us test the Frame Relay switch now.

======================================================================================

With this our frame-relay switch is good to go!! Let us test it by running OSPF on it.

R1

==

conf t
int ser 1/0
encapsulation frame-relay
no shut
exit
int ser 1/0.102 point-to-point
ip add 192.168.12.1 255.255.255.252
frame-relay interface-dlci 102
exit
int ser 1/0.103 point-to-point
ip add 192.168.13.1 255.255.255.252
frame-relay interface-dlci 103
exit
interface loop 0
ip add 1.1.1.1 255.255.255.255
exit
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
================
R2
==
Conf t
int ser 1/0
encapsulation frame-relay
no shut
exit
int ser 1/0.201 point-to-point
ip add 192.168.12.2 255.255.255.252
frame-relay interface-dlci 201
exit
interface loop 0
ip add 2.2.2.2 255.255.255.255
exit
router ospf 1
network 0.0.0.0 255.255.255.255 area 0

=========================
R3
==
Conf t
int ser 1/0
encapsulation frame-relay
no shut
exit
int ser 1/0.301 point-to-point
ip add 192.168.13.2 255.255.255.252
frame-relay interface-dlci 301
exit
interface loop 0
ip add 3.3.3.3 255.255.255.255
exit
router ospf 1
network 0.0.0.0 255.255.255.255 area 0

============================================
Testing with show commands and ping

Configuring frame relay switch on a Cisco Packet Tracer.

1. Setup the topology as show by simply dragging the devices.

                     







2. Double click on R1 and then switch off the power button as show in the diagram. This will enable you to add an interface card module to the router. Notice that all the interface slots are empty.

3. Drag a WIC-2T interface card to slot zero of the router.

4. Turn on the router by clicking on the power button. It will turn green. Repeat these steps for the other routers as well.

Configuring the Cloud for Frame-relay point-to-point networks.

1. Double click on the cloud icon. A window like this will open.

2. Click on the Config tab. A window like this will open. To configure the cloud as a frame-relay switch, all we are interested are the serials of the cloud that connect our routers and the Frame Relay tab, where we do the sublinks.

The topology shows that R1, R2 and R3 are using their serial 0/0/0 interfaces to connect to the cloud serial 1, 2 and 3 interfaces respectively.

The cloud, our frame-relay switch is using DLCI 102 and 103 on its serial 0 which is connected to R1’s se0/0/0. It is using DLCI 201 and 301 on its serial 2 and 3 which are connected to R2’s se0/0/0 and R3’s se0/0/0 respectively as shown above. Notice that in our DLCI naming convention e.g. DLCI 102, the 1 refers to router 1 the 0 for the cloud 0 in case you using multiple clouds and 2 refer to the other router we wish to connect to. The DLCIs are locally significant. Notice also that the DCE end of the cable connect to the frame-relay switch end.

3. Click on serial 1 of the cloud interface and add the DLCIs 102 and 103 as shown below. Notice that for simplicity, you can use the DLCI number as the name for the DLC

4. Click on serial 2 of the cloud interface and add DLCI 201.

5. Click on serial 3 of the cloud interface and add DLCI 301.

At this point all that we have done was putting DLCIs to our frame-relay switch. This is not enough to make the cloud a frame-relay switch. If you imagine that these DLCIs for our PVCs are like pipes that carry data, then you will soon realise that, if we want to carry data across the frame-relay switch, then we need to join the pipes. This is done in packet tracer by making sublinks.

6. Let us say that now we want to connect
R1 DLCI 102 to R2 DLC 201
R1 DLCI 103 to R3 DLCI 301.
Also note that the connections are bidirectional. Click on the Frame Relay tab and do the sublinks.

With this our frame-relay switch is good to go!! Let us test it by running OSPF on it.
R1
==
conf t
int ser 0/0/0
encapsulation frame-relay
no shut
exit
int ser 0/0/0.102 point-to-point
ip add 192.168.12.1 255.255.255.252
frame-relay interface-dlci 102
exit
int ser 0/0/0.103 point-to-point
ip add 192.168.13.1 255.255.255.252
frame-relay interface-dlci 103
exit
interface loop 0
ip add 1.1.1.1.1 255.255.255.255
exit
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
================
R2
==
int ser 0/0/0
encapsulation frame-relay
no shut
exit
int ser 0/0/0.201 point-to-point
ip add 192.168.12.2 255.255.255.252
frame-relay interface-dlci 201
exit
interface loop 0
ip add 2.2.2.2 255.255.255.255
exit
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
=========================
R3
==
int ser 0/0/0
encapsulation frame-relay
no shut
exit
int ser 0/0/0.301 point-to-point
ip add 192.168.13.2 255.255.255.252
frame-relay interface-dlci 301
exit
interface loop 0
ip add 3.3.3.3 255.255.255.255
exit
router ospf 1
network 0.0.0.0 255.255.255.255 area 0

Testing with show commands and ping