ZONE BASED FIREWALLS PART 2

SELF-ZONE is related to traffic originated by the router or traffic coming to the router. E.g.
Router to access the AAA Server
Router to telnet to other elements.
Routing protocols to send their updates to their neighbours.
In this part below are the topics to be concluded.
1. Configure inspection of Control-Plane and management-plane traffic.
2. Tune stateful engine and connection settings.
3. Configure transparent mode, VRF support and NAT integration.
CONFIGURING INSPECTION OF CONTROL-PLANE AND MANAGEMENT PLANE TRAFFIC
This is achieved through self-zone. Which is automatically created on created any INSIDE or OUTSIDE
zone.


By default SELF-ZONE can communicate with all the interfaces and all the interfaces can
communication with the SELF-ZONE.
We can control the traffic originated by the SELF-ZONE or destined to SELF-ZONE.
Configuration Tasks.
Configure an inbound policy for the SELF-ZONE (Optional).
Configure an outbound policy for the SELF-ZONE (Optional).
Scenario is as below.

Verify the configuration using
CISCO_ISR#show zone security
To allow ICMP protocol from
CISCO_ISR(config)#class-map type inspect CM_ICMP
CISCO_ISR(config-cmap)#match protocol icmp
CISCO_ISR(config)#policy-map type inspect PM_ICMP
CISCO_ISR(config-pmap)#class CM_ICMP
CISCO_ISR(config-pmap-c)#inspect
CISCO_ISR(config-pmap-c)#exit
CISCO_ISR(config-pmap)#exit
CISCO_ISR(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
CISCO_ISR(config-sec-zone-pair)#service-policy type inspect PM_ICMP
CISCO_ISR#show policy-map type inspect zone-pair (VERIFICATION COMMAND)

This configuration has only implemented the ping from the INSIDE zone to the OUTSIDE zone
through the router it self. But if we want to implement a policy on ping from INSIDE zone to the
SELF-ZONE and vice versa; we can do it as below.
In below example; We will allow the incoming ping from the INSIDE to SELF zone.





In below example; we will deny any incoming traffic from DMZ to SELF or from OUT-TO-SELF.

Finally configuring an outbound policy for the SELF zone. i.e. allow router to ping to any host in
INSIDE zone. And then allow router to send traffic to TACACS server.

Implementation Guidelines:
Consider the following implementation Guide-Lines.
Use the SELF-ZONE to protect the router against attached by permitting minimal required
connectivity.
Use the SELF-ZONE to avoid creation stateless rules for TCP sessions from the router (SSH,
TACACS+, H.323, DLSw, and so on).
Not creating SELF related zone pairs and policies will result in a default permissive policy.


TUNING STATEFUL ENGINE & CONNECTION SETTINGS
It is not recommended to change these timers as CISCO has already tuned these timers to fit anyone
needs. But still these timers are changeable.

Default inspection timers are as below.

There are also TCP Normalizer functions in Zone Based Firewalls. Zone. If some packets are changed
or are trying to hide their protocols; Zone based firewall can reassemble the packets and then can
check what is inside the packet.

We can use Parameter Maps to tune the inspection behaviour and can achieve the results for TCP
Normalizer. But we can only do it when we are inspecting traffic.

Configuration Tasks :
1. Configure stateful tracking timers (Optional).
2. Configure session logging also called Auditing (Optional).
3. Configure connection limits (Optional).
4. Tune TCP normalizer parameters (Optional).
5. Tune PAM (Port-to-Application Mapping). (Optional).




SCENARIO :

Below is how we can tune it.

audit-trail on will do the auditing of the inspected session.
Sessions maximum 500 will limit the sessions to 500 only.







To enable the TCP normalization Globally on the Zone Based Firewall.
Type OOO is Out of Order packets.

ip port-map ftp tcp 2121 will be used to match the tcp port 2121 with ftp port number.
Implementation Guidelines:
Only tune when you need to tune these. It could cause an application to break.
Exercise Care if you are relaxing TCP normalizer parameters. It may cause unreliable application-
layer filtering.
CONFIGURING SUPPORT FOR TRANSPARENT MODE, VRF, and NAT
The Zone-based firewall can run in two modes.
Routed (Default) : Layer 3 firewall where forwarding of traffic is based on IP addresses.
Transparent : Layer 2 Firewall, where forwarding of traffic is based on MAC addresses; all routing
decisions done by neighbouring routers and hosts.

Transparent mode firewall is also called a BUMP-IN-THE-WIRE. Transparent firewall is not routing
the traffic but it is operating based on MAC-ADDRESSES.
To setup the Transparent firewall; we need to configure integrated Routing & Bridging (IRB) on our
IOS router.

VRF-Aware FIREWALL
Zone-Based Policy Firewall supports CISCO IOS Software virtualization by being VRF-Aware.
You can configure zones on VRF-enabled interfaces to virtualize policy.
Special Zone-Based Policy Firewall configuration is not required.

Zone-Based Policy Firewall VRF Configuration Example.

Document everything as additional layer of complexity is being added to IOS Configuration by
implementing VRF Configuration into Zone-Based Firewalls.

NAT and Zone-Based Policy Firewall Configuration Example

Other than above; also create the Zone-Pair and assign the Service-Policy to those Zone-Pairs and we
are good to do with Natting on Zone-Based Firewall.
TROUBLESHOOTING LOGIC FOR ZONE-BASED FIREWALL

Session Allowed by Policy : NO If YES : Goto Check Classes and Policy
Verify Policy Permissions
show logging
show policy-map type inspect zone-pair sessions
debug policy-firewall events
debug policy-firewall list
Check Classes and Policy : NO If YES: Go to Check PAM
verify that session is permitted by the expected rule
show policy-map type inspect zone-pair
Check PAM : NO If YES: Go to Verify Proper Inspection
verify Proper port mapping for non-standard ports.
show ip port-map
Verify Proper Inspection : NO Keep Checking from above until Session is allowed
Verify absence of TCP queries and application layer issues.
debug policy-firewall protocol
debug policy-firewall list
Remember that debug can be minimized to only problematic hosts and destinations using IP ACL
having the IP Addresses of Problematic HOSTS and DESTINATIONS.