topic Hello; in Network Security

Protocol ACL in Zone Based Policy Firewall

m.griffith — Tue, 12 Mar 2019 07:05:57 GMT

Hello,

I am working on developing configurations for IOS Zone Based Firewall and have this question.

When creating a class-map to inspect traffic traversing from my trusted INSIDE zone to the OUTSIDE zone, and I want to inspect all protocols, I would create a class-map such as:

class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol tcp
match protocol udp
match protocol icmp

but I have read that this could create problems with certain protocols under tcp (such as ftp), and that ordering matters, so the more specific protocols need to be put before tcp like so:

class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp

Another option I have seen mentioned is to use a permit any any ACL instead like this:

ip access-list extended ALLOW-ALL-PROTOCOLS
permit ip any any

class-map type inspect match-any ALLOWED-PROTOCOLS-CMAP
match access-group name ALLOW-ALL-PROTOCOLS

policy-map type inspect IN-TO-OUT-POLICY
class type inspect ALLOWED-PROTOCOLS-CMAP
inspect
class class-default
drop log

This generates a warning when configuring the policy map that no protocols are defined, and so all protocols will be inspected.

This seems to work fine in the lab, but I am wondering if there is something incorrect about doing it this way that I am missing, and that will come back to bite me later when this starts rolling out to production installations. It seems like a way to avoid any ordering issues if I am trusting all protocols anyway, but I have only seen one example of someone doing it this way instead of matching specific protocols.

Any opinions and input would be appreciated.

Hello;

Maykol Rojas — Mon, 04 Jan 2016 20:09:29 GMT

Hello;

Excellent question. So, all 3 are correct, what you need to be very careful is exactly what you mentioned, protocols that open dynamic ports (I.E passive FTP) where the control channel may not be inspected using the protocol, hence treating it like a normal TCP connection and the secondary connection, if not allowed explicitly, would be dropped.

Rather than doing this:

class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp

I would probably create different class maps for specific protocols and pile them just like you did, more specific first.

Many people configure ZBFW but they normally just leave it like wide open, it is very important to be sure you are locking your device down and not just inspecting traffic.

Cheers.

Mike.

Thanks for your response. I

m.griffith — Tue, 05 Jan 2016 00:51:51 GMT

Thanks for your response. I am locking down my router with C3PL and the self zone. Just did not include that here to avoid confusion from my main question, which as you pointed out, is protocols which may create a secondary connection.

The crux of the questions is, do you know if you just inspect all protocols without defining them specifically with individual match protocol statements (using a permit any any ACL instead), is the ZBF smart enough to order them correctly on its own and compensate for any situations, such as passive ftp secondary channels? It would make the configuration less error-prone if it did work, but if not, it could have the exact opposite result.

Thanks,

Mark