topic Re: Application Inspection of ZBF Router in Network Security

Application Inspection of ZBF Router

Odys (CSC) — Tue, 12 Mar 2019 02:51:24 GMT

Hello there,

I just wanna verify what I've learned about:

Stateful Inspection (packet filtering up to L5) and

Application Inspection (packet filtering up to L7)

Regarding an IOS ZBF (IOS ver 12.4(20)T on a router, do these commands implement Application Inspection ?

(I mean: do they satisfy a protocol like ftp and enable the router to learn about dynamic ports and unwanted activities?)

class-map type inspect match-any CM

match protocol ftp

match protocol http

policy-map type inspect PM

class type inspect CM

inspect

zone-pair security IN-OUT source inside destination outside

service-policy type inspect PM

or do they implement Stateful Inspection only ? if so yes, how to add Application Inspection feature (on ftp traffic ,for example)?

1 more question, is "application-specific matching" another expression of "application inspection feature" ?

thanks !

Application Inspection of ZBF Router

Julio Carvajal — Sat, 12 Oct 2013 19:31:41 GMT

Hello Odysious,

When you match traffic on a class-map with the match protocol http or ftp you are indeed matching a L7 protocol so when you inspect this class-map on a policy-map you will be handeling a L7 policy-map which means application stateful (so if a protocol like FTP that uses additional channels the Router will be able to open the right pinholes).

I hope I was clear hehe

Let me know anyway

Re: Application Inspection of ZBF Router

Odys (CSC) — Sun, 13 Oct 2013 17:43:30 GMT

Julio,

Refering to the following doc, I think you're wrong. L7 inspection uses "parameter-maps" or something like that.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Actually that doc is too tough to me and I can't get the answer from it. I know it's there, but it's very hard to me to find it.

Re: Application Inspection of ZBF Router

Julio Carvajal — Sun, 13 Oct 2013 18:33:42 GMT

Hello,

No I am not.. 101 % sure about it!.

You use parameter-maps, L7 class maps and L7 policy-maps in order to do specific L7 tasks such as blocking files that contains certaing strings or block websites, etc. etc.

But still matching traffic with a match protocol and using the keyword inspect will be a l7 action as the router will get into the content of the packets to make sure the protocol is honored.

Hey remember to rate all of the helpful posts,

If you do not know how, just let me know.

Regards

Re: Application Inspection of ZBF Router

Odys (CSC) — Mon, 14 Oct 2013 08:25:39 GMT

Have u looked at the example in the above maintioned link ?

Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier:

conf t
 class-map type inspect match-any internet-traffic-class
  match protocol http  match protocol https  match protocol dns  match protocol icmp

Configure a policy-map to inspect traffic on the class-maps you just defined:

conf t
 policy-map type inspect private-internet-policy
  class type inspect internet-traffic-class
   inspect

Configure the private and Internet zones and assign router interfaces to their respective zones:

conf t
zone security private
zone security internet
int bvi1            
zone-member security private
int fastethernet 0
zone-member security internet

Configure the zone-pair and apply the appropriate policy-map.
Note: You only need to configure the private Internet zone pair at present in order to inspect connections sourced in the private zone traveling to the Internet zone:
```
conf t
 zone-pair security private-internet source private destination internet
  service-policy type inspect private-internet-policy
```
This completes the configuration of the Layer 7 inspection policy on the private Internet zone-pair to allow HTTP, HTTPS, DNS, and ICMP connections from the clients zone to the servers zone and to apply application inspection to HTTP traffic to assure that unwanted traffic is not allowed to pass on TCP 80, HTTP’s service port.

Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier:
```
conf t
 class-map type inspect match-any L4-inspect-class
 match protocol tcp match protocol udp match protocol icmp
```

Configure policy-maps to inspect traffic on the class-maps you just defined:

conf t
 policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect

Configure the clients and servers zones and assign router interfaces to their respective zones:

conf t
zone security clients
zone security servers
int vlan 1            
zone-member security clients
int vlan 2
zone-member security servers

Configure the zone-pair and apply the appropriate policy-map.
Note: You only need to configure the clients-servers zone-pair at present, to inspect connections sourced in the clients zone traveling to the servers zone:
```
conf t
 zone-pair security clients-servers source clients destination servers
  service-policy type inspect clients-servers-policy
```
This completes the configuration of the Layer 4 inspection policy for the clients-servers zone-pair to allow all TCP, UDP, and ICMP connections from the client zone to the server zone. The policy does not apply fixup for subordinate channels, but provides an example of simple policy to accommodate most application connections.

Obviously, "Inspect" is used for both L4 (tcp, udp) and L7 (http, dns) inspection.

So, It depends on the protocol being inspected, not on the keyword "inspect".

But I'm not sure what's going on with icmp ? It is in both cases matched and inspected.

Re: Application Inspection of ZBF Router

cadet alain — Mon, 14 Oct 2013 08:43:26 GMT

Hi,

match protocol is using PAM entries( show ip port-map) to categorize traffic and the inspect keyword in the policy-map is for enabling stateful inspection. Now according to Cisco:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-0FA87F61-EC84-44BC-B2FD-7DFE01F9AC39

Layer 7 Class Maps and Policy Maps

 Layer 7 class maps can be used in inspect policy maps only for  deep packet inspection (DPI). The DPI functionality is delivered through  Layer 7 class maps and policy maps. 
 To create a Layer 7 class map, use the            class-map              type              inspect command for the desired protocol. For example, for the HTTP protocol, enter the            class-map              type              inspect              http command. 
 The type of class map (for example, HTTP) determines the match  criteria that you can use. If you want to specify HTTP traffic that  contains Java applets, you must specify a “match response body java”  statement in the context of an “inspect HTTP” class map. 
 A Layer 7 policy map provides application level inspection of traffic. The policy map can include class maps of the same type. 
 To create a Layer 7 policy map, specify the protocol in the                          policy-map              type              inspect command. For example, to create a Layer 7 HTTP policy map, use the            policy-map              type              inspect              http              policy-map-name command. Enter the name of the HTTP policy-map for the            policy-map-name argument. 
 If you do not specify a protocol name (for example, if you use the            policy-map              type              inspect command), you will create a Layer 3 or Layer 4 policy map, which can only be an inspect type policy map. 
 A Layer 7 policy map must be contained in a Layer 3 or Layer 4  policy map; it cannot be attached directly to a target. To attach a  Layer 7 policy map to a top-level policy map, use the            service-policy  command and specify the application name (that is, HTTP, Internet  Message Access Protocol [IMAP], Post Office Protocol, version 3 [POP3],  Simple Mail Transfer Protocol [SMTP], or SUN Remote Procedure Call  [SUNRPC]). The parent class for a Layer 7 policy should have an explicit  match criterion that matches only one Layer 7 protocol before the  policy is attached. 
 If the Layer 7 policy map is in a lower level, you must specify the            inspect action at the parent level for a Layer 7 policy map.

So there is indeed a difference between a L3-L4 inspection and a L7 inspection according to this document.

Regards

Alain

Don't forget to rate helpful posts.

Re: Application Inspection of ZBF Router

Odys (CSC) — Mon, 14 Oct 2013 12:12:55 GMT

Cadet,

This is a very helpful reply from you. the following line reveals the mystery of "inspect" within ZFW:

If you do not specify a protocol name (for example, if you use the policy-map type inspect command), you will create a Layer 3 or Layer 4 policy map, which can only be an inspect type policy map.

In short, it depends on the "type inspect" in the policy-map, not on the "match" in the class-map neither on the "action" in the policy-map.

This implements a L4 inspection

class-map type inspect match-all c-name   match protocol httppolicy-map type inspect p-name  class type inspect c-name

inspect

And this implements a L7 inspection:

class-map type inspect http match-any c-name-httpmethods

match request method bpropfind

match request method bproppatch

match request method connect

match request method index

match request method notify

policy-map type inspect http p-name-app-http

class type inspect http c-name-httpmethods

log

reset

Thank you !

Re: Application Inspection of ZBF Router

Julio Carvajal — Mon, 14 Oct 2013 13:20:13 GMT

Hello Oydious,

Obviously, "Inspect" is used for both L4 (tcp, udp) and L7 (http, dns) inspection.

So, It depends on the protocol being inspected, not on the keyword "inspect".

But I'm not sure what's going on with icmp ? It is in both cases matched and inspected.

Answer/

Here is were most people get confused.

Using class-maps:

You can match traffic at layer 7,layer 3 or Layer4.

Using match access-list = Layer 4 or layer 3 depending on the structure.

Using match protocol = Matching layer 7 ( layer 4 if match protocol tcp,udp)

Now, what happens if you want to inspect FTP packets to open additional channels?

You should use a class-map matching the protocol (L7) and then inspect it otherwise the Router will only care about matching the TCP port 21 for FTP.

I know, it might be difficult to understand it but after taking cases for more than 2 years on TAC regarding this feature I can ensure that I know what I am talking about

So when talking about Class-maps you can match L7 or L4, what to use will depend on the protocol and what you want to do.

!!!

Application Inspection of ZBF Router

cadet alain — Mon, 14 Oct 2013 13:41:23 GMT

HI Julio,

So why does Cisco seem to tell the opposite, it's very confusing from them especially when using protocol is only using PAM to get the match instead of an access-list. I didn't say I don't believe you because you seem to have much experience about this but in this case the Cisco documentation is rather misleading( not to say the least).

To add to the confusion this link says exactly what you're telling: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#stateful-1

If you're still working with TAC it could be interesting pointing out to Cisco that their docs are inconsistent and/or misleading about this subject.

Regards

Alain

Don't forget to rate helpful posts.

Re: Application Inspection of ZBF Router

Julio Carvajal — Mon, 14 Oct 2013 13:53:07 GMT

Hello Cadet,

How are you man?

I am not with Cisco any more, I moved to a different company last week actually

Now, as we all know there has been always problems with some Cisco documentation (I have found at least 2 documentation bugs related to ZBFW).

At the end all comes to this:

if you use a class-map as follows

ip access-list extended test

permit tcp any any eq 21

class-map type inspect test

match access-group name test

You are basically telling the router whenever you see a packet with TCP destination port 21, it's a match for this class-map

And U have a policy like this

policy-map type inspect In-out

class test

inspect

You will be inspecting that traffic but what the router will care about is:

Just inspect traffic that matches destination port 21.

If you do it like this instead

class-map type inspect test

match protocol ftp

The router will now inspect the traffic as FTP traffic not just as TCP destination port 21.

That's it

Hope that I explained it properly

Regards,

Jcarvaja

Application Inspection of ZBF Router

cadet alain — Mon, 14 Oct 2013 14:08:47 GMT

Hi Julio,

I'm doing fine,thanks and I hope you too

I wish you the best in your new position.

Thanks for the explanation and sorry for misleading the OP with this link content which is very confusing.

Regards

Alain

Don't forget to rate helpful posts.

Re: Application Inspection of ZBF Router

Julio Carvajal — Mon, 14 Oct 2013 14:41:22 GMT

Hello Cadet,

Thank U man,

It's always a pleasure to help.

Regards,

Jcarvaja

Re: Application Inspection of ZBF Router

Odys (CSC) — Mon, 14 Oct 2013 15:00:19 GMT

Great Example... Jcarvaja

I've got it

Would you please post your answer here too:

https://learningnetwork.cisco.com/thread/61307?tstart=0

It's the same question, but no one could answer it yet.

thanks a lot !

Re: Application Inspection of ZBF Router

Julio Carvajal — Mon, 14 Oct 2013 15:07:27 GMT

Hello,

Sure, I will.

Was a pleasure to help