Zone-based Firewall and Applicaiton Inspect

cstep — Tue, 12 Mar 2019 00:18:46 GMT

We're having trouble determining whether the ZBF match protocol statements provide deep inspection. For example, the following doesn't appear to actually allow the ephemerous ports to open. Or at least in what I've found to try and test, attempting to make an RPC call across the firewall, the call fails with communication failure.

Router# show ip port msrpc

Default mapping: msrpc tcp port 135 system defined

Router# configure terminal

Router(config)# class-map type inspect match-any msrpc-cmap

Router(config-cmap)# match protocol msrpc

Router(config-cmap)# exit

Router(config)# policy-map type inspect msrpc-pmap

Router(config-pmap)# class type inspect msrpc-cmap

Router(config-pmap-c)# inspect

Router(config-pmap-c)# end

Using PortQry, shows that the port is listening and dumps a bunch of data to the screen about the RPC End Point Mapper.

So I know that TCP port 135 is at least opened. But I don't think the port is being inspected at layer 7 and hence the End Point Mapper is allocating the ephemerous ports, but the firewall doesn't know to open the pinholes. Is there a way, other than simply statically opening the ports to pinhole the RPC EPM Ports? Amy I missing an obvious here?

I have noticed that in IOS-XR and IOS-XE DPI is available in the ALG for msrpc, for example:

http://www.cisco.com/en/US/docs/routers/asr1000/technical_references/asr1000alg_support.pdf http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/fw-msrpc-supp.pdf

I also have done this on an ASA before using the following:

policy-map type inspect dcerpc dcerpc_map

timeout pinhole 0:10:00

class-map dcerpc

match port tcp eq 135

policy-map global-policy

class dcerpc

inspect dcerpc dcerpc-map

service-policy global-policy global

At this point, I'm thinking IOS doesn't support ALG functions except for whats actually listed in the 'show ip inspect ?' list:

aol Configure Firewall class-map for IM-AOL protocol

edonkey eDonkey

fasttrack FastTrack Traffic - KaZaA, Morpheus, Grokster...

gnutella Gnutella Version2 Traffic - BearShare, Shareeza, Morpheus ...

h323 Configure Firewall class-map for H323 protocol

http Configure Firewall class-map for HTTP protocol

icq Configure Firewall class-map for IM-ICQ protocol

imap Configure Firewall class-map for IMAP protocol

kazaa2 Kazaa Version 2

msnmsgr Configure Firewall class-map for IM-MSN protocol

pop3 Configure Firewall class-map for POP3 protocol

sip Configure Firewall class-map for SIP protocol

smtp Configure Firewall class-map for SMTP protocol

sunrpc Configure Firewall class-map for RPC protocol

winmsgr Configure Firewall class-map for IM-WINMSGR protocol

ymsgr Configure Firewall class-map for IM-YAHOO protocol

Thoughts?

It would also be nice if I could create a custom nbar match criteria and map a udp port number and timeout to the match. This could make a hell of an ALG within IOS.

Zone-based Firewall and Applicaiton Inspect

cstep — Sun, 04 Nov 2012 04:42:13 GMT

Short of modifying TCP parameters / timeouts I haven't played with parameter maps much, but I did just see this in the reference: (http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p1.html#wp1091787)

parameter-map type protocol-info

To create or modify a protocol-specific parameter map and enter parameter-map type configuration mode, use the parameter-map type protocol-info command in global configuration mode. To delete a protocol-specific parameter map from the configuration, use the no form of this command.

parameter-map type protocol-info [msrpc | sip | stun-ice] parameter-map-name

no parameter-map type protocol-info [msrpc | sip | stun-ice] parameter-map-name

It also goes on to state that this command became available in 15.1(4)M, so I'll upgrade when I get a second and play with this rev. Hopefully the full inpsect will be available for MSRPC. (To include the EPM pinholes)

Zone-based Firewall and Applicaiton Inspect

Julio Carvajal — Sun, 04 Nov 2012 19:21:29 GMT

Hello Christopher,

Configuring an MSRPC Firewall Policy

Note If you are inspecting an RPC protocol (that is, you specified the match protocol msrpc command in the Layer 4 class map), the Layer 7 Microsoft Remote Procedure Call (MSRPC) policy map is required.

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html#wp1138391

Regards,

Julio

topic Zone-based Firewall and Applicaiton Inspect in Network Security

Zone-based Firewall and Applicaiton Inspect

Zone-based Firewall and Applicaiton Inspect

Zone-based Firewall and Applicaiton Inspect

Configuring an MSRPC Firewall Policy