Help with Class-map configuration - ZBFW

Yadhu Tony
Level 1

Hello,

I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https, http, ftp & rdp traffic from the Internet to a few of the servers inside our LAN. So I put the below configuration in place to accomplish the task (the example shows the class-map for only the https protocol):

a.)

class-map type inspect match-all HTTPS-ACCESS
 match protocol https
 match access-group name HTTPS-SERVER-ACCESS

ip access-list extended HTTPS-SERVER-ACCESS
 permit tcp any host 172.17.0.55 eq 443
 permit tcp any host 172.17.0.56 eq 443
 permit tcp any host 172.17.0.36 eq 443
 permit tcp any host 172.17.0.45 eq 443
 permit tcp any host 172.17.0.60 eq 443

Where 55,56,36,45,60 are the servers inside the LAN (12 more servers are there) that need to be accessed via https,http,ftp & rdp from Internet.

Is this a correct approach, or do I need to change my configuration so that I match an ACL with my class-map like below:

b.)

ip access-list extended OUTSIDE-TO-INSIDE-ACL
 permit tcp any host 172.17.0.55 eq 443
 permit tcp any host 172.17.0.55 eq www
 permit tcp any host 172.17.0.55 eq 21
 permit tcp any host 172.17.0.55 eq 3389
 permit tcp any host 172.17.0.56 eq 443
 permit tcp any host 172.17.0.56 eq www
 permit tcp any host 172.17.0.56 eq 21
 permit tcp any host 172.17.0.56 eq 3389
 permit tcp any host 172.17.0.36 eq 443
 permit tcp any host 172.17.0.36 eq www
 permit tcp any host 172.17.0.36 eq 21
 permit tcp any host 172.17.0.36 eq 3389
 permit tcp any host 172.17.0.45 eq 443
 permit tcp any host 172.17.0.45 eq www
 permit tcp any host 172.17.0.45 eq 21
 permit tcp any host 172.17.0.45 eq 3389

class-map type inspect match-all OUT-IN-CLASS
 match access-group name OUTSIDE-TO-INSIDE-ACL

Which one is the correct approach when we consider the performance of the firewall? Please help me.

Regards,

Yadhu

Accepted Solution

varrao
Level 10

There is not much difference in terms of performance and approach; both are correct and there is not going to be any difference in terms of performance. What you need to make sure of is ease of understanding and the smaller amount of programming needed. So I feel the second approach is the best approach, and anyone having a look at your configuration can understand the logic behind it.

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC


8 Replies


Hey

I do not agree with Varun, I think the first approach is the best one.

Why? Because when you issue the "match protocol ..." you are using NBAR, which is an application inspection software, which means that https or whatever protocol is inspected at layer 7, not at layers 3 and 4 as the second approach does (IP and port number).

Let's say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened). That attack would be successful because all you say is: you are going to IP address 172.17.0.56 over port 443, so go ahead.

But if you are using NBAR, this would not work because NBAR will look at layer 7, inside the protocol itself and look if this really is HTTPS (or whatever protocol).

That's my two cents. Hope it helped!

Hi,

ZFW doesn't use NBAR (only QoS does); it uses PAM, and using match protocol doesn't inspect layer 7. What it does, for example for match protocol http, is look for tcp traffic to port 80.

Regards.

Alain

Don't forget to rate helpful posts.


It doesn't? And all this time I've been sure of it...

A while ago there was an "Ask the expert" and I asked about the "match protocol ..." and he gave me this answer:

"Class-map type inspect INSIDE-TO-OUTSIDE_CMAP
 Match protocol http

(This configuration will provide application level inspection EX opening control-connection, translating embedded ip address)"

https://supportforums.cisco.com/message/3592024

But he didn't mention NBAR, though. Still, layer 7?

Hi,

If this was the case, we could assume it would treat a telnet to port 80 differently from an HTTP request, and it would not inspect the telnet traffic, which would be dropped, vs normal http traffic.

I just tested it and it let the telnet to port 80 through, so maybe an expert can confirm or refute my understanding of the application-level inspection, but I believe my remark is correct.

Regards.

Alain

Don't forget to rate helpful posts.


I guess I have to trust you on this, because earlier I did the exact same test (without thinking about this) and it worked, so I guess it's not layer 7 inspection after all.

Thanks

Yadhu Tony
Level 1

Hello,

Thank you all for your input and insight. So can someone help me to conclude this discussion? Which approach do I need to adopt in my case?

Regards,
Tony

http://yadhutony.blogspot.com


Any solution, but solution B is less config so I guess that one takes less time.
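For completeness, here is approach a.) wired into a full zone-based policy, since the snippets in the thread stop at the class-map and a class-map on its own drops nothing. This is an added example, not configuration from any of the posts: the zone, interface, ACL and policy-map names are assumptions, the twelve hosts beyond those shown are omitted, and RDP is matched with "match protocol tcp" plus a port ACL because no dedicated rdp keyword is confirmed in this thread.

```cisco
! Zones and interface membership (interface names are assumed)
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
!
! Host list only: the port is supplied by "match protocol" in the class-map
ip access-list extended WEB-FTP-SERVERS
 permit ip any host 172.17.0.55
 permit ip any host 172.17.0.56
 permit ip any host 172.17.0.36
 permit ip any host 172.17.0.45
 permit ip any host 172.17.0.60
!
! match-any: any one of the three services; nested into the match-all below
class-map type inspect match-any WEB-FTP-SERVICES
 match protocol https
 match protocol http
 match protocol ftp
!
! match-all: service AND destination host must both match
class-map type inspect match-all WEB-FTP-ACCESS
 match class-map WEB-FTP-SERVICES
 match access-group name WEB-FTP-SERVERS
!
! RDP: no dedicated protocol keyword is assumed, so the ACL carries the port
ip access-list extended RDP-SERVERS
 permit tcp any host 172.17.0.55 eq 3389
 permit tcp any host 172.17.0.56 eq 3389
class-map type inspect match-all RDP-ACCESS
 match protocol tcp
 match access-group name RDP-SERVERS
!
! Inspect the permitted classes; all other OUTSIDE-to-INSIDE traffic is dropped and logged
policy-map type inspect OUT-IN-POLICY
 class type inspect WEB-FTP-ACCESS
  inspect
 class type inspect RDP-ACCESS
  inspect
 class class-default
  drop log
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-IN-POLICY
```

With match-all, a flow is inspected only when it hits one of the listed services and one of the listed hosts; the class-default drop at the end is what actually refuses everything else arriving from the Internet. Inspecting ftp via match protocol also lets the firewall track the FTP data connection, which a plain tcp/21 ACL entry as in approach b.) does not describe.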
