Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1634
Views
0
Helpful
2
Replies

ZBF vs. interface ACL

Go to solution
lcaruso
Level 6
Level 6

‎07-30-2011 07:54 PM - edited ‎03-11-2019 02:05 PM

Hi,

I know interface ACLs are not applicable with ZBF, so a different implementation is used. That's documented elsehwere.

What I don't know is, given the outside interface ACL for my router (below), how do I implement some of those features? For example, the Guide to Harden Cisco IOS Devices recommends dropping fragments. How would I do that with ZBF?

Another question is with ZBF are some of these ACEs shown below no longer necessary?

ip access-list extended outside_in
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   icmp any any fragments
 deny   ip any any fragments
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.0.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee

‎07-30-2011 08:47 PM

Hi Larry,

Fragments are not entire bad on an IP network, it is common that if the packets are too big it will fragment them. ZBF has a queue for the fragments and it the packet has an anomaly, it will drop it. Now, if you want to control the IP fragments coming into your network, you can use the command IP virtual reassembly, that way you can limit the amount of fragments that come in to the network.

Fragmentation attacks should not be a problem if you have Stateful firewall such as zone based firewall.

Hope this helps.

Mike

Mike

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee

‎07-30-2011 08:47 PM

Hi Larry,

Fragments are not entire bad on an IP network, it is common that if the packets are too big it will fragment them. ZBF has a queue for the fragments and it the packet has an anomaly, it will drop it. Now, if you want to control the IP fragments coming into your network, you can use the command IP virtual reassembly, that way you can limit the amount of fragments that come in to the network.

Fragmentation attacks should not be a problem if you have Stateful firewall such as zone based firewall.

Hope this helps.

Mike

Mike
0 Helpful

Go to solution
lcaruso
Level 6
Level 6
In response to Maykol Rojas

‎07-31-2011 06:38 PM

Hi Mike,

Thanks for the information. I'm using RBE on an 887VA dsl interface, and I was informed that turning off ip virtual reassembly was recommended for this scenario. However, when I tried that on v15.1 it took the command but displayed nothing even in show run all. So I don't know if it is on or off or even exists.

When it is used, how does ip virtural reassembly control fragments?

I like the ZBF. I'm just not very comfortable with how to accomplish certain tasks yet.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card