ZBFW: which protocols break if not inspected?

b.julin
Level 3

At my last count there were 182 different "match protocol" statements one could put in an inspection class-map.

Some of these inspections are there only to allow you to filter on L7 fields. Some, FTP for example, must be in your class map or active-mode FTP will be broken. Still others need to be there for NAT traffic, or the service will be broken, but are not needed when the traffic does not NAT on the same box.

If you enable all the inspections (and keep the list fresh as new ones are added) then you are asking for trouble because that will be a lot of work for the firewall.

I've asked sales engineers from time to time whether Cisco maintains any organized list of which protocols are in which category; nobody has produced such a list. While I would love (not) to go through RFCs for every protocol to figure it out, I'm busy and have more useful things to do with my time.

So I invite folks to crowdsource here and let us know which protocols you have found inspection to be necessary on for reasons other than L7 filtering.

Or if anyone knows of such a list, please do speak up.

6 Replies

Julio Carvajal
VIP Alumni

Hello,

All protocols that need to dynamically open pinholes on the firewall, like FTP as you said...

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, this is the reason why some protocols need to be inspected.

Others need to be inspected to do rewrites in the case of traffic undergoing NAT on the same ZBFW.

My question is, of the inspections available to us, which perform such functions?

Well, there are a bunch, Sr. So I am going to mention a few:

FTP
VocalTech
Microsoft NetMeeting
Microsoft NetShow
SIP
H323
H225

And the list keeps going

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

>> And the list keeps going

Thanks for helping us get it started :-)

Hey men,

My pleasure,

Is there something else I can answer for you, or should you mark the question as answered?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I'd like to keep this question open a while to see what others in the community may have to add.

By the way, one way I have found to figure out which protocols may need this is to look at what protocols the Linux netfilter suite provides "helpers" for. The following is a pretty good descriptive writeup:

https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst

...however it misses some of the ones that you can see in any Linux with a complete netfilter module set:

nf_conntrack_amanda.ko
nf_conntrack_broadcast.ko
nf_conntrack_ftp.ko
nf_conntrack_h323.ko
nf_conntrack_irc.ko
nf_conntrack_netbios_ns.ko
nf_conntrack_netlink.ko
nf_conntrack_pptp.ko
nf_conntrack_proto_dccp.ko
nf_conntrack_proto_gre.ko
nf_conntrack_proto_sctp.ko
nf_conntrack_proto_udplite.ko
nf_conntrack_sane.ko
nf_conntrack_sip.ko
nf_conntrack_snmp.ko
nf_conntrack_tftp.ko

Note the snmp module, and perhaps a few others, are only for use with Linux NAT and are not needed for setups where there is no NAT. Also one has to consult the documentation as to exactly what the corresponding Cisco inspection does, and hope it goes into detail.

So my hope is maybe we could get a document going, something like the above link, telling us which inspections we would need to enable if we are permitting all protocols to be initiated from one zone but not others, and a separate list saying which additional inspections are needed when you are doing NAT.
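As an added example that is not part of the thread, here is how the distinction discussed above maps onto an IOS ZBFW policy: the protocols that need dynamic pinholes (or payload rewrites when NAT happens on the same box) get their own L7 class ahead of a generic TCP/UDP class, so they are handled by application inspection rather than plain stateful inspection. Zone, class and policy names are assumed.

```cisco
! Added example, not from the thread. Zone/class/policy names are assumed.
!
! Weak form: only a generic class. Plain stateful inspection permits the
! FTP control channel, but active-mode FTP data and SIP/H.323 media
! sessions are never pinholed, so they fail through this zone-pair.
class-map type inspect match-any CM-GENERIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Corrected form: the protocols that need pinholes (FTP, TFTP, SIP, H.323
! from the lists above) are matched by name. Classes in a policy-map are
! evaluated top-down, so CM-ALG must precede CM-GENERIC; otherwise the
! traffic lands in the generic class and the L7 inspection never runs.
class-map type inspect match-any CM-ALG
 match protocol ftp
 match protocol tftp
 match protocol sip
 match protocol h323
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-ALG
  inspect
 class type inspect CM-GENERIC
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! To confirm a flow landed in the intended class (an FTP session should
! show up under the ftp inspection, not the generic tcp one):
! show policy-map type inspect zone-pair ZP-IN-OUT sessions
```

The same ordering rule applies when a NAT-dependent inspection (the page's second category) is added: it too must be matched by name before the generic class.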
