cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2114
Views
0
Helpful
2
Replies

Zone-based Firewall and Applicaiton Inspect

cstep
Level 1
Level 1

We're having trouble determining whether the ZBF match protocol statements provide deep inspection. For example, the following doesn't appear to actually allow the ephemerous ports to open. Or at least in what I've found to try and test, attempting to make an RPC call across the firewall, the call fails with communication failure.

Router# show ip port msrpc

Default mapping:  msrpc                tcp port 135                        system defined

Router# configure terminal

Router(config)# class-map type inspect match-any msrpc-cmap

Router(config-cmap)# match protocol msrpc

Router(config-cmap)# exit

Router(config)# policy-map type inspect msrpc-pmap

Router(config-pmap)# class type inspect msrpc-cmap

Router(config-pmap-c)# inspect

Router(config-pmap-c)# end

Using PortQry, shows that the port is listening and dumps a bunch of data to the screen about the RPC End Point Mapper.

So I know that TCP port 135 is at least opened. But I don't think the port is being inspected at layer 7 and hence the End Point Mapper is allocating the ephemerous ports, but the firewall doesn't know to open the pinholes. Is there a way, other than simply statically opening the ports to pinhole the RPC EPM Ports? Amy I missing an obvious here?

I have noticed that in IOS-XR and IOS-XE DPI is available in the ALG for msrpc, for example:

http://www.cisco.com/en/US/docs/routers/asr1000/technical_references/asr1000alg_support.pdfhttp://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/fw-msrpc-supp.pdf

I also have done this on an ASA before using the following:

policy-map type inspect dcerpc dcerpc_map

timeout pinhole 0:10:00

!

class-map dcerpc

match port tcp eq 135

!

policy-map global-policy

class dcerpc

  inspect dcerpc dcerpc-map

!

service-policy global-policy global

At this point, I'm thinking IOS doesn't support ALG functions except for whats actually listed in the 'show ip inspect ?' list:

aol           Configure Firewall class-map for IM-AOL protocol

edonkey       eDonkey

fasttrack     FastTrack Traffic - KaZaA, Morpheus, Grokster...

gnutella      Gnutella Version2 Traffic - BearShare, Shareeza, Morpheus ...

h323          Configure Firewall class-map for H323 protocol

http          Configure Firewall class-map for HTTP protocol

icq           Configure Firewall class-map for IM-ICQ protocol

imap          Configure Firewall class-map for IMAP protocol

kazaa2        Kazaa Version 2

msnmsgr       Configure Firewall class-map for IM-MSN protocol

pop3          Configure Firewall class-map for POP3 protocol

sip           Configure Firewall class-map for SIP protocol

smtp          Configure Firewall class-map for SMTP protocol

sunrpc        Configure Firewall class-map for RPC protocol

winmsgr       Configure Firewall class-map for IM-WINMSGR protocol

ymsgr         Configure Firewall class-map for IM-YAHOO protocol

Thoughts?

It would also be nice if I could create a custom nbar match criteria and map a udp port number and timeout to the match. This could make a hell of an ALG within IOS.

2 Replies 2

cstep
Level 1
Level 1

Short of modifying TCP parameters / timeouts I haven't played with parameter maps much, but I did just see this in the reference: (http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p1.html#wp1091787)

parameter-map type protocol-info

To create or modify a protocol-specific parameter map and enter parameter-map type configuration mode, use the parameter-map type protocol-info command in global configuration mode. To delete a protocol-specific parameter map from the configuration, use the no form of this command.

parameter-map type protocol-info [msrpc | sip | stun-ice] parameter-map-name

no parameter-map type protocol-info [msrpc | sip | stun-ice] parameter-map-name

It also goes on to state that this command became available in 15.1(4)M, so I'll upgrade when I get a second and play with this rev. Hopefully the full inpsect will be available for MSRPC. (To include the EPM pinholes)

Hello Christopher,

Configuring an MSRPC Firewall Policy


Note If you are inspecting an RPC protocol (that is, you specified the match protocol msrpc command in the Layer 4 class map), the Layer 7 Microsoft Remote Procedure Call (MSRPC) policy map is required.

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html#wp1138391

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card