Perimeter Network
In the preceding chapter, you saw the mandatory configuration
commands used to configure the zone-based policy firewall feature of Cisco IOS. In this chapter, we use those commands to develop a complete configuration of a firewall with a perimeter network shown in Figure 4-1. The policy rules used by this firewall are documented in Table 2-3(Restrictive Policy of a Firewall with a Perimeter Network) of Chapter 2, “Typical Zone-Based Firewall Designs.”
FIGURE 4-1 Firewall with a perimeter network Outside Inside Internet Client 10.0.0.2 Mail Server 10.0.0.10 10.0.0.1 192.168.0.1 Configuring the Firewall Policy ...56 Protecting the Router ...60
Perimeter Network To include the perimeter network in the existing firewall configuration (Listing 3-1) discussed in Chapter 3, “Configuring Zone-Based Policy Firewalls in Cisco IOS,” we need to do the following:
■ Configure a separate interface to which the public web server will be connected. If you’re limited by the router’s
physical setup (for example, if it has only one Fast Ethernet interface), the best approach is to create a subinterface in a different virtual LAN (VLAN).
■ Configure the IP subnet on the perimeter interface. We’ll use subnet 192.168.0.0/24 from the private IP address
range.
■ Fix the network address translation configuration. We reduce the size of the IP address pool (to gain a public IP
address for the web server) and establish a static inside-to-outside mapping for the web server. Listing 4-1 shows the corresponding router configuration.
LISTING 4-1 Changes in IP Routing Configuration of the Firewall Router
interface FastEthernet0/0.100 description public Web server encapsulation dot1Q 100
ip address 192.168.0.1 255.255.255.0 ip nat inside
!
ip nat pool Internet 172.16.10.38 172.16.10.46 prefix-length 28 ip nat inside source static 192.168.0.2 172.16.10.34
NOTE
Using VLANs to connect interfaces in public and private zones on the same physical interface of a firewall should be done only as a last resort. Any misconfiguration of the switch to which these devices are attached could cause a security breach.
NOTE
You need to remove the previous NAT pool defi- nition before redefining it.
Perimeter Network
Configuring the Firewall Policy
The first step in firewall policy configuration is defining traffic classes. We start by defining class maps matching the basic protocol sets (ping, web traffic, mail delivery, and network management) encountered in this firewall (Listing 4-2).
LISTING 4-2 Configuring Basic Protocol Sets
class-map type inspect match-any ping match access-group name IcmpEcho !
ip access-list extended IcmpEcho permit icmp any any echo
permit icmp any any echo-reply !
! Note: Web traffic also includes ability to ping !
class-map type inspect match-any WebTraffic match protocol http
match protocol https match class-map ping !
class-map type inspect FileTransfer match protocol ftp
!
class-map type inspect match-any PublicManagement match protocol ftp
match protocol ssh match protocol snmp !
NOTE
Within this case study, we optimize the class definitions by grouping similar protocols in the same traffic class. When deploying application- level packet inspection, each protocol has to be defined as a separate traffic class (see the next chapter for more details), increasing the complexity of the configuration. It’s therefore mandatory that you understand the final firewall requirements before you start configur- ing the router.
Perimeter Network LISTING 4-2 Configuring Basic Protocol Sets continued class-map type inspect match-any SMTP
match protocol smtp extended !
class-map type inspect match-any DNS match protocol dns
Within the firewall policy, we also need refined traffic class definitions where a specific protocol (for example, SMTP) will be allowed on only a specific server (for example, the inside mail server). For convenience, we also define a broader traffic class covering all public services offered by the perimeter server: SMTP, HTTP, and DNS and ping for trou- bleshooting purposes. The perimeter server is the authoritative server for the organization’s domain and a caching DNS server for the internal clients.
Listing 4-3 shows the refined and extended traffic classes.
LISTING 4-3 Additional Traffic Class Definitions
class-map type inspect match-all MailDelivery match class-map SMTP
match access-group name InternalServer !
ip access-list extended InternalServer permit ip any host 10.0.0.10
!
class-map type inspect match-any PublicProtocols match class-map SMTP
match class-map WebTraffic match class-map DNS
match class-map ping !
Perimeter Network LISTING 4-3 Additional Traffic Class Definitions continued class-map type inspect match-all PublicTraffic
match class-map PublicProtocols
match access-group name PerimeterServer !
ip access-list extended PerimeterServer permit ip any host 192.168.0.2
Next, we configure the individual zones and the policies between pairs of zones. Finally, individual interfaces are assigned to the configured security zones (Listing 4-4).
LISTING 4-4 Firewall Policies and Zone Definitions
zone security Inside zone security Perimeter zone security Outside !
policy-map type inspect InsideToOutside class type inspect WebTraffic
inspect
class type inspect FileTransfer inspect
!
policy-map type inspect InsideToPerimeter class type inspect PublicTraffic
inspect
class type inspect PublicManagement inspect
!
NOTE
The configuration of service policies and zone pairs seems highly verbose. You will see where you can benefit from this modularity when configuring more- complex firewall policies later in this chapter.
Perimeter Network LISTING 4-4 Firewall Policies and Zone Definitions continued inspect
class type inspect SMTP inspect
class type inspect ping inspect
!
policy-map type inspect OutsideToPerimeter class type inspect PublicTraffic
inspect !
policy-map type inspect PerimeterToInside class type inspect MailDelivery
inspect !
zone-pair security InsideToOutside source Inside destination Outside service-policy type inspect InsideToOutside
zone-pair security InsideToPerimeter source Inside destination Perimeter service-policy type inspect InsideToPerimeter
zone-pair security PerimeterToInside source Perimeter destination Inside service-policy type inspect PerimeterToInside
zone-pair security PerimeterToOutside source Perimeter destination Outside service-policy type inspect PerimeterToOutside
zone-pair security OutsideToPerimeter source Outside destination Perimeter service-policy type inspect OutsideToPerimeter
!
interface FastEthernet0/0 description Inside LAN zone-member security Inside !
Perimeter Network LISTING 4-4 Firewall Policies and Zone Definitions continued interface FastEthernet0/0.100
description Perimeter network zone-member security Perimeter !
interface Serial0/0/0.100 point-to-point description Link to the Internet
zone-member security Outside
Protecting the Router
We complete the firewall configuration with the router-protection measures. Obviously, the only traffic allowed from the outside or the perimeter network to the router is ICMP echo (ping). The router itself can only perform DNS queries, ping, and traceroute to external networks. To monitor potential intrusion activities, the router should log all other connection- establishment attempts.
Because you cannot match any other protocol except TCP, UDP, and H323 in class maps used in conjunction with the self zone, we need to define a completely new set of traffic classes based exclusively on extended IP access lists.
Cisco IOS is using UDP packets to perform the traceroute function. The initial destination UDP port number is 33434 (unless modified with the extended traceroute command); the port number is increased in every probe to allow the router to match probes with ICMP replies. Therefore, the IP access list matching traceroute traffic defines a wide range of target UDP ports.
Furthermore, because the router cannot properly handle ICMP responses to the UDP packets sent with the traceroute command, we need to include special provisions for ICMP replies arriving from the public network.
The configuration commands used to define firewall policy for inbound traffic from perimeter and outside networks are
NOTE
There might be addi- tional public services the router itself needs to access (for example, the Network Time Protocol [NTP] service).
NOTE
Note that the same policy map is used twice to specify firewall policies
Perimeter Network LISTING 4-5 Firewall Policy for Inbound Traffic from Perimeter and Outside Zones
class-map type inspect match-all ICMPreply match access-group name ICMPreply
!
ip access-list extended ICMPreply permit icmp any any host-unreachable permit icmp any any port-unreachable permit icmp any any ttl-exceeded permit icmp any any packet-too-big !
policy-map type inspect PublicToRouter class type inspect ping
inspect
class type inspect ICMPreply pass
class class-default drop log
!
zone-pair security PerimeterToRouter source Perimeter destination self service-policy type inspect PublicToRouter
zone-pair security OutsideToRouter source Outside destination self service-policy type inspect PublicToRouter
Perimeter Network LISTING 4-6 Firewall Policy for Traffic from the Router Toward the Perimeter and Outside Zones
class-map type inspect match-any RouterPublicTraffic match access-group name traceroute
match access-group name domainLookup match access-group name IcmpEcho !
ip access-list extended domainLookup permit udp any any eq domain
ip access-list extended traceroute
permit udp any range 32768 65535 any range 33434 33523 !
policy-map type inspect RouterToPublic class RouterPublicTraffic
inspect !
zone-pair security RouterToPerimeter source self destination Perimeter service-policy type inspect RouterToPublic
zone-pair security RouterToOutside source self destination Outside service-policy type inspect RouterToPublic
The permitted traffic between the internal hosts and the firewall router shall obviously include ping and traceroute (as above) as well as network management access to the firewall.
Ideally, the internal hosts would be allowed to open Telnet and SSH sessions to the router and perform router manage- ment with SNMP while the router would send syslog, TFTP, and FTP traffic to the internal server. However, because
Perimeter Network Cisco IOS Release 12.4 does not perform in-depth inspection of router-generated traffic, FTP or TFTP to or from the router cannot be handled properly. (The router cannot identify the data sessions.) There are three ways to resolve this problem:
■ Full IP connectivity shall be allowed between the router and the internal server. This solution is not recommended
because anyone getting access to the firewall router would have full access to the internal server.
■ Use SSH or SCP (SSH-based Secure Copy) to download router configurations to the management station. You can
also use SCP to upgrade a router’s software.
■ Use HTTPS (preferred) or HTTP to download new software to the router and store router configurations to the inter-
nal server.
Listing 4-7 shows the configuration commands defining the firewall policy between the firewall router and the inside network.
LISTING 4-7 Securing Inside Access to the Router
!
! Define inside-to-router policy !
class-map type inspect RouterManagement match access-group name RouterManagement !
ip access-list extended RouterManagement permit tcp any any eq telnet
permit tcp any any eq 22 ! SSH
permit udp host 10.0.0.10 host 10.0.0.1 eq snmp ! Network management !
Perimeter Network LISTING 4-7 Securing Inside Access to the Router continued policy-map type inspect InsideToRouter
class type inspect ping inspect
class type inspect RouterManagement inspect
class type inspect ICMPreply pass
class class-default drop log
!
zone-pair security InsideToRouter source Inside destination self service-policy type inspect InsideToRouter
!
! Define router-to-inside policy !
class-map type inspect RouterFileTransfer match access-group name RouterFileTransfer !
ip access-list extended RouterDataTransfer
permit tcp host 10.0.0.1 host 10.0.0.10 eq 22 ! SSH/SCP permit tcp host 10.0.0.1 host 10.0.0.10 eq www ! Web (http) permit tcp host 10.0.0.1 host 10.0.0.10 eq 443 ! SSL (https) permit udp host 10.0.0.1 host 10.0.0.10 eq snmp ! SNMP traps permit udp host 10.0.0.1 host 10.0.0.10 eq syslog ! SYSLOG messages !
policy-map type inspect RouterToInside class type inspect RouterPublicTraffic
Perimeter Network LISTING 4-7 Securing Inside Access to the Router continued inspect
!
zone-pair security RouterToInside source self destination Inside service-policy type inspect RouterToInside
Summary
In this chapter, you’ve seen how you can use the basic configuration commands supported by the zone-based policy fire- wall feature of Cisco IOS to configure a firewall with public servers in a perimeter network. The configuration by itself is sufficient for smaller organizations where you would not expect heavy load on the public servers; otherwise, the router parameters have to be tuned to differentiate expected traffic load from denial-of-service attacks. In addition, this configu- ration does not detect applications that hide within the HTTP protocol (for example, instant messaging or peer-to-peer protocols). In the next chapter, you’ll see the advanced configuration commands that address these issues.
Firewall
Configuration