hale
Published on 2024-10-23 / 36 Visits
0
0

Cisco Zone Base FireWall介绍及配置

#FW

ZFW技术对原有的CBAC功能进行了增强,ZFW策略防火墙改变了基于接口的配置模式,并且提供了更容易理解和更灵活的配置方法。接口需要加入区域,针对流量的审查策略在区域间内部生效。区域内部策略提供了更灵活和更细致的流量审查,不同的审查策略可以应用在与路由器相同接口相连的多个组上。

ZFW提供了状态型的包检测,URL过滤,对DOS攻击的减缓等功能,同时提供了多种协议的支持,例如HTTP、POP3、IMAP、SMTP、ESMTP、SUN RPC、IM、P2P等协议。但是需要注意的是,以下特性ZFW暂时还不能支持:

  • Authentication proxy

  • Stateful firewall failover

  • Unified firewall MIB

  • IPv6 stateful inspection

  • TCP out of order support

与CBAC相比较而言第一点主要的改变是,ZFW是基于区域的配置。ZFW不在使用CBAC的命令。两种技术可以同时配置在路由器上,但是需要注意的是,这两种技术不能同时在接口上叠加。接口在加入了安全区域以后不能同时在该接口上配置ip inspect命令。

ZFW默认的策略为拒绝所有流量。如果没有配置放行策略,那么所有在区域间进行转发的流量将会被拒绝。而CBAC默认情况下允许转发所有的流量,除非通过使用ACL来对流量进行丢弃。

第二点主要的改变是ZFW的配置命令使用了MQC命令格式。可以使用更灵活的方式来定义ZFW的策略。

ZFW的策略规定如下:

  1. 在为接口指定区域之前,必须先配置这个区域。

  2. 一个接口只能被指定到一个区域内。

  3. 当一个接口被指定了一个区域后,除了在相同的区域内从这个接口始发终结的流量,以及从该接口到其他本路由器接口的流量,默认允许转发外,其他关于这个接口的流量都隐式的拒绝。

  4. 相同区域成员间的流量,默认转发。

  5. 如果要求流量从其他区域来或者到其他区域去,那么必须配置再要通信的区域间允许策略或者审查策略。

  6. 自身区域是唯一一个默认策略不是DENY的区域。从自身区域到任何区域的流量都是默认允许的,除非明确的配置了拒绝语句。

  7. 流量不能在一个设置了区域成员的接口和一个没有加入区域的接口间转发。pass,inspect和drop行为只能在两个区域之间进行配置。

  8. 一个没有加入任何区域的接口是可以使用CBAC特性的。

  9. 根据上面所提到的相关问题,我们可以知道,如果流量要在这个路由器的所有接口间转发,那么所有的接口都必须是区域的成员。

  10. 唯一一个例外是,到达或者从这个路由器始发的流量默认情况下是允许的(默认情况下路由器的自身接口属于self区域)。如果要限制这样的流量,则需要配置明确的限制策略。

ZFP策略包括三种:pass,deny,intercept。deny是默认行为,intercept是指对流量进行审查,返回流量通过查看路由器的session表来决定是否允许进入。pass行为不会跟踪连接的状态或者是流量的session。并且pass策略只能允许单方向的流量通过。必须定义一个相对应返回流量的策略来允许返回流量进入。

同时ZFW对与VPN流量也进行了特别的定义,当VPN配置以后,路由器动态的生成一个名叫VTI的接口(virtual tunnel interface),如果我们需要对VPN流量进行bypass或者是审查时,我们可以通过将VTI接口加入不同的区域来进行区分。

配置案例如下:

ip port-map user-tcp9527 port tcp 9527
ip port-map user-tcp8000 port tcp 8000
ip port-map user-tcp9528 port tcp 9528
#定义外到内的访问端口
!
class-map type inspect match-any Inside-To-Outside-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Outside-To-Inside-Class
 match protocol user-tcp9527
 match protocol user-tcp9528
 match protocol user-tcp8000
!
policy-map type inspect Inside-To-Outside-Policy
 class type inspect Inside-To-Outside-Class
  inspect 
 class class-default
  drop
policy-map type inspect Outside-To-Inside-Policy
 class type inspect Outside-To-Inside-Class
  inspect 
 class class-default
  drop
!
zone security Inside
zone security Outside
zone-pair security Inside-To-Outside source Inside destination Outside
 service-policy type inspect Inside-To-Outside-Policy
zone-pair security Outside-To-Inside source Outside destination Inside
 service-policy type inspect Outside-To-Inside-Policy
! 
interface Dialer1
 zone-member security Outside
!
interface Vlan50
 zone-member security Inside

相关状态查看

NJ-Home-C897#show zone-pair security 
Zone-pair name Inside-To-Outside
    Source-Zone Inside  Destination-Zone Outside 
    service-policy Inside-To-Outside-Policy
Zone-pair name Outside-To-Inside
    Source-Zone Outside  Destination-Zone Inside 
    service-policy Outside-To-Inside-Policy

NJ-Home-C897#show zone security 
zone self
Description: System Defined Zone 

zone Inside
 Member Interfaces: 
 Vlan50 

zone Outside
 Member Interfaces: 
 Dialer1 

NJ-Home-C897#show policy-map type inspect zone-pair sessions 

policy exists on zp Inside-To-Outside
  Zone-pair: Inside-To-Outside 

  Service-policy inspect : Inside-To-Outside-Policy

    Class-map: Inside-To-Outside-Class (match-any)  
      Match: protocol icmp
        2407 packets, 395177 bytes
        30 second rate 0 bps
      Match: protocol tcp
        68578 packets, 2723688 bytes
        30 second rate 0 bps
      Match: protocol udp
        109486 packets, 6559699 bytes
        30 second rate 0 bps

   Inspect

      Number of Established Sessions = 15
      Established Sessions
        Session 25110E0 (192.168.50.164:51488)=>(118.26.252.11:5222) tcp SIS_OPEN/TCP_ESTAB 
          Created 20:35:53, Last heard 00:00:33
          Bytes sent (initiator:responder) [58254:58481]
        Session 113136A0 (192.168.50.188:53620)=>(17.252.156.153:5223) tcp SIS_OPEN/TCP_ESTAB 
          Created 14:11:15, Last heard 00:19:06
          Bytes sent (initiator:responder) [30146:8997]
        Session 2514C60 (192.168.50.164:33448)=>(118.26.252.75:443) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:25:18, Last heard 00:24:12
          Bytes sent (initiator:responder) [1860:5779]
        Session 25164E0 (192.168.50.164:41084)=>(117.48.116.17:443) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:25:18, Last heard 00:24:12
          Bytes sent (initiator:responder) [1890:5808]
        Session 251D160 (192.168.50.164:42362)=>(117.48.116.23:443) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:25:18, Last heard 00:24:11
          Bytes sent (initiator:responder) [1209:4839]
        Session 2516BE0 (192.168.50.164:56901)=>(118.26.252.47:443) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:25:17, Last heard 00:24:11
          Bytes sent (initiator:responder) [1249:13662]
        Session 2516860 (192.168.50.164:39796)=>(118.26.252.165:80) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:25:03, Last heard 00:23:57
          Bytes sent (initiator:responder) [1042:324]
        Session 2511EE0 (192.168.50.164:37948)=>(118.26.252.147:443) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:23:48, Last heard 00:22:42
          Bytes sent (initiator:responder) [836:5846]
        Session 2517660 (192.168.50.164:57774)=>(101.89.15.105:8080) tcp SIS_OPEN/TCP_ESTAB 
          Created 00:08:15, Last heard 00:01:14
          Bytes sent (initiator:responder) [337:222]
        Session 2514FE0 (192.168.50.6:50184)=>(220.200.165.43:5877) tcp SIS_OPEN/TCP_ESTAB 
          Created 00:08:02, Last heard 00:00:11
          Bytes sent (initiator:responder) [385:1059]
        Session 251DBE0 (192.168.50.164:58339)=>(203.100.92.156:443) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:04:33, Last heard 00:03:27
          Bytes sent (initiator:responder) [2226:6158]
        Session 250F4E0 (192.168.50.6:6881)=>(90.151.93.101:3856) udp SIS_OPEN
          Created 00:00:39, Last heard 00:00:20
          Bytes sent (initiator:responder) [152:0]
        Session 251DF60 (192.168.50.6:6881)=>(76.229.128.227:1045) udp SIS_OPEN
          Created 00:00:20, Last heard 00:00:20
          Bytes sent (initiator:responder) [58:70]
        Session 2518B60 (192.168.50.6:6881)=>(73.36.178.128:10520) udp SIS_OPEN
          Created 00:00:02, Last heard 00:00:01
          Bytes sent (initiator:responder) [94:268]
        Session 2515A60 (192.168.50.6:6881)=>(64.30.117.225:45682) udp SIS_OPEN
          Created 00:00:01, Last heard 00:00:01
          Bytes sent (initiator:responder) [58:70]


    Class-map: class-default (match-any)  
      Match: any 
      Drop
        0 packets, 0 bytes

policy exists on zp Outside-To-Inside
  Zone-pair: Outside-To-Inside 

  Service-policy inspect : Outside-To-Inside-Policy

    Class-map: Outside-To-Inside-Class (match-any)  
      Match: protocol user-tcp9527
        1 packets, 20 bytes
        30 second rate 0 bps
      Match: protocol user-tcp9528
        18944 packets, 637901 bytes
        30 second rate 0 bps
      Match: protocol user-tcp8000
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

      Number of Established Sessions = 3
      Established Sessions
        Session 2512CE0 (110.7.216.97:28041)=>(192.168.50.6:9528) user-tcp9528:tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:13:17, Last heard 00:03:27
          Bytes sent (initiator:responder) [354:374]
        Session 250FBE0 (27.19.66.146:56963)=>(192.168.50.6:9528) user-tcp9528:tcp SIS_OPEN/TCP_ESTAB 
          Created 00:02:28, Last heard 00:00:17
          Bytes sent (initiator:responder) [381:252]
        Session 251C6E0 (114.219.17.12:65496)=>(192.168.50.6:9528) user-tcp9528:tcp SIS_OPEN/TCP_ESTAB 
          Created 00:00:03, Last heard 00:00:02
          Bytes sent (initiator:responder) [477:232]


    Class-map: class-default (match-any)  
      Match: any 
      Drop
        39475 packets, 3069891 bytes
NJ-Home-C897# 


Comment