Having analyzed the basic L4/L3 configuration principles for the Cisco Zone-based Policy Firewall (ZFW), we will now illustrate some L7 options.
Before we start the practical examples, it is worth characterizing the main uses of L7 inspection on a stateful firewall:
- Fixing up misbehaving protocols, i.e., those that dynamically negotiate additional data connections inside the control channel, so that the firewall can open the corresponding pinholes. Classic examples are FTP and the telephony signaling protocols (SIP, the H.323 framework, SCCP, MGCP).
- Performing Network Address Translation (NAT) at the application level for protocols that embed IP addresses (and ports) in their L7 messages. This is critical in NAT and Port Address Translation (PAT) environments: if the embedded address is left untouched while the L3 header is translated, the peer tries to reach an address that is not routable from its side.
- Using the application knowledge to filter on additional criteria specific to the L7 protocol, rather than just on L3/L4 parameters.
The figure depicts a reference scenario for FTP inspection on the ZFW:
- The INSIDE client 192.168.2.72 starts an FTP session to the translated address of the server (192.168.2.102).
- Instead of matching based on an L4 clause, there is a match protocol ftp statement under the class-map named L7-CLASS1.
- The first audit-trail message shows the creation of the FTP control connection (TCP port 21).
- The second log message shows a sample FTP data session (and the corresponding NAT operation).
It is important to emphasize that in this sample network we are not performing any special filtering. We are just using L7 knowledge for fixup purposes.
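For readers who want to reproduce the scenario, the following IOS configuration is an added example (not taken from the figure or from the original post). Zone names, interface names and addresses, the policy-map and zone-pair names, and the server's real address (192.168.1.102) are assumptions; only the client (192.168.2.72), the translated server address (192.168.2.102) and the class-map L7-CLASS1 with match protocol ftp come from the text.

```cisco
! Zones and interface membership (interface names and addresses are assumed)
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description Client LAN (192.168.2.72 lives here)
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Server side (real server address 192.168.1.102 is assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE
!
! The OUTSIDE server is presented to INSIDE hosts as 192.168.2.102.
! add-route installs the host route so the translated address is reachable.
ip nat outside source static 192.168.1.102 192.168.2.102 add-route
!
! Per-session audit-trail messages (the source of the log lines in the figure)
parameter-map type inspect AUDIT
 audit-trail on
!
! L7 classification: match the FTP protocol, not "tcp port 21"
class-map type inspect match-all L7-CLASS1
 match protocol ftp
!
policy-map type inspect L7-POLICY
 class type inspect L7-CLASS1
  inspect AUDIT
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect L7-POLICY
```

Because the class matches protocol ftp, the inspection engine reads the PORT/PASV (and EPRT/EPSV) exchange inside the control channel, opens a pinhole for the negotiated data connection, and rewrites the embedded address when NAT applies. Had the class matched only an access-group for TCP port 21, the control channel would be admitted but the data connection would fall into class-default and be dropped. The sessions, including the dynamically created data channel, can be checked with show policy-map type inspect zone-pair sessions.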
Review basic FTP operations
What are the typical commands (inside an FTP control channel) that trigger the setup of a data channel?
It is important to compare these new audit-trail messages with those for single-channel protocols that use TCP as transport (such as telnet in previous ZFW-related posts). What has changed?
** Related Posts:
- Zone Firewall Series: https://alexandremspmoraes.wordpress.com/tag/zone-firewall/
- L7 Inspection Series: https://alexandremspmoraes.wordpress.com/tag/l7-inspection/