Cisco IOS Zone-based Policy Firewall: L7 inspection for FTP over IPv6

In a previous post we examined the main usages of L7 inspection on a stateful firewall (IPv4 perspective):

  1. Fixing up misbehaved protocols, such as those that dynamically negotiate data connections inside the control channel. Classic examples are FTP and the telephony signaling protocols (SIP, H.323 framework, SCCP, MGCP).
  2. Perform Network Address Translation (NAT) at the application level for those protocols that embed the IP address in the L7 messages. This is critical within NAT and Port Address Translation (PAT) environments.
  3. Use the application knowledge to filter based on additional criteria pertaining to the specific L7 protocol, rather than just L4/L3.

On another article of the IPv6 series, we analyzed a basic L4 inspection policy for a v6 environment. Now we will apply the Cisco Zone-based Policy Firewall (ZFW) L7 awareness to a simple FTP scenario built upon IPv6. But, before we jump to the example itself, there are some relevant facts to highlight :

  • Current support for IPv6 in the ZFW covers case 1 of the main usages of L7 inspection listed before.
  • If you need to fixup an application protocol that is running over non-standard ports, you can leverage the ipv6 port-map command (pretty much in the same fashion we employed  the ip port-map command before).
  • The application knowledge is not used for filtering purposes yet.

The figure below depicts not only the ZFW policy structure but also the audit-trail logs for the FTP session (both the control and thedynamically  negotiated data channels). Notice that the match protocol statement uses the ftp keyword, which instructs the ZFW to use its understanding of the FTP application to handle this session. (It is not generic TCP !)

Sample Zone-based Policy Firewall scenario for FTP over IPv6 inspection

** Topics for Study:

  • What are the FTP over IPv6 commands that correspond, respectively, to the PORT and PASV commands ?
  • Examine the output of the show ipv6 port-map command
  • Play with the appropriate show commands for this setup. Good starting points are show zone security and show policy-firewall config zone-pair.

** Related Posts:

Leave a comment

Filed under English, Firewalls, IPv6, Security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s