Tag Archives: L7 Inspection

Cisco IOS Zone-based Policy Firewall: L7 inspection for FTP over IPv6

In a previous post we examined the main usages of L7 inspection on a stateful firewall (IPv4 perspective):

  1. Fixing up misbehaved protocols, such as those that dynamically negotiate data connections inside the control channel. Classic examples are FTP and the telephony signaling protocols (SIP, the H.323 framework, SCCP, MGCP).
  2. Performing Network Address Translation (NAT) at the application level for those protocols that embed the IP address in L7 messages. This is critical in NAT and Port Address Translation (PAT) environments.
  3. Using the application knowledge to filter based on additional criteria pertaining to the specific L7 protocol, rather than just L4/L3.

In another article of the IPv6 series, we analyzed a basic L4 inspection policy for a v6 environment. Now we will apply the L7 awareness of the Cisco Zone-based Policy Firewall (ZFW) to a simple FTP scenario built upon IPv6. But before we jump to the example itself, there are some relevant facts to highlight:

  • Current support for IPv6 in the ZFW covers case 1 of the main usages of L7 inspection listed above.
  • If you need to fix up an application protocol that is running over non-standard ports, you can leverage the ipv6 port-map command (pretty much in the same fashion we employed the ip port-map command before).
  • The application knowledge is not yet used for filtering purposes.

The figure below depicts not only the ZFW policy structure but also the audit-trail logs for the FTP session (both the control channel and the dynamically negotiated data channel). Notice that the match protocol statement uses the ftp keyword, which instructs the ZFW to use its understanding of the FTP application to handle this session (it is not generic TCP!).

Sample Zone-based Policy Firewall scenario for FTP over IPv6 inspection

** Topics for Study:

  • What are the FTP over IPv6 commands that correspond, respectively, to the PORT and PASV commands?
  • Examine the output of the show ipv6 port-map command
  • Play with the appropriate show commands for this setup. Good starting points are show zone security and show policy-firewall config zone-pair.

Filed under English, Firewalls, IPv6, Security

HTTP Inspection on non-standard ports with the Cisco Zone-based Policy Firewall

The current post uses the ip port-map command as an auxiliary resource to enable HTTP inspection on the Cisco Zone-based Policy Firewall (ZFW).

In our reference topology HTTP is enabled on ports 2002 and 2003 for host 172.17.3.40. The ip port-map command simply instructs the router to treat these ports as HTTP and not as generic TCP. With this type of setup, any specific L7 configuration that applies to HTTP (on its default port) would equally be valid for the non-standard range of ports.

Inspecting HTTP on non-standard ports with the Cisco Zone-based Policy Firewall

** Topics for Study:

  • Play with the ip port-map command for other protocols. What is the default port for SIP? And for MGCP?
  • What is different in the audit-trail message in this example when contrasted with the connection logging messages for a single-channel protocol like telnet? (If needed, revisit previous posts in the ZFW series.)
  • Does the ip port-map command apply to Context Based Access Control (CBAC) ?

Filed under English, Firewalls, Security

FTP Inspection with the Cisco Zone-based Policy Firewall

Having analyzed the basic L4/L3 configuration principles for the Cisco Zone-based Policy Firewall (ZFW), we will now illustrate some L7 options.

Before we start the practical examples, it is interesting to characterize the main usages of L7 inspection on a stateful firewall:

  • Fixing up misbehaved protocols, such as those that dynamically negotiate data connections inside the control channel. Classic examples are FTP and the telephony signaling protocols (SIP, the H.323 framework, SCCP, MGCP).
  • Performing Network Address Translation (NAT) at the application level for those protocols that embed the IP address in L7 messages. This is critical in NAT and Port Address Translation (PAT) environments.
  • Using the application knowledge to filter based on additional criteria pertaining to the specific L7 protocol, rather than just L4/L3.

The figure depicts a reference scenario for FTP inspection on the ZFW:

  • The INSIDE client 192.168.2.72 starts an FTP session to the translated address of the server (192.168.2.102).
  • Instead of matching based on an L4 clause, there is a match protocol ftp statement under the class-map named L7-CLASS1.
  • The first audit-trail message shows the creation of the FTP control connection (over port TCP/21).
  • The second log message shows a sample FTP data session (and the corresponding NAT operation).

It is important to emphasize that in this sample network we are not performing any special filtering. We are just using L7 knowledge for fixup purposes.
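As an added illustration (not code from the original post, nor Cisco's implementation) of the fixup mechanics that both this post and the FTP over IPv6 post above rely on: a model of how an inspector reads PORT/PASV (IPv4) and EPRT/EPSV (IPv6, RFC 2428) messages on the control channel and derives the data channel it must open, refusing any announcement that names an address other than the sender's own. The endpoint addresses used in the calls are constructed.

```python
"""Model of how a stateful firewall's FTP "fixup" learns the dynamically
negotiated data channel from the control channel. Added illustration,
not Cisco ZFW code; the endpoint addresses used with it are constructed."""
import re
from ipaddress import ip_address

# Negotiation forms from RFC 959 (PORT / 227 reply) and RFC 2428 (EPRT / 229 reply).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|\s*$")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")

def _h1h2(parts):
    """Turn the h1,h2,h3,h4,p1,p2 tuple of PORT/227 into (ip, port)."""
    a = [int(x) for x in parts]
    return ".".join(map(str, a[:4])), a[4] * 256 + a[5]

def data_channel(line, client_ip, server_ip):
    """Inspect one control-channel line. Return (initiator, responder_ip,
    responder_port) for the data connection the firewall must open
    dynamically, or None when the line negotiates nothing or names an
    address that is not the sender's own (refused instead of pin-holed)."""
    client_ip, server_ip = str(ip_address(client_ip)), str(ip_address(server_ip))
    m = PORT_RE.match(line)
    if m:  # active mode, IPv4: the server will connect back to the client
        ip, port = _h1h2(m.groups())
        return (server_ip, ip, port) if ip == client_ip else None
    m = PASV_RE.match(line)
    if m:  # passive mode, IPv4: the client will connect to the server
        ip, port = _h1h2(m.groups())
        return (client_ip, ip, port) if ip == server_ip else None
    m = EPRT_RE.match(line)
    if m:  # extended active mode: carries a literal IPv4 or IPv6 address
        try:
            ip = str(ip_address(m.group(2)))
        except ValueError:
            return None
        return (server_ip, ip, int(m.group(3))) if ip == client_ip else None
    m = EPSV_RE.match(line)
    if m:  # extended passive mode: only a port, the address is the server's
        return (client_ip, server_ip, int(m.group(1)))
    return None

def pinholes(session, client_ip, server_ip):
    """Walk a list of control-channel lines and collect every data channel
    the inspector would open; lines that negotiate nothing are skipped."""
    found = [data_channel(l, client_ip, server_ip) for l in session]
    return [f for f in found if f is not None]
```

Each tuple returned is exactly the information the firewall needs to create the second session that shows up in the audit trail: who will initiate, and the address and port they will connect to.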

Reference topology for FTP inspection with the Cisco Zone-based Policy Firewall

** Topics for Study:

  • Review basic FTP operations.
  • What are typical commands (inside an FTP control channel) that trigger the setup of a data channel?
  • It is important to compare these new audit-trail messages with those for single-channel protocols that use TCP as transport (such as telnet in previous ZFW-related posts). What has changed?

Filed under English, Firewalls, Security