1. Configuration

1.1. Overview

A typical firewall is built around the following three zones. (Recently the value of a DMZ has come into question and designs without one have become common, but...)

            │DMZ
            │
 OUTSIDE+---+----+INSIDE
    ----+   FW   +------
        +--------+

Zone Based Firewall is access control applied between zones like these. There are many configuration steps, but if you work through them carefully the configuration is not hard to understand.

1.2. Zone definition

First define the zone names. Names such as INSIDE and OUTSIDE are the usual choice.

Router(config)# zone security <ZONE>

1.3. Zone pair definition

Define a ZONE PAIR, a combination of two ZONEs. For the destination ZONE, self (the router itself) can be specified in addition to a <ZONE> defined above.

Router(config)# zone-pair security <ZONE_PAIR> source <ZONE> destination <ZONE>

1.4. class-map definition

Define the class-map that classifies packets. Note that, unlike an ordinary class-map, type inspect must be specified.

Router(config)# class-map type inspect <CLASS_MAP>

1.5. policy-map definition

Define the policy-map based on the class-map above. Note that, unlike an ordinary policy-map, type inspect must be specified. The action can be pass, drop or inspect.

Router(config)# policy-map type inspect <POLICY_MAP>
Router(config-pmap)# class <CLASS_MAP>
Router(config-pmap-c)# { pass | drop | inspect }

1.6. Applying the policy-map

Apply the policy-map above to the ZONE PAIR.

Router(config)# zone-pair security <ZONE_PAIR> source <ZONE> destination <ZONE>
Router(config-sec-zone-pair)# service-policy type inspect <POLICY_MAP>

1.7. zone member definition

Define which interface belongs to which ZONE.

Router(config)# interface <interface>
Router(config-if)# zone-member security <ZONE>

2. Verification

2.1. Topology

Verification uses the topology of Internet Expert Workbook Volume I. The relevant part of the topology is shown below.

              INSIDE                    OUTSIDE

 +--------+VL67    Fa0/0.67+--------+Fa0/0.146  Fa0/0+--------+
 +  SW 1  +----------------+   R6   +----------------+   R1   +
 +--------+.7            .6+--------+.6            .1+--------+
            155.X.67.0/24             155.X.146.0/24

 Loopback 0                Loopback 0                Loopback 0
 150.X.7.7/24              150.X.6.6/24              150.X.1.1/24

Load the initial configuration of Internet Expert Workbook Volume I Section 11 Security. Then shut down R1 s0/0 and s0/1 so that R1 and SW1 reach each other via R6. Only the relevant parts of the configuration are excerpted below.

 [R1]
interface Loopback0
 ip address 150.14.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 155.14.146.1 255.255.255.0
!
interface Serial0/0
 shutdown
!
interface Serial0/1
 shutdown
!
router rip
 version 2
 no auto-summary
 timers basic 10 40 30 60
 network 150.14.0.0
 network 155.14.0.0

 [R6]
interface Loopback0
 ip address 150.14.6.6 255.255.255.0
!
interface FastEthernet0/0
!
interface FastEthernet0/0.67
 encapsulation dot1Q 67
 ip address 155.14.67.6 255.255.255.0
!
interface FastEthernet0/0.146
 encapsulation dot1Q 146
 ip address 155.14.146.6 255.255.255.0
!
router rip
 version 2
 no auto-summary
 timers basic 10 40 30 60
 network 150.14.0.0
 network 155.14.0.0

 [SW1]
interface Vlan67
 ip address 155.14.67.7 255.255.255.0
!
router rip
 version 2
 no auto-summary
 timers basic 10 40 30 60
 network 150.14.0.0
 network 155.14.0.0

2.2. Blacklist style

Let us look at a blacklist-style configuration. As an example, assume the following scenario.

There has been an intrusion via telnet from OUTSIDE (R1) into INSIDE (SW1). To prevent further intrusions, block telnet from OUTSIDE to INSIDE, but do not obstruct telnet from INSIDE to OUTSIDE.

An example configuration follows.

 [R6]
class-map type inspect CMAP_TELNET
 match protocol telnet
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_TELNET
  drop
 class class-default
  pass
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class class-default
  pass
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
!
interface FastEthernet 0/0.67
 zone-member security INSIDE
!
interface FastEthernet 0/0.146
 zone-member security OUTSIDE

Confirm that ping from OUTSIDE (R1) to INSIDE (SW1) still works but telnet cannot connect.

 [R1]
Rack14R1#ping 155.14.67.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.14.67.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Rack14R1#
Rack14R1#telnet 155.14.67.7
Trying 155.14.67.7 ...
% Connection timed out; remote host not responding

Rack14R1#

Conversely, confirm that telnet from INSIDE (SW1) to OUTSIDE (R1) works.

 [SW1]
Rack14SW1#telnet 155.14.146.1
Trying 155.14.146.1 ... Open


User Access Verification

Password:
Rack14R1>exit

[Connection to 155.14.146.1 closed by foreign host]
Rack14SW1#

2.3. Whitelist style

Let us look at a whitelist-style configuration. As an example, assume the following scenario.

There has been an intrusion via telnet from OUTSIDE (R1) into INSIDE (SW1). To prevent further intrusions, allow only HTTP, HTTPS and DNS queries from OUTSIDE to INSIDE, but do not obstruct any traffic from INSIDE to OUTSIDE.

An example configuration follows. Take care not to deny the routing protocol: RIP updates are sent and received by R6 itself, so they fall under the self zone and need their own zone pairs.

 [R6]
no zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
no zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
no policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
no policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
no class-map type inspect CMAP_TELNET
!
ip access-list extended ACL_RIP
 10 permit udp any any eq rip
!
class-map type inspect match-any CMAP_OUTSIDE_TO_INSIDE
 match protocol http
 match protocol https
 match protocol dns
!
class-map type inspect CMAP_INSIDE_TO_SELF
 match access-group name ACL_RIP
!
class-map type inspect CMAP_OUTSIDE_TO_SELF
 match access-group name ACL_RIP
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_OUTSIDE_TO_INSIDE
  inspect
 class class-default
  drop
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class class-default
  drop
!
policy-map type inspect PMAP_INSIDE_TO_SELF
 class CMAP_INSIDE_TO_SELF
  pass
!
policy-map type inspect PMAP_OUTSIDE_TO_SELF
 class CMAP_OUTSIDE_TO_SELF
  pass
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self
 service-policy type inspect PMAP_INSIDE_TO_SELF
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PMAP_OUTSIDE_TO_SELF
!
interface FastEthernet 0/0.67
 zone-member security INSIDE
interface FastEthernet 0/0.146
 zone-member security OUTSIDE

To test http and https connectivity, enter the following configuration on SW1.

 [SW1]
ip http server
ip http secure-server
ip http path flash:

Verify http and https connectivity with the copy command and the telnet command. (For port 443 the TCP connection opens and is then closed by the peer instead of timing out, which shows that Layer 4 connectivity is there.)

 [R1]
Rack14R1#copy http://cisco:cisco@155.14.67.7/config.text null:
Loading http://***********@155.14.67.7/config.text !
2409 bytes copied in 0.056 secs (43018 bytes/sec)
Rack14R1#
Rack14R1#
Rack14R1#telnet 155.14.67.7 80
Trying 155.14.67.7, 80 ... Open
GET /
WWW-Authenticate: Basic realm="level_15_access"

401 Unauthorized

[Connection to 155.14.67.7 closed by foreign host]
Rack14R1#
Rack14R1#
Rack14R1#telnet 155.14.67.7 443
Trying 155.14.67.7, 443 ... Open

[Connection to 155.14.67.7 closed by foreign host]
Rack14R1#

Confirm that ping and telnet time out.

 [R1]
Rack14R1#ping 155.14.67.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.14.67.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Rack14R1#
Rack14R1#
Rack14R1#telnet 155.14.67.7
Trying 155.14.67.7 ...
% Connection timed out; remote host not responding

Rack14R1#

Another important check is that the routing protocol has not been denied by mistake.

 [R6]
Rack14R6#show ip protocols
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 10 seconds, next due in 7 seconds
  Invalid after 40 seconds, hold down 30, flushed after 60
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0.67    2     2
    FastEthernet0/0.146   2     2
    Serial0/0/0           2     2
    Loopback0             2     2
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    54.0.0.0
    150.14.0.0
    155.14.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    155.14.146.4         120      00:00:09
    155.14.146.1         120      00:00:04
    54.14.1.254          120      00:00:22
    155.14.67.7          120      00:00:04
  Distance: (default is 120)

Rack14R6#

2.4. Control by IP address

By combining class-maps, control by IP address can be built into the Zone Based Firewall.

For OUTSIDE to INSIDE, permit only HTTP, HTTPS and DNS queries whose source is R1 Lo0 (150.X.1.1/24). An example configuration follows.

 [R6]
no zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
no zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
no zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self
no zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
no policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
no policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
no policy-map type inspect PMAP_INSIDE_TO_SELF
no policy-map type inspect PMAP_OUTSIDE_TO_SELF
no class-map type inspect CMAP_OUTSIDE_TO_INSIDE
no class-map type inspect CMAP_INSIDE_TO_SELF
no class-map type inspect CMAP_OUTSIDE_TO_SELF
no ip access-list extended ACL_RIP
!
ip access-list extended ACL_RIP
 10 permit udp any any eq rip
ip access-list extended ACL_OUTSIDE_TO_INSIDE
 10 permit ip 150.14.1.0 0.0.0.255 any
!
class-map type inspect CMAP_OUTSIDE_TO_INSIDE_ACL
 match access-group name ACL_OUTSIDE_TO_INSIDE
class-map type inspect match-any CMAP_OUTSIDE_TO_INSIDE_PTOROCOL
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect CMAP_OUTSIDE_TO_INSIDE
 match class-map CMAP_OUTSIDE_TO_INSIDE_ACL
 match class-map CMAP_OUTSIDE_TO_INSIDE_PTOROCOL
!
class-map type inspect CMAP_INSIDE_TO_SELF
 match access-group name ACL_RIP
!
class-map type inspect CMAP_OUTSIDE_TO_SELF
 match access-group name ACL_RIP
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_OUTSIDE_TO_INSIDE
  inspect
 class class-default
  drop
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class class-default
  drop
!
policy-map type inspect PMAP_INSIDE_TO_SELF
 class CMAP_INSIDE_TO_SELF
  pass
!
policy-map type inspect PMAP_OUTSIDE_TO_SELF
 class CMAP_OUTSIDE_TO_SELF
  pass
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self
 service-policy type inspect PMAP_INSIDE_TO_SELF
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PMAP_OUTSIDE_TO_SELF
!
interface FastEthernet 0/0.67
 zone-member security INSIDE
interface FastEthernet 0/0.146
 zone-member security OUTSIDE
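To make the class-map nesting of sections 2.3 and 2.4 concrete, the following added Python script (written for this page, not code from the original or from Cisco) parses a constructed excerpt of the R6 configuration above and answers which action the zone-pair policy would apply to a flow given its source zone, destination zone, protocol and source address. It handles only the match forms used on this page and does not model the self-zone default.

```python
import ipaddress
CONFIG = """\
ip access-list extended ACL_OUTSIDE_TO_INSIDE
 10 permit ip 150.14.1.0 0.0.0.255 any
class-map type inspect CMAP_OUTSIDE_TO_INSIDE_ACL
 match access-group name ACL_OUTSIDE_TO_INSIDE
class-map type inspect match-any CMAP_OUTSIDE_TO_INSIDE_PTOROCOL
 match protocol http
 match protocol https
class-map type inspect CMAP_OUTSIDE_TO_INSIDE
 match class-map CMAP_OUTSIDE_TO_INSIDE_ACL
 match class-map CMAP_OUTSIDE_TO_INSIDE_PTOROCOL
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_OUTSIDE_TO_INSIDE
  inspect
 class class-default
  drop
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
"""  # constructed excerpt of the section 2.4 R6 configuration, typed for this example, not a device dump
def parse(text):
    """Index ACLs, class-maps, policy-maps and zone-pairs; cur is the block currently being filled."""
    cfg, cur = {"acl": {}, "cmap": {}, "pmap": {}, "zp": {}}, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "ip": cur = cfg["acl"][w[-1]] = []                        # ip access-list extended NAME
        elif w[0] == "class-map": cur = cfg["cmap"][w[-1]] = ("match-any" in w, [])  # default is match-all
        elif w[0] == "policy-map": cur = cfg["pmap"][w[-1]] = []
        elif w[0] == "zone-pair": cur = cfg["zp"][(w[4], w[6])] = []         # ... source S destination D
        elif w[0] == "match": cur[1].append((w[1], w[-1]))                  # protocol X | access-group name X | class-map X
        elif w[0] == "class": cur.append([w[1], None])                      # the action comes on the next line
        elif w[0] == "service-policy": cur.append(w[-1])
        elif "permit" in w: cur.append(ipaddress.ip_network(f"{w[3]}/{w[4]}"))  # SRC WILDCARD -> network
        else: cur[-1][1] = w[0]                                             # inspect | pass | drop
    return cfg

def matches(cfg, name, proto, ip):
    """match-all (default) needs every rule to hit, match-any needs one; class-map rules nest."""
    match_any, rules = cfg["cmap"][name]
    hits = [arg == proto if kind == "protocol" else matches(cfg, arg, proto, ip) if kind == "class-map"
            else any(ip in net for net in cfg["acl"][arg]) for kind, arg in rules]
    return any(hits) if match_any else all(hits)

def action(cfg, src_zone, dst_zone, proto, src_ip):
    """First matching class of the zone-pair's policy wins; without a zone-pair the flow is dropped."""
    ip = ipaddress.ip_address(src_ip)
    for pmap in cfg["zp"].get((src_zone, dst_zone), []):
        for cls, act in cfg["pmap"][pmap]:
            if cls == "class-default" or matches(cfg, cls, proto, ip):
                return act
    return "drop"
```

Running action(parse(CONFIG), "OUTSIDE", "INSIDE", "http", "155.14.146.1") returns "drop" while the same query from "150.14.1.1" returns "inspect", reproducing the two telnet-to-port-80 checks that follow.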

Confirm that http traffic sourced from R1 Fa0/0 (155.14.146.1) is blocked.

 [R1]
Rack14R1#telnet 155.14.67.7 80
Trying 155.14.67.7, 80 ...
% Connection timed out; remote host not responding

Rack14R1#

Confirm that connectivity is restored when the source is changed to Loopback0 (150.14.1.1).

 [R1]
Rack14R1#telnet 155.14.67.7 80 /source-interface Loopback 0
Trying 155.14.67.7, 80 ... Open
GET /
WWW-Authenticate: Basic realm="level_15_access"

401 Unauthorized

[Connection to 155.14.67.7 closed by foreign host]
Rack14R1#

2.5. Combined with policing

Zone Based Firewall can also be combined with policing. The following configuration polices ICMP.

 [R6]
no zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
no zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
no zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self
no zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
no policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
no policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
no policy-map type inspect PMAP_INSIDE_TO_SELF
no policy-map type inspect PMAP_OUTSIDE_TO_SELF
no class-map type inspect CMAP_OUTSIDE_TO_INSIDE
no class-map type inspect CMAP_INSIDE_TO_SELF
no class-map type inspect CMAP_OUTSIDE_TO_SELF
no class-map type inspect CMAP_OUTSIDE_TO_INSIDE_ACL
no class-map type inspect CMAP_OUTSIDE_TO_INSIDE_PTOROCOL
no ip access-list extended ACL_RIP
!
class-map type inspect CMAP_ICMP
 match protocol icmp
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_ICMP
  inspect
  police rate 8000 burst 1000
 class class-default
  pass
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class class-default
  pass
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
!
interface FastEthernet 0/0.67
 zone-member security INSIDE
!
interface FastEthernet 0/0.146
 zone-member security OUTSIDE

Send pings from OUTSIDE (R1) to INSIDE (SW1). Confirm that some packets are dropped as a result of policing.

 [R1]
Rack14R1#ping 155.14.67.7 repeat 50

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 155.14.67.7, timeout is 2 seconds:
!!!!.!!!!.!!!!.!!!!.!!!!.!!!!.!!!!.
Success rate is 80 percent (28/35), round-trip min/avg/max = 1/2/4 ms
Rack14R1#

The following show command shows how much was dropped.

 [R6]
Rack14R6#show policy-map type inspect zone-pair ZP_OUTSIDE_TO_INSIDE

policy exists on zp ZP_OUTSIDE_TO_INSIDE
 Zone-pair: ZP_OUTSIDE_TO_INSIDE

  Service-policy inspect : PMAP_OUTSIDE_TO_INSIDE

    Class-map: CMAP_ICMP (match-all)
      Match: protocol icmp

   Inspect
        Packet inspection statistics [process switch:fast switch]
        icmp packets: [0:56]

        Session creations since subsystem startup or last reset 1
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:1:0]
        Last session created 00:00:35
        Last statistic reset never
        Last session creation rate 1
        Maxever session creation rate 1
        Last half-open session total 0
       Police
        rate 8000 bps,1000 limit
        conformed 56 packets, 6608 bytes; actions: transmit
        exceeded 7 packets, 826 bytes; actions: drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      Match: any
      Pass
        0 packets, 0 bytes
Rack14R6#

2.6. Combined with tcp intercept

Zone Based Firewall can also be combined with tcp intercept. The following example configuration rejects half-open connections for HTTP traffic.

 [R6]
no zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
no zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
no policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
no policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
no class-map type inspect CMAP_ICMP
!
parameter-map type inspect PARAM
 max-incomplete low  50
 max-incomplete high 100
 one-minute low 5
 one-minute high 10
 tcp max-incomplete host 3 block-time 1
!
class-map type inspect CMAP_HTTP
 match protocol http
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_HTTP
  inspect PARAM
 class class-default
  pass
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class class-default
  pass
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
!
interface FastEthernet 0/0.67
 zone-member security INSIDE
!
interface FastEthernet 0/0.146
 zone-member security OUTSIDE

The configuration can be checked with the show policy-map command.

 [R6]
Rack14R6#show policy-map type inspect zone-pair ZP_OUTSIDE_TO_INSIDE

policy exists on zp ZP_OUTSIDE_TO_INSIDE
 Zone-pair: ZP_OUTSIDE_TO_INSIDE

  Service-policy inspect : PMAP_OUTSIDE_TO_INSIDE

    Class-map: CMAP_HTTP (match-all)
      Match: protocol http

   Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [0:18]

        Session creations since subsystem startup or last reset 1
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [1:1:1]
        Last session created 00:01:25
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 1
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Pass
        0 packets, 0 bytes
Rack14R6#