Zone-Based Policy Firewall (ZFW) is a feature that, like common firewall products, lets you define zones and permit traffic in one direction only.
Configuration
Overview
A firewall is typically built from the following three zones. (In B2C environments, however, the value of a DMZ is often questioned, and designs without one are common.)
```
              DMZ
               |
           +---+----+
OUTSIDE ---+   FW   +--- INSIDE
           +--------+
```
Zone-Based Firewall is access control between zones like these. There are many configuration steps, but if you read through them carefully the configuration is not hard to understand.
Zone definition
First define the ZONE names. Names such as INSIDE and OUTSIDE are the usual choice.
```
Router(config)# zone security <ZONE>
```
Zone pair definition
Define a ZONE PAIR, which is a combination of ZONEs. The ZONE given as destination is one of the ZONEs defined above.
```
Router(config)# zone-pair security <ZONE_PAIR> source <ZONE> destination <ZONE>
```
class-map definition
Define a class-map that classifies packets. Unlike an ordinary class-map, note that type inspect must be specified.
```
Router(config)# class-map type inspect <CLASS_MAP>
```
policy-map definition
Define a policy-map based on the class-map above. Unlike an ordinary policy-map, note that type inspect must be specified. The action can be pass, drop, or inspect.
```
Router(config)# policy-map type inspect <POLICY_MAP>
Router(config-pmap)# class <CLASS_MAP>
Router(config-pmap-c)# { pass | drop | inspect }
```
Applying the policy-map
Apply the policy-map above to the ZONE PAIR.
```
Router(config)# zone-pair security <ZONE_PAIR> source <ZONE> destination <ZONE>
Router(config-sec-zone-pair)# service-policy type inspect <POLICY_MAP>
```
zone member definition
Define which interface belongs to which ZONE.
```
Router(config)# interface <interface>
Router(config-if)# zone-member security <ZONE>
```
Verification
Topology
Verification uses the topology of Internet Expert Workbook Volume I. The relevant part of the topology is shown below.
```
     INSIDE                                                   OUTSIDE
+--------+ VL67            Fa0/0.67 +--------+ Fa0/0.146              Fa0/0 +--------+
+  SW 1  +--------------------------+   R6   +-------------------------------+   R1   +
+--------+ .7                    .6 +--------+ .6                         .1 +--------+
             155.X.67.0/24                          155.X.146.0/24
 Loopback 0                         Loopback 0                               Loopback 0
 150.X.7.7/24                       150.X.6.6/24                             150.X.1.1/24
```
Load the initial configuration of Internet Expert Workbook Volume I, Section 11 Security. Then shut down R1 s0/0 and s0/1 so that R1 and SW1 reach each other via R6. The relevant parts of the configuration are as follows.
```
[R1]
interface Loopback0
 ip address 150.14.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 155.14.146.1 255.255.255.0
!
interface Serial0/0
 shutdown
!
interface Serial0/1
 shutdown
!
router rip
 version 2
 no auto-summary
 timers basic 10 40 30 60
 network 150.14.0.0
 network 155.14.0.0

[R6]
interface Loopback0
 ip address 150.14.6.6 255.255.255.0
!
interface FastEthernet0/0
!
interface FastEthernet0/0.67
 encapsulation dot1Q 67
 ip address 155.14.67.6 255.255.255.0
!
interface FastEthernet0/0.146
 encapsulation dot1Q 146
 ip address 155.14.146.6 255.255.255.0
!
router rip
 version 2
 no auto-summary
 timers basic 10 40 30 60
 network 150.14.0.0
 network 155.14.0.0

[SW1]
interface Vlan67
 ip address 155.14.67.7 255.255.255.0
!
router rip
 version 2
 no auto-summary
 timers basic 10 40 30 60
 network 150.14.0.0
 network 155.14.0.0
```
Blacklist-style configuration
Let us consider a blacklist-style configuration. Assume the following scenario.
There was an intrusion by telnet from OUTSIDE (R1) into INSIDE (SW1). To prevent further intrusions, prohibit telnet from OUTSIDE to INSIDE. However, do not obstruct telnet from INSIDE to OUTSIDE.
An example configuration is as follows.
```
[R6]
class-map type inspect CMAP_TELNET
 match protocol telnet
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_TELNET
  drop
 class class-default
  pass
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class class-default
  pass
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
!
interface FastEthernet 0/0.67
 zone-member security INSIDE
!
interface FastEthernet 0/0.146
 zone-member security OUTSIDE
```
Confirm that ping from OUTSIDE (R1) to INSIDE (SW1) succeeds but telnet cannot connect.
```
[R1]
Rack14R1#ping 155.14.67.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.14.67.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Rack14R1#
Rack14R1#telnet 155.14.67.7
Trying 155.14.67.7 ...
% Connection timed out; remote host not responding
Rack14R1#
```
Conversely, confirm that telnet from INSIDE (SW1) to OUTSIDE (R1) still works.
```
[SW1]
Rack14SW1#telnet 155.14.146.1
Trying 155.14.146.1 ... Open

User Access Verification

Password:
Rack14R1>exit

[Connection to 155.14.146.1 closed by foreign host]
Rack14SW1#
```
Whitelist-style configuration
Let us consider a whitelist-style configuration. Assume the following scenario.
There was an intrusion by telnet from OUTSIDE (R1) into INSIDE (SW1). To prevent further intrusions, allow only HTTP, HTTPS and DNS queries from OUTSIDE to INSIDE. However, no traffic from INSIDE to OUTSIDE may be obstructed.
An example configuration is as follows. Take care not to deny the routing protocol.
```
[R6]
no zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
no zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
no policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
no policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
no class-map type inspect CMAP_TELNET
!
ip access-list extended ACL_RIP
 10 permit udp any any eq rip
!
class-map type inspect match-any CMAP_OUTSIDE_TO_INSIDE
 match protocol http
 match protocol https
 match protocol dns
!
class-map type inspect CMAP_INSIDE_TO_SELF
 match access-group name ACL_RIP
!
class-map type inspect CMAP_OUTSIDE_TO_SELF
 match access-group name ACL_RIP
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_OUTSIDE_TO_INSIDE
  inspect
 class class-default
  drop
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class class-default
  drop
!
policy-map type inspect PMAP_INSIDE_TO_SELF
 class CMAP_INSIDE_TO_SELF
  pass
!
policy-map type inspect PMAP_OUTSIDE_TO_SELF
 class CMAP_OUTSIDE_TO_SELF
  pass
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self
 service-policy type inspect PMAP_INSIDE_TO_SELF
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PMAP_OUTSIDE_TO_SELF
!
interface FastEthernet 0/0.67
 zone-member security INSIDE
interface FastEthernet 0/0.146
 zone-member security OUTSIDE
```
To verify http and https connectivity, enter the following configuration on SW1.
```
[SW1]
ip http server
ip http secure-server
ip http path flash:
```
Verify http and https connectivity with the copy and telnet commands. (For port 443 the result is a refusal by the peer rather than a timeout, which shows that the path is open at Layer 4.)
```
[R1]
Rack14R1#copy http://cisco:cisco@155.14.67.7/config.text null:
Loading http://***********@155.14.67.7/config.text !
2409 bytes copied in 0.056 secs (43018 bytes/sec)
Rack14R1#
Rack14R1#telnet 155.14.67.7 80
Trying 155.14.67.7, 80 ... Open
GET /
WWW-Authenticate: Basic realm="level_15_access"
401 Unauthorized

[Connection to 155.14.67.7 closed by foreign host]
Rack14R1#
Rack14R1#telnet 155.14.67.7 443
Trying 155.14.67.7, 443 ... Open

[Connection to 155.14.67.7 closed by foreign host]
Rack14R1#
```
Confirm that ping and telnet time out.
```
[R1]
Rack14R1#ping 155.14.67.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.14.67.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Rack14R1#
Rack14R1#telnet 155.14.67.7
Trying 155.14.67.7 ...
% Connection timed out; remote host not responding
Rack14R1#
```
Another important check point is that the routing protocol has not been denied by mistake.
```
[R6]
Rack14R6#show ip protocols
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 10 seconds, next due in 7 seconds
  Invalid after 40 seconds, hold down 30, flushed after 60
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0.67    2     2
    FastEthernet0/0.146   2     2
    Serial0/0/0           2     2
    Loopback0             2     2
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    54.0.0.0
    150.14.0.0
    155.14.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    155.14.146.4         120      00:00:09
    155.14.146.1         120      00:00:04
    54.14.1.254          120      00:00:22
    155.14.67.7          120      00:00:04
  Distance: (default is 120)
Rack14R6#
```
Control by IP address
By combining class-maps, control based on IP address can be built into the Zone-Based Firewall.
For traffic from OUTSIDE to INSIDE, allow only HTTP, HTTPS and DNS queries whose source is R1 Lo0 (150.X.1.1/24). An example configuration is as follows.
```
no zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
no zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
no zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self
no zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
no policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
no policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
no policy-map type inspect PMAP_INSIDE_TO_SELF
no policy-map type inspect PMAP_OUTSIDE_TO_SELF
no class-map type inspect CMAP_OUTSIDE_TO_INSIDE
no class-map type inspect CMAP_INSIDE_TO_SELF
no class-map type inspect CMAP_OUTSIDE_TO_SELF
no ip access-list extended ACL_RIP
!
ip access-list extended ACL_RIP
 10 permit udp any any eq rip
ip access-list extended ACL_OUTSIDE_TO_INSIDE
 10 permit ip 150.14.1.0 0.0.0.255 any
!
class-map type inspect CMAP_OUTSIDE_TO_INSIDE_ACL
 match access-group name ACL_OUTSIDE_TO_INSIDE
class-map type inspect match-any CMAP_OUTSIDE_TO_INSIDE_PTOROCOL
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect CMAP_OUTSIDE_TO_INSIDE
 match class-map CMAP_OUTSIDE_TO_INSIDE_ACL
 match class-map CMAP_OUTSIDE_TO_INSIDE_PTOROCOL
!
class-map type inspect CMAP_INSIDE_TO_SELF
 match access-group name ACL_RIP
!
class-map type inspect CMAP_OUTSIDE_TO_SELF
 match access-group name ACL_RIP
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_OUTSIDE_TO_INSIDE
  inspect
 class class-default
  drop
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class class-default
  drop
!
policy-map type inspect PMAP_INSIDE_TO_SELF
 class CMAP_INSIDE_TO_SELF
  pass
!
policy-map type inspect PMAP_OUTSIDE_TO_SELF
 class CMAP_OUTSIDE_TO_SELF
  pass
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self
 service-policy type inspect PMAP_INSIDE_TO_SELF
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PMAP_OUTSIDE_TO_SELF
!
interface FastEthernet 0/0.67
 zone-member security INSIDE
interface FastEthernet 0/0.146
 zone-member security OUTSIDE
```
Confirm that http traffic sourced from R1 Fa0/0 (155.14.146.1) is blocked.
```
[R1]
Rack14R1#telnet 155.14.67.7 80
Trying 155.14.67.7, 80 ...
% Connection timed out; remote host not responding
Rack14R1#
```
Confirm that changing the source to Loopback0 (150.14.1.1) makes the connection succeed.
```
[R1]
Rack14R1#telnet 155.14.67.7 80 /source-interface Loopback 0
Trying 155.14.67.7, 80 ... Open
GET /
WWW-Authenticate: Basic realm="level_15_access"
401 Unauthorized

[Connection to 155.14.67.7 closed by foreign host]
Rack14R1#
```
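The same decisions the router outputs above show can be checked offline before touching the router. The evaluator below is an added example (not part of this page and not Cisco code): it parses the IP-address-based configuration above, modelling only the commands this page uses (match protocol, match access-group name, match class-map, pass / drop / inspect, zone-pairs including the router's self zone), and returns the action the first packet of a flow receives for a given source and destination zone. The flows are constructed from the lab addresses; PMAP_INSIDE_TO_OUTSIDE and ZP_INSIDE_TO_SELF are left out of the sample so that the INSIDE-to-OUTSIDE and INSIDE-to-self lookups exercise the no-zone-pair defaults.

```python
"""Offline evaluator for the Zone-Based Firewall policy on this page (added
example, not Cisco code). It models only the commands used here: match
protocol / access-group / class-map, pass / drop / inspect, and zone-pairs
including the implicit 'self' zone, answering one question: which action
does the first packet of a flow from zone A to zone B receive?"""
import ipaddress
from types import SimpleNamespace

# The page's IP-address-based configuration, embedded as sample input; the
# clean-up 'no ...' lines, zone/interface lines and the INSIDE-sourced
# zone-pairs are omitted so INSIDE-sourced lookups hit the no-zone-pair default.
SAMPLE_CONFIG = """
ip access-list extended ACL_RIP
 10 permit udp any any eq rip
ip access-list extended ACL_OUTSIDE_TO_INSIDE
 10 permit ip 150.14.1.0 0.0.0.255 any
class-map type inspect CMAP_OUTSIDE_TO_INSIDE_ACL
 match access-group name ACL_OUTSIDE_TO_INSIDE
class-map type inspect match-any CMAP_OUTSIDE_TO_INSIDE_PTOROCOL
 match protocol http
 match protocol https
class-map type inspect CMAP_OUTSIDE_TO_INSIDE
 match class-map CMAP_OUTSIDE_TO_INSIDE_ACL
 match class-map CMAP_OUTSIDE_TO_INSIDE_PTOROCOL
class-map type inspect CMAP_OUTSIDE_TO_SELF
 match access-group name ACL_RIP
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_OUTSIDE_TO_INSIDE
  inspect
 class class-default
  drop
policy-map type inspect PMAP_OUTSIDE_TO_SELF
 class CMAP_OUTSIDE_TO_SELF
  pass
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PMAP_OUTSIDE_TO_SELF
"""
PORTS = {"rip": 520, "http": 80, "https": 443, "dns": 53, "telnet": 23}
Flow = SimpleNamespace  # fields: src_ip, dst_ip, l4 (tcp/udp/icmp), app (protocol name), dport


def _addr(tokens):  # pop one ACL address: 'any' -> None, 'net wildcard' -> (net, wild) as ints
    first = tokens.pop(0)
    return None if first == "any" else tuple(int(ipaddress.ip_address(x)) for x in (first, tokens.pop(0)))


def parse(text):
    cfg = SimpleNamespace(acls={}, cmaps={}, pmaps={}, pairs={})
    ctx, cls = ("top", None), None                    # current section, current policy class
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["ip", "access-list"]:
            ctx, cfg.acls[t[3]] = ("acl", t[3]), []
        elif t[0] == "class-map":                     # 'match-any' is optional, default match-all
            mode = t[3] if t[3].startswith("match-") else "match-all"
            ctx, cfg.cmaps[t[-1]] = ("cmap", t[-1]), (mode, [])
        elif t[0] == "policy-map":
            ctx, cfg.pmaps[t[3]] = ("pmap", t[3]), []
        elif t[0] == "zone-pair":                     # zone-pair security NAME source S destination D
            ctx = ("pair", (t[4], t[6]))
        elif ctx[0] == "acl" and t[1:2] == ["permit"]:  # seq permit proto src dst [eq port]
            rest = t[3:]
            src, dst = _addr(rest), _addr(rest)
            port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            cfg.acls[ctx[1]].append((t[2], src, dst, port))
        elif ctx[0] == "cmap" and t[0] == "match":    # match protocol X | access-group name X | class-map X
            cfg.cmaps[ctx[1]][1].append((t[1], t[-1]))
        elif ctx[0] == "pmap" and t[0] == "class":
            cls = t[1]
        elif ctx[0] == "pmap" and t[0] in ("pass", "drop", "inspect"):
            cfg.pmaps[ctx[1]].append((cls, t[0]))
        elif ctx[0] == "pair" and t[0] == "service-policy":
            cfg.pairs[ctx[1]] = t[-1]
    return cfg


def _in_net(ip, spec):  # spec None means 'any'; wildcard bits are don't-care
    return spec is None or (int(ipaddress.ip_address(ip)) | spec[1]) == (spec[0] | spec[1])


def acl_permits(cfg, name, flow):
    """Any permit entry that matches wins; no match is the implicit deny."""
    return any(proto in ("ip", flow.l4) and _in_net(flow.src_ip, src)
               and _in_net(flow.dst_ip, dst) and port in (None, flow.dport)
               for proto, src, dst, port in cfg.acls[name])


def class_matches(cfg, name, flow):
    """match-all needs every statement to hit, match-any needs one; nesting recurses."""
    mode, statements = cfg.cmaps[name]
    test = {"protocol": lambda a: flow.app == a,
            "access-group": lambda a: acl_permits(cfg, a, flow),
            "class-map": lambda a: class_matches(cfg, a, flow)}
    hits = [test[kind](arg) for kind, arg in statements]
    return any(hits) if mode == "match-any" else all(hits)


def evaluate(cfg, flow, src_zone, dst_zone):
    """Action for a flow initiated in src_zone towards dst_zone ('self' is the router)."""
    if src_zone == dst_zone:
        return "pass"                       # intra-zone traffic is never inspected
    if (src_zone, dst_zone) not in cfg.pairs:
        # No zone-pair: inter-zone traffic is dropped, but traffic to or from the
        # router's own 'self' zone stays allowed until a self zone-pair exists.
        return "pass" if "self" in (src_zone, dst_zone) else "drop"
    for cls, action in cfg.pmaps[cfg.pairs[(src_zone, dst_zone)]]:
        if cls == "class-default" or class_matches(cfg, cls, flow):
            return action
    return "drop"                           # an unconfigured class-default drops
```

Running evaluate() over the sample reproduces the verification above: http from 155.14.146.1 is dropped, http from 150.14.1.1 is inspected, RIP to the self zone is passed by ZP_OUTSIDE_TO_SELF while anything else to self is dropped by the implicit class-default, and INSIDE to self stays allowed only because no such pair is in the sample (the page's ZP_INSIDE_TO_SELF restricts it to RIP). Adding the page's PMAP_INSIDE_TO_OUTSIDE and its zone-pair to SAMPLE_CONFIG makes INSIDE-initiated flows toward OUTSIDE return drop, since that policy-map's class-default is drop; that is the lookup to run against the scenario's requirement that INSIDE-to-OUTSIDE traffic not be obstructed.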
Combining with policing
Zone-Based Firewall can also be combined with policing. The configuration for policing ICMP is as follows.
```
[R6]
no zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
no zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
no zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self
no zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
no policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
no policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
no policy-map type inspect PMAP_INSIDE_TO_SELF
no policy-map type inspect PMAP_OUTSIDE_TO_SELF
no class-map type inspect CMAP_OUTSIDE_TO_INSIDE
no class-map type inspect CMAP_INSIDE_TO_SELF
no class-map type inspect CMAP_OUTSIDE_TO_SELF
no class-map type inspect CMAP_OUTSIDE_TO_INSIDE_ACL
no class-map type inspect CMAP_OUTSIDE_TO_INSIDE_PTOROCOL
no ip access-list extended ACL_RIP
!
class-map type inspect CMAP_ICMP
 match protocol icmp
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_ICMP
  inspect
  police rate 8000 burst 1000
 class class-default
  pass
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class class-default
  pass
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
!
interface FastEthernet 0/0.67
 zone-member security INSIDE
!
interface FastEthernet 0/0.146
 zone-member security OUTSIDE
```
Send pings from OUTSIDE (R1) to INSIDE (SW1). Confirm that, as a result of policing, some packets are dropped.
```
[R1]
Rack14R1#ping 155.14.67.7 repeat 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 155.14.67.7, timeout is 2 seconds:
!!!!.!!!!.!!!!.!!!!.!!!!.!!!!.!!!!.
Success rate is 80 percent (28/35), round-trip min/avg/max = 1/2/4 ms
Rack14R1#
```
The following show command shows how many packets were dropped.
```
[R6]
Rack14R6#show policy-map type inspect zone-pair ZP_OUTSIDE_TO_INSIDE
policy exists on zp ZP_OUTSIDE_TO_INSIDE
 Zone-pair: ZP_OUTSIDE_TO_INSIDE

 Service-policy inspect : PMAP_OUTSIDE_TO_INSIDE

  Class-map: CMAP_ICMP (match-all)
   Match: protocol icmp
   Inspect
    Packet inspection statistics [process switch:fast switch]
    icmp packets: [0:56]

    Session creations since subsystem startup or last reset 1
    Current session counts (estab/half-open/terminating) [0:0:0]
    Maxever session counts (estab/half-open/terminating) [0:1:0]
    Last session created 00:00:35
    Last statistic reset never
    Last session creation rate 1
    Maxever session creation rate 1
    Last half-open session total 0

   Police
    rate 8000 bps,1000 limit
    conformed 56 packets, 6608 bytes; actions: transmit
    exceeded 7 packets, 826 bytes; actions: drop
    conformed 0 bps, exceed 0 bps

  Class-map: class-default (match-any)
   Match: any
   Pass
    0 packets, 0 bytes
Rack14R6#
```
Combining with tcp intercept
Zone-Based Firewall can also be combined with tcp intercept. An example configuration that rejects half-open connections for HTTP traffic is as follows.
```
[R6]
no zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
no zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
no policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
no policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
no class-map type inspect CMAP_ICMP
!
parameter-map type inspect PARAM
 max-incomplete low 50
 max-incomplete high 100
 one-minute low 5
 one-minute high 10
 tcp max-incomplete host 3 block-time 1
!
class-map type inspect CMAP_HTTP
 match protocol http
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class CMAP_HTTP
  inspect PARAM
 class class-default
  pass
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class class-default
  pass
!
zone security OUTSIDE
zone security INSIDE
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
!
interface FastEthernet 0/0.67
 zone-member security INSIDE
!
interface FastEthernet 0/0.146
 zone-member security OUTSIDE
```
The configuration can be verified with the show policy-map command.
```
[R6]
Rack14R6#show policy-map type inspect zone-pair ZP_OUTSIDE_TO_INSIDE
policy exists on zp ZP_OUTSIDE_TO_INSIDE
 Zone-pair: ZP_OUTSIDE_TO_INSIDE

 Service-policy inspect : PMAP_OUTSIDE_TO_INSIDE

  Class-map: CMAP_HTTP (match-all)
   Match: protocol http
   Inspect
    Packet inspection statistics [process switch:fast switch]
    tcp packets: [0:18]

    Session creations since subsystem startup or last reset 1
    Current session counts (estab/half-open/terminating) [0:0:0]
    Maxever session counts (estab/half-open/terminating) [1:1:1]
    Last session created 00:01:25
    Last statistic reset never
    Last session creation rate 0
    Maxever session creation rate 1
    Last half-open session total 0

  Class-map: class-default (match-any)
   Match: any
   Pass
    0 packets, 0 bytes
Rack14R6#
```
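To see what the thresholds in PARAM actually do to half-open sessions, the model below is an added example (not Cisco code and not from this page): it tracks half-open TCP sessions the way the parameter-map describes, deleting the oldest half-open session to make room for each new request once the total passes max-incomplete high, until the total falls below max-incomplete low, and, when more than tcp max-incomplete host sessions to one destination are half-open, clearing them and refusing new requests to that host for block-time minutes. The one-minute rate thresholds are not modelled, and the sequence of connection requests in demo() is constructed from the lab's addresses.

```python
"""Model of the half-open session thresholds configured by the page's
parameter-map (added example, not Cisco code). It implements the documented
intent of max-incomplete low/high and tcp max-incomplete host/block-time;
the one-minute rate thresholds and IOS internals are not modelled."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class InspectParams:
    """Values taken from 'parameter-map type inspect PARAM' on this page."""
    max_incomplete_low: int = 50
    max_incomplete_high: int = 100
    tcp_max_incomplete_host: int = 3
    block_time_minutes: int = 1


@dataclass
class HalfOpenTracker:
    params: InspectParams
    half_open: deque = field(default_factory=deque)    # (ts, src, dst), oldest first
    blocked_until: dict = field(default_factory=dict)  # dst host -> time the block expires
    aggressive: bool = False                           # above 'high' and not yet below 'low'
    events: list = field(default_factory=list)         # what a defender would want logged

    def _to_host(self, dst):
        return sum(1 for _, _, d in self.half_open if d == dst)

    def syn(self, ts, src, dst):
        """A new TCP connection request crossing the zone-pair; returns accept/drop."""
        if self.blocked_until.get(dst, 0) > ts:
            self.events.append((ts, "dropped: host blocked", dst))
            return "drop"
        if self._to_host(dst) >= self.params.tcp_max_incomplete_host:
            # Per-host limit exceeded: clear that host's half-open sessions and
            # refuse new requests to it for block-time minutes.
            self.half_open = deque(s for s in self.half_open if s[2] != dst)
            self.blocked_until[dst] = ts + 60 * self.params.block_time_minutes
            self.events.append((ts, "host limit: blocking", dst))
            return "drop"
        if self.aggressive:
            # Aggressive mode: make room by deleting the oldest half-open session.
            victim = self.half_open.popleft()
            self.events.append((ts, "aggressive: deleted", victim[2]))
        self.half_open.append((ts, src, dst))
        if not self.aggressive and len(self.half_open) > self.params.max_incomplete_high:
            self.aggressive = True
            self.events.append((ts, "entered aggressive mode", len(self.half_open)))
        return "accept"

    def established(self, src, dst):
        """Handshake completed (or the session aged out): no longer half-open."""
        self.half_open = deque(s for s in self.half_open if (s[1], s[2]) != (src, dst))
        if self.aggressive and len(self.half_open) < self.params.max_incomplete_low:
            self.aggressive = False
            self.events.append((None, "left aggressive mode", len(self.half_open)))


def demo():
    """Constructed scenario: R1 (155.14.146.1) sends HTTP connection requests to
    SW1 (155.14.67.7) without completing the handshake; returns each decision."""
    tracker = HalfOpenTracker(InspectParams())
    return [tracker.syn(t, "155.14.146.1", "155.14.67.7") for t in (0, 1, 2, 3, 30, 64)]
```

With the page's values, the fourth incomplete request to SW1 trips tcp max-incomplete host 3, clears the three half-open sessions and blocks new requests to SW1 for one minute (the request at 30 seconds is dropped, the one at 64 seconds is accepted again). The global thresholds only engage once more than 100 half-open sessions exist across all hosts, and the tracker leaves aggressive mode when completions bring the count below 50, which is the behaviour the events list records for an operator.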