Monday, January 8, 2007

Router: Zone-based Firewalls part II

In the first installment of this document, I showed you a simple two-zone configuration where inside users have unrestricted access to the outside zone.

If you need to limit the services that inside users are allowed to reach, you first define the traffic classes that the policy-map commands will later reference to build the firewall policy. Traffic classes are defined with the class-map command augmented with the type inspect keyword.

!
! Class maps defining the outbound traffic that is permitted
!
class-map type inspect match-any MailAndDNS
 match protocol dns
 match protocol smtp
 match protocol pop3
class-map type inspect match-all ISP_Traffic
 match class-map MailAndDNS
 match access-group name ISPServers
class-map type inspect match-any InternetTraffic
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol https
!
!
policy-map type inspect InsideToOutside
 !
 ! The action for the defined class maps is inspect
 !
 class type inspect ISP_Traffic
  inspect
 class type inspect InternetTraffic
  inspect
 !
 ! All other traffic is dropped and logged
 !
 class class-default
  drop log
!
! Define the zones
!
zone security Inside
zone security Outside
!
! Define the security policy
!
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
!
! Apply the zones to the interfaces
!
interface FastEthernet0/0
 ...
 zone-member security Inside
!
interface Serial0/0.100 point-to-point
 description Link to the Internet
 ...
 zone-member security Outside
!
ip access-list extended ISPServers
 permit ip any host 192.1.1.1
 permit ip any host 192.1.1.2

This time we used the action drop log for the class class-default.
With this configuration, outbound traffic is restricted to the services defined in the class maps. Matching traffic is permitted and inspected, while traffic that does not match is dropped and logged. There is still no security policy defined for inbound traffic (outside-to-inside), so it will be dropped by the router.
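To make the match-any / match-all semantics concrete, here is a small Python model of the classification above (an added example, not part of the original post or Cisco's code): it walks the policy-map the way the router does, using the class-map, ACL and zone names from the configuration. The flows it evaluates are constructed sample traffic, reduced to source zone, destination zone, inspected protocol and destination address.

```python
# ip access-list extended ISPServers (hosts taken from the post)
ISP_SERVERS = {"192.1.1.1", "192.1.1.2"}

def flow(src_zone, dst_zone, protocol, dst):
    """Constructed sample flow: zones, inspected protocol, destination IP."""
    return {"src_zone": src_zone, "dst_zone": dst_zone,
            "protocol": protocol, "dst": dst}

def acl_ISPServers(f):
    """permit ip any host 192.1.1.1 / 192.1.1.2; implicit deny for the rest."""
    return f["dst"] in ISP_SERVERS

def cm_MailAndDNS(f):        # match-any: one matching line is enough
    return f["protocol"] in {"dns", "smtp", "pop3"}

def cm_ISP_Traffic(f):       # match-all: every line must match
    return cm_MailAndDNS(f) and acl_ISPServers(f)

def cm_InternetTraffic(f):   # match-any
    return f["protocol"] in {"http", "ftp", "icmp", "https"}

# policy-map type inspect InsideToOutside: classes are checked in order,
# the first match decides; class-default catches everything else.
POLICY_INSIDE_TO_OUTSIDE = [
    (cm_ISP_Traffic, "inspect"),
    (cm_InternetTraffic, "inspect"),
]
CLASS_DEFAULT_ACTION = "drop log"

# One zone-pair only, exactly as in the post; there is no Outside -> Inside pair.
ZONE_PAIRS = {("Inside", "Outside"): POLICY_INSIDE_TO_OUTSIDE}

def classify(f):
    """Return the action the firewall takes on a flow between two zones."""
    policy = ZONE_PAIRS.get((f["src_zone"], f["dst_zone"]))
    if policy is None:
        return "drop"   # no zone-pair for this direction: dropped by default
    for class_map, action in policy:
        if class_map(f):
            return action
    return CLASS_DEFAULT_ACTION

if __name__ == "__main__":
    for f in (flow("Inside", "Outside", "dns", "192.1.1.1"),
              flow("Inside", "Outside", "dns", "10.0.0.1"),
              flow("Inside", "Outside", "telnet", "192.1.1.1"),
              flow("Outside", "Inside", "http", "192.168.1.5")):
        print(f["src_zone"], "->", f["dst_zone"], f["protocol"], f["dst"],
              ":", classify(f))
```

Note that DNS to a server not listed in ISPServers falls through both classes and lands in class-default, because ISP_Traffic is match-all and the access-group line fails.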
