Implementing zone-based firewalls (ZFW) with a demilitarized zone (DMZ)

Since Cisco introduced them in 2006, zone-based firewalls (ZFW) have been the hot topic. They are powerful stateful firewalls that also allow application inspection. We saw in the previous post that the older implementations demanded a large effort in terms of scalability and management. With the introduction of the zone concept, each interface of a router or layer-3 switch either belongs to a given zone or to no zone at all.

Relationships (policies) are then established between that zone and the other zones. If no policy is assigned to the zones that interfaces belong to, the traffic is subject to a deny-all condition: traffic to and from the interface is denied. To determine which traffic a given policy applies to, class-maps are created. Class-maps identify the traffic arriving on a given interface.

The following rules govern zones and the relationships between them:

  • A zone must be configured before interfaces can be assigned to the zone.
  • An interface can be assigned to only one security zone.
  • All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.
  • Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
  • In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
  • The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.
  • Traffic cannot flow between a zone member interface and any interface that is not a zone member. Pass, inspect, and drop actions can only be applied between two zones.
  • Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection/CBAC configuration.
  • If it is required that an interface on the box not be part of the zoning/firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.
  • From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of one zone or another).
  • The only exception to the preceding deny by default approach is the traffic to and from the router, which will be permitted by default. An explicit policy can be configured to restrict such traffic.

The following figure illustrates a network with three zones defined: private, DMZ and Internet.

Implementing a zone-based firewall is done in the following steps:

1 – Define and configure zones.
2 – Define and configure zone-pairs (for example, Internet-DMZ or Private-Internet).
3 – Configure class-maps to define which traffic will be permitted between the zone-pairs.
4 – Configure policy-maps and apply actions to a class-map (for example, for the class-map class-negar-ftp, apply the drop action).
5 – Assign an interface to a zone.

The diagram below is quite illustrative. It shows a network with three zones, namely FINANCE, DMZ and INTERNET.

Firewall diagram with 3 zones: FINANCE, DMZ and INTERNET

The following traffic restrictions (policies) were defined:

1 – TRAFFIC FROM INTERNET TO DMZ     -> ALLOW
2 – TRAFFIC FROM INTERNET TO FINANCE -> DENY
3 – TRAFFIC FROM FINANCE TO DMZ      -> ALLOW
4 – TRAFFIC FROM FINANCE TO INTERNET -> ALLOW
5 – TRAFFIC FROM DMZ TO INTERNET     -> DENY
6 – TRAFFIC FROM DMZ TO FINANCE      -> DENY

These restrictions typify the normal behaviour of a firewall: permit traffic (HTTP and DNS) from the private network (FINANCE) to the INTERNET, but block all traffic coming from the INTERNET. At the same time, release traffic (ICMP, DNS, FTP, TFTP, HTTP) from the private network (FINANCE) to the DMZ (which is a public network), and from the INTERNET to the DMZ also permit some traffic.

For INTERNET to DMZ it was necessary to combine ACLs with class-maps, since the DMZ hosts three servers (FTP, DNS and HTTP) with public IP addresses. This ACL grants hosts on the INTERNET access to these three servers.

Now to the configuration:

SNNANGOLA FIREWALL router

Hostname

hostname SNNANGOLA

Access list for traffic coming from the INTERNET to the three DMZ servers

access-list 100 permit ip any host 195.30.30.35
access-list 100 permit ip any host 195.30.30.34
! note: the .35 entry is repeated here; the third server's address is not given in this post
access-list 100 permit ip any host 195.30.30.35

Class-maps to define the traffic that the interfaces of the three zones will receive

class-map type inspect match-any FINANCE-TO-INTERNET
match protocol tcp
match protocol udp
match protocol icmp
match protocol http
match protocol dns

class-map type inspect match-any FINANCE-TO-DMZ
match protocol tcp
match protocol udp
match protocol icmp
match protocol dns
match protocol ftp
match protocol tftp
match protocol http

class-map type inspect match-any INTERNET-TO-DMZ
match access-group 100
match protocol http
match protocol dns
match protocol ftp
match protocol icmp

In the class-map INTERNET-TO-DMZ, note the match against ACL 100.

Three policy-maps to apply the inspect action to the traffic defined by the class-maps

policy-map type inspect FINANCE-TO-INTERNET-POLICY
class type inspect FINANCE-TO-INTERNET
inspect

policy-map type inspect FINANCE-TO-DMZ-POLICY
class type inspect FINANCE-TO-DMZ
inspect

policy-map type inspect INTERNET-TO-DMZ-POLICY
class type inspect INTERNET-TO-DMZ
inspect

There are three types of action that can be applied in a policy-map: inspect, drop and pass:

  • Drop—This is the default action for all traffic, as applied by the “class class-default” that terminates every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop unwanted traffic. Traffic that is handled by the drop action is “silently” dropped (i.e., no notification of the drop is sent to the relevant end-host) by the ZFW, as opposed to an ACL’s behavior of sending an ICMP “host unreachable” message to the host that sent the denied traffic. Currently, there is not an option to change the “silent drop” behavior. The log option can be added with drop for syslog notification that traffic was dropped by the firewall.
  • Pass—This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections or sessions within the traffic. Pass only allows the traffic in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction. The pass action is useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other inherently secure protocols with predictable behavior. However, most application traffic is better handled in the ZFW with the inspect action.
  • Inspect—The inspect action offers state-based traffic control. For example, if traffic from the private zone to the Internet zone in the earlier example network is inspected, the router maintains connection or session information for TCP and User Datagram Protocol (UDP) traffic. Therefore, the router permits return traffic sent from Internet-zone hosts in reply to private zone connection requests. Also, inspect can provide application inspection and control for certain service protocols that might carry vulnerable or sensitive application traffic. Audit-trail can be applied with a parameter-map to record connection/session start, stop, duration, the data volume transferred, and source and destination addresses.

Define and configure zones

zone security FINANCE
zone security INTERNET
zone security DMZ

Configure zone-pairs

zone-pair security FINANCE-DMZ source FINANCE destination DMZ
service-policy type inspect FINANCE-TO-DMZ-POLICY

zone-pair security FINANCE-INTERNET source FINANCE destination INTERNET
service-policy type inspect FINANCE-TO-INTERNET-POLICY

zone-pair security INTERNET-DMZ source INTERNET destination DMZ
service-policy type inspect INTERNET-TO-DMZ-POLICY

Zone-pairs are configured by defining a source and a destination of traffic, and then associating the pair with a policy.

Assign a zone to an interface:

interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
zone-member security FINANCE
duplex auto
speed auto

interface FastEthernet0/1
ip address 195.30.30.62 255.255.255.224
zone-member security DMZ
duplex auto
speed auto

interface Serial0/0/0
ip address 195.30.30.30 255.255.255.224
zone-member security INTERNET
clock rate 64000

For the record, in case you had not noticed yet:

Fa0/0 – Interface facing FINANCE subnetwork.
Fa0/1 – Interface facing DMZ subnetwork.
Serial0/0/0 – Interface facing INTERNET subnetwork.
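To make the zone rules and the policy table above concrete, here is an added Python model of this post's configuration (it is not code from the post or from Cisco). It loads the zones, interface membership, ACL 100, class-maps, policy-maps and zone-pairs as configured on SNNANGOLA, decides the ingress and egress interface of a flow from the connected subnets (falling back to Serial0/0/0 as the default route), and applies the rules: self-zone traffic allowed, same-zone traffic allowed, no zone-pair means drop, `inspect` records a session so that the reply is admitted. The sample hosts (203.0.113.5 as an Internet host, 192.168.20.10 in FINANCE, 195.30.30.40 in the DMZ) are constructed. It also goes slightly beyond the text: because INTERNET-TO-DMZ is declared `match-any`, the model shows that the ACL does not actually restrict the protocol matches, and that a `permit ip any` ACL entry admits any service to the listed hosts.

```python
import ipaddress
from dataclasses import dataclass

# Interface -> (address/prefix, zone), as configured on the SNNANGOLA router above
INTERFACES = {
    "FastEthernet0/0": ("192.168.20.1/24", "FINANCE"),
    "FastEthernet0/1": ("195.30.30.62/27", "DMZ"),
    "Serial0/0/0": ("195.30.30.30/27", "INTERNET"),
}
DEFAULT_ROUTE_IF = "Serial0/0/0"  # ip route 0.0.0.0 0.0.0.0 195.30.30.1

# access-list 100 permit ip any host ... (the post lists .34 and .35 only)
ACL_100 = {"195.30.30.34", "195.30.30.35"}

# class-map type inspect match-any NAME -> (kind, value) criteria
CLASS_MAPS = {
    "FINANCE-TO-INTERNET": [("protocol", p) for p in ("tcp", "udp", "icmp", "http", "dns")],
    "FINANCE-TO-DMZ": [("protocol", p) for p in ("tcp", "udp", "icmp", "dns", "ftp", "tftp", "http")],
    "INTERNET-TO-DMZ": [("access-group", 100)] + [("protocol", p) for p in ("http", "dns", "ftp", "icmp")],
}
# policy-map type inspect NAME -> [(class-map, action)]; class-default drops the rest
POLICY_MAPS = {
    "FINANCE-TO-INTERNET-POLICY": [("FINANCE-TO-INTERNET", "inspect")],
    "FINANCE-TO-DMZ-POLICY": [("FINANCE-TO-DMZ", "inspect")],
    "INTERNET-TO-DMZ-POLICY": [("INTERNET-TO-DMZ", "inspect")],
}
# zone-pair security ... source S destination D / service-policy type inspect P
ZONE_PAIRS = {
    ("FINANCE", "DMZ"): "FINANCE-TO-DMZ-POLICY",
    ("FINANCE", "INTERNET"): "FINANCE-TO-INTERNET-POLICY",
    ("INTERNET", "DMZ"): "INTERNET-TO-DMZ-POLICY",
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    transport: str  # tcp / udp / icmp
    app: str = ""   # http / dns / ftp / tftp ... ("" when not identified)

def interface_for(ip):
    """Interface whose connected subnet holds ip; otherwise the default route."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, _zone) in INTERFACES.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return name
    return DEFAULT_ROUTE_IF

def class_matches(name, flow):
    """match-any semantics: one satisfied criterion is enough."""
    for kind, value in CLASS_MAPS[name]:
        if kind == "protocol" and value in (flow.transport, flow.app):
            return True
        if kind == "access-group" and flow.dst in ACL_100:  # permit ip any host X
            return True
    return False

class ZoneFirewall:
    def __init__(self):
        self.sessions = set()  # (src, dst, transport, app) opened by 'inspect'
        self.router_addrs = {cidr.split("/")[0] for cidr, _ in INTERFACES.values()}

    def evaluate(self, flow):
        """'allow' or 'drop' for one packet, following the zone rules listed above."""
        # self zone: traffic to or from the router's own addresses is allowed by default
        if flow.dst in self.router_addrs or flow.src in self.router_addrs:
            return "allow"
        src_zone = INTERFACES[interface_for(flow.src)][1]
        dst_zone = INTERFACES[interface_for(flow.dst)][1]
        if src_zone is None and dst_zone is None:
            return "allow"  # neither interface is zoned: classical routing
        if src_zone is None or dst_zone is None:
            return "drop"   # a zone member never exchanges traffic with a non-member
        if src_zone == dst_zone:
            return "allow"  # intra-zone traffic is implicitly permitted
        # reply to an inspected session: the reverse tuple is in the state table
        if (flow.dst, flow.src, flow.transport, flow.app) in self.sessions:
            return "allow"
        policy = ZONE_PAIRS.get((src_zone, dst_zone))
        if policy is None:
            return "drop"   # no zone-pair in this direction: deny by default
        for class_name, action in POLICY_MAPS[policy]:
            if class_matches(class_name, flow):
                if action == "inspect":
                    self.sessions.add((flow.src, flow.dst, flow.transport, flow.app))
                return "drop" if action == "drop" else "allow"  # pass and inspect allow
        return "drop"       # class class-default

# Constructed sample hosts, one per zone (203.0.113.5 stands in for an Internet host)
INET, FIN, DMZ = "203.0.113.5", "192.168.20.10", "195.30.30.35"

def policy_table():
    """The six rows of the post's policy table, each as a fresh connection attempt."""
    rows = {
        "INTERNET->DMZ": Flow(INET, DMZ, "tcp", "http"),
        "INTERNET->FINANCE": Flow(INET, FIN, "tcp", "http"),
        "FINANCE->DMZ": Flow(FIN, DMZ, "tcp", "ftp"),
        "FINANCE->INTERNET": Flow(FIN, INET, "tcp", "http"),
        "DMZ->INTERNET": Flow(DMZ, INET, "tcp", "http"),
        "DMZ->FINANCE": Flow(DMZ, FIN, "tcp", "http"),
    }
    return {name: ZoneFirewall().evaluate(flow) for name, flow in rows.items()}

def inspect_admits_reply():
    """inspect keeps state: the reply to a FINANCE->INTERNET request is admitted
    although INTERNET->FINANCE has no zone-pair; an unrelated Internet host is not."""
    fw = ZoneFirewall()
    request = fw.evaluate(Flow(FIN, INET, "tcp", "http"))
    reply = fw.evaluate(Flow(INET, FIN, "tcp", "http"))
    unrelated = fw.evaluate(Flow("203.0.113.9", FIN, "tcp", "http"))
    return request, reply, unrelated

def match_any_caveat():
    """INTERNET-TO-DMZ is match-any: 'match protocol http' admits HTTP to a DMZ host
    that ACL 100 never lists, and the 'permit ip any' entry admits any service (here
    an assumed SSH flow) to the listed hosts."""
    fw = ZoneFirewall()
    http_to_unlisted = fw.evaluate(Flow(INET, "195.30.30.40", "tcp", "http"))
    ssh_to_listed = fw.evaluate(Flow(INET, DMZ, "tcp", "ssh"))
    return http_to_unlisted, ssh_to_listed

if __name__ == "__main__":
    for name, verdict in policy_table().items():
        print(f"{name:20} {verdict}")
    print("inspect reply:", inspect_admits_reply(), "match-any:", match_any_caveat())
```

The `match_any_caveat` result is the practical point: if the intent is "only HTTP, DNS, FTP and ICMP, and only to the three servers", a match-any class-map that lists ACL 100 alongside the protocols does not express it. The usual way to make the ACL a real restriction is a `match-all` class-map that references the access-group and a nested match-any class-map holding the protocol matches.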

Next, the RIP version 2 and static routing configuration:

router rip
version 2
network 192.168.10.0
network 192.168.20.0
network 195.30.30.0
default-information originate
no auto-summary

ip route 0.0.0.0 0.0.0.0 195.30.30.1
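As a further added example (again not code from the post), here is a small Python consistency check over an IOS zone-based firewall configuration, loaded with a trimmed copy of the SNNANGOLA configuration above embedded as text. It reports repeated access-list entries (it catches the duplicated 195.30.30.35 line), zone-pairs without a service-policy or with an undefined policy-map, policy-maps naming undefined class-maps, class-maps referencing a missing access-list, and interfaces without a zone-member; it also lists the directed zone pairs that have no zone-pair and are therefore denied by default, which are exactly rows 2, 5 and 6 of the policy table. The parser assumes the unindented layout used in this post and a fixed set of keywords; it is not a general IOS parser.

```python
from collections import Counter
from itertools import permutations

# Constructed, trimmed copy of the SNNANGOLA configuration from this post
CONFIG = """
access-list 100 permit ip any host 195.30.30.35
access-list 100 permit ip any host 195.30.30.34
access-list 100 permit ip any host 195.30.30.35
class-map type inspect match-any FINANCE-TO-INTERNET
match protocol tcp
class-map type inspect match-any FINANCE-TO-DMZ
match protocol tcp
class-map type inspect match-any INTERNET-TO-DMZ
match access-group 100
match protocol http
policy-map type inspect FINANCE-TO-INTERNET-POLICY
class type inspect FINANCE-TO-INTERNET
inspect
policy-map type inspect FINANCE-TO-DMZ-POLICY
class type inspect FINANCE-TO-DMZ
inspect
policy-map type inspect INTERNET-TO-DMZ-POLICY
class type inspect INTERNET-TO-DMZ
inspect
zone security FINANCE
zone security INTERNET
zone security DMZ
zone-pair security FINANCE-DMZ source FINANCE destination DMZ
service-policy type inspect FINANCE-TO-DMZ-POLICY
zone-pair security FINANCE-INTERNET source FINANCE destination INTERNET
service-policy type inspect FINANCE-TO-INTERNET-POLICY
zone-pair security INTERNET-DMZ source INTERNET destination DMZ
service-policy type inspect INTERNET-TO-DMZ-POLICY
interface FastEthernet0/0
zone-member security FINANCE
interface FastEthernet0/1
zone-member security DMZ
interface Serial0/0/0
zone-member security INTERNET
"""

def parse(config):
    """Collect zones, class-maps (their ACLs), policy-maps (their classes), zone-pairs,
    ACL entries and interface membership from an unindented IOS config."""
    cfg = {"zones": set(), "class_maps": {}, "policy_maps": {}, "zone_pairs": {},
           "acl_entries": [], "interfaces": {}}
    ctx = None  # (kind, name) of the block whose sub-commands follow
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[:2] == ["zone", "security"]:
            cfg["zones"].add(w[2]); ctx = None
        elif w[0] == "access-list":
            cfg["acl_entries"].append((w[1], " ".join(w[2:]))); ctx = None
        elif w[0] == "class-map":
            cfg["class_maps"][w[-1]] = []; ctx = ("class", w[-1])
        elif w[0] == "policy-map":
            cfg["policy_maps"][w[-1]] = []; ctx = ("policy", w[-1])
        elif w[0] == "zone-pair":  # zone-pair security NAME source S destination D
            cfg["zone_pairs"][w[2]] = {"source": w[4], "destination": w[6], "policy": None}
            ctx = ("pair", w[2])
        elif w[0] == "interface":
            cfg["interfaces"][w[1]] = None; ctx = ("intf", w[1])
        elif w[0] in ("hostname", "router", "ip"):
            ctx = None  # other top-level blocks end the current one
        elif ctx and ctx[0] == "class" and w[:2] == ["match", "access-group"]:
            cfg["class_maps"][ctx[1]].append(w[2])
        elif ctx and ctx[0] == "policy" and w[0] == "class":
            cfg["policy_maps"][ctx[1]].append(w[-1])
        elif ctx and ctx[0] == "pair" and w[0] == "service-policy":
            cfg["zone_pairs"][ctx[1]]["policy"] = w[-1]
        elif ctx and ctx[0] == "intf" and w[:2] == ["zone-member", "security"]:
            cfg["interfaces"][ctx[1]] = w[2]
    return cfg

def lint(cfg):
    """Human-readable findings; an empty list means every check passed."""
    f = []
    for (num, entry), n in Counter(cfg["acl_entries"]).items():
        if n > 1:
            f.append(f"access-list {num}: entry '{entry}' is repeated")
    acls = {num for num, _ in cfg["acl_entries"]}
    for name, used in cfg["class_maps"].items():
        f += [f"class-map {name}: access-list {a} does not exist" for a in used if a not in acls]
    for name, classes in cfg["policy_maps"].items():
        f += [f"policy-map {name}: class-map {c} is not defined" for c in classes if c not in cfg["class_maps"]]
    for name, zp in cfg["zone_pairs"].items():
        f += [f"zone-pair {name}: zone {z} is not defined" for z in (zp["source"], zp["destination"]) if z not in cfg["zones"]]
        if zp["policy"] is None:
            f.append(f"zone-pair {name}: no service-policy, so every flow is dropped")
        elif zp["policy"] not in cfg["policy_maps"]:
            f.append(f"zone-pair {name}: policy-map {zp['policy']} is not defined")
    for intf, zone in cfg["interfaces"].items():
        if zone is None:
            f.append(f"{intf}: no zone-member, so it cannot exchange traffic with zoned interfaces")
        elif zone not in cfg["zones"]:
            f.append(f"{intf}: zone {zone} is not defined")
    return f

def implicit_denies(cfg):
    """Directed zone pairs with no zone-pair configured: traffic there is dropped by default."""
    configured = {(zp["source"], zp["destination"]) for zp in cfg["zone_pairs"].values()}
    return sorted(p for p in permutations(sorted(cfg["zones"]), 2) if p not in configured)

if __name__ == "__main__":
    print(*lint(parse(CONFIG)), *implicit_denies(parse(CONFIG)), sep="\n")
```

Run against the post's configuration the only finding is the repeated ACL entry, and the implicit-deny list documents which directions the firewall blocks without any explicit configuration; that list is worth keeping next to the config, since a later zone added without its zone-pairs silently lands in it.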

INTERNET router

hostname INTERNET

interface FastEthernet0/0
ip address 195.30.30.65 255.255.255.224
duplex auto
speed auto

interface Serial0/0/0
ip address 195.30.30.1 255.255.255.224

router rip
version 2
network 195.30.30.0
no auto-summary

The results are encouraging and, as you can see, configuring zone-based firewalls is not difficult, and they offer superb flexibility besides. And this is only the beginning. The power of this type of firewall is absolutely impressive, if not unique, when it comes to application inspection.

Sources:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
http://blog.ipexpert.com/2010/01/18/cisco-ios-zone-based-firewalls/
