[Dr.WoW] [No.10] Security Policies in the Local Zone

Latest reply: May 19, 2018 01:30:30
Firewalls forward some services on networks and process some other services. For example, administrators log in to the firewalls for management; Internet devices and users establish VPNs with the firewalls; the firewalls and routers run routing protocols, such as Open Shortest Path First (OSPF); and the firewalls interconnect with authentication servers.

For normal service processing, we must configure corresponding security policies on the firewalls to allow the receipt of service packets. To be specific, configure security policies between the Local zone of the firewalls and the security zones where the interfaces used by the services reside.

In the preceding parts, we described security policies for packets passing through firewalls. Now let's look at how to configure security policies for packets that the firewall itself processes, using OSPF packets as the example.

1 Configuring a Security Policy in the Local Zone for OSPF

A USG9500 running V300R001 is connected to two routers, as shown in Figure 1-1.

NOTE
This section verifies the security policy configuration between the security zone where the firewall interface resides and the Local zone when the firewall participates in OSPF route calculation. If the firewall does not participate in OSPF route calculation, only transparently transmits OSPF packets, and uses interfaces in different security zones to send and receive OSPF packets, a security policy must be configured on the firewall to allow the OSPF packets to pass.

Figure 1-1 Networking for OSPF packet exchange


The configuration on the firewall is as follows:

[FW] interface GigabitEthernet1/0/1
[FW-GigabitEthernet1/0/1] ip address 192.168.0.1 24
[FW-GigabitEthernet1/0/1] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet1/0/1
[FW-zone-untrust] quit
[FW] ospf
[FW-ospf-1] area 1
[FW-ospf-1-area-0.0.0.1] network 192.168.0.0 0.0.0.255

The configuration on Router 1 is as follows:

[Router1] interface GigabitEthernet0/0/1
[Router1-GigabitEthernet0/0/1] ip address 192.168.0.2 24
[Router1-GigabitEthernet0/0/1] quit
[Router1] interface GigabitEthernet0/0/2
[Router1-GigabitEthernet0/0/2] ip address 192.168.1.1 24
[Router1-GigabitEthernet0/0/2] quit
[Router1] ospf
[Router1-ospf-1] area 1
[Router1-ospf-1-area-0.0.0.1] network 192.168.0.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255

The configuration on Router 2 is as follows:

[Router2] interface GigabitEthernet0/0/1
[Router2-GigabitEthernet0/0/1] ip address 192.168.1.2 24
[Router2-GigabitEthernet0/0/1] quit
[Router2] ospf
[Router2-ospf-1] area 1
[Router2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255

By default, no security policy is set between the Untrust zone where GE1/0/1 resides and the Local zone, and therefore packets are not allowed to travel between the zones.

After the configuration is complete, run the display ospf peer command to view the OSPF neighbor relationship.

[FW] display ospf peer

         OSPF Process 1 with Router ID 192.168.0.1
                 Neighbors

 Area 0.0.0.1 interface 192.168.0.1(GigabitEthernet1/0/1)'s neighbors
 Router ID: 192.168.1.1    Address: 192.168.0.2
   State: ExStart  Mode:Nbr is  Slave  Priority: 1
   DR: None   BDR: None   MTU: 0
   Dead timer due in 32  sec
   Retrans timer interval: 0
   Neighbor is up for 00:00:00
   Authentication Sequence: [ 0 ]

Run the display ospf peer command on Router 1 to view the OSPF neighbor relationship.

[Router1] display ospf peer

         OSPF Process 1 with Router ID 192.168.1.1
                 Neighbors

 Area 0.0.0.1 interface 192.168.0.2(GigabitEthernet0/0/1)'s neighbors
 Router ID: 192.168.0.1       Address: 192.168.0.1         GR State: Normal
   State: ExStart  Mode:Nbr is  Slave  Priority: 1
   DR: 192.168.0.1  BDR: 192.168.0.2  MTU: 0
   Dead timer due in 32  sec
   Neighbor is up for 00:00:00
   Authentication Sequence: [ 0 ]

                 Neighbors

 Area 0.0.0.1 interface 192.168.1.1(GigabitEthernet0/0/2)'s neighbors
 Router ID: 192.168.1.2       Address: 192.168.1.2         GR State: Normal
   State: Full  Mode:Nbr is  Slave  Priority: 1
   DR: 192.168.1.2  BDR: 192.168.1.1  MTU: 0
   Dead timer due in 32  sec
   Neighbor is up for 00:09:28
   Authentication Sequence: [ 0 ]

The OSPF neighbor state is ExStart on both the firewall and Router 1. According to the process for establishing an OSPF neighbor relationship shown in Figure 1-2, we can find that the OSPF neighbor relationship failed to be established because the firewall and Router 1 did not exchange Database Description (DD) packets.

Figure 1-2 Process for establishing an OSPF neighbor relationship


It is suspected that the firewall discarded the DD packets. Run the display firewall statistic system discarded command on the firewall to view information about discarded packets.

[FW] display firewall statistic system discarded
Packets discarded statistic on slot 3 CPU 3
                                   Total packets discarded :  31

                                Total deny bytes discarded : 1,612
                            Default deny packets discarded : 31

The command output shows that packets were discarded due to default packet filtering. This is because we did not configure a security policy to allow DD packets to pass, and therefore the packets matched default packet filtering and were discarded. Additionally, we find that the number of discarded packets is increasing, indicating that the OSPF module keeps sending DD packets to establish the OSPF neighbor relationship, but the packets are still discarded.

Then, we configure a security policy in the Local-Untrust interzone to allow OSPF packets to pass. Note that the policy must be configured in both the inbound and outbound directions, because the firewall both sends and receives DD packets.

TIP

To exactly match OSPF, we use the OSPF service set provided by security policies. If this service set is unavailable, create it and set the protocol number to 89.

[FW] policy interzone local untrust inbound
[FW-policy-interzone-local-untrust-inbound] policy 1
[FW-policy-interzone-local-untrust-inbound-1] policy service service-set ospf
[FW-policy-interzone-local-untrust-inbound-1] action permit
[FW-policy-interzone-local-untrust-inbound-1] quit
[FW-policy-interzone-local-untrust-inbound] quit
[FW] policy interzone local untrust outbound
[FW-policy-interzone-local-untrust-outbound] policy 1
[FW-policy-interzone-local-untrust-outbound-1] policy service service-set ospf
[FW-policy-interzone-local-untrust-outbound-1] action permit

Run the display ospf peer command on the firewall and Router 1 to view the OSPF neighbor relationship. The following result may take several minutes to appear; alternatively, run the reset ospf process command to restart the OSPF process and speed things up.

[FW] display ospf peer

         OSPF Process 1 with Router ID 192.168.0.1
                 Neighbors

 Area 0.0.0.1 interface 192.168.0.1(GigabitEthernet1/0/1)'s neighbors
 Router ID: 192.168.0.2    Address: 192.168.0.2
   State: Full  Mode:Nbr is  Slave  Priority: 1
   DR: 192.168.0.2   BDR: 192.168.0.1   MTU: 0
   Dead timer due in 32  sec
   Retrans timer interval: 4
   Neighbor is up for 00:00:51
   Authentication Sequence: [ 0 ]

[Router1] display ospf peer

         OSPF Process 1 with Router ID 192.168.1.1
                 Neighbors

 Area 0.0.0.1 interface 192.168.0.2(GigabitEthernet0/0/1)'s neighbors
 Router ID: 192.168.0.1       Address: 192.168.0.1         GR State: Normal
   State: Full  Mode:Nbr is  Slave  Priority: 1
   DR: 192.168.0.1  BDR: 192.168.0.2  MTU: 0
   Dead timer due in 32  sec
   Neighbor is up for 00:00:00
   Authentication Sequence: [ 0 ]

                 Neighbors

 Area 0.0.0.1 interface 192.168.1.1(GigabitEthernet0/0/2)'s neighbors
 Router ID: 192.168.1.2       Address: 192.168.1.2         GR State: Normal
   State: Full  Mode:Nbr is  Slave  Priority: 1
   DR: 192.168.1.2  BDR: 192.168.1.1  MTU: 0
   Dead timer due in 32  sec
   Neighbor is up for 01:35:43
   Authentication Sequence: [ 0 ]

As the command output indicates, the OSPF neighbor relationship has been established, and the firewall has learned the OSPF route to network segment 192.168.1.0/24.

[FW] display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 2           Routes : 2

OSPF routing table status : <Active>
         Destinations : 1           Routes : 1

Destination/Mask    Proto  Pre  Cost       Flags NextHop         Interface

     192.168.1.0/24  OSPF   10   2         D     192.168.0.2     GigabitEthernet1/0/1

In conclusion, we need to configure a security policy between the security zone where the OSPF-enabled interface resides and the Local zone to allow OSPF packets to pass, so that the firewall can establish an OSPF neighbor relationship with the connected device.

Actually, we can also consider this issue from the perspective of unicast versus multicast packets. On firewalls, unicast packets are controlled by security policies in most cases, so security policies must be configured to allow them to pass. Multicast packets, however, are not controlled by security policies, so no additional security policy needs to be configured for them.

Which OSPF packets are unicast packets and which are multicast packets? OSPF packet types vary with network types, as listed in Table 1-1.

TIP
The ospf network-type command can be used to change the OSPF network type.

Table 1-1 OSPF network and packet types

Network Type   Hello       Database Description   Link State Request   Link State Update   Link State Ack
Broadcast      Multicast   Unicast                Unicast              Multicast           Multicast
P2P            Multicast   Multicast              Multicast            Multicast           Multicast
NBMA           Unicast     Unicast                Unicast              Unicast             Unicast
P2MP           Multicast   Unicast                Unicast              Unicast             Unicast

As Table 1-1 indicates, when the network type is Broadcast, OSPF DD and LSR packets are unicast, and security policies must be configured to allow these unicast packets to pass. When the network type is P2P, all OSPF packets are multicast, and no additional security policy needs to be configured. The same principle applies to the NBMA and P2MP network types. In real networks, if the OSPF state is abnormal on a firewall, check whether a security policy for the unicast OSPF packets is missing.
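As an added example (not from the original post), here is a small Python model of the policy check described above. It assumes constructed zone names, the OSPF protocol number 89 from the TIP, and the addresses of Figure 1-1; multicast OSPF packets bypass the policy, while unicast DD packets hit default deny until the Local-Untrust policy exists in both directions.

```python
from dataclasses import dataclass, field
import ipaddress

OSPF_PROTO = 89  # IP protocol number carried by the "ospf" service set


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: int
    kind: str  # label such as "hello-in" or "dd-out", for reporting only


@dataclass
class Firewall:
    # Interzone policies keyed by (source zone, destination zone); each entry
    # is (protocol number, action). "inbound" in the post's CLI is the
    # untrust -> local pair, "outbound" is local -> untrust.
    policies: dict = field(default_factory=dict)
    default_deny_discarded: int = 0  # mirrors "Default deny packets discarded"

    def add_policy(self, src_zone, dst_zone, proto, action="permit"):
        self.policies.setdefault((src_zone, dst_zone), []).append((proto, action))

    def process(self, pkt):
        # Multicast packets are not subject to security policy on the firewall
        if ipaddress.ip_address(pkt.dst_ip).is_multicast:
            return "permit"
        for proto, action in self.policies.get((pkt.src_zone, pkt.dst_zone), []):
            if proto == pkt.proto:
                return action
        # No rule matched: default packet filtering drops it and the counter grows
        self.default_deny_discarded += 1
        return "deny"


def ospf_exchange(fw):
    """Push one round of the Figure 1-1 OSPF exchange (constructed packets) through fw."""
    pkts = [
        Packet("local", "untrust", "192.168.0.1", "224.0.0.5", OSPF_PROTO, "hello-out"),
        Packet("untrust", "local", "192.168.0.2", "224.0.0.5", OSPF_PROTO, "hello-in"),
        Packet("local", "untrust", "192.168.0.1", "192.168.0.2", OSPF_PROTO, "dd-out"),
        Packet("untrust", "local", "192.168.0.2", "192.168.0.1", OSPF_PROTO, "dd-in"),
    ]
    return {p.kind: fw.process(p) for p in pkts}


def neighbor_state(verdicts):
    """Hellos alone reach ExStart; Full needs DD packets through in both directions."""
    return "Full" if all(v == "permit" for v in verdicts.values()) else "ExStart"


if __name__ == "__main__":
    fw = Firewall()
    print(neighbor_state(ospf_exchange(fw)), fw.default_deny_discarded)  # ExStart 2
    fw.add_policy("untrust", "local", OSPF_PROTO)  # inbound policy only
    print(neighbor_state(ospf_exchange(fw)))  # still ExStart: outbound DD dropped
    fw.add_policy("local", "untrust", OSPF_PROTO)  # outbound policy as well
    print(neighbor_state(ospf_exchange(fw)))  # Full
```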

In addition to OSPF packets, other services that firewalls need to process require the configuration of security policies in the Local zone to allow the packets to pass. In the next part, I will tell you how to configure security policies for such services.

2 Which Protocols Require Security Policies Configured in the Local Zone on Firewalls?

As shown in Figure 1-3, the USG2000/5000 series is used as an example. The firewall needs to process the following services: an administrator logs in to the firewall; the firewall interconnects with an authentication server; an Internet device or user establishes a VPN with the firewall; and the firewall runs OSPF to communicate with a router.

NOTE
GRE VPN, L2TP VPN, IPSec VPN, and SSL VPN will be described in the following chapters.

Figure 1-3 Common types of services processed by firewalls


When configuring security policies for such services, we need to keep the services working while also securing the firewall. Therefore, we must specify refined matching conditions in the security policies. How do we specify accurate matching conditions? We need to analyze information such as the source addresses, destination addresses, and protocol types of the services.

In Table 1-2, I provide matching conditions for services shown in Figure 1-3 for your reference.
Table 1-2 Setting matching conditions in security policies based on protocols or applications

Each row reads: Service: Source Zone -> Destination Zone, Source Address -> Destination Address, Application or Protocol + Destination Port

Telnet: Trust -> Local, 192.168.0.2 -> 192.168.0.1, Telnet (or TCP + port 23)
SSH: Trust -> Local, 192.168.0.2 -> 192.168.0.1, SSH (or TCP + port 22)
FTP: Trust -> Local, 192.168.0.2 -> 192.168.0.1, FTP (or TCP + port 21)
HTTP: Trust -> Local, 192.168.0.2 -> 192.168.0.1, HTTP (or TCP + port 80)
HTTPS: Trust -> Local, 192.168.0.2 -> 192.168.0.1, HTTPS (or TCP + port 443)
RADIUS: Local -> DMZ, 172.16.0.1 -> 172.16.0.2, RADIUS (or UDP + port 1645/1646/1812/1813*)
Sending OSPF negotiation packets (outbound): Local -> Untrust, 1.1.1.1 -> 1.1.1.2, OSPF
Receiving OSPF negotiation packets (inbound): Untrust -> Local, 1.1.1.2 -> 1.1.1.1, OSPF
Sending GRE VPN tunnel establishment requests (outbound): Local -> Untrust, 1.1.1.1 -> 2.2.2.2, GRE
Receiving GRE VPN tunnel establishment requests (inbound): Untrust -> Local, 2.2.2.2 -> 1.1.1.1, GRE
Sending L2TP VPN tunnel establishment requests (outbound): Local -> Untrust, 1.1.1.1 -> 2.2.2.2, L2TP (or UDP + port 1701)
Receiving L2TP VPN tunnel establishment requests (inbound): Untrust -> Local, 2.2.2.2 -> 1.1.1.1, L2TP (or UDP + port 1701)
Sending IPSec VPN tunnel establishment requests (outbound): Local -> Untrust, 1.1.1.1** -> 2.2.2.2; manual mode: no configuration is required; IKE mode (non-NAT traversal environments): UDP + port 500; IKE mode (NAT traversal environments): UDP + ports 500 and 4500
Receiving IPSec VPN tunnel establishment requests (inbound): Untrust -> Local, 2.2.2.2 -> 1.1.1.1; manual mode: AH/ESP; IKE mode (non-NAT traversal environments): AH/ESP and UDP + port 500; IKE mode (NAT traversal environments): UDP + ports 500 and 4500
SSL VPN: Untrust -> Local, ANY -> 1.1.1.1; reliable mode: UDP + port 443***; fast mode: UDP + port 443

*: The default port numbers are used here. For the port number actually in use, see the RADIUS server configuration.

**: In NAT traversal environments, the source and destination addresses may be public or private addresses; use the addresses that apply in the actual deployment.

***: If the firewall provides both HTTPS and SSL VPN, use the ports actually configured for each.


user_2790689
Created May 5, 2015 04:02:25 Helpful(0) Helpful(0)

Thank you for sharing.

Wayne
Created Aug 11, 2015 01:40:04 Helpful(0) Helpful(0)

thanks so much, looking forward to new materials


wissal
MVE Created Apr 10, 2018 15:44:57 Helpful(0) Helpful(0)

useful document, thanks
w1
Created May 19, 2018 01:30:30 Helpful(0) Helpful(0)

:):)Nice