Identity on Cisco Firewalls : User-Based Zone Policy Firewall (part 3) - Integrating Auth-Proxy and the ZFW

Integrating Auth-Proxy and the ZFW

The previous sections detailed two methods of associating users to local groups in IOS. The acquired user-to-group mapping information will now be applied to create distinct ZFW policies.

Example 7 summarizes ACS settings for GROUP1 and GROUP2, which respectively include user1 and user2. Notice that the group definitions use method 1.

Example 7. CS-ACS Settings for Scenario 3
! Members of GROUP1 are assigned a DACL after authentication
ACS/Group Settings : GROUP1
Downloadable ACLs – Assign IP ACL: DACL1
permit tcp any any eq 80
permit icmp any any echo
[009\001] cisco-av-pair
priv-lvl=15
supplicant-group=GROUP1

! Members of GROUP2 are assigned an individual ACE after authentication

ACS/Group Settings : GROUP2
[009\001] cisco-av-pair
priv-lvl=15
supplicant-group=GROUP2
proxyacl#1=permit tcp any any eq 22

Example 8 shows the set of commands used to create a zone-pair security policy that takes the local user-group associations into account.

Example 8. Baseline Configuration for ZFW and Auth-Proxy Integration
! Defining inspect class-maps that match local user-group information

class-map type inspect match-all CLASS11
 match user-group GROUP1
 match protocol tcp
class-map type inspect match-all CLASS12
 match user-group GROUP1
 match protocol icmp
class-map type inspect match-all CLASS21
 match user-group GROUP2
 match protocol tcp
!
! Defining a policy-map for inspection
policy-map type inspect IN-OUT
 class type inspect CLASS11
  inspect
 class type inspect CLASS12
  inspect
  police rate 16000 burst 3000
 class type inspect CLASS21
  inspect
 class class-default
  drop log
!
! Defining zones and zone-pairs

zone security INSIDE
zone security OUTSIDE
zone-pair security OUTBOUND source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT
!
! Defining an Auth-Proxy policy to intercept Telnet traffic

ip admission name ADMISSION proxy telnet inactivity-time 60
!
! Assigning interfaces to zones and applying the Auth-Proxy policy to VLAN21

interface Vlan21
 ip admission ADMISSION
 zone-member security INSIDE
!
interface FastEthernet4.201
 zone-member security OUTSIDE
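The policy-map in Example 8 is evaluated top-down, and each class-map is match-all, so a flow is inspected only when both its user-group and its protocol match the same class; anything else, including traffic from a host that has no user-group entry yet, falls into class-default and is dropped. The following added model (illustration written for this page, not IOS code; the class and policy names are transcribed from Example 8, the classify() function and the "no-group" convention are assumptions of the example) reproduces that classification so the effect of a group mapping on a given flow can be reasoned about before the configuration is deployed:

```python
"""Model of the first-match, match-all ZFW classification from Example 8.

Added illustration, not IOS code: reproduces how the IN-OUT policy-map
sorts a flow by (user-group, protocol) so that the effect of the
user-group mapping on each flow can be checked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InspectClass:
    """A 'class-map type inspect match-all': every criterion must match."""
    name: str
    user_group: str
    protocol: str

    def matches(self, group, protocol):
        return group == self.user_group and protocol == self.protocol


# Class-maps transcribed from Example 8.
CLASS_MAPS = {
    "CLASS11": InspectClass("CLASS11", "GROUP1", "tcp"),
    "CLASS12": InspectClass("CLASS12", "GROUP1", "icmp"),
    "CLASS21": InspectClass("CLASS21", "GROUP2", "tcp"),
}

# Ordered exactly as in 'policy-map type inspect IN-OUT'; the first matching
# class wins. Each entry keeps the CLI actions configured under that class.
POLICY_IN_OUT = [
    ("CLASS11", ["inspect"]),
    ("CLASS12", ["inspect", "police rate 16000 burst 3000"]),
    ("CLASS21", ["inspect"]),
]
CLASS_DEFAULT_ACTIONS = ["drop log"]


def classify(group, protocol, policy=POLICY_IN_OUT, class_maps=CLASS_MAPS):
    """Return (class name, actions) chosen for a flow from a user in `group`.

    `group` is None for a source address that has no user-group entry (for
    example a host that has not passed Auth-Proxy). Such flows match none of
    the inspect classes and fall through to class-default.
    """
    for class_name, actions in policy:
        if class_maps[class_name].matches(group, protocol):
            return class_name, list(actions)
    return "class-default", list(CLASS_DEFAULT_ACTIONS)


def policed(group, protocol):
    """True when the flow is inspected under a class that also polices it."""
    _, actions = classify(group, protocol)
    return any(a.startswith("police") for a in actions)


if __name__ == "__main__":
    # Walk the combinations relevant to user1 (GROUP1), user2 (GROUP2) and an
    # unauthenticated host (no group).
    for group, proto in [("GROUP1", "tcp"), ("GROUP1", "icmp"),
                         ("GROUP2", "tcp"), ("GROUP2", "icmp"), (None, "tcp")]:
        cls, actions = classify(group, proto)
        print(f"{group or 'no-group':9} {proto:5} -> {cls:13} {'; '.join(actions)}")
```

Running the script shows why user2's ICMP would never be inspected: GROUP2 only has a TCP class, so its echo requests land in class-default, whereas GROUP1's ICMP is inspected and policed at 16000 bps with a 3000-byte burst, as configured under CLASS12.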


Example 9 displays the following processes for user2, a member of GROUP2:

  • Auth-Proxy intercepting Telnet traffic

  • Supplicant-group=GROUP2 AV-Pair being assigned to IOS

  • The original Telnet session being created by the ZFW

  • A new SSH session controlled only by ZFW.

Example 9. Auth-Proxy and Zone Firewall in Action
AUTH-PROXY creates info:
cliaddr - 172.21.21.250, cliport - 1496
seraddr - 172.16.201.2, serport - 23
ip-srcaddr 172.21.21.250
pak-srcaddr 172.21.21.101
AUTH-PROXY: Allocate Unique_id 1E

RADIUS(0000001E): Send Access-Request to 172.21.21.250:1812 id 1645/27, len 104
RADIUS: authenticator BD B2 75 D4 36 9A FE CF - D4 D5 D4 ED 43 A8 4A 34
RADIUS: User-Name [1] 7 "user2"
[output suppressed]
RADIUS: Received from id 1645/27 172.21.21.250:1812, Access-Accept, len 136
RADIUS: authenticator F3 CD C1 47 F2 76 FB 1B - D5 4C 58 44 07 19 15 DD
RADIUS: Vendor, Cisco [26] 19
RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
RADIUS: Vendor, Cisco [26] 31
RADIUS: Cisco AVpair [1] 25 "supplicant-group=GROUP2"
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "proxyacl#1=permit tcp any any eq 22"
[output suppressed]

FIREWALL sis 84668480: Session Created
FIREWALL sis 84668480: Pak 84184CC4 init_addr (172.21.21.250:1496) resp_addr
(172.16.201.2:23) init_alt_addr (172.21.21.250:1496) resp_alt_addr (172.16.201.2:23)

! User "user2" starts SSH session after Auth-Proxy (ZFW inspection comes into play)
FIREWALL* sis 84668680: Session Created
FIREWALL* sis 84668680: Pak 83D1D13C init_addr (172.21.21.250:1500) resp_addr (172.16.200.200:22)
 init_alt_addr (172.21.21.250:1500) resp_alt_addr (172.16.200.200:22)

! Displaying ZFW sessions

DMZ# show policy-map type inspect zone-pair sessions | include Session
Number of Established Sessions = 2
Established Sessions
Session 84668480 (172.21.21.250:1496)=>(172.16.201.2:23) tcp SIS_OPEN
Session 84668680 (172.21.21.250:1500)=>(172.16.200.200:22) tcp SIS_OPEN


Example 10 summarizes user-group information for GROUP1 and GROUP2.

Example 10. Displaying User Group Information
! Two users connected with two different authorization parameters (DACL and AV-pair)
DMZ# show user-group
Usergroup : GROUP1
---------------------------------------------------------------------------
User Name        Type   Interface   Learn     Age (min)
---------------------------------------------------------------------------
172.21.21.101    IPv4   Vlan21      Dynamic   8

Usergroup : GROUP2
---------------------------------------------------------------------------
User Name        Type   Interface   Learn     Age (min)
---------------------------------------------------------------------------
172.21.21.250    IPv4   Vlan21      Dynamic   10
!
DMZ# show epm session ip 172.21.21.250
Admission feature : Authproxy
AAA Policies :
Supplicant-Group : GROUP2
Proxy ACL : permit tcp any any eq 22
!
DMZ# show epm session ip 172.21.21.101
Admission feature : Authproxy
AAA Policies :
ACS ACL : xACSACLx-IP-DACL1-4aac618d
Supplicant-Group : GROUP1
!
DMZ# show access-list xACSACLx-IP-DACL1-4aac618d
Extended IP access list xACSACLx-IP-DACL1-4aac618d (per-user)
10 permit tcp any any eq www
20 permit icmp any any echo
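A check a practitioner would want after reading Examples 9 and 10 is whether every established ZFW session actually belongs to an address that still holds a user-group entry: under the Example 8 policy a flow from an address without a group can only have been admitted by class-default, so a mismatch points at a stale session or a policy gap. The script below is an added example, not IOS code or the book's own material; it parses the show user-group output of Example 10 and the session listing of Example 9 (both embedded as constructed sample text, with one extra session from the invented address 10.0.0.9 added to show what a mismatch looks like), and the parse_user_groups(), parse_sessions() and audit() names are assumptions of the example:

```python
"""Cross-check ZFW sessions against the IOS user-group table.

Added example, not IOS code: parses 'show user-group' and the
'show policy-map type inspect zone-pair sessions' listing, then reports
every session whose source address has no user-group entry.
"""
import re

USER_GROUP_RE = re.compile(r"^Usergroup\s*:\s*(\S+)")
# Data row of the user-group table: <ip> <type> <interface> <learn> <age>
MEMBER_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(IPv4|IPv6)\s+(\S+)\s+(\S+)\s+(\d+)")
# "Session <id> (<src>:<sport>)=>(<dst>:<dport>) <proto> <state>"
SESSION_RE = re.compile(
    r"^Session\s+(\w+)\s+\(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\)\s+(\w+)\s+(\w+)")


def parse_user_groups(text):
    """Return {ip: (group, interface, age_min)} from 'show user-group' output."""
    members = {}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_GROUP_RE.match(line)
        if m:
            group = m.group(1)          # subsequent rows belong to this group
            continue
        m = MEMBER_RE.match(line)
        if m and group:
            ip, _type, iface, _learn, age = m.groups()
            members[ip] = (group, iface, int(age))
    return members


def parse_sessions(text):
    """Return a list of session dicts from the 'Established Sessions' listing."""
    sessions = []
    for raw in text.splitlines():
        m = SESSION_RE.match(raw.strip())
        if m:
            sid, src, sport, dst, dport, proto, state = m.groups()
            sessions.append({"id": sid, "src": src, "sport": int(sport),
                             "dst": dst, "dport": int(dport),
                             "proto": proto, "state": state})
    return sessions


def sessions_without_group(sessions, members):
    """Sessions whose source address is absent from the user-group table."""
    return [s for s in sessions if s["src"] not in members]


# Constructed sample output: Example 10's table and Example 9's session list,
# plus one invented session from 10.0.0.9 that has no user-group entry.
SHOW_USER_GROUP = """\
Usergroup : GROUP1
---------------------------------------------------------------------------
User Name        Type   Interface   Learn     Age (min)
---------------------------------------------------------------------------
172.21.21.101    IPv4   Vlan21      Dynamic   8

Usergroup : GROUP2
---------------------------------------------------------------------------
User Name        Type   Interface   Learn     Age (min)
---------------------------------------------------------------------------
172.21.21.250    IPv4   Vlan21      Dynamic   10
"""

SHOW_SESSIONS = """\
Number of Established Sessions = 3
Established Sessions
Session 84668480 (172.21.21.250:1496)=>(172.16.201.2:23) tcp SIS_OPEN
Session 84668680 (172.21.21.250:1500)=>(172.16.200.200:22) tcp SIS_OPEN
Session 84668900 (10.0.0.9:40001)=>(172.16.200.200:22) tcp SIS_OPEN
"""


def audit(user_group_text=SHOW_USER_GROUP, sessions_text=SHOW_SESSIONS):
    """Parse both outputs and return (members, sessions, sessions lacking a group)."""
    members = parse_user_groups(user_group_text)
    sessions = parse_sessions(sessions_text)
    return members, sessions, sessions_without_group(sessions, members)


if __name__ == "__main__":
    members, sessions, orphans = audit()
    for s in sessions:
        group = members.get(s["src"], ("<no user-group>",))[0]
        print(f"{s['id']} {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
              f"{s['proto']} {s['state']}  group={group}")
    print(f"{len(orphans)} session(s) from addresses without a user-group entry")
```

On a real router the two strings would be replaced by the captured command output; the parsers only rely on the column order shown in Examples 9 and 10, so a session line wrapped by a terminal would have to be rejoined first.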

