Testing an 1841 router as a firewall
ZBF
Date: 3 September 2014, for the CCNA Security classes (module 4)
Scenario
This scenario complements the CBAC firewall lab and uses the same equipment.
It checks the throughput lost to the firewall's traffic inspection and the implementation of a bandwidth limiter inside a zone policy.
It also checks the impact on the CPU while packets are being inspected.
Tests
The tests are run with Jperf, an application that measures data performance from layer 7 to layer 7 (clean payload data, without headers, etc.).
Comparison between CBAC and ZBF
ZBF:  [160]   0.0- 60.0 sec   250 MBytes   35.0 Mbits/sec
CBAC: [276]   0.0-120.0 sec   690 MBytes   48.2 Mbits/sec
(ZBF performance is noticeably lower; the byte totals depend on the run time, 1 minute versus 2.)
Tests in the inside -> outside direction
bin/iperf.exe -c 192.168.72.252 -P 1 -i 1 -p 5001 -f m -t 60
------------------------------------------------------------
Client connecting to 192.168.72.252, TCP port 5001
TCP window size: 0.01 MByte (default)
------------------------------------------------------------
[160] local 192.168.72.101 port 1367 connected with 192.168.72.252 port 5001
[ ID] Interval       Transfer     Bandwidth
[160]  0.0- 1.0 sec  4.63 MBytes  38.8 Mbits/sec
[160]  1.0- 2.0 sec  4.20 MBytes  35.2 Mbits/sec
[160]  2.0- 3.0 sec  4.19 MBytes  35.1 Mbits/sec
[160]  3.0- 4.0 sec  4.18 MBytes  35.1 Mbits/sec
---abridged---
[160] 57.0-58.0 sec  4.15 MBytes  34.8 Mbits/sec
[160] 58.0-59.0 sec  4.15 MBytes  34.8 Mbits/sec
[160] 59.0-60.0 sec  4.15 MBytes  34.8 Mbits/sec
[ ID] Interval       Transfer     Bandwidth
[160]  0.0-60.0 sec  250 MBytes   35.0 Mbits/sec
Done.
Aula7B#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 192.168.72.252:5001 10.0.0.252:5001 192.168.72.101:1403 192.168.72.101:1403
--- 192.168.72.252 10.0.0.252 --- ---
Aula7B#
Aula7B#sh policy-map type inspect zone-pair sessions
policy exists on zp segura-insegura
 Zone-pair: segura-insegura
  Service-policy inspect : policy1
    Class-map: saliente (match-any)
      Match: protocol dns
        116 packets, 5763 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http
        65 packets, 2072 bytes
        30 second rate 0 bps
      Match: protocol https
        62 packets, 1936 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        4 packets, 112 bytes
        30 second rate 0 bps
      Inspect
        Number of Established Sessions = 1
        Established Sessions
          Session 6660EE40 (10.0.0.252:1518)=>(192.168.72.101:5001) tcp SIS_OPEN
            Created 00:00:28, Last heard 00:00:00
            Bytes sent (initiator:responder) [193001652:0]
    Class-map: ICMP (match-any)
      Match: protocol icmp
        84 packets, 3360 bytes
        30 second rate 0 bps
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop
        5 packets, 196 bytes
policy exists on zp insegura-segura
 Zone-pair: insegura-segura
  Service-policy inspect : policy2
    Class-map: entrante (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        3 packets, 96 bytes
        30 second rate 0 bps
    Class-map: class-default (match-any)
      Match: any
      Drop
        22 packets, 880 bytes
Aula7B#sh proc | incl CPU
CPU utilization for five seconds: 82%/81%; one minute: 56%; five minutes: 28%
Aula7B#
Tests in the outside -> inside direction
Aula7B#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 192.168.72.252:1505 10.0.0.252:1505 192.168.72.101:5001 192.168.72.101:5001
tcp 192.168.72.252:5001 10.0.0.252:5001 192.168.72.101:1406 192.168.72.101:1406
--- 192.168.72.252 10.0.0.252 --- ---
Aula7B#
Aula7B# sh policy-map type inspect zone-pair sessions
policy exists on zp segura-insegura
 Zone-pair: segura-insegura
---abridged---
policy exists on zp insegura-segura
 Zone-pair: insegura-segura
  Service-policy inspect : policy2
    Class-map: entrante (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        3 packets, 96 bytes
        30 second rate 0 bps
      Inspect
        Number of Established Sessions = 1
        Established Sessions
          Session 6660B440 (192.168.72.101:1406)=>(10.0.0.252:5001) tcp SIS_OPEN
            Created 00:00:18, Last heard 00:00:00
            Bytes sent (initiator:responder) [83165208:0]
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop
        22 packets, 880 bytes
Aula7B#
Aula7B# sh proc | incl CPU
CPU utilization for five seconds: 98%/97%; one minute: 57%; five minutes: 34%
Aula7B#
With the rate limiter at 4 Mbps
Aula7B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Aula7B(config)# policy-map type inspect policy2
Aula7B(config-pmap)# class type inspect entrante
Aula7B(config-pmap-c)# inspect policy2e rate 4000000 burst 512000 (the burst is the 512 KByte "burst" of traffic allowed to exceed the 4 Mbps)
Aula7B(config-pmap-c)#^Z
Aula7B#
bin/iperf.exe -c 192.168.72.252 -P 1 -i 1 -p 5001 -f m -t 60 -T 1
------------------------------------------------------------
Client connecting to 192.168.72.252, TCP port 5001
TCP window size: 0.01 MByte (default)
------------------------------------------------------------
[156] local 192.168.72.101 port 1442 connected with 192.168.72.252 port 5001
[ ID] Interval       Transfer     Bandwidth
[156]  0.0- 1.0 sec  0.86 MBytes  7.21 Mbits/sec
[156]  1.0- 2.0 sec  0.31 MBytes  2.62 Mbits/sec
[156]  2.0- 3.0 sec  0.56 MBytes  4.72 Mbits/sec
[156]  3.0- 4.0 sec  0.45 MBytes  3.74 Mbits/sec
---abridged---
[156] 56.0-57.0 sec  0.31 MBytes  2.62 Mbits/sec
[156] 57.0-58.0 sec  0.44 MBytes  3.67 Mbits/sec
[156] 58.0-59.0 sec  0.59 MBytes  4.98 Mbits/sec
[156] 59.0-60.0 sec  0.43 MBytes  3.60 Mbits/sec
[ ID] Interval       Transfer     Bandwidth
[156]  0.0-60.4 sec  27.0 MBytes  3.75 Mbits/sec
Done.
Aula7B#sh proc | incl CPU
CPU utilization for five seconds: 10%/9%; one minute: 4%; five minutes: 9% (the impact is lower because the router processes (inspects) fewer packets per second)
Aula7B#
Aula7B#show policy-map type inspect zone-pair sessions
policy exists on zp segura-insegura
 Zone-pair: segura-insegura
---abridged---
policy exists on zp insegura-segura
 Zone-pair: insegura-segura
  Service-policy inspect : policy2
    Class-map: entrante (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        6 packets, 188 bytes
        30 second rate 0 bps
      Inspect
        Number of Established Sessions = 1
        Established Sessions
          Session 6660D040 (192.168.72.101:1442)=>(10.0.0.252:5001) tcp SIS_OPEN
            Created 00:00:33, Last heard 00:00:00
            Bytes sent (initiator:responder) [16056344:0]
      Police
        rate 4000000 bps,512000 limit
        conformed 25745 packets, 21216168 bytes; actions: transmit
        exceeded 1789 packets, 2036186 bytes; actions: drop (the default action)
        conformed 462000 bps, exceed 28000 bps
    Class-map: class-default (match-any)
      Match: any
      Drop
        22 packets, 880 bytes
Aula7B#
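The policer counters above (conformed versus exceeded, rate 4000000 bps with a 512000-byte limit) follow a token-bucket model. The following Python simulation is an added example, not part of the original lab: it implements a single-rate policer with the lab's parameters and feeds it a constructed stream of 1500-byte packets, showing how the 512 KByte burst credit lets the first second carry about 1 MB (roughly 8 Mbit/s) before the bucket drains to the steady 4 Mbit/s, which is consistent with the 7.21 Mbit/s seen in the first iperf interval and the values around 4 Mbit/s afterwards.

```python
# Added example (not from the lab): single-rate token-bucket policer with the
# parameters configured above (rate 4000000 bps, burst 512000 bytes).
# Times are integer microseconds so the token arithmetic stays exact.
RATE_BPS = 4_000_000
BURST_BYTES = 512_000

def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Classify (time_us, size_bytes) packets as conformed or exceeded.

    The bucket starts full, refills at rate_bps and is capped at burst_bytes.
    A packet conforms only if the bucket holds at least its size; an exceeded
    packet is dropped (the default action) and consumes no tokens.
    """
    tokens, last_us = burst_bytes, None
    stats = {"conformed_pkts": 0, "conformed_bytes": 0,
             "exceeded_pkts": 0, "exceeded_bytes": 0}
    for t_us, size in packets:
        if last_us is not None:
            refill = rate_bps * (t_us - last_us) // 8_000_000  # bit/s * us -> bytes
            tokens = min(burst_bytes, tokens + refill)
        last_us = t_us
        if size <= tokens:
            tokens -= size
            stats["conformed_pkts"] += 1
            stats["conformed_bytes"] += size
        else:
            stats["exceeded_pkts"] += 1
            stats["exceeded_bytes"] += size
    return stats

def constant_rate_stream(bytes_per_sec, pkt_size=1500, seconds=1):
    """Constructed traffic: pkt_size-byte packets evenly spaced over `seconds`."""
    n = bytes_per_sec * seconds // pkt_size
    gap_us = seconds * 1_000_000 // n
    return [(i * gap_us, pkt_size) for i in range(n)]

def first_second_mbps(offered_bytes_per_sec):
    """Throughput that conforms in the first second at the given offered load."""
    stats = police(constant_rate_stream(offered_bytes_per_sec))
    return stats["conformed_bytes"] * 8 / 1_000_000

if __name__ == "__main__":
    # 9.6 Mbit/s offered: the 4 Mbit/s rate plus the 512 KB burst credit get through (about 8 Mbit/s).
    print(police(constant_rate_stream(1_200_000)))
    print(f"first second at 9.6 Mbit/s offered: {first_second_mbps(1_200_000):.2f} Mbit/s")
    # Exactly 4 Mbit/s offered: nothing exceeds.
    print(police(constant_rate_stream(500_000)))
```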
FTP tests (to see how an FTP connection behaves):
C:\>ftp ftp.vilarrasa.com.ar
Conectado a vilarrasa.com.ar. (opens TCP 21 on the server)
220 Microsoft FTP Service
Usuario (vilarrasa.com.ar:(none)): ccna
331 Password required for ccna.
Contraseña: ****
230-Directory has 74,810,302,464 bytes of disk space available.
230 User logged in.
ftp> dir
200 PORT command successful. (opens the data transfer channel from the server's TCP 20 to the client)
125 Data connection already open; Transfer starting.
09-11-08 12:50PM 3913 2 sesiones Telnet al mismo router.pcap
---abridged---
07-02-08 08:40AM 158 Transaccion ARP.pcap
06-19-08 01:01PM 6867 Traza con loop por mala configuracion RIP.txt
06-19-08 01:02PM 2411 Traza con loop.txt
09-02-08 10:37AM 68421 Trobleshooting.pka
08-12-08 08:48AM 211798 Trouble shooting ethernet.pdf
11-08-08 09:45AM 125339 Understanding VTP.pdf
226-Directory has 74,808,881,152 bytes of disk space available.
226 Transfer complete.
ftp: 14026 bytes recibidos en 0,13 segundos 112,21 a KB/s.
ftp> mget syb* (copying files from the FTP server to the PC in the secure zone)
200 Type set to A.
mget sybex - dictionary of networking.pdf? y
200 PORT command successful. (opens the data transfer channel from the server's TCP 20 to the client)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp: 8448705 bytes recibidos en 39,81 segundos 212,22 a KB/s.
ftp> by
221 Goodbye.
C:\>
Aula7B#sh policy-map type inspect zone-pair sessions
policy exists on zp segura-insegura
 Zone-pair: segura-insegura
  Service-policy inspect : policy1
    Class-map: saliente (match-any)
      Match: protocol dns
        154 packets, 7490 bytes
        30 second rate 0 bps
      Match: protocol ftp
        1 packets, 28 bytes
        30 second rate 0 bps
      Match: protocol http
        80 packets, 2492 bytes
        30 second rate 0 bps
      Match: protocol https
        72 packets, 2216 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        4 packets, 112 bytes
        30 second rate 0 bps
      Inspect
        Number of Established Sessions = 2
        Established Sessions
          Session 66617E40 (10.0.0.252:1563)=>(200.58.114.227:21) ftp:tcp SIS_OPEN (control channel)
            Created 00:01:50, Last heard 00:00:28
            Bytes sent (initiator:responder) [182:603]
          Session 66618640 (200.58.114.227:20)=>(10.0.0.252:5003) ftp-data:tcp SIS_OPEN (data channel)
            Created 00:00:29, Last heard 00:00:00
            Bytes sent (initiator:responder) [6055168:0]
    Class-map: ICMP (match-any)
      Match: protocol icmp
        84 packets, 3360 bytes
        30 second rate 0 bps
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop
        85 packets, 2436 bytes
policy exists on zp insegura-segura
 Zone-pair: insegura-segura
  Service-policy inspect : policy2
    Class-map: entrante (match-any)
      Match: protocol http
        8 packets, 192 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        41 packets, 1448 bytes
        30 second rate 0 bps
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop
        135390 packets, 3261112 bytes
Aula7B#
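Reading these counters by hand across several zone pairs is error-prone, and the class-default drop counter and the policer's exceeded counter are the figures a firewall administrator most wants to track between runs. The following Python parser is an added example, not part of the lab: it walks the output of show policy-map type inspect zone-pair sessions and collects, per zone-pair and class-map, matched packets, class-default drops, established session counts and policer exceed drops. The sample text is constructed in the command's layout from the counters shown above.

```python
import re
# Constructed sample in the layout of "show policy-map type inspect zone-pair sessions" (counters from the FTP test above).
SAMPLE = """\
 Zone-pair: segura-insegura
   Class-map: saliente (match-any)
     Match: protocol ftp
       1 packets, 28 bytes
     Inspect
       Number of Established Sessions = 2
   Class-map: class-default (match-any)
     Match: any
     Drop
       85 packets, 2436 bytes
 Zone-pair: insegura-segura
   Class-map: entrante (match-any)
     Match: access-group name JPERF
       41 packets, 1448 bytes
     Inspect
       Number of Established Sessions = 1
     Police
       exceeded 1789 packets, 2036186 bytes; actions: drop
   Class-map: class-default (match-any)
     Match: any
     Drop
       135390 packets, 3261112 bytes
"""

def parse_zone_pair_sessions(text):
    # Returns {zone_pair: {class_map: {"matched", "dropped", "sessions", "exceeded"}}} (packet counts)
    stats, zp, cm, bucket = {}, None, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Zone-pair: (\S+)", line):
            zp, cm = m.group(1), None
            stats[zp] = {}
        elif m := re.match(r"Class-map: (\S+)", line):
            cm, bucket = m.group(1), None
            stats[zp][cm] = {"matched": 0, "dropped": 0, "sessions": 0, "exceeded": 0}
        elif line.startswith("Match:"):
            bucket = "matched"   # the next "N packets, N bytes" line belongs to this match
        elif line == "Drop":
            bucket = "dropped"   # the class-default drop counter follows
        elif m := re.match(r"Number of Established Sessions = (\d+)", line):
            stats[zp][cm]["sessions"] = int(m.group(1))
        elif m := re.match(r"exceeded (\d+) packets", line):
            stats[zp][cm]["exceeded"] = int(m.group(1))   # dropped by the policer
        elif (m := re.match(r"(\d+) packets, \d+ bytes$", line)) and bucket:
            stats[zp][cm][bucket] += int(m.group(1))
            bucket = None
    return stats
```

Feeding two captures taken some minutes apart and comparing the "dropped" and "exceeded" values shows whether unsolicited traffic or rate-limit drops are growing on a zone pair.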
Port scanning tests with Nmap:
Firewall configuration
Aula7B#sh runn (most relevant parts)
Building configuration...
Current configuration : 2790 bytes
!
version 12.4
---abridged---
!
hostname Aula7B
!
---abridged---
!
ip cef
!
class-map type inspect match-any saliente
 match protocol dns
 match protocol ftp
 match protocol http
 match protocol https
 match access-group name JPERF (matches against a named ACL, JPERF)
class-map type inspect match-any entrante
 match protocol http
 match access-group name JPERF (matches against the same ACL, since it is a generic one for testing)
class-map type inspect match-any ICMP
 match protocol icmp
!
!
policy-map type inspect policy1
 class type inspect saliente
  inspect
 class type inspect ICMP
  inspect
 class class-default
  drop
policy-map type inspect policy2
 class type inspect entrante
  inspect
 class class-default
  drop
!
zone security segura
zone security insegura
zone-pair security segura-insegura source segura destination insegura
 service-policy type inspect policy1
zone-pair security insegura-segura source insegura destination segura
 service-policy type inspect policy2
!
!
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 192.168.72.253 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security insegura
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security segura
 duplex auto
 speed auto
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.72.254
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static 10.0.0.252 192.168.72.252
!
ip access-list standard NAT
 permit 10.0.0.0 0.0.0.255
!
ip access-list extended JPERF
 permit tcp any any eq 5001 (generic permit that allows the ACL to be used in both directions)
!
---abridged---
end
Aula7B#
(2014) Networking may cause brain damage
Rosario, Argentina