Testing an 1841 router as a ZBF firewall

Date: 3 September 2014, for the CCNA Security classes (module 4)

Scenario

This scenario complements the CBAC firewall lab and uses the same equipment.

It checks the throughput loss caused by the firewall's traffic inspection and the implementation of a bandwidth limiter inside a zone policy.

It also checks the impact on the CPU while packets are being inspected.

Tests

The tests are run with Jperf, an application that measures data performance from layer 7 to layer 7 (clean payload, without headers, etc.).

 

Comparison between CBAC and ZBF

ZBF:  [160]  0.0- 60.0 sec   250 MBytes  35.0 Mbits/sec
CBAC: [276]  0.0-120.0 sec   690 MBytes  48.2 Mbits/sec

(ZBF performance is noticeably lower; the byte count depends on the duration: 1 minute versus 2 minutes)

 

Tests in the inside -> outside direction

bin/iperf.exe -c 192.168.72.252 -P 1 -i 1 -p 5001 -f m -t 60
------------------------------------------------------------
Client connecting to 192.168.72.252, TCP port 5001
TCP window size: 0.01 MByte (default)
------------------------------------------------------------
[160] local 192.168.72.101 port 1367 connected with 192.168.72.252 port 5001
[ ID] Interval       Transfer     Bandwidth
[160]  0.0- 1.0 sec  4.63 MBytes  38.8 Mbits/sec
[160]  1.0- 2.0 sec  4.20 MBytes  35.2 Mbits/sec
[160]  2.0- 3.0 sec  4.19 MBytes  35.1 Mbits/sec
[160]  3.0- 4.0 sec  4.18 MBytes  35.1 Mbits/sec
---abridged---
[160] 57.0-58.0 sec  4.15 MBytes  34.8 Mbits/sec
[160] 58.0-59.0 sec  4.15 MBytes  34.8 Mbits/sec
[160] 59.0-60.0 sec  4.15 MBytes  34.8 Mbits/sec
[ ID] Interval       Transfer     Bandwidth
[160]  0.0-60.0 sec   250 MBytes  35.0 Mbits/sec
Done.

 

Aula7B#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.72.252:5001 10.0.0.252:5001   192.168.72.101:1403 192.168.72.101:1403
--- 192.168.72.252     10.0.0.252         ---                ---
Aula7B#

Aula7B#sh policy-map type inspect zone-pair sessions

policy exists on zp segura-insegura
 Zone-pair: segura-insegura

  Service-policy inspect : policy1

    Class-map: saliente (match-any)
      Match: protocol dns
        116 packets, 5763 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http
        65 packets, 2072 bytes
        30 second rate 0 bps
      Match: protocol https
        62 packets, 1936 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        4 packets, 112 bytes
        30 second rate 0 bps

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 6660EE40 (10.0.0.252:1518)=>(192.168.72.101:5001) tcp SIS_OPEN
          Created 00:00:28, Last heard 00:00:00
          Bytes sent (initiator:responder) [193001652:0]

    Class-map: ICMP (match-any)
      Match: protocol icmp
        84 packets, 3360 bytes
        30 second rate 0 bps

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        5 packets, 196 bytes

policy exists on zp insegura-segura
 Zone-pair: insegura-segura

  Service-policy inspect : policy2

    Class-map: entrante (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        3 packets, 96 bytes
        30 second rate 0 bps
    Class-map: class-default (match-any)
      Match: any
      Drop
        22 packets, 880 bytes

Aula7B#sh proc | incl CPU
CPU utilization for five seconds: 82%/81%; one minute: 56%; five minutes: 28%
Aula7B#

 

Tests in the outside -> inside direction

Aula7B#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.72.252:1505 10.0.0.252:1505   192.168.72.101:5001 192.168.72.101:5001
tcp 192.168.72.252:5001 10.0.0.252:5001   192.168.72.101:1406 192.168.72.101:1406
--- 192.168.72.252     10.0.0.252         ---                ---
Aula7B#

Aula7B# sh policy-map type inspect zone-pair sessions

policy exists on zp segura-insegura
 Zone-pair: segura-insegura
---abridged---
policy exists on zp insegura-segura
 Zone-pair: insegura-segura

  Service-policy inspect : policy2

    Class-map: entrante (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        3 packets, 96 bytes
        30 second rate 0 bps
   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 6660B440 (192.168.72.101:1406)=>(10.0.0.252:5001) tcp SIS_OPEN
          Created 00:00:18, Last heard 00:00:00
          Bytes sent (initiator:responder) [83165208:0]

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        22 packets, 880 bytes
Aula7B#

Aula7B# sh proc | incl CPU
CPU utilization for five seconds: 98%/97%; one minute: 57%; five minutes: 34%
Aula7B#

 

With a rate limiter at 4 Mbps

Aula7B#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Aula7B(config)# policy-map type inspect policy2
Aula7B(config-pmap)# class type inspect entrante
Aula7B(config-pmap-c)# inspect policy2e rate 4000000 burst 512000
Aula7B(config-pmap-c)#^Z
Aula7B#

(burst is the amount of traffic, 512 KBytes, that may exceed the 4 Mbps as a "burst")
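The rate/burst semantics of the policer configured above, as an added example that is not part of the lab: a simplified single token-bucket model (an assumption, the real IOS policer's bookkeeping may differ in detail) where tokens are bytes refilled at rate/8 per second up to the burst depth, fed with constructed flows at 35 Mbit/s (the rate measured without the limiter) and at 3 Mbit/s.

```python
class TokenBucketPolicer:
    """Simplified single-rate, single-bucket model of the lab's
    'rate 4000000 burst 512000' policer (assumed model): tokens are bytes,
    refilled at rate/8 bytes per second and capped at the burst depth."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_s = rate_bps / 8
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)     # bucket starts full
        self.last_t = 0.0
        self.conformed = [0, 0]              # [packets, bytes]
        self.exceeded = [0, 0]

    def offer(self, t, size):
        """Offer one packet of `size` bytes at time `t` (seconds)."""
        elapsed = t - self.last_t
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last_t = t
        if size <= self.tokens:              # conform: spend tokens, transmit
            self.tokens -= size
            self.conformed[0] += 1
            self.conformed[1] += size
            return "transmit"
        self.exceeded[0] += 1                # exceed: drop, tokens are kept
        self.exceeded[1] += size
        return "drop"


def run_constant_flow(rate_bps, burst_bytes, pps, size, seconds):
    """Feed a constant flow of `pps` packets/s of `size` bytes for `seconds`
    and return (conformed, exceeded, delivered_bps)."""
    p = TokenBucketPolicer(rate_bps, burst_bytes)
    for i in range(int(pps * seconds)):
        p.offer(i / pps, size)
    delivered_bps = p.conformed[1] * 8 / seconds
    return tuple(p.conformed), tuple(p.exceeded), delivered_bps


if __name__ == "__main__":
    # Constructed inputs: 1460-byte packets at 35 Mbit/s (the unlimited
    # measurement) and at 3 Mbit/s, which stays below the configured rate.
    for mbit in (35, 3):
        pps = mbit * 1_000_000 / 8 / 1460
        conf, exc, bps = run_constant_flow(4_000_000, 512_000, pps, 1460, 10)
        print(f"{mbit} Mbit/s offered: conformed={conf} exceeded={exc} "
              f"delivered={bps / 1e6:.2f} Mbit/s")
```

The delivered rate over 10 s comes out just above 4 Mbit/s because the full 512 KB bucket is spent once at the start; the steady state is the configured rate.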

 

 

bin/iperf.exe -c 192.168.72.252 -P 1 -i 1 -p 5001 -f m -t 60 -T 1
------------------------------------------------------------
Client connecting to 192.168.72.252, TCP port 5001
TCP window size: 0.01 MByte (default)
------------------------------------------------------------
[156] local 192.168.72.101 port 1442 connected with 192.168.72.252 port 5001
[ ID] Interval       Transfer     Bandwidth
[156]  0.0- 1.0 sec  0.86 MBytes  7.21 Mbits/sec
[156]  1.0- 2.0 sec  0.31 MBytes  2.62 Mbits/sec
[156]  2.0- 3.0 sec  0.56 MBytes  4.72 Mbits/sec
[156]  3.0- 4.0 sec  0.45 MBytes  3.74 Mbits/sec
---abridged---
[156] 56.0-57.0 sec  0.31 MBytes  2.62 Mbits/sec
[156] 57.0-58.0 sec  0.44 MBytes  3.67 Mbits/sec
[156] 58.0-59.0 sec  0.59 MBytes  4.98 Mbits/sec
[156] 59.0-60.0 sec  0.43 MBytes  3.60 Mbits/sec
[ ID] Interval       Transfer     Bandwidth
[156]  0.0-60.4 sec  27.0 MBytes  3.75 Mbits/sec
Done.

Aula7B#sh proc | incl CPU
CPU utilization for five seconds: 10%/9%; one minute: 4%; five minutes: 9%
Aula7B#

(the impact is lower because the router processes, i.e. inspects, fewer packets per second)

 

Aula7B#show policy-map type inspect zone-pair sessions

policy exists on zp segura-insegura
 Zone-pair: segura-insegura
---abridged---
policy exists on zp insegura-segura
 Zone-pair: insegura-segura

  Service-policy inspect : policy2

    Class-map: entrante (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        6 packets, 188 bytes
        30 second rate 0 bps

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 6660D040 (192.168.72.101:1442)=>(10.0.0.252:5001) tcp SIS_OPEN
          Created 00:00:33, Last heard 00:00:00
          Bytes sent (initiator:responder) [16056344:0]

       Police
        rate 4000000 bps,512000 limit
        conformed 25745 packets, 21216168 bytes; actions: transmit
        exceeded 1789 packets, 2036186 bytes; actions: drop (default action)
        conformed 462000 bps, exceed 28000 bps

    Class-map: class-default (match-any)
      Match: any
      Drop
        22 packets, 880 bytes
Aula7B#

 

FTP tests (to see how an FTP connection behaves):

C:\>ftp ftp.vilarrasa.com.ar
Conectado a vilarrasa.com.ar. (opens TCP 21 on the server)
220 Microsoft FTP Service
Usuario (vilarrasa.com.ar:(none)): ccna
331 Password required for ccna.
Contraseña: ****
230-Directory has 74,810,302,464 bytes of disk space available.
230 User logged in.
ftp> dir
200 PORT command successful. (opens the data transfer channel from TCP 20 on the server to the client)
125 Data connection already open; Transfer starting.
09-11-08  12:50PM                 3913 2 sesiones Telnet al mismo router.pcap
---abridged---
07-02-08  08:40AM                  158 Transaccion ARP.pcap
06-19-08  01:01PM                 6867 Traza con loop por mala configuracion RIP.txt
06-19-08  01:02PM                 2411 Traza con loop.txt
09-02-08  10:37AM                68421 Trobleshooting.pka
08-12-08  08:48AM               211798 Trouble shooting ethernet.pdf
11-08-08  09:45AM               125339 Understanding VTP.pdf
226-Directory has 74,808,881,152 bytes of disk space available.
226 Transfer complete.
ftp: 14026 bytes recibidos en 0,13 segundos 112,21 a KB/s.
ftp> mget syb* (copy files from the FTP server to the PC in the secure zone)
200 Type set to A.
mget sybex - dictionary of networking.pdf? y
200 PORT command successful. (opens the data transfer channel from TCP 20 on the server to the client)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp: 8448705 bytes recibidos en 39,81 segundos 212,22 a KB/s.
ftp> by
221 Goodbye.

C:\>

 

Aula7B#sh policy-map type inspect zone-pair sessions

policy exists on zp segura-insegura
 Zone-pair: segura-insegura

  Service-policy inspect : policy1

    Class-map: saliente (match-any)
      Match: protocol dns
        154 packets, 7490 bytes
        30 second rate 0 bps
      Match: protocol ftp
        1 packets, 28 bytes
        30 second rate 0 bps
      Match: protocol http
        80 packets, 2492 bytes
        30 second rate 0 bps
      Match: protocol https
        72 packets, 2216 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        4 packets, 112 bytes
        30 second rate 0 bps

   Inspect

      Number of Established Sessions = 2
      Established Sessions
        Session 66617E40 (10.0.0.252:1563)=>(200.58.114.227:21) ftp:tcp SIS_OPEN (control channel)
          Created 00:01:50, Last heard 00:00:28
          Bytes sent (initiator:responder) [182:603]
        Session 66618640 (200.58.114.227:20)=>(10.0.0.252:5003) ftp-data:tcp SIS_OPEN (data channel)
          Created 00:00:29, Last heard 00:00:00
          Bytes sent (initiator:responder) [6055168:0]

    Class-map: ICMP (match-any)
      Match: protocol icmp
        84 packets, 3360 bytes
        30 second rate 0 bps

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        85 packets, 2436 bytes

policy exists on zp insegura-segura
 Zone-pair: insegura-segura

  Service-policy inspect : policy2

    Class-map: entrante (match-any)
      Match: protocol http
        8 packets, 192 bytes
        30 second rate 0 bps
      Match: access-group name JPERF
        41 packets, 1448 bytes
        30 second rate 0 bps

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        135390 packets, 3261112 bytes
Aula7B#
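An added example, not part of the lab, that parses the session listing above into per-zone-pair sessions and class-default drop counters; the embedded text is a constructed excerpt of the output shown on this page. It surfaces the point worth noticing: the ftp-data session initiated from the server's port 20 is admitted under the outbound segura-insegura pair as a child of the inspected control session, not by any class of the inbound policy.

```python
import re

SESSION = re.compile(r"Session (\w+) \((\S+)\)=>\((\S+)\) (\S+) (\S+)")
COUNTS = re.compile(r"(\d+) packets, (\d+) bytes")

# Constructed excerpt of 'show policy-map type inspect zone-pair sessions'.
SAMPLE = """\
 Zone-pair: segura-insegura
    Class-map: saliente (match-any)
      Established Sessions
        Session 66617E40 (10.0.0.252:1563)=>(200.58.114.227:21) ftp:tcp SIS_OPEN
        Session 66618640 (200.58.114.227:20)=>(10.0.0.252:5003) ftp-data:tcp SIS_OPEN
    Class-map: class-default (match-any)
      Drop
        85 packets, 2436 bytes
 Zone-pair: insegura-segura
    Class-map: entrante (match-any)
    Class-map: class-default (match-any)
      Drop
        135390 packets, 3261112 bytes
"""

def parse_zone_pairs(text):
    """Return {zone_pair: {"sessions": [...], "drops": (packets, bytes)}}."""
    zp = cls = None
    pending = False          # True right after a class-default "Drop" line
    result = {}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Zone-pair:"):
            zp = s.split()[1]
            result[zp] = {"sessions": [], "drops": (0, 0)}
        elif s.startswith("Class-map:"):
            cls = s.split()[1]
        elif (m := SESSION.search(s)):
            sid, init, resp, proto, state = m.groups()
            result[zp]["sessions"].append({"id": sid, "initiator": init, "responder": resp,
                                           "proto": proto, "state": state, "class": cls})
        elif s == "Drop" and cls == "class-default":
            pending = True   # the counter is on the following line
        elif pending and (m := COUNTS.search(s)):
            result[zp]["drops"] = tuple(map(int, m.groups()))
            pending = False
    return result

def sessions_initiated_by(parsed, zone_pair, initiator_prefix):
    """Sessions under zone_pair whose initiator starts with initiator_prefix; on the
    outbound pair this lists child sessions that inspection of a parent admitted."""
    return [s for s in parsed[zone_pair]["sessions"]
            if s["initiator"].startswith(initiator_prefix)]
```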

 

Port scanning tests with Nmap:

Firewall configuration

Aula7B#sh runn (the most relevant parts)

Building configuration...

Current configuration : 2790 bytes
!
version 12.4
---abridged---
!
hostname Aula7B
!
---abridged---
!
ip cef
!
class-map type inspect match-any saliente
 match protocol dns
 match protocol ftp
 match protocol http
 match protocol https
 match access-group name JPERF (matches against a named ACL called JPERF)
class-map type inspect match-any entrante
 match protocol http
 match access-group name JPERF (matches against the same ACL, since it is a generic one for testing)
class-map type inspect match-any ICMP
 match protocol icmp
!
!
policy-map type inspect policy1
 class type inspect saliente
  inspect
 class type inspect ICMP
  inspect
 class class-default
  drop
policy-map type inspect policy2
 class type inspect entrante
  inspect
 class class-default
  drop
!
zone security segura
zone security insegura
zone-pair security segura-insegura source segura destination insegura
 service-policy type inspect policy1
zone-pair security insegura-segura source insegura destination segura
 service-policy type inspect policy2
!
!
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 192.168.72.253 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security insegura
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security segura
 duplex auto
 speed auto
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.72.254
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static 10.0.0.252 192.168.72.252
!
ip access-list standard NAT
 permit 10.0.0.0 0.0.0.255
!
ip access-list extended JPERF
 permit tcp any any eq 5001 (generic permit that lets the ACL be used in both directions)
!
---abridged---
end

Aula7B#

(2014) Networking may cause brain damage

Rosario, Argentina