uRPF - Unicast Reverse Path Forwarding

Cisco Docs: Cisco Docs: Secure DATA PLANE>Security Configuration Guide: Unicast Reverse Path Forwarding
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_urpf/configuration/12-4t/sec-data-urpf-12-4t-book.html

The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address

Configure the receiving interface, which allows Unicast RPF to verify the best return path before forwarding the packet on to the next destination. For example, verify if the SOURCE IP is reachable via that exact interface:
(config-subif)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received <-EXACT INTERFACE

#sh ip int s1/0.21 | b verify
  IP verify source reachable-via RX
   0 verification drops
   0 suppressed verification drops
   0 verification drop-rate

!!!If the check fails, and this is NOT the best interface to reach the IP from which the incoming packed was sourced the packed it DROPPED.

Zone Based Firewall

Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Zone-Based Policy Firewall
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html

To configure the Zone Based FW, the approach is somewhat similar to the MQC method in the QoS configuration.

STEP 1> Start by creating a class map of INSPECT TYPE, and match HTTP, and DROP everything else:
(config)#class-map type inspect match-any OUTSIDE
(config-cmap)#match protocol http
(config-pmap)#class type inspect OUTSIDE 
(config-pmap-c)#drop

STEP 2> Create a inspect type POLICY-MAP that matches the defined CLASS-MAP, and INSPECTS:
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class OUTSIDE
(config-pmap-c)#inspect ?
  WORD  Parameter-map (inspect) name <PARAMETER MAP CAN BE DEFINED to tune the inspection
  <cr>
(config-pmap-c)#inspect

STEP 3> Define the SECURITY ZONES for the interfaces you need, and assign them to the interfaces:
(config)#zone security DMZ
(config-if)#zone-member security DMZ

(config)#zone security OUTSIDE
(config-if)#zone-member security OUTSIDE

STEP 4> Set the POLICIES between each ZONE PAIR:
(config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ
(config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY

#show policy-map type inspect zone-pair session
policy exists on zp OUT-to-DMZ
 Zone-pair: OUT-to-DMZ
  Service-policy inspect : OUTSIDE_POLICY
    Class-map: INSIDE (match-any)
      Match: protocol tcp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
   Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

PARAMETER MAP can be created to tune to drop logs, handle alarms, max&min session numbers and much more, for example:
(config)# parameter-map type inspect eng-network-profile
(config-profile)# tcp synwait-time 3 <-HOW LONG TO WAIT FOR SYN FOR THE TCP SESSION

Most Popular Posts