ASA Modular Policy Framework (MPF) NetWork Training Center N.T.C www.ntcenter.az Teymur Azimov

Upload: morris-mcdaniel

Post on 04-Jan-2016




With ACLs alone, packets are permitted or denied based on the information that can be found in the packet headers. Although that approach offers granular control over things such as source and destination addresses, Layer 3 and 4 protocols, and port numbers, it still treats all types of traffic identically once the packets are permitted or denied. For example, Babek needs to examine specific application protocols with deep packet inspection to make sure that hosts are using the protocols correctly. Sometimes we use an intrusion prevention system (IPS) process to detect and prevent malicious activity. Functions such as these are not possible with simple interface ACLs.

The ASA offers much more flexibility through its Modular Policy Framework (MPF). With the MPF feature, we can define a set of policies that identifies traffic and then takes some specific action on it. MPF is a set of three nested items:

■ A service policy: An entire set of policies that is applied to one or all ASA interfaces, configured with the service-policy command.

■ A policy map: Where an action is taken on matched traffic, configured with the policy-map command.

■ A class map: Where specific traffic flows are identified or classified, configured with the class-map command.


A service policy can contain one or more policy maps, which can, in turn, contain one or more class maps. As well, any class map you define can be referenced in multiple policy maps and service policies.

Configuring Modular Policy Framework consists of the following tasks:

1. Identify the traffic on which we want to perform Modular Policy Framework actions by creating Layer 3/4 class maps. For example, we might want to perform actions on all traffic that passes through the ASA, or we might only want to perform certain actions on traffic from 10.1.1.0/24 to any destination address.


2. If one of the actions we want to perform is application inspection, and we want to perform additional actions on some inspected traffic, then create an inspection policy map. The inspection policy map identifies the traffic and specifies what to do with it. For example, Sahib might want to drop all HTTP requests with a body length greater than 1000 bytes.

If Ferid wants to match text with a regular expression within inspected packets, he can create a regular expression or a group of regular expressions (a regular expression class map). Then, when we define the traffic to match for the inspection policy map, we can call on an existing regular expression. For example, we might want to drop all HTTP requests with a URL including the text "milli.az".


3. Define the actions we want to perform on each Layer 3/4 class map by creating a Layer 3/4 policy map. Then determine on which interfaces Hikmet wants to apply the policy map, using a service policy.


To get an idea of the MPF structure, we can look at the policies that are configured by default in an ASA. First, we can use the show running-config service-policy command to see which service policies have been defined and applied to the ASA interfaces. The output shows a service policy that refers to something called global_policy, which has been applied globally to all ASA interfaces. A service policy always references a policy map, the next level down in the MPF hierarchy.

Default Service Policies

ciscoasa# show running-config service-policy
service-policy global_policy global
ciscoasa#

We now know that the name of the policy map is global_policy, but what does it do? Next, we can look at the policy map configuration to find out.


Policy Map Configuration

ciscoasa# show running-config policy-map global_policy
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!


Notice how the policy map named global_policy begins with a class command and then contains a long list of inspect commands.

A policy map must always classify or identify traffic first and then take some action on it.

The class command references a class map that does the actual traffic classification, while the inspect commands define each of the actions that must be taken on the matching traffic. What sort of traffic is being classified in the policy map? To find out, we need to look at the configuration of the class map called inspection_default.

Class Map Configuration

ciscoasa# show running-config class-map inspection_default
!
class-map inspection_default
 match default-inspection-traffic
!
ciscoasa#


Simple Hierarchy of the Default MPF Configuration

service-policy pmap1

policy-map pmap1
 class cmap1
  action ...

class-map cmap1
 match ...


MPF supports these features:

TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization

CSC (content security control)

Application inspection

IPS

QoS input policing

QoS output policing

QoS priority queue


What can we configure in a policy map?

The following list describes the actions that an ASA can take on traffic it encounters:

Apply application inspection engines: We can tailor the stateful inspection process that is performed on a very specific type of traffic. Different sets of traffic can be inspected differently.

Set connection limits: The ASA can control the volume of UDP and TCP connections that are initiated for matched traffic.

Adjust TCP parameters: Values carried in the TCP header can be inspected, changed, or normalized to conform to configured limits in very specific ways. This can be done differently for each set of traffic identified.

Limit management traffic: Connections that terminate on the ASA itself can be limited, just like other types of connections that pass through the ASA. Configuring limits on management traffic can help prevent unnecessary strain on the ASA's CPU.

Send traffic to a Security Services Module (SSM): Specific traffic can be diverted to an embedded Advanced Inspection and Prevention (AIP) module or an embedded Content Security and Control (CSC) module.


Limit the bandwidth used: We can tailor traffic policers to limit the bandwidth used by predefined sets of traffic. For example, mission-critical applications might be allowed to use any available bandwidth, whereas peer-to-peer file sharing applications are limited to a small portion of interface bandwidth.

Provide priority handling: Specific types of traffic can be given priority over other types as packets are sent out an interface. This allows time-critical applications to receive premium service as those packets are inspected and passed through the ASA.

As a rule, remember the following security policy building blocks and their functions:

■ Class map: Which traffic will be matched?
■ Policy map: What action will be taken on each class of traffic?
■ Service policy: Where will the policy map be applied?


We can configure security policies according to the following broad categories:

OSI Layers 3 and 4: Match and take action based on information found in the Layer 3 and 4 headers, such as IP address, protocol, and port numbers.

OSI Layers 5–7: Match and take action on traffic flows, based on information found in the application layer content of packets.

Management traffic: Match and take action on traffic that terminates on the ASA itself, rather than passing through the ASA.


We can use the following steps to configure a security policy, either with the CLI or with ASDM:

Step 1. Define a Layer 3–4 class map.
Step 2. Define a Layer 3–4 policy map.
Step 3. Apply the policy map to the appropriate interfaces.

Step 1: Define a Layer 3–4 Class Map

As traffic moves through an ASA, it can be identified or classified according to the matching conditions defined in a class map. We can configure multiple class maps to identify several different classes of traffic, if needed. Then a different policy can be applied to each traffic class.

First, identify the class map with the class-map command, as follows:

ciscoasa(config)# class-map class_map_name
ciscoasa(config-cmap)# description text


A class map can match traffic according to any of the following conditions:

■ All traffic: All packets passing through an ASA interface
■ Default traffic: Packets that belong to a predefined set of protocols and port numbers
■ Traffic flow: Packets destined for a unique IP address, where the policy action will be applied on a per-flow basis
■ Destination port: Packets being sent to a destination port number or range of port numbers
■ Access list: Packets that are permitted by an access list, matched according to protocol, IP addresses, and port numbers
■ QoS values: Packets that contain up to four matching IP precedence values or up to eight matching Differentiated Services Code Point (DSCP) values
■ RTP port range: Real-time Transport Protocol (RTP) packets that fall within a range of UDP port numbers
■ VPN group: Packets that pass through a specific VPN tunnel group name


Match Commands Used in a Class Map

Matching Condition        Command Syntax
Any traffic               ciscoasa(config-cmap)# match any
Default traffic types     ciscoasa(config-cmap)# match default-inspection-traffic
Traffic flow              ciscoasa(config-cmap)# match flow ip destination-address
Destination port number   ciscoasa(config-cmap)# match port {tcp | udp} {eq port | range start end}
Access list               ciscoasa(config-cmap)# match access-list acl_name
QoS: IP precedence        ciscoasa(config-cmap)# match precedence value1 [value2 [value3 [value4]]]
QoS: DSCP                 ciscoasa(config-cmap)# match dscp value1 [value2 ... [value8]]
RTP port number range     ciscoasa(config-cmap)# match rtp starting_port range
VPN tunnel group name     ciscoasa(config-cmap)# match tunnel-group

Configuring Three Class Maps

ciscoasa(config)# class-map anything
ciscoasa(config-cmap)# match any
ciscoasa(config-cmap)# exit
!
ciscoasa(config)# class-map voice
ciscoasa(config-cmap)# match rtp 2000 100
ciscoasa(config-cmap)# exit
!
ciscoasa(config)# access-list dc extended permit ip any 10.100.0.0 255.255.0.0
ciscoasa(config)# class-map data-center
ciscoasa(config-cmap)# match access-list dc
ciscoasa(config-cmap)# exit


Step 2: Define a Layer 3–4 Policy Map

Security policies are defined in a policy map as a sequence of match-action pairs. Each security policy references a class map to match traffic, followed by one or more actions to take on the matched traffic.

First, identify the policy map with the policy-map command, as follows:

ciscoasa(config)# policy-map policy_map_name
ciscoasa(config-pmap)# description text

Give the policy map an arbitrary name as policy_map_name, and then use the description command to describe the purpose of the policy map. Next, use the class command to identify a class map that will be used to match or classify traffic, as follows:

ciscoasa(config-pmap)# class {class_map_name | class-default}


Choose an action to take on any traffic that is matched or classified by the class map. The following list summarizes the actions that are possible:

Set connection limits

Adjust TCP options

Inspect the traffic with an application inspection engine

Inspect the traffic with an intrusion prevention system (IPS) or Content Security and Control (CSC) module

Police or shape the traffic to control the bandwidth used


Configuring a Policy Map with Three Security Policies

ciscoasa(config)# policy-map p1
ciscoasa(config-pmap)# class anything
ciscoasa(config-pmap-c)# set connection ...
ciscoasa(config-pmap-c)# inspect ...
ciscoasa(config-pmap-c)# class voice
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# class data-center
ciscoasa(config-pmap-c)# set connection timeout ...
ciscoasa(config-pmap)# exit


Step 3: Apply the Policy Map to the Appropriate Interfaces

The entire policy map is applied to one or all ASA interfaces, where the classifications and actions are carried out. Use the following command to define a service policy that binds a policy map to an interface:

ciscoasa(config)# service-policy policy_map_name {global | interface if_name}

The ASA supports only one global service policy. Remember that a global service policy is configured by default. Therefore, we cannot add a second global service policy; we can edit the existing one, or we can remove it and add a different one in its place.

ciscoasa(config)# service-policy p1 interface outside
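The three-step procedure above (class maps, policy map p1, service policy) modelled as an added Python example; this is not code from the slides or from Cisco. The elided "set connection ..." and "inspect ..." arguments, the flows, and the one-entry slice of the default global policy are constructed; the per-feature first-match and interface-over-global rules it applies are ASA's documented matching behaviour, which the slides do not spell out.

```python
"""Model of the MPF hierarchy on these slides: class maps classify a flow, a policy
map lists (class, actions) in configured order, a service policy binds it to an
interface or globally. Constructed example, not ASA code; the per-feature first-match
and interface-over-global rules are ASA's documented behaviour, not on the slides."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "proto dst dport")  # "tcp"/"udp", destination IPv4, dest port

def match_any(flow):                        # class-map anything / match any
    return True

def match_rtp(start, count):                # match rtp 2000 100 -> UDP 2000..2099
    # (count read as the number of ports in the range: assumption)
    return lambda f: f.proto == "udp" and start <= f.dport < start + count

def match_acl(dst_net):   # access-list dc extended permit ip any 10.100.0.0 255.255.0.0
    return lambda f: ip_address(f.dst) in ip_network(dst_net)

def match_default_inspection(f):  # constructed one-entry slice: DNS over UDP/53
    return (f.proto, f.dport) == ("udp", 53)

CLASS_MAPS = {"anything": match_any, "voice": match_rtp(2000, 100),
              "data-center": match_acl("10.100.0.0/16"),
              "inspection_default": match_default_inspection}

# policy-map p1 from the slides as (class, [(feature type, action)]); the elided
# "set connection ..." and "inspect ..." arguments are constructed here.
P1 = [("anything", [("set connection", "set connection conn-max 1000"),
                    ("inspect http", "inspect http")]),
      ("voice", [("priority", "priority")]),
      ("data-center", [("set connection", "set connection timeout idle 0:30:00")])]
# constructed slice of the default global_policy shown on the slides
GLOBAL_POLICY = [("inspection_default", [("inspect dns", "inspect dns preset_dns_map")])]

def apply_policy(policy_map, flow, seen=None):
    """Classes are walked in order; a feature type is taken from the first matching
    class only, so p1's data-center timeout never applies after class anything."""
    seen, applied = (set() if seen is None else seen), []
    for cname, actions in policy_map:
        for feature, action in (actions if CLASS_MAPS[cname](flow) else []):
            if feature not in seen:
                seen.add(feature)
                applied.append(action)
    return applied

def resolve(flow, interface_pm, global_pm):
    """Interface policy is evaluated first and wins for any feature type both define."""
    seen = set()
    return apply_policy(interface_pm, flow, seen) + apply_policy(global_pm, flow, seen)
```

For an RTP flow, resolve(Flow("udp", "10.1.1.5", 2050), P1, GLOBAL_POLICY) yields the connection limit and inspection from class anything plus priority from class voice; a flow to 10.100.0.0/16 gets class anything's connection setting and never the data-center timeout.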


MPF Structure for the TCP Normalizer

ciscoasa(config)# class-map class_map_name
ciscoasa(config-cmap)# match condition
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map policy_map_name
ciscoasa(config-pmap)# class class_map_name
ciscoasa(config-pmap-c)# set connection advanced-options tcp-map
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy policy_map_name interface interface


Enabling ICMP and ICMP Error Inspection Globally

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)#

Configuring Dynamic


Configuring HTTP Inspection for Specific Traffic on an Interface

ciscoasa(config)# access-list MYHTTP extended permit tcp any 172.16.1.0 255.255.255.0 eq www
ciscoasa(config)# class-map CMAP_HTTP
ciscoasa(config-cmap)# match access-list MYHTTP
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map MYPOLICY
ciscoasa(config-pmap)# class CMAP_HTTP
ciscoasa(config-pmap-c)# inspect http
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy MYPOLICY interface outside


THANKS

www.ntcenter.az