Policy and firewall_filters

n7a

  1. Routing Policy and Firewall Filters
     © 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net
  2. What Is Routing Policy?
     Routing policy controls the flow of routing information to and from the routing table.
     • Use policy to accept, reject, or modify attributes for routes:
       • Received through dynamic routing protocols
       • Sent to dynamic routing protocols
       • Installed in the forwarding table
     Diagram: Neighbors → Protocol → (import) → Routing Table → (export) → Protocol → Neighbors; the routing table also exports routes to the Forwarding Table (PFE).
     Import policies control the route importation into the routing table. Export policies control the route exportation from the routing table.
  3. Default Routing Policies
     Protocol | Import Policy | Export Policy
     BGP | Accept all BGP routes and import into inet.0 | Accept all active BGP routes
     OSPF | Accept all OSPF routes and import into inet.0 | Reject everything (protocol floods by default)
     IS-IS | Accept all IS-IS routes and import into inet.0 | Reject everything (protocol floods by default)
     RIP | Accept all RIP routes from explicitly configured neighbors and import into inet.0 | Reject everything
  4. Building Blocks of Routing Policy
     A routing policy consists of zero or more terms; the software evaluates terms sequentially until it reaches a terminating action or the end of the policy.
     Diagram: my-policy (user-defined policy and term names) → term first-term: from → match → then; no match → term second-term: from → match → then; no match → term third-term: from → match → then.
     from statements describe match conditions. then statements describe the actions to take if a match with the from statement occurs.
     Note: Ordering matters! If you must reorder terms within a policy, consider using the insert CLI command.
  5. Common Match Criteria
     Common match criteria for routing policy:
     • Prefix (route-filter or prefix-list)
     • Protocol (OSPF, static, BGP, and so forth)
     • Routing protocol attributes:
       • OSPF area ID, AS path, and community
     • Next hop
     from statements describe match conditions.
     Note: If you omit the from statement, all routes match and will take the specified action.
  6. Prefix Lists
     Prefix lists contain a list of prefixes:
     • Configured under the [edit policy-options] hierarchy
     • Can be referenced in firewall filters and routing policy terms

         [edit policy-options]
         user@host# show
         prefix-list rfc1918 {
             10.0.0.0/8;
             172.16.0.0/12;
             192.168.0.0/16;
         }
         policy-statement policy-1 {
             from {
                 prefix-list rfc1918;
             }
             then reject;
         }
         policy-statement policy-2 {
             from {
                 prefix-list-filter rfc1918 orlonger reject;
             }
         }

     prefix-list matches the prefix exactly. prefix-list-filter allows match types and actions. Supported match types include exact, longer, and orlonger and are covered on subsequent slides.
  7. Route Filters
     Route filters match individual routes within a policy:
     • You can specify multiple route filters within a single term
     • Not reusable—term-specific

         [edit policy-options]
         user@host# show
         policy-statement policy-1 {
             term reject-rfc1918-prefixes {
                 from {
                     route-filter 172.16.0.0/12 orlonger;
                     route-filter 192.168.0.0/16 orlonger;
                     route-filter 10.0.0.0/8 orlonger;
                 }
                 then reject;
             }
         }

     Note: Various match types are supported. We discuss the match types on subsequent slides.
  8. Match Types (1 of 3)
     exact:
     • Match the specified prefix and mask exactly
       from route-filter 192.168.0.0/16 exact;
     orlonger:
     • Match the specified prefix and mask exactly and all routes that are subsets of the prefix and that have longer masks
       from route-filter 192.168.0.0/16 orlonger;
  9. Match Types (2 of 3)
     longer:
     • Match routes that are subsets of the prefix and that have longer masks
     • Do not match the specified prefix and mask
       from route-filter 192.168.0.0/16 longer;
     upto:
     • Match the specified prefix and mask exactly and any routes that are subsets of the specified prefix and that have a mask no longer than the second value specified
       from route-filter 192.168.0.0/16 upto /24;
  10. Match Types (3 of 3)
     prefix-length-range:
     • Match routes that are subsets of the specified prefix and that have a mask between the two values (inclusive match)
       from route-filter 192.168.0.0/16 prefix-length-range /20-/24;
     through:
     • Match the first and second specified prefixes and masks exactly and all prefixes directly between the two prefixes
       from route-filter 192.168.0.0/16 through 192.168.16.0/20;
  11. Match Type Summary
     Given a starting prefix of 192.168/16, what matches with each option?
     Diagram: a prefix tree rooted at 192.168/16 is shown for each option: exact; orlonger (down to /32); longer (down to /32); through; prefix-length-range /x-/y; upto.
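The six match types on slides 8 to 11 can be stated as set operations on prefixes. The following Python model is an added illustration, not Juniper code: it implements each match type with the standard library's `ipaddress` module and classifies candidate routes against the deck's own examples (`192.168.0.0/16` with `upto /24`, `prefix-length-range /20-/24` and `through 192.168.16.0/20`). Prefixes must be written in full (`192.168.0.0/16`, not the slide's shorthand `192.168/16`), because `ipaddress` does not accept the abbreviated form.

```python
import ipaddress

# Added illustration of the Junos route-filter match types; not Juniper code.


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def matches(route, prefix, match_type, arg=None):
    """Return True if `route` matches `prefix` under the given match type.

    match_type: 'exact', 'orlonger', 'longer', 'upto', 'prefix-length-range', 'through'
    arg:        '/24' for upto, '/20-/24' for prefix-length-range,
                the second prefix (e.g. '192.168.16.0/20') for through
    """
    r, p = _net(route), _net(prefix)
    if r.version != p.version:
        return False
    if match_type == "exact":
        return r == p
    if match_type == "orlonger":               # the prefix itself and every subset
        return r.subnet_of(p)
    if match_type == "longer":                 # subsets only, never the prefix itself
        return r.subnet_of(p) and r.prefixlen > p.prefixlen
    if match_type == "upto":                   # prefix and subsets no longer than /arg
        return r.subnet_of(p) and r.prefixlen <= int(arg.lstrip("/"))
    if match_type == "prefix-length-range":    # subsets with mask in [lo, hi]
        lo, hi = (int(x.lstrip("/")) for x in arg.split("-"))
        return r.subnet_of(p) and lo <= r.prefixlen <= hi
    if match_type == "through":
        q = _net(arg)
        if not q.subnet_of(p):
            raise ValueError("second prefix must lie within the first")
        # The prefixes "directly between" p and q are those contained in p
        # that still contain q, i.e. the path from p down to q in the prefix tree.
        return r.subnet_of(p) and q.subnet_of(r)
    raise ValueError(f"unknown match type {match_type}")


# The deck's examples against the starting prefix 192.168.0.0/16 (slide 11).
SLIDE_EXAMPLES = [
    ("exact", None),
    ("orlonger", None),
    ("longer", None),
    ("upto", "/24"),
    ("prefix-length-range", "/20-/24"),
    ("through", "192.168.16.0/20"),
]


def summary(route, prefix="192.168.0.0/16"):
    """Names of the slide's match-type examples that `route` satisfies."""
    return [
        name if arg is None else f"{name} {arg}"
        for name, arg in SLIDE_EXAMPLES
        if matches(route, prefix, name, arg)
    ]


if __name__ == "__main__":
    # Constructed candidate routes that exercise every branch.
    for candidate in ("192.168.0.0/16", "192.168.0.0/19", "192.168.16.0/20",
                      "192.168.1.0/24", "192.168.1.128/25", "192.168.32.0/19", "10.0.0.0/8"):
        print(f"{candidate:18} {summary(candidate)}")
```

The `through` branch is the one people get wrong: it is not "everything between two addresses" but the chain of prefixes from the first down to the second, so `192.168.32.0/19` does not match `192.168.0.0/16 through 192.168.16.0/20` even though it sits inside the /16.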
  12. Common Actions
     Common actions in routing policy:
     • Terminating actions:
       • accept
       • reject
     • Flow control:
       • next term
       • next policy
     • Modifying attributes:
       • community (add, delete, and set)
       • preference
     then statements describe the actions to take if a match with the from statement occurs.
  13. Implementing Routing Policy (1 of 2)
     Definition of routing policy is always under the [edit policy-options] hierarchy:

         [edit policy-options]
         user@host# show
         policy-statement my-policy {
             term accept-local-route {
                 from {
                     protocol local;
                     interface ge-0/0/0;
                 }
                 then accept;
             }
             term accept-some-static-routes {
                 from {
                     protocol static;
                     route-filter 172.18.1.0/24 exact;
                     route-filter 172.18.2.0/24 exact;
                 }
                 then accept;
             }
             term accept-rip-routes {
                 from protocol rip;
                 then accept;
             }
         }

     Diagram: my-policy → term first-term (from → match → then; no match) → term second-term (from → match → then; no match) → term third-term (from → match → then).
  14. Implementing Routing Policy (2 of 2)
     You can apply routing policies as import or export policies at different levels (protocol dependent):

         [edit protocols ospf]
         user@host# show
         export my-policy;
         area 0.0.0.0 {
             interface ge-0/0/1.0;
             interface ge-0/0/2.0;
             interface ge-0/0/3.0 {
                 passive;
             }
             interface lo0.0;
         }
  15. Routing Policy Flow
     You can chain routing policies together:
     • Evaluation proceeds left to right until the software reaches a terminating action of accept or reject
     • The software supports flow-control actions such as next policy
     Diagram: Route → Policy 1 (Term A, Term B, Term C) → Policy 2 (Term A, Term B, Term C) → … → Policy n (Term A, Term B, Term C) → Default policy. Each term can accept or reject the route; the default policy accepts or rejects whatever reaches it.
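Slides 4, 12, 13 and 15 together describe an evaluation algorithm: terms in order, `from` deciding a match, `then` either terminating (accept/reject), steering (next term/next policy) or modifying attributes, and a protocol default at the end of the chain. The Python below is an added model of that algorithm, not Juniper code. It encodes `my-policy` from slide 13 and `default-static` from the case study as data, evaluates them as an OSPF export chain whose default is reject (slide 3), and adds a constructed policy `set-pref` (not on the slides) to show a `preference` modifier combined with `next policy`. Only the `exact` and `orlonger` route-filter types are implemented here, which is all these policies need.

```python
import ipaddress

# Added illustration of Junos-style policy evaluation; not Juniper code.
# A policy is (name, [terms]); a term is (name, from_dict_or_None, [then_actions]).
# then_actions are modifiers such as ("preference", 100), the terminating actions
# "accept"/"reject", or the flow-control actions "next term"/"next policy".


def route_filter_match(prefix, rf_prefix, match_type):
    r, p = ipaddress.ip_network(prefix), ipaddress.ip_network(rf_prefix)
    if match_type == "exact":
        return r == p
    if match_type == "orlonger":
        return r.version == p.version and r.subnet_of(p)
    raise ValueError(f"unsupported match type {match_type}")


def term_matches(route, frm):
    """A term without a from statement matches every route (slide 5 note)."""
    if not frm:
        return True
    if "protocol" in frm and route["protocol"] != frm["protocol"]:
        return False
    if "interface" in frm and route.get("interface") != frm["interface"]:
        return False
    if "route-filter" in frm and not any(      # several route filters: any one may match
        route_filter_match(route["prefix"], p, t) for p, t in frm["route-filter"]
    ):
        return False
    return True


def evaluate_chain(route, policies, default_action):
    """Walk policies left to right (slide 15); return (decision, route copy, matched terms)."""
    route = dict(route)                      # modifiers act on a copy of the route
    trace = []
    for pname, terms in policies:
        for tname, frm, then in terms:
            if not term_matches(route, frm):
                continue
            trace.append(f"{pname}/{tname}")
            flow = None
            for action in then:
                if isinstance(action, tuple):            # attribute modifier
                    route[action[0]] = action[1]
                elif action in ("accept", "reject"):     # terminating action
                    return action, route, trace
                else:                                    # "next term" / "next policy"
                    flow = action
            if flow == "next policy":
                break
            # "next term", or a then clause with only modifiers: continue with the next term
        # No terminating action reached in this policy: fall through to the next one.
    trace.append(f"default policy ({default_action})")
    return default_action, route, trace


MY_POLICY = ("my-policy", [                                   # slide 13
    ("accept-local-route", {"protocol": "local", "interface": "ge-0/0/0"}, ["accept"]),
    ("accept-some-static-routes",
     {"protocol": "static",
      "route-filter": [("172.18.1.0/24", "exact"), ("172.18.2.0/24", "exact")]},
     ["accept"]),
    ("accept-rip-routes", {"protocol": "rip"}, ["accept"]),
])

DEFAULT_STATIC = ("default-static", [                         # case study, slide 17
    ("accept-default-static",
     {"protocol": "static", "route-filter": [("0.0.0.0/0", "exact")]}, ["accept"]),
])

SET_PREF = ("set-pref", [                                     # constructed, not on the slides
    ("tag-static", {"protocol": "static"}, [("preference", 100), "next policy"]),
    ("reject-rest", None, ["reject"]),
])


def ospf_export(route, chain=(MY_POLICY, DEFAULT_STATIC)):
    """Export chain `export [ my-policy default-static ]`; OSPF's default export is reject (slide 3)."""
    return evaluate_chain(route, chain, "reject")


if __name__ == "__main__":
    for r in ({"prefix": "0.0.0.0/0", "protocol": "static"},
              {"prefix": "172.18.3.0/24", "protocol": "static"},
              {"prefix": "10.1.0.0/16", "protocol": "rip"}):
        print(r["prefix"], r["protocol"], "->", ospf_export(r))
```

The trace returned alongside the decision is the part worth keeping when debugging a real policy chain: it shows that the default route is accepted by `default-static` only because every term of `my-policy` declined it, and that a stray `reject` term placed before it would win by ordering alone.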
  16. Case Study: Objective and Topology
     Advertise the default static route defined on R1 into OSPF using routing policy:

         user@R1> show route protocol static
         inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
         + = Active Route, - = Last Active, * = Both
         0.0.0.0/0          *[Static/5] 00:00:44
                             > to 172.30.25.1 via ge-0/0/1.0

     Topology: Internet (.1) — 172.30.25.0/30 — (.2) R1; R1, R2, R3, and R4 are in OSPF Area 0.
  17. Case Study: Defining the Policy
     Sample routing policy configuration used to advertise R1’s default static route into OSPF:

         [edit policy-options]
         user@R1# show
         policy-statement default-static {
             term accept-default-static {
                 from {
                     protocol static;
                     route-filter 0.0.0.0/0 exact;
                 }
                 then accept;
             }
         }

     Annotations: default-static and accept-default-static are user-defined policy and term names; the from block is the match criteria; then accept is the action.
  18. Case Study: Applying the Policy
     Sample application of routing policy used to advertise R1’s default static route into OSPF:

         [edit protocols ospf]
         user@R1# show
         export default-static;
         area 0.0.0.0 {
             interface ge-0/0/2.0;
             interface ge-0/0/3.0;
             interface lo0.0;
         }

     The export statement exports the default static route from the route table to OSPF (R1, R2, R3, and R4 in Area 0).
     Note: Once you define routing policy and apply it, R1 floods an external LSA for the default static route to all OSPF routers in Area 0.
  19. Case Study: Monitoring the Results
     Sample verification step to ensure the routing policy works as expected (capture is taken from R4):

         user@R4> show route protocol ospf exact 0/0
         inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
         + = Active Route, - = Last Active, * = Both
         0.0.0.0/0          *[OSPF/150] 00:03:33, metric 0, tag 0
                             > to 172.19.3.1 via ge-0/0/2.0
                               to 172.19.4.1 via ge-0/0/3.0

     R4 installs the external default OSPF route flooded by R1 (topology as on slide 16: Internet — 172.30.25.0/30 — R1; R1, R2, R3, R4 in OSPF Area 0).
  20. What Is a Firewall Filter?
     Firewall filters control the traffic entering and leaving a networking device in a stateless fashion:
     • Processes every packet independently
     • Used to filter and monitor network traffic
  21. Building Blocks of Firewall Filters
     Firewall filters consist of one or more terms; the software evaluates terms sequentially until it reaches a terminating action.
     Diagram: my-filter (user-defined filter and term names) → term first-term: from → match → then; no match → term second-term: from → match → then; no match → term Default: discard (default action for packets not explicitly allowed).
     from statements describe match conditions. then statements describe the actions to take if a match with the from statement occurs.
     Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command.
  22. Common Match Criteria
     Firewall filters can match on most header fields. Match condition categories include:
     • Numeric range
     • Address
     • Bit field
     from statements describe match conditions.
  23. Firewall Filter Actions
     Common actions in firewall filters:
     • Terminating actions:
       • accept
       • discard
       • reject
     • Flow control:
       • next term
     • Action modifiers:
       • count, log, and syslog
       • forwarding-class and loss-priority
       • policer
     then statements describe the actions to take if a match with the from statement occurs.
     The software discards all traffic not explicitly allowed!
  24. Implementing Firewall Filters (1 of 2)
     Define firewall filters based on protocol family under the [edit firewall] hierarchy level:

         [edit firewall family inet]
         user@host# show
         filter filter-in {
             term block-some-packets {
                 from {
                     source-address {
                         10.10.10.0/24;
                     }
                 }
                 then {
                     count spoof-in;
                     discard;
                 }
             }
             term accept-others {
                 then accept;
             }
         }
         …

     The software applies family inet filters only to interfaces running IPv4. If discard is not present, then packets are accepted.
     Diagram: my-policy → term first-term (from → match → then; no match) → term second-term (from → match → then; no match) → term third-term (from → match → then).
  25. Implementing Firewall Filters (2 of 2)
     Apply firewall filters as input or output on an interface.
     • Protocol family on interface and filter must match:

         [edit interfaces ge-0/0/1]
         user@host# show
         unit 0 {
             family inet {
                 filter {
                     input filter-in;
                     output filter-out;
                 }
                 address 172.30.25.2/30;
             }
         }

     The software applies firewall filters using input and output statements. Input firewall filters control traffic entering an interface; output firewall filters control traffic leaving an interface.
     Tip: To avoid late night drives back to the office, use commit confirmed when activating filters!
  26. Test Your Knowledge (1 of 2)
     Apply a filter on R1’s ge-0/0/1.0 interface to allow HTTP traffic to 172.27.102.100.
     • Should the filter be applied as an input or output filter?
     Topology: Internet (.1) — 172.30.25.0/30 — (.2) ge-0/0/1.0 on R1 — (.1) 172.27.102.0/24 (MYNET, web server at .100).
  27. Test Your Knowledge (2 of 2)
     Which inbound traffic does the router permit? The filter is applied as an input filter.

         filter web-server {
             term allow-web-traffic {
                 from {
                     destination-address {
                         172.27.102.100/32;
                     }
                     protocol tcp;
                     port http;
                 }
                 then accept;
             }
             term deny-other-web-traffic {
                 from {
                     protocol tcp;
                     port http;
                 }
                 then {
                     discard;
                 }
             }
         }

     Topology: (.2) ge-0/0/1.0 on R1 — (.1) 172.27.102.0/24 (MYNET, web server at .100).
  28. Filtering Local Traffic (1 of 2)
     Apply filters to the lo0 interface to filter local traffic.
     • Filter must account for routing and management protocols
     Diagram: Frames/Packets In → Packet Forwarding Engine (Forwarding Plane) → lo0 → Routing Engine CPU (Control Plane).
  29. Filtering Local Traffic (2 of 2)
     Definition:

         filter limit-ssh-access {
             term ssh-accept {
                 from {
                     source-prefix-list {
                         trusted;
                     }
                     protocol tcp;
                     destination-port ssh;
                 }
                 then accept;
             }
             term ssh-reject {
                 from {
                     protocol tcp;
                     destination-port ssh;
                 }
                 then {
                     discard;
                 }
             }
             term else-accept {
                 then accept;
             }
         }

     Application:

         lo0 {
             unit 0 {
                 family inet {
                     filter {
                         input limit-ssh-access;
                     }
                     address 10.255.71.48/32;
                 }
             }
         }

     Think About It: Which problems might occur if you omit the else-accept term? It affects incoming traffic destined to the routing engine!
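The filters on slides 24, 27 and 29 all rely on the same evaluation rules: terms in order, a matched term with a terminating action ends evaluation, a matched term with only modifiers accepts (slide 24's note), and anything that falls off the end hits the implicit discard (slides 21 and 23). The Python model below is an added illustration, not Juniper code. It encodes the three filters as data and runs constructed packets through them, including the slide 29 "Think About It" case: the same OSPF packet to the routing engine with and without the `else-accept` term. The contents of the `trusted` prefix list and the port numbers for `http` and `ssh` are assumptions, since the slides do not show them.

```python
import ipaddress
from collections import Counter

# Added illustration of stateless firewall-filter evaluation; not Juniper code.
# A term is (name, from_dict_or_None, [then_actions]); packets are plain dicts.

PORTS = {"http": 80, "ssh": 22}                  # well-known values for the names the slides use
PREFIX_LISTS = {"trusted": ["10.255.71.0/24"]}   # constructed contents for the slide's 'trusted' list


def _in_any(addr, prefixes):
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p) for p in prefixes)


def _port(v):
    return PORTS.get(v, v)


def term_matches(pkt, frm):
    """An absent from statement matches every packet; every listed condition must hold."""
    if not frm:
        return True
    checks = {
        "source-address": lambda v: _in_any(pkt["src"], v),
        "destination-address": lambda v: _in_any(pkt["dst"], v),
        "source-prefix-list": lambda v: _in_any(pkt["src"], PREFIX_LISTS[v]),
        "protocol": lambda v: pkt["protocol"] == v,
        "port": lambda v: _port(v) in (pkt.get("sport"), pkt.get("dport")),  # either direction
        "destination-port": lambda v: _port(v) == pkt.get("dport"),
    }
    return all(checks[key](value) for key, value in frm.items())


def apply_filter(pkt, terms, counters=None):
    """Evaluate terms in order; return 'accept' or 'discard' for the packet."""
    for name, frm, then in terms:
        if not term_matches(pkt, frm):
            continue
        next_term = False
        for action in then:
            if isinstance(action, tuple) and action[0] == "count":
                if counters is not None:
                    counters[action[1]] += 1
            elif action == "accept":
                return "accept"
            elif action in ("discard", "reject"):   # reject also notifies the sender; the fate is the same
                return "discard"
            elif action == "next term":
                next_term = True
        if not next_term:
            return "accept"      # matched term with only modifiers: packet is accepted (slide 24 note)
    return "discard"             # implicit final term: traffic not explicitly allowed is dropped


FILTER_IN = [                                                          # slide 24
    ("block-some-packets", {"source-address": ["10.10.10.0/24"]}, [("count", "spoof-in"), "discard"]),
    ("accept-others", None, ["accept"]),
]

WEB_SERVER = [                                                         # slide 27
    ("allow-web-traffic",
     {"destination-address": ["172.27.102.100/32"], "protocol": "tcp", "port": "http"}, ["accept"]),
    ("deny-other-web-traffic", {"protocol": "tcp", "port": "http"}, ["discard"]),
]


def limit_ssh_access(with_else_accept=True):                           # slide 29
    terms = [
        ("ssh-accept", {"source-prefix-list": "trusted", "protocol": "tcp", "destination-port": "ssh"}, ["accept"]),
        ("ssh-reject", {"protocol": "tcp", "destination-port": "ssh"}, ["discard"]),
    ]
    if with_else_accept:
        terms.append(("else-accept", None, ["accept"]))
    return terms


# Constructed sample packets.
HTTP_TO_SERVER = {"src": "203.0.113.9", "dst": "172.27.102.100", "protocol": "tcp", "sport": 51000, "dport": 80}
HTTP_TO_OTHER = {"src": "203.0.113.9", "dst": "172.27.102.50", "protocol": "tcp", "sport": 51001, "dport": 80}
DNS_TO_SERVER = {"src": "203.0.113.9", "dst": "172.27.102.100", "protocol": "udp", "sport": 51002, "dport": 53}
SSH_TRUSTED = {"src": "10.255.71.5", "dst": "10.255.71.48", "protocol": "tcp", "sport": 40000, "dport": 22}
SSH_UNTRUSTED = {"src": "203.0.113.9", "dst": "10.255.71.48", "protocol": "tcp", "sport": 40001, "dport": 22}
OSPF_HELLO = {"src": "172.30.25.1", "dst": "224.0.0.5", "protocol": "ospf"}
SPOOFED = {"src": "10.10.10.7", "dst": "172.30.25.2", "protocol": "tcp", "sport": 1234, "dport": 80}

if __name__ == "__main__":
    for pkt in (HTTP_TO_SERVER, HTTP_TO_OTHER, DNS_TO_SERVER):
        print("web-server:", pkt["protocol"], pkt["dst"], pkt.get("dport"), "->", apply_filter(pkt, WEB_SERVER))
    for pkt in (SSH_TRUSTED, SSH_UNTRUSTED, OSPF_HELLO):
        print("lo0 with else-accept:", pkt["protocol"], "->", apply_filter(pkt, limit_ssh_access(True)),
              "| without:", apply_filter(pkt, limit_ssh_access(False)))
```

Running it answers slide 27's question directly: with `web-server` as an input filter, the only inbound traffic permitted is HTTP to 172.27.102.100, because other HTTP is discarded by the second term and everything else (DNS, ICMP, routing protocols) falls through to the implicit discard. The same fall-through is what breaks the lo0 filter when `else-accept` is omitted: the OSPF hello that the full filter accepts is dropped on its way to the routing engine.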
  30. Policing
     Policing (rate-limiting) enables you to limit the amount of traffic that passes into or out of an interface:
     • Works with firewall filters to thwart DoS attacks
       • Common actions include discard and setting the loss-priority level
     • Uses average bandwidth and maximum burst size
     Diagram: out-of-profile traffic goes to the bit bucket.
  31. Configuration Example

         [edit firewall]
         user@host# show
         policer p1 {
             if-exceeding {
                 bandwidth-limit 400k;
                 burst-size-limit 100k;
             }
             then discard;
         }
         family inet {
             filter rate-limit-subnet {
                 term match-subnet {
                     from {
                         source-address {
                             192.100.1.0/24;
                         }
                     }
                     then {
                         policer p1;
                     }
                 }
                 term else-accept {
                     then accept;
                 }
             }
         }

     Annotations: policer p1 is the policer definition; policer p1 under term match-subnet is the policer reference. You must apply the filter!
     bandwidth-limit: in bits per second; 30,520 bps to 4.29 Gbps.
     burst-size-limit: in bytes; minimum should equal 10 times the MTU (low speed) or bandwidth times 3–5 milliseconds (high speed).
     Note: The filter must account for routing and management protocols.
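Slides 30 and 31 give the two parameters of a policer (average bandwidth and maximum burst) without showing how they interact. The Python below is an added token-bucket model of `policer p1` and the `rate-limit-subnet` filter, not Juniper code: the bucket holds at most `burst-size-limit` bytes and refills at `bandwidth-limit` bits per second, a packet is in profile only if the bucket holds enough bytes for it, and out-of-profile packets take the policer's `then discard`. The packet stream (1500-byte packets every 10 ms, i.e. 1.2 Mbps) is constructed; timing is kept in whole milliseconds so the arithmetic is exact.

```python
import ipaddress

# Added token-bucket illustration of the slide's policer; not Juniper code.


class Policer:
    """Single-rate policer: bandwidth_limit in bits per second, burst_size_limit in bytes."""

    def __init__(self, bandwidth_limit_bps, burst_size_limit_bytes):
        self.bytes_per_ms = bandwidth_limit_bps / 8000   # 400k bps -> 50 bytes per millisecond
        self.capacity = burst_size_limit_bytes            # the bucket never holds more than the burst
        self.tokens = burst_size_limit_bytes              # starts full: the first burst passes untouched
        self.last_ms = 0

    def in_profile(self, t_ms, size):
        """Refill for the elapsed time, then spend `size` bytes if the bucket holds them."""
        self.tokens = min(self.capacity, self.tokens + (t_ms - self.last_ms) * self.bytes_per_ms)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


POLICED_SUBNET = ipaddress.ip_network("192.100.1.0/24")   # term match-subnet on the slide


def rate_limit_subnet(packets, policer):
    """The slide's filter: police packets sourced from 192.100.1.0/24, accept everything else."""
    accepted = discarded = 0
    for t_ms, src, size in packets:                        # packets are (time ms, source, bytes)
        if ipaddress.ip_address(src) in POLICED_SUBNET and not policer.in_profile(t_ms, size):
            discarded += 1                                 # policer p1: then discard
        else:
            accepted += 1                                  # in profile, or term else-accept
    return {"accepted": accepted, "discarded": discarded}


def constructed_burst(src, count, interval_ms=10, size=1500):
    """Constructed stream: `count` packets of `size` bytes every `interval_ms` (1500 B / 10 ms = 1.2 Mbps)."""
    return [(i * interval_ms, src, size) for i in range(count)]


if __name__ == "__main__":
    p1 = Policer(400_000, 100_000)    # bandwidth-limit 400k, burst-size-limit 100k
    print("policed source :", rate_limit_subnet(constructed_burst("192.100.1.7", 200), p1))
    print("other source   :", rate_limit_subnet(constructed_burst("172.16.5.5", 200), Policer(400_000, 100_000)))
```

The numbers illustrate the slide's guidance on burst size. A 100 kB bucket absorbs the first 99 packets of the 1.2 Mbps stream unchanged; after that the policer settles into accepting one packet in three, which is exactly 1500 bytes per 30 ms, or the configured 400 kbps. Over two seconds that is 133 accepted and 67 discarded, while the same stream from a source outside 192.100.1.0/24 is accepted in full by `else-accept`.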