Object groups

An ACL (access list) can allow clients to reach a particular server for a specific service. As the number of servers (or services) increases, the number of lines in the ACL increases with it.

Let's see how to implement security policies with access lists and how we can simplify the access list by using object grouping (by default, firewall ACLs are extended). First, let's look at the structure of an ACL on the PIX firewall.

MYPIX(config)# access-list 1 permit ?
configure mode commands/options:
  Enter protocol number (0 - 255)
  Hostname or A.B.C.D  Match based on destination network address
  ah
  any                  Abbreviation for an address and mask of 0.0.0.0 0.0.0.0
  eigrp
  esp
  gre
  host                 Use this keyword to configure destination host
  icmp
  icmp6
  igmp
  igrp
  ip
  ipinip
  ipsec
  nos
  object-group         Specify a service or protocol object-group after this  keyword
  ospf
  pcp
  pim
  pptp
  snp
  tcp
  udp

MYPIX(config)# access-list 1 permit tcp ?
configure mode commands/options:
  Hostname or A.B.C.D  Source IP address
  any                  Abbreviation for source address and mask of 0.0.0.0
                       0.0.0.0
  host                 Use this keyword to configure source host
  interface            Use interface address as source address
  object-group         Network object-group for source address

MYPIX(config)# access-list 1 permit tcp any ?
configure mode commands/options:
  Hostname or A.B.C.D  Destination IP address
  any                  Abbreviation for destination address and mask of 0.0.0.0  0.0.0.0
  eq                   Port equal to operator
  gt                   Port greater than operator
  host                 Use this keyword to configure destination host
  interface            Use interface address as destination address
  lt                   Port less than operator
  neq                  Port not equal to operator
  object-group         Optional service object-group name for source port or
                       network object-group for destination address
  range                Port range operator

MYPIX(config)# access-list 1 permit tcp any any ?
configure mode commands/options:
  eq            Port equal to operator
  gt            Port greater than operator
  inactive      Keyword for disabling an ACL element
  log           Keyword for enabling log option on this ACL element
  lt            Port less than operator
  neq           Port not equal to operator
  object-group  Optional service object-group for destination port
  range         Port range operator
  time-range    Keyword for attaching time-range option to this ACL element


With object grouping we can group objects of a similar type so that a single ACL entry applies to all the objects in the group.

The following types of object group exist:

icmp-type: a group of ICMP types, such as echo or echo-reply.

network: a group of host or subnet IP addresses; used to group client hosts, servers or subnets.

protocol: a group of IP protocols, such as TCP; it can contain the keywords icmp, ip, tcp or udp, or a number between 1 and 254 representing an IP protocol number.

service: a group of TCP or UDP ports; used to group the port numbers assigned to different services.

Let's do an example of how to use object groups.

(Image: Pix1)

(Image: Pix2)

First we are going to configure the access list, then we show how to use object groups.
Connections from a low security level (0, outside) to a high security level (100, inside) are denied unless the configuration explicitly permits them. An access list is bound to an interface with access-group and is evaluated for the traffic entering that interface, whether the connection is outbound (high-to-low security) or inbound (low-to-high security); an ACL is not necessary for traffic going from a higher security level to a lower one, which is allowed by default. The protocols inspected in the global_policy policy-map are not permitted by the inspection itself: inspection tracks connections the ACL has already allowed and opens their return and secondary channels (for example the FTP data connection).

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225 _default_h323_map
  inspect h323 ras _default_h323_map
  inspect rsh
  inspect rtsp
  inspect esmtp _default_esmtp_map
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class class-default

(Image: Pix3)

(Image: Pix4)
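Since the screenshots are not reproduced here, the following is an added example (not the post's own configuration) of the per-server access list that the object groups will later replace. It assumes PIX 7.x syntax, the four servers listed further down in the post, interface names outside (security level 0) and inside (security level 100) with made-up addresses, the ACL name OUTSIDE_IN, and that the inside addresses are reachable without NAT (nat-control disabled, the 7.x default on a fresh configuration).

```cisco
! Added example, not the post's screenshots: one ACE per server and service (PIX 7.x syntax).
! Assumptions: interface names/addresses below, servers 2.2.2.1-4 from the post,
! ACL name OUTSIDE_IN, and no NAT in the path (nat-control disabled).
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 2.2.2.254 255.255.255.0
!
! Every server/service pair needs its own line, so the list grows with the server count.
access-list OUTSIDE_IN extended permit tcp any host 2.2.2.1 eq www
access-list OUTSIDE_IN extended permit udp any host 2.2.2.2 eq syslog
access-list OUTSIDE_IN extended permit tcp any host 2.2.2.3 eq ftp
access-list OUTSIDE_IN extended permit tcp any host 2.2.2.4 eq smtp
! Explicit final deny with the log keyword, so dropped packets are logged and counted
! against a visible ACE (show access-list hitcnt) instead of the implicit deny.
access-list OUTSIDE_IN extended deny ip any any log
!
! Bind it inbound on outside: it is evaluated for traffic entering that interface
! (low -> high security). inside -> outside needs no ACL; it is allowed by default.
access-group OUTSIDE_IN in interface outside
!
! The ftp ACE only opens the control channel (tcp/21); "inspect ftp" in global_policy
! opens the data channel for connections this ACL has already permitted.
```

Verify with show access-list OUTSIDE_IN, which lists each ACE with its hit count; a hit count that stays at zero on the permit lines while the deny line climbs means the traffic is arriving on a different interface or address than expected.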

OK, that is working. Let's clear the access list in order to simplify this example using object groups.

(Image: 5)

(Image: Pix7)

(Image: Pix8)

Now say that we are told we need to configure our PIX to allow users to access the following servers, referencing them as a single object:

WWW      2.2.2.1
Syslog   2.2.2.2
FTP      2.2.2.3
Email    2.2.2.4

For the moment we will allow any IP traffic coming from the outside to reach these servers, and the requirement is to use the fewest lines possible in our configuration. Keep in mind that permitting ip from any source to the whole group is broader than the per-server lines it replaces; in production, pair the network group with a service group so that only the intended ports are open on each server.

So we can configure:

(Image: Pix9)

An object group can itself be a member of another object group (with the group-object command). For object groups to be nested they must be of the same type, for example all networks/hosts, all protocols, or all services.
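To show the four group types and nesting together, here is an added example (not the post's Pix9/Pix10 screenshots) of the object-group version of the policy for the same four servers. It assumes PIX 7.x syntax, the interface name outside, and group/ACL names of my choosing (SERVERS, SERVER_TCP, SERVER_UDP, PING, TCP_UDP, DMZ_ALL, OUTSIDE_IN); the extra host 2.2.2.5 is invented to illustrate nesting.

```cisco
! Added example, not the post's screenshots: the policy with object groups (PIX 7.x syntax).
! Assumed names: SERVERS, SERVER_TCP, SERVER_UDP, PING, TCP_UDP, DMZ_ALL, OUTSIDE_IN.
! Host 2.2.2.5 is invented; 2.2.2.1-4 are the servers from the post.
!
! network group: the four servers
object-group network SERVERS
 description Servers reachable from the outside
 network-object host 2.2.2.1
 network-object host 2.2.2.2
 network-object host 2.2.2.3
 network-object host 2.2.2.4
!
! service groups: one per transport (a service group is tcp, udp or tcp-udp)
object-group service SERVER_TCP tcp
 port-object eq www
 port-object eq ftp
 port-object eq smtp
object-group service SERVER_UDP udp
 port-object eq syslog
!
! icmp-type group
object-group icmp-type PING
 icmp-object echo
 icmp-object echo-reply
!
! protocol group: an ACE that uses one cannot carry port operators,
! so it is usually too broad for server access and is shown here only for the syntax
object-group protocol TCP_UDP
 protocol-object tcp
 protocol-object udp
!
! nesting: group-object pulls in another group of the same type
object-group network DMZ_ALL
 group-object SERVERS
 network-object host 2.2.2.5
!
! three ACEs replace the per-server lines
access-list OUTSIDE_IN extended permit tcp any object-group SERVERS object-group SERVER_TCP
access-list OUTSIDE_IN extended permit udp any object-group SERVERS object-group SERVER_UDP
access-list OUTSIDE_IN extended permit icmp any object-group DMZ_ALL object-group PING
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

show access-list OUTSIDE_IN prints each object-group ACE followed by the entries it expands to (every member host combined with every member port), each with its own hit count; that expanded list is what the firewall actually matches. The trade-off is visible there: the tcp ACE expands to 4 hosts x 3 ports = 12 entries, so it also permits www to the syslog server and ftp to the mail server, which the per-server list did not. If that is not acceptable, use one network group per server role with its own service group, or accept the broader policy knowingly.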

Finally we have:

(Image: Pix10)

Very nice feature Cisco!!

A Networker Blog
