A firewall policy identifies specific characteristics of a data packet passing through the Mobility Access Switch and takes some action based on that identification. On a Mobility Access Switch, that action can be a firewall-type action such as permitting or denying the packet, an administrative action such as logging the packet, or a quality of service (QoS) action such as setting 802.1p bits or placing the packet into a priority queue. You can apply firewall policies to user roles to give differential treatment to different users on the same network, or to ports to apply the same policy to all traffic through the port.
Firewall policies are categorized as follows on the Mobility Access Switch:
- Stateful
- Stateless
Stateful and stateless firewall policies are mutually exclusive and cannot co-exist on the same user-role.
The following table compares the stateful and stateless firewall policies.

| Stateful Firewall Policies | Stateless Firewall Policies |
|---|---|
| Stateful: recognize flows in a network and keep track of the state of sessions. For example, if a firewall policy permits telnet traffic from a client, the policy also recognizes that inbound traffic associated with that session should be allowed. | Stateless: statically evaluate the packet contents. The traffic in the reverse direction will be allowed unconditionally. |
| Bidirectional: keep track of data connections traveling into or out of the network. ACLs are applied to either inbound traffic or outbound traffic. | Uni-directional: keep track of data connections traveling into or out of the network. ACLs are applied to inbound traffic. |
| Dynamic: the address information in the policy rules can change as the policies are applied to the users. For example, the alias user in a policy automatically applies to the IP address assigned to a particular user. | Static: the address information in the policy rules is static. |
Stateful Firewall Policy (Session ACL)
A session ACL is a stateful firewall which keeps track of the state of network connections such as TCP streams and UDP communication that hit the firewall. The firewall distinguishes the legitimate packets for different types of connections and allows only those packets that match a known active connection.
The Mobility Access Switch provides support for a stateful firewall using session ACLs, which can be applied to user-roles. The Mobility Access Switch enforces the stateful firewall policy exclusively on traffic routed through a firewall-enabled VLAN interface (the up-link VLAN) and forwards internal traffic in a stateless manner.
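The distinction the comparison table draws (stateless: reverse traffic allowed unconditionally; stateful: only packets matching a known active session are allowed back) can be made concrete with a small model. The following Python is an added example written for this page, not Aruba code and not the switch's actual implementation; the packet fields, the `from_user` direction flag, the `web-only` rule set and the three constructed packets are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a packet as the switch sees it. `from_user` is True for
# traffic entering on the user's port, False for traffic coming back toward the user.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    from_user: bool

# One access control entry in the page's <source> <dest> <service> <action> form.
# The service is modelled as (protocol, destination port); "any" matches anything.
@dataclass(frozen=True)
class Ace:
    src: str
    dst: str
    proto: str
    dport: Optional[int]   # None means any destination port
    action: str            # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

def evaluate(acl, p, default="deny"):
    """First-match evaluation; an ACL without a catch-all ends in an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return default

class StatelessAcl:
    """Stateless ACL: applied to inbound (user-originated) traffic only; the
    reverse direction is allowed unconditionally, as the table above states."""
    def __init__(self, acl):
        self.acl = acl

    def process(self, p):
        if not p.from_user:
            return "permit"
        return evaluate(self.acl, p)

class SessionAcl:
    """Stateful session ACL: a permitted first packet creates a session entry,
    and only packets belonging to a known session are allowed back through."""
    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()

    def process(self, p):
        fwd = (p.src, p.dst, p.proto, p.sport, p.dport)
        rev = (p.dst, p.src, p.proto, p.dport, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "permit"
        verdict = evaluate(self.acl, p)
        if verdict == "permit":
            self.sessions.add(fwd)
        return verdict

def run_scenario():
    """Constructed traffic: a permitted web request, its reply, and an unsolicited
    inbound connection attempt toward the client. Returns the verdicts per model."""
    web_only = [Ace("any", "any", "tcp", 80, "permit"),
                Ace("any", "any", "tcp", 443, "permit")]
    request = Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, from_user=True)
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000, from_user=False)
    unsolicited = Packet("198.51.100.7", "10.0.0.5", "tcp", 4444, 40001, from_user=False)
    results = {}
    for label, fw in (("stateless", StatelessAcl(web_only)), ("stateful", SessionAcl(web_only))):
        results[label] = {
            "request": fw.process(request),
            "reply": fw.process(reply),
            "unsolicited": fw.process(unsolicited),
        }
    return results

if __name__ == "__main__":
    for model, verdicts in run_scenario().items():
        print(model, verdicts)
```

Both models pass the request and its reply; only the session ACL drops the unsolicited packet toward the client, because no session exists for it and the rule set never matches a destination port of 40001. That is the property the up-link VLAN firewall provides and a stateless ACL does not.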
Configuring a Stateful Firewall Policy
This section describes how to configure a stateful firewall policy using session ACLs. To configure a stateful firewall policy, you must:
1. Create a session ACL and apply it to a user-role.
2. Enable firewall on the up-link VLAN interface.
If you modify a session ACL in the middle of an ongoing session, the policy is not enforced on that session until it is terminated.
Creating a Session ACL
Execute the following command to create a session ACL:
(host)(config) #ip access-list session <acl-name>
(host)(config-sess-<acl-name>)# <source> <dest> <service> <action> [<extended action>]
To choose source NAT as an extended action under the redirect option, ensure that it is the last option configured in the access control entry (ACE).
Execute the following command to apply the session ACL to a user-role:
(host)(config) #user-role <user>
(host)(config-role) #access-list session <acl-name>
Enabling Firewall on an Up-link VLAN Interface
Execute the following command to enable firewall on a specific VLAN.
(host) (config) #interface vlan <id>
(host) (vlan "id") #session-processing
You can enable session-processing on multiple VLAN interfaces.
Sample Configuration
The following example creates a policy, web-only, that allows web (HTTP and HTTPS) access.
(host)(config) #ip access-list session web-only
any any svc-http permit
any any svc-https permit
The following command applies the session ACL, web-only, to the user-role user2:
(host)(config) #user-role user2
(host)(config-role) #access-list session web-only
The following example enables firewall on VLAN 5:
(host) (config) #interface vlan 5
(host) (vlan "5") #session-processing
Verifying the Configuration
Execute the following command to verify the session ACL configuration:
(host) #show ip access-list web-only
ip access-list session web-only
web-only
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-http permit Low 4
2 any any svc-https permit Low 4
You can use the command to view the ACL equivalent of the session ACL used to forward the internal traffic.
Execute the following command to verify if the session ACL is applied to the user-role, user2:
(host) #show rights user2
Derived Role = 'user2'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 54/0
Max Sessions = 65535
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 web-only session
web-only
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-http permit Low 4
2 any any svc-https permit Low 4
Expired Policies (due to time constraints) = 0
Execute the following command to verify if the specified VLAN interface is firewall-enabled:
(host) (config) #show interface-config vlan 5
vlan "5"
--------
Parameter Value
--------- -----
Interface OSPF profile N/A
Interface PIM profile N/A
Interface IGMP profile N/A
Directed Broadcast Enabled Disabled
Interface shutdown Disabled
session-processing Enabled
mtu 1500
IP Address 5.5.5.2/255.255.255.0
IP NAT Inside Disabled
IPv6 Address N/A
IPv6 link local Address N/A
DHCP client Disabled
DHCP relay profile N/A
Ingress ACL pbr_acl
Interface description N/A
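The three show outputs above can be checked mechanically, which is useful when auditing the policy on many switches or after a change window. The following Python is an added example, not Aruba code; the sample outputs are copied from this page and trimmed, the parsing assumes the column layout shown here, and the checks encode the rules stated on this page (the role must carry the session ACL, a role cannot mix stateless and session ACLs, and session-processing must be enabled on the up-link VLAN).

```python
import re

# Constructed sample outputs, copied from the show commands on this page and trimmed.
SHOW_ACL = """\
ip access-list session web-only
web-only
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-http permit Low 4
2 any any svc-https permit Low 4
"""

SHOW_RIGHTS = """\
Derived Role = 'user2'
ACL Number = 54/0
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 web-only session
"""

SHOW_IFACE = """\
vlan "5"
--------
Parameter Value
--------- -----
session-processing Enabled
mtu 1500
IP Address 5.5.5.2/255.255.255.0
Ingress ACL pbr_acl
"""

def _rows_after(lines, header_prefix):
    """Return the whitespace-split data rows that follow a header line and its dashed underline."""
    rows = []
    for i, line in enumerate(lines):
        if line.startswith(header_prefix):
            for row in lines[i + 2:]:
                if not row.strip() or not row.split()[0].isdigit():
                    break
                rows.append(row.split())
            break
    return rows

def parse_acl(text):
    """Parse 'show ip access-list <name>' into its type, name and the first five ACE columns."""
    lines = text.splitlines()
    m = re.match(r"ip access-list (session|stateless) (\S+)", lines[0])
    if not m:
        raise ValueError("unrecognised access-list header")
    cols = ("priority", "source", "destination", "service", "action")
    aces = [dict(zip(cols, r[:5])) for r in _rows_after(lines, "Priority ")]
    return {"type": m.group(1), "name": m.group(2), "aces": aces}

def parse_rights(text):
    """Parse the 'access-list List' table of 'show rights <role>' into name/type pairs."""
    return [{"name": r[1], "type": r[2]} for r in _rows_after(text.splitlines(), "Position ")]

def parse_interface(text):
    """Parse the Parameter/Value table of 'show interface-config vlan <id>'."""
    params, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("--------- -----"):
            in_table = True
            continue
        if in_table and line.strip():
            *key, value = line.split()   # the value is the last token; the key may contain spaces
            params[" ".join(key)] = value
    return params

def check_stateful_policy(acl_text, rights_text, iface_text, expected_services):
    """Return a list of findings; an empty list means the stateful policy is in force as intended."""
    findings = []
    acl = parse_acl(acl_text)
    if acl["type"] != "session":
        findings.append(f"{acl['name']} is a {acl['type']} ACL, not a session ACL")
    permitted = {a["service"] for a in acl["aces"] if a["action"] == "permit"}
    for svc in expected_services:
        if svc not in permitted:
            findings.append(f"{acl['name']} does not permit {svc}")
    role_acls = parse_rights(rights_text)
    if not any(r["name"] == acl["name"] and r["type"] == "session" for r in role_acls):
        findings.append(f"role does not apply session ACL {acl['name']}")
    if any(r["type"] == "stateless" for r in role_acls):
        findings.append("role mixes stateless and session ACLs, which are mutually exclusive")
    if parse_interface(iface_text).get("session-processing") != "Enabled":
        findings.append("session-processing is not enabled on the up-link VLAN")
    return findings

if __name__ == "__main__":
    print(check_stateful_policy(SHOW_ACL, SHOW_RIGHTS, SHOW_IFACE, ["svc-http", "svc-https"]))
```

In practice the three strings would be collected from the switch over SSH; the checks are deliberately separate so that a finding points at the exact step of the procedure that was missed (ACL content, role binding, or VLAN firewall enablement).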
Understanding Application-Level Gateways (ALG) Support on Mobility Access Switch
An application-level gateway (ALG) is a firewall proxy that provides security to networks by filtering the incoming application data such as File Transfer Protocol (FTP) and Real Time Streaming Protocol (RTSP) based on respective protocol specifications.
ArubaOS provides support for the following types of ALGs on the Mobility Access Switch:
- Data ALGs: FTP, RTSP, DNS, and DHCP.
- VoIP ALGs: SIP and SCCP (Skinny).
The following are the limitations on the ALG support for the Mobility Access Switch:
- No support for SIP-initiated voice calls that use an IP other than the one used for the call initiation
- No support for VoIP over NAT
- No support for RTSP over NAT
- No support for multicast
- Maximum pause time limit of 300 seconds for streaming in RTSP ALG
You can configure data ALGs on the Mobility Access Switch for services running on both standard and non-standard ports.
Aruba recommends that the VoIP ALGs are configured only for services running on standard ports.
By default, all the ALGs are enabled on the Mobility Access Switch. You can enable or disable the VoIP ALGs using the firewall command.
You cannot disable the data ALGs on the Mobility Access Switch.
Configuring Application-Level Gateways (ALG)
You can configure an ALG for a service by creating an alias for the network service using the netservice command and applying it to a session ACL.
ALGs are functional only if the stateful firewall is enabled.
Sample ALG Configuration for FTP Running on a Non-Standard Port
To configure an ALG on a non-standard port, create an alias that specifies the port(s) on which the service is running, and use the alias in an ip access-list.
(host)(config) #netservice ftp1 tcp 10000 ALG ftp
(host)(config) #ip access-list session ftp_session
(host)(config-sess-ftp_session) #host 20.20.20.20 any ftp1 permit
ftp1 is the alias defined for the FTP service running on a non-standard port (10000).
Sample ALG Configuration for FTP Running on Standard Port
(host)(config) #netservice ftp2 tcp 21 ALG ftp
(host)(config) #ip access-list session ftp_session
(host)(config-sess-ftp_session) #host 20.20.20.20 any ftp2 permit
Enable session-processing on the up-link VLAN interface to enable ALG processing. The following sample enables session-processing on VLAN 100:
(host) (config) #interface vlan 100
(host) (vlan "100") #session-processing
Enabling/Disabling VoIP ALG
Executing the following command disables the SIP ALG on the Mobility Access Switch:
(host)(config) #firewall disable-stateful-sip-processing
You can verify the firewall configuration using the following command:
(host) #show firewall
Global firewall policies
------------------------
Policy Action Rate Port
------ ------ ---- ----
...
Stateful SIP Processing Disabled
Stateful SCCP Processing Enabled
...
Stateless Firewall Policy (Stateless ACL)
Stateless ACL does not store information on the connection state. It filters the packets based only on the information contained in the packet such as the source and destination address of the packet, its protocol, and the port number for TCP and UDP traffic.
Stateless ACLs are applicable to the network and physical layers, and sometimes the transport layer to find out the source and destination port numbers. When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the ACL rules that are configured in the firewall and drops or rejects the packet accordingly. When the packet passes through the firewall, it filters the packet on a protocol/port number basis. For example, if a rule in the firewall exists to block telnet access, then the firewall will block the TCP protocol for port number 23.
Creating a Stateless Firewall Policy
This section describes how to configure the rules that constitute a stateless firewall policy(stateless ACL). A stateless ACL can then be applied to a user role (until the policy is applied to a user role, it does not have any effect).
The following command is used to create a stateless ACL:
(host) (config) #ip access-list stateless <acl-name>
(host) (config-stateless-<acl-name>)# <source> <dest> <service> <action> [<extended action>]
The following command is used to apply the stateless ACL to a user-role:
(host) (config) #user-role <user>
(host) (config-role) #access-list stateless <acl-name>
Sample Configuration
The following example creates a policy, STATELESS:
(host)(config) #ip access-list stateless STATELESS
(host)(config-stateless-STATELESS) #network 10.100.100.0 255.255.255.0 any tcp 8888 deny log
(host)(config-stateless-STATELESS) #any host 1.100.100.200 any deny log
(host)(config-stateless-STATELESS) #any any any permit
The following command applies the stateless ACL, STATELESS, to the user-role user1:
(host) (config) #user-role user1
(host) (config-role) #access-list stateless STATELESS
Verifying the Configuration
Execute the following command to verify the stateless ACL configuration:
(host) #show ip access-list STATELESS
ip access-list stateless STATELESS
STATELESS
---------
Priority Source Destination Service Action TimeRange Log Expired QoS Policer Blacklist Mirror IPv4 Nexthop
-------- ------ ----------- ------- ------ --------- --- ------- --- ------- --------- ------ ---- -------
1 10.100.100.0 255.255.255.0 any tcp 8888 deny Yes 4
2 any 1.100.100.200 any deny Yes 4
3 any any any permit 4
Execute the following command to verify if the stateless ACL is applied to the user-role, user1:
(host) #show rights user1
Derived Role = 'user1'
Periodic reauthentication: Disabled
ACL Number = 55/0/56
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 STATELESS stateless
STATELESS
---------
Priority Source Destination Service Action TimeRange Log Expired QoS Policer Blacklist Mirror IPv4 Nexthop
-------- ------ ----------- ------- ------ --------- --- ------- --- ------- --------- ------ ---- -------
1 10.100.100.0 255.255.255.0 any tcp 8888 deny Yes 4
2 any 1.100.100.200 any deny Yes 4
3 any any any permit 4
Expired Policies (due to time constraints) = 0
Global Firewall Policies
You can set the following optional firewall parameters on the Mobility Access Switch using the firewall command in the CLI:
- Disables stateful SCCP processing. Default option is enabled.
- Disables stateful SIP processing. Default option is enabled.
- Drops all IP fragments.
- Enables per-packet logging. Default is per-session logging.
- Enforces TCP handshake before allowing data.
- Enforces TCP sequence numbers for all packets.
- Logs all received ICMP errors.
- Prohibits ARP spoofing.
- Prohibits IP spoofing.
- Prohibits TCP RST replay attack.
- Sets idle or closed session timeout in seconds.
- Configures destination for a mirrored session.
- Configures session mirror of all frames that are processed by IPSec.
- Sets VoIP session idle timeout in seconds.
Creating a Network Service Alias
A network service alias defines a TCP, UDP or IP protocol and a list or range of ports supported by that service. When you create a network service alias, you can use that alias when specifying the network service for multiple session ACLs.
To define a service alias via the command-line interface, access the CLI in config mode and issue the following command:
(host) (config) #netservice <name> <protocol>|tcp|udp {list <port>,<port>}|{<port> [<port>]}[ALG <service>]
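The netservice syntax above, and the FTP-on-port-10000 alias used in the ALG samples, can be validated before they are pushed to a switch. The following Python is an added example, not Aruba code; it parses the command forms shown on this page (a single port, a port range, a comma-separated list, an IP protocol number with no ports, and an optional ALG) into a structure and lets you ask which alias a given protocol/port would fall under. The aliases other than ftp1 and ftp2 are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class NetService:
    name: str
    protocol: str            # "tcp", "udp", or an IP protocol number as a string
    ports: Set[int] = field(default_factory=set)   # empty set means "any port" (IP protocol alias)
    alg: Optional[str] = None                      # ALG bound to this service, if any

# Grammar from the page: netservice <name> <protocol>|tcp|udp {list <port>,<port>}|{<port> [<port>]} [ALG <service>]
NETSERVICE_RE = re.compile(
    r"^netservice\s+(?P<name>\S+)\s+(?P<proto>tcp|udp|\d+)"
    r"(?:\s+list\s+(?P<list>\d+(?:,\d+)*)|\s+(?P<lo>\d+)(?:\s+(?P<hi>\d+))?)?"
    r"(?:\s+ALG\s+(?P<alg>\S+))?\s*$"
)

def parse_netservice(line: str) -> NetService:
    """Parse one netservice command line; raise ValueError on malformed input."""
    m = NETSERVICE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a netservice command: {line!r}")
    ports: Set[int] = set()
    if m["list"]:
        ports = {int(p) for p in m["list"].split(",")}
    elif m["lo"]:
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        if lo > hi:
            raise ValueError(f"port range reversed: {lo} {hi}")
        ports = set(range(lo, hi + 1))
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range in {line!r}")
    if m["proto"] not in ("tcp", "udp") and ports:
        raise ValueError("ports are only meaningful for tcp or udp")
    return NetService(m["name"], m["proto"], ports, m["alg"])

def service_matches(svc: NetService, proto: str, dport: int) -> bool:
    """True if traffic with this protocol and destination port falls under the alias."""
    return svc.protocol == proto and (not svc.ports or dport in svc.ports)

def build_table(lines):
    """Parse several netservice lines, rejecting duplicate alias names."""
    table = {}
    for line in lines:
        svc = parse_netservice(line)
        if svc.name in table:
            raise ValueError(f"duplicate alias {svc.name}")
        table[svc.name] = svc
    return table

def aliases_for(table, proto: str, dport: int):
    """Names of every alias that would match the given protocol/port, sorted."""
    return sorted(n for n, s in table.items() if service_matches(s, proto, dport))

# Constructed sample: the two FTP aliases from the page plus three assumed ones.
SAMPLE = [
    "netservice ftp1 tcp 10000 ALG ftp",
    "netservice ftp2 tcp 21 ALG ftp",
    "netservice web-pair tcp list 80,443",
    "netservice media udp 16384 16400",
    "netservice gre 47",
]

if __name__ == "__main__":
    table = build_table(SAMPLE)
    for name, svc in table.items():
        print(name, svc.protocol, sorted(svc.ports)[:3], svc.alg)
    print("tcp/10000 ->", aliases_for(table, "tcp", 10000))
```

Running `aliases_for` over a proposed ACL's services before deployment shows whether a non-standard port is actually covered by an alias carrying the intended ALG, which is the point of the ftp1 sample: without the `ALG ftp` binding on port 10000, the session ACL would permit the control connection but the FTP data channel would not be recognised.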