Personal Stateful Firewall Configuration


This chapter describes how to configure the Personal Stateful Firewall in-line service feature.
Important: In StarOS 8.x, Stateful Firewall for CDMA and early UMTS releases used rulebase-based configurations, whereas in later UMTS releases Stateful Firewall used policy-based configurations. In StarOS 9.0, Stateful Firewall for UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local service representative.
This chapter covers the following topics:
 
 
Before You Begin
This section lists the steps to perform before you can start configuring Stateful Firewall support on a system.
Step 1
Step 2
Step 3
 
Configuring the System
This section lists the high-level steps to configure Stateful Firewall support on a system.
Important: In StarOS 8.x, Stateful Firewall for CDMA and early UMTS releases used rulebase-based configurations, whereas later UMTS releases used policy-based configurations. In StarOS 9.0, Stateful Firewall for UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local service representative.
Step 1
Step 2
 
Configuring Stateful Firewall
This section describes how to configure Stateful Firewall support in a system.
Step 1
Step 2
Optional: Configure application-port maps for TCP and UDP protocols as described in the Configuring Port Maps section.
Step 3
Optional: Configure host pools as described in the Configuring Host Pools section.
Step 4
Optional: Configure IMSI pools as described in the Configuring IMSI Pools section.
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Optional: Configure the default Firewall-and-NAT policy as described in the Configuring Default Firewall-and-NAT Policy section.
Step 11
Step 12
Step 13
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
 
Enabling the ECS Subsystem and Creating the ECS Service
To enable the ECS subsystem and create the enhanced charging service on the system, use the following configuration:
 
configure
  require active-charging
  active-charging service <ecs_service_name> [ -noconfirm ]
  end
 
Configuring Port Maps
This is an optional configuration to create and configure port maps to use in access ruledef configuration.
 
To create and configure a port map use the following configuration:
configure
  active-charging service <ecs_service_name>
     port-map <port_map_name> [ -noconfirm ]
        port { <port_number> | range <start_port> to <end_port> }
        end
Notes:
 
Configuring Host Pools
This is an optional configuration to create and configure host pools to use in access ruledef configuration.
 
To create and configure a host pool use the following configuration:
configure
  active-charging service <ecs_service_name>
     host-pool <host_pool_name> [ -noconfirm ]
        ip { <ip_address> | <ip_address/mask> | range <start_ip_address> to <end_ip_address> }
        end
Notes:
 
Configuring IMSI Pools
This is an optional configuration to create and configure IMSI pools to use in access ruledef configuration.
 
To create and configure an IMSI pool use the following configuration:
configure
  active-charging service <ecs_service_name>
     imsi-pool <imsi_pool_name> [ -noconfirm ]
        imsi { <imsi_number> | range <start_imsi> to <end_imsi> }
        end
Notes:
 
Configuring Access Ruledefs
To create and configure an access rule definition use the following configuration:
 
configure
  active-charging service <ecs_service_name>
     access-ruledef <access_ruledef_name> [ -noconfirm ]
        bearer apn [ case-sensitive ] <operator> <value>
        bearer imsi { <operator> <msid> | { !range | range } imsi-pool <imsi_pool_name> }
        bearer username [ case-sensitive ] <operator> <user_name>
        icmp { any-match <operator> <condition> | code <operator> <code> | type <operator> <type> }
        ip { { { any-match | downlink | uplink } <operator> <condition> } | { { dst-address | src-address } { { <operator> { <ip_address> | <ip_address/mask> } } | { !range | range } host-pool <host_pool_name> } | protocol { { <operator> { <protocol> | <protocol_assignment> } } | { <operator> <protocol_assignment> } }
        tcp { any-match <operator> <condition> | { { dst-port | either-port | src-port } { { <operator> <port_number> } | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } }
        udp { any-match <operator> <condition> | { dst-port | either-port | src-port } { <operator> <port_number> | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } }
        create-log-record
        end
Notes:
 
Configuring Firewall-and-NAT Policies
To create and configure a Firewall-and-NAT Policy, use the following configuration:
configure
  active-charging service <ecs_service_name>
     fw-and-nat policy <fw_nat_policy_name> [ -noconfirm ]
        firewall policy firewall-required
        access-rule priority <priority> { [ dynamic-only | static-and-dynamic ] access-ruledef <access_ruledef_name> { deny [ charging-action <charging_action_name> ] | permit [ trigger open-port { <port_number> | range <start_port> to <end_port> } direction { both | reverse | same } ] }
        access-rule no-ruledef-matches { downlink | uplink } action { deny [ charging-action <charging_action_name> ] | permit }
        end
Notes:
The access-rule no-ruledef-matches CLI command configures the default action for packets that match no access ruledef. Rule matching is done only for the first packet of a flow, and the access-rule no-ruledef-matches configuration is consulted only when no rules match. The default setting for the uplink direction is “permit”, and for the downlink direction “deny”.
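To make the matching order concrete, the following is an added Python model (not Cisco's code, and a simplification of StarOS behaviour) of a Firewall-and-NAT policy: a port map, a host pool, two access ruledefs, priority-ordered access-rules, first-packet-only matching, and the documented no-ruledef-matches defaults. The names web-ports and corp-net, the 10.x addresses, and the treatment of lines within a ruledef as ANDed are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

@dataclass
class Packet:
    direction: str          # "uplink" (from subscriber) or "downlink" (to subscriber)
    protocol: str           # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0

def port_map(*ranges):      # port-map: single ports or 'range <start> to <end>' entries
    return lambda port: any(lo <= port <= hi for lo, hi in ranges)

def host_pool(*entries):    # host-pool: single addresses or address/mask entries
    nets = [ip_network(e, strict=False) for e in entries]
    return lambda ip: any(ip_address(ip) in n for n in nets)

# Ruledef lines; negate=True models the '!range' form of the range keyword.
def tcp_dst_port(pmap, negate=False):    # tcp dst-port { range | !range } port-map <name>
    return lambda p: p.protocol == "tcp" and pmap(p.dst_port) != negate
def ip_dst_address(pool, negate=False):  # ip dst-address { range | !range } host-pool <name>
    return lambda p: pool(p.dst_ip) != negate
def ip_downlink():                       # ip downlink = TRUE
    return lambda p: p.direction == "downlink"

@dataclass
class AccessRuledef:
    name: str
    conditions: List[Callable[[Packet], bool]]   # assumption: lines are ANDed
    def matches(self, pkt: Packet) -> bool:
        return all(c(pkt) for c in self.conditions)

@dataclass
class FwNatPolicy:
    rules: List[Tuple[int, AccessRuledef, str]]  # (priority, ruledef, "permit"/"deny")
    # access-rule no-ruledef-matches: documented defaults are uplink permit, downlink deny
    no_match: Dict[str, str] = field(default_factory=lambda: {"uplink": "permit", "downlink": "deny"})
    flows: Dict[tuple, Tuple[str, str]] = field(default_factory=dict)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        # Returns (action, matched rule); only a flow's first packet is rule-matched.
        key = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.flows:
            verdict = (self.no_match[pkt.direction], "no-ruledef-matches")
            for _prio, rdef, action in sorted(self.rules, key=lambda r: r[0]):
                if rdef.matches(pkt):
                    verdict = (action, rdef.name)
                    break
            self.flows[key] = verdict
        return self.flows[key]

def sample_policy() -> FwNatPolicy:
    # Constructed sample: deny non-web TCP into corp-net, permit inbound web to subscribers.
    web = port_map((80, 80), (443, 443), (8080, 8090))   # port-map web-ports
    corp = host_pool("10.10.0.0/16")                      # host-pool corp-net
    return FwNatPolicy(rules=[
        (10, AccessRuledef("deny-nonweb-to-corp", [ip_dst_address(corp), tcp_dst_port(web, True)]), "deny"),
        (20, AccessRuledef("permit-inbound-web", [ip_downlink(), tcp_dst_port(web)]), "permit"),
    ])
```

Later packets of a flow return the cached verdict, which is why a change to the access-rules only affects new flows unless the policy is switched with update active-charging.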
 
Configuring Protection from DoS and Other Attacks
To configure protection from DoS and other attacks, use the following configuration:
configure
  active-charging service <ecs_service_name>
     firewall port-scan { connection-attempt-success-percentage { non-scanner | scanner } <percentage> | inactivity-timeout <inactivity_timeout> | protocol { tcp | udp } response-timeout <response_timeout> | scanner-policy { block inactivity-timeout <inactivity_timeout> | log-only } }
     idle-timeout { icmp | tcp | udp } <idle_timeout>
     rulebase <rulebase_name>
        flow limit-across-applications { <limit> | non-tcp <limit> | tcp <limit> }
        icmp req-threshold <req_threshold>
        exit
     fw-and-nat policy <fw_nat_policy_name>
        firewall dos-protection { all | flooding { icmp | tcp-syn | udp } | ftp-bounce | ip-unaligned-timestamp | mime-flood | port-scan | source-router | tcp-window-containment | teardrop | winnuke }
        firewall flooding { { protocol { icmp | tcp-syn | udp } packet limit <packets> } | { sampling-interval <sampling_interval> } }
        firewall icmp-checksum-error { drop | permit }
        firewall icmp-destination-unreachable-message-threshold <messages> then-block-server
        firewall icmp-fsm
        firewall ip-reassembly-failure { drop | permit }
        firewall malformed-packets { drop | permit }
        firewall max-ip-packet-size <max_packet_size> protocol { icmp | non-icmp }
        firewall mime-flood { http-headers-limit <max_limit> | max-http-header-field-size <max_size> }
        firewall tcp-checksum-error { drop | permit }
        firewall tcp-fsm [ first-packet-non-syn { drop | permit | send-reset } ]
        firewall tcp-idle-timeout-action { drop | reset }
        firewall tcp-options-error { drop | permit }
        firewall tcp-reset-message-threshold <messages> then-block-server
        firewall tcp-syn-flood-intercept { mode { none | watch [ aggressive ] } | watch-timeout <intercept_watch_timeout> }
        firewall tcp-syn-with-ecn-cwr { drop | permit }
        firewall udp-checksum-error { drop | permit }
        firewall validate-ip-options
        end
Notes:
The firewall port-scan CLI command in the Active Charging Service Configuration Mode configures protection from port scanning.
The idle-timeout { icmp | tcp | udp } <idle_timeout> CLI command in the Active Charging Service Configuration Mode configures the Stateful Firewall idle timeout settings.
The flow limit-across-applications { <limit> | non-tcp <limit> | tcp <limit> } CLI command in the Rulebase Configuration Mode configures the maximum number of simultaneous flows per subscriber/APN sent to a rulebase regardless of flow type, or limits flows based on protocol type.
The icmp req-threshold <req_threshold> CLI command in the Rulebase Configuration Mode configures the maximum number of outstanding ICMP requests to store for ICMP reply matching. Stateful Firewall drops ICMP replies for which it has no record of a corresponding request.
The firewall dos-protection CLI command configures Stateful Firewall protection for subscribers from Denial-of-Service (DoS) attacks. Note that the following DoS attacks are only detected in the downlink direction: flooding, ftp-bounce, ip-unaligned-timestamp, mime-flood, port-scan, source-router, tcp-window-containment, teardrop, winnuke.
The firewall flooding CLI command configures Stateful Firewall protection from packet flooding attacks.
The firewall icmp-checksum-error { drop | permit } CLI command configures Stateful Firewall action on packets with ICMP Checksum errors.
The firewall icmp-destination-unreachable-message-threshold <messages> then-block-server CLI command configures the threshold on the number of ICMP error messages sent by subscribers for a particular data flow.
The firewall icmp-fsm CLI command enables Stateful Firewall’s ICMP Finite State Machine (FSM).
The firewall ip-reassembly-failure { drop | permit } CLI command configures Stateful Firewall action on packets involved in IP Reassembly Failure scenarios.
The firewall malformed-packets { drop | permit } CLI command configures Stateful Firewall action on malformed packets.
The firewall max-ip-packet-size <max_packet_size> protocol { icmp | non-icmp } CLI command configures the maximum IP packet size (after IP reassembly) that Stateful Firewall will permit to prevent packet flooding attacks.
The firewall mime-flood CLI command configures the maximum number of headers allowed in an HTTP packet, and the maximum header field size allowed in the HTTP header to prevent MIME flooding attacks. This command is only effective if DoS protection for MIME flood attacks has been enabled using the firewall dos-protection mime-flood command, and the route command has been configured to send HTTP packets to the HTTP analyzer.
The firewall tcp-checksum-error { drop | permit } CLI command configures Stateful Firewall action on packets with TCP Checksum errors.
The firewall tcp-fsm [ first-packet-non-syn { drop | permit | send-reset } ] CLI command enables Stateful Firewall’s TCP Finite State Machine (FSM).
The firewall tcp-idle-timeout-action { drop | reset } CLI command configures the action to take on TCP idle timeout expiry.
The firewall tcp-options-error { drop | permit } CLI command configures Stateful Firewall action on packets with TCP Option errors.
The firewall tcp-reset-message-threshold <messages> then-block-server CLI command configures the threshold on the number of TCP reset messages sent by the subscriber for a particular data flow.
The firewall tcp-syn-flood-intercept CLI command configures the TCP intercept parameters that prevent TCP SYN flooding attacks by intercepting and validating TCP connection requests, for the DoS protection mechanism configured with the firewall dos-protection command.
The firewall tcp-syn-with-ecn-cwr { drop | permit } CLI command configures Stateful Firewall action on TCP SYN packets with either ECN or CWR flag set.
The firewall udp-checksum-error { drop | permit } CLI command configures Stateful Firewall action on packets with UDP Checksum errors.
The firewall validate-ip-options CLI command enables the Stateful Firewall validation of IP options for errors. When enabled, Stateful Firewall will drop packets with IP Option errors.
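As an added illustration (not Cisco's code) of what the flooding parameters control, this Python sketch counts downlink packets per subscriber and protocol class within each sampling interval and drops those beyond the configured packet limit, mirroring firewall dos-protection flooding, firewall flooding protocol ... packet limit and firewall flooding sampling-interval. Fixed-window counting, the tcp-other class and the sample trace are assumptions constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

class FloodGuard:
    # Assumption: the sampling interval is a fixed window and packets beyond the
    # limit within a window are dropped. Per the chapter's notes, flooding is only
    # detected in the downlink direction, so uplink packets are never counted.
    def __init__(self, limits: Dict[str, int], sampling_interval: float):
        self.limits = limits                   # e.g. {"tcp-syn": 100, "udp": 200, "icmp": 50}
        self.interval = sampling_interval
        self.counts: Dict[Tuple[str, str, int], int] = defaultdict(int)

    def check(self, ts: float, subscriber: str, direction: str, pkt_class: str) -> str:
        """Return 'permit' or 'drop' for one packet seen at time ts (seconds)."""
        if direction != "downlink" or pkt_class not in self.limits:
            return "permit"
        window = int(ts // self.interval)      # which sampling interval ts falls in
        key = (subscriber, pkt_class, window)
        self.counts[key] += 1
        return "drop" if self.counts[key] > self.limits[pkt_class] else "permit"

def classify(protocol: str, tcp_flags: str = "") -> str:
    """Map a packet to the flooding classes the CLI names: icmp, tcp-syn, udp."""
    if protocol == "tcp":
        # Only pure SYNs count toward tcp-syn; SYN-ACKs and data segments do not.
        return "tcp-syn" if "S" in tcp_flags and "A" not in tcp_flags else "tcp-other"
    return protocol

def run_sample() -> List[str]:
    """Constructed trace: five downlink SYNs to one subscriber against a limit of 3,
    then an uplink SYN (ignored) and a SYN in the next sampling interval (fresh count)."""
    guard = FloodGuard({"tcp-syn": 3, "udp": 3, "icmp": 3}, sampling_interval=1.0)
    trace = [(0.1 + i * 0.1, "sub-A", "downlink", "tcp", "S") for i in range(5)]
    trace += [(0.8, "sub-A", "uplink", "tcp", "S"), (1.2, "sub-A", "downlink", "tcp", "S")]
    return [guard.check(ts, sub, d, classify(proto, fl)) for ts, sub, d, proto, fl in trace]
```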
 
Configuring Maximum Number of Servers to Track for DoS Attacks
To configure the maximum number of server IPs to be tracked for involvement in any kind of DoS attacks, use the following configuration:
configure
  active-charging service <ecs_service_name>
     firewall track-list attacking-servers <no_of_servers>
     end
 
Configuring Action on Packets Dropped by Stateful Firewall
To configure the accounting action on packets dropped by Stateful Firewall due to any error, use the following configuration:
configure
  active-charging service <ecs_service_name>
     rulebase <rulebase_name>
        flow any-error charging-action <charging_action_name>
        end
Notes:
For a packet dropped due to any error condition after the data session is created, the charging action applied is the one configured in the flow any-error charging-action command. For a packet dropped due to an access ruledef match or no match (first packet of a flow), the charging action applied is the one configured in the access-rule priority or the access-rule no-ruledef-matches command, respectively.
 
Configuring Dynamic Pinholes/ALGs
This section describes how to configure routing rules to open up dynamic pinholes for ALG functionality.
This section covers the following topics:
 
Creating Routing Ruledefs
To configure routing rules for FTP, SIP, and RTSP protocols use the following configuration:
configure
  active-charging service <ecs_service_name>
     ruledef <ruledef_name>
        tcp either-port <operator> <value>
        rule-application routing
        end
Notes:
 
Configuring Routing Ruledefs in the Rulebase
To configure the routing ruledefs in the rulebase use the following configuration:
configure
  active-charging service <ecs_service_name>
     rulebase <rulebase_name>
        route priority <priority> ruledef <ruledef_name> analyzer { ftp-control | rtsp } [ description <description> ]
        rtp dynamic-flow-detection
        end
Notes:
For RTSP ALG to work, in the rulebase, the rtp dynamic-flow-detection command must be configured.
 
Enabling Stateful Firewall Support for APN/Subscribers
This section describes how to enable Stateful Firewall support for APN/subscribers.
This section covers the following topics:
 
Enabling Stateful Firewall for APN
To configure the Firewall-and-NAT Policy in an APN use the following configuration:
configure
  context <context_name>
     apn <apn_name>
        fw-and-nat policy <fw_nat_policy_name>
        end
Notes:
 
Enabling Stateful Firewall for Subscribers
To configure the Firewall-and-NAT Policy in a subscriber template use the following configuration:
configure
  context <context_name>
     subscriber default
        fw-and-nat policy <fw_nat_policy_name>
        end
Notes:
 
Configuring Default Firewall-and-NAT Policy
This is an optional configuration to specify a default Firewall-and-NAT policy to use if in the APN/subscriber configurations the following command is configured:
default fw-and-nat policy
To configure the default Firewall-and-NAT policy, use the following configuration:
configure
  active-charging service <ecs_service_name>
     rulebase <rulebase_name>
        fw-and-nat default-policy <fw_nat_policy_name>
        end
 
Configuring Stateful Firewall Thresholds
This section describes how to configure Stateful Firewall threshold limits and polling interval for DoS-attacks, dropped packets, deny rules, and no rules.
This section covers the following topics:
 
Enabling Thresholds
To enable thresholds use the following configuration:
configure
  threshold monitoring firewall
  end
 
Configuring Threshold Poll Interval
To configure threshold poll interval use the following configuration:
configure
  threshold poll fw-deny-rule interval <poll_interval>
  threshold poll fw-dos-attack interval <poll_interval>
  threshold poll fw-drop-packet interval <poll_interval>
  threshold poll fw-no-rule interval <poll_interval>
  end
 
Configuring Threshold Limits
To configure threshold limits use the following configuration:
configure
  threshold fw-deny-rule <high_thresh> [ clear <low_thresh> ]
  threshold fw-dos-attack <high_thresh> [ clear <low_thresh> ]
  threshold fw-drop-packet <high_thresh> [ clear <low_thresh> ]
  threshold fw-no-rule <high_thresh> [ clear <low_thresh> ]
  end
 
Configuring Bulk Statistics Schema
To configure bulk statistics schema for the Personal Stateful Firewall service use the following configuration:
configure
  bulkstats mode
     context schema <schema_name> format <format_string>
     end
Notes:
For more information on format_string variable, see the Bulk Statistics Configuration Mode Commands chapter of the Command Line Interface Reference.
To configure the various parameters for bulk statistics collection prior to configuring the commands in this section, see the Configuring and Maintaining Bulk Statistics chapter of the System Administration Guide.
 
Configuring Flow Recovery
To configure flow recovery parameters for Stateful Firewall flows, use the following configuration:
configure
  active-charging service <ecs_service_name>
     firewall flow-recovery { downlink | uplink } [ timeout <timeout> ]
     end
 
Optional Configurations
This section describes optional administrative configurations.
The following topics are covered in this section:
 
 
Changing Stateful Firewall Policy in Mid-session
To change the Firewall-and-NAT policy in mid-session, in the Exec mode, use the following configuration:
update active-charging { switch-to-fw-and-nat-policy <fw_nat_policy_name> | switch-to-rulebase <rulebase_name> } { all | callid <call_id> | fw-and-nat-policy <fw_nat_policy_name> | imsi <imsi> | ip-address <ipv4_address> | msid <msid> | rulebase <rulebase_name> | username <user_name> } [ -noconfirm ]
Notes:
 
Configuring Stateless Firewall
This section describes how to configure Stateless Firewall processing wherein stateful checks are disabled.
To configure Stateless Firewall use the following configuration:
configure
  active-charging service <ecs_service_name>
     fw-and-nat policy <fw_nat_policy_name>
        no firewall icmp-fsm
        no firewall tcp-fsm
        end
Notes:
The no firewall icmp-fsm CLI command disables Stateful Firewall’s ICMP Finite State Machine (FSM). When disabled, ICMP replies without corresponding requests, ICMP error messages without an inner-packet data session, and duplicate ICMP requests are allowed by the firewall.
The no firewall tcp-fsm CLI command disables Stateful Firewall’s TCP Finite State Machine (FSM). When disabled, only the packet header check is done; there are no FSM checks, sequence number validations, or port scan checks.
 
Saving the Configuration
To save changes made to the system configuration, see the Verifying and Saving Your Configuration chapter.
 
Gathering Stateful Firewall Statistics
The following table lists commands to gather Stateful Firewall statistics.
 
Important: For more information on these commands, see the Exec Mode Commands chapter of the Command Line Interface Reference.
Table: Gathering Stateful Firewall Statistics
 
Managing Your Configuration
This section explains how to review the Personal Stateful Firewall configurations after saving them in a .cfg file, as described in the Verifying and Saving Your Configuration chapter, and how to retrieve errors and warnings within an active configuration for a service.
Output descriptions for most of these commands are available in the Command Line Interface Reference.
System Status and Personal Stateful Firewall Service Monitoring Commands
show configuration context <context_name>
show configuration errors section active-charging [ verbose ] [ | { grep <grep_options> | more } ]
show configuration errors verbose
show subscribers configuration username <user_name> | grep Firewall
show apn name <apn_name> | grep Firewall
 
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883