Instant messaging and peer-to-peer applications are two of the most widely used applications on the Internet. Most organizations view these applications as frivolous ways to consume expensive resources, including employee time and network bandwidth. Furthermore, instant messaging and peer-to-peer networks can act as a conduit for malicious threats such as worms, offering an easy path around firewalls and causing concerns about privacy and security.
Cisco® IOS® Software Release 12.4(9)T introduced native Cisco IOS Zone-Based Policy Firewall support for instant messaging and peer-to-peer applications on the integrated services router, allowing organizations to properly control instant messaging and peer-to-peer applications on their networks. This white paper offers some sample configurations using Cisco IOS Zone-Based Policy Firewall to monitor and block instant messaging and peer-to-peer traffic.
Table 1 lists some of the applications supported by Cisco IOS Zone-Based Policy Firewall.
Table 1. Instant Messaging and Peer-to-Peer Applications Supported by Cisco IOS Zone-Based Policy Firewall
An instant messaging application from America Online
A peer-to-peer (P2P) file sharing communications protocol from BitTorrent, Inc.
A peer-to-peer file sharing network
A peer-to-peer protocol that was used by the Kazaa, Grokster, iMesh, and Morpheus file sharing programs
A peer-to-peer protocol
An instant messaging application owned by America Online
A peer-to-peer file sharing application using the FastTrack protocol
An instant messaging client created by Microsoft
An instant messaging client by Microsoft, included with the Windows XP operating system
A peer-to-peer file sharing program authored by Frontcode Technologies
An instant messaging client from Yahoo
Application Inspection and Control
Application inspection and control (AIC) introduces additional capability to Cisco IOS Zone-Based Policy Firewall. Application inspection policies are applied at Layer 7 of the Open Systems Interconnection (OSI) model, where user applications send and receive messages that allow the applications to offer useful capabilities.
Application inspection and control varies in capability per service. For example, HTTP application inspection offers granular filtering on several types of application activity, including the ability to limit transfer size, web address lengths, and browser activity to enforce compliance with application-behavior standards and to limit the types of content that are transferred over the service. On the other hand, instant messaging and peer-to-peer application inspection offers granular application control on specific activities in the various protocols, so that certain application activities are allowed while others are denied. These instant messaging and peer-to-peer application activities include text chat, file search, file transfer, voice, and video.
Application inspection class maps allow you to identify traffic based on the attributes of a given protocol. All the match conditions in these class maps are specific to an application (for example, HTTP or Yahoo! Messenger). Application inspection class maps are identified by an additional subtype that generally is the protocol name (for instance, HTTP or YMSGR) in addition to the type inspect.
Application inspection policy maps are used to specify a policy for an application protocol. For example, if you want to drop HTTP traffic with URI lengths exceeding 256 bytes, you must configure an HTTP policy map to do that. Application inspection policy maps cannot be attached directly to a zone-pair. They must be configured as "child" policies in a top-level Layer 3 or Layer 4 policy map. For more information, please consult: http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html#wp1054769
Instant messaging and peer-to-peer traffic generally offer two modes of operation: a native mode, where the application runs on a uniquely defined set of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports, and "HTTP cloaked" mode, in which the application masquerades as HTTP (TCP port 80) traffic in order to gain passage through firewalls and other network policy controls. Some of the more advanced instant messaging and peer-to-peer applications implement sufficient RFC 2616 dialogue to appear as a legitimate conversation between a web browser and a web server.
Cisco IOS Zone-Based Policy Firewall provides both Layer 4 inspection to permit or deny instant messaging and peer-to-peer traffic and Layer 7 granular application control on specific instant messaging and peer-to-peer activities. The instant messaging and peer-to-peer applications can be individually denied or permitted. Each application may be individually controlled so that text chat service is allowed, and voice, file transfer, video, and other services are restricted. This functionality allows organizations to control instant messaging and peer-to-peer traffic that operates in HTTP cloaked mode and is disguised as HTTP (web) traffic.
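The following Python function is an added illustration, not part of the original white paper and not the router's inspection engine. It shows the kind of request-line and header check that a "protocol-violation" match performs on traffic using TCP port 80: a request that follows the RFC 2616 grammar (and, for HTTP/1.1, carries the mandatory Host header) is classified as HTTP, while a binary peer-to-peer stream or a loosely HTTP-shaped stream that breaks the grammar is flagged. All payloads are constructed for the example; the verdict names and the version set are the example's own choices.

```python
import re

# RFC 2616 grammar fragments used by the check: token, request line, header line.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"(" + TOKEN + rb") (\S+) HTTP/(\d)\.(\d)\r\n")
HEADER_LINE = re.compile(rb"(" + TOKEN + rb"):[ \t]*([^\r\n]*)\r\n")
SUPPORTED_VERSIONS = {(b"1", b"0"), (b"1", b"1")}


def inspect_request(data: bytes) -> tuple:
    """Classify the opening bytes a client sent on TCP port 80.

    Returns (verdict, reason) where verdict is 'http', 'protocol-violation'
    or 'incomplete'. Only the request line and header block are examined,
    which is enough to reject streams that use port 80 without speaking
    HTTP at all (the "HTTP cloaked" case).
    """
    m = REQUEST_LINE.match(data)
    if m is None:
        # A token followed by a space and no line ending yet may simply be a
        # request line that has not finished arriving.
        if b"\n" not in data and re.match(TOKEN + rb"( |$)", data):
            return ("incomplete", "request line still arriving")
        return ("protocol-violation", "first line is not an RFC 2616 request line")
    method, uri, major, minor = m.groups()
    if (major, minor) not in SUPPORTED_VERSIONS:
        return ("protocol-violation", "unsupported HTTP version %s.%s"
                % (major.decode(), minor.decode()))
    headers = {}
    pos = m.end()
    while not data.startswith(b"\r\n", pos):  # an empty line ends the header block
        if pos >= len(data):
            return ("incomplete", "header block not terminated")
        h = HEADER_LINE.match(data, pos)
        if h is None:
            return ("protocol-violation", "malformed header at offset %d" % pos)
        headers[h.group(1).lower()] = h.group(2)
        pos = h.end()
    if (major, minor) == (b"1", b"1") and b"host" not in headers:
        return ("protocol-violation", "HTTP/1.1 request without Host header")
    return ("http", "%s %s" % (method.decode(), uri.decode()))


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "http10": b"GET / HTTP/1.0\r\n\r\n",
    "binary": b"\x01\x02\x80\xff\x00\x10\x2b\x5d",          # non-HTTP bytes on port 80
    "lf_only": b"GET / HTTP/1.1\nHost: www.example.com\n\n",  # LF instead of CRLF
    "no_host": b"POST /upload HTTP/1.1\r\nContent-Length: 0\r\n\r\n",
    "bad_header": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
}


def run_samples() -> dict:
    """Verdict for each constructed sample, keyed by sample name."""
    return {name: inspect_request(payload)[0] for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print("%-10s %s" % (name, inspect_request(payload)))
```

The check is deliberately strict (CRLF line endings, a Host header on HTTP/1.1), which is exactly why a protocol-violation match can also catch legitimate sites with sloppy HTTP implementations; the "incomplete" verdict exists so that a partially captured request is not reported as a violation.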
We will examine a simple network to build an example of using Cisco IOS Zone-Based Policy Firewall to control peer-to-peer and instant messaging traffic, and to block cloaked applications that try to exploit TCP port 80 to gain access through the firewall (Figure 1). Our sample network consists of a private network connected to the public Internet through a Cisco router running Zone-Based Policy Firewall.
Figure 1. Example Network Using Cisco IOS Zone-Based Policy Firewall
The example network denies any traffic initiated from the public Internet to the private network, and allows the following traffic from the private network to the public Internet: Domain Name System (DNS) lookup, Simple Mail Transfer Protocol (SMTP), Post Office Protocol Version 3 (POP3), HTTP/HTTPS, Network Time Protocol (NTP), File Transfer Protocol (FTP), Internet Control Message Protocol (ICMP), any services provided in Yahoo! Messenger, and only text-chat in eDonkey. Furthermore, application inspection is applied on HTTP connections to help ensure that supported instant messaging and peer-to-peer applications are not carried on TCP port 80 (HTTP).
Configuring Firewall Policy to Control Instant Messaging and Peer-to-Peer Traffic
The private-to-public policy applies Layer 4 inspection to DNS, SMTP, POP3, HTTP/HTTPS, NTP, FTP, ICMP, Yahoo! Messenger, and eDonkey traffic passing from the private zone to the public zone. This allows connections from the private zone to the public zone, as well as their return traffic.
Layer 7 inspection (application inspection and control) policy is applied to control specific services within instant messaging and peer-to-peer applications, and unwanted use of HTTP's service port for other applications such as instant messaging, peer-to-peer, and tunneling applications that can redirect otherwise firewalled applications through TCP port 80 (HTTP).
To configure firewall policy, follow these steps:
1. Write the Layer 4 class map.
Define a class map that describes the traffic permitted from private zone to the public zone. Separate Layer 4 class maps are defined for HTTP, Yahoo! Messenger, and eDonkey. This is because Layer 7 application inspection policy for these protocols needs to be applied to their respective Layer 4 policy maps. The match protocol smtp extended command is used to inspect Extended SMTP (ESMTP) traffic.
class-map type inspect match-any L4-cmap
 match protocol dns
 match protocol smtp extended
 match protocol pop3
 match protocol https
 match protocol ntp
 match protocol ftp
 match protocol icmp
class-map type inspect match-any P2P-L4-cmap
 match protocol edonkey
class-map type inspect match-any IM-L4-cmap
 match protocol ymsgr
class-map type inspect match-any HTTP-L4-cmap
 match protocol http
2. Write the peer-to-peer application inspection and control (Layer 7) class map and policy map.
Peer-to-peer application inspection and control (Layer 7) augments Layer 4 stateful inspection with the capability to recognize and apply service-specific actions, such as selectively blocking or allowing file-search, file-transfer, and text-chat capabilities. Service-specific capabilities vary by service.
In the example, the allowed peer-to-peer traffic from the private zone to the public zone is text-chat only in eDonkey.
class-map type inspect edonkey match-any P2P-L7-allow-cmap
 match text-chat
class-map type inspect edonkey match-any P2P-L7-block-cmap
 match file-transfer
 match search-file-name
policy-map type inspect p2p P2P-L7-pmap
 class type inspect edonkey P2P-L7-allow-cmap
  allow
 class type inspect edonkey P2P-L7-block-cmap
  reset
3. Develop the instant messaging application inspection and control (Layer 7) class map and policy map.
In the example, the allowed instant messaging traffic from the private zone to the public zone is any services in Yahoo! Messenger.
class-map type inspect ymsgr match-any IM-L7-allow-cmap
 match service any
policy-map type inspect im IM-L7-pmap
 class type inspect ymsgr IM-L7-allow-cmap
  allow
4. Define the HTTP application inspection and control (Layer 7) class map and policy map.
Layer 7 HTTP application inspection and control is used to control unwanted use of the HTTP service port for other applications such as instant messaging, peer-to-peer, and tunneling applications that can redirect otherwise firewalled applications through TCP port 80 (HTTP).
Note that the protocol-violation match may block the content of some legitimate websites, because their HTTP implementations are not fully compliant with the RFCs.
class-map type inspect http match-any HTTP-L7-cmap
 match req-resp protocol-violation
 match request port-misuse any
policy-map type inspect http HTTP-L7-pmap
 class type inspect http HTTP-L7-cmap
  reset
5. Write the Layer 4 policy map.
Configure the Layer 4 policy map to inspect traffic on the class maps defined earlier.
policy-map type inspect L4-pmap
 class type inspect HTTP-L4-cmap
  inspect
  service-policy http HTTP-L7-pmap
 class type inspect P2P-L4-cmap
  inspect
  service-policy p2p P2P-L7-pmap
 class type inspect IM-L4-cmap
  inspect
  service-policy im IM-L7-pmap
 class type inspect L4-cmap
  inspect
6. Create the zones and assign interfaces to the zones.
Create the private and public zones and assign router interfaces to the respective zones, as follows:
zone security Private
zone security Public
! the interface names below are placeholders; use the router's actual inside and outside interfaces
interface FastEthernet0/0
 zone-member security Private
interface FastEthernet0/1
 zone-member security Public
7. Create a zone-pair and apply the policy map.
Create a zone-pair and apply the appropriate policy map:
zone-pair security Private-to-Public source Private destination Public
 service-policy type inspect L4-pmap
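As an added example (not from the white paper, and not a Cisco tool), the following Python checker verifies the reference structure that steps 1 to 7 build: every class referenced from a policy map must be a defined class map of the same subtype, every child service-policy must point to a defined Layer 7 policy map of the matching application type (names are case-sensitive), the policy attached to a zone-pair must be a Layer 4 policy map rather than a Layer 7 one, and the zones named by interfaces and zone-pairs must exist. The embedded configuration is a constructed, abridged version of the one assembled above with placeholder interface names, and it deliberately contains a lowercase `p2p-L7-pmap` where the policy map is defined as `P2P-L7-pmap`, the kind of slip a checker should catch.

```python
# Constructed sample in the form built in steps 1 to 7 (abridged to the HTTP and
# P2P branches; interface names are placeholders). The lowercase p2p-L7-pmap in
# the Layer 4 policy map is a deliberate case mismatch for the checker to report.
SAMPLE_CONFIG = """\
class-map type inspect match-any P2P-L4-cmap
 match protocol edonkey
class-map type inspect match-any HTTP-L4-cmap
 match protocol http
class-map type inspect edonkey match-any P2P-L7-allow-cmap
 match text-chat
class-map type inspect edonkey match-any P2P-L7-block-cmap
 match file-transfer
policy-map type inspect p2p P2P-L7-pmap
 class type inspect edonkey P2P-L7-allow-cmap
  allow
 class type inspect edonkey P2P-L7-block-cmap
  reset
class-map type inspect http match-any HTTP-L7-cmap
 match req-resp protocol-violation
 match request port-misuse any
policy-map type inspect http HTTP-L7-pmap
 class type inspect http HTTP-L7-cmap
  reset
policy-map type inspect L4-pmap
 class type inspect HTTP-L4-cmap
  inspect
  service-policy http HTTP-L7-pmap
 class type inspect P2P-L4-cmap
  inspect
  service-policy p2p p2p-L7-pmap
zone security Private
zone security Public
interface FastEthernet0/0
 zone-member security Private
interface FastEthernet0/1
 zone-member security Public
zone-pair security Private-to-Public source Private destination Public
 service-policy type inspect L4-pmap
"""

FIXED_CONFIG = SAMPLE_CONFIG.replace("p2p-L7-pmap", "P2P-L7-pmap")


def lint_zbf(config: str) -> list:
    """Return a list of unresolved or mistyped references in an IOS ZBF config."""
    class_maps, policy_maps, zones, refs = {}, {}, set(), []
    ctx = None  # ("pmap", name), ("zone-pair", name) or ("interface", name)
    for n, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["class-map", "type", "inspect"]:
            # A subtype (edonkey, ymsgr, http, ...) marks a Layer 7 class map;
            # a Layer 4 class map has only the optional match-any/match-all keyword.
            class_maps[t[-1]] = t[3] if len(t) >= 5 and not t[3].startswith("match-") else None
            ctx = None
        elif t[:3] == ["policy-map", "type", "inspect"]:
            policy_maps[t[-1]] = t[3] if len(t) == 5 else None  # None = Layer 4 policy map
            ctx = ("pmap", t[-1])
        elif t[:3] == ["class", "type", "inspect"] and ctx and ctx[0] == "pmap":
            refs.append((n, "class", t[-1], t[3] if len(t) == 5 else None))
        elif t[:3] == ["service-policy", "type", "inspect"] and ctx and ctx[0] == "zone-pair":
            refs.append((n, "zone-pair-policy", t[3], None))
        elif t[0] == "service-policy" and len(t) == 3 and ctx and ctx[0] == "pmap":
            refs.append((n, "child-policy", t[2], t[1]))  # service-policy <app> <name>
        elif t[:2] == ["zone", "security"]:
            zones.add(t[2])
            ctx = None
        elif t[:2] == ["zone-pair", "security"]:
            refs += [(n, "zone", t[4], None), (n, "zone", t[6], None)]
            ctx = ("zone-pair", t[2])
        elif t[:2] == ["zone-member", "security"]:
            refs.append((n, "zone", t[2], None))
        elif t[0] == "interface":
            ctx = ("interface", t[1])
    problems = []
    for n, kind, name, want in refs:
        if kind == "class":
            if name not in class_maps:
                problems.append(f"line {n}: class-map {name} is not defined")
            elif class_maps[name] != want:
                problems.append(f"line {n}: class-map {name} has subtype {class_maps[name]} but is used as {want}")
        elif kind == "child-policy":
            if name not in policy_maps:
                problems.append(f"line {n}: service-policy {want} {name}: no such policy-map (names are case-sensitive)")
            elif policy_maps[name] != want:
                problems.append(f"line {n}: policy-map {name} is type {policy_maps[name]} but attached as {want}")
        elif kind == "zone-pair-policy":
            if name not in policy_maps:
                problems.append(f"line {n}: zone-pair policy {name} is not defined")
            elif policy_maps[name] is not None:
                problems.append(f"line {n}: {name} is a Layer 7 ({policy_maps[name]}) policy map; only a Layer 4 policy map can be attached to a zone-pair")
        elif kind == "zone" and name not in zones:
            problems.append(f"line {n}: zone {name} is not defined")
    return problems


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label + ":", lint_zbf(cfg) or ["no problems found"])
```

The checker ignores the match criteria and actions inside each block and looks only at the name references, which is where the class-map/policy-map hierarchy described earlier (Layer 7 policies only as children of a Layer 4 policy map) is easiest to get wrong by hand.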
For More Information
For more information about Cisco IOS Zone-Based Policy Firewall, refer to the following configuration and design guides: