Tuesday, 8 July 2008

Cisco Object-Group and how to use them

PIX and ASA firewalls are very powerful tools, but the access lists seem to get longer and longer as services and hosts are added. Every extra line puts more load on the CPU that has to check it and on the memory that has to store it, so what can we do?

Well, Cisco have been very nice to us in giving us a way to take those long ACLs (Access Control Lists) and make them shorter. The way they’ve done this is by using objects. An object represents a set of things such as a service, a group of hosts or even a network and mask.

Enough of the talk, it’s time for an example. This is how an old-style ACL commonly looks.

access-list outside_in extended permit tcp any host 209.165.201.10 eq www
access-list outside_in extended permit tcp any host 209.165.201.12 eq www
access-list outside_in extended permit tcp any host 209.165.201.14 eq www
access-list outside_in extended deny ip any any


Now as you can see, each server is listed on its own line, and this becomes both messy and unclear after a while. Once you’ve listed just six or seven services the list can become very large and almost unreadable when you are trying to troubleshoot it.

So what Cisco have done is given us the ability to reference services and hosts as groups of services/hosts, and as a result we can put them all into just one line.

object-group network DMZ_Web_Servers
network-object host 209.165.201.10
network-object host 209.165.201.12
network-object host 209.165.201.14
network-object 209.165.200.0 255.255.255.0


Now we have an object we can use in the access list that stands for all of these hosts in one short line.

access-list outside_in extended permit tcp any object-group DMZ_Web_Servers eq www

As you can see, the access list is much shorter, and because the groups can have logical names it’s much quicker to find the problem line or the missing object. There is more than one kind of object group, as you can see from the next few examples. First there is the ICMP object group.

object-group icmp-type icmp-allowed
icmp-object echo
icmp-object time-exceeded


Then there is the protocol object group. Tagged onto this is also an example of how you can nest groups: one object, in this case proto_grp_2, also allows everything in proto_grp_1 because proto_grp_1 is nested inside it.

object-group protocol proto_grp_1
protocol-object udp
protocol-object ipsec


object-group protocol proto_grp_2
protocol-object tcp
group-object proto_grp_1


Then there is the service object group. These are really port objects; they let you list the ports to be opened, and we will see later how we can combine them with other groups to open up the ports on many hosts at once.

object-group service eng_service tcp
group-object eng_www_service
port-object eq ftp
port-object range 2000 2005


Then there is the network object group for your common-or-garden hosts and subnets.

object-group network sjc_eng_ftp_servers
network-object host sjc.eng.ftp.servers
network-object host 172.23.56.194
network-object 192.1.1.0 255.255.255.224


And just to show that these can all be nested too, here is another example of a nested group, this time with network objects.

object-group network sjc_ftp_servers
network-object host sjc.ftp.servers
network-object host 172.23.56.195
network-object 193.1.1.0 255.255.255.224
group-object sjc_eng_ftp_servers


In this next example an object that contains both groups is given access to www, and the two nested groups are then given their own access as well, FTP for one and SMTP for the other.

object-group network host_grp_1
network-object host 192.168.1.1
network-object host 192.168.1.2


object-group network host_grp_2
network-object host 172.23.56.1
network-object host 172.23.56.2


object-group network all_hosts
group-object host_grp_1
group-object host_grp_2


access-list grp_1 permit tcp object-group host_grp_1 any eq ftp
access-list grp_2 permit tcp object-group host_grp_2 any eq smtp
access-list all permit tcp object-group all_hosts any eq www


As you've seen, what would have been 6 lines has been reduced to 3 lines in the final access lists, but we can do better.

Lastly, we can use several objects in a single access list entry to give all the hosts the services and permissions they need without writing a long and complicated access list. In this example the grouping lets the access list be configured in one line instead of 24 lines. With the grouping, the configuration looks like this.

object-group network remote
network-object host kqk.suu.dri.ixx
network-object host kqk.suu.pyl.gnl


object-group network locals
network-object host 172.23.56.10
network-object host 172.23.56.20
network-object host 172.23.56.194
network-object host 172.23.56.195


object-group service eng_svc
port-object eq www
port-object eq smtp
port-object range 25000 25100


access-list acl permit tcp object-group remote object-group locals object-group eng_svc
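To show where the "24 lines" come from, here is an added Python script (not from the original post or from Cisco) that expands an object-group ACL line into the flat entries the firewall actually evaluates, following nested group-object references the way the earlier examples nest them. The config it parses is a constructed copy of the example above, with RFC 5737 test addresses in place of the remote hostnames.

```python
import itertools
# Constructed sample config (not from a live device) mirroring the post's final example.
CONFIG = """
object-group network remote
 network-object host 203.0.113.10
 network-object host 203.0.113.20
object-group network locals
 network-object host 172.23.56.10
 network-object host 172.23.56.20
 network-object host 172.23.56.194
 network-object host 172.23.56.195
object-group service eng_svc tcp
 port-object eq www
 port-object eq smtp
 port-object range 25000 25100
"""
ACE = "access-list acl extended permit tcp object-group remote object-group locals object-group eng_svc"

def parse_groups(text):
    """Map each object-group name to its members; group-object lines are kept for nesting."""
    groups, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "object-group":
            current = parts[2]
            groups[current] = []
        elif parts and current and parts[0] == "group-object":
            groups[current].append(line.strip())
        elif parts and current and parts[0].endswith("-object"):
            groups[current].append(" ".join(parts[1:]))  # keep the value, drop the keyword
    return groups

def members(groups, name, seen=()):
    """Flatten a group, following nested group-object references and refusing cycles."""
    if name in seen:
        raise ValueError(f"circular nesting at {name}")
    flat = []
    for m in groups[name]:
        flat += members(groups, m.split()[1], seen + (name,)) if m.startswith("group-object") else [m]
    return flat

def expand_ace(ace, groups):
    """Replace each 'object-group NAME' pair by every member in turn: the flat ACEs the firewall evaluates."""
    tokens, choices = ace.split(), []
    for i, tok in enumerate(tokens):
        if tok == "object-group":
            choices.append(members(groups, tokens[i + 1]))
        elif i == 0 or tokens[i - 1] != "object-group":
            choices.append([tok])  # plain token, carried through unchanged
    return [" ".join(c) for c in itertools.product(*choices)]
```

Running expand_ace(ACE, parse_groups(CONFIG)) yields 2 x 4 x 3 = 24 entries, which is also a handy way to audit exactly what a grouped ACL permits.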

This concludes our lesson for the day, but remember: the shorter and more efficient the access list, the lower the load on the CPU and memory of the firewall.
