Stratix 5900 ZFW Configuration Guide 07142014


5/22/2018 Stratix 5900 ZFW Configuration Guide 07142014

Copyright 2014 Rockwell Automation, Inc. All Rights Reserved. Rev 5058-CO900F

COMPANY INTERNAL - Internal Use Only

1783-SRKIT

Stratix 5900 Services Router:
Zone-Based Policy Firewall Configuration Guide Overview


Agenda

  • Zone-Based Policy Firewall (ZFW) Overview
  • Firewall vs. Router
  • Additional Information
  • Configuring a Zone-Based Policy Firewall (ZFW)


What is a Traditional Firewall?

A software or hardware device whose primary function is to permit or deny traffic as it attempts to enter or leave the network, based on explicit preconfigured policies or rules.

Preconfigured rules are called Access Control Lists (ACLs). ACLs are a collection of Permit and Deny statements. Each Permit and Deny statement is referred to as an Access Control Entry (ACE).

Firewalls are capable of inspecting the following elements of a packet:

  • Source MAC or IP Address
  • Destination MAC or IP Address
  • Source TCP or UDP Port
  • Destination TCP or UDP Port
  • Protocol (Layer 2, 3, 4 or 7)

[Figure: a firewall with an ACL between an Inside interface (10.10.30.10) and an Outside interface (192.168.10.100). ACEs, in order: Allow ICMP (ping) traffic to 10.10.30.10; Allow HTTPS traffic to 10.10.30.10; Block all other traffic.]
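The ACL in the figure, modelled as an added example that is not part of the original slides: a small Python evaluator that walks the ACEs top-down with first-match semantics, and a helper that reports entries an earlier entry shadows (a common review finding when ACLs grow). The packet fields, the use of TCP port 443 to express the slide's "HTTPS traffic", and the implicit deny when no ACE matches are assumptions of the example.

```python
"""Constructed model of the ACL on the slide: ACEs are evaluated top-down, the first
match wins, and anything not matched is blocked (the slide's 'block all other' entry)."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto dst dport")

# The three ACEs from the slide, in order. A field set to None matches anything.
# HTTPS is expressed as TCP/443 here (assumption; the slide only says "HTTPS traffic").
ACL = [
    {"action": "permit", "proto": "icmp", "dst": "10.10.30.10", "dport": None},  # Allow ICMP (ping)
    {"action": "permit", "proto": "tcp", "dst": "10.10.30.10", "dport": 443},    # Allow HTTPS
    {"action": "deny", "proto": None, "dst": None, "dport": None},               # Block all other traffic
]

FIELDS = ("proto", "dst", "dport")


def ace_matches(ace, pkt):
    """An ACE matches when every constrained field equals the packet's field."""
    return all(ace[f] is None or ace[f] == getattr(pkt, f) for f in FIELDS)


def evaluate(acl, pkt):
    """Return (action, index of the matching ACE); no match at all is an implicit deny."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], i
    return "deny", None


def shadowed(acl):
    """Indices of ACEs that can never fire because an earlier ACE already covers
    every packet they would match. Such entries are a sign of a mis-ordered ACL."""
    def covers(a, b):
        return all(a[f] is None or a[f] == b[f] for f in FIELDS)
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]
```

`evaluate(ACL, Packet("tcp", "10.10.30.10", 80))` returns `("deny", 2)`, hitting the explicit block-all entry; with that entry removed the same packet returns `("deny", None)`, the implicit deny. `shadowed(ACL)` is empty, but moving the block-all ACE to the top reports the permit entries as unreachable.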


What is an Integrated Services Router (ISR)?

An ISR is a router that integrates additional network features into the router:

  • Virtual Private Network (VPN) support
  • Firewall
  • Encryption Services

ISRs are routers by default, and security features such as firewalls or Access Control Lists (ACLs) must be implemented to secure the ISR.

ISRs are different from firewalls in that you must enable security, whereas a firewall is secured by default: firewalls require security rules to be written before communications can occur.


Firewall vs. Integrated Services Router

Similarities

  • Firewall features can be done by either, depending on where in the architecture
  • Both are stateful. A stateful firewall keeps the state information of the source and destination IP addresses, the source and destination ports and the connection flags. For instance, a stateful firewall will expect to see a connection establishment consisting of SYN, SYN/ACK and ACK packets before allowing a TCP conversation to occur between the hosts.

Differences

  • The ASA 55xx firewall is used for Industrial Demilitarized Zones (IDMZ)
  • The ASA 55xx supports Deep Packet Inspection, which is not recommended for the Stratix 5900
  • The ASA 55xx is a security appliance that is not a good router, while the Stratix 5900 is a router with limited security features

Positioning within the Converged Plantwide Ethernet (CPwE) reference architectures

  • Stratix 5900 Zone-Based Policy Firewall (ZFW) within the Cell/Area Zone or OEM application (machine or skid)



What is a Zone-Based Policy Firewall?

A Zone-Based Policy Firewall (ZFW) is a firewall that is configured to permit or deny traffic as it attempts to enter or leave a Security Zone, based on explicit preconfigured policies or rules.

ZFW allows the designer to create:

  • Security Zones
  • Security Policies, called Policy Maps, which are created to define the permit and deny traffic rules
  • Zone Pairs, which use the Policy Maps to define the traffic flow between the Security Zones

[Figure: a firewall with an Inside Security Zone (10.10.30.10) and an Outside Security Zone (192.168.10.100) joined by a Zone Pair (Inside Security Zone to Outside Security Zone). The Policy Map reads: Permit ICMP traffic to 10.10.30.10; Permit HTTPS traffic to 10.10.30.10; Deny all other traffic.]


Zone-Based Policy Firewall

A ZFW changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model.

Security Zones with the same security requirements are created. For example, an Inside Security Zone can be implemented for the Logix Controller(s), while an Outside Security Zone can be implemented to allow computers running configuration software to access the Logix Controller.

[Figure: Cell/Area A. Stratix 5900_1 with ports Fa0, Fa1, Fa2 and Fa3 on VLAN 10 in the Inside Security Zone (Logix controller, 10.10.30.10/24, Network A) and WAN0 in the Outside Security Zone, connected through a Layer 3 switch to Studio 5000 (192.168.10.100/24). Addresses shown on the WAN link: 172.28.42.2/24 and 172.28.42.1/24 (Networks B and C).]


Network Interface and VLAN Security Zone Assignments

Network Interfaces and VLANs are assigned to a Security Zone. For example, the WAN 0 network interface is assigned to the Outside Security Zone. By placing the WAN 0 interface in the Outside Security Zone, any traffic entering the Stratix 5900 through the WAN 0 interface can have security policies applied as it traverses from the Outside to the Inside Security Zone.

VLAN 10 is assigned to the Inside Security Zone, where the Logix Controller is located. The Fast Ethernet network interfaces (Fa0-3) are assigned to VLAN 10 and therefore are assigned to the Inside Security Zone.

[Figure: the Cell/Area A diagram. WAN0 of Stratix 5900_1 sits in the Outside Security Zone; VLAN 10 with Fa0-Fa3 and the Logix controller (10.10.30.10/24) sits in the Inside Security Zone; Studio 5000 (192.168.10.100/24) reaches WAN0 through a Layer 3 switch (172.28.42.1/24, 172.28.42.2/24).]


Security Policy Maps

Security Policy Maps are created to Permit or Deny traffic between Security Zones. For example, a Policy Map would be created to allow Studio 5000, using the CIP protocol, to communicate to the Logix Controller using TCP port 44818.

[Figure: the Cell/Area A diagram with a Security Policy Map named Outside-Inside-Map applied between Studio 5000 (192.168.10.100) and the Logix controller (10.10.30.10): INSPECT CIP Class 3, port 44818.]


Applying Policy Maps to Zone Pairs

Policy Maps are applied to Security Zone Pairs. For example, the Policy Map (Outside-Inside-Map) would be assigned to inspect the traffic from the Outside Security Zone to the Inside Security Zone.

[Figure: the Cell/Area A diagram with the Policy Map Outside-Inside-Map (INSPECT CIP Class 3, port 44818) applied to the zone pair from the Outside Security Zone to the Inside Security Zone, between 192.168.10.100 and 10.10.30.10.]


Zone Pairs

A Zone Pair allows you to specify a uni-directional firewall policy between two zones. Zone pairs allow you to leverage Policy Maps to define the communications between different security zones. We define zone pairs based on the source and destination security zone traffic flow.

[Figure: Inside Security Zone (VLAN 10, Fa0-Fa3) and Outside Security Zone (WAN0) connected by two zone pairs, In2Out and Out2In.]

  Zone Pair   Source Security Zone   Destination Security Zone   Policy Map Name
  Out2In      Outside                Inside                      Outside-Inside-Map
  In2Out      Inside                 Outside                     Inside-Outside-Map



Steps to Building a Zone-Based Policy Firewall

The tasks to building a ZFW can be graphically depicted as a set of Configuration Steps. Finishing the lowest, foundational steps is recommended before moving to higher steps. In the Configuration Steps below, defining the protocols that will be used with the firewall should be accomplished first; it is the lowest and most foundational step of configuring a ZFW.

For this exercise, when a Configuration Step is completed, it will be depicted with blue hash marks. For example, the Standard Protocols step is completed. The green box, User Defined Protocols, represents the step you are currently accomplishing.

[Figure: Configuration Aid. Configuration Steps, from the foundation up: Standard Protocols, User Defined Protocols, Class Map Inspection, Policy Map Protocol Inspection, Zones, Zone Pairs. Stratix Configurator location: Security -> Port to Application Mapping -> Add. Action Steps: User-CIP-CLASS3 (TCP 44818), User-CIP-CLASS1 (UDP 2222). Final Result: User-CIP-CLASS3, User-CIP-CLASS1.]


Configuration Aid: Steps to Building a ZFW

Location in the Stratix Configurator

In order to find where to enter the configuration in the Stratix Configurator, you will see a folder structure in the Configuration Aid. The folders represent where to find the needed dialog box or configuration window within the Stratix Configurator.

[Figure: Configuration Aid for the Class Map step (Configuration Steps: Standard Protocols, User Defined Protocols, Class Map Inspection, Policy Map Protocol Inspection, Zones, Zone Pairs). Stratix Configurator location: Security -> C3PL -> Class Maps -> Inspection -> Add. Action Steps: Class Map CIP with User-CIP-CLASS3 (TCP 44818) and User-CIP-CLASS1 (2222). Final Result: Class Map CIP containing User-CIP-CLASS3 and User-CIP-CLASS1.]


Configuration Aid: Steps to Building a ZFW

High Level Configuration Steps

You will also see an arrow labeled Action Steps within the Configuration Aid. These represent the high level actions or tasks that will be accomplished during this step.

[Figure: the same Configuration Aid for the Class Map step, with the Action Steps arrow highlighted: Security -> C3PL -> Class Maps -> Inspection -> Add, Class Map CIP with User-CIP-CLASS3 (TCP 44818) and User-CIP-CLASS1 (2222).]


Configuration Aid: Steps to Building a ZFW

Final Product or Output

Finally, within the Configuration Aid you will see the Final Result column, which represents the final product or output of the step you have completed.

[Figure: the same Configuration Aid for the Class Map step, with the Final Result column highlighted: Class Map CIP containing User-CIP-CLASS3 and User-CIP-CLASS1.]


Configuring a ZFW: Pre-defined / Standard Protocols

The Stratix 5900 includes pre-defined protocols that can be used to configure security policies. These pre-defined protocols include HTTP, ICMP, FTP and others. The list can be found under the Configure Tab -> Security -> C3PL -> Class Map -> Add in the Stratix Configurator.


Configuring a ZFW: Adding User Defined Protocols

When you want to use a protocol that is not in the pre-defined protocol list, you must add a User Defined Protocol. A User Defined Protocol such as CIP can be added through the Stratix Configurator -> Security -> Port to Application Mapping screen. Once completed, the User Defined Protocol will be available for use in the security policies.

[Figure: Configuration Aid for the User Defined Protocols step. Stratix Configurator location: Security -> Port to Application Mapping -> Add. Action Steps: User-CIP-CLASS3 (TCP 44818), User-CIP-CLASS1 (UDP 2222). Final Result: User-CIP-CLASS3, User-CIP-CLASS1.]


Configuring a ZFW: Port To Application Mapping

From the Port to Application Mapping screen, select Add to configure a new protocol.

  • Be sure to use the keyword identifier user when naming your protocol. The Protocol name in this example is user-CIP-Class3.
  • Select the Port Type: TCP
  • Enter the port number: 44818

All protocols that are not in the pre-defined protocol list are defined using this method.


Configuring a ZFW: Adding Class Maps

Class-maps define the traffic that a ZFW selects for policy application. Class-maps sort the traffic based on the following criteria:

  • Access-group: a standard, extended, or named Access Control List can filter traffic based on source and destination IP address and source and destination port
  • Protocol: any well-known or user-defined service known to the Stratix 5900 may be specified
  • Class-map: a subordinate class-map providing additional match criteria can be nested inside another class-map
  • Not: the not criterion specifies that any traffic that does not match a specified service (protocol), access-group or subordinate class-map will be selected for the class-map

[Figure: Configuration Aid for the Class Map Inspection step. Stratix Configurator location: Security -> C3PL -> Class Maps -> Inspection -> Add. Action Steps: Class Map CIP with User-CIP-CLASS3 (TCP 44818) and User-CIP-CLASS1 (2222). Final Result: Class Map CIP containing User-CIP-CLASS3 and User-CIP-CLASS1.]


Configuring a ZFW: Class Maps: Selecting from the Protocol List

Since we added a User Defined Protocol named user-CIP-Class3 in the previous steps, we will see this protocol under the User Defined protocol list.


Configuring a ZFW: Class Maps

Class-maps can apply "match-any" or "match-all" operators to determine how to apply the match criteria. If "match-any" is specified, traffic must meet only one of the match criteria in the class-map. If "match-all" is specified, traffic must match all of the class-map's criteria to belong to that particular class.


Configuring a ZFW: Class Maps Completed

Once the Class Maps are configured, the list will display:

  • Class Map Names
  • Details of the Class Map, including any pre-defined and User Defined Protocols, other subordinate Class Maps and Access Control Lists (ACLs)


Configuring a ZFW: Policy Maps

We now want to take the previously defined Class Maps and associate them to the following policies:

  • Inside to Outside Security Zone Policy
  • Outside to Inside Security Zone Policy

Policy maps specify the actions to be taken when traffic matches defined criteria.

[Figure: Configuration Aid for the Policy Map Protocol Inspection step. Stratix Configurator location: Security -> C3PL -> Policy Map -> Protocol Inspection -> Add. Action Steps: Policy Map Industrial, action Inspect on Class Map CIP (User-CIP-CLASS3, User-CIP-CLASS1). Final Result: Inspect Class Map CIP containing User-CIP-CLASS3 and User-CIP-CLASS1.]


Configuring a ZFW: Policy Maps

Traffic types and criteria are defined in class maps associated with a policy map. In order for a ZFW to use the information in a policy map and its associated class maps, the policy map must be associated with a zone-pair.

We will configure Zone Pairs in future steps, but it is important to understand that you will use the previously created objects. You will define whether you want to Drop, Pass or Inspect the protocols you have defined.


Configuring a ZFW: Adding the Outside to Inside Policy Map

  • From the Policy Map Protocol Inspection screen, select Add
  • Enter the Policy Name and Description
  • Select Add from the Add Protocol Inspection Policy Map window to associate your Class Maps from the previous steps


Configuring a ZFW: Associate Class Map to Policy Map (1 of 2)

From the Class Name pull-down selector, choose Select A Class Map.


Configuring a ZFW: Associate Class Map to Policy Map (2 of 2)

From the Existing Class Map list, select Outside-Inside-Inspect.


Configuring a ZFW: Inspect with Policy Maps

Once you have selected the Outside-Inside-Inspect Class Map, choose Inspect as the action.


Pass Rule vs. Inspect Rule? Pass Rule Example

[Figure: a host in the Inside Security Zone, the firewall interface with Outbound Rule = Pass ICMP (ping) and Inbound Rule = Deny ALL, and a host in the Outside Security Zone; the exchange is numbered Steps 1 to 3.]

In our example, if the host within the Inside Security Zone were to send an ICMP (ping) message (Step 1) to the host in the Outside Security Zone, then the firewall would pass the ICMP message (Step 2) to the host. See Outbound Rule = Pass ICMP.

The host in the Outside Security Zone would respond (Step 3) but would be blocked by the firewall because of the deny all rule (Inbound Rule = Deny ALL).

In our example, an explicit Inbound ICMP Pass Rule would have to be written to allow the host in the Outside Security Zone to send an ICMP message to the host in the Inside Security Zone.


Pass Rule vs. Inspect Rule? Inspect Rule Example

[Figure: a host in the Inside Security Zone, the firewall interface with Outbound Rule = Inspect ICMP (ping) and Inbound Rule = Deny ALL, and a host in the Outside Security Zone; the exchange is numbered Steps 1 to 4, with Step A "Create Temporary Firewall Rule To Allow ICMP Reply".]

In this example, we see in Step 1 that the host in the Inside Security Zone issues an ICMP message. The firewall not only allows the ICMP message to pass (Step 2) but also dynamically creates a rule to allow the host in the Outside Security Zone to respond (Step 3 and Step 4). See Outbound Rule = Inspect ICMP.

Inspect Rules will dynamically open the return port and keep track of the session information, so that when the session is complete the firewall closes the port that was dynamically opened.

We also see from our example that, with a Deny All Inbound Rule, no ICMP messages originated in the Outside Security Zone will be passed to the Inside Security Zone.


Configuring a ZFW: Policy Map Completed

Once the Policy Maps are configured, the list will display:

  • Policy Map Names
  • Details of the Policy Maps and the Action (Drop, Pass, Inspect) of the Policy


Configuring a ZFW: Security Zones

We now want to create our Security Zones:

  • Outside Security Zone: the security zone that does not contain Logix processors or Logix I/O systems directly connected to the local Stratix 5900
  • Inside Security Zone: the security zone that contains the locally connected Logix processor and I/O

[Figure: Configuration Aid for the Zones step (Configuration Steps: Standard Protocols, User Defined Protocols, Class Map Inspection, Policy Map Protocol Inspection, Zones, Zone Pairs). Stratix Configurator location: Security -> Firewall -> Firewall Components -> Zones -> Add. Action Steps: Inside = VLAN 10, Outside = GigabitEthernet0. Final Result: Inside and Outside zones.]


Configuring a ZFW: Adding the Outside Security Zone

From Firewall Components -> Zones, select Add to create the Outside Security Zone. Select the GigabitEthernet0 interface to be associated with the Outside Security Zone.


Configuring a ZFW: Adding the Inside Security Zone

From Firewall Components -> Zones, select Add to create the Inside Security Zone. Select VLAN 10 to be associated with the Inside Security Zone. Remember, at the beginning of this presentation we assigned all Fast Ethernet network interfaces to VLAN 10; therefore, all Fast Ethernet network interfaces will be assigned to the Inside Security Zone!


Configuring a ZFW: Security Zone Pairs (Out2In)

In our example, we will define Outside to Inside and Inside to Outside zone pairs. If you want traffic to flow from one zone to another, you need a zone-pair and a policy applied to that zone-pair. We will create the Outside to Inside Zone Pair and name it Out2In. The same method is used to create the In2Out Zone Pair.

[Figure: Configuration Aid for the Zone Pairs step (Configuration Steps: Standard Protocols, User Defined Protocols, Class Map Inspection, Policy Map Protocol Inspection, Zones, Zone Pairs). Stratix Configurator location: Security -> Firewall -> Firewall Components -> Zones Pairs -> Add: Out2In, Source Zone: Outside, Destination Zone: Inside, Policy: Outside-Inside-Policy. Final Result: a zone pair from the Outside Zone to the Inside Zone with its Policy Map applied.]


Configuring a ZFW: Out2In Zone Pair

From Firewall Components -> Zones Pairs, select Add to create the Out2In Zone Pair.

  • Select Outside as the Source Zone and Inside as the Destination Zone
  • Select Outside-Inside-Policy as the security policy


Review

  • You have added a User Defined Protocol (user-CIP-Class3) to be used within the Class Maps
  • You have added the Outside-Inside-Inspect Class Map to Match Any of the user-CIP-Class3 protocols that will be used with the Policy Maps
  • You have added Outside-Inside-Policy to Inspect the Outside-Inside-Inspect Class Map that contains the user-CIP-Class3 Protocol
  • You have added an Outside and an Inside Security Zone
  • You have created Out2In and In2Out Security Zone Pairs to apply the Outside-Inside-Policy Security Policy Map

[Figure: the Configuration Steps ladder with every step completed: Standard Protocols, User Defined Protocols, Class Map Inspection, Policy Map Protocol Inspection, Zones, Zone Pairs.]
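The configuration steps reviewed above, together with the match-any/match-all and Pass-versus-Inspect behaviour described on the earlier slides, in one added example that is not part of the slides and not Rockwell or Cisco code: a small Python evaluator that parses the same objects written in Cisco IOS zone-based firewall CLI form (assumed here, since the slides show only the Stratix Configurator screens) and then runs sample packets through them. The interface name Vlan10, the ICMP class map Ping, the contents of the In2Out policy Inside-Outside-Policy and the client ports 51000 and 52000 are constructed for the example; the other object names, the interface GigabitEthernet0, the hosts 10.10.30.10 and 192.168.10.100 and TCP port 44818 are the ones on the slides.

```python
"""Constructed evaluator for the ZFW objects built on the slides (IOS-style syntax assumed; names,
interfaces and the CIP port are from the deck). Zone pairs are one-directional, unmatched traffic
falls to class-default (drop), and 'inspect' records a session that admits the return traffic."""
from collections import namedtuple

CONFIG = """
ip port-map user-CIP-Class3 port tcp 44818
class-map type inspect match-any Outside-Inside-Inspect
 match protocol user-CIP-Class3
policy-map type inspect Outside-Inside-Policy
 class type inspect Outside-Inside-Inspect
  inspect
 class class-default
  drop
zone-pair security Out2In source Outside destination Inside
 service-policy type inspect Outside-Inside-Policy
interface GigabitEthernet0
 zone-member security Outside
interface Vlan10
 zone-member security Inside
"""
# Assumed In2Out objects for the pass-vs-inspect slides; ACTION is substituted per run.
IN2OUT = """
class-map type inspect match-any Ping
 match protocol icmp
policy-map type inspect Inside-Outside-Policy
 class type inspect Ping
  ACTION
 class class-default
  drop
zone-pair security In2Out source Inside destination Outside
 service-policy type inspect Inside-Outside-Policy
"""
Packet = namedtuple("Packet", "in_if src dst proto dport sport", defaults=(0, 0))


def parse(text):
    """Build lookup tables; an indented line belongs to the unindented block above it."""
    fw = {"portmap": {}, "classmaps": {}, "policies": {}, "zonepairs": {}, "ifzone": {}}
    kind = name = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw.startswith(" "):
            kind, name = w[0], w[-1]
            if kind == "ip":                        # ip port-map NAME port PROTO PORT
                fw["portmap"][(w[4], int(w[5]))] = w[2]
            elif kind == "class-map":               # w[3] is match-any or match-all
                fw["classmaps"][name] = {"mode": w[3], "protocols": set()}
            elif kind == "policy-map":              # ordered [class, action] pairs
                fw["policies"][name] = []
            elif kind == "zone-pair":               # keyed by (source, destination) zone
                name = (w[4], w[6])
                fw["zonepairs"][name] = None
        elif kind == "class-map" and w[0] == "match":
            fw["classmaps"][name]["protocols"].add(w[2])
        elif kind == "policy-map" and w[0] == "class":
            fw["policies"][name].append([w[-1], "drop"])   # action set by the next line
        elif kind == "policy-map" and w[0] in ("inspect", "pass", "drop"):
            fw["policies"][name][-1][1] = w[0]
        elif kind == "zone-pair" and w[0] == "service-policy":
            fw["zonepairs"][name] = w[3]
        elif kind == "interface" and w[0] == "zone-member":
            fw["ifzone"][name] = w[2]
    return fw


def matches(cm, app):
    """match-any: one criterion suffices; match-all: every criterion must hold."""
    hits = [p == app for p in cm["protocols"]]
    return any(hits) if cm["mode"] == "match-any" else all(hits)


def forward(fw, sessions, pkt, out_if):
    """Return the action taken for pkt arriving on pkt.in_if and routed out of out_if."""
    key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in sessions:
        return "inspect-return"                  # reply inside a session opened by 'inspect'
    src_zone, dst_zone = fw["ifzone"].get(pkt.in_if), fw["ifzone"].get(out_if)
    if src_zone == dst_zone:
        return "pass"                            # same zone (or no zones at all): not policed
    policy = fw["zonepairs"].get((src_zone, dst_zone))
    if policy is None:
        return "drop"                            # no zone pair in this direction
    app = fw["portmap"].get((pkt.proto, pkt.dport), pkt.proto)   # tcp/44818 -> user-CIP-Class3
    for class_name, action in fw["policies"][policy]:
        if class_name == "class-default" or matches(fw["classmaps"][class_name], app):
            if action == "inspect":
                sessions.add(key)
            return action
    return "drop"                                # implicit class-default


def cip_demo():
    """Studio 5000 (Outside) opens a CIP Class 3 connection to the Logix controller (Inside)."""
    fw, sessions = parse(CONFIG), set()
    syn = Packet("GigabitEthernet0", "192.168.10.100", "10.10.30.10", "tcp", 44818, 51000)
    syn_ack = Packet("Vlan10", "10.10.30.10", "192.168.10.100", "tcp", 51000, 44818)
    new_inside_conn = Packet("Vlan10", "10.10.30.10", "192.168.10.100", "tcp", 44818, 52000)
    return (forward(fw, sessions, syn, "Vlan10"), forward(fw, sessions, syn_ack, "GigabitEthernet0"),
            forward(fw, sessions, new_inside_conn, "GigabitEthernet0"))  # no In2Out pair: dropped


def icmp_demo(action):
    """Pass-vs-inspect slides: echo from the Inside host, reply from the Outside host."""
    fw, sessions = parse(CONFIG + IN2OUT.replace("ACTION", action)), set()
    echo = Packet("Vlan10", "10.10.30.10", "192.168.10.100", "icmp")
    reply = Packet("GigabitEthernet0", "192.168.10.100", "10.10.30.10", "icmp")
    return forward(fw, sessions, echo, "GigabitEthernet0"), forward(fw, sessions, reply, "Vlan10")
```

`cip_demo()` returns `('inspect', 'inspect-return', 'drop')`: the Studio 5000 connection matches user-CIP-Class3 and is inspected, its SYN/ACK is admitted on the recorded session, and a new connection originated on the Inside side is dropped because CONFIG defines no In2Out zone pair. `icmp_demo("pass")` returns `('pass', 'drop')` while `icmp_demo("inspect")` returns `('inspect', 'inspect-return')`, which is exactly the difference the two ICMP slides illustrate: a pass action forwards the echo but leaves the reply to the Out2In policy, whose class-default drops it.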


Zone-Based Policy Firewall Configuration Completed

With all the configuration steps completed, Studio 5000 will be able to go online with the Logix controller.

[Figure: the Cell/Area A diagram: Studio 5000 (192.168.10.100/24) in the Outside Security Zone reaching the Logix controller (10.10.30.10/24) on VLAN 10 in the Inside Security Zone through WAN0 of Stratix 5900_1 and the Layer 3 switch (172.28.42.1/24, 172.28.42.2/24).]


Stratix 5900 ZFW Configuration Guide: Coming Soon

Stratix 5900 Zone-Based Policy Firewall (ZFW) Configuration Guide, to be released summertime 2014.

A guide to help customers understand the fundamentals of ZFW by providing step by step configuration instructions to allow:

  • Studio 5000 to communicate with a Logix Controller
  • Produce / Consume messages between Logix Controllers

The Stratix 5900 ZFW Configuration Guide is more detailed than this PowerPoint:

  • Includes Access Control List examples
  • Includes Network Object Groups


Other References

  • Zone-Based Policy Firewall Design and Application Guide: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
  • Conceptual Difference Between Cisco IOS Classic and Zone-Based Firewalls: http://www.cisco.com/c/en/us/products/collateral/security/ios-firewall/prod_white_paper0900aecd806f31f9.html
  • Zone-Based Policy Firewalls: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-zbf-xe-asr1k-book/sec-zone-pol-fw.html
  • Zone Based Firewall 101 Video: http://www.youtube.com/watch?v=ZmmvQH0seEc

www.rockwellautomation.com

Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn.

COMPANY INTERNAL - Internal Use Only

Stratix 5900 Services Router:
Zone-Based Policy Firewall Configuration Guide Overview
1783-SRKIT