Configuring FPM

- For header field matching

■ Create a traffic class

- Define a protocol stack and specify exact parameters to match

- Using class map type "stack" and "access-control"

■ Create a traffic policy

- Define a service policy

■ Apply the service policy to an interface

© 2007 Cisco Systems, Inc. All rights reserved SNRS V2.0—3-6

FPM allows customers to create their own filtering policies that can immediately detect and block new viruses and attacks.

The process for configuring FPM consists of four steps.

Step 1 Load a PHDF from flash memory.

Step 2 Create a traffic class by defining class maps.

Once the appropriate PHDFs are loaded, a class-map command with type stack must be defined so that FPM knows which headers are present and in which order.

Once the stack of protocols is defined, a class map of type access-control is defined for classifying packets.

Step 3 Create a traffic policy by defining a service policy.

A policy map is an ordered set of classes and associated actions. The policy binds the class and action. Actions can be drop, ICMP response, log, or service-policy to nest another policy.

Step 4 Apply the service policy to an interface.

3-58 Securing Networks with Cisco Routers and Switches (SNRS) v2.0 © 2007 Cisco Systems, Inc.

PHDFs and Traffic Classes

This section covers how to load the PHDFs and create a class map to classify traffic.

PHDFs and Class Map

router(config)# load protocol flash:ip.phdf
router(config)# load protocol flash:udp.phdf
router(config)# class-map type stack match-all ip-udp
router(config-cmap)# description match UDP over IP packets
router(config-cmap)# match field ip protocol eq 0x11 next udp
router(config-cmap)# exit
router(config)# class-map type access-control match-all slammer
router(config-cmap)# description "match on slammer packets"
router(config-cmap)# match field udp dest-port eq 0x59A
router(config-cmap)# match field ip length eq 0x194
router(config-cmap)# match start l3-start offset 224 size 4 eq 0x4011010


This is an example of a filter policy used to mitigate the SQL Slammer attack. First, you load the PHDFs into the router. You then define a traffic class using class maps. The match criteria defined within the class maps are for Slammer: UDP packets with an IP length not to exceed 404 B (0x194), UDP destination port 1434 (0x59A), and the pattern 0x4011010 at 224 B from the start of the IP header.
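The slide stops after the class maps. The following completes the same Slammer filter through Step 3 (traffic policy) and Step 4 (interface application); it is an added example, not the course's own configuration, and the policy-map names fpm-udp-policy and fpm-policy and the interface GigabitEthernet0/1 are assumed.

```cisco
! Step 1: load the PHDFs (the location must be local to the router)
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
! Step 2: traffic classes from the slide
class-map type stack match-all ip-udp
 description match UDP over IP packets
 match field ip protocol eq 0x11 next udp
!
class-map type access-control match-all slammer
 description "match on slammer packets"
 match field udp dest-port eq 0x59A
 match field ip length eq 0x194
 match start l3-start offset 224 size 4 eq 0x4011010
!
! Step 3: traffic policy. The inner policy binds the slammer class to the
! drop action; the outer policy matches the ip-udp stack class and nests
! the inner policy with service-policy (policy names are assumed).
policy-map type access-control fpm-udp-policy
 class slammer
  drop
!
policy-map type access-control fpm-policy
 class ip-udp
  service-policy fpm-udp-policy
!
! Step 4: apply the outer policy inbound on an interface (interface name assumed)
interface GigabitEthernet0/1
 service-policy type access-control input fpm-policy
```

Because the inner policy is only reached through the ip-udp stack class, the udp field names in the slammer class resolve against the correct header offset.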

Complete these steps to configure FPM.

Loading a PHDF

To load a PHDF onto a router, use the load protocol command in global configuration mode. To unload all protocols from a specified location or a single protocol, use the no form of this command.

Step 1 Load the PHDF on the router.

router(config)# load protocol location:filename

Syntax Description

location:filename    Location of the PHDF that is to be loaded onto the router. When used with the no version of this command, all protocols loaded from the specified filename will be unloaded.

Note The location must be local to the router.


(single protocol name, no form only)    Unloads only the specified protocol.

Note If you attempt to unload a protocol that is being referenced by a filter, you will receive an error.

FPM allows users to classify traffic on the basis of any portion of a packet header given the protocol field, length, and pattern. Protocol headers are defined in separate files (PHDFs); the field names that are defined within the PHDFs are used for defining the packet filters. A PHDF is a file that allows the user to leverage the flexibility of XML to describe almost any protocol header. The important components of the PHDF are the version, the XML file schema location, and the protocol field definitions. The protocol field definitions name the appropriate field in the protocol header, allow for a comment describing the field, provide the location of the protocol header field in the header (the offset is relative to the start of the protocol header), and provide the length of the field. Users can choose to specify the measurement in bytes or in bits.
