Introduced in PIX software v6.2, object grouping is a major advancement toward making very complex access lists much simpler to configure on the PIX. Before the object-grouping feature was available, each unique network, node, service, and protocol combination that needed to be defined in an access list had to be configured with a separate access-list statement. However, in most organizational security policies, groups of entries have similar access rights. Object groups allow groups of network addresses, services, protocols, and ICMP types to be defined, thereby reducing the number of access list entries needed.
For example, say that an organization wants to deny inside users access to a number of external FTP servers because they are known to be sources of illegal software and viruses. Without object groups, an access list entry has to be defined for each individual FTP server. However, using object groups, we can define a network object group containing a list of hosts that contains all the IP addresses of the banned FTP servers. IP addresses can easily be added and removed from this group at will. Now, only one access list entry has to be created denying access to the object group from the inside. The access list does not need to be modified if entries are added or removed from the object group. As you can see, object groups allow for simplification of access list configuration and maintenance.
There are four types of object groups: icmp-type, protocol, network, and service. Each object group type corresponds to a field in the access-list or conduit command. Once an object group has been created, a subconfiguration mode is entered so the group can be populated. Each object group type has different subconfiguration options, so we will look at each separately. Once an object group has been configured, it can be used in an access-list or conduit command.
An ICMP-type object group is a group of ICMP-type numerical or literal values. ICMP-type object groups can be used in place of the icmp-type parameter in an access list or conduit. To create an ICMP-type object group, the syntax is:
object-group icmp-type <grp_id>
Once an object group has been defined, the subconfiguration mode enables the object group to be populated. At this stage, an optional description can be specified using the description subcommand. To populate the ICMP-type object group, the syntax is as follows:
icmp-object <icmp_type>
For example, the following object group defines ICMP-type values that will be used later with an access list or conduit:
PIX1(config)# object-group icmp-type icmp-grp
PIX1(config-icmp-type)# description ICMP Type allowed into the PIX
PIX1(config-icmp-type)# icmp-object echo-reply
PIX1(config-icmp-type)# icmp-object unreachable
PIX1(config-icmp-type)# exit
PIX1(config)# exit
A network object group is a group of host IP addresses or networks. Network object groups can be used in place of a src_addr or dst_addr parameter in an access list or conduit statement. To create a network object group, the syntax is as follows:
object-group network <grp_id>
Network object groups have two subcommands for defining the group of hosts and networks. The syntax for defining a host entry in the object group is:
network-object host <host_addr | host_name>
The host_addr parameter is the IP address of the host being added to the object-group. Alternatively, the host_name parameter specifies the hostname of a host defined using the name command.
The syntax for defining a network entry in the object group is:
network-object <net_addr> <netmask>
For example, the following object group defines host and network values to be used later with an access list or conduit:
PIX1(config)# object-group network net-grp
PIX1(config-network)# description List of Public HTTP Servers
PIX1(config-network)# network-object host 192.168.1.10
PIX1(config-network)# network-object host 172.16.10.1
PIX1(config-network)# network-object 172.16.2.0 255.255.255.0
PIX1(config-network)# exit
PIX1(config)# exit
A protocol object group is a group of protocol numbers or literal values. Protocol object groups can be used in place of the protocol parameter in an access list or conduit. To create a protocol object group, the syntax is as follows:
object-group protocol <grp_id>
Once an object group has been defined, the subconfiguration mode enables the object group to be populated. To populate the protocol object group, the syntax is:
protocol-object <protocol>
The protocol parameter is a protocol number or literal value. For example, the following object group defines a group of protocols that will be used later with an access list or conduit to provide VPN access:
PIX1(config)# object-group protocol vpn-grp
PIX1(config-protocol)# description Protocols allowed for VPN Access
PIX1(config-protocol)# protocol-object ah
PIX1(config-protocol)# protocol-object esp
PIX1(config-protocol)# protocol-object gre
PIX1(config-protocol)# exit
PIX1(config)# exit
A service object group is a group of TCP and/or UDP port numbers or port number ranges. Service object groups can be used in place of the port parameter in an access list or a conduit. The syntax to create a service object group is as follows:
object-group service <grp_id> tcp|udp|tcp-udp
Since a service object group is a listing of ports and port ranges, the ports defined need to be configured as TCP, UDP, or both TCP and UDP. The tcp, udp, and tcp-udp keywords define the common IP protocol for all ports listed in the object group. The subconfiguration command syntax to populate the service object group with a single port is:
port-object eq <port>
The subconfiguration command syntax to populate the service object group with a range of ports is:
port-object range <begin-port> <end-port>
For example, the following object group defines a group of ports that all Web servers within an organization need to have opened on the firewall:
PIX1(config)# object-group service websrv-grp tcp
PIX1(config-service)# description Ports needed on public web servers
PIX1(config-service)# port-object eq 80
PIX1(config-service)# port-object eq 8080
PIX1(config-service)# port-object range 9000 9010
To verify that an object group was created and populated with the correct information, we can view the current object group configuration using the show object-group command:
PIX1# show object-group
object-group icmp-type icmp-grp
  description: ICMP Type allowed into the PIX
  icmp-object echo-reply
  icmp-object unreachable
object-group network net-grp
  description: List of Public HTTP Servers
  network-object host 192.168.1.10
  network-object host 172.16.10.1
  network-object 172.16.2.0 255.255.255.0
object-group protocol vpn-grp
  description: Protocols allowed for VPN Access
  protocol-object ah
  protocol-object gre
  protocol-object esp
object-group service websrv-grp tcp
  description: Ports needed on public web servers
  port-object eq www
  port-object eq 8080
  port-object range 9000 9010
If one of the object groups does not look correct or is not needed, it can be removed using the no object-group <grp_id> command.
Object groups can be used in place of their respective values in access lists or conduits, but they must be preceded by the object-group keyword. For example, to allow the ICMP type values defined in the icmp-grp object group to enter the PIX's outside interface, the access-list command is:
PIX1(config)# access-list icmp_in permit icmp any any object-group icmp-grp
To allow access to the Web servers defined in the net-grp on the ports defined in websrv-grp, the command is:
PIX1(config)# access-list outside_in permit tcp any object-group net-grp object-group websrv-grp
One nice feature of object groups is the ability to nest object groups of the same type together. For example:
PIX1(config)# object-group network all-servers
PIX1(config-network)# group-object net-grp
PIX1(config-network)# network-object 172.16.3.0 255.255.255.0
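Because an access-list entry that references object groups stands for every combination of their members, reviewing what a group-based entry actually permits means expanding it. The following Python script, added here as an example and not taken from the text or from Cisco, parses show object-group output (a constructed sample in the shape shown above, with the all-servers group nesting net-grp) and expands an access-list entry into the flat entries it stands for.

```python
import itertools
import re

# Constructed sample in the shape of show object-group output: the text's
# net-grp and websrv-grp, plus an all-servers group that nests net-grp.
SHOW_OBJECT_GROUP = """\
object-group network net-grp
  description: List of Public HTTP Servers
  network-object host 192.168.1.10
  network-object host 172.16.10.1
  network-object 172.16.2.0 255.255.255.0
object-group network all-servers
  group-object net-grp
  network-object 172.16.3.0 255.255.255.0
object-group service websrv-grp tcp
  port-object eq www
  port-object eq 8080
  port-object range 9000 9010
"""

def parse_object_groups(text):
    """Return {group name: [member lines]}; description lines are not members."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"object-group (?:icmp-type|network|protocol|service) (\S+)", line)
        if header:
            current = header.group(1)
            groups[current] = []
        elif current and line and not line.startswith("description"):
            groups[current].append(line)
    return groups

def expand_group(groups, name, seen=()):
    """Flatten one group, following group-object nesting; a nesting loop is an error."""
    if name in seen:
        raise ValueError("object-group nesting loop at " + name)
    members = []
    for member in groups[name]:
        kind, _, value = member.partition(" ")
        if kind == "group-object":
            members.extend(expand_group(groups, value, seen + (name,)))
        else:
            members.append(value)  # e.g. "host 192.168.1.10" or "eq www"
    return members

def expand_ace(groups, ace):
    """Replace each 'object-group <name>' in an ACE by every member of that group."""
    slots = [expand_group(groups, m.group(1)) if m.group(1) else [m.group(0)]
             for m in re.finditer(r"object-group (\S+)|\S+", ace)]
    return [" ".join(combo) for combo in itertools.product(*slots)]
```

Expanding the outside_in entry above yields nine flat entries (three hosts or networks times three port entries); substituting all-servers for net-grp yields twelve, which shows how quickly nested groups widen what a single line permits.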