NBAR!

Started by SofaKing, September 02, 2016, 10:32:24 AM


SofaKing

NBAR - Network Based Application Recognition:  I've been doing a lot of reading on QoS lately and ran into NBAR.  The thing that I found really cool about NBAR, other than using it for QoS, is the ability to block user access to certain protocols on the router itself.  The problem I have been running into is the Guest WiFi eating up all of the bandwidth at our stores.  Outbound QoS does an OK job but it is the inbound traffic that is causing the majority of our issues.  By using NBAR I can block protocols that use a lot of bandwidth, which will hopefully give our stores some relief.  The configuration for this is pretty simple:

class-map match-any BLOCK_GUEST_CM
 match protocol youtube
 match protocol netflix
 match protocol hulu

policy-map BLOCK_GUEST_PM
 class BLOCK_GUEST_CM
  drop

int bvi32
 service-policy input BLOCK_GUEST_PM


After applying the policy-map to the guest vlan, users are no longer able to connect to hulu, netflix, or youtube.  NBAR can also block P2P, bittorrent, tor, etc.
**I had to update the NBAR protocol pack to get it to block youtube.  Cisco has updated packs you can download from their website and then install on your router.  Once the updated pack is in flash all you have to do is install it (no reboot required):

ip nbar protocol-pack flash:pp-adv-isrg2.pack

If anyone has any good ideas on how to control inbound traffic let me know ;)


Networking -  You can talk about us but you can't talk without us!

deanwebb

block any any all log

^ Prevents ALL possible malware downloads. Best to apply the rule in both directions.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on September 02, 2016, 10:47:55 AM
block any any all log

^ Prevents ALL possible malware downloads. Best to apply the rule in both directions.

BINGO!  :problem?:
:professorcat:

My Moral Fibers have been cut.

deanwebb

OK, now for serious answers... while the firewall is keeping uninvited inbound traffic out, *invited* traffic in the form of a browser request gets through all the time... having a proxy server doing content filtering and/or a PaloAlto firewall filtering on traffic can get things as granular as allowing Facebook, but blocking FB games. By blocking the request, no inbound traffic will arrive to answer that request.

SofaKing

Thanks Dean - we have Palo Alto firewalls in our main corporate office and are working on deploying them to all of our branch offices.  For our stores we do have a squid proxy doing the content filtering for the PCs in the stores.  It would be too expensive for us to have a Palo Alto at each of our 1200+ stores and I'm not sure how to get the guest user PC to use the squid proxy since we don't manage their device.  I read somewhere that you could forward the user traffic using NAT to go through the proxy.  I'll hopefully have time to play with this later this week.  I bought a raspberry pi 3 to install squid on for the tests.  This will be my first time playing with a raspberry pi so should be fun :)

deanwebb

Fun, indeed. And NBAR would be good for bulk traffic filtering routers so that the firewalls don't have to waste cycles on dropping the traffic.

wintermute000

Is your store network on local internet links, hence this problem?
You have three options in my mind if you can't enforce proxy via standard settings or roll out local Palos (sweet sweet palos):

- overlay a VPN/tunnel solution to force all traffic to be centralised
- cloud proxy solution with local router redirecting - full fat solution includes the likes of the new Cisco web security thingy that basically sets up a tunnel between the router and a cloud proxy service so it acts as a transparent proxy. Vendors like Zscaler offer similar solutions using manual IPSEC/GRE tunnels and PBR for example.
- quick and dirty equivalent is openDNS (block via URL categories) - I'm not sure how this works at a granular RBAC level

LynK

We had this same issue, and I am going to give you the magic formula. Here we go:

1) Get a backup connection (cable)
2) configure PBR (send RFC 1918 in, internet out cable)
3) Get a cloud based DNS service (cough OpenDNS cough)
4) Configure Split-DNS on said router

There you go. No more issues :)
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

SofaKing

Thanks Wintermute000 and LynK -

Our stores connect with a Cisco router with two WAN interfaces.  Currently our guest network is separated from the store network(s) by using VRFs and PBR.  One WAN connection is the primary DSL/Cable/T1 and the second WAN port is a 4G LTE backup connection.  The business has decided that a good backup is more important than a second connection that is primarily used for guest access.  A handful of our stores do have two Cable/DSL connections where this is currently being done but these are one-offs and are to support the high density of guest user access (i.e. one of our stores just off the Vegas strip).

We had looked at OpenDNS (before they were bought by Cisco) but the business decided it would be too expensive to implement at all stores.  They want a Ferrari for the price of a Kia, which I think a lot of people working for a retail based company run into.  I liked NBAR since I could filter applications without any extra costs associated with it.

I gave the suggestion that the cheapest way to alleviate the stress on the store network caused by the guest usage is to get a bigger pipe.  This is something we are looking into but in the meantime they are wanting the store to run perfectly with guest wireless on a legacy DSL connection with 1.5Mbps/786Kbps ;)

wintermute000

the cheap solution:

PBR the guest wireless out the backup 4G.
Write an EEM to ACL off or shape guest traffic when running in backup ;)
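One way to build the EEM part of that suggestion, as an added example that is not wintermute000's or SofaKing's config. It assumes the primary WAN is GigabitEthernet0/0 with ISP gateway 203.0.113.1 (a placeholder), that BVI32 is the guest interface and that BLOCK_GUEST_PM / BLOCK_GUEST_CM are the ones from the first post; the CIR is a placeholder to size to the 4G link.

```cisco
! Added example (not from the thread): clamp the guest VLAN only while the
! store is riding the 4G backup, and release it when the primary returns.

! Track the primary WAN with an IP SLA probe; the delays avoid flapping the
! policy on a single lost ping. 203.0.113.1 is a placeholder gateway.
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 30 up 60

! Backup-mode policy: same app drop as the normal policy, plus a tight
! policer on everything else so guests cannot crowd out the store.
policy-map GUEST_BACKUP_PM
 class BLOCK_GUEST_CM
  drop
 class class-default
  police cir 256000 bc 8000 conform-action transmit exceed-action drop

! Primary down: swap the guest input policy for the backup one. Only one
! input service-policy can sit on an interface, so remove the normal one.
event manager applet GUEST_CLAMP_ON
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface BVI32"
 action 4.0 cli command "no service-policy input BLOCK_GUEST_PM"
 action 5.0 cli command "service-policy input GUEST_BACKUP_PM"
 action 6.0 cli command "end"
 action 7.0 syslog msg "Primary WAN down: guest backup policer applied"

! Primary back: restore the normal guest policy.
event manager applet GUEST_CLAMP_OFF
 event track 10 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface BVI32"
 action 4.0 cli command "no service-policy input GUEST_BACKUP_PM"
 action 5.0 cli command "service-policy input BLOCK_GUEST_PM"
 action 6.0 cli command "end"
 action 7.0 syslog msg "Primary WAN up: normal guest policy restored"
```

The syslog lines give the store a record of every swap, which is worth keeping since EEM applies the CLI without confirming the result.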

Dieselboy

Quote from: LynK on September 07, 2016, 01:02:14 PM
We had this same issue, and I am going to give you the magic formula. Here we go:

1) Get a backup connection (cable)
2) configure PBR (send RFC 1918 in, internet out cable)
3) Get a cloud based DNS service (cough OpenDNS cough)
4) Configure Split-DNS on said router

There you go. No more issues :)

Cisco cough bought cough openDNS cough

NetworkGroover

Quote from: Dieselboy on September 12, 2016, 10:03:54 PM

Cisco cough bought cough openDNS cough

Welp... I'm sure that'll be broken soon then....  :problem?:
Engineer by day, DJ by night, family first always

wintermute000

Viptela + automagic tunnels to zscaler ftw

SimonV

How about adding a bandwidth policer to your "guest" interface? Allocate only a certain bandwidth for guest traffic?
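Combining SimonV's policer idea with the NBAR drop policy from the first post, as an added example that is not SofaKing's or SimonV's config. It assumes BVI32 is the guest VLAN interface as in the thread and reuses the BLOCK_GUEST_CM class-map defined there; the CIR/Bc values are placeholders to size to the store uplink.

```cisco
! Added example (not from the thread): keep the NBAR drop for the
! streaming apps, police everything else, and do it in both directions of
! the guest interface so the inbound responses are capped too.

! Guest -> Internet: drop requests to the blocked apps, police the rest.
! Dropping the request is what stops the matching inbound video.
policy-map GUEST_IN_PM
 class BLOCK_GUEST_CM
  drop
 class class-default
  police cir 512000 bc 16000 conform-action transmit exceed-action drop

! Internet -> Guest: the router cannot stop the ISP from sending the
! bytes, but discarding excess here makes the senders' TCP back off, which
! is the only lever the router has on inbound bulk traffic. NBAR classifies
! the flow, so the same class-map matches in this direction as well.
policy-map GUEST_OUT_PM
 class BLOCK_GUEST_CM
  drop
 class class-default
  police cir 1536000 bc 48000 conform-action transmit exceed-action drop

interface BVI32
 ip nbar protocol-discovery
 service-policy input GUEST_IN_PM
 service-policy output GUEST_OUT_PM

! Verification (exec mode): confirm which protocol pack is active (the
! first post notes youtube only matched after updating it), watch the
! BLOCK_GUEST_CM counters increment when a guest opens one of the sites,
! and see what else guests are pulling that may deserve its own class.
! show ip nbar protocol-pack active
! show policy-map interface BVI32
! show ip nbar protocol-discovery interface BVI32 top-n 10
```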