Female Voice: “Don’t tell me which zone’s for stopping and which zone’s for loading!”
Male Voice: “Listen, Betty, don’t start your white zone sh*t again. There is just no stopping in the white zone.” – Airplane 1980
A new addition in the CCSP and CCIE tracks is the Cisco IOS Zone-Based Firewall. This blog will introduce you to this new feature. And not to give too much away, but as you will see, it is a new feature based on some more classic-type technologies!
For this blog post, I actually consulted my own book – the CCNA Security Quick Reference published by Cisco Press. That was not a plug, in fact I was paid a flat rate for that one ☺. I also consulted the Cisco DOC-CD.
The IOS Zone-Based Firewall first showed up in 12.4(6)T and the goal was to provide an intuitive and straightforward policy design approach for multiple interface routers. There was also a desire to offer a greater level of granularity for the application of such policies. The Zone-Based approach utilizes CBAC technology and gives you everything you had there, plus more.
In order to configure the Zone-Based Firewall, you define your zones, define your class maps, define your policy maps, and then define your zone pairs and apply your policy maps to them. Possible actions for traffic moving between zones is INSPECT, DROP, or PASS. Zone Drop or Pass? This is starting to sound more and more like a football blog!
Inspect causes the traffic to be monitored with the IOS stateful packet inspection (think CBAC), while drop and pass are obvious. Pass allows the traffic to move between zones with no inspection whatsoever.
Let’s take a look at a quick and simple example.
Let’s presume we have Fa0/0 and Fa0/1 that connect to private networks in our company. We also have S0/0 that connects to the public Internet. Based on this, we create a simple zone-based firewall as follows:
I sure hope you enjoyed this quick introduction to a 3.X CCIE Security feature!
Male Voice: “Listen, Betty, don’t start your white zone sh*t again. There is just no stopping in the white zone.” – Airplane 1980
A new addition in the CCSP and CCIE tracks is the Cisco IOS Zone-Based Firewall. This blog will introduce you to this new feature. And not to give too much away, but as you will see, it is a new feature based on some more classic-type technologies!
For this blog post, I actually consulted my own book – the CCNA Security Quick Reference published by Cisco Press. That was not a plug, in fact I was paid a flat rate for that one ☺. I also consulted the Cisco DOC-CD.
The IOS Zone-Based Firewall first showed up in 12.4(6)T and the goal was to provide an intuitive and straightforward policy design approach for multiple interface routers. There was also a desire to offer a greater level of granularity for the application of such policies. The Zone-Based approach utilizes CBAC technology and gives you everything you had there, plus more.
In order to configure the Zone-Based Firewall, you define your zones, define your class maps, define your policy maps, and then define your zone pairs and apply your policy maps to them. Possible actions for traffic moving between zones is INSPECT, DROP, or PASS. Zone Drop or Pass? This is starting to sound more and more like a football blog!
Inspect causes the traffic to be monitored with the IOS stateful packet inspection (think CBAC), while drop and pass are obvious. Pass allows the traffic to move between zones with no inspection whatsoever.
Let’s take a look at a quick and simple example.
Let’s presume we have Fa0/0 and Fa0/1 that connect to private networks in our company. We also have S0/0 that connects to the public Internet. Based on this, we create a simple zone-based firewall as follows:
Step 1: Define and populate our zones:
configure terminal
!
zone security ZONE_PRIVATE
zone security ZONE_INTERNET
!
interface range fa0/0 - 1
zone-member security ZONE_PRIVATE
!
interface s0/0
zone-member security ZONE_INTERNET
Step 2: Define the class maps that identify traffic that is permitted between zones:
configure terminal
!
class-map type inspect match-any CM_INTERNET_TRAFFIC
match protocol http
match protocol https
match protocol ftp
Step 3: Configure a policy map which specifies the action for the class map:
configure terminal
!
policy-map type inspect PM_PRIVATE_TO_INTERNET
class type inspect CM_INTERNET_TRAFFIC
inspect
Step 4: Configure the zone pair and apply your policy:
configure terminalNotice how this simple configuration allows for the stateful inspection of our Internet protocols from the private areas to the Internet. It also blocks traffic from the Internet heading to the private area unless it is in response to the inspected traffic.
zone-pair security ZONEP_PRIV_INT source ZONE_PRIVATE destination ZONE_INTERNET
service-policy type inspect PM_PRIVATE_TO_INTERNET
I sure hope you enjoyed this quick introduction to a 3.X CCIE Security feature!
0 comments:
Post a Comment