Cisco firewall technologies keep evolving when it comes to a relatively simple router in your network providing these services. It used to be that we had to rely on very simple access control list filters in order to create a firewall using our router. Over time, this gave rise to more and more sophisticated access control lists. Dynamic and reflexive ACLs attempted to bring PIX-like intelligence to the router acting as the security device.
Cisco then really pushed the envelope with their routers through the creation of Context-Based Access Control (CBAC) technology for them. This enhancement would finally bring the stateful inspection of traffic moving through the device, and bring many features of the Adaptive Security Algorithm (ASA) from the Cisco ASA appliance. CBAC permits traffic to leave protected networks and venture forth into unprotected areas. Return traffic is inspected to ensure it is safe and valid response traffic for the inside client. Connections that are attempted from outside devices are dynamically stopped.
Thanks to the invention of the Zone-Based Firewall, the earlier CBAC technology approach is now referred to as Cisco IOS Classic Firewall.
What were the issues with the Cisco IOS Classic Firewall? The main issue with this technique was the complexity of its implementation, especially when many interfaces were involved. It required a combination of ACLs and inspection rules all of which are required to implement the desired filtering policy.
The Zone-Based Policy Firewall is a complete configuration change when compared to the early IOS Classic Firewall. As its name implies, the firewall now uses the concept of zones. This is the first security feature to use the concept of a zone, but more are promised to in the future according to Cisco.
What specific benefits are introduced with the Zone-Based Firewall? There is no longer a dependency on Access Control Lists for filtering. Also, a model of block access is now the default. Access must be specifically permitted through the device.
Another benefit with the ZBF is the introduction of a new configuration policy language that you are probably already quite familiar with. Cisco calls this the Common Classification Policy Language (C3PL) and it follows the logic of the Modular Quality of Service Command Line Interface (MQC).
ZBF configurations become so simple because one policy can be created that impacts any given traffic instead of needing many ACLs and inspection actions.
In the next post in this series, we will walk through the configuration steps of this powerful feature. We will then build a full blown example of the ZBF in action so we can study monitoring and verification.
Anthony Sequeira CCIE, CCSI