ZBF Part 2 of 3 – Configuration and Verification

By Anthony Sequeira on July 26th, 2011

The Zone-Based Firewall provides us with a new router firewall paradigm as we discussed in the last post in this series. With the Zone-Based Firewall, we take interfaces and place them into a new logical router structure called a zone. A zone is used to define interfaces that will share a particular security treatment.

Cisco automatically designates a special zone for us called the Self Zone. This important zone is used for controlling traffic that is sourced from, or directed to, the router itself. The zones we create are placed into zone pairs. A simple example is an Inside_Private_Zone paired with an Outside_Public_Zone. You can then apply a unidirectional security treatment to the zone pair. Notice that applying policy to a zone pair is indeed unidirectional: in the configuration you specify a source zone and a destination zone when you apply the policy, which is what enforces this one-way nature.

Special-purpose security class-maps are used to define the traffic that we want to apply policy to. Using an approach reminiscent of the older Modular QoS CLI (MQC) syntax, special-purpose policy-maps are used to define the policy. Finally, service-policies are used to assign these zone-based policy-maps to zone pairs.

When you are assigning policy to a zone pair in a particular direction, you use one of three actions: DROP, PASS, or INSPECT. Should the policy action specify drop, the traffic matching the class-map is dropped. Should the traffic match a pass action, it is not treated or analyzed in any special manner; it is simply passed from one zone to the other. INSPECT is the most important of the three actions. It performs stateful inspection (think CBAC) on the traffic defined in the class-maps.

The steps for the Zone-Based Firewall configuration are as follows:

Step 1 – Define and populate zones.

Step 2 – Define the class-maps that identify traffic flowing between zones.

Step 3 – Configure a policy-map that specifies actions for the traffic.

Step 4 – Configure the zone pair and apply the policy.
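The four steps above, carried through as an added example configuration (this is not the author's configuration from the series; the zone names come from the text, while the interface numbers, class-map and policy-map names, and the zone-pair name are assumptions):

```cisco
! Step 1 - define the zones and place interfaces into them
zone security Inside_Private_Zone
zone security Outside_Public_Zone
!
interface GigabitEthernet0/0
 description Inside LAN (assumed interface)
 zone-member security Inside_Private_Zone
!
interface GigabitEthernet0/1
 description Internet-facing (assumed interface)
 zone-member security Outside_Public_Zone
!
! Step 2 - class-map that identifies the inside-to-outside traffic to inspect
class-map type inspect match-any INSIDE_TO_OUTSIDE_CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Step 3 - policy-map: INSPECT the matched traffic, DROP (and log) everything else
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
 class type inspect INSIDE_TO_OUTSIDE_CLASS
  inspect
 class class-default
  drop log
!
! Step 4 - the zone pair is unidirectional (source -> destination);
! apply the policy to it with a service-policy
zone-pair security IN_TO_OUT source Inside_Private_Zone destination Outside_Public_Zone
 service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
!
! Verification
! show zone security                                   - zones and their member interfaces
! show zone-pair security                              - zone pairs and the attached policy
! show policy-map type inspect zone-pair sessions      - stateful sessions built by INSPECT
```

Because INSPECT is stateful, return traffic for sessions opened from the inside is allowed back through without a second zone pair; with no Outside_Public_Zone to Inside_Private_Zone pair configured, traffic initiated from the outside is dropped, which is the behaviour you want to confirm with the verification commands.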

In the next post on this topic, we will walk through an example configuration and verification, and look at particular caveats to keep in mind.

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
