With Cisco ISR routers, many SMB/enterprise businesses are avoiding expensive dedicated security firewalls and are instead deploying inspection zones, using their L3 routers for these services.
ZBFW replaces the legacy Cisco CBAC (Context-Based Access Control) inspection and is much simpler to deploy. Here are some immediate differences:
- no inspect ACL to manage (optional)
- creation and naming of zones (zone names)
- the use of simple inspection policies (class-maps / policy-maps)
Here are my steps for a simple ZBFW configuration and design:
- you really need to think about the protocols and services that you will, and should, allow. Yes, this sounds stupid, but a lot of engineers deploy ZBFWs and forget this step.
- be careful with the zone names and their directionality
- remember class-default and the default drop action within that class
- remember you will need zone-members and zone-pairs for all interfaces that you want traffic to traverse, but if you have 2 interfaces that are not members of any zone, then you DON'T NEED any zone-pair for traffic to flow between them
- traffic can't flow between a zone-member interface and a non-zone-member interface
Here are my CCIE R&S lab configurations:
Create the zones:
zone security inside
 description internal-trusted interface gi0/0
!
! my 2nd zone
!
zone security outside
 description external-untrusted interface gi0/1
!
So I now have 2 zones named inside and outside. They could have been called in and out, or number1 and number2. The name is not of major concern, but it is best to keep the naming convention simple and have it represent the directionality, the function, or the interface role.
Next, we create the zone-pairs. In this case I went with a 2 zone-pair setup (in2out and out2in), but later we will only configure the in2out direction:
!
zone-pair security in2out source inside destination outside
 description zone pair traffic from inside to external
 service-policy type inspect zp_in2out
!
zone-pair security out2in source outside destination inside
 description zone pair traffic from external to inside
!
I gave my zone-pairs simple names and a short description of each.
Now for the traffic that we want to allow, I've created some simple class-maps for these zone-pairs. In this case, I'm only concerned with traffic from my inside (trusted) networks out to the outside (untrusted).
!
class-map type inspect match-all icmp
 match protocol icmp
class-map type inspect match-all HTTP
 match protocol http
class-map type inspect match-any WEBtraffic
 description match any web traffic on default 80/443 ports
 match protocol http
 match protocol https
class-map type inspect match-any POP
 match protocol pop3
 match protocol pop3s
 match protocol smtp
class-map type inspect match-any management-traffic
 description allow for traffic to anything that we might manage
 match protocol ssh
 match protocol telnet
 match protocol snmp
class-map type inspect match-all DNS
 match protocol dns
class-map type inspect match-all HTTPend
!
Be cautious of match-all versus match-any. These can create havoc when troubleshooting: a match-all class-map only matches traffic that satisfies every match statement, so if you list several protocols under match-all, traffic that is only one of those protocols will not match. Take heed of the class-map WEBtraffic: we can match either HTTP or HTTPS thanks to the match-any statement.
Next we need to create a policy-map type inspect for the inspection process. This determines whether we drop, pass, or inspect the traffic types listed in the class-maps.
!
policy-map type inspect zp_in2out
 class type inspect icmp
  inspect
 class type inspect HTTP
  inspect
 class type inspect POP
  inspect
 class type inspect management-traffic
  inspect
 class type inspect DNS
  inspect
 class type inspect WEBtraffic
  inspect
 class class-default
  drop
!
And lastly, we apply the zone-members to the L3 interfaces.
!
interface GigabitEthernet0/0
 ip address 1.1.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:470:C021:1::1/64
 ipv6 enable
!
interface GigabitEthernet0/1
 description outside
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 duplex auto
 speed auto
 media-type rj45
!
Verify the configuration with the following show commands:
show zone security
show zone-pair security
show policy-map type inspect
show class-map type inspect
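The three pitfalls called out above (a zone-pair left without a service-policy, a match-all class-map listing several protocols, and a class-default that does not drop) are easy to catch mechanically before a change window. The following lint script is an added example, not part of the original post or of Cisco IOS; the config text it parses is constructed from the lab design above with one deliberate mistake planted per check.

```python
# Added example (not from the post): lint an IOS ZBFW config excerpt for the
# pitfalls listed above. SAMPLE_CONFIG is constructed with planted mistakes:
# out2in has no policy, WEBtraffic is match-all, class-default is set to pass.
SAMPLE_CONFIG = """
zone security inside
zone security outside
zone-pair security in2out source inside destination outside
 service-policy type inspect zp_in2out
zone-pair security out2in source outside destination inside
class-map type inspect match-all WEBtraffic
 match protocol http
 match protocol https
policy-map type inspect zp_in2out
 class type inspect WEBtraffic
  inspect
 class class-default
  pass
"""

def parse_blocks(text):
    """Split IOS config into (top-level command, [indented subcommands]) blocks."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def lint_zbfw(text):
    """Return a list of findings; an empty list means none of the pitfalls were hit."""
    findings = []
    for header, subs in parse_blocks(text):
        words = header.split()
        if header.startswith("zone-pair security "):
            if not any(s.startswith("service-policy type inspect ") for s in subs):
                findings.append(f"zone-pair {words[2]}: no service-policy, so all traffic in this direction is dropped")
        elif header.startswith("class-map type inspect match-all "):
            protos = [s.split()[-1] for s in subs if s.startswith("match protocol ")]
            if len(protos) > 1:
                findings.append(f"class-map {words[-1]}: match-all with protocols {protos} cannot match a single flow; use match-any")
        elif header.startswith("policy-map type inspect ") and "class class-default" in subs:
            i = subs.index("class class-default")
            action = subs[i + 1] if i + 1 < len(subs) else "drop"  # no action configured means implicit drop
            if action.split()[0] != "drop":
                findings.append(f"policy-map {words[-1]}: class-default action is '{action}', unmatched traffic is not dropped")
    return findings
```

Run `lint_zbfw(open("running-config.txt").read())` against a saved `show running-config` to get the same checks on a real device export.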
I hope this post was helpful
Ken Felix
Freelance Security/Network Engineer
kfelix " a t " hyperfeed.com