Thursday, November 1, 2012

Zone-based firewall on Cisco IOS, from my CCIE/RS studies

ZBFWs (zone-based firewalls) are becoming common nowadays.

With Cisco ISR routers, a lot of SMB/enterprise businesses are avoiding expensive dedicated security firewalls and deploying inspection zones, using their L3 routers for these services.

ZBFW replaces the legacy Cisco CBAC (Context-Based Access Control) inspection and is much simpler to deploy. Here are some immediate differences:
  •  no inspect ACL to manage (optional)
  •  creation and naming of zones
  •  the use of simple inspection policies (class-maps / policy-maps)
Anybody who has ever done CBAC should be aware of the issues with ACLs and directionality :) ZBFW makes this all so much easier to deploy, review and troubleshoot.

Here are my steps for a simple ZBFW configuration and design:

  1. You really need to think about the protocols and services that you will and should allow. Yes, this sounds stupid, but a lot of engineers deploy ZBFWs and forget this step.
  2. Be careful with the zone names and directionality.
  3. Remember the class-default and the default drop within this class.
  4. Remember you will need zone members + pairs for all interfaces that you want traffic to traverse, but if you have 2 interfaces that are not part of the ZBFW pairs, then you DON'T NEED any zone-pair security configuration for traffic to flow between them.
  5. Traffic can't flow from a zone member to a non-zone member.

Here are my CCIE/RS lab configurations.

First, create the zones:

zone security inside
 description internal-trusted interface gi0/0
!
! my 2nd zone
!
zone security outside
 description external-untrusted interface gi0/1
!

So I now have 2 zones named inside and outside. They could have been called in or out, or number1 or number2. The name is not a major concern, but it helps to keep the naming convention simple and to have it represent the directionality or the interface function.

Next, we create zone-pairs. In this case I went with a 2 zone-pair setup (in2out and out2in), but we will only configure a policy for the in2out direction later:

 
!
zone-pair security in2out source inside destination outside
 description zone pair traffic from inside to external
 service-policy type inspect zp_in2out
!
zone-pair security out2in source outside destination inside
 description zone pair traffic from external to inside
!

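I gave my zone-pairs simple names and a short description each. The out2in pair has no service-policy attached, so sessions initiated from the outside are not permitted; return traffic for inspected inside-to-outside sessions is still allowed.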

Now, for the traffic that we want to allow, I've created some simple class-maps to use between these zone-pairs. In this case, I'm only concerned with traffic from my inside (trusted) networks out to the outside (untrusted).


!
!
class-map type inspect match-all icmp
 match protocol icmp
class-map type inspect match-all HTTP
 match protocol http
class-map type inspect match-any WEBtraffic
 description match any web traffic on default 80/443 ports
 match protocol http
 match protocol https
class-map type inspect match-any POP
 match protocol pop3
 match protocol pop3s
 match protocol smtp
class-map type inspect match-any management-traffic
 description allow for  traffic to anything that we might manage
 match protocol ssh
 match protocol telnet
 match protocol snmp
class-map type inspect match-all DNS
 match protocol dns
class-map type inspect match-all HTTPend
!
!

Be cautious with match-all vs. match-any. These can wreak havoc when troubleshooting: with match-all, the class only matches if every match statement is satisfied. Take note of the class-map WEBtraffic, which can match either HTTP or HTTPS thanks to the match-any statement.


Next we need to create a policy-map type inspect for the inspection process. This determines whether we drop, pass or inspect the traffic types listed in the class-maps.

!
!
policy-map type inspect zp_in2out
 class type inspect icmp
  inspect
 class type inspect HTTP
  inspect
 class type inspect POP
  inspect
 class type inspect management-traffic
  inspect
 class type inspect DNS
  inspect
 class type inspect WEBtraffic
  inspect
 class class-default
  drop
!
!

Notice the class-default and its default action, which drops all traffic that didn't match any of the preceding "class type inspect" entries.

And lastly, we apply the zone membership to the L3 interfaces.

!
interface GigabitEthernet0/0
 ip address 1.1.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:470:C021:1::1/64
 ipv6 enable
!
interface GigabitEthernet0/1
 description outside
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 duplex auto
 speed auto
 media-type rj45
!


And that completes the ZBFW configuration. To ensure that we have this properly configured, we can use the following show commands:

show zone security
show zone-pair security
show policy-map type inspect
show class-map type inspect
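
An offline check of a saved config for the pitfalls discussed above (match-all with several protocols, a zone-pair with no service-policy, an interface outside every zone, a class-map no policy uses). This is an added example, not part of the original post; the sample config is constructed and the names blocks() and audit() are hypothetical.

```python
# Constructed sample config with deliberate mistakes (not the post's lab config).
SAMPLE = """\
class-map type inspect match-all WEB
 match protocol http
 match protocol https
class-map type inspect match-all DNS
 match protocol dns
policy-map type inspect zp_in2out
 class type inspect WEB
  inspect
 class class-default
  drop
zone-pair security in2out source inside destination outside
 service-policy type inspect zp_in2out
zone-pair security out2in source outside destination inside
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/2
"""

def blocks(cfg):  # split an IOS config into (header, [sub-lines]) by indentation
    out = []
    for line in cfg.splitlines():
        if line.startswith(" "):
            if out:
                out[-1][1].append(line.strip())
        elif line.strip() not in ("", "!"):
            out.append((line.strip(), []))
    return out

def audit(cfg):  # return review findings for the ZBFW pitfalls in the post
    findings, used, defined = [], set(), {}
    for head, body in blocks(cfg):
        w = head.split()
        has = lambda prefix: any(l.startswith(prefix) for l in body)
        if w[:3] == ["class-map", "type", "inspect"]:  # no keyword means match-all
            defined[w[-1]] = ("match-any" not in w, sum(l.startswith("match protocol") for l in body))
        elif w[:3] == ["policy-map", "type", "inspect"]:
            used.update(l.split()[-1] for l in body if l.startswith("class type inspect"))
        elif w[:2] == ["zone-pair", "security"] and not has("service-policy"):
            findings.append(f"zone-pair {w[2]}: no service-policy")
        elif w[0] == "interface" and not has("zone-member"):
            findings.append(f"{w[1]}: not a zone member")
    for name, (match_all, n) in defined.items():
        if match_all and n > 1:
            findings.append(f"class-map {name}: match-all with {n} protocols")
        if name not in used:
            findings.append(f"class-map {name}: not referenced by any policy-map")
    return findings
```

An interface outside every zone is not an error in itself, but per step 5 it cannot exchange traffic with zone members, so it is flagged for review.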

I hope this post was helpful

Ken Felix
Freelance Security/Network Engineer
kfelix " a t " hyperfeed.com

