Cisco® CCNA Security Exam Notes : Implementing Zone-based Firewall

5. Cisco Firewall Technologies

5.3 Implement Zone-Based firewall

The following are the important features of Zone Based Firewalls (ZBF):

1. Interfaces are placed into zones

2. In ZBFs, the policies are implemented in a single direction (for example, inside to outside). Reverse traffic is automatically taken care of because of stateful inspection.

3. If you want to allow initial traffic (originating packets) in both directions, you create two unidirectional policies for traffic to be allowed and inspected from the inside to the outside, and also from the outside to the inside.

4. Additional interfaces may simply be added to the zones, and no further configuration is necessary. The existing policies will automatically apply to the newly added interface.

The following are true about Zone-Based firewalls:

1. The default zone, known as the self zone, is a logical zone.

2. A zone can have one or more interfaces assigned to it.

3. An interface can be assigned to only one zone.

4. For interfaces that are members of the same zone, all traffic is permitted by default.

5. By default, any traffic to or from the self zone is allowed.

6. Any traffic initiated by the router is considered as leaving the self zone. Any traffic with the destination address of the router is considered as entering the self zone.

7. A policy needs to be created for forwarding traffic from one zone to another zone. By default, no traffic is allowed between two different zones.

As seen in the figure below, zone pairs are required to control access from the inside network to the outside network, and from the outside network to the DMZ. The number of zones given is three (Inside, Outside, and DMZ). The number of zone pairs is two (in-to-out, and out-to-DMZ).

Zone-Based firewall Architecture

The following are the three components of Zone Based Firewall policy:

1. Class maps

2. Policy maps, and

3. Service policies.

Class maps filter traffic based on certain rules. They classify traffic using ACLs, ToS, protocol, etc. Classification may happen anywhere from Layer 3 to Layer 7. The output of the class map is used by the policy map for further action.

A policy map is an association of traffic classes and actions. It specifies what actions should be performed on the defined traffic classes. An action is a specific function, and it is typically associated with a traffic class. For example, inspect and drop are actions.

A service policy is where you apply the policy, identified by a policy map, to a zone pair. This step actually implements the policy.

The following are true about crypto ACLs and crypto maps:

1. An ACL that has been created to identify which traffic should be encrypted is called a crypto ACL.

2. A crypto ACL is not applied directly to any interface; instead it is referenced by a policy called a crypto map.

3. The crypto map is directly applied to an interface.

4. A crypto map is applied in interface configuration mode.

Policy map actions:

Inspect - Permit and statefully inspect the traffic. This is used for transit traffic initiated by users who expect to get replies from servers on the other side of the firewall.

Pass - Permit the traffic but do not create an entry in the stateful database. Used for traffic that does not need a reply. Also, for protocols that do not support inspection, this action can be applied to the zone pair for specific outbound traffic and to a second zone pair for the corresponding inbound traffic.

Drop - Deny the packet. Used for traffic you do not want to allow between the zones where this policy map is applied.

Log - Log the packets. For example, if you want to log information about packets that were dropped by policy, you can add this option.

The following are true about service policies when configuring a ZBF:

  • A service policy is applied to a zone pair.
  • A specific zone pair can have only a single service policy assigned to it.
  • The zone pair represents a unidirectional flow of traffic between two zones.
  • If no policy is applied to a zone pair, the default behavior is to drop the traffic.

Traffic interactions between two zones in ZBF

  • If no zones are defined for the ingress and egress interfaces, the traffic is forwarded.
  • If no zone is defined for the ingress interface, but the egress interface belongs to a zone, the traffic is dropped.
  • If both the ingress and egress interfaces belong to the same zone, the traffic is forwarded, irrespective of whether a policy is defined or not.
  • If the interfaces are in different zones and no policy is applied to the zone pair, the traffic is dropped.
  • If the interfaces are in different zones and a policy is applied to the zone pair, the traffic is forwarded according to the applied policy.

Key ZBF configuration commands

1. class-map type inspect match-any MyClassMap1: Create a ZBF-related class map that matches if any of its entries matches.

2. policy-map type inspect MyPolicyMap1: Create a ZBF-related policy map.

3. class type inspect MyClassMap1: Used inside a ZBF policy map to call on the classification services of a zone-based class map (the argument is the class map name, not the policy map name).

4. zone-pair security INOUT source INSIDE destination OUTSIDE: Create a zone pair that identifies an initial unidirectional flow of traffic.

The sequence of steps is as given below:

  • Define zones.
  • Define zone-pairs.
  • Define class-maps that describe traffic that must have policy applied as it crosses a zone-pair.
  • Define policy-maps to apply action to your class-maps' traffic.
  • Apply policy-maps to zone-pairs.
  • Assign interfaces to zones.

Although the exact sequence of steps is not important, some events must be completed in order. For example, you must configure a class-map before you can reference it from a policy-map. Similarly, you cannot assign a policy-map to a zone-pair until you have configured the policy-map. If you try to configure a section that relies on another portion of the configuration that you have not yet configured, the router responds with an error message.
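The full procedure above, applied to the three-zone topology in the figure (in-to-out and out-to-DMZ zone pairs), as an added IOS configuration example that is not part of the original notes; it also shows the inspect, drop and log actions from the policy map section, with the class maps and policy maps configured in the dependency order just described. The interface names, the ACL name, the class/policy/zone-pair names and the DMZ web server address 192.0.2.10 are assumptions.

```cisco
! Added example (not from the original notes); names and addresses assumed.
! 1. Define zones
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! 2. Class maps: must exist before a policy map references them
!    match-any: any listed protocol qualifies
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
ip access-list extended DMZ-WEB-ACL
 permit tcp any host 192.0.2.10 eq 80
!
!    match-all: must hit the ACL AND be recognised as HTTP
class-map type inspect match-all OUT-TO-DMZ-CLASS
 match access-group name DMZ-WEB-ACL
 match protocol http
!
! 3. Policy maps: inspect = permit + stateful entry, so return
!    traffic is allowed without a reverse policy; everything else
!    is dropped and logged
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log
!
policy-map type inspect OUT-TO-DMZ-POLICY
 class type inspect OUT-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
!
! 4. Zone pairs are unidirectional; one service policy per zone pair
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUT-TO-DMZ-POLICY
!
! 5. Assign interfaces last; inter-zone traffic is dropped until
!    a zone pair with a policy covers it
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 zone-member security DMZ
```

No DMZ-to-inside or outside-to-inside zone pair is defined, so sessions initiated in those directions are dropped by default, while replies to inspected sessions are still allowed.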
