The following are the important features of Zone Based Firewalls (ZBF):
1. Interfaces are placed into zones.
2. Policies are applied in a single direction on a zone pair (for example, inside to outside). Return traffic for inspected sessions is permitted automatically by stateful inspection, so no reverse policy is needed for it.
3. If you want to allow traffic to be initiated in both directions, you create two zone pairs, each with its own unidirectional policy: one to allow and inspect traffic from the inside to the outside, and another from the outside to the inside.
4. Additional interfaces may simply be added to a zone; no further policy configuration is necessary, because the existing zone-pair policies automatically apply to the newly added interface.
The following are true about Zone-Based Firewalls:
1. The self zone, which represents the router itself, is a logical zone that exists by default.
2. A zone can have one or more interfaces assigned to it.
3. An interface can be assigned to only one zone. Traffic between a zone-member interface and an interface that belongs to no zone is dropped.
4. For interfaces that are members of the same zone, all traffic is permitted by default.
5. By default, any traffic to or from the self zone is allowed, unless a policy is applied to a zone pair that includes the self zone.
6. Any traffic initiated by the router is considered as leaving the self zone. Any traffic destined to an address of the router itself is considered as entering the self zone.
7. A policy, applied to a zone pair, is needed to forward traffic from one zone to another. By default, no traffic is allowed between two different zones.
As seen in the figure below, zone pairs are required to control access from the inside network to the outside network, and from the outside network to the DMZ. There are three zones (Inside, Outside, and DMZ) and two zone pairs (in-to-out and out-to-DMZ). Because no zone pair is defined between Inside and DMZ, traffic between those two zones is dropped by default.
The following are the three components of Zone Based Firewall policy:
1. Class maps
2. Policy maps, and
3. Service policies.
Class maps classify traffic according to match criteria: ACLs, protocol matches (Layer 4 ports or Layer 7 application protocols), or other nested class maps. Classification may therefore happen anywhere from Layer 3 to Layer 7. The traffic classes identified by the class map are consumed by the policy map, which decides what to do with them.
A policy map is an association of traffic classes and actions. It specifies what action should be performed on each defined traffic class; for example, inspect and drop are actions. Traffic that matches no configured class falls into class-default, which drops it unless you configure otherwise.
The service policy applies a policy map to a zone pair. This step actually puts the policy into effect.
The following are true about crypto ACLs and crypto maps (these belong to IPsec VPN configuration, not to the ZBF policy map):
1. An ACL that has been created to identify which traffic should be encrypted is called a crypto ACL.
2. A crypto ACL is not applied directly to any interface; instead it is referenced by a policy called a crypto map.
3. The crypto map is applied directly to an interface, in interface configuration mode.
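The crypto ACL and crypto map relationship described above, as an added configuration example (not configuration from the original page). Interface names, addresses, the peer, the pre-shared key and the policy names are all assumed values; the crypto ACL selects only LAN-to-LAN traffic, the crypto map references that ACL, and only the crypto map is applied to the interface. The IKE policy assumes an IOS release that supports SHA-256 hashing.

```cisco
! IKE phase 1 policy (assumed values; sha256 needs a recent IOS release)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key for the assumed remote peer (placeholder key, change it)
crypto isakmp key Example-PSK-ChangeMe address 203.0.113.2

! IPsec phase 2 transform set
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel

! Crypto ACL: identifies the traffic that must be encrypted.
! It is NOT applied to an interface; the crypto map references it.
ip access-list extended CRYPTO-ACL
 remark local LAN 10.1.1.0/24 to remote LAN 10.2.2.0/24
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

! Crypto map: ties peer, transform set and crypto ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 match address CRYPTO-ACL

! The crypto map itself is applied in interface configuration mode
interface GigabitEthernet0/1
 description Internet-facing interface (assumed)
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
```

If this router also runs a Zone-Based Firewall, the IKE and ESP packets that terminate on the router are self-zone traffic, which is permitted by default; they only need an explicit policy if you have applied one to a zone pair that includes the self zone.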
Policy map actions:
Inspect - Permit and statefully inspect the traffic. Used for transit traffic initiated by users who expect replies from servers on the other side of the firewall; the replies are allowed back through the state table without a second policy.
Pass - Permit the traffic without creating an entry in the state table. Used for traffic that needs no reply, or for protocols that do not support inspection; in that case pass is applied on one zone pair for the outbound traffic and on a second zone pair, in the reverse direction, for the return traffic.
Drop - Deny the packet. Used for traffic you do not want to allow between the zones where this policy map is applied.
Log - Not an action on its own, but an option added to drop (drop log). Use it, for example, to log information about packets that were dropped because of the policy.
The following commands configure the service policy for traffic between two zones in a ZBF:
1. class-map type inspect match-any MyClassMap1: Create a ZBF class map that matches if any of its entries matches (match-all requires every entry to match).
2. policy-map type inspect MyPolicyMap1: Create a ZBF policy map.
3. class type inspect MyClassMap1: Used inside the ZBF policy map to call on the classification services of the zone-based class map; the action (inspect, pass or drop) is configured beneath it.
4. zone-pair security INOUT source INSIDE destination OUTSIDE: Create a zone pair that identifies an initial unidirectional flow of traffic.
5. service-policy type inspect MyPolicyMap1: Applied under the zone pair to put the policy map into effect.
The order in which these sections are entered is mostly flexible, but some dependencies must be satisfied. You must configure a class map before you reference it from a policy map, and you cannot attach a policy map to a zone pair until the policy map exists. If you try to configure a section that relies on a portion of the configuration you have not yet entered, the router responds with an error message.
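The three-zone topology described earlier (Inside, Outside, DMZ with in-to-out and out-to-DMZ zone pairs) and the command sequence above, carried through as one complete added configuration example. This is not configuration from the original page; the interface names, addresses, the DMZ web server, the ESP peer and the class, policy and zone names are assumed, and NAT is deliberately left out to keep the policy logic visible. It also shows the pass action on two opposite zone pairs for ESP, a protocol the firewall cannot inspect.

```cisco
! Zones. The self zone exists by default and is not defined here.
zone security INSIDE
zone security OUTSIDE
zone security DMZ

! Zone membership: each interface belongs to exactly one zone (assumed interfaces)
interface GigabitEthernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 ip address 203.0.113.1 255.255.255.252
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 description DMZ
 ip address 192.168.10.1 255.255.255.0
 zone-member security DMZ

! Classification for inside users: match-any, so any listed protocol matches
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

! Classification for the published DMZ web server (assumed host 192.168.10.10):
! match-all, so both the ACL and the protocol must match
ip access-list extended DMZ-WEB-ACL
 permit tcp any host 192.168.10.10 eq 80
 permit tcp any host 192.168.10.10 eq 443
class-map type inspect match-all OUT-TO-DMZ-CLASS
 match access-group name DMZ-WEB-ACL
 match protocol tcp

! ESP between an inside host and an assumed remote peer cannot be inspected
! statefully, so it is passed in each direction on its own zone pair
ip access-list extended ESP-OUT-ACL
 permit esp host 10.1.1.5 host 198.51.100.7
class-map type inspect match-all ESP-OUT-CLASS
 match access-group name ESP-OUT-ACL
ip access-list extended ESP-IN-ACL
 permit esp host 198.51.100.7 host 10.1.1.5
class-map type inspect match-all ESP-IN-CLASS
 match access-group name ESP-IN-ACL

! Policy maps: inspect = permit and track the session; class-default drops and logs
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class type inspect ESP-OUT-CLASS
  pass
 class class-default
  drop log
policy-map type inspect OUT-TO-DMZ-POLICY
 class type inspect OUT-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect ESP-IN-CLASS
  pass
 class class-default
  drop log

! Zone pairs are unidirectional. Replies to inspected sessions return via the
! state table; only the uninspectable ESP needs the reverse OUT-TO-IN pair.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUT-TO-DMZ-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
! No INSIDE-to-DMZ zone pair exists, so that traffic is dropped by default.
```

To check the result, `show zone security` lists each zone and its member interfaces, `show zone-pair security` confirms which policy map is attached to each pair, and `show policy-map type inspect zone-pair IN-TO-OUT sessions` shows the stateful sessions created by the inspect action. Traffic that is unexpectedly dropped usually falls into class-default; the drop log option makes those drops visible in the log.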