CCNA Security – Chapter 4 (ZFW, Zone-Based Policy Firewall) – CCP Configuration

In 2006, Cisco Systems introduced the zone-based policy firewall configuration model with Cisco IOS Release 12.4(6)T. With this new model, interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones. A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface. It also has the ability to prohibit traffic via a default deny-all policy between firewall zones.
!
!
Firewall policies are configured using the Cisco Common Classification Policy Language (C3PL), which uses a hierarchical structure to define network protocol inspection and allows hosts to be grouped under one inspection policy.
!
!
The default policy between zones is deny all. If no policy is explicitly configured, all traffic moving between zones is blocked.
!
Some of the benefits of ZPF include the following:
!
It is not dependent on ACLs.
The router security posture is to block unless explicitly allowed.
Policies are easy to read and troubleshoot with C3PL.
One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.
!
!
When deciding whether to implement CBAC or zones, one important note is that both configuration models can be enabled concurrently on a router. However, the models cannot be combined on a single interface: an interface that is a zone member cannot also carry an ip inspect rule, and vice versa.
!
For traffic that is not based on the concept of sessions, such as IPsec Encapsulating Security Payload [ESP], the administrator must define unidirectional traffic flows from source to destination and vice versa.
!
The Cisco IOS zone-based policy firewall can take three possible actions when configured using CCP:
!
! Inspect – Configures Cisco IOS stateful packet inspection. This action is equivalent to the CBAC ip inspect command. It automatically allows for return traffic and potential ICMP messages. For protocols requiring multiple parallel signaling and data sessions (for example, FTP or H.323), the inspect action also handles the proper establishment of data sessions.
! Drop – Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
! Pass – Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic. Pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.
!
!
To apply rate limits to the traffic of a specified class, the police option can be used in conjunction with the inspect or pass command.
!
When an interface is configured to be a zone member, the hosts that are connected to the interface are included in the zone, but traffic flowing to and from the interfaces of the router is not controlled by the zone policies. Instead, all the IP interfaces on the router are automatically made part of the self zone.
!
A zone-pair allows a unidirectional firewall policy between two security zones to be specified. The direction of the traffic is determined by specifying a source and destination security zone. The same zone cannot be defined as both the source and the destination, and only one policy map can be attached to a given zone-pair.
!
If there are no policies between a zone and the self zone, all traffic is permitted to the interfaces of the router without being inspected. In other words, the control plane of the router stays reachable from every zone until a policy is explicitly applied to a zone-pair whose source or destination is self.
!
zone security INSIDE
description INSIDE_NETWORK
zone security OUTSIDE
description OUTSIDE_NETWORK
zone security MANAGEMENT
description MANAGEMENT_NETWORK
!
Only policy maps defined with type inspect can be used in the zone-pair security command.
!
Only class maps defined with type inspect can be used in policy maps with type inspect.
!
There can be no name overlap with other types of class maps or policy maps. For example, there cannot be a quality-of-service class map and an inspect class map with the same name.
!
The router never filters the traffic between interfaces in the same zone.
!
ZPF does not change ACLs. Review ACL usage before entering the zone-member command.
!
! match-all is the default; with match-all every match line must be true,
! with match-any one of them is enough
class-map type inspect [match-any | match-all] ACCESS-2-INTERNET
match access-group name ACL-NAME
match protocol PROTOCOL
match class-map CLASS-MAP-NAME
exit
!
class-map type inspect match-any my-test-cmap
match protocol http
match protocol tcp
!
!
policy-map type inspect policy-map-name
class type inspect class-name
! Each class takes exactly one action: inspect, pass or drop (police may follow inspect or pass)
inspect
! The default class (matching all remaining traffic) is specified using this command.
! Without an explicit action, class-default drops the traffic it matches.
class class-default
drop
exit
!
zone-pair security zone-pair-name source [self | source-zone-name] destination [self | destination-zone-name]
service-policy type inspect policy-map-name
!
! The Layer 7 form of service-policy belongs inside a policy map, under a class, not under the zone-pair:
! service-policy {h323 | http | im | imap | p2p | pop3 | sip | smtp | sunrpc | urlfilter} policy-map-name
!
! Entered in interface configuration mode; the interface belongs to exactly one zone
zone-member security zone-name
!
show policy-map type inspect zone-pair [zone-pair-name] sessions
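A complete worked configuration, added here as an example (it is not part of the course notes above and not Cisco's own sample), that ties the zone, class-map, policy-map, zone-pair and zone-member steps together, applies a policy to the self zone so the router is no longer reachable by default, passes ESP in both directions because it carries no session state, and rate-limits one class with police. The interface names, the addressing, the rate values and all object names are assumptions.

```cisco
! --- Zones (names follow the notes above) ---
zone security INSIDE
 description INSIDE_NETWORK
zone security OUTSIDE
 description OUTSIDE_NETWORK
zone security MANAGEMENT
 description MANAGEMENT_NETWORK
!
! --- ACLs used only as match criteria in class maps (assumed addressing) ---
ip access-list extended ACL-INSIDE-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended ACL-ESP
 permit esp any any
!
! --- Class maps: all "type inspect"; names must not collide with QoS class maps ---
class-map type inspect match-any CMAP-WEB-DNS
 match protocol http
 match protocol https
 match protocol dns
! match-all: inside source AND one of the protocols in CMAP-WEB-DNS
class-map type inspect match-all CMAP-INSIDE-WEB
 match access-group name ACL-INSIDE-HOSTS
 match class-map CMAP-WEB-DNS
! ESP has no session to track, so it is passed (not inspected) in each direction
class-map type inspect match-any CMAP-ESP
 match access-group name ACL-ESP
class-map type inspect match-any CMAP-MGMT-TO-ROUTER
 match protocol ssh
 match protocol icmp
!
! --- Policy maps: one action per class, class-default catches the rest ---
policy-map type inspect PMAP-INSIDE-TO-OUTSIDE
 class type inspect CMAP-INSIDE-WEB
  inspect
  police rate 8000000 burst 16000
 class type inspect CMAP-ESP
  pass
 class class-default
  drop log
policy-map type inspect PMAP-OUTSIDE-TO-INSIDE
 class type inspect CMAP-ESP
  pass
 class class-default
  drop log
policy-map type inspect PMAP-MGMT-TO-SELF
 class type inspect CMAP-MGMT-TO-ROUTER
  inspect
 class class-default
  drop log
policy-map type inspect PMAP-DROP-ALL
 class class-default
  drop log
!
! --- Zone pairs: one direction and one policy map each; source and destination differ ---
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP-INSIDE-TO-OUTSIDE
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP-OUTSIDE-TO-INSIDE
! The self zone is permit-all until a policy is attached; limit who reaches the router
zone-pair security MGMT-TO-SELF source MANAGEMENT destination self
 service-policy type inspect PMAP-MGMT-TO-SELF
! Drops everything the Internet sends to the router itself (routing protocols, ICMP,
! and any VPN that terminates on this router would each need their own class here)
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PMAP-DROP-ALL
!
! --- Interface membership (assumed interfaces and addresses) ---
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 ip address 192.168.100.1 255.255.255.0
 zone-member security MANAGEMENT
!
! --- Verification ---
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions
```

Two points worth checking after applying this: traffic between hosts on GigabitEthernet0/0 is never filtered because they share a zone, and traffic the router itself originates towards MANAGEMENT or OUTSIDE is still permitted, since no zone-pair with self as the source has been defined.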
