Module 10: Zone-based policy firewalls - Coggle Diagram
10.1 ZPF Overview
10.1.1 Benefits of a ZPF
There are two configuration models for Cisco IOS Firewall:
Classic Firewall - The traditional configuration model in which firewall policy is applied on interfaces.
Zone-based Policy Firewall (ZPF) - The configuration model in which interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.
If an additional interface is added to the private zone, the hosts connected to the new interface in the private zone can pass traffic to all hosts on the existing interface in the same zone. A simple three-zone network is shown in the figure.
The primary motivations for network security professionals to migrate to the ZPF model are structure and ease of use. The structured approach is useful for documentation and communication. The ease of use makes network security implementations more accessible to a larger community of security professionals.
10.1.2 ZPF Design
Designing ZPFs involves several steps:
10.2 ZPF Operation
10.2.1 ZPF Actions
Policies identify actions that the ZPF will perform on network traffic. Three possible actions can be configured to process traffic by protocol, source and destination zones (zone pairs), and other criteria.
Inspect - This performs Cisco IOS stateful packet inspection.
Drop - This is analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
Pass - This is analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.
10.2.2 Rules for Transit Traffic
Traffic transiting through router interfaces is subject to several rules governing interface behavior. For the transit traffic example, refer to the topology shown in the figure.
The rules depend on whether or not the ingress and egress interfaces are members of the same zone:
If neither interface is a zone member, then the resulting action is to pass the traffic.
If both interfaces are members of the same zone, then the resulting action is to pass the traffic.
If one interface is a zone member, but the other is not, then the resulting action is to drop the traffic regardless of whether a zone-pair exists.
If both interfaces belong to the same zone-pair and a policy exists, then the resulting action is inspect, allow, or drop as defined by the policy.
10.2.3 Rules for Traffic to the Self Zone
The self zone is the router itself and includes all of the IP addresses assigned to the router interfaces. This is traffic that originates at the router or is addressed to a router interface. Specifically, the traffic is either for device management, for example SSH, or traffic forwarding control, such as routing protocol traffic. The rules for a ZPF are different for the self zone. For the self zone traffic example, refer to the topology shown in the previous figure.
10.3 Configure a ZPF
10.3.1 Configure a ZPF
The topology shown in the figure will be used throughout the remainder of this topic to demonstrate ZPF configuration. The sequence of steps is not required. However, some configurations must be completed in order. For instance, you must configure a class-map before you assign a class-map to a policy-map. Similarly, you cannot assign a policy-map to a zone-pair until you have configured the policy. If you try to configure a section that relies on another portion of the configuration that you have not yet configured, the router responds with an error message.
10.3.2 Step 1. Create the Zones
10.3.3 Step 2. Identify Traffic
10.3.4 Step 3. Define an Action
10.3.5 Step 4. Identify a Zone-Pair and Match to a Policy
10.3.6 Step 5. Assign Zones to Interfaces
The fifth step is to assign zones to the appropriate interfaces. Associating a zone to an interface will immediately apply the service-policy that has been associated with the zone. If no service-policy is yet configured for the zone, all transit traffic will be dropped. Use the zone-member security command to assign a zone to an interface, as shown in the example below.
10.3.7 Verify a ZPF Configuration
Verify a ZPF configuration by viewing the running configuration. Notice that the class-map is listed first. Then the policy-map makes use of the class-map. Also, notice the highlighted class class-default that will drop all other traffic that is not a member of the HTTP-TRAFFIC class.
The zone configurations follow the policy-map configurations with zone naming, zone pairing, and associating a service-policy to the zone pair. Finally, the interfaces are assigned zones.
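The five configuration steps above, in the order the running configuration of 10.3.7 lists them, as an added example that is not the module's own configuration. The class-map name HTTP-TRAFFIC comes from the text; the zone, policy-map, zone-pair and interface names are assumptions.

```cisco
! Step 1. Create the zones (names are assumed)
zone security PRIVATE
 description Inside LAN
zone security PUBLIC
 description Internet-facing
!
! Step 2. Identify traffic. match-any places a packet in the class
! when it matches any one of the listed protocols.
class-map type inspect match-any HTTP-TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
!
! Step 3. Define an action: stateful inspection for HTTP-TRAFFIC,
! then class-default drops (and logs) everything else.
policy-map type inspect PRIV-TO-PUB-POLICY
 class type inspect HTTP-TRAFFIC
  inspect
 class class-default
  drop log
!
! Step 4. Identify the zone-pair and attach the policy to it.
! Return traffic for inspected sessions is allowed by the state table,
! so no PUBLIC-to-PRIVATE zone-pair is needed for these flows.
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
 service-policy type inspect PRIV-TO-PUB-POLICY
!
! Step 5. Assign zones to interfaces (interface IDs are assumed).
! Remove any "ip inspect" command on these interfaces first; Classic
! Firewall and ZPF cannot share an interface.
interface GigabitEthernet0/0
 zone-member security PRIVATE
interface GigabitEthernet0/1
 zone-member security PUBLIC
!
! Verification (exec mode):
! show zone-pair security
! show policy-map type inspect zone-pair PRIV-PUB sessions
```

Between the two zone-member commands, transit traffic is dropped (one interface zoned, the other not), so apply them in one change window.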
10.3.8 Syntax Checker-Configure a ZPF
10.3.9 ZPF Configuration Considerations
When configuring a ZPF with the CLI, there are several factors to consider:
The router never filters the traffic between interfaces in the same zone.
An interface cannot belong to multiple zones. To create a union of security zones, specify a new zone and appropriate policy map and zone pairs.
ZPF can coexist with Classic Firewall although they cannot be used on the same interface. Remove the ip inspect interface configuration command before applying the zone-member security command.
Traffic can never flow between an interface assigned to a zone and an interface without a zone assignment. Applying the zone-member configuration command always results in a temporary interruption of service until the other zone-member is configured.
The default inter-zone policy is to drop all traffic unless otherwise specifically allowed by the service-policy configured for the zone-pair.
The zone-member command does not protect the router itself (traffic to and from the router is not affected) unless the zone-pairs are configured using the predefined self zone.