Module 10: Zone-Based Policy Firewalls
10.0. Introduction
10.0.1 Why Should I Take This Module?
Zone-based policy firewalls (ZPFs) are an evolutionary step beyond classic firewalls. While classic firewalls based security configuration on router interfaces, a ZPF allows interfaces to be assigned to zones.
10.0.2 What Will I Learn In This Module?
Implement Zone-Based Policy Firewall using CLI
10.1 ZPF Overview
10.1.1 Benefits of a ZPF
Classic Firewall
The traditional configuration model in which firewall policy is applied on interfaces
Zone-based Policy Firewall (ZPF)
The configuration model in which interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.
10.1.2 ZPF Design
Step 1. Determine the zones - The administrator focuses on the separation of the network into zones.
Step 2. Establish policies between zones - For each pair of "source-destination" zones (for example, from the inside network to the outside internet),
Step 3. Design the physical infrastructure - After the zones have been identified, and the traffic requirements between them documented, the administrator must design the physical infrastructure.
Step 4. Identify subsets within zones and merge traffic requirements - For each firewall device in the design, the administrator must identify zone subsets that are connected to its interfaces.
10.2 ZPF Operation
10.2.1 ZPF Actions
Policies identify actions that the ZPF will perform on network traffic.
Inspect - This performs Cisco IOS stateful packet inspection.
Drop - This is analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
Pass - This is analogous to a permit statement in an ACL.
10.2.2 Rules for Transit Traffic
Traffic transiting through router interfaces is subject to several rules governing interface behavior.
Basic Security Zone Topology
If neither interface is a zone member, then the resulting action is to pass the traffic.
If both interfaces are members of the same zone, then the resulting action is to pass the traffic.
10.2.3 Rules for Traffic to the Self Zone
The self zone is the router itself and includes all of the IP addresses assigned to the router interfaces.
If the router is the source or the destination, then all traffic is permitted. The only exception is if the source and destination are a zone-pair with a specific service-policy.
10.3 Configure a ZPF
10.3.1 Configure a ZPF
The topology shown in the figure will be used throughout the remainder of this topic to demonstrate ZPF configuration.
Zone-Based Policy Firewall Configuration Steps
10.3.2 Step 1. Create the Zones
The first step is to create the zones. However, before creating the zones, answer a few questions:
What interfaces should be included in the zones?
What will be the name for each zone?
What traffic is necessary between the zones and in which direction?
10.3.3 Step 2. Identify Traffic
The second step is to use a class-map to identify the traffic to which a policy will be applied. A class is a way of identifying a set of packets based on its contents using “match” conditions.
10.3.4 Step 3. Define an Action
The third step is to use a policy-map to define what action should be taken for traffic that is a member of a class.
10.3.5 Step 4. Identify a Zone-Pair and Match to a Policy
The fourth step is to identify a zone pair and associate that zone pair to a policy-map. The example below shows the command syntax.
10.3.6 Step 5. Assign Zones to Interfaces
The fifth step is to assign zones to the appropriate interfaces. Associating a zone to an interface will immediately apply the service-policy that has been associated with the zone.
10.4 Zone-Based Firewall Summary
10.4.1 What Did I Learn in this Module?
ZPF Overview
The IOS ZPF provides a flexible and powerful replacement for the older Classic IOS Firewall.
ZPF Operation
ZPFs use user-defined policies to act on specific traffic that is travelling from a source zone to a destination zone.