Earlier we talked about using CBAC (See the post Understanding CBAC) the “classic firewall” and we mention some information about zone based firewalls but not nearly enough. So today we will be talking about zone based firewalls. Why are they different? We also will learn the basics about what is zone based and what are the advantages compared to CBAC.
You can think of zone based has making interfaces in a quarantine zone, each interface by default if set up in a zone is denied access to any other interface. This helps isolate networks that have private and or secure information that does not need the public network to have access to it. The firewall policies are configured using the Cisco Common Classification Policy Language (C3PL), this uses a hierarchical structure to define network protocol inspection and allows network devices to be grouped under one inspection policy.
Believe it or not it should be easier to configure zone based firewall compared to CBAC Remember that CBAC has these limitations:
- By having multiple inspection policies and ACLs on several interfaces on a router makes it difficult and sometimes overwhelming.
- All traffic through a given interface is subject to the same inspection.
- CBAC relies too heavily on ACLs, which can only do so much!
By using zones that borders a network the traffic is inspected by the policy restrictions. These restrictions can be different in each zone or interface. Using the zone based approach does have its benefits:
- The Zone Based firewall is not dependent on ACLs.
- The router security posture is to block unless explicitly allowed. CBAC allows everything unless explicitly denied or checked.
- Policies are easy to read and troubleshoot with C3PL. (Cisco Common Classification Policy Language)
- One policy affects any given traffic, instead of needing multiple ACLs, inspection actions and rules that CBAC would need.
An important note when deciding to implement CBAC or Zone based is that either models can be enabled on the router simultaneously. They however cannot be used on the same interface as a router.
There are three actions the zone based firewall can take when looking at traffic:
- Inspect – This action is like the CBAC ip inspect command. It automatically allows for return traffic and potential ICMP messages. For protocols requiring multiple parallel signaling and data sessions (such as, FTP or H.323), the inspect action also handles the proper establishment of data sessions.
- Drop – To a deny statement in an ACL. A log option is also available to log the rejected packets.
- Pass – To a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic. Pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.
When determining how to set up zone-based firewalls the first thing you need to think of is the different zones that need to be implemented. The infrastructure must be split into separate zones with different security levels. Example the public network or internet to the inside network would be split into two zones. Create the zones for the firewall with the zone security command.
You also have to set up policies between the zones. Remember by default when zones are configured they deny all access to any other zone as well has non-zone interfaces. You must define the type of traffic that will be allowed on the zone. Example would be TCP and UDP sessions which are the most common, but there is also ICMP and others that can be defined. You want to define the traffic classes with the class-map type inspect command.
After the zones have been identified along with the traffic requirements between them, the next thing to do is design the physical infrastructure and policies this would be stating the number of devices between the mission-critical devices and least critical devices and determining redundant routes and devices if any. You would specify the firewall policies with the policy-map type inspect command. Define the class-map name and you want that policy to do? Do you want the policy to pass, inspect or drop the traffic specified by the class-map?
You want to apply the firewall policies the source and destination zones, by using the zone-pair security command. What zone is the source? What zone is the destination? What policy-map are you going to use by using the service-policy type inspect command.
The last setup is to identify a subset within zones and merge the traffic; the technician must identify the connected interfaces and apply that zone to the interface, by using the zone-member security command.
- To recap, you must create a zone.
- Then define the type of traffic that will be checked by the policy by using the class-map type inspect command
- Next, is define the firewall policies by using the policy-map type inspect command. You what do you want to do with that traffic that you specified earlier with the class-maps (Pass, inspect or drop)
- Assign the policy-maps to the zone pairs, tell the router which policy is the source and destination by using the zone-pair security command. Tell the router which policy to use by using the service-policy type inspect command.
- Finally apply that zone-pair to the interface by using the zone-member security command.
That is the rundown of zone-based firewalls! Look complex? If you start to understand it you will find it easier to carry out than CBAC. Zone-based helps keep interfaces apart by blocking all traffic unless allowed by the policies. Like before you can always find more information online. I recommend Cisco.com for a full understanding of zone-based policy firewall, I hope this tutorial was helpful.