Zone Based Firewalling (ZBF)

in #security, 7 years ago


Zone-Based Policy Firewall changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.

Note: Cisco IOS has a system-defined self zone for traffic that terminates at (or originates from) the router's control plane. This traffic is permitted by default if you have no CoPP or CPPr policy.

When you implement ZBF, you can choose between four actions in your policies:

  • Inspect: Records the session in the state table and forwards the traffic (stateful), so the return traffic is allowed back automatically.

  • Pass: Forwards the traffic without recording it in the state table (stateless), so return traffic is not allowed back automatically.

  • Drop: Drops the traffic.

  • Log: Logs the traffic.

ZBF Configuration Steps:

! Making Security zones:
R1(config)#zone security LOCAL-ZONE
R1(config)#zone security WAN-ZONE

! Assign interfaces to zones
R1(config)#interface fastEthernet 0/0
R1(config-if)#zone-member security LOCAL-ZONE
R1(config-if)#exit
R1(config)#interface fastEthernet 0/1
R1(config-if)#zone-member security WAN-ZONE

! Selecting traffic with ACL
R1(config)#ip access-list extended LOCAL-WAN
R1(config-ext-nacl)#permit ip any any

! Making inspection class-map
R1(config)#class-map type inspect match-all LOCAL-WAN-CLASS
R1(config-cmap)#match access-group name LOCAL-WAN
R1(config-cmap)#match protocol ftp

! Making policy map
R1(config)#policy-map type inspect LOCAL-WAN-POLICY
R1(config-pmap)#class type inspect LOCAL-WAN-CLASS
R1(config-pmap-c)#inspect

! Making the zone-pair and applying the inspection policy to it
R1(config)#zone-pair security LOCAL-WAN-PAIR source LOCAL-ZONE destination WAN-ZONE
R1(config-sec-zone-pair)#service-policy type inspect LOCAL-WAN-POLICY
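As an added example (not code from the original post), here is a small Python audit that parses a ZBF configuration in the form built above and flags the pitfalls this model introduces: an interface left out of every zone (it can no longer exchange traffic with zoned interfaces), a zone-pair whose service-policy does not exist, and a stateless pass action with no reverse zone-pair to carry the return traffic. The sample configuration is constructed from the post's steps; FastEthernet1/0 and the DNS-CLASS pass class are hypothetical additions made only to trigger the checks.

```python
import re

# Constructed sample modelled on the post's config; FastEthernet1/0 and the 'pass' class are hypothetical additions.
SAMPLE_CONFIG = """\
zone security LOCAL-ZONE
zone security WAN-ZONE
interface FastEthernet0/0
 zone-member security LOCAL-ZONE
interface FastEthernet0/1
 zone-member security WAN-ZONE
interface FastEthernet1/0
policy-map type inspect LOCAL-WAN-POLICY
 class type inspect LOCAL-WAN-CLASS
  inspect
 class type inspect DNS-CLASS
  pass
zone-pair security LOCAL-WAN-PAIR source LOCAL-ZONE destination WAN-ZONE
 service-policy type inspect LOCAL-WAN-POLICY
"""

def parse_zbf(config):
    """Collect zones, interface->zone, policy-map->actions and zone-pair->policy from IOS config text."""
    zones, if_zone, policies, pairs, ctx = set(), {}, {}, {}, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"zone security (\S+)$", s):
            zones.add(m[1]); ctx = None
        elif m := re.match(r"interface (\S+)", s):
            ctx = ("if", m[1]); if_zone.setdefault(m[1], None)  # None until a zone-member line appears
        elif m := re.match(r"zone-member security (\S+)", s):
            if ctx and ctx[0] == "if": if_zone[ctx[1]] = m[1]
        elif m := re.match(r"policy-map type inspect (\S+)", s):
            ctx = ("pm", m[1]); policies[m[1]] = set()
        elif s in ("inspect", "pass", "drop", "drop log"):
            if ctx and ctx[0] == "pm": policies[ctx[1]].add(s.split()[0])
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", s):
            ctx = ("zp", m[1]); pairs[m[1]] = {"src": m[2], "dst": m[3], "policy": None}
        elif m := re.match(r"service-policy type inspect (\S+)", s):
            if ctx and ctx[0] == "zp": pairs[ctx[1]]["policy"] = m[1]
    return zones, if_zone, policies, pairs

def audit_zbf(config):
    """Findings: unzoned interfaces, dangling policy references, and stateless 'pass' with no reverse zone-pair."""
    _, if_zone, policies, pairs = parse_zbf(config)
    findings = [f"{i}: not in any zone, so it cannot exchange traffic with zoned interfaces" for i, z in if_zone.items() if z is None]
    directions = {(p["src"], p["dst"]) for p in pairs.values()}  # every configured source->destination direction
    for name, p in pairs.items():
        if p["policy"] not in policies:
            findings.append(f"{name}: service-policy {p['policy']} is not defined")
        elif "pass" in policies[p["policy"]] and (p["dst"], p["src"]) not in directions:
            findings.append(f"{name}: 'pass' keeps no state, yet no {p['dst']}->{p['src']} zone-pair exists for return traffic")
    return findings
```

Running `audit_zbf(SAMPLE_CONFIG)` on the constructed sample reports the unzoned FastEthernet1/0 and the pass action without a WAN-ZONE->LOCAL-ZONE pair; a config containing only the post's own steps yields no findings.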

ZBF Verification:

R1#show zone security
zone self
Description: System defined zone

zone LOCAL-ZONE
Member Interfaces:
FastEthernet0/0

zone WAN-ZONE
Member Interfaces:
FastEthernet0/1

R1#show class-map type inspect
Class Map type inspect match-all LOCAL-WAN-CLASS (id 1)
Match access-group name LOCAL-WAN
Match protocol ftp
!
R1#show policy-map type inspect
Policy Map type inspect LOCAL-WAN-POLICY
Class LOCAL-WAN-CLASS
Inspect ERROR
Class class-default
!
R1#show zone-pair security
Zone-pair name LOCAL-WAN-PAIR
Source-Zone LOCAL-ZONE Destination-Zone WAN-ZONE
service-policy LOCAL-WAN-POLICY

R1#show policy-map type inspect zone-pair
Zone-pair: LOCAL-WAN-PAIR

Service-policy inspect : LOCAL-WAN-POLICY

Class-map: LOCAL-WAN-CLASS (match-all)
  Match: access-group name LOCAL-WAN
  Match: protocol ftp
  Inspect
    Session creations since subsystem startup or last reset 0
    Current session counts (estab/half-open/terminating) [0:0:0]
    Maxever session counts (estab/half-open/terminating) [0:0:0]
    Last session created never
    Last statistic reset never
    Last session creation rate 0
    Last half-open session total 0
Class-map: class-default (match-any)
  Match: any
  Drop (default action)
    0 packets, 0 bytes

R1#show policy-map type inspect zone-pair sessions
Zone-pair: LOCAL-WAN-PAIR

Service-policy inspect : LOCAL-WAN-POLICY

Class-map: LOCAL-WAN-CLASS (match-all)
  Match: access-group name LOCAL-WAN
  Match: protocol ftp
  Inspect

Class-map: class-default (match-any)
  Match: any
  Drop (default action)
    0 packets, 0 bytes
