Cisco IOS Zone-Based Policy Firewall Overview

Date post: 05-Jul-2018
Upload: faysal-bensalah
  • 8/16/2019 Cisco IOS Zone-Based Policy Firewall Overview

    1/68

BRKCRT-2006

CCNA-Security/CCSP: Cisco IOS Zone-Based Policy Firewall Overview

2/68

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential BRKCRT-2006_c1

    Zone-Based Policy Firewall

    ZFW (aka Zone-Policy Firewall, ZBP, and ZFP)

    Covered in IINS (CCNA Security)

    Covered in SNRS (CCSP), more depth

    Covered in CCIE R&S Lab Exam

3/68

    Agenda

    Overview of ZFW Operations

    ZFW CLI Configurations

Cisco Configuration Professional (CCP) Demo on ZFW

    Sample ZFW Exam Items

    Demo on How to Use Packet Tracer (PT) ZFW Lab

4/68

In the Beginning… ACLs

Early firewalls were ACLs configured on routers to restrict traffic, providing initial access policy

Figure: Trusted network, router, Untrusted Internet

# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard

5/68

Then… Cisco IOS Classic Firewall

The next generation of firewalls, such as Cisco IOS Classic Firewall (formerly CBAC), offered interface-based firewall services

Traffic entering or leaving an interface is inspected for service conformance; if traffic matches the requirements, the return traffic is allowed back through the firewall

Figure: Trusted network, router, Untrusted Internet

# ip inspect name inspection-name protocol
# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
# ip inspect inspection-name {in | out}

6/68

    Cisco IOS ZFW

    ZFW Introduces a New Firewall Configuration Model:

    Allows grouping of physical and virtual interfaces into zones

    Applies unidirectional policies between zones, not interfaces

Simple to add or remove interfaces, integrating them into a firewall policy

Default policy for inter-zone traffic is DENY ALL

Requires Cisco IOS version 12.4(6)T or later

Figure: Private, Public and DMZ zones with Private-Public, Public-DMZ and Private-DMZ policies; the Public zone faces the Internet

7/68

    Benefits of Cisco IOS ZFW

A ZFW is not dependent on ACLs

The security posture is block unless explicitly allowed

Cisco Policy Language (CPL; aka Cisco Common Classification Policy Language, C3PL) makes policies easy to read and troubleshoot

One policy may be applied to any given traffic rather than requiring multiple ACLs and inspection actions

8/68

    Security Zones

Interfaces in two different zones: traffic will not flow between the interfaces until a policy is defined to allow the traffic

E1 will not flow to S3

Interfaces not in zones: traffic will flow between them

E2 will flow to S4

Interfaces in a zone communicating to interfaces not in a zone: traffic will not flow between them

E1 will not flow to S4

Figure: interfaces E0, E1, E2, S3 and S4; zone Private and zone Public; S4 not in any security zone

9/68

Zoning Rules

Source Interface (zone member?) | Dest. Interface (zone member?) | Zone-pair (exists?) | CPL Policy (exists?) | Result
NO | NO | N/A | N/A | PASS
YES | NO | N/A | N/A | DROP
NO | YES | N/A | N/A | DROP
YES (Private) | YES (Private) | N/A | N/A | No CPL actions
YES (Private) | YES (Public) | NO | N/A | DROP
YES (Private) | YES (Public) | YES | NO | DROP
YES (Private) | YES (Public) | YES | YES | CPL actions

A zone-pair requires different zones as source and destination.

10/68

Zoning Rules (Cont.)

Source Interface (zone member?) | Dest. Interface (zone member?) | Zone-pair (exists?) | CPL Policy (exists?) | Result
YES (self-zone) | YES | NO | - | PASS
YES (self-zone) | YES | YES | NO | PASS
YES (self-zone) | YES | YES | YES | CPL actions
YES | YES (self-zone) | NO | - | PASS
YES | YES (self-zone) | YES | NO | PASS
YES | YES (self-zone) | YES | YES | CPL actions

Router IP addresses default to the self-zone.

The self-zone is an exception to the deny-all policy: traffic is allowed until denied.
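The two zoning-rules tables above as an executable decision function, added here as an example and not Cisco code. Interface names follow the Security Zones figure (E0/E1 private, S3 public, E2/S4 unzoned); the zone-pairs and the policy-map names are constructed.

```python
"""Executable form of the zoning-rules tables. Added example, not Cisco code:
interface names follow the Security Zones figure (E0/E1 private, S3 public,
E2/S4 unzoned); the zone-pairs and policy-map names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Traffic to or from the router's own IP addresses belongs to the built-in
# zone named "self", the exception to the inter-zone deny-all posture.
SELF_ZONE = "self"


@dataclass
class ZfwConfig:
    # interface name -> zone name; an interface absent here is in no zone
    members: Dict[str, str] = field(default_factory=dict)
    # (source zone, destination zone) -> attached policy-map name, or None
    # when the zone-pair exists but no service-policy is applied to it
    zone_pairs: Dict[Tuple[str, str], Optional[str]] = field(default_factory=dict)


def zone_of(cfg: ZfwConfig, interface: str) -> Optional[str]:
    return cfg.members.get(interface)


def zoning_result(cfg: ZfwConfig, src_zone: Optional[str], dst_zone: Optional[str]) -> str:
    """Return the tables' Result column; None means 'not a zone member'."""
    pair = (src_zone, dst_zone)
    has_policy = pair in cfg.zone_pairs and cfg.zone_pairs[pair] is not None
    if SELF_ZONE in pair:
        # Self-zone rows: allowed until a zone-pair with a policy denies it
        return "CPL actions" if has_policy else "PASS"
    if src_zone is None and dst_zone is None:
        return "PASS"                 # neither interface zoned: legacy forwarding
    if src_zone is None or dst_zone is None:
        return "DROP"                 # zoned <-> unzoned never flows
    if src_zone == dst_zone:
        return "No CPL actions"       # intra-zone traffic is not policed
    if not has_policy:
        return "DROP"                 # no zone-pair, or a pair without a policy
    return "CPL actions"              # the policy-map's class actions decide


def decide(cfg: ZfwConfig, in_if: str, out_if: str) -> str:
    """Interface-to-interface form of the same decision."""
    return zoning_result(cfg, zone_of(cfg, in_if), zone_of(cfg, out_if))


# No zone-pairs yet: the situation on the Security Zones slide.
NO_PAIRS = ZfwConfig(members={"E0": "private", "E1": "private", "S3": "public"})
# A private->public zone-pair without, then with, a service-policy attached.
PAIR_NO_POLICY = ZfwConfig(members=dict(NO_PAIRS.members),
                           zone_pairs={("private", "public"): None})
PAIR_WITH_POLICY = ZfwConfig(members=dict(NO_PAIRS.members),
                             zone_pairs={("private", "public"): "private-to-public-policy"})

if __name__ == "__main__":
    for src, dst in [("E1", "S3"), ("E2", "S4"), ("E1", "S4"), ("E0", "E1")]:
        print(f"{src} -> {dst}: {decide(NO_PAIRS, src, dst)}")
    print("private -> public, pair with policy:", zoning_result(PAIR_WITH_POLICY, "private", "public"))
    print("public -> private, no pair (unidirectional):", zoning_result(PAIR_WITH_POLICY, "public", "private"))
    print("public -> self, no pair:", zoning_result(NO_PAIRS, "public", SELF_ZONE))
```

The public -> private case shows why a single zone-pair is unidirectional: return traffic is only admitted by the inspect action, never by the existence of the forward pair.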

11/68

Steps to Configure a ZFW Firewall

1. Define zones
2. Define class-maps that describe traffic that must have policy applied as it crosses a zone-pair
3. Define policy-maps to apply action to your class-maps traffic
4. Define zone-pairs
5. Apply policy-maps to zone-pairs
6. Assign interfaces to zones

Figure: Private, Public and DMZ zones with Private-Public, Public-DMZ and Private-DMZ policies; the Public zone faces the Internet

12/68

    Configuring ZFW Security Zones

    Define Security Zones and Zone-Pairs:

    Identify interfaces that share security parameters,

    group them into security zones

    Determine traffic flow requirements between zones

Figure: interfaces Fa0/0, Fa0/1 and Serial0/0/0; DMZ zone, Public zone and Private zone

13/68

Security Zone Configuration Example

zone security private
zone security public

Figure: Private zone and Public zone facing the Internet

14/68

Steps to Configure a ZFW Firewall (same six steps and figure repeated; step 2, define class-maps, highlighted)

16/68

    Configuring ZFW Class-Maps (Cont.)

Combining Match Criteria: Match-Any versus Match-All

Class-maps can apply match-any or match-all operators to determine how to apply the match criteria

match-any: traffic must meet only one of the match criteria in the class-map (default)

match-all: traffic must match all of the class-map's criteria in order to belong to that particular class

Match criteria must be applied in order from more specific to less specific, if traffic meets multiple criteria

17/68

    Class-Maps Configuration Example

class-map type inspect match-any telnet-protocol
 match protocol telnet

Figure: Private zone to Public zone (Internet); Telnet, Telnet return traffic, Any other traffic

18/68

Steps to Configure a ZFW Firewall (same six steps and figure repeated; step 3, define policy-maps, highlighted)

19/68

    Configuring ZFW Policy-Maps

Policy-maps apply actions to class-maps and define the service-policy that will be applied to a security zone-pair

ZFW provides three actions for inter-zone traffic:

Drop: discards unwanted traffic. Also the default action, as applied by the class class-default that terminates every inspect-type policy-map.

Pass: a stateless action that allows the router to forward traffic from one zone to another

Inspect: an action that offers state-based traffic control. The router maintains session information for TCP and UDP and permits return traffic.

20/68

    Policy-Maps Configuration Example

policy-map type inspect private-to-public-policy
 class type inspect telnet-protocol
  inspect

Figure: Private zone to Public zone (Internet); Telnet (Inspect), Telnet return traffic, Any other traffic

21/68

Steps to Configure a ZFW Firewall (same six steps and figure repeated; steps 4 and 5, define zone-pairs and apply policy-maps to zone-pairs, highlighted)

22/68

    Configuring ZFW Security Zones

    Define Security Zone-Pairs:

    Establish zone-pairs for inter-zone traffic

Figure: interfaces Fa0/0, Fa0/1 and Serial0/0/0; DMZ zone, Public zone and Private zone

23/68

    Apply ZFW Policy-Maps to Zone-Pairs

Use the service-policy type inspect command to attach a policy-map and its associated actions to a zone-pair

Enter the command after entering the zone-pair security command

24/68

Zone-Pair with Policy-Map Configuration Example

zone-pair security private-public source private destination public
 service-policy type inspect private-to-public-policy

Figure: Zone-Pair: Private-Public; Private zone to Public zone (Internet)

25/68

Steps to Configure a ZFW Firewall (same six steps and figure repeated)

26/68

    Apply Interfaces to Zones

All traffic to and from an interface in a security zone is dropped by default (exception is self-zone)

To permit traffic, the zone that an interface belongs to must be part of a zone-pair with an applied policy

If the policy permits traffic (via inspect or pass actions), traffic can flow through the interface

27/68

Zone-Member Configuration Example

interface FastEthernet 0/0
 zone-member security private
!
interface Serial 0/0/0
 zone-member security public

Figure: Zone-Pair: Private-Public; Fa0/0 in the Private zone, Serial0/0/0 in the Public zone facing the Internet

28/68

    Basic ZFW Configuration

Figure: Fa0/0 in the Private zone, Serial0/0/0 in the Public zone facing the Internet; Telnet (Inspect), Telnet return traffic, Any other traffic

29/68

Basic ZFW Configuration (Cont.)

class-map type inspect match-any telnet-protocol
 match protocol telnet
!
policy-map type inspect private-to-public-policy
 class type inspect telnet-protocol
  inspect
!
zone security private
zone security public
!
interface FastEthernet 0/0
 zone-member security private
!
interface Serial 0/0/0
 zone-member security public
!
zone-pair security private-to-public source private destination public
 service-policy type inspect private-to-public-policy

30/68

ZFW Verification

R1# show policy-map type inspect zone-pair sessions
 policy exists on zp private-to-public
  Zone-pair: private-to-public

  Service-policy inspect : private-to-public-policy

    Class-map: telnet-protocol (match-any)
      Match: protocol telnet
        1 packets, 28 bytes
        30 second rate 0 bps
      Inspect
        Number of Established Sessions = 1
        Established Sessions
          Session 656986C0 (192.168.10.2:1051)=>(10.1.1.2:23) telnet:tcp SIS_OPEN
            Created 00:03:18, Last heard 00:00:10
            Bytes sent (initiator:responder) [92:2727]

    Class-map: class-default (match-any)
      Match: any
      Drop
        6 packets, 1275 bytes
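The output above parsed into per-class counters and established sessions, so the class-default drop count and session states can be tracked over time; this is an added example, not Cisco code. SAMPLE re-types the slide's output, and the line layout is assumed to match what the slide shows.

```python
"""Parser for 'show policy-map type inspect zone-pair sessions' output.
Added example, not Cisco code. SAMPLE is the slide's output re-typed here;
the parser assumes the line layout the slide shows (indentation ignored)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
R1# show policy-map type inspect zone-pair sessions
 policy exists on zp private-to-public
  Zone-pair: private-to-public
  Service-policy inspect : private-to-public-policy
    Class-map: telnet-protocol (match-any)
      Match: protocol telnet
        1 packets, 28 bytes
        30 second rate 0 bps
      Inspect
        Number of Established Sessions = 1
        Established Sessions
          Session 656986C0 (192.168.10.2:1051)=>(10.1.1.2:23) telnet:tcp SIS_OPEN
            Created 00:03:18, Last heard 00:00:10
            Bytes sent (initiator:responder) [92:2727]
    Class-map: class-default (match-any)
      Match: any
      Drop
        6 packets, 1275 bytes
"""

ZP_RE = re.compile(r"Zone-pair:\s+(\S+)")
SP_RE = re.compile(r"Service-policy inspect\s*:\s*(\S+)")
CLASS_RE = re.compile(r"Class-map:\s+(\S+)\s+\((match-\w+)\)")
PKTS_RE = re.compile(r"(\d+)\s+packets,\s+(\d+)\s+bytes")
# Session <id> (<src ip:port>)=>(<dst ip:port>) <app>:<l4> <state>
SESSION_RE = re.compile(
    r"Session\s+([0-9A-Fa-f]+)\s+\(([^)]+)\)=>\(([^)]+)\)\s+(\S+):(\S+)\s+(\S+)")
ACTIONS = {"Inspect": "inspect", "Drop": "drop", "Pass": "pass"}


@dataclass
class Session:
    sid: str
    src: str
    dst: str
    app: str
    l4: str
    state: str


@dataclass
class ClassStats:
    name: str
    operator: str
    action: Optional[str] = None
    packets: int = 0
    bytes: int = 0
    sessions: List[Session] = field(default_factory=list)


@dataclass
class ZonePairStats:
    zone_pair: str = ""
    policy: str = ""
    classes: Dict[str, ClassStats] = field(default_factory=dict)


def parse_zone_pair_sessions(text: str) -> ZonePairStats:
    """Walk the output line by line; counters, action and sessions are
    attributed to the most recently seen Class-map."""
    stats = ZonePairStats()
    current: Optional[ClassStats] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZP_RE.match(line):
            stats.zone_pair = m.group(1)
        elif m := SP_RE.match(line):
            stats.policy = m.group(1)
        elif m := CLASS_RE.match(line):
            current = ClassStats(m.group(1), m.group(2))
            stats.classes[current.name] = current
        elif current is None:
            continue                      # header lines before the first class
        elif line in ACTIONS:
            current.action = ACTIONS[line]
        elif m := PKTS_RE.match(line):
            current.packets, current.bytes = int(m.group(1)), int(m.group(2))
        elif m := SESSION_RE.match(line):
            current.sessions.append(Session(*m.groups()))
    return stats


def class_default_drops(stats: ZonePairStats) -> int:
    """Packets that matched no configured class and hit the implicit drop."""
    cls = stats.classes.get("class-default")
    return cls.packets if cls else 0


def sessions_not_open(stats: ZonePairStats) -> List[Session]:
    """Sessions in any state other than SIS_OPEN, worth a closer look."""
    return [s for c in stats.classes.values() for s in c.sessions if s.state != "SIS_OPEN"]
```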

31/68

Other Verification Commands

show class-map type inspect [protocol-name] [class-map-name]

show zone security [zone-name]

show zone-pair security [source source-zone-name] [destination destination-zone-name]

show policy-map type inspect [policy-map-name]

32/68

    Review ZFW Class-Maps

class-map type inspect match-any insp-traffic
 match protocol ftp
 match protocol http
 match protocol icmp
 match protocol tcp

policy-map type inspect mypolicy
 class type inspect insp-traffic
  inspect

zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect mypolicy

Order of match statements important

Classification exits on first match
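A small simulation of the classification rules the slide states (first match wins, match-any versus match-all as defined on the Class-Maps slide, fall-through to class-default drop), added here as an example and not Cisco code. The Flow model and the rule that "match protocol X" hits on the flow's application protocol, or on its transport protocol when X is tcp/udp/icmp, are constructed simplifications of ZFW protocol recognition.

```python
"""Simulation of ZFW class-map / policy-map classification. Added example,
not Cisco code: Flow and the protocol-recognition rule are constructed
simplifications; INSP_TRAFFIC and MYPOLICY mirror the slide's configuration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRANSPORT = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Flow:
    l4: str    # transport protocol: tcp, udp or icmp
    app: str   # application protocol as the inspect engine identifies it


@dataclass
class ClassMap:
    name: str
    operator: str          # "match-any" or "match-all"
    protocols: List[str]   # 'match protocol' statements in configured order

    def _hits(self, flow: Flow) -> List[str]:
        # A statement hits on the application protocol, or on the transport
        # protocol for the generic tcp/udp/icmp matches.
        return [p for p in self.protocols
                if p == flow.app or (p in TRANSPORT and p == flow.l4)]

    def match(self, flow: Flow) -> Optional[str]:
        """Statement that classified the flow, or None if the class misses.
        For match-any this is the first hit in configured order, which is
        also the inspection engine the session will get."""
        hits = self._hits(flow)
        if self.operator == "match-all":
            return hits[0] if hits and len(hits) == len(self.protocols) else None
        return hits[0] if hits else None


@dataclass
class PolicyClass:
    cmap: ClassMap
    action: str            # inspect, pass or drop


@dataclass
class PolicyMap:
    name: str
    classes: List[PolicyClass]

    def classify(self, flow: Flow) -> Tuple[str, str, Optional[str]]:
        """(class name, action, matching statement) for the first class that
        matches; class-default/drop terminates every inspect policy-map."""
        for pc in self.classes:
            stmt = pc.cmap.match(flow)
            if stmt is not None:
                return pc.cmap.name, pc.action, stmt
        return "class-default", "drop", None


# The slide's insp-traffic class and mypolicy, as configured above.
INSP_TRAFFIC = ClassMap("insp-traffic", "match-any", ["ftp", "http", "icmp", "tcp"])
MYPOLICY = PolicyMap("mypolicy", [PolicyClass(INSP_TRAFFIC, "inspect")])
# Constructed variant: the generic 'match protocol tcp' moved to the top.
TCP_FIRST = ClassMap("insp-traffic", "match-any", ["tcp", "ftp", "http", "icmp"])
TCP_FIRST_POLICY = PolicyMap("mypolicy", [PolicyClass(TCP_FIRST, "inspect")])

HTTP_FLOW = Flow("tcp", "http")
DNS_FLOW = Flow("udp", "dns")

if __name__ == "__main__":
    print("as configured:", MYPOLICY.classify(HTTP_FLOW))         # http engine
    print("tcp first    :", TCP_FIRST_POLICY.classify(HTTP_FLOW))  # generic tcp only
    print("udp dns      :", MYPOLICY.classify(DNS_FLOW))           # class-default drop
```

With the generic tcp match first, HTTP is still inspected but only as a TCP session, so the HTTP-specific engine (and any L7 AIC policy tied to it) never sees the flow; UDP DNS matches nothing in this policy and is dropped.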

34/68

    Overview of ZFW Parameter-Maps

Parameter-maps specify inspection behavior for ZFW

Parameters include connection thresholds, timeouts, and other elements pertaining to the inspect action

Examples of use include DoS protection, TCP connection/UDP session timers, and audit-trail logging settings

35/68

Overview of ZFW Parameter-Maps (Cont.)

Verification:

show parameter-map type inspect [default]

class-map type inspect match-all inspect-traffic
 match protocol tcp

parameter-map type inspect insp-params
 audit-trail on
 tcp synwait-time 10

policy-map type inspect mypolicy
 class type inspect inspect-traffic
  inspect insp-params

zone-pair security in-out source in-zone dest out-zone
 service-policy type inspect mypolicy

Annotations: the parameter-map carries the parameters for inspection; "inspect insp-params" is the inspect action with the specified parameters

36/68

    ZFW Application Inspection

Application inspection policies are applied at layer 7 of the OSI model

Applications may offer undesired capabilities or vulnerabilities. Messages associated with these capabilities can be filtered.

Application inspection and control (AIC) varies in capability per service

37/68

    Configuring ZFW AIC

AIC is configured as an additional set of application-specific class-maps and policy-maps (aka L7)

AIC is then applied to existing inspection class-maps and policy-maps by defining the application service-policy in the inspection policy-map (aka L3/4)

38/68

ZFW HTTP AIC Example

class-map type inspect http match-any http-aic-cmap
 match request port-misuse any
 match req-resp protocol-violation

policy-map type inspect http http-aic-pmap
 class type inspect http http-aic-cmap
  reset
  log

class-map type inspect match-any http-cmap
 match protocol http

class-map type inspect match-any other-traffic-cmap
 match protocol smtp
 match protocol dns
 match protocol ftp

policy-map type inspect priv-pub-pmap
 class type inspect http-cmap
  inspect
  service-policy http http-aic-pmap
 class type inspect other-traffic-cmap
  inspect

Annotations: http-aic-cmap configures the actions that are not permitted; http-aic-pmap defines the actions to be applied to unwanted traffic; http-cmap defines the class-map for stateful HTTP inspection; other-traffic-cmap defines the class-map for stateful inspection of other traffic; priv-pub-pmap defines the policy-map and associates class-maps and actions.

39/68

    CCP ZFW Demo

40/68

CCP ZFW Instructor Demo

class-map type inspect match-all telnet-class
 match protocol telnet
!
policy-map type inspect private-to-internet
 class type inspect telnet-class
  inspect
!
zone security private
zone security internet
!
interface Vlan1
 description inside interface
 ip address 10.10.10.1 255.255.255.0
 zone-member security private
 ip nat inside
 no shut
!
interface FastEthernet4
 description outside interface
 ip address dhcp
 zone-member security internet
 ip nat outside
 no shut
!
zone-pair security private-to-internet source private destination internet
 service-policy type inspect private-to-internet

41/68

    CCP ZFW Instructor Demo—Zones

42/68

    CCP ZFW Instructor Demo—Zone Pairs

43/68

    CCP ZFW Instructor Demo—Class Map

44/68

CCP ZFW Instructor Demo—Policy Map

45/68

CCP ZFW Instructor Demo—Edit Firewall Policy

46/68

CCP ZFW Instructor Demo—Edit Firewall Policy

Permit Firewall = Inspect

Permit ACL = Pass

47/68

CCP ZFW Instructor Demo—Add Zone Policy

48/68

CCP ZFW Instructor Demo—Add Zone Policy

49/68

CCP ZFW Instructor Demo—Add Zone Policy: Resulting CLI Commands Preview

50/68

    CCP ZFW Instructor Demo—Wizards

    no dmz

    dmz

51/68

    ZFW Exam Item Samples

52/68

    ZFW Exam Items: Sample 1

Which three actions can be configured within an L3/L4 type inspect policy-map? (choose three)

A. Pass
B. Log
C. Inspect
D. Reset
E. Drop
F. Permit

53/68

ZFW Exam Items: Sample 2

What's wrong with the following ZFW configuration?

class-map type inspect match-all testclass
 match protocol telnet
 match protocol http
 match access-group 101
!
policy-map type inspect private-to-internet-policy
 class type inspect testclass
  pass
!
zone security private
zone security internet
!
interface fastethernet 0/0
 zone-member security private
!
interface fastethernet 0/1
 zone-member security internet
!
zone-pair security private-to-internet source private destination internet
 service-policy type inspect private-to-internet-policy
!

54/68

    ZFW Exam Items: Sample 3

Where is the Application (L7) Inspect Policy applied?

A. Within the L3/L4 type inspect class-map
B. Within the L3/L4 type inspect policy-map
C. Within the security zone-pair
D. Within each security zone

55/68

ZFW Exam Items: Sample 4

Based on the SDM screen shown:

1. What is the name of the policy-map applied for traffic moving from the in-zone to the out-zone?

2. What will happen to all the traffic moving from the in-zone to the out-zone that is not matched by any of the class-maps within the applied policy-map?

56/68

    ZFW Packet Tracer Demo

57/68

    ZFW Packet Tracer Lab Demo

Figure: ZFW router between IN-ZONE and OUT-ZONE

    Instructions for downloading Packet Tracer will be provided during the session.

58/68

    PT Device Access—PC

59/68

    PT Device Access—PC Desktop

60/68

PT Device Access—PC Desktop Web Browser

61/68

    PT Device Access—Router

62/68

    PT Device Access—Router Config

63/68

    PT Device Access—Router CLI

64/68

    Packet Tracer Download

    https://pt.netacad.net/downloads/pt/PacketTracer53_ BRKCRT-2006_setup.exe

    username: ptuser

    password: got_52yet?

65/68

    Supporting Sessions

    BRKSEC-2007: Deploying Cisco IOS Security

    LTRSEC-2007: Cisco IOS Security Features

BRKSEC-3007: Advanced Cisco IOS Security Features

BRKCRT-2062: CCSP: Securing Networks with ASA Fundamentals for CCNA Security and CCSP prep...

    BRKSEC-2020: Firewall Design and Deployment

    (Focuses on ASA/FWSM implementations)

    BRKSEC-3020: Advanced Firewalls

    (Focuses on ASA/FWSM implementations)

66/68

    Q&A

Complete Your Online Session Evaluation

67/68

    Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Cisco Preferred Access points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
