Enable ZBFW
From DocWiki
(→Related Information) |
(→Configuration) |
||
| Line 50: | Line 50: | ||
ZBFW(config)#zone sec out | ZBFW(config)#zone sec out | ||
| + | |||
ZBFW(config-sec-zone)#exit | ZBFW(config-sec-zone)#exit | ||
| + | |||
ZBFW(config)#zone sec in | ZBFW(config)#zone sec in | ||
| + | |||
ZBFW(config-sec-zone)#exit | ZBFW(config-sec-zone)#exit | ||
ZBFW(config)#ip access-list exte insp-traffic | ZBFW(config)#ip access-list exte insp-traffic | ||
| + | |||
ZBFW(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any | ZBFW(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any | ||
| + | |||
ZBFW(config-ext-nacl)#exit | ZBFW(config-ext-nacl)#exit | ||
| + | |||
ZBFW(config)#class-map type inspect match-any insp-traffic | ZBFW(config)#class-map type inspect match-any insp-traffic | ||
| + | |||
ZBFW(config-cmap)#match access-group name insp-traffic | ZBFW(config-cmap)#match access-group name insp-traffic | ||
| + | |||
ZBFW(config-cmap)#exit | ZBFW(config-cmap)#exit | ||
| + | |||
| + | |||
ZBFW(config)#class-map type inspect match-any insp-traffic-protocol | ZBFW(config)#class-map type inspect match-any insp-traffic-protocol | ||
| + | |||
ZBFW(config-cmap)#match protocol tcp | ZBFW(config-cmap)#match protocol tcp | ||
| + | |||
ZBFW(config-cmap)#match protocol udp | ZBFW(config-cmap)#match protocol udp | ||
| + | |||
ZBFW(config-cmap)#match protocol icmp | ZBFW(config-cmap)#match protocol icmp | ||
| + | |||
ZBFW(config-cmap)#exit | ZBFW(config-cmap)#exit | ||
| + | |||
| + | |||
ZBFW(config)#class-map type inspect match-all inspection-outbound | ZBFW(config)#class-map type inspect match-all inspection-outbound | ||
| + | |||
ZBFW(config-cmap)#match class insp-traffic | ZBFW(config-cmap)#match class insp-traffic | ||
| + | |||
ZBFW(config-cmap)#match class insp-traffic-protocol | ZBFW(config-cmap)#match class insp-traffic-protocol | ||
| + | |||
ZBFW(config-cmap)#exit | ZBFW(config-cmap)#exit | ||
| + | |||
| + | |||
| + | |||
ZBFW(config)#policy-map type inspect outbound | ZBFW(config)#policy-map type inspect outbound | ||
| + | |||
ZBFW(config-pmap)#class inspection-outbound | ZBFW(config-pmap)#class inspection-outbound | ||
| + | |||
ZBFW(config-pmap-c)#insp | ZBFW(config-pmap-c)#insp | ||
| + | |||
ZBFW(config-pmap-c)#inspect | ZBFW(config-pmap-c)#inspect | ||
| + | |||
ZBFW(config-pmap-c)#exit | ZBFW(config-pmap-c)#exit | ||
| + | |||
ZBFW(config-pmap)#exit | ZBFW(config-pmap)#exit | ||
| + | |||
| + | |||
ZBFW(config)#zone-pair sec in-out source in destination out | ZBFW(config)#zone-pair sec in-out source in destination out | ||
| + | |||
ZBFW(config-sec-zone-pair)#service-policy type inspect outbound | ZBFW(config-sec-zone-pair)#service-policy type inspect outbound | ||
| + | |||
ZBFW(config-sec-zone-pair)#exit | ZBFW(config-sec-zone-pair)#exit | ||
| + | |||
ZBFW(config)# | ZBFW(config)# | ||
| + | |||
| + | |||
ZBFW(config)#int f0/0 | ZBFW(config)#int f0/0 | ||
| + | |||
ZBFW(config-if)#zone-member security out | ZBFW(config-if)#zone-member security out | ||
| + | |||
ZBFW(config-if)#exit | ZBFW(config-if)#exit | ||
| + | |||
| + | |||
| + | |||
ZBFW(config)#int f0/1 | ZBFW(config)#int f0/1 | ||
| + | |||
ZBFW(config-if)#zone-member security in | ZBFW(config-if)#zone-member security in | ||
| + | |||
ZBFW(config-if)#exit | ZBFW(config-if)#exit | ||
| + | |||
ZBFW(config)# | ZBFW(config)# | ||
Revision as of 18:14, 23 June 2010
Contents |
Introduction
ZBFW is a feature set of IOSFW where we assign the router interfaces into different zones depending upon the requirement. This way we are applying inspection to the traffic moving between zones not interfaces. While using ZBFW we have more flexibility as compared to CBAC.In CBAC we configure inspection policies with ACL rules to define the IOSFW feature set however these inspection policies and ACL rules are applicable to all the traffic leaving or entering a respective interface of the router. In ZBFW we can use object-groups or ACLS to perform inspection of interested traffic along with class-maps and policy-maps which in turns provide more flexibility as compared to CBAC.Also multiple inspection rules and ACL on several interfaces of router make it more difficult to correlate the policies that will be applied to traffic flow between multiple interfaces as in case of CBAC.
ZBFW offers following features
- Application inspection
- Statefull inspection
- Local URL filtering
- Transparent firewall
Things to remember about ZBFW
- The policies configured from one zone to another are unidirectional in nature.
- By default the traffic flow between the inter-zones is “DENY ALL”.
- By default the traffic flow to or from “SELF” zone to another zone is “ALLOW ALL” and we can restrict the same with the help of class-maps along with respective actions.
- By default the traffic flow between the intra-zones is “Allow ALL” and we can’t restrict or apply any kind of inspection to the same.
- An interface can be assigned to only one security zone.
- Traffic cannot flow between a zone-member interface and any interface which is not a *zone-member, so that means every interface should be assigned to a zone.
- We can apply multiple classes along with respective action per zone-pair.
Steps to configure ZBFW
- Identify and define network zones.
- Determine the traffic flow between the respective zones.
- Define class-maps to describe traffic between zones.
- Associate class-maps with policy-maps to define actions to the respective traffic flow.
- Set up zone pairs for any policy other than deny all.
- Assign policy-maps to zone-pairs.
- Now assign interfaces to zones.
- The final step would be validate the configuration by passing some interested traffic.
Design
Server—–R1(ZBFW)—-Client Client :- 10.10.10.2 R1 LAN interface:- 10.10.10.1 R1 WAN interface:- 2.2.2.1 Server :- 2.2.2.2
Configuration
ZBFW(config)#zone sec out
ZBFW(config-sec-zone)#exit
ZBFW(config)#zone sec in
ZBFW(config-sec-zone)#exit
ZBFW(config)#ip access-list exte insp-traffic
ZBFW(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any
ZBFW(config-ext-nacl)#exit
ZBFW(config)#class-map type inspect match-any insp-traffic
ZBFW(config-cmap)#match access-group name insp-traffic
ZBFW(config-cmap)#exit
ZBFW(config)#class-map type inspect match-any insp-traffic-protocol
ZBFW(config-cmap)#match protocol tcp
ZBFW(config-cmap)#match protocol udp
ZBFW(config-cmap)#match protocol icmp
ZBFW(config-cmap)#exit
ZBFW(config)#class-map type inspect match-all inspection-outbound
ZBFW(config-cmap)#match class insp-traffic
ZBFW(config-cmap)#match class insp-traffic-protocol
ZBFW(config-cmap)#exit
ZBFW(config)#policy-map type inspect outbound
ZBFW(config-pmap)#class inspection-outbound
ZBFW(config-pmap-c)#insp
ZBFW(config-pmap-c)#inspect
ZBFW(config-pmap-c)#exit
ZBFW(config-pmap)#exit
ZBFW(config)#zone-pair sec in-out source in destination out
ZBFW(config-sec-zone-pair)#service-policy type inspect outbound
ZBFW(config-sec-zone-pair)#exit
ZBFW(config)#
ZBFW(config)#int f0/0
ZBFW(config-if)#zone-member security out
ZBFW(config-if)#exit
ZBFW(config)#int f0/1
ZBFW(config-if)#zone-member security in
ZBFW(config-if)#exit
ZBFW(config)#
Related show Commands
This section provides information you can use to confirm your configuration is working properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
ZBFW#sh policy-map type inspect zone-pair in-out sessions Zone-pair: in-out
Service-policy inspect : outbound
Class-map: inspection-outbound (match-all)
Match: class-map match-any insp-traffic
Match: access-group name insp-traffic
4 packets, 135 bytes
30 second rate 0 bps
Match: class-map match-any insp-traffic-protocol
Match: protocol tcp
1 packets, 28 bytes
30 second rate 0 bps
Match: protocol udp
2 packets, 67 bytes
30 second rate 0 bps
Match: protocol icmp
1 packets, 40 bytes
30 second rate 0 bps
Inspect
Established Sessions
Session 669F65F4 (10.10.10.2:1086)=>(2.2.2.2:23) tcp SIS_OPEN
Created 00:00:18, Last heard 00:00:13
Bytes sent (initiator:responder) [45:84]
Session 669F6064 (10.10.10.2:8)=>(3.3.3.1:0) icmp SIS_OPEN
Created 00:02:14, Last heard 00:00:00
ECHO request
Bytes sent (initiator:responder) [4320:4288]
Class-map: class-default (match-any)
Match: any
Drop (default action)
1 packets, 219 bytes
Show running-config
Add show running config of your device
