Difference between revisions of "Netband Project - Zone based Firewall(ZFW)"
From Teknologisk videncenter
(→Branch router with DMZ) |
|||
| Line 3: | Line 3: | ||
==Branch router with DMZ== | ==Branch router with DMZ== | ||
| + | In this exaple the configuration will what you would expect from a branch office with inside and outside interface and a DMZ for local servers. | ||
| + | ZFW is not like IOS firewalling with ip inspect, the inspect firewall is a per interface rule firewall where ZFW is a direction firewall with one-to-one, one-to-many or many-to-many. | ||
| + | |||
| + | <pre>vlan 2 | ||
| + | name INSIDE | ||
| + | vlan 3 | ||
| + | name OUTSIDE | ||
| + | vlan 4 | ||
| + | name DMZ | ||
| + | ! | ||
| + | ! | ||
| + | interface vlan 2 | ||
| + | description Inside interface | ||
| + | ip address 10.0.0.1 255.255.255.0 | ||
| + | zone-member security INSIDE-ZONE | ||
| + | ! | ||
| + | interface vlan 3 | ||
| + | description Outside interface | ||
| + | ip address 80.225.34.13 255.255.255.0 | ||
| + | zone-member security OUTSIDE-ZONE | ||
| + | ! | ||
| + | interface vlan 4 | ||
| + | description DMZ interface | ||
| + | zone-member security DMZ-ZONE | ||
| + | ! | ||
| + | |||
| + | </pre> | ||
===HTTP Aplication inspection=== | ===HTTP Aplication inspection=== | ||
<pre>parameter-map type regex uri_regex_cm | <pre>parameter-map type regex uri_regex_cm | ||
Revision as of 11:26, 27 April 2009
<accesscontrol>NetBand</accesscontrol>
This page is part of the Netband Project
Branch router with DMZ
In this exaple the configuration will what you would expect from a branch office with inside and outside interface and a DMZ for local servers. ZFW is not like IOS firewalling with ip inspect, the inspect firewall is a per interface rule firewall where ZFW is a direction firewall with one-to-one, one-to-many or many-to-many.
vlan 2 name INSIDE vlan 3 name OUTSIDE vlan 4 name DMZ ! ! interface vlan 2 description Inside interface ip address 10.0.0.1 255.255.255.0 zone-member security INSIDE-ZONE ! interface vlan 3 description Outside interface ip address 80.225.34.13 255.255.255.0 zone-member security OUTSIDE-ZONE ! interface vlan 4 description DMZ interface zone-member security DMZ-ZONE !
HTTP Aplication inspection
parameter-map type regex uri_regex_cm pattern ..*cmd.exe. pattern ..*sex. pattern ..*gambling. ! class-map type inspect http match-all uri_check_cm match request uri regex uri_regex_cm ! class-map type inspect match-any INSIDE-OUT-HTTP match protocol http ! policy-map type inspect http uri_check_pm class type inspect http uri_check_cm reset class class-default ! policy-map type inspect INSIDE-OUT-PMAP class type inspect INSIDE-OUT-HTTP inspect service-policy http uri_check_pm
External links
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html