Latest revision as of 15:25, 15 October 2009

Zone based Firewall(ZFW)

This page is part of the Netband Project

Branch router with DMZ

In this example the configuration will what you would expect from a branch office with an inside, outside and a DMZ interface for local servers. ZFW is not like IOS firewalling with ip inspect, the inspect firewall is a per interface rule firewall where ZFW is a direction firewall with one-to-one, one-to-many or many-to-many.

Vlans

Creating vlans to make the vlan interfaces on

vlan 2
 name INSIDE
vlan 3
 name OUTSIDE
vlan 4
 name DMZ

Security zones

Declaring Zones which will be mapped to the interfaces

zone security INSIDE-ZONE
zone security OUTSIDE-ZONE
zone security DMZ-ZONE

Vlan interfaces

Creating vlan interfaces for the different zones

interface vlan 2
 description Inside interface
 ip address 10.0.0.1 255.255.255.0
 zone-member security INSIDE-ZONE
!
interface vlan 3
 description Outside interface
 ip address 80.225.34.13 255.255.255.0
 zone-member security OUTSIDE-ZONE
!
interface vlan 4
 description DMZ interface
 zone-member security DMZ-ZONE

Customizing your matches

If you need a custom tcp port to be allowed to pass through the zones

ip port-map user-streaming port tcp 8000 description Custom Video Streaming port

Create a parameter map of regular expressions your http requests will be matched against

parameter-map type regex URLS-PARAMAP
 pattern ..*cmd.exe.
 pattern ..*sex.
 pattern ..*gambling.

Class-maps

This will specify what traffic the class-maps will match on.

class-map type inspect match-any INSIDE-OUTSIDE-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-any INSIDE-DMZ-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-any OUTSIDE-DMZ-CMAP
 match protocol http
 match protocol https
 match protocol user-streaming
!
class-map type inspect http match-all URLS-CMAP
 match request uri regex URLS-PARAMAP

Policy-maps

This will make a policy-map witch will descripe what actions to take on the trafik that matches our class-maps

policy-map type inspect http URLS-PMAP
 class type inspect http URLS-CMAP
  reset
 class class-default
!
policy-map type inspect OUTSIDE-DMZ-PMAP
 class type inspect OUTSIDE-DMZ-CMAP
  inspect
 class class-default
  drop
!
policy-map type inspect INSIDE-OUTSIDE-PMAP
 class type inspect INSIDE-OUTSIDE-CMAP
  inspect
 service-policy http URLS-PMAP
 class class-default
  drop
!
policy-map type inspect INSIDE-DMZ-PMAP
 class type inspect INSIDE-DMZ-CMAP
  inspect
 class class-default
  drop

Zone-pairs

And the we need to map zones together in zone-pairs with a traffic direction and connect the policy-maps to them

zone-pair security INSIDE-OUTSIDE-ZONEP source INSIDE-ZONE destination OUTSIDE-ZONE
 service-policy type inspect INSIDE-OUTSIDE-PMAP
!
zone-pair security INSIDE-DMZ-ZONEP source INSIDE-ZONE destination DMZ-ZONE
 service-policy type inspect INSIDE-DMZ-PMAP
!
zone-pair security OUTSIDE-DMZ-ZONEP source OUTSIDE-ZONE destination DMZ-ZONE
 service-policy type inspect OUTSIDE-DMZ-PMAP

Nifty Features

All this zone-based firewalling is not only a layer3 thing.
Try creating a bridging interface and make it your Layer3 link and assign two vlan to that bridge group. Now it is possible to place 2 servers in different vlans, but in the same layer 2 subnet and still have a firewall between them.
Now you have a Layer 2 firewall:-)

External links

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html