CCNA Security Ch13: Implementing Cisco IOS Zone-Based Firewalls

Upload: florinn81

Post on 01-Jun-2018


  • 8/9/2019 Ccna Security Ch13 Implementing Cisco IOS Zone-based Firewalls

    1/30

    Chapter 13: Implementing Cisco IOS Zone-Based Firewalls

I. Cisco IOS Zone-Based Firewall

1. How Zone-Based Firewall Operates

1. Zones are created, such as inside, outside, dmz, etc.

2. Policies are unidirectional; for example, a policy would have to be created for traffic from the inside to the outside. Stateful filtering will take care of return traffic. However, to allow traffic sourced from the outside to the inside, you would have to create an additional policy for that as well.

2. Specific Features of Zone-Based Firewalls

1. Stateful inspection
2. Application inspection
3. Packet filtering
4. URL filtering
5. Transparent firewall (implementation method)
6. Support for virtual routing and forwarding (VRF)
7. ACLs are not required as a filtering method to implement policy

3. Zones and Why We Need Pairs of Them

1. Zones are created and then interfaces are added to a zone. Multiple interfaces can join a zone, but only one zone. The Self-Zone is that of the router itself; traffic destined to the actual router (the router's IP address) is the self zone. By default all traffic is allowed in and out of the self zone.

2. By default traffic within a zone is allowed, even between interfaces of the same zone. However, you must create a zone pair and a unidirectional policy to allow traffic from one zone to another zone. Within this policy you can configure inspection and other policies. Policies are always unidirectional.

3. This policy could be configured to inspect the traffic and use the stateful database to keep track of return traffic.

4. You could also have a DMZ zone. A zone-pair would most likely be created between the outside zone and the dmz zone, both ways.


5. Here is an example of a medium-sized company with a DMZ (diagram).

4. Putting the Pieces Together

1. Cisco Common Classification Policy Language (C3PL), much like ASA MPF and IOS


d. Policy maps are evaluated top to bottom through their class maps. If a class-map is not matched, the top-to-bottom comparison continues until none are matched, hitting the implicit deny. The only zone that does not have an implicit deny is the self zone.

Table 13-2 Policy Map Actions

Policy Action | Description | When to Use It
Inspect | Permit and statefully inspect the traffic | This should be used on transit traffic initiated by users who expect to get replies from devices on the other side of the firewall
Pass | Permits/allows the traffic but does not create an entry in the stateful database | Traffic that does not need a reply. Also, in the case of protocols that do not support inspection, this policy could be applied to the zone pair for specific outbound traffic, and be applied to a second zone pair for inbound traffic
Drop | Deny the packet | Traffic you do not want to allow between the zones where this policy map is applied
Log | Log the packets | If you want to see log information about packets that were dropped because of policy, you can add this option

5. Service Policies

Table 13-3 Traffic Interaction Between Zones

Ingress Interface Member of Zone | Egress Interface Member of Zone | Zone Pair Exists with Applied Policy | Result
No | No | Does not matter | Traffic is forwarded
No | Yes (any zone) | Does not matter | Traffic is dropped
Yes (zone A) | Yes (zone A) | Does not matter | Traffic is forwarded
Yes (zone A) | Yes (zone B) | No | Traffic is dropped
Yes (zone A) | Yes (zone B) | Yes | Policy is applied. If the policy is inspect or pass, the initial traffic is forwarded. If the policy is drop, the initial traffic is dropped


1. How to configure based on the above components (Example 13-1, not reproduced in the transcript)

6. The Self Zone

Table 13-4 Self Zone Traffic Behavior

Source Traffic Member of Zone | Destination Traffic Member of Zone | Zone Pair Exists with a Policy Applied | Result
Self | Zone A | No | Traffic is passed
Zone A | Self | No | Traffic is passed
Self | Zone A | Yes | Policy is applied
Zone A | Self | Yes | Policy is applied

II. Configuring and Verifying Cisco IOS Zone-Based Firewall

1. First Things First

2. Using CCP to Configure the Firewall

1. Select the router you want to configure and navigate to Configure > Security > Firewall > Firewall.

2. Launch the Firewall Wizard (screenshot not reproduced in the transcript).

1. On the screen above, click Next.

2. Select interfaces and select which interfaces are trusted and not trusted.

3. Interfaces not assigned to a zone cannot pass traffic to or between interfaces assigned to a zone.

4. If CEF is applicable, click Yes to allow CEF traffic through the firewall; otherwise click No.

5. The above indicates that the untrusted interface cannot be used to access the router's management plane through that particular interface(s).

8. After clicking Next, you get a summary of the features that will be implemented.

9. Below are the commands that CCP issued to configure your zone-based firewall policy.

(Screenshots of the CCP-generated commands are not reproduced in the transcript.)

10. Verifying the Firewall

1. To edit and verify using CCP: Configure > Security > Firewall > Firewall, then click Edit.


12. Implementing NAT in Addition to ZBF

1. Configure > Router > NAT, launch the Basic NAT Wizard.

2. If using a DMZ with a server that must be able to be reached from the outside, you would use Advanced NAT; however, we are using basic NAT for the following examples.

3. Launch the Selected Task.

III. Do I Know This Already? Quiz

Table 13-1 Do I Know This Already? Section-to-Question Mapping

Foundation Topics Section | Questions
Cisco IOS Zone-Based Firewall | 1-4
Configuring and Verifying Cisco IOS Zone-Based Firewall | 5-8

1. Which zone is implied by default and does not need to be manually created?
a. Inside
b. Outside
c. DMZ
d. Self

2. If interface number 1 is in zone A, and interface number 2 is in zone B, and there is no policy or service commands applied yet to the configuration, what is the status of transit traffic that is being routed between these two interfaces?
a. Denied
b. Permitted
c. Inspected
d. Logged

3. When creating a specific zone pair and applying a policy to it, policy is being implemented on initial traffic in how many directions?
a. 1
b. 2
c. 3
d. Depends on the policy

4. What is the default policy between an administratively created zone and the self zone?
a. Deny
b. Permit
c. Inspect
d. Log

5. What is one of the added configuration elements that the Advanced security setting has in the ZBF Wizard that is not included in the Low security setting?
a. Generic TCP inspection
b. Generic UDP inspection
c. Filtering of peer-to-peer networking applications
d. NAT

6. Why is it that the return traffic, from previously inspected sessions, is allowed back to the user, in spite of not having a zone pair explicitly configured that matches on the return traffic?
a. Stateful entries (from the initial flow) are matched, which dynamically allows return traffic
b. Return traffic is not allowed because it is a firewall
c. Explicit ACL rules need to be placed on the return path to allow the return traffic
d. A zone pair in the opposite direction of the initial zone pair (including an applied policy) must be applied for return traffic to be allowed

7. What does the keyword overload imply in a NAT configuration?
a. NAT is willing to take up to 100 percent of available CPU
b. PAT is being used
c. NAT will provide "best effort" but not guaranteed service, due to an overload
d. Static NAT is being used


8. Which of the following commands shows the current NAT translations on the router?
a. show translations
b. show nat translations
c. show ip nat translations
d. show ip nat translations

IV. Review All the Key Topics

Table 13-5 Key Topics

Key Topic Element | Description | Page Number
Text | Overview of how the ZBF operates | 294
List | Specific features of the ZBF | 294
List | Putting the pieces together | 295
Table 13-2 | Policy map actions | 297
Table 13-3 | Traffic interaction between zones | 298
Example 13-1 | ZBF components | 299
Table 13-4 | Self zone traffic behavior | 300
List | ZBF Wizard configurable security levels | 304
Example 13-4 | CLI commands to implement NAT | 322
Example 13-5 | Viewing existing translations | 323

V. Complete the Tables and Lists from Memory

Table 13-2 CSD Supported Operating Systems

Operating System | Prelogin Assessment | Host Scan | Vault | Cache Cleaner (32-Bit Browsers Only) | Keystroke Logger

Rows as transcribed (three supported-feature marks each; column alignment did not survive):
Mac OS X 10.4, 10.5.1, 10.5.2 (x86 and x64): X X X
Mac OS X 10.5.x (x86 and x64): X X X
Red Hat Enterprise Linux 3 (x86 and x64 biarch): X X X
Red Hat Enterprise Linux 4 (x86 and x64 biarch): X X X
Fedora Core 4 and later (x86 and x64 biarch): X X X
Ubuntu: X X X

Table 13-3 CSD Privilege Levels Required for Installation with AnyConnect Client

| AnyConnect Client Installed | AnyConnect Client and CSD Install Together | Executable File
Administrative privileges required? | No | Yes | Yes


VI. Define Key Terms

1. zones -
2. zone pairs -
3. class map type inspect -
4. policy map type inspect -
5. service policy -
6. stateful inspection -
7. PAT -

VII. Command Reference to Check Your Memory

Table 13-6 Command Reference

Command | Description
show class-map type inspect | Show ZBF-related class maps
show policy-map type inspect | Show ZBF-related policy maps
class-map type inspect match-any MY-CLASS-MAP | Create a ZBF-related class map that will be a match if any of its entries is a match
policy-map type inspect MY-POLICY-MAP | Create a ZBF-related policy map
class type inspect MY-CLASS-MAP | Used inside a ZBF policy map to call on the classification services of a zone-based class map
zone-pair security in-to-out source inside destination outside | Create a zone pair that identifies an initial unidirectional flow of traffic
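As an added example (not the chapter's or Cisco's code), the Python lint below parses a constructed IOS running-config excerpt containing the zone, interface and zone-pair commands from the table above and flags the situations the chapter says cause drops: an interface left out of every zone (Table 13-3, row 2), a zone pair with no service-policy applied (implicit deny), and a pair such as outside-to-dmz that lacks its reverse-direction counterpart. The interface and policy-map names are constructed.

```python
# Added lint for the ZBF pitfalls the chapter describes; constructed config, not Cisco code.
SAMPLE_CONFIG = """\
zone security inside
zone security outside
zone security dmz
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/1
 zone-member security outside
interface GigabitEthernet0/2
 zone-member security dmz
interface GigabitEthernet0/3
zone-pair security in-to-out source inside destination outside
 service-policy type inspect MY-POLICY-MAP
zone-pair security out-to-dmz source outside destination dmz
"""

def parse_zbf(config):
    """Return ({interface: zone or None}, {pair: [src_zone, dst_zone, policy or None]})."""
    members, pairs, ctx = {}, {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw.startswith(" "):                    # indented line belongs to the block ctx
            if ctx in members and words[:2] == ["zone-member", "security"]:
                members[ctx] = words[2]
            elif ctx in pairs and words[:3] == ["service-policy", "type", "inspect"]:
                pairs[ctx][2] = words[3]
            continue
        ctx = None                                 # new top-level block
        if words[0] == "interface":
            ctx = words[1]; members[ctx] = None
        elif words[:2] == ["zone-pair", "security"]:
            ctx = words[2]; pairs[ctx] = [words[4], words[6], None]
    return members, pairs

def lint_zbf(config):
    members, pairs = parse_zbf(config)
    findings, zoned = [], [i for i, z in members.items() if z]
    for iface, zone in members.items():
        if zone is None and zoned:                 # Table 13-3 row 2: unzoned <-> zoned is dropped
            findings.append(f"{iface}: not in any zone, cannot exchange traffic with zoned interfaces")
    directions = {(s, d) for s, d, _ in pairs.values()}
    for name, (src, dst, policy) in pairs.items():
        if policy is None:                         # row 4: a pair without a policy hits the implicit deny
            findings.append(f"zone-pair {name}: no service-policy, {src}->{dst} traffic is dropped")
        if "self" not in (src, dst) and (dst, src) not in directions:
            findings.append(f"zone-pair {name}: no {dst}->{src} pair, only stateful return traffic comes back")
    return findings
```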