Zone-based firewall Configuration
Prerequisite – Zone-based firewall
Zone-based firewall is an advanced method of stateful firewall. In a stateful firewall, an entry containing the source IP address, destination IP address, source port number and destination port number is maintained in the stateful database for traffic generated by the trusted (private) network. Using this database, the firewall allows only the replies to that traffic back into the private (trusted) network.
Zone-based Firewall procedure:
- Create zones and assign an interface to it –
In Zone-based firewall, logical zones are created. A zone is assigned to an interface. By default, traffic from one zone to another is not allowed.
- Create class-map –
After creating a zone, a class-map policy is made which will identify the type of traffic, like ICMP, on which the policies will be applied.
- Create policy-map and assign class-map to the policy-map –
After identifying the type of traffic in class-map, we have to define what action must be taken on the traffic. The action can be:
- Inspect: It is the same as CBAC inspection, i.e. only inspected traffic is allowed in from the outside network (the return traffic of sessions started by the inside (trusted) network).
- Drop: This is the default action for all traffic. The class-map configured in a policy map can be configured to drop unwanted traffic.
- Pass: This will allow the traffic from one zone to another. Unlike the inspect action, it will not create a session state for the traffic. If we want to allow traffic from the opposite direction, a corresponding policy should be created.
- Configure a zone-pair and assign the policy –
A zone-pair is configured for one direction only. Policies define which traffic is identified (what type of traffic) and then what action should be taken (inspect, drop or pass). We then have to apply these policies to a zone-pair.
As shown in the figure, 4 routers are connected with each other: Router1 has IP address 10.1.1.1/24 on its fa0/0 interface; Router2 has IP address 10.1.1.2/24 on its fa0/0 interface, 10.1.2.1/24 on its fa0/1 interface and 10.1.3.1/24 on its fa1/0 interface; Router3 has IP address 10.1.2.2/24 on its fa0/1 interface; and Router4 has 10.1.3.2/24 on its fa0/1 interface.
First we have to configure routing so that the routers can reach each other.
Configuring RIP on Router2:
Router2(config)#router rip
Router2(config-router)#network 10.1.1.0
Router2(config-router)#network 10.1.2.0
Router2(config-router)#network 10.1.3.0
Router2(config-router)#no auto-summary
Now, giving default route on Router1:
Router1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
Giving default route on Router3:
Router3(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.1
Giving default route on Router4:
Router4(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.1
Now, we have to redistribute default routes in RIP:
Router2(config)#router rip
Router2(config-router)#default-information originate
These routers will be able to ping each other.
Now, configure Zone-based firewall.
In this scenario, we will allow only ICMP and telnet traffic from the inside zone to the outside zone.
To achieve this, the following steps will be taken:
- Create zones and assign interfaces to zone –
First, we have to configure a name for each zone and then apply it to the interface (here, on Router2). We configure the zones and name them inside, outside and dmz.
Router2(config)#zone security inside
Router2(config-sec-zone)#exit
Router2(config)#zone security outside
Router2(config-sec-zone)#exit
Router2(config)#zone security dmz
Router2(config-sec-zone)#exit
Now, applying zones to the interfaces.
Router2(config)#interface fa0/0
Router2(config-if)#zone-member security inside
Router2(config-if)#interface fa0/1
Router2(config-if)#zone-member security outside
Router2(config-if)#interface fa1/0
Router2(config-if)#zone-member security dmz
After applying zones to the interfaces, the routers will not be able to ping each other because, by default, traffic from one zone to another is dropped (as per the default policy).
- Create a class-map –
A class-map will be created to identify the type of traffic on which we want to perform the operation.
Configuring the class-map stating the type of traffic on which inspection will be performed:
Router2(config)#class-map type inspect match-any in-out
Router2(config-cmap)#match protocol icmp
Router2(config-cmap)#match protocol telnet
match-any means the class-map matches if any one of its statements matches, i.e. either telnet or ICMP. We have given the name in-out to the class-map.
- Create policy-map and apply class-map to the policy-map –
A policy-map will be configured to state what operation (inspect, drop or pass) will be performed. In our scenario, we will use inspect, i.e. traffic will enter from the outside zone to the inside zone only if it has an entry in the stateful database (replies to traffic initiated in the inside zone).
Router2(config)#policy-map type inspect in-out
Router2(config-pmap)#class type inspect in-out
Router2(config-pmap-c)#inspect
Here, we have configured a policy-map named in-out and assigned the class-map (also named in-out) to it; the action that will be taken is inspect.
We have used the same name for the class-map and the policy-map. Different names can be used, but then the configuration becomes harder to follow.
- Create zone-pair and apply policy-map to the zone-pair –
Create a zone-pair specifying the source and the destination zone and apply the policy-map to the zone-pair.
Router2(config)#zone-pair security in-outpair source inside destination outside
Router2(config-sec-zone-pair)#service-policy type inspect in-out
Here, in the first command, notice that in-outpair is the name of the zone-pair in which the inside zone is the source and the outside zone is the destination.
It means a zone-pair has been defined in the direction from the inside zone to the outside zone. In the second command, in-out is the name of the policy-map.
Now, the inside zone will be able to ping and telnet the outside zone devices, but for the reverse direction we have to define a separate zone-pair. Also, note that inside zone devices will be able to reach outside zone devices but not the DMZ zone, because no zone-pair has been defined for it.
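To review the resulting policy offline, the following added example (not part of the original tutorial) models how Router2 treats a new session under the configuration built above. The function names parse and verdict and the embedded configuration text are constructed for illustration; the model also assumes the IOS default that traffic between interfaces in the same zone is not filtered.

```python
import re

# Constructed running-config style text for Router2, following the steps above
# (zone declarations omitted; the zone-member lines carry the same information).
CONFIG = """\
interface fa0/0
 zone-member security inside
interface fa0/1
 zone-member security outside
interface fa1/0
 zone-member security dmz
class-map type inspect match-any in-out
 match protocol icmp
 match protocol telnet
policy-map type inspect in-out
 class type inspect in-out
  inspect
zone-pair security in-outpair source inside destination outside
 service-policy type inspect in-out
"""

def parse(cfg):
    """Return interface->zone, class->protocols, policy->[(class, action)], (src, dst)->policy."""
    zones = dict(re.findall(r"^interface (\S+)\n zone-member security (\S+)", cfg, re.M))
    classes = {name: set(re.findall(r"match protocol (\S+)", body))
               for name, body in re.findall(
                   r"^class-map type inspect (?:match-\w+ )?(\S+)\n((?: match .*\n)+)", cfg, re.M)}
    policies = {name: re.findall(r"class type inspect (\S+)\n +(inspect|drop|pass)", body)
                for name, body in re.findall(
                    r"^policy-map type inspect (\S+)\n((?: .*\n)+)", cfg, re.M)}
    pairs = {(s, d): p for s, d, p in re.findall(
        r"^zone-pair security \S+ source (\S+) destination (\S+)\n"
        r" service-policy type inspect (\S+)", cfg, re.M)}
    return zones, classes, policies, pairs

def verdict(cfg, in_if, out_if, protocol):
    """Action applied to a NEW session entering in_if and leaving out_if."""
    zones, classes, policies, pairs = parse(cfg)
    src, dst = zones[in_if], zones[out_if]
    if src == dst:
        return "permit (same zone)"
    policy = pairs.get((src, dst))      # zone-pairs are one-directional
    if policy is None:
        return "drop (no zone-pair)"
    for cls, action in policies[policy]:
        if protocol in classes[cls]:
            return action               # "inspect" also admits the replies
    return "drop (class-default)"
```

Calling verdict(CONFIG, "fa0/0", "fa1/0", "icmp") shows the inside-to-DMZ case from the last paragraph: the session is dropped because no zone-pair exists for that direction.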