Network Security v1.0 - Module 10

Module 10 focuses on Zone-Based Policy Firewalls (ZPF) in networking security, detailing how to implement ZPF using CLI. It covers the benefits and design of ZPFs, their operational rules, and the steps required for configuration, including creating zones, identifying traffic, and defining actions. The module also includes recommended activities and resources for further learning.
Module 10: Zone-Based Policy Firewalls

Instructor Materials

Networking Security v1.0 (NETSEC)
Instructor Materials – Module 10 Planning Guide

This PowerPoint deck is divided into two parts:

• Instructor Planning Guide
  • Information to help you become familiar with the module
  • Teaching aids
• Instructor Class Presentation
  • Optional slides that you can use in the classroom
  • Begins on slide # 9

Note: Remove the Planning Guide from this presentation before sharing with anyone.
For additional help and resources go to the Instructor Home Page and Course Resources for this course. You also can visit the professional development site on netacad.com, the official Cisco Networking Academy Facebook page, or Instructor Only FB group.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Module 10: Activities

What activities are associated with this module?

Page #    Activity Type              Activity Name                  Optional?
10.2.4    Check Your Understanding   Rules for Transit Traffic      Recommended
10.3.8    Syntax Checker             Configure a ZPF                Recommended
10.3.10   Video                      Video Demonstration of ZPF     Recommended
10.3.11   Packet Tracer              Configure ZPF                  Recommended
10.3.12   Lab                        Configure ZPFs                 Recommended
10.4.2    Module Quiz                Zone-Based Firewall Quiz       Recommended

Module 10: Zone-Based Policy Firewalls

Networking Security v1.0 (NETSEC)
Module Objectives
Module Title: Zone-Based Policy Firewalls

Module Objective: Implement Zone-Based Policy Firewall using CLI.

Topic Title         Topic Objective
ZPF Overview        Explain how Zone-Based Firewalls are used to help secure a network.
ZPF Operation       Explain the operation of a Zone-Based Policy Firewall.
Configuring a ZPF   Configure a Zone-Based Firewall with CLI.

10.1 ZPF Overview

ZPF Overview
Benefits of a ZPF

There are two configuration models for Cisco IOS Firewall:

• Classic Firewall - The traditional configuration model in which firewall policy is applied on interfaces.
• Zone-based Policy Firewall (ZPF) - The new configuration model in which interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.

There are several benefits of a ZPF:
• It is not dependent on ACLs.
• The router security posture is to block unless explicitly allowed.
• Policies are easy to read and troubleshoot with the Cisco Common Classification Policy Language (C3PL). C3PL is a structured method to create traffic policies based on events, conditions, and actions. This provides scalability because one policy affects any given traffic, instead of needing multiple ACLs and inspection actions for different types of traffic.
• Virtual and physical interfaces can be grouped into zones.
• Policies are applied to unidirectional traffic between zones.
ZPF Overview
ZPF Design
Designing ZPFs involves several steps:

Step 1. Determine the zones. A zone defines a boundary where traffic is subjected to
policy restrictions as it crosses to another region of the network.

Step 2. Establish policies between zones. Define the sessions that clients in the
source zones can request from servers in destination zones.

Step 3. Design the physical infrastructure. This includes dictating the number of
devices between most-secure and least-secure zones and determining redundant
devices.

Step 4. Identify subsets within zones and merge traffic requirements. Although an
important consideration, implementing zone subsets is beyond the scope of this
curriculum.
ZPF Overview
ZPF Design (Cont.)
Example topologies shown as figures in the slides (figures not reproduced here):
• LAN to Internet Example
• Firewall with Public Servers Example 1
• Firewall with Public Servers Example 2
• Redundant Firewalls
• Complex Firewall

10.2 ZPF Operation

ZPF Operation
ZPF Actions

Policies identify actions that the ZPF will perform on network traffic. Three possible actions can be configured to process traffic by protocol, source and destination zones (zone pairs), and other criteria.

• Inspect - Performs Cisco IOS stateful packet inspection.
• Drop - Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
• Pass - Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.

ZPF Operation
Rules for Transit Traffic
Traffic transiting through router interfaces is subject to several rules governing interface behavior. For the transit traffic example, refer to the topology shown in the figure.

Source Interface    Destination Interface   Zone-Pair   Policy    Result
Member of Zone?     Member of Zone?         Exists?     Exists?
NO                  NO                      N/A         N/A       PASS
YES                 NO                      N/A         N/A       DROP
NO                  YES                     N/A         N/A       DROP
YES (private)       YES (private)           N/A         N/A       PASS
YES (private)       YES (public)            NO          N/A       DROP
YES (private)       YES (public)            YES         NO        PASS
YES (private)       YES (public)            YES         YES       INSPECT
ZPF Operation
Rules for Traffic to the Self Zone
The self zone is the router itself and includes all the IP addresses assigned to the router interfaces. This is traffic that originates at the router or is addressed to a router interface.

The rules depend on whether the router is the source or the destination of the traffic, as shown in the table.

Source Interface    Destination Interface   Zone-Pair   Policy    Result
Member of Zone?     Member of Zone?         Exists?     Exists?
YES (self zone)     YES                     NO          N/A       PASS
YES (self zone)     YES                     YES         NO        PASS
YES (self zone)     YES                     YES         YES       INSPECT
YES                 YES (self zone)         NO          N/A       PASS
YES                 YES (self zone)         YES         NO        PASS
YES                 YES (self zone)         YES         YES       INSPECT

10.3 Configure a ZPF

Configure a ZPF
Configure a ZPF
The topology and steps shown in the figure will be used throughout the remainder of this topic to demonstrate ZPF configuration.

Step 1: Create the zones.
Step 2: Identify traffic with a class-map.
Step 3: Define an action with a policy-map.
Step 4: Identify a zone pair and match it to a policy-map.
Step 5: Assign zones to the appropriate interfaces.
Configure a ZPF
Step 1. Create Zones
The first step is to create the zones. However, before creating the zones, answer a few questions:
• What interfaces should be included in the zones?
• What will be the name for each zone?
• What traffic is necessary between the zones and in which direction?

In the example topology, we have two interfaces, two zones, and traffic flowing in one direction. Traffic sourced from the public zone will not be allowed. Create the private and public zones for the firewall with the zone security command, as shown here.

Configure a ZPF
Step 2. Identify Traffic
The second step is to use a class-map to identify the traffic to which a policy will be applied. The figure shows the syntax for the class-map command. There are several types of class-maps. For a ZPF configuration, use the inspect keyword to define a class-map. Determine how packets are evaluated when multiple match criteria exist. Packets must meet one of the match criteria (match-any) or all of the match criteria (match-all) to be considered a member of the class.

Parameter        Description
match-any        Packets must meet one of the match criteria to be considered a member of the class.
match-all        Packets must meet all of the match criteria to be considered a member of the class.
class-map-name   Name of the class-map that will be used to configure the policy for the class in the policy-map.

Configure a ZPF
Step 2. Identify Traffic (Cont.)
The figure shows the syntax for the match statements in class-map sub-configuration mode. Match traffic to an ACL, a specific protocol, or even another class-map.

Parameter            Description
match access-group   Configures the match criteria for a class-map based on the specified ACL number or name.
match protocol       Configures the match criteria for a class-map based on the specified protocol.
match class-map      Uses another class-map to identify traffic.

Configure a ZPF
Step 3. Define an Action
The third step is to use a policy-map to define what action should be taken for traffic that is a member of a class. The figure shows the command syntax to configure a policy-map. An action is a specific functionality. It is typically associated with a traffic class. For example, inspect, drop, and pass are actions.

Parameter   Description
inspect     An action that offers state-based traffic control. The router maintains session information for TCP and UDP and permits return traffic.
drop        Discards unwanted traffic.
pass        A stateless action that allows the router to forward traffic from one zone to another.

Configure a ZPF
Step 4. Identify a Zone-Pair and Match to a Policy

The fourth step is to identify a zone pair and associate that zone pair to a policy-map. The figure shows the command syntax. Create a zone-pair with the zone-pair security command. Then use the service-policy type inspect command to attach a policy-map and its associated action to the zone-pair.

Parameter                           Description
source source-zone-name             Specifies the name of the zone from which traffic is originating.
destination destination-zone-name   Specifies the name of the zone to which traffic is destined.
self                                Specifies the system-defined zone. Indicates whether traffic will be going to or from the router itself.

Configure a ZPF
Step 5. Assign Zones to Interfaces
The fifth step is to assign zones to the appropriate interfaces. Associating a zone to an interface will immediately apply the service-policy that has been associated with the zone. If no service-policy is yet configured for the zone, all transit traffic will be dropped. Use the zone-member security command to assign a zone to an interface.

In the following example, GigabitEthernet 0/0 is assigned the PRIVATE zone, and Serial 0/0/0 is assigned the PUBLIC zone.
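
The following Python script is an added example (not part of the Cisco module) that ties the five configuration steps above to the transit and self-zone rule tables from topic 10.2. It embeds a constructed running-config for the example topology, reads back only the zone-pair, service-policy and zone-member objects, and then reports the result the rule tables give for a flow between two interfaces. The IOS commands are the ones the module names; the interface and class names are assumptions for the example.

```python
import re

# Constructed running-config for the module's example topology; not taken from the page.
SAMPLE_CONFIG = """\
class-map type inspect match-any HTTP-TRAFFIC
 match protocol http
policy-map type inspect PRIV-TO-PUB-POLICY
 class type inspect HTTP-TRAFFIC
  inspect
zone security PRIVATE
zone security PUBLIC
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
 service-policy type inspect PRIV-TO-PUB-POLICY
interface GigabitEthernet0/0
 zone-member security PRIVATE
interface Serial0/0/0
 zone-member security PUBLIC
"""

def parse_zpf(config):
    # Collect zone-pairs (-> policy-map name, or None when step 4 has no service-policy) and each interface's zone (step 5)
    cfg = {"pairs": {}, "iface_zone": {}}
    pair = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():          # an unindented command ends any sub-mode
            pair = iface = None
        if m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            pair = (m[1], m[2])
            cfg["pairs"].setdefault(pair, None)
        elif pair and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            cfg["pairs"][pair] = m[1]
        elif m := re.match(r"interface (\S+)$", line):
            iface = m[1]
        elif iface and (m := re.match(r"zone-member security (\S+)$", line)):
            cfg["iface_zone"][iface] = m[1]
    return cfg

def transit_result(cfg, in_if, out_if):
    # Apply the module's 'Rules for Transit Traffic' table to a flow entering in_if and leaving out_if
    src, dst = cfg["iface_zone"].get(in_if), cfg["iface_zone"].get(out_if)
    if src is None or dst is None:
        return "PASS" if src is dst else "DROP"   # both unzoned: pass; only one zoned: drop
    if src == dst:
        return "PASS"                              # traffic inside one zone is never filtered
    if (src, dst) not in cfg["pairs"]:
        return "DROP"                              # default inter-zone policy
    return "PASS" if cfg["pairs"][(src, dst)] is None else "INSPECT"   # no policy vs. policy-map

def self_zone_result(cfg, iface, to_router=True):
    # Apply the 'Rules for Traffic to the Self Zone' table; to_router=False means router-sourced
    zone = cfg["iface_zone"].get(iface)
    pair = (zone, "self") if to_router else ("self", zone)
    policy = cfg["pairs"].get(pair)      # no zone-pair, or a pair without service-policy: PASS
    return "PASS" if policy is None else "INSPECT"
```

An INSPECT result means the zone-pair's policy-map is consulted, and the per-class inspect, drop or pass action then decides the packet's fate.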

Configure a ZPF
Verify a ZPF Configuration

Verify a ZPF configuration by viewing the running configuration. Notice that the class-map is listed first. Then the policy-map makes use of the class-map.

The zone configurations follow the policy-map configurations with zone naming, zone pairing, and associating a service-policy to the zone pair.

Finally, the interfaces are assigned zones.
Configure a ZPF
Verify a ZPF Configuration (Cont.)
The example shows verification information after a test of the ZPF configuration. A PRIVATE zone host 192.168.1.3 established an HTTPS session with a web server at 10.1.1.2. Notice further down in the command output that four packets matched the class class-default. This verification information was generated by having host 192.168.1.3 ping the web server at 10.1.1.2.

Other commands include:

• show class-map type inspect
• show zone security
• show zone-pair security
• show policy-map type inspect
Configure a ZPF
ZPF Configuration Considerations
When configuring a ZPF with the CLI, there are several factors to consider:

• The router never filters the traffic between interfaces in the same zone.
• An interface cannot belong to multiple zones. To create a union of security zones, specify a new zone and the appropriate policy-map and zone-pairs.
• ZPF can coexist with Classic Firewall, although they cannot be used on the same interface. Remove the ip inspect interface configuration command before applying the zone-member security command.
• Traffic can never flow between an interface assigned to a zone and an interface without a zone assignment. Applying the zone-member configuration command always results in a temporary interruption of service until the other zone-member is configured.
• The default inter-zone policy is to drop all traffic unless otherwise specifically allowed by the service-policy configured for the zone-pair.
• The zone-member command does not protect the router itself (traffic to and from the router is not affected) unless the zone-pairs are configured using the predefined self zone.
Configure a ZPF
Video Demonstration - ZPFs

This video is a demonstration of ZPFs.

Configure a ZPF
Packet Tracer - Configure ZPF

In this Packet Tracer, you will complete the following objectives:

• Verify connectivity among devices before firewall configuration.
• Configure a ZPF on router R3.
• Verify ZPF functionality using ping, Telnet, and a web browser.

Configure a ZPF
Lab - Configure ZPFs

In this lab, you will complete the following objectives:

• Complete a basic router configuration.
• Use the CLI to configure a ZPF.
• Use the CLI to verify the configuration.

10.4 Zone-Based Firewalls Summary

Zone-Based Firewalls Summary
What Did I Learn in this Module?

• The IOS ZPF provides a new configuration mode in which interfaces are assigned to security
zones and firewall policies are applied to traffic moving between the zones.
• ZPFs use user-defined policies to act on specific traffic that is travelling from a source zone to a
destination zone.
• Three actions can be specified: inspect, drop, or pass.
• Default rules are applied to transit traffic based on the configuration of the ingress and egress
interfaces and the existence of policies.
• A special zone known as the self zone is the router itself.
• There are five steps in the process of configuring a ZPF:
Step 1: Create the zones.
Step 2: Identify traffic with a class-map.
Step 3: Define an action with a policy-map.
Step 4: Identify a zone pair and match it to a policy-map.
Step 5: Assign zones to the appropriate interfaces.
Zone-Based Firewalls Summary
New Terms and Commands
• zone security zone-name
• class-map type inspect [match-any | match-all] class-map-name
  match access-group {acl-# | acl-name}
  match protocol protocol-name
  match class-map class-map-name
• policy-map type inspect policy-map-name
  class type inspect class-map-name
  {inspect | drop | pass}
• zone-pair security zone-pair-name source {source-zone-name | self} destination {destination-zone-name | self}
• service-policy type inspect policy-map-name
• zone-member security zone-name
• show policy-map type inspect zone-pair sessions
• show class-map type inspect
• show zone security
• show zone-pair security
• show policy-map type inspect
