
Zone-Based Firewall Concept

The IOS Zone-Based Firewall (ZBF) first appeared in IOS 12.4(6)T. It gives routers with multiple interfaces a simple and intuitive way to design policy: interfaces are grouped into zones, and policy is written between zones rather than per interface.

Policy can also be applied with finer granularity than before. The zone-based approach builds on the same stateful inspection engine that CBAC (Context-Based Access Control) used, so it offers everything the older interface-based CBAC model did, plus more.

Zone-Based Firewall configuration requires defining your zones, your class maps, your policy maps, and your zone pairs. Apply your policy maps to your zone pairs to configure the firewall.

There are three possible actions for traffic moving between zones: inspect, drop, and pass. Inspect applies IOS stateful packet inspection (the CBAC engine) to the traffic and automatically permits the return traffic of each session. Pass forwards matching traffic without creating any state and only in the direction of the zone pair, so return traffic needs its own zone pair and policy. Drop discards the traffic. Anything that matches no class falls into class-default, which drops by default.

Fig 1.1- ZBF

Now create a simple zone-based firewall:
Step 1: Define the zones and assign interfaces to them

!
zone security ZONE_PRIVATE
zone security ZONE_INTERNET
!
interface GigabitEthernet0/0
 zone-member security ZONE_PRIVATE
!
interface GigabitEthernet0/1
 zone-member security ZONE_INTERNET
!

Step 2: Define the class maps that identify the traffic allowed between zones

!
class-map type inspect match-any CM_INTERNET_TRAFFIC
 match protocol http
 match protocol https
 match protocol ftp
!

Step 3: Configure a policy map that specifies the action for each class map

!
policy-map type inspect PM_PRIVATE_TO_INTERNET
 class type inspect CM_INTERNET_TRAFFIC
  inspect
!


Step 4: Configure the zone pair and apply the policy

!
zone-pair security ZONEP_PRIV_INT source ZONE_PRIVATE destination ZONE_INTERNET
 service-policy type inspect PM_PRIVATE_TO_INTERNET
!

Note how this basic arrangement gives stateful inspection of HTTP, HTTPS and FTP as it flows from the private zone to the Internet, and how it keeps Internet traffic out of the private zone unless it is the return traffic of an inspected session: no zone pair exists from ZONE_INTERNET to ZONE_PRIVATE, so unsolicited traffic in that direction is dropped. Verify the result with show zone-pair security (zone pairs and the policy attached to each) and show policy-map type inspect zone-pair sessions (the sessions the inspect action has created).


A three-zone design (inside, outside and a DMZ) follows the same pattern. Each zone pair gets its own policy map; no zone pair is defined from outside to inside, so only replies to inspected sessions ever reach the inside network:

!
class-map type inspect match-any dmzout
 match protocol http
 match protocol icmp
!
class-map type inspect match-any insideout
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect out2dmz
 class type inspect dmzout
  inspect
!
policy-map type inspect in2dmz
 class type inspect insideout
  inspect
!
policy-map type inspect in2out
 class type inspect insideout
  inspect
!
zone security inside
zone security outside
zone security dmz
!
interface GigabitEthernet0/0
 zone-member security inside
!
interface GigabitEthernet0/1
 zone-member security outside
!
interface GigabitEthernet1/1
 zone-member security dmz
!
zone-pair security i2u source inside destination outside
 service-policy type inspect in2out
zone-pair security i2d source inside destination dmz
 service-policy type inspect in2dmz
zone-pair security o2d source outside destination dmz
 service-policy type inspect out2dmz
!


Interface Communication
  • Interfaces in the same zone can talk to each other freely; no policy is applied to intra-zone traffic.
  • Interfaces in different zones cannot communicate at all until a zone pair is defined between the two zones and a policy that passes or inspects the traffic is applied to it. Zone pairs are unidirectional: a policy from inside to outside says nothing about outside-to-inside traffic, apart from replies to inspected sessions.
  • An interface that belongs to a zone cannot exchange traffic with an interface that belongs to no zone. That traffic is always dropped, and no zone pair can be built for it, so put every routed interface into a zone.
  • Two interfaces that belong to no zone can communicate with each other as if the firewall were not there; zone policy does not apply to them.
  • Traffic to and from the router itself belongs to the built-in "self" zone and is allowed by default; it is only restricted if you create a zone pair with self as the source or destination.
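To make these membership rules concrete, here is an added example (written for this page, not code from the article or from Cisco) that parses the three-zone configuration above and applies the rules in this list: it returns inspect, pass or drop for the first packet between two interfaces, and a small session table then admits the return traffic of inspected flows, which is the behaviour the zone-pair examples rely on. The protocol hierarchy table, the extra inside interface GigabitEthernet0/2, the zone-less interfaces GigabitEthernet1/2 and GigabitEthernet1/3, and the ssh test flow are assumptions made for the demonstration; the self zone is not modelled.

```python
"""Added example (not the article's or Cisco's code): a toy model of the IOS
Zone-Based Firewall rules, applied to the three-zone configuration above."""
import re

# Assumption: "match protocol tcp/udp" also matches app protocols carried over it.
TRANSPORT = {"http": "tcp", "https": "tcp", "ftp": "tcp", "ssh": "tcp", "dns": "udp"}

# Constructed sample: the three-zone config above (in2dmz omitted) plus a second inside interface.
CONFIG = """
class-map type inspect match-any dmzout
 match protocol http
 match protocol icmp
class-map type inspect match-any insideout
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect out2dmz
 class type inspect dmzout
  inspect
policy-map type inspect in2out
 class type inspect insideout
  inspect
zone security inside
zone security outside
zone security dmz
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/2
 zone-member security inside
interface GigabitEthernet0/1
 zone-member security outside
interface GigabitEthernet1/1
 zone-member security dmz
zone-pair security i2u source inside destination outside
 service-policy type inspect in2out
zone-pair security o2d source outside destination dmz
 service-policy type inspect out2dmz
"""

def parse(text):
    # Collect zone membership, class-maps, policy-maps and zone-pairs from IOS-style text.
    cfg = {"zone_of": {}, "class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    kind = key = None  # which indented block the following lines belong to
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"class-map type inspect match-(any|all) (\S+)", line):
            kind, key = "class", m[2]
            cfg["class_maps"][key] = {"op": m[1], "protocols": []}
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            kind, key = "policy", m[1]
            cfg["policy_maps"][key] = []  # ordered [class, action] entries
        elif m := re.match(r"interface (\S+)", line):
            kind, key = "intf", m[1]
            cfg["zone_of"].setdefault(key, None)  # None until a zone-member line
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            kind, key = "pair", (m[1], m[2])
            cfg["zone_pairs"][key] = None
        elif kind == "class" and (m := re.match(r"match protocol (\S+)", line)):
            cfg["class_maps"][key]["protocols"].append(m[1])
        elif kind == "policy" and (m := re.match(r"class (?:type inspect )?(\S+)", line)):
            cfg["policy_maps"][key].append([m[1], "drop"])  # action set by next line
        elif kind == "policy" and line in ("inspect", "pass", "drop") and cfg["policy_maps"][key]:
            cfg["policy_maps"][key][-1][1] = line
        elif kind == "intf" and (m := re.match(r"zone-member security (\S+)", line)):
            cfg["zone_of"][key] = m[1]
        elif kind == "pair" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            cfg["zone_pairs"][key] = m[1]
    return cfg

def class_matches(cfg, cls, protocol):
    cm = cfg["class_maps"].get(cls, {"op": "any", "protocols": []})
    hits = [p in (protocol, TRANSPORT.get(protocol)) for p in cm["protocols"]]
    return any(hits) if cm["op"] == "any" else all(hits)

def decide(cfg, src_intf, dst_intf, protocol):
    """Stateless first-packet verdict: inspect, pass or drop."""
    src_zone, dst_zone = cfg["zone_of"].get(src_intf), cfg["zone_of"].get(dst_intf)  # absent -> None
    if src_zone is None and dst_zone is None:
        return "pass"  # neither interface is a zone member: ZBF does not apply
    if src_zone is None or dst_zone is None:
        return "drop"  # zone member to/from non-member is always dropped
    if src_zone == dst_zone:
        return "pass"  # intra-zone traffic is never policed
    policy = cfg["zone_pairs"].get((src_zone, dst_zone))
    if policy is None:
        return "drop"  # different zones but no zone-pair in this direction
    for cls, action in cfg["policy_maps"].get(policy, []):
        if cls == "class-default" or class_matches(cfg, cls, protocol):
            return action
    return "drop"  # implicit class-default of an inspect policy-map

def forward(cfg, sessions, src_intf, dst_intf, protocol):
    # Stateful wrapper: a reply to an inspected flow is admitted from the session
    # table, so the reverse zone-pair needs no policy for it.
    if (dst_intf, src_intf, protocol) in sessions:
        return "return"
    verdict = decide(cfg, src_intf, dst_intf, protocol)
    if verdict == "inspect":
        sessions.add((src_intf, dst_intf, protocol))
    return verdict
```

Feed parse() the configuration, then call decide() for a first packet or forward() with a shared session set for a whole exchange: an HTTP request from inside to outside is inspected and its reply is admitted as "return", while the same reply arriving before any request is dropped because no outside-to-inside zone pair exists. The class-map matching is deliberately simplified (protocol names only, with a tiny transport hierarchy); real IOS classification also supports access-group matches and nested class-maps.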