Around The Globe ATG.WORLD

Visit our sister website :

http://www.atg.world/

This is a social network for enthusiasts just like us. No Junk! Only meaningful conversations with the people who share the same enthusiasm as us.


Tuesday, July 31, 2012

Zone-Based Policy FireWalls (Explanation + Tutorial + Lab Example)

When it comes to Cisco networking, I think of everything as it is in the real world, and to my astonishment, everything fits like a glove. Take Zone-Based Policy Firewalls, for example. First impression: something related to security!!

Router interfaces are placed into security zones.
So, imagine a jail with 4 different blocks, 2 each situated in 2 different wings, each wing separated by a surveilled wire fence. One wing, Wing Fear, holds the most "feared" persons and so needs to be the most "secured" area (like Arkham Asylum). The other one, Wing Peace, holds comparatively peaceful people and does not require much security.

Traffic can travel freely between interfaces in the same zone, but is blocked by default from traveling between zones. The prisoners in each block in the same wing obviously can interact/talk with each other during the play/lunch hours, or whenever there is need. However, they cannot interact with the prisoners in the other wing.

Traffic is also blocked between interfaces that have been assigned to a security zone and those that have not. Obviously the prisoners cannot interact with the normal people (who are not imprisoned and hence need no security).

You must explicitly apply a policy to allow traffic between zones. Zone policies are configured using the Cisco Common Class-Based Policy Language (C3PL or CPL), which is similar to the Modular QoS Command Line Interface (MQC) in its use of class maps and policy maps. Selected prisoners from Wing Peace may or may not interact with selected prisoners from Wing Fear, based on the selection (class) and permission (policy) set by the warden.

A traffic policy is applied unidirectionally between zones using zone pairs. When traffic needs to flow between zones, a zone pair is set up in the direction of the traffic flow. If a bidirectional traffic flow is required, two zone pairs are required, one in each direction. This second zone pair is not required if stateful inspection (type inspect) is used and the only expected traffic is return traffic, because return traffic of an inspected session is permitted by default.

Simply put, if you do not want the Internet Zone to initiate traffic to the LAN Zone, leave it at the defaults. Note that traffic from the Internet Zone to the LAN Zone in response to requests initiated from within the LAN Zone to an Internet server will still be permitted by the firewall (if the policy from LAN to Internet is configured for stateful inspection).

The system-defined self zone includes all traffic that is directed at the device itself or generated by the device. By default the traffic flow between the "self" zone and any other zone is "ALLOW ALL", but, as with other zones, a traffic policy can be applied to the self zone as either the source or the destination zone, and it is likewise configured unidirectionally.
Now, consider the interaction between the jailers and the prisoners. Do you think they have any restrictions? No!!

Steps to configure ZBFW:
Again, imagine the transport between India and Pakistan.
Step 1   Decide the zones you will need, and create them on the router.
Two zones: INDIA and PAKISTAN.
 R3(config)#zone security INDIA
 R3(config)#zone security PAKISTAN
Step 2   Assign interfaces to zones. An interface may be assigned to only one security zone.
Transport between Lahore (Pakistan) and Amritsar (India).
 R3(config)#interface fastEthernet 0/0
 R3(config-if)#zone-member security INDIA
 R3(config)#interface fastEthernet 1/0
 R3(config-if)#zone-member security PAKISTAN

Step 3   Decide how traffic should travel between the zones, and create zone pairs on the router.
Do we need to establish transport between Lahore and Pakistan one way only, or bidirectionally?
 R3(config)#zone-pair security IND_PAK source INDIA destination PAKISTAN
 R3(config)#zone-pair security PAK_IND source PAKISTAN destination INDIA
Step 4   Create class maps to identify the inter-zone traffic that must be inspected by the firewall.
Who are the people travelling? Check their background!!
 R3(config)#ip access-list extended IN_TO_OUT
 R3(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 any eq www
 R3(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 any eq echo

 R3(config)#ip access-list extended OUT_TO_IN
 R3(config-ext-nacl)#permit icmp any 10.1.1.0 0.0.0.255 unreachable

 R3(config)#class-map type inspect IND_TO_PAK
 R3(config-cmap)#match access-group name IN_TO_OUT

 R3(config)#class-map type inspect PAK_TO_IND
 R3(config-cmap)#match access-group name OUT_TO_IN
 
Step 5   Assign policies to the traffic by creating policy maps and associating class maps with them.
Grant or deny visas. Also set the permissions and duration of travel for those who are allowed through.
 R3(config)#policy-map type inspect ZBFW_IN_OUT_PM
 R3(config-pmap)#class type inspect IND_TO_PAK
 R3(config-pmap-c)#inspect
%No specific protocol configured in class IND_TO_PAK for inspection. All protocols will be inspected
 R3(config)#policy-map type inspect ZBFW_OUT_IN_PM
 R3(config-pmap)#class type inspect PAK_TO_IND
 R3(config-pmap-c)#pass

Step 6   Assign the policy maps to the appropriate zone pair.
Hunhh.. enough, this one is self-explanatory!!
 R3(config)#zone-pair security IND_PAK
 R3(config-sec-zone-pair)#service-policy type inspect ZBFW_IN_OUT_PM
 R3(config)#zone-pair security PAK_IND
 R3(config-sec-zone-pair)#service-policy type inspect ZBFW_OUT_IN_PM
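To check the zone rules explained above (same-zone, unzoned, self-zone, and the stateful return-traffic exception) against the six-step INDIA/PAKISTAN lab, here is a small Python model of the firewall's decision logic. It is an added example, not code from this post or from Cisco; zone, ACL and policy names mirror the post, the interface Fa2/0, the session table (a simplified 4-tuple) and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

SELF = "self"   # system-defined self zone (router-originated/destined traffic)

@dataclass
class ZoneFirewall:
    zones: dict                    # interface -> zone name; None = not in any zone
    pairs: dict                    # (src_zone, dst_zone) -> [(match_fn, action), ...]
    sessions: set = field(default_factory=set)   # simplified: (src, dst, proto, port)
    def _zone(self, iface):
        return SELF if iface == SELF else self.zones.get(iface)
    def decide(self, in_if, out_if, src, dst, proto, port):
        sz, dz = self._zone(in_if), self._zone(out_if)
        if sz == dz:
            return "allow"                  # same zone (or both unzoned): free flow
        if sz is None or dz is None:
            return "drop"                   # zoned <-> unzoned is always blocked
        if (dst, src, proto, port) in self.sessions:
            return "allow"                  # return traffic of an inspected flow
        policy = self.pairs.get((sz, dz))
        if policy is None:                  # no zone pair in this direction
            return "allow" if SELF in (sz, dz) else "drop"
        for match, action in policy:        # first matching class wins
            if match(src, dst, proto, port):
                if action == "inspect":     # stateful: remember the flow
                    self.sessions.add((src, dst, proto, port))
                return "drop" if action == "drop" else "allow"
        return "drop"                       # implicit class-default drops

LAN = ipaddress.ip_network("10.1.1.0/24")   # the 10.1.1.0 0.0.0.255 subnet from the ACLs
def in_to_out(src, dst, proto, port):       # ACL IN_TO_OUT: tcp LAN -> any eq www/echo
    return proto == "tcp" and ipaddress.ip_address(src) in LAN and port in (80, 7)
def out_to_in(src, dst, proto, port):       # ACL OUT_TO_IN: icmp any -> LAN unreachable
    return proto == "icmp" and ipaddress.ip_address(dst) in LAN and port == "unreachable"

def build_lab():
    return ZoneFirewall(
        zones={"Fa0/0": "INDIA", "Fa1/0": "PAKISTAN", "Fa2/0": None},   # Fa2/0 constructed
        pairs={("INDIA", "PAKISTAN"): [(in_to_out, "inspect")],         # ZBFW_IN_OUT_PM
               ("PAKISTAN", "INDIA"): [(out_to_in, "pass")]})           # ZBFW_OUT_IN_PM

def run_lab():
    fw = build_lab()   # addresses below are constructed test values
    return [
        fw.decide("Fa0/0", "Fa1/0", "10.1.1.5", "203.0.113.9", "tcp", 80),   # LAN web request
        fw.decide("Fa1/0", "Fa0/0", "203.0.113.9", "10.1.1.5", "tcp", 80),   # its reply
        fw.decide("Fa1/0", "Fa0/0", "203.0.113.9", "10.1.1.5", "tcp", 22),   # unsolicited inbound
        fw.decide("Fa1/0", "Fa0/0", "203.0.113.1", "10.1.1.5", "icmp", "unreachable"),  # passed
        fw.decide("Fa2/0", "Fa0/0", "192.0.2.7", "10.1.1.5", "tcp", 80),     # unzoned -> zoned
    ]
```

Note that the reply on the PAK_IND zone pair is allowed by the session created by `inspect`, not by the `pass` class, while the ICMP unreachable is passed statelessly and creates no session.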


Done with the explanation. Read the other technical details and examples on Cisco's website, and get the lab rolling!!
Here's a great basic lab for ZBFW from GNS3Vault using GNS3.
http://gns3vault.com/Security/basic-zone-based-firewall.html