When it comes to Cisco's networking, I think of everything as it is in the real world, and to my astonishment, everything fits like a glove. For example, Zone-Based Policy Firewalls. First impression - something related to security!!
Router interfaces are placed into security zones.
So, imagine a jail with 4 different blocks, 2 each situated in 2 different wings, each wing separated by a surveilled wire fence. One wing - Wing Fear - consists of the most "feared" persons, and needs to be the most "secured" area (like Arkham Asylum). The other one, Wing Peace, contains comparatively peaceful people, and does not require much security.
Traffic can travel freely between interfaces in the same zone, but is blocked by default from traveling between zones. The prisoners in each block in the same wing obviously can interact/talk with each other during the play/lunch hours, or whenever there is a need. However, they cannot interact with the prisoners in the other wing.
Traffic is also blocked between interfaces that have been assigned to a security zone and those that have not. Obviously the prisoners cannot interact with the normal people (who are not imprisoned and hence need no security).
You must explicitly apply a policy to allow traffic between zones. Zone policies are configured using the Cisco Common Class-Based Policy Language (C3PL or CPL), which is similar to the Modular QoS Command Line Interface (MQC) in its use of class maps and policy maps. Selected prisoners from Wing Peace may or may not interact with selected prisoners in Wing Fear, based on the selection (class) and permission (policy) set by the warden.
A traffic policy is applied unidirectionally between zones using zone pairs. When traffic needs to flow between zones, a zone pair is set up in the direction of the traffic flow. If a bidirectional traffic flow is required, two zone pairs are required, one in each direction. This second zone pair is not required if using stateful inspection (type inspect) and the only expected traffic is return traffic. The second zone pair is not required because this return traffic is permitted by default.
Simply put, if you do not want the Internet Zone to initiate traffic to the LAN Zone, leave it at the defaults. Note that traffic from the Internet Zone to the LAN Zone in response to requests initiated from within the LAN Zone to an Internet server will be permitted by the firewall (if the policy from LAN to Internet is configured for stateful inspection).
The system-defined self zone includes all traffic that is directed at the device itself or traffic that is generated by the device. By default the traffic flow to or from the "SELF" zone to another zone is "ALLOW ALL", but, as with other zones, a traffic policy can be applied to the self zone as either the source or the destination zone, and is likewise configured unidirectionally.
Now, consider the interaction between the jailers and the prisoners. Do you think there is any restriction on them? No!!
Steps to configure ZBFW:
Again, imagine the transport b/w India and Pakistan.
Step 1 Decide the zones you will need, and create them on the router.
Two zones - India and Pakistan.
R3(config)#zone security INDIA
R3(config)#zone security PAKISTAN
Step 2 Assign interfaces to zones. An interface may be assigned to only one security zone.
Transport b/w Lahore - Pakistan and Amritsar - India
R3(config)#interface fastEthernet 0/0
R3(config-if)#zone-member security INDIA
R3(config)#interface fastEthernet 1/0
R3(config-if)#zone-member security PAKISTAN
Step 3 Decide how traffic should travel between the zones, and create zone-pairs on the router.
Do we need to establish transport from-to or between Lahore and Pakistan .. Only one-way or bi-directional .. ??
R3(config)#zone-pair security IND_PAK source INDIA destination PAKISTAN
R3(config)#zone-pair security PAK_IND source PAKISTAN destination INDIA
Step 4 Create class maps to identify the inter-zone traffic that must be inspected by the firewall.
Who are the people travelling .. Check their background !!
R3(config)#ip access-list extended IN_TO_OUT
R3(config-ext-nacl)#permit tcp 10.1.1.0 0.255.255.255 any eq www
R3(config-ext-nacl)#permit tcp 10.1.1.0 0.255.255.255 any eq echo
R3(config)#ip access-list extended OUT_TO_IN
R3(config-ext-nacl)#permit icmp any 10.1.1.0 0.0.0.255 unreachable
R3(config)#class-map type inspect IND_TO_PAK
R3(config-cmap)#match access-group name IN_TO_OUT
R3(config)#class-map type inspect PAK_TO_IND
R3(config-cmap)#match access-group name OUT_TO_IN
Step 5 Assign policies to the traffic by creating policy maps and associating class maps with them.
Grant/Deny VISA to the people. Also set the permissions/duration during the travel for those allowed to travel.
R3(config)#policy-map type inspect ZBFW_IN_OUT_PM
R3(config-pmap)#class type inspect IND_TO_PAK
R3(config-pmap-c)#inspect
%No specific protocol configured in class IND_TO_PAK for inspection. All protocols will be inspected
R3(config)#policy-map type inspect ZBFW_OUT_IN_PM
R3(config-pmap)#class type inspect PAK_TO_IND
R3(config-pmap-c)#pass
Step 6 Assign the policy maps to the appropriate zone-pair.
hunhh .. Enough .. Self-Explanatory!!
R3(config)#zone-pair security IND_PAK
R3(config-sec-zone-pair)#service-policy type inspect ZBFW_IN_OUT_PM
R3(config)#zone-pair security PAK_IND
R3(config-sec-zone-pair)#service-policy type inspect ZBFW_OUT_IN_PM
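To make the rules from the explanation above concrete (intra-zone allowed, inter-zone dropped by default, zoned-to-unzoned dropped, self zone allowed by default, inspect permitting return traffic without a reverse zone pair, pass being stateless), here is an added Python model of the ZBFW decision logic loaded with the zones, ACLs, class maps, policy maps and zone pairs configured in the steps above. It is example code written for this page, not Cisco's implementation and not from the original post: it ignores protocol-specific inspection and session timeouts, and the hosts 10.1.1.5, 203.0.113.10, 198.51.100.1, 192.0.2.9 and the unzoned interface FastEthernet2/0 are constructed. One caveat it makes visible: IOS stores the ACL entry "10.1.1.0 0.255.255.255" as 10.0.0.0/8, so the outbound class matches far more than 10.1.1.0/24.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone membership as configured on the page. "FastEthernet2/0" is a constructed
# interface deliberately left out of every zone to show the zoned-to-unzoned rule.
ZONE_OF = {"FastEthernet0/0": "INDIA", "FastEthernet1/0": "PAKISTAN"}

# ACLs from the page as IOS stores them: wildcard 0.255.255.255 on 10.1.1.0 covers all of
# 10.0.0.0/8; www = 80, echo = 7; for ICMP the last field is the ICMP type (unreachable = 3).
ACLS = {
    "IN_TO_OUT": [("tcp", "10.0.0.0/8", "0.0.0.0/0", 80),
                  ("tcp", "10.0.0.0/8", "0.0.0.0/0", 7)],
    "OUT_TO_IN": [("icmp", "0.0.0.0/0", "10.1.1.0/24", 3)],
}
CLASS_MAPS = {"IND_TO_PAK": "IN_TO_OUT", "PAK_TO_IND": "OUT_TO_IN"}
# Ordered (class, action) entries; traffic matching no class hits class-default, which drops.
POLICY_MAPS = {"ZBFW_IN_OUT_PM": [("IND_TO_PAK", "inspect")],
               "ZBFW_OUT_IN_PM": [("PAK_TO_IND", "pass")]}
ZONE_PAIRS = {("INDIA", "PAKISTAN"): "ZBFW_IN_OUT_PM",
              ("PAKISTAN", "INDIA"): "ZBFW_OUT_IN_PM"}


@dataclass(frozen=True)
class Flow:
    in_if: str    # ingress interface, or "self" when the router originates the packet
    out_if: str   # egress interface, or "self" when the packet is addressed to the router
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 for ICMP
    dport: int = 0  # destination port, or ICMP type for icmp


def acl_permits(acl_name, flow):
    """True if any entry of the named ACL matches the flow (implicit deny otherwise)."""
    for proto, src_net, dst_net, dport in ACLS[acl_name]:
        if (proto == flow.proto
                and ip_address(flow.src) in ip_network(src_net)
                and ip_address(flow.dst) in ip_network(dst_net)
                and (dport is None or dport == flow.dport)):
            return True
    return False


class ZoneBasedFirewall:
    def __init__(self):
        self.sessions = set()  # 5-tuples recorded by the inspect action

    @staticmethod
    def zone_of(ifname):
        return "self" if ifname == "self" else ZONE_OF.get(ifname)  # None = unzoned

    def evaluate(self, flow):
        """Return (decision, reason) for one packet; inspect adds session state."""
        src_zone, dst_zone = self.zone_of(flow.in_if), self.zone_of(flow.out_if)
        # Return traffic of an inspected session needs no reverse zone pair.
        if (flow.proto, flow.dst, flow.dport, flow.src, flow.sport) in self.sessions:
            return "allow", "return traffic of inspected session"
        if src_zone is None and dst_zone is None:
            return "allow", "neither interface is zoned, so ZBFW does not apply"
        if src_zone is None or dst_zone is None:
            return "drop", "zoned to unzoned interface is blocked"
        if src_zone == dst_zone:
            return "allow", "intra-zone traffic"
        policy = ZONE_PAIRS.get((src_zone, dst_zone))
        if policy is None:
            if "self" in (src_zone, dst_zone):
                return "allow", "self zone defaults to allow all"
            return "drop", "no zone pair configured"
        for class_name, action in POLICY_MAPS[policy]:
            if acl_permits(CLASS_MAPS[class_name], flow):
                if action == "inspect":
                    self.sessions.add((flow.proto, flow.src, flow.sport, flow.dst, flow.dport))
                    return "allow", f"{class_name}: inspect (session created)"
                if action == "pass":
                    return "allow", f"{class_name}: pass (stateless, no session)"
                return "drop", f"{class_name}: drop"
        return "drop", "class-default"


def run_scenarios():
    """Push constructed flows through the firewall in order; returns {label: decision}."""
    fw = ZoneBasedFirewall()
    inside, outside = "10.1.1.5", "203.0.113.10"  # constructed addresses
    scenarios = [
        ("http out", Flow("FastEthernet0/0", "FastEthernet1/0", "tcp", inside, outside, 40000, 80)),
        ("http reply", Flow("FastEthernet1/0", "FastEthernet0/0", "tcp", outside, inside, 80, 40000)),
        ("unsolicited syn", Flow("FastEthernet1/0", "FastEthernet0/0", "tcp", outside, inside, 5555, 80)),
        ("ssh out", Flow("FastEthernet0/0", "FastEthernet1/0", "tcp", inside, outside, 40001, 22)),
        ("icmp unreachable in", Flow("FastEthernet1/0", "FastEthernet0/0", "icmp", outside, inside, 0, 3)),
        ("icmp echo in", Flow("FastEthernet1/0", "FastEthernet0/0", "icmp", outside, inside, 0, 8)),
        ("router to outside", Flow("self", "FastEthernet1/0", "icmp", "198.51.100.1", outside, 0, 8)),
        ("to unzoned", Flow("FastEthernet0/0", "FastEthernet2/0", "tcp", inside, "192.0.2.9", 40002, 80)),
    ]
    results = {}
    for label, flow in scenarios:
        decision, reason = fw.evaluate(flow)
        results[label] = decision
        print(f"{label:22} {decision:6} {reason}")
    return results


if __name__ == "__main__":
    run_scenarios()
```

Running it shows the HTTP reply allowed only because the outbound inspect created a session, the unsolicited inbound SYN and the non-matching outbound SSH falling to class-default, the ICMP unreachable passing statelessly, router-originated traffic allowed with no self-zone pair, and anything heading to the unzoned interface dropped.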
Done with the explanation. Read the other technical details and examples on Cisco's website, and get the lab rolling!!
Here's a great basic lab for ZBFW from GNS3Vault using GNS3.
http://gns3vault.com/Security/basic-zone-based-firewall.html