Zone Based Firewall (or ZBF, ZBFW or ZFW) is the actual firewall feature available on Cisco routers. ZBF is destined to replace (or remodeled) the IOS classic stateful firewall also called CBAC (Context Based Access Control).
ZBF provides stateful packet inspection (compared to ACL, stateless) and offers a flexible CLI configuration that I will detail below.
ZBF is a great feature for small and midsized networks needing security isolation between multiple zones having different purposes and access rights. The configuration is easier compared to CBAC that requires inspection rules for each interfaces.
Keep this rules in mind while configuring ZBF:
– Zone to zone communication is implicitly denied
– Interfaces in the same zone are allowed to talk to each other
– The self zone is the router: it designates all traffic originated and destined to the router. This is allowed by default.
The basic scenario consists in defining 3 zones: Private, DMZ and Internet:
But the following scenarios can also be considered:
– 2 zones: LAN and EXTERNAL as simple firewall
– Multiple service zones: enforce a corporate network security policy
I will explore the configuration of the last scenario. Imagine a company that classifies data according to different levels. To maintain the isolation the company designs its network using multiple servers residing in different networks. A Cisco router is used to inspect and log file transfer traffic between these networks. The administrators of the router are located in the CONFIDENTIAL zone.
The following steps are required to set up ZBFW:
– Create zones
– Put the interfaces in zones
– Define ACLs and Class-Maps to select the traffic
– Define policies applied (drop, inspect, pass, log)
– Define where filtering occurs (zone-pair)
In this example:
Create the security zones
zone security PUBLIC description PUBLIC-UNCLASSIFIED zone security TS description TOP-SECRET zone security SECRET description SECRET zone security CONFIDENTIAL description CONFIDENTIAL
R13#show zone security zone self Description: System defined zone zone PUBLIC Description: PUBLIC-UNCLASSIFIED zone TS Description: TOP-SECRET zone SECRET Description: SECRET zone CONFIDENTIAL Description: CONFIDENTIAL
Define the interfaces, here I configure a router on a stick with 802.1q sub interfaces.
int f0/0 no sh int f0/0.10 encapsulation dot1Q 10 ip address 10.10.10.254 255.255.255.0 zone-member security SECRET int f0/0.20 encapsulation dot1Q 20 ip address 10.10.20.254 255.255.255.0 zone-member security CONFIDENTIAL int f0/0.30 encapsulation dot1Q 30 ip address 10.10.30.254 255.255.255.0 zone-member security TS int lo0 ip address 126.96.36.199 255.255.255.0 zone-member security PUBLIC
The interfaces now appear under their zones:
R13#sh zone security zone self Description: System defined zone zone PUBLIC Description: PUBLIC-UNCLASSIFIED Member Interfaces: Loopback0 zone TS Description: TOP-SECRET Member Interfaces: FastEthernet0/0.30 zone SECRET Description: SECRET Member Interfaces: FastEthernet0/0.10 zone CONFIDENTIAL Description: CONFIDENTIAL Member Interfaces: FastEthernet0/0.20 R13#sh ip int brie Interface IP-Address OK? Method Status Protocol FastEthernet0/0 unassigned YES unset up up FastEthernet0/0.10 10.10.10.254 YES manual up up FastEthernet0/0.20 10.10.20.254 YES manual up up FastEthernet0/0.30 10.10.30.254 YES manual up up FastEthernet0/1 unassigned YES unset administratively down down Loopback0 188.8.131.52 YES manual up up
Then I configure the policies that will enforce zone to zone communication restrictions.
Like QoS configuration, class-maps and ACLs match the traffic and policy-maps take the actions.
ip access-list standard DENIED deny any class-map type inspect match-any filetransfer match protocol nfs class-map type inspect match-all LOGDENIED match access-group name DENIED policy-map type inspect pol-filetransfer class type inspect filetransfer inspect class class-default drop log policy-map type inspect pol-LOGDENIED class type inspect LOGDENIED drop log
Then I apply the policies between the zones:
zone-pair security CONFIDENTIAL->UNCLASSIFIED source CONFIDENTIAL destination PUBLIC service-policy type inspect pol-filetransfer zone-pair security SECRET->CONFIDENTIAL source SECRET destination CONFIDENTIAL service-policy type inspect pol-filetransfer zone-pair security SECRET->UNCLASSIFIED source SECRET destination PUBLIC service-policy type inspect pol-filetransfer zone-pair security TS->UNCLASSIFIED source TS destination PUBLIC service-policy type inspect pol-filetransfer zone-pair security TS->CONFIDENTIAL source TS destination CONFIDENTIAL service-policy type inspect pol-filetransfer zone-pair security TS->SECRET source TS destination SECRET service-policy type inspect pol-filetransfer zone-pair security PUBLIC->TS source PUBLIC destination TS service-policy type inspect pol-LOGDENIED zone-pair security PUBLIC->CONFIDENTIAL source PUBLIC destination CONFIDENTIAL service-policy type inspect pol-LOGDENIED zone-pair security PUBLIC->SECRET source PUBLIC destination SECRET service-policy type inspect pol-LOGDENIED
Last but not least, I configure the self zone to only permit administrators to access the router. By default any zone can communicate with any router interfaces.
!from ZONE SECRET to routers loopback 2 (not member of any zone) R2(config)#do ping 184.108.40.206 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/32 ms
(as you see I avoid using match protocol with the self zone, because it is buggy… CSCsq44101)
ip access-list extended ADMIN-ACL permit tcp any any eq 22 permit tcp any any eq telnet permit tcp any any eq cmd permit tcp any any eq tacacs permit tcp any any eq 37 permit icmp any any class-map type inspect match-any ADMIN match access-group name ADMIN-ACL policy-map type inspect pol-ADMIN class type inspect ADMIN inspect class class-default drop log zone-pair security CONFIDENTIAL->self source CONFIDENTIAL destination self service-policy type inspect pol-ADMIN zone-pair security self->CONFIDENTIAL source self destination CONFIDENTIAL service-policy type inspect pol-LOGDENIED zone-pair security self->SECRET source self destination SECRET service-policy type inspect pol-LOGDENIED zone-pair security self->TS source self destination TS service-policy type inspect pol-LOGDENIED
Let’s test again:
R2(config)#do ping 18.104.22.168 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.214.171.124, timeout is 2 seconds: .....
The following commands can be useful to troubleshoot Zone Based Firewall:
sh class-map type inspect sh policy-map type inspect sh ip access-list sh zone security sh zone-pair security
Please note that ZBF can be configured with SDM.
Thanks for reading!