Deploying Zone-Based Firewalls

Cisco Press has just released my latest book (and my first digital one): Deploying Zone-Based Firewalls. The book covers a completely new way to configure IOS firewall feature set based on security zones you define on a router and inter-zone policies configured using the familiar class-maps and policy-maps.

You can preview this digital book (they call it Digital Short Cut) using the Safari technology at Cisco Press and buy it at Amazon.

Recent posts in the same categories

22 comments:

  1. Unknown 15 December 2006 16:41
    when you use the new zone base fw feature. when you drop and log all other traffic in a policy, is the log function done using CEF or process switching?
  2. Unknown 05 February 2007 14:56
    Hello,

    is it mandatory to use "Class class-default --> Drop" statement in Policy map or Policy map automatically rejects everything what is not permitted/inspected? For example I would like to permit https traffic and reject everything else. Do I need to input "Class class-default --> Drop" ?

    Thank you and Kind regards,Marko
  3. Ivan Pepelnjak 05 February 2007 18:30
    As the answer might interest many readers, I wrote a new post about it.
  4. Anonymous 05 May 2007 11:55
    I've read your book, which I found clear and well put together.

    I was, however, left wondering why there was such little apparent use made of the feature in real life.

    IOS Zone-based firewalls are supposed to be easier to set up and understand (arguable), more precise, and possibly offering higher throughput, but there seem to be relatively few examples of their use, even with their support in SDM 2.4.

    Is it because

    (a) they are a relatively recent addition to IOS and so there is less documentation / experience / expertise available for their use.

    (b) they are not easier to configure/maintain in practice.

    For example you still need to use Access Control Lists to let particular types of icmp through, because the ZBF operates on a protocol basis.

    And, instead of an easy to read list of what is blocked/passed, you have zones, zone links, protocol inspection rules, etc. Even with SDM, there is a good deal of setting up of the building blocks before you can use them.

    Am I missing something?
  5. Ivan Pepelnjak 05 May 2007 14:59
    Thanks for your thoughts about the book :)

    I would assume that the (current)low acceptance of the zone-based configuration is based both on the release it's available in (I would never put an "experimental" IOS release like a T release in my production network unless forced to do so by a mandatory feature or new hardware platform) as well as relative unfamiliarity (people still think in terms of access lists).

    I also agree with you that the configuration interface is a bit baroque (with classes, policies, inter-zone service policies ...) and it's definitely easier to write an access list ... if you have only two zones. However, try writing an access list for a complex firewall with 4 or 5 zones (where you have to merge all your inter-zone policies into a single access list) and you'll start appreciating the zone-based configuration. The configuration model is even more useful if you have multiple zones that have the same inter-zone policy toward a target zone (for example, all internal zones have the same policy toward the Internet).

    Having said all that, a year ago, I would probably still stick to the access-lists (even if the zone-based configuration would be available in a GD release) if I'd have to do a quick configuration job. Having climbed the learning curve, I will definitely use the new approach in my future projects ... once it becomes available in a stable major release.
  6. Anonymous 06 May 2007 14:16
    I have just provisioned a router with from scratch using SDM2.4.

    It now installs a zone-based firewall by default.

    I am struggling to

    (1) get BGP going, to pick up bogon lists from cymru (repeated no route to peer messages)

    (2) L2TP/IPSec connections.

    This is a straightforward DSL+LAN setup (no DMZ).

    My main issue (apart from the sheer number of settings that SDM generates) is a confusion between when to use self and when to use in/outside.
  7. Anonymous 07 May 2007 22:38
    The trick seems to be to allow isakmp & esp from out to self, and to add a static route to the cymru bgp peer.
  8. Ivan Pepelnjak 08 May 2007 06:28
    You're right regarding the IPSec issues, I also wrote a post detailing the rules of the self zone usage.

    As for the BGP session, it looks like the router is not willing to use the default route to get to its BGP peer. Interesting, will check it in my lab :)
  9. Anonymous 11 May 2007 00:55
    The other thing that I am noticing is that cymru BGP appears to be trying to send a message from port 179 into a random high-numbered port in my router. This gets blocked, even though I am inspecting outgoing bgp.

    Perhaps it is something to do with the time it takes to build IPS signatures as the ATM goes up
  10. Anonymous 05 June 2007 00:39
    A further example that would be helpful is the setup for SIP.

    I notice that just opening SIP and RTP (in my case 5004 or 5006) does not help. I also seem to have to open UDP to get the RTP connection to work; otherwise, it just seems to be blocked, even if it is open.

    Thanks.
  11. Anonymous 25 June 2007 09:02
    An apparent limitation of the ZBF approach is that out-of-order packets in TCP streams are not cached and reassembled before they are inspected by IPS or the firewall http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080768229.html

    What difference does this make in real life?
  12. Ivan Pepelnjak 25 June 2007 18:52
    I wrote a post about this problem a while ago, but as it was mis-labeled, even I had problems finding it :( ... fixed now.

    The only situation where you'd get out-of-order TCP packets in real life is if a box anywhere in the end-to-end path is doing per-packet load sharing ... or if you do weird QoS stuff classifying some TCP packets in a session in a different class than others (for example, mark long packets low-priority).
  13. Anonymous 12 March 2008 10:01
    I notice that configuring deep packet (L7) http inspection seems to kill my download speed. Is there a work-around?
  14. Ivan Pepelnjak 13 March 2008 11:24
    Apart from buying a faster router, disabling the deep packet inspection or upgrading IOS (and hoping that a newer release is more optimized), there's not much you can do, it's a CPU-intensive task. Just to be on the safe side, inspect the "show proc cpu" output to verify that the CPU load is really getting close to 100%.
  15. John Moseley 08 January 2010 21:46
    Hi guys, I'm slightly confused. Is the zone based feature available on Cisco ASA's or is it purely a router feature? If it is available what OS version?

    Many Thanks
  16. Ivan Pepelnjak 09 January 2010 20:22
    This book describes the IOS implementation (available in 12.4T and 15.0). Something very similar is available in ASA.
  17. Victor 30 May 2010 00:58
    Hello Ivan,

    Could you pls provide any insight about inspecting mpls encapsulated traffic with ZBF? I've been unable to find much information about such topic? I heard about an specific solution using an special hairpin to decapsulate and loop back the traffic using a tunnel interface.

    Thanks.... Victor.
  18. Ivan Pepelnjak 30 May 2010 16:13
    Never tried that. I would assume ZBF works only on pure IP traffic. What exactly are you looking for?
  19. Victor. 01 June 2010 01:42
    Hi Ivan, thank you for your response, I'm working on a exercise where they ask to apply inspection (ZBF) to the VPN traffic between two PEs. Basically the solution provided is creating a new VRF on the device along with a Tunnel, one of the Tunnel interfaces belong to the newly created VRF and the other to the VRF already present, essentially linking both VRF's back-to-back on the same router. Finally the policies are applied on the tunnel interface, where the traffic is transiting unlabeled. Until now, this solution (VRFs workaround) has been difficult to understand.
    By the way, your book on this subject has been a good reading.
    Thanks in advance for your help. Regards.... Victor.
  20. Carlos 06 May 2011 01:07
    Hi Ivan,

    I have just read your book on deploying ZBF and was a great read. Really helped to break down ZBF for me so thanks.

    One thing I noticed is your method for all out traffic to be inspected (listing 3-5) says
    policy-map type inspect InsideToOutside
    class class-default
    inspect

    I am using that latest release of IOS 15.1(4)m and it seems that you can no longer use inspect on the class-default anymore.

    rtr(config-pmap)# class class-default
    rtr(config-pmap-c)# inspect
    %Action inspect cannot be added to class-default

    Just wondering what you recommend in place of this? Was thinking to use a class map inspect for tcp,udp,icmp.

    Thanks
  21. Ivan Pepelnjak 08 May 2011 11:07
    Weird. The workaround would be to create a class that matches TCP, UDP or ICMP.

    Not sure whether you'd have to put FTP/SIP in a separate class to ensure ZBF does deep(er) packet inspection.
Add comment
Home
Sidebar