Zone Based Policy Firewall


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract:

Security of the network is essential to the success of today's businesses. We implement security standards and draft security policies to manage the risks. A firewall is an essential component in creating a secured network and mitigating network security risks like denial-of-service attacks, inappropriate network usage, data theft and loss, virus and Trojan attacks, and intrusion attempts by both internal and external users. It does so by enforcing security policy, efficiently logging internet activity, increasing network flexibility and limiting the network's exposure to harmful elements.

There are mainly four types of firewall technologies: Packet Filtering, Application Proxies, Stateful Packet Inspection and the more granular Deep Packet Inspection.

This paper demonstrates uses, applications, merits and demerits of Zone-Based Policy Firewalls, hereon referred to as ZBF, on Cisco IOS devices.

Introduction:

Zone-Based Policy Firewall provides an intuitive design approach to policy processing on groups of router interfaces. It was introduced in IOS software version 12.4(6)T in 2006 and later enhanced in 12.4(9)T. Zone-Based Firewall supports most of the features of the earlier Context-Based Access Control (CBAC) firewall, like Application Inspection, Stateful Packet Inspection, Denial of Service (DoS) mitigation and URL Filtering, and adds features and flexibility like rate-limiting and P2P and IM inspection.

In a traditional Context-Based Access Control (CBAC) firewall, we use Access Control Lists (ACL) on individual router interfaces to allow/deny traffic and use "ip inspect" policies to apply Stateful Packet Inspection. In Zone-Based Policy Firewall, we divide the network into different Zones like Trusted and Untrusted and apply policies to these Zones. Within a Zone, traffic flows uninspected. Traffic flowing between Zones is matched against the pre-defined policy, and one of a few actions like INSPECT, DROP or PASS is applied to it.

This demonstration is divided into the following sections:

a) Components of ZBF
b) Configuring ZBF on Cisco IOS firewall
c) Verifying ZBF in action
d) Advantages of using ZBF
e) Demerits associated with ZBF
f) Conclusion and Recommendations
g) References used

We will refer to the following diagram throughout the rest of the documentation. We are using a Cisco 7200 router (c7200-advsecurityk9-mz.150-1.M). Trusted MPLS and LAN are in the INSIDE zone. The WAN is in the OUTSIDE zone. The servers are in the DMZ zone.

Here are the IP subnet assignments for our demonstration:

Zone NAME   Subnet           Router IP     Router Interface   Client Device IP
INSIDE      10.10.20.0/24    10.10.20.1    E2/1               10.10.20.2
INSIDE      10.10.10.0/24    10.10.10.1    E2/0               10.10.10.2
OUTSIDE     172.16.1.0/24    172.16.1.1    E2/2               172.16.1.2
GUEST       192.168.2.0/24   192.168.2.1   S1/0               192.168.2.2

(Note that the Router Interface column above is swapped for OUTSIDE and GUEST relative to the configuration in section b), where 172.16.1.1 in zone OUTSIDE is on Serial1/0 and 192.168.2.1 in zone GUEST is on Ethernet2/2.)

INSIDE zone: users on LAN subnet 10.10.10.0 are allowed to access WAN subnet 172.16.1.0 and branch office subnet 10.10.20.0.

Users in the GUEST zone subnet 192.168.2.0 can only access the internet in the OUTSIDE zone subnet 172.16.1.0 and are not allowed to access the INSIDE zone subnets 10.10.10.0 and 10.10.20.0, because we want to restrict guests from accessing our internal LAN.

The OUTSIDE zone WAN subnet 172.16.1.0 cannot access any other subnet.

[Network diagram: Inside Zone with LAN 10.10.10.0/24 (Cisco switch, hosts 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5) and trusted MPLS WAN 10.10.20.0/24 to the branch office; Outside Zone with the untrusted WAN link 172.16.1.0/24; GUEST Zone 192.168.2.0/24 with servers REST API 192.168.2.100, Core Java Classes 192.168.2.101, Database Server 192.168.2.102, Version Control 192.168.2.103 and Web Portal Server 192.168.2.104 (CentOS 6.2). Router interfaces E2/0, E2/1, E2/2 and S1/0.]

a) Components of ZBF

To configure ZBF on Cisco IOS devices, we define Zones, Class-Maps and Policy-Maps. Then we define Zone-Pairs to apply the Policy-Maps and add interfaces to Zones.

Zone: a ZONE is a logical name configured by a network engineer. It is the group to which we assign interfaces so that they can be identified easily and have policies applied to them later on. The Zone is the primary building block of a ZBF. Traffic between member interfaces within a zone is allowed by default. Traffic between zones is dropped by default.

Syntax: Router(config)#zone security (ZoneName)

Class-Maps: Class-Maps are used to identify interesting traffic. In a CBAC-based firewall, we used ACLs to find interesting traffic, which had the limitation of Permit/Deny based on Layer 3 and Layer 4 addresses. Class-Maps go a step further to not only Permit/Deny but also inspect. We can also nest a Class-Map inside another, which gives more flexibility.

Syntax:
Router(config)#class-map type inspect match-any (anyname)
Router(config-cmap)#match protocol icmp

Policy-Maps: Policy-Maps define the actions to be taken on the interesting traffic that we identified using Class-Maps. We might want to INSPECT, PASS or DROP the interesting traffic.

INSPECT: Traffic is inspected and allowed; this ensures that the return traffic is statefully allowed.
DROP: Traffic is not allowed and is dropped.
PASS: Traffic is allowed. Unlike INSPECT, PASS keeps no session state, so the return traffic is not automatically allowed and needs its own rule in the reverse direction.

Router(config)#policy-map type inspect POLICY_IN_TO_OUT
Router(config-pmap)#class type inspect IN_TO_OUT

Zone-Pairs: A Zone-Pair controls a unidirectional traffic flow between zones. By default, traffic between zones is dropped. Here we define rules to allow interesting traffic between zones. "Interesting traffic" means selectively allowing certain types of traffic while restricting others. We might want to allow web browsing using HTTP while not allowing telnet.

Syntax:
Router(config)# zone-pair security (ZONE_PAIR_NAME) source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect (POLICY_NAME)

b) Configuring ZBF on Cisco IOS firewall:

This involves the following steps:

1. Define Zones and assign interfaces to zones.
2. Define Class-Maps to identify interesting traffic.
3. Define Policy-Maps.
4. Configure Zone-Pairs.

1. Define Zones and assign interfaces to zones.

Create Zones:

We are creating three Zones and naming them INSIDE, OUTSIDE and GUEST.

Router#conf term
Router(config)#zone security INSIDE
Router(config-sec-zone)#exit
Router(config)#zone security OUTSIDE
Router(config-sec-zone)#exit
Router(config)#zone security GUEST

Then we configure the interfaces with IP addresses and assign them to Zones:

Router(config)#interface e2/0
Router(config-if)#ip address 10.10.10.1 255.255.255.0
Router(config-if)#zone-member security INSIDE
Router(config-if)#no shut

Router(config)#interface e2/1
Router(config-if)#ip address 10.10.20.1 255.255.255.0
Router(config-if)#zone-member security INSIDE
Router(config-if)#no shut

Router(config)#interface e2/2
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#zone-member security GUEST
Router(config-if)#no shut

Router(config)#interface s1/0
Router(config-if)#ip address 172.16.1.1 255.255.255.0
Router(config-if)#zone-member security OUTSIDE
Router(config-if)#no shut

2. Define Class-map to identify Interesting traffic

We are defining two Class-maps, IN_TO_OUT matches INSIDE zone users icmp, http, ssh, and

telnet traffic and GUEST_TO_OUT matches Guest users http and icmp traffic only

Router(config)#class-map type inspect match-any IN_TO_OUT

Router(config-cmap)#match protocol icmp

Router(config-cmap)#match protocol http

Router(config-cmap)#match protocol ssh

Router(config-cmap)#match protocol telnet

Router(config)#class-map type inspect match-any GUEST_TO_OUT

Router(config-cmap)#match protocol icmp

Router(config-cmap)#match protocol http

3. Define Policy-Maps

A Policy-Map specifies an action for each Class-Map. Note that there is a hidden class, class-default, at the end of each policy-map that drops "all other" traffic by default, just like the implicit "deny all" at the end of each access list.

Syntax:
class class-default
 drop

We are creating two Policy-Maps: POLICY_IN_TO_OUT, which allows icmp, http, ssh and telnet traffic originating from the INSIDE zone to the OUTSIDE zone, and POLICY_GUEST_TO_OUT, which allows icmp and http traffic originating from the GUEST zone to the OUTSIDE zone. All other traffic is dropped by class-default.

Router(config)#policy-map type inspect POLICY_IN_TO_OUT
Router(config-pmap)#class type inspect IN_TO_OUT
Router(config-pmap-c)#inspect

Router(config)#policy-map type inspect POLICY_GUEST_TO_OUT
Router(config-pmap)#class type inspect GUEST_TO_OUT
Router(config-pmap-c)#inspect

4. Configure Zone-Pairs

We need to configure Zone-Pairs to allow traffic from one zone to another. A zone-pair must be configured for each direction in which a connection will be initiated; the return traffic of an inspected connection is allowed automatically once a zone initiates it. In our diagram, the INSIDE zone is allowed to access the OUTSIDE zone, the GUEST zone can only access the OUTSIDE zone, and the OUTSIDE zone cannot access any other zone.

The following two Zone-Pairs meet our objective:

Zone-pair name       Remarks
ZONE_IN_TO_OUT       Allows traffic originating from INSIDE to OUTSIDE
ZONE_GUEST_TO_OUT    Allows traffic originating from GUEST to OUTSIDE

Router(config)# zone-pair security ZONE_IN_TO_OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect POLICY_IN_TO_OUT
Router(config)# zone-pair security ZONE_GUEST_TO_OUT source GUEST destination OUTSIDE
Router(config-sec-zone-pair)#service-policy type inspect POLICY_GUEST_TO_OUT

This concludes the configuration part, and now it is time to verify the configuration. Here is the final configuration:

class-map type inspect match-any GUEST_TO_OUT
 match protocol http
 match protocol icmp
class-map type inspect match-any IN_TO_OUT
 match protocol icmp
 match protocol http
 match protocol ssh
 match protocol telnet
!
!
policy-map type inspect POLICY_IN_TO_OUT
 class type inspect IN_TO_OUT
  inspect
 class type inspect GUEST_TO_OUT
  inspect
 class class-default
  drop
policy-map type inspect POLICY_GUEST_TO_OUT
 class type inspect GUEST_TO_OUT
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone security GUEST
zone-pair security ZONE_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_IN_TO_OUT
zone-pair security ZONE_GUEST_TO_OUT source GUEST destination OUTSIDE
 service-policy type inspect POLICY_GUEST_TO_OUT
!
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.0
 zone-member security OUTSIDE
 serial restart-delay 0
!
interface Ethernet2/0
 ip address 10.10.10.1 255.255.255.0
 zone-member security INSIDE
 duplex half
!
!
interface Ethernet2/1
 ip address 10.10.20.1 255.255.255.0
 zone-member security INSIDE
 duplex half
!
!
interface Ethernet2/2
 ip address 192.168.2.1 255.255.255.0
 zone-member security GUEST
 duplex half

Note that this running configuration differs from step 3 in two places: POLICY_IN_TO_OUT also carries the GUEST_TO_OUT class, and under POLICY_GUEST_TO_OUT the GUEST_TO_OUT class has no inspect action. Compare the policy-maps in show running-config against the intended policy before relying on the GUEST rules.
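The zone, class-map, policy-map and zone-pair semantics configured above, modelled in Python as an added example (this is not Cisco code and not part of the original paper; zone, class-map and policy names are taken from the configuration, and the session table is a simplification that keys on protocol and addresses only, ignoring ports):

```python
# Added example: a small model of the ZBF decision logic from the configuration
# above (not Cisco code). Zone, class-map and policy names follow the paper;
# the session table is a simplification that keys on protocol and addresses only.
from dataclasses import dataclass, field

INSPECT, PASS, DROP = "inspect", "pass", "drop"


@dataclass
class ZoneFirewall:
    zones: dict        # interface -> zone name
    class_maps: dict   # class-map name -> set of protocols (match-any)
    policies: dict     # policy-map name -> list of (class-map name, action)
    zone_pairs: dict   # (source zone, destination zone) -> policy-map name
    sessions: set = field(default_factory=set)  # (proto, src, dst) added by inspect

    def decide(self, in_if, out_if, proto, src, dst):
        """Return the action applied to a packet entering in_if and leaving out_if."""
        # Reply traffic of an inspected session is allowed without a reverse zone-pair.
        if (proto, dst, src) in self.sessions:
            return "return"
        src_zone, dst_zone = self.zones.get(in_if), self.zones.get(out_if)
        if src_zone is None or dst_zone is None:
            # Two zone-less interfaces may talk; a zone member and a non-member may not.
            return PASS if src_zone is dst_zone else DROP
        if src_zone == dst_zone:
            return PASS                # intra-zone traffic is not policed
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return DROP                # no zone-pair in this direction: default deny
        for class_name, action in self.policies[policy]:
            if proto in self.class_maps[class_name]:
                if action == INSPECT:
                    self.sessions.add((proto, src, dst))
                return action
        return DROP                    # the hidden "class class-default / drop"


def paper_firewall(action=INSPECT):
    """Build the paper's three-zone firewall; action lets INSPECT and PASS be compared."""
    return ZoneFirewall(
        zones={"e2/0": "INSIDE", "e2/1": "INSIDE", "e2/2": "GUEST", "s1/0": "OUTSIDE"},
        class_maps={"IN_TO_OUT": {"icmp", "http", "ssh", "telnet"},
                    "GUEST_TO_OUT": {"icmp", "http"}},
        policies={"POLICY_IN_TO_OUT": [("IN_TO_OUT", action)],
                  "POLICY_GUEST_TO_OUT": [("GUEST_TO_OUT", action)]},
        zone_pairs={("INSIDE", "OUTSIDE"): "POLICY_IN_TO_OUT",
                    ("GUEST", "OUTSIDE"): "POLICY_GUEST_TO_OUT"},
    )
```

Building the firewall with action=PASS instead of INSPECT shows why the paper uses inspect: the outbound request is allowed either way, but only the inspected session lets the reply back through without a reverse zone-pair.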

c) Verifying ZBF in action

We use the command "show zone security" to view the interface membership of the different ZONEs.

Router#Show Zone security
*Apr 27 12:07:47.131: %SYS-5-CONFIG_I: Configured from console by console
zone self
  Description: System defined zone
zone INSIDE
  Member Interfaces:
    Ethernet2/1
    Ethernet2/0
zone OUTSIDE
  Member Interfaces:
    Serial1/0
zone GUEST
  Member Interfaces:
    Ethernet2/2

Notice the default zone "self": it applies to all traffic destined to and originating from the router's control plane, e.g. routing protocols. By default all traffic to and from the self zone is allowed.

This confirms that the interfaces are assigned correctly to their respective Zones.

The command "show zone-pair security" provides details of the Zone-Pair configuration:

Router#show zone-pair security
Zone-pair name ZONE_IN_TO_OUT
    Source-Zone INSIDE  Destination-Zone OUTSIDE
    service-policy POLICY_IN_TO_OUT
Zone-pair name ZONE_GUEST_TO_OUT
    Source-Zone GUEST  Destination-Zone OUTSIDE
    service-policy POLICY_GUEST_TO_OUT

The command "show policy-map type inspect zone-pair" provides details of the policy applied to the interesting traffic:

Router#show policy-map type inspect zone-pair
policy exists on zp ZONE_IN_TO_OUT
 Zone-pair: ZONE_IN_TO_OUT
  Service-policy inspect : POLICY_IN_TO_OUT
    Class-map: IN_TO_OUT (match-any)
      Match: protocol icmp
        6 packets, 480 bytes
        30 second rate 0 bps
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol telnet
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
          icmp packets: [0:10]
        Session creations since subsystem startup or last reset 1
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:1:0]
        Last session created 00:00:34
        Last statistic reset never
        Last session creation rate 1
        Maxever session creation rate 1
        Last half-open session total 0
        TCP reassembly statistics
          received 0 packets out-of-order; dropped 0
          peak memory usage 0 KB; current usage: 0 KB
          peak queue length 0
    Class-map: GUEST_TO_OUT (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
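Reading this output by hand is fine for one zone-pair, but a monitoring script wants the counters in structured form. Here is an added Python example (not from the paper or from Cisco) that parses the show output layout above into per-class protocol counters and session counts, and lists which matched protocols actually carried traffic; SAMPLE is a constructed excerpt in the same layout.

```python
# Added example (not Cisco code): parse "show policy-map type inspect zone-pair"
# output into per-class protocol counters and session counts, then list which
# matched protocols actually carried traffic. SAMPLE is a constructed excerpt in
# the same layout as the output shown above.
import re

SAMPLE = """\
policy exists on zp ZONE_IN_TO_OUT
 Zone-pair: ZONE_IN_TO_OUT
  Service-policy inspect : POLICY_IN_TO_OUT
    Class-map: IN_TO_OUT (match-any)
      Match: protocol icmp
        6 packets, 480 bytes
      Match: protocol telnet
        0 packets, 0 bytes
      Inspect
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:1:0]
"""

RE_ZP = re.compile(r"Zone-pair:\s+(\S+)")
RE_CLASS = re.compile(r"Class-map:\s+(\S+)")
RE_MATCH = re.compile(r"Match: protocol\s+(\S+)")
RE_COUNT = re.compile(r"(\d+) packets, (\d+) bytes")
RE_SESS = re.compile(r"(Current|Maxever) session counts.*\[(\d+):(\d+):(\d+)\]")


def parse_inspect_stats(text):
    """Return {zone_pair: {"classes": {cls: {proto: (pkts, bytes)}}, "sessions": {...}}}."""
    stats, zp, cls, proto = {}, None, None, None
    for line in text.splitlines():
        if m := RE_ZP.search(line):
            zp = stats.setdefault(m.group(1), {"classes": {}, "sessions": {}})
        elif m := RE_CLASS.search(line):
            cls = zp["classes"].setdefault(m.group(1), {})
        elif m := RE_MATCH.search(line):
            proto = m.group(1)
        elif m := RE_COUNT.search(line):
            cls[proto] = (int(m.group(1)), int(m.group(2)))   # packets, bytes
        elif m := RE_SESS.search(line):
            # (established, half-open, terminating): a growing half-open count is a DoS sign
            zp["sessions"][m.group(1).lower()] = tuple(int(x) for x in m.group(2, 3, 4))
    return stats


def active_protocols(stats):
    """List (zone_pair, class, protocol) whose packet counter is non-zero."""
    return [(zp, cls, proto)
            for zp, data in stats.items()
            for cls, protos in data["classes"].items()
            for proto, (pkts, _) in protos.items() if pkts]
```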

Here we can see that a LAN -> WAN icmp ping is allowed but a WAN -> LAN icmp ping is dropped.

LAN#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/35/64 ms

WAN#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

d) Advantages of using ZBF

- ZBF works on Security Zones, not individual router interfaces.
- We can assign IPsec tunnel interfaces to a zone and apply policy to them.
- Supports additional features and flexibility like rate-limiting and P2P and IM inspection, in addition to the functionality of the CBAC-based firewall.
- Policy processing between zones is unidirectional.
- Supports most of the features of the earlier Context-Based Access Control (CBAC) firewall, like Application Inspection, Stateful Packet Inspection and Denial of Service (DoS) mitigation.
- ZBF uses Class-Maps, which go a step further than traditional ACLs by not only permitting/denying but also inspecting. We can even nest a Class-Map inside another, which gives more flexibility.
- Traffic is denied by default between zones.
- Zone-Based Policy Firewall can be configured using the CLI or a GUI.
- Policies are imposed on the Zone, which makes membership changes of router interfaces easier.

e) Demerits associated with ZBF

f) Conclusion and Recommendations

g) References used

Ref: http://blog.ine.com/2008/10/16/cisco-ios-zone-based-firewall-overview/

Zone-Based Policy Firewall Design and Application Guide
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00808bc994.shtml


