Zone-Based Policy Firewall

A zone is a group of interfaces that have similar functions or features. Zones establish the security borders of a network: a zone defines a boundary where traffic is subjected to policy restrictions as it crosses into another region of the network. An inspection policy is applied to traffic moving between zones. Inter-zone policies offer considerable flexibility, so different inspection policies can be applied to multiple host groups connected to the same router interface.

The self zone is a system-defined zone; it does not have any interfaces as members.

Zone-Based Policy Firewall Actions:

Zone-based policy firewall provides three actions for traffic that traverses from one zone to another:

    1. Drop: This is the default action for all traffic, applied by the "class class-default" that terminates every inspect-type policy-map. Other class-maps can also be configured to drop unwanted traffic. Traffic handled by the drop action is dropped "silently" (i.e. no ICMP Unreachable message is sent).
    2. Pass: This action allows the router to forward traffic from one zone to another. It only allows traffic in one direction.
    3. Inspect: The inspect action offers state-based traffic control. The router maintains session information for TCP and UDP traffic, so it permits the return traffic of sessions it has already seen. Inspect also provides application inspection and control for certain service protocols that might carry vulnerable or sensitive application traffic.

Rules for applying Zone-based Policy Firewall:

    • A zone must be configured before an interface is assigned to it, and an interface can be assigned to only a single zone.
    • All traffic to and from an interface within a zone is permitted.
    • All traffic between zones is subject to the configured policies.
    • Traffic cannot flow between a zone member interface and any interface that is not a zone member. Pass, inspect or drop actions can only be applied between two zones.

Network topology:

The main policies are:

    • Hosts in the PUBLIC zone can reach the Telnet service on the servers in the DMZ. The policy restricts access to the other services available on each server.
    • The DMZ servers cannot connect to hosts in any other zone.
    • Hosts in the PRIVATE zone can connect to hosts in the DMZ zone on all TCP, UDP and ICMP services.
    • Hosts in the PRIVATE zone can reach the PUBLIC zone, but not vice versa.

Configuration:

Step 1: Define Zones and assign interfaces to zones

A security zone is configured for each region: PRIVATE, PUBLIC and DMZ. All interfaces assigned to the same zone are protected with the same level of security.

    • One interface is connected to the PRIVATE network with 2 PCs
    • One interface is connected to the PUBLIC Internet
    • One interface is connected to an Internet service DMZ with 2 servers

zone security PRIVATE
zone security PUBLIC
zone security DMZ
!
interface fastethernet 2/0
 zone-member security PRIVATE
!
interface fastethernet 2/1
 zone-member security DMZ
!
interface serial 1/0
 zone-member security PUBLIC
!

Step 2: Define class-maps that select the traffic allowed between zones

We permit Telnet traffic from the PUBLIC zone to the DMZ zone, so we create a class-map PUBLIC_TO_DMZ that matches Telnet traffic.

class-map PUBLIC_TO_DMZ

class-map type inspect match-all PUBLIC_TO_DMZ
 match access-group 102
 match protocol telnet
!
access-list 102 permit ip any 10.1.1.0 0.0.0.255
!

We also permit hosts in the PRIVATE zone to connect to servers in the DMZ zone, so we create another class-map, PRIVATE_TO_DMZ, that permits all TCP, UDP and ICMP services on the DMZ servers.

class-map PRIVATE_TO_DMZ

class-map type inspect match-any PRIVATE_TO_DMZ
 match access-group 101
 match protocol tcp
 match protocol udp
 match protocol icmp
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!

Lastly, hosts in the PRIVATE zone can reach any host in the PUBLIC zone, so we create a class-map PRIVATE_TO_PUBLIC that matches the IP addresses of the PRIVATE hosts and allows all of their traffic.

class-map PRIVATE_TO_PUBLIC

class-map type inspect match-all PRIVATE_TO_PUBLIC
 match access-group 103
!
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
!

Step 3: Configure policy-maps that specify the action for each class-map

The next step is to configure policy-maps that inspect the traffic we have just defined in the class-maps. The first policy-map, PRIVATE_DMZ_POLICY, defines the action for traffic from the PRIVATE zone to the DMZ zone, and PRIVATE_PUBLIC_POLICY defines the action for traffic from the PRIVATE zone to the PUBLIC zone.

policy-map PRIVATE_DMZ_POLICY and PRIVATE_PUBLIC_POLICY

policy-map type inspect PRIVATE_DMZ_POLICY
 class type inspect PRIVATE_TO_DMZ
  inspect
!
policy-map type inspect PRIVATE_PUBLIC_POLICY
 class type inspect PRIVATE_TO_PUBLIC
  inspect
!

The last policy-map, PUBLIC_DMZ_POLICY, defines the action for traffic from the PUBLIC zone to the DMZ zone.

policy-map PUBLIC_DMZ_POLICY

policy-map type inspect PUBLIC_DMZ_POLICY
 class type inspect PUBLIC_TO_DMZ
  inspect
!

Step 4: Configure the zone-pair and apply the policy-map

A zone-pair specifies a unidirectional firewall policy between two security zones. It is defined with the zone-pair security global configuration command, and the direction of the traffic is given by naming a source zone and a destination zone.

The service-policy command ties a policy-map to the zone-pair.

zone-pair and service-policy

zone-pair security PRIVATE_DMZ source PRIVATE destination DMZ
 service-policy type inspect PRIVATE_DMZ_POLICY
!
zone-pair security PRIVATE_PUBLIC source PRIVATE destination PUBLIC
 service-policy type inspect PRIVATE_PUBLIC_POLICY
!
zone-pair security PUBLIC_DMZ source PUBLIC destination DMZ
 service-policy type inspect PUBLIC_DMZ_POLICY
!
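As an added example (not part of the original page and not Cisco's code), the following Python models the decision this configuration makes for the first packet of a flow, covering steps 1 to 4 together: the interface-to-zone lookup, the zone-pair lookup, and class-map evaluation with match-all versus match-any semantics over IOS wildcard-mask ACLs. The zones, ACLs, class-maps, policy-maps and zone-pairs are taken from the page; the function names and the sample flows are assumptions.

```python
import ipaddress
# Added example, not Cisco's code: a model of how the page's zone-based policy firewall handles
# the first packet of a flow. Zones, ACLs, class-maps, policy-maps and zone-pairs are copied
# from the page's configuration; the helper names and sample flows are made up.
ZONE_OF = {"fastethernet2/0": "PRIVATE", "fastethernet2/1": "DMZ", "serial1/0": "PUBLIC"}
ACLS = {101: [("192.168.1.0 0.0.0.255", "10.1.1.0 0.0.0.255")],    # (src, dst) permit entries;
        102: [("0.0.0.0 255.255.255.255", "10.1.1.0 0.0.0.255")],  # 'any' is spelled out as
        103: [("192.168.1.0 0.0.0.255", "0.0.0.0 255.255.255.255")]}  # 0.0.0.0 255.255.255.255
CLASS_MAPS = {  # class-map type inspect: (match-all | match-any, criteria)
    "PUBLIC_TO_DMZ": ("match-all", [("acl", 102), ("protocol", "telnet")]),
    "PRIVATE_TO_DMZ": ("match-any", [("acl", 101), ("protocol", "tcp"),
                                     ("protocol", "udp"), ("protocol", "icmp")]),
    "PRIVATE_TO_PUBLIC": ("match-all", [("acl", 103)])}
POLICY_MAPS = {"PRIVATE_DMZ_POLICY": [("PRIVATE_TO_DMZ", "inspect")],  # ordered (class, action)
               "PRIVATE_PUBLIC_POLICY": [("PRIVATE_TO_PUBLIC", "inspect")],
               "PUBLIC_DMZ_POLICY": [("PUBLIC_TO_DMZ", "inspect")]}
ZONE_PAIRS = {("PRIVATE", "DMZ"): "PRIVATE_DMZ_POLICY", ("PUBLIC", "DMZ"): "PUBLIC_DMZ_POLICY",
              ("PRIVATE", "PUBLIC"): "PRIVATE_PUBLIC_POLICY"}

def acl_permits(acl, src, dst):  # IOS wildcard mask: a 0 bit means that address bit must match
    def hit(spec, ip):
        net, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
        return ((int(ipaddress.IPv4Address(ip)) ^ net) & ~wild & 0xFFFFFFFF) == 0
    return any(hit(s, src) and hit(d, dst) for s, d in acl)

def class_matches(name, flow):
    def hit(kind, value):
        if kind == "acl":
            return acl_permits(ACLS[value], flow["src"], flow["dst"])
        if value == "telnet":            # application match: Telnet rides TCP/23
            return flow["proto"] == "tcp" and flow.get("dport") == 23
        return flow["proto"] == value    # tcp / udp / icmp
    mode, criteria = CLASS_MAPS[name]
    combine = all if mode == "match-all" else any  # match-any: any one criterion suffices
    return combine(hit(k, v) for k, v in criteria)

def decide(in_if, out_if, flow):
    """ZBF action (pass / inspect / drop) for a flow entering in_if and leaving out_if."""
    src_zone, dst_zone = ZONE_OF.get(in_if), ZONE_OF.get(out_if)
    if (src_zone is None) != (dst_zone is None):
        return "drop"      # zone member <-> non-member interface: nothing flows
    if src_zone == dst_zone:
        return "pass"      # same zone (or neither interface is a zone member)
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        return "drop"      # no zone-pair in this direction, e.g. DMZ -> PRIVATE
    for class_name, action in POLICY_MAPS[policy]:
        if class_matches(class_name, flow):
            return action
    return "drop"          # class class-default: silent drop, no ICMP unreachable
```

Running decide() for a PRIVATE-to-DMZ TCP flow whose source lies outside access-list 101 still returns "inspect", because PRIVATE_TO_DMZ is match-any and the protocol criterion alone satisfies it; only the zone-pair confines that policy to PRIVATE sources. To make the ACL an additional condition, the class-map would need to be match-all with the three protocol matches nested in a separate match-any class.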