Lesson 10 - Firewalls - ZBF

Upload: milton-aguiar

Post on 29-May-2018


  • 8/8/2019 Lesson 10 - Firewalls - ZBF

    1/17

    Practical Lesson 10 Firewalls: Zone Based Policy Firewall (ZBPF) on Cisco routers

    Academic year 09/10 Milton Aguiar


    2/17

    Zone-based Policy Firewall

    In 2006, Cisco Systems introduced the zone-based policy firewall configuration model with Cisco IOS Release 12.4(6)T.

    With this new model, interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones.

    A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface. It also has the ability to prohibit traffic via a default deny-all policy between firewall zones.

    Milton Aguiar 2009/2010 2


    3/17

    ZBPF (no transcript text for this slide)


    4/17

    ZBPF

    The primary motivations for network security professionals to migrate to the ZPF model are structure and ease of use.

    Zones establish the security borders of a network.

    The zone itself defines a boundary where traffic is subjected to policy restrictions as it crosses over into another region of a network.

    The default policy between zones is deny all. If no policy is explicitly configured, all traffic moving between zones is blocked.



    5/17

    ZBPF (no transcript text for this slide)


    6/17

    ZBPF


    Designing zone-based firewalls involves a few steps:

    Step 1. Determine the zones: The infrastructure under consideration must be split into separate zones with various security levels. For example, the public network to which the internal network is connected is one zone.

    Step 2. Establish policies between zones: For each pair of "source-destination" zones (for example, from inside network to Internet), define the sessions that clients in the source zones can request from servers in destination zones.


    7/17

    ZBPF


    Designing zone-based firewalls involves a few steps (cont.):

    Step 3. Design the physical infrastructure: This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.

    Step 4. Identify subsets within zones and merge traffic requirements: the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones.


    8/17

    ZBPF


    A zone-based policy firewall can take three possible actions when configured:

    Inspect - It automatically allows for return traffic and potential ICMP messages;

    Drop - Analogous to a deny statement in an ACL;

    Pass - Analogous to a permit statement in an ACL.
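    The four design steps (slides 6 and 7) and the inspect/drop actions (slide 8) carried into a minimal IOS configuration. This is an added example, not a configuration from the original slides: the zone names, interface names, addresses and the list of allowed sessions are this example's assumptions, and step 3 (physical placement and redundancy) has no CLI equivalent, so it is not shown.

```cisco
! Step 1: the two zones this example assumes (INSIDE = trusted LAN, OUTSIDE = Internet)
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Internet uplink
!
! Bind interfaces to zones; an interface may belong to only one zone
interface GigabitEthernet0/0
 description LAN (assumed addressing)
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet (assumed addressing)
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
! Step 2: the sessions INSIDE clients may request from OUTSIDE servers
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 4: a host subset with extra requirements (assumed admin hosts needing SSH),
! merged into the same INSIDE -> OUTSIDE policy as a second class
ip access-list extended ADMIN-HOSTS
 permit tcp 192.168.10.0 0.0.0.255 any eq 22
class-map type inspect match-all ADMIN-SSH-CLASS
 match access-group name ADMIN-HOSTS
!
! "inspect" is stateful: return traffic for these sessions is allowed automatically.
! class-default with "drop" restates the default deny-all between zones explicitly,
! so that the drops are logged and visible in the policy counters.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class type inspect ADMIN-SSH-CLASS
  inspect
 class class-default
  drop log
!
! A zone pair is unidirectional: this one covers INSIDE -> OUTSIDE only
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! No OUTSIDE -> INSIDE zone pair is defined, so unsolicited traffic from the
! Internet towards the LAN is blocked by the default deny-all policy.
```

    Because the zone pair is unidirectional, only sessions opened from INSIDE are tracked; the reverse direction needs no pair of its own for the replies, which "inspect" lets through, but it would need one if OUTSIDE hosts were ever meant to initiate sessions towards INSIDE.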


    9/17

    ZBPF (no transcript text for this slide)


    10/17

    ZBPF


    Several rules govern interface behavior and the traffic moving between zone member interfaces:

    A zone must be configured before an administrator can assign interfaces to the zone.

    If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.

    An administrator can assign an interface to only one security zone.

    Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.

    To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

    Traffic cannot flow between a zone member interface and any interface that is not a zone


    11/17

    ZBPF


    Several rules govern interface behavior and the traffic moving between zone member interfaces (cont.):

    Interfaces that have not been assigned to a zone can still use a CBAC stateful packet inspection configuration.

    If an administrator does not want an interface on the router to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (also known as a dummy policy) between that zone and any other zone to which traffic flow is desired.

    All the IP interfaces on the router are automatically made part of the self zone when ZPF is configured. The self zone is the only exception to the default deny-all policy. All traffic to any router interface is allowed until traffic is explicitly denied.
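    The self-zone exception and the pass-all "dummy policy" from the two slides above, as an added IOS example that is not part of the original slides. It assumes an INSIDE zone already exists on a LAN interface addressed 192.168.10.1, and a third interface GigabitEthernet0/2 that should stay outside the firewall's inspection; all zone, class and policy names are this example's choices. It also shows the "pass" action, which the actions slide describes but the deny-all default makes easy to get wrong.

```cisco
! The self zone is system-defined; it is never created with "zone security".
! With no zone pair to or from self, every packet addressed to the router
! itself is allowed. This pair restricts what INSIDE hosts may send to the
! router: SSH and ICMP echo from the LAN (assumed management needs), nothing else.
ip access-list extended MGMT-TO-ROUTER
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq 22
 permit icmp 192.168.10.0 0.0.0.255 host 192.168.10.1 echo
!
class-map type inspect match-all MGMT-TO-ROUTER-CLASS
 match access-group name MGMT-TO-ROUTER
!
policy-map type inspect INSIDE-TO-SELF-POLICY
 class type inspect MGMT-TO-ROUTER-CLASS
  pass
 class class-default
  drop log
!
zone-pair security INSIDE-TO-SELF source INSIDE destination self
 service-policy type inspect INSIDE-TO-SELF-POLICY
!
! "pass" is stateless (permit in an ACL, no session created), so the replies
! from the router need their own zone pair in the opposite direction.
ip access-list extended ROUTER-TO-MGMT
 permit tcp host 192.168.10.1 eq 22 192.168.10.0 0.0.0.255
 permit icmp host 192.168.10.1 192.168.10.0 0.0.0.255 echo-reply
!
class-map type inspect match-all ROUTER-TO-MGMT-CLASS
 match access-group name ROUTER-TO-MGMT
!
policy-map type inspect SELF-TO-INSIDE-POLICY
 class type inspect ROUTER-TO-MGMT-CLASS
  pass
 class class-default
  drop log
!
zone-pair security SELF-TO-INSIDE source self destination INSIDE
 service-policy type inspect SELF-TO-INSIDE-POLICY
!
! Dummy policy: GigabitEthernet0/2 (assumed) is not meant to be firewalled,
! but a non-member interface cannot exchange traffic with zone members at all,
! so it is placed in its own zone with a pass-all policy in both directions.
zone security MGMT
!
interface GigabitEthernet0/2
 zone-member security MGMT
!
policy-map type inspect PASS-ALL
 class class-default
  pass
!
zone-pair security MGMT-TO-INSIDE source MGMT destination INSIDE
 service-policy type inspect PASS-ALL
zone-pair security INSIDE-TO-MGMT source INSIDE destination MGMT
 service-policy type inspect PASS-ALL
```

    Two consequences of the deny-all default matter here. First, once a zone pair towards self has a class-default drop, anything the router must receive from that zone that is not matched by a class (routing-protocol packets from LAN neighbours, for instance) is dropped too, so each such protocol needs its own class before this is applied to a production router. Second, the dummy PASS-ALL pairs deliberately create no sessions, so nothing is inspected on that path; "pass" is the right tool for exempting traffic, not for protecting it.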


    12/17

    ZBPF (no transcript text for this slide)


    13/17

    ZBPF (no transcript text for this slide)


    14/17

    ZBPF (no transcript text for this slide)


    15/17

    ZBPF (no transcript text for this slide)


    16/17

    ZBPF (no transcript text for this slide)


    17/17

    ZBPF - TROUBLESHOOTING


    Use the show policy-map type inspect zone-pair session command to examine the active connections in the ZPF state table.
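    A verification sequence that works through the interface rules from slides 10 and 11 before reaching the state-table command named above. This is an added example, not from the original slides; the zone-pair name INSIDE-TO-OUTSIDE is an assumed name from this editor's own configuration, not one the slides define.

```cisco
! Zones and their member interfaces. Every interface that must exchange
! traffic with a zone member has to appear under some zone here; an
! interface missing from this output cannot talk to any zone member.
show zone security
!
! Zone pairs and the inspect policy attached to each. A direction with no
! zone pair listed is governed by the default deny-all policy.
show zone-pair security
!
! Per-class counters for one zone pair (assumed name). Packets counted
! under class-default with a drop action are the ones no class matched,
! which is the usual cause of "the firewall blocks my application".
show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE
!
! Active sessions in the ZPF state table: the flows that "inspect" opened
! and for which return traffic is currently being allowed.
show policy-map type inspect zone-pair sessions
!
! Class-map definitions, to confirm which protocols or ACLs a class matches.
show class-map type inspect
```

    Read the outputs in this order: membership first, then the existence of a pair in the failing direction, then the class counters, and only then the session table; a flow that never shows up as a session was dropped before inspection, and the counters say by which class.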