Monday, January 8, 2007

Router: Zone-based Firewalls part I

A new configuration enhancement has been introduced in IOS 12.4(6)T called Zone-based policy firewall. Rather than configuring multiple access-lists to filter traffic between multiple router interfaces, you follow the zone-based design and only have to specify the traffic permitted between zones. Zone-based policy firewall also adds more granularity to inspection policies compared to CBAC.

Here are some notes:

  1. The zone-based policy firewall can coexist with Cisco IOS Firewall stateful inspection. You can still use the ip inspect command on interfaces that are not members of security zones.
  2. Traffic can never flow between an interface assigned to a zone and an interface without a zone assignment.
  3. The default interzone policy is to drop all traffic unless specified otherwise in the zone-pair configuration command.
  4. The router never filters the traffic between interfaces in the same zone.
  5. If two interfaces are not in zones, traffic flows freely between them.
  6. The zone-member command does not protect the router itself (traffic to and from the router is not affected) unless you configure the zone pairs using the predefined self zone.

Examples are available on this slide.

Here's a simple example.


! Create the zones. For this example we only have two zones.
! Zone names are case-sensitive and must match exactly in zone-pair
! and zone-member commands.
!
zone security Inside
 description This is the Internal network
!
zone security Outside
 description This is the Internet zone
!
! Using a policy-map, we specify the action to take
! on the traffic matching the class-maps.
! For this example, we use the default class:
! class-default = match all
!
policy-map type inspect InsideToOutside
 class class-default
  inspect
!
! Apply the policy to traffic between a pair of zones
! (direction matters: this covers Inside -> Outside only)
!
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
!
! Assign the interfaces to their zones
!
interface FastEthernet0/0
 zone-member security Inside
!
interface Serial0/0/0.100 point-to-point
 zone-member security Outside


This is a simple two-zone configuration where a security policy is defined for outbound traffic (inside-to-outside). Inbound traffic will be dropped since there is no security policy defined for outside-to-inside traffic.
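To show how the six notes above play out on a real configuration, here is a small audit script (added here, not part of the original post or of IOS) that parses the zone, zone-pair and interface lines of a running-config and reports what the defaults will silently do: interfaces left outside any zone, zone-member lines naming a zone that was never defined (a lower-case "outside" against a zone called "Outside" is the classic slip), zone directions with no zone-pair and policy (dropped by default), and an unused self zone. The sample config is constructed from the post's example with the typo and an extra unzoned interface added on purpose.

```python
import re
from itertools import permutations

# Constructed sample: the post's two-zone config, keeping a lower-case
# "outside" slip and adding one interface that was never put in a zone.
SAMPLE_CONFIG = """\
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
interface FastEthernet0/0
 zone-member security Inside
interface Serial0/0/0.100 point-to-point
 zone-member security outside
interface FastEthernet0/1
"""

def parse_zbf(config):
    # Returns (defined zones, zone-pair -> [src, dst, policy], interface -> zone or None)
    zones, pairs, members, ctx = set(), {}, {}, ("", "")
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m.group(1))
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            ctx, pairs[m.group(1)] = ("pair", m.group(1)), [m.group(2), m.group(3), None]
        elif m := re.match(r"interface (\S+)", line):
            ctx, members[m.group(1)] = ("iface", m.group(1)), None
        elif (m := re.match(r"service-policy type inspect (\S+)", line)) and ctx[0] == "pair":
            pairs[ctx[1]][2] = m.group(1)
        elif (m := re.match(r"zone-member security (\S+)", line)) and ctx[0] == "iface":
            members[ctx[1]] = m.group(1)
    return zones, pairs, members

def audit(config):
    # Encodes notes 2, 3 and 6 from the post as checks over the parsed config.
    zones, pairs, members = parse_zbf(config)
    findings = []
    for iface, zone in members.items():
        if zone is None:
            findings.append(f"{iface}: not in any zone; cannot exchange traffic with zoned interfaces")
        elif zone not in zones:
            findings.append(f"{iface}: zone '{zone}' is not defined (zone names are case-sensitive)")
    covered = {(src, dst) for src, dst, policy in pairs.values() if policy}
    for src, dst in permutations(sorted(zones), 2):
        if (src, dst) not in covered:
            findings.append(f"{src} -> {dst}: no zone-pair with a service-policy; dropped by default")
    if not any("self" in (src, dst) for src, dst, _ in pairs.values()):
        findings.append("self zone unused: traffic to and from the router itself is not inspected")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to get the four findings for the sample; on the corrected two-zone config only the missing Outside -> Inside direction and the unused self zone remain, which is exactly the behaviour the paragraph above describes.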
