Tuesday, January 9, 2007

Router: Zone-based Firewalls part III

Now let's look at an example with three zones: Inside, Outside and DMZ. Servers in the DMZ zone need to be reachable from both the Inside and the Outside network. We will restrict Outside-to-DMZ traffic to HTTP destined for the single host 192.1.1.1.


! we define the zones
!
zone security Inside
zone security Outside
zone security DMZ
!
! we apply the zones to the interfaces
!
interface FastEthernet0/0
 ...
 zone-member security Inside
!
interface FastEthernet0/1
 ...
 zone-member security DMZ
!
interface Serial0/0.100 point-to-point
 description Link to the Internet
 ...
 zone-member security Outside
!
! Match any traffic going to the Webserver
!
access-list 199 permit ip any host 192.1.1.1
!
! match traffic to be inspected
! (match-any: a packet only has to match one of the listed protocols;
!  without the keyword the class-map defaults to match-all, and no packet
!  is http, icmp and tcp at the same time)
!
class-map type inspect match-any insp-traffic
 match protocol http
 match protocol icmp
 match protocol tcp
!
! match http traffic going to the webserver
!
class-map type inspect match-all http_traffic
 match access-group 199
 match protocol http
!
! match inspected traffic going to the webserver (nested class-map)
!
class-map type inspect match-all toDMZfromInside
 match access-group 199
 match class-map insp-traffic
!
class-map type inspect match-any DNS
 match protocol dns
!
policy-map type inspect out_traffic
 class type inspect insp-traffic
  inspect
!
policy-map type inspect toDMZfromInsideTraffic
 class type inspect toDMZfromInside
  inspect
!
policy-map type inspect webtraffic
 class type inspect http_traffic
  inspect
!
policy-map type inspect DNSTraffic
 class type inspect DNS
  inspect
!
! security policy for inside to outside traffic
!
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect out_traffic
!
! security policy for outside to dmz traffic
!
zone-pair security OutsideToDMZ source Outside destination DMZ
 service-policy type inspect webtraffic
!
! security policy for inside to dmz traffic
!
zone-pair security InsideToDMZ source Inside destination DMZ
 service-policy type inspect toDMZfromInsideTraffic
!
! security policy for dmz to outside traffic
!
zone-pair security DMZToOutside source DMZ destination Outside
 service-policy type inspect DNSTraffic
!


Notice that there is no zone-pair, and therefore no security policy, for traffic going from Outside to Inside or from DMZ to Inside. Traffic between two zones is dropped by default unless a zone-pair with a policy permits it, so this configuration drops any connection initiated toward the Inside network (return traffic for sessions that were inspected on the way out from Inside is still allowed by the inspect action).
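As an added example (not code from the post or from Cisco), here is a small Python audit that reads a config in the IOS syntax shown above and reports which ordered zone pairs have no zone-pair/service-policy, i.e. fall to the default drop, and which match-all class-maps list several protocols and so can never match. The sample config is a constructed, condensed copy of the one above; it assumes Python 3.8 or later.

```python
import itertools
import re

# Constructed sample condensed from the post's config; insp-traffic is typed without match-any on purpose
SAMPLE_CONFIG = """\
zone security Inside
zone security Outside
zone security DMZ
class-map type inspect insp-traffic
 match protocol http
 match protocol icmp
 match protocol tcp
class-map type inspect match-any DNS
 match protocol dns
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect out_traffic
zone-pair security OutsideToDMZ source Outside destination DMZ
 service-policy type inspect webtraffic
zone-pair security InsideToDMZ source Inside destination DMZ
 service-policy type inspect toDMZfromInsideTraffic
zone-pair security DMZToOutside source DMZ destination Outside
 service-policy type inspect DNSTraffic
"""

ZONE_RE = re.compile(r"^zone security (\S+)$")
PAIR_RE = re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)$")
POLICY_RE = re.compile(r"^\s*service-policy type inspect (\S+)$")
CMAP_RE = re.compile(r"^class-map type inspect(?: (match-any|match-all))? (\S+)$")
PROTO_RE = re.compile(r"^\s*match protocol (\S+)$")

def audit(config):
    """Return (ordered zone pairs with no policy, match-all class-maps listing several protocols)."""
    zones, pairs, cmaps, current = [], {}, {}, None  # current = (kind, key) of the open block
    for line in config.splitlines():
        if m := ZONE_RE.match(line):
            zones.append(m.group(1))
        elif m := PAIR_RE.match(line):
            current = ("pair", (m.group(1), m.group(2)))
            pairs[current[1]] = None
        elif m := CMAP_RE.match(line):
            current = ("cmap", m.group(2))
            cmaps[current[1]] = (m.group(1) or "match-all", [])  # no keyword: IOS default is match-all
        elif (m := POLICY_RE.match(line)) and current and current[0] == "pair":
            pairs[current[1]] = m.group(1)
        elif (m := PROTO_RE.match(line)) and current and current[0] == "cmap":
            cmaps[current[1]][1].append(m.group(1))
    # No zone-pair/service-policy for an ordered pair of zones means the default drop applies
    dropped = [(s, d) for s, d in itertools.permutations(zones, 2) if pairs.get((s, d)) is None]
    # match-all with several 'match protocol' lines needs one packet to be all of them (http AND icmp)
    suspect = [n for n, (kind, protos) in cmaps.items() if kind == "match-all" and len(protos) > 1]
    return dropped, suspect
```

Run against the sample, `audit` reports Outside to Inside and DMZ to Inside as default-dropped pairs and flags insp-traffic for review.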

Zone-based Firewall is modular, which makes the configuration much easier to read. You can add more zones, or add more interfaces to an existing zone, without cluttering the configuration, and that makes troubleshooting easier. It removes the firewall's dependency on interface access-lists and lets you configure one policy for any given traffic flow.

For more info, check out the Cisco documentation (of course!), the discussion slides on zone-based firewall, and the excellent ebook Deploying Zone-Based Firewalls (Digital Short Cut) by Ivan Pepelnjak.