Tuesday, August 28, 2012

Cisco IOS Zone-Based Firewall

  • In the classic IOS firewall, an inspection policy applied to an interface covers all traffic on that interface,
    • so we cannot apply different policies to different groups of users.
  • Zone-based firewall (ZFW), available in IOS release 12.4(6)T or later.
  • This concept (ZFW) is similar to the one used by appliance firewalls.
    • Router interfaces are placed into security zones.
    • Traffic between zones is blocked by default.
    • Traffic is also blocked between interfaces that have been assigned to a security zone and those that have not.
    • We must explicitly apply a policy to allow traffic between zones.
    • Zone policies are configured using the Class-based Policy Language (CPL),
      • which is similar to the Modular QoS Command Line Interface (MQC)
      • in its use of class maps and policy maps.
        • Class maps let you configure highly granular policies if needed.
      • A new class map & policy map type, the inspect type, is introduced for zone-based firewalls.


Cisco IOS Firewall Configuration Steps

CBAC configuration steps:

  • Choose an interface (inside or outside).
  • Configure an ip access list that denies all traffic to be inspected.
  • Configure global timeouts & thresholds using the ip inspect commands.
  • Define an inspection rule & an optional rule-specific timeout value using the ip inspect name protocol commands.
  • Apply the inspection rule to an interface.
  • Apply the access list to the same interface as the inspection rule, but in the opposite direction (inbound or outbound).
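The same inside-to-outside policy written both ways, as an added example that is not from the original post: first the classic CBAC steps listed above, then the equivalent zone-based configuration using a CPL class map, policy map and zone pair. Interface names, zone and map names, and timer values are assumed; the two halves are alternatives and would not both be applied to the same interface.

```cisco
! ===== 1. Classic CBAC, following the steps listed above =====
! Global timeouts and thresholds (values assumed for illustration)
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! Named inspection rule; FTP gets its own rule-specific timeout
ip inspect name OUT-INSPECT tcp
ip inspect name OUT-INSPECT udp
ip inspect name OUT-INSPECT ftp timeout 300
! Access list that denies the traffic CBAC will open temporary holes for
ip access-list extended OUTSIDE-IN
 deny ip any any
! Inspection outbound and ACL inbound on the SAME outside interface
interface GigabitEthernet0/1
 description OUTSIDE (interface name assumed)
 ip inspect OUT-INSPECT out
 ip access-group OUTSIDE-IN in
!
! ===== 2. Zone-based firewall: the same policy in CPL =====
zone security INSIDE
zone security OUTSIDE
! Class map of type inspect selects which traffic is inspected
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
! Policy map of type inspect: inspect the class, drop (and log) the rest
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log
! A zone pair is unidirectional: INSIDE -> OUTSIDE only. Return traffic is
! permitted by the inspect state; unsolicited OUTSIDE -> INSIDE traffic
! stays blocked because no zone pair exists for that direction.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
! Place the interfaces into their zones (interface names assumed)
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
! Verify: show zone-pair security
!         show policy-map type inspect zone-pair sessions
```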



Cisco IOS Firewall Caveats (limitations)

  • As powerful as CBAC is for dynamic inspection and filtering,
    • it also has some limitations.
  • CBAC comes after the access-list filters applied to an interface.
    • If an access list blocks a particular type of traffic on an interface
    • where you are using CBAC to inspect inbound traffic,
    • that traffic will be denied before CBAC sees it.
  • CBAC cannot protect against attacks that originate inside your network.
  • CBAC works only on protocols that you specified,
    • leaving all other traffic to access lists & other filtering methods.
  • To inspect traffic other than TCP & UDP transported traffic,
    • you must configure a named inspection rule.
  • CBAC does not inspect traffic destined to or originated from the firewall router itself,
    • only traffic that traverses the firewall router.
  • CBAC has restrictions on handling encrypted traffic.

Cisco IOS Firewall protocol Support


  • An IOS firewall can inspect a long list of protocols when CBAC is used.
  • Common protocols that CBAC can inspect are:
    • Any generic TCP session, regardless of application layer protocol
    • All UDP "sessions"
    • FTP
    • SMTP
    • TFTP
    • H.323 (NetMeeting, ProShare, and so on)
    • Java
    • CU-SeeMe
    • UNIX R commands (rlogin, rexec, rsh, and so on)
    • RealAudio
    • Sun RPC
    • SQL*Net
    • StreamWorks
    • VDOLive