Zone Based Firewall

Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Zone-Based Policy Firewall
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html

To configure the Zone Based FW, the approach is somewhat similar to the MQC method in the QoS configuration.

STEP 1> Start by creating a class map of INSPECT TYPE, and match HTTP, and DROP everything else:
(config)#class-map type inspect match-any OUTSIDE
(config-cmap)#match protocol http
(config-pmap)#class type inspect OUTSIDE 
(config-pmap-c)#drop

STEP 2> Create a inspect type POLICY-MAP that matches the defined CLASS-MAP, and INSPECTS:
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class OUTSIDE
(config-pmap-c)#inspect ?
  WORD  Parameter-map (inspect) name <PARAMETER MAP CAN BE DEFINED to tune the inspection
  <cr>
(config-pmap-c)#inspect

STEP 3> Define the SECURITY ZONES for the interfaces you need, and assign them to the interfaces:
(config)#zone security DMZ
(config-if)#zone-member security DMZ

(config)#zone security OUTSIDE
(config-if)#zone-member security OUTSIDE

STEP 4> Set the POLICIES between each ZONE PAIR:
(config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ
(config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY

#show policy-map type inspect zone-pair session
policy exists on zp OUT-to-DMZ
 Zone-pair: OUT-to-DMZ
  Service-policy inspect : OUTSIDE_POLICY
    Class-map: INSIDE (match-any)
      Match: protocol tcp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
   Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

PARAMETER MAP can be created to tune to drop logs, handle alarms, max&min session numbers and much more, for example:
(config)# parameter-map type inspect eng-network-profile
(config-profile)# tcp synwait-time 3 <-HOW LONG TO WAIT FOR SYN FOR THE TCP SESSION

No comments:

Post a Comment

Most Popular Posts