10th Practical Class – Firewalls: Zone Based Policy Firewall (ZBPF) on Cisco routers
Academic year 09/10
Milton Aguiar

Zone-based Policy Firewall

In 2006, Cisco Systems introduced the zone-based policy firewall configuration model with Cisco IOS Release 12.4(6)T.
With this model, interfaces are assigned to zones, and an inspection policy is then applied to traffic moving between the zones.
A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface. It also blocks traffic by default through a deny-all policy between firewall zones.
ZBPF

The primary motivations for network security professionals to migrate to the ZPF model are structure and ease of use.
Zones establish the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses into another region of the network.
The default policy between zones is deny all: if no policy is explicitly configured, all traffic moving between zones is blocked.
ZBPF

Designing zone-based firewalls involves a few steps:

Step 1. Determine the zones: the infrastructure under consideration must be split into separate zones with different security levels. For example, the public network to which the internal network is connected is one zone.

Step 2. Establish policies between zones: for each pair of "source-destination" zones (for example, from the inside network to the Internet), define the sessions that clients in the source zone may request from servers in the destination zone.
Step 3. Design the physical infrastructure: this includes deciding the number of devices between the most-secure and least-secure zones and determining which devices are redundant.

Step 4. Identify subsets within zones and merge traffic requirements: for each device, the administrator must identify the zone subsets connected to its interfaces and merge the traffic requirements for those zones.
ZBPF

A zone-based policy firewall can take three possible actions when configured:

Inspect - stateful packet inspection; it automatically allows return traffic and the ICMP messages the session may generate.
Drop - analogous to a deny statement in an ACL.
Pass - analogous to a permit statement in an ACL; the traffic is allowed statelessly, so no return traffic is allowed by it.
ZBPF

Several rules govern interface behavior and the traffic moving between zone member interfaces:

A zone must be configured before an administrator can assign interfaces to it.
If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
An administrator can assign an interface to only one security zone.
Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
Traffic cannot flow between a zone member interface and any interface that is not a zone member.
Interfaces that have not been assigned to a zone can still use a CBAC stateful packet inspection configuration.
If an administrator does not want an interface on the router to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (also known as a dummy policy) between that zone and any other zone to which traffic flow is desired.
All the IP interfaces on the router are automatically made part of the self zone when ZPF is configured. The self zone is the only exception to the default deny-all policy: all traffic to any router interface is allowed until it is explicitly denied.
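The configuration below is an added example (not the lecture's own material) that walks the design steps above through to a working Cisco IOS configuration: two zones, interface membership, a class-map per traffic set, a policy-map that uses all three actions (inspect, pass, drop), the zone-pairs, and a policy on the self zone. Zone, class-map, policy-map and zone-pair names, interface names and IP addresses are all assumed for illustration; the ESP pass-through assumes an IPsec endpoint sitting behind the router rather than on it.

```cisco
! ---- Step 1: zones (names are assumed for this example) ----
zone security INSIDE
 description Internal LAN
zone security OUTSIDE
 description Internet-facing link

! ---- Step 4: interface membership (interfaces and addresses are assumed) ----
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE

! ---- Step 2: sessions INSIDE clients may open toward OUTSIDE ----
class-map type inspect match-any CM-IN-OUT-APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

! ESP carries no session state the firewall can track, so it gets "pass".
! pass is stateless: a mirrored pass is required on the OUTSIDE->INSIDE pair.
ip access-list extended ACL-ESP
 permit esp any any
class-map type inspect match-all CM-ESP
 match access-group name ACL-ESP

! inspect = stateful, return traffic allowed automatically
! pass    = stateless permit, nothing is allowed back by it
! drop    = deny ("log" records dropped sessions in syslog)
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT-APPS
  inspect
 class type inspect CM-ESP
  pass
 class class-default
  drop log

policy-map type inspect PM-OUT-IN
 class type inspect CM-ESP
  pass
 class class-default
  drop log

! Without the OUT-IN pair, OUTSIDE->INSIDE is simply deny-all; it exists
! here only to carry the mirrored pass for ESP.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN

! ---- Self zone: restrict management of the router itself ----
! With no pair to "self", the self zone allows everything (the one
! exception to the default deny). Once a pair to "self" has a policy,
! only what it matches gets through, so any routing protocol, NTP or
! similar traffic the router needs must also be classified here.
ip access-list extended ACL-MGMT-HOSTS
 permit ip 192.168.10.0 0.0.0.255 any
class-map type inspect match-all CM-IN-SELF-SSH
 match access-group name ACL-MGMT-HOSTS
 match protocol ssh
class-map type inspect match-any CM-IN-SELF-ICMP
 match protocol icmp

policy-map type inspect PM-IN-SELF
 class type inspect CM-IN-SELF-SSH
  inspect
 class type inspect CM-IN-SELF-ICMP
  inspect
 class class-default
  drop log

policy-map type inspect PM-DROP-ALL
 class class-default
  drop log

zone-pair security IN-SELF source INSIDE destination self
 service-policy type inspect PM-IN-SELF
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-DROP-ALL
```

Two points to check before deploying something like this. First, the moment OUT-SELF exists, replies to sessions the router itself opens toward OUTSIDE (NTP, DNS, IKE) are subject to PM-DROP-ALL, so those router-originated sessions need their own self-to-OUTSIDE zone-pair with an inspect policy; verify with `show policy-map type inspect zone-pair sessions` that the sessions you expect are being tracked. Second, confirm membership and pairing with `show zone security` and `show zone-pair security` so that no interface carrying traffic is left outside a zone, which the rules above would silently turn into a black hole.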
ZBPF - TROUBLESHOOTING

Use the show policy-map type inspect zone-pair sessions command to examine the active connections in the ZPF state table.