
10th Practical Class – Firewalls: Zone Based Policy Firewall (ZBPF) on Cisco routers

Academic year 09/10


Milton Aguiar
Zone-based Policy Firewall
- In 2006, Cisco Systems introduced the zone-based policy firewall configuration model with Cisco IOS Release 12.4(6)T.
- With this new model, interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones.
- A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface.
- It also has the ability to prohibit traffic via a default deny-all policy between firewall zones.
Milton Aguiar 2009/2010 2
ZBPF
- The primary motivations for network security professionals to migrate to the ZPF model are structure and ease of use.
- Zones establish the security borders of a network.
- The zone itself defines a boundary where traffic is subjected to policy restrictions as it crosses over into another region of a network.
- The default policy between zones is deny all. If no policy is explicitly configured, all traffic moving between zones is blocked.



ZBPF
- Designing zone-based firewalls involves a few steps:
  - Step 1. Determine the zones: The infrastructure under consideration must be split into separate zones with various security levels. For example, the public network to which the internal network is connected is one zone.
  - Step 2. Establish policies between zones: For each pair of "source-destination" zones (for example, from inside network to Internet), define the sessions that clients in the source zones can request from servers in destination zones.



ZBPF
- Designing zone-based firewalls involves a few steps (cont.):
  - Step 3. Design the physical infrastructure: This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.
  - Step 4. Identify subsets within zones and merge traffic requirements: The administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones.



ZBPF
- Zone-based policy firewall can take three possible actions when configured:
  - Inspect - It automatically allows for return traffic and potential ICMP messages;
  - Drop - Analogous to a deny statement in an ACL;
  - Pass - Analogous to a permit statement in an ACL.



ZBPF
- Several rules govern interface behavior and the traffic moving between zone member interfaces:
  - A zone must be configured before an administrator can assign interfaces to the zone.
  - If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
  - An administrator can assign an interface to only one security zone.
  - Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
  - To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
  - Traffic cannot flow between a zone member interface and any interface that is not a zone member.
ZBPF
- Several rules govern interface behavior and the traffic moving between zone member interfaces (cont.):
  - Interfaces that have not been assigned to a zone can still use a CBAC stateful packet inspection configuration.
  - If an administrator does not want an interface on the router to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (also known as a dummy policy) between that zone and any other zone to which traffic flow is desired.
  - All the IP interfaces on the router are automatically made part of the self zone when ZPF is configured. The self zone is the only exception to the default deny-all policy. All traffic to any router interface is allowed until traffic is explicitly denied.
ZBPF - TROUBLESHOOTING
- Use the show policy-map type inspect zone-pair sessions command to examine the active connections in the ZPF state table.
