Cisco’s original implementation of a router-based stateful firewall is called Context Based Access Control (CBAC) or, sometimes, the Classic IOS Firewall. The basic configuration element of CBAC is the ip inspect command, which instructs IOS software to watch connection initiation requests for a particular (L4 or L7) protocol that arrive on a given router interface. The key point here is that CBAC inspection policies control traffic flows between pairs of interfaces and, as such, when a router has multiple interfaces that need firewall functionality, configuration complexity will automatically increase.
While dedicated firewalls (such as ASA appliances) are inherently closed from a security standpoint, a router is regarded as a connectivity provider and therefore normally imposes no restrictions by means of any implicit packet filter. Although CBAC is employed to transform the router into a true stateful firewall, it always does so on a per-interface basis. There is no method for globally ‘closing the router at once’, and this ultimately makes some security-centric administrators treat this type of implementation with suspicion.
These challenges of scalability and ease of configuration motivated Cisco to develop a new approach for router-based firewalling known as the Zone-based Policy Firewall (ZFW). ZFW introduces the concept of security zones, which allow simpler definition of the degree of trustworthiness of a given interface, making administrators’ lives a lot easier when deploying firewall policies. The basic aspects associated with ZFW operations are listed below:
- Router interfaces are placed in security zones, and stateful inspection is applied to packets crossing the firewall between two given zones. There are no interface-level policy definitions anymore, and this contributes significantly to scalability.
- One interface residing on a given security zone is not allowed to pass packets to interfaces that are members of different zones, unless an inter-zone policy is explicitly defined.
- No traffic is allowed to flow between zone and non-zone interfaces.
- Traffic between zones is blocked by default, which gives a straightforward means of ‘closing the router’: assign interfaces to security zones without creating a policy that permits inter-zone traffic.
- An inter-zone policy requires the definition of the source and destination zones that it interconnects.
- ZFW policies are unidirectional in nature: the policy inspects connections initiated from the source zone, and the router uses the resulting session state to allow the corresponding return traffic from the destination zone.
- An interface cannot be a member of more than one security zone.
- A security zone may include multiple router interfaces that share a certain trust level (interfaces deemed internal or external, for instance). Given that ZFW policies interconnect zones (rather than interfaces), rule creation becomes more logical, and questions such as “What are the rules to cross the zone firewall from the outside to the inside?” map directly onto a single zone-pair policy.
- ZFW employs the Class-Based Policy Language (CPL) to build structured and hierarchical policies. The blocks used for policy construction are discussed on another post.
Interface ACLs are not suitable for use within a ZFW environment. To add IP address filtering to the inspection policies, ACLs need to be referenced inside class-maps, rather than applied to router interfaces in the form of ip access-group commands. This paradigm shift from CBAC is so critical for ZFW operation that it will be given a dedicated post.
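As an added example (not configuration from the original post or from Cisco documentation), the following IOS 15.x snippet ties the points above together: two security zones, one interface in each, a CPL inspection policy whose address filtering lives in a class-map rather than in an interface access-group, and a single unidirectional zone-pair. The zone, class-map, policy-map and interface names, and the 10.0.0.0/24 and 192.0.2.0/30 addressing, are assumptions made for the example.

```ios
! Security zones (names are assumptions for this example)
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted WAN

! Interface membership: an interface belongs to at most one zone
interface GigabitEthernet0/0
 description LAN (assumed addressing)
 ip address 10.0.0.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN (assumed addressing)
 ip address 192.0.2.2 255.255.255.252
 zone-member security OUTSIDE

! Address filtering: an ACL referenced from a class-map,
! NOT an "ip access-group" applied to the interface
ip access-list extended LAN-CLIENTS
 permit ip 10.0.0.0 0.0.0.255 any

! type inspect class-maps (the ZFW counterparts of MQC class-maps):
! match-any groups the allowed L7 protocols; the match-all class
! requires BOTH a permitted source address and a permitted protocol
class-map type inspect match-any WEB-AND-DNS
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-all LAN-WEB-AND-DNS
 match access-group name LAN-CLIENTS
 match class-map WEB-AND-DNS

! type inspect policy-map: "inspect" creates stateful sessions;
! everything else falls into class-default and is dropped and logged
policy-map type inspect IN-TO-OUT
 class type inspect LAN-WEB-AND-DNS
  inspect
 class class-default
  drop log

! Unidirectional zone-pair: connection initiators sit in INSIDE,
! responders in OUTSIDE. Return traffic is admitted by session state.
! No OUTSIDE->INSIDE zone-pair exists, so nothing initiated from the
! WAN reaches the LAN: the router is "closed" in that direction.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
```

Until the zone-pair and its service-policy are configured, the two zones cannot exchange any traffic, which is the ‘closing the router’ behaviour described above; the zone-pair then opens exactly one direction for exactly the classified traffic. Useful checks after applying this are `show zone-pair security` (confirms the pair and the attached policy) and `show policy-map type inspect zone-pair sessions` (lists the stateful sessions the `inspect` action has created). One caveat worth keeping in mind: packets sourced by or destined to the router’s own addresses belong to the built-in `self` zone, which is permitted by default and is not constrained by the INSIDE/OUTSIDE pair shown here.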
** Study Topics
- Understand the difference between regular class-maps and policy-maps (employed by MQC) and their type inspect counterparts.
- The notion of connection initiator is critical for correct implementation of a zone-based firewall policy. Before you start configuring the firewall rules it is very important to have a clear knowledge of the zones in which the clients and servers reside (for each protected application in your topology).
- Remember that interface access-lists are not welcome in a ZFW scenario.
- All posts about the Cisco Zone-based Policy Firewall assume the usage of an IOS release belonging to a 15.X train. If you need information about pre-15 releases, please visit Cisco online documentation or the Cisco Firewalls title (which covers not only ZFW on 15.X and 12.X but also CBAC).
** Related Posts:
- Zone Firewall Series: http://alexandremspmoraes.wordpress.com/tag/zone-firewall/
- ACL Series: http://alexandremspmoraes.wordpress.com/tag/identity/