In previous posts we studied many aspects of the Cisco Zone-based Policy Firewall (ZFW) operation:
- How the ZFW compares with Context Based Access Control (CBAC)
- Building blocks of a Zone-based firewall policy
- The default deny behavior of the ZFW
- How to build a simple L4 policy with the Zone firewall
- How to log connections and dropped packets in a ZFW environment
- Integration of the Zone firewall with Access Control Lists (ACLs)
- How to integrate the ZFW with Network Address Translation (NAT) and ACLs
The next step in our series about the Zone-based Firewall is to illustrate a basic configuration for ZFW operating in transparent mode. If you are not acquainted with the basic concepts pertaining to transparent firewalling, please check the post: “Quick Review of Firewall Connectivity options: Routed Mode and Transparent Mode” [ https://alexandremspmoraes.wordpress.com/2012/01/19/quick-review-of-firewall-connectivity-options-routed-mode-and-transparent-mode/ ].
It is easy to observe in the reference topology that the building blocks for the zone-based firewall policy are identical to those already studied. The significant change has to do with connectivity and not with rule construction. The figure also registers an audit-trail message and the command used to verify established sessions.
Reference topology for the Cisco Zone-based Policy Firewall in transparent mode
The audit-trail message and the show policy-firewall session command clearly show that the connection initiator (10.5.5.1) and the responder (10.5.5.2) are on the same IP subnet.
As discussed before, we could add L3/L4 restrictions to the basic inspection policy.
The ZFW interfaces shown in the figure (F0 and F1) are assigned to bridge-group 1.
The IP address of the ZFW needs to be configured on a Bridged Virtual Interface (BVI), specifically interface BVI 1, whose number matches the bridge-group number. It is important to emphasize, however, that this IP address is not used as a gateway address when hosts on interfaces F0 and F1 need to communicate: they remain on the same subnet and reach each other through the bridge.
To interconnect this BVI with the other IP-enabled interfaces, you need to enable Integrated Routing and Bridging (IRB) on your Cisco IOS router. This is accomplished with the bridge irb and bridge 1 route ip configuration commands.
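The following IOS configuration is an added example (not taken from the original post) that assembles the pieces described above: both interfaces in bridge-group 1, the firewall's own address on BVI 1, IRB enabled, and the same basic L4 inspection policy used in routed mode. The zone names, the BVI address 10.5.5.254, the class-map/policy-map names and the assumption that 10.5.5.1 sits behind F0 are all constructed for illustration.

```cisco
! --- Transparent bridging with IRB (added example, names/addresses assumed) ---
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
zone security INSIDE
zone security OUTSIDE
!
! Both ZFW interfaces are members of bridge-group 1 and carry no IP address.
interface FastEthernet0
 no ip address
 bridge-group 1
 zone-member security INSIDE
!
interface FastEthernet1
 no ip address
 bridge-group 1
 zone-member security OUTSIDE
!
! Firewall management address on the BVI; hosts do NOT use it as a gateway.
interface BVI1
 ip address 10.5.5.254 255.255.255.0
!
! --- ZFW policy: identical building blocks to the routed-mode examples ---
parameter-map type inspect AUDIT
 audit-trail on
!
class-map type inspect match-any L4-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect IN-TO-OUT
 class type inspect L4-TRAFFIC
  inspect AUDIT
 class class-default
  drop log
!
! Sessions from 10.5.5.1 (INSIDE) toward 10.5.5.2 (OUTSIDE) are inspected;
! anything else initiated from OUTSIDE is denied by the default behavior.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
!
! Verification: show policy-firewall session
```

The resulting session table should list the initiator and responder on the same 10.5.5.0/24 subnet, exactly as the audit-trail message in the figure does.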
** Related Posts:
Before a firewall can start enforcing access control policies between domains of trust, it needs to be inserted into the network topology. The two basic firewall connectivity options, Routed Mode and Transparent Mode, are briefly examined below:
- Routed Mode: in such an arrangement, the firewall works as a Layer 3 element (much like a router) from the perspective of hosts connecting to it. Each of its interfaces is assigned to a different logical subnet and the packets are conditionally routed between them. In the reference scenario, the inside interface has the IP address 192.168.2.2, whereas the outside uses the address 172.20.20.2. Considering that the hosts are interconnected by the firewall, machines on the inside need to configure the address 192.168.2.2 as their L3 gateway in order to reach outside destinations.
- Transparent Mode: the firewall acts as a conditional (transparent) bridge, forwarding frames between interfaces using Layer 2 information. In this case, the two interfaces represented in the figure are connected to the same L3 subnet, and the inside hosts use the external router (192.168.1.1) as their gateway to reach outside destinations. The great motivation for this connectivity model is that the firewall can be inserted in the network without impacting the existing IP addressing scheme (which may be quite convenient in various situations).
Contrasting firewall connectivity options: routed-mode and transparent-mode
A technical term may not sound so intuitive the first time you hear it. For example, during a presentation, a customer once told me that he did not understand why “his transparent firewall was blocking everything”. “After all, it was supposed to be transparent…”
I just registered this situation to emphasize one key point: the term “transparent” relates to “transparent bridging” (the basic bridging technology for Ethernet interfaces). It is used with connectivity in mind and does not imply less security.
Actually, as we will see in other posts, the construction of firewall policies is basically the same for transparent and routed modes.
- Transparent mode is often called bridge mode. (Why?)
- A transparent firewall is sometimes referred to as a stealth firewall (because it is not used as an L3 gateway).
- A transparent firewall is very useful for adding filtering capabilities between elements that require L3 adjacency. This is the case for two neighbor routers running an Interior Gateway Protocol (IGP) such as OSPF or EIGRP.
- Another common use of a transparent firewall is in a multicast routing scenario. The firewall just bridges the multicast packets and does not participate in multicast routing.
** Topics for Study:
- Do a quick review of transparent bridging technology
- What is a Bridged Virtual Interface (BVI)?