I have a few Cisco routers with Zone Based Firewall configured. Mostly I have followed Cisco documentation and some web examples. Some ZBF rules are not very clear to me:
Router has 3 zones (Private, Internet and self)
1. Preventing IP Spoofing.
If I do not allow any traffic from Internet zone to Private (Self zone allows only SSH connection from internet), do I have to configure IP Spoofing prevention on route direction from Internet --> Private or Internet -> self zone?
2. Network traffic from Self zone To private and vice-versa. Is it wise to allow all traffic to and from self zone to private zone?
3. What does ZBF check if
"parameter-map type inspect krneki"
Thank you and kind regards, Marko
1) No, there is no need to configure ip spoofing protection if all trafic is denied between the zones, however if any kind of traffic is permitted then the protection is recommended. In your case ip spoofing protection is not required between Internet and Private zones, but is required between Self and Internet zone since SSH is allowed.
2) The type of traffic allowed depends on the security policy or the role for which the zone has been setup. If all traffic is rquired to be permitted then it is better to have only a single zone instead of two seperate zones.
3) Parameter-map type inspect is used to configure an inspect type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action. The option "alert on" turns on Cisco IOS stateful packet inspection alert messages; and the option "audit-trail on" turns audit trail messages on.