Zone-Based Firewall (ZBF) is a newer approach to configuring access control in the IOS firewall. Before this technology, traffic filtering was accomplished using access lists and inspection (CBAC). Both access lists and inspection rules apply directly to the physical interfaces, which is not a very effective solution.
The new core concept of ZBF is the zone, which groups interfaces that share the same security attributes and the same level of trust. For example, you may define security zones that reflect the security-level partitioning of your enterprise.
Please refer to the following figure:
Zone-Based Firewall achieves the following:
Identify "similar" interfaces and group them into zones.
Identify targets: a target is a virtual context specifying traffic flowing from one zone to another.
A target manifests itself as a zone-pair, consisting of a source zone and a destination zone; the sense of direction is contained in the target.
A unidirectional policy is applied between zones.
The default inter-zone policy is DENY ALL.
Multiple traffic classes and actions can be applied per zone-pair
Zone-pair-specific TCP parameters can be configured
ZBF also helps us achieve the following:
It offers an easy-to-understand configuration model.
Firewall policies are configured on traffic moving between zones
Simplifies firewall policy troubleshooting by applying explicit policy on inter-zone traffic
Firewall policy configuration is very flexible
Varying policies can be applied to different host groups, based on ACL configuration
Legacy inspection configuration
Zone-Based Policy Firewall Configuration
Configuring a ZBF step by step:
1. Identify and define network zones
2. Assign interfaces to zones
3. Determine both directions’ traffic between zones
4. Set up zone pairs for any policy other than deny all
5. Define class-maps to describe traffic between zones
6. Associate class-maps with policy-maps to define actions applied to specific policies
7. Assign policy-maps to zone-pairs
Simple Firewall Policy configuration
Configure a router with two zones
Allow simple TCP connections (and their return traffic) from a workstation in zone 1 to a server in zone 2.
Identify and Configure Zones
Identify and define zones
Configure a zone for any group of hosts that you must isolate from other hosts.
Zones need not follow subnet boundaries, particularly for transparent firewall.
Assign interfaces to zones
Assign Interfaces to Zones
As soon as an interface is assigned to a zone, traffic will only flow to interfaces in the same zone until a zone-pair policy explicitly permits otherwise.
Identify zone pairs where traffic will be allowed between zones.
Remember, the default inter-zone policy is deny all. If you don’t want traffic in a particular direction on a zone-pair, traffic is implicitly denied. You don’t need to configure anything.
Class-Maps define the traffic to which you will apply a policy other than implicit deny
Policy-Maps assign a policy to the traffic defined in a class-map
You only need to define inspect for Zone A to Zone B; inspection is stateful and handles the return traffic (the reflexive policy) for you.
Apply Policy-Map to Zone-Pair
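The two-zone scenario above, carried through steps 1 to 7 as an added example configuration (this is not the post's own config; the zone names IN and OUT, the interface names, the addresses 10.1.1.0/24 and 10.2.2.0/24, the host addresses, and the choice of TCP ports 22 and 443 are all assumed for illustration):

```cisco
! Step 1: define the two zones (names assumed for this example)
zone security IN
 description Zone 1 - workstations
zone security OUT
 description Zone 2 - servers
!
! Step 2: assign interfaces to zones (interface names and addresses assumed)
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 zone-member security IN
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 zone-member security OUT
!
! Step 5: class-map describing only the TCP traffic we want to permit.
! match-all requires both the ACL and the protocol match to hit, so the
! policy is scoped to one workstation, one server, and two TCP ports.
ip access-list extended WS-TO-SRV
 permit tcp host 10.1.1.10 host 10.2.2.20 eq 22
 permit tcp host 10.1.1.10 host 10.2.2.20 eq 443
class-map type inspect match-all CM-WS-TO-SRV
 match access-group name WS-TO-SRV
 match protocol tcp
!
! Step 6: policy-map. "inspect" builds a stateful session entry, which is
! what lets the server's return traffic back in without an OUT->IN policy.
! class-default drops (and logs) everything the class-map did not match.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-WS-TO-SRV
  inspect
 class class-default
  drop log
!
! Steps 4 and 7: one zone-pair in the IN -> OUT direction only.
! No OUT -> IN zone-pair is created, so that direction stays implicit deny.
zone-pair security IN-TO-OUT source IN destination OUT
 service-policy type inspect PM-IN-TO-OUT
!
! Verification: active inspected sessions and the zone-pair/policy binding
! show policy-map type inspect zone-pair IN-TO-OUT sessions
! show zone-pair security
```

Note that this configuration does not restrict traffic to or from the router itself (the self zone); that requires a separate zone-pair involving self.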
That is it for this blog. I am thinking of coming up with some scenarios or some more details on the different types of class-maps and policy-maps allowed within ZBF. Please let me know what you want to hear more on.