To make students acquainted with Zone-Based Firewall technology periodically used in cases when using of special hardware firewalls is impossible or not economically reasonable, but a set of their functions is needed. In abbreviated form Zone-Based Firewall technology is called ZFW or ZBFW.
This lab emulates an enterprise network (R2 router and the devices placed left from it), which has a connection to the global network (R3 router). Server host is included into DMZ-segment.
The network is built with the help of GNS3 emulator. Cisco 7200 model with the version of the operating system (IOS) recommended by the tutor is used as a router.
The lab does not contain detailed manuals on setting of additional functions providing operating of the enterprise network and its interaction with a provider. It’s assumed that students should be familiar with the functionality in question from other labs or practical classes at the university. During performing the lab a student can use literature or any other information sources about using technologies or protocols.
The first, second and fourth ports of SW1 switch are placed in different virtual networks. Port 3 of this switch is set up in trunk mode. For emulating the global network use Loopback 0 interface of R3 router with 126.96.36.199/32 ip address. Settings of Zone-Based Firewall in this lab are performed on R2 router.
- Think over an address plan used in the company.
- Perform all connections shown at the scheme and turn on the equipment.
- Assign IP addresses to all devices of the company and provider.
- Configure static routing on all routers so that all devices are available to each other.
- Make sure of L3 connectivity between all devices of the company and provider.
- On R2 router create IN, OUT and DMZ zones. Creating a zone is performed with the help of zone security name command, where name is a name of a creating zone. In zone configuration mode with the help of description command create the description of a creating zone. Within IN Zone ordinary PC of the company employees will be located. The resources of the global network belong to OUT zone. Servers of the company to which it’s needed to perform access from the global network should be included to DMZ zone.
- View created zones with the help of sho zone security command.
- Create all necessary zone pairs with the help of zone-pair security name source szone destination dzone command, where name is a name of zone pair, szone and dzone are zone-source and zone-destination of traffic correspondingly. It’s required to create pairs for only “direct” traffic, back packets will be enabled automatically. In this step, it’s needed to enable data transmitting from the internal network of the company to the Internet and DMZ segment. Also it’s necessary to provide access of users from the global network to the resources of the DMZ-network.
- In zone-pair configuration mode with the help of description command add the description to a zone-pair.
- View created zone-pairs with the help of sho zone-pair security command.
- Now it’s needed to create traffic classes with the help of which the traffic will be chosen for transmitting, blocking or inspecting. Traffic can be selected with the help of access list (ACL) or specifying a certain protocol. In this lab it’s needed to allow transmitting of ICMP-traffic between IN and OUT zones and telnet packets to the address of Loopback 0 interface of R3 router. The example of this traffic class is shown below. The keyword match-any specifies that for selecting the traffic with the help of this construction any condition should be matched. With the help of keyword match-all one can select traffic that meets all conditions simultaneously. Students also need to create classes for the traffic from IN to DMZ zone and from OUT zone to DMZ one. To simplify the task we consider that one should enable transmitting only ICMP-traffic to DMZ-segment.
ip access-list extended TELNET
permit tcp any host 188.8.131.52 eq telnet
class-map type inspect match-any in2out
match protocol icmp
match access-group name TELNET
- View created traffic classes with the help of sho class-map type inspect command.
- One can create policy performing particular actions for the traffic class with the help of policy-map type inspect name command, where name is a name of created policy. Traffic of a particular class can be transmitted, dropped or inspected. The policy can describe actions for several traffic classes. The example of the policy is shown below. This policy inspects traffic of the earlier created class in2out. One can pass the traffic with the help of keyword pass, dropping is performed with the help of drop option. Create all necessary policies for zone pairs.
policy-map type inspect in2out
class type inspect in2out
- One can view created policies using sho policy-map type inspect command.
- Now it’s necessary to assign created policy to zone pair using service-policy type inspect name command in zone pair configuration mode, where name is a name of assigning policy. Assign earlier created policies to corresponding zone pairs.
- View all earlier created zone pairs. Make sure of successful adding of a corresponding policy.
- Add all necessary interfaces to corresponding zones. This addition can be performed with the help of interface command zone-member security name, where name is zone name.
- With the help of sho zone security command make sure of successful adding of all necessary interfaces to zones.
- Check that the traffic is successfully transmitted within a zone.
- Configure R3 router the way that one can manage it remotely using telnet protocol.
- Make sure of successful traffic routing from the internal network to R3 router.
- Check successful traffic transmitting to DMZ-segment.
- On R1 and R2 routers configure a dynamic routing protocol for exchanging prefixes with each other.
- Check that neighboring between R1 and R2 with the use of a chosen protocol is set up successfully.
- Create new classes, policies, zone pairs the way that one cannot manage R2 router from DMZ-segment and global network and can connect for managing it from the internal network only from a particular host. Setting of IGP neighboring should not be enabled from the global network or DMZ-segment. On creating a zone pair, self zone, automatically configured by the router, should be the second zone.
Zone-Based Firewall technology provides extended functionality for limitation of transmitting traffic (this is not used in this lab). For example, one can limit the number of half-open (embryonic) TCP-connections. The example of this limitation is shown below. The specified setting allows setting maximum number of half-open connections and limiting their number for a host.
parameter-map type inspect TCP_embryonic
max-incomplete high 100
tcp max-incomplete host 10 block-time 0
policy-map type inspect protect_tcp
class type inspect TCP_half-open
Apart from limitation of the number of half-open TCP-connections, ZFW allows performing deep traffic inspection. The example below shows blocking of HTTP-traffic containing requests for objects which have URL longer than 250 bytes.
class-map type inspect http LONG_URLS
match request uri length gt 250
policy-map type inspect http HTTP_POLICY
class type inspect http LONG_URLS
class-map type inspect match-all HTTP_TRAF
match protocol http
policy-map type inspect inspect_HTTP
class type inspect HTTP_TRAF
service-policy http HTTP_POLICY