
Zone Based Firewall – turning IOS router into ASA firewall

Zone Based Firewall (ZBF) in IOS combines two concepts: the Modular Policy Framework and the well-known zones from ASA firewalls. The ZBF solution is more secure than plain ACLs and easier to implement and troubleshoot, because it relies on stateful filtering, also well known from ASA firewalls. It is not a new solution, but it still works very well.

The ZBF feature lets us apply stateful inspection in IOS, which in short means that traffic which left the router is allowed back in. The router keeps a state table with IP addresses and TCP ports, and so knows what the TCP header of an incoming packet should look like, including its sequence number. If a user on the inside initiates traffic to an outside server, the returning traffic passes the router without being subjected to the policy checks again. Without stateful inspection this would not be possible, and every single packet would be checked individually, as with ACLs.
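To make that behaviour concrete, here is a small Python model of a zone firewall with a session table. It is an added example, not code from the original post or from Cisco IOS; the zone names, the session table and the packets in it are constructed, and only the flow direction IN to OUT is modelled.

```python
"""Toy model of the stateful inspection a ZBF 'inspect' action performs.

Added example, not Cisco code. A new flow is checked against the zone-pair
policy once; if it is allowed, the flow is recorded so that its return
traffic is accepted from the session table and never re-evaluated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int   # 0 for icmp
    dst_ip: str
    dst_port: int


class ZoneFirewall:
    """Zone-pair policy plus a session table.

    `inspected` maps (source_zone, destination_zone) to the set of protocols
    that the pair's policy inspects. Anything that matches no policy is
    dropped, which is what class-default does in a ZBF policy map.
    """

    def __init__(self, inspected):
        self.inspected = inspected
        self.sessions = set()   # keys of flows in their initiator direction

    @staticmethod
    def _key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p):
        # 1. Packets of an established session, in either direction, are
        #    accepted from the table without looking at the policy.
        if self._key(p) in self.sessions or self._reverse_key(p) in self.sessions:
            return "pass-session"
        # 2. Traffic between interfaces of the same zone is not subject
        #    to any zone-pair policy.
        if p.src_zone == p.dst_zone:
            return "pass-intrazone"
        # 3. A new flow: consult the policy of the matching zone pair.
        allowed = self.inspected.get((p.src_zone, p.dst_zone), set())
        if p.proto in allowed:
            self.sessions.add(self._key(p))
            return "inspect-new"
        return "drop"


def demo():
    """Constructed exchange: user in IN opens a TCP session to a web server in OUT."""
    fw = ZoneFirewall({("IN", "OUT"): {"tcp", "udp", "icmp"}})
    out = Packet("IN", "OUT", "tcp", "10.0.0.10", 40000, "203.0.113.5", 80)
    back = Packet("OUT", "IN", "tcp", "203.0.113.5", 80, "10.0.0.10", 40000)
    # same server, but aimed at a port the user never opened a session from
    unsolicited = Packet("OUT", "IN", "tcp", "203.0.113.5", 80, "10.0.0.10", 40001)
    return [fw.process(out), fw.process(back), fw.process(unsolicited)]


if __name__ == "__main__":
    print(demo())
```

The third verdict is the point of the model: with no zone pair from OUT to IN, the only way a packet from OUT reaches IN is as return traffic of a session that IN opened first.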

There are a couple of steps that have to be done in order to implement Zone Based Firewall:

1. creating zones
2. assigning interfaces to zones
3. creating a class map
4. creating a policy map
5. creating zone pairs
6. applying the policy map to the zone pair with service-policy (the counterpart of the service policy in ASA MPF)

A traffic flow may be subjected to inspection, passed, dropped or logged.

Zone Based Firewall LAB

We have three zones: a WWW server in OUT, an FTP server in the DMZ zone and a user in the IN zone.
We want to statefully allow traffic from IN to OUT (UDP, TCP, ICMP) and from OUT to DMZ (HTTP).

ZBF configuration (the IN-OUT class map and the WEB-POLICY action are corrected; see the ! comments):

! 1. zones
zone security IN
zone security OUT
zone security DMZ

! 2. interface membership
interface fa1/0
 zone-member security OUT

interface fa2/0
 zone-member security IN

interface fa3/0
 zone-member security DMZ

! 3. class maps
ip access-list extended IN-OUT-ACL
 permit ip any any

! The protocols to inspect are selected in a class map, not on the
! inspect action: a "policy-map type inspect" class takes a bare
! "inspect" (optionally followed by a parameter map), so "inspect tcp"
! is not a valid action there. The match-any protocol class is nested
! under the match-all class so that both the ACL and the protocol
! list apply.
class-map type inspect match-any IN-OUT-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp

class-map type inspect match-all IN-OUT-CLASS
 match access-group name IN-OUT-ACL
 match class-map IN-OUT-PROTOCOLS

! 4. policy map
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect

! 5. and 6. zone pair with the policy applied
zone-pair security IN-OUT-ZP source IN destination OUT
 service-policy type inspect IN-OUT-POLICY

! -----------------------------------------------------------------

class-map type inspect match-any WEB-CLASS
 match protocol http

policy-map type inspect WEB-POLICY
 class type inspect WEB-CLASS
  ! the original listing had no action under this class; without
  ! "inspect" the HTTP traffic is not allowed statefully
  inspect

zone-pair security OUT-DMZ-ZP source OUT destination DMZ
 service-policy type inspect WEB-POLICY
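The six steps listed earlier and the lab configuration above can be cross-checked mechanically. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses the command forms used in the lab (zone security, zone-member, class-map and policy-map type inspect, zone-pair, service-policy) and reports gaps between the steps. The embedded sample configuration is constructed for the example and deliberately leaves the WEB-POLICY class without an action, the defect in the lab's original WEB-POLICY listing, so that the check has something to report.

```python
"""Consistency checker for a Zone Based Firewall configuration.

Added example, not Cisco code. Reports zones with no interface members,
dangling ACL / class-map / policy-map / zone references, zone pairs with
no service-policy, and policy classes that carry no action.
"""

# Actions a class inside a "policy-map type inspect" can carry.
ACTIONS = {"inspect", "pass", "drop", "police"}


def parse_zbf(config_text):
    """Collect the ZBF objects from running-config style text."""
    cfg = {"zones": set(), "members": {}, "acls": set(),
           "class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    section = None      # (kind, name) of the block we are inside
    cur_class = None    # class currently open inside a policy-map
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[:2] == ["zone", "security"]:
            cfg["zones"].add(t[2])
            section = None
        elif t[0] == "interface":
            section = ("interface", t[1])
        elif t[0] == "zone-member" and section and section[0] == "interface":
            cfg["members"].setdefault(t[2], set()).add(section[1])
        elif t[:2] == ["ip", "access-list"]:
            cfg["acls"].add(t[3])
            section = None
        elif t[0] == "class-map":
            section = ("class-map", t[-1])
            cfg["class_maps"][t[-1]] = []
        elif t[0] == "match" and section and section[0] == "class-map":
            cfg["class_maps"][section[1]].append(t[1:])
        elif t[0] == "policy-map":
            section = ("policy-map", t[-1])
            cfg["policy_maps"][t[-1]] = {}
            cur_class = None
        elif t[0] == "class" and section and section[0] == "policy-map":
            cur_class = t[-1]
            cfg["policy_maps"][section[1]][cur_class] = None
        elif t[0] in ACTIONS and section and section[0] == "policy-map" and cur_class:
            cfg["policy_maps"][section[1]][cur_class] = t[0]
        elif t[0] == "zone-pair":
            section = ("zone-pair", t[2])
            cfg["zone_pairs"][t[2]] = {"source": t[4], "destination": t[6], "policy": None}
        elif t[0] == "service-policy" and section and section[0] == "zone-pair":
            cfg["zone_pairs"][section[1]]["policy"] = t[-1]
    return cfg


def check_zbf(cfg):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    zones = cfg["zones"] | {"self"}   # "self" is the router's built-in zone
    for z in sorted(cfg["zones"]):
        if z not in cfg["members"]:
            problems.append(f"zone {z} has no interface members")
    for name, matches in cfg["class_maps"].items():
        for m in matches:
            if m[0] == "access-group":
                acl = m[2] if m[1] == "name" else m[1]
                if acl not in cfg["acls"]:
                    problems.append(f"class-map {name} references missing ACL {acl}")
            elif m[0] == "class-map" and m[1] not in cfg["class_maps"]:
                problems.append(f"class-map {name} references missing class-map {m[1]}")
    for pname, classes in cfg["policy_maps"].items():
        for cname, action in classes.items():
            if cname != "class-default" and cname not in cfg["class_maps"]:
                problems.append(f"policy-map {pname} references missing class-map {cname}")
            if action is None:
                problems.append(f"policy-map {pname} class {cname} has no action (inspect/pass/drop)")
    for zp, d in cfg["zone_pairs"].items():
        for role in ("source", "destination"):
            if d[role] not in zones:
                problems.append(f"zone-pair {zp} {role} zone {d[role]} is not defined")
        if d["policy"] is None:
            problems.append(f"zone-pair {zp} has no service-policy")
        elif d["policy"] not in cfg["policy_maps"]:
            problems.append(f"zone-pair {zp} references missing policy-map {d['policy']}")
    return problems


def lint(config_text):
    return check_zbf(parse_zbf(config_text))


# Constructed sample modelled on the lab; WEB-POLICY lacks its action on purpose.
SAMPLE_CONFIG = """\
zone security IN
zone security OUT
zone security DMZ
interface fa1/0
 zone-member security OUT
interface fa2/0
 zone-member security IN
interface fa3/0
 zone-member security DMZ
ip access-list extended IN-OUT-ACL
 permit ip any any
class-map type inspect match-any IN-OUT-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all IN-OUT-CLASS
 match access-group name IN-OUT-ACL
 match class-map IN-OUT-PROTOCOLS
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
zone-pair security IN-OUT-ZP source IN destination OUT
 service-policy type inspect IN-OUT-POLICY
class-map type inspect match-any WEB-CLASS
 match protocol http
policy-map type inspect WEB-POLICY
 class type inspect WEB-CLASS
zone-pair security OUT-DMZ-ZP source OUT destination DMZ
 service-policy type inspect WEB-POLICY
"""

FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " class type inspect WEB-CLASS\n", " class type inspect WEB-CLASS\n  inspect\n")

if __name__ == "__main__":
    for p in lint(SAMPLE_CONFIG):
        print("SAMPLE:", p)
    print("FIXED:", lint(FIXED_CONFIG) or "no problems")
```

The parser keys on command keywords rather than indentation, so it accepts both the unindented listing style of the post and indented running-config output; paste `show running-config` text in place of SAMPLE_CONFIG to run it against a real router.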
