Zone Based Firewalls
When I heard the word “Zone” my mind drifted to the very first form of VLANs I set up long ago: AppleTalk Zones. AT Zones were a great idea ahead of their time and certainly set up the world to understand that digital partitioning based upon a logical grouping is a very good thing. As I stepped out of the Way-Back Machine, I thought of a more common use for zones in networking today: Zone-Based Firewall policies on Cisco IOS routers.
I was at the gym the other day, now before you jump to conclusions; I was just waiting on my son to finish his fencing class. He was learning how to sell stolen merchandise in Milwaukee… I was just sitting there minding my own business, eating a Snickers, box of Cracker Jacks, Twix (in case I needed to pause) and washing it down with a half gallon of DIET Sundrop when I heard someone say, “You’re in the ZONE!” to another meat head lifting weights or something like that. Of course it looked like that zone was the multiple forms of high/middle/low fives reminiscent of the cheesiest of 70’s cop shows. Solid Bro
Many firewall folks use the old school Context-Based Access Control (CBAC) firewall rules, where I type the ip inspect command (ip inspect <name> in, or ip inspect <name> out) on an interface about a gazillion times to apply an inspection policy, and all traffic on that interface is subject to that policy. Now that is all well and good, but applying this between multiple interfaces, or adjusting it to meet the latest and greatest software-as-a-service idea from the ivory tower, is more of a pain in the tail than riding a mountain bike without a seat. Cisco now calls CBAC (and I ain’t making this up) Classic Firewall. You know, like Classic Coke: same great filter you know, in a new and updated can…
There has got to be a better way!
Hey, whatta ya know! Zone-Based Firewall policies might just be that way! They are certainly not equal to sucky “New Coke”. We call ‘em ZFWs in the field. If you lower your voice an octave, then lower your chin just a bit, raise your eyes slowly and say “Z.F.W.”, you are totally in the driver’s seat of a ’57 rag-top Chevy to Fonz Land. When you are thinking about Z.F.W., think in terms of Private VLAN segmentation. Zones take me out of the boring snoozefest world of CBAC and its interface-by-interface policy structure. They add color and flexibility. Now interfaces (with an “S”) are assigned to zones, and inspection policy is applied to traffic moving from one zone to another, one direction at a time, as a zone pair. Inter-zone policies also let me apply different inspection policies to multiple host groups connected to the same router interface.
The trick here is dividing my network up into use-case zones. Normally, when I am planning a ZFW implementation for a medium-sized network where I am trying to control access, I have a minimum of three zones:
Of course we can get much more detailed than that, but the point is to look at your network based upon the access role each device/application plays and start grouping things up. I configure my zones and zone policies first, before I start assigning interfaces to them, because the moment an interface joins a zone, traffic between it and any other zone is dropped until a policy says otherwise.
ZFW configs can get large and, truthfully, many folks abandon them after looking at CLI commands like:
zone security dmz
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
zone-pair security servers-clients source servers destination clients
 service-policy type inspect servers-clients-policy
and they think, “What are you, a goober or something? How the heck is this better than IP INSPECT? I can up-arrow, edit and go,” and then they go back to the CBAC model. That’s why I like to leave the local orbit of Planet CLI and hit warp speed to the Security Device Manager (SDM) and let it do it for me! A good rule of thumb: any time I climb the OSI stack past layer 4, a GUI works tons better than the CLI for initial setup/config. Then I fine-tune with the CLI. Pointing and clicking my way through SDM is a real piece of cake, PLUS the best part is that after I config up my ZFW, SDM checks it against my current config, and if it finds a conflict, like BGP routing updates that have to pass through this policy and I spaced it, SDM warns me and lets me correct it before deployment. That’s what I call “Goober Proofing”.
A few things to keep in mind about ZFW:
– Don’t be a wank. Use SDM to get these up and going, then fine-tune them with the CLI.
– Try not to use VLAN subinterfaces to put public and private zones on the same physical interface. That sets you up for a VLAN-hopping (Q-in-Q double-tagging) breach. I see this all the time and it leaves you wide open.
– Don’t forget about NTP access for your firewall. The router’s own NTP traffic is traffic to and from the router itself, so whatever policy you write for that (next two bullets) has to let it through.
– You can have both ZFW and CBAC on the same router, just not on the same interface.
– I got burnt on this one at a customer site. ZFW uses the Cisco Policy Language (CPL), which works a lot like ACLs plus class maps. Traffic moving between zones is implicitly denied by default. That’s different from the CBAC model, where traffic is allowed until I block it with an ACL. BUT the F. Lee Bailey exception to the ZFW deny-by-default approach is traffic to and from the router itself, which ZFW keeps in a built-in zone called “self”. That traffic is permitted by default. To stop it, and prevent the embarrassment of failing an audit and having to pay for rounds and supper that night, write an explicit policy on the zone pairs between self and each of your other zones to restrict that traffic. Grrrrr….
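Here is what the whole thing looks like in the CLI once it is wired together: the zone/zone-pair commands from the snippet above, plus the self-zone lockdown from the last bullet. This is an added example written for this post, not a config pulled from SDM, from a customer site, or from Cisco’s design guide. The zone names private and internet come from the zone-pair commands above; the interface names, the 10.1.1.0/24 and 203.0.113.0/30 addresses, the class-map/policy-map names, and the choice of protocols are all assumptions made up for the illustration.

```cisco
! Added example (constructed for this post). Interface names, addresses,
! class-map and policy-map names are assumptions, not from a real deployment.
!
! 1. Zones. The "self" zone already exists; you never create it.
zone security private
 description Inside users
zone security internet
 description Outside / ISP
!
! 2. Sessions that private hosts start toward the internet.
!    inspect = stateful: the return traffic gets back in without any
!    internet->private zone-pair.
class-map type inspect match-any PRIVATE-TO-INTERNET-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect PRIVATE-TO-INTERNET-POLICY
 class type inspect PRIVATE-TO-INTERNET-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security private-internet source private destination internet
 service-policy type inspect PRIVATE-TO-INTERNET-POLICY
!
! No internet->private zone-pair exists, so unsolicited inbound traffic
! is dropped. That is the deny-by-default part.
!
! 3. Self zone. Without the zone-pairs below, anything in any zone can
!    talk to the router and the router can talk to anything. Every
!    direction is its own zone-pair; locking one down does not touch
!    the others.
!
! Management into the router: SSH only, only from the inside LAN.
ip access-list extended MGMT-HOSTS
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
!
class-map type inspect match-all PRIVATE-TO-SELF-CLASS
 match access-group name MGMT-HOSTS
 match protocol ssh
!
policy-map type inspect PRIVATE-TO-SELF-POLICY
 class type inspect PRIVATE-TO-SELF-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security private-self source private destination self
 service-policy type inspect PRIVATE-TO-SELF-POLICY
!
! Traffic the router itself starts toward the internet: NTP (the bullet
! above) and DNS. Inspecting it is what lets the replies back in.
class-map type inspect match-any SELF-TO-INTERNET-CLASS
 match protocol ntp
 match protocol dns
!
policy-map type inspect SELF-TO-INTERNET-POLICY
 class type inspect SELF-TO-INTERNET-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security self-internet source self destination internet
 service-policy type inspect SELF-TO-INTERNET-POLICY
!
! Unsolicited traffic from the internet to the router: drop all of it.
! If you run BGP or IPsec with a peer out there, add a class for it
! ahead of class-default. Forgetting that is the "I spaced it" case.
policy-map type inspect INTERNET-TO-SELF-POLICY
 class class-default
  drop log
!
zone-pair security internet-self source internet destination self
 service-policy type inspect INTERNET-TO-SELF-POLICY
!
! 4. Interfaces last. Each interface belongs to exactly one zone, and
!    once it is in a zone it only talks to other zones through the
!    zone-pair policies above.
interface GigabitEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 zone-member security private
!
interface GigabitEthernet0/1
 description Outside
 ip address 203.0.113.2 255.255.255.252
 zone-member security internet
```

Two things to notice before you copy this. First, the self->private direction is deliberately left alone, so it still sits at the default permit; add a fourth self zone-pair if the audit wants that one locked too. Second, pinging the router from the inside LAN now fails, because the private->self policy only matches SSH from the management ACL; give ICMP its own class there if you want ping to work. Check the result with show zone-pair security and show policy-map type inspect zone-pair sessions, and make sure an SSH session from a non-management host really does show up as dropped before you call it done.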
Zone-Based Firewalls are really the stuff and something we should be taking a closer look at in our firewall deployments. The router runs better with ZFW than with CBAC, and ZFW policies are much easier to manage and scale. A great starting point is the Cisco ZFW design guide at:
There is also a fantastic Digital Short from Cisco Press called Deploying Zone-Based Firewalls by Ivan Pepelnjak. http://www.ciscopress.com/bookstore/product.asp?isbn=1587053101
I really like the Digital Shorts because, unlike every other security book out there, they get right to the point. Many security books I pick up have at least four throwaway chapters (OSI model, History of…, Theory of…, and Intro to Security) that folks use just to bulk up the book and get it published. This book is great, well done, and can be used as a ready reference for deployments.
Well, looks like it’s time for S.W.A.T. to come on in TV Land. It’s not good to keep Hondo Harrelson waiting….
Jimmy Ray Purser
Trivial File Transfer Protocol
Galileo dropped out of the University of Pisa because he didn’t have the cash to pay the tuition. However in a couple of years he returned…as a Professor.