Thursday 4 April 2013

Transparent Firewall - CBAC vs. ZFW


  • CBAC Transparent Firewall
A transparent firewall is a Layer 2 bridge that also acts as a firewall: frames are bridged between two interfaces, and the IP packets among them are statefully inspected and filtered using Context-Based Access Control (CBAC). Non-IP traffic (ARP, for example) is bridged without inspection.
Because it operates at Layer 2, a transparent firewall can be inserted into an existing subnet without readdressing or reconfiguring the attached devices; only the firewall's own management address, on the BVI, has to be taken from that subnet.

Configuring a Bridge Group
The first step in configuring a transparent firewall is to configure transparent bridging on two of the interfaces. The BVI gives the bridge group an IP address for management only; the bridged interfaces themselves carry no IP address.

bridge irb
! Bridged interfaces carry no IP address of their own.
interface FastEthernet1/0
 no ip address
 bridge-group 1
!
interface FastEthernet1/1
 no ip address
 bridge-group 1
!
! Management address for the bridge group (in the bridged subnet).
interface BVI1
 ip address 10.1.1.3 255.255.255.0
!
bridge 1 protocol ieee
! Route IP to/from the BVI; IP between the bridge-group ports is still bridged.
bridge 1 route ip
Configuring Inspection and ACLs

ip inspect name INSPECT icmp
! Inspect inside-originated traffic so CBAC opens the return path
! through the outside ACL. Only ICMP is inspected here; replies to
! other protocols started from the inside are still dropped.
interface FastEthernet1/0
 ip inspect INSPECT in
! Deny everything arriving from the outside except CBAC-permitted
! returns. The DENY ACL is deliberately not applied inbound on the
! inspected interface: an inbound ACL is evaluated before inspection,
! so "deny ip any any" there would block all inside-originated traffic.
interface FastEthernet1/1
 ip access-group DENY in
ip access-list extended DENY
 deny   ip any any
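The checks below are an added verification sequence for the CBAC configuration above, not part of the original post. They use only standard IOS privileged EXEC show commands; the interface and name INSPECT/DENY are those from the configuration.

```cisco
! Added verification steps (not from the original post). Run from
! privileged EXEC after an inside host has pinged an outside host.
!
! The bridge must have learned MAC addresses on both ports; otherwise
! nothing is being forwarded and the firewall is not in the path.
show bridge 1
!
! Confirm CBAC created a session for the ping. With nothing listed,
! the echo reply is dropped by the DENY list on FastEthernet1/1.
show ip inspect sessions detail
!
! A rising match counter on the deny entry shows traffic arriving from
! the outside that no inspection session permitted (all non-ICMP here).
show ip access-lists DENY
!
! Verify what is inspected and on which interface it is applied.
show ip inspect config
show ip inspect interfaces
```

If sessions never appear, check that no inbound ACL is applied on FastEthernet1/0, since an inbound ACL is evaluated before the inspection rule on the same interface.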
  • ZFW Transparent Firewall
To configure the Zone-Based Policy Firewall (ZFW) as a transparent firewall, keep the same bridge group and simply make each bridged interface a member of a security zone. As with CBAC, only IP traffic is inspected; non-IP frames are bridged untouched unless they are filtered with a bridge-group type-code list.
The BVI, like every address owned by the router, belongs to the "self" zone. Management traffic to and from the BVI is therefore governed by self-zone policy, and a zone-pair involving self must be configured so that only the intended management traffic is permitted.


Configuring a Bridge Group
As with CBAC, the first step is to configure transparent bridging on two of the interfaces; each bridged interface is then assigned to a security zone.

bridge irb
! Bridged interfaces carry no IP address; each is placed in a zone.
interface FastEthernet1/0
 no ip address
 bridge-group 1
 bridge-group 1 input-type-list 201
 zone-member security inside
!
interface FastEthernet1/1
 no ip address
 bridge-group 1
 bridge-group 1 input-type-list 201
 zone-member security outside
!
! Management address for the bridge group; traffic to it is self-zone traffic.
interface BVI1
 ip address 10.1.1.3 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip
! Type-code access list 201 (range 200-299) is referenced above but not
! shown; it filters frames by EtherType before they are bridged and must
! permit at least IP and ARP for the bridged hosts to communicate.

Configuring Zones and Policies

zone security inside
zone security outside
!
! Only HTTP initiated from the inside is statefully inspected; all other
! traffic crossing this zone-pair is dropped and logged.
class-map type inspect match-all CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
 match protocol http
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
  inspect
 class class-default
  drop log
!
! No outside-to-inside zone-pair exists, so sessions initiated from the
! outside are dropped by default; inspected return traffic is allowed.
zone-pair security INSIDE_TO_OUTSIDE source inside destination outside
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
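The post says the self-zone policy for the BVI "should be configured appropriately" without showing one. The following is an added example, not the original author's configuration, of restricting management access to the BVI at 10.1.1.3 to SSH and ICMP from a single inside host. The class-map, policy-map and zone-pair names, the MGMT_HOSTS access list and the management host address 10.1.1.100 are all assumptions for this example; the zone names and the BVI address are the ones used above.

```cisco
! Added example (not from the original post): management access to the
! BVI from the inside zone. Names below and the host 10.1.1.100 are
! assumed for illustration.
!
! Limit the policy to one management station talking to the BVI.
ip access-list extended MGMT_HOSTS
 permit ip host 10.1.1.100 host 10.1.1.3
!
! match-all: the flow must be from MGMT_HOSTS AND be the named protocol.
class-map type inspect match-all CMAP_MGMT_SSH
 match access-group name MGMT_HOSTS
 match protocol ssh
class-map type inspect match-all CMAP_MGMT_ICMP
 match access-group name MGMT_HOSTS
 match protocol icmp
!
! inspect is valid for TCP, UDP and ICMP toward the self zone; SSH is a
! TCP port-map protocol, so its replies are allowed statefully. The
! explicit class-default drop makes the outcome independent of the
! implicit default once a zone-pair references self.
policy-map type inspect PMAP_INSIDE_TO_SELF
 class type inspect CMAP_MGMT_SSH
  inspect
 class type inspect CMAP_MGMT_ICMP
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE_TO_SELF source inside destination self
 service-policy type inspect PMAP_INSIDE_TO_SELF
!
! Verification: an SSH session from 10.1.1.100 should appear here, and
! anything else aimed at the router from the inside logs a drop.
show policy-map type inspect zone-pair INSIDE_TO_SELF sessions
```

Router-originated traffic toward the inside (syslog, NTP and similar) is not covered by this pair; if it must be controlled, a separate zone-pair with self as the source and inside as the destination is required. Management from the outside zone stays blocked because no outside-to-self zone-pair is defined and the policy above does not match outside traffic.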


