Itne - implementing firewall technologies - configuring


Implementing Firewall Technologies

Objective: Configuring Zone-Based Policy Firewalls

Figure: lab topology (323_figure.jpg)

Note: ISR G1 devices have Fast Ethernet interfaces instead of Gigabit Ethernet interfaces.

Addressing Table

Device     | Interface  | IP Address   | Subnet Mask     | Default Gateway | Switch Port
-----------|------------|--------------|-----------------|-----------------|---------------
R1-S0000   | F0/1       | 192.168.1.1  | 255.255.255.0   | N/A             | S1-S0000 F0/1
           | S0/0 (DCE) | 10.1.1.1     | 255.255.255.252 | N/A             | N/A
R2-S0000   | S0/0       | 10.1.1.2     | 255.255.255.252 | N/A             | N/A
           | S0/1 (DCE) | 10.2.2.2     | 255.255.255.252 | N/A             | N/A
R3-S0000   | F0/0       | 192.168.33.1 | 255.255.255.0   | N/A             | N/A
           | F0/1       | 192.168.3.1  | 255.255.255.0   | N/A             | S3-S0000 F0/1
           | S0/1       | 10.2.2.1     | 255.255.255.252 | N/A             | N/A
PC-A-S0000 | NIC        | 192.168.1.3  | 255.255.255.0   | 192.168.1.1     | S1-S0000 F0/2
PC-B-S0000 | NIC        | 192.168.3.3  | 255.255.255.0   | 192.168.3.1     | S3-S0000 F0/2
PC-C-S0000 | NIC        | 192.168.33.3 | 255.255.255.0   | 192.168.33.1    | N/A

In this lab, you will perform the following tasks:

Part 1: Configure Basic Device Settings

- Configure basic settings such as host name, interface IP addresses, and access passwords.

- Configure static routing to enable end-to-end connectivity.

Part 2: Configuring a Zone-Based Policy Firewall (ZPF)

- Use the CLI to configure a Zone-Based Policy Firewall.

- Use the CLI to verify the configuration.

BACKGROUND

The most basic form of a Cisco IOS firewall uses access control lists (ACLs) to filter IP traffic and monitor established traffic patterns. A traditional Cisco IOS firewall is an ACL-based firewall.

The newer Cisco IOS Firewall implementation uses a zone-based approach that operates as a function of interfaces instead of access control lists. Interfaces are assigned to security zones, and an inspection policy is attached to each zone pair (a source zone and a destination zone), so a Zone-Based Policy Firewall (ZPF) allows different inspection policies to be applied to multiple host groups connected to the same router interface. It can be configured for protocol-specific, granular control. Traffic between different zones is denied by default unless a zone pair with a permitting policy exists; traffic between interfaces that belong to the same zone is allowed. ZPF is suited for multiple interfaces that have similar or varying security requirements.

In this lab, you build a multi-router network, configure the routers and PC hosts, and configure a Zone-Based Policy Firewall using the Cisco IOS command line interface (CLI).

Note: The router commands and output in this lab are from a Cisco 1941 with Cisco IOS Release 15.4(3)M2 (UniversalK9-M). Other routers and Cisco IOS versions can be used. See the Router Interface Summary Table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router model and Cisco IOS version, the commands available and output produced might vary from what is shown in this lab.

Note: Before beginning, ensure that the routers and switches have been erased and have no startup configurations.

Part 1: Configure Basic Device Settings

The desktop system assigned to you serves as an end-user terminal. You access and manage the lab environment from the student desktop system using GNS3 Software.
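The following is an added example of the Part 1 configuration for R3, written for this page rather than taken from the lab's own solution. It uses the addresses from the Addressing Table; the host name prefix, the secrets (cisco12345, ciscoconpass, ciscovtypass) and the choice of default routes on R1 and R3 are assumptions, since the lab text does not specify them.

```cisco
! ===== R3: basic settings (secret values are example values, not from the lab) =====
enable
configure terminal
hostname R3
no ip domain-lookup
enable secret cisco12345
line console 0
 password ciscoconpass
 login
 logging synchronous
line vty 0 4
 password ciscovtypass
 login
exit
! Interfaces exactly as listed in the Addressing Table
interface FastEthernet0/0
 description Conference room LAN
 ip address 192.168.33.1 255.255.255.0
 no shutdown
interface FastEthernet0/1
 description Internal LAN
 ip address 192.168.3.1 255.255.255.0
 no shutdown
interface Serial0/1
 description Link to R2 (R2 is the DCE end of this link)
 ip address 10.2.2.1 255.255.255.252
 no shutdown
exit
! Everything R3 does not own is reachable through R2, so a default route is enough
ip route 0.0.0.0 0.0.0.0 10.2.2.2
end
copy running-config startup-config

! ===== R2: transit router; needs explicit routes to both edge LANs =====
configure terminal
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 no shutdown
interface Serial0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 64000                       ! R2 is DCE on S0/1 per the table
 no shutdown
exit
ip route 192.168.1.0 255.255.255.0 10.1.1.1
ip route 192.168.3.0 255.255.255.0 10.2.2.1
ip route 192.168.33.0 255.255.255.0 10.2.2.1
end

! ===== R1: single uplink, so a default route toward R2 suffices =====
configure terminal
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 64000                       ! R1 is DCE on S0/0 per the table
 no shutdown
exit
ip route 0.0.0.0 0.0.0.0 10.1.1.2
end
```

Before moving on to Part 2, confirm end-to-end reachability from R3 with `ping 192.168.1.3` (PC-A) and from PC-B with a ping to PC-A and to PC-C; every path must work now, because the ZPF verification in Part 3 depends on knowing which failures are caused by the firewall and not by routing.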

Part 2: Configuring a Zone-Based Policy Firewall (ZPF)

In Part 2 of this lab, you configure a zone-based policy firewall (ZPF) on R3 using the command line interface (CLI).

Task 1: Verify Current Router Configurations.

In this task, you will verify end-to-end network connectivity before implementing ZPF.


Task 2: Create a Zone-Based Policy Firewall

In this task, you will create a zone-based policy firewall on R3, making it act not only as a router but also as a firewall. R3 is currently responsible for routing packets for the three networks connected to it. R3's interface roles are configured as follows:

Serial 0/1 is connected to the Internet. Because this is a public network, it is considered an untrusted network and should have the lowest security level.

F0/1 is connected to the internal network. Only authorized users have access to this network. In addition, vital institution resources also reside in this network. The internal network is to be considered a trusted network and should have the highest security level.

F0/0 is connected to a conference room. The conference room is used to host meetings with people who are not part of the organization.

The security policy to be enforced by R3 when it is acting as a firewall dictates that:

- No traffic initiated from the Internet should be allowed into the internal or conference room networks.
- Returning Internet traffic (return packets coming from the Internet into the R3 site, in response to requests originating from any of the R3 networks) should be allowed.
- Computers in the R3 internal network are considered trusted and are allowed to initiate any type of traffic (TCP, UDP or ICMP based traffic).
- Computers in the R3 conference room network are considered untrusted and are allowed to initiate only web traffic (HTTP or HTTPS) to the Internet.
- No traffic is allowed between the internal network and the conference room network. There is no guarantee regarding the condition of guest computers in the conference room network. Such machines could be infected with malware and might attempt to send out spam or other malicious traffic.
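One ZPF configuration that enforces the five policy bullets above, as an added example written for this page (not the lab's own answer key). The zone, class-map, policy-map and zone-pair names (IN-ZONE, CONF-ZONE, OUT-ZONE and so on) are assumed; only the interface roles and the policy come from the lab text.

```cisco
! ===== R3: Zone-Based Policy Firewall =====
configure terminal
! --- Zones: one per interface role ---
zone security IN-ZONE
 description Internal trusted LAN (F0/1)
zone security CONF-ZONE
 description Conference room guests (F0/0)
zone security OUT-ZONE
 description Internet, untrusted (S0/1)

! --- Class maps: which traffic each policy acts on ---
! Bullet 3: internal hosts may start any TCP, UDP or ICMP session
class-map type inspect match-any IN-TRAFFIC-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
! Bullet 4: guests may start only HTTP and HTTPS
class-map type inspect match-any CONF-WEB-CLASS
 match protocol http
 match protocol https

! --- Policy maps: "inspect" is stateful; the session entry it creates is what
!     admits the return packets from the Internet (bullet 2), so no policy in the
!     OUT-ZONE -> inside direction is needed for replies ---
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TRAFFIC-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect CONF-TO-OUT-POLICY
 class type inspect CONF-WEB-CLASS
  inspect
 class class-default
  drop log

! --- Zone pairs: direction matters, and only these two exist ---
zone-pair security IN-OUT source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security CONF-OUT source CONF-ZONE destination OUT-ZONE
 service-policy type inspect CONF-TO-OUT-POLICY
! No zone pair for OUT->IN, OUT->CONF, IN->CONF or CONF->IN: the implicit deny
! between zones drops anything initiated in those directions (bullets 1 and 5).

! --- Bind interfaces last; the policy is enforced from this moment ---
interface FastEthernet0/1
 zone-member security IN-ZONE
interface FastEthernet0/0
 zone-member security CONF-ZONE
interface Serial0/1
 zone-member security OUT-ZONE
end
```

Two practical points. Assign interfaces to zones only after the zone pairs and policies exist, and do it from the console: the moment S0/1 joins OUT-ZONE, any management session that arrives through a zone without a permitting pair is cut off. Second, the conference room policy is literally HTTP and HTTPS; UDP/53 is not in CONF-WEB-CLASS, so guests can browse by IP address but name resolution through the Internet will be dropped and logged by class-default. That is the policy the lab states, so leave it, but expect the question when you test from PC-C.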

Part 3: ZPF Verification

Task 1: Verify ZPF Firewall Functionality
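An added verification checklist for R3 (example commands and expected outcomes, not text from the lab). The expected results are derived from the five policy bullets in Part 2 and assume the zone and zone-pair names IN-ZONE, CONF-ZONE, OUT-ZONE, IN-OUT and CONF-OUT used in the example configuration; the hosts are PC-A (192.168.1.3, behind the Internet side), PC-B (192.168.3.3, internal) and PC-C (192.168.33.3, conference room).

```cisco
! --- Structure: confirm what was configured is what is running ---
show zone security              ! three zones, each listing its member interface
show zone-pair security         ! IN-OUT and CONF-OUT with their service policies
show class-map type inspect     ! match statements per class
show policy-map type inspect    ! per-class action: inspect or drop

! --- Behaviour: generate traffic from the PCs, then read the state table ---
! PC-B ping 192.168.1.3 and telnet to R1 (10.1.1.1)   -> succeed (IN-OUT inspects TCP/UDP/ICMP)
! PC-C ping 192.168.1.3                               -> fails  (ICMP is not in CONF-WEB-CLASS)
! PC-C HTTP/HTTPS to a web server beyond S0/1, if one exists -> succeeds
! PC-A ping 192.168.3.3 or 192.168.33.3               -> fails  (no OUT-> inside zone pair)
! PC-B ping 192.168.33.3 and PC-C ping 192.168.3.3    -> fail   (no IN<->CONF zone pair)
show policy-map type inspect zone-pair sessions
! While the PC-B telnet is open, one session entry appears under IN-OUT; CONF-OUT
! has none unless a guest web session is active.

! --- Counters: inspected packets per class and what class-default dropped ---
show policy-map type inspect zone-pair IN-OUT
show policy-map type inspect zone-pair CONF-OUT
```

If a ping that should fail succeeds, check `show zone security` first: an interface that was never added to a zone is outside the firewall entirely, and an interface added to the wrong zone silently changes which policy applies.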

Challenge (optional)

Create the proper zone-pair, class-maps, and policy-maps and configure R3 to prevent Internet originating traffic from reaching the Self Zone.
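An added example of one way to meet the challenge, written for this page rather than taken from the lab. The self zone covers traffic addressed to or sourced by R3 itself; it is permitted by default and is only controlled once a zone pair that names `self` exists. The design below is an assumption: drop everything the Internet initiates toward R3, but keep R3's own outbound sessions (and their replies) working. It reuses the OUT-ZONE name from the earlier example; the other names are assumed.

```cisco
configure terminal
! Sessions the router itself starts toward the Internet (self-zone inspection is
! limited to TCP, UDP and ICMP on this platform, which is all we need here)
class-map type inspect match-any SELF-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect SELF-TO-OUT-POLICY
 class type inspect SELF-OUT-CLASS
  inspect                    ! stateful, so the replies are admitted by session state
 class class-default
  drop

! Anything the Internet initiates toward R3's own addresses
policy-map type inspect OUT-TO-SELF-POLICY
 class class-default
  drop log

zone-pair security SELF-OUT source self destination OUT-ZONE
 service-policy type inspect SELF-TO-OUT-POLICY
zone-pair security OUT-SELF source OUT-ZONE destination self
 service-policy type inspect OUT-TO-SELF-POLICY
end
```

Both pairs are needed: with only OUT-SELF in place, a ping R3 sends out S0/1 would still leave, but the echo reply would be evaluated against OUT-SELF and dropped. Verify with `ping 10.2.2.1` from R2 (now fails, and `show policy-map type inspect zone-pair OUT-SELF` shows the drops) and `ping 10.2.2.2` from R3 (still succeeds). Management from the internal LAN is unaffected because IN-ZONE to self has no zone pair and therefore stays at the self-zone default of permit. Apply this from the console, not through a Telnet session that enters via S0/1, or the OUT-SELF pair will terminate your own session.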
