CCIE R&S Security

Turgon

One of the trickiest sections on the R&S study trail to get down, the questions seem so **** going by the practice labs. Let this be the thread to discuss R&S security topics.

ciscog33k

Am I the only one that hates zone-based firewalls?

Turgon

ciscog33k wrote: »

Am I the only one that hates zone-based firewalls?

Probably not. Never worked with them yet. Something I have to cover. 2 points on the test. Thanks for contributing! What is this stuff all about then? IOS feature?

kalebksp

ciscog33k wrote: »

Am I the only one that hates zone-based firewalls?

Other than the lack of IPv6 support I really like ZBF. I've only used it on my home router so take my opinion for what it's worth.

mikej412

Turgon wrote: »

IOS feature?

Yep -- came in 12.4(6)T but had some tweaks in 12.4(9)T and 12.4(11)T that make the last two versions the ones to run for the ZBF in the CCNA:Security. You need the IP Security or greater feature set.

It's definitely worth the 20 minutes to Lab up.

kalebksp

For those unfamiliar with the Zone-Based Firewall it essentially groups your interfaces into different "zones" then you apply your policy unidirectionally between the zones rather than using CBAC on a per-interface basis. All members of a zone can freely pass traffic. By default members of different zones cannot pass traffic, except for the self zone (aka the router) which all zones can communicate with by default. If one interface is in a zone and another is not in a zone they cannot communicate at all. ZBF and CBAC are mutually exclusive on an interface. ZBF uses the MQC syntax, so if you're familiar with QoS configuration it's pretty easy.

I find it much easier logically and in configuration to define how I want different zones to communicate rather than how each interface should be able to communicate with every other interface.

laidbackfreak

kalebksp wrote: »

For those unfamiliar with the Zone-Based Firewall it essentially groups your interfaces into different "zones" then you apply your policy unidirectionally between the zones rather than using CBAC on a per-interface basis. All members of a zone can freely pass traffic. By default members of different zones cannot pass traffic, except for the self zone (aka the router) which all zones can communicate with by default. If one interface is in a zone and another is not in a zone they cannot communicate at all. ZBF and CBAC are mutually exclusive on an interface. ZBF uses the MQC syntax, so if you're familiar with QoS configuration it's pretty easy.

I find it much easier logically and in configuration to define how I want different zones to communicate rather than how each interface should be able to communicate with every other interface.

Good write up fella pretty much how I feel about it too... MQC its the future lol

ciscog33k

Ok I guess I'm in the minority. I can't remember what I was trying to do with it, but it seemed like a pain in the butt at the time. Disclaimer though... I was much less competent with cisco gear back then (hadn't even started my ccnp). Now that I understand ios at a much higher level, maybe I should play with it a little.

DevilWAH

ZBF is the only one I have much experience with.. And I think its great, nice and logical. OK I am only using it on a small production network, but considering the price, and being able to keep it all on one box (ok not great for security, but when the network is only 20 end stations + a few web servers, this is a big plus in my book)

And the fact is has such a similar configuration method to QOS is another plus.

The fact I can configure it from the CLI, and read back my configs, is also good