Zone based Firewall - Online CCNA Security Training Video by Zoom Technologies.

Zoom Technologies, the pioneer in Cisco Security Training. Zoom Technologies offers Cisco Security Training and Certification.

In this video you will learn:

1. What is a zone-based firewall?

• Zone-based policy firewall (ZPF) is a stateful inspection firewall implementation on a router.
• The zone-based policy firewall configuration model was introduced in 2006 with Cisco IOS Release 12.4(6)T.

Stateful Inspection firewalls

• Stateful inspection firewalls allow direct connection between client and host.
• They evaluate packets based on previous connections.
• Stateful inspection is designed to gather communication information and communication state for packet analysis.
• Stateful Inspection firewalls

Basic ZPF Zone Topology

• In ZPF the router interfaces are assigned to zones (outside zone and inside zone) and an inspection policy is applied to traffic moving between the zones.
• The default policy is to block all traffic unless explicitly allowed.
• If a new interface is added to the inside zone, the hosts on the new interface can pass traffic to all hosts in the inside zone. The new interface also inherits all existing inside zone policies when passing traffic to other zones.

2. How does a zone-based firewall work?

Actions of ZPF

Inspect
• Configures Cisco IOS SPI (equivalent to the ip inspect command).
• It automatically allows for return traffic and potential ICMP messages.

Pass
• Analogous to a permit statement in an ACL.
• It does not track the state of connections or sessions within the traffic.
• Pass allows the traffic only in one direction.
• A corresponding policy must be applied to allow return traffic to pass in the opposite direction.

Drop
• Analogous to a deny statement in an ACL.
• Zone-Based Policy Firewall Traffic Inspection

ZPF Rules

• We can assign an interface to only one security zone.
• If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
• To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
• Traffic cannot flow between a zone member interface and any interface that is not a zone member.
• We can apply pass, inspect, and drop actions only between two zones.
• If we do not want an interface to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (also known as a dummy policy) between that zone and any other zone to which traffic flow is desired.

The Self Zone

• The ZPF rules for a zone-based policy firewall are different when the router is the source or the destination of the traffic.
• When an interface is configured to be a zone member, the hosts that are connected to the interface are included in the zone.
• However, traffic to the router is not subject to the zone policies.
• By default, all router IP interfaces are part of the self zone.
• A zone-pair that includes the self zone and an associated policy applies to router-generated traffic or traffic destined to the router.
• It does not apply to traffic traversing the router.
• A policy can be defined using the self zone as either the source or the destination zone.
• The self zone is a system-defined zone.
• It does not require any interfaces to be configured as members.

For more details visit http://www.zoomgroup.com
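The ZPF actions, rules and self-zone behaviour listed above can be checked against a small Python model. This is an added example, not part of the video or of Cisco IOS: the ZpfModel class, interface names, zone names and addresses are constructed for illustration. It assumes sessions are tracked per host pair rather than per connection, and that forwarding between two interfaces that are both outside every zone is unaffected by ZPF.

```python
SELF = "self"  # system-defined zone: traffic to or from the router itself

class ZpfModel:
    """Hypothetical model of ZPF forwarding decisions (not IOS code)."""

    def __init__(self, zones, pairs):
        self.zones = zones     # interface -> zone (an interface is in at most one zone)
        self.pairs = pairs     # (source zone, destination zone) -> inspect | pass | drop
        self.sessions = set()  # (src, dst) flows recorded by the inspect action

    def zone_of(self, iface):
        # The router itself is always the self zone; an unassigned interface has no zone.
        return SELF if iface == SELF else self.zones.get(iface)

    def forward(self, in_if, out_if, src, dst):
        """Return 'permit' or 'drop' for a packet src -> dst going from in_if to out_if."""
        if (dst, src) in self.sessions:
            return "permit"  # return traffic of an inspected session
        zin, zout = self.zone_of(in_if), self.zone_of(out_if)
        action = self.pairs.get((zin, zout))
        if action is None:  # no zone-pair covers this direction
            if SELF in (zin, zout):
                return "permit"  # router traffic is outside zone policy until a self pair exists
            if zin is None and zout is None:
                return "permit"  # assumption: two non-member interfaces forward as usual
            if zin is None or zout is None:
                return "drop"    # zone member <-> non-member never flows
            return "permit" if zin == zout else "drop"  # same zone is free, else default block
        if action == "inspect":
            self.sessions.add((src, dst))  # stateful: the reply is allowed automatically
        return "permit" if action in ("inspect", "pass") else "drop"

def sample_firewall():
    # Constructed topology: Gi0/4 is deliberately left out of every zone.
    zones = {"Gi0/0": "INSIDE", "Gi0/2": "INSIDE", "Gi0/1": "OUTSIDE", "Gi0/3": "DMZ"}
    pairs = {("INSIDE", "OUTSIDE"): "inspect", ("INSIDE", "DMZ"): "pass",
             ("OUTSIDE", SELF): "drop"}
    return ZpfModel(zones, pairs)

if __name__ == "__main__":
    fw = sample_firewall()
    for pkt in [("Gi0/1", "Gi0/0", "203.0.113.9", "10.0.0.5"),   # unsolicited inbound
                ("Gi0/0", "Gi0/1", "10.0.0.5", "203.0.113.9"),   # inspected outbound
                ("Gi0/1", "Gi0/0", "203.0.113.9", "10.0.0.5"),   # its reply
                ("Gi0/3", "Gi0/0", "172.16.0.10", "10.0.0.5")]:  # DMZ to inside, no pair
        print(pkt, fw.forward(*pkt))
```

The same inbound packet is dropped before the inside host opens the session and permitted afterwards, which is the difference between inspect and pass that the action list describes.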