topic Default blocking with ZBF in Network Security

Default blocking with ZBF

Joe Conklin — Fri, 21 Feb 2020 14:14:43 GMT

I am performing a POC config for a project I am working on. I have configured a ZBF and it works as intended with one exception, traffic in from the Internet is not inheritly blocked, I think, to the self zone. In the below config I am allowing ICMP out from LAN and allowing telnet out from the DMZ. Similarly I am allowing telnet in to simulate traffic being inspected/passed to a server in the DMZ.

What I was surprised to see what I could still ping the outside interface 1.1.1.1. I presumed, maybe incorrectly, ZBF would inheritly blocked traffic such as ping to the outside interface because it wasn't specified as an exception. How can I block ping to my outside interface 1.1.1.1 without creating an ACL to allow only icmp echo-reply? If I go the route of allowing just icmp echo-reply I will end up having to specifiy everything else I want to pass which defeats the simplicty of ZBF.

My config works as intended. The only thing I want to do is block, or filter icmp allowing only echo-reply, so that my outside interface isn't pingable. I want to do so in the simplest manner possible so I can only worry about adding inspect statements to my ZBF and allowing exceptions for inbound rules per ACL FIREWALL-EXCEPTIONS-ACL.

class-map type inspect match-any FIREWALL-EXCEPTIONS
match access-group name FIREWALL-EXCEPTIONS-ACL
class-map type inspect match-any DMZ-ALLOWED-PROTOCOLS
match protocol telnet
class-map type inspect match-any LAN-ALLOWED-PROTOCOLS
match protocol icmp
!
policy-map type inspect FIREWALL-EXCEPTIONS-POLICY
class type inspect FIREWALL-EXCEPTIONS
inspect
class class-default
drop
policy-map type inspect LAN-TO-INTERNET-POLICY
class type inspect LAN-ALLOWED-PROTOCOLS
inspect
class class-default
policy-map type inspect DMZ-TO-INTERNET-POLICY
class type inspect DMZ-ALLOWED-PROTOCOLS
inspect
class class-default
!
zone security INTERNET
zone security LAN
zone security DMZ
zone-pair security ZP-LAN-TO-INTERNET source LAN destination INTERNET
service-policy type inspect LAN-TO-INTERNET-POLICY
zone-pair security ZP-DMZ-TO-INTERNET source DMZ destination INTERNET
service-policy type inspect DMZ-TO-INTERNET-POLICY
zone-pair security ZP-INTERNET-TO-DMZ source INTERNET destination DMZ
service-policy type inspect FIREWALL-EXCEPTIONS-POLICY
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.248
ip nat outside
zone-member security INTERNET
!
interface FastEthernet0/1
ip address 10.1.0.1 255.255.255.0
ip nat inside
zone-member security DMZ
!
interface FastEthernet1/0
ip address 10.1.10.1 255.255.255.0
zone-member security LAN
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.1.0.3 23 1.1.1.1 2323 extendable
!
ip access-list extended FIREWALL-EXCEPTIONS-ACL
permit tcp any host 10.1.0.2 eq telnet
permit tcp any host 10.1.0.3 eq telnet
!
access-list 1 permit 10.1.10.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 deny any

Re: Default blocking with ZBF

Marvin Rhoads — Sat, 26 Aug 2017 04:25:27 GMT

You will be able to reach self zone because "Traffic to and from the Self zone is unrestricted until you configure explicit rules to the contrary".

Source

https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/fwzbf.html#pgfId-340286

There is a how-to doc with more details on setting up self zone rules posted here:

https://supportforums.cisco.com/t5/security-documents/zbfw-self-zone-integration/ta-p/3154572

Re: Default blocking with ZBF

Joe Conklin — Sat, 26 Aug 2017 14:58:35 GMT

I appended the below to my configuration I posted in my original post. This seems to work and block traffic the self zone. Is there anything about the below you might change? Since I'm defining traffic for self to inspect I do need to add other inspect rules but per the class-default if its not inspected it dropped so I think the below is rather secure. Any disagreement?

object-group network ROUTER-INTERFACES
host 1.1.1.1
host 10.1.10.1
host 10.1.0.1
!
policy-map type inspect INTERNET-TO-SELF-POLICY
class class-default
drop log
!
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
service-policy type inspect INTERNET-TO-SELF-POLICY

Re: Default blocking with ZBF

Marvin Rhoads — Sat, 26 Aug 2017 16:28:38 GMT

Your frustration with the limitations and complexity of IOS ZBFW are understandable. That's one reason why we don't see many of them in real world implementations. Most customers elect instead to put in a proper firewall, be it from Cisco or a third party vendor.

Re: Default blocking with ZBF

Joe Conklin — Sat, 26 Aug 2017 21:31:24 GMT

No frustration, just lacked the right configuration. Yes, a Palo Alto or ASA would make this far easier but that's neither here nor there. I simply needed to confirm the exact steps to limit traffic to the self zone effentiently but now I do without the gratuitous use of ACLs.

The below policy-map and zone-pair will do exactly what I wanted which is block all traffic from the Internet by default unless otherwise allowed in as per the exceptions, policy-map type inspect FIREWALL-EXCEPTIONS-POLICY, in the original config in my first post.

policy-map type inspect INTERNET-TO-SELF-POLICY
 class class-default
  drop log
!
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
 service-policy type inspect INTERNET-TO-SELF-POLICY