Cisco offers multiple different firewall solutions, each geared to a different environment. Currently, Cisco Firewall offerings include:

- Cisco ASA 5500 Adaptive Security Appliances
- Cisco Catalyst 6500 Series ASA Services Module
- Cisco Virtual Security Gateway for Nexus 1000V Series Switch

Many different types of techniques are used for firewalling. In this chapter, we cover the first two firewall technologies: Cisco IOS Firewall and Cisco ASA firewall.

The zone-based policy firewall changes the original implementation of Cisco IOS Classic Firewall stateful inspection from the older interface-based model to a more flexible, more easily understood zone-based configuration model. The first section of this chapter focuses on the features of Cisco IOS Zone-Based Policy Firewalls and how to use Cisco Configuration Professional to configure them.

Cisco Adaptive Security Appliance (ASA) implements a rich set of security technologies and can be effectively implemented as a perimeter firewall using several deployment modes. The second section of this chapter introduces Cisco ASA functionality, features, and underlying technologies and demonstrates how to configure the Cisco ASA 5505 model for basic connectivity using Cisco Adaptive Security Device Manager (ASDM).

Cisco IOS routers have been using many different techniques for firewalling over the years. Recently, Cisco introduced Zone-Based Policy Firewall as an alternative to the older technology called Context-Based Access Control. The original implementation of Cisco IOS Classic Firewall stateful inspection used an interface-based configuration model, in which a stateful inspection policy was applied to an interface. All traffic passing through that interface received the same inspection policy. This configuration model limited the granularity of the firewall policies and caused confusion about the proper application of firewall policies, particularly in scenarios where firewall policies must be applied between multiple interfaces. Zone-based policy firewalls (sometimes referred to as ZBF, or zone-policy firewall) change the firewall from the older interface-based model to a more flexible, more easily understood configuration model where interfaces are assigned to zones, and an inspection policy is applied to traffic moving between the zones. To demonstrate this model, Figure 10-1 shows three zones: