Firewall Features That Don't Suck: Zone-Based Firewall Policies

Zone-based firewall policies make policy deployment easier and more flexible

The other day I was at the gym. Now, before you jump to conclusions: I was just waiting for my son to finish his fencing class. He's learning how to fence stolen merchandise in Milwaukee... I was just sitting there, minding my own business, eating a Snickers, a fun-size box of Cracker Jack and a Twix (in case I needed a break), washing it all down with a half gallon of Diet Sun Drop, when I heard some annoying Type "A" gym meathead yell "You're in the zone!" to another meathead. Of course it looked like those zones were some form of high/medium/low five, and the combination fist bumps were reminiscent of a 70s cop show. OK... when I heard the word "zone," my mind drifted to the first form of VLAN I ever built, a long time ago: AppleTalk zones. Zones were a great idea, ahead of their time, and they certainly taught the world that digital partitioning based on logical groupings is a very good thing.

As I stepped out of the Way-Back Machine, I thought of a more common use for zones in networking today: Zone-Based Firewall Policies on Cisco IOS routers. Many firewall folks still use the old-school Context-Based Access Control (CBAC) firewall rules, where I type the command

TechWiseasa(config-if)#ip inspect ...

a gazillion times to apply an inspection policy to an interface, and all traffic on that interface is subject to that one policy. Now this is all well and good, but applying it across multiple interfaces, or tuning it to satisfy the latest-and-greatest service concept handed down from the Ivory Tower, is a pain in the tail, right up there with riding a mountain bike with no seat. Cisco now calls CBAC (I am not making this up) Classic Firewall. You know, like Classic Coke: same great taste, new and improved marketing spin. There has to be a better way! Hey, what do you know! Zone-Based Firewall Policies might be just that! They are certainly not the sucky "New Coke." In the field we call it "ZFW." If you drop your voice an octave, lower your chin slightly and slowly raise your eyes: "Z.F.W." You are totally on the cool train to Fonz Land.

When you think Z.F.W... (all aaaboooard!) think in terms of private VLAN segmentation. Zones take me out of the boring snoozefest world of CBAC and interface-by-interface inspection. They add color and flexibility. Now interfaces (with an "s") are assigned to zones, and the inspection policy is applied to traffic moving between zones. I can also have different policies for different zone pairs, so different inspection policies can be applied to multiple host groups that sit behind the same physical router interface. The trick here is dividing my network up into use-case zones. Normally, when I am planning a ZFW implementation for a medium-sized network, I start with a minimum of three zones for the access I am trying to control:

- Internet
- Private
- DMZ

Of course we can get much more detailed than that, but the point is to look at your network based on the access role each device/application plays and start grouping them up. I have to configure my zone policies first, before I start assigning interfaces to them.
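Here is what that three-zone layout looks like on the router, as an added example that is not from the original post. It follows the order the post recommends (zones first, then the classification and inspection policy for each zone pair, and only then interface membership) and uses the same CPL building blocks (ACLs, class-maps, policy-maps, zone-pairs) that ZFW is made of. The interface names, all addresses and the DMZ web server address are assumptions made up for the example.

```cisco
! Added example, not from the original post. Interface names and all
! addresses (10.1.1.0/24 inside, 203.0.113.0/30 uplink, 192.0.2.0/24 DMZ,
! web server 192.0.2.10) are made up for the example.
!
! Step 1: the three zones from the post.
zone security private
 description Inside users
zone security internet
 description Untrusted outside
zone security dmz
 description Public-facing servers
!
! Step 2: classify traffic. CPL is "ACL + class-map": the ACL names
! hosts/ports, the class-map names the protocols to inspect.
ip access-list extended DMZ-WEB-SERVER
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
class-map type inspect match-any PRIVATE-TO-INTERNET-PROTOCOLS
 match protocol http
 match protocol https
 match protocol dns
 match protocol ssh
class-map type inspect match-any WEB-PROTOCOLS
 match protocol http
 match protocol https
class-map type inspect match-all INTERNET-TO-DMZ-WEB
 match access-group name DMZ-WEB-SERVER
 match class-map WEB-PROTOCOLS
!
! Step 3: one policy per zone pair. "inspect" is stateful, so return
! traffic for these sessions is allowed back without a reverse policy.
! Everything not named falls into class-default and is dropped and logged.
policy-map type inspect PRIVATE-INTERNET-POLICY
 class type inspect PRIVATE-TO-INTERNET-PROTOCOLS
  inspect
 class class-default
  drop log
policy-map type inspect INTERNET-DMZ-POLICY
 class type inspect INTERNET-TO-DMZ-WEB
  inspect
 class class-default
  drop log
!
! Step 4: bind each policy to a directional zone pair. There is no
! internet -> private pair at all, so that direction is implicitly denied.
zone-pair security private-internet source private destination internet
 service-policy type inspect PRIVATE-INTERNET-POLICY
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect INTERNET-DMZ-POLICY
!
! Step 5: only now put interfaces into zones. Traffic between two zones
! that have no zone pair is dropped, which is why the policies go first.
interface GigabitEthernet0/0
 description Private LAN
 ip address 10.1.1.1 255.255.255.0
 zone-member security private
interface GigabitEthernet0/1
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 zone-member security internet
interface GigabitEthernet0/2
 description DMZ
 ip address 192.0.2.1 255.255.255.0
 zone-member security dmz
```

Note that there is deliberately no private-to-dmz pair in this example; if inside users need to reach the DMZ, that is a third zone pair with its own policy, not a hole punched in the other two. After deployment, `show zone-pair security` confirms which pairs exist, and `show policy-map type inspect zone-pair sessions` shows the live sessions the inspect actions have created.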
ZFW configs can get large, and truthfully many folks abandon them after looking at CLI like:

zone security dmz
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
zone-pair security servers-clients source servers destination clients
 service-policy type inspect servers-clients-policy

and they think, "How the heck is this better than IP INSPECT? I can up-arrow, edit and go," and then they go back to the CBAC model. That's why I like to leave the local orbit of Planet CLI and head at warp speed to the Security Device Manager (SDM) and let it do it for me! A good rule of thumb: any time I climb the OSI stack past layer 4, a GUI works tons better than the CLI for the initial setup/config. Then I fine-tune with the CLI. Pointing and clicking my way through SDM is a real piece of cake, PLUS the best part is that after I config up my ZFW, SDM checks it against my current config. If a conflict is found, say I need to pass BGP routing updates through this policy and I spaced it, SDM warns me and lets me correct it before deployment. That's what I call a real time saver.

A few things to remember about ZFW:

- Don't be a hero. Use SDM to get these up, then use the CLI to fine-tune.
- Try not to use VLANs on the same interface to connect public and private zones. That can open the door to a QinQ (double-tagging) VLAN-hopping breach. I see this all the time, and it leaves you wide open.
- Don't forget NTP access for the firewall.
- If you still want to kick it old school, you can have ZFW and CBAC on the same firewall, just not on the same interface.
- I got burned by this one at a customer site. ZFW uses the Cisco Policy Language (CPL), which works just like ACLs and class maps. By default, traffic moving between zones is implicitly denied. Now, the CBAC model is different in that traffic is allowed until I block it with an ACL. But the F. Lee Bailey exception to ZFW's deny-by-default is traffic to and from the router itself (the "self" zone). That traffic is permitted by default. Stopping it, and avoiding a failed audit and the embarrassment of buying the round and the wings that night, means writing an explicit policy to restrict that traffic.

GRRRRR.... GEEK STATUS -2

Zone-based firewalls are really something we should be looking at carefully for our firewall deployments. Routers run better with ZFW than with CBAC, and ZFW is easier to manage and scale. A great starting point is the Cisco ZFW Design Guide: http://www.cisco.com/en/us/products/sw/products_tech_note09186a00808bc994.shtml There is also a wonderful digital short from Cisco Press called Deploying Zone-Based Firewalls by Ivan Pepelnjak: http://www.ciscopress.com/bookstore/product.asp?isbn=1587053101 I really like the digital shorts because, unlike every other security book out there, the digital shorts get right to the point.
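The self-zone gotcha from the list above, as an added example that is not from the original post. IOS puts traffic to and from the router itself into a built-in zone named self, and, as the post says, that traffic is permitted by default. The moment you attach a policy to a zone pair that includes self, that pair becomes deny-by-default, so every control-plane and management protocol you still need (the post's own two examples: NTP for the firewall and BGP updates) has to be named explicitly or it stops working. The zone names private and internet match the post's zone-pair names; the management subnet, the BGP peer and the NTP server addresses are assumptions made up for the example.

```cisco
! Added example, not from the original post. Assumes zones "private" and
! "internet" (created here in case they do not exist yet), management hosts
! in 10.1.1.0/24, a BGP peer at 203.0.113.1 and an NTP server at
! 203.0.113.123. All three addresses are made up.
zone security private
zone security internet
!
! What the management LAN may send to the router: SSH only.
ip access-list extended MGMT-SSH-TO-ROUTER
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
class-map type inspect match-all MGMT-SSH
 match access-group name MGMT-SSH-TO-ROUTER
 match protocol tcp
!
! Control-plane traffic arriving from the outside: BGP from the one peer,
! NTP replies from the one time source, nothing else.
ip access-list extended BGP-PEER-IN
 permit tcp host 203.0.113.1 any eq bgp
 permit tcp host 203.0.113.1 eq bgp any
ip access-list extended NTP-SERVER-IN
 permit udp host 203.0.113.123 eq ntp any
class-map type inspect match-all BGP-IN
 match access-group name BGP-PEER-IN
 match protocol tcp
class-map type inspect match-all NTP-IN
 match access-group name NTP-SERVER-IN
 match protocol udp
!
! Router-originated traffic toward the outside: BGP to the peer, NTP queries.
ip access-list extended BGP-PEER-OUT
 permit tcp any host 203.0.113.1 eq bgp
 permit tcp any eq bgp host 203.0.113.1
ip access-list extended NTP-SERVER-OUT
 permit udp any host 203.0.113.123 eq ntp
class-map type inspect match-all BGP-OUT
 match access-group name BGP-PEER-OUT
 match protocol tcp
class-map type inspect match-all NTP-OUT
 match access-group name NTP-SERVER-OUT
 match protocol udp
!
! "pass" is stateless (no session is built, so the reverse direction needs
! its own pass); "inspect" is stateful. Router-originated control-plane
! traffic is passed in both directions rather than inspected.
policy-map type inspect PRIVATE-TO-SELF
 class type inspect MGMT-SSH
  inspect
 class class-default
  drop log
policy-map type inspect INTERNET-TO-SELF
 class type inspect BGP-IN
  pass
 class type inspect NTP-IN
  pass
 class class-default
  drop log
policy-map type inspect SELF-TO-INTERNET
 class type inspect BGP-OUT
  pass
 class type inspect NTP-OUT
  pass
 class class-default
  drop log
!
! Attaching these replaces the default "permit everything to/from self"
! for exactly these three directions; self -> private keeps the default.
zone-pair security private-self source private destination self
 service-policy type inspect PRIVATE-TO-SELF
zone-pair security internet-self source internet destination self
 service-policy type inspect INTERNET-TO-SELF
zone-pair security self-internet source self destination internet
 service-policy type inspect SELF-TO-INTERNET
```

Apply this from a console session or from the management LAN, because the private-to-self pair drops anything that is not SSH from 10.1.1.0/24 the moment it is attached. The class-default drop log lines are the audit trail: after a change, `show logging` tells you which protocol you forgot to name before the BGP session or the clock does.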
Many security books I pick up have at least four throw-away chapters (OSI model, History of, Theory of, and Intro to Security) that folks use just to bulk up the book and get it published. Pepelnjak's digital short is great, well done, and can be used as a ready reference for deployments. Well, looks like it's time for S.W.A.T. to come on TV Land. It's not good to keep Hondo Harrelson waiting....

Jimmy Ray Purser

Trivial File Transfer Protocol: Galileo dropped out of the University of Pisa because he didn't have the cash to pay the tuition. However, a couple of years later he returned... as a professor.


Copyright © 2010.
