User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Zone-based Firewall Rules Page, page 21-57
Understanding the Zone-based Firewall Rules
Zones establish the security borders of your network. A zone defines a boundary where traffic is
subjected to inspection or filtering as it crosses to another region of your network. The default
zone-based firewall policy between zones is “deny all.” Thus, if no zone-based firewall rules are
explicitly configured, all traffic moving between all zones is blocked.
Zone-based firewall rules apply specific actions—Drop, Pass, Inspect, and Content Filter—to various
types of unidirectional traffic between pairs of zones. The direction of the traffic is determined by
specifying a source and destination zone as part of each rule.
Logging
Zone-based firewall rules offer syslog, alert, and audit-trail logging options. Most messages are logged
to the router console unless a syslog server is configured. See Logging on Cisco IOS Routers, page 62-1
for information about configuring syslog logging.
Important Points
Please note the following points regarding zones and zone-based firewall rules:
• Zone-based firewall rules are supported only on IOS versions 12.4(6)T or later.
• If a zone-based firewall rule and an IOS Inspection rule use the same interface, an error results.
• The zone-based firewall model and the earlier interface-based inspection rules model are not
mutually exclusive on the router, but they cannot be combined on any given interface: an
interface cannot be configured as a member of a security zone if it is configured with Inspection
rules. Further, configuring a router to use both models at the same time is not recommended.
• An interface can be assigned to only one security zone, but a zone can include multiple interfaces.
If an interface is assigned to more than one zone, an error results.
• All traffic to and from a given interface is implicitly blocked when the interface is assigned to a
zone (except traffic to and from other interfaces in the same zone, and traffic to any interface on
the router). Thus, to permit traffic to and from a zone-member interface, one or more rules allowing
or inspecting traffic must be configured between that zone and another zone.
• Traffic is implicitly allowed to flow between interfaces that are members of the same zone. However,
you can define rules that require inspection of traffic between same-zone members.
• The “Self” zone is a default zone that defines the router itself as a separate security zone, which
you can specify as either the source or destination zone. The Self zone is the only exception to the
default “deny all” policy: all traffic to any router interface is allowed until explicitly denied.
• A zone-based firewall rule that includes the Self zone applies to local traffic, that is, traffic
directed to the router or generated by the router; it does not apply to traffic passing through the
router. See The Self Zone, page 21-5 for more information.
• The Inspect action is not allowed in rules that apply to the Self zone.
• The Pass action permits traffic in one direction only; you must explicitly define rules for return
traffic. With the Inspect action, return traffic is automatically allowed for established
connections.
• Traffic cannot flow between a zone-member interface and any interface that is not a zone member.
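The forwarding behaviour described in the points above, and in the introduction to this section, can be checked by running it. The following Python model is an added example for this page; it is not Cisco code, not output of Cisco Security Manager, and does not parse IOS configuration. It encodes the stated rules: deny all between zones unless a rule permits the traffic, Self zone allowed until explicitly denied, implicit allow within a zone, no traffic between a zone member and a non-member interface, Pass one-way only, and Inspect admitting the return traffic of a connection it opened. The interface names (Gi0/0 to Gi0/3), zone names (INSIDE, OUTSIDE), addresses and protocol keywords are made up for the demonstration, and a rule matches only on a protocol keyword, which is far simpler than the class maps a real router evaluates.

```python
"""Model of Cisco IOS zone-based firewall (ZBF) forwarding decisions.

Added example for this page (not Cisco code, not Cisco Security Manager output):
it encodes the rules listed under Important Points so they can be run and
checked. Interface, zone, host and protocol names are made up for the demo.
"""
from collections import namedtuple

SELF = "self"  # built-in zone representing the router itself

# One packet: ingress/egress interface (SELF = the router), addresses, protocol
Flow = namedtuple("Flow", "src_if dst_if src dst proto")

class ZoneFirewall:
    def __init__(self):
        self.zone_of = {}       # interface -> zone; one zone per interface
        self.rules = []         # (src_zone, dst_zone, proto, action); first match wins
        self.sessions = set()   # (src, dst, proto) opened by an Inspect rule

    def assign(self, intf, zone):
        """Make an interface a member of a zone; a second assignment is an error."""
        if intf in self.zone_of:
            raise ValueError(f"{intf} is already a member of {self.zone_of[intf]}")
        self.zone_of[intf] = zone

    def add_rule(self, src_zone, dst_zone, proto, action):
        """Add a one-way rule for the source -> destination zone pair ("any" matches all protocols)."""
        if action not in ("pass", "inspect", "drop"):
            raise ValueError(f"unknown action {action}")
        if SELF in (src_zone, dst_zone) and action == "inspect":
            raise ValueError("Inspect is not allowed in rules that apply to the Self zone")
        self.rules.append((src_zone, dst_zone, proto, action))

    def _zone(self, intf):
        return SELF if intf == SELF else self.zone_of.get(intf)

    def evaluate(self, f):
        """Return (verdict, reason) for one packet; verdict is "allow" or "drop"."""
        # Return traffic of a connection opened by Inspect needs no reverse rule.
        if (f.dst, f.src, f.proto) in self.sessions:
            return "allow", "return traffic of an inspected session"
        src_zone, dst_zone = self._zone(f.src_if), self._zone(f.dst_if)
        if None in (src_zone, dst_zone) and SELF not in (src_zone, dst_zone):
            if src_zone is None and dst_zone is None:
                return "allow", "neither interface is a zone member; ZBF does not apply"
            return "drop", "a zone member and a non-member interface cannot exchange traffic"
        if src_zone == dst_zone:
            return "allow", "traffic between members of the same zone is implicitly allowed"
        for sz, dz, proto, action in self.rules:   # first matching rule wins
            if (sz, dz) == (src_zone, dst_zone) and proto in ("any", f.proto):
                if action == "drop":
                    return "drop", f"{sz}->{dz} rule drops {proto}"
                if action == "inspect":
                    self.sessions.add((f.src, f.dst, f.proto))  # opens a session for return traffic
                return "allow", f"{sz}->{dz} rule: {action} {proto}"
        if SELF in (src_zone, dst_zone):
            return "allow", "Self zone traffic is allowed until explicitly denied"
        return "drop", "no rule for this zone pair: default deny all"

def build_demo():
    """Two zones; interface Gi0/3 is deliberately left outside every zone."""
    fw = ZoneFirewall()
    fw.assign("Gi0/0", "INSIDE")
    fw.assign("Gi0/2", "INSIDE")
    fw.assign("Gi0/1", "OUTSIDE")
    fw.add_rule("INSIDE", "OUTSIDE", "http", "inspect")
    fw.add_rule("INSIDE", "OUTSIDE", "icmp", "pass")
    fw.add_rule("OUTSIDE", SELF, "ssh", "drop")
    return fw

def run_demo():
    """Evaluate constructed packets in order (each request precedes its reply)."""
    fw = build_demo()
    cases = {
        "http out":             Flow("Gi0/0", "Gi0/1", "10.1.1.5", "203.0.113.9", "http"),
        "http return":          Flow("Gi0/1", "Gi0/0", "203.0.113.9", "10.1.1.5", "http"),
        "icmp out":             Flow("Gi0/0", "Gi0/1", "10.1.1.5", "203.0.113.9", "icmp"),
        "icmp return":          Flow("Gi0/1", "Gi0/0", "203.0.113.9", "10.1.1.5", "icmp"),
        "unsolicited inbound":  Flow("Gi0/1", "Gi0/0", "198.51.100.7", "10.1.1.5", "http"),
        "same zone":            Flow("Gi0/0", "Gi0/2", "10.1.1.5", "10.1.2.5", "smb"),
        "member to non-member": Flow("Gi0/0", "Gi0/3", "10.1.1.5", "10.9.9.9", "http"),
        "ssh to router":        Flow("Gi0/1", SELF, "203.0.113.9", "203.0.113.1", "ssh"),
        "ntp to router":        Flow("Gi0/1", SELF, "203.0.113.9", "203.0.113.1", "ntp"),
    }
    return {name: fw.evaluate(flow)[0] for name, flow in cases.items()}

def rejects(attempt):
    """True if a configuration change raises ValueError (the page's "an error results")."""
    try:
        attempt()
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22} {verdict}")
    print("second zone for Gi0/0 rejected:", rejects(lambda: build_demo().assign("Gi0/0", "OUTSIDE")))
```

Running the file prints one verdict per constructed packet: the HTTP reply is allowed only because the outbound request was inspected first, the ICMP reply is dropped because Pass created no session, SSH to the router is dropped by the explicit Self-zone rule while NTP to the router is still allowed, the packet between the two INSIDE interfaces passes without a rule, and the packet to the interface left outside every zone is dropped. The two configurations the page calls errors (an interface in two zones, Inspect on a Self-zone rule) are rejected at configuration time rather than at evaluation time.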