21-11
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
General Recommendations for Zone-based Firewall Rules
In general, you can leave the default entry (IP) in the Services field for all of your zone-based firewall rules, using the Protocol table to identify specific protocols that you want to Drop, Pass, or Inspect.

If you do elect to specify a Service other than IP, ensure that your selection does not conflict with any protocols listed in the Protocol table. For example, do not specify UDP in the Services field and then list a TCP-based protocol in the table. In general, for a given rule, if you specify a specific service in the Services field, do not enter any protocols in the Protocol table.
Protocol – The Protocol table, in the Action area of the Add and Edit Zone Based Rule dialog boxes, is used to select one or more protocols, add custom port application mappings (if you specify non-default ports), and apply deep inspection policy maps. You can specify very specific protocols, such as DNS, general protocols such as TCP and UDP, and even custom protocols that identify ports you use for special applications.

As a general rule, leave Services set to IP and use the Protocol table to identify the protocols (which are also services) for all of your zone-based rules for the Drop, Pass, and Inspect actions. (The Content Filter action automatically uses the HTTP protocol, which you can configure but not change.) Following this approach will create a configuration that is as “clean” and easy to interpret (and troubleshoot) as possible.

For more detailed information on how these fields are used when generating device configurations, see Troubleshooting Zone-based Rules and Configurations, page 21-53.
General Recommendations for Zone-based Firewall Rules
Zone-based firewall rules allow a wide variety of configurations. You can quickly generate a set of rules that will be very complex and difficult to analyze, because you can use the zone-based rules in place of the standard access rules, inspection rules, and Web filter rules.

When defining zone-based rules, strive to keep them as simple and straightforward as possible. Consider the following recommendations for helping to maintain simplicity in your zone-based firewall policy:
• Only use Permit rules. The chosen Action determines what happens to matched traffic, and Deny rules are difficult to analyze. For more information, see Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules, page 21-7.

• The Drop and Pass rules are equivalent to standard interface access rules, but are applied to the specified zone pair. You can use either the Services field or the Protocol table to identify the type of traffic, but we recommend using the Protocol table exclusively. To drop traffic, specify Permit with the Action Drop.

• You do not need to first pass traffic before inspecting it. For example, if you want to allow HTTP traffic between zones, you need only a single Permit/Inspect rule; you do not need to first create a Permit/Pass rule. If you do use Pass rules, note that you must also create a Pass rule in the return direction if you want to allow returning traffic. In practice, you generally can avoid creating Pass rules, using only Inspect rules.

• You can use Permit/Pass and Permit/Drop rules to perform the same functions as standard access rules. Thus, you can eliminate your access rules policy and use only zone-based firewall rules. However, because there are several tools available for analyzing interface access rules, and Security Manager allows you to use the same interface roles in zone-based rules and access rules, you might find it more convenient to create your Pass/Drop policies (which are Permit/Deny in standard access rules) in the access rules table instead of the zone rules table. Use the zone rules table primarily for zone-based Inspection and Content Filter rules.
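The following script is an added example, not part of this guide and not Cisco Security Manager's own code. It turns the Services/Protocol guidance above and the recommendations in this list into a lint pass over a rule set: it flags Deny rules, a Services value other than IP combined with (or conflicting with) Protocol table entries, and Pass rules that have no return-direction Pass rule. The ZoneRule class is a hypothetical simplification of the Add/Edit Zone Based Rule dialog fields, and the protocol-to-transport table and sample rules are constructed for the example.

```python
"""Sanity checks for a zone-based firewall rule set.

Illustrative code added here; it is not Cisco Security Manager's own logic.
ZoneRule is a hypothetical, simplified model of the fields in the Add/Edit
Zone Based Rule dialog (zone pair, Permit/Deny, Action, Services, Protocol table).
"""
from dataclasses import dataclass, field
from typing import List

# Constructed transport lookup for a few well-known Protocol table entries;
# extend it to cover the protocols used in your own policy.
PROTOCOL_TRANSPORT = {
    "http": "tcp", "https": "tcp", "smtp": "tcp", "ssh": "tcp",
    "dns": "udp", "tftp": "udp", "snmp": "udp",
    "tcp": "tcp", "udp": "udp",
}


@dataclass
class ZoneRule:
    name: str
    from_zone: str
    to_zone: str
    permit: bool                 # True = Permit, False = Deny
    action: str                  # "drop", "pass", "inspect" or "content filter"
    services: str = "IP"         # Services field; the guide says leave it at IP
    protocols: List[str] = field(default_factory=list)  # Protocol table entries


def _has_return_pass(rule, rules):
    """True if some Permit/Pass rule covers the reverse zone pair."""
    return any(
        o.permit and o.action == "pass"
        and o.from_zone == rule.to_zone and o.to_zone == rule.from_zone
        for o in rules
    )


def check_rules(rules):
    """Return a list of findings, one string per recommendation violated."""
    findings = []
    for r in rules:
        # Only use Permit rules; Deny rules are hard to analyze.
        if not r.permit:
            findings.append(f"{r.name}: Deny rule; express this as Permit with Action '{r.action}'")

        # A Service other than IP must not conflict with the Protocol table,
        # and in general should not be combined with Protocol table entries at all.
        svc = r.services.lower()
        if svc != "ip" and r.protocols:
            conflicts = [
                p for p in r.protocols
                if svc in ("tcp", "udp")
                and PROTOCOL_TRANSPORT.get(p.lower(), svc) != svc
            ]
            if conflicts:
                findings.append(f"{r.name}: Services={r.services} conflicts with "
                                f"protocol(s) {', '.join(conflicts)} in the Protocol table")
            else:
                findings.append(f"{r.name}: both Services={r.services} and Protocol table set; "
                                "leave Services at IP and use the Protocol table")

        # Pass is one-directional: returning traffic needs its own Pass rule,
        # whereas a single Inspect rule handles both directions.
        if r.permit and r.action == "pass" and not _has_return_pass(r, rules):
            findings.append(f"{r.name}: Pass rule {r.from_zone}->{r.to_zone} has no "
                            "return-direction Pass rule; consider Inspect instead")
    return findings


# Constructed sample policy for the example.
SAMPLE_RULES = [
    ZoneRule("web-out", "inside", "outside", True, "inspect", "IP", ["http", "https"]),
    ZoneRule("mail-dmz", "inside", "dmz", True, "pass", "UDP", ["smtp"]),
    ZoneRule("block-telnet", "outside", "inside", False, "drop", "IP", ["telnet"]),
]

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print(finding)
```

Running the script on the constructed sample policy reports nothing for the Permit/Inspect HTTP rule, two findings for the Pass rule (UDP in Services against a TCP-based protocol, and no return-direction Pass rule), and one for the Deny rule. The checks are deliberately limited to what the guide states; they say nothing about whether the policy is otherwise correct for a given device.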