ZFW (Zone-Based Policy Firewall) enhances the original CBAC functionality. It replaces the interface-based configuration model with one that is easier to understand and more flexible: interfaces are assigned to zones, and traffic inspection policies are applied between zones. Zone policies allow more flexible and granular traffic inspection, so different inspection policies can be applied to multiple host groups connected to the same router interface.
ZFW provides stateful packet inspection, URL filtering and DoS attack mitigation, and supports many application protocols, for example HTTP, POP3, IMAP, SMTP, ESMTP, SUN RPC, IM and P2P. Note, however, that ZFW does not yet support the following features:
- Authentication proxy
- Stateful firewall failover
- Unified firewall MIB
- IPv6 stateful inspection
- TCP out of order support
Compared with CBAC, the first major change is that ZFW configuration is zone-based; ZFW no longer uses the CBAC commands. Both technologies can be configured on the same router, but they cannot be combined on the same interface: once an interface has been assigned to a security zone, the ip inspect command cannot be configured on that interface.
The default ZFW policy is to deny all traffic. If no permit policy is configured, all traffic forwarded between zones is dropped. CBAC, by contrast, permits all forwarded traffic by default unless an ACL is used to drop it.
The second major change is that ZFW configuration uses the MQC (Modular QoS CLI) command format, which allows ZFW policies to be defined in a more flexible way.
The ZFW policy rules are as follows:
- A zone must be configured before an interface can be assigned to it.
- An interface can be assigned to only one zone.
- Once an interface is assigned to a zone, all traffic to and from that interface is implicitly denied, except traffic that originates from or terminates on that interface within the same zone, and traffic from that interface to the router's other interfaces, which is forwarded by default.
- Traffic between members of the same zone is forwarded by default.
- For traffic to flow to or from another zone, a pass or inspect policy must be configured between the zones that need to communicate.
- The self zone is the only zone whose default policy is not deny. Traffic from the self zone to any zone is permitted by default unless an explicit deny statement is configured.
- Traffic cannot be forwarded between an interface that is a zone member and an interface that has not joined any zone. The pass, inspect and drop actions can only be configured between two zones.
- An interface that is not in any zone can still use CBAC features.
- It follows from the points above that if traffic is to be forwarded between all of the router's interfaces, every interface must be a zone member.
- The one exception is traffic destined to or originating from the router itself, which is permitted by default (the router's own interfaces belong to the self zone by default). To restrict such traffic, an explicit restriction policy must be configured.
ZFW policies use three actions: pass, deny (drop in the CLI) and inspect. deny is the default action. inspect means the traffic is inspected, and return traffic is admitted or refused by looking it up in the router's session table. pass does not track connection state or sessions, and a pass policy permits traffic in one direction only; a corresponding policy for the return traffic must be defined to let the replies back in.
ZFW also treats VPN traffic specially. When a VPN is configured, the router dynamically creates a virtual tunnel interface (VTI). If VPN traffic needs to be bypassed or inspected, this is done by placing the VTI interface in a separate zone.
Configuration example:
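The rules above, together with the pass-versus-inspect distinction, modelled in a small Python simulator. This is an added example, not Cisco code and not part of the original post; the zone and interface names mirror the configuration example further down, and the flow 5-tuples are constructed.

```python
"""Toy model of the ZFW forwarding rules (added example, not Cisco code).
Interfaces map to zones; each zone-pair carries one action; 'inspect'
records the initiator so that only its return traffic is let back in."""
from dataclasses import dataclass, field

SELF = "self"   # system-defined zone for traffic to/from the router itself

@dataclass
class Zfw:
    zone_of: dict                                # interface -> zone; unzoned interfaces absent
    pairs: dict = field(default_factory=dict)    # (src_zone, dst_zone) -> "pass"|"inspect"|"drop"
    sessions: set = field(default_factory=set)   # flows opened through an 'inspect' class

    def decide(self, src_if, dst_if, flow):
        """'forward' or 'drop' for flow=(proto, sip, sport, dip, dport); pass SELF as an
        interface name for traffic that terminates on or originates from the router."""
        src = SELF if src_if == SELF else self.zone_of.get(src_if)
        dst = SELF if dst_if == SELF else self.zone_of.get(dst_if)
        if (src is None) != (dst is None):
            return "drop"            # zoned <-> unzoned interface: never forwarded
        if src is None or src == dst:
            return "forward"         # both unzoned (CBAC territory) or same zone: default forward
        proto, sip, sport, dip, dport = flow
        if (proto, dip, dport, sip, sport) in self.sessions:
            return "forward"         # reply to an inspected session: allowed via the session table
        action = self.pairs.get((src, dst))
        if action is None:
            return "forward" if SELF in (src, dst) else "drop"   # self is the only non-deny default
        if action == "inspect":
            self.sessions.add(flow)  # remember the initiator 5-tuple for the return direction
            return "forward"
        return "forward" if action == "pass" else "drop"        # pass is one-way; drop drops

def pass_vs_inspect(action):
    """Outbound flow under the given Inside->Outside action, then its reply; returns both verdicts."""
    z = Zfw({"Vlan50": "Inside", "Dialer1": "Outside"}, {("Inside", "Outside"): action})
    out = z.decide("Vlan50", "Dialer1", ("tcp", "192.168.50.164", "51488", "118.26.252.11", "5222"))
    back = z.decide("Dialer1", "Vlan50", ("tcp", "118.26.252.11", "5222", "192.168.50.164", "51488"))
    return out, back
```

With inspect the reply is forwarded because the session table knows the initiator; with pass the reply is dropped by the default-deny Outside-to-Inside direction, which is exactly why a pass policy needs a matching return policy.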
ip port-map user-tcp9527 port tcp 9527
ip port-map user-tcp8000 port tcp 8000
ip port-map user-tcp9528 port tcp 9528
! user-defined ports that are reachable from Outside to Inside
!
class-map type inspect match-any Inside-To-Outside-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Outside-To-Inside-Class
 match protocol user-tcp9527
 match protocol user-tcp9528
 match protocol user-tcp8000
!
policy-map type inspect Inside-To-Outside-Policy
 class type inspect Inside-To-Outside-Class
  inspect
 class class-default
  drop
policy-map type inspect Outside-To-Inside-Policy
 class type inspect Outside-To-Inside-Class
  inspect
 class class-default
  drop
!
zone security Inside
zone security Outside
zone-pair security Inside-To-Outside source Inside destination Outside
 service-policy type inspect Inside-To-Outside-Policy
zone-pair security Outside-To-Inside source Outside destination Inside
 service-policy type inspect Outside-To-Inside-Policy
!
interface Dialer1
 zone-member security Outside
!
interface Vlan50
 zone-member security Inside
Checking the resulting state:
NJ-Home-C897#show zone-pair security
Zone-pair name Inside-To-Outside
Source-Zone Inside Destination-Zone Outside
service-policy Inside-To-Outside-Policy
Zone-pair name Outside-To-Inside
Source-Zone Outside Destination-Zone Inside
service-policy Outside-To-Inside-Policy
NJ-Home-C897#show zone security
zone self
Description: System Defined Zone
zone Inside
Member Interfaces:
Vlan50
zone Outside
Member Interfaces:
Dialer1
NJ-Home-C897#show policy-map type inspect zone-pair sessions
policy exists on zp Inside-To-Outside
Zone-pair: Inside-To-Outside
Service-policy inspect : Inside-To-Outside-Policy
Class-map: Inside-To-Outside-Class (match-any)
Match: protocol icmp
2407 packets, 395177 bytes
30 second rate 0 bps
Match: protocol tcp
68578 packets, 2723688 bytes
30 second rate 0 bps
Match: protocol udp
109486 packets, 6559699 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 15
Established Sessions
Session 25110E0 (192.168.50.164:51488)=>(118.26.252.11:5222) tcp SIS_OPEN/TCP_ESTAB
Created 20:35:53, Last heard 00:00:33
Bytes sent (initiator:responder) [58254:58481]
Session 113136A0 (192.168.50.188:53620)=>(17.252.156.153:5223) tcp SIS_OPEN/TCP_ESTAB
Created 14:11:15, Last heard 00:19:06
Bytes sent (initiator:responder) [30146:8997]
Session 2514C60 (192.168.50.164:33448)=>(118.26.252.75:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:25:18, Last heard 00:24:12
Bytes sent (initiator:responder) [1860:5779]
Session 25164E0 (192.168.50.164:41084)=>(117.48.116.17:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:25:18, Last heard 00:24:12
Bytes sent (initiator:responder) [1890:5808]
Session 251D160 (192.168.50.164:42362)=>(117.48.116.23:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:25:18, Last heard 00:24:11
Bytes sent (initiator:responder) [1209:4839]
Session 2516BE0 (192.168.50.164:56901)=>(118.26.252.47:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:25:17, Last heard 00:24:11
Bytes sent (initiator:responder) [1249:13662]
Session 2516860 (192.168.50.164:39796)=>(118.26.252.165:80) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:25:03, Last heard 00:23:57
Bytes sent (initiator:responder) [1042:324]
Session 2511EE0 (192.168.50.164:37948)=>(118.26.252.147:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:23:48, Last heard 00:22:42
Bytes sent (initiator:responder) [836:5846]
Session 2517660 (192.168.50.164:57774)=>(101.89.15.105:8080) tcp SIS_OPEN/TCP_ESTAB
Created 00:08:15, Last heard 00:01:14
Bytes sent (initiator:responder) [337:222]
Session 2514FE0 (192.168.50.6:50184)=>(220.200.165.43:5877) tcp SIS_OPEN/TCP_ESTAB
Created 00:08:02, Last heard 00:00:11
Bytes sent (initiator:responder) [385:1059]
Session 251DBE0 (192.168.50.164:58339)=>(203.100.92.156:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:04:33, Last heard 00:03:27
Bytes sent (initiator:responder) [2226:6158]
Session 250F4E0 (192.168.50.6:6881)=>(90.151.93.101:3856) udp SIS_OPEN
Created 00:00:39, Last heard 00:00:20
Bytes sent (initiator:responder) [152:0]
Session 251DF60 (192.168.50.6:6881)=>(76.229.128.227:1045) udp SIS_OPEN
Created 00:00:20, Last heard 00:00:20
Bytes sent (initiator:responder) [58:70]
Session 2518B60 (192.168.50.6:6881)=>(73.36.178.128:10520) udp SIS_OPEN
Created 00:00:02, Last heard 00:00:01
Bytes sent (initiator:responder) [94:268]
Session 2515A60 (192.168.50.6:6881)=>(64.30.117.225:45682) udp SIS_OPEN
Created 00:00:01, Last heard 00:00:01
Bytes sent (initiator:responder) [58:70]
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
policy exists on zp Outside-To-Inside
Zone-pair: Outside-To-Inside
Service-policy inspect : Outside-To-Inside-Policy
Class-map: Outside-To-Inside-Class (match-any)
Match: protocol user-tcp9527
1 packets, 20 bytes
30 second rate 0 bps
Match: protocol user-tcp9528
18944 packets, 637901 bytes
30 second rate 0 bps
Match: protocol user-tcp8000
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 3
Established Sessions
Session 2512CE0 (110.7.216.97:28041)=>(192.168.50.6:9528) user-tcp9528:tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:13:17, Last heard 00:03:27
Bytes sent (initiator:responder) [354:374]
Session 250FBE0 (27.19.66.146:56963)=>(192.168.50.6:9528) user-tcp9528:tcp SIS_OPEN/TCP_ESTAB
Created 00:02:28, Last heard 00:00:17
Bytes sent (initiator:responder) [381:252]
Session 251C6E0 (114.219.17.12:65496)=>(192.168.50.6:9528) user-tcp9528:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:03, Last heard 00:00:02
Bytes sent (initiator:responder) [477:232]
Class-map: class-default (match-any)
Match: any
Drop
39475 packets, 3069891 bytes
NJ-Home-C897#
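A parser for the session listing shown above, added here as an example (not part of the original post and not IOS code). It extracts each session's zone-pair, endpoints, protocol, state, timers and byte counts, then summarises which external peers currently hold sessions through Outside-To-Inside and which sessions never received a reply. The sample text is a constructed excerpt in the same format as the output above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of "show policy-map type inspect zone-pair sessions"
SAMPLE = """\
policy exists on zp Inside-To-Outside
 Zone-pair: Inside-To-Outside
   Established Sessions
    Session 25110E0 (192.168.50.164:51488)=>(118.26.252.11:5222) tcp SIS_OPEN/TCP_ESTAB
     Created 20:35:53, Last heard 00:00:33
     Bytes sent (initiator:responder) [58254:58481]
    Session 250F4E0 (192.168.50.6:6881)=>(90.151.93.101:3856) udp SIS_OPEN
     Created 00:00:39, Last heard 00:00:20
     Bytes sent (initiator:responder) [152:0]
policy exists on zp Outside-To-Inside
 Zone-pair: Outside-To-Inside
    Session 2512CE0 (110.7.216.97:28041)=>(192.168.50.6:9528) user-tcp9528:tcp SIS_OPEN/TCP_CLOSEWAIT
     Created 00:13:17, Last heard 00:03:27
     Bytes sent (initiator:responder) [354:374]
"""

ZP = re.compile(r"^\s*Zone-pair: (\S+)")
SESS = re.compile(r"Session (\w+) \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\S+) (\S+)")
TIMES = re.compile(r"Created (\S+), Last heard (\S+)")
BYTES = re.compile(r"\[(\d+):(\d+)\]")

def hms(s):
    """'hh:mm:ss' -> seconds."""
    h, m, sec = (int(x) for x in s.split(":"))
    return h * 3600 + m * 60 + sec

def parse_sessions(text):
    """Return one dict per session, tagged with the zone-pair it was listed under."""
    out, zp = [], None
    for line in text.splitlines():
        if m := ZP.match(line):
            zp = m.group(1)
        elif m := SESS.search(line):
            out.append({"zp": zp, "id": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                        "dst": m.group(4), "dport": int(m.group(5)),
                        "proto": m.group(6).split(":")[-1],   # "user-tcp9528:tcp" -> "tcp"
                        "state": m.group(7)})
        elif m := TIMES.search(line):
            out[-1]["age"], out[-1]["idle"] = hms(m.group(1)), hms(m.group(2))
        elif m := BYTES.search(line):
            out[-1]["init_bytes"], out[-1]["resp_bytes"] = int(m.group(1)), int(m.group(2))
    return out

def inbound_by_peer(sessions, zp="Outside-To-Inside"):
    """External peers with sessions through the inbound zone-pair -> {peer: [dport, ...]}."""
    peers = defaultdict(list)
    for s in sessions:
        if s["zp"] == zp:
            peers[s["src"]].append(s["dport"])
    return dict(peers)

def one_sided(sessions):
    """Session ids where the responder never sent a byte (unanswered UDP, half-open TCP)."""
    return [s["id"] for s in sessions if s.get("resp_bytes") == 0]
```

Run periodically against the real command output, the inbound summary is a quick audit of which outside hosts are talking to the user-defined ports, and the one-sided list highlights sessions that are consuming session-table entries without a reply.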