ZFW (Zone-Based Policy Firewall) extends the original CBAC feature set. It replaces CBAC's interface-based configuration model with one that is easier to understand and more flexible: interfaces are assigned to security zones, and traffic inspection policies are applied between zones. Inter-zone policies allow more flexible and finer-grained inspection; different inspection policies can be applied to multiple host groups that are connected to the same router interface.
ZFW provides stateful packet inspection, URL filtering and DoS mitigation, and supports application inspection for many protocols, including HTTP, POP3, IMAP, SMTP, ESMTP, SUN RPC, instant messaging (IM) and P2P protocols. Note that the following features are not yet supported by ZFW:
Authentication proxy
Stateful firewall failover
Unified firewall MIB
IPv6 stateful inspection
TCP out of order support
The first major change compared with CBAC is that ZFW configuration is zone-based. ZFW no longer uses the CBAC commands. Both technologies can be configured on the same router, but they cannot be stacked on the same interface: once an interface has been assigned to a security zone, the ip inspect command cannot be applied to that interface.
ZFW's default policy is to deny all traffic. If no permitting policy is configured, all traffic forwarded between zones is dropped. CBAC, by contrast, forwards all traffic by default unless an ACL is used to drop it.
The second major change is that ZFW is configured in the MQC command format (class-map, policy-map and service-policy), which gives a more flexible way to define firewall policy.
The ZFW policy rules are as follows:
A zone must be configured before an interface can be assigned to it.
An interface can be assigned to only one zone.
Once an interface is assigned to a zone, all traffic to and from that interface is implicitly denied, except traffic to and from other interfaces in the same zone and traffic destined to the router's own interfaces (the self zone), which is forwarded by default.
Traffic between members of the same zone is forwarded by default.
For traffic to flow to or from another zone, a pass or inspect policy must be configured between the two zones that need to communicate.
The self zone is the only zone whose default policy is not deny. Traffic between the self zone and any other zone is allowed by default unless an explicit drop policy is configured.
Traffic cannot be forwarded between an interface that is a zone member and an interface that is not in any zone. The pass, inspect and drop actions can only be configured between two zones.
An interface that is not in any zone can still use CBAC features.
From the rules above it follows that if traffic is to be forwarded between all of the router's interfaces, every interface must be a member of a zone.
The one exception is traffic to or from the router itself, which is allowed by default (the router's own interfaces belong to the built-in self zone). To restrict such traffic, an explicit policy on a zone-pair involving the self zone must be configured. In practice this means that, with the configuration shown later on this page, any service the router itself listens on (SSH, HTTP, SNMP) remains reachable from Dialer1 unless something else, such as an access-class on the vty lines, blocks it.
ZFW policies use three actions: pass, drop and inspect. Drop is the default action (the implicit class-default in every inspect policy-map drops). Inspect performs stateful inspection: the connection is recorded in the router's session table, and return traffic is admitted or refused based on that table. Pass does not track connection state or sessions, and it only allows traffic in one direction; a corresponding policy on the reverse zone-pair must be defined to allow the return traffic back in.
ZFW also treats VPN traffic specially. With an IPsec virtual tunnel interface (VTI) VPN, the tunnel interface (or, for dynamic VTI, the Virtual-Access interface the router clones from the virtual-template) is an ordinary interface that can be made a zone member. VPN traffic can therefore be bypassed or inspected separately by placing the tunnel interface in a different zone from the physical interface.
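The following configuration is an added example and is not part of the original page's configuration. It ties the three points above together on one router: an explicit policy on the self zone (so that management access from Outside is limited to one host instead of being allowed by default), pass rules for IKE and ESP in both directions (pass is one-way, so the same class appears in both self zone-pairs), and an IPsec VTI placed in its own zone so that decrypted VPN traffic is inspected separately from what arrives on Dialer1. The zone name VPN, interface Tunnel0, the IPsec profile name IPSEC-PROF, the management host 203.0.113.10 and the VPN peer 198.51.100.1 are assumptions for illustration; the crypto keyring and profile definitions are not shown.

```cisco
! Added example (not from the original page). Assumed names: zone VPN,
! interface Tunnel0, profile IPSEC-PROF, management host 203.0.113.10,
! VPN peer 198.51.100.1. Crypto keyring/profile definitions are omitted.
!
! ---- Self zone: replace the default "allow everything to the router" ----
ip access-list extended ACL-MGMT-SRC
 permit ip host 203.0.113.10 any
!
! match-all: source must be the management host AND the protocol must be SSH
class-map type inspect match-all Outside-To-Self-Mgmt
 match access-group name ACL-MGMT-SRC
 match protocol ssh
class-map type inspect match-any Outside-To-Self-ICMP
 match protocol icmp
! Router-originated traffic (DNS, NTP, ...); replies come back via the session table
class-map type inspect match-any Self-To-Outside-Class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! ---- IKE/ESP: inspect does not track ESP, so these use pass. pass is
!      one-way, so the same class is applied in BOTH zone-pairs below,
!      and it is listed first so IKE is not swallowed by the udp inspect class.
ip access-list extended ACL-IPSEC
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
class-map type inspect match-all IPsec-Class
 match access-group name ACL-IPSEC
!
policy-map type inspect Outside-To-Self-Policy
 class type inspect IPsec-Class
  pass
 class type inspect Outside-To-Self-Mgmt
  inspect
 class type inspect Outside-To-Self-ICMP
  inspect
 class class-default
  drop
policy-map type inspect Self-To-Outside-Policy
 class type inspect IPsec-Class
  pass
 class type inspect Self-To-Outside-Class
  inspect
 class class-default
  drop
!
zone-pair security Outside-To-Self source Outside destination self
 service-policy type inspect Outside-To-Self-Policy
zone-pair security Self-To-Outside source self destination Outside
 service-policy type inspect Self-To-Outside-Policy
!
! ---- VPN: the VTI gets its own zone; decrypted tunnel traffic is then
!      governed by the Inside<->VPN zone-pairs, not by Outside-To-Inside.
zone security VPN
interface Tunnel0
 ip unnumbered Vlan50
 tunnel source Dialer1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
 zone-member security VPN
!
class-map type inspect match-any Inside-To-VPN-Class
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect Inside-To-VPN-Policy
 class type inspect Inside-To-VPN-Class
  inspect
 class class-default
  drop
! Inside initiates; return traffic is admitted by the session table.
! If the remote site must initiate connections, add a VPN-to-Inside zone-pair as well.
zone-pair security Inside-To-VPN source Inside destination VPN
 service-policy type inspect Inside-To-VPN-Policy
```

Once the Outside-To-Self zone-pair exists, everything the router listens on is closed from Dialer1 except what the policy names, so confirm that the management host can still open SSH (show policy-map type inspect zone-pair Outside-To-Self sessions) before disconnecting the console. The pass classes never appear in that session table; only inspected flows do.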
Example configuration:
! User-defined applications for the ports published from Outside to Inside
ip port-map user-tcp9527 port tcp 9527
ip port-map user-tcp8000 port tcp 8000
ip port-map user-tcp9528 port tcp 9528
!
! Inside -> Outside: inspect everything that is ICMP, TCP or UDP
class-map type inspect match-any Inside-To-Outside-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
! Outside -> Inside: only the three published ports
class-map type inspect match-any Outside-To-Inside-Class
 match protocol user-tcp9527
 match protocol user-tcp9528
 match protocol user-tcp8000
!
policy-map type inspect Inside-To-Outside-Policy
 class type inspect Inside-To-Outside-Class
  inspect
 class class-default
  drop
policy-map type inspect Outside-To-Inside-Policy
 class type inspect Outside-To-Inside-Class
  inspect
 class class-default
  drop
!
zone security Inside
zone security Outside
zone-pair security Inside-To-Outside source Inside destination Outside
 service-policy type inspect Inside-To-Outside-Policy
zone-pair security Outside-To-Inside source Outside destination Inside
 service-policy type inspect Outside-To-Inside-Policy
!
interface Dialer1
 zone-member security Outside
!
interface Vlan50
 zone-member security Inside
Verification. In the output below, the class-default Drop counter on the Outside-To-Inside zone-pair (39475 packets) is the unsolicited inbound traffic being discarded; a non-zero count there is normal on an Internet-facing interface. The Inside-To-Outside class-default shows 0 drops because everything leaving Vlan50 was ICMP, TCP or UDP; any other IP protocol (GRE, ESP) would be counted and dropped there.
NJ-Home-C897#show zone-pair security
Zone-pair name Inside-To-Outside
Source-Zone Inside Destination-Zone Outside
service-policy Inside-To-Outside-Policy
Zone-pair name Outside-To-Inside
Source-Zone Outside Destination-Zone Inside
service-policy Outside-To-Inside-Policy
NJ-Home-C897#show zone security
zone self
Description: System Defined Zone
zone Inside
Member Interfaces:
Vlan50
zone Outside
Member Interfaces:
Dialer1
NJ-Home-C897#show policy-map type inspect zone-pair sessions
policy exists on zp Inside-To-Outside
Zone-pair: Inside-To-Outside
Service-policy inspect : Inside-To-Outside-Policy
Class-map: Inside-To-Outside-Class (match-any)
Match: protocol icmp
2407 packets, 395177 bytes
30 second rate 0 bps
Match: protocol tcp
68578 packets, 2723688 bytes
30 second rate 0 bps
Match: protocol udp
109486 packets, 6559699 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 15
Established Sessions
Session 25110E0 (192.168.50.164:51488)=>(118.26.252.11:5222) tcp SIS_OPEN/TCP_ESTAB
Created 20:35:53, Last heard 00:00:33
Bytes sent (initiator:responder) [58254:58481]
Session 113136A0 (192.168.50.188:53620)=>(17.252.156.153:5223) tcp SIS_OPEN/TCP_ESTAB
Created 14:11:15, Last heard 00:19:06
Bytes sent (initiator:responder) [30146:8997]
Session 2514C60 (192.168.50.164:33448)=>(118.26.252.75:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:25:18, Last heard 00:24:12
Bytes sent (initiator:responder) [1860:5779]
Session 25164E0 (192.168.50.164:41084)=>(117.48.116.17:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:25:18, Last heard 00:24:12
Bytes sent (initiator:responder) [1890:5808]
Session 251D160 (192.168.50.164:42362)=>(117.48.116.23:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:25:18, Last heard 00:24:11
Bytes sent (initiator:responder) [1209:4839]
Session 2516BE0 (192.168.50.164:56901)=>(118.26.252.47:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:25:17, Last heard 00:24:11
Bytes sent (initiator:responder) [1249:13662]
Session 2516860 (192.168.50.164:39796)=>(118.26.252.165:80) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:25:03, Last heard 00:23:57
Bytes sent (initiator:responder) [1042:324]
Session 2511EE0 (192.168.50.164:37948)=>(118.26.252.147:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:23:48, Last heard 00:22:42
Bytes sent (initiator:responder) [836:5846]
Session 2517660 (192.168.50.164:57774)=>(101.89.15.105:8080) tcp SIS_OPEN/TCP_ESTAB
Created 00:08:15, Last heard 00:01:14
Bytes sent (initiator:responder) [337:222]
Session 2514FE0 (192.168.50.6:50184)=>(220.200.165.43:5877) tcp SIS_OPEN/TCP_ESTAB
Created 00:08:02, Last heard 00:00:11
Bytes sent (initiator:responder) [385:1059]
Session 251DBE0 (192.168.50.164:58339)=>(203.100.92.156:443) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:04:33, Last heard 00:03:27
Bytes sent (initiator:responder) [2226:6158]
Session 250F4E0 (192.168.50.6:6881)=>(90.151.93.101:3856) udp SIS_OPEN
Created 00:00:39, Last heard 00:00:20
Bytes sent (initiator:responder) [152:0]
Session 251DF60 (192.168.50.6:6881)=>(76.229.128.227:1045) udp SIS_OPEN
Created 00:00:20, Last heard 00:00:20
Bytes sent (initiator:responder) [58:70]
Session 2518B60 (192.168.50.6:6881)=>(73.36.178.128:10520) udp SIS_OPEN
Created 00:00:02, Last heard 00:00:01
Bytes sent (initiator:responder) [94:268]
Session 2515A60 (192.168.50.6:6881)=>(64.30.117.225:45682) udp SIS_OPEN
Created 00:00:01, Last heard 00:00:01
Bytes sent (initiator:responder) [58:70]
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
policy exists on zp Outside-To-Inside
Zone-pair: Outside-To-Inside
Service-policy inspect : Outside-To-Inside-Policy
Class-map: Outside-To-Inside-Class (match-any)
Match: protocol user-tcp9527
1 packets, 20 bytes
30 second rate 0 bps
Match: protocol user-tcp9528
18944 packets, 637901 bytes
30 second rate 0 bps
Match: protocol user-tcp8000
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 3
Established Sessions
Session 2512CE0 (110.7.216.97:28041)=>(192.168.50.6:9528) user-tcp9528:tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:13:17, Last heard 00:03:27
Bytes sent (initiator:responder) [354:374]
Session 250FBE0 (27.19.66.146:56963)=>(192.168.50.6:9528) user-tcp9528:tcp SIS_OPEN/TCP_ESTAB
Created 00:02:28, Last heard 00:00:17
Bytes sent (initiator:responder) [381:252]
Session 251C6E0 (114.219.17.12:65496)=>(192.168.50.6:9528) user-tcp9528:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:03, Last heard 00:00:02
Bytes sent (initiator:responder) [477:232]
Class-map: class-default (match-any)
Match: any
Drop
39475 packets, 3069891 bytes
NJ-Home-C897#
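A tightening of the inbound policy, added here as an example and not taken from the original configuration. Every inbound session in the table above terminates on 192.168.50.6, but Outside-To-Inside-Class matches only on destination port, so whichever inside host the NAT rules map those ports to is reachable; the firewall policy itself does not name the exposed host. Because outside-to-inside NAT translation happens before inspection (the session table already shows the private address), an ACL on the translated destination can be combined with the existing port-map class through a nested match-all class. The ACL and class names below are assumptions, and the assumption that 192.168.50.6 is the only host that should receive these ports is taken from the session table.

```cisco
! Added example (not the page's own configuration). Assumption: 192.168.50.6
! is the only host that should receive TCP 9527/9528/8000 from the Internet.
! The ACL matches the post-NAT (inside) destination, which is what the
! session table shows for Outside-To-Inside sessions.
ip access-list extended ACL-PUBLISHED-HOST
 permit tcp any host 192.168.50.6
!
! match-all cannot carry several "match protocol" lines (a packet is only one
! protocol), so the page's match-any class is nested inside it instead.
class-map type inspect match-all Outside-To-Inside-Strict
 match access-group name ACL-PUBLISHED-HOST
 match class-map Outside-To-Inside-Class
!
! Swap the class in the existing policy; class-default keeps dropping the rest.
policy-map type inspect Outside-To-Inside-Policy
 no class type inspect Outside-To-Inside-Class
 class type inspect Outside-To-Inside-Strict
  inspect
 class class-default
  drop
```

After the change, show policy-map type inspect zone-pair Outside-To-Inside sessions should still list sessions to 192.168.50.6:9528, while any inbound packet to another inside host on those ports now increments the class-default Drop counter instead of creating a session.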