Chapter 34 Zone-Based Policy Firewall
Zone Window
34-4
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
An interface can be assigned to only one security zone.

All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.

Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.

To permit traffic to or from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

The self zone is the only exception to the default deny-all policy. All traffic to any router interface is allowed until traffic is explicitly denied.

Traffic cannot flow between a zone member interface and any interface that is not a zone member.

Pass, inspect, and drop actions can only be applied between two zones.

Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection/CBAC configuration.

If it is required that an interface on the box not be part of the zoning/firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.

From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of one zone or another).

The only exception to the preceding deny-by-default approach is the traffic to and from the router itself, which is permitted by default. An explicit policy can be configured to restrict such traffic.
This set of rules was taken from The Zone-Based Policy Firewall Design Guide
available at the following link:
http://www.cisco.com/en/US/products/ps6350/products_feature_guide09186a008072c6e3.html
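The following IOS configuration is an added illustration of the rules above, not taken from the guide or from SDM output; zone names, interface names, the chosen protocols, and the ACL name are assumptions. It shows the deny-by-default behaviour between zones, the pass-all dummy policy needed to leave an interface unfiltered, and an explicit policy restricting traffic to the self zone.

```cisco
! Zones: an interface belongs to exactly one zone (interface names are assumed)
zone security INSIDE
zone security OUTSIDE
zone security MGMT
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 zone-member security MGMT
!
! INSIDE -> OUTSIDE: inspect web and DNS, drop and log everything else in this pair
class-map type inspect match-any CM-WEB-DNS
 match protocol http
 match protocol https
 match protocol dns
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-WEB-DNS
  inspect
 class class-default
  drop log
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
! No OUTSIDE -> INSIDE zone-pair exists, so unsolicited inbound traffic is dropped
!
! MGMT must stay unfiltered: it still needs a zone plus a pass-all policy, and
! because pass is stateless each direction needs its own zone-pair
policy-map type inspect PM-PASS-ALL
 class class-default
  pass
zone-pair security MGMT-TO-INSIDE source MGMT destination INSIDE
 service-policy type inspect PM-PASS-ALL
zone-pair security INSIDE-TO-MGMT source INSIDE destination MGMT
 service-policy type inspect PM-PASS-ALL
!
! self zone: traffic to the router is allowed until explicitly restricted;
! this pair limits OUTSIDE -> router to SSH (return traffic follows the session)
ip access-list extended ACL-SSH
 permit tcp any any eq 22
class-map type inspect match-all CM-SSH-TO-ROUTER
 match access-group name ACL-SSH
 match protocol tcp
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-SSH-TO-ROUTER
  inspect
 class class-default
  drop log
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
```

Router-originated traffic towards OUTSIDE remains permitted because no self-to-OUTSIDE zone-pair is defined; use show policy-map type inspect zone-pair to verify which pair a flow is matching.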