Chapter 21: Managing Zone-based Firewall Rules
User Guide for Cisco Security Manager 4.4, OL-28826-01 (page 21-1)
The Zone-based Firewall feature (also known as Zone-based Policy Firewall) allows unidirectional
application of IOS firewall policies between groups of interfaces known as “zones.” That is, interfaces
are assigned to zones, and firewall rules are applied to specific types of traffic moving in one direction
between the zones. Zone-based firewalls enforce a secure inter-zone policy by default, meaning traffic
cannot pass between security zones until an explicit policy allowing that traffic is defined.
The “zone” itself is an abstraction—multiple interfaces with the same or similar security requirements
that can be logically grouped together. For example, router interfaces Ethernet 0/0 and Ethernet 0/1
might be connected to the local LAN. When viewed from a firewall perspective, these two interfaces are
similar in that they represent the internal network, and they can be grouped into a single zone for the
purposes of firewall configuration. Then you can specify firewall policies between that and other zones.
These inter-zone policies offer considerable flexibility and granularity, so different inspection policies
can be applied to multiple host groups connected to the same router interface.
Note: The zone-based firewall feature is supported on IOS devices running 12.4(6)T or later, and ASR devices
running 12.2(33) or later.
A Simple Example
A security zone should be configured for each region of similar security within the network, so that all
interfaces assigned to the same zone are protected with a similar level of security. For example, consider
an access router with three interfaces:
• One interface is connected to the public Internet
• One interface is connected to a private LAN that must not be accessible from the public Internet
• One interface is connected to an Internet-service “demilitarized zone” (DMZ), where a Web server,
Domain Name System (DNS) server, and e-mail server must have access to the public Internet
Each interface in this network would be assigned to its own zone, as shown in the following figure.
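The three-zone design described above, written out as IOS zone-based firewall CLI so the pieces the guide names (zones, zone membership, unidirectional zone pairs, and the default deny between zones) can be seen together. This is an added example, not configuration from the Security Manager guide or a Cisco-provided sample; the guide builds these objects through the Security Manager UI rather than the CLI. The interface names, zone names, IP addresses, DMZ host addresses and the particular protocols inspected are all assumptions chosen for illustration.

```cisco
! Added example (not from the Security Manager guide): IOS zone-based firewall
! configuration for the three-interface access router described above.
! Interface names, zone names, addresses and protocol lists are assumptions.
!
! One security zone per region of similar security.
zone security INSIDE
 description Private LAN
zone security OUTSIDE
 description Public Internet
zone security DMZ
 description Internet-service DMZ
!
! Assign each interface to its zone. Once an interface is a zone member,
! traffic to or from interfaces in other zones is dropped unless a zone-pair
! policy explicitly permits it.
interface GigabitEthernet0/0
 description Public Internet
 ip address 203.0.113.2 255.255.255.0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description Private LAN
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/2
 description DMZ
 ip address 192.168.20.1 255.255.255.0
 zone-member security DMZ
!
! DMZ hosts (assumed addresses): web, DNS and mail servers.
object-group network DMZ-SERVERS
 host 192.168.20.10
 host 192.168.20.11
 host 192.168.20.12
!
ip access-list extended TO-DMZ-SERVERS
 permit ip any object-group DMZ-SERVERS
!
! Inspect class maps identify traffic by application protocol.
! "match-any": any one listed protocol qualifies.
class-map type inspect match-any INSIDE-TO-OUTSIDE-APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
class-map type inspect match-any DMZ-SERVICES
 match protocol http
 match protocol dns
 match protocol smtp
!
! "match-all": traffic must be addressed to a DMZ server AND be one of the
! published services; anything else from the Internet falls to class-default.
class-map type inspect match-all OUTSIDE-TO-DMZ
 match access-group name TO-DMZ-SERVERS
 match class-map DMZ-SERVICES
!
! Policy maps: "inspect" creates a stateful session and allows the return
! traffic; class-default drops (and here logs) everything else.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-APPS
  inspect
 class class-default
  drop log
!
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ
  inspect
 class class-default
  drop log
!
policy-map type inspect DMZ-TO-OUTSIDE-POLICY
 class type inspect DMZ-SERVICES
  inspect
 class class-default
  drop log
!
! Zone pairs are unidirectional: each pair carries policy for one direction.
! No OUTSIDE->INSIDE pair and no INSIDE<->DMZ pairs exist, so that traffic
! stays blocked by the default inter-zone deny.
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security DMZ-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect DMZ-TO-OUTSIDE-POLICY
```

Two behaviours of the IOS implementation are worth keeping in mind when reading this: an interface that belongs to no zone cannot exchange traffic with an interface that does, so a router should not be left half-migrated with only some interfaces assigned; and traffic between interfaces in the same zone passes by default, which is what makes grouping the two LAN interfaces from the earlier example into one zone convenient. Traffic to and from the router itself belongs to the implicit "self" zone and is permitted unless a zone pair involving self is configured.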