IOS Zone-Based Firewall

Zone-Based Firewall (ZBF) is the most advanced stateful firewall method available on Cisco IOS routers. Instead of applying access-lists to interfaces, ZBF groups interfaces into zones: each interface is assigned to a zone, and security policies are applied to traffic flowing between zones.
Overview of Zone-Based Policy Network Security

A security zone must be configured for each region of relative security within the network, so that all interfaces assigned to the same zone are protected with a similar level of security. For example, consider an access router with three interfaces:

1. One interface connected to the public Internet
2. One interface connected to a private LAN that must not be accessible from the public Internet
3. One interface connected to an Internet service demilitarized zone (DMZ), where a web server, Domain Name System (DNS) server and e-mail server must be accessible to the public Internet
Figure 1: Overview of Zone-Based Firewall
In this example, each zone holds only one interface. If an additional interface is added to the private zone, the hosts connected to the new interface can pass traffic to all hosts on the existing interface in the same zone. Likewise, traffic from those hosts to hosts in other zones is governed by the existing inter-zone policies.
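The three-zone design above, written out as an added IOS ZBF configuration (example code, not taken from the page or from Cisco documentation); the zone names, interface numbers and the exact set of inspected protocols are assumptions. Note that no zone-pair is defined from INTERNET to PRIVATE, so that traffic is dropped by the zone-based default, which is exactly the requirement for the private LAN.

```cisco
! Added example: three security zones for the scenario in Figure 1
zone security PRIVATE
zone security INTERNET
zone security DMZ

! Assign each interface to its zone (interface names are assumptions)
interface GigabitEthernet0/0
 description Public Internet
 zone-member security INTERNET
interface GigabitEthernet0/1
 description Private LAN
 zone-member security PRIVATE
interface GigabitEthernet0/2
 description DMZ servers
 zone-member security DMZ

! Traffic the private LAN may initiate toward the Internet (assumed set)
class-map type inspect match-any PRIVATE-TO-INTERNET
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

! Only the published DMZ services may be reached from the Internet
class-map type inspect match-any INTERNET-TO-DMZ
 match protocol http
 match protocol dns
 match protocol smtp

! Stateful inspection of the matched classes; everything else is dropped and logged
policy-map type inspect PRIVATE-TO-INTERNET-POLICY
 class type inspect PRIVATE-TO-INTERNET
  inspect
 class class-default
  drop log

policy-map type inspect INTERNET-TO-DMZ-POLICY
 class type inspect INTERNET-TO-DMZ
  inspect
 class class-default
  drop log

! Zone pairs are unidirectional: return traffic is permitted by the inspect state,
! and any zone pair that is not defined (e.g. INTERNET -> PRIVATE) is dropped
zone-pair security PRIV-INET source PRIVATE destination INTERNET
 service-policy type inspect PRIVATE-TO-INTERNET-POLICY
zone-pair security INET-DMZ source INTERNET destination DMZ
 service-policy type inspect INTERNET-TO-DMZ-POLICY
```

Traffic to and from the router itself belongs to the built-in self zone, which is permitted by default unless a zone-pair involving self is configured, so management-plane access should be reviewed separately.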