Introduction
Cisco IOS has supported stateful inspection firewall capability since before Cisco IOS Software Version 12.0. Stateful Inspection Firewall features are supported through the Classic Firewall (formerly known as Context-Based Access Control, or CBAC). Cisco IOS Software introduced an additional configuration model for stateful inspection with the Zone-Based Policy Firewall (ZFW) in Cisco IOS Software version 12.4(6)T. Cisco IOS Software Classic Firewall will continue to be maintained for the foreseeable future, but will not be significantly enhanced with new features. Instead, the strategic development direction for Cisco IOS Software's stateful inspection firewall is carried by Zone-Based Policy firewall.
Policy Differences Between Classic Firewall and Zone-Based Policy
Classic Firewall and Zone-Based Policy Firewall differ substantially in their policy configuration concepts.
Classic Firewall policy is defined by applying static Access Control Lists (ACLs) to router interfaces to define the types of traffic allowed through an interface. Stateful packet inspection is added with "ip inspect" rules that track sessions initiated by trusted hosts and dynamically open the return path through ACLs that would otherwise drop that return traffic. Working out the effective policy of a complex Classic Firewall configuration can be difficult where multiple ACLs affect the same traffic, especially when ACLs apply both to router-local traffic and to traffic "transiting" the router (entering on one interface and leaving by the same or a different interface).
Figure 1.

Zone-Based Policy Firewall changes the IOS stateful inspection model from Classic Firewall's interface-based model to a more flexible and more easily understood zone-based model. Router interfaces are assigned to security zones, and firewall inspection policy is applied to traffic moving between zones. Zone-Based Policy Firewall enforces a secure inter-zone policy by default: an interface cannot pass traffic to interfaces in other security zones until a policy explicitly allowing that traffic is defined. Firewall policies are configured using Class-Based Policy Language (CPL), which uses a hierarchical structure to define both the network protocols to be inspected and the groups of hosts whose traffic the inspection applies to. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to individual hosts, host groups, or subnets connected to the same router interface.
Figure 2.

Each interface can be a member of only one security zone, but a zone can contain multiple interfaces. Once an interface is made a zone member, traffic does not pass between it and interfaces in other zones until a policy is configured to allow the desired traffic: the default inter-zone policy of Zone-Based Policy Firewall is to drop.
Policies are built by configuring a class-map to define the traffic the policy affects, then a policy-map that associates that traffic class with an action: inspect, pass, or drop. Additional parameters can specify connection limits or actions such as URL filtering for HTTP traffic. Policy-maps are attached to zone-pairs, which apply a unidirectional policy to traffic moving from the source zone to the destination zone; return traffic of inspected sessions is permitted automatically, but sessions initiated in the opposite direction need their own zone-pair and policy.
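The two models side by side, as an added illustration that is not part of the original Cisco document: the same policy (trusted inside hosts may initiate TCP, UDP and ICMP sessions toward the outside; nothing may be initiated from the outside) expressed first in Classic Firewall and then in Zone-Based Policy Firewall. The interface names, addresses, and the zone, class-map, policy-map and ACL names are assumed for the example; the syntax is 12.4T-era IOS.

```cisco
! ---- Classic Firewall (CBAC): ip inspect on the trusted interface, ACL on the untrusted one ----
! Inspection rule: track TCP/UDP/ICMP sessions initiated by inside hosts
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
!
! Static ACL on the outside interface. Return traffic of inspected sessions
! is let through by the dynamic entries CBAC inserts ahead of this deny.
ip access-list extended FROM-OUTSIDE
 deny ip any any
!
interface FastEthernet0/0
 description Inside, trusted LAN (addresses assumed)
 ip address 10.1.1.1 255.255.255.0
 ip inspect CBAC-OUT in
!
interface FastEthernet0/1
 description Outside, untrusted
 ip address 192.0.2.1 255.255.255.0
 ip access-group FROM-OUTSIDE in
!
! ---- Zone-Based Policy Firewall: the same policy in the zone model ----
zone security INSIDE
zone security OUTSIDE
!
! Host-group restriction: only this subnet may open outbound sessions
ip access-list extended TRUSTED-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
!
! Protocols to inspect (match-any: any one of them matches)
class-map type inspect match-any TCP-UDP-ICMP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Nested class (match-all): a trusted source AND an inspected protocol
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name TRUSTED-HOSTS
 match class-map TCP-UDP-ICMP
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Unidirectional: governs traffic moving INSIDE -> OUTSIDE only.
! No OUTSIDE -> INSIDE zone-pair is defined, so that direction keeps the default drop.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface FastEthernet0/0
 zone-member security INSIDE
!
interface FastEthernet0/1
 zone-member security OUTSIDE
```

The two halves are alternatives, not a combined configuration: apply one model or the other to an interface, not both. Two checks worth making after applying the ZFW half: traffic to and from the router itself belongs to the system-defined self zone, which is permitted by default, so router-local services (SSH, SNMP, routing protocols) are only filtered once a zone-pair involving self is given its own policy; and the effective policy can be confirmed with "show zone-pair security" and the active sessions with "show policy-map type inspect zone-pair sessions" (the Classic Firewall equivalent is "show ip inspect sessions").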
For more detailed discussion of Zone-Based Policy Firewall Concepts and Applications, refer to the Zone-Based Firewall Design Guide and Zone-Based Policy Firewall Configuration Guide indicated in the "Additional Reading" portion of this document.
Feature Parity
Cisco IOS Classic Firewall has been substantially enhanced during its lifetime. Zone-Based Policy Firewall covers most of the functionality offered by Classic Firewall and is beginning to add capabilities that Classic Firewall does not offer. Refer to Table 1 for a feature comparison between Cisco IOS Classic and Zone-Based Policy Firewall:
Table 1. Feature parity comparison between Cisco IOS Classic and Zone-Based Policy Firewall
* These capabilities are being investigated for inclusion in a future software release
Router Platform and Management Support
Classic Firewall is supported throughout the Cisco IOS router product family. Zone-Based Policy firewall support is limited to platforms that include the Cisco IOS Quality of Service system. Supported platforms are described in Table 2:
Table 2. Router platform support for Cisco IOS Classic and Zone-Based Policy Firewall
Graphical User Interface management for both firewalls is offered by Cisco Security Device Manager (SDM). Cisco Security Manager (CSM) only supports the Cisco IOS Classic Firewall at present, but future support for Zone-Based Policy Firewall in CSM is planned.
Conclusion
Cisco IOS Software Release 12.4(6)T introduced dramatic changes to the default security posture and configuration model with Cisco IOS Zone-Based Policy Firewall. New features will only be introduced in Zone-Based Policy Firewall. To take advantage of new capabilities, existing Cisco IOS Classic Firewall configurations will need to be migrated to Zone-Based Policy Firewall configuration.
Additional Reading
Zone-Based Policy Firewall Design and Application Guide http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00808bc994.shtml.
