Tuesday, May 12, 2009

Cisco IOS Zone-Based Firewall vs CBAC

Having had some experience with PIX firewalls in the past, I was interested when I learned a similar firewall technology appeared in IOS. So, I've started reading about the newer zone-based firewall in IOS, and wanted to 'upgrade' from my well-working CBAC, if only to simplify DMZ or guest LAN configurations. I found the lack of an equivalent "router-traffic" command to be a major inhibitor, especially because on the routers in question, NTP, Dynamic DNS and GRE/IPsec (DMVPN) are all connections that are initiated by the router, and even with a relaxed or no inbound ACL, this traffic has to be configured (allowed) from the self zone to the Internet. Anyway, by the time I had an almost fully working configuration, it was a lot lengthier than my original CBAC config. I think perhaps, if I had had more than a couple of DMZs, the ZBF might have been worth it. But for a simple 3-zone [Internet Zone, Internal Zone, and Guest Zone] setup on a small 800 series router, CBAC is still the way to go! If anyone knows when Cisco will improve/shorten the ZBF configs for such router-initiated traffic as above, I'd be anxious to find out!
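As an added illustration (not from the original post), this is roughly what the two approaches look like for the router-initiated traffic mentioned above (NTP, DNS/HTTP for Dynamic DNS, ISAKMP, GRE and ESP). The interface name Dialer0 and all class-map, policy-map and zone-pair names are assumptions.

```cisco
! --- CBAC: one keyword covers traffic the router itself originates ---
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC udp router-traffic
ip inspect name CBAC icmp router-traffic
interface Dialer0
 ip inspect CBAC out
!
! --- ZBF: the self zone needs its own zone-pairs and policies ---
zone security OUTSIDE
interface Dialer0
 zone-member security OUTSIDE
!
! Sessions the router opens: NTP, DNS, HTTP (DDNS update), ISAKMP, ping
class-map type inspect match-any SELF-OUT-INSPECT
 match protocol ntp
 match protocol dns
 match protocol http
 match protocol isakmp
 match protocol icmp
!
! GRE and ESP carry no L4 state, so they cannot be inspected; pass them
ip access-list extended TUNNEL-PROTO
 permit gre any any
 permit esp any any
class-map type inspect match-all SELF-OUT-PASS
 match access-group name TUNNEL-PROTO
!
policy-map type inspect SELF-OUT-PMAP
 class type inspect SELF-OUT-INSPECT
  inspect
 class type inspect SELF-OUT-PASS
  pass
 class class-default
  drop
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-OUT-PMAP
!
! "pass" is stateless, so the tunnel protocols also need a policy in the
! return direction; "inspect" above already handles replies for NTP etc.
policy-map type inspect OUT-SELF-PMAP
 class type inspect SELF-OUT-PASS
  pass
 class class-default
  drop
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUT-SELF-PMAP
```

The class-default drop on the OUTSIDE-to-self pair is what keeps the router's own services unreachable from the Internet; anything else the router must answer (e.g. ISAKMP from a remote peer) has to be added there explicitly.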
