CCNA Security Knowledge Base Category

Cisco IOS Zone based Firewall Tutorial

September 8th, 2010 securitytut 26 comments

In this tutorial we will learn about Zone Based Firewall, but before digging into details let’s start with basic concepts.

A security zone is a group of interfaces to which a policy can be applied. By default, traffic flows freely between interfaces that belong to the same zone, but traffic between different zones is dropped. To let traffic pass between zones, the administrator must explicitly create a zone-pair and attach a policy to it. Two further points worth noting: an interface that belongs to a zone cannot exchange traffic with an interface that belongs to no zone at all, and traffic originated by or destined to the router itself (the built-in "self" zone) is allowed by default until a zone-pair involving the self zone is configured.

A zone-pair specifies a uni-directional firewall policy between two zones. In other words, a zone-pair defines the direction of the interesting traffic by naming a source zone and a destination zone. Note that we cannot define the same zone as both the source and the destination of a zone-pair. Because the pair is uni-directional, connections initiated from the other side require a second zone-pair with the source and destination zones reversed.

A zone policy defines what we want to allow or deny between the zones of a zone-pair. For example, we may want to allow HTTP while dropping SMTP, ICMP and so on. The policy is built from a class-map type inspect, which classifies the traffic (by protocol, by ACL, or both), and a policy-map type inspect, which applies an action to each class. There are three actions: "pass", "drop" and "inspect". "pass" forwards matching packets without keeping any state, so return traffic must be permitted separately in the opposite zone-pair; "drop" discards them (optionally with logging); "inspect" performs stateful packet inspection: the router records the session and automatically permits the return traffic of that connection, so no reverse policy is needed for it.
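The following configuration ties the three concepts together on an IOS router. It is an added example, not configuration from the original tutorial; the zone names, the class and policy names and the interfaces GigabitEthernet0/0 and GigabitEthernet0/1 are assumptions. It allows HTTP, HTTPS and DNS from the inside zone to the outside zone with stateful inspection, drops and logs everything else in that direction, and leaves all outside-to-inside connections blocked by the default behaviour (no zone-pair exists for that direction).

```cisco
! --- Added example: Zone-Based Firewall on Cisco IOS (names and interfaces are assumed) ---
!
! 1. Security zones
zone security INSIDE
 description Corporate LAN
zone security OUTSIDE
 description Internet
!
! 2. Classification: which traffic from INSIDE to OUTSIDE we are willing to inspect
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol http
 match protocol https
 match protocol dns
!
! 3. Policy: "inspect" tracks the session and lets the replies back in;
!    everything else hits class-default and is dropped with a log message
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log
!
! 4. Uni-directional zone-pair (INSIDE -> OUTSIDE only) with the policy attached.
!    No OUTSIDE -> INSIDE zone-pair is created, so inbound connections stay blocked.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
!
! 5. Interface membership (an interface in no zone cannot talk to these two)
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet uplink
 zone-member security OUTSIDE
```

To verify, `show zone-pair security` lists the pair and its policy, and `show policy-map type inspect zone-pair sessions` shows the connections the router is currently tracking; an inside host opening an HTTP connection should appear there, while an SMTP attempt should produce a drop log entry instead.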

Read more…

IPsec Site-to-site VPN tutorial

September 5th, 2010 securitytut 2 comments

In this article, I want to introduce the use of IPsec site-to-site VPN: why we should use it and how to configure it.

Nowadays, many companies and corporations have their branch offices far away from its headquarters but they need to communicate as if they were in a LAN. This is the place where site-to-site VPN comes into play. Site-to-site VPNs connect entire networks to each other, for example, they can connect a branch office network to a company headquarters network. In the past, a leased line or Frame Relay connection was required to connect sites, but because most corporations now have Internet access, these connections can be replaced with site-to-site VPNs.

[Figure: Site-to-site VPN concept]

Organizations use virtual private networks (VPNs) to create an end-to-end private network connection (tunnel) over third-party networks such as the Internet or extranets. The tunnel eliminates the distance barrier and enables remote sites and users to reach central-site network resources. However, a tunnel by itself does not keep the information confidential or authentic while it traverses a network the organization does not control. For this reason, modern cryptographic methods (in IPsec: IKE for key negotiation and peer authentication, ESP for encryption and integrity) are applied to the tunnel to establish secure, end-to-end, private network connections.
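As an added illustration of what "applying cryptography to the tunnel" looks like on an IOS router (this is example configuration written for this page, not the original tutorial's), here is one side of an IKEv1 site-to-site IPsec VPN. All addresses, names and the pre-shared key are assumptions: the branch LAN is 192.168.10.0/24 behind 198.51.100.2, the headquarters LAN is 192.168.20.0/24 behind peer 203.0.113.2, and the uplink is GigabitEthernet0/1. The SHA-256 and DH group 14 options assume a reasonably recent IOS 15.x image.

```cisco
! --- Added example: IKEv1 site-to-site IPsec on Cisco IOS, branch side (all values assumed) ---
!
! Phase 1 (IKE SA): how the two routers authenticate each other and protect the negotiation
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key bound to the headquarters peer address (use a long random key in practice)
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.2
!
! Phase 2 (IPsec SA): ESP gives both encryption and integrity to the tunnelled packets
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic": only branch LAN <-> HQ LAN packets are sent through the tunnel.
! The headquarters router needs the mirror image of this ACL.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Crypto map glues peer, transform set and interesting traffic together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 match address VPN-TRAFFIC
!
! Apply it to the Internet-facing interface
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN-MAP
```

The headquarters router carries the same policy and transform set, the key bound to 198.51.100.2, and a crypto ACL with source and destination swapped; a mismatch in any Phase 1 or Phase 2 parameter is the most common reason the tunnel never comes up. `show crypto isakmp sa` should show the IKE SA in state QM_IDLE and `show crypto ipsec sa` should show encapsulated and decapsulated packet counters increasing once LAN-to-LAN traffic flows.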

Read more…