Cisco IOS Threat Control for CCNP Security (300-206) SENSS

This course teaches you the ins and outs of Cisco IOS Zone-based firewalls. In this course, you will learn how to control traffic between interfaces assigned to zones and how to perform filtering all the way up to layer 7. You will also learn how to configure URL filtering by creating a custom white and black list.
Course info
Level
Intermediate
Updated
Aug 6, 2015
Duration
3h 13m
Description

There are many appliances designed to protect a network from attack; however, many overlook the capabilities of Cisco IOS. Cisco IOS routers support Zone-based firewall features that allow stateful filtering from L3 to L7 of the OSI model. In this course, you will learn how to configure and control the Cisco IOS ZBFW while also covering important topics of the 300-206 SENSS exam.

About the author

Brandon Carroll is a CCIE (Security, #23837), Cisco Press author, and has over 13 years' experience as a Cisco instructor.
Section Introduction Transcripts

Self Zone Inspection
Well, we talked about it right at the end of the last module: this is Self Zone Inspection. In this module, we're going to overview what the self zone is and talk about how it functions, what makes it a special zone and why we need it, and then we're going to configure the self zone in our lab environment. So let's start out with what the self zone is, and we can start out by just looking at this topology. You'll note from this topology that this is what our lab looks like right now; this is what we have set up. We have a zone called inside, we have a zone called outside, and we have a zone called server-dmz. What we don't see here is how the router itself, right in the middle, functions. Well, there's a special zone, and that zone is called zone self, and that zone self represents the control and the management plane on this router. So what we can do with that self zone is apply policy to it, and from that policy we can statefully track the sessions to and from the router itself rather than just the traffic that is transiting the router. Now, what we want to understand is that once we start to apply policy to zone self, it changes the default behavior of the router, whereas the router by default will accept connections to the device and we are not filtering connections from the device. Once we have that zone policy applied, we go ahead and start to inspect that traffic, and we can control it with policy. So let's take a look at the default policy. It's very similar to the scenario that we looked at in a previous module that explains how the router would behave if we did have policy applied there or if we didn't have policy applied there.

L7 Inspection and URL Filtering
And welcome, everyone, to Layer 7 Inspection and URL Filtering. In this module we're going to take a look at the application inspection features of our IOS zone-based policy firewall, and we're going to specifically look at HTTP inspection; we'll examine that in just a little bit in this module. We're also going to talk about URL filtering and implement that. So let's go ahead and get started with our application inspection features. One of the neat things about our IOS zone-based policy firewall is that while it does function at layer 3/layer 4 with that whole configuration that we've already been building with our class maps and policy maps, applying it to a zone pair with a service policy, it also supports the ability to be a little more advanced than that and look all the way up into the application layer, so we get some visibility up there into the application layer. Now, this is nice because it's going to help us to protect against application layer vulnerabilities, and we know that that's where we have a large attack surface: when we're running multiple applications, these applications can be susceptible to attacks. So we're going to use the AIC functionality, the Application Inspection and Control functions of our IOS zone-based firewall, and we're going to configure it so that it can control specific applications. There are a number of applications that it will support; we'll mention those as we go through this module. We're going to specifically focus on the HTTP capabilities. And then we're going to round things out with URL filtering, talk about how we can do URL filtering with the routers, and see how we can do local URL filtering.
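The two transcripts above describe a self-zone policy and Layer 7 HTTP inspection with a local URL white/black list. The IOS configuration below is an added example written for this page, not configuration from the course; it assumes the zones inside, outside and server-dmz are already bound to interfaces, and uses a constructed management subnet (10.1.1.0/24) and placeholder domain patterns.

```cisco
! Self zone = the router's control/management plane. Until a zone-pair names
! "self", traffic to/from the router is unfiltered; afterwards only what this
! policy inspects is accepted from zone inside (constructed subnet 10.1.1.0/24).
ip access-list extended MGMT-TO-SELF
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit icmp 10.1.1.0 0.0.0.255 any echo
class-map type inspect match-all CM-MGMT
 match access-group name MGMT-TO-SELF
policy-map type inspect PM-IN-TO-SELF
 class type inspect CM-MGMT
  inspect
 class class-default
  drop log
zone-pair security IN-TO-SELF source inside destination self
 service-policy type inspect PM-IN-TO-SELF
! Layer 7: local URL white/black list (placeholder domains), inside -> outside.
parameter-map type urlf-glob ALLOWED-DOMAINS
 pattern *.cisco.com
parameter-map type urlf-glob BLOCKED-DOMAINS
 pattern *.blocked.example
parameter-map type urlfpolicy local LOCAL-URLF
class-map type urlfilter match-any CM-URL-WHITE
 match server-domain urlf-glob ALLOWED-DOMAINS
class-map type urlfilter match-any CM-URL-BLACK
 match server-domain urlf-glob BLOCKED-DOMAINS
policy-map type inspect urlfilter PM-URLF
 parameter type urlfpolicy local LOCAL-URLF
 class type urlfilter CM-URL-WHITE
  allow
 class type urlfilter CM-URL-BLACK
  reset
  log
! HTTP AIC: reset sessions that tunnel other apps over port 80 or break the protocol.
class-map type inspect http match-any CM-HTTP-ABUSE
 match request port-misuse any
 match req-resp protocol-violation
policy-map type inspect http PM-HTTP-L7
 class type inspect http CM-HTTP-ABUSE
  reset
! Both L7 policies hang under an L3/L4 class that matches protocol http.
class-map type inspect match-any CM-WEB
 match protocol http
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-WEB
  inspect
  service-policy http PM-HTTP-L7
  service-policy urlfilter PM-URLF
zone-pair security IN-TO-OUT source inside destination outside
 service-policy type inspect PM-IN-TO-OUT
```

Verify with show policy-map type inspect zone-pair IN-TO-SELF and IN-TO-OUT; the class-default drop counters show what the new self-zone policy is now rejecting.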