Re: Zone Based firewall comment

From: Narbik Kocharians <narbikk_at_gmail.com>
Date: Tue, 1 Mar 2011 07:36:42 +1100

Just to mention a few that come to mind. Besides the obvious one, that it's much
easier to configure (MQC-like configuration), as you mention:

- A ZFW is not dependent on ACLs
- The security posture is block unless explicitly allowed
- Easy to read and troubleshoot as it is similar to MPF on the ASA
- One policy may be applied to any given traffic rather than requiring
multiple ACLs and inspection actions
- More Layer 7 inspections

On Tue, Mar 1, 2011 at 6:29 AM, imran ali <immrccie_at_gmail.com> wrote:

>
>
> On Mon, Feb 28, 2011 at 9:51 PM, Narbik Kocharians <narbikk_at_gmail.com>wrote:
>
>> Don't try to compare it to an ASA, but when you compare it to CBAC, ZBFW
>> is much better.
>>
>>
>>
>
> Narbik, can you please explain how ZBF is advantageous over CBAC? (ZBF simplifies
> the configuration burden... what else does ZBF give that CBAC lacks?)
> thanks
>
>
>
>>
>> On Mon, Feb 28, 2011 at 9:31 AM, Babatunde Sanda <sbabatunde1_at_ca.rr.com>wrote:
>>
>>> Use the argument match-any.
>>>
>>> Example:
>>>
>>> class-map type inspect match-any TEST
>>>  ! "inside" is assumed to be a named ACL, hence the "name" keyword
>>>  match access-group name inside
>>>  ! match-any: a flow matches on the ACL OR on any one of these protocols
>>>  match protocol http
>>>  match protocol ssh
>>>  match protocol telnet
>>>  match protocol snmp
>>>  match protocol ftp
>>>  match protocol icmp
>>>  match protocol tcp
>>>  match protocol udp
>>>
>>>
>>> Babatunde Sanda B.Sc (Acct.) CCNP, CCVP, CCNA(R,S,V), MCSA, N+, A+.
>>> :: Sent from my iPhone. Apologies for errors and brevity. ::
>>>
>>> On Feb 28, 2011, at 5:38 AM, Chris Proctor <chris_at_cwproctor.net> wrote:
>>>
>>> > I'm coming from an ASA/PIX command set mentality for firewalls. I
>>> > don't see for the life of me why I have to specify each and every
>>> > inspect and ACL pairing instead of the "global policy" setup like on
>>> > the ASA.
>>> >
>>> > It really does feel like Dante's trip through hell. Everything is
>>> > nested and recursing through potentially thousands of lines of config.
>>> >
>>> > I'd like to know how to do the following (example):
>>> >
>>> > permit access-group inside
>>> > match protocol http
>>> > match protocol ssh
>>> > match protocol telnet
>>> > match protocol snmp
>>> > match protocol ftp
>>> > match protocol icmp
>>> > match protocol tcp
>>> > match protocol udp
>>> > inspect with best inspector for protocol
>>> >
>>> > Can this be done without using more than one class?
>>> >
>>> > Thanks!
>>> >
>>> > On 2/28/2011 6:56 AM, imran ali wrote:
>>> >>
>>> >>
>>> >> On Mon, Feb 28, 2011 at 9:44 AM, Chris Proctor <chris_at_cwproctor.net
>>> >> <mailto:chris_at_cwproctor.net>> wrote:
>>> >>
>>> >> Well, after beating my head against this for awhile I have come to
>>> >> three conclusions (call it venting if you will):
>>> >> 1.) Security zones are cool
>>> >> 2.) Inspect maps are overly complex pieces of crap
>>> >>
>>> >> Can't agree with you here. Did you study the Cisco doc first before jumping
>>> >> to any vendor book?
>>> >>
>>> >> 3.) Specialized inspect maps are even bigger pieces of crap
>>> >>
>>> >> Partially agree with you.
>>> >>
>>> >> I find myself hoping they won't get too carried away with this
>>> >> subject. Working out all of the possible regex's, etc and nesting
>>> >> of relationships could easily take me 20 hours for a complex
>>> >> enough configuration. Can anyone tell me if I'm wasting my time
>>> >> going through the lower levels of hell here?
>>> >>
>>> >> --
>>> >> Chris Proctor
>>> >>
>>> >>
>>> >> --
>>> >> This message was scanned by ESVA and is believed to be clean.
>>> >>
>>> >>
>>> >> Blogs and organic groups at http://www.ccie.net
>>> >>
>>> >>
>>> _______________________________________________________________________
>>> >> Subscription information may be found at:
>>> >> http://www.groupstudy.com/list/CCIELab.html
>>> >
>>> > --
>>> > Chris Proctor
>>>
>>>

-- 
*Narbik Kocharians
*CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining.com <http://www.micronicstraining.com/>
Sr. Technical Instructor
*Ask about our FREE Lab Voucher with our Boot Camps*
YES! We take Cisco Learning Credits!
Training & Remote Racks available
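To make the points in this thread concrete, here is an added example (it is not from any of the posters and not a Cisco reference configuration): the CBAC way of opening inside-to-outside traffic, followed by a ZBF configuration that covers the protocol list Chris asked for with one class-map, one policy-map and one zone-pair. The interface names (GigabitEthernet0/0 inside, GigabitEthernet0/1 outside), the 10.0.0.0/24 inside subnet and every zone, ACL, class-map and policy-map name are assumptions made for the example.

```cisco
! ===== CBAC (classic IOS firewall) =====
! Assumed topology: Gi0/0 = inside (10.0.0.0/24), Gi0/1 = outside.
! Inspection is tied to an interface and a direction, and the return path
! has to be closed by a separate ACL that CBAC punches dynamic holes in.
ip inspect name CBAC-OUT http
ip inspect name CBAC-OUT ftp
ip inspect name CBAC-OUT icmp
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
!
ip access-list extended OUTSIDE-IN
 remark Only CBAC's dynamic entries admit return traffic
 deny ip any any
!
interface GigabitEthernet0/1
 description outside
 ip inspect CBAC-OUT out
 ip access-group OUTSIDE-IN in
!
! ===== ZBF (zone-based policy firewall) =====
! Same topology. Traffic between zones is dropped unless a zone-pair with a
! policy allows it. There is no OUTSIDE->INSIDE zone-pair here, so nothing
! initiated from outside gets in, and no interface ACL is needed for that.
zone security INSIDE
zone security OUTSIDE
!
ip access-list extended INSIDE-HOSTS
 permit ip 10.0.0.0 0.0.0.255 any
!
! match-any: the flow matches if it is ANY of these protocols.
! Application protocols are listed before the generic tcp/udp entries so
! that they get application-level inspection rather than plain TCP tracking.
class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol http
 match protocol ssh
 match protocol telnet
 match protocol snmp
 match protocol ftp
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! match-all with a nested class-map: the source must be in INSIDE-HOSTS AND
! the protocol must be one of ALLOWED-PROTOCOLS. (A single match-any class
! holding both the ACL and the protocols would match on either one.)
class-map type inspect match-all INSIDE-TO-OUTSIDE
 match access-group name INSIDE-HOSTS
 match class-map ALLOWED-PROTOCOLS
!
! One policy for the whole direction. class-default drop (and log) is the
! explicit "block unless allowed" posture.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
interface GigabitEthernet0/0
 description inside
 zone-member security INSIDE
interface GigabitEthernet0/1
 description outside
 zone-member security OUTSIDE
```

Two things to check after applying the ZBF half: `show policy-map type inspect zone-pair IN-OUT sessions` lists the inspected flows and their return-traffic state, and traffic to or from the router itself belongs to the implicit self zone, which this zone-pair does not cover (it stays allowed by default until a zone-pair involving `self` is defined).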
Received on Tue Mar 01 2011 - 07:36:42 ART

This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART