5/22/2018 Stratix 5900 ZFW Configuration Guide 07142014
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved. Rev 5058-CO900F
COMPANY INTERNAL - Internal Use Only
1783-SRKIT
Stratix 5900 Services Router:
Zone-Based Policy Firewall Configuration Guide Overview
Agenda
Zone-Based Policy Firewall (ZFW) Overview
Firewall vs. Router
Additional Information
Configuring a Zone-Based Policy Firewall (ZFW)

What is a Traditional Firewall?
A software or hardware device whose primary function is to permit or deny traffic as it attempts to enter or leave the network, based on explicit, preconfigured policies or rules.
Preconfigured rules are called Access Control Lists (ACLs). An ACL is a collection of permit and deny statements; each permit or deny statement is referred to as an Access Control Entry (ACE).
Firewalls are capable of inspecting the following elements of a packet:
Source MAC or IP address
Destination MAC or IP address
Source TCP or UDP port
Destination TCP or UDP port
Protocol (Layer 2, 3, 4 or 7)
Figure: Firewall with an ACL between an Inside interface (host 10.10.30.10) and an Outside interface (host 192.168.10.100). ACE: allow ICMP (ping) traffic to 10.10.30.10. ACE: allow HTTPS traffic to 10.10.30.10. ACE: block all other traffic.
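The three ACEs in the figure, written as a Cisco IOS extended ACL. This is an added example and not part of the original guide; the ACL name OUTSIDE-IN and the interface it is applied to are assumptions, the ACEs are the ones in the figure.

```cisco
! Added example, not from the original guide. ACL name and the interface
! it is applied to are assumptions; the three ACEs are those in the figure.
ip access-list extended OUTSIDE-IN
 remark ACE 1: allow ICMP (ping) to the inside host
 permit icmp any host 10.10.30.10
 remark ACE 2: allow HTTPS (TCP 443) to the inside host
 permit tcp any host 10.10.30.10 eq 443
 remark ACE 3: block all other traffic. Every IOS ACL already ends in an
 remark implicit "deny ip any any"; writing it out adds logging of hits.
 deny ip any any log
!
! Apply the ACL to traffic entering the firewall on the Outside interface
interface GigabitEthernet0
 description Outside interface
 ip access-group OUTSIDE-IN in
!
! Check: per-ACE hit counters show which entry each packet matched
! show ip access-lists OUTSIDE-IN
```

An ACL evaluates each packet on its own, top to bottom, first match wins, and keeps no connection state. Here only the inbound direction of the Outside interface is filtered, so the replies from 10.10.30.10 leave unfiltered; if the outbound direction were filtered as well, the HTTPS replies would need their own ACE (or the established keyword). The zone-based inspect action described later removes that need by tracking the session.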

What is an Integrated Services Router (ISR)?
An ISR is a router that integrates additional network features into the router:
Virtual Private Network (VPN) support
Firewall
Encryption services
ISRs are routers by default; security features such as a firewall or Access Control Lists (ACLs) must be implemented to secure the ISR.
ISRs differ from firewalls in that you must enable security on the ISR, whereas a firewall is secured by default.
Firewalls require security rules to be written before communications can occur.

Firewall vs. Integrated Services Router
Similarities
Firewall features can be provided by either device, depending on where in the architecture it sits.
Both are stateful. A stateful firewall keeps state information for the source and destination IP addresses, the source and destination ports and the connection flags. For instance, a stateful firewall expects to see a connection establishment consisting of SYN, SYN/ACK and ACK packets before allowing a TCP conversation to occur between the hosts.
Differences
The ASA 55xx firewall is used for Industrial Demilitarized Zones (IDMZ).
The ASA 55xx supports Deep Packet Inspection; this is not recommended for the Stratix 5900.
The ASA 55xx is a security appliance that is not a good router, while the Stratix 5900 is a router with limited security features.
Positioning within the Converged Plantwide Ethernet (CPwE) reference architectures
Stratix 5900 Zone-Based Policy Firewall (ZFW) within the Cell/Area Zone or OEM application (machine or skid)

What is a Zone-Based Policy Firewall?
A Zone-Based Policy Firewall (ZFW) is a firewall that is configured to permit or deny traffic as it attempts to enter or leave a Security Zone, based on explicit, preconfigured policies or rules.
ZFW allows the designer to create Security Zones.
Security policies, called Policy Maps, are created to define the permit and deny traffic rules.
Zone Pairs use the Policy Maps to define the traffic flow between the Security Zones.
Figure: Firewall with an Inside Security Zone (host 10.10.30.10) and an Outside Security Zone (host 192.168.10.100), joined by a Zone Pair (Inside Security Zone to Outside Security Zone). Policy Map: permit ICMP traffic to 10.10.30.10; permit HTTPS traffic to 10.10.30.10; deny all other traffic.

Zone-Based Policy Firewall
A ZFW changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model.
Security Zones are created for interfaces with the same security requirements. For example, an Inside Security Zone can be implemented for the Logix controller(s), while an Outside Security Zone can be implemented to allow computers running configuration software to access the Logix controller.
Figure: Cell/Area A network diagram. Stratix 5900_1 with ports Fa0-Fa3 in VLAN 10 (Inside Security Zone) and port WAN0 (Outside Security Zone) connected to a Layer 3 switch; a Logix controller (ENET module) and a Studio 5000 workstation. Addresses shown: 10.10.30.10/24, 192.168.10.100/24, 172.28.42.2/24 and 172.28.42.1/24; Networks A, B and C.

Network Interface and VLAN Security Zone Assignments
Network interfaces and VLANs are assigned to a Security Zone.
For example, the WAN 0 network interface is assigned to the Outside Security Zone. By placing the WAN 0 interface in the Outside Security Zone, any traffic entering the Stratix 5900 through the WAN 0 interface can have security policies applied as it traverses from the Outside to the Inside Security Zone.
VLAN 10 is assigned to the Inside Security Zone, where the Logix controller is located. The Fast Ethernet network interfaces (Fa0-Fa3) are assigned to VLAN 10 and are therefore in the Inside Security Zone.
Figure: Cell/Area A network diagram (as above), with WAN0 in the Outside Security Zone and VLAN 10 (Fa0-Fa3) in the Inside Security Zone.

Security Policy Maps
Security Policy Maps are created to permit or deny traffic between Security Zones.
For example, a Policy Map would be created to allow Studio 5000, using the CIP protocol, to communicate with the Logix controller on TCP port 44818.
Figure: Cell/Area A network diagram (as above). Security Policy Map "Outside-Inside-Map" between 192.168.10.100 (Studio 5000) and 10.10.30.10 (Logix controller): INSPECT CIP Class 3, port 44818.

Applying Policy Maps to Zone Pairs
Policy Maps are applied to Security Zone Pairs.
For example, the Policy Map Outside-Inside-Map would be assigned to inspect the traffic from the Outside Security Zone to the Inside Security Zone.
Figure: Cell/Area A network diagram (as above). Zone Pair from the Outside Security Zone to the Inside Security Zone, with Policy Map Outside-Inside-Map (INSPECT CIP Class 3, port 44818) applied between 192.168.10.100 and 10.10.30.10.

Zone Pairs
A Zone Pair allows you to specify a uni-directional firewall policy between two zones.
Zone Pairs allow you to leverage Policy Maps to define the communications between different Security Zones. Zone Pairs are defined based on the source and destination Security Zone of the traffic flow.
Figure: Inside Security Zone (VLAN 10: Fa0, Fa1, Fa2, Fa3) and Outside Security Zone (WAN0) joined by two Zone Pairs, In2Out and Out2In.

Zone Pair | Source Security Zone | Destination Security Zone | Policy Map Name
Out2In    | Outside              | Inside                    | Outside-Inside-Map
In2Out    | Inside               | Outside                   | Inside-Outside-Map

Steps to Building a Zone-Based Policy Firewall
The tasks for building a ZFW can be graphically depicted as a set of Configuration Steps. Finishing the lowest, foundational steps is recommended before moving on to the higher steps. In the Configuration Steps below, defining the protocols that will be used with the firewall should be accomplished first; it is the lowest and most foundational step of configuring a ZFW.
For this exercise, when a Configuration Step is completed it is depicted with blue hash marks. For example, the Standard Protocols step is completed. The green box, User Defined Protocols, represents the step you are currently accomplishing.
Configuration Aid (User Defined Protocols):
Configuration Steps, lowest to highest: Standard Protocols; User Defined Protocols; Class Map Inspection; Policy Map Protocol Inspection; Zones; Zone Pairs.
Action Steps (Stratix Configurator): Security -> Port to Application Mapping -> Add.
Final Result: User-CIP-CLASS3 (TCP 44818); User-CIP-CLASS1 (UDP 2222).

Configuration Aid: Steps to Building a ZFW
Location in the Stratix Configurator
To find where to enter the configuration in the Stratix Configurator, the Configuration Aid shows a folder structure. The folders represent where to find the needed dialog box or configuration window within the Stratix Configurator.
Configuration Aid (Class Map: CIP):
Configuration Steps: Standard Protocols; User Defined Protocols; Class Map Inspection; Policy Map Protocol Inspection; Zones; Zone Pairs.
Action Steps (Stratix Configurator): Security -> C3PL -> Class Maps -> Inspection -> Add -> Class Map CIP: User-CIP-CLASS3 (TCP 44818), User-CIP-CLASS1 (2222).
Final Result: Class Map CIP containing User-CIP-CLASS3 and User-CIP-CLASS1.

Configuration Aid: Steps to Building a ZFW
High Level Configuration Steps
You will also see an arrow labelled Action Steps within the Configuration Aid. These represent the high level actions or tasks that will be accomplished during this step.
Configuration Aid (Class Map: CIP), as on the previous slide. Action Steps: Security -> C3PL -> Class Maps -> Inspection -> Add -> Class Map CIP: User-CIP-CLASS3 (TCP 44818), User-CIP-CLASS1 (2222).

Configuration Aid: Steps to Building a ZFW
Final Product or Output
Finally, within the Configuration Aid you will see the Final Result column, which represents the final product or output of the step you have completed.
Configuration Aid (Class Map: CIP), as on the previous slides. Final Result: Class Map CIP containing User-CIP-CLASS3 and User-CIP-CLASS1.

Configuring a ZFW: Pre-defined / Standard Protocols
The Stratix 5900 includes pre-defined protocols that can be used to configure security policies. These pre-defined protocols include HTTP, ICMP, FTP and others. The list can be found under the Configure tab -> Security -> C3PL -> Class Map -> Add in the Stratix Configurator.

Configuring a ZFW: Adding User Defined Protocols
When you want to use a protocol that is not in the pre-defined protocol list, you must add a User Defined Protocol. A User Defined Protocol such as CIP can be added through the Stratix Configurator -> Security -> Port to Application Mapping screen.
Once completed, the User Defined Protocol will be available for use in the security policies.
Configuration Aid (User Defined Protocols): Action Steps: Security -> Port to Application Mapping -> Add. Final Result: User-CIP-CLASS3 (TCP 44818); User-CIP-CLASS1 (UDP 2222).

Configuring a ZFW: Port to Application Mapping
From the Port to Application Mapping screen, select Add to configure a new protocol.
Be sure to begin the protocol name with the keyword identifier user; this marks it as a user-defined protocol. The protocol name in this example is user-CIP-Class3.
Select the Port Type TCP.
Enter the port number 44818.
All protocols that are not in the pre-defined protocol list are defined using this method.

Configuring a ZFW: Adding Class Maps
Class maps define the traffic that a ZFW selects for policy application.
Class maps sort the traffic based on the following criteria:
Access-group: a standard, extended or named Access Control List can filter traffic based on source and destination IP address and source and destination port.
Protocol: any well-known or user-defined service known to the Stratix 5900 may be specified.
Class-map: a subordinate class map providing additional match criteria can be nested inside another class map.
Not: the not criterion specifies that any traffic that does not match a specified service (protocol), access-group or subordinate class map will be selected for the class map.
Configuration Aid (Class Map: CIP): Action Steps: Security -> C3PL -> Class Maps -> Inspection -> Add -> Class Map CIP: User-CIP-CLASS3 (TCP 44818), User-CIP-CLASS1 (2222). Final Result: Class Map CIP containing User-CIP-CLASS3 and User-CIP-CLASS1.

Configuring a ZFW: Class Maps: Selecting from the Protocol List
Since we added a User Defined Protocol named user-CIP-Class3 in the previous steps, this protocol appears in the User Defined protocol list.

Configuring a ZFW: Class Maps
Class maps can apply "match-any" or "match-all" operators to determine how the match criteria are applied. If "match-any" is specified, traffic must meet only one of the match criteria in the class map. If "match-all" is specified, traffic must match all of the class map's criteria to belong to that class.
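The four class map criteria and the match-any / match-all operators from the two slides above, in the Cisco IOS zone-based firewall syntax the Stratix 5900 uses. This is an added example and not part of the original guide: the ACL and class map names are assumptions, user-CIP-Class3 is the User Defined Protocol created earlier, and 192.168.10.100 is the Studio 5000 host from the diagrams.

```cisco
! Added example, not from the original guide. ACL and class map names are
! assumptions; user-CIP-Class3 is the User Defined Protocol from the
! previous steps, 192.168.10.100 the Studio 5000 host from the diagrams.
!
! Access-group criterion: limit by address, here to the one engineering
! workstation that may reach the controller.
ip access-list extended FROM-STUDIO5000
 permit ip host 192.168.10.100 host 10.10.30.10
!
! Protocol criterion, match-any: CIP Class 3 or ICMP (ping) both belong
! to this class because only one criterion has to be met.
class-map type inspect match-any CIP-OR-PING
 match protocol user-CIP-Class3
 match protocol icmp
!
! Class-map criterion, match-all: nest the class above and AND it with the
! access-group, so the traffic must be CIP or ping AND come from Studio 5000.
class-map type inspect match-all STUDIO5000-TO-LOGIX
 match class-map CIP-OR-PING
 match access-group name FROM-STUDIO5000
!
! Not criterion: everything that is NOT from Studio 5000, which a policy
! map can then drop and log separately from the rest.
class-map type inspect match-all NOT-STUDIO5000
 match not access-group name FROM-STUDIO5000
!
! Check the criteria as the router parsed them:
! show class-map type inspect
```

The nested match-all class is the pattern to reach for when a protocol alone is too broad: inspecting user-CIP-Class3 from anywhere lets any host on the Outside side open a CIP session to the controller, while the access-group narrows it to the workstation that needs it. Keep match-all for combining different criterion types; two protocol criteria under match-all can never both be true for one packet.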

Configuring a ZFW: Class Maps Completed
Once the Class Maps are configured, the list will display:
Class Map names
Details of each Class Map, including any pre-defined and User Defined Protocols, other subordinate Class Maps and Access Control Lists (ACLs)

Configuring a ZFW: Policy Maps
We now want to take the previously defined Class Maps and associate them with the following policies:
Inside to Outside Security Zone Policy
Outside to Inside Security Zone Policy
Policy Maps specify the actions to be taken when traffic matches the defined criteria.
Configuration Aid (Policy Map: Inspect): Action Steps: Security -> C3PL -> Policy Map -> Protocol Inspection -> Add -> Policy Map "Industrial" -> Inspect Class Map CIP (User-CIP-CLASS3, User-CIP-CLASS1). Final Result: a Policy Map that inspects Class Map CIP (User-CIP-CLASS3, User-CIP-CLASS1).

Configuring a ZFW: Policy Maps
Traffic types and criteria are defined in Class Maps associated with a Policy Map. In order for a ZFW to use the information in a Policy Map and its associated Class Maps, the Policy Map must be associated with a Zone Pair.
Zone Pairs are configured in later steps, but it is important to understand that you will use the previously created objects. In the Policy Map you define whether to Drop, Pass or Inspect the protocols you have defined.

Configuring a ZFW: Adding the Outside to Inside Policy Map
From the Policy Map Protocol Inspection screen, select Add.
Enter the Policy Name and Description.
Select Add from the Add Protocol Inspection Policy Map window to associate your Class Maps from the previous steps.

Configuring a ZFW: Associate Class Map to Policy Map (1 of 2)
From the Class Name pull-down selector, choose Select A Class Map.

Configuring a ZFW: Associate Class Map to Policy Map (2 of 2)
From the Existing Class Map list, select Outside-Inside-Inspect.

Configuring a ZFW: Inspect with Policy Maps
Once you have selected the Outside-Inside-Inspect Class Map, choose Inspect as the action.

Pass Rule vs. Inspect Rule: Pass Rule Example
Figure: Inside Security Zone and Outside Security Zone separated by a firewall interface. Outbound rule: Pass ICMP (ping). Inbound rule: Deny ALL. Steps 1 to 3 show the ping request leaving and the reply being blocked.
In our example, if the host within the Inside Security Zone were to send an ICMP (ping) message (Step 1) to the host in the Outside Security Zone, the firewall would pass the ICMP message (Step 2) to that host. See Outbound Rule = Pass ICMP.
The host in the Outside Security Zone would respond (Step 3) but would be blocked by the firewall because of the deny all rule. See Inbound Rule = Deny ALL.
In our example, an explicit inbound ICMP Pass rule would have to be written to allow the host in the Outside Security Zone to send an ICMP message to the host in the Inside Security Zone.

Pass Rule vs. Inspect Rule: Inspect Rule Example
Figure: Inside Security Zone and Outside Security Zone separated by a firewall interface. Outbound rule: Inspect ICMP (ping). Inbound rule: Deny ALL. Steps 1 to 4 show the ping request, the temporary firewall rule created to allow the ICMP reply (A), and the reply arriving.
In this example, in Step 1 the host in the Inside Security Zone issues an ICMP message. The firewall not only allows the ICMP message to pass (Step 2) but also dynamically creates a rule that allows the host in the Outside Security Zone to respond (Steps 3 and 4). See Outbound Rule = Inspect ICMP.
Inspect rules dynamically open the return path and keep track of the session information; when the session is complete, the firewall closes the path it dynamically opened.
We also see from our example that, with a Deny ALL inbound rule, no ICMP messages originated in the Outside Security Zone will be passed to the Inside Security Zone.
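The two diagrams above in Cisco IOS zone-based firewall syntax, as an added example that is not part of the original guide. The zones Inside and Outside are the ones on the slides; the class map, policy map and zone pair names are assumptions.

```cisco
! Added example, not from the original guide. Class map, policy map and
! zone pair names are assumptions; Inside and Outside are the zones above.
!
class-map type inspect match-any ICMP-CM
 match protocol icmp
!
! --- Pass Rule Example ---
! "pass" forwards matching packets one way and records no session.
policy-map type inspect In2Out-Pass
 class type inspect ICMP-CM
  pass
 class class-default
  drop log
!
zone-pair security In2Out source Inside destination Outside
 service-policy type inspect In2Out-Pass
!
! With no policy on the Outside-to-Inside zone pair the echo reply is
! dropped (Step 3 of the Pass example). Allowing it means writing the
! mirror rule, which also lets Outside hosts ping Inside at any time:
! zone-pair security Out2In source Outside destination Inside
!  service-policy type inspect Out2In-Pass     (ICMP-CM -> pass)
!
! --- Inspect Rule Example ---
! "inspect" forwards the packet and records a session; the reply is matched
! to that session on the way back, so no Out2In rule is needed for it.
policy-map type inspect In2Out-Inspect
 class type inspect ICMP-CM
  inspect
 class class-default
  drop log
!
! A zone pair carries one service policy at a time, so attaching this one
! replaces In2Out-Pass on the same pair.
zone-pair security In2Out source Inside destination Outside
 service-policy type inspect In2Out-Inspect
!
! A ping that originates from Outside still matches no Out2In policy and
! is dropped. While an Inside host pings, the temporary entry is visible:
! show policy-map type inspect zone-pair In2Out sessions
```

Pass is the right choice only for traffic the inspector cannot track (protocols with no port or session information to follow), and then it has to be written on both zone pairs. For everything else, inspect gives the same one-way opening with the return path closed automatically when the session ends.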

Configuring a ZFW: Policy Map Completed
Once the Policy Maps are configured, the list will display:
Policy Map names
Details of each Policy Map and the action (Drop, Pass, Inspect) of the policy

Configuring a ZFW: Security Zones
We now want to create our Security Zones:
Outside Security Zone: the security zone that does not contain Logix processors or Logix I/O systems directly connected to the local Stratix 5900.
Inside Security Zone: the security zone that contains the locally connected Logix processor and I/O.
Configuration Aid (Zones): Action Steps: Security -> Firewall -> Firewall Components -> Zones -> Add. Final Result: Inside (VLAN 10); Outside (GigabitEthernet0).

Configuring a ZFW: Adding the Outside Security Zone
From Firewall Components -> Zones, select Add to create the Outside Security Zone.
Select the GigabitEthernet0 interface (the WAN0 port) to be associated with the Outside Security Zone.

Configuring a ZFW: Adding the Inside Security Zone
From Firewall Components -> Zones, select Add to create the Inside Security Zone.
Select VLAN 10 to be associated with the Inside Security Zone.
Remember: at the beginning of this presentation we assigned all Fast Ethernet network interfaces to VLAN 10; therefore all Fast Ethernet network interfaces will be in the Inside Security Zone.

Configuring a ZFW: Security Zone Pairs (Out2In)
In our example, we will define Outside to Inside and Inside to Outside Zone Pairs.
If you want traffic to flow from one zone to another, you need a Zone Pair and a policy applied to that Zone Pair.
We will create the Outside to Inside Zone Pair and name it Out2In. The same method is used to create the In2Out Zone Pair.
Configuration Aid (Zone Pairs): Action Steps: Security -> Firewall -> Firewall Components -> Zone Pairs -> Add: Out2In; Source Zone: Outside; Destination Zone: Inside; Policy: Outside-Inside-Policy. Final Result: Outside Zone and Inside Zone joined by the Zone Pairs, with Policy Maps Outside-Inside-Policy and Inside-Outside-Policy.

Configuring a ZFW: Out2In Zone Pair
From Firewall Components -> Zone Pairs, select Add to create the Out2In Zone Pair.
Select Outside as the Source Zone and Inside as the Destination Zone.
Select Outside-Inside-Policy as the security policy.
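The CLI equivalent of the Stratix Configurator steps above, as the Stratix 5900 (a Cisco IOS zone-based firewall) shows them in its running configuration. This is an added example and not part of the original guide: interface names follow the diagrams (Fa0-Fa3 in VLAN 10, GigabitEthernet0 as the WAN0 port), the contents of Inside-Outside-Policy are assumed because the slides do not show them, and the descriptions are illustrative.

```cisco
! Added example, not from the original guide: CLI form of the GUI steps.
! Assumptions: Gi0 is the WAN0 port, Fa0-Fa3 are access ports in VLAN 10,
! and Inside-Outside-Policy inspects the same CIP class (its real content
! is not shown on the slides).
!
! Step 1: User Defined Protocol (Port to Application Mapping).
! The name must start with "user-"; the port and protocol define the match.
ip port-map user-CIP-Class3 port tcp 44818
!
! Step 2: Class Map (Class Map Inspection). match-any: traffic belongs to
! the class if it meets any one listed criterion.
class-map type inspect match-any Outside-Inside-Inspect
 match protocol user-CIP-Class3
!
! Step 3: Policy Maps (Policy Map Protocol Inspection). class-default is
! everything the class map did not match; drop it explicitly and log it.
policy-map type inspect Outside-Inside-Policy
 class type inspect Outside-Inside-Inspect
  inspect
 class class-default
  drop log
!
policy-map type inspect Inside-Outside-Policy
 class type inspect Outside-Inside-Inspect
  inspect
 class class-default
  drop log
!
! Step 4: Security Zones. Zone membership is set on the VLAN interface,
! which covers Fa0-Fa3, and on the WAN routed port.
zone security Inside
 description Locally connected Logix controller and I/O
zone security Outside
 description Everything reached through WAN0
!
interface Vlan10
 zone-member security Inside
!
interface GigabitEthernet0
 description WAN0
 zone-member security Outside
!
! Step 5: Zone Pairs, one per direction, each with its policy attached.
zone-pair security Out2In source Outside destination Inside
 service-policy type inspect Outside-Inside-Policy
zone-pair security In2Out source Inside destination Outside
 service-policy type inspect Inside-Outside-Policy
!
! Checks after Studio 5000 goes online with the controller:
! show ip port-map user-CIP-Class3
! show zone-pair security
! show policy-map type inspect zone-pair Out2In sessions
```

Two defaults are worth knowing before trusting this. Traffic between two zones that have no zone pair, or that falls into class-default, is dropped, so the only thing reaching the Logix controller from WAN0 is TCP 44818, the CIP Class 3 (explicit messaging) port Studio 5000 uses. Traffic to and from the router itself (the self zone, for example management access to the Stratix 5900) is not covered by these zone pairs and is allowed by default; restrict it with a separate zone pair that has self as its source or destination. CIP Class 1 I/O (UDP 2222, the User-CIP-CLASS1 protocol in the Configuration Aid) needs its own port-map and class entry: the implicit connection is opened over TCP 44818 but the I/O packets then flow on UDP 2222, which inspecting TCP 44818 alone will not open.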

Review
You have added a User Defined Protocol (user-CIP-Class3) to be used within the Class Maps.
You have added the Outside-Inside-Inspect Class Map, which matches any of the user-CIP-Class3 protocol traffic and will be used with the Policy Maps.
You have added Outside-Inside-Policy to Inspect the Outside-Inside-Inspect Class Map that contains the user-CIP-Class3 protocol.
You have added an Outside and an Inside Security Zone.
You have created the Out2In and In2Out Security Zone Pairs to apply the Outside-Inside-Policy Security Policy Map.
Configuration Steps completed: Standard Protocols; User Defined Protocols; Class Map Inspection; Policy Map Protocol Inspection; Zones; Zone Pairs.

Zone-Based Policy Firewall Configuration Completed
With all the configuration steps completed, Studio 5000 will be able to go online with the Logix controller.
Figure: Cell/Area A network diagram (as above): Studio 5000 (192.168.10.100/24) in the Outside Security Zone reaching the Logix controller (10.10.30.10/24) in the Inside Security Zone through Stratix 5900_1.

Stratix 5900 ZFW Configuration Guide: Coming Soon
Stratix 5900 Zone-Based Policy Firewall (ZFW) Configuration Guide, to be released summer 2014.
A guide to help customers understand the fundamentals of ZFW by providing step-by-step configuration instructions to allow:
Studio 5000 to communicate with a Logix controller
Produce/Consume messages between Logix controllers
The Stratix 5900 ZFW Configuration Guide is more detailed than this presentation:
Includes Access Control List examples
Includes Network Object Groups

Other References
Zone-Based Policy Firewall Design and Application Guide: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
Conceptual Difference Between Cisco IOS Classic and Zone-Based Firewalls: http://www.cisco.com/c/en/us/products/collateral/security/ios-firewall/prod_white_paper0900aecd806f31f9.html
Zone-Based Policy Firewalls: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/asr1000/sec-data-zbf-xe-asr1k-book/sec-zone-pol-fw.html
Zone Based Firewall 101 Video: http://www.youtube.com/watch?v=ZmmvQH0seEc
5/22/2018 Stratix 5900 ZFW Configuration Guide 07142014
44/44
www.rockwellautomation.com
Follow ROKAutomation on Facebook & Twitter.Connect with us on LinkedIn.
COMPANY INTERNALInternal Use Only
Stratix 5900 Services Router:
Zone-Based Policy Firewall Configuration Guide Overview1783-SRKIT