
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.

Rev 5058-CO900F
COMPANY INTERNAL
Internal Use Only
1783-SRKIT
Stratix 5900 Services Router:
Zone-Based Policy Firewall Configuration Guide Overview
Agenda
Zone-Based Policy Firewall (ZFW) Overview
Firewall vs. Router
Additional Information
Configuring a Zone-Based Policy Firewall (ZFW)
What is a Traditional Firewall?
A software or hardware device whose primary function is to permit or deny traffic as it attempts to enter or leave the network, based on explicit preconfigured policies or rules.
Preconfigured rules are called Access Control Lists (ACLs). An ACL is a collection of Permit and Deny statements; each Permit or Deny statement is referred to as an Access Control Entry (ACE).
Firewalls are capable of inspecting the following elements of a packet:
- Source MAC or IP address
- Destination MAC or IP address
- Source TCP or UDP port
- Destination TCP or UDP port
- Protocol (Layer 2, 3, 4 or 7)
[Figure: a firewall with an Inside interface (host 10.10.30.10 on that side) and an Outside interface (host 192.168.10.100 on that side). The ACL applied to it holds three ACEs: Allow ICMP (ping) traffic to 10.10.30.10; Allow HTTPS traffic to 10.10.30.10; Block all other traffic.]
What is an Integrated Services Router (ISR)?
An ISR is a router that integrates additional network features into the router:
- Virtual Private Network (VPN) support
- Firewall
- Encryption services
ISRs are routers by default, and security features such as firewalls or Access Control Lists (ACLs) must be implemented to secure the ISR. ISRs differ from firewalls in that you must enable security on an ISR, whereas a firewall is secured by default: a firewall requires security rules to be written before communications can occur.
Firewall vs. Integrated Services Router
Similarities
- Firewall features can be provided by either device, depending on where in the architecture it sits.
- Both are stateful. A stateful firewall keeps state information about the source and destination IP addresses, the source and destination ports and the connection flags. For instance, a stateful firewall expects to see a connection establishment consisting of SYN, SYN/ACK and ACK packets before allowing a TCP conversation to occur between the hosts.
Differences
- The ASA 55xx firewall is used for Industrial Demilitarized Zones (IDMZ).
- The ASA 55xx supports Deep Packet Inspection, which is not recommended for the Stratix 5900.
- The ASA 55xx is a security appliance that is not a good router, while the Stratix 5900 is a router with limited security features.
Positioning within the Converged Plantwide Ethernet (CPwE) reference architectures
- Stratix 5900 Zone-Based Policy Firewall (ZFW) within the Cell/Area Zone or OEM application (machine or skid)
What is a Zone-Based Policy Firewall?
A Zone-Based Policy Firewall (ZFW) is a firewall that is configured to permit or deny traffic as it attempts to enter or leave a Security Zone, based on explicit preconfigured policies or rules.
- ZFW allows the designer to create Security Zones.
- Security Policies called Policy Maps are created to define the permit and deny traffic rules.
- Zone Pairs use the Policy Maps to define the traffic flow between the Security Zones.
[Figure: a firewall with an Inside Security Zone (10.10.30.10) and an Outside Security Zone (192.168.10.100), joined by a Zone Pair (Inside Security Zone to Outside Security Zone). The Policy Map on the zone pair reads: Permit ICMP traffic to 10.10.30.10; Permit HTTPS traffic to 10.10.30.10; Deny all other traffic.]
Zone-Based Policy Firewall
A ZFW changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Security Zones are created that group interfaces with the same security requirements. For example, an Inside Security Zone can be implemented for the Logix Controller(s), while an Outside Security Zone can be implemented to allow computers running configuration software to access the Logix Controller.
[Figure: Cell/Area A. Stratix 5900_1 has its WAN0 interface in the Outside Security Zone and VLAN 10 (ports Fa0, Fa1, Fa2, Fa3) in the Inside Security Zone. A Logix controller with an ENET module (10.10.30.10/24) sits on VLAN 10. On the outside, a Layer 3 switch connects the Stratix 5900 to a Studio 5000 workstation (192.168.10.100/24); the link between the Stratix 5900 and the switch uses 172.28.42.1/24 and 172.28.42.2/24, and Networks A, B and C are also shown.]
Network Interface and VLAN Security Zone Assignments
Network Interfaces and VLANs are assigned to a Security Zone. For example, the WAN 0 network interface is assigned to the Outside Security Zone. By placing the WAN 0 interface in the Outside Security Zone, any traffic entering the Stratix 5900 through the WAN 0 interface can have security policies applied as it traverses from the Outside to the Inside Security Zone.
VLAN 10 is assigned to the Inside Security Zone, where the Logix Controller is located. The Fast Ethernet network interfaces (Fa0-3) are assigned to VLAN 10 and therefore are assigned to the Inside Security Zone.

Security Policy Maps
Security Policy Maps are created to Permit or Deny traffic between Security Zones. For example, a Policy Map would be created to allow Studio 5000, using the CIP protocol, to communicate with the Logix Controller on TCP port 44818.
[Figure: the Cell/Area A diagram again, now with a Security Policy Map named Outside-Inside-Map between the Studio 5000 workstation (192.168.10.100) and the Logix controller (10.10.30.10): INSPECT CIP Class 3, port 44818.]
Applying Policy Maps to Zone Pairs
Policy Maps are applied to Security Zone Pairs. For example, the Policy Map Outside-Inside-Map would be assigned to inspect the traffic from the Outside Security Zone to the Inside Security Zone.
[Figure: the Cell/Area A diagram with the Security Policy Map Outside-Inside-Map (INSPECT CIP Class 3, port 44818) applied to the zone pair from the Outside Security Zone to the Inside Security Zone, covering traffic from 192.168.10.100 to 10.10.30.10.]
Zone Pairs
A Zone Pair allows you to specify a unidirectional firewall policy between two zones. Zone pairs allow you to leverage Policy Maps to define the communications between different security zones. We define zone pairs based on the source and destination security zone of the traffic flow.
[Figure: the Inside Security Zone (VLAN 10, ports Fa0-Fa3) and the Outside Security Zone (WAN0) are linked by two zone pairs, In2Out and Out2In.]
Zone Pair | Source Security Zone | Destination Security Zone | Policy Map Name
Out2In    | Outside              | Inside                    | Outside-Inside-Map
In2Out    | Inside               | Outside                   | Inside-Outside-Map
Steps to Building a Zone-Based Policy Firewall
The tasks for building a ZFW can be graphically depicted as a set of Configuration Steps. Finishing the lowest, foundational steps is recommended before moving to higher steps. In the Configuration Steps below, defining the protocols that will be used with the firewall should be accomplished first; it is the lowest and most foundational step of configuring a ZFW.
For this exercise, when a Configuration Step is completed it is depicted with blue hash marks. For example, the Standard Protocols step is completed. The green box, User Defined Protocols, represents the step you are currently accomplishing.
[Figure: Zone-Based Policy Firewall (ZFW) Configuration Steps, from the bottom up: Standard Protocols, User Defined Protocols, Class Map Inspection, Policy Map Protocol Inspection, Zones, Zone Pairs. Beside it, the Configuration Aid for the User Defined Protocols step: Stratix Configurator location Security -> Port to Application Mapping -> Add; Action Steps: User-CIP-CLASS3 (TCP 44818) and User-CIP-CLASS1 (UDP 2222); Final Result: User-CIP-CLASS3 and User-CIP-CLASS1.]
Configuration Aid: Steps to Building a ZFW
Location in the Stratix Configurator
To find where to enter the configuration in the Stratix Configurator, you will see a folder structure in the Configuration Aid. The folders represent where to find the needed dialog box or configuration window within the Stratix Configurator.
[Figure: Configuration Aid for the Class Map Inspection step: Stratix Configurator location Security -> C3PL -> Class Maps -> Inspection -> Add; Action Steps: Class Map CIP containing User-CIP-CLASS3 (TCP 44818) and User-CIP-CLASS1 (2222); Final Result: Class Map CIP with User-CIP-CLASS3 and User-CIP-CLASS1.]
Configuration Aid: Steps to Building a ZFW
High Level Configuration Steps
You will also see an arrow labeled Action Steps within the Configuration Aid. These represent the high-level actions or tasks that will be accomplished during this step.
Configuration Aid: Steps to Building a ZFW
Final Product or Output
Finally, within the Configuration Aid you will see the Final Result column, which represents the final product or output of the step you have completed.
Configuring a ZFW: Pre-defined / Standard Protocols
The Stratix 5900 includes pre-defined protocols that can be used to configure security policies. These pre-defined protocols include HTTP, ICMP, FTP and others. The list can be found under the Configure tab -> Security -> C3PL -> Class Map -> Add in the Stratix Configurator.
Configuring a ZFW: Adding User Defined Protocols
When you want to use a protocol that is not in the pre-defined protocol list, you must add a User Defined Protocol. A User Defined Protocol such as CIP can be added through the Stratix Configurator -> Security -> Port to Application Mapping screen. Once completed, the User Defined Protocol will be available for use in the security policies.
Configuring a ZFW: Port to Application Mapping
- From the Port to Application Mapping screen, select Add to configure a new protocol.
- Be sure to use the keyword identifier user when naming your protocol.
- The protocol name in this example is user-CIP-Class3.
- Select the Port Type TCP.
- Enter the port number 44818.
All protocols that are not in the pre-defined protocol list are defined using this method.
Configuring a ZFW: Adding Class Maps
Class maps define the traffic that a ZFW selects for policy application. Class maps sort the traffic based on the following criteria:
- Access-group: a standard, extended or named Access Control List can filter traffic based on source and destination IP address and source and destination port.
- Protocol: any well-known or user-defined service known to the Stratix 5900 may be specified.
- Class-map: a subordinate class map providing additional match criteria can be nested inside another class map.
- Not: the not criterion specifies that any traffic that does not match a specified service (protocol), access-group or subordinate class map will be selected for the class map.
Configuring a ZFW: Class Maps: Selecting from the Protocol List
Since we added a User Defined Protocol named user-CIP-Class3 in the previous steps, we will see this protocol under the User Defined protocol list.
Configuring a ZFW: Class Maps
Class maps can apply "match-any" or "match-all" operators to determine how to apply the match criteria. If "match-any" is specified, traffic must meet only one of the match criteria in the class map. If "match-all" is specified, traffic must match all of the class map's criteria to belong to that particular class.
Configuring a ZFW: Class Maps Completed
Once the Class Maps are configured, the list will display:
- Class Map names
- Details of each Class Map, including any pre-defined and User Defined Protocols, other subordinate Class Maps and Access Control Lists (ACLs)
Configuring a ZFW: Policy Maps
We now want to take the previously defined Class Maps and associate them with the following policies:
- Inside to Outside Security Zone Policy
- Outside to Inside Security Zone Policy
Policy maps specify the actions to be taken when traffic matches defined criteria.
[Figure: Configuration Aid for the Policy Map Protocol Inspection step: Stratix Configurator location Security -> C3PL -> Policy Map -> Protocol Inspection -> Add; Action Steps: Policy Map Industrial, action Inspect on Class Map CIP (User-CIP-CLASS3, User-CIP-CLASS1); Final Result: Policy Map Industrial inspecting Class Map CIP with User-CIP-CLASS3 and User-CIP-CLASS1.]
Configuring a ZFW: Policy Maps
Traffic types and criteria are defined in class maps associated with a policy map. In order for a ZFW to use the information in a policy map and its associated class maps, the policy map must be associated with a zone pair. We will configure Zone Pairs in future steps, but it is important to understand that you will use the previously created objects. You will define whether you want to Drop, Pass or Inspect the protocols you have defined.
Configuring a ZFW: Adding the Outside to Inside Policy Map
- From the Policy Map Protocol Inspection screen, select Add.
- Enter the Policy Name and Description.
- Select Add from the Add Protocol Inspection Policy Map window to associate your Class Maps from the previous steps.
Configuring a ZFW: Associate Class Map to Policy Map (1 of 2)
From the Class Name pull-down selector, choose Select A Class Map.
Configuring a ZFW: Associate Class Map to Policy Map (2 of 2)
From the Existing Class Map list, select Outside-Inside-Inspect.
Configuring a ZFW: Inspect with Policy Maps
Once you have selected the Outside-Inside-Inspect Class Map, choose Inspect.
Pass Rule vs. Inspect Rule?
Pass Rule Example
[Figure: an interface between the Inside Security Zone and the Outside Security Zone with an Outbound Rule of Pass ICMP (ping) and an Inbound Rule of Deny ALL. Step 1: the inside host sends a ping; Step 2: the firewall passes it to the outside host; Step 3: the outside host's reply is blocked.]
In our example, if the host within the Inside Security Zone were to send an ICMP (ping) message (Step 1) to the host in the Outside Security Zone, the firewall would pass the ICMP message (Step 2) to the host. See Outbound Rule = Pass ICMP.
The host in the Outside Security Zone would respond (Step 3) but would be blocked by the firewall because of the deny all rule. See Inbound Rule = Deny ALL.
In our example, an explicit Inbound ICMP Pass Rule would have to be written to allow the host in the Outside Security Zone to send an ICMP message to the host in the Inside Security Zone.
Pass Rule vs. Inspect Rule?
Inspect Rule Example
[Figure: the same interface between the Inside Security Zone and the Outside Security Zone, now with an Outbound Rule of Inspect ICMP (ping) and an Inbound Rule of Deny ALL. Step 1: the inside host sends a ping; Step 2: the firewall forwards it and (A) creates a temporary firewall rule to allow the ICMP reply; Steps 3 and 4: the outside host's reply is allowed back through.]
In this example, we see in Step 1 that the host in the Inside Security Zone issues an ICMP message. The firewall not only allows the ICMP message to pass (Step 2) but dynamically creates a rule to allow the host in the Outside Security Zone to respond (Step 3 and Step 4). See Outbound Rule = Inspect ICMP.
Inspect rules dynamically open the return port and keep track of the session information, so that when the session is complete the firewall closes the port it dynamically opened.
We also see from our example that, with a Deny All Inbound Rule, no ICMP messages originating in the Outside Security Zone will be passed to the Inside Security Zone.
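The pass/inspect distinction above, the match-any / match-all class-map operators and the one-way zone pairs from the earlier slides can all be exercised in a small model. The Python below is an added example, not Rockwell code and not how the Stratix 5900 implements ZFW; it identifies a packet's zone by the prefix behind each zone (an assumption), uses the page's addresses 10.10.30.10 and 192.168.10.100, adds a constructed second outside host 192.168.10.50, and models only the protocol and access-group criteria.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None  # None for ICMP
    dport: Optional[int] = None

    def reply(self):
        """The packet the destination sends back for this one."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


# Port-to-Application Mapping: protocol name -> (transport, port); the two
# user-* entries are the user-defined protocols from the page.
PORT_MAP = {"icmp": ("icmp", None), "https": ("tcp", 443),
            "user-CIP-Class3": ("tcp", 44818), "user-CIP-Class1": ("udp", 2222)}


@dataclass
class ClassMap:
    name: str
    criteria: list           # ("protocol", name) or ("access-group", (src_net, dst_net))
    match_all: bool = False  # False is match-any: one criterion is enough

    def matches(self, pkt):
        hits = [self._one(kind, arg, pkt) for kind, arg in self.criteria]
        return all(hits) if self.match_all else any(hits)

    @staticmethod
    def _one(kind, arg, pkt):
        if kind == "protocol":
            transport, port = PORT_MAP[arg]
            return pkt.proto == transport and (port is None or pkt.dport == port)
        src_net, dst_net = (ipaddress.ip_network(n) for n in arg)   # access-group
        return (ipaddress.ip_address(pkt.src) in src_net
                and ipaddress.ip_address(pkt.dst) in dst_net)


class ZoneFirewall:
    def __init__(self, zone_nets, policies, zone_pairs):
        self.zone_nets = {z: ipaddress.ip_network(n) for z, n in zone_nets.items()}
        self.policies = policies      # policy map name -> [(ClassMap, action)], default drop
        self.zone_pairs = zone_pairs  # (source zone, destination zone) -> policy map name
        self.sessions = set()         # flows that an "inspect" action opened

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return next(z for z, net in self.zone_nets.items() if addr in net)

    def forward(self, pkt):
        """Verdict for one packet: intra-zone, return, pass, inspect or drop."""
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if src_zone == dst_zone:
            return "intra-zone"               # no policy applies inside one zone
        if pkt.reply() in self.sessions:
            return "return"                   # reply to a flow that "inspect" recorded
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"                     # no zone pair in this direction
        for class_map, action in self.policies[policy]:
            if class_map.matches(pkt):
                if action == "inspect":
                    self.sessions.add(pkt)    # the dynamically created return rule
                return action                 # "pass" forwards without remembering the flow
        return "drop"                         # class-default: deny all other traffic

    def close_session(self, pkt):
        """Session complete: the dynamically opened return path closes again."""
        self.sessions.discard(pkt)


def run_examples():
    """Replay the page's scenarios; returns the verdict for each one."""
    logix, studio, other = "10.10.30.10", "192.168.10.100", "192.168.10.50"
    zones = {"Inside": "10.10.30.0/24", "Outside": "192.168.10.0/24"}
    pairs = {("Inside", "Outside"): "In2Out", ("Outside", "Inside"): "Out2In"}
    icmp = ClassMap("ICMP", [("protocol", "icmp")])
    # match-all: CIP Class 3 and only from the Studio 5000 workstation to the controller
    cip = ClassMap("Outside-Inside-Inspect",
                   [("protocol", "user-CIP-Class3"),
                    ("access-group", (studio + "/32", logix + "/32"))], match_all=True)
    ping, out = Packet(logix, studio, "icmp"), {}

    # Pass rule example: ICMP leaves, but the reply meets Deny ALL inbound.
    fw = ZoneFirewall(zones, {"In2Out": [(icmp, "pass")], "Out2In": [(cip, "inspect")]}, pairs)
    out["pass_ping"], out["pass_reply"] = fw.forward(ping), fw.forward(ping.reply())

    # Inspect rule example: the reply rides the temporary rule until the session closes.
    fw = ZoneFirewall(zones, {"In2Out": [(icmp, "inspect")], "Out2In": [(cip, "inspect")]}, pairs)
    out["inspect_ping"], out["inspect_reply"] = fw.forward(ping), fw.forward(ping.reply())
    fw.close_session(ping)
    out["reply_after_close"] = fw.forward(ping.reply())

    # Out2In: only CIP Class 3 from Studio 5000 to the controller is inspected.
    cip_pkt = Packet(studio, logix, "tcp", 51000, 44818)
    out["cip_from_studio"], out["cip_reply"] = fw.forward(cip_pkt), fw.forward(cip_pkt.reply())
    out["cip_from_other_host"] = fw.forward(Packet(other, logix, "tcp", 51000, 44818))
    out["ping_from_studio"] = fw.forward(Packet(studio, logix, "icmp"))
    out["inside_to_inside"] = fw.forward(Packet(logix, "10.10.30.20", "icmp"))
    return out
```

The point the model makes visible is that a pass rule is stateless: the outside host's reply is judged on its own against the Out2In policy, which has no ICMP class, so it is dropped. Inspect records the flow, lets the matching reply through, and stops doing so once the session is closed. Traffic between two hosts in the same zone never consults a policy, and a direction without a zone pair carries nothing.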
Configuring a ZFW: Policy Map Completed
Once the Policy Maps are configured, the list will display:
- Policy Map names
- Details of the Policy Maps and the action (Drop, Pass, Inspect) of each policy
Configuring a ZFW: Security Zones
We now want to create our Security Zones:
- Outside Security Zone: the security zone that does not contain Logix processors or Logix I/O systems directly connected to the local Stratix 5900.
- Inside Security Zone: the security zone that contains the locally connected Logix processor and I/O.
[Figure: Configuration Aid for the Zones step: Stratix Configurator location Security -> Firewall -> Firewall Components -> Zones -> Add; Action Steps: Inside zone on VLAN 10, Outside zone on GigabitEthernet0; Final Result: Inside and Outside zones.]
Configuring a ZFW: Adding the Outside Security Zone
- From Firewall Components -> Zones, select Add to create the Outside Security Zone.
- Select the GigabitEthernet0 interface to be associated with the Outside Security Zone.
Configuring a ZFW: Adding the Inside Security Zone
- From Firewall Components -> Zones, select Add to create the Inside Security Zone.
- Select VLAN 10 to be associated with the Inside Security Zone.
Remember that at the beginning of this presentation we assigned all Fast Ethernet network interfaces to VLAN 10; therefore, all Fast Ethernet network interfaces will be assigned to the Inside Security Zone.
Configuring a ZFW: Security Zone Pairs (Out2In)
In our example, we will define Outside to Inside and Inside to Outside zone pairs. If you want traffic to flow from one zone to another, you need a zone pair and a policy applied to that zone pair. We will create the Outside to Inside Zone Pair and name it Out2In. The same method is used to create the In2Out Zone Pair.
[Figure: Configuration Aid for the Zone Pairs step: Stratix Configurator location Security -> Firewall -> Firewall Components -> Zone Pairs; Action Steps: Add Out2In with Source Zone Outside, Destination Zone Inside and Policy Outside-Inside-Policy; Final Result: Outside Zone to Inside Zone with that policy. A Policy Map named Inside-Outside-Policy is also shown for the reverse pair.]
Configuring a ZFW: Out2In Zone Pair
- From Firewall Components -> Zone Pairs, select Add to create the Out2In Zone Pair.
- Select Outside as the Source Zone and Inside as the Destination Zone.
- Select Outside-Inside-Policy as the security policy.
Review
- You have added a User Defined Protocol (user-CIP-Class3) to be used within the Class Maps.
- You have added the Outside-Inside-Inspect Class Map to match any of the user-CIP-Class3 protocols that will be used with the Policy Maps.
- You have added Outside-Inside-Policy to inspect the Outside-Inside-Inspect Class Map that contains the user-CIP-Class3 protocol.
- You have added an Outside and an Inside Security Zone.
- You have created the Out2In and In2Out Security Zone Pairs to apply the Outside-Inside-Policy Security Policy Map.
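The objects built in the Zones, Policy Map and Zone Pair steps above end up in the router's running configuration, and the mistakes that matter most (a zone pair with no policy, an interface left out of every zone) do not announce themselves: traffic simply stops. The Python below is an added example, not Rockwell code or Configurator output. The configuration text it parses is constructed in the IOS-style CLI form that these objects take, which is an assumption about what the Stratix Configurator writes; the list of built-in protocol names is a small assumed subset. Two defects are planted in the sample on purpose so the audit has something to report.

```python
import re

# Constructed IOS-style configuration for the objects this page builds (an
# assumption, not device output). Planted defects: In2Out carries no
# service-policy, and interface Vlan20 belongs to no zone.
SAMPLE_CONFIG = """\
ip port-map user-CIP-Class3 port tcp 44818
ip port-map user-CIP-Class1 port udp 2222
class-map type inspect match-any Outside-Inside-Inspect
 match protocol user-CIP-Class3
policy-map type inspect Outside-Inside-Policy
 class type inspect Outside-Inside-Inspect
  inspect
 class class-default
  drop
zone security Outside
zone security Inside
interface GigabitEthernet0
 zone-member security Outside
interface Vlan10
 zone-member security Inside
interface Vlan20
 description constructed: forgotten zone membership
zone-pair security Out2In source Outside destination Inside
 service-policy type inspect Outside-Inside-Policy
zone-pair security In2Out source Inside destination Outside
"""

# Protocols the device knows without a user-defined port map (assumed subset).
BUILTIN_PROTOCOLS = {"icmp", "http", "https", "ftp", "dns", "tcp", "udp"}


def parse(text):
    """Build a dict model of the ZFW objects from IOS-style config text."""
    cfg = {"port_maps": {}, "class_maps": {}, "policy_maps": {}, "zones": set(),
           "interfaces": {}, "zone_pairs": {}}
    ctx = cur_class = None                    # the block the indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():              # a new top-level object
            ctx = None
            if m := re.match(r"ip port-map (\S+) port (tcp|udp) (\d+)$", line):
                cfg["port_maps"][m[1]] = (m[2], int(m[3]))
            elif m := re.match(r"class-map type inspect (match-any|match-all) (\S+)$", line):
                cfg["class_maps"][m[2]] = {"mode": m[1], "protocols": []}
                ctx = ("class-map", m[2])
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                cfg["policy_maps"][m[1]] = {}
                ctx = ("policy-map", m[1])
            elif m := re.match(r"zone security (\S+)$", line):
                cfg["zones"].add(m[1])
            elif m := re.match(r"interface (\S+)$", line):
                cfg["interfaces"][m[1]] = None   # zone is filled in by zone-member
                ctx = ("interface", m[1])
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                cfg["zone_pairs"][m[1]] = {"source": m[2], "destination": m[3], "policy": None}
                ctx = ("zone-pair", m[1])
            continue
        if ctx is None:
            continue
        kind, name = ctx
        words = line.split()
        if kind == "class-map" and words[:2] == ["match", "protocol"]:
            cfg["class_maps"][name]["protocols"].append(words[2])
        elif kind == "policy-map" and words[0] == "class":
            cur_class = words[-1]             # "class type inspect X" or "class class-default"
        elif kind == "policy-map" and words[0] in ("inspect", "pass", "drop"):
            cfg["policy_maps"][name][cur_class] = words[0]
        elif kind == "interface" and words[:2] == ["zone-member", "security"]:
            cfg["interfaces"][name] = words[2]
        elif kind == "zone-pair" and words[:3] == ["service-policy", "type", "inspect"]:
            cfg["zone_pairs"][name]["policy"] = words[3]
    return cfg


def audit(cfg):
    """Findings that mean silently dropped traffic or a configuration the device rejects."""
    out = []
    for name in cfg["port_maps"]:
        if name not in BUILTIN_PROTOCOLS and not name.startswith("user-"):
            out.append(f"port-map {name}: user-defined protocol names must start with user-")
    for cname, cm in cfg["class_maps"].items():
        for proto in cm["protocols"]:
            if proto not in cfg["port_maps"] and proto not in BUILTIN_PROTOCOLS:
                out.append(f"class-map {cname}: protocol {proto} is not defined")
    for pname, classes in cfg["policy_maps"].items():
        for cname in classes:
            if cname != "class-default" and cname not in cfg["class_maps"]:
                out.append(f"policy-map {pname}: class-map {cname} does not exist")
    for zname, zp in cfg["zone_pairs"].items():
        flow = f"{zp['source']}->{zp['destination']}"
        if not {zp["source"], zp["destination"]} <= cfg["zones"]:
            out.append(f"zone-pair {zname}: references an undefined zone")
        if zp["policy"] is None:
            out.append(f"zone-pair {zname}: no service-policy, all {flow} traffic is dropped")
        elif zp["policy"] not in cfg["policy_maps"]:
            out.append(f"zone-pair {zname}: policy-map {zp['policy']} does not exist")
    for iname, zone in cfg["interfaces"].items():
        if zone is None:
            out.append(f"interface {iname}: in no zone, so it cannot exchange traffic with zone members")
    return sorted(out)
```

Run `audit(parse(SAMPLE_CONFIG))` and the two planted defects come back as findings; add a service-policy to In2Out and a zone-member line to Vlan20 and the list is empty. The check on the user- prefix mirrors the "keyword identifier user" note from the Port to Application Mapping step.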
Zone-Based Policy Firewall Configuration Completed
With all the configuration steps completed, Studio 5000 will be able to go online with the Logix controller.

Stratix 5900 ZFW Configuration Guide: Coming Soon
Stratix 5900 Zone-Based Policy Firewall (ZFW) Configuration Guide, to be released summer 2014.
A guide to help customers understand the fundamentals of ZFW by providing step-by-step configuration instructions to allow:
- Studio 5000 to communicate with a Logix Controller
- Produce/Consume messages between Logix Controllers
The Stratix 5900 ZFW Configuration Guide is more detailed than this PowerPoint:
- Includes Access Control List examples
- Includes Network Object Groups

Other References
Zone-Based Policy Firewall Design and Application Guide
Conceptual Difference Between Cisco IOS Classic and Zone-Based
Firewalls
Zone-Based Policy Firewalls
Zone Based Firewall 101 Video
