Ramblings from The Montopolis Group

Building better businesses… with Technology

Archive for the ‘Cisco’ Category

New to Cisco Zone Based (Policy) Firewall?

Cisco IOS routers have a new firewall configuration method. OK, so it's not so new (Feb 2006), but I tend to let drastic new technologies like this "cook" for a while before I'll partake. Plus I finally got a handle on the Inspect/CBAC way of doing things!! BTW the "old" method is now called the IOS Classic Firewall ;)

The new method is called Zone Based Firewall, or Zone Based Policy Firewall if you want, and it definitely makes configuring a firewall policy simpler.

If you're used to working with the PIX/ASA firewalls, the learning curve is not as high, because they also work with the concept of zones.

This document shows a very simple example of what the new ZBF configuration looks like. They also provide some performance numbers, but what is absent is a comparison of performance against the previous Inspect/CBAC method.

That all being said, SDM 2.5 builds ZBF configurations by default. If you have an existing Inspect/CBAC configuration, however, SDM will continue to support it (at least for now).

I’ll be honest, when I first saw SDM build a ZBF firewall configuration I immediately pulled it out, put in my own Inspect/CBAC configuration, and then went on happily.

But times are changing, and if you need to firewall more than two interfaces, with varying degrees of lock-down, the ZBF truly looks like the way to go. Managing multiple ACLs and Inspect/CBAC configurations gets really tedious after a while, which makes it easy to screw something up inadvertently.
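To make the "more than two interfaces" point concrete, here is an added three-zone ZBF example (it is not from the post or from the linked Cisco documents). It assumes a router with three interfaces, GigabitEthernet0/0 through 0/2, and a hypothetical DMZ web server at 192.0.2.10 (an address from the documentation range, chosen here only for illustration). Inside hosts get stateful inspection toward the Internet and the DMZ, the Internet may reach only HTTP/HTTPS on the DMZ server, and everything else between zones is dropped and logged.

```cisco
! Added example, not part of the original post.
! Interface names and the DMZ server address 192.0.2.10 are assumptions.

! 1. Define the zones. Interfaces in the same zone talk freely; traffic
!    between different zones is dropped unless a zone-pair policy permits it.
zone security INSIDE
zone security DMZ
zone security OUTSIDE

! 2. Classify traffic. "inspect" (below) opens the return path statefully,
!    the way "ip inspect" did under CBAC.
class-map type inspect match-any CM-GENERAL
 match protocol tcp
 match protocol udp
 match protocol icmp

ip access-list extended ACL-TO-DMZ-WEB
 permit ip any host 192.0.2.10

class-map type inspect match-any CM-WEB-PROTOCOLS
 match protocol http
 match protocol https

! match-all: destination must be the DMZ server AND the protocol must be web.
class-map type inspect match-all CM-DMZ-WEB
 match access-group name ACL-TO-DMZ-WEB
 match class-map CM-WEB-PROTOCOLS

! 3. Policies. class-default catches anything the classes above did not.
policy-map type inspect PM-INSPECT-ALL
 class type inspect CM-GENERAL
  inspect
 class class-default
  drop log

policy-map type inspect PM-OUTSIDE-TO-DMZ
 class type inspect CM-DMZ-WEB
  inspect
 class class-default
  drop log

! 4. Zone pairs are directional. No OUTSIDE->INSIDE or DMZ->INSIDE pair
!    exists, so that traffic is dropped without any ACL being written.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSPECT-ALL
zone-pair security IN-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-INSPECT-ALL
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-OUTSIDE-TO-DMZ

! 5. Put interfaces into zones last, so the policy is in place before
!    traffic starts being classified.
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description DMZ
 zone-member security DMZ
interface GigabitEthernet0/2
 description Internet
 zone-member security OUTSIDE

! Verify:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

Two caveats worth knowing before cutting over from CBAC. First, traffic to and from the router itself (SSH, SNMP, routing protocols) belongs to the built-in "self" zone and is allowed by default; it is only restricted once you define zone pairs with "self" as source or destination, so management access is not locked down by the configuration above. Second, an interface that is not a member of any zone cannot exchange traffic with a zoned interface at all, which is the usual surprise when a fourth interface is added later. The CBAC equivalent of the above would need an ip inspect rule and an inbound ACL on each of the three interfaces, and each new interface multiplies the ACLs to keep consistent, which is exactly the tedium described here.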

Here are a few other overview links to get you started:

Cisco IOS Firewall Performance Guidelines for Cisco Integrated Services Routers

Zone-Based Policy Firewall Design and Application Guide

Cisco IOS Firewall Zone-Based Policy Firewall Release 12.4(6)T Technical Discussion February 2006

Zone-Based Policy Firewall

Ivan Pepelnjak’s Deploying Zone-Based Firewalls book

IOS Zone Based Firewall Configuration

Filed under: Cisco

Great Cisco IP telephony tools

A great set of tools for working with Cisco IP phones is here.

Here is a summary of what is available:

Phone Remote

Phone Remote allows you to take control of a Cisco IP phone (7940, 7941, 7960, 7961, 7970 and 7971 models) from anywhere with network connectivity.

Background Deployment

Background Deployment allows an administrator to remotely push a background image to Java-based phones (7941, 7961, 7970 and 7971 phones).

Ringtone Deployment Tool

Ring Tone Deployment is a utility which allows an administrator to remotely deploy a default ring type to 7940, 7941, 7960, 7961, 7970 and 7971 model IP phones.

Filed under: Cisco, UC/VoIP