7/30/2019 CCNA Security 04
1/99
© 2009 Cisco Learning Institute.
CCNA Security
Chapter Four
Implementing Firewall Technologies
Lesson Planning
This lesson should take 3-6 hours to present
The lesson should include lecture, demonstrations, discussion and assessment
The lesson can be taught in person or using remote instruction
Major Concepts
Implement ACLs
Describe the purpose and operation of firewall technologies
Implement CBAC
Zone-based Policy Firewall using SDM and CLI
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe standard and extended ACLs
2. Describe applications of standard and extended ACLs
3. Describe the relationship between topology and flow for ACLs and describe the proper selection of ACL types for particular topologies (ACL design methodology)
4. Describe how to implement ACLs with SDM
5. Describe the usage and syntax for complex ACLs
6. Describe the usage and syntax for dynamic ACLs
7. Interpret the output of the show and debug commands used to verify and troubleshoot complex ACL implementations
Lesson Objectives
8. Describe how to mitigate common network attacks with ACLs
9. Describe the purpose of firewalls and where they reside in a modern network
10. Describe the various types of firewalls
11. Describe design considerations for firewalls and the implications for the network security policy
12. Describe the role of CBAC in a modern network
13. Describe the underlying operation of CBAC
14. Describe the configuration of CBAC
15. Describe the verification and troubleshooting of CBAC
Lesson Objectives
16. Describe the role of Zone-Based Policy Firewall in a modern network
17. Describe the underlying operation of Zone-Based Policy Firewall
18. Describe the implementation of Zone-Based Policy Firewall with CLI
19. Describe the implementation of Zone-Based Policy Firewall with manual SDM
20. Describe the implementation of Zone-Based Policy Firewall with the SDM Wizard
21. Describe the verification and troubleshooting of Zone-Based Policy Firewall
ACL Topology and Types
Standard Numbered IP ACLs
The first value specifies the ACL number
The second value specifies whether to permit or deny the configured source IP address traffic
The third value is the source IP address that must be matched
The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range
All ACLs assume an implicit deny statement at the end of the ACL
At least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface
Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask]
Extended Numbered IP ACLs
The first value specifies the ACL number
The second value specifies whether to permit or deny accordingly
The third value indicates protocol type
The source IP address and wildcard mask determine where traffic originates. The destination IP address and wildcard mask indicate the final destination of the network traffic
Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established]
The command to apply the standard or extended numbered ACL to an interface:
Router(config-if)# ip access-group number {in | out}
Named IP ACLs
Router(config)# ip access-list extended vachon1
Router(config-ext-nacl)# deny ip any 200.1.2.10 0.0.0.1
Router(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 80
Router(config-ext-nacl)# permit tcp any host 200.1.1.10 eq 25
Router(config-ext-nacl)# permit tcp any eq 25 host 200.1.1.10 established
Router(config-ext-nacl)# permit tcp any 200.1.2.0 0.0.0.255 established
Router(config-ext-nacl)# permit udp any eq 53 200.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# interface ethernet 1
Router(config-if)# ip access-group vachon1 in
Router(config-if)# exit
(Figure: standard and extended named ACL syntax)
The log Parameter
There are several pieces of information logged:
The action: permit or deny
The protocol: TCP, UDP, or ICMP
The source and destination addresses
For TCP and UDP: the source and destination port numbers
For ICMP: the message types
*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet
*May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets
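The fields listed above can be pulled out of the syslog stream with a small parser and aggregated per flow. The Python below is an added example, not part of the Cisco deck: its input is the two slide lines plus one constructed "denied" line, and it handles only the IPACCESSLOGP message variant (TCP/UDP with port numbers) shown on this slide.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the two %SEC-6-IPACCESSLOGP lines from the slide plus one
# constructed 'denied' line, so both actions appear in the summary.
SAMPLE_LOG = """\
*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet
*May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets
*May 1 22:18:02.101: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN denied tcp 192.168.1.3(1025) -> 192.168.2.1(23), 1 packet
"""

# Fields of the IPACCESSLOGP message: ACL name, action, protocol, src(port) -> dst(port), count.
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_logp(text: str) -> List[Dict[str, object]]:
    """Return one record per IPACCESSLOGP line; lines in other formats are skipped."""
    records = []
    for line in text.splitlines():
        m = LOGP_RE.search(line)
        if not m:
            continue
        rec: Dict[str, object] = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(records) -> Dict[Tuple[str, str, str, str, str, int], int]:
    """Sum packet counts per (acl, action, proto, src, dst, dport).

    IOS logs the first matching packet immediately and then periodic summaries
    ('9 packets'), so the count field must be summed; counting lines undercounts.
    """
    totals: Dict[Tuple[str, str, str, str, str, int], int] = defaultdict(int)
    for r in records:
        totals[(r["acl"], r["action"], r["proto"], r["src"], r["dst"], r["dport"])] += r["count"]
    return dict(totals)


def denied_flows(records) -> List[Tuple[str, str, int]]:
    """Sorted (src, dst, dport) of every flow the ACL dropped, for review."""
    return sorted({(r["src"], r["dst"], r["dport"]) for r in records if r["action"] == "denied"})
```

Run `summarize(parse_logp(SAMPLE_LOG))` to get per-flow totals; the permitted SSH flow sums to 10 packets across its two lines, and `denied_flows` lists the single Telnet attempt.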
ACL Configuration Guidelines
ACLs are created globally and then applied to interfaces
ACLs filter traffic going through the router, or traffic to and from the router, depending on how it is applied
Only one ACL per interface, per protocol, per direction
Standard or extended indicates the information that is used to filter packets
ACLs are processed top-down. The most specific statements must go at the top of the list
All ACLs have an implicit deny all statement at the end, therefore every list must have at least one permit statement to allow any traffic to pass
Applying Standard ACLs
Use a standard ACL to block all traffic from the 172.16.4.0/24 network, but allow all other traffic.
r1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
r1(config)# access-list 1 permit any
r1(config)# interface ethernet 0
r1(config-if)# ip access-group 1 out
Applying Extended ACLs
Use an extended ACL to block all FTP traffic from the 172.16.4.0/24 network, but allow all other traffic.
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
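A small model of how a router evaluates a numbered ACL makes the three rules from the guidelines concrete: wildcard-mask matching, top-down first match, and the implicit deny at the end. The Python below is an added example, not code from the deck. It parses the ACL 101 statements above and the standard ACL 1 from the previous slide, models only the keywords those statements use (any, host, eq, log), and the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                   # "permit" | "deny"
    proto: str                    # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    sport: Optional[int] = None   # 'eq' source port; None = any
    dport: Optional[int] = None   # 'eq' destination port; None = any


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are ignored (inverse of a subnet mask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def _addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' at t[i]."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one numbered access-list statement: 1-99 standard, 100-199 extended."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:
        # Standard ACL: source only; a bare address without a wildcard means that host.
        if t[3] in ("any", "host"):
            src, wild, _ = _addr(t, 3)
        else:
            src, wild = t[3], (t[4] if len(t) > 4 else "0.0.0.0")
        return Ace(action, "ip", src, wild, "0.0.0.0", "255.255.255.255")
    proto = t[3]
    src, src_wild, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, dst_wild, i = _addr(t, i)
    dport, i = _port(t, i)
    if t[i:] not in ([], ["log"]):   # established, time-range, ... are not modelled here
        raise ValueError(f"unsupported keyword(s) {t[i:]} in {line!r}")
    return Ace(action, proto, src, src_wild, dst, dst_wild, sport, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wild)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wild)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, 1-based line number);
    ("deny", None) is the implicit 'deny ip any any' at the end of every ACL."""
    for n, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace.action, n
    return "deny", None


# ACL 101 from the slide above and standard ACL 1 from the preceding slide.
ACL_101 = [parse_ace(s) for s in (
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
)]
ACL_1 = [parse_ace(s) for s in ("access-list 1 deny 172.16.4.0 0.0.0.255", "access-list 1 permit any")]


def demo() -> dict:
    ftp = Packet("tcp", "172.16.4.10", "172.16.3.5", 1030, 21)    # constructed test packets
    http = Packet("tcp", "172.16.4.10", "172.16.3.5", 1031, 80)
    return {
        "ftp blocked by line 1": evaluate(ACL_101, ftp),
        "http allowed by line 3": evaluate(ACL_101, http),
        "ftp to another network allowed": evaluate(ACL_101, Packet("tcp", "172.16.4.10", "10.1.1.1", 1032, 21)),
        "permit any placed first hides the deny": evaluate(list(reversed(ACL_101)), ftp),
        "no permit line: implicit deny": evaluate(ACL_101[:2], http),
        "standard ACL filters on source only": evaluate(ACL_1, http),
    }
```

`demo()` shows the two guideline failures in one place: with `permit ip any any` moved to the top the deny lines are never reached, and an ACL consisting only of deny lines drops the HTTP packet through the implicit deny even though no statement mentions it.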
Other CLI Commands
To ensure that only traffic from a subnet is blocked and all other traffic is allowed:
access-list 1 permit any
To place an ACL on the inbound E1 interface:
interface ethernet 1
ip access-group 101 in
To check the intended effect of an ACL:
show ip access-list
How ACLs Work
(Figure: inbound ACL and outbound ACL processing)
ACL Placement
Extended ACLs should be placed on routers as close as possible to the source that is being filtered. If placed too far from the source being filtered, there is inefficient use of network resources.
Standard ACLs should be placed as close to the destination as possible. Standard ACLs filter packets based on the source address only. If placed too close to the source, they can deny all traffic, including valid traffic.
Using Nmap for Planning
(Topology: PC A, R1, R2, R3 and a POP3 server at 192.168.20.2/24; interfaces F0/0, F0/1 and Serial 0/0/0)
PC-A$ nmap --system-dns 192.168.20.0/24
Interesting ports on webserver.branch1.com (192.168.20.2):
(The 1669 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
110 open pop3
Using SDM
Choose the Configure option for configuring ACLs
Access Rules
Choose Configure > Additional Tasks > ACL Editor
Rule types:
- Access Rules
- NAT Rules
- IPsec Rules
- NAC Rules
- Firewall Rules
- QoS Rules
- Unsupported Rules
- Externally Defined Rules
- Cisco SDM Default Rules
Configuring Standard Rules Using SDM
1. Choose Configure > Additional Tasks > ACL Editor > Access Rules
2. Click Add
3. Enter a name or number
4. Choose Standard Rule
Optionally, enter a description
5. Click Add
6. Choose Permit or Deny
7. Choose an address type
8. Complete this field based on the choice made in #7
9. Enter an optional description
10. Optional checkbox
11. Click OK
12. Continue adding or editing rules
Applying a Rule to an Interface
1. Click Associate
2. Choose the interface
3. Choose a direction
4. An information box with options appears if a rule is already associated with that interface in that direction.
Viewing Commands
R1# show running-config
!
hostname R1
enable secret 5 $1$MJD8$.1LWYcJ6iUi133Yg7vGHG/
!
crypto pki trustpoint TP-self-signed-1789018390
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1789018390
 revocation-check none
 rsakeypair TP-self-signed-1789018390
!
crypto pki certificate chain TP-self-signed-1789018390
 certificate self-signed 01
  3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  1BF29620 A084B701 5B92483D D934BE31 ECB7AB56 8FFDEA93 E2061F33 8356
  quit
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group Outbound in
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 128000
!
no ip http server
ip http secure-server
!
ip access-list standard Outbound
 remark SDM_ACL Category=1
 permit 192.168.1.3
!
access-list 100 remark SDM_ACL Category=16
access-list 100 deny tcp any host 192.168.1.3 eq telnet log
access-list 100 permit ip any any
!
!
Types of ACL
Standard IP ACLs
Extended IP ACLs
Extended IP ACLs using TCP established
Reflexive IP ACLs
Dynamic ACLs
Time-Based ACLs
Context-based Access Control (CBAC) ACLs
Syntax for TCP Established
The established keyword:
Forces a check by the router to see if the ACK, FIN, PSH, RST, SYN or URG TCP control flags are set. If a flag is set, the TCP traffic is allowed in.
Does not implement a stateful firewall on a router
Hackers can take advantage of the open hole
The option does not apply to UDP or ICMP traffic
Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established]
Example Using TCP Established
(Topology: PC A and PC C, R1, R2 and R3 with Serial0/0/0 and Serial0/0/1 links; R1 LAN 192.168.1.3/24)
access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
access-list 100 permit tcp any host 192.168.1.3 eq 22
access-list 100 deny ip any any
interface s0/0/0
ip access-group 100 in
Reflexive ACLs
(Topology: PC A and PC C, R1, R2 and R3 with Serial0/0/0 and Serial0/0/1 links; R1 LAN 192.168.1.3/24)
Provide a truer form of session filtering
Much harder to spoof
Allow an administrator to perform actual session filtering for any type of IP traffic
Work by using temporary access control entries (ACEs)
Configuring a Router to Use Reflexive ACLs
(Topology: PC A, R1, R2 and the Internet; serial links Serial0/0/0 and Serial0/0/1)
1. Create an internal ACL that looks for new outbound sessions and creates temporary reflexive ACEs
2. Create an external ACL that uses the reflexive ACLs to examine return traffic
3. Activate the named ACLs on the appropriate interfaces
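The difference between the established keyword from the TCP Established slide and the three-step reflexive design above is easiest to see side by side. The Python below is an added example, not code from the deck. The inside network 192.168.1.0/24 and the contents of ACL 100 come from the TCP Established example; the outside addresses, port numbers and the 300-second idle timeout (the IOS default for reflexive entries) are assumptions of the model, and in this model a segment counts as "established" when its ACK or RST bit is set. Whatever flag is checked, the point is the same: a stateless header check never verifies that an inside host opened the session, while the reflexive entry exists only because one did.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

INSIDE_PREFIX = "192.168.1."          # the protected LAN in the slides, 192.168.1.0/24
REFLEXIVE_TIMEOUT = 300               # seconds; IOS default idle timeout for reflexive entries


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]             # e.g. frozenset({"SYN", "ACK"})


def inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def established_acl_permits(seg: Segment) -> bool:
    """Inbound ACL 100 from the TCP Established slide, evaluated statelessly:
         permit tcp any eq 443 192.168.1.0 0.0.0.255 established
         permit tcp any host 192.168.1.3 eq 22
         deny ip any any
    'established' looks only at the TCP header: a segment with ACK or RST set is
    treated as part of an existing session whether or not an inside host opened one."""
    if seg.sport == 443 and inside(seg.dst) and seg.flags & {"ACK", "RST"}:
        return True
    if seg.dst == "192.168.1.3" and seg.dport == 22:
        return True
    return False


class ReflexiveAcl:
    """Model of the three reflexive-ACL steps: the internal ACL creates a temporary,
    mirrored ACE for each new outbound session; the external ACL admits only
    inbound segments that match one of those ACEs; both are bound to interfaces."""

    def __init__(self, timeout: int = REFLEXIVE_TIMEOUT) -> None:
        self.timeout = timeout
        self.entries: Dict[Tuple[str, int, str, int], float] = {}   # mirrored tuple -> expiry

    def outbound(self, seg: Segment, now: float) -> bool:
        """Internal ACL on the inside interface: permit and 'reflect' new sessions."""
        if not inside(seg.src):
            return False
        # The temporary ACE is the mirror image of the outbound packet.
        self.entries[(seg.dst, seg.dport, seg.src, seg.sport)] = now + self.timeout
        return True

    def inbound(self, seg: Segment, now: float) -> bool:
        """External ACL: 'evaluate' the reflexive list; anything unmatched is denied."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry < now:                          # idle entry has aged out
            del self.entries[key]
            return False
        if seg.flags & {"FIN", "RST"}:            # teardown removes the entry (simplified)
            del self.entries[key]
        else:
            self.entries[key] = now + self.timeout   # activity refreshes the timer
        return True


def demo() -> dict:
    # Constructed traffic; RFC 5737 documentation addresses stand in for outside hosts.
    probe = Segment("203.0.113.7", 443, "192.168.1.50", 3389, frozenset({"ACK"}))    # unsolicited
    outbound = Segment("192.168.1.50", 40000, "198.51.100.9", 443, frozenset({"SYN"}))
    reply = Segment("198.51.100.9", 443, "192.168.1.50", 40000, frozenset({"SYN", "ACK"}))
    refl = ReflexiveAcl()
    results = {
        "established: unsolicited ACK from port 443 passes": established_acl_permits(probe),
        "reflexive: unsolicited ACK has no mirrored entry": refl.inbound(probe, now=10),
    }
    refl.outbound(outbound, now=0)
    results["reflexive: reply to an outbound session passes"] = refl.inbound(reply, now=1)
    results["reflexive: reply after the idle timeout is dropped"] = refl.inbound(reply, now=1 + REFLEXIVE_TIMEOUT + 1)
    return results
```

The unsolicited probe is the "open hole" the TCP Established slide warns about: it satisfies the established line because of its source port and ACK bit alone, while the reflexive list rejects it because no inside host ever sent anything to 203.0.113.7.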
Dynamic ACL Overview
Available for IP traffic only
Dependent on Telnet connectivity, authentication, and extended ACLs
Security benefits include:
- Use of a challenge mechanism to authenticate users
- Simplified management in large internetworks
- Reduction of the amount of router processing that is required for ACLs
- Reduction of the opportunity for network break-ins by network hackers
- Creation of dynamic user access through a firewall without compromising other configured security restrictions
Implementing a Dynamic ACL
The remote user opens a Telnet or SSH connection to the router. The router prompts the user for a username and password.
The router authenticates the connection.
A dynamic ACL entry is added that grants the user access.
The user can access the internal resources.
Setting up a Dynamic ACL
Router(config)# access-list ACL_# dynamic dynamic_ACL_name [timeout minutes] {deny | permit} IP_protocol source_IP_address src_wildcard_mask destination_IP_address dst_wildcard_mask [established] [log]
CLI Commands
Time-based ACLs
CLI Commands
Example Configuration
(Figure: R1 and R2 with serial links toward the Internet; networks 192.168.1.0/24 and 10.1.1.1. A user complains: "I can't surf the web at 10:00 A.M. because of the time-based ACL!")
Perimeter(config)# time-range employee-time
Perimeter(config-time)# periodic weekdays 12:00 to 13:00
Perimeter(config-time)# periodic weekdays 17:00 to 19:00
Perimeter(config-time)# exit
Perimeter(config)# access-list 100 permit tcp any host 200.1.1.11 eq 25
Perimeter(config)# access-list 100 permit tcp any eq 25 host 200.1.1.11 established
Perimeter(config)# access-list 100 permit udp any host 200.1.1.12 eq 53
Perimeter(config)# access-list 100 permit udp any eq 53 host 200.1.1.12
Perimeter(config)# access-list 100 permit tcp any 200.1.1.0 0.0.0.255 established time-range employee-time
Perimeter(config)# access-list 100 deny ip any any
Perimeter(config)# interface ethernet 1
Perimeter(config-if)# ip access-group 100 in
Perimeter(config-if)# exit
Perimeter(config)# access-list 101 permit tcp host 200.1.1.11 eq 25 any
Perimeter(config)# access-list 101 permit tcp host 200.1.1.11 any eq 25
Perimeter(config)# access-list 101 permit udp host 200.1.1.12 eq 53 any
Perimeter(config)# access-list 101 permit udp host 200.1.1.12 any eq 53
Perimeter(config)# access-list 101 permit tcp 200.1.1.0 0.0.0.255 any time-range employee-time
Perimeter(config)# access-list 101 deny ip any any
Perimeter(config)# interface ethernet 1
Perimeter(config-if)# ip access-group 101 out
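Whether the two time-range lines above are active at a given moment is decided entirely by the employee-time definition; outside its windows the lines are inactive and the implicit deny applies, which is why the user in the figure cannot browse at 10:00. The Python below is an added example, not from the deck: it parses periodic statements in the form used above (including day-name lists in the same syntax) and evaluates a timestamp against them. Treating the end time as exclusive is this model's own convention.

```python
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
DAY_KEYWORDS = {
    "daily": frozenset(range(7)),
    "weekdays": frozenset(range(5)),        # Monday..Friday
    "weekend": frozenset({5, 6}),
}


class TimeRange:
    """A named time-range built from 'periodic' statements."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.periods: List[Tuple[FrozenSet[int], time, time]] = []

    def periodic(self, spec: str) -> None:
        """Parse 'periodic <days> HH:MM to HH:MM' where <days> is daily | weekdays |
        weekend | one or more day names. Same-day ranges only (no end day)."""
        t = spec.split()
        if t[0] != "periodic" or "to" not in t:
            raise ValueError(f"unsupported statement: {spec!r}")
        to = t.index("to")
        day_tokens, start_str, end_tokens = t[1:to - 1], t[to - 1], t[to + 1:]
        if not day_tokens or len(end_tokens) != 1:
            raise ValueError(f"ranges that name an end day are not modelled: {spec!r}")
        days: set = set()
        for d in day_tokens:
            if d in DAY_KEYWORDS:
                days |= DAY_KEYWORDS[d]
            elif d in DAYS:
                days.add(DAYS.index(d))
            else:
                raise ValueError(f"unknown day {d!r}")
        self.periods.append((frozenset(days),
                             time.fromisoformat(start_str),
                             time.fromisoformat(end_tokens[0])))

    def active(self, when: datetime) -> bool:
        """True when any period covers 'when' (start inclusive, end exclusive in this model)."""
        return any(when.weekday() in days and start <= when.time() < end
                   for days, start, end in self.periods)


def employee_time() -> TimeRange:
    """The time-range defined on the slide above."""
    tr = TimeRange("employee-time")
    tr.periodic("periodic weekdays 12:00 to 13:00")
    tr.periodic("periodic weekdays 17:00 to 19:00")
    return tr


EMPLOYEE_TIME = employee_time()


def web_allowed(when_iso: str, tr: Optional[TimeRange] = None) -> bool:
    """Is 'permit tcp 200.1.1.0 0.0.0.255 any time-range employee-time' active at
    when_iso (an ISO 8601 timestamp)? When it is not, that line is skipped and the
    packet falls through to 'deny ip any any'."""
    return (tr or EMPLOYEE_TIME).active(datetime.fromisoformat(when_iso))
```

`web_allowed("2019-07-30T10:00")` (a Tuesday) is False, matching the complaint in the figure, while `web_allowed("2019-07-30T12:30")` is True.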
Verifying ACL Configuration
The ACLs are implemented. Now it is time to verify that they are working properly.
(Topology: PC C, R1, R2 and R3 with Serial0/0/0 and Serial0/0/1 links)
Router# show access-lists [access-list-number|access-list-name]
Confirmation
Perimeter# show access-list 100
Extended IP access list 100
permit tcp any host 200.1.1.14 eq www (189 matches)
permit udp any host 200.1.1.13 eq domain (32 matches)
permit tcp any host 200.1.1.12 eq smtp
permit tcp any eq smtp host 200.1.1.12 established
permit tcp any host 200.1.1.11 eq ftp
permit tcp any host 200.1.1.11 eq ftp-data
permit tcp any eq www 200.1.2.0 0.0.0.255 established
permit udp any eq domain 200.1.2.0 0.0.0.255
deny ip any any (1237 matches)
Troubleshooting
Perimeter# debug ip packet
IP packet debugging is on
IP: s=172.69.13.44 (Serial0/0), d=10.125.254.1 (Serial0/1), g=172.69.16.2, forward
IP: s=200.0.2.2 (Ethernet0), d=10.36.125.2 (Serial0/1), g=172.69.16.2, forward
IP: s=200.0.2.6 (Ethernet0), d=255.255.255.255, rcvd 2
IP: s=200.0.2.55 (Ethernet0), d=172.69.2.42 (Serial0/0), g=172.69.13.6, forward
IP: s=200.0.2.33 (Ethernet0), d=10.130.2.156 (Serial0/1), g=172.69.16.2, forward
IP: s=200.0.2.27 (Ethernet0), d=172.69.43.126 (Serial0/0), g=172.69.23.5, forward
IP: s=200.0.2.27 (Ethernet0), d=172.69.43.126 (Serial0/0), g=172.69.13.6, forward
IP: s=200.5.5.5 (Ethernet1), d=255.255.255.255, rcvd 2
IP: s=200.0.2.2 (Ethernet0), d=10.36.125.2 (Serial0/1), g=172.69.16.2, access denied
Attacks Mitigated
ACLs can be used to:
Mitigate IP address spoofing, inbound
Mitigate IP address spoofing, outbound
Mitigate Denial of Service (DoS) TCP synchronize (SYN) attacks, blocking external attacks
Mitigate DoS TCP SYN attacks using TCP intercept
Mitigate DoS smurf attacks
Filter Internet Control Message Protocol (ICMP) messages, inbound
Filter ICMP messages, outbound
Filter traceroute
CLI Commands
Inbound:
R1(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)#access-list 150 deny ip host 255.255.255.255 any
Outbound:
R1(config)#access-list 105 permit ip 192.168.1.0 0.0.0.255 any
Allowing Common Services
R1(config)#access-list 122 permit udp any host 192.168.20.2 eq domain
R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq smtp
R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq ftp
R1(config)#access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq telnet
R1(config)#access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq 22
R1(config)#access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq syslog
R1(config)#access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq snmptrap
(Topology: R1 with interfaces F0/0, F0/1 and Serial 0/0/0; the Internet; a DNS, SMTP and FTP server at 192.168.20.2/24; PC A at 200.5.5.5/24)
Controlling ICMP Messages
Inbound on S0/0/0:
R1(config)#access-list 112 permit icmp any any echo-reply
R1(config)#access-list 112 permit icmp any any source-quench
R1(config)#access-list 112 permit icmp any any unreachable
R1(config)#access-list 112 deny icmp any any
Outbound on S0/0/0:
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench
(Topology: R1 with interfaces F0/0, F0/1 and Serial 0/0/0; the Internet; 192.168.20.2/24; PC A at 200.5.5.5/24)
Firewalls
A firewall is a system that enforces an access control policy between networks
Common properties of firewalls:
- The firewall is resistant to attacks
- The firewall is the only transit point between networks
- The firewall enforces the access control policy
Benefits of Firewalls
Prevents exposing sensitive hosts and applications to untrusted users
Prevents the exploitation of protocol flaws by sanitizing the protocol flow
Firewalls prevent malicious data from being sent to servers and clients.
Properly configured firewalls make security policy enforcement simple, scalable, and robust.
A firewall reduces the complexity of security management by offloading most of the network access control to a couple of points in the network.
Types of Filtering Firewalls
Packet-filtering firewall: typically a router that has the capability to filter on some of the contents of packets (examines Layer 3 and sometimes Layer 4 information)
Stateful firewall: keeps track of the state of a connection: whether the connection is in an initiation, data transfer, or termination state
Application gateway firewall (proxy firewall): filters information at Layers 3, 4, 5, and 7. Firewall control and filtering are done in software.
Address-translation firewall: expands the number of IP addresses available and hides the network addressing design.
Types of Filtering Firewalls
Host-based (server and personal) firewall: a PC or server with firewall software running on it.
Transparent firewall: filters IP traffic between a pair of bridged interfaces.
Hybrid firewalls: some combination of the above firewalls. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.
Packet Filtering Firewall Advantages
Are based on a simple permit or deny rule set
Have a low impact on network performance
Are easy to implement
Are supported by most routers
Afford an initial degree of security at a low network layer
Perform 90% of what higher-end firewalls do, at a much lower cost
Packet Filtering Firewall Disadvantages
Packet filtering is susceptible to IP spoofing. Hackers send arbitrary packets that fit ACL criteria and pass through the filter.
Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, all fragments after the first fragment are passed unconditionally.
Complex ACLs are difficult to implement and maintain correctly.
Packet filters cannot dynamically filter certain services.
Packet filters are stateless.
Stateful Firewalls
(Figure: host 10.1.1.1 inside and server 200.3.3.3 outside; the session uses source port 1500 and destination port 80)
Inside ACL (Outgoing Traffic):
permit ip 10.0.0.0 0.0.0.255 any
Outside ACL (Incoming Traffic):
Dynamic: permit tcp host 200.3.3.3 eq 80 host 10.1.1.1 eq 1500
permit tcp any host 10.1.1.2 eq 25
permit udp any host 10.1.1.2 eq 53
deny ip any any
Stateful Firewalls: Advantages/Disadvantages
Advantages
Often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
Strengthens packet filtering by providing more stringent control over security than packet filtering
Improves performance over packet filters or proxy servers.
Defends against spoofing and DoS attacks
Allows for more log information than a packet filtering firewall
Disadvantages
Cannot prevent application layer attacks because it does not examine the actual contents of the HTTP connection
Not all protocols are stateful, such as UDP and ICMP
Some applications open multiple connections, requiring a whole new range of ports opened to allow this second connection
Stateful firewalls do not support user authentication
Cisco Systems Firewall Solutions
IOS Firewall: Zone-based policy framework for intuitive management
Instant messenger and peer-to-peer application filtering
VoIP protocol firewalling
Virtual routing and forwarding (VRF) firewalling
Wireless integration
Stateful failover
Local URL whitelist and blacklist support
Application inspection for web and e-mail traffic
PIX 500 Series
ASA 5500 Series
Design with DMZ
(Figure: trusted network, DMZ and untrusted Internet, with Private-Public, Public-DMZ, DMZ-Private and Private-DMZ policies)
Layered Defense Scenario
Endpoint security: Provides identity and device security policy compliance
Core network security: Protects against malicious software and traffic anomalies, enforces network policies, and ensures survivability
Disaster recovery: Offsite storage and redundant architecture
Communications security: Provides information assurance
Perimeter security: Secures boundaries between zones
Firewall Best Practices
Position firewalls at security boundaries.
Firewalls are the primary security device. It is unwise to rely exclusively on a firewall for security.
Deny all traffic by default. Permit only services that are needed.
Ensure that physical access to the firewall is controlled.
Regularly monitor firewall logs.
Practice change management for firewall configuration changes.
Remember that firewalls primarily protect from technical attacks originating from the outside.
Design Example
(Figure: R1, R2 and R3 connected by Serial0/0/0 and Serial0/0/1 links; switches S1, S2 and S3; PC A (RADIUS/TACACS+); PC C; two Cisco routers with IOS Firewall; the Internet)
Introduction to CBAC
Filters TCP and UDP packets based on application layer protocol session information
Provides stateful application layer filtering
Provides four main functions:
- Traffic Filtering
- Traffic Inspection
- Intrusion Detection
- Generation of Audits and Alerts
CBAC Capabilities
Monitors TCP Connection Setup
Examines TCP Sequence Numbers
Inspects DNS Queries and Replies
Inspects Common ICMP Message Types
Supports Applications with Multiple Channels, such as FTP and Multimedia
Inspects Embedded Addresses
Inspects Application Layer Information
CBAC Overview
Step-by-Step
(Figure: Telnet request from the inside network to 209.x.x.x, entering Fa0/0 and leaving S0/0/0)
1. Examines the fa0/0 inbound ACL to determine if Telnet requests are permitted to leave the network.
2. IOS compares the packet type to the inspection rules to determine if Telnet should be tracked.
3. Adds information to the state table to track the Telnet session.
4. Adds a dynamic entry to the inbound ACL on s0/0/0 to allow reply packets back into the internal network.
5. Once the session is terminated by the client, the router will remove the state entry and dynamic ACL entry.
CBAC TCP Handling
CBAC UDP Handling
CBAC Example
Configuration of CBAC
Four Steps to Configure
Step 1: Pick an Interface
Step 2: Configure IP ACLs at the Interface
Step 3: Define Inspection Rules
Step 4: Apply an Inspection Rule to an Interface
Step 1: Pick an Interface
Two-Interface
Three-Interface
Step 2: Configure IP ACLs at the Interface
Step 3: Define Inspection Rules
Router(config)# ip inspect name inspection_name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
Step 4: Apply an Inspection Rule to an Interface
Verification and Troubleshooting of CBAC
Alerts and Audits
show ip inspect Parameters
debug ip inspect Parameters
Alerts and Audits
*Note: Alerts are enabled by default and automatically display on the console line of the router. If alerts have been disabled using the ip inspect alert-off command, the no form of that command, as seen above, is required to re-enable alerts.
show ip inspect Parameters
debug ip inspect Parameters
Topology Example
If an additional interface is added to the private zone, the hosts connected to the new interface in the private zone can pass traffic to all hosts on the existing interface in the same zone. Additionally, hosts connected to the new interface in the private zone must adhere to all existing private policies related to that zone when passing traffic to other zones.
(Figure: topology in which each zone holds only one interface)
Benefits
Zone-based policy firewall is not dependent on ACLs
The router security posture is now block unless explicitly allowed
C3PL makes policies easy to read and troubleshoot
One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.
(Figure: two zones)
The Design Process
1. The internetworking infrastructure under consideration is split into well-documented separate zones with various security levels
2. For each pair of source-destination zones, the sessions that clients in source zones are allowed to open to servers in destination zones are defined. For traffic that is not based on the concept of sessions (for example, IPsec Encapsulating Security Payload [ESP]), the administrator must define unidirectional traffic flows from source to destination and vice versa.
3. The administrator must design the physical infrastructure.
4. For each firewall device in the design, the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones, resulting in a device-specific interzone policy.
Common Designs
- LAN-to-Internet
- Public Servers
- Redundant Firewalls
- Complex Firewall
Zones Simplify Complex Firewall
Actions
Inspect: This action configures Cisco IOS stateful packet inspection
Drop: This action is analogous to deny in an ACL
Pass: This action is analogous to permit in an ACL
Rules for Application Traffic

Source interface member of zone? | Destination interface member of zone? | Zone-pair exists? | Policy exists? | Result
NO | NO | N/A | N/A | No impact of zoning/policy
YES (zone 1) | YES (zone 1) | N/A* | N/A | No policy lookup (PASS)
YES | NO | N/A | N/A | DROP
NO | YES | N/A | N/A | DROP
YES (zone 1) | YES (zone 2) | NO | N/A | DROP
YES (zone 1) | YES (zone 2) | YES | NO | DROP
YES (zone 1) | YES (zone 2) | YES | YES | Policy actions

* A zone-pair must have different zones as source and destination.
Rules for Router Traffic
Source interface member of zone? | Destination interface member of zone? | Zone-pair exists? | Policy exists? | Result
ROUTER | YES | NO | - | PASS
ROUTER | YES | YES | NO | PASS
ROUTER | YES | YES | YES | Policy actions
YES | ROUTER | NO | - | PASS
YES | ROUTER | YES | NO | PASS
YES | ROUTER | YES | YES | Policy actions
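The two tables above reduce to one decision function, which is a useful way to check a design before typing it in: every combination of zone membership, zone-pair and attached policy has exactly one outcome. The Python below is an added example, not Cisco code. The zone names (Inside, Outside) and the InsideToOutside policy come from the CLI steps that follow; the Inside-to-DMZ zone-pair without a policy is constructed. Router traffic to or from an interface that belongs to no zone is not covered by the table; the function passes it, which is an assumption of this model.

```python
from typing import Dict, Optional, Tuple

SELF = "self"   # the router's own traffic ("ROUTER" in the tables above)

# (source zone, destination zone) -> attached service-policy, or None when the
# zone-pair exists but no policy is attached. The first pair is the one configured
# in the CLI steps that follow; the second is constructed for the no-policy case.
ZONE_PAIRS: Dict[Tuple[str, str], Optional[str]] = {
    ("Inside", "Outside"): "InsideToOutside",
    ("Inside", "DMZ"): None,
}


def zpf_decision(src_zone: Optional[str], dst_zone: Optional[str],
                 zone_pairs: Dict[Tuple[str, str], Optional[str]]) -> str:
    """Apply the application-traffic and router-traffic rules from the tables.

    src_zone / dst_zone: zone of the ingress / egress interface, None when that
    interface is not a zone member, or SELF for traffic to or from the router.
    Returns "NO_IMPACT", "PASS", "DROP" or "POLICY:<name>".
    """
    if src_zone is None and dst_zone is None:
        return "NO_IMPACT"                          # zoning does not apply to this traffic
    router_traffic = SELF in (src_zone, dst_zone)
    if not router_traffic:
        if src_zone is None or dst_zone is None:
            return "DROP"                           # one side zoned, the other not
        if src_zone == dst_zone:
            return "PASS"                           # same zone: no policy lookup
    policy = zone_pairs.get((src_zone, dst_zone))   # None also when the pair is missing
    if policy is None:
        # No zone-pair, or a zone-pair without a policy: the self zone defaults to
        # PASS, traffic between two different zones defaults to DROP. (Router traffic
        # with an unzoned interface on the other side is not in the table; passed here.)
        return "PASS" if router_traffic else "DROP"
    return f"POLICY:{policy}"


def demo() -> Dict[str, str]:
    return {
        "Inside -> Outside": zpf_decision("Inside", "Outside", ZONE_PAIRS),
        "Outside -> Inside (no pair; replies rely on inspect)": zpf_decision("Outside", "Inside", ZONE_PAIRS),
        "Inside -> Inside": zpf_decision("Inside", "Inside", ZONE_PAIRS),
        "Inside -> DMZ (pair without policy)": zpf_decision("Inside", "DMZ", ZONE_PAIRS),
        "Inside -> unzoned interface": zpf_decision("Inside", None, ZONE_PAIRS),
        "unzoned -> unzoned": zpf_decision(None, None, ZONE_PAIRS),
        "router -> Outside": zpf_decision(SELF, "Outside", ZONE_PAIRS),
        "Outside -> router": zpf_decision("Outside", SELF, ZONE_PAIRS),
    }
```

Two results are worth noting when reading the output of `demo()`. Outside-to-Inside is DROP because no zone-pair exists in that direction; return traffic for Inside-to-Outside sessions is admitted by the inspect action of the policy, not by a second zone-pair. And a zone-pair whose service-policy has not yet been attached drops everything, so the ordering of steps 3 and 4 matters when configuring a live device.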
Implementing Zone-based Policy Firewall with CLI
1. Create the zones for the firewall with the zone security command
2. Define traffic classes with the class-map type inspect command
3. Specify firewall policies with the policy-map type inspect command
4. Apply firewall policies to pairs of source and destination zones with zone-pair security
5. Assign router interfaces to zones using the zone-member security interface command
Step 1: Create the Zones
FW(config)# zone security Inside
FW(config-sec-zone)# description Inside network
FW(config)# zone security Outside
FW(config-sec-zone)# description Outside network
Step 2: Define Traffic Classes
FW(config)# class-map type inspect FOREXAMPLE
FW(config-cmap)# match access-group 101
FW(config-cmap)# match protocol tcp
FW(config-cmap)# match protocol udp
FW(config-cmap)# match protocol icmp
FW(config-cmap)# exit
FW(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Step 3: Define Firewall Policies
FW(config)# policy-map type inspect InsideToOutside
FW(config-pmap)# class type inspect FOREXAMPLE
FW(config-pmap-c)# inspect
Step 4: Assign Policy Maps to Zone Pairs and Assign Router Interfaces to Zones
FW(config)# zone-pair security InsideToOutside source Inside destination Outside
FW(config-sec-zone-pair)# description Internet Access
FW(config-sec-zone-pair)# service-policy type inspect InsideToOutside
FW(config-sec-zone-pair)# interface F0/0
FW(config-if)# zone-member security Inside
FW(config-if)# interface S0/0/0.100 point-to-point
FW(config-if)# zone-member security Outside
Final ZPF Configuration
policy-map type inspect InsideToOutside
 class class-default
  inspect
!
zone security Inside
 description Inside network
zone security Outside
 description Outside network
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
!
interface FastEthernet0/0
 zone-member security Inside
!
interface Serial0/0/0.100 point-to-point
 zone-member security Outside
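A consistency check over the ZPF statements used above (zone security, zone-pair security, service-policy, policy-map type inspect, interface and zone-member security), as an added example that is not part of the slides: the sample config is the final configuration with two constructed defects, a misspelled zone name on FastEthernet0/0 and a return-direction zone pair that has no service-policy, which the rules table says results in a drop.

```python
"""Consistency check for the ZPF statements shown above. Added example,
not from the slides: it finds dangling references between the elements."""
import re

# Constructed sample: the final ZPF configuration with two defects added
# for the check to find (a misspelled zone name and a policy-less pair).
SAMPLE_CONFIG = """\
policy-map type inspect InsideToOutside
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
zone-pair security OutsideToInside source Outside destination Inside
interface FastEthernet0/0
 zone-member security Insde
interface Serial0/0/0.100 point-to-point
 zone-member security Outside
"""

def lint_zpf(config: str) -> list:
    """Return findings, in config order, about dangling ZPF references."""
    zones, policies, pairs, members = set(), set(), {}, {}
    ctx = None  # (kind, name) of the zone-pair or interface sub-mode we are in
    for line in config.splitlines():
        if m := re.match(r"zone security (\S+)", line):
            zones.add(m[1]); ctx = None
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            policies.add(m[1]); ctx = None
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pairs[m[1]] = {"src": m[2], "dst": m[3], "policy": None}; ctx = ("pair", m[1])
        elif m := re.match(r"interface (\S+)", line):
            ctx = ("intf", m[1])
        elif ctx and ctx[0] == "pair" and (m := re.match(r"\s+service-policy type inspect (\S+)", line)):
            pairs[ctx[1]]["policy"] = m[1]
        elif ctx and ctx[0] == "intf" and (m := re.match(r"\s+zone-member security (\S+)", line)):
            members[ctx[1]] = m[1]
    out = []
    for name, p in pairs.items():
        out += [f"zone-pair {name}: zone {z} is not defined"
                for z in (p["src"], p["dst"]) if z not in zones and z != "self"]
        if p["src"] == p["dst"]:
            out.append(f"zone-pair {name}: source and destination must differ")
        if p["policy"] is None:  # pair exists, no policy: the rules table says DROP
            out.append(f"zone-pair {name}: no service-policy, so traffic is dropped")
        elif p["policy"] not in policies:
            out.append(f"zone-pair {name}: policy-map {p['policy']} is not defined")
    out += [f"interface {i}: zone {z} is not defined" for i, z in members.items() if z not in zones]
    out += [f"zone {z}: no interface is a member" for z in sorted(zones - set(members.values()))]
    return out
```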
Manually Implementing Zone-based Policy Firewall with SDM
Step 1: Define zones
Step 2: Configure class maps to describe traffic between zones
Step 3: Create policy maps to apply actions to the traffic of the class maps
Step 4: Define zone pairs and assign policy maps to the zone pairs
Define Zones
1. Choose Configure > Additional Tasks > Zones
2. Click Add
3. Enter a zone name
4. Choose the interfaces for this zone
5. Click OK to create the zone and click OK at the Commands Delivery Status window
Configure Class Maps
1. Choose Configure > Additional Tasks > C3PL > Class Map > Inspections
2. Review, create, and edit class maps. To edit a class map, choose the class map from the list and click Edit
Create Policy Maps
1. Choose Configure > Additional Tasks > C3PL > Policy Map > Protocol Inspection
2. Click Add
3. Enter a policy name and description
4. Click Add to add a new class map
5. Enter the name of the class map to apply. Click the down arrow for a pop-up menu if the name is unknown
6. Choose Pass, Drop, or Inspect
7. Click OK
8. To add another class map, click Add. To modify or delete the actions of a class map, choose the class map and click Edit or Delete
9. Click OK. At the Command Delivery Status window, click OK
Define Zone Pairs
1. Choose Configure > Additional Tasks > Zone Pairs
2. Click Add
3. Enter a name for the zone pair. Choose a source zone, a destination zone and a policy
4. Click OK and click OK in the Command Delivery Status window
Accessing the Basic Firewall Configuration
1. Choose Configuration > Firewall and ACL
2. Click the Basic Firewall option and click the Launch the Selected Task button
3. Click Next to begin configuration
Configuring a Firewall
1. Check the outside (untrusted) check box and the inside (trusted) check box to identify each interface
2. (Optional) Check the box if the intent is to allow users outside of the firewall to access the router using SDM. After clicking Next, a screen displays that allows the admin to specify a host IP address or network address
3. Click Next. If the Allow Secure SDM Access check box is checked, the Configuring Firewall for Remote Access window appears
4. In the Configuring Firewall for Remote Access window, choose Network address, Host IP address or any from the Type drop-down list
Basic Firewall Security Configuration
1. Select the security level
2. Click the Preview Commands button to view the IOS commands
Firewall Configuration Summary
Click Finish
Reviewing Policy
1. Choose Configure > Firewall and ACL
2. Click the Edit Firewall Policy tab
CLI Generated Output
class-map type inspect match-any iinsprotocols
 match protocol http
 match protocol smtp
 match protocol ftp
!
policy-map type inspect iinspolicy
 class type inspect iinsprotocols
  inspect
!
zone security private
zone security internet
!
interface fastethernet 0/0
 zone-member security private
!
interface serial 0/0/0
 zone-member security internet
!
zone-pair security priv-to-internet source private destination internet
 service-policy type inspect iinspolicy
!
- class-map: list of services defined in the firewall policy
- policy-map: apply action (inspect = stateful inspection)
- zone security: zones created
- zone-member security: interfaces assigned to zones
- zone-pair security: inspection applied from private to public zones
Firewall Status Information
1. Choose Monitor > Firewall Status
2. Choose one of the following options:
- Real-time data every 10 sec
- 60 minutes of data polled every 1 minute
- 12 hours of data polled every 12 minutes
Display Active Connection
Router# show policy-map type inspect zone-pair session

Shows zone-based policy firewall session statistics