
CCNA Security 09- ios firewall fundamentals


CCNA Security 640-554 By Eng-Ahmed Sultan


Page 1: CCNA Security 09- ios firewall fundamentals

1 © 2009 Cisco Learning Institute.

08- IOS Firewall Fundamentals

Ahmed Sultan CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH

Page 2: CCNA Security 09- ios firewall fundamentals


ACL Topology and Types

Page 3: CCNA Security 09- ios firewall fundamentals


Standard Numbered IP ACLs

• The first value specifies the ACL number

• The second value specifies whether to permit or deny the configured source IP address traffic

• The third value is the source IP address that must be matched

• The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range

• All ACLs assume an implicit deny statement at the end of the ACL

• At least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface

Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask]

Page 4: CCNA Security 09- ios firewall fundamentals


Extended Numbered IP ACLs

• The first value specifies the ACL number

• The second value specifies whether to permit or deny accordingly

• The third value indicates protocol type

• The source IP address and wildcard mask determine where traffic originates. The destination IP address and wildcard mask are used to indicate the final destination of the network traffic

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established]

• The command to apply the standard or extended numbered ACL to an interface:

Router(config-if)# ip access-group number {in | out}

Page 5: CCNA Security 09- ios firewall fundamentals


Named IP ACLs

Router(config)# ip access-list extended vachon1
Router(config-ext-nacl)# deny ip any 200.1.2.10 0.0.0.1
Router(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 80
Router(config-ext-nacl)# permit tcp any host 200.1.1.10 eq 25
Router(config-ext-nacl)# permit tcp any eq 25 host 200.1.1.10 established
Router(config-ext-nacl)# permit tcp any 200.1.2.0 0.0.0.255 established
Router(config-ext-nacl)# permit udp any eq 53 200.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# interface ethernet 1
Router(config-if)# ip access-group vachon1 in
Router(config-if)# exit

Standard

Extended

Page 6: CCNA Security 09- ios firewall fundamentals


Applying Standard ACLs

Use a standard ACL to block all traffic from the 172.16.4.0/24 network, but allow all other traffic.

R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
R1(config)# access-list 1 permit any
R1(config)# interface ethernet 0
R1(config-if)# ip access-group 1 out

Page 7: CCNA Security 09- ios firewall fundamentals


Applying Extended ACLs

Use an extended ACL to block all FTP traffic from the 172.16.4.0/24 network, but allow all other traffic.

R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 101 permit ip any any

Page 8: CCNA Security 09- ios firewall fundamentals


Attacks Mitigated

ACLs can be used to:

• Mitigate IP address spoofing—inbound/outbound

• Mitigate Denial of service (DoS) TCP synchronizes (SYN) attacks—blocking external attacks

• Mitigate DoS TCP SYN attacks—using TCP intercept

• Mitigate DoS smurf attacks

• Filter Internet Control Message Protocol (ICMP) messages—inbound

• Filter ICMP messages—outbound

• Filter traceroute

Page 9: CCNA Security 09- ios firewall fundamentals


CLI Commands

Inbound (anti-spoofing):

R1(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)#access-list 150 deny ip host 255.255.255.255 any

Outbound:

R1(config)#access-list 105 permit ip 192.168.1.0 0.0.0.255 any
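To make the wildcard-mask, first-match and implicit-deny semantics behind the ACLs above concrete, here is an added Python model (not part of the slides or of Cisco IOS) that evaluates packets against the slide's anti-spoofing ACL 150. Only `ip` entries are modelled; the trailing `permit ip any any` is a constructed addition to show what the implicit deny does without it.

```python
import ipaddress

# Constructed helper (not from the slides): evaluates a packet against an
# IOS-style numbered ACL with wildcard masks, first-match ordering and the
# implicit deny that ends every ACL. Only "ip" entries are modelled.

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 1 = ignore this bit, 0 = bit must match the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (base, wildcard), rest."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """'access-list 150 deny ip 10.0.0.0 0.255.255.255 any' -> (action, src, dst)."""
    tokens = line.split()[2:]            # drop 'access-list <number>'
    action, protocol = tokens[0], tokens[1]
    src, rest = parse_addr(tokens[2:])
    dst, _ = parse_addr(rest)
    return action, src, dst

def evaluate(acl, src_ip, dst_ip):
    """First matching entry decides; falling off the end is the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action
    return "deny"

# The slide's inbound anti-spoofing entries (ACL 150), as written.
ACL_150 = [
    "access-list 150 deny ip 0.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 150 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 150 deny ip 224.0.0.0 15.255.255.255 any",
    "access-list 150 deny ip host 255.255.255.255 any",
]
# Constructed final entry: without it the implicit deny drops legitimate traffic too.
ACL_150_COMPLETE = ACL_150 + ["access-list 150 permit ip any any"]
```

`evaluate(ACL_150, "203.0.113.5", "192.168.20.2")` returns `"deny"` because nothing matched and the implicit deny applied, while the same lookup against `ACL_150_COMPLETE` returns `"permit"`.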

Page 10: CCNA Security 09- ios firewall fundamentals


Allowing Common Services

R1(config)#access-list 122 permit udp any host 192.168.20.2 eq domain
R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq smtp
R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq ftp

R1(config)#access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq telnet
R1(config)#access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq 22
R1(config)#access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq syslog
R1(config)#access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq snmptrap

(Topology figure: R1 with interfaces F0/0, F0/1 and Serial 0/0/0 to the Internet; DNS, SMTP and FTP server at 192.168.20.2/24; PC A at 200.5.5.5/24.)

Page 11: CCNA Security 09- ios firewall fundamentals


Controlling ICMP Messages

Inbound on S0/0/0:

R1(config)#access-list 112 permit icmp any any echo-reply
R1(config)#access-list 112 permit icmp any any source-quench
R1(config)#access-list 112 permit icmp any any unreachable
R1(config)#access-list 112 deny icmp any any

Outbound on S0/0/0:

R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench

(Topology figure: R1 with interfaces F0/0, F0/1 and Serial 0/0/0 to the Internet; server at 192.168.20.2/24; PC A at 200.5.5.5/24.)

Page 12: CCNA Security 09- ios firewall fundamentals


Firewalls

• A firewall is a system that enforces an access control policy between networks

• Common properties of firewalls:

- The firewall is resistant to attacks

- The firewall is the only transit point between networks

- The firewall enforces the access control policy

Page 13: CCNA Security 09- ios firewall fundamentals


Benefits of Firewalls

• Prevents exposing sensitive hosts and applications to untrusted users

• Prevents the exploitation of protocol flaws by sanitizing the protocol flow

• Firewalls prevent malicious data from being sent to servers and clients.

• Properly configured firewalls make security policy enforcement simple, scalable, and robust.

• A firewall reduces the complexity of security management by offloading most of the network access control to a couple of points in the network.

Page 14: CCNA Security 09- ios firewall fundamentals


Types of Filtering Firewalls

• Packet-filtering firewall—is typically a router that has the capability to filter on some of the contents of packets (examines Layer 3 and sometimes Layer 4 information)

• Stateful firewall—keeps track of the state of a connection: whether the connection is in an initiation, data transfer, or termination state

• Application gateway firewall (proxy firewall)—filters information at Layers 3, 4, 5, and 7. Firewall control and filtering is done in software.

• Address-translation firewall—expands the number of IP addresses available and hides network addressing design.

Page 15: CCNA Security 09- ios firewall fundamentals


Types of Filtering Firewalls

• Host-based (server and personal) firewall—a PC or server with firewall software running on it.

• Transparent firewall—filters IP traffic between a pair of bridged interfaces.

• Hybrid firewalls—some combination of the above firewalls. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.

Page 16: CCNA Security 09- ios firewall fundamentals


Packet-Filtering Firewall

• Are based on a simple permit or deny rule set

• Have a low impact on network performance

• Are easy to implement

• Are supported by most routers

• Afford an initial degree of security at a low network layer

• Perform 90% of what higher-end firewalls do, at a much lower cost

Page 17: CCNA Security 09- ios firewall fundamentals


Stateful Firewall

(Figure: inside host 10.1.1.1 opens a connection to 200.3.3.3, source port 1500, destination port 80.)

Inside ACL (Outgoing Traffic):

permit ip 10.0.0.0 0.0.0.255 any

Outside ACL (Incoming Traffic):

Dynamic: permit tcp host 200.3.3.3 eq 80 host 10.1.1.1 eq 1500
permit tcp any host 10.1.1.2 eq 25
permit udp any host 10.1.1.2 eq 53
deny ip any any
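The figure's behaviour, as an added Python model that is not part of the slides or of Cisco IOS: the inside ACL lets a session out, the firewall installs the mirrored dynamic entry in the outside ACL, and anything else arriving from outside falls through to the static entries and then to `deny ip any any`. The inside network is assumed to be 10.0.0.0/8 so that the figure's host 10.1.1.1 is covered; the `close()` method stands in for the FIN/RST or idle-timeout handling that removes the entry.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (not Cisco code) of the stateful firewall figure: outbound
# sessions open a mirrored dynamic entry; inbound packets match dynamic entries,
# then the static outside ACL, then the final "deny ip any any".

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def mirror(pkt):
    """The reply to pkt: source and destination (address and port) swapped."""
    return Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

class StatefulFirewall:
    def __init__(self, inside_net, static_outside_permits):
        self.inside = ipaddress.ip_network(inside_net)   # assumed 10.0.0.0/8 below
        # Static outside entries as (proto, dst, dport), e.g. the slide's
        # "permit tcp any host 10.1.1.2 eq 25" -> ("tcp", "10.1.1.2", 25).
        self.static = set(static_outside_permits)
        self.dynamic = set()   # reply 5-tuples the firewall currently expects

    def outbound(self, pkt):
        """Inside ACL: permit the inside network, then open the return path."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return "deny"
        self.dynamic.add(mirror(pkt))
        return "permit"

    def inbound(self, pkt):
        """Outside ACL: dynamic entries first, then static permits, then deny."""
        if pkt in self.dynamic:
            return "permit (dynamic)"
        if (pkt.proto, pkt.dst, pkt.dport) in self.static:
            return "permit (static)"
        return "deny"

    def close(self, pkt):
        """Session end (FIN/RST seen or idle timeout): remove the dynamic entry."""
        self.dynamic.discard(mirror(pkt))

def slide_firewall():
    """The figure's static outside entries, with the assumed inside network."""
    return StatefulFirewall("10.0.0.0/8", [("tcp", "10.1.1.2", 25), ("udp", "10.1.1.2", 53)])
```

After `outbound(Packet("tcp", "10.1.1.1", 1500, "200.3.3.3", 80))`, only the reply from 200.3.3.3:80 to 10.1.1.1:1500 is let in dynamically; a packet from the same server to port 1501 is denied, and once `close()` runs the reply is denied too.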

Page 18: CCNA Security 09- ios firewall fundamentals


Cisco Systems Firewall Solutions

• IOS Firewall–Zone-based policy framework for intuitive management

–Instant messenger and peer-to-peer application filtering

–VoIP protocol firewalling

–Virtual routing and forwarding (VRF) firewalling

–Wireless integration

–Stateful failover

–Local URL whitelist and blacklist support

–Application inspection for web and e-mail traffic

• PIX 500 Series

• ASA 5500 Series

Page 19: CCNA Security 09- ios firewall fundamentals


Design with DMZ

(Figure: the firewall sits between the Trusted (private) network, the DMZ and the Untrusted network (Internet), with four policies: Private-Public, Public-DMZ, DMZ-Private and Private-DMZ.)

Page 20: CCNA Security 09- ios firewall fundamentals


CBAC Example

Page 21: CCNA Security 09- ios firewall fundamentals


Configuration of CBAC

Four Steps to Configure

• Step 1: Pick an Interface

• Step 2: Configure IP ACLs at the Interface

• Step 3: Define Inspection Rules

• Step 4: Apply an Inspection Rule to an Interface

Page 22: CCNA Security 09- ios firewall fundamentals


Step 1: Pick an Interface

Two-Interface

Three-Interface

Page 23: CCNA Security 09- ios firewall fundamentals


Step 2: Configure IP ACLs at the Interface

Page 24: CCNA Security 09- ios firewall fundamentals


Step 3: Define Inspection Rules

Router(config)# ip inspect name inspection_name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

Page 25: CCNA Security 09- ios firewall fundamentals


Step 4: Apply an Inspection Rule to an Interface

Page 26: CCNA Security 09- ios firewall fundamentals


Zone Based Firewall

• If an additional interface is added to the private zone, the hosts connected to the new interface in the private zone can pass traffic to all hosts on the existing interface in the same zone.

• Additionally, hosts connected to the new interface in the private zone must adhere to all existing “private” policies related to that zone when passing traffic to other zones.

Each zone holds only one interface.

Page 27: CCNA Security 09- ios firewall fundamentals


Benefits

• Zone-based policy firewall is not dependent on ACLs

• The router security posture is now “block unless explicitly allowed”

• C3PL (Cisco Common Classification Policy Language) makes policies easy to read and troubleshoot

• One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

Two Zones

Page 28: CCNA Security 09- ios firewall fundamentals


Common Designs

• LAN-to-Internet

• Public Servers

• Redundant Firewalls

• Complex Firewall

Page 29: CCNA Security 09- ios firewall fundamentals


Actions

Inspect – This action configures Cisco IOS stateful packet inspection

Drop – This action is analogous to deny in an ACL

Pass – This action is analogous to permit in an ACL

Page 30: CCNA Security 09- ios firewall fundamentals


Manually Implementing Zone-based Policy Firewall with CCP

• Step 1: Define zones

• Step 2: Configure class maps to describe traffic between zones

• Step 3: Create policy maps to apply actions to the traffic of the class maps

• Step 4: Define zone pairs and assign policy maps to the zone pairs

Page 31: CCNA Security 09- ios firewall fundamentals


Implementing Zone-based Policy Firewall with CLI

1. Create the zones for the firewall with the zone security command

2. Define traffic classes with the class-map type inspect command

3. Specify firewall policies with the policy-map type inspect command

4. Apply firewall policies to pairs of source and destination zones with zone-pair security

5. Assign router interfaces to zones using the zone-member security interface command

Page 32: CCNA Security 09- ios firewall fundamentals


Step 1: Create the Zones

FW(config)# zone security Inside
FW(config-sec-zone)# description Inside network
FW(config)# zone security Outside
FW(config-sec-zone)# description Outside network

Page 33: CCNA Security 09- ios firewall fundamentals


Step 2: Define Traffic Classes

FW(config)# class-map type inspect FOREXAMPLE
FW(config-cmap)# match access-group 101
FW(config-cmap)# match protocol tcp
FW(config-cmap)# match protocol udp
FW(config-cmap)# match protocol icmp
FW(config-cmap)# exit
FW(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any

Page 34: CCNA Security 09- ios firewall fundamentals


Step 3: Define Firewall Policies

FW(config)# policy-map type inspect InsideToOutside
FW(config-pmap)# class type inspect FOREXAMPLE
FW(config-pmap-c)# inspect

Page 35: CCNA Security 09- ios firewall fundamentals


Step 4: Assign Policy Maps to Zone Pairs and Assign Router Interfaces to Zones

FW(config)# zone-pair security InsideToOutside source Inside destination Outside
FW(config-sec-zone-pair)# description Internet Access
FW(config-sec-zone-pair)# service-policy type inspect InsideToOutside
FW(config-sec-zone-pair)# interface F0/0
FW(config-if)# zone-member security Inside
FW(config-if)# interface S0/0/0.100 point-to-point
FW(config-if)# zone-member security Outside
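How the configuration built in steps 1 to 4 reaches a decision, as an added Python model that is not part of the slides or of Cisco IOS: interfaces map to zones, a zone pair in one direction carries a policy map, the policy map's classes select an action, and traffic with no zone pair is dropped ("block unless explicitly allowed"). The class map is simplified to source networks from access-list 101 plus the matched protocols; interface names and addresses other than those in the slides are constructed.

```python
import ipaddress

# Constructed model (not Cisco code) of the zone-based firewall decision path:
# interface -> zone, (source zone, destination zone) -> policy map,
# policy-map classes -> action, and no zone pair means drop.

class ZoneFirewall:
    def __init__(self):
        self.zone_of = {}      # zone-member security: interface -> zone
        self.class_maps = {}   # class-map type inspect: name -> (networks, protocols)
        self.policy_maps = {}  # policy-map type inspect: name -> [(class, action)]
        self.zone_pairs = {}   # zone-pair security: (src zone, dst zone) -> policy

    def zone_member(self, interface, zone):
        self.zone_of[interface] = zone

    def class_map(self, name, networks, protocols):
        # 'match access-group' reduced to source networks, plus 'match protocol'
        self.class_maps[name] = ([ipaddress.ip_network(n) for n in networks], set(protocols))

    def policy_map(self, name, classes):
        self.policy_maps[name] = list(classes)   # ordered (class, action) pairs

    def zone_pair(self, src_zone, dst_zone, policy):
        self.zone_pairs[(src_zone, dst_zone)] = policy

    def decide(self, in_if, out_if, src_ip, proto):
        src_zone, dst_zone = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if (src_zone is None) != (dst_zone is None):
            return "drop"     # a zone member never exchanges traffic with a non-member
        if src_zone == dst_zone:
            return "pass"     # same zone (or neither in a zone): not policed
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"     # no zone pair in this direction: default deny
        for cmap, action in self.policy_maps[policy]:
            nets, protos = self.class_maps[cmap]
            if proto in protos and any(ipaddress.ip_address(src_ip) in n for n in nets):
                return action
        return "drop"         # class-default of an inspect policy map drops

def slide_firewall():
    """Steps 1-4 above: FOREXAMPLE, InsideToOutside, F0/0 Inside, S0/0/0.100 Outside."""
    fw = ZoneFirewall()
    fw.class_map("FOREXAMPLE", ["10.0.0.0/24"], ["tcp", "udp", "icmp"])  # access-list 101
    fw.policy_map("InsideToOutside", [("FOREXAMPLE", "inspect")])
    fw.zone_pair("Inside", "Outside", "InsideToOutside")
    fw.zone_member("F0/0", "Inside")
    fw.zone_member("S0/0/0.100", "Outside")
    return fw
```

With this configuration, TCP from 10.0.0.5 on F0/0 towards S0/0/0.100 is inspected, the same flow from 10.0.1.5 (outside access-list 101) is dropped by class-default, and anything entering on S0/0/0.100 bound for F0/0 is dropped because no Outside-to-Inside zone pair exists.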
