
DATA NETWORKS I

Class 21. Firewalls


Alberto Arellano A. Ing. Msc.
aarellano@espoch.edu.ec
CCNA – CCNP – CCSP-JNCIA
What is a Network Firewall?
A firewall is a network security device that monitors incoming and outgoing network
traffic and decides whether to allow or block specific traffic based on a defined set
of security rules.

Firewalls have been a first line of defense in network security for over 25 years. They
establish a barrier between secured and controlled internal networks that can be
trusted and untrusted outside networks, such as the Internet.
Stateful Firewall
Stateful firewalls are a more advanced and modern extension of stateless
packet-filtering firewalls, in the sense that they continuously track the state of
the network and its active connections, such as TCP flows or UDP
communications, and use that state to decide whether a packet belongs to an
existing session.
UTM Firewall
Unified Threat Management products are security systems that perform
certain security-related functions such as firewall, antivirus, virtual private
networking, antispam, etc.
OPEN-SOURCE UTM DISTRIBUTIONS
GARTNER REPORT 2021 - NGFW
Next-generation firewall (NGFW)
A next generation firewall (NGFW) is, as Gartner defines it, a “deep-packet
inspection firewall that moves beyond port/protocol inspection and blocking to add
application-level inspection, intrusion prevention, and bringing intelligence from
outside the firewall.”
Firewall Fortigate - Lab
FORTIGATE INITIAL CONFIGURATION

config system interface
    edit port1
        show
        set mode static
        set ip 192.168.83.20 255.255.255.0
        set allowaccess ping https http ssh fgfm
        show
    next
end
IP Address Interfaces
Static Routes
Firewall Policy Default
Check connectivity
Create Objects – Server IP Address
Create Objects – LAN Network Address
Create Firewall Policy
Check connectivity
Create Specific Firewall Policy
LAN 1 --> WWW-1
Create Specific Firewall Policy
LAN 2 --> WWW-2
Create Specific Firewall Policy
LAN 1 --> FTP-2
Create Specific Firewall Policy
LAN 2 --> FTP-1
Check Firewall Policies
Check connectivity
Check Access LAN1 to WWW1
Check Access LAN1 to WWW2
Check Access LAN1 to FTP-2
Check Access LAN1 to FTP-1
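The FortiGate lab above creates address objects, then four specific policies (LAN 1 --> WWW-1, LAN 2 --> WWW-2, LAN 1 --> FTP-2, LAN 2 --> FTP-1) and finally checks which servers a LAN1 host can reach. The slides show these steps only as screenshots, so the following is an added Python model of how an ordered firewall policy table is evaluated, written for this class and not code from Fortinet or the lab. The subnets, host addresses and policy names are constructed placeholders; what it demonstrates is top-down first-match evaluation, the implicit deny that catches everything else (LAN1 to WWW-2 and LAN1 to FTP-1), and how a broad policy placed above specific ones shadows them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address objects. The lab's real values are only visible in screenshots,
# so these subnets and host addresses are constructed placeholders.
ADDRESSES = {
    "all":   ipaddress.ip_network("0.0.0.0/0"),
    "LAN-1": ipaddress.ip_network("10.1.1.0/24"),
    "LAN-2": ipaddress.ip_network("10.1.2.0/24"),
    "WWW-1": ipaddress.ip_network("172.16.1.10/32"),
    "WWW-2": ipaddress.ip_network("172.16.2.10/32"),
    "FTP-1": ipaddress.ip_network("172.16.1.21/32"),
    "FTP-2": ipaddress.ip_network("172.16.2.21/32"),
}

# Service objects: (protocol, destination port); None means "any".
SERVICES = {
    "ALL":  (None, None),
    "HTTP": ("tcp", 80),
    "FTP":  ("tcp", 21),
    "PING": ("icmp", None),
}


@dataclass(frozen=True)
class Policy:
    name: str
    src: str        # source address object
    dst: str        # destination address object
    service: str    # service object
    action: str     # "accept" or "deny"


# Ordered policy table: evaluated top-down, first match wins.
# These four entries mirror the specific policies created in the lab.
LAB_POLICIES = [
    Policy("LAN1-to-WWW1", "LAN-1", "WWW-1", "HTTP", "accept"),
    Policy("LAN2-to-WWW2", "LAN-2", "WWW-2", "HTTP", "accept"),
    Policy("LAN1-to-FTP2", "LAN-1", "FTP-2", "FTP", "accept"),
    Policy("LAN2-to-FTP1", "LAN-2", "FTP-1", "FTP", "accept"),
]


def _service_matches(service: str, proto: str, dport: Optional[int]) -> bool:
    want_proto, want_port = SERVICES[service]
    return (want_proto is None or want_proto == proto) and \
           (want_port is None or want_port == dport)


def evaluate(policies, src_ip: str, dst_ip: str, proto: str,
             dport: Optional[int] = None):
    """Return (action, policy name) for the first matching policy.
    Traffic that matches no policy hits the implicit deny at the bottom."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (s in ADDRESSES[p.src] and d in ADDRESSES[p.dst]
                and _service_matches(p.service, proto, dport)):
            return p.action, p.name
    return "deny", "implicit-deny"


def lab_access_checks(policies=LAB_POLICIES):
    """The four access checks from the lab, run from a (constructed) LAN-1 host."""
    host = "10.1.1.25"
    return {
        "LAN1->WWW1":  evaluate(policies, host, "172.16.1.10", "tcp", 80),
        "LAN1->WWW2":  evaluate(policies, host, "172.16.2.10", "tcp", 80),
        "LAN1->FTP-2": evaluate(policies, host, "172.16.2.21", "tcp", 21),
        "LAN1->FTP-1": evaluate(policies, host, "172.16.1.21", "tcp", 21),
    }


def ordering_matters():
    """A broad 'LAN-1 to all, ALL services, deny' placed above the specific
    policies shadows them: the previously accepted HTTP flow is now denied."""
    shadowing = [Policy("LAN1-block-all", "LAN-1", "all", "ALL", "deny")] + LAB_POLICIES
    return evaluate(shadowing, "10.1.1.25", "172.16.1.10", "tcp", 80)


if __name__ == "__main__":
    for check, result in lab_access_checks().items():
        print(f"{check:12s} -> {result}")
    print("with shadowing policy on top ->", ordering_matters())
```

The model evaluates only the first packet of a flow; a real FortiGate additionally keeps a session table so that replies to an accepted connection are matched to the session rather than re-evaluated against the policy list. The point to take from `ordering_matters()` is that policy position, not just policy content, decides the outcome, which is why the lab checks each policy's effect after adding it.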
CISCO IOS ZBF
Zone Based Firewall is the most advanced method of a stateful firewall that is
available on Cisco IOS routers. The idea behind ZBF is that we don’t assign
access-lists to interfaces but we will create different zones. Interfaces will be
assigned to the different zones and security policies will be assigned to traffic
between zones.
CISCO IOS ZBF
The interfaces are assigned to the correct zone and now we can apply
security policies to traffic between zones.
For example:
• LAN to WAN
• LAN to DMZ
• WAN to LAN
• WAN to DMZ
• DMZ to WAN
• DMZ to LAN
CISCO IOS-XE ZBF Configuration
LAB – CISCO CSRV1000 - ZBF
CONFIGURE WEBUI ACCESS
WEBUI Dashboard
Configure WAN Interface
Configure LAN Interface
Configure DMZ Interface
CHECK CONNECTIVITY – PC5 --> Ubuntu-1
CHECK WEB ACCESS
Configure Zone-Based Firewall
Configure Zones
SECURITY ACTIONS

One of three security actions can be taken on matched traffic:

• Drop - The traffic is dropped.
• Pass - The traffic is permitted.
• Inspect - The traffic is permitted and inspected statefully so that return traffic in the opposite direction is also permitted. (A <--> B)
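The stateful firewall definition earlier in the deck, the zone-pair idea behind Cisco IOS ZBF, and the three security actions above all come together in one mechanism: interfaces belong to zones, a policy applies to a (source zone, destination zone) pair, and only the Inspect action creates a session entry that lets the reply through. The following is an added Python simulation of that mechanism, written for this class to make the behaviour visible; it is not Cisco code and not the lab configuration. Interface names, zone-pair rules and all addresses are constructed assumptions. It shows the three outcomes a practitioner wants to confirm: an inspected LAN-to-WAN flow whose reply is admitted although no WAN-to-LAN policy exists, an unsolicited WAN-to-LAN packet dropped by the default, and a DMZ-to-WAN flow handled with Pass whose reply is dropped because Pass creates no session.

```python
from dataclasses import dataclass

# Interface-to-zone assignment (constructed for this example).
ZONE_OF_INTERFACE = {"Gi1": "WAN", "Gi2": "LAN", "Gi3": "DMZ"}

# Zone-pair policies: an ordered list of (match criteria, action) per pair,
# like class-maps inside a policy-map. A packet matching no rule falls into
# the implicit class-default, which drops; a zone pair with no policy at all
# also drops. All rules and addresses here are constructed assumptions.
ZONE_PAIR_POLICY = {
    ("LAN", "WAN"): [
        ({"proto": "tcp", "dst_port": 80}, "inspect"),
        ({"proto": "tcp", "dst_port": 443}, "inspect"),
        ({"proto": "icmp"}, "inspect"),
    ],
    ("LAN", "DMZ"): [({}, "inspect")],                     # everything, stateful
    ("WAN", "DMZ"): [({"proto": "tcp", "dst_ip": "172.16.1.10",
                       "dst_port": 80}, "inspect")],       # published web server only
    ("DMZ", "WAN"): [({}, "pass")],                        # stateless: no session kept
}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on
    egress: str    # interface it would leave on (after routing)
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ZoneBasedFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()   # forward 5-tuples of flows created by 'inspect'

    @staticmethod
    def _flow(pkt):
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _reverse_flow(pkt):
        # The 5-tuple this packet would be a reply to.
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    @staticmethod
    def _matches(criteria, pkt):
        return all(getattr(pkt, key) == value for key, value in criteria.items())

    def process(self, pkt):
        """Return the action applied to the packet: 'pass', 'inspect' or 'drop'."""
        src_zone = ZONE_OF_INTERFACE[pkt.ingress]
        dst_zone = ZONE_OF_INTERFACE[pkt.egress]
        if src_zone == dst_zone:
            return "pass"       # intra-zone traffic is not subject to zone-pair policy
        if self._reverse_flow(pkt) in self.sessions:
            return "pass"       # return traffic of an inspected session
        for criteria, action in self.policy.get((src_zone, dst_zone), []):
            if self._matches(criteria, pkt):
                if action == "inspect":
                    self.sessions.add(self._flow(pkt))   # only inspect creates state
                return action
        return "drop"           # class-default, or no policy for this zone pair


def run_demo():
    """Walk a few constructed packets through the firewall in order."""
    fw = ZoneBasedFirewall(ZONE_PAIR_POLICY)
    lan_host, web_server = "192.168.10.5", "203.0.113.80"
    remote_host, dmz_www1 = "198.51.100.7", "172.16.1.10"
    out = {}
    out["lan_to_wan_http"] = fw.process(Packet("Gi2", "Gi1", "tcp", lan_host, 40000, web_server, 80))
    out["wan_to_lan_reply"] = fw.process(Packet("Gi1", "Gi2", "tcp", web_server, 80, lan_host, 40000))
    out["wan_to_lan_unsolicited"] = fw.process(Packet("Gi1", "Gi2", "tcp", remote_host, 51000, lan_host, 22))
    out["lan_to_wan_telnet"] = fw.process(Packet("Gi2", "Gi1", "tcp", lan_host, 40001, web_server, 23))
    out["wan_to_dmz_www1"] = fw.process(Packet("Gi1", "Gi3", "tcp", remote_host, 52000, dmz_www1, 80))
    out["dmz_to_wan_pass"] = fw.process(Packet("Gi3", "Gi1", "tcp", dmz_www1, 43000, web_server, 443))
    out["wan_to_dmz_reply_after_pass"] = fw.process(Packet("Gi1", "Gi3", "tcp", web_server, 443, dmz_www1, 43000))
    return out


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:28s} -> {action}")
```

The last two results are the practical difference between Pass and Inspect: the DMZ host's outbound packet is allowed, but because Pass keeps no session, its reply arrives as a new WAN-to-DMZ packet, matches only the WWW1 port-80 rule, and is dropped. That is why the lab uses Inspect for the LAN-to-WAN and WAN-to-DMZ policies rather than Pass.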
Create Security Policies
ADD Rule to Security Policies
Check connectivity – LAN to WAN
Check Connectivity – WAN to LAN
Configure Access WWW1 – WAN to DMZ
Check connectivity – WAN to DMZ