Professional Documents
Culture Documents
Implementing Firewall
Technologies
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Upon completion of this section, you should be able to:
• Configure standard and extended IPv4 ACLs using CLI.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Standard Numbered ACL Syntax
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Syntax - Apply an ACL
to an interface
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Syntax - Apply an ACL to the VTY lines
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Existing access list has three entries
Access list has been edited, which adds a new ACE and replaces ACE line
20.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Existing access list has four entries
Access list has been edited, which adds a new ACE that permits a specific IP
address.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Upon completion of this section, you should be able to:
• Explain how firewalls are used to help secure networks.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
All firewalls:
• Are resistant to attack
• Are the only transit point
between networks
because all traffic flows
through the firewall
• Enforce the access
control policy
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Packet Filtering Firewall Application Gateway Firewall
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Stateful Firewalls State Tables
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
• Granular identification, visibility, and control of behaviors within applications
• Restricting web and web application use based on the reputation of the site
• Enforcement of policies based on the user, device, role, application type, and threat profile
• Use of an IPS
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
1. Choose the internal and
external interfaces.
2. Configure ACLs for each
interface.
Inspection Rules
3. Define inspection rules.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Considerations for network defense:
• Network core security
• Perimeter security
• Endpoint security
• Communications security
• Deny all traffic by default. Permit only services that are needed.
• Remember that firewalls primarily protect from technical attacks originating from the
outside.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Upon completion of this section, you should be able to:
• Explain how Zone-Based Policy Firewalls are used to help secure a network.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
• Not dependent on ACLs
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Common designs include:
• LAN-to-Internet
• Redundant firewalls
• Complex firewalls
Design steps:
1. Determine the zones
2. Establish policies between zones
3. Design the physical infrastructure
4. Identify subsets within zones and merge traffic requirements
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
• Inspect - Configures Cisco IOS stateful packet inspections.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Command Syntax for
class-map
Sub-Configuration
Command Syntax for
class-map
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Example class-map Configuration
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Command Syntax for
policy-map
Example policy-map
Configuration
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Command Syntax for
zone-pair and
service-policy
Example service-policy
Configuration
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Verification commands:
• show run | begin class-map
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Chapter Objectives:
• Implement ACLs to filter traffic and mitigate network attacks on a network.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Thank you.
• Remember, there are
helpful tutorials and user
guides available via your
NetSpace home page. 1
(https://www.netacad.com) 2
• These resources cover a
variety of topics including
navigation, assessments,
and assignments.
• A screenshot has been
provided here highlighting
the tutorials related to
activating exams, managing
assessments, and creating
quizzes.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 57