Implementing Firewall Technologies
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Section 3.1:
Access Control List
Upon completion of this section, you should be able to:
• Configure standard and extended IPv4 ACLs using CLI.
Topic 3.1.1:
Configuring Standard and Extended IPv4 ACLs with CLI
Introduction to Access Control Lists
So the router is not able to distinguish between the user's packet and the adversary's packet.
From the router's point of view, both packets carry a valid destination address, so both should be forwarded out the exit interface.
• Suppose we tell the router that only 10.0.0.10 has the right to access 30.0.0.1. To enforce this condition, the router takes the following actions:
• Now only packets from 10.0.0.10 are allowed to pass through the router.
• With this condition, the adversary is no longer able to access the server.
• Outbound ACLs filter traffic after the router makes its forwarding decision.
• An ACL filter condition has two actions: permit and deny. We can permit certain types of traffic while blocking the rest, or block certain types of traffic while allowing the rest.
• Two types of ACLs: standard and extended.
Configuring Standard ACLs
• How to configure:
R1(config)# access-list [acl_num] [permit/deny] [source_address] [source_wildcard]
Example:
R1(config)# access-list 9 deny 192.168.15.99 0.0.0.0
Configuring Extended ACLs
• How to configure:
Eg:
Router(config)# interface fa0/1
Router(config-if)# ip access-group 45 in
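The following is an added, complete example (not taken from the slides) that carries the two syntaxes above through to a working configuration: a standard ACL for the scenario from the introduction, where only 10.0.0.10 may reach the server 30.0.0.1, and a named extended ACL that additionally restricts the protocol and port. The extended-ACL syntax, the ACL name SERVER-ACCESS, the interface names and the 10.0.0.0/24 LAN mask are assumptions made for this example.

```cisco
! --- Standard ACL: matches on source address only, so it cannot tell the
! --- server apart from other destinations. Place it on the interface closest
! --- to the server. ACL number 9 is the number used on the slide.
R1(config)# access-list 9 permit host 10.0.0.10
R1(config)# access-list 9 deny any log
! Every ACL ends with an implicit "deny any". The explicit deny above changes
! nothing about filtering; it only makes the dropped packets appear in the log.

! Apply it outbound on the interface facing 30.0.0.1 (interface name assumed).
! Outbound ACLs are evaluated after the forwarding decision has been made.
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group 9 out
R1(config-if)# exit

! --- Extended ACL: matches source, destination, protocol and port, so it can
! --- sit close to the source and drop unwanted traffic before it is routed.
! --- A named ACL is easier to edit later than a numbered one.
R1(config)# ip access-list extended SERVER-ACCESS
R1(config-ext-nacl)# remark Only the admin host reaches the server, and only over SSH
R1(config-ext-nacl)# permit tcp host 10.0.0.10 host 30.0.0.1 eq 22
R1(config-ext-nacl)# remark Anything else from the LAN toward the server is dropped and logged
R1(config-ext-nacl)# deny ip 10.0.0.0 0.0.0.255 host 30.0.0.1 log
R1(config-ext-nacl)# remark Other LAN traffic is still allowed (avoids the implicit deny)
R1(config-ext-nacl)# permit ip 10.0.0.0 0.0.0.255 any
R1(config-ext-nacl)# exit

! Apply it inbound on the interface facing the 10.0.0.0/24 LAN (name assumed).
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group SERVER-ACCESS in
R1(config-if)# end

! Verify: per-entry hit counters, and which ACL is bound to which interface.
R1# show access-lists
R1# show ip interface GigabitEthernet0/0 | include access list
```

Order matters: entries are evaluated top down and the first match wins, so the specific permit for SSH must come before the broader deny. The final permit in SERVER-ACCESS is there because without it the implicit deny would also cut off every other LAN destination, a common mistake when an extended ACL is applied inbound.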
ACL Configuration Guidelines
Editing Existing ACLs
The existing access list has three entries.
The access list has been edited, which adds a new ACE and replaces ACE line 20.
Sequence Numbers and Standard ACLs
The existing access list has four entries.
The access list has been edited, which adds a new ACE that permits a specific IP address.
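As an added example (not from the slides), this is how the two edits described above are done with sequence numbers on a standard ACL, using the ACL number 9 from the earlier slide. The ACL contents and the show output are constructed for illustration.

```cisco
! Display the ACL with its sequence numbers. IOS numbers entries 10, 20, 30 ...
! by default. (Sample output, constructed for this example.)
R1# show access-lists 9
Standard IP access list 9
    10 permit 10.0.0.10
    20 deny   10.0.0.20
    30 permit 10.0.0.0, wildcard bits 0.0.0.255

! Enter named-ACL configuration mode for the numbered ACL. Do NOT type
! "no access-list 9" here: that removes the whole list, not one line.
R1(config)# ip access-list standard 9

! Replace ACE line 20: a sequence number that is already in use is rejected
! ("% Duplicate sequence number"), so remove the old line first.
R1(config-std-nacl)# no 20
R1(config-std-nacl)# 20 deny host 10.0.0.21

! Add a new ACE that permits a specific host. Sequence 15 slots it between
! lines 10 and 20 without touching the other entries.
R1(config-std-nacl)# 15 permit host 10.0.0.11
R1(config-std-nacl)# end

! Renumber the entries 10, 20, 30 ... again so there is room for future inserts.
R1(config)# ip access-list resequence 9 10 10
R1(config)# end
R1# show access-lists 9
```

Because an ACL is evaluated top down, the sequence number you choose for a new line decides whether it is reached at all: a permit placed after a broader deny never matches. Checking the hit counters in show access-lists after the edit confirms that traffic lands on the line you intended.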
Topic 3.1.2:
Mitigating Attacks with ACLs
Antispoofing with ACLs
Permitting Necessary Traffic through a Firewall
Mitigating ICMP Abuse
Mitigating SNMP Exploits
Topic 3.1.3:
IPv6 ACLs
Introducing IPv6 ACLs
IPv6 ACL Syntax
Configure IPv6 ACLs
Section 3.2:
Firewall Technologies
Upon completion of this section, you should be able to:
• Explain how firewalls are used to help secure networks.
Topic 3.2.1:
Securing Networks with Firewalls
Defining Firewalls
Benefits and Limitations of Firewalls
Topic 3.2.2:
Types of Firewalls
Firewall Type Descriptions
• Packet Filtering Firewall
• Application Gateway Firewall
Packet Filtering Firewall Benefits & Limitations
Stateful Firewalls
Stateful Firewalls State Tables
Stateful Firewall Benefits and Limitations
• Restricting web and web application use based on the reputation of the site
• Enforcement of policies based on the user, device, role, application type, and threat profile
• Use of an IPS
Topic 3.2.3:
Classic Firewall
Introducing Classic Firewall
Cisco IOS Classic Firewall, formerly known as context-based access control (CBAC), is a stateful firewall feature that was added to Cisco IOS prior to version 12.0.
It provides four main functions:
1. traffic filtering (shown in the figure),
2. traffic inspection,
3. intrusion detection,
4. generation of audits and alerts.
It can examine supported connections for embedded NAT and Port Address Translation (PAT) information and perform the necessary address translations.
It can block peer-to-peer (P2P) connections, such as those used by the Gnutella and KaZaA applications. Instant messaging traffic, such as Yahoo!, AOL, and MSN, can also be blocked.
However, Classic Firewall only provides filtering for those protocols that
are specified by an administrator.
If a protocol is not specified, the existing ACLs determine how that protocol is
filtered and no temporary opening is created.
Additionally, Classic Firewall only detects and protects against attacks
that travel through the firewall.
It does not typically protect against attacks originating from within the
protected network unless that traffic travels through an internal router with
the Cisco IOS Firewall enabled.
Classic Firewall Operation
1. When traffic is first generated, and it passes through the router, the
inbound ACL is processed. If the ACL denies this type of connection, the
packet is dropped. If the ACL permits the connection, the Classic Firewall
inspection rules are examined.
2. Based on the inspection rules for Classic Firewall, the Cisco IOS software might inspect the connection. If SSH traffic is not inspected, the packet is allowed through and no other information is gathered. Otherwise, the connection goes to the next step.
3. The connection information is compared to entries in the state table. If the
connection does not currently exist, the entry is added. If it does exist, the
idle timer for the connection is reset.
4. If a new entry is added, a dynamic ACL entry is added to allow the
returning SSH traffic that is part of the same SSH connection. This temporary
opening is only active for as long as the session is open. These dynamic ACL
entries are not saved to NVRAM.
5. When the session terminates, the dynamic information from the state table
and the dynamic ACL entry are removed.
Classic Firewall creates temporary openings in the ACL to allow returning traffic.
These entries are created as inspected traffic leaves the network and are
removed when the connection terminates or the idle timeout period for the
connection is reached.
Classic Firewall can also be configured to inspect traffic in two directions: in
and out.
This is useful when protecting two parts of a network, in which both sides
initiate certain connections and allow the returning traffic to reach its source.
Classic Firewall Configuration
There are four steps to configure this policy using a Classic Firewall.
In this example, G0/0 is the inside interface and G0/1 is the outside interface.
The INSIDE ACL allows only SSH traffic from the 10.0.0.0 network. It is applied to the G0/0
interface. Until the inspection rule is configured, the OUTSIDE ACL will deny inbound traffic
from the 172.30.0.0 network. It is applied to the G0/1 interface.
The inspection rule FWRULE specifies that traffic will be inspected for SSH connections. This inspection rule has no effect until it is applied to an interface. Although an SSH connection would be allowed in on the G0/0 interface and out to a host on the 172.30.0.0 network, the returning SSH traffic inbound on G0/1 would still be denied.
When the FWRULE is applied to inbound traffic on the G0/0 interface, the Classic Firewall
configuration will dynamically add an entry to allow inbound SSH traffic between the two
hosts. This can be verified with the show ip inspect sessions command.
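An added example (not the slide's figure) of the Classic Firewall configuration described above, written out as the four steps as they read from the text: the two ACLs, the inspection rule, and the interface assignments. The names INSIDE, OUTSIDE and FWRULE and the interfaces G0/0 and G0/1 come from the text; the exact ACL lines, the /8 mask on 10.0.0.0 and the /16 mask on 172.30.0.0 are assumptions.

```cisco
! Step 1: INSIDE ACL. Only SSH from the 10.0.0.0 network may enter on G0/0.
! The explicit deny at the end only adds logging to the implicit deny.
R1(config)# ip access-list extended INSIDE
R1(config-ext-nacl)# permit tcp 10.0.0.0 0.255.255.255 any eq 22
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit

! Step 2: OUTSIDE ACL. Inbound traffic from the 172.30.0.0 network is denied.
! Nothing is permitted here: the only way in through G0/1 will be the dynamic
! entries that inspection creates for sessions opened from the inside.
R1(config)# ip access-list extended OUTSIDE
R1(config-ext-nacl)# deny ip 172.30.0.0 0.0.255.255 any log
R1(config-ext-nacl)# exit

! Step 3: inspection rule. Track SSH sessions; on its own this does nothing
! until it is bound to an interface.
R1(config)# ip inspect name FWRULE ssh

! Step 4: apply the ACLs and the inspection rule. FWRULE watches traffic
! entering G0/0; each inspected SSH session gets a temporary opening in the
! OUTSIDE ACL for its return packets, removed when the session ends or idles out.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group INSIDE in
R1(config-if)# ip inspect FWRULE in
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group OUTSIDE in
R1(config-if)# end

! Verify: the inspection rule and its timers, then the live sessions
! (a line per inspected SSH connection appears once an inside host connects).
R1# show ip inspect config
R1# show ip inspect sessions
```

Two points worth checking on a real deployment: the OUTSIDE ACL as written blocks every unsolicited inbound connection on G0/1, not only those from 172.30.0.0, because of the implicit deny; and because FWRULE lists only ssh, any other protocol an inside host starts is handled by the static ACLs alone and gets no return opening, exactly as the "only protocols specified by an administrator" slide states.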
Topic 3.2.4:
Firewalls in Network Design
Inside and Outside Networks
Firewall design is primarily about device interfaces permitting or denying
traffic based on the source, the destination, and the type of traffic.
Some designs are as simple as designating an outside network and inside
network, which are determined by two interfaces on a firewall.
As shown in the figure, the public network (or outside network) is untrusted,
and the private network (or inside network) is trusted.
Typically a firewall with two interfaces is configured as follows:
Demilitarized Zones
A demilitarized zone (DMZ) is a firewall design where there is typically one
inside interface connected to the private network, one outside interface
connected to the public network, and one DMZ interface, as shown in the
figure.
• Traffic originating from the private network is inspected as it travels toward
the public or DMZ network.
• This traffic is permitted with little or no restriction. Inspected traffic returning
from the DMZ or public network to the private network is permitted.
• Traffic originating from the DMZ network and traveling to the private network
is usually blocked.
• Traffic originating from the DMZ network and traveling to the public network is
selectively permitted based on service requirements.
• Traffic originating from the public network and traveling toward the DMZ is
selectively permitted and inspected. This type of traffic is typically email,
DNS, HTTP, or HTTPS traffic. Return traffic from the DMZ to the public
network is dynamically permitted.
• Traffic originating from the public network and traveling to the private network
is blocked.
Zone-Based Policy Firewalls (ZPFs)
ZPFs use the concept of zones to provide additional flexibility.
Layered Defense
Considerations for network defense:
• Network core security
• Perimeter security
• Endpoint security
• Communications security
• Deny all traffic by default. Permit only services that are needed.
• Remember that firewalls primarily protect from technical attacks originating from the
outside.
Section 3.3:
Zone-Based Policy Firewalls
Upon completion of this section, you should be able to:
• Explain how Zone-Based Policy Firewalls are used to help secure a network.
Topic 3.3.1:
Zone-Based Policy Firewall Overview
Zone-based Policy Firewall
ZPFs use the concept of zones to provide additional flexibility.
Benefits of ZPF
ZPF Design
Common designs include:
• LAN-to-Internet
• Redundant firewalls
• Complex firewalls
Design steps:
1. Determine the zones
2. Establish policies between zones
3. Design the physical infrastructure
4. Identify subsets within zones and merge traffic requirements
Topic 4.3.2:
ZPF Operation
ZPF Actions
Rules for Transit Traffic
Topic 4.3.3:
Configuring a ZPF
Configure ZPF
Step 1: Create Zones
Step 2: Identify Traffic
Sub-Configuration Command Syntax for class-map
Step 2: Identify Traffic (Cont.)
Step 3: Define an Action
Example policy-map Configuration
Step 4: Identify a Zone-Pair and Match to a Policy
Example service-policy Configuration
Step 5: Assign Zones to Interfaces
Verify a ZPF Configuration
Verification commands:
• show run | begin class-map
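As an added example (not the original slides' configuration), here are the five steps above applied to the three-zone DMZ policy from the Demilitarized Zones slides: private hosts may start sessions toward the DMZ or the public network, the public network may reach only email, DNS, HTTP and HTTPS in the DMZ, the DMZ may reach the public network only for DNS and SMTP, and DMZ-to-private and public-to-private traffic is blocked. It is written in running-config form, as show run | begin class-map would display it. The zone, class-map and policy-map names, the interface assignments and the choice of DMZ outbound services are assumptions.

```cisco
! Step 1: create one zone per trust level
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
! Step 2: identify traffic. Private-network hosts may start any TCP, UDP or
! ICMP session; the public side may only reach the DMZ services named on the
! slide; the DMZ (mail and DNS servers, assumed) needs only DNS and SMTP out.
class-map type inspect match-any INSIDE-ANY
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any PUBLIC-TO-DMZ
 match protocol smtp
 match protocol dns
 match protocol http
 match protocol https
class-map type inspect match-any DMZ-TO-PUBLIC
 match protocol dns
 match protocol smtp
!
! Step 3: define the action. "inspect" creates the stateful session entry that
! lets the return traffic back; class-default drops and logs everything else.
policy-map type inspect INSIDE-POLICY
 class type inspect INSIDE-ANY
  inspect
 class class-default
  drop log
policy-map type inspect PUBLIC-TO-DMZ-POLICY
 class type inspect PUBLIC-TO-DMZ
  inspect
 class class-default
  drop log
policy-map type inspect DMZ-TO-PUBLIC-POLICY
 class type inspect DMZ-TO-PUBLIC
  inspect
 class class-default
  drop log
!
! Step 4: zone-pairs are one-directional; replies ride on the inspected session.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-POLICY
zone-pair security IN-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-POLICY
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PUBLIC-TO-DMZ-POLICY
zone-pair security DMZ-OUT source DMZ destination OUTSIDE
 service-policy type inspect DMZ-TO-PUBLIC-POLICY
! There is deliberately no zone-pair for DMZ->INSIDE or OUTSIDE->INSIDE:
! traffic between two zones that have no zone-pair is dropped by default,
! so the two "blocked" rules of the DMZ design need no configuration.
!
! Step 5: assign interfaces to zones (interface names assumed)
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security DMZ
interface GigabitEthernet0/2
 zone-member security OUTSIDE
```

Verify with show zone-pair security (which policy is bound to which pair) and show policy-map type inspect zone-pair sessions (the live inspected sessions). Two behaviours to keep in mind when applying this: traffic between two interfaces in the same zone is allowed without any policy, and once an interface is a zone member, traffic between it and an interface that belongs to no zone is dropped, so assign every interface that carries transit traffic. Traffic to and from the router itself belongs to the built-in self zone, which is permitted by default and is not affected by the pairs above.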
Section 4.4:
Summary
Chapter Objectives:
• Implement ACLs to filter traffic and mitigate network attacks on a network.
Thank you.
Instructor Resources