
Chapter 3: Implementing Firewall Technologies

CCNA Security v2.0


Chapter Outline
3.0 Introduction
3.1 Access Control Lists
3.2 Firewall Technologies
3.3 Zone-Based Policy Firewalls
3.4 Summary

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Section 3.1: Access Control Lists
Upon completion of this section, you should be able to:
• Configure standard and extended IPv4 ACLs using CLI.

• Use ACLs to mitigate common network attacks.

• Configure IPv6 ACLs using CLI.

Topic 3.1.1: Configuring Standard and Extended IPv4 ACLs with CLI

Introduction to Access Control Lists

What is an access control list?

• An ACL is a built-in feature of IOS software that is used to filter the network traffic passing through IOS devices.
• Network traffic flows in the form of packets. A packet contains a small piece of data plus all the information required to deliver it.
• By default, when a router receives a packet on an interface, it takes the following actions:
  - Read the destination address from the packet.
  - Look up the destination address in the routing table.
  - If a match is found, forward the packet out the associated interface.
  - If no match is found, discard the packet immediately.
• This default behavior provides no security. Anyone who knows the correct destination address can send packets through the router.

Introduction to Access Control Lists

• In this network, no security policy is applied on the router.
• The router therefore cannot distinguish between the user's packet and the adversary's packet.
• From the router's point of view, both packets have a correct destination address, so both are forwarded out the exit interface.

Introduction to Access Control Lists

• Suppose we tell the router that only 10.0.0.10 has the right to access 30.0.0.1. To enforce this condition, the router takes the following actions:
  - Read the source and destination addresses from the packet.
  - Compare both addresses with the given condition.
  - If the packet did not arrive from 10.0.0.10, drop it immediately.
  - If the packet is not destined for 30.0.0.1, drop it immediately.
  - If both conditions match, look up the destination address in the routing table.
  - If a match is found, forward the packet out the associated interface.
  - If no match is found, discard the packet immediately.

Introduction to Access Control Lists

• Now only packets from 10.0.0.10 are allowed to pass through the router.
• Under this condition the adversary cannot reach the server.
• We can create as many conditions as we want; these conditions are known as ACLs.
• Besides filtering unwanted traffic, ACLs are used for several other purposes, such as prioritizing traffic for QoS (Quality of Service), triggering alerts, restricting remote access, debugging, VPNs and much more.
• ACL conditions applied at the entry interface work as an inbound filter. ACL conditions applied at the exit interface work as an outbound filter.
• Inbound ACLs filter traffic before the router makes its forwarding decision.
• Outbound ACLs filter traffic after the router makes its forwarding decision.
• An ACL filter condition has two actions: permit and deny. We can permit certain types of traffic while blocking the rest, or block certain types of traffic while allowing the rest.

Introduction to Access Control Lists

• Two types of ACLs:

Standard ACLs (1 – 99 and 1300 – 1999)
  - Standard ACLs are used for basic filtering. They filter packets based on the source IP address only.

Extended ACLs (100 – 199 and 2000 – 2699)
  - Over time, security has become more challenging. To mitigate current security threats, more advanced filtering is required.
  - Extended ACLs can filter a packet based on its source address, destination address, port number, protocol and much more.
  - Named ACLs (standard or extended ACLs identified by a name rather than a number)

Configuring Standard ACLs
• How to configure:

  R1(config)#access-list [acl_num] [permit/deny] [source_address] [source_wildcard]

  Eg:

  R1(config)#access-list 9 deny 192.168.15.99 0.0.0.0

Configuring Extended ACLs
• How to configure:

  Router(config)#access-list {100-199} {permit|deny} protocol source-addr [source-wildcard] destination-addr [destination-wildcard] [operator operand] [established] [log]

  Eg:

  R1(config)#access-list 109 deny tcp 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 80

  Note: the number must come from the extended range (100 – 199 or 2000 – 2699); a standard-range number such as 9 is rejected together with the tcp keyword.

• Applying an ACL to an interface (an ACL filters nothing until it is applied):

  Router(config)#interface fa0/1
  Router(config-if)#ip access-group 45 in

ACL Configuration Guidelines

Editing Existing ACLs
The existing access list has three entries.

The access list is edited, adding a new ACE and replacing ACE line 20.

The updated access list has four entries.

Sequence Numbers and Standard ACLs
The existing access list has four entries.

The access list is edited, adding a new ACE that permits a specific IP address.

The updated access list places the new ACE before line 20.
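As an added example (not a figure from the original deck), the policy from the introduction, only host 10.0.0.10 may reach 30.0.0.1, written as a named extended ACL, applied inbound, and then edited in place with sequence numbers as the two slides above describe. The ACL name, the interface name and the second host 10.0.0.20 are assumptions.

```cisco
! Added example (assumed names). Only host 10.0.0.10 may reach 30.0.0.1;
! every other packet is dropped, matching the behavior described earlier.
R1(config)# ip access-list extended ONLY-ADMIN-TO-SERVER
R1(config-ext-nacl)# 10 permit ip host 10.0.0.10 host 30.0.0.1
R1(config-ext-nacl)# 20 deny ip any any
R1(config-ext-nacl)# exit
!
! Applied inbound on the interface facing 10.0.0.0, so the check happens
! before the routing decision (an inbound filter). Without this step the
! ACL exists but filters nothing.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group ONLY-ADMIN-TO-SERVER in
R1(config-if)# exit
!
! Editing with sequence numbers. ACEs are evaluated top-down and the first
! match wins, so a new permit for 10.0.0.20 must land before the deny at
! line 20: give it sequence 15. Entered without a number it would be
! appended after line 20 and never match.
R1(config)# ip access-list extended ONLY-ADMIN-TO-SERVER
R1(config-ext-nacl)# 15 permit ip host 10.0.0.20 host 30.0.0.1
!
! Replacing ACE line 20: remove it by sequence number, then re-add it,
! here with the log keyword so denied attempts show up in syslog.
R1(config-ext-nacl)# no 20
R1(config-ext-nacl)# 20 deny ip any any log
R1(config-ext-nacl)# exit
!
! Optional: renumber in steps of 10 to leave room for future inserts.
R1(config)# ip access-list resequence ONLY-ADMIN-TO-SERVER 10 10
R1(config)# end
!
! Verify ordering and per-ACE match counters; an ACE with zero matches that
! you expected to hit usually sits below an earlier, broader entry.
R1# show access-lists ONLY-ADMIN-TO-SERVER
```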

Topic 3.1.2: Mitigating Attacks with ACLs

Antispoofing with ACLs

Permitting Necessary Traffic through a Firewall

Mitigating ICMP Abuse

Mitigating SNMP Exploits
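The four mitigation topics above appear in the deck only as figures. As an added example (not the deck's own configuration), here is one inbound ACL on the outside interface that covers all four. It assumes the private network is 10.0.0.0/8 behind GigabitEthernet0/1 and an internal DNS resolver at 10.0.0.53; all three values are assumptions.

```cisco
! Added example: inbound filter on the Internet-facing interface.
! Assumptions: inside network 10.0.0.0/8, outside interface G0/1,
! internal DNS resolver 10.0.0.53.
R1(config)# ip access-list extended OUTSIDE-IN
! Antispoofing: a packet arriving from the Internet can never legitimately
! carry an inside, private, loopback or unspecified source address.
R1(config-ext-nacl)# remark ANTISPOOFING
R1(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any log
R1(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any log
R1(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any log
R1(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any log
R1(config-ext-nacl)# deny ip 0.0.0.0 0.255.255.255 any log
! ICMP abuse: permit only the message types inside hosts need to receive;
! inbound echo requests (ping sweeps) and other types fall to the final deny.
R1(config-ext-nacl)# remark ICMP
R1(config-ext-nacl)# permit icmp any 10.0.0.0 0.255.255.255 echo-reply
R1(config-ext-nacl)# permit icmp any 10.0.0.0 0.255.255.255 unreachable
R1(config-ext-nacl)# permit icmp any 10.0.0.0 0.255.255.255 ttl-exceeded
! SNMP exploits: management traffic is never accepted from the outside.
! Explicit entries (rather than relying on the final deny) give counters
! and log lines for attempts.
R1(config-ext-nacl)# remark SNMP
R1(config-ext-nacl)# deny udp any any eq snmp log
R1(config-ext-nacl)# deny udp any any eq snmptrap log
! Necessary traffic: return segments of TCP sessions that inside hosts
! opened (ACK or RST bit set) and DNS replies to the internal resolver.
R1(config-ext-nacl)# remark RETURN-TRAFFIC
R1(config-ext-nacl)# permit tcp any 10.0.0.0 0.255.255.255 established
R1(config-ext-nacl)# permit udp any eq domain host 10.0.0.53 gt 1023
! Everything else is dropped and logged.
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group OUTSIDE-IN in
R1(config-if)# end
```

The established keyword only checks that the ACK or RST bit is set; it does not track sessions, which is exactly the gap the stateful features in the following sections close.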

Topic 3.1.3: IPv6 ACLs

Introducing IPv6 ACLs

IPv6 ACL Syntax

Configure IPv6 ACLs

Section 3.2: Firewall Technologies
Upon completion of this section, you should be able to:
• Explain how firewalls are used to help secure networks.

• Describe the various types of firewalls.

• Configure a classic firewall.

• Explain design considerations for implementing firewall technologies.

Topic 3.2.1: Securing Networks with Firewalls

Defining Firewalls

Firewalls share some common properties:
• Are resistant to attack
• Are the only transit point between networks because all traffic flows through the firewall
• Enforce the access control policy

Benefits and Limitations of Firewalls

Topic 3.2.2: Types of Firewalls

Firewall Type Descriptions
• Packet Filtering Firewall
• Stateful Firewall
• Application Gateway Firewall
• NAT Firewall

Packet Filtering Firewall Benefits & Limitations

Stateful Firewalls
• Stateful Firewall State Tables
• Stateful Firewall Operation

Stateful Firewall Benefits and Limitations

Next Generation Firewalls

• Granular identification, visibility, and control of behaviors within applications

• Restricting web and web application use based on the reputation of the site

• Proactive protection against Internet threats

• Enforcement of policies based on the user, device, role, application type, and threat profile

• Performance of NAT, VPN, and SPI

• Use of an IPS

Topic 3.2.3: Classic Firewall

Introducing Classic Firewall
• Cisco IOS Classic Firewall, formerly known as context-based access control (CBAC), is a stateful firewall feature added to Cisco IOS prior to version 12.0.
• It provides four main functions:
  1. traffic filtering (shown in the figure),
  2. traffic inspection,
  3. intrusion detection,
  4. generation of audits and alerts.
• It can examine supported connections for embedded NAT and Port Address Translation (PAT) information and perform the necessary address translations.
• It can block peer-to-peer (P2P) connections, such as those used by the Gnutella and KaZaA applications. Instant messaging traffic, such as Yahoo!, AOL, and MSN, can also be blocked.

Introducing Classic Firewall
• However, Classic Firewall only provides filtering for those protocols that are specified by an administrator.
• If a protocol is not specified, the existing ACLs determine how that protocol is filtered and no temporary opening is created.
• Additionally, Classic Firewall only detects and protects against attacks that travel through the firewall.
• It does not typically protect against attacks originating from within the protected network unless that traffic travels through an internal router with the Cisco IOS Firewall enabled.

Classic Firewall Operation
 1. When traffic is first generated, and it passes through the router, the
inbound ACL is processed. If the ACL denies this type of connection, the
packet is dropped. If the ACL permits the connection, the Classic Firewall
inspection rules are examined.
 2. Based on the inspection rules for Classic Firewall, the Cisco IOS software
might inspect the connection. If SSH traffic is not inspected the packet is
allowed through, and no other information is gathered. Otherwise, the
connection goes to the next step.
 3. The connection information is compared to entries in the state table. If the
connection does not currently exist, the entry is added. If it does exist, the
idle timer for the connection is reset.
 4. If a new entry is added, a dynamic ACL entry is added to allow the
returning SSH traffic that is part of the same SSH connection. This temporary
opening is only active for as long as the session is open. These dynamic ACL
entries are not saved to NVRAM.
 5. When the session terminates, the dynamic information from the state table
and the dynamic ACL entry are removed.

Classic Firewall Operation
• It creates temporary openings in the ACL to allow returning traffic.
• These entries are created as inspected traffic leaves the network and are removed when the connection terminates or the idle timeout period for the connection is reached.
• Classic Firewall can also be configured to inspect traffic in two directions: in and out.
• This is useful when protecting two parts of a network, in which both sides initiate certain connections and the returning traffic must be allowed to reach its source.

Classic Firewall Configuration

Consider the topology shown in the figure above.

• The administrator wants to allow SSH sessions between the 10.0.0.0 and 172.30.0.0 networks.
• However, only hosts from the 10.0.0.0 network are allowed to initiate SSH sessions.
• All other access is denied.

• There are four steps to configure this policy using a Classic Firewall.

Classic Firewall Configuration

Step 1. Choose the internal and external interfaces.

In this example, G0/0 is the inside interface and G0/1 is the outside interface.

Step 2. Configure ACLs for each interface.

The INSIDE ACL allows only SSH traffic from the 10.0.0.0 network. It is applied to the G0/0
interface. Until the inspection rule is configured, the OUTSIDE ACL will deny inbound traffic
from the 172.30.0.0 network. It is applied to the G0/1 interface.

Step 3. Define inspection rules.

The inspection rule FWRULE specifies that traffic will be inspected for SSH connections. This inspection rule has no effect until it is applied to an interface. Although an SSH connection would be allowed in on the G0/0 interface and out to a host on the 172.30.0.0 network, the returning SSH traffic inbound on G0/1 would still be denied.

Step 4. Apply an inspection rule to an interface.

When FWRULE is applied to inbound traffic on the G0/0 interface, the Classic Firewall configuration will dynamically add an entry to allow the returning inbound SSH traffic between the two hosts. This can be verified with the show ip inspect sessions command.
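The four steps above as IOS commands, added here as an example and not copied from the deck's figure. It assumes /8 and /16 masks for the 10.0.0.0 and 172.30.0.0 networks and a 300-second SSH idle timeout; the ACL and rule names are the ones the slides use.

```cisco
! Added example. Assumed masks: 10.0.0.0/8 inside, 172.30.0.0/16 outside.
! Step 1. G0/0 is the inside interface, G0/1 the outside interface.
! Step 2. One ACL per interface, both applied inbound.
R1(config)# ip access-list extended INSIDE
R1(config-ext-nacl)# permit tcp 10.0.0.0 0.255.255.255 172.30.0.0 0.0.255.255 eq 22
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended OUTSIDE
! Nothing is permitted statically here: the inspection engine opens the
! return path only for SSH sessions that the inside initiated.
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group INSIDE in
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group OUTSIDE in
R1(config-if)# exit
! Step 3. Inspection rule: track SSH sessions. The timeout (assumed value,
! seconds) is how long an idle session keeps its temporary opening.
R1(config)# ip inspect name FWRULE ssh timeout 300
! Step 4. Apply the rule inbound on the inside interface, i.e. in the
! direction the sessions are initiated. Applying it on G0/1 instead
! would inspect nothing, because the OUTSIDE ACL drops the first packet.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip inspect FWRULE in
R1(config-if)# end
! Verify: each inside-initiated SSH session appears while it is open,
! and the dynamic opening in OUTSIDE disappears when the session ends.
R1# show ip inspect sessions
R1# show ip inspect all
```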

Topic 3.2.4: Firewalls in Network Design

Inside and Outside Networks
• Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic.
• Some designs are as simple as designating an outside network and an inside network, which are determined by two interfaces on a firewall.
• As shown in the figure, the public network (or outside network) is untrusted, and the private network (or inside network) is trusted.
• Typically a firewall with two interfaces is configured as follows:
  - Traffic originating from the private network is permitted and inspected as it travels toward the public network. Inspected traffic returning from the public network and associated with traffic that originated from the private network is permitted.
  - Traffic originating from the public network and traveling to the private network is generally blocked.

Demilitarized Zones
• A demilitarized zone (DMZ) is a firewall design where there is typically one inside interface connected to the private network, one outside interface connected to the public network, and one DMZ interface, as shown in the figure.
• Traffic originating from the private network is inspected as it travels toward the public or DMZ network.
• This traffic is permitted with little or no restriction. Inspected traffic returning from the DMZ or public network to the private network is permitted.
• Traffic originating from the DMZ network and traveling to the private network is usually blocked.
• Traffic originating from the DMZ network and traveling to the public network is selectively permitted based on service requirements.

Demilitarized Zones (Cont.)
• Traffic originating from the public network and traveling toward the DMZ is
selectively permitted and inspected. This type of traffic is typically email,
DNS, HTTP, or HTTPS traffic. Return traffic from the DMZ to the public
network is dynamically permitted.
• Traffic originating from the public network and traveling to the private network
is blocked.

Zone-Based Policy Firewalls
• ZPFs use the concept of zones to provide additional flexibility.
• A zone is a group of one or more interfaces that have similar functions or features.
• Zones help you specify where a Cisco IOS firewall should be applied. In the figure, the security policies for LAN 1 and LAN 2 are similar and can be grouped into a zone for firewall configuration.
• By default, traffic between interfaces in the same zone is not subject to any policy and passes freely.
• However, all zone-to-zone traffic is blocked. In order to permit traffic between zones, a policy allowing or inspecting that traffic must be configured.

Layered Defense
Considerations for network defense:
• Network core security

• Perimeter security

• Endpoint security

• Communications security

Firewall best practices include:

• Position firewalls at security boundaries.

• It is unwise to rely exclusively on a firewall for security.

• Deny all traffic by default. Permit only services that are needed.

• Ensure that physical access to the firewall is controlled.

• Monitor firewall logs.

• Practice change management for firewall configuration changes.

• Remember that firewalls primarily protect from technical attacks originating from the
outside.
Section 3.3: Zone-Based Policy Firewalls
Upon completion of this section, you should be able to:
• Explain how Zone-Based Policy Firewalls are used to help secure a network.

• Explain the operation of a Zone-Based Policy Firewall.

• Configure a Zone-Based Policy Firewall with CLI.

Topic 3.3.1: Zone-Based Policy Firewall Overview

Zone-based Policy Firewall
• ZPFs use the concept of zones to provide additional flexibility.
• A zone is a group of one or more interfaces that have similar functions or features. Zones help you specify where a Cisco IOS firewall should be applied.

Benefits of ZPF

• Not dependent on ACLs
• Router security posture is to block unless explicitly allowed
• Policies are easy to read and troubleshoot with C3PL
• One policy affects any given traffic, instead of needing multiple ACLs and inspection actions

ZPF Design
Common designs include:
• LAN-to-Internet

• Firewalls between public servers

• Redundant firewalls

• Complex firewalls

Design steps:
1. Determine the zones
2. Establish policies between zones
3. Design the physical infrastructure
4. Identify subsets within zones and merge traffic requirements

Topic 3.3.2: ZPF Operation

ZPF Actions

• Inspect - Configures Cisco IOS stateful packet inspection.
• Drop - Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
• Pass - Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.

Rules for Transit Traffic

Rules for Traffic to the Self Zone

Topic 3.3.3: Configuring a ZPF

Configure ZPF

Step 1: Create Zones

Step 2: Identify Traffic

• Command Syntax for class-map
• Sub-Configuration Command Syntax for class-map

Step 2: Identify Traffic (Cont.)

Example class-map Configuration

Step 3: Define an Action

• Command Syntax for policy-map
• Example policy-map Configuration

Step 4: Identify a Zone-Pair and Match to a Policy

• Command Syntax for zone-pair and service-policy
• Example service-policy Configuration

Step 5: Assign Zones to Interfaces
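Steps 1 through 5 as one IOS configuration for the LAN-to-Internet design, added here as an example rather than taken from the deck's figures. The zone, class-map, policy-map and zone-pair names, the interface roles, and the protocol list are all assumptions.

```cisco
! Added example (assumed names). G0/0 faces the private LAN, G0/1 the Internet.
! Step 1: Create zones.
R1(config)# zone security INSIDE
R1(config-sec-zone)# description Private LAN
R1(config-sec-zone)# exit
R1(config)# zone security OUTSIDE
R1(config-sec-zone)# description Internet
R1(config-sec-zone)# exit
! Step 2: Identify traffic. match-any: a packet belongs to the class when it
! matches any one of the listed protocols.
R1(config)# class-map type inspect match-any INSIDE-PROTOCOLS
R1(config-cmap)# match protocol http
R1(config-cmap)# match protocol https
R1(config-cmap)# match protocol dns
R1(config-cmap)# match protocol ssh
R1(config-cmap)# match protocol icmp
R1(config-cmap)# exit
! Step 3: Define an action. inspect is stateful, so replies to these sessions
! come back without any OUTSIDE->INSIDE rule. class-default catches every
! other protocol; drop log records what the policy refused.
R1(config)# policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
R1(config-pmap)# class type inspect INSIDE-PROTOCOLS
R1(config-pmap-c)# inspect
R1(config-pmap-c)# exit
R1(config-pmap)# class class-default
R1(config-pmap-c)# drop log
R1(config-pmap-c)# exit
R1(config-pmap)# exit
! Step 4: A zone-pair is unidirectional. No OUTSIDE->INSIDE pair is created,
! so connections initiated from the Internet are dropped by default.
R1(config)# zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
R1(config-sec-zone-pair)# service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
R1(config-sec-zone-pair)# exit
! Step 5: Assign zones to interfaces. Once an interface is in a zone it only
! exchanges traffic with interfaces in zones that have a policy toward it
! (or in its own zone), so assign both interfaces in the same change window.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# zone-member security INSIDE
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# zone-member security OUTSIDE
R1(config-if)# end
! Verify: active sessions per zone-pair, and interface-to-zone membership.
R1# show policy-map type inspect zone-pair sessions
R1# show zone security
```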

Verify a ZPF Configuration
Verification commands:
• show run | begin class-map

• show policy-map type inspect zone-pair sessions

• show class-map type inspect

• show zone security

• show zone-pair security

• show policy-map type inspect

ZPF Configuration Considerations

• No filtering is applied for intra-zone traffic.

• Only one zone is allowed per interface.

• No Classic Firewall and ZPF configuration on same interface.

• If only one zone member is assigned, all traffic is dropped.

• Only explicitly allowed traffic is forwarded between zones.

• Traffic to the self zone is not filtered.

Section 3.4: Summary
Chapter Objectives:
• Implement ACLs to filter traffic and mitigate network attacks on a network.

• Configure a classic firewall to mitigate network attacks.

• Implement ZPF using CLI.

Thank you.
Instructor Resources

• Remember, there are helpful tutorials and user guides available via your NetSpace home page (https://www.netacad.com).
• These resources cover a variety of topics including navigation, assessments, and assignments.
• A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.
