Scribd
Upload
182 views

CCNA Security 04

CCNA Security Chapter Four Implementing Firewall Technologies (c) 2009 Cisco Learning Institute. Lesson should include lecture, demonstrations, discussion and assessment. Successful participant will be able to: describe standard and extended ACLs. Describe the proper selection of ACL types for particular topologies.

Uploaded by

mcvaldebenito
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
182 views

CCNA Security 04

CCNA Security Chapter Four Implementing Firewall Technologies (c) 2009 Cisco Learning Institute. Lesson should include lecture, demonstrations, discussion and assessment. Successful participant will be able to: describe standard and extended ACLs. Describe the proper selection of ACL types for particular topologies.

Uploaded by

mcvaldebenito
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 121

CCNA Security

Chapter Four Implementing Firewall Technologies

2009 Cisco Learning Institute.

Lesson Planning
This lesson should take 3-6 hours to present The lesson should include lecture, demonstrations, discussion and assessment The lesson can be taught in person or using remote instruction

2009 Cisco Learning Institute.

Major Concepts
Implement ACLs Describe the purpose and operation of firewall technologies Implement CBAC Zone-based Policy Firewall using SDM and CLI

2009 Cisco Learning Institute.

Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe standard and extended ACLs 2. Describe applications of standard and extended ACLs 3. Describe the relationship between topology and flow for ACLs and describe the proper selection of ACL types for particular topologies (ACL design methodology) 4. Describe how to implement ACLs with SDM 5. Describe the usage and syntax for complex ACLs 6. Describe the usage and syntax for dynamic ACLs

7. Interpret the output of the show and debug commands used to verify and troubleshoot complex ACL implementations

2009 Cisco Learning Institute.

Lesson Objectives
8. 9. Describe how to mitigate common network attacks with ACLs Describe the purpose of firewalls and where they reside in a modern network

10. Describe the various types of firewalls 11. Describe design considerations for firewalls and the implications for the network security policy

12. Describe the role of CBAC in a modern network


13. Describe the underlying operation of CBAC 14. Describe the configuration of CBAC 15. Describe the verification and troubleshooting of CBAC

2009 Cisco Learning Institute.

Lesson Objectives
16. Describe the role of Zone-Based Policy Firewall in a modern network 17. Describe the underlying operation of Zone-Based Policy Firewall 18. Describe the implementation of Zone-Based Policy Firewall with CLI 19. Describe the implementation of Zone-Based Policy Firewall with manual SDM 20. Describe the implementation of Zone-Based Policy Firewall with the SDM Wizard 21. Describe the verification and troubleshooting of Zone-Based Policy Firewall

2009 Cisco Learning Institute.

Access Control Lists


Standard and Extended IP ACLs Applications of Standard and Extended IP ACLs Topology and Flow for Access Control Lists ACLs with Security Device Manager TCP Established and Reflexive ACLs Dynamic ACLs Time-Based ACLs Validating Complex ACL Implementations Mitigating Attacks with ACLs

2009 Cisco Learning Institute.

Standard and Extended IP ACLs


ACL Topology and Types Standard and Extended Numbered IP ACLs Named IP ACLs The log Parameter

ACL Configuration Guidelines

2009 Cisco Learning Institute.

ACL Topology and Types

2009 Cisco Learning Institute.

Standard Numbered IP ACLs


Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask] The first value specifies the ACL number The second value specifies whether to permit or deny the configured source IP address traffic The third value is the source IP address that must be matched The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range All ACLs assume an implicit deny statement at the end of the ACL6+ At least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface

2009 Cisco Learning Institute.

10

Extended Numbered IP ACLs


Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established]

The first value specifies the ACL number The second value specifies whether to permit or deny accordingly The third value indicates protocol type The source IP address and wildcard mask determine where traffic originates. The destination IP address and wildcard mask are used to indicate the final destination of the network traffic The command to apply the standard or extended numbered ACL:

Router(config-if)# ip access-group number {in | out}

2009 Cisco Learning Institute.

11

Named IP ACLs
Standard
Router(config)# ip access-list extended vachon1 Router(config-ext-nacl)# deny ip any 200.1.2.10 0.0.0.1 Router(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 80 Router(config-ext-nacl)# permit tcp any host 200.1.1.10 eq 25 Router(config-ext-nacl)# permit tcp any eq 25 host 200.1.1.10 any established Router(config-ext-nacl)# permit tcp any 200.1.2.0 0.0.0.255 established Router(config-ext-nacl)# permit udp any eq 53 200.1.2.0 0.0.0.255 Router(config-ext-nacl)# deny ip any any Router(config-ext-nacl)# interface ethernet 1 Router(config-if)# ip access-group vachon1 in Router(config-if)# exit

Extended

2009 Cisco Learning Institute.

12

The log Parameter


*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet *May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets

There are several pieces of information logged: The actionpermit or deny The protocolTCP, UDP, or ICMP The source and destination addresses For TCP and UDPthe source and destination port numbers For ICMPthe message types

2009 Cisco Learning Institute.

13

ACL Configuration Guidelines


ACLs are created globally and then applied to interfaces ACLs filter traffic going through the router, or traffic to and from the router, depending on how it is applied Only one ACL per interface, per protocol, per direction Standard or extended indicates the information that is used to filter packets

ACLs are process top-down. The most specific statements must go at the top of the list
All ACLs have an implicit deny all statement at the end, therefore every list must have at least one permit statement to allow any traffic to pass

2009 Cisco Learning Institute.

14

Applications of Standard and Extended IP ACLs


Applying Standard ACLs Applying Extended ACLs Other CLI Commands

2009 Cisco Learning Institute.

15

Applying Standard ACLs


Use a standard ACL to block all traffic from 172.16.4.0/24 network, but allow all other traffic.

r1

r1(config)# access-list 1 deny 172.16.4.0 0.0.0.255 r1(config)# access-list 1 permit any r1(config)# interface ethernet 0 r1(config-if)# ip access-group 1 out
2009 Cisco Learning Institute.

16

Applying Extended ACLs


Use an extended ACL to block all FTP traffic from 172.16.4.0/24 network, but allow all other traffic.

r1 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20 access-list 101 permit ip any any
2009 Cisco Learning Institute.

17

Other CLI Commands


To ensure that only traffic from a subnet is blocked and all other traffic is allowed: access-list 1 permit any To place an ACL on the inbound E1 interface: interface ethernet 1 ip access-group 101 in To check the intended effect of an ACL: show ip access-list
18

2009 Cisco Learning Institute.

Topology and Flow for Access Control Lists


How ACLs Work ACL Placement Using Nmap for Planning

2009 Cisco Learning Institute.

19

How ACLs Work

Click to view examples

Inbound ACL
2009 Cisco Learning Institute.

Outbound ACL
20

ACL Placement
Standard ACLs should be placed as close to the destination as possible. Standard ACLs filter packets based on the source address only. If placed too close to the source, it can deny all traffic, including valid traffic.

Extended ACLs should be placed on routers as close as possible to the source that is being filtered. If placed too far from the source being filtered, there is inefficient use of network resources.
2009 Cisco Learning Institute.

21

Using Nmap for Planning


PC-A$ nmap --system-dns 192.168.20.0/24 Interesting ports on webserver.branch1.com (192.168.20.2): (The 1669 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 110 open pop3

R2
Serial 0/0/0

F0/1

R1
F0/0

R3

192.168.20.2/24

PC A
2009 Cisco Learning Institute.

POP3 Server

22

ACLs with Security Device Manager


Using SDM Access Rules Configuring Standard Rules Using SDM Applying a Rule to an Interface

Viewing Commands

2009 Cisco Learning Institute.

23

Using SDM

Choose the Configure option for configuring ACLs

2009 Cisco Learning Institute.

24

Access Rules
Choose Configure > Additional Tasks > ACL Editor

Rule types: Access Rules NAT Rules Ipsec Rules NAC Rules Firewall Rules QoS Rules Unsupported Rules Externally Defined Rules Cisco SDM Default Rules
2009 Cisco Learning Institute.

25

Configuring Standard Rules Using SDM


1. Choose Configure > Additional Tasks > ACL Editor > Access Rules 2. Click Add 3. Enter a name or number 4. Choose Standard Rule Optionally, enter a description 5. Click Add 6. Choose Permit or Deny 7. Choose an address type

8. Complete this field based on the choice made in #7 9. Enter an optional description

10. Optional checkbox


11. Click OK 12. Continue adding or editing rules
2009 Cisco Learning Institute.

26

Applying a Rule to an Interface

2. Choose the interface

3. Choose a direction

4. An information box with options appears if a rule is already associated with that interface, that direction. 1. Click Associate
2009 Cisco Learning Institute.

27

Viewing Commands
R1# show running-config <output omitted> ! hostname R1 <output omitted> enable secret 5 $1$MJD8$.1LWYcJ6iUi133Yg7vGHG/ <output omitted> crypto pki trustpoint TP-self-signed1789018390 enrollment selfsigned subject-name cn=IOS-Self-SignedCertificate-1789018390 revocation-check none rsakeypair TP-self-signed-1789018390 ! crypto pki certificate chain TP-selfsigned-1789018390 certificate self-signed 01 3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 <output omitted> 1BF29620 A084B701 5B92483D D934BE31 ECB7AB56 8FFDEA93 E2061F33 8356 quit interface FastEthernet0/1 ip address 192.168.1.1 255.255.255.0 ip access-group Outbound in <output omitted> ! interface Serial0/0/0 ip address 10.1.1.1 255.255.255.252 clock rate 128000 ! <output omitted> no ip http server ip http secure-server ! ip access-list standard Outbound remark SDM_ACL Category=1 permit 192.168.1.3 ! access-list 100 remark SDM_ACL Category=16 access-list 100 deny tcp any host 192.168.1.3 eq telnet log access-list 100 permit ip any any ! <output omitted> !

2009 Cisco Learning Institute.

28

TCP Established and Reflexive ACLs


Types of ACLs Syntax for TCP Established Example with TCP Established Reflexive ACLs

Configuring a Router to Use Reflexive ACLs

2009 Cisco Learning Institute.

29

Types of ACLs
Standard IP ACLs Extended IP ACLs

Extended IP ACLs using TCP established


Reflexive IP ACLs Dynamic ACLs Time-Based ACLs Context-based Access Control (CBAC) ACLs

2009 Cisco Learning Institute.

30

Syntax for TCP Established


Router(config)# {permit | deny} [operator port] [operator port] access-list access-list-number protocol source source-wildcard destination destination-wildcard [established]

The established keyword: Forces a check by the routers to see if the ACK, FIN, PSH, RST, SYN or URG TCP control flags are set. If flag is set, the TCP traffic is allowed in. Does not implement a stateful firewall on a router Hackers can take advantage of the open hole Option does not apply to UDP or ICMP traffic
2009 Cisco Learning Institute.

31

Example Using TCP Established


access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established access-list 100 permit tcp any 192.168.1.3 eq 22 access-list 100 deny ip any any interface s0/0/0ip access-group 100 in

Serial0/0/0

R 2

Serial0/0/1

Serial 0/0/0

Serial0/0/1

R 1 F0/1

R 3

F0/1

R 1 PC A
192.168.1.3/24

PC C

2009 Cisco Learning Institute.

32

Reflexive ACLs
Provide a truer form of session filtering Much harder to spoof
Serial0/0/0

R 2

Serial0/0/1

Serial 0/0/0

Serial0/0/1

Allow an administrator to perform actual session filtering for any type of IP traffic Work by using temporary access control entries (ACEs)

R 1 F0/1

F0/1

R 3

R 1 PC A
192.168.1.3/24

PC C

2009 Cisco Learning Institute.

33

Configuring a Router to Use Reflexive ACLs


1. Create an internal ACL that looks for new outbound sessions and creates temporary reflexive ACEs Create an external ACL that uses the reflexive ACLs to examine return traffic Activate the named ACLs on the appropriate interfaces

Serial0/ 0/0

R Internet 2

Serial0/0/1

2.

Serial 0/0/0

3.
R 1

PC A
2009 Cisco Learning Institute.

34

Dynamic ACLs
Overview Creating a Dynamic ACL Setting up a Dynamic ACL CLI Commands

2009 Cisco Learning Institute.

35

Dynamic ACL Overview


Available for IP traffic only Dependent on Telnet connectivity, authentication, and extended ACLs Security benefits include:
- Use of a challenge mechanism to authenticate users - Simplified management in large internetworks - Reduction of the amount of router processing that is required for ACLs - Reduction of the opportunity for network break-ins by network hackers - Creation of dynamic user access through a firewall without compromising other configured security restrictions

2009 Cisco Learning Institute.

36

Implementing a Dynamic ACL


The router authenticates the connection Dynamic ACL entry added that grants user access Remote user opens a Telnet or SSH connection to the router. The router prompts the user for a username and password

User can access the internal resources

2009 Cisco Learning Institute.

37

Setting up a Dynamic ACL

Router(config)# access-list ACL_# dynamic dynamic_ACL_name [timeout minutes] {deny | permit} IP_protocol source_IP_address src_wildcard_mask destination_IP_address dst_wildcard_mask [established] [log]
38

2009 Cisco Learning Institute.

CLI Commands

2009 Cisco Learning Institute.

39

Time-based ACLs
Overview CLI Commands Example Configuration

2009 Cisco Learning Institute.

40

Overview

2009 Cisco Learning Institute.

41

CLI Commands

2009 Cisco Learning Institute.

42

Example Configuration
Perimeter(config)# time-range employee-time Perimeter(config-time)# periodic weekdays 12:00 to 13:00 Perimeter(config-time)# periodic weekdays 17:00 to 19:00 Perimeter(config-time)# exit Perimeter(config)# access-list 100 permit tcp any host 200.1.1.11 eq 25 Perimeter(config)# access-list 100 permit tcp any eq 25 host 200.1.1.11 established Perimeter(config)# access-list 100 permit udp any host 200.1.1.12 eq 53 Perimeter(config)# access-list 100 permit udp any eq 53 host 200.1.1.12 Perimeter(config)# access-list 100 permit tcp any 200.1.1.0 0.0.0.255 established time-range employeetime Perimeter(config)# access-list 100 deny ip any any Perimeter(config)# interface ethernet 1 Perimeter(config-if)# ip access-group 100 in Perimeter(config-if)# exit Perimeter(config)# access-list 101 permit tcp host 200.1.1.11 eq 25 any Perimeter(config)# access-list 101 permit tcp host 200.1.1.11 any eq 25 Perimeter(config)# access-list 101 permit udp host 200.1.1.12 eq 53 any Perimeter(config)# access-list 101 permit udp host 200.1.1.12 any eq 53 Perimeter(config)# access-list 101 permit tcp 200.1.1.0 0.0.0.255 any time-range employee-time Perimeter(config)# access-list 100 deny ip any any Perimeter(config)# interface ethernet 1 Perimeter(config-if)# ip access-group 101 out
43

R2 Internet

Serial0/0/1

Serial 0/0/0

10.1.1.1

R1
192.168.1.0/24

I cant surf the web at 10:00 A.M. because of the timebased ACL!

2009 Cisco Learning Institute.

Validating Complex ACL Implementations


Verifying ACL Configuration Confirmation Troubleshooting

2009 Cisco Learning Institute.

44

Verifying ACL Configuration

Serial0/0/0

R 2

Serial0/0/1

The ACLs are implemented. Now it is time to verify that they are working properly.

Serial0/0/1 Serial 0/0/0

R 1 F0/1

R 3

F0/1

R 1

Router# show access-lists [access-list-number | access-list-name]

PC C

2009 Cisco Learning Institute.

45

Confirmation

Perimeter# show access-list 100 Extended IP access list 100 permit tcp any host 200.1.1.14 eq www permit tcp any host 200.1.1.12 eq smtp permit tcp any eq smtp host 200.1.1.12 established permit tcp any host 200.1.1.11 eq ftp permit tcp any host 200.1.1.11 eq ftp-data permit tcp any eq www 200.1.2.0 0.0.0.255 established permit udp any eq domain 200.1.2.0 0.0.0.255 deny ip any any (1237 matches)
2009 Cisco Learning Institute.

(189 matches)

permit udp any host 200.1.1.13 eq domain (32 matches)

46

Troubleshooting

Perimeter# debug ip packet IP packet debugging is on IP: IP: IP: IP: IP: IP: IP: IP: IP: s=172.69.13.44 (Serial0/0), d=10.125.254.1 (Serial0/1), g=172.69.16.2, forward s=200.0.2.2 (Ethernet0), d=10.36.125.2 (Serial0/1), g=172.69.16.2, forward s=200.0.2.6 (Ethernet0), d=255.255.255.255, rcvd 2 s=200.0.2.55 (Ethernet0), d=172.69.2.42 (Serial0/0), g=172.69.13.6, forward s=200.0.2.33 (Ethernet0), d=10.130.2.156 (Serial0/1), g=172.69.16.2, forward s=200.0.2.27 (Ethernet0), d=172.69.43.126 (Serial0/0), g=172.69.23.5, forward s=200.0.2.27 (Ethernet0), d=172.69.43.126 (Serial0/0), g=172.69.13.6, forward s=200.5.5.5 (Ethernet1), d=255.255.255.255, rcvd 2 s=200.0.2.2 (Ethernet0), d=10.36.125.2 (Serial0/1), g=172.69.16.2, access denied

2009 Cisco Learning Institute.

47

Mitigating Attacks with ACLs


Attacks Mitigated CLI Commands Allowing Command Services Controlling ICMP Messages

2009 Cisco Learning Institute.

48

Attacks Mitigated
ACLs can be used to: Mitigate IP address spoofinginbound

Mitigate IP address spoofingoutbound


Mitigate Denial of service (DoS) TCP synchronizes (SYN) attacks blocking external attacks Mitigate DoS TCP SYN attacksusing TCP intercept Mitigate DoS smurf attacks Filter Internet Control Message Protocol (ICMP) messagesinbound Filter ICMP messagesoutbound
R2

Filter traceroute

2009 Cisco Learning Institute.

49

CLI Commands
Inbound
R1(config)#access-list R1(config)#access-list R1(config)#access-list R1(config)#access-list R1(config)#access-list R1(config)#access-list R1(config)#access-list 150 150 150 150 150 150 150 deny deny deny deny deny deny deny ip ip ip ip ip ip ip 0.0.0.0 0.255.255.255 any 10.0.0.0 0.255.255.255 any 127.0.0.0 0.255.255.255 any 172.16.0.0 0.15.255.255 any 192.168.0.0 0.0.255.255 any 224.0.0.0 15.255.255.255 any host 255.255.255.255 any

Outbound
R1(config)#access-list 105 permit ip 192.168.1.0 0.0.0.255 any

2009 Cisco Learning Institute.

50

Allowing Common Services


Internet

Serial 0/0/0
200.5.5.5/24

F0/1

R1

F0/0

DNS, SMTP, FTP R1 PC A


192.168.20.2/24

R1(config)#access-list 122 permit udp any host 192.168.20.2 eq domain R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq smtp R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq ftp
R1(config)#access-list R1(config)#access-list R1(config)#access-list R1(config)#access-list
2009 Cisco Learning Institute.

180 180 180 180

permit permit permit permit

tcp tcp udp udp

host host host host

200.5.5.5 200.5.5.5 200.5.5.5 200.5.5.5

host host host host

10.0.1.1 10.0.1.1 10.0.1.1 10.0.1.1

eq eq eq eq

telnet 22 syslog snmptrap


51

Controlling ICMP Messages


Internet

Serial 0/0/0
200.5.5.5/24

F0/1

R1

F0/0
192.168.20.2/24

Inbound on S0/0/0

R1 112 112 112 112

PC A permit icmp any any echo-reply permit icmp any any source-quench permit icmp any any unreachable deny icmp any any

R1(config)#access-list R1(config)#access-list R1(config)#access-list R1(config)#access-list

Outbound on S0/0/0
R1(config)#access-list R1(config)#access-list R1(config)#access-list R1(config)#access-list
2009 Cisco Learning Institute.

114 114 114 114

permit permit permit permit

icmp icmp icmp icmp

192.168.1.0 192.168.1.0 192.168.1.0 192.168.1.0

0.0.0.255 0.0.0.255 0.0.0.255 0.0.0.255

any any any any

echo parameter-problem packet-too-big source-quench


52

Firewall Technologies
Role of Firewalls in Securing Networks

Types of Firewalls
Firewalls in Network Design

2009 Cisco Learning Institute.

53

Role of Firewalls in Securing Networks


Overview Benefits

2009 Cisco Learning Institute.

54

Overview
A firewall is a system that enforces an access control policy between network

Common properties of firewalls:


- The firewall is resistant to attacks - The firewall is the only transit point between networks - The firewall enforces the access control policy

2009 Cisco Learning Institute.

55

Benefits of Firewalls
Prevents exposing sensitive hosts and applications to untrusted users Firewalls prevent malicious data from being sent to servers and clients.

Prevent the exploitation of protocol flaws by sanitizing the protocol flow

Properly configured firewalls make security policy enforcement simple, scalable, and robust.
A firewall reduces the complexity of security management by offloading most of the network access control to a couple of points in the network.

2009 Cisco Learning Institute.

56

Types of Firewalls
Filtering Firewalls Packet Filtering Firewall Stateful Firewall Cisco Systems Firewall Solutions

2009 Cisco Learning Institute.

57

Types of Filtering Firewalls


Packet-filtering firewallis typically a router that has) the capability to filter on some of the contents of packets (examines Layer 3 and sometimes Layer 4 information)

Stateful firewallkeeps track of the state of a connection: whether the connection is in an initiation, data transfer, or termination state
Application gateway firewall (proxy firewall) filters information at Layers 3, 4, 5, and 7. Firewall control and filtering done in software.

Address-translation firewallexpands the number of IP addresses available and hides network addressing design.

2009 Cisco Learning Institute.

58

Types of Filtering Firewalls


Host-based (server and personal) firewalla PC or server with firewall software running on it. Transparent firewallfilters IP traffic between a pair of bridged interfaces. Hybrid firewallssome combination of the above firewalls. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.

2009 Cisco Learning Institute.

59

Packet-Filtering Firewall Advantages


Are based on simple permit or deny rule set Have a low impact on network performance Are easy to implement Are supported by most routers Afford an initial degree of security at a low network layer Perform 90% of what higher-end firewalls do, at a much lower cost

2009 Cisco Learning Institute.

60

Packet-Filtering Firewall Disadvantages


Packet filtering is susceptible to IP spoofing. Hackers send arbitrary packets that fit ACL criteria and pass through the filter. Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, all fragments after the first fragment are passed unconditionally. Complex ACLs are difficult to implement and maintain correctly. Packet filters cannot dynamically filter certain services. Packet filters are stateless.
2009 Cisco Learning Institute.

61

Stateful Firewall

10.1.1.1

200.3.3.3

source port 1500

destination port 80

Inside ACL (Outgoing Traffic)

Outside ACL (Incoming Traffic)


Dynamic: permit tcp host 200.3.3.3 eq 80 host 10.1.1.1 eq 1500 permit tcp any host 10.1.1.2 eq 25 permit udp any host 10.1.1.2 eq 53 deny ip any any

permit ip 10.0.0.0 0.0.0.255 any

2009 Cisco Learning Institute.

62

Stateful Firewalls Advantages/Disadvantages


Often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic. Strengthens packet filtering by providing more stringent control over security than packet filtering Improves performance over packet filters or proxy servers. Defends against spoofing and DoS attacks Allows for more log information than a packet filtering firewall Cannot prevent application layer attacks because it does not examine the actual contents of the HTTP connection Not all protocols are stateful, such UDP and ICMP Some applications open multiple connections requiring a whole new range of ports opened to allow this second connection Stateful firewalls do not support user authentication

Disadvantages

Advantages

2009 Cisco Learning Institute.

63

Cisco Systems Firewall Solutions


IOS Firewall
Zone-based policy framework for intuitive management Instant messenger and peer-to-peer application filtering VoIP protocol firewalling Virtual routing and forwarding (VRF) firewalling Wireless integration

Stateful failover
Local URL whitelist and blacklist support Application inspection for web and e-mail traffic

PIX 500 Series ASA 5500 Series


2009 Cisco Learning Institute.

64

Firewalls in Network Design


DMZ Scenario Layered Defense Scenario Firewall Best Practices Design Example

2009 Cisco Learning Institute.

65

Design with DMZ

Private-DMZ Policy DMZ-Private Policy

DMZ
Public-DMZ Policy

Trusted
Private-Public Policy

Internet

Untrusted

2009 Cisco Learning Institute.

66

Layered Defense Scenario


Endpoint security: Provides identity and device security policy compliance

Communications security: Provides information assurance

Perimeter security: Secures boundaries between zones

Network Core

Core network security: Protects against malicious software and traffic anomalies, enforces network policies, and ensures survivability Disaster recovery: Offsite storage and redundant architecture
2009 Cisco Learning Institute.

67

Firewall Best Practices


Position firewalls at security boundaries. Firewalls are the primary security device. It is unwise to rely exclusively on a firewall for security. Deny all traffic by default. Permit only services that are needed. Ensure that physical access to the firewall is controlled. Regularly monitor firewall logs. Practice change management for firewall configuration changes.

Remember that firewalls primarily protect from technical attacks originating from the outside.
2009 Cisco Learning Institute.

68

Design Example
Internet R
2 Cisco Router with IOS Firewall

Cisco Router with IOS Firewall

Serial 0/0/0

Serial0/0/1 F0/ 0 F0/ 0

F0/ 1
F0/ 5
F0/6

R 1

R 3 F0/
1 F0/ 5

S 1

F0/1 F0/1

S 3 S
F0/1 2 8

F0/1 8

PC A (RADIUS/TACA CS+)
2009 Cisco Learning Institute.

PC C

69

Context-Based Access Control


Introduction to CBAC

CBAC Operation
Configuration of CBAC Verification and Troubleshooting CBAC

2009 Cisco Learning Institute.

70

Introduction to CBAC
Overview CBAC Capabilities

2009 Cisco Learning Institute.

71

Overview

Provides four main functions: Filters TCP and UDP packets based on application layer protocol session information
- Traffic Filtering - Traffic Inspection - Intrusion Detection - Generation of Audits and Alerts
72

Provides stateful application layer filtering

2009 Cisco Learning Institute.

CBAC Capabilities
Monitors TCP Connection Setup

Examines TCP Sequence Numbers


Inspects DNS Queries and Replies Inspects Common ICMP Message Types Supports Applications with Multiple Channels, such as FTP and Multimedia Inspects Embedded Addresses Inspects Application Layer Information

2009 Cisco Learning Institute.

73

CBAC Operation
Overview Step-by-Step CBAC TCP and UDP Handling CBAC Example

2009 Cisco Learning Institute.

74

Overview

2009 Cisco Learning Institute.

75

Step-by-Step

1. Examines the fa0/0 inbound ACL to determine if telnet requests are permitted to leave the network.
Request Telnet 209.x.x.x
Fa0/0 S0/0/0

2. IOS compares packet type to inspection rules to determine if Telent should be tracked.

3. Adds information to the state type to track the Telnet session.

4. Adds a dynamic entry to the inbound ACL on s0/0/0 to allow reply packets back into the internal network.

5. Once the session is terminated by the client, the router will remove the state entry and dynamic ACL entry.

2009 Cisco Learning Institute.

76

CBAC TCP Handling

2009 Cisco Learning Institute.

77

CBAC UDP Handling

2009 Cisco Learning Institute.

78

CBAC Example

2009 Cisco Learning Institute.

79

Configuration of CBAC
Four Steps to Configure Step 1: Pick an Interface Step 2: Configure IP ACLs at the Interface Step 3: Define Inspection Rules

Step 4: Apply an Inspection Rule to an Interface

2009 Cisco Learning Institute.

80

Step 1: Pick an Interface

Two-Interface

Three-Interface

2009 Cisco Learning Institute.

81

Step 2: Configure IP ACLs at the Interface

2009 Cisco Learning Institute.

82

Step 3: Define Inspection Rules


Router(config)#
ip inspect name inspection_name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

2009 Cisco Learning Institute.

83

Step 4: Apply an Inspection Rule to an Interface

2009 Cisco Learning Institute.

84

Verification and Troubleshooting of CBAC


Alerts and Audits show ip inspect Parameters debug ip inspect Parameters

2009 Cisco Learning Institute.

85

Alerts and Audits

*note: Alerts are enabled by default and automatically display on the console line of the router. If alerts have been disabled using the ip inspect alert-off command, the no form of that command, as seen above, is required to re-enable alerts.

2009 Cisco Learning Institute.

86

show ip inspect Parameters

2009 Cisco Learning Institute.

87

debug ip inspect Parameters

2009 Cisco Learning Institute.

88

Zone-Based Policy Firewall


Introduction

Operation
Implementing with CLI Manually Implementing with SDM Implementing with SDM Wizard Verification and Troubleshooting

2009 Cisco Learning Institute.

89

Introduction to Zone-Based Policy Firewall


Topology Benefits The Design Process Common Designs

2009 Cisco Learning Institute.

90

Topology Example

Each zone holds only one interface.

If an additional interface is added to the private zone, the hosts connected to the new interface in the private zone can pass traffic to all hosts on the existing interface in the same zone. Additionally, hosts connected to the new interface in the private zone must adhere to all existing private policies related to that zone when passing traffic to other zones.
2009 Cisco Learning Institute.

91

Benefits
Two Zones

Zone-based policy firewall is not dependent on ACLs The router security posture is now block unless explicitly allowed C3PL makes policies easy to read and troubleshoot One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

2009 Cisco Learning Institute.

92

The Design Process


1. Internetworking infrastructure under consideration is split into welldocumented separate zones with various security levels 2. For each pair of source-destination zones, the sessions that clients in source zones are allowed to open to servers in destination zones are defined. For traffic that is not based on the concept of sessions (for example, IPsec Encapsulating Security Payload [ESP]), the administrator must define unidirectional traffic flows from source to destination and vice versa. 3. The administrator must design the physical infrastructure. 4. For each firewall device in the design, the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones, resulting in a device-specific interzone policy.

2009 Cisco Learning Institute.

93

Common Designs
LAN-to-Internet Public Servers

Redundant Firewalls

Complex Firewall

2009 Cisco Learning Institute.

94

Zones Simplify Complex Firewall

2009 Cisco Learning Institute.

95

Operation of Zone-Based Policy Firewall


Actions Rules for Application Traffic Rules for Router Traffic

2009 Cisco Learning Institute.

96

Actions

Inspect This action configures Cisco IOS stateful packet inspection

Drop This action is analogous to deny in an ACL

Pass This action is analogous to permit in an ACL

2009 Cisco Learning Institute.

97

Rules for Application Traffic


Source interface member of zone? NO YES (zone 1) YES NO YES (zone 1) YES (zone 1) YES (zone 1) Destination interface member of zone? NO YES (zone 1) NO YES YES (zone 2) YES (zone 2) YES (zone 2) Zone-pair exists? Policy exists? RESULT

N/A N/A* N/A N/A NO YES YES

N/A N/A N/A N/A N/A NO YES

No impact of zoning/policy No policy lookup (PASS) DROP DROP DROP DROP policy actions

*zone-pair must have different zone as source and destination


2009 Cisco Learning Institute.

98

Rules for Router Traffic


Source interface member of zone? ROUTER ROUTER ROUTER YES YES YES Destination interface member of zone? YES YES YES ROUTER ROUTER ROUTER Zonepair exists? NO YES YES NO YES YES Policy exists? NO YES NO YES

RESULT

PASS PASS policy actions PASS PASS policy actions

2009 Cisco Learning Institute.

99

Implementing Zone-based Policy Firewall with CLI


1. Create the zones for the firewall 2. Define traffic classes with the class-map type inspect with the zone security command command

3. Specify firewall policies with the policy-map type inspect command

4. Apply firewall policies to pairs of source and destination zones with zone-pair security

5. Assign router interfaces to zones using the zone-member security interface command
2009 Cisco Learning Institute.

100

Step 1: Create the Zones

FW(config)# zone security Inside FW(config-sec-zone)# description Inside network FW(config)# zone security Outside FW(config-sec-zone)# description Outside network

2009 Cisco Learning Institute.

101

Step 2: Define Traffic Classes

FW(config)# class-map type inspect FOREXAMPLE FW(config-cmap)# match access-group 101 FW(config-cmap)# match protocol tcp FW(config-cmap)# match protocol udp FW(config-cmap)# match protocol icmp FW(config-cmap)# exit FW(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
2009 Cisco Learning Institute.

102

Step 3: Define Firewall Policies

FW(config)# policy-map type inspect InsideToOutside FW(config-pmap)# class type inspect FOREXAMPLE FW(config-pmap-c)# inspect

2009 Cisco Learning Institute.

103

Step 4: Assign Policy Maps to Zone Pairs and Assign Router Interfaces to Zones

FW(config)# zone-pair security InsideToOutside source Inside destination Outside FW(config-sec-zone-pair)# description Internet Access FW(config-sec-zone-pair)# service-policy type inspect InsideToOutside FW(config-sec-zone-pair)# interface F0/0 FW(config-if)# zone-member security Inside FW(config-if)# interface S0/0/0.100 point-to-point FW(config-if)# zone-member security Outside

2009 Cisco Learning Institute.

104

Final ZPF Configuration


policy-map type inspect InsideToOutside class class-default inspect ! zone security Inside description Inside network zone security Outside description Outside network zone-pair security InsideToOutside source Inside destination Outside service-policy type inspect InsideToOutside ! interface FastEthernet0/0 zone-member security Inside ! interface Serial0/0/0.100 point-to-point zone-member security Outside
2009 Cisco Learning Institute.

105

Manually Implementing Zone-based Policy Firewall with SDM


Step 1: Define zones Step 2: Configure class maps to describe traffic between zones Step 3: Create policy maps to apply actions to the traffic of the class maps Step 4: Define zone pairs and assign policy maps to the zone pairs

2009 Cisco Learning Institute.

106

Define Zones
1. Choose Configure > Additional Tasks > Zones

2. Click Add

3. Enter a zone name

4. Choose the interfaces for this zone

5. Click OK to create the zone and click OK at the Commands Delivery Status window
2009 Cisco Learning Institute.

107

Configure Class Maps


1. Choose Configure > Additional Tasks > C3PL > Class Map > Inspections

2. Review, create, and edit class maps. To edit a class map, choose the class map from the list and click Edit
2009 Cisco Learning Institute.

108

Create Policy Maps


1. Choose Configure > Additional Tasks > C3PL > Policy Map > Protocol Inspection

2. Click Add
3. Enter a policy name and description 4. Click Add to add a new class map 6. Choose Pass, Drop, or Inspect 5. Enter the name of the class map to apply. Click the down arrow for a pop-up menu, if name unknown

7. Click OK

8. To add another class map, click Add, to modify/delete the actions of a class map, choose the class map and click Edit/Delete 9. Click OK. At the Command Delivery Status window, click OK
2009 Cisco Learning Institute.

109

Define Zone Pairs


1. Choose Configure > Additional Tasks > Zone Pairs 2. Click Add

3. Enter a name for the zone pair. Choose a source zone, a destination zone and a policy

4. Click OK and click OK in the Command Delivery Status window

2009 Cisco Learning Institute.

110

Implementing Zone-based Policy Firewall with SDM Wizard


Accessing the Basic Firewall Configuration Configuring a Firewall Basic Firewall Configuration Summary Firewall Configuration Summary

2009 Cisco Learning Institute.

111

Accessing the Basic Firewall Configuration


1. Choose Configuration > Firewall and ACL

2. Click the Basic Firewall option and click Launch the Selected Task button

3. Click Next to begin configuration

2009 Cisco Learning Institute.

112

Configuring a Firewall

1. Check the outside (untrusted) check box and the inside (trusted) check box to identify each interface
2. (Optional) Check box if the intent is to allow users outside of the firewall to be able to access the router using SDM. After clicking Next, a screen displays that allows the admin to specify a host IP address or network address 3. Click Next. If the Allow Secure SDM Access check box is checked, the Configuring Firewall for Remote Access window appears 4. From the Configuring Firewall choose Network address, Host Ip address or any from the Type drop-down list
2009 Cisco Learning Institute.

113

Basic Firewall Security Configuration

2. Click the Preview Commands Button to view the IOS commands 1. Select the security level

2009 Cisco Learning Institute.

114

Firewall Configuration Summary

Click Finish

2009 Cisco Learning Institute.

115

Verification and Troubleshooting of Zone-based Policy Firewall


Reviewing Policy CLI Generated Output Firewall Status Information Active Connection

2009 Cisco Learning Institute.

116

Reviewing Policy
1. Choose Configure > Firewall and ACL

2. Click Edit Firewall Policy tab

2009 Cisco Learning Institute.

117

CLI Generated Output


class-map type inspect match-any iinsprotocols match protocol http match protocol smtp match protocol ftp ! Apply action (inspect = policy-map type inspect iinspolicy stateful inspection) class type inspect iinsprotocols inspect ! zone security private Zones created zone security internet ! interface fastethernet 0/0 Interfaces assigned to zone-member security private zones ! interface serial 0/0/0 zone-member security internet ! zone-pair security priv-to-internet source private destination internet service-policy type inspect iinspolicy Inspection applied ! from private to public zones List of services defined in the firewall policy

2009 Cisco Learning Institute.

118

Firewall Status Information


1. Choose Monitor > Firewall Status

2. Choose one of the following options: Real-time data every 10 sec 60 minutes of data polled every 1 minute 12 hours of data polled every 12 minutes

2009 Cisco Learning Institute.

119

Display Active Connection

Router# show policy-map type inspect zone-pair session

Shows zone-based policy firewall session statistics

2009 Cisco Learning Institute.

120

2009 Cisco Learning Institute.

121

You might also like