Add to collection(s) Add to saved
  1. No category
Uploaded by Alan Galeana Vega

Implementing Firewall Technologies

Chapter 4:
Implementing Firewall
Technologies
CCNA Security v2.0
4.0 Introduction
4.1 Access Control Lists
4.2 Firewall Technologies
4.3 Zone-Based Policy Firewalls
4.4 Summary
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
2
Upon completion of this section, you should be able to:
• Configure standard and extended IPv4 ACLs using CLI.
• Use ACLs to mitigate common network attacks.
• Configure IPv6 ACLs using CLI.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
3
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
4
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
5
Standard Numbered ACL Syntax
Extended Numbered ACL Syntax
Named ACL Syntax
Standard ACE Syntax
Extended ACE Syntax
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
6
Syntax - Apply an ACL
to an interface
Syntax - Apply an ACL
to the VTY lines
Example - Named Standard ACL
Example - Named Extended ACL
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
7
Syntax - Apply an ACL to the VTY lines
Example - Named ACL on VTY lines with logging
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
8
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
9
Existing access list has three entries
Access list has been edited, which adds a new ACE and replaces ACE line
20.
Updated access list has four entries
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
10
Existing access list has four entries
Access list has been edited, which adds a new ACE that permits a specific IP
address.
Updated access list places the new ACE before line 20
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
11
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
12
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
13
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
14
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
15
V.g. ICMP Redirect can
alter Routing tables
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
16
Filter SNMP requests from non
authorized sources.
Disable SNMP if not required on a
device
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
17
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
18
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
19
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
20
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
21
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
22
Upon completion of this section, you should be able to:
• Explain how firewalls are used to help secure networks.
• Describe the various types of firewalls.
• Configure a classic firewall.
• Explain design considerations for implementing firewall technologies.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
23
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
24
All firewalls:
•
Are resistant to attack
•
Are the only transit point
between networks
because all traffic flows
through the firewall
•
Enforce the access
control policy
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
25
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
27
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
28
They are stateless FWs
Similar to ACLs
Benefits:
Easy to implement
Low impact in network performance
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
29
Disadvantages:
Packet filters are susceptible to IP spoofing. Hackers can send arbitrary
packets that meet ACL criteria and pass through the filter.
Packet filters are stateless. They examine each packet individually rather
than in the context of the state of a connection.
Do not reliably filter fragmented packets. Because fragmented IP packets
carry the TCP header in the first fragment and packet filters filter on TCP
header information, all fragments after the first fragment are passed
unconditionally.
Filter rules ca grow in size, making the system to use complex ACLs,
difficult to implement and maintain.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
30
Stateful Firewalls
Monitors the state of
connections,
whether the
connection is in an
initiation, data
transfer, or
termination state
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
31
The firewall examines information in the headers of Layer 3 packets and Layer
4 segments.
For example, it looks at the TCP header for synchronize (SYN), reset (RST),
acknowledgment (ACK), finish (FIN), and other control codes to determine the
state of the connection.
State Tables
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
32
Each time a TCP or UDP connection
is established, a stateful firewall logs
the information in a state table for
that specific flow.
State Tables
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
33
Benefits:
• Defend against IP spoofing and DoS attacks by determining whether
packets belong to an existing connection or are from an unauthorized
source.
• Provide more log information than a packet filtering firewall.
Some disadvantages:
• It cannot prevent Application Layer attacks because they do not
examine the actual contents of, for example, an HTTP connection.
• Not all protocols are stateful. For example, UDP and ICMP do not
generate connection information for a state table
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
34
•
Granular identification, visibility, and control of behaviors within applications
•
Restricting web and web application use based on the reputation of the site
•
Proactive protection against Internet threats
•
Enforcement of policies based on the user, device, role, application type, and threat profile
•
Performance of NAT, VPN, and SPI
•
Use of an IPS
4.2.2.7 Activity - Identify the Type
of Firewall
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
35
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
36
Classic Firewall (formerly known as CBAC) provides:
• traffic filtering
• traffic inspection
• intrusion detection
It will be on the market for a
• generation of audits and alerts
while
Planned to be replaced by ZPF
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
37
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
38
1. Choose the internal and external
interfaces.
2. Configure ACLs for each interface.
3. Define inspection rules.
4. Apply an inspection rule to an
interface.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
39
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
40
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
41
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
42
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
43
By default, traffic between
interfaces in the same zone is
not subject to any policy and
passes freely.
All zone-to-zone traffic is
blocked. In order to permit
traffic between zones, a policy
allowing or inspecting traffic
must be configured.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
44
• Position firewalls at security boundaries.
• It is unwise to rely exclusively on a firewall for security.
• Deny all traffic by default. Permit only services that are needed.
• Ensure that physical access to the firewall is controlled.
• Monitor firewall logs.
• Practice change management for firewall configuration changes.
• Remember that firewalls primarily protect from technical attacks originating from the
outside.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
45
Upon completion of this section, you should be able to:
• Explain how Zone-Based Policy Firewalls are used to help secure a network.
• Explain the operation of a Zone-Based Policy Firewall.
• Configure a Zone-Based Policy Firewall with CLI.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
46
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
47
ZPF - Interfaces are assigned to
security zones, and firewall
policy is applied to traffic moving
between the zones.
• Not dependent on ACLs
• Router security posture
is to block unless
explicitly allowed
• Policies are easy to read
and troubleshoot with
C3PL
• One policy affects any
given traffic, instead of
needing multiple ACLs
and inspection actions
Cisco Common Classification
Policy Language
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
48
Common designs include:
LAN-to-Internet
Firewalls between
public servers
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
49
Redundant firewalls
Complex
firewalls
4.3.1.3 Activity - Compare Classic Firewall and
ZPF Operation
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
50
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
52
• Inspect - Configures Cisco IOS stateful packet inspections.
• Drop - Analogous to a deny statement in an ACL. A log option is available to log
the rejected packets.
• Pass - Analogous to a permit statement in an ACL. The pass action does not
track the state of connections or sessions within the traffic.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
53
• If neither interface is a zone member, then the resulting action
is to pass the traffic.
• If both interfaces are members of the same zone, then the
resulting action is to pass the traffic.
• If one interface is a zone member, but the other is not, then
the resulting action is to drop the traffic regardless of whether
a zone-pair exists.
• If both interfaces belong to the same zone-pair and a policy
exists, then the resulting action is inspect, allow, or drop as
defined by the policy.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
54
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
55
drop
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
56
The self zone is the router itself and includes all of the IP
addresses assigned to the router interfaces.
IP2
IP3
IP1
Self Zone
IP4
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
57
• Rules depend on whether the router is the
source or the destination of the traffic
• If the router is the Source OR the Destination,
then all traffic is permitted.
Router’s interfaces are somehow
“high priority”
• INSPECT only if Source AND Destination are a zone-pair and
a policy exists.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
58
4.3.2.4 Activity - Rules for Transit Traffic
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
59
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
60
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
61
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
62
Command Syntax for
class-map
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
63
Sub-Configuration
Command Syntax for
class-map
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
64
Example class-map Configuration
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
65
Command Syntax for
policy-map
Similar to the implicit deny any of
an ACL
there is an explicit drop at the end
of every policy−map
© 2013 Cisco and/or its affiliates. All rights reserved.
There is no track of the
connection
Cisco Public
66
Example policy-map
Configuration
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
67
Command Syntax for zonepair and service-policy
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
68
Example service-policy
Configuration
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
69
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
70
Verification commands:
• show run | begin class-map
• show policy-map type inspect zone-pair sessions
• show class-map type inspect
• show zone security
• show zone-pair security
• show policy-map type inspect
• No filtering is applied for intra-zone traffic
• Only one zone is allowed per interface.
• No Classic Firewall and ZPF configuration on same interface.
• If only one zone member is assigned, all traffic is dropped.
• Only explicitly allowed traffic is forwarded between zones.
• Traffic to the self zone is not filtered.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
71
Chapter Objectives:
• Implement ACLs to filter traffic and mitigate network attacks on a network.
• Configure a classic firewall to mitigate network attacks.
• Implement ZPF using CLI.
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
72
Thank you.
Related documents
1.1.1.2 Lab - How Connected are You
1.1.1.2 Lab - How Connected are You
Module Summary
Module Summary
10_2_1_2 Worksheet - Answer Security Policy Questions
10_2_1_2 Worksheet - Answer Security Policy Questions
Download