CCNA Security 1.1 Instructional Resource
Chapter 4 – Implementing Firewall Technologies
© 2012 Cisco and/or its affiliates. All rights reserved.

• Describe numbered, named, standard and extended IP ACLs.
• Configure IP ACLs with IOS CLI and CCP.
• Describe and configure TCP established ACL functionality.
• Describe and configure reflexive, dynamic, and time-based ACLs.
• Describe attack mitigation with ACLs.
• Describe the major types of firewalls.
• Describe and configure CBAC (IOS Stateful Packet Inspection) with CLI.
• Describe and configure Zone-Based Policy Firewall with CLI and CCP.

4.0 Mitigating threats using IOS ACLs
4.1 Describe standard, extended, and named IP IOS ACLs to filter.
  4.1.1 IPv4 ACLs
  4.1.2 IPv6 ACLs
  4.1.3 ACL object groups
4.2 Describe considerations when building ACLs.
  4.2.1 Sequencing of ACEs
  4.2.2 Modification of ACEs
4.3 Implement IP ACLs to mitigate threats in a network.
  4.3.1 Filter IP traffic
  4.3.2 SNMP
  4.3.3 DDoS attacks
  4.3.4 CLI
  4.3.5 CCP
  4.3.6 IP ACLs to prevent IP spoofing

7.0 Implementing Cisco Firewall Technologies
7.1 Describe operational strengths and weaknesses of the different firewall technologies
  7.1.1 Proxy firewalls
  7.1.2 Packet and stateful packet
  7.1.3 Application firewall
  7.1.4 Personal firewall
7.2 Describe stateful firewalls
  7.2.1 Operations
  7.2.2 Function of the state table
7.4 Implement Zone Based Firewall using CCP
  7.4.1 Zone to zone
  7.4.2 Self zone

• Access control lists (ACLs) are used throughout the network to identify traffic.
• ACLs contain one or more access control entries (ACEs). Each entry is designed to permit or deny traffic based on a variety of parameters including IP address of source or destination, upper layer protocol or other information.
• ACLs evaluate packets from the top down, one ACE at a time.
If a packet header and an ACE match, the remaining ACEs are skipped, and the packet is permitted or denied as determined by the matched statement. If a packet header does not match an ACE, the packet is tested against the next ACE in the list. This matching process continues until the end of the list is reached. Remember that every ACL has an implied “deny any” ACE as the last statement, so an ACL that contains only deny statements blocks all traffic, and at least one permit is needed for anything to pass.

• ACLs can be used to provide a basic layer of protection for your network.
• ACLs do not act on packets that originate from the router itself, but rather on traffic that traverses the router either inbound or outbound with respect to an interface.
• There are several types of ACLs, including standard, extended, numbered and named. ACLs can be configured via CLI or CCP.
• With Cisco IOS Software Release 12.3, IP access list entry sequence numbering was introduced for both numbered and named ACLs. IP access list entry sequence numbering provides the following benefits:
  – You can edit the order of ACL statements.
  – You can remove individual statements from an ACL.
  – You can use the sequence number to insert new statements into the middle of the ACL.

• All modern networks use some type of firewall to protect internal users and resources from attack.
• There are many types of firewalls and firewall implementations, but the stateful firewall is the most common and versatile. Stateful firewalls track each connection traversing all interfaces of the firewall and confirm that it is valid.
• A stateful firewall can be implemented in software or can be contained in a stand-alone device.
• In 2006, Cisco Systems introduced the zone-based policy firewall configuration model with Cisco IOS Release 12.4(6)T. With this new model, interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones.
This model allows for structure and ease of use.
• A zone-based policy firewall can be configured via CLI or CCP.

• Chapter 4 Lab A: Configuring CBAC and Zone-Based Firewalls
  – Part 1: Basic Router Configuration
  – Part 2: Configuring a Context-Based Access Control (CBAC) Firewall
  – Part 3: Configuring a Zone-Based Policy Firewall

ACL: access control list
ACE: access control entry
standard ACL: ACLs numbered 1-99 or 1300-1999 are standard IPv4 ACLs. Standard ACLs match packets by examining the source IP address field in the IP header of that packet. These ACLs are used to filter packets based solely on Layer 3 source information.
extended ACL: Extended ACLs match packets based on Layer 3 and Layer 4 source and destination information. ACLs numbered 100-199 or 2000-2699 are extended ACLs.
named ACL: Starting with IOS 11.2, Cisco allowed you to use names to reference your ACLs instead of, or in combination with, numbered ACLs. Named ACLs can be standard or extended.
reflexive ACL: Reflexive ACLs were introduced to the IOS in 1996. These ACLs filter traffic based on source and destination addresses and port numbers, and keep track of sessions. Reflexive ACL session filtering uses temporary filters which are removed when a session is over.
dynamic ACL: Dynamic ACLs, also known as lock-and-key ACLs, are available for IP traffic only. Dynamic ACLs are dependent on Telnet connectivity, authentication (local or remote), and extended ACLs.
time-based ACL: Time-based ACLs enable traffic to be restricted based on the time of day, the day of the week, or the day of the month.
sequence number: Sequence numbers are used to indicate the order in which the ACEs within the ACL are processed. They also provide a way to insert or delete individual ACEs.
TTL: The Time to Live (TTL) value in a packet limits how many router hops the packet can take. Each router decrements it, and the router that decrements it to zero discards the packet.
object group: Object groups are used to classify users, devices, or protocols into groups. Those groups can be used in ACLs to create access control policies for a group of objects.
firewall: A firewall is a system or group of systems that enforces an access control policy between networks. It can include options such as a packet filtering router, a switch with two VLANs, and multiple hosts with firewall software.
packet filtering firewall: Typically a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information.
stateful firewall: Stateful firewalls provide stateful packet filtering using connection information maintained in a state table. Stateful filtering tracks each connection traversing all interfaces of the firewall and confirms that it is valid.
DMZ: A demilitarized zone (DMZ) is a portion of a network bounded by a firewall or set of firewalls. It sits between the trusted internal network and the untrusted outside network, and typically holds the services that must be reachable from outside.
CBAC: Context-based access control (CBAC) is a solution available within the Cisco IOS Firewall. CBAC intelligently filters TCP and UDP packets based on Application Layer protocol session information.
ZPF or ZBF or ZFW: With the zone-based policy firewall configuration model, interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones. A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface.
C3PL: Cisco Common Classification Policy Language (C3PL) uses a hierarchical structure to define network protocol inspection and allows hosts to be grouped under one inspection policy.
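The following IOS configuration is an added example; it is not part of the course slides or the chapter lab. It ties together the ACL terms defined above (extended named ACL, sequence numbers, the established keyword, reflexive ACLs) and the anti-spoofing filter named in objective 4.3.6. Interface names, addresses and ACL names are assumptions: GigabitEthernet0/0 faces the Internet with address 203.0.113.1, GigabitEthernet0/1 faces the inside LAN 192.168.10.0/24.

```cisco
! Added example, not from the course slides. Gi0/0 = Internet (203.0.113.1),
! Gi0/1 = inside LAN 192.168.10.0/24. All names and addresses are assumptions.
!
! 1. Anti-spoofing ingress filter on the outside interface. Packets arriving
!    from the Internet must never carry an inside, private, loopback,
!    unspecified or multicast source address. The specific deny entries come
!    first; the broader permit entries follow them.
ip access-list extended OUTSIDE-IN
 10 deny   ip 192.168.10.0 0.0.0.255 any log
 20 deny   ip 10.0.0.0 0.255.255.255 any log
 30 deny   ip 172.16.0.0 0.15.255.255 any log
 40 deny   ip 127.0.0.0 0.255.255.255 any log
 50 deny   ip 0.0.0.0 0.255.255.255 any log
 60 deny   ip 224.0.0.0 15.255.255.255 any log
 70 permit tcp any host 203.0.113.1 eq 22
 80 permit tcp any 192.168.10.0 0.0.0.255 established
 90 deny   ip any any log
! ACE 90 repeats the implicit deny explicitly so that hits are counted and
! logged instead of being dropped silently. Restrict "any" in ACE 70 to the
! real management sources in production.
!
! 2. Editing with sequence numbers: insert an ACE between 70 and 80 without
!    rebuilding the list, then remove one ACE by its number.
ip access-list extended OUTSIDE-IN
 75 permit udp any host 203.0.113.1 eq ntp
 no 40
!
! 3. Apply inbound on the outside interface.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
!
! 4. Verify: the per-ACE match counters show which entry a test packet hit.
! show access-lists OUTSIDE-IN
!
! 5. Caveat on "established" (ACE 80): it matches any TCP segment with the
!    ACK or RST bit set. It does not check that a session exists, so a
!    crafted inbound packet with ACK set passes it. A reflexive ACL keeps
!    real session state instead: the outbound ACL "reflects" each permitted
!    TCP or UDP session into a temporary entry, and the inbound ACL
!    "evaluates" those entries. Replace ACE 80 accordingly.
ip access-list extended INSIDE-OUT
 permit tcp 192.168.10.0 0.0.0.255 any reflect TCP-SESSIONS timeout 300
 permit udp 192.168.10.0 0.0.0.255 any reflect UDP-SESSIONS timeout 60
 permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended OUTSIDE-IN
 no 80
 80 evaluate TCP-SESSIONS
 85 evaluate UDP-SESSIONS
!
interface GigabitEthernet0/0
 ip access-group INSIDE-OUT out
! The temporary entries appear in "show access-lists TCP-SESSIONS" while
! a session is open and disappear when it closes or the timeout expires.
```

The log keyword is useful while testing, as the teaching tips in this chapter suggest, but each logged hit is process-switched; keep it on the deny entries where hits should be rare and remove it from high-volume permit entries once the list is verified.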
• Additional content on working with ACL entries (ACEs) and sequence numbering.
• New content on configuring standard and extended ACLs using CCP.
• New content covering mitigating SNMP threats.
• New content covering IPv6 ACLs.
• New content covering the use of ACL object groups for both IPv4 and IPv6 ACLs.
• New content covering configuration of zone-based policy firewall using the CCP wizard.

• ACL configuration, management and troubleshooting often present a challenge to students. Enforce and model systematic troubleshooting for students. This can be top-down or bottom-up, as long as it is consistent.
• Ensure that students test every ACE within the ACL to see that it is functioning as expected. This can be done using real gear or Packet Tracer. Packet Tracer allows the construction of PDUs of many protocols and ports that might be hard to generate with real gear.
• When testing ACLs, have students include the log keyword in order to better understand what is happening, and have them read the per-ACE match counters in show access-lists to confirm which entry each test packet hit.

• When explaining the importance of ACE placement within an ACL, it might be helpful to use the analogy of a coin sorter that sorts based on coin size. The first barrier that coins pass through is the largest, catching only quarters. The next barrier is smaller, catching nickels, and so on. If the sorter had the smaller holes on top, it would catch quarters as well as other coins. In the same way, ACEs should be ordered more specific to more general: a broad ACE placed first shadows every more specific ACE below it, which is never reached. (Search instructables.com for “loose change sorting trays” for an example.)
• Students may not be aware that the term “firewall” was originally used to describe a barrier that separated the parts of a building most likely to catch fire (the kitchen) from other parts of the building. This wall would slow or prevent the spread of the fire, saving lives and property.
Firewalls are still in use today in building construction as well as in automobiles and airplanes.

• ACL placement is just as important as the ACEs within the ACL. Discuss the implications of placing an ACL inbound on an interface where it should have been placed outbound. Use specific examples and analyze the impact on end users.
• Some early implementations of firewalls were host-based. Discuss the implications of host-based firewalls. Discuss what happens when a user disables the firewall in order to access something that was blocked. What happens if the user doesn’t update the firewall regularly?

• ACL sequence numbers provide a convenient and safe way to insert and delete specific ACEs. Allow students to practice both inserting and deleting using sequence numbers. Contrast this with the older method of editing ACLs, in which the whole list had to be removed and re-entered in the new order.
• Firewall configuration via CLI can be overwhelming to students. After students have some practice with CLI commands, have them use the CCP wizard. After running the CCP wizard, have students view the commands before delivering them to the router. Talk about the differences between the CLI commands that they entered manually and the commands that will be delivered via CCP. Have them find and analyze specific commands that were generated via CCP but were left out of the CLI configuration.
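As an added example (not from the course slides or the chapter lab), here is the CLI configuration of the same inside/outside router first with CBAC and then with the zone-based policy firewall that Lab A has students build in Parts 2 and 3; this is the kind of manually entered configuration students can compare against what the CCP wizard generates. The two sections are alternatives, since classic ip inspect and zone membership are not combined on the same interface. Interface, zone, class-map and policy-map names and the address plan are assumptions.

```cisco
! Added example, not from the course slides. Gi0/1 = inside LAN
! 192.168.10.0/24, Gi0/0 = Internet (203.0.113.1). All names are assumptions.
! The CBAC section and the ZBF section are alternatives, not one config.
!
! ---- CBAC: inspection bound to an interface and a direction ----
! Sessions leaving through Gi0/0 create entries in the state table; the
! inbound ACL blocks everything else, and CBAC adds temporary permits for
! the return traffic of the sessions it has inspected.
ip inspect name CBAC-FW tcp
ip inspect name CBAC-FW udp
ip inspect name CBAC-FW icmp
!
ip access-list extended OUTSIDE-IN-CBAC
 permit tcp host 198.51.100.10 host 203.0.113.1 eq 22
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN-CBAC in
 ip inspect CBAC-FW out
! show ip inspect sessions      <- the state table
!
! ---- Zone-Based Policy Firewall (C3PL) ----
! Policy is attached to zone pairs, not interfaces. Default behaviour:
!  * interfaces in the same zone: traffic passes;
!  * two zones with no zone-pair between them: traffic is dropped;
!  * traffic to or from the router itself (zone "self"): passed, unless a
!    zone-pair that includes self is configured;
!  * an interface in no zone cannot exchange traffic with a zone member.
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
! Deliberately no OUTSIDE->INSIDE zone-pair: unsolicited inbound traffic is
! dropped, while replies to inspected sessions are matched by the state table.
!
! Self zone: once this pair exists, only SSH from the inside LAN reaches the
! router from INSIDE. OUTSIDE->self is still passed by default; add an
! OUTSIDE->self pair with its own policy to close that.
ip access-list extended MGMT-TO-ROUTER
 permit tcp 192.168.10.0 0.0.0.255 any eq 22
!
class-map type inspect match-all INSIDE-TO-SELF-CLASS
 match access-group name MGMT-TO-ROUTER
!
policy-map type inspect INSIDE-TO-SELF-POLICY
 class type inspect INSIDE-TO-SELF-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security IN-SELF source INSIDE destination self
 service-policy type inspect INSIDE-TO-SELF-POLICY
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
! Verify:
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```

Assigning an interface to a zone is the step that changes behaviour: the moment Gi0/1 joins INSIDE while Gi0/0 is still in no zone, traffic between them stops, so enter the zones, class-maps, policy-maps and zone-pairs first and the zone-member commands last.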
• Configuring IP Access Lists
  – http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
• Configuring Commonly Used IP ACLs
  – http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
• Zone-Based Policy Firewall Design and Application Guide
  – http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
• Cisco Configuration Professional: Zone-Based Firewall Blocking Peer to Peer Traffic Configuration Example
  – http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b5a105.shtml