CCNA Security 1.1
Instructional Resource
Chapter 4 – Implementing Firewall Technologies
© 2012 Cisco and/or its affiliates. All rights reserved.
1
• Describe numbered, named, standard and extended IP ACLs.
• Configure IP ACLs with IOS CLI and CCP.
• Describe and configure TCP established ACL functionality.
• Describe and configure reflexive, dynamic, and time-based ACLs.
• Describe attack mitigation with ACLs.
• Describe the major types of firewalls.
• Describe and configure CBAC (IOS Stateful Packet Inspection)
with CLI.
• Describe and configure Zone-Based Policy Firewall with CLI and
CCP.
© 2012 Cisco and/or its affiliates. All rights reserved.
2
4.0 Mitigating threats using IOS ACLs
4.1 Describe standard, extended, and named IP IOS ACLs to filter.
4.1.1 IPv4 ACLs
4.1.2 IPv6 ACLs
4.1.3 ACL Object groups
4.2 Describe considerations when building ACLs.
4.2.1 Sequencing of ACEs
4.2.2 Modification of ACEs
4.3 Implement IP ACLs to mitigate threats in a network.
4.3.1 Filter IP traffic
4.3.2 SNMP
4.3.3 DDoS attacks
4.3.4 CLI
4.3.5 CCP
4.3.6 IP ACLs to prevent IP spoofing
© 2012 Cisco and/or its affiliates. All rights reserved.
3
7.0 Implementing Cisco Firewall Technologies
7.1 Describe operational strengths and weaknesses of the different firewall
technologies
7.1.1 Proxy firewalls
7.1.2 Packet and stateful packet
7.1.3 Application firewall
7.1.4 Personal firewall
7.2 Describe stateful firewalls
7.2.1 Operations
7.2.2 Function of the state table
7.4 Implement Zone Based Firewall using CCP
7.4.1 Zone to zone
7.4.2 Self zone
© 2012 Cisco and/or its affiliates. All rights reserved.
4
• Access control lists (ACLs) are used throughout the network to
identify traffic.
• ACLs contain one or more access control entries (ACEs). Each
entry is designed to permit or deny traffic based on a variety of
parameters including IP address of source or destination, upper
layer protocol or other information.
• ACLs evaluate packets from the top down, one ACE at a time. If a
packet header and an ACE match, the remaining ACEs are
skipped, and the packet is permitted or denied as determined by
the matched statement. If a packet header does not match an
ACE, the packet is tested against the next ACE in the list. This
matching process continues until the end of the list is reached.
Remember that every ACL has an implied “deny any” ACE as
the last statement.
© 2012 Cisco and/or its affiliates. All rights reserved.
5
• ACLs can be used to provide a basic layer of protection for your
network.
• ACLs do not act on packets that originate from the router itself,
but rather on traffic that traverses the router either inbound or
outbound with respect to an interface.
• There are several types of ACLs, including standard, extended,
numbered and named. ACLs can be configured via CLI or CCP.
• With Cisco IOS Software Release 12.3, IP access list entry
sequence numbering was introduced for both numbered and
named ACLs. IP access list entry sequence numbering provides
the following benefits:
– You can edit the order of ACL statements.
– You can remove individual statements from an ACL.
– You can use the sequence number to insert new statements into the middle of
the ACL.
© 2012 Cisco and/or its affiliates. All rights reserved.
6
• All modern networks use some type of firewall to protect internal
users and resources from attack.
• There are many types of firewalls and firewall implementations,
but the stateful firewall is the most common and versatile. Stateful
firewalls track each connection traversing all interfaces of the
firewall and confirms that they are valid.
• A stateful firewall can be implemented in software or can be
contained in a stand alone device.
• In 2006, Cisco Systems introduced the zone-based policy firewall
configuration model with Cisco IOS Release 12.4(6)T. With this
new model, interfaces are assigned to zones and then an
inspection policy is applied to traffic moving between the zones.
This model allows for structure and ease of use.
• A zone-based policy firewall can be configured via CLI or CCP.
© 2012 Cisco and/or its affiliates. All rights reserved.
7
• Chapter 4 Lab A: Configuring CBAC and Zone-Based Firewalls
– Part 1: Basic Router Configuration
– Part 2: Configuring a Context-Based Access Control (CBAC) Firewall
– Part 3: Configuring a Zone-Based Policy Firewall
© 2012 Cisco and/or its affiliates. All rights reserved.
8
ACL
access control list
ACE
access control entry
standard ACL
ACLs numbered 1-99 or 1300-1999 are standard IPv4 ACLs.
Standard ACLs match packets by examining the source IP
address field in the IP header of that packet. These ACLs are
used to filter packets based solely on Layer 3 source
information.
extended ACL
Extended ACLs match packets based on Layer 3 and Layer 4
source and destination information. ACLs numbered 100-199
or 2000-2699 are extended ACLs.
named ACL
Starting with IOS 11.2, Cisco allowed you to use names to
reference your ACLs instead of, or in combination with,
numbered ACLs. Named ACLs can be standard or extended.
reflexive ACL
Reflexive ACLs were introduced to the IOS in 1996. These
ACLs filter traffic based on source and destination addresses,
and port numbers, and keep track of sessions. Reflexive ACL
session filtering uses temporary filters which are removed
when a session is over.
© 2012 Cisco and/or its affiliates. All rights reserved.
9
dynamic ACL
Dynamic ACLs, also known as lock-and-key ACLs, are
available for IP traffic only. Dynamic ACLs are dependent on
Telnet connectivity, authentication (local or remote), and
Extended ACLs.
time-based ACL
Timed-based ACLs enable traffic to be restricted based on the
time of day, the day of the week, or the day of the month.
sequence number
Sequence numbers are used to indicate the order in which the
ACEs within the ACL are processed. They also provide a way
to insert or delete individual ACEs.
TTL
Time to Live (TTL) values in packets control how many hops a
packet can take before reaching a router in the network.
object group
Object groups are used to classify users, devices, or protocols
into groups. Those groups can be used in ACLs to create
access control policies for a group of objects.
firewall
A firewall is a system or group of systems that enforces an
access control policy between networks. It can include options
such as a packet filtering router, a switch with two VLANs, and
multiple hosts with firewall software.
packet filtering firewall
Typically is a router with the capability to filter some packet
content, such as Layer 3 and sometimes Layer 4 information.
© 2012 Cisco and/or its affiliates. All rights reserved.
10
stateful firewall
Stateful firewalls provide stateful packet filtering using
connection information maintained in a state table. Stateful
filtering tracks each connection traversing all interfaces of the
firewall and confirms that they are valid.
DMZ
A demilitarized zone (DMZ) is a portion of a network bounded
by a firewall or set of firewalls. DMZs define the portions of a
network that are trusted and the portions that are untrusted.
CBAC
Context-based access control (CBAC) is a solution available
within the Cisco IOS Firewall. CBAC intelligently filters TCP
and UDP packets based on Application Layer protocol session
information.
ZPF or ZBF or ZFW
With the zone-based policy firewall configuration model
interfaces are assigned to zones and then an inspection policy
is applied to traffic moving between the zones. A zone-based
firewall allows different inspection policies to be applied to
multiple host groups connected to the same router interface.
C3PL
Cisco Common Classification Policy Language (C3PL), uses a
hierarchical structure to define network protocol inspection and
allows hosts to be grouped under one inspection policy.
© 2012 Cisco and/or its affiliates. All rights reserved.
11
• Additional content on working with ACL entries (ACEs) and
sequence numbering.
• New content on configuring standard and extended ACLs using
CCP.
• New content covering mitigating SNMP threats.
• New content covering IPv6 ACLs.
• New content covering the use of ACL object groups for both IPv4
and IPv6 ACLs.
• New content covering configuraton of zone-based policy firewall
using the CCP wizard.
© 2012 Cisco and/or its affiliates. All rights reserved.
12
• ACL configuration, management and troubleshooting often
present a challenge to students. Enforce and model systematic
troubleshooting for students. This can be top-down or bottom-up,
as long as it is consistent.
• Ensure that students test every ACE within the ACL to see that it
is functioning as expected. This can be done using real gear or
Packet Tracer. Packet Tracer allows the construction of PDUs of
many protocols and ports that might be hard to generate with real
gear.
• When testing ACLs, have students include the log keyword in
order to better understand what is happening.
© 2012 Cisco and/or its affiliates. All rights reserved.
13
• When explaining the importance of ACE placement within an
ACL, it might be helpful to use the analogy of a coin sorter that
sorts based on coin size. The first barrier that coins pass through
is the largest, catching only quarters. The next barrier is smaller,
catching nickels, and so on. If the sorter had the smaller holes on
top, it would catch quarters as well as other coins. In the same
way, ACEs should be ordered more general to more specific.
(Search instructables.com for “loose change sorting trays” for an
example.)
• Students may not be aware that the term “firewall” was originally
used to describe a barrier that separated the parts of a building
most likely to catch fire (the kitchen) from other parts of the
building. This wall would slow or prevent the spread of the fire,
saving lives and property. Firewalls are still in use today in
building construction as well as in automobiles and airplanes.
© 2012 Cisco and/or its affiliates. All rights reserved.
14
• ACL placement is just as important as the ACEs within the ACL.
Discuss the implications of placing an ACL inbound on an
interface where it should have been placed outbound. Use
specific examples and analyze the impact on end users.
• Some early implementations of firewalls were host-based.
Discuss the implications of host-based firewalls. Discuss what
happens when a user disables the firewall in order to access
something that was blocked. What happens if the user doesn’t
update the firewall regularly?
© 2012 Cisco and/or its affiliates. All rights reserved.
15
• ACL sequence numbers provide a convenient and safe way to
insert and delete specific ACEs. Allow students to practice both
inserting and deleting using sequence numbers. Contrast this with
the older method of editing ACLs.
• Firewall configuration via CLI can be overwhelming to students.
After students have some practice with CLI commands, have
them use the CCP wizard. After running the CCP wizard, have
students view the commands before delivering to the router. Talk
about the differences between the CLI commands that they
entered manually and the commands that will be delivered via
CCP. Have them find and analyze specific commands that were
generated via CCP, but were left out of CLI configuration.
© 2012 Cisco and/or its affiliates. All rights reserved.
16
• Configuring IP Access Lists
– http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_not
e09186a00800a5b9a.shtml
• Configuring Commonly Used IP ACLs
– http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_exa
mple09186a0080100548.shtml
• Zone-Based Policy Firewall Design and Application Guide
– http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_not
e09186a00808bc994.shtml
• Cisco Configuration Professional: Zone-Based Firewall Blocking
Peer to Peer Traffic Configuration Example
– http://www.cisco.com/en/US/products/ps9422/products_configuration_exampl
e09186a0080b5a105.shtml
© 2012 Cisco and/or its affiliates. All rights reserved.
17
© 2011 Cisco and/or its affiliates. All rights reserved.
18