Basic Firewall: ACLs
Stateful Firewall: ACLs with the “established” option
Reflexive Firewall
An implicit deny applies at the end of every ACL created
Add ‘log’ to the end of an ACL entry to log matching packets (use sparingly)
Standard ACLs are numbered 1 to 99
Are created using: Router(config)# access-list acl-number [permit/deny] source-address [wildcard]
Filter solely based on a source IP (layer 3)
Extended ACLs are numbered 100 to 199 or 2000 to 2699
Are created using: Router(config)# access-list acl-number [permit/deny] protocol source-address [source-wildcard] destination-address [destination-wildcard] [established]
A protocol must be specified
If a destination address is set, the port parameter must also be set to allow any traffic to flow
Named ACLs can be used for both standard and extended ACLs
Allow you to reorder and remove specific entries, whereas removing an entry from a numbered ACL deletes the entire ACL
After creating an ACL, it must be applied to an interface in either the inbound or outbound direction, e.g. Router(config-if)# ip access-group <list-number or name> [in/out]
ACLs can also be applied to lines, e.g. Router(config-line)# access-class <list-number or name> [in/out]
Wildcard masks: zeros (0) indicate bit positions that must match in the ANDing process; ones (1) indicate positions that are ignored, e.g. with 0.0.0.255 the first three octets (0.0.0) must match and the last octet (255) is ignored
Standard ACLs should be placed as close to the destination as possible; because they filter only on source address, placing them near the source would deny all traffic from that source, valid or invalid
Extended ACLs should be placed as close to the source as possible to avoid unnecessary use of network resources, e.g. a packet traversing the whole network only to be dropped once it arrives
Configure > Additional Tasks > ACL Editor
After configuring, in the ‘Add a Rule’ window, click Associate to assign it to an interface
Add the keyword established to ACLs
Established works only on TCP
Reflexive ACLs check source and destination ports, not just ACK bits
‘Established’ makes the router check whether the ACK flag has been set on inspected packets; it permits all TCP traffic with the ACK flag set
Also known as lock-and-key ACLs
IP traffic only
Dependent on Telnet/SSH
Challenge mechanism to authenticate individual users
Simplified management in larger networks
Reduced router processing
Fewer opportunities for hackers
Step One: Create a username/password
Step Two: Add an ACL that allows Telnet access, and add the dynamic ACL entry
Step Three: Apply the entry to the inbound interface
Step Four: Configure autocommand on the vty lines
As a general rule, ACLs should by default deny traffic from private address ranges that do not exist in the company's topology
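As an added illustration of the wildcard-mask rule and the ‘established’ check described above (example code written for these notes, not Cisco IOS code), the following evaluates a list of ACL entries top-down with the implicit deny at the end. The Entry fields, the packet dictionary layout and the sample packets are constructed here; it also treats RST as satisfying ‘established’, which is IOS behaviour beyond what the notes state.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    """One ACL entry (constructed layout, mirrors the access-list syntax)."""
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip", "tcp", "udp", "icmp"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"              # extended ACLs only; "any" by default
    dst_wild: str = "255.255.255.255"
    established: bool = False         # TCP only: require ACK (or RST) set

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match the base; 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl: list, pkt: dict) -> str:
    """Return the first matching entry's action, else the implicit deny."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != pkt["protocol"]:
            continue
        if not wildcard_match(pkt["src"], e.src, e.src_wild):
            continue
        if not wildcard_match(pkt["dst"], e.dst, e.dst_wild):
            continue
        if e.established:
            # 'established' only ever matches TCP replies (ACK or RST set)
            if pkt["protocol"] != "tcp" or not ({"ACK", "RST"} & set(pkt.get("flags", ()))):
                continue
        return e.action
    return "deny"  # implicit deny at the end of every ACL

# Constructed sample ACLs and packets
STANDARD_ACL = [Entry("permit", "ip", "192.168.1.0", "0.0.0.255")]
STATEFUL_ACL = [Entry("permit", "tcp", "0.0.0.0", "255.255.255.255",
                      "10.0.0.0", "0.0.0.255", established=True)]
INSIDE_SYN = {"src": "203.0.113.9", "dst": "10.0.0.5", "protocol": "tcp", "flags": ("SYN",)}
INSIDE_ACK = {"src": "203.0.113.9", "dst": "10.0.0.5", "protocol": "tcp", "flags": ("ACK",)}

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, {"src": "192.168.1.77", "dst": "10.0.0.1", "protocol": "udp"}))
    print(evaluate(STATEFUL_ACL, INSIDE_SYN), evaluate(STATEFUL_ACL, INSIDE_ACK))
```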
Packet-Filtering
Typically a router with the ability to filter on Layer 3 and Layer 4 information
Uses ACLs
Also known as ‘static filter’
Stateful Firewall
Monitors the state of connections and checks whether each is in the initiation, transfer or termination state
Most common and versatile
Layers 3,4,5 – Primarily Layer 3
Improved performance
More log information is generated by Stateful than by packet filtering
Every time a connection is established, the information is added to the session flow table (src IP, dest IP, port, ACK, RST) for that session
Application gateway firewall (proxy firewall)
Filters information based on Layers 3,4,5 and 7
Usually configured in software
Address-Translation firewall
Expands the number of usable IP addresses and hides the internal network topology
Layers 3 and 4
Host-based firewall
A PC or server running firewall software
Transparent Firewall
Filters traffic between a pair of interfaces
Hybrid Firewall
Combination of 2 or more firewall technologies
Context based Access Control
Intelligently filters packets based on Application-layer session information
Can block P2P
Can block IM
Can detect different types of network attacks including SYN flooding
Has 4 main functions:
Traffic Filtering
Traffic Inspection
Intrusion Detection
Generation of Audits/Alerts
Not dependent on ACLs
Set by default to block unless specifically allowed
Allows modular approach
To allow traffic flow using ZBF, all interfaces must belong to a zone
Traffic is allowed implicitly to flow between interfaces of the same zone
Configured using:
Create Zone:
zone security nameofzone
Define traffic type:
class-map type inspect nameofclassmap
match access-group 101 (an ACL)
Specify policies: policy-map type inspect
To assign zone to interface: zone-pair security