CCNA Security 09- ios firewall fundamentals
Download as PPT, PDF13 likes2,567 views
This document provides an overview of firewall fundamentals and Cisco firewall solutions. It discusses the basics of standard and extended ACLs, stateful packet inspection, and zone-based policy firewalls. The key steps to configure Cisco's zone-based policy firewall using CLI are defined as: 1) create security zones, 2) define traffic classes with class-maps, 3) create policy maps to apply actions, and 4) apply policies to zone pairs and assign interfaces to zones.
![Standard Numbered IP ACLs
Router(config)# access-list {1-99} {permit | deny}
source-addr [source-mask]
• The first value specifies the ACL number
• The second value specifies whether to permit or deny the configured
source IP address traffic
• The third value is the source IP address that must be matched
• The fourth value is the wildcard mask to be applied to the previously
configured IP address to indicate the range
• All ACLs assume an implicit deny statement at the end of the ACL6+
• At least one permit statement should be included or all traffic will be
dropped once that ACL is applied to an interface
© 2009 Cisco Learning Institute. 3](https://image.slidesharecdn.com/08-iosfirewallfundamentals-141023225006-conversion-gate01/85/CCNA-Security-09-ios-firewall-fundamentals-3-320.jpg)
![Extended Numbered IP ACLs
Router(config)# access-list {100-199} {permit | deny}
protocol source-addr [source-mask] [operator operand]
destination-addr [destination-mask] [operator operand]
[established]
• The first value specifies the ACL number
• The second value specifies whether to permit or deny accordingly
• The third value indicates protocol type
• The source IP address and wildcard mask determine where traffic
originates. The destination IP address and wildcard mask are used
to indicate the final destination of the network traffic
• The command to apply the standard or extended numbered ACL:
Router(config-if)# ip access-group number {in | out}
© 2009 Cisco Learning Institute. 4](https://image.slidesharecdn.com/08-iosfirewallfundamentals-141023225006-conversion-gate01/85/CCNA-Security-09-ios-firewall-fundamentals-4-320.jpg)
![Step 3: Define Inspection Rules
Router(config)#
ip inspect name inspection_name protocol [alert {on | off}] [audit-trail
{on | off}] [timeout seconds]
© 2009 Cisco Learning Institute. 24](https://image.slidesharecdn.com/08-iosfirewallfundamentals-141023225006-conversion-gate01/85/CCNA-Security-09-ios-firewall-fundamentals-24-320.jpg)
CCNA Security 09- ios firewall fundamentals
- 1. 08- IOS Firewall Fundamentals Ahmed Sultan CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH © 2009 Cisco Learning Institute. 1
- 2. ACL Topology and Types © 2009 Cisco Learning Institute. 2
- 3. Standard Numbered IP ACLs Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask] • The first value specifies the ACL number • The second value specifies whether to permit or deny the configured source IP address traffic • The third value is the source IP address that must be matched • The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range • All ACLs assume an implicit deny statement at the end of the ACL6+ • At least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface © 2009 Cisco Learning Institute. 3
- 4. Extended Numbered IP ACLs Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established] • The first value specifies the ACL number • The second value specifies whether to permit or deny accordingly • The third value indicates protocol type • The source IP address and wildcard mask determine where traffic originates. The destination IP address and wildcard mask are used to indicate the final destination of the network traffic • The command to apply the standard or extended numbered ACL: Router(config-if)# ip access-group number {in | out} © 2009 Cisco Learning Institute. 4
- 5. Named IP ACLs Router(config)# ip access-list extended vachon1 Router(config-ext-nacl)# deny ip any 200.1.2.10 0.0.0.1 Router(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 80 Router(config-ext-nacl)# permit tcp any host 200.1.1.10 eq 25 Router(config-ext-nacl)# permit tcp any eq 25 host 200.1.1.10 any established Router(config-ext-nacl)# permit tcp any 200.1.2.0 0.0.0.255 established Router(config-ext-nacl)# permit udp any eq 53 200.1.2.0 0.0.0.255 Router(config-ext-nacl)# deny ip any any Router(config-ext-nacl)# interface ethernet 1 Router(config-if)# ip access-group vachon1 in Router(config-if)# exit Standard Extended © 2009 Cisco Learning Institute. 5
- 6. Applying Standard ACLs Use a standard ACL to block all traffic from 172.16.4.0/24 network, but allow all other traffic. r1 R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255 R1(config)# access-list 1 permit any R1(config)# interface ethernet 0 R1(config-if)# ip access-group 1 out © 2009 Cisco Learning Institute. 6
- 7. Applying Extended ACLs Use an extended ACL to block all FTP traffic from 172.16.4.0/24 network, but allow all other traffic. r1 R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20 R1(config)# access-list 101 permit ip any any © 2009 Cisco Learning Institute. 7
- 8. Attacks Mitigated ACLs can be used to: • Mitigate IP address spoofing—inbound/outbound • Mitigate Denial of service (DoS) TCP synchronizes (SYN) attacks— blocking external attacks • Mitigate DoS TCP SYN attacks—using TCP intercept • Mitigate DoS smurf attacks • Filter Internet Control Message Protocol (ICMP) messages—inbound • Filter ICMP messages—outbound • Filter traceroute © 2009 Cisco Learning Institute. 8
- 9. Inbound CLI Commands R1(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any R1(config)#access-list 150 deny ip 10.0.0.0 0.255.255.255 any R1(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any R1(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any R1(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any R1(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any R1(config)#access-list 150 deny ip host 255.255.255.255 any Outbound R1(config)#access-list 105 permit ip 192.168.1.0 0.0.0.255 any © 2009 Cisco Learning Institute. 9
- 10. Allowing Common Services R1 Internet Serial 0/0/0 F0/0 R1 DNS, SMTP, FTP 192.168.20.2/24 F0/1 PC A 200.5.5.5/24 R1(config)#access-list 122 permit udp any host 192.168.20.2 eq domain R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq smtp R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq ftp R1(config)#access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq telnet R1(config)#access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq 22 R1(config)#access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq syslog R1(config)#access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq snmptrap © 2009 Cisco Learning Institute. 10
- 11. Controlling ICMP Messages 200.5.5.5/24 Inbound on S0/0/0 R1 Internet Serial 0/0/0 F0/0 R1 192.168.20.2/24 F0/1 PC A R1(config)#access-list 112 permit icmp any any echo-reply R1(config)#access-list 112 permit icmp any any source-quench R1(config)#access-list 112 permit icmp any any unreachable R1(config)#access-list 112 deny icmp any any Outbound on S0/0/0 R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench © 2009 Cisco Learning Institute. 11
- 12. Firewalls • A firewall is a system that enforces an access control policy between network • Common properties of firewalls: - The firewall is resistant to attacks - The firewall is the only transit point between networks - The firewall enforces the access control policy © 2009 Cisco Learning Institute. 12
- 13. Benefits of Firewalls • Prevents exposing sensitive hosts and applications to untrusted users • Prevent the exploitation of protocol flaws by sanitizing the protocol flow • Firewalls prevent malicious data from being sent to servers and clients. • Properly configured firewalls make security policy enforcement simple, scalable, and robust. • A firewall reduces the complexity of security management by offloading most of the network access control to a couple of points in the network. © 2009 Cisco Learning Institute. 13
- 14. Types of Filtering Firewalls • Packet-filtering firewall—is typically a router that has the capability to filter on some of the contents of packets (examines Layer 3 and sometimes Layer 4 information) • Stateful firewall—keeps track of the state of a connection: whether the connection is in an initiation, data transfer, or termination state • Application gateway firewall (proxy firewall) —filters information at Layers 3, 4, 5, and 7. Firewall control and filtering done in software. • Address-translation firewall—expands the number of IP addresses available and hides network addressing design. © 2009 Cisco Learning Institute. 14
- 15. Types of Filtering Firewalls • Host-based (server and personal) firewall—a PC or server with firewall software running on it. • Transparent firewall—filters IP traffic between a pair of bridged interfaces. • Hybrid firewalls—some combination of the above firewalls. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall. © 2009 Cisco Learning Institute. 15
- 16. Packet-Filtering Firewall • Are based on simple permit or deny rule set • Have a low impact on network performance • Are easy to implement • Are supported by most routers • Afford an initial degree of security at a low network layer • Perform 90% of what higher-end firewalls do, at a much lower cost © 2009 Cisco Learning Institute. 16
- 17. Stateful Firewall 10.1.1.1 200.3.3.3 source port 1500 destination port 80 Inside ACL (Outgoing Traffic) Outside ACL (Incoming Traffic) permit ip 10.0.0.0 0.0.0.255 any Dynamic: permit tcp host 200.3.3.3 eq 80 host 10.1.1.1 eq 1500 permit tcp any host 10.1.1.2 eq 25 permit udp any host 10.1.1.2 eq 53 deny ip any any © 2009 Cisco Learning Institute. 17
- 18. Cisco Systems Firewall Solutions • IOS Firewall –Zone-based policy framework for intuitive management –Instant messenger and peer-to-peer application filtering –VoIP protocol firewalling –Virtual routing and forwarding (VRF) firewalling –Wireless integration –Stateful failover –Local URL whitelist and blacklist support –Application inspection for web and e-mail traffic • PIX 500 Series • ASA 5500 Series © 2009 Cisco Learning Institute. 18
- 19. Design with DMZ DMZ Public-DMZ Policy Private-DMZ DMZ-Private Policy Policy Trusted Untrusted Private-Public Policy Internet © 2009 Cisco Learning Institute. 19
- 20. CBAC Example © 2009 Cisco Learning Institute. 20
- 21. Configuration of CBAC Four Steps to Configure • Step 1: Pick an Interface • Step 2: Configure IP ACLs at the Interface • Step 3: Define Inspection Rules • Step 4: Apply an Inspection Rule to an Interface © 2009 Cisco Learning Institute. 21
- 22. Step 1: Pick an Interface Two-Interface Three-Interface © 2009 Cisco Learning Institute. 22
- 23. Step 2: Configure IP ACLs at the Interface © 2009 Cisco Learning Institute. 23
- 24. Step 3: Define Inspection Rules Router(config)# ip inspect name inspection_name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds] © 2009 Cisco Learning Institute. 24
- 25. Step 4: Apply an Inspection Rule to an Interface © 2009 Cisco Learning Institute. 25
- 26. Zone Based Firewall Each zone holds only one interface. • If an additional interface is added to the private zone, the hosts connected to the new interface in the private zone can pass traffic to all hosts on the existing interface in the same zone. • Additionally, hosts connected to the new interface in the private zone must adhere to all existing “private” policies related to that zone when passing traffic to other zones. © 2009 Cisco Learning Institute. 26
- 27. Benefits Two Zones • Zone-based policy firewall is not dependent on ACLs • The router security posture is now “block unless explicitly allowed” • C3PL (Cisco Common Classification Policy Language) makes policies easy to read and troubleshoot • One policy affects any given traffic, instead of needing multiple ACLs and inspection actions. © 2009 Cisco Learning Institute. 27
- 28. Common Designs LAN-to-Internet Public Servers Redundant Firewalls Complex Firewall © 2009 Cisco Learning Institute. 28
- 29. Actions Inspect – This action configures Cisco IOS stateful packet inspection Drop – This action is analogous to deny in an ACL Pass – This action is analogous to permit in an ACL © 2009 Cisco Learning Institute. 29
- 30. Manually Implementing Zone-based Policy Firewall with CCP • Step 1: Define zones • Step 2: Configure class maps to describe traffic between zones • Step 3: Create policy maps to apply actions to the traffic of the class maps • Step 4: Define zone pairs and assign policy maps to the zone pairs © 2009 Cisco Learning Institute. 30
- 31. Implementing Zone-based Policy Firewall with CLI 1. Create the zones for the firewall with the zone security command 3. Specify firewall policies with the policy-map type inspect command 2. Define traffic classes with the class-map type inspect command 4. Apply firewall policies to pairs of source and destination zones with zone-pair security 5. Assign router interfaces to zones using the zone-member security interface command © 2009 Cisco Learning Institute. 31
- 32. Step 1: Create the Zones FW(config)# zone security Inside FW(config-sec-zone)# description Inside network FW(config)# zone security Outside FW(config-sec-zone)# description Outside network © 2009 Cisco Learning Institute. 32
- 33. Step 2: Define Traffic Classes FW(config)# class-map type inspect FOREXAMPLE FW(config-cmap)# match access-group 101 FW(config-cmap)# match protocol tcp FW(config-cmap)# match protocol udp FW(config-cmap)# match protocol icmp FW(config-cmap)# exit FW(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any © 2009 Cisco Learning Institute. 33
- 34. Step 3: Define Firewall Policies FW(config)# policy-map type inspect InsideToOutside FW(config-pmap)# class type inspect FOREXAMPLE FW(config-pmap-c)# inspect © 2009 Cisco Learning Institute. 34
- 35. Step 4: Assign Policy Maps to Zone Pairs and Assign Router Interfaces to Zones FW(config)# zone-pair security InsideToOutside source Inside destination Outside FW(config-sec-zone-pair)# description Internet Access FW(config-sec-zone-pair)# service-policy type inspect InsideToOutside FW(config-sec-zone-pair)# interface F0/0 FW(config-if)# zone-member security Inside FW(config-if)# interface S0/0/0.100 point-to-point FW(config-if)# zone-member security Outside © 2009 Cisco Learning Institute. 35