Firewall basics
Download as PPTX, PDF0 likes560 views
The document outlines the fundamentals of firewalls, including their types, deployment modes, and access control mechanisms. It discusses the evolution of firewalls to include features like VPNs and NAT, and emphasizes the importance of security levels and access control lists (ACLs) in managing network traffic. Additionally, it covers high availability features and the configurations necessary for network address translation (NAT) to function effectively within firewall designs.
Firewall basics
- 2. • AGENDA § INTRODUCTION § FIREWALL DEPLOYMENT MODES § ACCESS CONTROL § HIGH AVAILABILITY FEATURES § UNDERSTANDING NAT
- 3. CISCO FIREWALL BASICS What is Firewall? A firewall is a security device which is configured to permit, deny or proxy data connections set by the organization's security policy. Firewalls can either be hardware or software based A firewall's basic task is to control traffic between computer networks with different zones of trust Today’s firewalls combine multilayer stateful packet inspection and multiprotocol application inspection Modern firewalls have evolved by providing additional services such as VPN, IDS/IPS, and URL filtering Despite these enhancements, the primary role of the firewall is to enforce security policy
- 4. FIREWALL DESIGN Simple Internet Firewall Design Two interfaces: trusted and untrusted Usually blocks all inbound access from untrusted networks and allows all access outbound from trusted network
- 5. INTERNET FIREWALL WITH DMZ A perimeter network or DMZ (De-Militarized Zone) is a common design element used to add an additional interface to a Firewall
- 6. FIREWALL DESIGN – MODES OF OPERATION Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains Transparent Mode is where the firewall acts as a bridge functioning mostly at L2 Multi-context mode involves the use of virtual firewalls, which can be either routed or transparent mode Mixed mode is the concept of using virtualization to combine routed and transparent mode virtual firewalls
- 7. FIREWALL SECURITY LEVELS A security level is a number between 0 and 100 that determines how firewall rules are processed for the data plane Security levels are tied to an interface: the inside or private side interface is always 100 (most trusted) and the outside or public interface is always 0 (least trusted) DMZ interfaces, if used, may be assigned numbers between 1 and 99 Traffic on the ASA is allowed by default from a higher security level interface to a lower security level interface An ACL must explicitly permit traffic from a lower security level interface to a higher (e.g. outside to in)
- 8. ACCESS CONTROL LISTS Type Description Standard Used for routing protocol, not firewall rules Extended Source/Dest. port and protocol Ethertype Used with transparent mode Webtype Used for clientless SSL VPN Like Cisco IOS, ACLs are processed from top down, sequentially with an implicit deny all at the bottom A criteria match will cause the ACL to be exited ACLs are made up of Access Control Entries (ACE) ACLs can be enabled/disabled based on time ranges
- 9. NAT AND FIREWALL NAT is simply a means of address translation; commonly this is a privately addressed source into a globally routed address pool (typically 1x1 mapping) Port Address Translation (PAT) is the idea of mapping multiple source addresses into one “outside” address, commonly the interface address of the firewall (1 to many mapping) NAT is available in both routed mode and transparent mode
- 10. NAT CONTROL NAT control is the concept that a packet from a high security interface (e.g. “inside”) must match a NAT policy when traversing a lower level security interface (e.g. “outside”) If the packet does not match a NAT policy, then it is dropped
- 11. DYNAMIC NAT Dynamic NAT is the most common application of NAT on the Cisco firewall It allocates addresses from a specified pool for hosts as they establish connections to meet the NAT policy There is no relationship between a host and the it’s translated address, hence it’s “dynamic” (vs. static)
- 12. PORT ADDRESS TRANSLATION (PAT) PAT is best used in small networks where a global address pool isn’t available Commonly the firewall interface address is used Best way to conserve addresses as translates all addresses into one address and uses port numbers for tracking
- 13. OPTIONS FOR BYPASSING NAT Identity NAT (Nat 0) – limits NAT on all interfaces, very little granularity, will not allow outside to inside connections even if permitted by ACL Static Identity NAT – based on interface, a host can be translated on one interface and not translated on another. Works with Policy NAT NAT exemption (Nat 0 with Access Control List) – more granular than Identity NAT as it allows bidirectional communication between inside and outside hosts. The ACL allows for very specific NAT policies to be created NAT exemption is the most common method for bypassing NAT today
- 14. POLICY NAT In some cases it may be necessary to have a NAT policy that translates based on source AND destination While dynamic NAT only considers the source address, policy NAT looks at both source and destination including port numbers Very useful when an application (e.g. FTP, VoIP) has secondary channels that need a specific policy The source, destination and all relevant ports are assigned via an ACL Policy NAT does not support time-based ACLs
- 15. CONFIGURING NAT NAT configuration requires at least two parts: a Nat statement and a matching global statement Asa(config)#Nat(inside) 1 10.1.2.0 255.255.255.0 Asa(config)#global (outside) 1 172.16.1.3-172.16.1.10
- 16. HIGH AVAILABILITY – INTERFACE REDUNDANCY Up to 8 redundant interface pairs are allowed. Compatible with all firewall modes (routed/transparent and single/multiple) and all HA deployments (A/A and A/S) When the active physical interface fails, traffic fails to the standby physical interface and routing adjacencies, connection, and auth state won’t need to be relearned.