Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 4: Implementing Firewall Technologies

Published byAdan Bidgood Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 4: Implementing Firewall Technologies"— Presentation transcript:

1 Chapter 4: Implementing Firewall Technologies
CCNA-Security

2 Chapter 4: Objectives In this chapter you will:
Configure standard and extended IPv4 ACLs using CLI. Verify the functionality of a configured ACL in relation to the network topology. Configure standard and extended IPv4 ACLs using CCP. Configure TCP established and reflexive ACLs. Configure dynamic ACLs. Configure time-based ACLs. Troubleshoot complex ACL implementations. Use ACLs to mitigate common network attacks. Configure IPv6 ACLs using CLI. Configure object groups for use within an access control entry. Explain how firewalls are used to help secure networks. Describe the various types of firewalls. Configure a classic firewall. Explain design considerations for implementing firewall technologies. Explain how Zone-Based Policy Firewalls are used to help secure a network. Explain the operation of a Zone-Based Policy Firewall. Configure Zone-Based Policy Firewall with CLI. Configure a Zone-Based Policy Firewall with CCP.

3 Chapter 4.0 Introduction 4.1 Access Control Lists 4.2 Firewall Technologies 4.3 Zone-Based Policy Firewalls 4.4 Summary

4 4.1 Access Control Lists

5 Configuring Standard and Extended IPv4 ACLs with CLI Introduction to Access Control Lists
Access Control Lists (ACLs) are widely used for mitigating network attacks and controlling network traffic Parameters used in security-related ACLs involve IPv4, IPv6 addresses, and TCP and UDP port numbers.

6 Standard Numbered IP ACL
Configuring Standard and Extended IPv4 ACLs with CLI Standard and Extended Numbered IP ACLs Standard Numbered IP ACL

7 ACLs numbered1–99 or 1300–1999 are standard IPv4 ACLs.
Configuring Standard and Extended IPv4 ACLs with CLI Standard and Extended Numbered IP ACLs Cont. ACLs numbered1–99 or 1300–1999 are standard IPv4 ACLs. Standard ACLs match packets by examining the source IP address field in the IP header of that packet. Standard ACLs are used to filter packets based solely on Layer 3 source information.

8 Extended Numbered IP ACLs
Configuring Standard and Extended IPv4 ACLs with CLI Standard and Extended Numbered IP ACLs Cont. Extended Numbered IP ACLs access-list { acl-# } { permit | deny | remark } protocol source-addr [ source-wildcard ]  destination-addr [destination-wildcard ] [ operator operand ] [port] [ established ][ log ]

9 ACLs numbered 100–199 or 2000–2699 are extended ACLs.
Configuring Standard and Extended IPv4 ACLs with CLI Standard and Extended Numbered IP ACLs Cont. ACLs numbered 100–199 or 2000–2699 are extended ACLs. Extended ACLs filter IP packets based on: Source and destination IP addresses Source and destination TCP and UDP Ports Protocol Type Standard and Extended ACLs are: Applied on an interface using the ip access-group command. Applied on a VTY port using the access-class command.

10 Standard Named IP ACL example:
Configuring Standard and Extended IPv4 ACLs with CLI Standard and Extended Named IP ACLs Router(config)# ip access list [standard | extended] name_of_ACL Standard Named IP ACL example: Extended Named IP ACL example:

11 Protocol - TCP, UDP, or ICMP
Configuring Standard and Extended IPv4 ACLs with CLI Logging ACL Matches The Log parameter can be used to log matches to ACLs. The following information is included: Action - Permit or deny Protocol - TCP, UDP, or ICMP Source and destination - IPv4 or IPv6 addresses TCP and UDP - Source and destination port numbers For ICMP - Message types Log messages are generated on the first packet match and then at five-minute intervals after that first packet match.

12 Standard ACL packet filtering
Configuring Standard and Extended IPv4 ACLs with CLI Access Control Entry (ACE) Rules An ACL is made up of one or more access control entries (ACEs). The caveats below should be considered when working with ACLs. Implicit deny all - All Cisco ACLs end with an implicit deny all statement. Standard ACL packet filtering Standard ACLs are limited to packet filtering based on source addresses only. Extended ACLs might need to be created to fully implement a security policy. Order of statements ACLs have a policy of first match; when a statement is matched, the list is no longer examined. Ensure that statements at the top of the ACL do not negate any statements found lower. Place specific ACL statements higher in the ACL and more general statements near the end.

13 Directional filtering
Configuring Standard and Extended IPv4 ACLs with CLI Access Control Entry Rules (Cont.) Directional filtering ACLs can be applied to inbound packets (toward the interface) or outbound packets (away from the interface). Double-check the direction of data that an ACL is filtering. Special packets Router-generated packets, such as routing table updates, are not subject to outbound ACL statements on the source router. If the security policy requires filtering these types of packets, inbound ACLs on adjacent routers or other router filter mechanisms must be used. Modifying ACLs New entries are added to an ACL, and are always added to the bottom. Starting with Cisco IOS 12.3, sequence numbers can be used to edit an ACL. The ACL is processed top-down based on the sequence numbers of the statements (lowest to highest).

14 Configuring Standard and Extended IPv4 ACLs with CLI Standard ACL Example
All traffic from subnet must be denied access to another subnet, but all other traffic should be permitted R1(config)# access-list 1 deny R1(config)# access-list 1 permit any R1(config)# interface FastEthernet 0/0 R1(config-if)# ip access-group 1 out

15 FTP traffic from one subnet must be denied on another subnet.
Configuring Standard and Extended IPv4 ACLs with CLI Extended ACL Example FTP traffic from one subnet must be denied on another subnet. R1(config)# access-list 101 deny tcp eq 21 R1(config)# access-list 101 deny tcp eq 20 R1(config)# access-list 101 permit ip any any

16 Configuring Standard and Extended IPv4 ACLs with CLI Editing Extended ACLs
The existing access list has three entries: The access list is edited, adding a new ACE and replacing ACE line 20: The updated access list has four entries:

17 Topology and Flow for ACLs How Cisco Routers Handle ACL Matches
The direction of traffic through a networking device is defined by the ingress (inbound) and egress (outbound) interfaces for the traffic. Inbound traffic refers to traffic as it enters into the router, prior to the routing table being accessed. Outbound traffic refers to traffic that entered the router and has been processed by the router to determine where to forward that data. Depending on the type of device and ACL configured, the return traffic can be dynamically tracked.

18 Topology and Flow for ACLs How Cisco Routers Handle ACL Matches Cont.
Inbound ACL Operation Flow

19 Topology and Flow for ACLs How Cisco Routers Handle ACL Matches Cont.
Outbound ACL Operation Flow

20 Topology and Flow for ACLs ACL Placement
Standard ACL Placement Standard ACLs are placed as close to the destination as possible. Standard ACLs filter packets are based on the source address only. Placing standard ACLs that are too close to the source can deny valid traffic. Extended ACL Placement Extended ACLs are placed on routers as close as possible to the source that is being filtered. Placing extended ACLs too far from the source is inefficient use of network resources.

21 Topology and Flow for ACLs ACL Design
ACLs are used to prevent certain types of traffic from entering a network. ACLs are used to permit more secure types of traffic, such as HTTPS (TCP port 443), to be used for business purposes.  Effective use of ACLs requires a clear understanding of which ports must be blocked versus permitted and proper of extended ACLs The Nmap program can be used to determine which ports are open on a given device.

22 Topology and Flow for ACLs Verifying ACL Functionality
show running-config command  show ip access-lists command 

23 Configuring Standard and Extended ACLs with CCP Configuring ACLs with CCP
To configure ACLs on a routing device using CCP, the router must first be selected from the drop-down list under Select Community Member. Next on the CCP application menu bar, click Configure to open the task list. Open the Router drop-down list >ACL to access the ACL configuration options.

24 Configuring Standard and Extended ACLs with CCP CCP Rules
CCP allows an administrator to create access rules that denies certain types of traffic while permitting other types. CCP provides default rules that an administrator can use. The CCP Rules (ACLs) Summary window provides a summary of the rules in the router configuration.

25 Configuring Standard and Extended ACLs with CCP Creating a Rule
Using CCP an administrator can create and apply standard rules (Standard ACLs) and extended rules (extended ACLs). On the CCP menu, click Configure > Router > ACL >ACL Editor. Click Add to display the Add a Rule window. In the Add a Rule window, enter a name or number in the Name/Number field. From the Type drop-down list, select Standard Rule. Click Add. The Add a Standard Rule Entry window appears.

26 Configuring Standard and Extended ACLs with CCP Applying a Rule to an Interface
After the Rule Entry list is complete, the next step is to apply the rule to an interface.  From the Add a Rule window, click Associate. The Associate with an Interface window displays. Only interfaces with a status of up/up appear in the drop-down list.

27 Configuring Standard and Extended ACLs with CCP Delivering a Rule
After the access rule is created, in the Add a Rule window, click OK.

28 Configuring TCP Established and Reflexive ACLs First-Generation Approach to Stateful Firewall
The first-generation IOS traffic filtering solution to support the two-way nature of TCP virtual circuits was the TCP established keyword for extended IP ACLs. Block all traffic coming from the Internet except for the TCP reply traffic associated with established TCP traffic initiated from inside network. The second generation IOS solution for session filtering was reflexive ACLs. Filter traffic based on source and destination addresses, and port numbers, and track sessions. The TCP established option and reflexive ACLs are examples of complex ACLs.

29 Configuring TCP Established and Reflexive ACLs Monitoring TCP Flag Settings
In 1995, the first-generation IOS traffic filtering solution based on the TCP established keyword for extended IP ACLs. The TCP established keyword blocks all traffic coming from the Internet, except for the TCP reply traffic associated with established TCP traffic initiated from the inside of the network. The established keyword forces the router to check whether the TCP ACK or RST control flag is set. If the ACK flag is set, the TCP traffic is allowed in. If not, it is assumed that the traffic is associated with a new connection initiated from the outside.

30 Configuring TCP Established and Reflexive ACLs TCP Established in Action
R1(config)# access-list 100 permit tcp any eq established R1(config)# access-list 100 deny ip any any R1(config)# interface s0/0/0 R1(config-if)# ip access-group 100 in

31 Configuring TCP Established and Reflexive ACLs Reflexive ACLs
In 1996, the second-generation IOS solution for session filtering was Reflexive ACLs. Unlike the TCP Established feature, which just used ACK and RST bits, reflexive ACLS filter traffic were based on source, destination addresses, and port numbers. Session filtering uses temporary filters that are removed when a session is over, adding a time limit on a hacker’s attack opportunity. Used to allow IP traffic for sessions originating from within the network while denying IP traffic for sessions originating outside the network.

32 Configuring TCP Established and Reflexive ACLs Reflexive ACLs (cont.)
The router examines the outbound traffic and when it sees a new connection, it adds an entry to a temporary ACL to allow replies back in. These entries are automatically created when a new IP session begins, for example, with an outbound packet, and the entries are automatically removed when the session ends.

33 Configuring TCP Established and Reflexive ACLs Using Reflexive ACLs
Step 1. Create an internal ACL that looks for new outbound sessions and creates temporary reflexive ACEs. Step 2. Create an external ACL that uses the reflexive ACLs to examine return traffic. Step 3. Activate the Named ACLs on the appropriate interfaces.

34 Configuring TCP Established and Reflexive ACLs Using Reflexive ACLs Cont.
Create a reflexive ACL that matches internal users surfing the Internet with a web browser and relying on DNS with a 10-second timeout period. R1(config)# ip access-list extended INTERNAL_ACL R1(config-ext-nacl)# permit tcp any any eq 80 reflect WEB-ONLY-REFLEXIVE-ACL R1(config-ext-nacl)# permit udp any any eq 53 reflect DNS-ONLY-REFLEXIVE-ACL timeout 10 R1(config-ext-nacl)# exit R1(config)# ip access-list extended EXTERNAL_ACL R1(config-ext-nacl)# evaluate WEB-ONLY-REFLEXIVE-ACL R1(config-ext-nacl)# evaluate DNS-ONLY-REFLEXIVE-ACL R1(config-ext-nacl)# deny ip any any R1(config)# interface s0/0/0 R1(config-if)# ip access-group INTERNAL_ACL out R1(config-if)# ip access-group EXTERNAL_ACL in

35 Configuring Dynamic ACLs Dynamic ACLs
Dynamic ACLs are available for IP traffic only. Dynamic ACLs are dependent on Telnet connectivity, authentication (either local or remote), and extended ACLs. Dynamic ACLs offer these security benefits over standard and static extended ACLs: Challenge mechanism to authenticate individual users Simplified management in large internetworks Reduced router processing for ACLs Less opportunity for network break-ins by network hackers Creation of dynamic user access through a firewall, without compromising other configured security restrictions.

36 Configuring Dynamic ACLs Dynamic ACL Operation
An extended ACL is applied to block all traffic through the router, except Telnet. Users who want to traverse the router are blocked by the ACL until they use Telnet to connect to the router and are authenticated. Users authenticate using Telnet, and then dropped. However, a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular period; idle and absolute timeouts are possible.

37 Configuring Dynamic ACLs Dynamic ACL Operation Cont.

38 Configuring Dynamic ACLs Configuring a Dynamic ACL

39 Configuring Dynamic ACLs Dynamic ACL Timeouts
Two timeouts are associated with dynamic ACL entries: absolute and idle. The absolute timer is specified in the dynamic ACL entry.  The idle timeout value is specified in the autocommand command, which enables lock-and-key authentication on the vty lines. If timeouts are not specified, the default is to never time out the entry; therefore, it is recommended to configure a timeout.

40 Configuring Time-Based ACLs Time-Based ACLs
Time-based ACLs allow for access control based on time. Timed-based ACLs enable traffic to be restricted based on the time of day, the day of the week, or the day of the month.

41 Configuring Time-Based ACLs Configuring Time-Based ACLs

42 Configuring Time-Based ACLs Time-Based ACL Scenario
Users are not allowed to access the Internet during business hours, except during lunch and after hours between 5:00 p.m. and 7:00 p.m. R1(config)# time-range EMPLOYEE-TIME R1(config-time-range)# periodic weekdays 12:00 to 13:00 R1(config-time-range)# periodic weekdays 17:00 to 19:00 R1(config-time-range)# exit R1(config)# access-list 100 permit ip any time-range EMPLOYEE-TIME R1(config)# access-list 100 deny ip any any R1(config)# interface FastEthernet 0/1 R1(config-if)# ip access-group 100 in R1(config-if)# exit

43 Two commands are very useful for troubleshooting ACLs:
Troubleshooting Complex ACL Implementations Verify and Troubleshoot ACLs Two commands are very useful for troubleshooting ACLs: show access-lists debug ip packet (detail)

44 Troubleshooting Complex ACL Implementations Debugging ACLs

45 Mitigating Attacks with ACLs Mitigating Spoofing and DoS Attacks
ACLs can be used to mitigate many network threats IP address spoofing, inbound and outbound DoS TCP SYN attacks DoS smurf attacks ACLs can also filter the following traffic ICMP messages (inbound and outbound) traceroute

46 Mitigating Attacks with ACLs Antispoofing with ACLs
Deny all IP packets containing the following IP addresses in their source field: Any local host addresses ( /8) Any reserved private addresses (RFC 1918) Any addresses in the IP multicast address range ( /4) R1(config)# access-list 150 deny ip any R1(config)# access-list 150 deny ip any R1(config)# access-list 150 deny ip any R1(config)# access-list 150 deny ip any R1(config)# access-list 150 deny ip any R1(config)# access-list 150 deny ip any R1(config)# access-list 150 deny ip host any

47 Mitigating Attacks with ACLs Permitting Necessary Traffic Through a Firewall
DNS, SMTP, and FTP are common services that often must be allowed through a firewall.

48 Mitigating Attacks with ACLs Mitigating ICMP Abuse
Hackers use ICMP packets for pings sweeps and DoS flood attacks, and use ICMP redirect messages to alter host routing tables. Both ICMP echo and redirect messages should be blocked inbound by the router.

49 Mitigating Attacks with ACLs Mitigating SNMP Exploits
Management protocols, such as SNMP, while useful for remote monitoring and management of networked devices, can be exploited. Apply interface ACLs to filter SNMP packets from non-authorized systems.

50 IPv6 ACLs are created using the ipv6 access-list command.
IPv6 ACLs IPv6 ACLs IPv6 ACLs are similar to IPv4 ACLs. They allow filtering on source and destination addresses, source and destination ports, and protocol type. IPv6 ACLs are created using the ipv6 access-list command. IPv6 ACLs are applied to an interface using the ipv6 traffic-filter access-list-name {in | out} command.

51 IPv6 ACLs Configuring IPv6 ACLs
All IPv6 ACLs contain two implicit permit statements to allow IPv6 neighbor discovery packets to be sent and received. permit icmp any any nd-na permit icmp any any nd-ns Like IPv4 ACLs, all IPv6 ACLs include an implicit deny as the last statement. deny ipv6 any any These statements will not display in the configuration output. A best practice is to manually enter all three implicit commands. Manually entering the implicit deny statement also allows you to log denied packets without affecting neighbor discovery.

52 Using Object Groups in ACEs Object Groups
Object groups are used to classify users, devices, or protocols into groups. These groups can then be used to create access control policies for groups of objects in easy to read statements. This feature lets the administrator use object groups instead of individual IP addresses, protocols, and ports, which are used in conventional ACLs. This results in fewer, more manageable Access Control Entries (ACEs). Both IPv4 and IPv6 ACLs can use object groups.

53 Using Object Groups in ACEs Network and Service Object Groups
Object groups must have unique names. Additional objects can be appended to existing object groups. Objects such as hosts, protocols, or services can be grouped. Cannot delete an object group or make an object group empty if it is being used in an ACE.

54 Using Object Groups in ACEs Configuring Network and Service Object Groups

55 Using Object Groups in ACEs Creating an Object Group-Based ACL
In this ACL, all IP addresses and networks specified within the eng_network_group are permitted all services specified in the eng_srv_group. In the example, the protocol argument (tcp, udp, icmp) is not necessary, because the protocol is specified within the services group.

56 4.2 Firewall Technologies
5.2 Address Resolution Protocol

57 Securing Networks with Firewalls Defining Firewalls
A firewall prevents undesirable traffic from entering prescribed areas within a network. A firewall is a system or group of systems that enforces an access control policy between networks. For example: A packet filtering router A switch with two VLANs Multiple hosts with firewall software In 1989, AT&T Bell Laboratories developed the first stateful firewall. A stateful firewall is able to determine if a packet belongs to an existing flow of data.

58 Securing Networks with Firewalls Defining Firewalls Cont.

59 Securing Networks with Firewalls Benefits and Limitations of Firewalls
Exposure of sensitive hosts and applications to untrusted users can be prevented. The protocol flow can be sanitized, preventing the exploitation of protocol flaws. Malicious data can be blocked from servers and clients. Security policy enforcement can be made simple, scalable, and robust. Limitations If misconfigured, can have serious consequences, such as single point of failure. The data from many applications cannot be passed over firewalls securely. Users might proactively search for ways around the firewall to receive blocked material, exposing the network to potential attack. Network performance can slow down. Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.

60 Types of Firewalls Firewall Types
Packet filtering firewall - Typically is a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information. Stateful firewall - Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state. Application gateway firewall (proxy firewall) - A firewall that filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in the software. Network address translation (NAT) firewall - A firewall that expands the number of IP addresses available and hides network addressing design.

61 Types of Firewalls Packet Filtering Firewall
Packet-filtering firewalls are usually part of a router firewall and primarily uses ACLs. It examines a packet based on the information in a packet header. Packet-filtering firewalls use a simple policy table lookup that permits or denies traffic based on specific criteria: Source IP address Destination IP address Protocol Source port number Destination port number Synchronize/start (SYN) packet receipt

62 Types of Firewalls Stateful Firewalls
Stateful firewalls are the most versatile and the most common firewall technologies in use.  Stateful filtering tracks each connection traversing all interfaces of the firewall and confirms that they are valid. The firewall examines information in the headers of Layer 3 packets and Layer 4 segments. Also called “stateful packet filters” and “application-aware packet filters.” Stateful firewalls have two main improvements over packet filters Maintain a session table (state table) where they track all connections. Recognize dynamic applications and know which additional connections will be initiated between the endpoints.

63 Types of Firewalls Stateful Firewalls Cont.
Stateful firewalls inspect every packet, compare the packet against the state table, and may examine the packet for any special protocol negotiations. Stateful firewalls operate mainly at the transport (TCP and UDP) layer.

64 Types of Firewalls Cisco Firewall Solutions
Cisco Systems provides several options for network security professionals to implement a firewall solution.

65 Classic Firewall Classic Firewall
Classic Firewall, formerly known as context-based access control (CBAC) Classic Firewall provides four main functions that include traffic filtering, traffic inspection, intrusion detection, and generation of audits and alerts Classic Firewall is a dramatic improvement over the TCP established and reflexive ACL firewalls in several ways Monitors TCP connection setup Tracks TCP sequence numbers Monitors UDP session information Inspects DNS queries and replies Inspects common ICMP message types Supports applications that rely on multiple connections Inspects embedded addresses Inspects application layer information

66 Classic Firewall Classic Firewall Operation

67 Classic Firewall Classic Firewall Operation Cont.
With Classic Firewall, the protocols to inspect are specified in an inspection rule. An inspection rule is applied to an interface in a direction, either in or out, where the inspection applies.

68 Classic Firewall Classic Firewall Configuration
To configure Classic Firewall: Step 1. Select an interface, either internal or external. Step 2. Configure IP ACLs at the interface. Step 3. Define inspection rules. Step 4. Apply an inspection rule to an interface.

69 Firewalls In Network Design Demilitarized Zones
Demilitarized Zones (DMZs) define the portions of a network that are trusted and untrusted. 

70 Firewalls In Network Design Layered Defense
Factors to consider when building a complete in-depth defense.

71 Firewalls In Network Design Firewalls and the Security Policy
Firewall Best Practices

72 4.3 Zone-Based Policy Firewalls
5.3 LAN Switches

73 Zone-Based Policy Firewall Characteristics Zone-Based Policy Firewalls
A Zone-Based Policy Firewall configuration model (ZPF or ZBF or ZFW) was introduced in 2006 with Cisco IOS Release 12.4(6)T. With ZPF, the interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones. The default policy is to block all traffic, unless explicitly allowed (CBACs default was allow all). It supports previous firewall features, including Stateful Packet Inspection (SPI), application inspection, URL filtering, and DoS mitigation.

74 The router security posture is to block unless explicitly allowed.
Zone-Based Policy Firewall Characteristics Zone-Based Policy Firewalls Cont. Not dependent on ACLs. The router security posture is to block unless explicitly allowed. Policies are easy to read and troubleshoot with C3PL. One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

75 Zone-Based Policy Firewall Characteristics Zone-Based Policy Firewall Design
Determine the Zones - The internetworking infrastructure under consideration must be split into separate zones with various security levels focusing on the separation of the infrastructure into zones.  Establish policies between zones - For each pair of "source-destination" zones (for example, from inside network to Internet), define the sessions that clients in the source zones can request from servers in destination zones. Design the physical infrastructure - The administrator must design the physical infrastructure, considering security and availability requirements. Identify subset within zones and merge traffic requirements - For each firewall device in the design, the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones.

76 Zone-Based Policy Firewall Operation Zone-Based Policy Firewall Actions
Inspect Configures Cisco IOS SPI (equivalent to the ip inspect command). It automatically allows for return traffic and potential ICMP messages. For protocols requiring multiple parallel signaling and data sessions (for example, FTP or H.323), the inspect action also handles the proper establishment of data sessions. Pass Analogous to a permit statement in an ACL. It does not track the state of connections or sessions within the traffic. Pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction. Drop Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.

77 Zone-Based Policy Firewall Operation Zone-Based Policy Firewall Rules
Rules for Application Traffic

78 Zone-Based Policy Firewall Operation Zone-Based Policy Firewall Rules for Routers
The ZBF rules for a zone-based policy firewall are different when the router is the source or the destination of the traffic. When an interface is configured to be a zone member, the hosts that are connected to the interface are included in the zone. However, traffic to the router is not subject to the zone policies. By default, all router IP interfaces are part of the self zone. A zone-pair that includes the self zone and associated policy, applies to router generated or traffic destined to the router. It does not apply to traffic traversing the router. A policy can be defined using the self zone as either the source or the destination zone. The self zone is a system-defined zone. It does not require any interfaces to be configured as members.

79 Zone-Based Policy Firewall Operation Zone-Based Policy Firewall Rules for Routers Cont.
The rules depend on whether the router is the source or the destination of the traffic.

80 Create the zones for the firewall. Define traffic classes.
Configuring a Zone-Based Policy Firewall with CLI Configuring Zone-Based Policy Firewalls with CLI Create the zones for the firewall. zone security Define traffic classes. class-map type inspect Specify firewall policies. policy-map type inspect Apply firewall policies to pairs of source destination zones. zone-pair Assign router interfaces to zones. zone-member security

81 Configuring a Zone-Based Policy Firewall with CLI Creating Zones

82 Configuring a Zone-Based Policy Firewall with CLI Defining Traffic Classes

83 Configuring a Zone-Based Policy Firewall with CLI Specifying Firewall Policies

84 Configuring a Zone-Based Policy Firewall with CLI Applying Firewall Policies and Assigning Router Interfaces The firewall policy is applied to traffic between a pair of zones using the zone-pair security command. To apply a policy, a zone pair must first be created. Specify the source zone, the destination zone, and the policy for handling the traffic between them. Finally the administrator must assign interfaces to the appropriate security zones using the zone-member interface command.

85 Configuring a Zone-Based Policy Firewall with CCP Wizard Basic and Advanced Firewall Wizards
The CCP Basic Firewall wizard helps implement a firewall with two zones: an in-zone and an out-zone.  The Advanced Firewall wizard can be used to define a security DMZ used for Internet accessible services, and allows the user to select the level of default security that is initially implemented.

86 Configuring a Zone-Based Policy Firewall with CCP Wizard Advanced Firewall Interface Configuration
The first task to enable an advanced firewall configuration is to define inside and outside interfaces.

87 Configuring a Zone-Based Policy Firewall with CCP Wizard Security Level Configuration
After performing the interface configuration, the Advanced Firewall Security Configuration window appears.

88 Configuring a Zone-Based Policy Firewall with CCP Wizard Deliver Configuration

89 Configuring a Zone-Based Policy Firewall with CCP Wizard Manual Configuration with CCP
There are four steps to configure ZPF with CCP: Step 1. Define zones in the Zone page. Step 2. Configure class maps to describe traffic between zones. Step 3. Create policy maps to apply actions to the traffic of the class maps. Step 4. Define zone pairs and assign policy maps to the zone pairs.

90 Configuring a Zone-Based Policy Firewall with CCP Wizard Defining Zones
A zone, or security zone, is a named group of interfaces to which a security policy can be applied. A zone can contain a single interface or multiple interfaces; however, an interface cannot be a member of more than one zone.

91 Configuring a Zone-Based Policy Firewall with CCP Wizard Configuring Class Maps
Class maps identify traffic and traffic parameters for the policy application.

92 Configuring a Zone-Based Policy Firewall with CCP Wizard Creating Policy Maps

93 Configuring a Zone-Based Policy Firewall with CCP Wizard Defining Zone Pairs

94 Configuring a Zone-Based Policy Firewall with CCP Wizard Editing Firewall Policy View

95 Configuring a Zone-Based Policy Firewall with CCP Wizard View Firewall Activity

96 Configuring a Zone-Based Policy Firewall with CCP Wizard Viewing the Zone-Based Policy Firewall State Table Use the show policy-map type inspect zone-pair session command to examine the active connections in the ZPF state table.

97 4.4 Summary

98 Common methods for implementing firewalls include:
Chapter 4 Summary Firewalls separate protected areas from non-protected areas to prevent unauthorized users from accessing protected network resources. Common methods for implementing firewalls include: Packet filtering firewall  Stateful firewall  Standard and extended IP ACLs are fundamental tools for basic network traffic filtering and to mitigate a wide range of network attacks. ACLs can also be configured to temporarily open a hole in a firewall (i.e., dynamic ACL). Additionally, time-based ALCs allow administrators to select the time of day and the days of the week for ACLs to be applied. Summary

99 Chapter 4 Summary (cont.)
Stateful firewalls can be implemented as follows: Traffic filtering solutions - Includes ACLs using the TCP established option and reflexive ACLs Context-based access control (CBAC) ACLs - CABCs enable sophisticated stateful filtering of most forms of modern application traffic. Zone-Based Policy Firewall - Introduced in 2006, is the state of the art in modern firewalling. The Zone-Based Policy Firewall operation centers around the creation of zones associated with various security levels. Summary

100

Download ppt "Chapter 4: Implementing Firewall Technologies"

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
Implementing Firewall Technologies

Implementing Firewall Technologies
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Access Control Lists John Mowry.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 4 – Implementing Firewall Technologies.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 4 – Implementing Firewall Technologies.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen

1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google