Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 4 – Implementing Firewall Technologies.

Published byAshlynn Stevens Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 4 – Implementing Firewall Technologies."— Presentation transcript:

1 © 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 4 – Implementing Firewall Technologies

2 © 2012 Cisco and/or its affiliates. All rights reserved. 2 Describe numbered, named, standard and extended IP ACLs. Configure IP ACLs with IOS CLI and CCP. Describe and configure TCP established ACL functionality. Describe and configure reflexive, dynamic, and time-based ACLs. Describe attack mitigation with ACLs. Describe the major types of firewalls. Describe and configure CBAC (IOS Stateful Packet Inspection) with CLI. Describe and configure Zone-Based Policy Firewall with CLI and CCP.

3 © 2012 Cisco and/or its affiliates. All rights reserved. 3 4.0 Mitigating threats using IOS ACLs 4.1 Describe standard, extended, and named IP IOS ACLs to filter. 4.1.1 IPv4 ACLs 4.1.2 IPv6 ACLs 4.1.3 ACL Object groups 4.2 Describe considerations when building ACLs. 4.2.1 Sequencing of ACEs 4.2.2 Modification of ACEs 4.3 Implement IP ACLs to mitigate threats in a network. 4.3.1 Filter IP traffic 4.3.2 SNMP 4.3.3 DDoS attacks 4.3.4 CLI 4.3.5 CCP 4.3.6 IP ACLs to prevent IP spoofing

4 © 2012 Cisco and/or its affiliates. All rights reserved. 4 7.0 Implementing Cisco Firewall Technologies 7.1 Describe operational strengths and weaknesses of the different firewall technologies 7.1.1 Proxy firewalls 7.1.2 Packet and stateful packet 7.1.3 Application firewall 7.1.4 Personal firewall 7.2 Describe stateful firewalls 7.2.1 Operations 7.2.2 Function of the state table 7.4 Implement Zone Based Firewall using CCP 7.4.1 Zone to zone 7.4.2 Self zone

5 © 2012 Cisco and/or its affiliates. All rights reserved. 5 Access control lists (ACLs) are used throughout the network to identify traffic. ACLs contain one or more access control entries (ACEs). Each entry is designed to permit or deny traffic based on a variety of parameters including IP address of source or destination, upper layer protocol or other information. ACLs evaluate packets from the top down, one ACE at a time. If a packet header and an ACE match, the remaining ACEs are skipped, and the packet is permitted or denied as determined by the matched statement. If a packet header does not match an ACE, the packet is tested against the next ACE in the list. This matching process continues until the end of the list is reached. Remember that every ACL has an implied “ deny any ” ACE as the last statement.

6 © 2012 Cisco and/or its affiliates. All rights reserved. 6 ACLs can be used to provide a basic layer of protection for your network. ACLs do not act on packets that originate from the router itself, but rather on traffic that traverses the router either inbound or outbound with respect to an interface. There are several types of ACLs, including standard, extended, numbered and named. ACLs can be configured via CLI or CCP. With Cisco IOS Software Release 12.3, IP access list entry sequence numbering was introduced for both numbered and named ACLs. IP access list entry sequence numbering provides the following benefits: –You can edit the order of ACL statements. –You can remove individual statements from an ACL. –You can use the sequence number to insert new statements into the middle of the ACL.

7 © 2012 Cisco and/or its affiliates. All rights reserved. 7 All modern networks use some type of firewall to protect internal users and resources from attack. There are many types of firewalls and firewall implementations, but the stateful firewall is the most common and versatile. Stateful firewalls track each connection traversing all interfaces of the firewall and confirms that they are valid. A stateful firewall can be implemented in software or can be contained in a stand alone device. In 2006, Cisco Systems introduced the zone-based policy firewall configuration model with Cisco IOS Release 12.4(6)T. With this new model, interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones. This model allows for structure and ease of use. A zone-based policy firewall can be configured via CLI or CCP.

8 © 2012 Cisco and/or its affiliates. All rights reserved. 8 Chapter 4 Lab A: Configuring CBAC and Zone-Based Firewalls –Part 1: Basic Router Configuration –Part 2: Configuring a Context-Based Access Control (CBAC) Firewall –Part 3: Configuring a Zone-Based Policy Firewall

9 © 2012 Cisco and/or its affiliates. All rights reserved. 9

10 10

11 © 2012 Cisco and/or its affiliates. All rights reserved. 11

12 © 2012 Cisco and/or its affiliates. All rights reserved. 12 Additional content on working with ACL entries (ACEs) and sequence numbering. New content on configuring standard and extended ACLs using CCP. New content covering mitigating SNMP threats. New content covering IPv6 ACLs. New content covering the use of ACL object groups for both IPv4 and IPv6 ACLs. New content covering configuraton of zone-based policy firewall using the CCP wizard.

13 © 2012 Cisco and/or its affiliates. All rights reserved. 13 ACL configuration, management and troubleshooting often present a challenge to students. Enforce and model systematic troubleshooting for students. This can be top-down or bottom-up, as long as it is consistent. Ensure that students test every ACE within the ACL to see that it is functioning as expected. This can be done using real gear or Packet Tracer. Packet Tracer allows the construction of PDUs of many protocols and ports that might be hard to generate with real gear. When testing ACLs, have students include the log keyword in order to better understand what is happening.

14 © 2012 Cisco and/or its affiliates. All rights reserved. 14 When explaining the importance of ACE placement within an ACL, it might be helpful to use the analogy of a coin sorter that sorts based on coin size. The first barrier that coins pass through is the largest, catching only quarters. The next barrier is smaller, catching nickels, and so on. If the sorter had the smaller holes on top, it would catch quarters as well as other coins. In the same way, ACEs should be ordered more general to more specific. (Search instructables.com for “loose change sorting trays” for an example.) Students may not be aware that the term “firewall” was originally used to describe a barrier that separated the parts of a building most likely to catch fire (the kitchen) from other parts of the building. This wall would slow or prevent the spread of the fire, saving lives and property. Firewalls are still in use today in building construction as well as in automobiles and airplanes.

15 © 2012 Cisco and/or its affiliates. All rights reserved. 15 ACL placement is just as important as the ACEs within the ACL. Discuss the implications of placing an ACL inbound on an interface where it should have been placed outbound. Use specific examples and analyze the impact on end users. Some early implementations of firewalls were host-based. Discuss the implications of host-based firewalls. Discuss what happens when a user disables the firewall in order to access something that was blocked. What happens if the user doesn’t update the firewall regularly?

16 © 2012 Cisco and/or its affiliates. All rights reserved. 16 ACL sequence numbers provide a convenient and safe way to insert and delete specific ACEs. Allow students to practice both inserting and deleting using sequence numbers. Contrast this with the older method of editing ACLs. Firewall configuration via CLI can be overwhelming to students. After students have some practice with CLI commands, have them use the CCP wizard. After running the CCP wizard, have students view the commands before delivering to the router. Talk about the differences between the CLI commands that they entered manually and the commands that will be delivered via CCP. Have them find and analyze specific commands that were generated via CCP, but were left out of CLI configuration.

17 © 2012 Cisco and/or its affiliates. All rights reserved. 17 Configuring IP Access Lists –http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_not e09186a00800a5b9a.shtmlhttp://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_not e09186a00800a5b9a.shtml Configuring Commonly Used IP ACLs –http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_exa mple09186a0080100548.shtmlhttp://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_exa mple09186a0080100548.shtml Zone-Based Policy Firewall Design and Application Guide –http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_not e09186a00808bc994.shtmlhttp://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_not e09186a00808bc994.shtml Cisco Configuration Professional: Zone-Based Firewall Blocking Peer to Peer Traffic Configuration Example –http://www.cisco.com/en/US/products/ps9422/products_configuration_exampl e09186a0080b5a105.shtmlhttp://www.cisco.com/en/US/products/ps9422/products_configuration_exampl e09186a0080b5a105.shtml

18 © 2011 Cisco and/or its affiliates. All rights reserved. 18

Download ppt "© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 4 – Implementing Firewall Technologies."

Similar presentations

Implementing Firewall Technologies

Implementing Firewall Technologies
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Chapter 4: Implementing Firewall Technologies

Chapter 4: Implementing Firewall Technologies
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
IOS Firewall IOS: Cisco’s Internetwork Operating System (the primary system running on Cisco’s routers) IOS Firewall: a stateful packet-filter firewall.

IOS Firewall IOS: Cisco’s Internetwork Operating System (the primary system running on Cisco’s routers) IOS Firewall: a stateful packet-filter firewall.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. CCNA ACLs Deepdive February, 2012 Jaskaran Kalsi Assoc. Technical Manager.

Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. CCNA ACLs Deepdive February, 2012 Jaskaran Kalsi Assoc. Technical Manager.
Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: 93036 Term: Spring 2001.

Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: Term: Spring 2001.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 5 – Implementing Intrusion Prevention.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 5 – Implementing Intrusion Prevention.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Access Control List ACL. Access Control List ACL.

Access Control List ACL. Access Control List ACL.
Windows 7 Firewall.

Windows 7 Firewall.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.

FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.

Similar presentations

Ads by Google