Firewall Technologies
CCNA-Security
Presentation_ID
Cisco Confidential
Chapter 4: Objectives
In this chapter you will:
Explain how Zone-Based Policy Firewalls are used to help secure a network.
Chapter
4.0 Introduction
4.1 Access Control Lists
4.2 Firewall Technologies
4.3 Zone-Based Policy Firewalls
4.4 Summary
Order of statements
ACLs have a policy of first match; when a statement is matched, the list is
no longer examined.
Ensure that statements at the top of the ACL do not negate any
statements found lower.
Place specific ACL statements higher in the ACL and more general
statements near the end.
Special packets
Modifying ACLs
When an entry is added to a numbered ACL with the access-list command, it is
always appended to the bottom of the list.
Starting with Cisco IOS 12.3, sequence numbers can be used (in ip access-list
configuration mode) to insert, replace, or delete individual entries without
rebuilding the whole ACL.
The ACL is processed top-down in sequence-number order of its statements
(lowest to highest).
The access list is edited, adding a new ACE and replacing ACE line 20:
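The first-match rule (Order of statements) and sequence-number editing (Modifying ACLs) described above, modelled in Python as an added example that is not part of the Cisco material: it evaluates a small ACL top-down, reports entries that can never match because an earlier entry already covers their address space, and then fixes the ordering by inserting the specific statement at an explicit sequence number. The addresses and entries are constructed; re-using a sequence number in add() stands in for `no <seq>` followed by a re-add in ip access-list configuration mode, which is how an ACE is replaced in place on IOS.

```python
"""Model of IOS first-match ACL processing with sequence numbers (added example).
Addresses and entries are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str


def _parse(spec):
    """Return (address, wildcard) as ints; wildcard bits set to 1 are don't-care."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    parts = spec.split()
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))


def matches(spec, ip):
    """True if ip falls inside the address/wildcard spec (IOS wildcard semantics)."""
    addr, wc = _parse(spec)
    return (int(ipaddress.IPv4Address(ip)) & ~wc) == (addr & ~wc)


def covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    a_addr, a_wc = _parse(outer)
    b_addr, b_wc = _parse(inner)
    return (b_wc & ~a_wc) == 0 and (b_addr & ~a_wc) == (a_addr & ~a_wc)


class Acl:
    def __init__(self):
        self.entries = []

    def add(self, action, src, dst="any", seq=None):
        """Append (IOS default: last sequence + 10) or place the ACE at an explicit
        sequence number. Re-using a sequence models 'no <seq>' plus a re-add."""
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        self.entries = [e for e in self.entries if e.seq != seq]
        self.entries.append(Ace(seq, action, src, dst))
        self.entries.sort(key=lambda e: e.seq)
        return seq

    def evaluate(self, src_ip, dst_ip):
        """Top-down by sequence number; the first matching ACE decides and the
        rest are not examined. No match means the implicit deny."""
        for e in self.entries:
            if matches(e.src, src_ip) and matches(e.dst, dst_ip):
                return e.action, e.seq
        return "deny", None

    def shadowed(self):
        """Sequence numbers of ACEs that can never match because an earlier ACE
        already covers all of their source and destination space."""
        dead = []
        for i, later in enumerate(self.entries):
            for earlier in self.entries[:i]:
                if covers(earlier.src, later.src) and covers(earlier.dst, later.dst):
                    dead.append(later.seq)
                    break
        return dead


def demo():
    """Constructed scenario: a general permit placed above a specific deny."""
    acl = Acl()
    acl.add("permit", "192.168.10.0 0.0.0.255")        # seq 10: whole subnet
    acl.add("deny", "host 192.168.10.10")               # seq 20: never reached
    before = acl.evaluate("192.168.10.10", "10.0.0.1")  # ("permit", 10)
    dead = acl.shadowed()                               # [20]
    # Fix: put the specific statement first with an explicit sequence number.
    acl.add("deny", "host 192.168.10.10", seq=5)
    after = acl.evaluate("192.168.10.10", "10.0.0.1")   # ("deny", 5)
    return before, dead, after, acl.shadowed()          # seq 20 is now redundant


if __name__ == "__main__":
    print(demo())
```

shadowed() is the check to run after any edit: an entry it reports is either redundant or, as here, a sign that a general permit was placed above the specific deny it was meant to be overridden by.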
ACL Placement
Standard ACL Placement
Standard ACLs are placed as close to the destination as
possible.
Standard ACLs filter packets based on the source address only.
Placing standard ACLs that are too close to the source can deny
valid traffic.
Extended ACL Placement
Extended ACLs are placed on routers as close as possible to the
source that is being filtered.
Placing extended ACLs too far from the source is inefficient use of
network resources.
ACL Design
ACLs are used to prevent certain types of traffic from
entering a network.
ACLs are used to permit more secure types of traffic,
such as HTTPS (TCP port 443), to be used for
business purposes.
Effective use of ACLs requires a clear understanding of
which ports must be blocked versus permitted and
proper use of extended ACLs.
The Nmap program can be used to determine which
ports are open on a given device.
CCP Rules
CCP allows an administrator to create access rules that deny
certain types of traffic while permitting other types.
CCP provides default rules that an administrator can use.
The CCP Rules (ACLs) Summary window provides a summary of
the rules in the router configuration.
Creating a Rule
Using CCP an administrator can create and apply standard rules
(Standard ACLs) and extended rules (extended ACLs).
On the CCP menu, click Configure > Router > ACL > ACL Editor.
Click Add to display the Add a Rule window.
In the Add a Rule window, enter a name or number in the Name/Number field.
From the Type drop-down list, select Standard Rule.
Click Add. The Add a Standard Rule Entry window appears.
Delivering a Rule
After the access rule is created, in the Add a Rule window, click OK.
R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in
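To show what the established keyword does and does not check, here is an added Python model of access-list 100 above (example code, not from the course); the packets are constructed. established matches any TCP segment with the ACK or RST bit set, nothing more: a reply to an HTTPS session an inside host opened is permitted and an unsolicited SYN is denied, but a crafted segment from source port 443 with ACK set is permitted as well, because the router keeps no session table to check it against. That gap is what reflexive ACLs and, later, stateful inspection were introduced to close.

```python
"""Added example: what the IOS `established` keyword actually tests.
Models access-list 100 applied inbound on the outside interface.
All packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# 192.168.1.0 0.0.0.255 in the ACL is the inside network
INSIDE = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    ack: bool = False
    rst: bool = False


def established(pkt):
    """`established` matches when the ACK or RST bit is set. That is the whole
    check: the router keeps no record of which sessions inside hosts opened."""
    return pkt.proto == "tcp" and (pkt.ack or pkt.rst)


def acl_100(pkt):
    """access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
    access-list 100 deny ip any any"""
    if (pkt.proto == "tcp" and pkt.sport == 443
            and ipaddress.ip_address(pkt.dst) in INSIDE
            and established(pkt)):
        return "permit"
    return "deny"  # explicit deny ip any any (same effect as the implicit deny)


def demo():
    """Three constructed packets arriving on s0/0/0 from the outside."""
    # Reply segment of an HTTPS session an inside host really opened
    reply = Packet("203.0.113.5", 443, "192.168.1.20", 51000, ack=True)
    # Unsolicited connection attempt to an inside web server
    syn = Packet("198.51.100.7", 40000, "192.168.1.20", 443)
    # Crafted segment: source port 443 and ACK set, aimed at SSH on an inside host.
    # No inside host ever talked to 198.51.100.7, but the ACL cannot know that.
    crafted = Packet("198.51.100.7", 443, "192.168.1.20", 22, ack=True)
    return {
        "reply": acl_100(reply),      # permit
        "syn": acl_100(syn),          # deny
        "crafted": acl_100(crafted),  # permit: the weakness of flag-only filtering
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The crafted case is exactly what an ACK scan exploits: the segment reaches the inside host, which answers with a RST, and the scanner learns that the host exists and which ports the filter lets through.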
Reflexive ACLs
In 1996, the second-generation IOS solution for session
filtering was Reflexive ACLs.
Dynamic ACLs
Dynamic ACLs are available for IP traffic only.
Dynamic ACLs are dependent on Telnet connectivity,
authentication (either local or remote), and extended
ACLs.
Dynamic ACLs offer these security benefits over
standard and static extended ACLs:
Challenge mechanism to authenticate individual users
Simplified management in large internetworks
Reduced router processing for ACLs
Time-Based ACLs
Time-based ACLs allow for access control based on
time.
Debugging ACLs
R1(config)# access-list 150 deny ip ...
(Seven access-list 150 deny ip entries were shown here; their source and destination fields did not survive extraction.)
IPv6 ACLs
IPv6 ACLs are similar to IPv4 ACLs. They allow filtering
on source and destination addresses, source and
destination ports, and protocol type.
IPv6 ACLs are created using the ipv6 access-list
command.
IPv6 ACLs
Like IPv4 ACLs, every IPv6 ACL ends with implicit statements. IPv6 has
three of them, not one:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
The two permit statements keep IPv6 Neighbor Discovery (the IPv6 counterpart
of ARP) working; the deny is the final catch-all.
None of the three is displayed in the configuration output.
A best practice is to enter all three explicitly, in that order.
Entering the deny statement manually also lets you add the log keyword to it,
so denied packets are logged without affecting neighbor discovery.
Object Groups
Object groups are used to classify users, devices, or
protocols into groups.
These groups can then be used to create access control
policies for groups of objects in easy to read statements.
Defining Firewalls
A firewall prevents undesirable traffic from entering
prescribed areas within a network.
A firewall is a system or group of systems that enforces
an access control policy between networks. For
example:
A packet filtering router
A switch with two VLANs
Multiple hosts with firewall software
Limitations
A misconfigured firewall can have serious consequences, and a firewall that is
not deployed redundantly is a single point of failure.
The data of many applications cannot be passed through a firewall securely.
Users may actively look for ways around the firewall to reach blocked content,
exposing the network to attack.
Network performance can degrade.
Types of Firewalls
Firewall Types
Packet filtering firewall - Typically is a router with the
capability to filter some packet content, such as Layer 3
and sometimes Layer 4 information.
Stateful firewall - Monitors the state of connections,
whether the connection is in an initiation, data transfer, or
termination state.
Application gateway firewall (proxy firewall) - A firewall
that filters information at Layers 3, 4, 5, and 7 of the OSI
reference model. Most of the firewall control and filtering is
done in the software.
Network address translation (NAT) firewall - A firewall
that expands the number of IP addresses available and
hides network addressing design.
Types of Firewalls
Packet filtering firewalls match on header fields such as source and
destination address and:
Protocol
Source port number
Destination port number
Synchronize/start (SYN) packet receipt
Types of Firewalls
Stateful Firewalls
Stateful firewalls are the most versatile and the most common
firewall technologies in use.
Stateful filtering tracks each connection traversing all interfaces
of the firewall and confirms that they are valid. The firewall
Classic Firewall
Classic Firewall, formerly known as context-based access control
(CBAC)
Classic Firewall provides four main functions that include traffic filtering,
traffic inspection, intrusion detection, and generation of audits and
alerts
Classic Firewall is a dramatic improvement over the TCP established
and reflexive ACL firewalls in several ways
Monitors TCP connection setup
Demilitarized Zones
A demilitarized zone (DMZ) is a network segment placed between the trusted
inside network and the untrusted outside; it typically hosts the servers that
must be reachable from the outside, and traffic from the DMZ into the inside
network is restricted so that a compromised DMZ host does not give direct
access to internal resources.
Layered Defense
Factors to consider when building a complete defense in depth.
Pass
Analogous to a permit statement in an ACL.
It does not track the state of connections or sessions within the traffic.
Pass allows the traffic only in one direction.
A corresponding policy must be applied to allow return traffic to pass in the
opposite direction.
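The forwarding logic behind zones, zone pairs, and the pass action, as an added Python model that is not Cisco code; it also includes inspect, the third Zone-Based Policy Firewall action, as the contrast to pass. Interface names, zone names, the policy, and the flows are constructed. pass forwards without keeping state, so the ICMP reply is dropped for want of a reverse zone pair, while inspect records the session so the HTTPS reply is admitted; traffic with no matching zone pair, and traffic between a zone member and an interface in no zone, is dropped.

```python
"""Added example: a model of Zone-Based Policy Firewall forwarding decisions.
Interfaces, zones, policies and flows are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def reverse(self):
        """The return direction of this flow."""
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


class Zbf:
    def __init__(self):
        self.zone_of = {}      # interface -> zone  (zone-member security <zone>)
        self.policies = {}     # (src_zone, dst_zone) -> ordered [(match, action)]
        self.sessions = set()  # flows admitted by `inspect`; their replies are allowed

    def zone_member(self, iface, zone):
        self.zone_of[iface] = zone

    def zone_pair(self, src_zone, dst_zone, policy):
        """policy: list of (match_fn, action) in class-map order; action is
        'inspect', 'pass' or 'drop'. Unmatched traffic falls to class-default,
        which drops."""
        self.policies[(src_zone, dst_zone)] = policy

    def forward(self, flow, in_iface, out_iface):
        # Replies of inspected sessions are admitted without a reverse zone pair.
        if flow.reverse() in self.sessions:
            return "permit (session)"
        src_zone = self.zone_of.get(in_iface)
        dst_zone = self.zone_of.get(out_iface)
        if src_zone == dst_zone:
            return "permit (same zone)"        # intra-zone traffic is not policed
        if src_zone is None or dst_zone is None:
            return "drop (zone to non-zone)"   # a zone member cannot reach a non-member
        policy = self.policies.get((src_zone, dst_zone))
        if policy is None:
            return "drop (no zone pair)"       # inter-zone default is deny
        for match, action in policy:
            if match(flow):
                if action == "inspect":
                    self.sessions.add(flow)    # stateful: remember the session
                    return "permit (inspect)"
                if action == "pass":
                    return "permit (pass)"     # stateless: this direction only
                return "drop"
        return "drop (class-default)"


def demo():
    """Constructed topology: two LAN ports in INSIDE, one WAN port in OUTSIDE,
    a loopback in no zone, and a single INSIDE->OUTSIDE zone pair."""
    fw = Zbf()
    fw.zone_member("GigabitEthernet0/0", "INSIDE")
    fw.zone_member("GigabitEthernet0/1", "INSIDE")
    fw.zone_member("Serial0/0/0", "OUTSIDE")
    fw.zone_pair("INSIDE", "OUTSIDE", [
        (lambda f: f.proto == "tcp" and f.dport == 443, "inspect"),  # class HTTPS
        (lambda f: f.proto == "icmp", "pass"),                       # class ICMP
    ])
    https = Flow("192.168.1.20", 51000, "203.0.113.5", 443, "tcp")
    ping = Flow("192.168.1.20", 0, "203.0.113.5", 0, "icmp")
    probe = Flow("198.51.100.7", 40000, "192.168.1.20", 22, "tcp")
    lan, lan2, wan = "GigabitEthernet0/0", "GigabitEthernet0/1", "Serial0/0/0"
    return {
        "https_out": fw.forward(https, lan, wan),              # permit (inspect)
        "https_reply": fw.forward(https.reverse(), wan, lan),  # permit (session)
        "ping_out": fw.forward(ping, lan, wan),                # permit (pass)
        "ping_reply": fw.forward(ping.reverse(), wan, lan),    # drop (no zone pair)
        "unsolicited_in": fw.forward(probe, wan, lan),         # drop (no zone pair)
        "lan_to_lan": fw.forward(https, lan, lan2),            # permit (same zone)
        "to_unzoned": fw.forward(https, lan, "Loopback0"),     # drop (zone to non-zone)
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The ping_reply result is the practical consequence of pass: to let the echo reply back in you would need an OUTSIDE->INSIDE zone pair that passes ICMP, which also admits unsolicited ICMP from the outside. Using inspect for ICMP instead admits only replies to echoes the inside sent.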
Drop
Creating Zones
Deliver Configuration
Step 4. Define zone pairs and assign policy maps to the zone
pairs.
Defining Zones
A zone, or security zone, is a named group of interfaces
to which a security policy can be applied.
A zone can contain a single interface or multiple
interfaces; however, an interface cannot be a member of
more than one zone.
Traffic between interfaces in the same zone is forwarded without being
policed; traffic between an interface that belongs to a zone and one that
does not is dropped; and traffic between two different zones is dropped
unless a zone pair with a policy permits it.
4.4 Summary
Chapter 4
Summary
Firewalls separate protected areas from non-protected
areas to prevent unauthorized users from accessing
protected network resources.
Common methods for implementing firewalls include:
Stateful firewall
Chapter 4
Summary (cont.)
Stateful firewalls can be implemented as follows: