Ccnas Ch4 Slides

Chapter 4: Implementing
Firewall Technologies
CCNA-Security
Presentation_ID
2008 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Chapter 4: Objectives
In this chapter you will:
Configure standard and extended IPv4 ACLs using CLI.
Verify the functionality of a configured ACL in relation to the network topology.
Configure standard and extended IPv4 ACLs using CCP.
Configure TCP established and reflexive ACLs.
Configure dynamic ACLs.
Configure time-based ACLs.
Troubleshoot complex ACL implementations.
Use ACLs to mitigate common network attacks.
Configure IPv6 ACLs using CLI.
Configure object groups for use within an access control entry.
Explain how firewalls are used to help secure networks.
Describe the various types of firewalls.
Configure a classic firewall.
Explain design considerations for implementing firewall technologies.
Explain how Zone-Based Policy Firewalls are used to help secure a network.
Explain the operation of a Zone-Based Policy Firewall.
Configure Zone-Based Policy Firewall with CLI.
Configure a Zone-Based Policy Firewall with CCP.
Presentation_ID
Chapter
4.0 Introduction
4.1 Access Control Lists
4.2 Firewall Technologies
4.3 Zone-Based Policy Firewalls
4.4 Summary
Presentation_ID
4.1 Access Control Lists
Presentation_ID
Cisco Confidential
Configuring Standard and Extended IPv4 ACLs with CLI
Introduction to Access Control Lists

Access Control Lists (ACLs) are widely used for mitigating
network attacks and controlling network traffic
Parameters used in security-related ACLs involve IPv4, IPv6

addresses, and TCP and UDP port numbers.
Presentation_ID
Standard and Extended Numbered IP ACLs

Standard Numbered IP ACL
Presentation_ID
Standard and Extended Numbered IP ACLs Cont.

ACLs numbered199 or 13001999 are standard IPv4
ACLs.
Standard ACLs match packets by examining the source IP
address field in the IP header of that packet.
Standard ACLs are used to filter packets based solely on
Layer 3 source information.
Presentation_ID

Extended Numbered IP ACLs
access-list { acl-# } { permit | deny | remark } protocol
source-addr [ source-wildcard ] destinationaddr [destination-wildcard ] [ operator operand ] [port]
[ established ][ log ]
Presentation_ID

ACLs numbered 100199 or 20002699 are extended ACLs.
Extended ACLs filter IP packets based on:
Source and destination IP addresses

Source and destination TCP and UDP Ports
Protocol Type
Standard and Extended ACLs are:
Applied on an interface using the ip access-group
command.
Applied on a VTY port using the access-class command.
Presentation_ID
Standard and Extended Named IP ACLs

Router(config)# ip access list [standard | extended] name_of_ACL
Standard Named IP ACL example:
Extended Named IP ACL example:
Presentation_ID
10
Logging ACL Matches

The Log parameter can be used to log matches to ACLs. The
following information is included:
Action - Permit or deny
Protocol - TCP, UDP, or ICMP
Source and destination - IPv4 or IPv6 addresses
TCP and UDP - Source and destination port numbers
For ICMP - Message types
Log messages are generated on the first packet match and then at
five-minute intervals after that first packet match.
Presentation_ID
11
Access Control Entry (ACE) Rules

An ACL is made up of one or more access control entries (ACEs). The
caveats below should be considered when working with ACLs.
Implicit deny all - All Cisco ACLs end with an implicit deny all statement.
Standard ACL packet filtering
Standard ACLs are limited to packet filtering based on source addresses

only.
Extended ACLs might need to be created to fully implement a security
policy.
Order of statements
Presentation_ID
ACLs have a policy of first match; when a statement is matched, the list is
no longer examined.
Ensure that statements at the top of the ACL do not negate any
statements found lower.
Place specific ACL statements higher in the ACL and more general
statements near the end.
12
Access Control Entry Rules (Cont.)

Directional filtering
ACLs can be applied to inbound packets (toward the interface) or

outbound packets (away from the interface).
Double-check the direction of data that an ACL is filtering.
Special packets
Router-generated packets, such as routing table updates, are not subject

to outbound ACL statements on the source router.
If the security policy requires filtering these types of packets, inbound
ACLs on adjacent routers or other router filter mechanisms must be used.
Modifying ACLs
Presentation_ID
New entries are added to an ACL, and are always added to the bottom.
Starting with Cisco IOS 12.3, sequence numbers can be used to edit an
ACL.
The ACL is processed top-down based on the sequence numbers of the
statements (lowest to highest).
13
Standard ACL Example

All traffic from subnet 172.16.4.0 must be denied access to another
subnet, but all other traffic should be permitted
R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
R1(config)# access-list 1 permit any
R1(config)# interface FastEthernet 0/0
R1(config-if)# ip access-group 1 out
Presentation_ID
14
Extended ACL Example

FTP traffic from one subnet must be denied on another subnet.
R1(config)# access-list 101 deny tcp 172.16.4.0
0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 101 deny tcp 172.16.4.0
0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 101 permit ip any any
Presentation_ID
15
Editing Extended ACLs

The existing access list has three entries:
The access list is edited, adding a new ACE and replacing ACE line 20:
The updated access list has four entries:
Presentation_ID
16
Topology and Flow for ACLs
How Cisco Routers Handle ACL Matches

The direction of traffic through a networking device is
defined by the ingress (inbound) and egress (outbound)
interfaces for the traffic.
Inbound traffic refers to traffic as it enters into the

router, prior to the routing table being accessed.
Outbound traffic refers to traffic that entered the router
and has been processed by the router to determine
where to forward that data.
Depending on the type of device and ACL configured,
the return traffic can be dynamically tracked.
Presentation_ID
17
How Cisco Routers Handle ACL Matches Cont.

Inbound ACL Operation Flow
Presentation_ID
18
How Cisco Routers Handle ACL Matches Cont.

Outbound ACL Operation Flow
Presentation_ID
19
ACL Placement
Standard ACL Placement
Standard ACLs are placed as close to the destination as
possible.
Standard ACLs filter packets are based on the source address
only.
Placing standard ACLs that are too close to the source can deny
valid traffic.
Extended ACL Placement
Extended ACLs are placed on routers as close as possible to the
source that is being filtered.
Placing extended ACLs too far from the source is inefficient use of
network resources.
Presentation_ID
20
ACL Design
ACLs are used to prevent certain types of traffic from
entering a network.
ACLs are used to permit more secure types of traffic,
such as HTTPS (TCP port 443), to be used for
business purposes.
Effective use of ACLs requires a clear understanding of
which ports must be blocked versus permitted and
proper of extended ACLs
The Nmap program can be used to determine which
ports are open on a given device.
Presentation_ID
21
Verifying ACL Functionality

show running-config command
show ip access-lists command
Presentation_ID
22
Configuring Standard and Extended ACLs with CCP
Configuring ACLs with CCP

To configure ACLs on a routing device using CCP, the router must
first be selected from the drop-down list under Select Community
Member.
Next on the CCP application menu bar, click
Configure to open the task list.
Open the Router drop-down list >ACL to
access the ACL configuration options.
Presentation_ID
23
CCP Rules
CCP allows an administrator to create access rules that denies
certain types of traffic while permitting other types.
CCP provides default rules that an administrator can use.
The CCP Rules (ACLs) Summary window provides a summary of
the rules in the router configuration.
Presentation_ID
24
Creating a Rule
Using CCP an administrator can create and apply standard rules
(Standard ACLs) and extended rules (extended ACLs).
On the CCP menu, click Configure > Router > ACL >ACL Editor.
Click Add to display the
Add a Rule window.
In the Add a Rule window,
enter a name or number in
the Name/Number field.
From the Type drop-down
list, select Standard Rule.
Click Add. The Add a
Standard Rule Entry
window appears.
Presentation_ID
25
Applying a Rule to an Interface

After the Rule Entry list is complete, the next step is to apply the
rule to an interface.
From the Add a Rule window, click Associate. The Associate with
an Interface window displays. Only interfaces with a status of
up/up appear in the drop-down list.
Presentation_ID
26
Delivering a Rule
After the access rule is created, in the Add a Rule window, click OK.
Presentation_ID
27
Configuring TCP Established and Reflexive ACLs
First-Generation Approach to Stateful Firewall

The first-generation IOS traffic filtering solution to support the twoway nature of TCP virtual circuits was the TCP
established keyword for extended IP ACLs.
Block all traffic coming from the Internet except for the TCP reply
traffic associated with established TCP traffic initiated from inside
network.
The second generation IOS solution for session filtering was
reflexive ACLs.
Filter traffic based on source and destination addresses, and
numbers, and track sessions.
port
The TCP established option and reflexive ACLs are examples of

complex ACLs.
Presentation_ID
28
Monitoring TCP Flag Settings

In 1995, the first-generation IOS traffic filtering solution based on
the TCP established keyword for extended IP ACLs.
The TCP established keyword blocks all traffic coming from
the Internet, except for the TCP reply traffic associated with
established TCP traffic initiated from the inside of the network.
The established keyword forces the router to check whether
the TCP ACK or RST control flag is set.
If the ACK flag is set, the TCP traffic is allowed in. If not, it is
assumed that the traffic is associated with a new connection
initiated from the outside.
Presentation_ID
29
TCP Established in Action
R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in
Presentation_ID
30
Reflexive ACLs
In 1996, the second-generation IOS solution for session
filtering was Reflexive ACLs.
Unlike the TCP Established feature, which just used

ACK and RST bits, reflexive ACLS filter traffic were
based on source, destination addresses, and port
numbers.
Session filtering uses temporary filters that are
removed when a session is over, adding a time limit on
a hackers attack opportunity.
Used to allow IP traffic for sessions originating from
within the network while denying IP traffic for sessions
originating outside the network.
Presentation_ID
31
Reflexive ACLs (cont.)

The router examines the outbound traffic and when it
sees a new connection, it adds an entry to a temporary
ACL to allow replies back in.
These entries are automatically created when a new IP
session begins, for example, with an outbound packet,
and the entries are automatically removed when the
session ends.
Presentation_ID
32
Using Reflexive ACLs

Step 1. Create an internal ACL that looks for new
outbound sessions and creates temporary
reflexive ACEs.
Step 2. Create an external ACL that uses the reflexive
ACLs to examine return traffic.
Step 3. Activate the Named ACLs on the appropriate
interfaces.
Presentation_ID
33
Using Reflexive ACLs Cont.

Create a reflexive ACL that
matches internal users surfing
the Internet with a web browser
and relying on DNS with a 10second timeout period.
R1(config)# ip access-list extended INTERNAL_ACL

R1(config-ext-nacl)# permit tcp any any eq 80 reflect WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# permit udp any any eq 53 reflect DNS-ONLY-REFLEXIVE-ACL timeout 10
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)# evaluate WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# evaluate DNS-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface s0/0/0
R1(config-if)# ip access-group INTERNAL_ACL out
R1(config-if)# ip access-group EXTERNAL_ACL in
Presentation_ID
34
Configuring Dynamic ACLs
Dynamic ACLs
Dynamic ACLs are available for IP traffic only.
Dynamic ACLs are dependent on Telnet connectivity,
authentication (either local or remote), and extended
ACLs.
Dynamic ACLs offer these security benefits over
standard and static extended ACLs:
Challenge mechanism to authenticate individual users
Simplified management in large internetworks
Reduced router processing for ACLs
Less opportunity for network break-ins by network hackers

Creation of dynamic user access through a firewall, without
compromising other configured security restrictions.
Presentation_ID
35
Dynamic ACL Operation

An extended ACL is applied to block all traffic through
the router, except Telnet. Users who want to traverse
the router are blocked by the ACL until they use Telnet
to connect to the router and are authenticated.
Users authenticate using Telnet, and then dropped.
However, a single-entry dynamic ACL is added to the
extended ACL that exists.
This permits traffic for a particular period; idle and absolute
timeouts are possible.
Presentation_ID
36
Dynamic ACL Operation Cont.
Presentation_ID
37
Configuring a Dynamic ACL
Presentation_ID
38
Dynamic ACL Timeouts

Two timeouts are associated with dynamic ACL
entries: absolute and idle.
The absolute timer is specified in the dynamic ACL

entry.
The idle timeout value is specified in the
autocommand command, which enables lock-and-key
authentication on the vty lines.
If timeouts are not specified, the default is to never
time out the entry; therefore, it is recommended to
configure a timeout.
Presentation_ID
39
Configuring Time-Based ACLs
Time-Based ACLs
Time-based ACLs allow for access control based on
time.
Timed-based ACLs enable traffic to be restricted based

on the time of day, the day of the week, or the day of
the month.
Presentation_ID
40
Presentation_ID
41
Time-Based ACL Scenario

Users are not allowed to access the
Internet during business hours,
except during lunch and after hours
between 5:00 p.m. and 7:00 p.m.
R1(config)# time-range EMPLOYEE-TIME

R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range EMPLOYEE-TIME
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit
Presentation_ID
42
Troubleshooting Complex ACL Implementations
Verify and Troubleshoot ACLs

Two commands are very useful for troubleshooting ACLs:
show access-lists
debug ip packet (detail)
Presentation_ID
43
Troubleshooting Complex ACL Implementations
Debugging ACLs
Presentation_ID
44
Mitigating Attacks with ACLs
Mitigating Spoofing and DoS Attacks

ACLs can be used to mitigate many network threats
IP address spoofing, inbound and outbound
DoS TCP SYN attacks
DoS smurf attacks
ACLs can also filter the following traffic

ICMP messages (inbound and outbound)
traceroute
Presentation_ID
45
Antispoofing with ACLs

Deny all IP packets containing the
following IP addresses in their
source field:
Any local host addresses
(127.0.0.0/8)
Any reserved private addresses

(RFC 1918)
Any addresses in the IP
multicast address range
(224.0.0.0/4)
R1(config)#
R1(config)#
R1(config)#
R1(config)#
R1(config)#
R1(config)#
R1(config)#
Presentation_ID
access-list
access-list
access-list
access-list
access-list
access-list
access-list
150
150
150
150
150
150
150
deny
deny
deny
deny
deny
deny
deny
ip
ip
ip
ip
ip
ip
ip
0.0.0.0 0.255.255.255 any

10.0.0.0 0.255.255.255 any
127.0.0.0 0.255.255.255 any
172.16.0.0 0.15.255.255 any
192.168.0.0 0.0.255.255 any
224.0.0.0 15.255.255.255 any
host 255.255.255.255 any
46
Permitting Necessary Traffic Through a Firewall

DNS, SMTP, and FTP are common services that often
must be allowed through a firewall.
Presentation_ID
47
Mitigating ICMP Abuse

Hackers use ICMP packets for pings sweeps and DoS flood attacks,
and use ICMP redirect messages to alter host routing tables.
Both ICMP echo and redirect messages should be blocked inbound
by the router.
Presentation_ID
48
Mitigating SNMP Exploits

Management protocols, such as SNMP, while useful for remote
monitoring and management of networked devices, can be
exploited.
Apply interface ACLs to filter SNMP packets from non-authorized
systems.
Presentation_ID
49
IPv6 ACLs
IPv6 ACLs
IPv6 ACLs are similar to IPv4 ACLs. They allow filtering
on source and destination addresses, source and
destination ports, and protocol type.
IPv6 ACLs are created using the ipv6 access-list
command.
IPv6 ACLs are applied to an interface using the ipv6

traffic-filter access-list-name {in | out}
command.
Presentation_ID
50
IPv6 ACLs
Configuring IPv6 ACLs

All IPv6 ACLs contain two implicit permit statements to allow
IPv6 neighbor discovery packets to be sent and received.
permit icmp any any nd-na
permit icmp any any nd-ns
Like IPv4 ACLs, all IPv6 ACLs include an implicit deny as the
last statement.
deny ipv6 any any
These statements will not display in the configuration output.
A best practice is to manually enter all three implicit
commands.
Manually entering the implicit deny statement also allows you
to log denied packets without affecting neighbor discovery.
Presentation_ID
51
Using Object Groups in ACEs
Object Groups
Object groups are used to classify users, devices, or
protocols into groups.
These groups can then be used to create access control
policies for groups of objects in easy to read statements.
This feature lets the administrator use object groups

instead of individual IP addresses, protocols, and ports,
which are used in conventional ACLs.
This results in fewer, more manageable Access Control
Entries (ACEs).
Both IPv4 and IPv6 ACLs can use object groups.
Presentation_ID
52
Network and Service Object Groups
Object groups must have unique names.

Additional objects can be appended to existing object groups.
Objects such as hosts, protocols, or services can be grouped.
Cannot delete an object group or make an object group empty if it is
being used in an ACE.
Presentation_ID
53
Configuring Network and Service Object Groups
Presentation_ID
54
Creating an Object Group-Based ACL

In this ACL, all IP addresses and networks specified within the
eng_network_group are permitted all services specified in the
eng_srv_group.
In the example, the protocol argument (tcp, udp, icmp) is not
necessary, because the protocol is specified within the services
group.
Presentation_ID
55
4.2 Firewall Technologies
Presentation_ID
Cisco Confidential
56
Securing Networks with Firewalls
Defining Firewalls
A firewall prevents undesirable traffic from entering
prescribed areas within a network.
A firewall is a system or group of systems that enforces
an access control policy between networks. For
example:
A packet filtering router
A switch with two VLANs
Multiple hosts with firewall software
In 1989, AT&T Bell Laboratories developed the first

stateful firewall. A stateful firewall is able to determine if
a packet belongs to an existing flow of data.
Presentation_ID
57
Defining Firewalls Cont.
Presentation_ID
58
Benefits and Limitations of Firewalls

Benefits
Exposure of sensitive hosts and applications to untrusted users can be
prevented.
The protocol flow can be sanitized, preventing the exploitation of protocol flaws.
Malicious data can be blocked from servers and clients.
Security policy enforcement can be made simple, scalable, and robust.
Limitations
If misconfigured, can have serious consequences, such as single point of
failure.
The data from many applications cannot be passed over firewalls securely.
Users might proactively search for ways around the firewall to receive blocked
material, exposing the network to potential attack.
Network performance can slow down.
Unauthorized traffic can be tunneled or hidden as legitimate traffic through the

firewall.
Presentation_ID
59
Types of Firewalls
Firewall Types
Packet filtering firewall - Typically is a router with the
capability to filter some packet content, such as Layer 3
and sometimes Layer 4 information.
Stateful firewall - Monitors the state of connections,
whether the connection is in an initiation, data transfer, or
termination state.
Application gateway firewall (proxy firewall) - A firewall
that filters information at Layers 3, 4, 5, and 7 of the OSI
reference model. Most of the firewall control and filtering is
done in the software.
Network address translation (NAT) firewall - A firewall
that expands the number of IP addresses available and
hides network addressing design.
Presentation_ID
60
Types of Firewalls
Packet Filtering Firewall

Packet-filtering firewalls are usually part of a router firewall
and primarily uses ACLs. It examines a packet based on
the information in a packet header.
Packet-filtering firewalls use a simple policy table lookup
that permits or denies traffic based on specific criteria:
Source IP address
Destination IP address
Protocol
Source port number
Destination port number
Synchronize/start (SYN) packet receipt
Presentation_ID
61
Types of Firewalls
Stateful Firewalls
Stateful firewalls are the most versatile and the most common
firewall technologies in use.
Stateful filtering tracks each connection traversing all interfaces
of the firewall and confirms that they are valid. The firewall
examines information in the headers of Layer 3 packets

and Layer 4 segments.
Also called stateful packet filters and application-aware
packet filters.
Stateful firewalls have two main improvements over packet filters
Maintain a session table (state table) where they track all
connections.
Recognize dynamic applications and know which additional

connections will be initiated between the endpoints.
Presentation_ID
62
Types of Firewalls
Stateful Firewalls Cont.

Stateful firewalls inspect every packet, compare the packet against the
state table, and may examine the packet for any special protocol
negotiations.
Stateful firewalls operate mainly at the transport (TCP and UDP) layer.
Presentation_ID
63
Types of Firewalls
Cisco Firewall Solutions

Cisco Systems provides several options for network security
professionals to implement a firewall solution.
Presentation_ID
64
Classic Firewall
Classic Firewall
Classic Firewall, formerly known as context-based access control
(CBAC)
Classic Firewall provides four main functions that include traffic filtering,
traffic inspection, intrusion detection, and generation of audits and
alerts
Classic Firewall is a dramatic improvement over the TCP established
and reflexive ACL firewalls in several ways
Monitors TCP connection setup
Tracks TCP sequence numbers

Monitors UDP session information
Inspects DNS queries and replies
Inspects common ICMP message types
Supports applications that rely on multiple connections

Inspects embedded addresses
Inspects application layer information
Presentation_ID
65
Classic Firewall
Classic Firewall Operation
Presentation_ID
66
Classic Firewall
Classic Firewall Operation Cont.

With Classic Firewall, the protocols to inspect are specified
in an inspection rule.
An inspection rule is applied to an interface in a direction,
either in or out, where the inspection applies.
Presentation_ID
67
Classic Firewall
Classic Firewall Configuration

To configure Classic Firewall:
Step 1. Select an interface, either
internal or external.
Step 2. Configure IP ACLs at the
interface.
Step 3. Define inspection rules.
Step 4. Apply an inspection rule

to an interface.
Presentation_ID
68
Firewalls In Network Design
Demilitarized Zones
Demilitarized Zones (DMZs) define the portions of a
network that are trusted and untrusted.
Presentation_ID
69
Layered Defense
Factors to consider when building a complete indepth defense.
Presentation_ID
70
Firewalls and the Security Policy

Firewall Best Practices
Presentation_ID
71
4.3 Zone-Based Policy

Firewalls
Presentation_ID
Cisco Confidential
72
Zone-Based Policy Firewall Characteristics
Zone-Based Policy Firewalls

A Zone-Based Policy Firewall configuration model
(ZPF or ZBF or ZFW) was introduced in 2006 with
Cisco IOS Release 12.4(6)T.
With ZPF, the interfaces are assigned to zones and

then an inspection policy is applied to traffic moving
between the zones.
The default policy is to block all traffic, unless explicitly
allowed (CBACs default was allow all).
It supports previous firewall features, including Stateful
Packet Inspection (SPI), application inspection, URL
filtering, and DoS mitigation.
Presentation_ID
73
Zone-Based Policy Firewalls Cont.

Not dependent on ACLs.
The router security posture is to block unless
explicitly allowed.
Policies are easy to read and troubleshoot with
C3PL.
One policy affects any given traffic, instead of
needing multiple ACLs and inspection actions.
Presentation_ID
74
Zone-Based Policy Firewall Design

Determine the Zones - The internetworking infrastructure under
consideration must be split into separate zones with various security
levels focusing on the separation of the infrastructure into zones.
Establish policies between zones - For each pair of "sourcedestination" zones (for example, from inside network to Internet),
define the sessions that clients in the source zones can request from
servers in destination zones.
Design the physical infrastructure - The administrator must design
the physical infrastructure, considering security and availability
requirements.
Identify subset within zones and merge traffic requirements - For
each firewall device in the design, the administrator must identify
zone subsets connected to its interfaces and merge the traffic
requirements for those zones.
Presentation_ID
75
Zone-Based Policy Firewall Operation
Zone-Based Policy Firewall Actions

Inspect
Configures Cisco IOS SPI (equivalent to the ip inspect command).
It automatically allows for return traffic and potential ICMP messages.
For protocols requiring multiple parallel signaling and data sessions (for
example, FTP or H.323), the inspect action also handles the proper
establishment of data sessions.
Pass
Analogous to a permit statement in an ACL.
It does not track the state of connections or sessions within the traffic.
Pass allows the traffic only in one direction.
A corresponding policy must be applied to allow return traffic to pass in the
opposite direction.
Drop
Presentation_ID
Analogous to a deny statement in an ACL.
A log option is available to log the rejected packets.

76
Zone-Based Policy Firewall Rules

Rules for Application Traffic
Presentation_ID
77
Zone-Based Policy Firewall Rules for Routers

The ZBF rules for a zone-based policy firewall are different
when the router is the source or the destination of the traffic.
When an interface is configured to be a zone member, the hosts
that are connected to the interface are included in the zone.
However, traffic to the router is not subject to the zone policies.
By default, all router IP interfaces are part of the self zone.
A zone-pair that includes the self zone and associated

policy, applies to router generated or traffic destined to the
router. It does not apply to traffic traversing the router.
A policy can be defined using the self zone as either the

source or the destination zone.
The self zone is a system-defined zone.
It does not require any interfaces to be configured as members.
Presentation_ID
78
Zone-Based Policy Firewall Rules for Routers Cont.

The rules depend on whether the router is the source or the
destination of the traffic.
Presentation_ID
79
Configuring a Zone-Based Policy Firewall with CLI
Configuring Zone-Based Policy Firewalls with CLI

Create the zones for the firewall.
zone security
Define traffic classes.

class-map type inspect
Specify firewall policies.

policy-map type inspect
Apply firewall policies to pairs of source destination zones.

zone-pair
Assign router interfaces to zones.

zone-member security
Presentation_ID
80
Creating Zones
Presentation_ID
81
Defining Traffic Classes
Presentation_ID
82
Specifying Firewall Policies
Presentation_ID
83
Applying Firewall Policies and Assigning Router Interfaces

The firewall policy is applied to traffic between a pair of zones using the
zone-pair security command.
To apply a policy, a zone pair must first be created.
Specify the source zone, the destination zone, and the policy for handling
the traffic between them.
Finally the administrator must assign interfaces to the appropriate

security zones using the zone-member interface command.
Presentation_ID
84
Configuring a Zone-Based Policy Firewall with CCP Wizard
Basic and Advanced Firewall Wizards

The CCP Basic Firewall wizard helps implement a firewall with two
zones: an in-zone and an out-zone.
The Advanced Firewall wizard can be used to define a security DMZ
used for Internet accessible services, and allows the user to select the
level of default security that is initially implemented.
Presentation_ID
85
Advanced Firewall Interface Configuration

The first task to enable an advanced firewall configuration is to define
inside and outside interfaces.
Presentation_ID
86
Security Level Configuration

After performing the interface configuration, the Advanced
Firewall Security Configuration window appears.
Presentation_ID
87
Deliver Configuration
Presentation_ID
88
Manual Configuration with CCP

There are four steps to configure ZPF with CCP:
Step 1. Define zones in the Zone page.
Step 2. Configure class maps to describe traffic between
zones.
Step 3. Create policy maps to apply actions to the traffic of
the class maps.
Step 4. Define zone pairs and assign policy maps to the zone
pairs.
Presentation_ID
89
Defining Zones
A zone, or security zone, is a named group of interfaces
to which a security policy can be applied.
A zone can contain a single interface or multiple
interfaces; however, an interface cannot be a member of
more than one zone.
Presentation_ID
90
Configuring Class Maps

Class maps identify traffic and traffic parameters for
the policy application.
Presentation_ID
91
Creating Policy Maps
Presentation_ID
92
Defining Zone Pairs
Presentation_ID
93
Editing Firewall Policy View
Presentation_ID
94
View Firewall Activity
Presentation_ID
95
Viewing the Zone-Based Policy Firewall State Table

Use the show policy-map type inspect zone-pair
session command to examine the active connections in the ZPF state
table.
Presentation_ID
96
4.4 Summary
Presentation_ID
Cisco Confidential
97
Chapter 4
Summary
Firewalls separate protected areas from non-protected
areas to prevent unauthorized users from accessing
protected network resources.
Common methods for implementing firewalls include:
Packet filtering firewall
Stateful firewall
Standard and extended IP ACLs are fundamental tools for

basic network traffic filtering and to mitigate a wide range of
network attacks.
ACLs can also be configured to temporarily open a hole in a
firewall (i.e., dynamic ACL). Additionally, time-based ALCs
allow administrators to select the time of day and the days
of the week for ACLs to be applied.
Presentation_ID
98
Chapter 4
Summary (cont.)
Stateful firewalls can be implemented as follows:
Presentation_ID
Traffic filtering solutions - Includes ACLs using the TCP

established option and reflexive ACLs
Context-based access control (CBAC) ACLs - CABCs enable

sophisticated stateful filtering of most forms of modern application
traffic.
Zone-Based Policy Firewall - Introduced in 2006, is the state of

the art in modern firewalling. The Zone-Based Policy Firewall
operation centers around the creation of zones associated with
various security levels.
99
Presentation_ID
100

Ccnas Ch4 Slides

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Ccnas Ch4 Slides

Hochgeladen von

Copyright:

Verfügbare Formate

Chapter 4: Implementing

2008 Cisco Systems, Inc. All rights reserved.

Configure standard and extended IPv4 ACLs using CLI.

Verify the functionality of a configured ACL in relation to the network topology.

Configure standard and extended IPv4 ACLs using CCP.

Configure TCP established and reflexive ACLs.

Configure dynamic ACLs.

Configure time-based ACLs.

Troubleshoot complex ACL implementations.

Use ACLs to mitigate common network attacks.

Configure IPv6 ACLs using CLI.

Configure object groups for use within an access control entry.

Explain how firewalls are used to help secure networks.

Describe the various types of firewalls.

Configure a classic firewall.

Explain design considerations for implementing firewall technologies.

Explain the operation of a Zone-Based Policy Firewall.

Configure Zone-Based Policy Firewall with CLI.

Configure a Zone-Based Policy Firewall with CCP.

2008 Cisco Systems, Inc. All rights reserved.

2008 Cisco Systems, Inc. All rights reserved.

4.1 Access Control Lists

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Introduction to Access Control Lists

Parameters used in security-related ACLs involve IPv4, IPv6

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Standard and Extended Numbered IP ACLs

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Standard and Extended Numbered IP ACLs Cont.

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Standard and Extended Numbered IP ACLs Cont.

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Standard and Extended Numbered IP ACLs Cont.

Source and destination IP addresses

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Standard and Extended Named IP ACLs

Standard Named IP ACL example:

Extended Named IP ACL example:

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Logging ACL Matches

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Access Control Entry (ACE) Rules

Standard ACLs are limited to packet filtering based on source addresses

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Access Control Entry Rules (Cont.)

ACLs can be applied to inbound packets (toward the interface) or

Router-generated packets, such as routing table updates, are not subject

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Standard ACL Example

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI

Extended ACL Example

2008 Cisco Systems, Inc. All rights reserved.

Configuring Standard and Extended IPv4 ACLs with CLI