Beruflich Dokumente
Kultur Dokumente
As networks continued to grow over time, they were increasingly used to transfer and store
sensitive data. This intensified the need for stronger security technologies, which led to the
invention of the firewall. The term firewall originally referred to a fireproof wall, usually made
of stone or metal that prevented flames from spreading between connected structures. In the
world of networking, firewalls separate protected areas from non-protected areas. This
prevents unauthorized users from accessing protected network resources.
Initially, basic access control lists (ACLs), including standard, extended, numbered, and
named, were the only means of providing firewall protection. Other firewall technologies
began to mature in the late 1990s. Stateful firewalls use tables to track the real-time state of
end-to-end sessions. Stateful firewalls consider the session-oriented nature of network traffic.
The first stateful firewalls used the “TCP established” option for ACLs.
Today there are many types of firewalls in existence, such as packet filtering, stateful,
application gateway, proxy, address translation, host-based, transparent, and hybrid firewalls.
Modern network design must carefully include proper placement of one or more firewalls to
protect resources that must be protected while allowing secure access to resources that must
remain available.
Page | 1
4.1 Access Control Lists4.1.1 Configuring Standard and Extended IPv4 ACLs with CLI
Introduction to Access Control Lists
ACLs are widely used in computer networking and in network security for mitigating network
attacks and controlling network traffic. Administrators can use ACLs to define and control
classes of traffic on networking devices to meet a given set of security requirements, as shown
in Figure 1. ACLs can be defined for Layers 2, 3, 4, and 7 of the Open Systems Interconnection
(OSI) model.
Historically, the type of ACL could be identified by the number, as shown in Figure 2. For
example, numbered ACLs with a range of 200–299 were used to control traffic according to
Ethernet type. An ACL numbered 700–799 would indicate that the traffic is classified and
controlled based on MAC addresses.
Today, when classifying traffic, the most common types of ACLs use IPv4 and IPv6 addresses
and Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers.
Standard and extended IPv4 ACLs can be named or numbered. IPv6 ACLs must use a name.
Page | 2
Page | 3
Configuring Numbered and Named ACLs
An ACL is a sequential list of permit or deny statements, known as access control entries
(ACEs). ACEs are also commonly called ACL statements. ACEs can be created to filter traffic
based on certain criteria such as: the source address, destination address, the protocol, and port
numbers.
Standard ACLs match packets by examining the source IP address field in the IP header of
that packet. These ACLs are used to filter packets based solely on Layer 3 source information.
To configure a numbered standard ACL, use the command syntax shown in Figure 1.
Extended ACLs match packets based on Layer 3 and Layer 4 source and destination
information. Layer 4 can include TCP and UDP port information. Extended ACLs give greater
flexibility and control over network access than standard ACLs. To configure a numbered
extended ACL, use the command syntax shown in Figure 2.
Instead of using a number, a name can be used to configure an ACL. Named ACLs must be
specified as either standard or extended. To configure a named standard or extended ACL, use
the command syntax shown in Figure 3.
Page | 4
Page | 5
Applying an ACL
After creating an ACL, the administrator can apply it in a number of different ways. Figure 1
shows the command syntax to apply an ACL to an interface or to the vty lines. Figure 2 shows
a named standard ACL applied to outbound traffic. Figure 3 shows two named extended ACLs.
The SURFING ACL is applied to inbound traffic and the BROWSING ACL is applied to
outbound traffic. Figure 4 shows a named standard ACL applied to inbound traffic on the vty
lines. Logging has been enabled with the log parameter. Log messages are generated on the
first packet match and then at five minute intervals after that first packet match. You can use
the show access-list command to see how many packets have matched a statement.
Enabling the log parameter on a Cisco router or switch seriously affects the performance of
that device. The log parameter should only be used when the network is under attack, and an
administrator is trying to determine who the attacker is.
Applying ACLs to interfaces and lines is just one of the many possible uses. ACLs are also an
integral part of other security configurations, such as zone-based firewalls, intrusion
prevention systems, and virtual private networks.
Page | 6
Page | 7
Page | 8
ACL Configuration Guidelines
An ACL is made up of one or more access control entries (ACEs) or statements. When
configuring and applying an ACL, be aware of the guidelines summarized in the figure.
Page | 9
Editing Existing ACLs
By default, sequence numbering happens in increments of 10, and they are assigned to each
access control entry (ACE) within an ACL. After an ACL is created and applied, it can be
edited using these sequence numbers. Use sequence numbers to delete or add specific ACEs
at various places within a sequence, as shown in the figure. If a sequence number is not
specified for a new entry, the router automatically places the entry at the bottom of the list and
assigns an appropriate sequence number.
Page | 10
Sequence Numbers and Standard ACLs
On standard access lists, the Cisco IOS applies an internal logic to configuring ACEs and
verifying ACLs. The host statements (those with specific IPv4 addresses) are listed first, but
not necessarily in the order that they were entered. First, the IOS puts host statements in a
particular order determined by a special hashing function. The resulting order optimizes the
search for a host ACL entry. It is not necessarily in order of IPv4 addresses.
The example in the figure shows the different entries of an existing standard ACL 19. An
administrator attempts to add an entry in access list 19, using sequence number 25, which will
permit the IP address 172.22.1.1. Even though the sequence number specified is larger than
the sequence number of the network 10.10.10.0, the entry is added prior to the 10.10.10.0
ACE. This gives priority to the specific host statement rather than to the network or range
statement.
The sequence number does not dictate processing order in a standard ACL. However, it can
be used as an identifier for deleting a specific entry.
Note: Initially, the sequence numbers indicate the order that the statements were entered, not
the order in which the statements will be processed. After the router is reloaded, the show
access-lists sequence numbers are renumbered to reflect the new sequence.
Page | 11
Activity – Configuring Standard ACLs
Page | 12
Page | 13
Activity – Creating an Extended ACL Statement
Page | 14
Page | 15
Activity – Evaluating Extended ACLs
Page | 16
Packet Tracer – Configuring Extended ACLs Scenario 1
ACLs can be used to mitigate many network threats, such as IP address spoofing and denial
of service (DoS) attacks. Most DoS attacks use some type of spoofing. IP address spoofing
overrides the normal packet creation process by inserting a custom IP header with a different
source IP address. Attackers can hide their identity by spoofing the source IP address. Click
here to learn more about IP spoofing.
There are many well-known classes of IP addresses that should never be seen as source IP
addresses for traffic entering an organization’s network. For example, in the figure the
S0/0/0 interface is attached to the Internet and should never accept inbound packets from the
following addresses:
Broadcast addresses
The 192.168.1.0/24 network is attached to the R1 G0/0 interface. This interface should only
allow inbound packets with a source address from that network. The ACL for G0/0 shown in
the figure will only permit inbound packets from the 192.168.1.0/24 network. All others will
be discarded.
Page | 18
Page | 19
Permitting Necessary Traffic through a Firewall
An effective strategy for mitigating attacks is to explicitly permit only certain types of traffic
through a firewall. For example, Domain Name System (DNS), Simple Mail Transfer
Protocol (SMTP), and FTP are services that often must be allowed through a firewall. It is
also common to configure a firewall so that it permits administrators remote access through
the firewall. Secure Shell (SSH), syslog, and Simple Network Management Protocol
(SNMP) are examples of services that a router may need to include. While many of these
services are useful, they should be controlled and monitored. Exploitation of these services
leads to security vulnerabilities.
The figure shows a sample topology with possible ACL configurations to permit specific
services on the Serial 0/0/0 interface.
Page | 20
Mitigating ICMP Abuse
Hackers can use Internet Control Message Protocol (ICMP) echo packets (pings) to discover
subnets and hosts on a protected network and to generate DoS flood attacks. Hackers can use
ICMP redirect messages to alter host routing tables. Both ICMP echo and redirect messages
should be blocked inbound by the router.
Several ICMP messages are recommended for proper network operation and should be
allowed into the internal network:
Source quench - Requests that the sender decrease the traffic rate of messages.
Several ICMP messages are required for proper network operation and should be allowed to
exit the network:
Packet too big – Enables packet maximum transmission unit (MTU) discovery.
ACLs are used to block IP address spoofing, selectively permit specific services through a
firewall, and to allow only required ICMP messages. The figure shows a sample topology
and possible ACL configurations to permit specific ICMP services on the G0/0 and S0/0/0
interfaces.
Page | 21
Page | 22
Mitigating SNMP Exploits
Management protocols, such as SNMP, are useful for remote monitoring and management of
networked devices. However, they can still be exploited. If SNMP is necessary, exploitation
of SNMP vulnerabilities can be mitigated by applying interface ACLs to filter SNMP
packets from non-authorized systems. An exploit may still be possible if the SNMP packet is
sourced from an address that has been spoofed and is permitted by the ACL.
These security measures are helpful, but the most effective means of exploitation prevention
is to disable the SNMP server on IOS devices for which it is not required. As shown in the
figure, use the command no snmp-server to disable SNMP processing on the Cisco IOS
devices.
Use ACLs to ensure remote access to the routers is available from only management
station PC-C.
Page | 23
4.1.3 IPv6 ACLs
In recent years, many networks have begun the transition to an IPv6 environment. Part of the
need for the transition to IPv6 is because of the inherent weaknesses in IPv4. IPv4 was
designed without several modern-day network requirements:
Unfortunately, as the migration to IPv6 continues, IPv6 attacks are becoming more
pervasive. IPv4 will not disappear overnight. IPv4 will coexist with IPv6 and then gradually
be replaced by IPv6. This creates potential security holes. An example of a security concern
is attackers leveraging IPv4 to exploit IPv6 in dual stack. Dual stack is an integration method
in which a device has implementation and connectivity to both IPv4 and IPv6 networks. As a
result, the device has two protocol stacks.
Attackers can accomplish stealth attacks that result in trust exploitation by using dual stacked
hosts, rogue Neighbor Discovery Protocol (NDP) messages, and tunneling techniques.
Teredo tunneling, for example, is an IPv6 transition technology that provides automatic IPv6
address assignment when IPv4/IPv6 hosts are located behind IPv4 network address
translation (NAT) devices. It accomplishes this by embedding the IPv6 packets inside IPv4
UDP packets. The attacker gains a foothold in the IPv4 network. The compromised host
sends rogue router advertisements, which triggers dual stacked hosts to obtain an IPv6
address. The attacker can then use this foothold to move around or pivot inside the network.
The attacker can compromise additional hosts before sending traffic back out of the network,
as shown in the figure.
Page | 24
Page | 25
IPv6 ACL Syntax
The ACL functionality in IPv6 is similar to ACLs in IPv4. However, there is no equivalent
to the IPv4 standard ACLs and all IPv6 ACLs must be configured with a name. IPv6 ACLs
allow filtering based on source and destination addresses that are traveling inbound and
outbound to a specific interface. They also support traffic filtering based on IPv6 option
headers and optional, upper-layer protocol type information for finer granularity of control,
similar to extended ACLs in IPv4. To configure an IPv6 ACL, use the ipv6 access-list
command to enter into IPv6 ACL configuration mode. Next, use the syntax shown in the
figure to configure each access list entry to specifically permit or deny traffic. Apply an IPv6
ACL to an interface with the ipv6 traffic-filter command.
Page | 26
Configure IPv6 ACLs
An IPv6 ACL contains an implicit deny ipv6 any. Each IPv6 ACL also contains implicit
permit rules to enable IPv6 neighbor discovery. The IPv6 NDP requires the use of the IPv6
network layer to send neighbor advertisements (NAs) and neighbor solicitations (NSs). If an
administrator configures the deny ipv6 any command without explicitly permitting neighbor
discovery, then the NDP will be disabled.
In the figure, R1 is permitting inbound traffic on G0/0 from the 2001:DB8:1:1::/64 network.
Any NA and NS packets are explicitly permitted. Traffic sourced from any other IPv6
address is explicitly denied. If the administrator only configured the first permit statement,
the ACL would have the same effect. However, it is a good practice to document the implicit
statements by explicitly configuring them.
Page | 27
4.2 Firewall Technologies
Defining Firewalls
The term firewall originally referred to a fireproof wall, usually made of stone or metal that
prevented flames from spreading to connected structures. Later the term firewall was applied
to the metal sheet that separated the engine compartment of a vehicle or aircraft from the
passenger compartment. Eventually, the term was adapted for use with computer networks: a
firewall prevents undesirable traffic from entering prescribed areas within a network.
Firewalls are different things to different people and organizations, but all firewalls share
some common properties:
Firewalls are the only transit point between networks because all traffic flows through
the firewall.
In 1988, Digital Equipment Corporation (DEC) created the first network firewall in the form
of a packet filter firewall. These early firewalls inspected packets to see if they matched sets
of rules, and then chose to forward or drop the packets accordingly. This type of packet
filtering, known as stateless filtering, occurs regardless of whether a packet is part of an
existing flow of data. Each packet is filtered based solely on the values of certain parameters
in the packet header, which is similar to how ACLs filter packets.
In 1989, AT&T Bell Laboratories developed the first stateful firewall. Stateful firewalls
evaluate the state of connections in data flows to filter packets. The stateful firewall is able to
determine if a packet belongs to an existing flow of data. Static rules, as in packet filter
firewalls, are supplemented with dynamic rules created in real time to define these active
flows. Stateful firewalls help to mitigate DoS attacks that exploit active connections through
a networking device.
The original firewalls were not standalone devices. They were routers or servers with
software features added to provide firewall functionality. Over time, several companies
developed standalone firewalls. Dedicated firewall devices enabled routers and switches to
off-load the memory-intensive and processor-intensive activity of filtering packets. Modern
routers, such as the integrated services routers (ISRs), can also be used as sophisticated
stateful firewalls for organizations that may not require a dedicated firewall.
A firewall is a system or group of systems that enforces an access control policy between
networks, as shown in the figure. It can include options, such as a packet filtering router, a
switch with two VLANs, and multiple hosts with firewall software.
Page | 28
Page | 29
Benefits and Limitations of Firewalls
Prevent the exposure of sensitive hosts, resources, and applications to untrusted users.
A misconfigured firewall can have serious consequences for the network, such as
becoming a single point of failure.
The data from many applications cannot be passed over firewalls securely.
Users might proactively search for ways around the firewall to receive blocked material,
which exposes the network to potential attack.
Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.
Page | 30
Page | 31
4.2.2 Firewall Technologies
Firewall Type Descriptions
A firewall system can be composed of many different devices and components. One
component is traffic filtering, which is what most people commonly call a firewall. The
following three firewalls are covered in this chapter:
Packet filtering firewall - Typically a router with the capability to filter some packet
content, such as Layer 3 and sometimes Layer 4 information (Figure 1).
Page | 32
Page | 33
Page | 34
Packet Filtering Firewall Benefits and Limitations
Packet filtering firewalls are usually part of a router firewall, which permits or denies traffic
based on Layer 3 and Layer 4 information. They are stateless firewalls that use a simple
policy table look-up that filters traffic based on specific criteria, as shown in the figure. For
example, SMTP servers listen to port 25 by default. An administrator can configure the
packet filtering firewall to block port 25 from a specific workstation to prevent it from
broadcasting an email virus.
Packet filters are easy to implement, and are supported by most routers.
Packet filters perform almost all the tasks of a high-end firewall at a much lower cost.
Packet filters do not represent a complete firewall solution, but they are an important element
of a firewall security policy. There are several disadvantages of using a packet filtering
firewall:
Packet filters are susceptible to IP spoofing. Hackers can send arbitrary packets that
meet ACL criteria and pass through the filter.
Packet filters do not reliably filter fragmented packets. Because fragmented IP packets
carry the TCP header in the first fragment and packet filters filter on TCP header
information, all fragments after the first fragment are passed unconditionally. Decisions
to use packet filters assume that the filter of the first fragment accurately enforces the
policy.
Packet filters use complex ACLs, which can be difficult to implement and maintain.
Packet filters cannot dynamically filter certain services. For example, sessions that use
dynamic port negotiations are difficult to filter without opening access to a whole range
of ports.
Packet filters are stateless. They examine each packet individually rather than in the
context of the state of a connection.
Page | 35
Page | 36
Stateful Firewalls
Stateful firewalls are the most versatile and the most common firewall technologies in use.
Stateful firewalls provide stateful packet filtering by using connection information
maintained in a state table. Stateful filtering is a firewall architecture that is classified at the
network layer. It also analyzes traffic at OSI Layer 4 and Layer 5, as shown in Figure 1.
Unlike a stateless firewall that uses static packet filtering, stateful filtering tracks each
connection traversing all interfaces of the firewall and confirms that they are valid. Stateful
firewalls use a state table to keep track of the actual communication process, as shown in
Figure 2. The firewall examines information in the headers of Layer 3 packets and Layer 4
segments. For example, the firewall looks at the TCP header for synchronize (SYN), reset
(RST), acknowledgment (ACK), finish (FIN), and other control codes to determine the state
of the connection.
Each time a TCP or UDP connection is established for inbound or outbound connections, a
stateful firewall logs the information in a state table for that specific flow. For example, in
Figure 3 host 10.1.1.1 is requesting a web page from the server at 209.165.201.3. The
stateful packet filter firewall retains certain details by saving the state of the request in the
state table. In this example, the router dynamically added an access control entry for return
traffic sourced from server 209.165.201.3, on port 80, and destined to host 10.1.1.1 on port
1500.
Note: This is the way that previous versions of IOS firewall implemented stateful behavior.
Newer Cisco IOS Firewall implementations use the zone-based approach discussed later in
the chapter.
Page | 37
Page | 38
Stateful Firewall Benefits and Limitations
Stateful firewalls are often used as a primary means of defense by filtering unwanted,
unnecessary, or undesirable traffic.
Stateful firewalls strengthen packet filtering by providing more stringent control over
security.
Stateful firewalls defend against spoofing and DoS attacks by determining whether
packets belong to an existing connection or are from an unauthorized source.
Stateful firewalls provide more log information than a packet filtering firewall.
Stateful firewalls cannot prevent Application Layer attacks because they do not examine
the actual contents of the HTTP connection.
Not all protocols are stateful. For example, UDP and ICMP do not generate connection
information for a state table, and, therefore, do not garner as much support for filtering.
It is difficult to track connections that use dynamic port negotiation. Some applications
open multiple connections. This requires a whole new range of ports that must be
opened to allow this second connection.
Page | 39
Next Generation Firewalls
A next-generation firewall goes beyond the stateful firewall in several important ways:
Restricting web and web application use based on the reputation of the site
Enforcement of policies based on the user, device, role, application type, and threat
profile
In August 2014, Cisco announced the integration of Sourcefire’s FirePOWER services into
the Cisco Adaptive Security Appliance (ASA). Designed with advanced malware protection,
the Cisco ASA with FirePOWER services is also called the Cisco ASA Next-Generation
Firewall because it is an adaptive, threat-focused firewall. It is designed to provide defense
across the entire attack continuum, which includes before, during, and after attacks.
Click here to view a TechWise TV episode titled "Cisco ASA with FirePOWER Services"
and more about what integrated threat defense across the entire attack continuum looks like.
Click here for more information about Cisco’s entire suite of security solutions.
Page | 40
4.2.3 Classic Firewall
Introducing Classic Firewall
Cisco IOS Classic Firewall, formerly known as context-based access control (CBAC), is a
stateful firewall feature added to the Cisco IOS prior to version 12.0. Classic Firewall provides
four main functions: traffic filtering (shown in the figure), traffic inspection, intrusion
detection, and generation of audits and alerts. Classic Firewall can also examine supported
connections for embedded NAT and Port Address Translation (PAT) information and perform
the necessary address translations. Classic Firewall can block peer-to-peer (P2P) connections,
such as those used by the Gnutella and KaZaA applications. Instant messaging traffic, such as
Yahoo!, AOL, and MSN, can be blocked.
However, Classic Firewall only provides filtering for those protocols that are specified by an
administrator. If a protocol is not specified, the existing ACLs determine how that protocol is
filtered and no temporary opening is created. Additionally, Classic Firewall only detects and
protects against attacks that travel through the firewall. It does not typically protect against
attacks originating from within the protected network unless that traffic travels through an
internal router with the Cisco IOS Firewall enabled.
Cisco IOS Software Classic Firewall will continue to be maintained for the foreseeable future,
but will not be significantly enhanced with new features. Instead, the strategic development
direction for Cisco IOS Software's stateful inspection firewall is carried by the Zone-Based
Policy Firewall (ZPF).
Page | 41
Classic Firewall Operation
Classic Firewall creates temporary openings in the ACL to allow returning traffic. These
entries are created as inspected traffic leaves the network and are removed when the
connection terminates or the idle timeout period for the connection is reached.
For example, assume that a user initiates an outbound SSH connection from a protected
network to an external network, and Classic Firewall is enabled to inspect SSH traffic. Also
assume that an ACL is applied on the external interface preventing SSH traffic from entering
the protected network. This connection will go through a multistep operation that will create
a temporary opening in the firewall, as shown in the figure:
1. When traffic is first generated, and it passes through the router, the inbound ACL is
processed. If the ACL denies this type of connection, the packet is dropped. If the ACL permits
the connection, the Classic Firewall inspection rules are examined.
2. Based on the inspection rules for Classic Firewall, the Cisco IOS software might inspect the
connection. If SSH traffic is not inspected the packet is allowed through, and no other
information is gathered. Otherwise, the connection goes to the next step.
3. The connection information is compared to entries in the state table. If the connection does
not currently exist, the entry is added. If it does exist, the idle timer for the connection is reset.
4. If a new entry is added, a dynamic ACL entry is added to allow the returning SSH traffic
that is part of the same SSH connection. This temporary opening is only active for as long as
the session is open. These dynamic ACL entries are not saved to NVRAM.
5. When the session terminates, the dynamic information from the state table and the dynamic
ACL entry are removed.
Classic Firewall can also be configured to inspect traffic in two directions: in and out. This is
useful when protecting two parts of a network, in which both sides initiate certain connections
and allow the returning traffic to reach its source.
Page | 42
Page | 43
Classic Firewall Configuration
Consider the topology shown in the figure. The administrator wants to allow SSH sessions
between the 10.0.0.0 and 172.30.0.0 networks. However, only hosts from the 10.0.0.0 network
are allowed to initiate SSH sessions. All other access is denied. There are four steps to
configure this policy using a Classic Firewall.
Step 1. Choose the internal and external interfaces.
In this example, G0/0 is the inside interface and G0/1 is the outside interface.
The inspection rule FWRULE specifies that traffic will be inspected for SSH connections.
This inspection rule has no effect until it is applied to an interface. Although an SSH
connection would be allowed in the G0/0 interface and out to host on the 172.30.0.0 network,
returning SSH traffic inbound to G0/1 would still be denied.
When the FWRULE is applied to inbound traffic on the G0/0 interface, the Classic Firewall
configuration will dynamically add an entry to allow inbound SSH traffic between the two
hosts. This can be verified with the show ip inspect sessions command.
Page | 44
Page | 45
4.2.4 Firewalls in Network Design
Inside and Outside Networks
Firewall design is primarily about device interfaces permitting or denying traffic based on the
source, the destination, and the type of traffic. Some designs are as simple as designating an
outside network and inside network, which are determined by two interfaces on a firewall. As
shown in the figure, the public network (or outside network) is untrusted, and the private
network (or inside network) is trusted. Typically a firewall with two interfaces is configured
as follows:
Traffic originating from the private network is permitted and inspected as it travels toward
the public network. Inspected traffic returning from the public network and associated
with traffic that originated from the private network is permitted.
Traffic originating from the public network and traveling to the private network is
generally blocked.
Page | 46
Demilitarized Zones
A demilitarized zone (DMZ) is a firewall design where there is typically one inside interface
connected to the private network, one outside interface connected to the public network, and
one DMZ interface, as shown in the figure.
Traffic originating from the private network is inspected as it travels toward the public or
DMZ network. This traffic is permitted with little or no restriction. Inspected traffic
returning from the DMZ or public network to the private network is permitted.
Traffic originating from the DMZ network and traveling to the private network is usually
blocked.
Traffic originating from the DMZ network and traveling to the public network is
selectively permitted based on service requirements.
Traffic originating from the public network and traveling toward the DMZ is selectively
permitted and inspected. This type of traffic is typically email, DNS, HTTP, or HTTPS
traffic. Return traffic from the DMZ to the public network is dynamically permitted.
Traffic originating from the public network and traveling to the private network is
blocked.
Page | 47
ZPFs
ZPFs use the concept of zones to provide additional flexibility. A zone is a group of one or
more interfaces that have similar functions or features. Zones help you specify where a Cisco
IOS firewall should be applied. In the figure, security policies for LAN 1 and LAN 2 are
similar and can be grouped into a zone for firewall configurations. By default, the traffic
between interfaces in the same zone is not subject to any policy and passes freely. However,
all zone-to-zone traffic is blocked. In order to permit traffic between zones, a policy allowing
or inspecting traffic must be configured.
The only exception to this default deny any policy is the router self zone. The self zone is the
router itself and includes all the router interface IP addresses. Policy configurations that
include the self zone would apply to traffic destined to and sourced from the router. By default,
there is no policy for this type of traffic. Traffic that should be considered when designing a
policy for the self zone includes management plane and control plane traffic, such as SSH,
SNMP, and routing protocols.
Page | 48
Layered Defense
A layered defense uses different types of firewalls that are combined in layers to add depth to
the security of an organization. Click each layer in Figure 1 for more information. Policies can
be enforced between the layers and inside the layers. These policy enforcement points
determine whether traffic is forwarded or discarded. For example, traffic that comes in from
the untrusted network first encounters a packet filter on the edge router. If allowed by the
policy, the traffic goes to the screened firewall or bastion host system that applies more rules
to the traffic and discards suspect packets. A bastion host is a hardened computer that is
typically located in the DMZ. Then the traffic goes to an interior screening router. The traffic
moves to the internal destination host only after successfully passing through all policy
enforcement points between the outside router and the inside network. This type of DMZ setup
is called a screened subnet configuration.
A layered defense approach is not all that is needed to ensure a safe internal network. A
network administrator must consider many factors when building a complete in-depth defense:
Firewalls typically do not stop intrusions that come from hosts within a network or zone.
Firewalls do not replace backup and disaster recovery mechanisms resulting from attack
or hardware failure.
The partial list of best practices in Figure 2 can serve as a starting point for a firewall security
policy.
Page | 49
Network Core Security: Protects against malicious software and traffic anomalies, enforces
network policies, and ensures survivability.
Perimeter Security: Secures boundaries between zones.
Endpoint Security: Provides identity and device security policy compliance.
Communications Security: Provides information assurance.
Page | 50
4.3 Zone-Based Policy Firewalls
4.3.1 ZPF Overview
Benefits of a ZPF
Classic Firewall - The traditional configuration model in which firewall policy is applied
on interfaces.
ZPF - The new configuration mode in which interfaces are assigned to security zones, and
firewall policy is applied to traffic moving between the zones.
As shown in the figure, if an additional interface is added to the private zone, the hosts
connected to the new interface in the private zone can pass traffic to all hosts on the existing
interface in the same zone.
The primary motivations for network security professionals to migrate to the ZPF model are
structure and ease of use. The structured approach is useful for documentation and
communication. The ease of use makes network security implementations more accessible to
a larger community of security professionals.
Policies are easy to read and troubleshoot with the Cisco Common Classification Policy
Language (C3PL). C3PL is a structured method to create traffic policies based on events,
conditions, and actions. Provides scalability by having one policy affects any given traffic,
instead of needing multiple ACLs and inspection actions.
When deciding whether to implement Classic Firewall or a ZPF, it is important to note that
both configuration models can be enabled concurrently on a router. However, the models
cannot be combined on a single interface. For example, an interface cannot be simultaneously
configured as a security zone member and for IP inspection.
Page | 51
Page | 52
ZPF Design
Common ZPF designs are LAN-to-Internet, as shown in Figure 1. A firewall with public
servers is shown in Figures 2 and 3. Figure 4 shows redundant firewalls. Complex firewalls
are shown in Figure 5.
Step 4. Identify subsets within zones and merge traffic requirements - For each firewall
device in the design, the administrator must identify zone subsets connected to its interfaces
and merge the traffic requirements for those zones. For example, multiple zones might be
indirectly attached to a single interface of a firewall. This would result in a device-specific
interzone policy. Although an important consideration, implementing zone subsets is beyond
the scope of this curriculum.
Page | 53
Page | 54
Page | 55
Page | 56
Activity - Compare Classic Firewall and ZPF Operation
Page | 57
4.3.2 ZPF Operation
ZPF Actions
Drop - Analogous to a deny statement in an ACL. A log option is available to log the
rejected packets.
Pass - Analogous to a permit statement in an ACL. The pass action does not track the
state of connections or sessions within the traffic.
Page | 58
Rules for Transit Traffic
Traffic transiting through router interfaces is subject to several rules governing interface
behavior. For the transit traffic example, refer to the topology shown in Figure 1. The rules
depend on whether or not the ingress and egress interfaces are members of the same zone, as
shown in Figure 2:
If neither interface is a zone member, then the resulting action is to pass the traffic.
If both interfaces are members of the same zone, then the resulting action is to pass the
traffic.
If one interface is a zone member, but the other is not, then the resulting action is to drop
the traffic regardless of whether a zone-pair exists.
If both interfaces belong to the same zone-pair and a policy exists, then the resulting action
is inspect, allow, or drop as defined by the policy.
Page | 59
Page | 60
Rules for Traffic to the Self Zone
The self zone is the router itself and includes all of the IP addresses assigned to the router
interfaces. The rules for a ZPF are different for the self zone. For the self zone traffic example,
refer to the topology shown in Figure 1. The rules depend on whether the router is the source
or the destination of the traffic, as shown in Figure 2. If the router is the source or the
destination, then all traffic is permitted. The only exception is if the source and destination are
a zone-pair with a specific service-policy. In that case, the policy is applied to all traffic.
Page | 61
Activity - Rules for Transit Traffic
Page | 62
4.3.3 Configuring a ZPF
Configure ZPF
The topology and steps shown in the figure will be used throughout the remainder of this topic
to demonstrate ZPF configuration. The sequence of steps is not required. However, some
configurations must be completed in order. For instance, you must configure a class-map
before you assign a class-map to a policy-map. Similarly, you cannot assign a policy-map to
a zone-pair until you have configured the policy. If you try to configure a section that relies
on another portion of the configuration that you have not yet configured, the router responds
with an error message.
Page | 63
Create Zones
The first step, as shown in Figure 1, is to create the zones. However, before creating the
zones answer a few questions:
In the example topology, we have two interfaces, two zones, and traffic flowing in one
direction. Traffic sourced from the public zone will not be allowed. Create the zones for the
firewall with the zone security command, as shown in Figure 2.
Page | 64
Page | 65
Identify Traffic
The second step, as shown in Figure 1, is to use a class-map to identify the traffic. A class is a
way of identifying a set of packets based on its contents using “match” conditions. Typically,
you define a class so that you can apply an action to the identified traffic that reflects a policy.
A class is defined with class-maps.
Figure 2 shows the syntax for the class-map command. There are several types of class-maps.
For a ZPF configuration, use the inspect keyword to define a class-map. Determine how
packets are evaluated when multiple match criteria exist. Packets must meet one of the match
criteria (match-any) or all of the match criteria (match-all) to be considered a member of the
class.
Figure 3 shows the syntax for the match statements in class-map sub-configuration mode.
Match traffic to an ACL, a specific protocol, or even another class-map.
In the topology shown in Figure 4, HTTP traffic is being allowed to traverse R1 to the PUBLIC
zone. When allowing HTTP traffic, it is recommended to specifically include HTTPS and
DNS protocols. Traffic can match any of the statements to become a member of the HTTP-
TRAFFIC class.
Page | 66
Page | 67
Page | 68
Define an Action
The third step, as shown in Figure 1, is to use a policy-map to define what action should be
taken for traffic that is a member of a class. Figure 2 shows the command syntax to configure
a policy-map. An action is a specific functionality. It is typically associated with a traffic class.
For example, inspect, drop, andpass are actions.
inspect - This action offers state-based traffic control. For example, if traffic traveling
from the PRIVATE zone to the PUBLIC zone is inspected, the router maintains
connection or session information for TCP and UDP traffic. The router would then permit
return traffic sent from PUBLIC zone hosts in reply to PRIVATE zone connection
requests.
drop - This is the default action for all traffic. Similar to the implicit deny any at the end
of every ACL, there is an explicitdrop applied by the IOS to the end of every policy−map.
It is listed as class class-default in the last section of any policy-map configuration. Other
class−maps within a policy−map can also be configured to drop unwanted traffic. Unlike
ACLs, traffic is silently dropped, and no ICMP unreachable messages are sent to the
source of the traffic.
pass - This action allows the router to forward traffic from one zone to another. The pass
action does not track the state of connections. Pass only allows the traffic in one direction.
A corresponding policy must be applied to allow return traffic to pass in the opposite
direction. The pass action is ideal for secure protocols with predictable behavior, such as
IPsec. However, most application traffic is better handled in the ZPF with
the inspect action.
Page | 69
Page | 70
Page | 71
Identify a Zone-Pair and Match to a Policy
The fourth step, as shown in Figure 1, is to identify a zone pair and associate that zone pair to
a policy-map. Figure 2 shows the command syntax. Create a zone-pair with the zone-pair
security command. Then use the service-policy type inspect command to attach a policy-
map and its associated action to the zone-pair.
Figure 3 shows an example of a zone-pair configuration. A zone-pair named PRIV-PUB is
created with PRIVATE assigned as the source zone and PUBLIC assigned as the destination
zone. Then the policy-map created in the previous step is associated to the zone-pair.
After the firewall policy has been configured, the administrator applies it to traffic between a
pair of zones using the zone-pair security command. To apply a policy, it is assigned to a zone
pair. The zone pair needs to specify the source zone, the destination zone, and the policy for
handling the traffic between the source and destination zones.
Page | 72
Page | 73
Assign Zones to Interfaces
The fifth step, as shown in Figure 1, is to assign zones to the appropriate interfaces. Associating
a zone to an interface will immediately apply the service-policy that has been associated with
the zone. If no service-policy is yet configured for the zone, all transit traffic will be dropped.
Use the zone-member security command, as shown in Figure 2, to assign a zone to an interface.
In the example, GigabitEthernet 0/0 is assigned the PRIVATE zone, and Serial 0/0/0 is
assigned the PUBLIC zone.
The service-policy is now active. HTTP, HTTPS, and DNS traffic sourced from the PRIVATE
zone and destined for the PUBLIC zone will be inspected. Traffic sourced from the PUBLIC
zone and destined for the PRIVATE zone will only be allowed if it is part of sessions originally
initiated by PRIVATE zone hosts.
Page | 74
Page | 75
Verify a ZPF Configuration
Verify a ZPF configuration by viewing the running configuration, as shown in Figure 1. Notice
that the class-map is listed first. Then the policy-map makes use of the class-map. Also, notice
the highlighted class class-default that will drop all other traffic that is not a member of the
HTTP-TRAFFIC class.
The zone configurations follow the policy-map configurations with zone naming, zone pairing,
and associating a service-policy to the zone pair. Finally, the interfaces are assigned zones.
Figure 2 shows verification information after a test of the ZPF configuration. A PRIVATE
zone host 192.168.1.3 established an HTTPS session with a web server at 10.1.1.2. Notice
further down in the command output that four packets matched the class class-default. This
verification information was generated by having host 192.168.1.3 ping the web server at
10.1.1.2.
Figure 3 shows additional verification commands that allow a view of specific portions of the
ZPF configuration.
Use the Syntax Checker in Figure 4 to configure R1 with a ZPF.
Page | 76
Page | 77
Page | 78
Page | 79
Page | 80
Page | 81
ZPF Configuration Considerations
When configuring a ZPF with the CLI, there are several factors to consider:
The router never filters the traffic between interfaces in the same zone.
An interface cannot belong to multiple zones. To create a union of security zones, specify
a new zone and appropriate policy map and zone pairs.
ZPF can coexist with Classic Firewall although they cannot be used on the same interface.
Remove the ip inspect interface configuration command before applying the zone-
member security command.
Traffic can never flow between an interface assigned to a zone and an interface without a
zone assignment. Applying the zone-member configuration command always results in a
temporary interruption of service until the other zone-member is configured.
The default inter-zone policy is to drop all traffic unless otherwise specifically allowed by
the service-policy configured for the zone-pair.
The zone-member command does not protect the router itself (traffic to and from the
router is not affected) unless the zone- pairs are configured using the predefined self zone.
Page | 82
Video Demonstration – ZPFs
This video demonstrates how to configure a Zone-Based Policy Firewall on a Cisco 1941
router by completing the following:
Create zones.
Page | 83
Packet Tracer - Configuring a ZPF
Page | 84
Chapter 4: Implementing Firewall Technologies Summary
Firewalls separate protected areas from non-protected areas. This prevents unauthorized users
from accessing protected network resources. There are two common methods for
implementing firewalls:
Packet filtering firewall - Usually a router with the capability to filter packet content,
such as Layer 3 and sometimes Layer 4 information using ACLs.
Standard and extended IP ACLs can be used to provide packet filtering firewall capabilities.
They are the fundamental tools used for basic network traffic filtering and to mitigate a wide
range of network attacks. Deciding which one to use depends on the type of traffic and the
source and destination of the traffic. ACLs are linked to the flow of network traffic. The
network topology determines how ACLs are created and applied.
Stateful firewalls can be implemented in three ways:
Traffic filtering solutions - Includes ACLs using the TCP established option and
reflexive ACLs that extend the function of ACLs to consider the two-way nature of
network traffic.
Cisco IOS Classic Firewall - Formerly known as CBAC, Classic Firewall offers
sophisticated stateful filtering of most forms of modern application traffic. Classic
Firewall configuration is very complex and relies on ACLs and inspection rules applied
on appropriate interfaces.
ZPF - Introduced in 2006, this is the state of the art in modern firewalling. A ZPF
configuration centers on the creation of zones that are associated with various areas of the
network and are meant for different levels of security. Implementing a ZPF is more
structured and easier to understand than CBAC. The ZPF uses class-maps and policy maps
in order to classify and filter traffic.
Page | 85