
CCNP-Security Lab Workbook v.

Firewall

Firewall
Before defining and exploring firewalls, let us describe where the word "firewall" comes from. The word originated in mechanical engineering as the partitioning wall in a car that separates the engine compartment from the passenger compartment. In the early days of the motor car, engines frequently caught fire, and that fire harmed the people in the car. To protect them, a shield was built into the car to hold back the fire and protect the occupants. That shield was called a firewall.

Now let us come to our network, where we need to protect our local LAN (or corporate network) from the outside world of the Internet. To accomplish this we introduce a device into the network that blocks unwanted traffic from getting in. As the job of this device is similar to the shield in the car, we call this device a FIREWALL.

Look back at your router and its job. It is basically meant to do routing, i.e. a router needs a path (route) to reach the destination, and if it has one it forwards the packet. The firewall works the other way around: it blocks all traffic by default, even if it has a path (route) to the destination. A firewall needs permission to forward a packet, not just a route.

Nowadays many advancements have been made to the firewall device, and it is defined as follows: a firewall is a system which manages access between two or more networks. There are numerous ways of accomplishing the job of managing access between networks with a firewall, but all techniques work on three basic technologies:

    i.   Packet Filtering
    ii.  Proxy Server
    iii. Stateful Packet Filtering

Packet Filtering
Controlling connections on the basis of their addresses and ports is packet filtering. The access lists you have been working with since your CCNA days are packet filters; they are robust and fast, and they are not CPU intensive.

Proxy Server
All connections are passed through a central server, from which only valid connections are allowed.

Stateful Packet Filtering
This is an advanced form of packet filtering in which a state table is maintained for all outbound connections, and inbound connections are allowed with respect to that state table. It is less CPU intensive and much faster than a proxy server.

Netmetric Infosolutions (P) Limited Hyderabad, IN

www.netmetric-solutions.com

Router as a Firewall


Before proceeding to a separate firewall device, let us start by changing our existing router to work as a firewall. When we change our router to work as a firewall it is commonly known as an IOS Firewall, and it is denoted by its own symbol.

Initially the only method of making an IOS router into an IOS Firewall was CBAC (Context Based Access Control). Later, to overcome the shortcomings of CBAC, a new method was introduced: the Zone Based Firewall, which is much more granular than CBAC. When the Zone Based Firewall was introduced, Cisco renamed CBAC the IOS Classic Firewall. Following this, we will configure:

    IOS Classic Firewall, or Context Based Access Control (CBAC)
    Zone Based Firewall


LAB 01
Classic IOS Firewall (CBAC)
When you say you are working with ACLs, it means you are filtering traffic on the basis of names (i.e. IP addresses) or services; moreover, you cannot make an ACL intelligent enough to tell the originator of traffic apart from the reply traffic. To enhance packet filtering we came up with Context-Based Access Control (CBAC), which intelligently filters TCP and UDP packets based on application-layer protocol session information. In CBAC we do not work with IP addresses; instead we allow or deny services from inside to outside or vice versa. CBAC also maintains a state table in which it records the traffic going out of an interface, and depending on that record it allows the corresponding incoming traffic.

Steps to configure:
    1. Use any routing protocol to make the networks reachable (we are using RIP in this case)
    2. Block all inbound traffic for the private or local network
    3. Allow traffic from the outside only to the DMZ network
    4. Create an inspection rule for the interesting traffic on each interface
    5. Apply the inspection rule on the respective interfaces

Interface Configuration

    Device    Interface           IP Address
    Outside   Fast Ethernet 0/0   2.2.2.2
    DMZ       Fast Ethernet 0/0   3.3.3.3
    CBAC-FW   Fast Ethernet 0/0   1.1.1.1 (Connected to PC)
    CBAC-FW   Fast Ethernet 0/1   2.2.2.1 (Connected to outside)
    CBAC-FW   Fast Ethernet 1/0   3.3.3.1 (Connected to DMZ)
    PC        NIC                 1.1.1.2

Basically, here we want to achieve a typical DMZ network setup, where we want to make sure that:
    an INSIDER can access the outside network as well as the DMZ
    an OUTSIDER cannot access the inside network but can access the DMZ network
    the DMZ cannot access any other network, neither inside nor outside


Using a simple deny statement in an access list, we deny all traffic from other networks into the inside network:

    CBAC-FW(config)#access-list 101 deny ip any any
    CBAC-FW(config)#int f 0/0
    CBAC-FW(config-if)#ip access-group 101 out

Now that all traffic from other networks to the inside network is blocked, even the reply traffic for queries made from the inside network is blocked. To allow that reply traffic we create an inspection rule listing the protocols and services to be inspected, which maintains a state table:

    CBAC-FW(config)#ip inspect name my-cbac tcp
    CBAC-FW(config)#ip inspect name my-cbac icmp
    CBAC-FW(config)#ip inspect name my-cbac udp

With the above commands we start maintaining a state table for TCP, UDP and ICMP. Now we apply this inspection rule on the interface connected to the outside:

    CBAC-FW(config)#int f 0/1
    CBAC-FW(config-if)#ip inspect my-cbac out

Now we do not want the DMZ to initiate traffic to any network:

    CBAC-FW(config)#access-list 102 deny ip any any
    CBAC-FW(config)#interface FastEthernet1/0
    CBAC-FW(config-if)#ip access-group 102 in

But we want the outside network to be able to communicate with the DMZ, so we create a separate inspection rule for that traffic:

    CBAC-FW(config)#ip inspect name cbac-dmz http
    CBAC-FW(config)#ip inspect name cbac-dmz telnet
    CBAC-FW(config)#ip inspect name cbac-dmz icmp

Apply that inspection rule in the outbound direction on the interface to which the DMZ is connected:

    CBAC-FW(config)#interface FastEthernet1/0
    CBAC-FW(config-if)#ip inspect cbac-dmz out


From the outside, allow only the specific traffic meant for the DMZ network and block all the rest:

    CBAC-FW(config)#access-list 103 permit ip any host 3.3.3.3
    CBAC-FW(config)#access-list 103 deny ip any any
    CBAC-FW(config)#interface FastEthernet0/1
    CBAC-FW(config-if)#ip access-group 103 in

Traffic generated from the inside is allowed to go to the outside network, and the reply is allowed to come back.

From the outside, the connection to the inside is not successful, but the connection to the DMZ is successful:

    Outside>ping 1.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)
    Outside>ping 3.3.3.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/112 ms
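As an added example (not part of the workbook and not Cisco code), the following Python model replays the lab's access lists and inspection rules against the checks above, and also shows the difference between plain packet filtering and stateful packet filtering described in the introduction: with the ip inspect rules removed, the inside host's request still leaves, but the reply is stopped by the deny-all access list. Interface names and addresses come from the interface table; the way ACLs, inspection rules and the state table are encoded is an assumption of this model.

```python
"""Constructed model of the CBAC lab (added example, not the workbook's code):
static access lists on the interfaces plus 'ip inspect' rules that record
outbound sessions in a state table, so that only the reply traffic for those
sessions is let back in through the deny-all ACLs."""
from dataclasses import dataclass, field

# Which router interface each /24 hangs off (from the lab's interface table)
IFACE_BY_NET = {"1.1.1": "f0/0", "2.2.2": "f0/1", "3.3.3": "f1/0"}
# Application protocols ride on a transport; 'ip inspect ... tcp' covers them too
TRANSPORT = {"http": "tcp", "telnet": "tcp", "dns": "udp"}


def iface_for(ip):
    return IFACE_BY_NET[ip.rsplit(".", 1)[0]]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "tcp", "udp", "http", "telnet", "dns"


@dataclass
class CbacRouter:
    acls: dict = field(default_factory=dict)     # (iface, dir) -> [(action, src, dst)]
    inspect: dict = field(default_factory=dict)  # iface -> protocols inspected outbound
    sessions: set = field(default_factory=set)   # state table: (src, dst, proto)

    def acl_permits(self, iface, direction, pkt):
        rules = self.acls.get((iface, direction))
        if rules is None:
            return True  # no access-group applied in that direction
        for action, src, dst in rules:
            if src in ("any", pkt.src) and dst in ("any", pkt.dst):
                return action == "permit"
        return False  # implicit deny at the end of every ACL

    def inspected(self, out_if, pkt):
        wanted = self.inspect.get(out_if, set())
        return pkt.proto in wanted or TRANSPORT.get(pkt.proto) in wanted

    def forward(self, pkt):
        in_if, out_if = iface_for(pkt.src), iface_for(pkt.dst)
        # Reply to an inspected session: CBAC's temporary opening bypasses the ACLs
        if (pkt.dst, pkt.src, pkt.proto) in self.sessions:
            return True
        if not (self.acl_permits(in_if, "in", pkt) and self.acl_permits(out_if, "out", pkt)):
            return False
        if self.inspected(out_if, pkt):  # egress inspection populates the state table
            self.sessions.add((pkt.src, pkt.dst, pkt.proto))
        return True


def build_lab01(stateful=True):
    """Encode the CBAC-FW configuration from the lab; stateful=False leaves out the
    'ip inspect' commands to show plain packet filtering on the same ACLs."""
    r = CbacRouter()
    r.acls[("f0/0", "out")] = [("deny", "any", "any")]                              # access-list 101
    r.acls[("f1/0", "in")] = [("deny", "any", "any")]                               # access-list 102
    r.acls[("f0/1", "in")] = [("permit", "any", "3.3.3.3"), ("deny", "any", "any")]  # access-list 103
    if stateful:
        r.inspect["f0/1"] = {"tcp", "udp", "icmp"}      # ip inspect my-cbac out
        r.inspect["f1/0"] = {"http", "telnet", "icmp"}  # ip inspect cbac-dmz out
    return r


def cbac_session(src, dst, proto="icmp", stateful=True):
    """Push one request and its reply through a freshly configured firewall;
    returns (request_forwarded, reply_forwarded)."""
    r = build_lab01(stateful)
    req = r.forward(Packet(src, dst, proto))
    rep = req and r.forward(Packet(dst, src, proto))
    return req, rep


if __name__ == "__main__":
    checks = {
        "inside -> outside (icmp)": ("1.1.1.2", "2.2.2.2", "icmp"),
        "inside -> DMZ (http)": ("1.1.1.2", "3.3.3.3", "http"),
        "outside -> inside (icmp)": ("2.2.2.2", "1.1.1.2", "icmp"),
        "outside -> DMZ (icmp)": ("2.2.2.2", "3.3.3.3", "icmp"),
        "DMZ -> outside (icmp)": ("3.3.3.3", "2.2.2.2", "icmp"),
        "inside -> DMZ (dns, not in cbac-dmz)": ("1.1.1.2", "3.3.3.3", "dns"),
    }
    for name, args in checks.items():
        print(f"{name:40} request/reply forwarded: {cbac_session(*args)}")
    print("inside -> outside, no inspection:", cbac_session("1.1.1.2", "2.2.2.2", stateful=False))
```

The last check in the model is worth noting when you build this lab: cbac-dmz inspects only http, telnet and icmp, so a UDP service such as DNS from the inside to the DMZ gets its request through but its reply is dropped by access-list 102, exactly as it would be without any inspection.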


LAB 02
Zone Based Policy IOS Firewall (ZFW)
Using CBAC we succeeded in maintaining a state table on our router and configured the router to work as a firewall. But soon after working with CBAC, network admins realized that it has a few shortcomings. Mainly, CBAC cannot filter applications for specific users (i.e. you cannot configure an inspection rule for a set of users; the rules apply to all users), and when you work with multiple interfaces, the complexity of implementing CBAC grows as the number of interfaces grows. To address these shortcomings a new method of implementing the firewall was introduced: the Zone Based Firewall. Here we configure ACLs to catch the interesting traffic, group interfaces into a single zone, and then apply the rules to the zones.

Steps to configure:
    1. Use any routing protocol to make the networks reachable (we are using RIP in this case)
    2. Create security zones and associate interfaces with the zones
    3. Create a class map of type inspect to define the interesting traffic
    4. Create a policy map of type inspect to define the action on the interesting traffic
    5. Create zone pairs to define the source and destination of the traffic

Interface Configuration

    Device    Interface           IP Address
    Outside   Fast Ethernet 0/0   2.2.2.2
    DMZ       Fast Ethernet 0/0   3.3.3.3
    ZBF       Fast Ethernet 0/0   1.1.1.1 (Connected to PC)
    ZBF       Fast Ethernet 0/1   2.2.2.1 (Connected to outside)
    ZBF       Fast Ethernet 1/0   3.3.3.1 (Connected to DMZ)
    PC        NIC                 1.1.1.2

We are implementing the same typical DMZ network setup that we built in the previous lab.


First of all we configure RIP on all devices to advertise all networks, making all three networks reachable from everywhere.
Check reachability from each device to every other device, then proceed with the configuration.

Unlike CBAC, where I implemented the rules per interface, here I want to implement the rules on a group of interfaces, which I call a zone. As per our requirement I am creating three zones named DMZ, OUTSIDE and INSIDE:

    ZBF(config)#zone security INSIDE
    ZBF(config-sec-zone)#exit
    ZBF(config)#zone security OUTSIDE
    ZBF(config-sec-zone)#exit
    ZBF(config)#zone security DMZ
    ZBF(config-sec-zone)#exit

After creating the security zones there is no change in the behaviour of the device until you associate those zones with interfaces:

    ZBF(config)#int f 0/0
    ZBF(config-if)#zone-member security INSIDE
    ZBF(config-if)#int f 0/1
    ZBF(config-if)#zone-member security OUTSIDE
    ZBF(config-if)#int f 1/0
    ZBF(config-if)#zone-member security DMZ

Remember that as soon as we associate those zones with interfaces, communication between zones is blocked: no two interfaces belonging to different zones can communicate, and an unzoned interface (an interface not associated with any zone) cannot communicate with a zoned interface either. Two interfaces that belong to the same zone, or two interfaces that are both unzoned, can still communicate with each other.

Now we need to create a class map of type inspect to identify the interesting traffic. Before defining the interesting traffic in the class map, we need to create an access list that defines the source and destination of the traffic to be inspected, and we also need to define the protocol we want to inspect:

    ZBF(config)#access-list 101 permit ip any any
    ZBF(config)#class-map type inspect c-map-1
    ZBF(config-cmap)#match access-group 101
    ZBF(config-cmap)#match protocol icmp


After defining the traffic in the class map, it is time to define the action on the interesting traffic. For that we create a policy map of type inspect, call the class of interesting traffic, and define the desired action in that class. As per our requirement we need inspection to be done on our traffic, so we define inspect as our action:

    ZBF(config)#policy-map type inspect p-map-1
    ZBF(config-pmap)#class type inspect c-map-1
    ZBF(config-pmap-c)#inspect

Now the only remaining task is to apply that policy map and define the source and destination of our traffic. This is done by configuring zone pairs:

    ZBF(config)#zone-pair security allow-in-out source INSIDE destination OUTSIDE
    ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1
    ZBF(config-sec-zone-pair)#exit

With this, our insiders can access the outside network, but outsiders cannot access the inside, because we defined the source as INSIDE and the destination as OUTSIDE. Remember that a zone pair works in one direction only. As we want insiders to access the DMZ as well, and we also want outsiders to access the DMZ, we need to create two more zone pairs with the respective sources and destinations:

    ZBF(config)#zone-pair security allow-in-dmz source INSIDE destination DMZ
    ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1
    ZBF(config-sec-zone-pair)#exit
    ZBF(config)#zone-pair security allow-out-dmz source OUTSIDE destination DMZ
    ZBF(config-sec-zone-pair)#service-policy type inspect p-map-1
    ZBF(config-sec-zone-pair)#exit
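As an added example (not part of the workbook and not Cisco code), the following Python model walks the zone rules and the zone-pair policy of this lab: zoned interfaces in different zones are dropped unless a zone pair with a matching inspect policy exists in that direction, inspected sessions get their return traffic back even though no reverse zone pair was configured, and an unzoned interface can never reach a zoned one. Zone, class-map, policy-map and zone-pair names follow the lab configuration; the unzoned interface f2/0 on 4.4.4.0/24 is constructed here purely to exercise the unzoned rule. Because c-map-1 was created without the match-any keyword, it is a match-all class map, so the model requires a packet to match both access-list 101 and protocol icmp, which is why the TCP check below is dropped.

```python
"""Constructed model of the zone-based firewall lab (added example, not the
workbook's or Cisco's code): interfaces belong to zones, inter-zone traffic is
dropped unless a zone pair with an inspect policy matches it, and inspected
sessions get their replies back without a zone pair in the reverse direction."""
from dataclasses import dataclass, field

IFACE_BY_NET = {"1.1.1": "f0/0", "2.2.2": "f0/1", "3.3.3": "f1/0",
                "4.4.4": "f2/0"}  # f2/0 is constructed and deliberately left unzoned


def iface_for(ip):
    return IFACE_BY_NET[ip.rsplit(".", 1)[0]]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str


@dataclass
class ZoneFirewall:
    zone_of: dict = field(default_factory=dict)     # iface -> zone; missing = unzoned
    class_maps: dict = field(default_factory=dict)  # name -> (match-all|match-any, [predicates])
    policies: dict = field(default_factory=dict)    # policy-map -> [(class-map, action)]
    zone_pairs: dict = field(default_factory=dict)  # (src zone, dst zone) -> policy-map
    sessions: set = field(default_factory=set)      # inspected sessions: (src, dst, proto)

    def class_matches(self, name, pkt):
        mode, predicates = self.class_maps[name]
        hits = [p(pkt) for p in predicates]
        return all(hits) if mode == "match-all" else any(hits)

    def forward(self, pkt):
        src_zone = self.zone_of.get(iface_for(pkt.src))
        dst_zone = self.zone_of.get(iface_for(pkt.dst))
        if src_zone == dst_zone:                   # same zone, or both unzoned: passes
            return True
        if src_zone is None or dst_zone is None:   # zoned <-> unzoned never talk
            return False
        if (pkt.dst, pkt.src, pkt.proto) in self.sessions:  # return traffic of inspection
            return True
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:                         # no zone pair in this direction: drop
            return False
        for cmap, action in self.policies[policy]:
            if self.class_matches(cmap, pkt):
                if action == "inspect":
                    self.sessions.add((pkt.src, pkt.dst, pkt.proto))
                return action in ("inspect", "pass")
        return False                               # class-default of an inspect policy drops


def build_lab02():
    """Encode the ZBF configuration from the lab."""
    fw = ZoneFirewall()
    fw.zone_of.update({"f0/0": "INSIDE", "f0/1": "OUTSIDE", "f1/0": "DMZ"})
    # class-map type inspect c-map-1: no match-any keyword was given, so it is
    # match-all, i.e. a packet must match access-list 101 AND be ICMP
    fw.class_maps["c-map-1"] = ("match-all", [
        lambda p: True,               # match access-group 101 (permit ip any any)
        lambda p: p.proto == "icmp",  # match protocol icmp
    ])
    fw.policies["p-map-1"] = [("c-map-1", "inspect")]
    fw.zone_pairs[("INSIDE", "OUTSIDE")] = "p-map-1"  # allow-in-out
    fw.zone_pairs[("INSIDE", "DMZ")] = "p-map-1"      # allow-in-dmz
    fw.zone_pairs[("OUTSIDE", "DMZ")] = "p-map-1"     # allow-out-dmz
    return fw


def zbf_session(src, dst, proto="icmp"):
    """Request plus reply through a fresh firewall: (request_forwarded, reply_forwarded)."""
    fw = build_lab02()
    req = fw.forward(Packet(src, dst, proto))
    rep = req and fw.forward(Packet(dst, src, proto))
    return req, rep


if __name__ == "__main__":
    for label, args in [
        ("inside -> outside icmp", ("1.1.1.2", "2.2.2.2")),
        ("outside -> inside icmp", ("2.2.2.2", "1.1.1.2")),
        ("outside -> DMZ icmp", ("2.2.2.2", "3.3.3.3")),
        ("DMZ -> outside icmp (no zone pair)", ("3.3.3.3", "2.2.2.2")),
        ("inside -> outside tcp (c-map-1 matches icmp only)", ("1.1.1.2", "2.2.2.2", "tcp")),
        ("unzoned f2/0 -> inside", ("4.4.4.2", "1.1.1.2")),
    ]:
        print(f"{label:50} {zbf_session(*args)}")
```

When you verify this lab with ping everything looks complete, but the model makes the gap visible: with only match protocol icmp in c-map-1, the inside hosts cannot open TCP or UDP sessions to the outside or the DMZ. Add the protocols you actually need to the class map, or use a match-any class map, before calling the policy done.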
