
Cisco Firewall Basics

Mark Cairns, Consulting Systems Engineer


BRKSEC-1020
Mark Cairns
Consulting Systems Engineer, GSSO supporting US Commercial
Based in Richmond, VA and cover select accounts in VA, DC and MD
17 years experience with Cisco Security Products
CCIE #17755, Security
You can reach me at marcairn@cisco.com and @12LISN2
Session Information
Basic Firewall Understanding
- This is an introductory session
- It is not meant for professionals with deep knowledge of firewalls and Cisco ASA
- This session is not for you if you want to deep dive into configurations for specific features / functionality
- References may be made to advanced functionality for context, but we will stay at a fairly high level
Agenda
- Introduction
- Back to Basics: Firewalls in General
- Where and Why: The Edge, Data Center and Hosted Environment
- What: Cloud Management, Security Zones, Physical and Virtual Appliances
- Additional Functions: When a Taller Wall Isn't Enough
- Did you know? Two use cases for ASA and Secure Group Tags
Firewalls in General
Securing/Hardening for What Purpose or Need?
- Subversion
- Disruption
- Bots, Viruses, and Worms
- Denial of service attacks
- Spyware and Adware
- Advanced Persistent Threats (APTs)
- Penetration Attempt
- Data Loss
- Zero-day Attacks
- Data theft and/or interception
- Hacker Attacks
- Identity theft
Firewalls
What are they?
- Primary filtering appliances/VMs that work at both the network and application layers
- Provide a platform for the features/functionality needed for network security:
  - VPNs (remote-access and site to site)
  - NGIPS
  - Anti-malware
- Next-generation security should not abandon proven stateful inspection capabilities in favor of application and user ID awareness alone
- A comprehensive network security solution includes firewalls, next-generation firewalls (application inspection and filtering) and next-generation intrusion prevention systems (context aware)
- The firewall is often the conduit from which other defense components combat the threats that face the network
Where and Why
Filtering on a Tuple?
The genesis of firewalls was initially a means to filter traffic based on the five tuple of each packet:
- Source IP address: the IP address of the initiator of the IP packet
- Destination IP address: the IP address of the destination of the IP packet
- Source port: UDP or TCP port used by the initiator to establish communications with the destination
- Destination port: UDP or TCP port used by the destination to establish communications with the source
- IP protocol: the specific IP protocol used in the communication
Filtering IP Protocols
Common IP protocol numbers carried in the packet header:
- ICMP (1)
- TCP (6)
- UDP (17)
- GRE (47)
- ESP (50)
- AH (51)
- EIGRP (88)
- OSPF (89)
Full registry: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Stateful Inspection
Most routers and switches can filter based on the five tuple. Why a firewall then?
- Stateful firewalls track L3/L4 traffic as it leaves and returns to the network
- Connections are maintained in the connection table, tracking the five tuple and additional information such as sequence numbers
Diagram: outbound packet Src IP 1.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80; return packet Src IP 2.2.2.2, Dest IP 1.1.1.1, Src Port TCP/80, Dest Port TCP/35478
Connection table entry for this flow:
TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), flags UIO, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002
*Best Practice: Limit outbound connections to known services and hosts, such as SMTP servers only for port 25.
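As an added example (not from the session deck), the following Python parses connection-table lines in the format shown above into five tuples and audits them against an outbound allowlist in the spirit of the best practice; the second and third sample lines, the allowlist and the documentation addresses are constructed.

```python
"""Parse ASA-style connection-table lines and audit outbound flows."""
import re
from dataclasses import dataclass

# Matches the line format shown on the slide; the parenthesised values are the
# translated addresses and are skipped.  Assumption: the outside end is listed
# first and the inside (initiating) host second, as on the slide.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<far_if>\w+):(?P<far_ip>[\d.]+)/(?P<far_port>\d+)\s+\([\d.]+/\d+\)\s+"
    r"(?P<near_if>\w+):(?P<near_ip>[\d.]+)/(?P<near_port>\d+)\s+\([\d.]+/\d+\)"
    r".*?flags\s+(?P<flags>\S+),"
)


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_conn(line):
    """Return (FiveTuple, flags) for a connection line, or None if malformed."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    ft = FiveTuple(m["proto"], m["near_ip"], int(m["near_port"]),
                   m["far_ip"], int(m["far_port"]))
    return ft, m["flags"]


# Outbound allowlist: (protocol, destination port) -> permitted destination hosts.
# "*" means any host.  Constructed policy: web anywhere, SMTP only to the relay.
ALLOWED_OUTBOUND = {
    ("TCP", 80): {"*"},
    ("TCP", 443): {"*"},
    ("TCP", 25): {"203.0.113.25"},
}


def outbound_allowed(ft, policy=ALLOWED_OUTBOUND):
    hosts = policy.get((ft.proto, ft.dst_port))
    return bool(hosts) and ("*" in hosts or ft.dst_ip in hosts)


def audit(lines, policy=ALLOWED_OUTBOUND):
    """Return the five tuples in the connection table that violate the policy."""
    violations = []
    for line in lines:
        parsed = parse_conn(line)
        if parsed is None:
            continue          # skip headers or lines in another format
        ft, _flags = parsed
        if not outbound_allowed(ft, policy):
            violations.append(ft)
    return violations


# Constructed sample: the slide's entry plus one allowed and one rogue SMTP flow.
SAMPLE_CONN_TABLE = [
    "TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), flags UIO, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002",
    "TCP outside:203.0.113.25/25 (203.0.113.25/25) inside:1.1.1.1/40000 (1.1.1.1/40000), flags UIO, idle 0s, uptime 1s, timeout 1h0m, bytes 120",
    "TCP outside:198.51.100.9/25 (198.51.100.9/25) inside:1.1.1.1/40001 (1.1.1.1/40001), flags UIO, idle 0s, uptime 1s, timeout 1h0m, bytes 0",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_CONN_TABLE):
        print("policy violation:", v)
```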
Network Address Translation
Network address translation (NAT) is the mapping of IP addresses from a private network to a public network.
NAT gives network administrators and security administrators:
- Access to non-publicly routable IPv4 space
- Cost savings, because addresses are not cheap
- Masquerading of internal network addresses
- A way to cope with exhausted IPv4 address space
Diagram: packet before NAT Src IP 10.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80; packet after NAT Src IP 3.3.3.3, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80
Edge With DMZ
- Similar to a basic edge design with the addition of inbound traffic
- Traffic inbound from the DMZ to the trusted network may or may not pass the firewall
Edge With DMZ - VPN
- Multiple path options for VPN with trusted and untrusted packets
- VPN Concentrator may be connected outside the firewall
- Trusted traffic path usually depends on source: Employee or Vendor, B2B, etc.
*Best Practices: Remember that controlling access from a VPN to an internal resource is not a dead end! Jump box scenario. Hide your firewall with private IP space on the outside.
Tiered DMZs
- Typically seen in multi-tiered hosting for e-commerce
- Forces all traffic between tiers to pass firewall rules
- Can help mitigate risk and contain exploits and/or breaches within a DMZ
Bridge across your DMZs
- Sometimes referred to as clean and dirty DMZs
- VPN, Video, etc.
- Avoids hair-pinning
*Best Practice: Use destination NAT with a block of unused private IPs for outbound L2L VPN instead of routing individual remote IPs.
Split Firewalls
- Not common without Layer 3
- Forces routing on endpoints
Split Firewalls (Layer 3)
- Layer 3 hop between firewalls
- Avoids hair-pinning
- May still have an optional trusted connection
Securing the WAN
Typical MPLS WAN
- Does not ensure privacy
Internet based WAN
- Lower cost alternative to MPLS
- Dictates VPN for routing and privacy
- Direct Internet Access (DIA) adds security risk
Internet based WAN (secure router)
- Secure router combines functions
- Inspect DIA
- Typically no need for inbound access directly from Internet
From branch to SOHO
- Add trusted connectivity to an untrusted environment
- Leverages firewalling and authentication
Manage to Scale
- Growth dictates migration from on-box to off-box management
- Control and data plane are local to the firewall
Scale to the Cloud
- Move control plane to cloud portal
- Data plane remains local
- OpEx cost reduction
Data Center Clustering for Performance and Scale
- Handles asymmetric traffic associated with VPC/VSS
- N+1 redundancy
- Keeps DC design intact
- Scale to 16 firewalls
Securing VMs and Hosting Environments
What is the right solution?
Cloud Networking Group
About Cisco Cloud-Managed Networking
Cisco Meraki: a complete cloud-managed networking solution
- Wireless, switching, security, WAN optimization, and MDM, centrally managed over the web
- Built from the ground up for cloud management
- Integrated hardware, software, and cloud services
Leader in cloud-managed networking
- Among Cisco's fastest-growing portfolios
- Tens of millions of devices connected worldwide
Recognized for innovation
- Gartner Magic Quadrant, InfoWorld Technology of the Year, CRN Coolest Technologies
Distributed networks
Centralized cloud management scales to thousands of sites
- Multi-site visibility and control: Map-based dashboard; configuration sync; remote diagnostics; automatic monitoring and alerts
- Zero-touch provisioning: Devices automatically provision from the cloud, no staging required; self-configuring site-to-site VPN
- Traffic acceleration: WAN optimization and web caching accelerates and de-duplicates network traffic; application-aware QoS prioritizes productivity apps
Automated site-to-site VPN
Site-to-site IPsec VPN in just two clicks in the Dashboard
- Simple: Creates L3 site-to-site VPN tunnels with just 2 clicks in the dashboard
- Automatic: Comparable to Cisco DMVPN, it creates a mesh or hub-and-spoke VPN tunnel between all peers and adjusts to IP changes
- Resilient: Automatic failover to secondary WAN link or 3G/4G USB modem
Diverse Security
- Best IPS: Sourcefire IDS / IPS, updated every day
- Content Filtering: 4+ billion URLs, updated in real-time
- Geo-based security: Block attackers from rogue countries
- AV / anti-phishing: Kaspersky AV, updated every hour
- PCI compliance: PCI L1 certified cloud-based management
Choosing the right MX for your environment
Model | Where | Unique Features | FW Throughput
MX64 / MX64W | Small branches (~50 users) | 802.11ac Wireless (MX64W) | 200 Mbps
MX80 | Mid-size branches (~100 users) | Large Web cache (1TB) | 250 Mbps
Z1 | For teleworkers (1-5 users) | Dual-radio wireless | 50 Mbps
MX100 | Mid-size branches (~500 users) | Gigabit uplinks; Large Web cache (1TB) | 500 Mbps
MX400 | Large branch/campus (~2,000 users) | High-speed uplinks; Built-in redundancy; Modular interface; Large Web cache (1TB) | 1 Gbps
MX600 | Large branch/campus (~10,000 users) | High-speed uplinks; Built-in redundancy; Modular interface; Large Web cache (4TB) | 2 Gbps
All devices support 3G/4G.
Zone Based Firewall
Support for:
- ISR, ASR, CSR
- NAT
- WAAS
- VRFs
- Redundancy
- VTIs for VPNs
- Deep Packet Inspection
Diagram: three zones on one router, Trusted (G0/1.101), DMZ (G0/1.103) and Internet (G0/0); all traffic from Internet to DMZ is permitted, while TCP/UDP/ICMP from Trusted to Internet is inspected so that the response is allowed back ("Response OK").
Configuring ZBF
Step 1: Create zones and assign interfaces to security zones

  ! Create zones
  zone security Internet
  zone security Trusted
  zone security DMZ
  !
  ! Assign interfaces to security zones
  interface LISP0
   zone-member security DMZ
  !
  interface GigabitEthernet0/0
   description Public Outside
   zone-member security Internet
  !
  interface GigabitEthernet0/1.101
   description Inside
   zone-member security Trusted
  !
  interface GigabitEthernet0/1.103
   description Public DMZ
   zone-member security DMZ

Configuring ZBF
Step 2: Create the inspection class, the inspection policies, and the zone pairs that associate each policy with a direction

  ! Create inspection class
  class-map type inspect match-any All_Protocols
   description - Match all outgoing protocols
   match protocol tcp
   match protocol udp
   match protocol icmp
  !
  ! Create inspection policies
  policy-map type inspect trusted-to-internet
   class type inspect All_Protocols
    inspect
   class class-default
    drop
  !
  policy-map type inspect DMZ
   class class-default
    pass
  !
  ! Create zone pairs and associate policy
  zone-pair security Trusted->Internet source Trusted destination Internet
   service-policy type inspect trusted-to-internet
  zone-pair security Internet->DMZ source Internet destination DMZ
   service-policy type inspect DMZ
  zone-pair security DMZ->Internet source DMZ destination Internet
   service-policy type inspect DMZ
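To make the zone-pair semantics concrete, here is an added Python model (not Cisco code) of how an IOS zone-based firewall decides the fate of a flow given the zones, interface memberships and zone pairs configured above; the interface GigabitEthernet0/2 and the test flows are constructed, and the "pass" versus "inspect" distinction shows why the DMZ needs a zone pair in each direction while Trusted->Internet needs only one.

```python
"""Model of IOS zone-based firewall forwarding decisions."""

# Interface -> zone, as assigned with "zone-member security" above.
# GigabitEthernet0/2 is a constructed interface with no zone membership.
ZONE_OF = {
    "GigabitEthernet0/0": "Internet",
    "GigabitEthernet0/1.101": "Trusted",
    "GigabitEthernet0/1.103": "DMZ",
    "LISP0": "DMZ",
    "GigabitEthernet0/2": None,
}

# (source zone, destination zone) -> ordered (protocols matched, action) classes.
# None as the match set stands for class-default.
POLICY = {
    ("Trusted", "Internet"): [(frozenset({"tcp", "udp", "icmp"}), "inspect"),
                              (None, "drop")],
    ("Internet", "DMZ"): [(None, "pass")],
    ("DMZ", "Internet"): [(None, "pass")],
}


def zbf_action(in_if, out_if, proto, zone_of=ZONE_OF, policy=POLICY):
    """Return "inspect", "pass" or "drop" for a new flow from in_if to out_if.

    IOS ZBF defaults: traffic between two non-zone interfaces is unrestricted;
    traffic between a zone member and a non-member is dropped; traffic within
    one zone passes; traffic between zones with no zone pair is dropped;
    otherwise the first matching class of the zone pair's policy decides.
    """
    src, dst = zone_of.get(in_if), zone_of.get(out_if)
    if src is None and dst is None:
        return "pass"
    if src is None or dst is None:
        return "drop"
    if src == dst:
        return "pass"
    classes = policy.get((src, dst))
    if classes is None:
        return "drop"
    for match, action in classes:
        if match is None or proto in match:
            return action
    return "drop"


def flow_outcome(in_if, out_if, proto, zone_of=ZONE_OF, policy=POLICY):
    """Return (forward action, whether reply traffic is allowed back).

    "inspect" opens a stateful entry so replies return without their own
    zone pair; "pass" is stateless, so replies need a zone pair in the
    opposite direction that also permits them.
    """
    fwd = zbf_action(in_if, out_if, proto, zone_of, policy)
    if fwd == "drop":
        return fwd, False
    if fwd == "inspect":
        return fwd, True
    back = zbf_action(out_if, in_if, proto, zone_of, policy)
    return fwd, back in ("pass", "inspect")


if __name__ == "__main__":
    print(flow_outcome("GigabitEthernet0/1.101", "GigabitEthernet0/0", "tcp"))
    print(flow_outcome("GigabitEthernet0/0", "GigabitEthernet0/1.103", "tcp"))
```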
ASA Physical and Virtual
Cisco ASA 5500 Series Portfolio
Comprehensive Solutions from SOHO to the Data Center; multi-service (Firewall/VPN and IPS), ordered by performance and scalability from SOHO through Branch Office, Internet Edge and Campus to Data Center:
- ASA 5505 (150 Mbps, 4K cps)
- ASA 5512-X (1 Gbps, 10K cps)
- ASA 5515-X (1.2 Gbps, 15K cps)
- ASA 5525-X (2 Gbps, 20K cps)
- ASA 5545-X (3 Gbps, 30K cps)
- ASA 5555-X (4 Gbps, 50K cps)
- ASA 5585-X SSP-10 (4 Gbps, 50K cps)
- ASA 5585-X SSP-20 (10 Gbps, 125K cps)
- ASA 5585-X SSP-40 (20 Gbps, 200K cps)
- ASA 5585-X SSP-60 (40 Gbps, 350K cps)


ASA 5500-X Firewall Hardware Comparison
Feature | ASA 5512-X | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X
64-bit Multi-Core Processors | Yes | Yes | Yes | Yes | Yes
Maximum Memory | 4 GB | 8 GB | 8 GB | 12 GB | 16 GB
Maximum Storage Form Factor | 8 GB eUSB | 8 GB eUSB | 8 GB eUSB | 8 GB eUSB | -
Base I/O Ports | 6 x 1GbE Cu, 1 x 1GbE Cu Mgmt | 6 x 1GbE Cu, 1 x 1GbE Cu Mgmt | 8 x 1GbE Cu, 1 x 1GbE Cu Mgmt | 8 x 1GbE Cu, 1 x 1GbE Cu Mgmt | 8 x 1GbE Cu, 1 x 1GbE Cu Mgmt
Expansion I/O Module | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP
Power Supply | Single Fixed Power Supply | Single Fixed Power Supply | Single Fixed Power Supply | Dual Hot-Swappable Redundant Power Supply | Dual Hot-Swappable Redundant Power Supply
VPN Crypto Hardware Accelerator | Yes | Yes | Yes | Yes | Yes
IPS Hardware Accelerator | No | No | Yes | Yes | Yes
ASA 5585-X Firewall Module Hardware Comparison
Feature | ASA SSP-10 | ASA SSP-20 | ASA SSP-40 | ASA SSP-60
Processor | 1 x 2.0 GHz (2 cores/4 threads) | 1 x 2.13 GHz (4 cores/8 threads) | 2 x 2.13 GHz (8 cores/16 threads) | 2 x 2.46 GHz (12 cores/24 threads)
Maximum memory | 6 GB | 12 GB | 12 GB | 12 GB
Maximum storage | 2 GB eUSB | 2 GB eUSB | 2 GB eUSB | 2 GB eUSB
Ports | 2 SFP+, 8 x 1 GE Cu, 2 x 1 GE Cu mgmt | 2 SFP+, 8 x 1 GE Cu, 2 x 1 GE Cu mgmt | 4 SFP+, 6 x 1 GE Cu, 2 x 1 GE Cu mgmt | 4 SFP+, 6 x 1 GE Cu, 2 x 1 GE Cu mgmt
Security (crypto) | 1 Cavium Nitrox 1620, 1.5 Gbps AES 256 | 2 Cavium Nitrox 1620, 3 Gbps AES 256 | 3 Cavium Nitrox 1620, 4.5 Gbps AES 256 | 4 Cavium Nitrox 1620, 6 Gbps AES 256
ASA 5585-X (FirePOWER Next-Generation IPS)
Metric | ASA 5585 SSP10F10 (Internet Edge/Campus) | ASA 5585 SSP20F20 (Internet Edge/Campus) | ASA 5585 SSP40F40 (Campus/Data Center) | ASA 5585 SSP60F60 (Data Center)
Performance
Max firewall | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps
Max traditional IPS | 2 Gbps | 3 Gbps | 5 Gbps | 10 Gbps
Max IPS | 2.5 Gbps | 7 Gbps | 10 Gbps | 15 Gbps
Max IPS + AVC | 2 Gbps | 3.5 Gbps | 6 Gbps | 10 Gbps
Max IPsec VPN | 1 Gbps | 2 Gbps | 3 Gbps | 5 Gbps
Max IPsec/SSL VPN peers | 5000 | 10,000 | 10,000 | 10,000
Platform Capabilities
Max firewall connections | 1 million | 2 million | 4 million | 10 million
Max connections per second | 50,000 | 125,000 | 200,000 | 350,000
Packets per second (64 byte) | 1.5 million | 3 million | 5 million | 9 million
Base I/O | 8 x 1 GE + 2 x 10 GE | 8 x 1 GE + 2 x 10 GE | 6 x 1 GE + 4 x 10 GE | 6 x 1 GE + 4 x 10 GE
Max I/O | 16 x 1 GE + 4 x 10 GE | 16 x 1 GE + 4 x 10 GE | 12 x 1 GE + 8 x 10 GE | 12 x 1 GE + 8 x 10 GE
VLANs supported | 250 | 250 | 250 | 250
High availability supported | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S
New Additions to the 5500 Portfolio
5506X with FirePOWER Services
- Max 250 Mbps AVC throughput
- Max 125 Mbps AVC and NGIPS
- 90 Mbps AVC or IPS with 440 byte HTTP
- ASDM 7.3.x or CSM and FireSIGHT
- Available in hardened and wireless configurations
5508X with FirePOWER Services
- Max 450 Mbps AVC throughput
- Max 250 Mbps AVC and NGIPS
- 180 Mbps AVC or IPS with 440 byte HTTP
- ASDM 7.3.x or CSM and FireSIGHT
5516X with FirePOWER Services
- Max 850 Mbps AVC throughput
- Max 425 Mbps AVC and NGIPS
- 300 Mbps AVC or IPS with 440 byte HTTP
- ASDM 7.3.x or CSM and FireSIGHT
Horizontal Scaling through Clustering
- Firewall maximum throughput: 640 Gbps
- Firewall + FirePOWER IPS maximum throughput: 160+ Gbps
- FirePOWER IPS 440-byte throughput: 96 Gbps
- Up to 16 Units
Cisco ASAv Firewall and Management Features
- Cisco ASA 9 Feature Set
- 10 vNIC interfaces and VLAN tagging
- Virtualization displaces multiple-context and clustering
- Parity with all other Cisco ASA platform features
- SDN (Cisco APIC) and traditional (Cisco ASDM and CSM) Cisco management tools
- Dynamic routing includes OSPF, EIGRP, and BGP
- IPv6 inspection support, NAT66, and NAT46/NAT64
- REST API for programmed configuration and monitoring
- Cisco TrustSec PEP with SGT-based ACLs
- Zone-based firewall
- Equal-Cost Multipath
- Failover Active/Standby HA model
- Removed clustering and multiple-context mode
Cisco ASAv Platforms
- Cisco ASAv5: 100 Mbps
- Cisco ASAv10: 1 Gbps
- Cisco ASAv30: 2 Gbps
* Lab Edition license is built in with 100-Kbps throughput and 100 total connections allowed
ASAv Deployed in Amazon Web Services
- Management (required) interface: used for SSH/ASDM access from the Jumpbox, and is provided by default. It has no Public/Elastic IPs and can not be used for through traffic.
- Outside Interface (required): used to connect the ASAv to the public network (default route) and is an alternative path for management access.
- Inside Interface (required) and DMZ Interface (optional): as in previous slides, used to connect the ASAv to internal subnets (no routes).
Diagram: Cisco ASAv30 in AWS with Management, Outside, Inside and DMZ interfaces; an admin reaches the Management interface from the Internet through the Ubuntu1 jumpbox; Ubuntu2 and Ubuntu3 sit on the Inside and DMZ subnets.
Routed Firewall
Routed Tenant Edge use case
- Traditional Layer 3 boundary
- First-hop gateway to hosts
- Enable physical and VM hosts
- Dynamic routing
- Support VPN
Diagram: Gateway 1 and Gateway 2 in a Shared Security Zone connect to Outside1 and Outside2 of a routed Cisco ASAv, which fronts Inside (host1, host2) and DMZ (client) segments.
Transparent Firewall
- Bridge up to 4 interfaces / sub-interfaces
- NAT and ACLs are available
- Traditional Layer 2 boundary between hosts
- All segments in one broadcast domain
Diagram: a transparent Cisco ASAv bridges Segment-1 through Segment-4 behind one Gateway, with host1, host2 and client on the bridged segments. 9.3.2
Cisco ASAv Data Sheet - Performance and Scale
Data Sheet Metric | Cisco ASAv5 | Cisco ASAv10 | Cisco ASAv30
Stateful Inspection Throughput (Maximum) | 100 Mbps | 1 Gbps | 2 Gbps
Stateful Inspection Throughput (Multi-Protocol) | 50 Mbps | 500 Mbps | 1 Gbps
3DES/AES VPN Throughput | 30 Mbps | 125 Mbps | 300 Mbps
Connections per Second | 8,000 | 20,000 | 60,000
Concurrent Sessions | 50,000 | 100,000 | 500,000
VLANs | 25 | 50 | 200
Bridge Groups (2 VLANs/BVI) | 12 | 25 | 100
Cisco Cloud Web Security Users | 50 | 150 | 500
IPsec VPN Peers | 50 | 250 | 750
Cisco AnyConnect or Clientless User Sessions | 50 | 250 | 750
UC Phone Proxy | 50 | 250 | 1000
Tested on Hardware: Cisco UCS C260 M2, Cisco UCS B200 M3, Intel Xeon processor E5-2640
Over, Through or Around The Wall
Things Change
Introducing Cisco ASA with FirePOWER Services
Industry's First Threat-Focused NGFW
- Proven Cisco ASA firewalling
- Industry leading NGIPS and AMP
- Integrating defense layers helps organizations get the best visibility
- Enable dynamic controls to automatically adapt
- Protect against advanced threats across the entire attack continuum
#1 Cisco Security announcement of the year!
Application Visibility and Control
Host Profiles
What OS?
What Services?
What Applications?
What Vulnerabilities?
Impact Assessment
Impact Flag | Administrator Action | Why
1 | Act immediately, vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate, potentially vulnerable | Relevant port open or protocol in use, but no vuln mapped
3 | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know, unknown target | Monitored network, but unknown host
0 | Good to know, unknown network | Unmonitored network
Indications of Compromise (IoCs)
- IPS Events: Malware Backdoors, Exploit Kits, Web App Attacks, CnC Connections, Admin Privilege Escalations
- SI Events: Connections to Known CnC IPs
- Malware Events: Malware Detections, Office/PDF/Java Compromises, Malware Executions, Dropper Infections
Advanced Malware Analysis
- Network File Trajectory: Where Has It Been Seen?
- Host File Trajectory: What Has It Done?
Security Threats and Notifications
- http://www.cisco.com/security
- Notification Registration
- Current News
Use Cases For Secure Group Tags
ASA Policy Enforcement with MDM
Leverage security groups to authorize endpoints based on MDM compliance.
Diagram (numbered flow across ISE, MDM, WLC, AP, ASA and Web Server): Create Security Groups on ISE (Compliant, Non-Compliant); Compliance check between ISE and MDM; Security Group Query; SXP from WLC to ASA; Policy on ASA by Security Group.
ASA Policy Enforcement with Nexus 1000V
Leverage security groups to automate provisioning of virtual servers.
Diagram (numbered flow across ISE, vCenter, Nexus 1000V, WLC, AP, ASA and a virtual Web Server): Create Port Profiles on N1000V (DMZ, Web, HR); Security Group Query; SXP from WLC and from the 1000V to ASA; Policy on ASA by Security Group; HTTPS to the virtual Web Server.
Thank you
Complete Your Online Session Evaluation
- Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
- Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Participate in the My Favorite Speaker Contest
Promote Your Favorite Speaker and You Could Be a Winner
- Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
- Send a tweet and include:
  - Your favorite speaker's Twitter handle @12LISN2
  - Two hashtags: #CLUS #MyFavoriteSpeaker
- You can submit an entry for more than one of your favorite speakers
- Don't forget to follow @CiscoLive and @CiscoPress
- View the official rules at http://bit.ly/CLUSwin
Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Table Topics
- Meet the Engineer 1:1 meetings
- Related sessions
Security Cisco Education Offerings
Course | Description | Cisco Certification
Implementing Cisco IOS Network Security (IINS) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls |
Implementing Cisco Threat Control Solutions (SITCS) | Deploy Cisco's Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security |
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco's Identity Services Engine and 802.1X secure network access |
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions |
Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for professional security analysts, the course covers essential areas of competency including event monitoring, security event/alarm/traffic analysis, and incident response | Cisco Cybersecurity Specialist
Network Security Product and Solutions Training | For official product training on Cisco's latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances see www.cisco.com/go/securitytraining |
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com
Design Cisco Education Offerings
Course | Description | Cisco Certification
Designing Cisco Network Service Architectures (ARCH) | Provides the learner with the ability to perform conceptual, intermediate, and detailed design of a network infrastructure that supports the desired capacity, performance, and availability required for converged Enterprise network services and applications. | CCDP (Design Professional)
Designing for Cisco Internetwork Solutions (DESGN) | Instructor-led training focused on fundamental design methodologies used to determine requirements for network performance, security, voice, and wireless solutions. Prepares candidates for the CCDA certification exam. | CCDA (Design Associate)
