Firewall Technologies
CCNA-Security
Cisco Confidential
Chapter 4: Objectives
In this chapter you will:
Explain how Zone-Based Policy Firewalls are used to help secure a network.
Chapter
4.0 Introduction
4.1 Access Control Lists
4.2 Firewall Technologies
4.3 Zone-Based Policy Firewalls
4.4 Summary
Order of statements
ACLs have a policy of first match; when a statement is matched, the list is no longer examined.
Ensure that statements at the top of the ACL do not negate any statements found lower.
Place specific ACL statements higher in the ACL and more general statements near the end.
2008 Cisco Systems, Inc. All rights reserved.
Special packets
If the security policy requires filtering these types of packets, inbound ACLs on adjacent routers or other router filter mechanisms must be used.
Modifying ACLs
New entries are added to an ACL and are always added to the bottom.
Starting with Cisco IOS 12.3, sequence numbers can be used to edit an ACL.
The access list is edited, adding a new ACE and replacing ACE line 20:
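An added example (not code from the Cisco course) that models the two points above in Python: first-match evaluation with detection of shadowed entries, and sequence-numbered editing in which an entry added without a number lands at the bottom, an entry can be inserted ahead of an existing one, and an existing line can be replaced. The matcher uses the standard ipaddress module, so it also covers IPv6 prefixes; the addresses and sequence numbers are constructed.

```python
import ipaddress
from collections import namedtuple
Ace = namedtuple("Ace", "seq action proto src dst")   # src/dst: CIDR, host address or "any"; proto "ip" = any protocol

def _covers(net, other):
    """True when prefix `net` contains every address in `other` (IPv4 or IPv6; "any" = all)."""
    if net == "any" or other == "any":
        return net == "any"
    a = ipaddress.ip_network(net, strict=False)
    b = ipaddress.ip_network(other, strict=False)   # a bare host address becomes a /32 or /128
    return a.version == b.version and b.subnet_of(a)

class Acl:
    def __init__(self):
        self.aces = {}   # seq -> Ace; namedtuples sort by their first field, so sorted() gives ACL order
    def add(self, seq, action, proto, src, dst):
        self.aces[seq] = Ace(seq, action, proto, src, dst)   # sequence-numbered insert, or replace
    def append(self, action, proto, src, dst):
        # An entry added without a sequence number always lands at the bottom.
        seq = max(self.aces) + 10 if self.aces else 10
        self.add(seq, action, proto, src, dst)
        return seq
    def evaluate(self, proto, src_ip, dst_ip):
        # First match wins and the rest of the list is not examined; implicit deny at the end.
        for ace in sorted(self.aces.values()):
            if ace.proto in ("ip", proto) and _covers(ace.src, src_ip) and _covers(ace.dst, dst_ip):
                return ace.action, ace.seq
        return "deny", None
    def shadowed(self):
        # (later_seq, earlier_seq) pairs: the earlier ACE already covers all of the later one's traffic.
        aces, result = sorted(self.aces.values()), []
        for i, later in enumerate(aces):
            for earlier in aces[:i]:
                if (earlier.proto in ("ip", later.proto)
                        and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)):
                    result.append((later.seq, earlier.seq))
                    break
        return result

def example(fix=False):
    # Constructed ACL: a general deny placed above the specific permit it negates.
    acl = Acl()
    acl.append("deny", "ip", "192.168.10.0/24", "any")        # seq 10
    acl.append("permit", "tcp", "192.168.10.10", "10.1.1.1")  # seq 20, can never match
    acl.append("permit", "ip", "any", "any")                  # seq 30
    if fix:   # re-add the specific ACE above the general one by sequence number, drop the dead copy
        acl.add(5, "permit", "tcp", "192.168.10.10", "10.1.1.1")
        del acl.aces[20]
    return acl
```

example() returns the misordered ACL and example(fix=True) the corrected one; shadowed() is the check worth running before an ACL is applied to an interface.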
ACL Placement
ACL Design
Debugging ACLs
traceroute
R1(config)#access-list 150 deny ip ...
(seven consecutive access-list 150 deny ip entries; their source and destination arguments did not survive extraction)
IPv6 ACLs
IPv6 ACLs are similar to IPv4 ACLs. They allow filtering on source and destination addresses, source and destination ports, and protocol type.
IPv6 ACLs are created using the ipv6 access-list command.
Object Groups
Defining Firewalls
Limitations
A misconfigured firewall can have serious consequences, such as becoming a single point of failure.
The data from many applications cannot be passed over firewalls securely.
Users might proactively search for ways around the firewall to receive blocked material, exposing the network to potential attack.
Network performance can slow down.
Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.
Types of Firewalls
Firewall Types
Packet filtering firewall - Typically a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information.
Stateful firewall - Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
Application gateway firewall (proxy firewall) - A firewall that filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software.
Network address translation (NAT) firewall - A firewall that expands the number of IP addresses available and hides the network addressing design.
Source IP address
Destination IP address
Protocol
Stateful Firewalls
Stateful firewalls are the most versatile and the most common firewall technologies in use.
Stateful filtering tracks each connection traversing all interfaces of the firewall and confirms that they are valid. The firewall
Classic Firewall
Classic Firewall was formerly known as context-based access control (CBAC).
Classic Firewall provides four main functions: traffic filtering, traffic inspection, intrusion detection, and generation of audits and alerts.
Classic Firewall is a dramatic improvement over the TCP established and reflexive ACL firewalls in several ways:
Monitors TCP connection setup
Tracks TCP sequence numbers
Monitors UDP session information
Inspects DNS queries and replies
Inspects common ICMP message types
Supports applications that rely on multiple connections
Inspects embedded addresses
Inspects application layer information
Demilitarized Zones
Demilitarized Zones (DMZs) define the portions of a network that are trusted and untrusted.
Layered Defense
Factors to consider when building a complete in-depth defense.
Pass
Analogous to a permit statement in an ACL.
It does not track the state of connections or sessions within the traffic.
Pass allows the traffic only in one direction.
A corresponding policy must be applied to allow return traffic to pass in the opposite direction.
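An added example, not from the slides, that models both the stateful tracking described under Stateful Firewalls and the pass action above: a zone-pair policy table with the pass, drop and inspect actions (inspect being ZPF's stateful action), and a session table that moves each inspected connection through the initiation, data transfer and termination states. Zone names, addresses and the packets are constructed, and each packet is assumed to arrive already labelled with its ingress and egress zones (the interface-to-zone mapping is omitted).

```python
from collections import namedtuple

# A packet already labelled with the zones of its ingress and egress interfaces
# (interface-to-zone mapping omitted). flags: set of TCP flags, empty for UDP.
Packet = namedtuple("Packet", "zone_in zone_out proto src sport dst dport flags")

class ZoneFirewall:
    def __init__(self):
        self.policies = {}   # (zone_in, zone_out) -> "pass", "drop" or "inspect"
        self.sessions = {}   # (proto, src, sport, dst, dport) -> initiation | data transfer | termination
    def forward(self, p):
        """Apply the zone-pair policy to one packet; returns (verdict, reason)."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        for k in (key, (p.proto, p.dst, p.dport, p.src, p.sport)):   # both directions of a session
            if k in self.sessions:
                self._track(k, p)
                return "permit", f"inspected session ({self.sessions[k]})"
        action = self.policies.get((p.zone_in, p.zone_out), "drop")   # no policy for the pair: drop
        if action == "pass":          # stateless: nothing is recorded, the reply needs its own policy
            return "permit", "pass"
        if action == "inspect":
            if p.proto == "tcp" and p.flags != {"SYN"}:
                return "drop", "tcp session must begin with a SYN"
            self.sessions[key] = "initiation"
            return "permit", "inspect: new session"
        return "drop", "drop"

    def _track(self, k, p):
        # Move the connection through initiation -> data transfer -> termination.
        if p.proto != "tcp":
            self.sessions[k] = "data transfer"
        elif p.flags & {"FIN", "RST"}:
            self.sessions[k] = "termination"
        elif p.flags == {"ACK"} and self.sessions[k] == "initiation":
            self.sessions[k] = "data transfer"

def scenario():
    # Constructed traffic: inside->outside is inspected, inside->dmz is only passed.
    fw = ZoneFirewall()
    fw.policies[("inside", "outside")] = "inspect"
    fw.policies[("inside", "dmz")] = "pass"
    packets = [
        Packet("inside", "outside", "tcp", "10.0.0.5", 40000, "203.0.113.7", 443, {"SYN"}),
        Packet("outside", "inside", "tcp", "203.0.113.7", 443, "10.0.0.5", 40000, {"SYN", "ACK"}),
        Packet("inside", "outside", "tcp", "10.0.0.5", 40000, "203.0.113.7", 443, {"ACK"}),
        Packet("outside", "inside", "tcp", "198.51.100.9", 5555, "10.0.0.5", 22, {"SYN"}),   # unsolicited
        Packet("inside", "dmz", "udp", "10.0.0.5", 53000, "172.16.1.10", 53, set()),
        Packet("dmz", "inside", "udp", "172.16.1.10", 53, "10.0.0.5", 53000, set()),           # reply to pass
    ]
    return [fw.forward(p)[0] for p in packets], fw
```

The last packet is dropped because pass recorded no session and no dmz-to-inside policy exists, which is exactly the return-traffic caveat stated above.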
Drop
Creating Zones
4.4 Summary
Chapter 4
Summary
Firewalls separate protected areas from non-protected areas to prevent unauthorized users from accessing protected network resources.
Common methods for implementing firewalls include:
Stateful firewall
Chapter 4
Summary (cont.)
Stateful firewalls can be implemented as follows: