Chapter Outline:
4.0 Introduction
4.1 Access Control Lists
4.2 Firewall Technologies
4.3 Zone-Based Policy Firewalls
4.4 Summary
Section 4.1: Access Control List
Upon completion of this section, you should be able to:
- Configure standard and extended IPv4 ACLs using CLI.
- Use ACLs to mitigate common network attacks.
- Configure IPv6 ACLs using CLI.
Topic 4.1.1: Configuring Standard and Extended IPv4 ACLs with CLI
Introduction to Access Control Lists
Configuring Numbered and Named ACLs
Applying an ACL
Syntax – Apply an ACL to an interface
Syntax – Apply an ACL to the VTY lines
Example – Named Standard ACL
Example – Named Extended ACL
Syntax – Apply an ACL to the VTY lines
Example – Named ACL on VTY lines with logging
ACL Configuration Guidelines
Editing Existing ACLs
Existing access list has three entries
Access list has been edited, which adds a new ACE and replaces ACE line 20.
Updated access list has four entries
Sequence Numbers and Standard ACLs
Existing access list has four entries
Access list has been edited, which adds a new ACE that permits a specific IP address.
Updated access list places the new ACE before line 20
Topic 4.1.2: Mitigating Attacks with ACLs
Antispoofing with ACLs
Permitting Necessary Traffic through a Firewall
Mitigating ICMP Abuse
Mitigating SNMP Exploits
Topic 4.1.3: IPv6 ACLs
Introducing IPv6 ACLs
IPv6 ACL Syntax
Configure IPv6 ACLs
Section 4.2: Firewall Technologies
Upon completion of this section, you should be able to:
- Explain how firewalls are used to help secure networks.
- Describe the various types of firewalls.
- Configure a classic firewall.
- Explain design considerations for implementing firewall technologies.
Topic 4.2.1: Securing Networks with Firewalls
Defining Firewalls
All firewalls:
- Are resistant to attack
- Are the only transit point between networks because all traffic flows through the firewall
- Enforce the access control policy
Benefits and Limitations of Firewalls
Topic 4.2.2: Types of Firewalls
Firewall Type Descriptions
Packet Filtering Firewall
Application Gateway Firewall
Stateful Firewall
NAT Firewall
Packet Filtering Firewall Benefits & Limitations
Stateful Firewalls
Stateful Firewalls
State Tables
Stateful Firewall Operation
Stateful Firewall Benefits and Limitations
Next Generation Firewalls
- Granular identification, visibility, and control of behaviors within applications
- Restricting web and web application use based on the reputation of the site
- Proactive protection against Internet threats
- Enforcement of policies based on the user, device, role, application type, and threat profile
- Performance of NAT, VPN, and SPI
- Use of an IPS
Topic 4.2.3: Classic Firewall
Introducing Classic Firewall
Classic Firewall Operation
Classic Firewall Configuration
- Choose the internal and external interfaces.
- Configure ACLs for each interface.
- Define inspection rules.
- Apply an inspection rule to an interface.
Inspection Rules
Topic 4.2.4: Firewalls in Network Design
Inside and Outside Networks
Demilitarized Zones
Zone-Based Policy Firewalls
Layered Defense
Considerations for network defense:
- Network core security
- Perimeter security
- Endpoint security
- Communications security
Firewall best practices include:
- Position firewalls at security boundaries.
- It is unwise to rely exclusively on a firewall for security.
- Deny all traffic by default. Permit only services that are needed.
- Ensure that physical access to the firewall is controlled.
- Monitor firewall logs.
- Practice change management for firewall configuration changes.
- Remember that firewalls primarily protect from technical attacks originating from the outside.
Section 4.3: Zone-Based Policy Firewalls
Upon completion of this section, you should be able to:
- Explain how Zone-Based Policy Firewalls are used to help secure a network.
- Explain the operation of a Zone-Based Policy Firewall.
- Configure a Zone-Based Policy Firewall with CLI.
Topic 4.3.1: Zone-Based Policy Firewall Overview
Benefits of ZPF
- Not dependent on ACLs
- Router security posture is to block unless explicitly allowed
- Policies are easy to read and troubleshoot with C3PL
- One policy affects any given traffic, instead of needing multiple ACLs and inspection actions
ZPF Design
Common designs include:
- LAN-to-Internet
- Firewalls between public servers
- Redundant firewalls
- Complex firewalls
Design steps:
- Determine the zones
- Establish policies between zones
- Design the physical infrastructure
- Identify subsets within zones and merge traffic requirements
Topic 4.3.2: ZPF Operation
ZPF Actions
- Inspect – Configures Cisco IOS stateful packet inspections.
- Drop – Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
- Pass – Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.
Rules for Transit Traffic
Rules for Traffic to the Self Zone
Topic 4.3.3: Configuring a ZPF
Configure ZPF
Step 1: Create Zones
Step 2: Identify Traffic
Command Syntax for class-map
Sub-Configuration Command Syntax for class-map
Example class-map Configuration
Step 3: Define an Action
Command Syntax for policy-map
Example policy-map Configuration
Step 4: Identify a Zone-Pair and Match to a Policy
Command Syntax for zone-pair and service-policy
Example service-policy Configuration
Step 5: Assign Zones to Interfaces
Verify a ZPF Configuration
Verification commands:
- show run | begin class-map
- show policy-map type inspect zone-pair sessions
- show class-map type inspect
- show zone security
- show zone-pair security
- show policy-map type inspect
ZPF Configuration Considerations
- No filtering is applied for intra-zone traffic
- Only one zone is allowed per interface.
- No Classic Firewall and ZPF configuration on same interface.
- If only one zone member is assigned, all traffic is dropped.
- Only explicitly allowed traffic is forwarded between zones.
- Traffic to the self zone is not filtered.
Section 4.4: Summary
Chapter Objectives:
- Implement ACLs to filter traffic and mitigate network attacks on a network.
- Configure a classic firewall to mitigate network attacks.
- Implement ZPF using CLI.
Download Slide PowerPoint (pptx):
[sociallocker id=”2293″][wpdm_package id=’2950′][/sociallocker]