CCNA Security 2.0 Study Material – Chapter 4: Implementing Firewall Technologies

Chapter Outline:

4.0 Introduction
4.1 Access Control Lists
4.2 Firewall Technologies
4.3 Zone-Based Policy Firewalls
4.4 Summary

Section 4.1: Access Control Lists

Upon completion of this section, you should be able to:

  • Configure standard and extended IPv4 ACLs using CLI.
  • Use ACLs to mitigate common network attacks.
  • Configure IPv6 ACLs using CLI.

Topic 4.1.1: Configuring Standard and Extended IPv4 ACLs with CLI

Introduction to Access Control Lists


Configuring Numbered and Named ACLs

Standard Numbered ACL Syntax


Extended Numbered ACL Syntax


Named ACL Syntax


Standard ACE Syntax


Extended ACE Syntax


Applying an ACL

Syntax – Apply an ACL to an interface


Syntax – Apply an ACL to the VTY lines


Example – Named Standard ACL


Example – Named Extended ACL



Example – Named ACL on VTY lines with logging
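A worked configuration that ties the standard and extended ACE syntax above to the two ways of applying an ACL. This is an added example, not one of the course's own slides; the interface name, the 192.168.10.0/24 inside network, the 209.165.200.224/27 server block and the ACL names are assumptions.

```cisco
! --- Named standard ACL restricting VTY (SSH) access, with logging ---
! A standard ACL matches on source address only, which is all that is
! needed to decide who may open a management session.
ip access-list standard ADMIN-MGMT
 remark Only the admin subnet may reach the VTY lines; log every decision
 permit 192.168.10.0 0.0.0.255 log
 deny   any log
!
! A standard ACL belongs as close to the destination as possible. For
! management access the destination is the router itself, so the ACL is
! bound with access-class on the VTY lines rather than to an interface.
line vty 0 4
 login local
 transport input ssh
 access-class ADMIN-MGMT in
!
! --- Named extended ACL filtering traffic entering from the inside LAN ---
! An extended ACL matches source, destination, protocol and port, so it is
! placed close to the source. Evaluation is first match, top to bottom, and
! a packet that matches nothing hits the implicit deny at the end.
ip access-list extended INSIDE-IN
 remark Web and DNS from the LAN to anywhere
 permit tcp 192.168.10.0 0.0.0.255 any eq www
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 permit udp 192.168.10.0 0.0.0.255 any eq domain
 remark SSH from the LAN only to the DMZ server block (assumed 209.165.200.224/27)
 permit tcp 192.168.10.0 0.0.0.255 209.165.200.224 0.0.0.31 eq 22
 remark Explicit final deny so the drops are counted and logged
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip access-group INSIDE-IN in
!
! Verification: the hit counters show which ACEs see traffic, and the
! second command confirms the ACL is actually bound to the interface.
! show access-lists INSIDE-IN
! show ip interface GigabitEthernet0/0 | include access list
```

INSIDE-IN only filters packets entering GigabitEthernet0/0; it is stateless and says nothing about what may come back from the Internet. Return traffic is the job of an inbound ACL on the outside interface or, better, of the stateful firewall covered in Sections 4.2 and 4.3.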


ACL Configuration Guidelines


Editing Existing ACLs

Existing access list has three entries


Access list has been edited, which adds a new ACE and replaces ACE line 20.


Updated access list has four entries


Sequence Numbers and Standard ACLs

Existing access list has four entries


Access list has been edited, which adds a new ACE that permits a specific IP address.


Updated access list places the new ACE before line 20
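The editing sequence described on the slides above, carried through as an added example (not the course's own figures). The list name LAN-ACCESS and its contents are assumptions.

```cisco
! Starting point: three ACEs, which IOS numbers 10, 20 and 30 as entered.
ip access-list standard LAN-ACCESS
 permit 192.168.10.0 0.0.0.255
 deny   192.168.20.0 0.0.0.255
 permit 192.168.0.0 0.0.255.255
!
! Edit 1: insert a new ACE between 10 and 20, and replace ACE 20.
! "no 20" removes that one line only. "no ip access-list standard
! LAN-ACCESS" would delete the whole list and silently unfilter every
! interface it is applied to.
ip access-list standard LAN-ACCESS
 15 deny 192.168.15.0 0.0.0.255
 no 20
 20 deny 192.168.20.0 0.0.0.255 log
!
! Edit 2: add a host-specific ACE at sequence 25.
ip access-list standard LAN-ACCESS
 25 permit host 192.168.20.100
!
! "show access-lists LAN-ACCESS" now shows the host ACE first, although
! "show running-config" still lists the ACEs by sequence number:
!   25 permit 192.168.20.100
!   10 permit 192.168.10.0, wildcard bits 0.0.0.255
!   15 deny   192.168.15.0, wildcard bits 0.0.0.255
!   20 deny   192.168.20.0, wildcard bits 0.0.0.255 log
!   30 permit 192.168.0.0, wildcard bits 0.0.255.255
! IOS keeps the host entries of a standard ACL in a separate hash and
! places them ahead of the range entries. The sequence numbers survive,
! but they do not by themselves fix the order, so read show access-lists
! after every edit instead of assuming the numbers decide it.
!
! Renumber in steps of 10 to leave room for later inserts. A numbered
! ACL is edited the same way after entering "ip access-list standard 10".
ip access-list resequence LAN-ACCESS 10 10
```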


Topic 4.1.2: Mitigating Attacks with ACLs

Antispoofing with ACLs


Permitting Necessary Traffic through a Firewall


Mitigating ICMP Abuse


Mitigating SNMP Exploits
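One inbound and one outbound ACL on the Internet-facing interface that cover the four mitigations in this topic (antispoofing, permitting only necessary traffic, ICMP abuse and SNMP exposure) as a single, ordered policy. This is an added example rather than the course's own slide content. Assumed addressing: LAN hosts use the public block 209.165.201.0/27, DMZ servers live in 209.165.200.224/27, GigabitEthernet0/1 faces the Internet and no NAT is in use.

```cisco
ip access-list extended OUTSIDE-IN
 remark --- Antispoofing: a packet from the Internet must not carry our own
 remark --- prefixes or a private, loopback, unspecified, multicast or
 remark --- broadcast source address
 deny   ip 209.165.201.0 0.0.0.31 any
 deny   ip 209.165.200.224 0.0.0.31 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark --- Necessary traffic: only the published services on the DMZ hosts
 permit tcp any host 209.165.200.226 eq www
 permit tcp any host 209.165.200.226 eq 443
 permit tcp any host 209.165.200.227 eq smtp
 permit tcp any host 209.165.200.228 eq domain
 permit udp any host 209.165.200.228 eq domain
 remark --- Return traffic for TCP sessions the LAN opened. "established"
 remark --- only checks the ACK/RST bits and keeps no state; that is the
 remark --- packet-filter weakness the stateful firewall sections address
 permit tcp any 209.165.201.0 0.0.0.31 established
 remark --- ICMP: only the replies and error messages inside hosts need
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any unreachable
 deny   icmp any any log
 remark --- SNMP: never reachable from the outside. Redundant with the final
 remark --- deny, but gives its own hit counter and its own log line
 deny   udp any any eq snmp log
 deny   udp any any eq snmptrap log
 deny   ip any any log
!
ip access-list extended OUTSIDE-OUT
 remark --- ICMP leaving the network: echo for troubleshooting plus the
 remark --- error types path MTU discovery depends on; nothing else leaks
 permit icmp 209.165.201.0 0.0.0.31 any echo
 permit icmp 209.165.201.0 0.0.0.31 any parameter-problem
 permit icmp 209.165.201.0 0.0.0.31 any packet-too-big
 permit icmp 209.165.201.0 0.0.0.31 any source-quench
 deny   icmp any any log
 remark --- Only our own prefixes may leave; the implicit deny stops a
 remark --- compromised inside host from spoofing a foreign source
 permit ip 209.165.201.0 0.0.0.31 any
 permit ip 209.165.200.224 0.0.0.31 any
!
interface GigabitEthernet0/1
 description Outside (Internet)
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
!
! If the router itself does not need SNMP, remove the service entirely:
! no snmp-server
! show access-lists OUTSIDE-IN
```

Order is what makes this work: the antispoofing denies sit above every permit so that a spoofed source can never reach a "permit ... any" line, and the ICMP and SNMP denies precede the final deny only so that their hits are counted separately.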


Topic 4.1.3: IPv6 ACLs

Introducing IPv6 ACLs


IPv6 ACL Syntax


Configure IPv6 ACLs
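An IPv6 counterpart to the IPv4 examples, added here and not taken from the course slides. Assumed addressing: the site holds 2001:db8:1::/48, the admin LAN is 2001:db8:1:10::/64, the DMZ web server is 2001:db8:1:20::80, and GigabitEthernet0/1 faces the Internet.

```cisco
ipv6 access-list OUTSIDE-IN-V6
 remark Antispoofing: our own prefix must never arrive from the Internet
 deny   ipv6 2001:db8:1::/48 any
 remark Published service
 permit tcp any host 2001:db8:1:20::80 eq www
 permit tcp any host 2001:db8:1:20::80 eq 443
 remark Every IPv6 ACL ends with three implicit entries:
 remark   permit icmp any any nd-na / permit icmp any any nd-ns / deny ipv6 any any
 remark An explicit deny-all below shadows the two Neighbor Discovery
 remark permits and the interface stops resolving neighbors, so they are
 remark written out here ahead of the explicit deny.
 permit icmp any any nd-na
 permit icmp any any nd-ns
 remark packet-too-big is mandatory: IPv6 routers never fragment, so
 remark without it path MTU discovery fails and large transfers hang
 permit icmp any any packet-too-big
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 deny   ipv6 any any log
!
interface GigabitEthernet0/1
 description Outside
 ipv6 address 2001:db8:1:ffff::1/64
 ipv6 traffic-filter OUTSIDE-IN-V6 in
!
! On the VTY lines the IPv6 list is bound with ipv6 access-class;
! the IPv4 access-class from earlier stays in place alongside it.
ipv6 access-list ADMIN-MGMT-V6
 permit tcp 2001:db8:1:10::/64 any eq 22
 deny   ipv6 any any log
line vty 0 4
 ipv6 access-class ADMIN-MGMT-V6 in
!
! show ipv6 access-list OUTSIDE-IN-V6
```

IPv6 ACLs are always named, carry no wildcard masks (prefix lengths instead), and are applied with ipv6 traffic-filter rather than ip access-group. The ND caveat is the one that bites in practice: an IPv4-style "deny any" at the end of an IPv6 list takes the interface off the link.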


Section 4.2: Firewall Technologies

Upon completion of this section, you should be able to:

  • Explain how firewalls are used to help secure networks.
  • Describe the various types of firewalls.
  • Configure a classic firewall.
  • Explain design considerations for implementing firewall technologies.

Topic 4.2.1: Securing Networks with Firewalls

Defining Firewalls

Properties shared by all firewalls:

  • Are resistant to attack
  • Are the only transit point between networks because all traffic flows through the firewall
  • Enforce the access control policy

Benefits and Limitations of Firewalls


Topic 4.2.2: Types of Firewalls

Firewall Type Descriptions

Packet Filtering Firewall


Stateful Firewall


NAT Firewall


Packet Filtering Firewall Benefits & Limitations


Stateful Firewalls


State Tables


Stateful Firewall Operation


Stateful Firewall Benefits and Limitations


Next Generation Firewalls

  • Granular identification, visibility, and control of behaviors within applications
  • Restricting web and web application use based on the reputation of the site
  • Proactive protection against Internet threats
  • Enforcement of policies based on the user, device, role, application type, and threat profile
  • Performance of NAT, VPN, and SPI
  • Use of an IPS

Topic 4.2.3: Classic Firewall

Introducing Classic Firewall


Classic Firewall Operation


Classic Firewall Configuration

  1. Choose the internal and external interfaces.
  2. Configure ACLs for each interface.
  3. Define inspection rules.
  4. Apply an inspection rule to an interface.

Inspection Rules
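The four configuration steps above carried through as one added example (not the course's own slide). Assumed: GigabitEthernet0/0 is the inside interface and GigabitEthernet0/1 the outside one; the ACL and rule names are arbitrary.

```cisco
! Step 1: choose the interfaces (g0/0 inside, g0/1 outside).
!
! Step 2: ACL on the outside interface that blocks unsolicited inbound
! traffic. The inspection engine opens temporary entries ahead of this
! ACL for the return packets of sessions that began on the inside, so
! the ACL can be far stricter than a stateless filter could afford.
ip access-list extended OUTSIDE-IN
 remark Return traffic is admitted by inspection, not by static ACEs
 permit icmp any any echo-reply
 permit icmp any any unreachable
 deny   ip any any log
!
! Step 3: inspection rules. One named rule set lists the protocols whose
! sessions are tracked. Generic tcp and udp cover most applications;
! naming an application (ftp here) adds protocol-aware handling such as
! opening the separately negotiated FTP data channel.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
ip inspect name FW-INSPECT ftp
ip inspect audit-trail
!
! Step 4: apply. The rule is applied inbound on the inside interface, i.e.
! to traffic leaving the LAN, so every session the LAN starts is entered
! in the state table and its replies are let past OUTSIDE-IN. Applying it
! outbound on the outside interface is equivalent; applying it to both
! directions of one interface is not needed and doubles the bookkeeping.
interface GigabitEthernet0/0
 description Inside
 ip inspect FW-INSPECT in
!
interface GigabitEthernet0/1
 description Outside
 ip access-group OUTSIDE-IN in
!
! Verification
! show ip inspect config
! show ip inspect sessions
```

Classic Firewall and ZPF cannot share an interface, so a migration to the zone-based model in Section 4.3 starts with removing the ip inspect statements.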


Topic 4.2.4: Firewalls in Network Design

Inside and Outside Networks


Demilitarized Zones


Zone-Based Policy Firewalls


Layered Defense

Considerations for network defense:

  • Network core security
  • Perimeter security
  • Endpoint security
  • Communications security

Firewall best practices include:

  • Position firewalls at security boundaries.
  • It is unwise to rely exclusively on a firewall for security.
  • Deny all traffic by default. Permit only services that are needed.
  • Ensure that physical access to the firewall is controlled.
  • Monitor firewall logs.
  • Practice change management for firewall configuration changes.
  • Remember that firewalls primarily protect from technical attacks originating from the outside.

Section 4.3: Zone-Based Policy Firewalls

Upon completion of this section, you should be able to:

  • Explain how Zone-Based Policy Firewalls are used to help secure a network.
  • Explain the operation of a Zone-Based Policy Firewall.
  • Configure a Zone-Based Policy Firewall with CLI.

Topic 4.3.1: Zone-Based Policy Firewall Overview

Benefits of ZPF

  • Not dependent on ACLs
  • Router security posture is to block unless explicitly allowed
  • Policies are easy to read and troubleshoot with C3PL
  • One policy affects any given traffic, instead of needing multiple ACLs and inspection actions


ZPF Design

Common designs include:

  • LAN-to-Internet
  • Firewalls between public servers
  • Redundant firewalls
  • Complex firewalls

Design steps:

  1. Determine the zones
  2. Establish policies between zones
  3. Design the physical infrastructure
  4. Identify subsets within zones and merge traffic requirements

Topic 4.3.2: ZPF Operation

ZPF Actions

  • Inspect – Configures Cisco IOS stateful packet inspection; the return traffic of an inspected session is admitted automatically.
  • Drop – Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
  • Pass – Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.

Rules for Transit Traffic


Rules for Traffic to the Self Zone


Topic 4.3.3: Configuring a ZPF

Configure ZPF


Step 1: Create Zones


Step 2: Identify Traffic

Command Syntax for class-map


Sub-Configuration Command Syntax for class-map


Example class-map Configuration


Step 3: Define an Action

Command Syntax for policy-map


Example policy-map Configuration


Step 4: Identify a Zone-Pair and Match to a Policy

Command Syntax for zone-pair and service-policy


Example service-policy Configuration


Step 5: Assign Zones to Interfaces


Verify a ZPF Configuration

Verification commands:

  • show run | begin class-map
  • show policy-map type inspect zone-pair sessions
  • show class-map type inspect
  • show zone security
  • show zone-pair security
  • show policy-map type inspect

ZPF Configuration Considerations

  • No filtering is applied to intra-zone traffic: interfaces in the same zone pass traffic to each other freely.
  • Only one zone is allowed per interface.
  • Classic Firewall (ip inspect) and ZPF cannot be configured on the same interface.
  • Traffic between an interface that is a zone member and one that is not is dropped, so assigning only one of a pair of interfaces to a zone breaks all transit traffic between them.
  • Only explicitly allowed traffic is forwarded between zones.
  • Traffic to and from the router's own addresses (the self zone) is permitted by default; it is filtered only once a zone pair that includes self has a policy applied.
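The five configuration steps, the verification commands and the self-zone and single-member caveats above, carried through as one added example (not the course's own slides). Assumed: GigabitEthernet0/0 is the LAN, GigabitEthernet0/1 the Internet uplink, and 192.168.10.0/24 is the admin subnet; the zone, class and policy names are arbitrary.

```cisco
! Step 1: create the zones. The "self" zone (the router itself) exists
! implicitly and is not created.
zone security INSIDE
 description LAN users
zone security OUTSIDE
 description Internet
!
! Step 2: identify traffic. match-any: matching any listed protocol puts
! the packet in the class.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! An ACL narrows a class: match-all requires the ACL AND the protocol.
ip access-list extended ADMIN-HOSTS
 permit ip 192.168.10.0 0.0.0.255 any
class-map type inspect match-all ADMIN-SSH-CLASS
 match access-group name ADMIN-HOSTS
 match protocol ssh
!
! Step 3: define the action. inspect creates a stateful session entry so
! the return traffic is admitted without any OUTSIDE->INSIDE policy.
! Anything not matched falls into class-default and is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Step 4: bind the policy to a unidirectional zone pair. No OUTSIDE->INSIDE
! pair exists, so unsolicited Internet traffic is dropped.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Traffic to the router's own addresses is permitted until a zone pair that
! includes "self" gets a policy. This pair limits LAN-to-router traffic to
! SSH from the admin subnet. pass keeps no state; the replies travel
! self->INSIDE, a direction with no zone pair, and are therefore permitted.
policy-map type inspect INSIDE-TO-SELF-POLICY
 class type inspect ADMIN-SSH-CLASS
  pass
 class class-default
  drop log
zone-pair security IN-TO-SELF source INSIDE destination self
 service-policy type inspect INSIDE-TO-SELF-POLICY
!
! Step 5: assign the interfaces. Between the two commands one interface is
! a zone member and the other is not, and traffic between them is dropped,
! so make this change from the console, not over an SSH session that
! transits the router.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Verification
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```

Once IN-TO-SELF exists, everything else the LAN sends to the router (DHCP requests, DNS or NTP served by the router, routing-protocol hellos) lands in class-default and is dropped, so any such service needs its own class in INSIDE-TO-SELF-POLICY before the zone pair is applied. show policy-map type inspect zone-pair sessions is the first place to look when a flow fails: a session entry that never appears means the class did not match; one that appears but shows no return packets points at the far side.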

Section 4.4: Summary

Chapter Objectives:

  • Implement ACLs to filter traffic and mitigate network attacks on a network.
  • Configure a classic firewall to mitigate network attacks.
  • Implement ZPF using CLI.
