Network Security (Version1.0) Modules 8 – 10: ACLs and Firewalls Group Test Online

Hint

In order to document the purpose of an ACL and identify its function more easily, the remark keyword is used when building the ACL. The established keyword is used to allow connections that were initially sourced from the current device. The eq operator is used to specify a port number for denying or permitting traffic. The description keyword is used when configuring and documenting interfaces.

Hint

Standard ACLs can be numbered 1 to 99 and 1300 to 1999. Standard IP ACLs filter only on the source IP address.

Hint

To completely remove an ACL from a router requires two steps. Removing the actual ACL with the no access-list command and removing the association of the ACL from the appropriate interface.

Hint

The following addresses should not be permitted inbound from the Internet in order to mitigate IP spoofing and DoS attacks:

• All zero address
• Broadcast addresses
• Local host addresses that start with 127
• Reserved private addresses
• IP multicast addresses

Hint

IPv6 address to MAC address resolution is performed through the exchange of ICMPv6 neighbor discovery packets comprised of neighbor solicitation and neighbor advertisement packets. Unless these packets are permitted on a router interface, the interface will not be able to perform MAC address resolution.

Hint

IPv6 access lists have distinct characteristics that are different than IPv4 access lists:

• They use prefix lengths instead of wildcard masks to match network bits.
• They permit two ICMPv6 message types: neighbor solicitations and neighbor advertisements by default.
• They are only created as named access lists.
• They use the command ipv6 taffic-filter when applied to an interface.

Hint

When an IPv6 ACE is created and is to be processed before an existing ACE is processed, the next command entered must use the sequence argument with a number lower than the existing ACE. This allows an entry to be placed before an existing entry, as the default sequence numbers are commonly numbered by increments of 10. Thus, using a sequence number of 5 on an ACE will place it in front of a prior existing entry with a sequence number of 10.

Hint

A firewall is a system that enforces an access control policy and prevents the exposure of sensitive hosts, resources, and applications to untrusted users.

Hint

Firewalls have some limitations:

• A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure.
• The data from many applications cannot be passed over firewalls securely.
• Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack.
• Network performance can slow down.
• Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.

Hint

An application gateway firewall, also called a proxy firewall, filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy server to connect to remote servers on behalf of clients. Remote servers will see only a connection from the proxy server, not from the individual clients.

Hint

When traffic is originating from the public network it will usually be blocked when traveling to the private network. Traffic that originates from the private network will be selectively allowed to be returned to the public network.

Hint

There are two configuration models for Cisco IOS Firewalls, IOS Classic Firewalls and zone-based policy firewalls (ZPF). Both configuration models can be enabled concurrently on a router but they cannot be combined on a single interface. One benefit of using ZPF is that ZPF is not dependent on ACLs.

Hint

Designing ZPFs involves several steps:

• Step 1 . Determine the zones – The administrator focuses on the separation of the network into zones. Zones establish the security borders of a network.
• Step 2 . Establish policies between zones – For each pair of “source-destination” zones, define the sessions that clients in the source zones can request from servers in destination zones.
• Step 3 . Design the physical infrastructure – After the zones have been identified, and the traffic requirements between them documented, the administrator must design the physical infrastructure. This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.
• Step 4 . Identify subsets within zones and merge traffic requirements – For each firewall device in the design, the administrator must identify zone subsets that are connected to its interfaces and merge the traffic requirements for those zones.

Hint

The inspect CCP action is similar to the classic firewall ip inspect command in that it inspects traffic going through the firewall and allowing return traffic that is part of the same flow to pass through the firewall. The drop action is similar to the deny parameter in an ACL. This action drops whatever traffic fits the defined policy. The pass action is similar to a permit ACL statement–traffic is allowed to pass through because it met the criteria of the defined policy statement.

Hint

After configuring the firewall policy, apply the policy to traffic that would flow between a pair of zones. Use the zone-pair security command in global configuration mode.

Hint

The steps for configuring a Cisco IOS zone-based policy firewall are as follows:

1. Create zones.
2. Define traffic classes.
3. Define firewall policies.
4. Apply policy maps to zone pairs.
5. Assign router interfaces to zones.

Hint

A stateful firewall performs better than a proxy server. A stateful firewall cannot authenticate users or prevent Layer 7 attacks. Both a stateful firewall and a proxy server can filter packets.

Hint

With a three interface firewall design that has internal, external, and DMZ connections, typical configurations include the following:

• Traffic originating from DMZ destined for the internal network is normally blocked.
• Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ.
• Traffic originating from the internal network destined from the DMZ is normally inspected and allowed to return.
• Traffic originating from external networks (the public network) is typically allowed in the DMZ only for specific services.

Hint

Limitations of stateful firewalls include the following:

• Stateful firewalls cannot prevent application layer attacks.
• Protocols such as UDP and ICMP are not stateful and do not generate information needed for a state table.
• An entire range of ports must sometimes be opened in order to support specific applications that open multiple ports.
• Stateful firewalls lack user authentication.

Hint

The pass action allows traffic only in one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to zones in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. Interfaces can belong to only one zone at any time.

Hint

All traffic is permitted in the self zone if the traffic originates from, or is destined for, the router.

Hint

Standard ACLs can only filter on source addresses. That is why they are normally placed closest to the destination. Extended ACLs can filter on source and destination IP addresses, port numbers, and specific message types within a particular protocol such as echo request within the ICMP protocol.

Hint

When a packet comes into a router that has an ACL configured on the interface, the router compares the condition of each ACE to determine if the defined criteria has been met. If met, the router takes the action defined in the ACE (allows the packet through or discards it). If the defined criteria has not been met, the router proceeds to the next ACE. An implicit deny any statement is at the end of every standard ACL.

Hint

The wildcard mask indicates that any IP address within the range of 172.16.0.0 to 172.16.15.255 matches.

Hint

The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255 will match all four network prefixes. All four prefixes have the same 22 high order bits. These 22 high order bits are matched by the network prefix and wildcard mask of 192.168.16.0 0.0.3.255.

Hint

Standard ACLs filter traffic based solely on a specified source IP address. Extended ACLs can filter by source or destination, protocol, or port. Both standard and extended ACLs contain an implicit deny as a final statement. Standard and extended ACLs can be identified by either names or numbers.

Hint

The established argument allows TCP return traffic from established connections to be sent on an outgoing interface to a network.

Hint

The host keyword is used when using a specific device IP address in an ACL. For example, the deny host 192.168.5.5 command is the same is the deny 192.168.5.5 0.0.0.0 command. The any keyword is used to allow any mask through that meets the criteria. For example, the permit any command is the same as permit 0.0.0.0 255.255.255.255 command.

Hint

A best practice for configuring an extended ACL is to ensure that the most specific ACE is placed higher in the ACL. Consider the two permit UDP statements. If both of these were in an ACL, the SNMP ACE is more specific than the UDP statement that permits a range of 10,001 UDP port numbers. The SNMP ACE would be entered before the other UDP ACE. The ACEs from most specific to least specific are as follows:

permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
deny udp any host 172.16.1.5 eq snmptrap
permit tcp 172.16.0.0 0.0.3.255 any established
deny tcp any any eq telnet
permit udp any any range 10000 20000
permit ip any any

Hint

By allowing the ICMP echo reply message inbound to the organization, internal users are allowed to ping external addresses (and the reply message allowed to return).

Hint

The ACL requires an ACE denying Telnet access from all users in the LAN to the file server at 2001:db8:48:1c::50/64. The IPv6 ACL also has an implicit deny, so a permit statement is required to allow all other traffic. With IPv6, the ipv6 traffic filter command is used to bind the ACL to the interface.

Hint

Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer. It also analyzes traffic at OSI Layers 4 and 5.​ Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of an HTTP connection.

Hint

There are many differences between a stateless and stateful firewall. Stateless firewalls: are susceptible to IP spoofing do not reliably filter fragmented packets use complex ACLs, which can be difficult to implement and maintain cannot dynamically filter certain services examine each packet individually rather than in the context of the state of a connection Stateful firewalls: are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic strengthen packet filtering by providing more stringent control over security improve performance over packet filters or proxy servers defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source provide more log information than a packet filtering firewall

Hint

A zone-based policy firewall uses the concept of zones to specify where firewall rules and policies should be applied. By default, the traffic between interfaces that exist in the same zone is not subject to any policy and passes freely.