Shared by: yaoyufang | posted: 11/29/2011 | language: English | pages: 11
CCNA Security





Chapter 4

Implementing Firewall Technologies



1.01 (KEY IDEAS 01) – MEDIA: N/A

• Describe numbered and named, standard and extended IP ACLs.
• Configure IP ACLs with IOS CLI and SDM.
• Describe TCP established ACL functionality.
• Configure ACLs with TCP established.
• Describe and configure reflexive ACLs.
• Describe and configure dynamic ACLs.
• Describe and configure time-based ACLs.
• Describe attack mitigation with ACLs.
• Describe the major types of firewalls.
• Describe and configure CBAC (IOS Stateful Packet Inspection) with CLI.
• Describe and configure Zone-Based Policy Firewall with CLI and SDM.





1.02 (TEACHING GOALS 01) – MEDIA: N/A

1. Describe the difference between standard and extended ACLs.

2. Explain and demonstrate the use of standard, extended and named ACLs.

3. Explain the evolution and purpose of network firewalls.

4. Discuss the benefits of using a network firewall.

5. Discuss the hardware and software components of a network firewall.

6. Discuss the different types of network firewalls.

7. Demonstrate the configuration and testing of a network firewall.

8. Discuss the importance of monitoring firewall logs.

9. Explain the various locations that a network firewall may be placed.

10. Explain the difference between host-based and appliance-based firewalls.

11. Discuss the purpose and operation of context-based ACLs.

12. Demonstrate the use of context-based ACLs.

13. Explain the four functions of context-based ACLs.

14. Demonstrate the configuration options with context-based ACLs.

15. Discuss the function and operation of Zone-based Policy Firewalls (ZBF).

16. Explain and demonstrate the four step process to implement and configure ZBF.

17. Discuss the three possible actions when configuring ZBF using SDM.

18. Identify the subject rules implemented by ZBF.

19. Demonstrate the five step process for implementing the ZBF using the CLI.

20. Discuss the factors that must be considered when configuring ZBF.

21. Demonstrate the process to create a zone.

22. Demonstrate the process to define a class.

23. Demonstrate the process to define and implement a policy.

24. Discuss the use of the Basic Firewall Wizard.

25. Demonstrate the use of SDM Basic Firewall Wizard to configure and implement the firewalls and ACLs.





1.03 (CRITICAL CONCEPTS 01) – MEDIA: N/A

• Standard and Extended IP ACLs

• Applications of Standard and Extended IP ACLs

• Using SDM to Configure ACL

• Topology and Flow for Access Control Lists

• ACLs with Security Device Manager

• TCP Established and Reflexive ACLs

• Dynamic ACLs

• Time-Based ACLs

• Validating Complex ACL Implementations

• Mitigating Attacks with ACLs

• Packet Filtering Firewall

• Stateful Firewall

• Cisco Systems Firewall Solutions

• Context-Based Access Control (CBAC)

• Verifying and Troubleshooting CBAC

• Zone-Based Policy Firewall

• Configuring Zone-Based Policy Firewall

• Using SDM to Configure, Verify and Troubleshoot Zone-Based Policy Firewall

• Verifying and Troubleshooting Zone-Based Policy Firewall





1.04 (CRITICAL CONCEPTS 02) – MEDIA: N/A

Misconceptions and Errors



• Access control lists (ACLs) are used for many different router features.

• The CPU power in modern Cisco routers makes them very capable of serving multiple services in SOHO applications.

• All ACLs assume an implicit deny, meaning that if a packet does not match any of the criteria specified in the ACL, the packet is denied. Once an ACL is created, at least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface.

• Zone-based policy firewalls provide a powerful new firewall technology for IOS-based routers.





1.05 (CRITICAL CONCEPTS 03) – MEDIA: N/A

Keywords

• DMZ
• Trusted network
• Untrusted network
• Standard and Extended IP ACLs
• ACLs with Security Device Manager
• TCP Established and Reflexive ACLs
• Dynamic ACLs
• Time-Based ACLs
• Packet Filtering Firewall
• Stateful Firewall
• Context-Based Access Control (CBAC)
• Zone-Based Policy Firewall
• Zone pairs
• Policy Maps



1.06 (HOW TO TEACH 01) – MEDIA: N/A

Student Preparation for Class

Before coming to class, students should have read Chapter 4, Implementing Firewall Technologies online.

Instructor prep

Instructors should prepare the Chapter 4 presentation. Review and prepare to complete the labs.

Lab Preparation – Required Resources

• 3 routers with SDM 2.5 installed (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
• 2 switches (Cisco 2960 or comparable)
• PC-A (Windows XP or Vista)
• PC-C (Windows XP or Vista)
• Serial and Ethernet cables as shown in the topology
• Rollover cables to configure the routers via the console

Download the latest Windows version of nmap from http://nmap.org/download.html.



1.06 (HOW TO TEACH 02) – MEDIA: N/A

Class Warm-up

Introduce the class to access-control lists and the concept of a firewall. Show the following Cisco videos to the class.

IOS_Firewall

1.06 (HOW TO TEACH 03) – MEDIA: N/A

Standard and Extended ACLs

Several caveats should be considered when working with ACLs:

• Implicit deny all - All Cisco ACLs end with an implicit "deny all" statement.

• Standard ACL packet filtering - Standard ACLs are limited to packet filtering based on source addresses only.

• Order of statements - ACLs have a policy of first match. When a statement is matched, the list is no longer examined. Certain ACL statements are more specific than others and, therefore, must be placed higher in the ACL.

• Directional filtering - Cisco ACLs have a directional filter that determines whether inbound packets (toward the interface) or outbound packets (away from the interface) are examined.

• Modifying ACLs - When a router compares a packet to an ACL, the ACL entries are examined from the top down. When a router locates a statement with matching criteria, the ACL processing stops and the packet is either permitted or denied based on the ACL entry. When new entries are added to an ACL, they are always added to the bottom.

• Special packets - Router-generated packets, such as routing table updates, are not subject to outbound ACL statements on the source router. If the security policy requires filtering these types of packets, inbound ACLs on adjacent routers or other router filter mechanisms using ACLs must do the filtering task.









1.06 (HOW TO TEACH 04) – MEDIA: N/A

Topology and Flow of ACLs

It is important to keep the placement of ACLs in mind. Placement depends on the type of ACL being used.

• Extended ACL placement - Extended ACLs are placed on routers as close as possible to the source that is being filtered. Placing extended ACLs too far from the source is an inefficient use of network resources. For example, packets can be sent a long way only to be dropped or denied.

• Standard ACL placement - Standard ACLs are placed as close to the destination as possible. Standard ACLs filter packets based on the source address only. Placing these ACLs too close to the source can adversely affect packets by denying all traffic, including valid traffic.

Test your ACL knowledge:

Use the diagram below to have students properly place both standard and extended ACLs.

Example: Have students properly identify the location for a standard ACL that denies 192.168.3.1 access to the web server 192.168.1.1.
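One way to place both ACLs for this exercise, as an added example that is not part of the original guide. It assumes the usual three-router lab topology: R1's FastEthernet0/1 connects the 192.168.1.0/24 LAN holding the web server, R3's FastEthernet0/1 connects the 192.168.3.0/24 LAN holding the host, with R2 between them; the interface and ACL names are assumptions.

```cisco
! Standard ACL on R1, the router closest to the destination. It can only
! match the source address, so it cannot single out web traffic: applied
! outbound on the LAN interface it blocks everything from 192.168.3.1 that
! is heading into 192.168.1.0/24, and nothing else.
R1(config)# access-list 10 deny host 192.168.3.1
! Without an explicit permit the implicit deny at the end drops all traffic.
R1(config)# access-list 10 permit any
R1(config)# interface FastEthernet0/1
R1(config-if)# ip access-group 10 out

! Extended ACL on R3, the router closest to the source. It matches protocol,
! source, destination and port, so the unwanted packets are dropped before
! they cross the WAN and every other flow from 192.168.3.1 still gets through.
! Order matters: the specific deny must come before the broad permit.
R3(config)# ip access-list extended BLOCK-WEB
R3(config-ext-nacl)# deny tcp host 192.168.3.1 host 192.168.1.1 eq www
R3(config-ext-nacl)# permit ip any any
R3(config-ext-nacl)# exit
R3(config)# interface FastEthernet0/1
R3(config-if)# ip access-group BLOCK-WEB in

! Verify: the match counter on the deny line increments when 192.168.3.1
! tries to reach port 80 on the server.
R3# show access-lists BLOCK-WEB
```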

1.06 (HOW TO TEACH 05) – MEDIA: N/A

Configuring Standard and Extended ACLs with SDM

The SDM Rules (ACLs) Summary window provides a summary of the rules in the router configuration and access to other windows to create, edit, and delete rules. To access this window, choose Configure > Additional Tasks > ACL Editor. These are the types of rules that Cisco SDM manages:

• Access Rules - Govern the traffic that can enter and leave the network. An administrator can apply access rules to router interfaces and to vty lines.

• NAT Rules - Determine which private IP addresses are translated into valid Internet IP addresses.

• IPsec Rules - Determine which traffic is encrypted on secure connections.

• NAC Rules - Specify which IP addresses are admitted to the network or blocked from the network.

• Firewall Rules - Specify the source and destination addresses and whether the traffic is permitted or denied.

• QoS Rules - Specify traffic that belongs to the quality of service (QoS) class to which the rule is associated.

• Unsupported Rules - Not created using Cisco SDM and not supported by Cisco SDM. These rules are read only and cannot be modified using Cisco SDM.

• Externally-defined Rules - Not created using Cisco SDM, but supported by Cisco SDM. These rules cannot be associated with any interface.

• SDM Default Rules - Predefined rules that are used by Cisco SDM wizards.

After the Rule Entry list is complete, the next step is to apply the rule to an interface.

1.06 (HOW TO TEACH 06) – MEDIA: N/A

Other Types of ACLs

Extended ACL using Established

This is the syntax for the TCP established option in a numbered extended IP ACL:

    Router(config)# access-list {100-199} {permit | deny} protocol source-addr
        [source-wildcard] [operator operand] destination-addr [destination-wildcard]
        [operator operand] [established]



The established keyword forces the router to check whether the TCP ACK or RST control flag is set. If the ACK flag is set, the TCP traffic is allowed in. If not, it is assumed that the traffic is associated with a new connection initiated from the outside.

Reflexive ACLs

Reflexive ACLs work by using temporary access control entries (ACEs) inserted into an extended ACL, which is applied on the external interface of the perimeter router. When the session ends or the temporary entry times out, it is removed from the ACL configuration of the external interface. This reduces network exposure to DoS attacks. The reflexive access list is what provides stateful firewall protection.
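The established option and a reflexive ACL side by side, as an added example that is not part of the original guide. It assumes a perimeter router R1 whose Serial0/0/0 faces the untrusted network and whose inside LAN is 192.168.1.0/24; the interface and list names are assumptions.

```cisco
! Option 1: established. Only TCP segments with ACK or RST set are let in,
! i.e. what looks like a reply to a session opened from the inside.
! Caveat: the router checks flag bits only and keeps no session state, so a
! crafted segment with ACK set matches too, and UDP/ICMP replies are not covered.
R1(config)# access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
R1(config)# access-list 101 deny ip any any log
R1(config)# interface Serial0/0/0
R1(config-if)# ip access-group 101 in
R1(config-if)# exit

! Option 2: reflexive ACL, which replaces option 1 on the same interface
! (only one ACL per direction can be applied to an interface).
! Each outbound session matched by a "reflect" line creates a temporary entry
! with source and destination (addresses and ports) swapped; "evaluate" applies
! those entries on the inbound ACL, and they vanish when the session closes or
! the timeout (seconds) expires, so the inbound hole exists only while needed.
R1(config)# interface Serial0/0/0
R1(config-if)# no ip access-group 101 in
R1(config-if)# exit
R1(config)# ip access-list extended OUTBOUND
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any reflect TCP-SESSIONS timeout 300
R1(config-ext-nacl)# permit udp 192.168.1.0 0.0.0.255 any reflect UDP-SESSIONS timeout 60
R1(config-ext-nacl)# permit icmp 192.168.1.0 0.0.0.255 any reflect ICMP-SESSIONS timeout 30
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended INBOUND
R1(config-ext-nacl)# evaluate TCP-SESSIONS
R1(config-ext-nacl)# evaluate UDP-SESSIONS
R1(config-ext-nacl)# evaluate ICMP-SESSIONS
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit
R1(config)# interface Serial0/0/0
R1(config-if)# ip access-group OUTBOUND out
R1(config-if)# ip access-group INBOUND in

! Verify: while a host inside has a session open, the mirrored temporary
! entries are listed under the reflexive list names.
R1# show access-lists
```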

1.07 (HOW TO TEACH 07) – MEDIA: N/A

Firewalls

The key to managing a perimeter firewall is controlling traffic inbound and outbound of the network. After implementing a stateful firewall on the perimeter router, have the students construct rules to allow acceptable traffic and deny potentially dangerous traffic:

Allow the following traffic:

Source Address        Destination Address   Rule
192.168.3.1           192.168.1.1           Inbound all Telnet traffic
192.168.3.3           192.168.1.1           Inbound all SSH traffic
192.168.3.0 subnet    192.168.1.0 subnet    All inbound and outbound HTTPS traffic
192.168.3.1           192.168.1.1           All Skype traffic









1.08 (HOW TO TEACH 08) – MEDIA: N/A

Context-Based Access Control

The Context-Based Access Control (CBAC) feature of the Cisco IOS® Firewall Feature Set actively inspects the activity behind a firewall. CBAC specifies what traffic needs to be let in and what traffic needs to be let out by using access lists (in the same way that Cisco IOS uses access lists). However, CBAC access lists include ip inspect statements that allow the inspection of the protocol to make sure that it is not tampered with before the protocol goes to the systems behind the firewall.

Have the students read and annotate the paper on CBAC, "Context-Based Access Control (CBAC): Introduction and Configuration".

Have students configure and test the sample configuration provided in the paper. Discuss their annotations and address any misconceptions.

router1#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#ip inspect name mysite ftp
router1(config)#ip inspect name mysite smtp
router1(config)#ip inspect name mysite tcp
router1#show ip inspect config
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50.
Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name mysite
  ftp timeout 3600
  smtp timeout 3600
  tcp timeout 3600
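A way to turn the rule table from section 1.07 into configuration and pair it with the CBAC inspection rule shown above, as an added example that is not part of the original guide or of the cited Cisco paper. It assumes the perimeter router R1 reaches 192.168.3.0/24 through Serial0/0/0 and the 192.168.1.0/24 LAN (with the server 192.168.1.1) through FastEthernet0/1; the interface and ACL names are assumptions.

```cisco
! Inbound ACL on the external interface: one permit per row of the table.
! The Skype row has no port-based equivalent, because Skype negotiates
! dynamic ports; it needs application-level inspection and is left out here.
R1(config)# ip access-list extended OUTSIDE-IN
R1(config-ext-nacl)# permit tcp host 192.168.3.1 host 192.168.1.1 eq telnet
R1(config-ext-nacl)# permit tcp host 192.168.3.3 host 192.168.1.1 eq 22
R1(config-ext-nacl)# permit tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 443
! Everything else is dropped and logged (the implicit deny would not log).
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit

! CBAC inspection rule, the same "mysite" rule as in the paper's session.
R1(config)# ip inspect name mysite ftp
R1(config)# ip inspect name mysite smtp
R1(config)# ip inspect name mysite tcp
! Log session open/close events so firewall activity can be reviewed later.
R1(config)# ip inspect audit-trail

! Apply both on Serial0/0/0. Inspecting outbound sessions makes CBAC add
! temporary entries that let their replies back in through OUTSIDE-IN, so the
! outbound half of the HTTPS row needs no extra permit line, while the
! "inbound" rows still admit only what the ACL lists.
R1(config)# interface Serial0/0/0
R1(config-if)# ip access-group OUTSIDE-IN in
R1(config-if)# ip inspect mysite out
R1(config-if)# exit

! Verify: open sessions and the interfaces the rule is bound to.
R1# show ip inspect sessions
R1# show ip inspect interfaces
```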





1.09 (HOW TO TEACH 09) – MEDIA: N/A

Zone-Based Policy Firewall

The Cisco IOS zone-based policy firewall configuration model was introduced in 2006. The key concept behind the new model is the ability to assign router interfaces to zones. This structure allows an inspection policy to be applied to traffic moving between the zones.









Note: A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface. It also has the ability to prohibit traffic via a default deny-all policy between firewall zones.









The primary motivations for network security professionals to migrate to the ZPF model are structure and ease of use. The structured approach is useful for documentation and communication. The ease of use makes network security implementations more accessible to a larger community of security professionals. Review the Zone-based firewall policy for Applications Traffic.

Have the students create a board game to reinforce these concepts.
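The five CLI steps (zone, class, policy, zone pair, interface membership) in working form, as an added example that is not part of the original guide. It assumes R1's FastEthernet0/1 is the trusted LAN and Serial0/0/0 the untrusted side; the zone, class and policy names are assumptions.

```cisco
! Step 1: create the zones. Interfaces not yet in a zone are unaffected.
R1(config)# zone security INSIDE
R1(config-sec-zone)# description Trusted LAN 192.168.1.0/24
R1(config-sec-zone)# exit
R1(config)# zone security OUTSIDE
R1(config-sec-zone)# description Untrusted network
R1(config-sec-zone)# exit

! Step 2: a class map selects the traffic the policy will act on.
R1(config)# class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
R1(config-cmap)# match protocol http
R1(config-cmap)# match protocol https
R1(config-cmap)# match protocol dns
R1(config-cmap)# match protocol icmp
R1(config-cmap)# exit

! Step 3: a policy map assigns one of the three actions: inspect, pass or drop.
! "inspect" tracks the session so its replies are allowed back from OUTSIDE.
R1(config)# policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
R1(config-pmap)# class type inspect INSIDE-TO-OUTSIDE-CLASS
R1(config-pmap-c)# inspect
R1(config-pmap-c)# exit
R1(config-pmap)# class class-default
R1(config-pmap-c)# drop log
R1(config-pmap-c)# exit
R1(config-pmap)# exit

! Step 4: a zone pair is one-directional; it binds the policy to INSIDE->OUTSIDE.
R1(config)# zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
R1(config-sec-zone-pair)# service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
R1(config-sec-zone-pair)# exit

! Step 5: assign interfaces. As soon as an interface joins a zone, traffic
! between it and any other zone is dropped unless a zone pair permits it.
! No OUTSIDE->INSIDE pair is defined, so unsolicited inbound traffic hits the
! default deny-all; only replies to inspected sessions come back.
R1(config)# interface FastEthernet0/1
R1(config-if)# zone-member security INSIDE
R1(config-if)# exit
R1(config)# interface Serial0/0/0
R1(config-if)# zone-member security OUTSIDE
R1(config-if)# exit

! Verify: active sessions for the zone pair and the configured pairs.
R1# show policy-map type inspect zone-pair IN-TO-OUT sessions
R1# show zone-pair security
```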

1.09 (DISCUSSION/ACTIVITIES 03) – MEDIA: N/A

Tips and Tricks

Have students pair off in teams of two. Demonstrate the multi-user feature of Packet Tracer to test each other's firewalls and ACLs.

Step 1 – Have UserA of the pair open the Multi-UserA Packet Tracer configuration.

Step 2 – Select Extensions from the Windows menu. Select "Multiuser" then "Listen".

Step 3 – Set the port number to 380XX, where XX represents their team number in the class. Also set the password to cisco. Click the "OK" button.

Step 4 – Select Extensions from the Windows menu. Select "Port Visibility" then click the box for R1. Click the "OK" button.

Step 5 – Have UserB of the pair open the Multi-UserB Packet Tracer configuration.









Step 6 – Click on the multiuser cloud and provide the following information, then click the "Connect" button.









Step 7 – UserA must accept the connection request from UserB.

At this point the students can work together and test each other's firewall and ACL configurations.

Self Check

1. What command is used to apply an ACL to an interface?

2. Give an example of using a zone-based policy firewall.

3. How many access lists can be assigned to an individual interface?

4. What types of ICMP messages can be inspected by an ACL?

5. Is a firewall able to detect and prevent attacks launched from inside the network perimeter?

6. What is another name for an application gateway firewall?

1.10 (DISCUSSION/ACTIVITIES 02) – MEDIA: N/A



Resources (web links)

• How to Use Cisco IOS Access Lists - Part 1
• Cisco access-list tutorial
• Access Control Lists: Overview and Guidelines
• ACL Command Reference
• Cisco Router Command Quick Reference
• Cisco access list syntax checker
• Managed Services: Cisco IOS Firewall
• White Paper Zone-Based Policy Firewall
• Zone-Based Policy Firewall
• Zone-Based Policy Firewall Design and Application Guide


