SEMESTER 1 Chapter 5 - DOC by wuyunyi


									CCNA Security Chapter 4
Implementing Firewall Technologies   Describe the most common types of                 IPv4 and IPv6 addresses as well as TCP and UDP port
          parameters used in security-related Access        numbers.
          Control Lists (ACLs):   Describe how Standard ACLs affect traffic on      Standard ACLs permit or deny traffic based on source
          an interface and list the command syntax for      address.
          configuring a standard numbered IP ACL:
                                                            Router(config)# access-list {1-99} {permit | deny} source-
                                                            address [source-wildcard]   Describe how Extended ACLs affect traffic on      Extended ACLs match packets based on Layer 3 and
          an interface and list the command syntax for      Layer 4 source and destination information. Layer 4
          configuring an extended numbered IP ACL:          information can include TCP and UDP port information.

                                                            Router(config)# access-list {100-199} {permit | deny}
                                                            protocol source-address [source-wildcard] [operator
                                                            operand] destination-address [destination-wildcard]
                                                            [operator operand] [established]   What is implied at the end of any ACL?            There is an implicit deny at the end of every ACL. If no
                                                            match is found in the list all traffic is denied.   How is the ACL searched?                          sequentially   What is the command to create a named ACL?        Router(config)# ip access-list [standard | extended]
                                                            name_of_ACL   What command creates a standard named             Router(config-std-nacl)# permit | deny {source [source-
          ACL?                                              wildcard] | any}   What command creates a extended named             Router(config-ext-nacl)# {permit | deny} protocol source-
          ACL?                                              addr [source-wildcard] [operator operand] destination-addr
                                                            [destination-wildcard] [operator operand] [established]   Describe two advantages of named ACLs?            An administrator can delete a specific entry in a named
                                                            An administrator can add entries in the middle of a named
                                                            ACL   What command activates an ACL on a specific       Router(config-if)# ip access-group access-list-name {in |
          port?                                             out}   What command activates an ACL on a vty line?      Router(config-line)# access-class access-list-name {in |
                                                            out}   What types of information are logged if the log   Action - permit or deny
          parameter is used with an ACL?                    Protocol - TCP, UDP, or ICMP
                                                            Source and destination addresses
                                                            For TCP and UDP - source and destination port numbers
                                                            For ICMP - message types

                                                    Page 1 of 11
CCNA Security Chapter 4
Implementing Firewall Technologies   Describe some common ACL configuration             *ACLs are created globally and then applied to interfaces.
          guidelines:                                        *An ACL can filter traffic going through the router, or traffic
                                                             to and from the router, depending on how it is applied.
                                                             *Only one ACL per interface, per protocol, per direction is
                                                             *Standard or extended indicates the information that is
                                                             used to filter packets.
                                                             *ACLs are processed top-down. Once a packet meets an
                                                             ACL test, the ACL processing stops and the packet is
                                                             either permitted or denied; therefore, the most specific
                                                             statements must go at the top of the list.
                                                             *All ACLs have an implicit “deny all” statement at the end,
                                                             therefore every list must have at least one permit statement
                                                             to allow any traffic to pass.   Study the diagrams to understand how the flow
          of traffic is effected by an ACL.   Describe the difference between inbound and        Inbound traffic refers to traffic as it enters into the router,
          outbound traffic.                                  prior to the routing table being accessed.
                                                             Outbound traffic refers to traffic that entered the router
                                                             and has been processed by the router to determine where
                                                             to forward that data. Prior to the data being forwarded out
                                                             of that interface, an outbound ACL is examined.   Describe the placement of ACLs:                    Extended ACLs are placed on routers as close as
                                                             possible to the source that is being filtered.
                                                             Standard ACLs are placed as close to the destination as
                                                             possible.   What IOS command will show the number of           Router#show ip access-list
          packets matching a given access control entry
          (ACE)?                                             Router#show running-config

          What IOS command will show which interfaces
          have ACLs applied?   What keyword included in an ACL statement          established
          forces the router to check whether the TCP
          ACK or RST control flag is set?   Give an example of an extended ACL                 R1(config)# access-list 100 permit tcp any eq 443
          statement that uses the established keyword: established   Explain how the reflect parameter dynamically      As traffic is leaving the network, if it matches a permit
          alters an ACL:                                     statement with a reflect parameter, a temporary entry is
                                                             added to the reflexive ACL. For each permit-reflect
                                                             statement, the router builds a separate reflexive ACL.   List and explain the steps to configure a router   Step 1. Create an internal ACL that looks for new outbound
          to use reflexive ACLs:                             sessions and creates temporary reflexive ACEs.
                                                             Step 2. Create an external ACL that uses the reflexive
                                                             ACLs to examine return traffic.
                                                             Step 3. Activate the Named ACLs on the appropriate

                                                     Page 2 of 11
CCNA Security Chapter 4
Implementing Firewall Technologies

                                                            interfaces.   Give an example of the command syntax for         R1(config)# ip access-list extended internal_ACL
          creating a reflexive ACL:                         R1(config-ext-nacl)# permit tcp any any eq 80 reflect web-
                                                            R1(config-ext-nacl)# permit udp any any eq 53 reflect dns-
                                                            only-reflexive-ACL timeout 10
                                                            R1(config)# ip access-list extended external_ACL
                                                            R1(config-ext-nacl)# evaluate web-only-reflexive-ACL
                                                            R1(config-ext-nacl)# evaluate dns-only-reflexive-ACL
                                                            R1(config-ext-nacl)# deny ip any any
                                                            R1(config)# interface s0/0/0
                                                            R1(config-if)# description connection to the ISP.
                                                            R1(config-if)# ip access-group internal_ACL out
                                                            R1(config-if)# ip access-group external_ACL in   Explain the security benefits Dynamic ACLs        * Challenge mechanism to authenticate individual users
          offer over standard and static extended ACLs:     * Simplified management in large internetworks
                                                            * Reduced router processing for ACLs
                                                            * Less opportunity for network break-ins by hackers
                                                            * Creation of dynamic user access through a firewall,
                                                            without compromising other configured security restrictions   Explain the operation of dynamic ACLs:            * User opens a Telnet or SSH session.
                                                            * Successful authentication activates a dynamic ACL entry.
                                                            * Dynamic entry allows access to internal resources.   What three methods of authentication are          * Local (the username database)
          supported by dynamic ACLs?                        * AAA server
                                                            * Line password.   What Cisco IOS command creates a dynamic          Router(config)# access-list {100-199} dynamic
          ACL entry?                                        dynamic_ACL_name [timeout minutes] {permit | deny}
                                                            protocol source-address [source-wildcard] [operator
                                                            operand] destination-address [destination-wildcard]
                                                            [operator operand] [established]   What Cisco IOS command specifies lock-and-        autocommand access-enable
          key authentication?   What parameters can be used to restrict traffic   * time of day
          with time-based ACLs?                             * day of the week
                                                            * day of the month   In a time-based ACL what two types of ranges      * absolute - one-time only
          can be specified by the time-range command?       * periodic - recurring   What command will allow you to analyze traffic    Router# debug ip packet [access-list-number | access-
          affected by ACLs?                                 list-name] [detail]

                                                     Page 3 of 11
CCNA Security Chapter 4
Implementing Firewall Technologies   What command will show how many packets             Router# show access-lists [access-list-number | access-
          are matched (permitted or denied) by each line      list-name]
          of an ACL?   What are some threats that ACLs can be used         * IP address spoofing, inbound and outbound
          to mitigate?                                        * DoS TCP SYN attacks
                                                              * DoS smurf attacks
                                                              * ICMP messages, inbound and outbound
                                                              * traceroute   Describe three types of addresses that should       * Any local host addresses (
          always be blocked inbound to a private              * Any reserved private addresses (RFC 1918, Address
          network:                                            Allocation for Private Internets)
                                                              * Any addresses in the IP multicast address range
                                                              (   List protocols and services that often need to      DNS, SMTP, FTP, Telnet, SSH, syslog, and SNMP
          be allowed through a firewall:   List and describe ICMP messages that are            * Echo - Allows users to ping external hosts.
          required for proper network operation and that      * Parameter problem - Informs the host of packet header
          should be allowed outbound:                         problems.
                                                              * Packet too big - Required for packet maximum
                                                              transmission unit (MTU) discovery.
                                                              * Source quench - Throttles down traffic when necessary.
                                                              * As a rule, block all other ICMP message types outbound.   Describe a firewall as it applies to computer       A firewall is a system or group of systems that enforces an
          networks:                                           access control policy between networks. It can include
                                                              options such as a packet filtering router, a switch with two
                                                              VLANs, and multiple hosts with firewall software.   Describe some common properties of network          * Resistant to attacks
          firewalls:                                          * Only transit point between networks (all traffic flows
                                                              through the firewall)
                                                              * Enforces the access control policy

4,2,1,2   List and describe the benefits and limitations of   Benefits:
          using a firewall in a network:
                                                              * Exposure of sensitive hosts and applications to untrusted
                                                              users can be prevented.
                                                              * The protocol flow can be sanitized, preventing the
                                                              exploitation of protocol flaws.
                                                              * Malicious data can be blocked from servers and clients.
                                                              * Security policy enforcement can be made simple,
                                                              scalable, and robust with a properly configured firewall.
                                                              * Offloading most of the network access control to a few
                                                              points in the network can reduce the complexity of security


                                                     Page 4 of 11
CCNA Security Chapter 4
Implementing Firewall Technologies

                                                               * If misconfigured, a firewall can have serious
                                                               consequences (single point of failure).
                                                               * Many applications cannot be passed over firewalls
                                                               * Users might proactively search for ways around the
                                                               firewall to receive blocked material, exposing the network
                                                               to potential attack.
                                                               * Network performance can slow down.
                                                               * Unauthorized traffic can be tunneled or hidden as
                                                               legitimate traffic through the firewall.   List and describe several types of filtering         * Packet-filtering firewall - Typically is a router with the
          firewalls:                                           capability to filter some packet content, such as Layer 3
                                                               and sometimes Layer 4 information.
                                                               * Stateful firewall - Monitors the state of connections,
                                                               whether the connection is in an initiation, data transfer, or
                                                               termination state.
                                                               * Application gateway firewall (proxy firewall) - A firewall
                                                               that filters information at Layers 3, 4, 5, and 7 of the OSI
                                                               reference model. Most of the firewall control and filtering is
                                                               done in software.
                                                               * Address-translation firewall - A firewall that expands the
                                                               number of IP addresses available and hides network
                                                               addressing design.
                                                               * Host-based (server and personal) firewall - A PC or
                                                               server with firewall software running on it.
                                                               * Transparent firewall - A firewall that filters IP traffic
                                                               between a pair of bridged interfaces.
                                                               * Hybrid firewall - A firewall that is a combination of the
                                                               various firewalls types. For example, an application
                                                               inspection firewall combines a stateful firewall with an
                                                               application gateway firewall.   What specific criteria do packet-filtering           * Source IP address
          firewalls use to permit or deny traffic?             * Destination IP address
                                                               * Protocol
                                                               * Source port number
                                                               * Destination port number
                                                               * Synchronize/start (SYN) packet receipt   Describe the operation of a stateful packet filter   When an outside service is accessed, the stateful packet
          firewall:                                            filter firewall retains certain details of the request by saving
                                                               the state of the request in the state table. The stateful
                                                               inspection tracks each connection traversing all interfaces
                                                               of the firewall and confirms that they are valid.   What type of traffic is typically allowed into the   Email, DNS, HTTP, or HTTPS
          DMZ from an untrusted interface?   In addition to a layered firewall topology what      * A significant number of intrusions come from hosts within
          are some other factors that must be considered       the network. For example, firewalls often do little to protect
          when building a complete in-depth defense:           against viruses that are downloaded through email.
                                                               * Firewalls do not protect against rogue modem
                                                               installations. In addition, and most importantly, a firewall is
                                                               no substitute for informed administrators and users.
                                                         Page 5 of 11
CCNA Security Chapter 4
Implementing Firewall Technologies

                                                            * Firewalls do not replace backup and disaster recovery
                                                            mechanisms resulting from attack or hardware failure. An
                                                            in-depth defense also includes offsite storage and
                                                            redundant hardware topologies.   Describe some key factors to consider when        * Position firewalls at key security boundaries.
          designing a firewall security policy:             * Firewalls are the primary security device, but it is unwise
                                                            to rely exclusively on a firewall for security.
                                                            * Deny all traffic by default, and permit only services that
                                                            are needed.
                                                            * Ensure that physical access to the firewall is controlled.
                                                            * Regularly monitor firewall logs. Cisco Security Monitoring,
                                                            Analysis, and Response System (MARS) is especially
                                                            useful in monitoring firewall logs.
                                                            * Practice change management for firewall configuration
                                                            * Firewalls primarily protect from technical attacks
                                                            originating from the outside. Inside attacks tend to be
                                                            nontechnical in nature.   What four main functions does CBAC provide?       * traffic filtering
                                                            * traffic inspection
                                                            * intrusion detection
                                                            * generation of audits and alerts.   List several ways in which CBAC can improve       CBAC:
          network security:                                 Monitors TCP connection setup
                                                            Tracks TCP sequence numbers
                                                            Inspects DNS queries and replies
                                                            Inspects common ICMP message types
                                                            Supports applications that rely on multiple connections
                                                            Inspects embedded addresses
                                                            Inspects Application Layer information   Describe the operation of the CBAC state table:   The state table tracks the sessions and inspects all packets
                                                            that pass through the stateful packet filter firewall. CBAC
                                                            then uses the state table to build dynamic ACL entries that
                                                            permit returning traffic through the perimeter router or
                                                            firewall.   Describe the four steps to configure CBAC:        Step 1. Pick an interface - internal or external.
                                                            Step 2. Configure IP ACLs at the interface.
                                                            Step 3. Define inspection rules.
                                                            Step 4. Apply an inspection rule to an interface.   Describe the guidelines for configuring IP ACLs   Start with a basic configuration. A basic initial
          on a Cisco IOS Firewall:                          configuration allows all network traffic to flow from
                                                            protected networks to unprotected networks while blocking
                                                            network traffic from unprotected networks.
                                                            Permit traffic that the Cisco IOS Firewall is to inspect.
                                                            For example, if the firewall is set to inspect Telnet, Telnet
                                                            traffic should be permitted on all ACLs that apply to the
                                                            initial Telnet flow.
                                                            Use extended ACLs to filter traffic that enters the
                                                            router from unprotected networks. For a Cisco IOS

                                                   Page 6 of 11
CCNA Security Chapter 4
Implementing Firewall Technologies

                                                             Firewall to dynamically create temporary openings, the
                                                             ACL for the return traffic must be an extended ACL. If the
                                                             firewall only has two connections, one to the internal
                                                             network and one to the external network, applying ACLs
                                                             inbound on both interfaces works well because packets are
                                                             stopped before they have a chance to affect the router.
                                                             Set up antispoofing protection by denying any inbound
                                                             traffic (incoming on an external interface) from a source
                                                             address that matches an address on the protected
                                                             network. Antispoofing protection prevents traffic from an
                                                             unprotected network from assuming the identity of a device
                                                             on the protected network.
                                                             Deny broadcast messages with a source address of
                                                    This entry helps prevent broadcast
                                                             By default, the last entry in an ACL is an implicit denial of
                                                             all IP traffic that is not specifically allowed by other entries
                                                             in the ACL. Optionally, an administrator can add an entry
                                                             to the ACL that denies IP traffic with any source or
                                                             destination address, thus making the denial rule explicit.
                                                             Adding this entry is especially useful if it is necessary to log
                                                             information about the denied packets.   What is the Cisco IOS global configuration         Router(config)# ip inspect name inspection_name
          command used to configure inspection rules?        protocol [alert {on | off}] [audit-trail {on | off}] [timeout
                                                             seconds]   Describe the two guiding principles for applying   1. On the interface where traffic initiates, apply the ACL in
          inspection rules and ACLs on the router:           the inward direction that permits only wanted traffic and
                                                             apply the rule in the inward direction that inspects wanted
                                                             2. On all other interfaces, apply the ACL in the inward
                                                             direction that denies all traffic, except traffic that has not
                                                             been inspected by the firewall, such as GRE and ICMP
                                                             traffic that is not related to echo and echo reply messages.   What Cisco IOS command is used to activate         Router(config-if)# ip inspect inspection_name {in | out}
          an inspection rule on an interface?   What Cisco IOS command is used to remove           Router(config)# no ip inspect
          CBAC from the router?   Give some examples of alert messages that          * Sending unapproved SMTP commands to an email
          CBAC might send for SMTP attacks:                  server
                                                             * Sending a pipe (|) in the To or From fields of an email
                                                             * Sending :decode@ in the email header
                                                             * Using old SMTP wiz or debug commands on the SMTP
                                                             * Executing arbitrary commands to exploit a bug in the
                                                             Majordomo email program.   What Cisco IOS command is used to enable           Router(config)# ip inspect audit-trail

                                                    Page 7 of 11
CCNA Security Chapter 4
Implementing Firewall Technologies   What Cisco IOS command is used to view            Router# show ip inspect [parameter]
          information about CBAC inspections?   What parameters can be used with the show         Name
          ip inspect command?                               Config
                                                            Sessions [detail]
                                                            All   What Cisco IOS command is used to allow the       Router# debug ip inspect protocol parameter
          administrator to see the real time operation of
          CBAC on the router?
Q: Describe the zone-based policy firewall:
A: A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface. It also has the ability to prohibit traffic via a default deny-all policy between firewall zones.

Q: Describe CBAC limitations:
A: * Multiple inspection policies and ACLs on several interfaces on a router make it difficult to correlate the policies for traffic between multiple interfaces.
   * Policies cannot be tied to a host group or subnet with an ACL. All traffic through a given interface is subject to the same inspection.
   * The process relies too heavily on ACLs.

Q: Describe some of the benefits of Zone-based Policy Firewalls:
A: * Not dependent on ACLs.
   * The router security posture is to block unless explicitly
   * Policies are easy to read and troubleshoot with C3PL.
   * One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

Q: What are the steps in designing zone-based firewalls?
A: Step 1. Determine the zones.
   Step 2. Establish policies between zones.
   Step 3. Design the physical infrastructure.
   Step 4. Identify subsets within zones and merge traffic requirements.

Q: Describe the three possible actions the Cisco IOS zone-based policy firewall can take when configured using Cisco SDM:
A: Inspect - Configures Cisco IOS stateful packet inspection. This action is equivalent to the CBAC ip inspect command. It automatically allows for return traffic and potential ICMP messages. For protocols requiring multiple parallel signaling and data sessions (for example, FTP or H.323), the inspect action also handles the proper establishment of data sessions.
   Drop - Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
   Pass - Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic. Pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.

   To apply rate limits to the traffic of a specified class, the police option can be used in conjunction with the inspect or pass command.

Q: Describe the rules governing interface behavior for the traffic moving between zone member interfaces:
A: * A zone must be configured before an administrator can assign interfaces to the zone.
   * If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
   * An administrator can assign an interface to only one security zone.
   * Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
   * To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
   * Traffic cannot flow between a zone member interface and any interface that is not a zone member. An administrator can apply pass, inspect, and drop actions only between two zones.
   * Interfaces that have not been assigned to a zone function can still use CBAC stateful packet inspection.
   * If an administrator does not want an interface on the router to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (also known as a dummy policy) between that zone and any other zone to which traffic flow is desired.

Q: What additional rules for zone-based policy firewalls govern interface behavior when the router is involved in the traffic flow?
A: * All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to or from other interfaces in the same zone and traffic to any interface on the router.
   * All the IP interfaces on the router are automatically made part of the self zone when ZPF is configured. The self zone is the only exception to the default deny-all policy. All traffic to any router interface is allowed until traffic is explicitly denied.

Q: What are the steps for configuring ZPF with the CLI?
A: Step 1. Create the zones for the firewall with the zone security command.
   Router(config)# zone security zone-name
   Router(config-sec-zone)# description line-of-description

   Step 2. Define traffic classes with the class-map type inspect command.
   Router(config)# class-map type inspect [match-any | match-all] class-map-name

   To reference an access list:
   Router(config-cmap)# match access-group {access-group | name access-group-name}

   To match protocols:
   Router(config-cmap)# match protocol protocol-name

   To nest class maps:
   Router(config-cmap)# match class-map class-map-

   Step 3. Specify firewall policies with the policy-map type inspect command.
   Router(config)# policy-map type inspect policy-map-

   To perform an action on a traffic class:
   Router(config-pmap)# class type inspect class-name

   To match all remaining traffic:
   Router(config-pmap)# class class-default

   To specify the action to take on the traffic:
   Router(config-pmap-c)# pass | inspect | drop [log] |

   Step 4. Apply firewall policies to pairs of source and destination zones using the zone-pair security command.

   To create a zone-pair:
   Router(config)# zone-pair security zone-pair-name [source source-zone-name | self] destination [self |

   To attach a policy-map to a zone-pair:
   Router(config-sec-zone-pair)# service-policy type inspect policy-map-name

   To configure deep-packet inspection (Layer 7):
   Router(config-pmap-c)# service-policy {h323 | http | im | imap | p2p | pop3 | sip | smtp | sunrpc | urlfilter} policy-

   To assign an interface to a security zone:
   Router(config-if)# zone-member security zone-name

   Step 5. Assign router interfaces to zones using the zone-member security interface command.

Q: Describe the four steps to configure ZPF with Cisco SDM:
A: Step 1. Define zones.
   Step 2. Configure class maps to describe traffic between
   Step 3. Create policy maps to apply actions to the traffic of the class maps.
   Step 4. Define zone pairs and assign policy maps to the zone pairs.
Q: Describe the steps to use the Basic Firewall Configuration wizard:
A: Step 1. From Cisco SDM, choose Configuration > Firewall and ACL.
   Step 2. In the Create Firewall tab, click the Basic Firewall option and click the Launch the Selected Task button.
   Step 3. The Basic Firewall Configuration Wizard window appears. Click Next to begin the configuration.

Q: What Cisco IOS command allows the examination of active connections in the ZPF state table?
A: Router# show policy-map type inspect zone-pair session
