CCNA_Security_04-bupt

CCNA Security

Chapter Four
Implementing Firewall Technologies
Lesson Planning


 •   This lesson should take 3-6 hours to present
 •   The lesson should include lecture,
     demonstrations, discussion and assessment
 •   The lesson can be taught in person or using
     remote instruction




                   北京邮电大学思科网络技术学院                   2
Major Concepts


 • Implement ACLs
 • Describe the purpose and operation of firewall
   technologies
 • Implement CBAC
 • Implement Zone-Based Policy Firewall using SDM and CLI




Lesson Objectives

 Upon completion of this lesson, the successful participant
 will be able to:
   1. Describe standard and extended ACLs
   2. Describe applications of standard and extended ACLs
   3. Describe the relationship between topology and flow for ACLs
      and describe the proper selection of ACL types for particular
      topologies (ACL design methodology)
   4. Describe how to implement ACLs with SDM
   5. Describe the usage and syntax for complex ACLs
   6. Describe the usage and syntax for dynamic ACLs
   7. Interpret the output of the show and debug commands used to
      verify and troubleshoot complex ACL implementations


Lesson Objectives

 8.   Describe how to mitigate common network attacks with ACLs
 9.   Describe the purpose of firewalls and where they reside in a
      modern network
 10. Describe the various types of firewalls
 11. Describe design considerations for firewalls and the implications
     for the network security policy
 12. Describe the role of CBAC in a modern network
 13. Describe the underlying operation of CBAC
 14. Describe the configuration of CBAC
 15. Describe the verification and troubleshooting of CBAC



Lesson Objectives

 16. Describe the role of Zone-Based Policy Firewall in a modern
     network
 17. Describe the underlying operation of Zone-Based Policy Firewall
 18. Describe the implementation of Zone-Based Policy Firewall with
     CLI
 19. Describe the implementation of Zone-Based Policy Firewall with
     manual SDM
 20. Describe the implementation of Zone-Based Policy Firewall with
     the SDM Wizard
 21. Describe the verification and troubleshooting of Zone-Based Policy
     Firewall



Implementing Firewall Technologies


 • 4.1 Access Control Lists
 • 4.2 Firewall Technologies
 • 4.3 Context-Based Access Control
 • 4.4 Zone-Based Policy Firewall




4.1 Access Control Lists

 • 4.1.1 Standard and Extended IP ACLs
 • 4.1.2 Applications of Standard and Extended IP ACLs
 • 4.1.3 Topology and Flow for Access Control Lists
 • 4.1.4 ACLs with Security Device Manager
 • 4.1.5 TCP Established and Reflexive ACLs
 • 4.1.6 Dynamic ACLs
 • 4.1.7 Time-Based ACLs
 • 4.1.8 Validating Complex ACL Implementations
 • 4.1.9 Mitigating Attacks with ACLs

4.1.1 Standard and Extended IP ACLs


 • ACL Topology and Types
 • Standard and Extended Numbered IP ACLs
 • Named IP ACLs
 • The log Parameter
 • ACL Configuration Guidelines




ACL Topology and Types




Standard Numbered IP ACLs

     Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask]

 • The first value specifies the ACL number
 • The second value specifies whether to permit or deny the configured
   source IP address traffic
 • The third value is the source IP address that must be matched
 • The fourth value is the wildcard mask to be applied to the previously
   configured IP address to indicate the range
 • All ACLs assume an implicit deny statement at the end of the ACL
 • At least one permit statement should be included or all traffic will be
   dropped once that ACL is applied to an interface


Extended Numbered IP ACLs

  Router(config)# access-list {100-199} {permit | deny}
  protocol source-addr [source-mask] [operator operand]
  destination-addr [destination-mask] [operator operand]
  [established]

 • The first value specifies the ACL number
 • The second value specifies whether to permit or deny accordingly
 • The third value indicates protocol type
 • The source IP address and wildcard mask determine where traffic
   originates. The destination IP address and wildcard mask are used to
   indicate the final destination of the network traffic
 • The command to apply the standard or extended numbered ACL:
   Router(config-if)# ip access-group number {in | out}


Named IP ACLs
 (Figures: Standard and Extended named ACL syntax)

      Router(config)# ip access-list extended vachon1
      Router(config-ext-nacl)# deny ip any 200.1.2.10 0.0.0.1
      Router(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 80
      Router(config-ext-nacl)# permit tcp any host 200.1.1.10 eq 25
      Router(config-ext-nacl)# permit tcp any eq 25 host 200.1.1.10 established
      Router(config-ext-nacl)# permit tcp any 200.1.2.0 0.0.0.255 established
      Router(config-ext-nacl)# permit udp any eq 53 200.1.2.0 0.0.0.255
      Router(config-ext-nacl)# deny ip any any
      Router(config-ext-nacl)# interface ethernet 1
      Router(config-if)# ip access-group vachon1 in
      Router(config-if)# exit

The log Parameter

R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22 log

   *May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet
   *May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets


  There are several pieces of information logged:
  • The action—permit or deny
  • The protocol—TCP, UDP, or ICMP
  • The source and destination addresses
  • For TCP and UDP—the source and destination port numbers
  • For ICMP—the message types
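An added parser for the log lines above (example code, not Cisco's), pulling out exactly the fields the slide lists and summing packet counts per ACL entry, source and destination. The two permitted lines are the slide's own; the denied TCP line, the ICMP line (IOS reports ICMP hits as %SEC-6-IPACCESSLOGDP with type/code) and the unrelated syslog line are constructed samples.

```python
# Added parser for IOS ACL log messages (example code, not Cisco's).
import re
from collections import Counter
from typing import Dict, List, Optional

# IPACCESSLOGP reports TCP/UDP hits with ports; IPACCESSLOGDP reports ICMP hits with type/code.
TCP_UDP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
ICMP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>icmp) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the logged fields as a dict, or None for lines that are not ACL log messages."""
    m = TCP_UDP.search(line) or ICMP.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    for k in ("sport", "dport", "type", "code", "count"):
        if k in rec:
            rec[k] = int(rec[k])          # ports, ICMP type/code and the packet count are numeric
    return rec


def summarise(lines: List[str]) -> Counter:
    """Total packets per (acl, action, proto, src, dst, service): who hit which entry, and how often."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = rec["dport"] if "dport" in rec else f"icmp {rec['type']}/{rec['code']}"
        totals[(rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"], service)] += rec["count"]
    return totals


# Constructed sample: the slide's two lines, two invented denies, and one unrelated syslog line.
SAMPLE_LOG = [
    "*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet",
    "*May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets",
    "*May 1 22:18:02.101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.9(51515) -> 192.168.2.1(23), 3 packets",
    "*May 1 22:18:40.555: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.1.9 -> 192.168.2.1 (8/0), 2 packets",
    "*May 1 22:19:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]
```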
ACL Configuration Guidelines

 • ACLs are created globally and then applied to interfaces
 • ACLs filter traffic going through the router, or traffic to
   and from the router, depending on how it is applied
 • Only one ACL per interface, per protocol, per direction
 • Standard or extended indicates the information that is
   used to filter packets
 • ACLs are processed top-down. The most specific
   statements must go at the top of the list
 • All ACLs have an implicit “deny all” statement at the end,
   therefore every list must have at least one permit
   statement to allow any traffic to pass


4.1.2 Applications of Standard and Extended IP ACLs


 • Applying Standard ACLs
 • Applying Extended ACLs
 • Other CLI Commands




Applying Standard ACLs
      Use a standard ACL to block all traffic from the
      172.16.4.0/24 network, but allow all other traffic.

      r1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
      r1(config)# access-list 1 permit any
      r1(config)# interface ethernet 0
      r1(config-if)# ip access-group 1 out
Applying Extended ACLs
          Use an extended ACL to block all FTP traffic from the
          172.16.4.0/24 network, but allow all other traffic.

   access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
   access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
   access-list 101 permit ip any any

Other CLI Commands


 • To ensure that only traffic from a subnet is
   blocked and all other traffic is allowed:
   access-list 1 permit any
 • To place an ACL on the inbound E1 interface:
   interface ethernet 1
   ip access-group 101 in
 • To check the intended effect of an ACL:
   show ip access-list
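The standard and extended ACLs from the two slides above, together with ACL 100 from the TCP Established slides later in this deck, run through an added Python model of IOS ACL processing: wildcard-mask matching, top-down first match, the implicit deny, and the `established` control-flag check. This is example code, not Cisco's implementation; the Packet fields and the test packets are constructed.

```python
# Added model of Cisco IOS numbered ACL evaluation (example code, not Cisco's).
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

Addr = Tuple[str, str]            # (base address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")


@dataclass
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False      # a TCP ACK or RST control flag is set


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: Addr
    dst: Addr
    sport_ok: Callable[[int], bool]
    dport_ok: Callable[[int], bool]
    established: bool
    hits: int = 0                 # the "matches" counter that `show access-lists` prints


def wildcard_match(addr: str, spec: Addr) -> bool:
    base, wildcard = spec
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # 0 bits must match, 1 bits are ignored
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def _take_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    """Consume `any`, `host A`, or `A [wildcard]` (an omitted wildcard means 0.0.0.0)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    has_mask = i + 1 < len(tok) and tok[i + 1].count(".") == 3   # next token is a dotted quad
    return (tok[i], tok[i + 1] if has_mask else "0.0.0.0"), i + (2 if has_mask else 1)


def _take_port(tok: List[str], i: int) -> Tuple[Callable[[int], bool], int]:
    if i < len(tok) and tok[i] == "eq":          # only the `eq <port>` operator, numeric ports
        n = int(tok[i + 1])
        return (lambda p: p == n), i + 2
    return (lambda p: True), i


def parse_ace(line: str) -> Ace:
    """Parse one `access-list <1-99|100-199> {permit|deny} ...` statement."""
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99:                       # standard ACL: source address only
        src, _ = _take_addr(tok, 3)
        return Ace(action, "ip", src, ANY, lambda p: True, lambda p: True, False)
    if 100 <= number <= 199:                    # extended ACL: proto, src [port], dst [port]
        proto, i = tok[3], 4
        src, i = _take_addr(tok, i)
        sport_ok, i = _take_port(tok, i)
        dst, i = _take_addr(tok, i)
        dport_ok, i = _take_port(tok, i)
        return Ace(action, proto, src, dst, sport_ok, dport_ok, "established" in tok[i:])
    raise ValueError(f"unsupported ACL number {number}")


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
        return False
    if not (ace.sport_ok(pkt.sport) and ace.dport_ok(pkt.dport)):
        return False
    # `established` only inspects control bits; it is not a session-table lookup
    return not ace.established or (pkt.proto == "tcp" and pkt.ack_or_rst)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "deny"


ACL_101 = [parse_ace(s) for s in (          # constructed copy of the deck's FTP-blocking ACL 101
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any")]
ACL_100 = [parse_ace(s) for s in (          # constructed copy of the deck's TCP established ACL 100
    "access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established",
    "access-list 100 permit tcp any host 192.168.1.3 eq 22",
    "access-list 100 deny ip any any")]
```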

4.1.3 Topology and Flow for Access Control Lists


 • How ACLs Work
 • ACL Placement
 • Using Nmap for Planning




How ACLs Work




     (Figures: Inbound ACL and Outbound ACL)
ACL Placement
 Standard ACLs should be placed as close to the destination as possible.
 Standard ACLs filter packets based on the source address only. If placed
 too close to the source, a standard ACL can deny all traffic from that source,
 including valid traffic.




Extended ACLs should be placed on routers as close as possible to the
source that is being filtered. If placed too far from the source being filtered,
there is inefficient use of network resources.
Using Nmap for Planning




4.1.4 ACLs with Security Device Manager


 • Using SDM
 • Access Rules
 • Configuring Standard Rules Using SDM
 • Applying a Rule to an Interface
 • Viewing Commands




Using SDM


                         Choose the Configure option
                         for configuring ACLs




Access Rules
      Choose Configure > Additional Tasks > ACL Editor




                               Rule types:
                               • Access Rules
                               • NAT Rules
                               • Ipsec Rules
                               • NAC Rules
                               • Firewall Rules
                               • QoS Rules
                               • Unsupported Rules
                               • Externally Defined Rules
                               • Cisco SDM Default Rules

Configuring Standard Rules Using SDM

 1. Choose Configure > Additional Tasks > ACL Editor > Access Rules
 2. Click Add
 3. Enter a name or number
 4. Choose Standard Rule; optionally, enter a description
 5. Click Add
 6. Choose Permit or Deny
 7. Choose an address type
 8. Complete this field based on the choice made in #7
 9. Enter an optional description
 10. Optional checkbox
 11. Click OK
 12. Continue adding or editing rules
Applying a Rule to an Interface




 1. Click Associate
 2. Choose the interface
 3. Choose a direction
 4. An information box with options appears if a rule is already
    associated with that interface, in that direction.
Viewing Commands

 R1# show running-config
 <output omitted>
 !
 hostname R1
 <output omitted>
 enable secret 5 $1$MJD8$.1LWYcJ6iUi133Yg7vGHG/
 <output omitted>
 crypto pki trustpoint TP-self-signed-1789018390
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1789018390
  revocation-check none
  rsakeypair TP-self-signed-1789018390
 !
 crypto pki certificate chain TP-self-signed-1789018390
  certificate self-signed 01
   3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
 <output omitted>
   1BF29620 A084B701 5B92483D D934BE31 ECB7AB56 8FFDEA93 E2061F33 8356
   quit
 interface FastEthernet0/1
  ip address 192.168.1.1 255.255.255.0
  ip access-group Outbound in
 <output omitted>
 !
 interface Serial0/0/0
  ip address 10.1.1.1 255.255.255.252
  clock rate 128000
 !
 <output omitted>
 no ip http server
 ip http secure-server
 !
 ip access-list standard Outbound
  remark SDM_ACL Category=1
  permit 192.168.1.3
 !
 access-list 100 remark SDM_ACL Category=16
 access-list 100 deny   tcp any host 192.168.1.3 eq telnet log
 access-list 100 permit ip any any
 !
 <output omitted>
 !
4.1.5 TCP Established and Reflexive ACLs


 • Types of ACLs
 • Syntax for TCP Established
 • Example with TCP Established
 • Reflexive ACLs
 • Configuring a Router to Use Reflexive ACLs




Types of ACLs

• Standard IP ACLs
• Extended IP ACLs
• Extended IP ACLs using TCP established
• Reflexive IP ACLs
• Dynamic ACLs
• Time-Based ACLs
• Context-based Access Control (CBAC) ACLs




Syntax for TCP Established

  Router(config)# access-list access-list-number {permit | deny} protocol
  source source-wildcard [operator port] destination destination-wildcard
  [operator port] [established]

 The established keyword:
 • Forces a check by the router to see whether the ACK or RST TCP control
   flag is set. If either flag is set, the TCP traffic is allowed in.
 • Does not implement a stateful firewall on a router
 • Hackers can take advantage of the open hole
 • Option does not apply to UDP or ICMP traffic

Example Using TCP Established
          access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
          access-list 100 permit tcp any host 192.168.1.3 eq 22
          access-list 100 deny ip any any
          interface s0/0/0
          ip access-group 100 in

Reflexive ACLs


                              • Provide a truer form of
                                session filtering
                              • Much harder to spoof
                              • Allow an administrator to
                                perform actual session
                                filtering for any type of IP
                                traffic
                              • Work by using temporary
                                access control entries
                                (ACEs)




Configuring a Router to Use Reflexive ACLs




                           1. Create an internal ACL that
                              looks for new outbound
                              sessions and creates
                              temporary reflexive ACLs
                           2. Create an external ACL that
                              uses the reflexive ACLs to
                              examine return traffic
                           3. Activate the named ACLs on
                              the appropriate interfaces

4.1.6 Dynamic ACLs


 • Overview
 • Creating a Dynamic ACL
 • Setting up a Dynamic ACL
 • CLI Commands




Dynamic ACL Overview

 • Available for IP traffic only
 • Dependent on Telnet connectivity, authentication, and extended
   ACLs
 • Security benefits include:
       - Use of a challenge mechanism to authenticate users
       - Simplified management in large internetworks
       - Reduction of the amount of router processing that is required for ACLs
       - Reduction of the opportunity for network break-ins by network hackers
       - Creation of dynamic user access through a firewall without
         compromising other configured security restrictions




Implementing a Dynamic ACL




Setting up a Dynamic ACL




Router(config)# access-list ACL_# dynamic dynamic_ACL_name [timeout minutes]
  {deny | permit} IP_protocol source_IP_address src_wildcard_mask
  destination_IP_address dst_wildcard_mask [established] [log]

CLI Commands




4.1.7 Time-based ACLs


 • Overview
 • CLI Commands
 • Example Configuration




Overview




CLI Commands




Example Configuration




               R1(config)# time-range employee-time
               R1(config-time-range)# periodic weekdays 12:00 to 13:00
               R1(config-time-range)# periodic weekdays 17:00 to 19:00
               R1(config-time-range)# exit
               R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
               R1(config)# access-list 100 deny ip any any
               R1(config)# interface FastEthernet 0/1
               R1(config-if)# ip access-group 100 in
               R1(config-if)# exit

4.1.8 Validating Complex ACL Implementations


 • Verifying ACL Configuration
 • Confirmation
 • Troubleshooting




Verifying ACL Configuration




   The ACLs are implemented. Now it is time to verify that they are working
   properly.

   (Topology figure: routers R1, R2 and R3; interfaces Serial0/0/0, Serial0/0/1 and F0/1; PC C)

   Router# show access-lists [access-list-number | access-list-name]

Confirmation




Troubleshooting




4.1.9 Mitigating Attacks with ACLs


 • Attacks Mitigated
 • CLI Commands
 • Allowing Command Services
 • Controlling ICMP Messages




Attacks Mitigated
 • ACLs can be used to mitigate many network threats:
     - IP address spoofing, inbound and outbound
     - DoS TCP SYN attacks
     - DoS smurf attacks
 • ACLs can also filter the following traffic:
     - ICMP messages, inbound and outbound
     - traceroute




CLI Commands




Allowing Common Services




Controlling ICMP Messages




4.2 Firewall Technologies

 • 4.2.1 Securing Networks with Firewalls
 • 4.2.2 Types of Firewalls
 • 4.2.3 Firewalls in Network Design




4.2.1 Securing Networks with Firewalls

• Overview
• Benefits




Overview


 • A firewall is a system that enforces an access
   control policy between networks
 • Common properties of firewalls:
     - The firewall is resistant to attacks
     - The firewall is the only transit point between networks
     - The firewall enforces the access control policy




Benefits of Firewalls


 • Exposure of sensitive hosts and applications to untrusted
   users can be prevented.
 • The protocol flow can be sanitized, preventing the
   exploitation of protocol flaws.
 • Malicious data can be blocked from servers and clients.
 • Security policy enforcement can be made simple,
   scalable, and robust with a properly configured firewall.
 • Offloading most of the network access control to a few
   points in the network can reduce the complexity of
   security management.

Limitations of Firewalls

• If misconfigured, a firewall can have serious consequences
  (single point of failure).
• Many applications cannot be passed over firewalls
  securely.
• Users might proactively search for ways around the firewall
  to receive blocked material, exposing the network to
  potential attack.
• Network performance can slow down.
• Unauthorized traffic can be tunneled or hidden as
  legitimate traffic through the firewall.


4.2.2 Types of Firewalls


 • Filtering Firewalls
 • Packet Filtering Firewall
 • Stateful Firewall
 • Cisco Systems Firewall Solutions




Types of Filtering Firewalls

• Packet-filtering firewall—is typically a router that has the capability to filter on
  some of the contents of packets (examines Layer 3 and sometimes Layer 4
  information)
• Stateful firewall—keeps track of the state of a connection: whether the
  connection is in an initiation, data transfer, or termination state
• Application gateway firewall (proxy firewall)—filters information at Layers 3, 4,
  5, and 7. Firewall control and filtering done in software.
• Address-translation firewall—expands the number of IP addresses available
  and hides network addressing design.
• Host-based (server and personal) firewall—a PC or server with firewall software
  running on it.
• Transparent firewall—filters IP traffic between a pair of bridged interfaces.
• Hybrid firewalls—some combination of the above firewalls. For example, an
  application inspection firewall combines a stateful firewall with an application
  gateway firewall.

Packet-Filtering Firewall

• Packet-filtering firewalls use a simple policy table lookup
  that permits or denies traffic based on specific criteria:
    - Source IP address
    - Destination IP address
    - Protocol
    - Source port number
    - Destination port number
    - Synchronize/start (SYN) packet receipt




Packet-Filtering Firewall




Stateful Firewall




Stateful Firewall


  Inside host 10.1.1.1, source port 1500  --->  Outside server 200.3.3.3, destination port 80

  Inside ACL (Outgoing Traffic):
     permit ip 10.0.0.0 0.0.0.255 any

  Outside ACL (Incoming Traffic):
     Dynamic: permit tcp host 200.3.3.3 eq 80 host 10.1.1.1 eq 1500
     permit tcp any host 10.1.1.2 eq 25
     permit udp any host 10.1.1.2 eq 53
     deny ip any any
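The figure's dynamic entry, modelled in added Python (example code, not Cisco's): an outbound session records a temporary return-traffic entry in IOS ACE wording, unsolicited inbound packets fall through to the figure's static outside ACL, and idle entries age out. The addresses 10.1.1.1, 10.1.1.2 and 200.3.3.3 come from the figure; the 3600-second idle timeout and the outside hosts 198.51.100.9 and 203.0.113.4 are constructed, and established_only is included only to contrast the TCP Established slide's flag check with a real session lookup.

```python
# Added model of stateful filtering as drawn in the figure (example code, not Cisco's).
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (proto, inside addr, inside port, outside addr, outside port)
SessionKey = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False
    fin: bool = False


class StatefulFilter:
    """Permits inside-initiated sessions and only their return traffic."""

    def __init__(self, idle_timeout: int = 3600):   # idle timeout (seconds) is an assumption
        self.idle_timeout = idle_timeout
        self.sessions: Dict[SessionKey, int] = {}   # session -> time the last packet was seen
        self.dynamic_aces: List[str] = []           # the temporary entries, in IOS ACE wording

    def outbound(self, pkt: Packet, now: int) -> str:
        """Inside-to-outside packet that the inside ACL has already permitted."""
        if pkt.proto == "tcp" and not pkt.syn:      # a new TCP session must begin with SYN
            return "deny"
        self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        self.dynamic_aces.append(
            f"permit {pkt.proto} host {pkt.dst} eq {pkt.dport} host {pkt.src} eq {pkt.sport}")
        return "permit"

    def inbound(self, pkt: Packet, now: int) -> str:
        """Outside-to-inside packet: session table first, then the static outside ACL."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # the reversed 5-tuple
        last = self.sessions.get(key)
        if last is not None and now - last <= self.idle_timeout:
            self.sessions[key] = now
            if pkt.rst or pkt.fin:                  # connection ending: remove the entry
                del self.sessions[key]
            return "permit"
        if last is not None:                        # entry idle too long: age it out
            del self.sessions[key]
        return static_outside_acl(pkt)


def static_outside_acl(pkt: Packet) -> str:
    """The figure's static outside entries: SMTP and DNS to 10.1.1.2, then deny ip any any."""
    if pkt.proto == "tcp" and pkt.dst == "10.1.1.2" and pkt.dport == 25:
        return "permit"
    if pkt.proto == "udp" and pkt.dst == "10.1.1.2" and pkt.dport == 53:
        return "permit"
    return "deny"


def established_only(pkt: Packet) -> str:
    """For contrast, what the `established` keyword checks: ACK or RST set, no session lookup."""
    return "permit" if pkt.proto == "tcp" and (pkt.ack or pkt.rst) else "deny"
```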




Stateful Firewalls Advantages/Disadvantages


 Advantages
 • Often used as a primary means of defense by filtering unwanted,
   unnecessary, or undesirable traffic.
 • Strengthens packet filtering by providing more stringent control
   over security than packet filtering
 • Improves performance over packet filters or proxy servers.
 • Defends against spoofing and DoS attacks
 • Allows for more log information than a packet filtering firewall

 Disadvantages
 • Cannot prevent application layer attacks because it does not
   examine the actual contents of the HTTP connection
 • Not all protocols are stateful, such as UDP and ICMP
 • Some applications open multiple connections requiring a whole
   new range of ports opened to allow this second connection
 • Stateful firewalls do not support user authentication

Cisco Systems Firewall Solutions




4.2.3 Firewalls in Network Design


 • DMZ Scenario
 • Layered Defense Scenario
 • Firewall Best Practices
 • Design Example




Design with DMZ




Layered Defense Scenario




Firewall Best Practices

• Position firewalls at security boundaries.
• Firewalls are the primary security device. It is unwise to rely
  exclusively on a firewall for security.
• Deny all traffic by default. Permit only services that are
  needed.
• Ensure that physical access to the firewall is controlled.
• Regularly monitor firewall logs.
• Practice change management for firewall configuration
  changes.
• Remember that firewalls primarily protect from technical
  attacks originating from the outside.

Design Example




4.3 Context-Based Access Control


 • 4.3.1 CBAC Characteristics
 • 4.3.2 CBAC Operation
 • 4.3.3 Configuring CBAC
 • 4.3.4 Troubleshooting CBAC




4.3.1 CBAC Characteristics


 • Overview
 • CBAC Capabilities




Overview




• Filters TCP and UDP packets based on application layer protocol session
  information
• Provides stateful application layer filtering
• Provides four main functions:
    - Traffic Filtering
    - Traffic Inspection
    - Intrusion Detection
    - Generation of Audits and Alerts
CBAC Capabilities




4.3.2 CBAC Operation


 • Overview
 • Step-by-Step
 • CBAC TCP and UDP Handling
 • CBAC Example




Overview




• CBAC examines not only Network Layer and Transport Layer information but
  also examines Application Layer protocol information to learn about the state of
  the session.
• The state table tracks the sessions and inspects all packets that pass through
  the stateful packet filter firewall.
• CBAC then uses the state table to build dynamic ACL entries that permit
  returning traffic through the perimeter router or firewall.

Step-by-Step




CBAC TCP Handling




CBAC UDP Handling




CBAC Example




4.3.3 Configuration of CBAC

Four Steps to Configure
• Step 1: Pick an Interface
• Step 2: Configure IP ACLs at the Interface
• Step 3: Define Inspection Rules
• Step 4: Apply an Inspection Rule to an Interface




Step 1: Pick an Interface
                     Two-Interface




                Three-Interface




Step 2: Configure IP ACLs at the Interface




Step 3: Define Inspection Rules




Step 4: Apply an Inspection Rule to an Interface




4.3.4 Troubleshooting CBAC

 • Alerts and Audits
 • show ip inspect Parameters
 • debug ip inspect Parameters




Alerts and Audits




show ip inspect Parameters




             北京邮电大学思科网络技术学院   89
debug ip inspect Parameters




4.4 Zone-Based Policy Firewall


• 4.4.1 Zone-Based Policy Firewall Characteristics

• 4.4.2 Zone-Based Policy Firewall Operation

• 4.4.3 Configuring Zone-Based Policy Firewall with CLI

• 4.4.4 Configuring Zone-Based Policy Firewall Manually with SDM

• 4.4.5 Configuring Zone-Based Policy Firewall with SDM Wizard

• 4.4.6 Troubleshooting Zone-Based Policy Firewall




4.4.1 Zone-Based Policy Firewall Characteristics


 • Topology
 • Benefits
 • The Design Process
 • Common Designs




Topology Example




Benefits




• Zone-based policy firewall is not dependent on ACLs
• The router security posture is now “block unless explicitly allowed”
• C3PL makes policies easy to read and troubleshoot
• One policy affects any given traffic, instead of needing multiple ACLs
  and inspection actions.
The Design Process


 • Step 1. Determine the zones
 • Step 2. Establish policies between zones
 • Step 3. Design the physical infrastructure
 • Step 4. Identify subsets within zones and merge traffic requirements

Common Designs

   (Figures of common designs)
   • LAN-to-Internet
   • Public Servers
   • Redundant Firewalls
   • Complex Firewall

Zones Simplify Complex Firewall




4.4.2 Zone-Based Policy Firewall Operation


 • Actions
 • Rules for Application Traffic
 • Rules for Router Traffic




Actions




 • Inspect – This action configures Cisco IOS stateful packet inspection
 • Drop – This action is analogous to deny in an ACL
 • Pass – This action is analogous to permit in an ACL

Rules for Application Traffic

  Source interface   Destination interface   Zone-pair   Policy    RESULT
  member of zone?    member of zone?         exists?     exists?
  NO                 NO                      N/A         N/A       No impact of zoning/policy
  YES (zone 1)       YES (zone 1)            N/A*        N/A       No policy lookup (PASS)
  YES                NO                      N/A         N/A       DROP
  NO                 YES                     N/A         N/A       DROP
  YES (zone 1)       YES (zone 2)            NO          N/A       DROP
  YES (zone 1)       YES (zone 2)            YES         NO        DROP
  YES (zone 1)       YES (zone 2)            YES         YES       policy actions

  *A zone-pair must have different zones as source and destination
Rules for Router Traffic

  Source interface   Destination interface   Zone-pair   Policy    RESULT
  member of zone?    member of zone?         exists?     exists?
  ROUTER             YES                     NO          -         PASS
  ROUTER             YES                     YES         NO        PASS
  ROUTER             YES                     YES         YES       policy actions
  YES                ROUTER                  NO          -         PASS
  YES                ROUTER                  YES         NO        PASS
  YES                ROUTER                  YES         YES       policy actions



4.4.3 Configuring Zone-Based Policy Firewall with CLI

1. Create the zones for the firewall with the zone security command
2. Define traffic classes with the class-map type inspect command
3. Specify firewall policies with the policy-map type inspect command
4. Apply firewall policies to pairs of source and destination zones with the zone-pair security command
5. Assign router interfaces to zones using the zone-member security interface command
Step 1: Create the Zones




Step 2: Define Traffic Classes




FW(config)# class-map type inspect FOREXAMPLE
FW(config-cmap)# match access-group 101
FW(config-cmap)# match protocol tcp
FW(config-cmap)# match protocol udp
FW(config-cmap)# match protocol icmp
FW(config-cmap)# exit
FW(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any

Step 3: Define Firewall Policies




 FW(config)# policy-map type inspect InsideToOutside
 FW(config-pmap)# class type inspect FOREXAMPLE
 FW(config-pmap-c)# inspect




Step 4: Assign Policy Maps to Zone Pairs
and Assign Router Interfaces to Zones




4.4.4 Manually Implementing Zone-based
Policy Firewall with SDM

• Step 1: Define zones
• Step 2: Configure class maps to describe traffic between zones
• Step 3: Create policy maps to apply actions to the traffic of the class maps
• Step 4: Define zone pairs and assign policy maps to the zone pairs




Define Zones
   1. Choose Configure > Additional Tasks > Zones
   2. Click Add
   3. Enter a zone name
   4. Choose the interfaces for this zone
   5. Click OK to create the zone and click OK at the Commands Delivery Status window
Configure Class Maps
   1. Choose Configure > Additional Tasks > C3PL > Class Map > Inspections
   2. Review, create, and edit class maps. To edit a class map, choose the class map from the list and click Edit

Create Policy Maps
   1. Choose Configure > Additional Tasks > C3PL > Policy Map > Protocol Inspection
   2. Click Add
   3. Enter a policy name and description
   4. Click Add to add a new class map
   5. Enter the name of the class map to apply. Click the down arrow for a pop-up menu, if the name is unknown
   6. Choose Pass, Drop, or Inspect
   7. Click OK
   8. To add another class map, click Add; to modify/delete the actions of a class map, choose the class map and click Edit/Delete
   9. Click OK. At the Command Delivery Status window, click OK
Define Zone Pairs
   1. Choose Configure > Additional Tasks > Zone Pairs
   2. Click Add
   3. Enter a name for the zone pair. Choose a source zone, a destination zone and a policy
   4. Click OK and click OK in the Command Delivery Status window


4.4.5 Implementing Zone-based Policy
Firewall with SDM Wizard


 • Accessing the Basic Firewall Configuration
 • Configuring a Firewall
 • Basic Firewall Configuration Summary
 • Firewall Configuration Summary




Accessing the Basic Firewall Configuration
   1. Choose Configuration > Firewall and ACL
   2. Click the Basic Firewall option and click the Launch the Selected Task button
   3. Click Next to begin configuration




Configuring a Firewall


   1. Check the outside (untrusted) check box and the inside (trusted) check box to identify each interface
   2. (Optional) Check the box if the intent is to allow users outside of the firewall to access the router using SDM. After clicking Next, a screen displays that allows the admin to specify a host IP address or network address
   3. Click Next. If the Allow Secure SDM Access check box is checked, the Configuring Firewall for Remote Access window appears
   4. In the Configuring Firewall for Remote Access window, choose Network address, Host IP address or any from the Type drop-down list

Basic Firewall Security Configuration




   1. Select the security level
   2. Click the Preview Commands button to view the IOS commands




Firewall Configuration Summary




                                 Click Finish




4.4.6 Troubleshooting Zone-Based Policy Firewall


 • Reviewing Policy
 • CLI Generated Output
 • Firewall Status Information
 • Active Connection




Reviewing Policy
   1. Choose Configure > Firewall and ACL
   2. Click the Edit Firewall Policy tab




CLI Generated Output
 class-map type inspect match-any iinsprotocols
  match protocol http
  match protocol smtp
  match protocol ftp
 !
 policy-map type inspect iinspolicy
  class type inspect iinsprotocols
   inspect
 !
 zone security private
 zone security internet
 !
 interface fastethernet 0/0
  zone-member security private
 !
 interface serial 0/0/0
  zone-member security internet
 !
 zone-pair security priv-to-internet source private destination internet
  service-policy type inspect iinspolicy
 !

 • class-map: list of services defined in the firewall policy
 • policy-map: apply action (inspect = stateful inspection)
 • zone security: zones created
 • zone-member security: interfaces assigned to zones
 • zone-pair security with service-policy: inspection applied from private to public zones


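The decision tables on the Rules for Application Traffic and Rules for Router Traffic slides, together with the class-map and policy-map steps, can be exercised against the configuration above. The following Python model is an added example, not course material and not Cisco code; it assumes the configuration shown above with one extra interface (fastethernet 0/1, also in zone private, a constructed addition) and models only match protocol, not match access-group, parameter maps or the stateful inspection itself.

```python
"""Added example, not from the slides: a model of the zone-based policy firewall
decision. It parses a minimal ZBF config (the CLI-generated output shown above, embedded
below as a constructed sample plus one extra interface), applies the slides' rule tables
for application and router traffic, then the policy-map's class-map actions.
match access-group, parameter maps and the inspection itself are not modeled."""

def parse_zbf_config(text):
    """Return interface->zone, zone-pair->policy, class-maps and policy-maps."""
    cfg = {"iface_zone": {}, "zone_pairs": {}, "class_maps": {}, "policy_maps": {}}
    ctx = (None, None)  # (kind, key) of the config block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            ctx = (None, None)
        elif line.startswith("interface "):
            ctx = ("interface", line.split(None, 1)[1])
        elif line.startswith("class-map type inspect "):
            parts = line.split()  # IOS defaults to match-all when neither keyword is given
            mode = parts[3] if parts[3] in ("match-any", "match-all") else "match-all"
            cfg["class_maps"][parts[-1]] = {"mode": mode, "protocols": []}
            ctx = ("class-map", parts[-1])
        elif line.startswith("policy-map type inspect "):
            cfg["policy_maps"][line.split()[-1]] = []  # ordered [class, action] pairs
            ctx = ("policy-map", line.split()[-1])
        elif line.startswith("zone-pair security "):
            p = line.split()  # zone-pair security NAME source SRC destination DST
            ctx = ("zone-pair", (p[p.index("source") + 1], p[p.index("destination") + 1]))
            cfg["zone_pairs"][ctx[1]] = None  # pair exists, no policy attached yet
        elif ctx[0] == "interface" and line.startswith("zone-member security "):
            cfg["iface_zone"][ctx[1]] = line.split()[-1]
        elif ctx[0] == "class-map" and line.startswith("match protocol "):
            cfg["class_maps"][ctx[1]]["protocols"].append(line.split()[-1])
        elif ctx[0] == "policy-map" and line.startswith("class type inspect "):
            cfg["policy_maps"][ctx[1]].append([line.split()[-1], None])
        elif ctx[0] == "policy-map" and line in ("inspect", "pass", "drop"):
            cfg["policy_maps"][ctx[1]][-1][1] = line
        elif ctx[0] == "zone-pair" and line.startswith("service-policy type inspect "):
            cfg["zone_pairs"][ctx[1]] = line.split()[-1]
    return cfg

def zone_decision(src, dst, cfg):
    """Rule tables from the slides. src/dst are interface names, or "self" for traffic
    to or from the router itself. Returns "PASS", "DROP" or ("POLICY", policy-map)."""
    src_zone = "self" if src == "self" else cfg["iface_zone"].get(src)
    dst_zone = "self" if dst == "self" else cfg["iface_zone"].get(dst)
    policy = cfg["zone_pairs"].get((src_zone, dst_zone))
    if "self" in (src_zone, dst_zone):  # router traffic passes unless a policy covers it
        return ("POLICY", policy) if policy else "PASS"
    if src_zone is None or dst_zone is None:  # both unzoned: no impact; mixed: drop
        return "PASS" if src_zone is dst_zone else "DROP"
    if src_zone == dst_zone:
        return "PASS"  # intra-zone traffic: no policy lookup
    return ("POLICY", policy) if policy else "DROP"  # no zone-pair, or pair without policy

def classify(policy_name, protocol, cfg):
    """First matching class wins; unmatched traffic hits class-default, which drops."""
    for cmap_name, action in cfg["policy_maps"].get(policy_name, []):
        cmap = cfg["class_maps"][cmap_name]
        # match-any: any listed protocol; match-all: every match line must hold, so a
        # single-protocol flow can only match when exactly that one protocol is listed
        if (cmap["mode"] == "match-any" and protocol in cmap["protocols"]) or (
                cmap["mode"] == "match-all" and cmap["protocols"] == [protocol]):
            return action or "drop"
    return "drop"

def decide(src, dst, protocol, cfg):
    verdict = zone_decision(src, dst, cfg)  # final verdict: "pass", "drop" or "inspect"
    return verdict.lower() if isinstance(verdict, str) else classify(verdict[1], protocol, cfg)

# Constructed sample: the CLI-generated output from the slide above (zone security lines
# omitted), plus a second private-zone interface added to show intra-zone traffic.
SAMPLE_CONFIG = """\
class-map type inspect match-any iinsprotocols
 match protocol http
 match protocol smtp
 match protocol ftp
!
policy-map type inspect iinspolicy
 class type inspect iinsprotocols
  inspect
!
interface fastethernet 0/0
 zone-member security private
!
interface fastethernet 0/1
 zone-member security private
!
interface serial 0/0/0
 zone-member security internet
!
zone-pair security priv-to-internet source private destination internet
 service-policy type inspect iinspolicy
!"""

if __name__ == "__main__":
    cfg = parse_zbf_config(SAMPLE_CONFIG)
    for flow in [("fastethernet 0/0", "serial 0/0/0", "http"), ("serial 0/0/0", "fastethernet 0/0", "http"),
                 ("fastethernet 0/0", "fastethernet 0/1", "http"), ("self", "serial 0/0/0", "http")]:
        print(flow, "->", decide(*flow, cfg))  # no reverse zone-pair, so internet -> private drops
```

Running it shows the posture the Benefits slide describes: HTTP from private to internet is inspected, traffic from internet to private is dropped because no zone-pair exists in that direction (the stateful inspection of the outbound session is what admits its return traffic), intra-zone traffic passes without a policy lookup, and traffic to or from the router itself passes because no zone-pair involving the self zone is configured.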
Firewall Status Information

   1. Choose Monitor > Firewall Status
   2. Choose one of the following options:
      • Real-time data every 10 sec
      • 60 minutes of data polled every 1 minute
      • 12 hours of data polled every 12 minutes




Display Active Connection



Router# show policy-map type inspect zone-pair session


  • Shows zone-based policy firewall session statistics



