This chapter explains the two Cisco Firewall solutions: Cisco IOS Zone-Based Policy Firewalls and Cisco Adaptive Security Appliance. It describes in detail Cisco IOS Zone-Based Policy Firewall, and how the solution uses the Cisco Common Classification Policy Language (C3PL) for creating firewall policies. The chapter then presents the Cisco ASA firewall, identifying key supported features and the building blocks of its configuration using ASDM.

Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA
© 2012 Cisco and/or its affiliates. All rights reserved.

Contents

At the end of this chapter, you will be able to do the following:
• Introduce and describe the function, operational framework, and building blocks of Cisco IOS Zone-Based Firewalls
• Describe the functions of zones and zone pairs, as well as their relationship in hierarchical policies
• Describe Cisco Common Classification Policy Language for creating zone-based firewall policies
• List the default policies for the different combinations of zone types
• Demonstrate the configuration and verification of zone-based firewalls using Cisco Configuration Professional and the CLI
• Demonstrate the configuration of NAT services for zone-based firewalls
• Describe the Cisco ASA family of products, identifying key supported features
• Describe the building blocks of Cisco ASA configuration
• Describe the navigation options, features, and requirements of Cisco ASDM
• Describe the use of access control lists on Cisco ASA
• Describe the deployment of policies using the Cisco Modular Policy Framework
• Describe the configuration procedure to deploy basic outbound access control on Cisco ASA using Cisco ASDM

Cisco Firewall Solutions

Cisco offers multiple different firewall solutions, each geared to a different environment. Currently, Cisco firewall offerings include:
• Cisco IOS Firewall
• Cisco ASA 5500 Adaptive Security Appliances
• Cisco ASA 1000V Cloud Firewall
• Cisco Virtual Security Gateway for Nexus 1000V Series Switch
• Cisco Catalyst 6500 Series ASA Services Module
• Cisco Catalyst 6500 Series Firewall Services Module
• Cisco Small Business SA500 Series Security Appliances

Cisco IOS Zone-Based Policy Firewall

Zone-Based Policy Firewall Overview

To demonstrate this model, the figure shows three zones:
• Untrusted: Represents the Internet
• DMZ: Demilitarized zone, which contains the corporate servers accessed by the public
• Trusted: Represents the inside network

Interzone Policies

The interzone policies in the figure are as follows:
• Public-DMZ: DMZ policy that sets the rules for traffic originating from the untrusted zone with the DMZ as destination
• DMZ-Private: Private policy that sets the rules for the traffic originating from the DMZ with the trusted zone as destination
• Private-DMZ: DMZ policy that sets the rules for the traffic originating from the trusted zone with the DMZ as destination
• Private-Public: Public policy that sets the rules for the traffic originating from the trusted zone with the untrusted zone as destination

Cisco IOS Zone-Based Policy Firewalls support the following features:
• Virtual routing and forwarding aware firewall

Benefits

Key benefits of zone-based policy firewall are as follows:
• It is not dependent on ACLs
• The router security posture is restrictive (which means block unless explicitly allowed)
• C3PL makes policies easy to read and troubleshoot
• One policy affects any given traffic instead of needing multiple ACL and inspection actions

Zones and Zone Pairs
Interfaces Belong to Zone

Zone-Based Topology Examples
Simple Firewall Topology with Two Security Domains
Medium-Sized Organization with Three Zones

Introduction to Cisco Common Classification Policy Language

To create firewall policies, complete the following tasks:
Step 1 Define a match criterion (class map)
Step 2 Associate actions to the match criteria (policy map)
Step 3 Attach the policy map to a zone pair (service policy)

Components of Cisco Common Classification Policy Language

Cisco Common Classification Policy Language policies are modular, object oriented, and hierarchical in nature:
• Modular and object oriented: These traits give the firewall administrator the flexibility to create building-block objects such as class maps and policy maps, and reuse them within a given policy and across policies.
• Hierarchical: This feature results in powerful policies that can be expanded to include customized inspection, application layer rules, and advanced inspection features.

C3PL: If-Then-Else Structure

Modular Object-Oriented Configuration Design

Characteristics of class map objects

• Class maps that analyze Layer 3 and Layer 4 traffic sort the traffic based on the following criteria:
• If match-all is specified, traffic must match all of the class map criteria to belong to that particular class.

Zone-Based Policy Firewall Actions

The Cisco IOS Zone-Based Policy Firewall can take three possible actions when you configure it using CCP or the CLI:
• inspect: This action configures Cisco IOS stateful packet inspection.
• drop: This action is analogous to deny in an ACL. An additional log option can be added to drop to log dropped packets.
• pass: This action is analogous to permit in an ACL. The pass action does not track the state of connections or sessions within the traffic; pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.

Zone-Based Policy Firewall: Default Policies, Traffic Flows, and Zone Interaction

The membership of the router network interfaces in zones is subject to several rules governing interface behavior, as is the traffic moving between zone member interfaces:
• A zone must be configured before you can assign interfaces to the zone.
• You can assign an interface to only one security zone.
• Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
• To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
• Traffic cannot flow between a zone member interface and any interface that is not a zone member. You can apply pass, inspect, and drop actions only between two zones.
• Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection (CBAC) configuration.
• If you do not want an interface on the router to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a "pass all" policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.
• From the preceding rules it follows that if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of a zone).

Zone-Based Policy Firewall: Rules for Application Traffic

Zone-Based Policy Firewall: Rules for Router Traffic

Designing Cisco IOS Zone-Based Policy Firewalls

The following considerations should be weighed when designing Cisco IOS Zone-Based Policy Firewalls:
• An interface can be assigned to one zone and one zone only
• An interface pair can be assigned one policy and one policy only
• Consider default traffic flows for interfaces without zones, traffic flows between zones, and traffic flows to or from the router interfaces themselves
• Inspection actions cannot be applied to the class-default class
• The default policy action for unclassified traffic is drop

Configuring Basic Interzone Policies Using CCP and the CLI

Cisco IOS Zone-Based Firewall Configuration Scenario

Step 1 Start the Basic Firewall wizard
Step 2 Select trusted and untrusted interfaces
Step 3 Review and verify the resulting policies
Step 4 (Optional) Enable logging
Step 5 View firewall status and activity
Step 6 (Optional) Modify basic policy objects
Step 7 Verify CLI configuration

Step 1: Start the Basic Firewall Wizard

Step 2: Select Trusted and Untrusted Interfaces

• Outside (untrusted) interface: Select the router interface that is connected to the Internet or to your organization's WAN.
• Inside (trusted) interfaces: Check the physical and logical interfaces connecting to the LAN. You can select multiple interfaces.

Three levels

Three levels are available, implementing the following policies:
• High Security
  – The router identifies inbound and outbound instant messaging and peer-to-peer traffic and drops it.
  – The router checks inbound and outbound HTTP traffic and email traffic for protocol compliance, and drops noncompliant traffic.
  – The router returns traffic for other TCP and UDP applications if the session was initiated inside the firewall.
  – Choose this option if you want to prevent use of these applications on the network.
• Medium Security
  – The router identifies inbound and outbound instant messaging and peer-to-peer traffic, and checks inbound and outbound HTTP traffic and email traffic for protocol compliance.
  – The router returns TCP and UDP traffic on sessions initiated inside the firewall.
  – Choose this option if you want to track use of these applications on the network.
• Low Security
  – The router does not identify application-specific traffic.
  – The router returns TCP and UDP traffic on sessions initiated inside the firewall.
  – Choose this option if you do not need to track use of these applications on the network.

Defining Security Levels for the Policy

Step 3: Review and Verify the Resulting Policies

Verifying and Tuning the Configuration

Step 4: Enabling Logging

Step 5: Verifying Firewall Status and Activity

Step 6: Modifying Zone-Based Firewall Configuration Objects

General Steps to Create ZBF

The following list shows the sequence of what is created and referenced:
1. ACL to identify the traffic
2. Zones
3. Class map
4. Policy map (actions can be inspect, pass, and drop, and dropped traffic can also be logged)
5. Zone pair (policy map + zones)

Step 7: Verifying the Configuration Using the CLI

class-map type inspect
 zone-member security PRIVATE
!
interface serial 0/0/0
 zone-member security INTERNET
!
zone-pair security TO-INTERNET source PRIVATE destination INTERNET
 service-policy type inspect ACCESS-POLICY
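As an added example (not from the chapter or from Cisco), the following Python script parses a constructed IOS running-config laid out in the chapter's order (zones, class map, policy map, interfaces, zone pair) and checks it against the design rules stated earlier: an interface belongs to one zone only, a zone pair may reference only defined zones and a defined policy map, and inspect cannot be applied to class-default. The zone, class and policy names and the interfaces are assumptions.

```python
# Constructed sample config in the chapter's order (zones, class map, policy map, interfaces, zone pair); names are assumptions.
SAMPLE_CONFIG = """\
zone security PRIVATE
zone security INTERNET
class-map type inspect match-any PRIV-TO-INET-CLASS
 match protocol tcp
policy-map type inspect ACCESS-POLICY
 class type inspect PRIV-TO-INET-CLASS
  inspect
 class class-default
  drop log
interface GigabitEthernet0/1
 zone-member security PRIVATE
interface Serial0/0/0
 zone-member security INTERNET
zone-pair security TO-INTERNET source PRIVATE destination INTERNET
 service-policy type inspect ACCESS-POLICY
"""

def check_zbf(config):
    """Return the design-rule violations found in an IOS ZBF config (empty list = clean)."""
    zones, policies, members, problems = set(), {}, {}, []
    block = cls = None                    # enclosing top-level command, current class
    for line in filter(str.strip, config.splitlines()):
        t = line.split()
        if not line.startswith(" "):      # a top-level command starts a new block
            block, cls = t, None
            if t[:2] == ["zone", "security"]:
                zones.add(t[2])
            elif t[0] == "policy-map":
                policies[t[-1]] = {}
            elif t[0] == "zone-pair":     # zone-pair security NAME source S destination D
                for z in (t[4], t[6]):
                    if z not in zones:
                        problems.append(f"zone-pair {t[2]}: zone {z} is not defined")
        elif block[0] == "interface" and t[0] == "zone-member":
            members.setdefault(block[1], []).append(t[2])
        elif block[0] == "policy-map" and t[0] == "class":
            cls = t[-1]                   # a class-map name or class-default
        elif block[0] == "policy-map" and cls:
            policies[block[-1]][cls] = t[0]   # inspect, pass or drop
        elif block[0] == "zone-pair" and t[0] == "service-policy" and t[-1] not in policies:
            problems.append(f"zone-pair {block[2]}: policy-map {t[-1]} is not defined")
    for intf, zl in members.items():      # an interface belongs to one zone only
        if len(zl) > 1:
            problems.append(f"{intf}: assigned to more than one zone {zl}")
    for name, acts in policies.items():   # inspect cannot be applied to class-default
        if acts.get("class-default") == "inspect":
            problems.append(f"policy-map {name}: inspect is not allowed on class-default")
    return problems
```

Run check_zbf on the text of show running-config; an empty list means every zone pair, policy map and interface membership is consistent with the rules above.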

Configuring NAT Services for Zone-Based Firewalls

NAT with ZBF Configuration Scenario

There are three main steps to configure NAT with Cisco IOS zone-based firewall:
Step 1 Run the Basic NAT wizard
Step 2 Select NAT interfaces:
• Outside interface with global IP address
• Inside interface with original IP address
Step 3 Verify the configuration

Step 1: Run the Basic NAT Wizard

• Basic NAT
• Advanced NAT

Step 2: Select NAT Inside and Outside Interfaces

Finishing the Wizard

Step 3: Verify NAT with CCP and the CLI

NAT CLI Configuration
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.10.0.0 0.0.0.255

Current Translation for Live Traffic

Router# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
TCP 200.200.1.51:1050  10.10.10.20:1050   75.75.75.750:23    172.16.100.10:23
TCP 200.200.1.52:1776  10.10.10.10:1776   150.150.1.40:25    150.150.1.40:25
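Added example, not part of the chapter: a Python check that parses a constructed "show ip nat translations" table (modelled on the output above, keeping the inside local hosts and using made-up outside addresses) and evaluates each inside local host against a NAT access-list entry using IOS wildcard-mask semantics. It makes the mask arithmetic explicit: an entry of 10.10.0.0 0.0.0.255 selects only 10.10.0.x, so hosts in 10.10.10.0/24 are selected by 10.10.10.0 0.0.0.255 (or by a wider wildcard such as 0.0.255.255).

```python
import ipaddress

# Constructed sample modelled on the chapter's "show ip nat translations" output;
# the inside local hosts follow the chapter, the outside addresses are made up here.
NAT_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.200.1.51:1050  10.10.10.20:1050   172.16.100.10:23   172.16.100.10:23
tcp 200.200.1.52:1776  10.10.10.10:1776   150.150.1.40:25    150.150.1.40:25
"""

def split_endpoint(token):
    """'10.10.10.20:1050' -> ('10.10.10.20', 1050); a bare address gets port None."""
    host, _, port = token.partition(":")
    return host, (int(port) if port else None)

def parse_translations(output):
    """Parse the table body (header line skipped) into one dict per translation."""
    rows = []
    for line in output.splitlines()[1:]:
        pro, ig, il, ol, og = line.split()
        rows.append({"proto": pro,
                     "inside_global": split_endpoint(ig), "inside_local": split_endpoint(il),
                     "outside_local": split_endpoint(ol), "outside_global": split_endpoint(og)})
    return rows

def wildcard_match(address, network, wildcard):
    """IOS ACL semantics: a wildcard bit of 1 means 'do not care' for that bit."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # bits that must match
    addr, net = int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(network))
    return (addr & care) == (net & care)

def acl_coverage(output, network, wildcard):
    """Which inside local hosts in the table does 'permit <network> <wildcard>' select?"""
    return {row["inside_local"][0]: wildcard_match(row["inside_local"][0], network, wildcard)
            for row in parse_translations(output)}
```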

Cisco ASA Firewall

ASA Models
Multi-Service (Firewall/VPN and IPS)

Stateful Packet Filtering and Application Awareness

• The Cisco ASA security appliance is fundamentally a stateful packet filter with application inspection and control.
• It also offers a rich set of additional integrated software and hardware features that enable you to expand its functionality beyond those fundamental filtering mechanisms.
• The heart of the Cisco ASA is an application-aware stateful packet inspection algorithm, which controls flows between networks that are controlled by the security appliance.

State Table Created for All Inspected Traffic

Network Services Offered by the Cisco ASA 5500 Series

Some of those additional services:
• Network Address Translation
• DHCP server
• Routing

Network Address Translation

These different varieties of NAT allow for flexible deployment of NAT services:
• Inside and outside NAT
• Dynamic NAT and PAT
• Static NAT and PAT
• Policy NAT
• NAT exemption
In addition to the translation table kept by the Cisco ASA, which you can

• The Cisco ASA can provide a DHCP server or DHCP relay services to DHCP clients attached to Cisco ASA interfaces.
  – The DHCP server provides network configuration parameters directly to DHCP clients.
  – DHCP relay passes DHCP requests received on one interface to a DHCP server located behind a different interface.
  – DHCP relay takes a DHCP broadcast and forwards it to the DHCP server located on a different network as a unicast.
• The Cisco ASA security appliance supports RIP, OSPF, and EIGRP dynamic routing protocols to integrate into existing routing

Cisco ASA Security Technologies

• Stateful inspection and application level controls
• Threat control and containment
• Network integration

Stateful inspection and application level controls

• ACL packet filtering
• Object groups
• Application Inspection and Control (AIC)
• User-based access control (cut-through proxy)
• Identity firewall
• Session auditing

Threat control and containment

• IPS via Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM) and Advanced Inspection and Prevention Security Services Card (AIP-SSC)
• Botnet traffic filtering
• Category-based URL filtering
• Threat detection (basic, advanced, scanning)

Network integration

• Virtualization
• Security modules
• IPv6 and multicast support
• NAT and DHCP services
• Site-to-site and remote-access IPsec and SSL VPNs
• Transparent firewall mode
• IP routing
• High-availability failover

Cisco ASA Configuration Fundamentals

In that sense, traffic flows are defined as inbound or outbound like this:
• Inbound traffic: Travels from a less trusted interface to a more trusted interface; that is, from a lower security level to a higher security level
• Outbound traffic: Travels from a more trusted interface to a less trusted interface; that is, from a higher security level to a lower security level

Networks on a Firewall
High to low, good to go. Low to high, must die.
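Added example (not the chapter's or Cisco's code): a small Python model of the security-level rule above combined with the state table described earlier. Interface names, levels and addresses are assumptions; outbound flows (higher to lower level) are permitted and recorded, their return traffic is matched in the state table, inbound flows (lower to higher) need an explicit permit entry that stands in for an interface ACL, and equal security levels are denied.

```python
# Interface security levels, constructed for a three-interface ASA (names and
# numbers are assumptions; 100 is the most trusted level and 0 the least).
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

class AsaDefaultPolicy:
    """Model of the ASA default policy: higher-to-lower (outbound) flows are
    permitted and recorded in the state table, their return packets are matched
    against that table, and lower-to-higher (inbound) flows need a permit entry."""

    def __init__(self, levels, inbound_permits=()):
        self.levels = levels
        self.permits = set(inbound_permits)   # (ingress interface, dst host, proto, dst port)
        self.conns = set()                    # the state table: one entry per initiated flow

    def direction(self, in_if, out_if):
        """Classify a flow by the security levels of its ingress and egress interfaces."""
        if self.levels[in_if] > self.levels[out_if]:
            return "outbound"
        if self.levels[in_if] < self.levels[out_if]:
            return "inbound"
        return "same-security"

    def process(self, in_if, out_if, src, sport, dst, dport, proto="tcp"):
        """Return the verdict for one packet; a newly permitted flow is added to the table."""
        flow = (proto, src, sport, dst, dport)
        if (proto, dst, dport, src, sport) in self.conns:   # reply of an established flow
            return "permit (state table)"
        d = self.direction(in_if, out_if)
        allowed = d == "outbound" or (d == "inbound" and (in_if, dst, proto, dport) in self.permits)
        if allowed:
            self.conns.add(flow)
            return f"permit ({d})"
        return f"deny ({d})"
```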

Security level controls

• Network access
• Inspection engines
  – NetBIOS inspection engine: Applied only for outbound connections.
  – SQL*Net inspection engine: If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the Cisco ASA.
• Filtering

Managing the Cisco ASA Using the CLI

The appliance provides five configuration modes, similar to Cisco IOS devices:
• ROM monitor mode
• User EXEC mode
• Privileged EXEC mode
• Global configuration mode
• Specific configuration modes

Cisco ASA Prompts

Cisco ASA 5505
• Physical switch ports
• Logical VLAN interfaces

Cisco ASDM

Cisco ASDM is to the Cisco ASA what Switch Database Management (SDM) or CCP is to Cisco IOS routers.
With a factory default configuration, you can connect to Cisco ASDM using the following interface and network settings:
• The management interface depends on your model:
  – Cisco ASA 5505: The switch port to which you connect to Cisco ASDM can be any port, except for Ethernet 0/0.
  – Cisco ASA 5510 and later: The interface to which you connect to Cisco ASDM is Management 0/0.
• The default management address is 192.168.1.1.
• The clients that are allowed to access Cisco ASDM must be on the 192.168.1.0/24 network.