Cisco Firewalls

• Copyright 2011
• Edition: 1st

• eBook
• ISBN-10: 1-58714-110-8
• ISBN-13: 978-1-58714-110-2

Cisco Firewalls

Concepts, design and deployment for Cisco Stateful Firewall solutions

“ In this book, Alexandre proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. A must read!” —Luc Billot, Security Consulting Engineer at Cisco

Cisco Firewalls thoroughly explains each of the leading Cisco firewall products, features, and solutions, and shows how they can add value to any network security design or operation. The author tightly links theory with practice, demonstrating how to integrate Cisco firewalls into highly secure, self-defending networks. Cisco Firewalls shows you how to deploy Cisco firewalls as an essential component of every network infrastructure. The book takes the unique approach of illustrating complex configuration concepts through step-by-step examples that demonstrate the theory in action. This is the first book with detailed coverage of firewalling Unified Communications systems, network virtualization architectures, and environments that include virtual machines. The author also presents indispensable information about integrating firewalls with other security elements such as IPS, VPNs, and load balancers; as well as a complete introduction to firewalling IPv6 networks. Cisco Firewalls will be an indispensable resource for engineers and architects designing and implementing firewalls; security administrators, operators, and support professionals; and anyone preparing for the CCNA Security, CCNP Security, or CCIE Security certification exams.

Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a Systems Engineer for Cisco Brazil since 1998 in projects that involve not only Security and VPN technologies but also Routing Protocol and Campus Design, IP Multicast Routing, and MPLS Networks Design. He coordinated a team of Security engineers in Brazil and holds the CISSP, CCSP, and three CCIE certifications (Routing/Switching, Security, and Service Provider). A frequent speaker at Cisco Live, he holds a degree in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA – Brazil).

·        Create advanced security designs utilizing the entire Cisco firewall product family

·        Choose the right firewalls based on your performance requirements

·        Learn firewall  configuration fundamentals and master the tools that provide insight about firewall operations

·        Properly insert firewalls in your network’s topology using Layer 3 or Layer 2 connectivity

·        Use Cisco firewalls as part of a robust, secure virtualization architecture

·        Deploy Cisco ASA firewalls with or without NAT

·        Take full advantage of the classic IOS firewall feature set (CBAC)

·        Implement flexible security policies with the Zone Policy Firewall (ZPF)

·        Strengthen stateful inspection with antispoofing, TCP normalization, connection limiting, and IP fragmentation handling

·        Use application-layer inspection capabilities built into Cisco firewalls

·        Inspect IP voice protocols, including SCCP, H.323, SIP, and MGCP

·        Utilize identity to provide user-based stateful functionality

·        Understand how multicast traffic is handled through firewalls

·        Use firewalls to protect your IPv6 deployments

This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.

Table of Contents

Foreword

Introduction

Chapter 1: Firewalls and Network Security

Security Is a Must. But, Where to Start?

Firewalls and Domains of Trust

Firewall Insertion in the Network Topology

    Routed Mode Versus Transparent Mode

    Network Address Translation and Port Address Translation

Main Categories of Network Firewalls

    Packet Filters

    Circuit-Level Proxies

    Application-Level Proxies

    Stateful Firewalls

The Evolution of Stateful Firewalls

    Application Awareness

    Identity Awareness

    Leveraging the Routing Table for Protection Tasks

    Virtual Firewalls and Network Segmentation

What Type of Stateful Firewall?

    Firewall Appliances

    Router-Based Firewalls

    Switch-Based Firewalls

Classic Topologies Using Stateful Firewalls

Stateful Firewalls and Security Design

    Stateful Firewalls and VPNs

    Stateful Firewalls and Intrusion Prevention

    Stateful Firewalls and Specialized Security Appliances

Summary

Chapter 2: Cisco Firewall Families Overview

Overview of ASA Appliances

    Positioning of ASA Appliances

    Firewall Performance Parameters

    Overview of ASA Hardware Models

Overview of the Firewall Services Module

Overview of IOS-Based Integrated Firewalls

    Integrated Services Routers

    Aggregation Services Routers

Summary

Chapter 3: Configuration Fundamentals

Device Access Using the CLI

Basic ASA Configuration

    Basic Configuration for ASA Appliances Other Than 5505

    Basic Configuration for the ASA 5505 Appliance

Basic FWSM Configuration

Remote Management Access to ASA and FWSM

    Telnet Access

    SSH Access

    HTTPS Access Using ASDM

IOS Baseline Configuration

    Configuring Interfaces on IOS Routers

Remote Management Access to IOS Devices

    Remote Access Using Telnet

    Remote Access Using SSH

    Remote Access Using HTTP and HTTPS

Clock Synchronization Using NTP

Obtaining an IP Address Through the PPPoE Client

DHCP Services

Summary

Further Reading

Chapter 4: Learn the Tools. Know the Firewall

Using Access Control Lists Beyond Packet Filtering

Event Logging

Debug Commands

Flow Accounting and Other Usages of Netflow

    Enabling Flow Collection on IOS

    Traditional Netflow

    Netflow v9 and Flexible Netflow

    Enabling NSEL on an ASA Appliance

Performance Monitoring Using ASDM

Correlation Between Graphical Interfaces and CLI

Packet Tracer on ASA

Packet Capture

    Embedded Packet Capture on an ASA Appliance

    Embedded Packet Capture on IOS

Summary

Chapter 5: Firewalls in the Network Topology

Introduction to IP Routing and Forwarding

Static Routing Overview

Basic Concepts of Routing Protocols

RIP Overview

    Configuring and Monitoring RIP

EIGRP Overview

    Configuring and Monitoring EIGRP

        EIGRP Configuration Fundamentals

        Understanding EIGRP Metrics

        Redistributing Routes into EIGRP

        Generating a Summary EIGRP Route

        Limiting Incoming Updates with a Distribute-List

        EIGRP QUERY and REPLY Messages

        EIGRP Stub Operation

OSPF Overview

    Configuring and Monitoring OSPF

        OSPF Configuration Fundamentals

        OSPF Scenario with Two Areas

Configuring Authentication for Routing Protocols

Bridged Operation

Summary

Chapter 6: Virtualization in the Firewall World

Some Initial Definitions

Starting with the Data Plane: VLANs and VRFs

    Virtual LANs

    VRFs

VRF-Aware Services

Beyond the Data Plane–Virtual Contexts

Management Access to Virtual Contexts

Allocating Resources to Virtual Contexts

Interconnecting Virtual Elements

    Interconnecting VRFs with an External Router

    Interconnecting Two Virtual Contexts That Do Not Share Any Interface

    Interconnecting Two FWSM Contexts That Share an Interface

    Interconnecting Two ASA Contexts That Share an Interface

Issues Associated with Security Contexts

Complete Architecture for Virtualization

    Virtualized FWSM and ACE Modules

    Segmented Transport

    Virtual Machines and the Nexus 1000V

Summary

Chapter 7: Through ASA Without NAT

Types of Access Through ASA-Based Firewalls

Additional Thoughts About Security Levels

    Internet Access Firewall Topology

    Extranet Topology

    Isolating Internal Departments

ICMP Connection Examples

    Outbound Ping

    Inbound Ping

    Windows Traceroute Through ASA

UDP Connection Examples

    Outbound IOS Traceroute Through ASA

TCP Connection Examples

    ASA Flags Associated with TCP Connections

    TCP Sequence Number Randomization

Same Security Access

Handling ACLs and Object-Groups

Summary

Chapter 8: Through ASA Using NAT

Nat-Control Model

Outbound NAT Analysis

    Dynamic NAT

    Dynamic PAT

    Identity NAT

    Static NAT

    Policy NAT

        Static Policy NAT

        Dynamic Policy NAT

        Dynamic Policy PAT

    NAT Exemption

    NAT Precedence Rules

Address Publishing for Inbound Access

    Publishing with the static Command

    Publishing with Port Redirection

    Publishing with NAT Exemption

Inbound NAT Analysis

    Dynamic PAT for Inbound

    Identity NAT for Inbound

    NAT Exemption for Inbound

    Static NAT for Inbound

Dual NAT

Disabling TCP Sequence Number Randomization

Defining Connection Limits with NAT Rules

Summary

Chapter 9: Classic IOS Firewall Overview

Motivations for CBAC

CBAC Basics

ICMP Connection Examples

UDP Connection Examples

TCP Connection Examples

Handling ACLs and Object-Groups

    Using Object-Groups with ACLs

    CBAC and Access Control Lists

IOS NAT Review

    Static NAT

    Dynamic NAT

    Policy NAT

    Dual NAT

    NAT and Flow Accounting

CBAC and NAT

Summary

Chapter 10: IOS Zone Policy Firewall Overview

Motivations for the ZFW

Building Blocks for Zone-Based Firewall Policies

ICMP Connection Examples

UDP Connection Examples

TCP Connection Examples

ZFW and ACLs

ZFW and NAT

ZFW in Transparent Mode

Defining Connection Limits

Inspection of Router Traffic

Intrazone Firewall Policies in IOS 15.X

Summary

Chapter 11: Additional Protection Mechanisms

Antispoofing

    Classic Antispoofing Using ACLs

    Antispoofing with uRPF on IOS

    Antispoofing with uRPF on ASA

TCP Flags Filtering

Filtering on the TTL Value

Handling IP Options

    Stateless Filtering of IP Options on IOS

    IP Options Drop on IOS

    IP Options Drop on ASA

Dealing with IP Fragmentation

    Stateless Filtering of IP Fragments in IOS

    Virtual Fragment Reassembly on IOS

    Virtual Fragment Reassembly on ASA

Flexible Packet Matching

Time-Based ACLs

    Time-Based ACLs on ASA

    Time-Based ACLs on IOS

Connection Limits on ASA

TCP Normalization on ASA

Threat Detection on ASA

Summary

Further Reading

Chapter 12: Application Inspection

Inspection Capabilities in the Classic IOS Firewall

Application Inspection in the Zone Policy Firewall

DNS Inspection in the Zone Policy Firewall

FTP Inspection in the Zone Policy Firewall

HTTP Inspection in the Zone Policy Firewall

IM Inspection in the Zone Policy Firewall

Overview of ASA Application Inspection

DNS Inspection in ASA

    DNS Guard

    DNS Doctoring

    DNS Inspection Parameters

    Some Additional DNS Inspection Capabilities

FTP Inspection in ASA

HTTP Inspection in ASA

Inspection of IM and Tunneling Traffic in ASA

Botnet Traffic Filtering in ASA

Summary

Further Reading

Chapter 13: Inspection of Voice Protocols

Introduction to Voice Terminology

Skinny Protocol

H.323 Framework

    H.323 Direct Calls

    H.323 Calls Through a Gatekeeper

Session Initiation Protocol (SIP)

MGCP Protocol

Cisco IP Phones and Digital Certificates

Advanced Voice Inspection with ASA TLS-Proxy

Advanced Voice Inspection with ASA Phone-Proxy

Summary

Further Reading

Chapter 14: Identity on Cisco Firewalls

Selecting the Authentication Protocol

ASA User-Level Control with Cut-Through Proxy

    Cut-Through Proxy Usage Scenarios

        Scenario 1: Simple Cut-Through Proxy (No Authorization)

        Scenario 2: Cut-Through Proxy with Downloadable ACEs

        Scenario 3: Cut-Through Proxy with Locally Defined ACL

        Scenario 4: Cut-Through Proxy with Downloadable ACLs

        Scenario 5: HTTP Listener

IOS User-Level Control with Auth-Proxy

    Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries

    Scenario 2: IOS Auth-Proxy with Downloadable ACLs

    Scenario 3: Combining Classic IP Inspection (CBAC) and Auth-Proxy

User-Based Zone Policy Firewall

    Establishing user-group Membership Awareness in IOS - Method 1

    Establishing user-group Membership Awareness in IOS - Method 2

    Integrating Auth-Proxy and the ZFW

Administrative Access Control on IOS

Administrative Access Control on ASA

Summary

Chapter 15: Firewalls and IP Multicast

Review of Multicast Addressing

Overview of Multicast Routing and Forwarding

    The Concept of Upstream and Downstream Interfaces

    RPF Interfaces and the RPF Check

Multicast Routing with PIM

    Enabling PIM on Cisco Routers

    PIM-DM Basics

    PIM-SM Basics

    Finding the Rendezvous Point on PIM-SM Topologies

Inserting ASA in a Multicast Routing Environment

    Enabling Multicast Routing in ASA

    Stub Multicast Routing in ASA

    ASA Acting as a PIM-SM Router

Summary of Multicast Forwarding Rules on ASA

Summary

Further Reading

Chapter 16: Cisco Firewalls and IPv6

Introduction to IPv6

Overview of IPv6 Addressing

IPv6 Header Format

IPv6 Connectivity Basics

Handling IOS IPv6 Access Control Lists

IPv6 Support in the Classic IOS Firewall

IPv6 Support in the Zone Policy Firewall

Handling ASA IPv6 ACLs and Object-Groups

Stateful Inspection of IPv6 in ASA

Establishing Connection Limits

    Setting an Upper Bound for Connections Through ASA

IPv6 and Antispoofing

    Antispoofing with uRPF on ASA

    Antispoofing with uRPF on IOS

IPv6 and Fragmentation

    Virtual Fragment Reassembly on ASA

    Virtual Fragment Reassembly on IOS

Summary

Further Reading

Chapter 17: Firewall Interactions

Firewalls and Intrusion Prevention Systems

Firewalls and Quality of Service

Firewalls and Private VLANs

Firewalls and Server Load Balancing

Firewalls and Virtual Machines

    Protecting Virtual Machines with External Firewalls

    Protecting Virtual Machines Using Virtual Firewall Appliances

Firewalls and IPv6 Tunneling Mechanisms

Firewalls and IPsec VPNs

    Classic IPsec Site-to-Site for IOS

    IPsec Site-to-Site Using a Virtual Tunnel Interface (VTI)

    IPsec Site-to-Site Using a GRE Tunnel

    NAT in the Middle of an IPsec Tunnel

    Post-Decryption Filtering in ASA

Firewalls and SSL VPNs

    Clientless Access

    Client-Based Access (AnyConnect)

Firewalls and MPLS Networks

Borderless Networks Vision

Summary

Further Reading

Appendix A: NAT and ACL Changes in ASA 8.3

Index

Submit Errata