
Wednesday, April 28, 2010

CCNA Security 09

When you ask security analysts what a firewall is, you'd be surprised how many different answers come up. A firewall can be a static packet-filtering firewall, an application layer gateway (a proxy), a stateful packet-filtering firewall, an application inspection firewall or a transparent firewall. Because each serves a different purpose, Cisco generalizes the definition of a firewall:
"A firewall is a system or a group of systems that enforce an access control policy between two networks"

A good firewall is the only transit point between the networks it separates; if traffic can route around it, its policy enforces nothing. An ideal firewall mitigates the risk of network compromise by enforcing access control policies. Since the firewall (remember, possibly a system of several devices) is the first line of defense, it must itself be hardened against attack.

The most basic form of firewall, a static packet-filtering firewall, is implemented with access lists. To filter on layer 4 (TCP/UDP ports) an extended access list is required, since a standard list matches only on source address. For example, to allow only HTTP traffic from 192.168.0.0/22 (the four subnets 192.168.0.0/24 through 192.168.3.0/24, wildcard mask 0.0.3.255) out through the F0/0 interface towards the internet, the configuration would be:
ip access-list extended STATICHTTPFIREWALL
 permit tcp 192.168.0.0 0.0.3.255 any eq www
interface FastEthernet0/0
 ip access-group STATICHTTPFIREWALL out
Everything not explicitly permitted is dropped by the implicit deny at the end of every access list, DNS included, so a real outbound list needs more entries than this one.


If you wish to allow TCP sessions to be initiated from the inside only, and not the other way round, one option is the established keyword. It matches TCP segments with the ACK or RST control bit set, which a legitimate inbound segment only carries once the inside host has sent the initial SYN. Note that despite the common name this is not a true reflexive access list: the router keeps no session state, and any inbound segment with ACK set (an ACK scan, for example) matches the permit, so it is a weak control compared with reflexive ACLs or stateful inspection. To create such an access list and apply it inbound on the F0/0 interface facing the internet, type:
ip access-list extended REFLEXIVEESTABLISHED
 permit tcp any any established
interface FastEthernet0/0
 ip access-group REFLEXIVEESTABLISHED in
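For comparison, here is a genuine reflexive access list. This is an added example and not part of the original notes; the list names OUTBOUND and INBOUND, the temporary entry names TCPREFLECT, UDPREFLECT and ICMPREFLECT, and the timeout values are my own choices. The router records every inside-initiated session in a temporary entry, and the inbound list admits only traffic matching one of those entries, so an unsolicited bare-ACK probe from outside falls through to the implicit deny instead of being permitted as it would be with the established keyword.

```cisco
! Outbound list: permit inside-initiated sessions and record each one
! as a temporary reflexive entry. Timeouts are in seconds and arbitrary.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCPREFLECT timeout 300
 permit udp any any reflect UDPREFLECT timeout 60
 permit icmp any any reflect ICMPREFLECT timeout 30
!
! Inbound list: admit only replies to sessions recorded above.
! Anything else, a bare-ACK probe included, hits the implicit deny.
ip access-list extended INBOUND
 evaluate TCPREFLECT
 evaluate UDPREFLECT
 evaluate ICMPREFLECT
!
interface FastEthernet0/0
 description Internet-facing interface (assumed)
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

After an inside host opens a connection, show access-lists displays the temporary entry with source and destination swapped and a countdown timer; when the timer expires or the session closes with FIN/RST the entry is removed and the reverse path closes again. Reflexive entries require named extended access lists, which is why the older numbered syntax is not used here.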


Unknown to many, the IP header carries an 8-bit Protocol field (Cisco material often calls it the protocol ID) that identifies the upper layer encapsulation; extended access lists match on it either by keyword (tcp, udp, esp) or by number. Below is a list of common protocol IDs:
ICMP - 1
TCP - 6
UDP - 17
GRE - 47
ESP - 50
EIGRP - 88

It is best practice to filter commonly spoofed source addresses inbound on the internet-facing interface. These include:
-255.255.255.255 (the limited broadcast address) as a source
-Any address in 0.0.0.0/8 (addresses that start with 0)
-Any multicast address (224.0.0.0/4) as a source, since multicast is never a valid source
-Addresses from reserved or private ranges (127.0.0.0/8, the RFC 1918 ranges, 169.254.0.0/16)
-Your own internal address space arriving from the outside, which by definition is spoofed
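An ingress anti-spoofing list that implements the points above, added here as an example rather than taken from the original notes. The list name ANTISPOOF-IN and the interface are my own; the inside network is assumed to be the 192.168.0.0/22 used earlier on this page, which is already covered by the RFC 1918 entry. The final permit stands in for whatever inbound policy follows, since a real deployment would replace it with the actual inbound rules or a stateful firewall.

```cisco
! Anti-spoofing ingress filter for the internet-facing interface.
! Deny entries are logged so spoofing attempts show up in syslog.
ip access-list extended ANTISPOOF-IN
 remark --- sources that can never legitimately arrive from the internet ---
 deny   ip host 255.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 remark --- RFC 1918 private space; this also covers our inside 192.168.0.0/22 ---
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark --- if the inside used public addresses, deny that prefix here as well ---
 remark --- placeholder: the real inbound policy goes here ---
 permit ip any any
!
interface FastEthernet0/0
 description Internet uplink (assumed)
 ip access-group ANTISPOOF-IN in
```

Order matters only for overlapping entries, so the denies are grouped for readability; show access-lists shows a hit counter per line, which is a quick way to see whether spoofed traffic is actually arriving. On a single-homed edge router, unicast reverse path forwarding (ip verify unicast source reachable-via rx on the interface) drops packets whose source has no route back out that interface and achieves much of the same result with no list to maintain.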

Zone-based Policy Firewall (ZPF) is the successor to the classic Cisco IOS Firewall, also known as CBAC (Context-Based Access Control), which applied inspection per interface. ZPF allows you to group interfaces together into zones, and policy is then applied between zones rather than to individual interfaces. This significantly reduces the number of access lists and inspection rules required to filter traffic between them.

Rules for traffic going between interfaces are defined using C3PL, which stands for Cisco Common Classification Policy Language.

Implementation of ZPF is simple. You begin by creating zones. Zones are groups of interfaces which you can name. For example, if you have two interfaces connecting to different DMZ subnets, then you can group them as a DMZ zone. Similarly, you can group all internal interfaces as an INSIDE zone. Finally, the internet interface can be in its own INTERNET zone.

By default ZPF denies all traffic between different zones: if no zone pair with a policy exists for a given source and destination zone, the traffic is dropped. Traffic between interfaces in the same zone is permitted. To allow traffic across zones you have to specify it explicitly by creating zone pairs. A zone pair is unidirectional and consists of a source zone and a destination zone, so you configure the pair for the direction in which sessions are initiated. For example, if we have DMZ, INSIDE and INTERNET zones, we will typically have these pairs:
-INSIDE-to-INTERNET
-DMZ-to-INTERNET
-INTERNET-to-INSIDE
-INTERNET-to-DMZ

You can then create inspection policies for each zone pair through C3PL, using class maps to classify traffic and policy maps to act on it. Depending on the policy, traffic is subject to one of three actions:
-Inspect - Stateful inspection, equivalent to the classic IOS Firewall/CBAC operation. The router tracks each TCP, UDP or ICMP session and automatically permits the return traffic, so no policy is needed on the reverse zone pair.
-Drop - Drop traffic, similar to a deny; it can optionally be logged.
-Pass - Allow traffic statelessly, similar to a permit. No session state is kept, so return traffic must be permitted separately on the reverse zone pair.

An inbound ACL on the ingress interface is applied before the ZPF policy; an outbound ACL on the egress interface is applied after it. Traffic cannot pass between an interface that is in a zone and an interface that is not in any zone. If that's the case, I bet you're wondering about traffic originating from or destined to the router itself. That traffic belongs to the "self" zone. The self zone has one important difference from other zones: by default traffic to and from the router is permitted, not dropped. It is only restricted once you create a zone pair with self as source or destination and attach a policy to it, at which point that policy applies to that direction.
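The whole procedure from the paragraphs above (zones, classification, policy, zone pair, zone membership and a self-zone policy) put together for the INSIDE-to-INTERNET case. This is an added example, not configuration from the original notes; the DMZ is left out for brevity, and every interface, name and protocol list is my own choice. The INTERNET-to-self policy is deliberately minimal and is discussed in the note below.

```cisco
! 1. Zones
zone security INSIDE
zone security INTERNET
!
! 2. Classification (C3PL class map): which traffic the policy acts on
class-map type inspect match-any INSIDE-TO-INTERNET-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! 3. Policy (C3PL policy map): what to do with each class.
!    class-default catches everything not classified above and drops it.
policy-map type inspect INSIDE-TO-INTERNET-POLICY
 class type inspect INSIDE-TO-INTERNET-CLASS
  inspect
 class class-default
  drop log
!
! 4. Zone pair, unidirectional, with the policy attached.
!    Inspected sessions have their return traffic admitted automatically.
!    There is no INTERNET-to-INSIDE pair, so unsolicited inbound traffic
!    is dropped by the default inter-zone deny.
zone-pair security INSIDE-TO-INTERNET source INSIDE destination INTERNET
 service-policy type inspect INSIDE-TO-INTERNET-POLICY
!
! 5. Zone membership. An interface in a zone exchanges traffic only with
!    zones it is paired with (and with other members of its own zone).
interface FastEthernet0/1
 description Inside LAN (assumed)
 zone-member security INSIDE
interface FastEthernet0/0
 description Internet uplink (assumed)
 zone-member security INTERNET
!
! 6. Self zone. Without this pair, anything from the internet to the
!    router itself is permitted by default. This policy drops it all.
policy-map type inspect INTERNET-TO-SELF-POLICY
 class class-default
  drop log
zone-pair security INTERNET-TO-SELF source INTERNET destination self
 service-policy type inspect INTERNET-TO-SELF-POLICY
```

Verify with show zone security, show zone-pair security and show policy-map type inspect zone-pair sessions, which lists the sessions the inspect action is tracking. The INTERNET-to-self policy has a side effect worth knowing: the self-to-INTERNET direction stays implicitly permitted, so the router can still send NTP or DNS queries out, but their replies arrive INTERNET-to-self and are dropped by this policy. If the router originates sessions to the internet, or terminates VPNs or routing protocols on that interface, add a self-to-INTERNET pair that inspects (on IOS releases that support inspect on self-zone pairs) or explicitly passes that traffic, and permit the matching inbound protocols in the INTERNET-to-self policy.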
