Cisco Firewall Technologies
Chapter 1: Firewall Technologies
Types of Firewall Technologies:
Cisco breaks firewall technologies down into two types: IOS devices that perform security and firewall services alongside their normal routing duties, and dedicated firewall appliances that are purpose-built for security. IOS devices are generally routers running a version or license of the operating system that includes the security feature set. They can use access lists to filter traffic entering or leaving the device, and they can also be configured as a zone-based firewall, which uses zone pairs to control and inspect traffic between groups of interfaces.
Firewall Policy Properties
Firewalls are in place to provide access control to a network. By default they do not allow traffic from an untrusted interface to a trusted interface (from the outside to the inside) unless a rule explicitly permits it or the traffic is a reply to a session opened from the inside. All traffic entering or leaving a network should traverse a firewall; that way an administrator has a single choke point that logs both the traffic that is allowed through and the traffic that is blocked. The firewall itself is hardened against attack, but its rules and software must be kept current so that it can respond to new types of threats as they appear.
There are many justifications for a firewall. Many companies and government agencies have sensitive data and assets that must be protected. Having those assets compromised or corrupted by an attack can cost millions, and the reputational damage from leaked confidential information can cost more. Unauthorized users may try to get into the network from the outside, but unauthorized internal users may also try to reach information they are not supposed to have access to. Forcing traffic through the firewall helps identify where a threat is coming from, especially when it originates inside, where you control the source host and can deal with it directly. Firewalls also mitigate attacks that exploit protocol flaws or carry malicious data through the firewall. Reviewing the logged information shows whether anything in particular should raise a security concern.
The default firewall configuration provides protection immediately: an ASA can protect an organization from attacks as soon as it is plugged in and given IP addresses. Keep in mind, though, that a device is only as good as the person configuring it. If that person does not understand how to implement a proper access control policy, the device cannot do its job and will let in traffic that is detrimental to the organization. Custom applications can also pose a problem when granting access through a firewall, because a thorough understanding of the protocols and ports they use and of the IP addressing scheme is needed to write rules that permit exactly the required traffic and nothing more. There is also the risk of circumvention. An administrator can poke holes through the firewall to grant certain users or devices access that the rest of the organization does not have, and each hole weakens the policy. A firewall that permits all IP traffic provides no protection at all.
Sometimes administrators set up a way to bypass the firewall and connect directly to the ISP device that provides outside access, for example to reach certain websites or to stream music and video that the firewall policy does not allow. This defeats the purpose of the firewall and violates company policy.
In most cases, Cisco recommends a layered approach, called the Defense in Depth strategy: multiple layers of security, provided by multiple devices. For example, a firewall should be in place at every network edge, and an IPS device should monitor the permitted traffic and block packets carrying malware or exploits. The two perform different jobs yet complement one another: the firewall enforces the access policy, and the IPS inspects what the policy lets through for attacks the policy alone cannot recognize. Deploying redundant firewalls and an IPS also provides some resilience for internet access, and it puts more than one set of eyes on the lookout for malicious traffic.
Static Packet Filtering
There are different options on a firewall that can keep the network safe. The first is static packet filtering. Static packet filtering means knowing exactly what traffic you want to permit and deny on your network. At layer 3 you must understand which subnets you want to allow or deny, which can mean filtering on source or destination IP addresses. At layer 4 you must determine which protocols and port numbers need to pass through the firewall in order to make accurate filtering decisions. Because a static filter has no memory of sessions, the return half of every permitted conversation must also be permitted explicitly. Administrators need to test access lists thoroughly so that there is minimal impact on network performance and no unintended results. Access lists that grow too long become a nightmare to administer; naming access lists and keeping them succinct is the best policy.
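The access list below is an added example, not configuration from the original course notes. It shows static packet filtering on an IOS router whose internal network uses public addressing (198.51.100.0/24, so no NAT is involved), with a web server at 198.51.100.12; the interface name and addresses are assumptions. It also shows the weakness the text alludes to: with no session table, the only way to admit replies is the established keyword, which checks TCP flags rather than a real session.

```cisco
! Added example: stateless (static) packet filtering on an IOS router.
! Addresses and interface names are assumptions for illustration.
ip access-list extended OUTSIDE-IN
 remark Public web server reachable on HTTPS only
 permit tcp any host 198.51.100.12 eq 443
 remark Replies to TCP sessions opened from the inside. The router keeps no
 remark session table here, so 'established' only checks that ACK or RST is
 remark set, which an attacker can forge. This is the gap stateful filtering closes.
 permit tcp any 198.51.100.0 0.0.0.255 established
 remark ICMP needed for path MTU discovery and traceroute replies
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark The implicit deny, made explicit so that drops are logged
 deny ip any any log
!
interface GigabitEthernet0/1
 description ISP uplink
 ip access-group OUTSIDE-IN in
```

Note that UDP replies (DNS answers, for example) have no equivalent of established, so a purely static filter must either open the reply ports wide or break those protocols. Hit counts per line are visible with show ip access-lists OUTSIDE-IN, which is how you confirm the filter is matching what you expect before trusting it.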
Proxy firewalls are another option. A proxy firewall works at the application layer (layer 7) and looks very deep into traffic. It sits as an intermediary between the sender and the destination: the client's connection terminates on the proxy, which opens a second connection to the destination on the client's behalf. Logging can be very detailed; however, this approach is hardware intensive because of the processing required to dive that deeply into the traffic for analysis.
Stateful Packet Filtering
Stateful packet filtering is one of the most important options on firewalls. The word stateful is used because the firewall remembers the state of sessions established through it. A state table is built from the source and destination IP addresses, the protocol, and the port numbers of each session that is permitted through the firewall. When return traffic comes back, the firewall knows it is legitimate because the addresses and ports match an entry in that table. Let's use an example: you are at a theme park and realize that you have left something in your car. You can leave the park, but you must have your hand stamped. The stamp is so that when you try to re-enter, the people at the gate know you have already paid admission and can let you back in. Stateful packet filtering behaves the same way: it keeps track of the state of network connections and admits the replies to connections it has already seen go out. Stateful packet filtering is not confined to firewall appliances; it can also be used on a router acting as a firewall.
Application Inspection Firewall
An application inspection firewall can analyze the protocols carried within a traffic stream. It sees deep into conversations and can prevent types of attacks that simple filtering cannot, because it understands protocols all the way up to layer 7 of the OSI model. This is usually done on zone-based firewalls and ASAs as an addition to packet filtering and stateful filtering.
Transparent firewalls are another option. They still perform stateful filtering, but they operate at layer 2. The firewall's data interfaces are not given IP addresses (only a management address is configured), and the firewall is placed in the middle of a traffic flow so that traffic is forced through it and analyzed. This is beneficial where an administrator wants to insert a firewall without readdressing subnets, which a layer 3 firewall deployment would require.
Firewall Design and Implementation
There are some best practices to keep in mind when designing and implementing firewalls. Firewalls should be placed at the edge of networks and at the edge of security boundaries; a security boundary exists wherever different trust levels meet, such as inside and outside. The firewall should be the primary security device at the network edge, but as part of a layered approach: other devices, such as redundant firewalls and IPS devices, should be deployed so that more than one device is looking at and analyzing traffic. Access lists should default to deny all, with permit statements only for the specific traffic that must flow through the firewall. SSH should be the management protocol of choice for administering the firewall. Firewall logs should be reviewed regularly to confirm that traffic flows look normal. AAA should be set up on the firewall so that users have only the specific access they require. Finally, a change management process should be in place to document who changes the firewall configuration and why.
Chapter 2: Types of Firewalls
Overview of Zone-Based Firewalls
Zone-based firewalls are implementations on Cisco routers that let the router act as a firewall device. Interfaces are placed into zones identified by name; typical names are inside, outside, and DMZ. Policies then specify what traffic may traverse from one zone to another. A good example is defining what traffic can be sent on the inside-to-outside zone pair or on the DMZ-to-outside zone pair. These zone pairs must be explicitly defined on the device, and they are unidirectional: a pair covers traffic from inside to outside, or from outside to inside, but not both. If you also want to control outside-to-inside traffic, you need to create a second zone pair and assign it a policy. Stateful filtering is built into zone-based firewalls, so traffic initiated from the inside to the outside will have its return traffic pass back through the firewall with no issue. Another feature is that multiple interfaces can belong to the same zone. If you want to add another inside interface, you simply assign it to the inside zone, and it automatically uses the existing zone pair policy.
Features of Zone-Based Firewalls
A zone-based firewall offers many features: stateful inspection, application inspection, packet filtering (which uses ACLs to filter traffic), URL filtering (which blocks particular web addresses and URL patterns from being requested or returned), and the ability to run as a transparent firewall. These are all important tools, as discussed in the last chapter, and are very beneficial in discovering malicious traffic. Packet filtering is by far the most popular option. With application inspection, you need to ensure that the device can actually handle the increased processing required to dive deep into traffic streams and analyze protocols. Take this into careful consideration when choosing a router, as it must have enough processing power to complete the job.
Rules for Zone-Based Firewalls
There are some general rules when it comes to zone-based firewalls. By default, traffic between different zones is not permitted unless a zone pair with a policy exists between them. Traffic is allowed by default between members of the same zone. An interface that is not in any zone cannot exchange traffic with an interface that is in a zone. Traffic to and from the router itself belongs to the built-in self zone and is allowed by default until a policy is applied to a zone pair involving self. Policies are created so that traffic can flow between zone pairs.
To create a policy, you will need to understand the Cisco Common Classification Policy Language (C3PL). This language is used to implement the policies on zone pairs for a zone-based firewall. It has three primary components. The first is the class map, which identifies traffic at layers 3 through 7. The second is the policy map, which defines the actions taken on the traffic matched by class maps. Finally, the service policy applies a policy map to a zone pair.
The class map identifies the traffic. Class maps match IP address information through access control lists, match application protocols directly (match protocol), or nest other class maps. A class map can have multiple match conditions, each referencing, for example, a different access list. There are two types of match logic: match-all and match-any. Match-all means that, no matter how many conditions the class map contains, traffic must satisfy every one of them to be classified. Match-any means that traffic need only satisfy one of the conditions, regardless of how many there are.
Policy maps refer back to class maps and take action on the traffic that is singled out. A policy map can have multiple class sections, which are processed in order, with class-default catching everything that matched no earlier class. The actions are: inspect, which provides stateful inspection of the traffic and automatically allows its return traffic; pass (sometimes described as permit), which lets traffic through without inspection and without creating a session, so the reply must be permitted separately on the reverse zone pair; and drop, which discards the traffic. The log keyword can be added to drop so that discarded traffic is logged.
Service policies bind a policy map to a zone pair, and only one service policy can be applied to a zone pair. Zone pairs are unidirectional, meaning they treat traffic going in one direction only, from inside to outside or vice versa. The inspect action should be used for any traffic whose replies are expected, because it is the stateful inspection that admits those replies. The routing decision determines the egress interface, and the ingress and egress interfaces together determine which zone pair policy applies. Finally, if traffic crosses between two zones for which no zone pair and policy exist, it is dropped.
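The configuration below is an added example, not from the original course notes, that puts the zone, class map, policy map, and service policy steps above together on one IOS router. The zone names, interface names, and the 192.168.10.0/24 and 198.51.100.0/29 addresses are assumptions.

```cisco
! Added example: a two-zone zone-based firewall on an IOS router.
! Zone names, interface names, and addresses are assumptions.
zone security INSIDE
zone security OUTSIDE
!
! Class maps identify the traffic. match-any: any one listed protocol qualifies.
class-map type inspect match-any CM-ALLOWED-APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
! match-all: the packet must come from the inside subnet AND be an allowed app.
ip access-list extended INSIDE-NETS
 permit ip 192.168.10.0 0.0.0.255 any
class-map type inspect match-all CM-INSIDE-USERS
 match access-group name INSIDE-NETS
 match class-map CM-ALLOWED-APPS
!
! Policy map: statefully inspect the matched class; everything else hits
! class-default and is dropped and logged.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-USERS
  inspect
 class class-default
  drop log
!
! The zone pair is unidirectional. Replies return through the session
! that inspect created, so no OUTSIDE->INSIDE zone pair is needed for them.
! With no OUTSIDE->INSIDE pair at all, unsolicited inbound traffic is dropped.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Assign interfaces to zones last: the moment an interface joins a zone,
! traffic between it and interfaces in other zones stops unless a zone-pair
! policy already exists.
interface GigabitEthernet0/0
 description Internal LAN
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 description ISP uplink
 ip address 198.51.100.2 255.255.255.248
 zone-member security OUTSIDE
```

Verify with show zone-pair security and show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions; the latter lists the stateful sessions that inspect has created, which is what lets a web reply from the outside reach the inside host. Management access to the router itself (SSH to Gi0/0, for example) keeps working because that traffic is in the self zone, which is permitted by default.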
Overview of Adaptive Security Appliance
The Adaptive Security Appliance, or ASA, is Cisco's firewall appliance line. It replaced the PIX firewall line years ago and added new features. There are many flavors of the ASA, including the ASA 5500-X line that has only recently come onto the market. The ASA 5505 is the entry-level device and is very affordable, especially for smaller businesses with a limited number of users. It provides a solid firewall solution for a small office and includes an 8-port built-in switch; the 5505 is the only ASA with a built-in switch, and two of its ports supply Power over Ethernet (PoE). The next level is the 5510, 5520, 5540, and 5550, each of which grows in capacity with each model increment. These have four routable interfaces and an option to add an IPS module. The ASA 5585-X is a high-performance, high-capacity device that supports numerous module add-ons. Finally, there is the Firewall Services Module (FWSM), a blade that fits into a chassis such as the Cisco Catalyst 6500 and provides firewall services inside the switch. The 5500-X series is the next generation of ASA and provides a more robust solution than the original models; these ASAs also offer a software IPS module instead of only a hardware one.
Adaptive Security Appliance Features
One of the features of the ASA is packet filtering; access control lists are part of the regular configuration of an ASA. Stateful filtering is performed by default as well: with no access control configuration beyond addressing, an ASA can be placed in a network and provide protection immediately, because it allows return traffic for sessions opened from the inside while blocking unsolicited inbound traffic. ASAs perform application inspection, which is a deep dive into traffic flows to inspect the application stream between devices. Network Address Translation is available, with static NAT, PAT, and policy NAT. An ASA can act as a DHCP server to hand out addresses, as a DHCP client, or both; setting the outside interface to DHCP is common practice, as the ISP can hand that interface an address. Routing is also supported, with EIGRP, OSPF, RIP, and static routing available on all versions. Note that BGP is not an option on the releases covered here (Cisco added BGP support later, in ASA release 9.2). The ASA can also act as a transparent firewall, placing itself inline between other layer 2 devices.
Another feature available across the ASA series is high availability: a second firewall can be paired with the first as a failover pair, which is useful for deployments that need as much uptime as possible. ASAs support VPN in several forms: IPsec remote access, site-to-site IPsec, clientless SSL VPN, and AnyConnect SSL VPN. AAA is also supported, either against the local user database or against an external server.
Adaptive Security Appliance Fundamentals
Interfaces on an ASA are given a security level ranging from 0 to 100. The higher the level, the more trusted the interface. For example, the inside interface would be set to 100 if you knew it was connected to your internal network, and the outside interface would be given a security level of 0, because you cannot control what arrives from that side. Descriptions are also supported on interfaces. By default, traffic is allowed from a higher security interface to a lower security interface, and the ASA is ready to work out of the box once interfaces are defined and configured with IP addresses and security levels. Traffic from a lower security interface is stopped before it can reach a higher security interface unless an access list permits it, or unless it is reply traffic for a statefully inspected session. By default, traffic is not allowed between two interfaces with the same security level; this behavior is changed with the same-security-traffic permit inter-interface command, after which normal access lists apply. Likewise, the ASA will not send a packet back out the interface it was received on. This is called hairpinning and is blocked by default; it can be enabled with same-security-traffic permit intra-interface.
The ASA can be accessed through the command line and through ASDM, the Adaptive Security Device Manager, a GUI that provides an easy graphical representation of the ASA's configuration. This lets an administrator with only a small amount of experience monitor the device and navigate its settings. ASAs also have a troubleshooting tool called packet tracer, which analyzes whether a packet would be allowed or denied based on the firewall's rules, NAT, and inspections. You can run it either in ASDM or from the CLI. This is advantageous when resolving any type of access issue, and for testing whether the firewall will deny or permit particular traffic before a change goes live.
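The ASA configuration below is an added example, not from the original course notes. It shows the security-level behaviour described above on an ASA running software 8.3 or later: three interfaces, a DMZ web server published with static NAT and an inbound access list, the SSH and AAA hardening from the design best practices, and two packet-tracer checks. Interface names, addresses, the object name, and the admin account are assumptions.

```cisco
! Added example: ASA (8.3+) interface security levels, a published DMZ
! server, management hardening, and packet-tracer verification.
! Interface names, addresses, object and user names are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.20.1 255.255.255.0
!
! inside(100) -> outside(0) and inside(100) -> dmz(50) are allowed by default
! and statefully inspected. Nothing from outside(0) or dmz(50) reaches a
! higher level unless an access list permits it.
object network DMZ-WEB
 host 172.16.20.10
 nat (dmz,outside) static 198.51.100.12
!
! From 8.3 on, access lists reference the real (untranslated) address,
! which is why the object, not 198.51.100.12, appears here.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Management: SSH v2 only, only from the inside subnet, authenticated
! against the local user database (a RADIUS/TACACS+ server would replace LOCAL).
username admin password ChangeMe-Example privilege 15
aaa authentication ssh console LOCAL
ssh 192.168.10.0 255.255.255.0 inside
ssh version 2
!
! Privileged EXEC, not configuration: simulate an internet client reaching the
! published address on 443 (expected: ALLOW) and on 22 (expected: DROP by the
! OUTSIDE-IN access list). The destination is the mapped address as seen on
! the wire; the trace shows the UN-NAT, ACCESS-LIST and inspection phases.
packet-tracer input outside tcp 203.0.113.7 51000 198.51.100.12 443
packet-tracer input outside tcp 203.0.113.7 51001 198.51.100.12 22
```

Running both packet-tracer commands after every access list change is a cheap regression test: the first confirms the server is still reachable, the second confirms the deny still holds. A trace that ends in DROP names the phase that dropped it, which is usually faster than reading logs.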
In this chapter, we discussed zone-based firewalls and ASAs and the numerous features that can be configured on each. Both are excellent choices to implement, and which one you use will depend on your network design.
Chapter 3: NAT and PAT
Purpose of NAT
NAT is essentially used to translate one IP address to another. Most of the time it translates an internal, private IP address to a public IP address usable on the internet. The private address ranges defined by RFC 1918 are 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255. NAT also slows IPv4 address depletion, because many internal hosts can share a few public addresses, and it lets two separate networks that use the same private IP space be joined. An administrator can manipulate the IP scheme with NAT to keep using IPv4. NAT can also keep a company's internal addressing scheme hidden from the outside; this is typically deployed at the internet edge. A good example is a merger in which the two companies' addressing schemes are kept separate.
There are several variations of NAT. The first is static NAT. It does not help with the IPv4 depletion issue, but it does translate local private IP addresses, called inside local addresses, to public ones, called inside global addresses, in a strict one-to-one exchange. This is useful when an internal device must be reachable from the outside, such as an FTP server or a mail server. If an administrator wanted every internal IP address to reach the external network through its own external IP address this way, it would require a very large number of external IP addresses, one for each internal address.
To configure static NAT, first designate the NAT interfaces, which tells NAT which interfaces are inside and which are outside. Next, configure the static translation itself, identifying exactly which IP address should be translated to which. The inside source keyword refers to traffic arriving on the NAT inside interface, and the static keyword states that this is a one-to-one translation and nothing more. The inside local address is the internal address, which is in the subnet of the inside NAT interface. The inside global address is the external address, which is normally in the subnet of the interface designated ip nat outside or in a public block routed to the router.
The next type is dynamic NAT, which also does one-to-one translation, but dynamically. A pool of translated addresses, the inside global addresses, is defined, and an access list defines which addresses should be translated to that pool. When a packet hits the router, the router checks the ACL to see whether the source needs to be translated; if it does, the pool assigns the next available address and the traffic goes on its way. The translation stays in the translation table for as long as traffic is flowing through it (it is removed after an idle timeout), and it applies to every protocol and port between the internal and external address. If the pool is exhausted, new hosts cannot be translated until an existing entry times out. The dynamic mapping simply keeps a database of the mappings instead of the administrator statically mapping each address.
To configure dynamic NAT, designate the interfaces as inside and outside just as for static NAT. Then create an ACL for the NAT statement to reference, defining which source addresses the router should match for translation. Create the NAT pool with a name and the range of addresses to translate to on the external side. Finally, the dynamic NAT statement references both the ACL for the internal addresses and the pool for the external addresses.
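The IOS configuration below is an added example, not from the original course notes, that carries out the static NAT and dynamic NAT steps above on one router. The addresses (192.168.10.0/24 inside, 198.51.100.0/28 on the uplink), interface names, and the pool and ACL names are assumptions.

```cisco
! Added example: static and dynamic NAT on an IOS router.
! Addresses, interface names, and the pool/ACL names are assumptions.
interface GigabitEthernet0/0
 description Internal LAN (inside local addresses)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 description ISP uplink (inside global addresses live in this subnet)
 ip address 198.51.100.2 255.255.255.240
 ip nat outside
!
! Static NAT: one-to-one and permanent. It works in both directions, so the
! mail server at 192.168.10.25 is reachable from the internet at 198.51.100.5.
ip nat inside source static 192.168.10.25 198.51.100.5
!
! Dynamic NAT: hosts matched by the ACL borrow an address from the pool,
! one-to-one, for as long as their translation is active. The statically
! translated host is excluded so that the two rules never overlap.
ip access-list standard NAT-CLIENTS
 deny   192.168.10.25
 permit 192.168.10.0 0.0.0.255
ip nat pool PUBLIC-POOL 198.51.100.6 198.51.100.13 netmask 255.255.255.240
ip nat inside source list NAT-CLIENTS pool PUBLIC-POOL
```

The pool holds eight addresses for a /24 of clients, which makes the exhaustion case easy to reproduce: the ninth host to start a session gets no translation (and no connectivity) until an earlier entry ages out. Watch it with show ip nat statistics, which reports the pool's allocated and missed counts, and use show ip nat translations to see which inside local address currently owns each inside global address.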
Overloading NAT with PAT
Dynamic NAT will not help if you have a company of 500 users who all need internet access and the company does not have 500 external IP addresses. In this case you can use NAT overloading, also called Port Address Translation (PAT). Multiple users communicate using their internal IP addresses, and all of them are translated to the same external IP address; PAT uses unique source port numbers to map the different internal addresses to that one external address. This information is kept in the NAT table, which lists each internal-to-external address translation along with the specific port number in use. The show ip nat translations command in privileged EXEC mode reveals this information. When traffic leaves, its entry is recorded with a particular port number on the shared external address, and when the traffic returns, that port number is used to look up the proper internal IP address. This has indeed saved external IP addresses and slowed IPv4 address depletion.
Policy NAT and policy PAT are based on a set of rules that the administrator has configured. For example, an administrator can define an if/then type of scenario: if traffic entering the device has a specific source IP address, destination IP address, or port, then it qualifies to be translated, and a specific source address destined for a certain destination address or port is translated to a specific address. Traffic that does not match the policy is forwarded normally, without translation.
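The IOS configuration below is an added example, not from the original course notes, covering both the PAT overload described above and the policy NAT that follows it. The LAN (192.168.10.0/24), the uplink address (198.51.100.2), the partner network (172.16.50.0/24), the translated partner-facing address (10.200.0.1), the interface names, and the ACL, route-map and pool names are all assumptions, and the show ip nat translations output in the comments is constructed, not captured from a device.

```cisco
! Added example: PAT (overload) for general internet access plus a route-map
! policy NAT for one partner destination. Addresses and names are assumptions.
interface GigabitEthernet0/0
 description Internal LAN
 ip nat inside
interface GigabitEthernet0/1
 description ISP uplink, 198.51.100.2
 ip nat outside
interface GigabitEthernet0/2
 description Leased line to partner network 172.16.50.0/24
 ip nat outside
!
! Overload: every inside host shares the uplink address, and the source port
! (rewritten when two hosts pick the same one) keeps the sessions apart in
! the NAT table. Traffic for the partner is denied here so that it can never
! match this rule; the two NAT statements must have disjoint match sets.
ip access-list extended NAT-INTERNET
 deny   ip 192.168.10.0 0.0.0.255 172.16.50.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface GigabitEthernet0/1 overload
!
! Policy NAT: only LAN traffic whose destination is the partner subnet is
! translated, and to a neutral address the partner has agreed to route back.
! Anything not matched by either ACL is forwarded untranslated.
ip access-list extended TO-PARTNER
 permit ip 192.168.10.0 0.0.0.255 172.16.50.0 0.0.0.255
route-map RM-PARTNER permit 10
 match ip address TO-PARTNER
ip nat pool PARTNER-POOL 10.200.0.1 10.200.0.1 netmask 255.255.255.0
ip nat inside source route-map RM-PARTNER pool PARTNER-POOL overload
!
! Constructed sample of 'show ip nat translations' after two LAN hosts that
! both chose source port 51000 open HTTPS sessions to the same server. The
! second host's port was rewritten so the inside global tuple stays unique:
! Pro Inside global        Inside local          Outside local      Outside global
! tcp 198.51.100.2:51000   192.168.10.20:51000   203.0.113.9:443    203.0.113.9:443
! tcp 198.51.100.2:1024    192.168.10.21:51000   203.0.113.9:443    203.0.113.9:443
! tcp 10.200.0.1:52010     192.168.10.30:52010   172.16.50.8:443    172.16.50.8:443
```

The deny line in NAT-INTERNET is the part people forget: without it a partner-bound packet could match the overload rule and leave with the ISP address, which the partner has no route for. After a change, clear ip nat translation * flushes the table so that existing sessions re-evaluate against the new rules rather than keeping their old translations.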
In this course, we discussed different firewall technologies and looked at the strengths and weaknesses that surround them. We reviewed the concept of a stateful firewall and exactly what it means for protecting your network.
We took a look at zone based firewalls and the Cisco ASA series of firewall appliances. We identified ways in which we can implement these devices in our network. Finally, we defined network address translation and port address translation, and discussed why we need them both.