CCNA_Security_04-bupt - CCNA Security Chapter 4: Implementing Firewall Technologies
CCNA Security Chapter 4: Implementing Firewall Technologies

Lesson Objectives
- Describe numbered and named, standard and extended IP ACLs.
- Configure IP ACLs with the IOS CLI and SDM.
- Describe TCP established ACL functionality.
- Configure ACLs with TCP established.
- Describe and configure reflexive ACLs.
- Describe and configure dynamic ACLs.
- Describe and configure time-based ACLs.
- Describe attack mitigation with ACLs.
- Describe the major types of firewalls.
- Describe and configure CBAC (IOS Stateful Packet Inspection) with the CLI.
- Describe and configure Zone-Based Policy Firewall with the CLI and SDM.

Implementing Firewall Technologies
4.1 Access Control Lists
4.2 Firewall Technologies
4.3 Context-Based Access Control
4.4 Zone-Based Policy Firewall

4.1 Access Control Lists
4.1.1 Standard and Extended IP ACLs
4.1.2 Using Standard and Extended IP ACLs
4.1.3 Topology and Flow for Access Control Lists
4.1.4 ACLs with Security Device Manager
4.1.5 TCP Established and Reflexive ACLs
4.1.6 Dynamic ACLs
4.1.7 Time-Based ACLs
4.1.8 Validating Complex ACL Implementations
4.1.9 Mitigating Attacks with ACLs

4.1.1 Standard and Extended IP ACLs
- ACL Topology and Types
- Standard and Extended Numbered IP ACLs
- Named IP ACLs
- The log Parameter
- ACL Configuration Guidelines

ACL Topology and Types
(diagram)

Standard Numbered IP ACLs
- Standard ACLs filter IP packets based on the source address only.
    Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask]
- Apply the ACL to an interface:
    Router(config-if)# ip access-group number {in | out}

Extended Numbered IP ACLs
- Extended ACLs filter IP packets based on:
  - Source and destination IP address
  - Source and destination TCP and UDP port
  - Protocol type (IP, ICMP, UDP, TCP, or protocol number)
    Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established]

Named IP ACLs - Standard
    Router(config)# ip access-list standard RESTRICT_VTY
    Router(config-std-nacl)# remark Permit only Admin host
    Router(config-std-nacl)# permit host 192.168.1.10
    Router(config-std-nacl)# exit
    Router(config)# line vty 0 4
    Router(config-line)# access-class RESTRICT_VTY in

Named IP ACLs - Extended
    R1(config)# ip access-list extended ACL-1
    R1(config-ext-nacl)# remark LAN ACL
    R1(config-ext-nacl)# deny ip host 192.168.1.6 any
    R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any established
    R1(config-ext-nacl)# exit
    R1(config)# int f0/0
    R1(config-if)# ip access-group ACL-1 in

The log Parameter
    R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22 log
    *May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet
    *May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets
- The first matching packet is logged immediately; later matches are summarised at five-minute intervals, which is why the second message, five minutes on, reports 9 packets.

ACL Configuration Guidelines
- ACLs are created globally, then applied to interfaces.
- Only one ACL per interface, per protocol, per direction.
- ACLs are processed top-down and the first matching statement wins, so the most specific statements must go at the top of the list.
- Every ACL ends with an implicit "deny all".
- Modifying ACLs: a statement added to a numbered ACL is appended at the end, so the list usually has to be removed and re-entered; named ACLs can be edited statement by statement.
- Special packets: traffic generated by the router itself (routing table updates, for example) is not checked by outbound ACLs.

4.1.2 Using Standard and Extended IP ACLs
- Applying Standard ACLs
- Applying Extended ACLs
- Other CLI Commands

Applying Standard ACLs
    r1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
    r1(config)# access-list 1 permit any
    r1(config)# interface ethernet 0
    r1(config-if)# ip access-group 1 out

Applying Extended ACLs
    R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
    R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
    R1(config)# access-list 101 permit ip any any
    R1(config)# interface ethernet 1
    R1(config-if)# ip access-group 101 in
- This blocks FTP control (port 21) and active-mode data (port 20) from 172.16.4.0/24 to 172.16.3.0/24 and permits everything else.

4.1.3 Topology and Flow for ACLs
- How ACLs Work
- ACL Placement
- Using Nmap for Planning

How ACLs Work
(diagrams: an inbound ACL is checked when the packet arrives, before the routing decision; an outbound ACL is checked after routing, before the packet leaves the egress interface)

ACL Placement
- Standard ACL: close to the destination (it can only match on source, so placing it near the source would also block traffic to destinations that should be reachable).
- Extended ACL: close to the source (unwanted traffic is dropped before it crosses the network).

Using Nmap for Planning
(diagram)

4.1.4 ACLs with Security Device Manager
- Using SDM
- Access Rules
- Configuring Standard Rules Using SDM
- Applying a Rule to an Interface
- Viewing Commands

Using SDM
- Choose the Configure option to configure ACLs.

Access Rules
- Choose Configure > Additional Tasks > ACL Editor
- Rule types: Access Rules, NAT Rules, IPsec Rules, NAC Rules, Firewall Rules, QoS Rules, Unsupported Rules, Externally Defined Rules, Cisco SDM Default Rules

Configuring Standard Rules Using SDM
1. Choose Configure > Additional Tasks > ACL Editor > Access Rules
2. Click Add
3. Enter a name or number
4. Choose Standard Rule (optionally, enter a description)
5. Click Add
6. Choose Permit or Deny
7. Choose an address type
8. Complete this field based on the choice made in step 7
9. Enter an optional description
10. Optional checkbox
11. Click OK
12. Continue adding or editing rules

Applying a Rule to an Interface
1. Click Associate
2. Choose the interface
3. Choose a direction
4. An information box with options appears if a rule is already associated with that interface and direction

Viewing Commands
    R1# show running-config
    <output omitted>
    !
    hostname R1
    <output omitted>
    interface FastEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip access-group Outbound in
    <output omitted>
    ip access-list standard Outbound
     remark SDM_ACL Category=1
     permit 192.168.1.3
    !
    access-list 100 remark SDM_ACL Category=16
    access-list 100 deny tcp any host 192.168.1.3 eq telnet log
    access-list 100 permit ip any any
    !
    <output omitted>

4.1.5 TCP Established and Reflexive ACLs
- Types of ACLs
- Syntax for TCP Established
- Example with TCP Established
- Reflexive ACLs
- Configuring a Router to Use Reflexive ACLs

Types of ACLs
- Standard IP ACLs
- Extended IP ACLs
- Extended IP ACLs using TCP established
- Reflexive IP ACLs
- Dynamic ACLs
- Time-Based ACLs
- Context-based Access Control (CBAC) ACLs

Syntax for TCP Established
    Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established]
- The established keyword makes the router check whether the ACK or RST TCP control flag is set. If either flag is set, the segment is allowed in, on the assumption that it belongs to a session opened from the inside.
- It does not implement a stateful firewall on the router: each packet's flag bits are checked in isolation and no session table is kept.
- Attackers can take advantage of the open hole: any crafted packet with the ACK or RST bit set (an ACK scan, for example) passes the check.
- The option does not apply to UDP or ICMP traffic.

Example Using TCP Established
    R1
    access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
    access-list 100 permit tcp any host 192.168.1.3 eq 22
    access-list 100 deny ip any any
    interface s0/0/0
     ip access-group 100 in

Reflexive ACLs
- Provide a truer form of session filtering than the established keyword.
- Much harder to spoof, because the temporary entry is keyed on the addresses and ports of the actual outbound session.
- Allow an administrator to perform actual session filtering for any type of IP traffic, not only TCP.
- Work by using temporary access control entries (ACEs) that are created when an outbound session starts and removed when it ends or times out.

Configuring a Router to Use Reflexive ACLs
1. Create an internal ACL that looks for new outbound sessions and creates temporary reflexive ACEs.
2. Create an external ACL that uses the reflexive ACL to examine return traffic.
3. Activate the named ACLs on the appropriate interfaces.

4.1.6 Dynamic ACLs
- Overview
- Creating a Dynamic ACL
- Setting up a Dynamic ACL
- CLI Commands

Dynamic ACL Overview
- Available for IP traffic only.
- Dependent on Telnet connectivity, authentication, and extended ACLs.
- Security benefits include:
  - Use of a challenge mechanism to authenticate users
  - Simplified management in large internetworks
  - Reduction of the amount of router processing that is required for ACLs
  - Reduction of the opportunity for network break-ins by network hackers
  - Creation of dynamic user access through a firewall without compromising other configured security restrictions

Implementing a Dynamic ACL
(diagram)

Setting up a Dynamic ACL
    Router(config)# access-list ACL_# dynamic dynamic_ACL_name [timeout minutes] {deny | permit} IP_protocol source_IP_address src_wildcard_mask destination_IP_address dst_wildcard_mask [established] [log]

CLI Commands
(diagram)

4.1.7 Time-based ACLs
- Overview
- CLI Commands
- Example Configuration

Overview
(diagram)

CLI Commands
(diagram)

Example Configuration
    R1(config)# time-range employee-time
    R1(config-time-range)# periodic weekdays 12:00 to 13:00
    R1(config-time-range)# periodic weekdays 17:00 to 19:00
    R1(config-time-range)# exit
    R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
    R1(config)# access-list 100 deny ip any any
    R1(config)# interface FastEthernet 0/1
    R1(config-if)# ip access-group 100 in
- Outside the two weekday windows the permit entry is inactive, so the deny entry matches all traffic entering F0/1. The router clock decides whether a range is active, so it must be correct.

4.1.8 Validating Complex ACL Implementations
- Verifying ACL Configuration
- Confirmation
- Troubleshooting

Verifying ACL Configuration
    Router# show access-lists [access-list-number | access-list-name]

Confirmation
(diagram)

Troubleshooting
(diagram)

4.1.9 Mitigating Attacks with ACLs
- Attacks Mitigated
- CLI Commands
- Allowing Common Services
- Controlling ICMP Messages

Attacks Mitigated
- ACLs can be used to mitigate many network threats:
  - IP address spoofing, inbound and outbound
  - DoS TCP SYN attacks
  - DoS smurf attacks
- ACLs can also filter the following traffic:
  - ICMP messages, inbound and outbound
  - traceroute

CLI Commands
(diagram)

Allowing Common Services
(diagram)

Controlling ICMP Messages
(diagram)

4.2 Firewall Technologies
4.2.1 Securing Networks with Firewalls
4.2.2 Types of Firewalls
4.2.3 Firewalls in Network Design

4.2.1 Securing Networks with Firewalls

Overview
- Common properties of firewalls:
  - Resistant to attacks
  - The only transit point between networks
  - Enforces the access control policy

Limitations of Firewalls
- Single point of failure
- Many applications cannot be passed through a firewall
- Network performance can slow down
- ...
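The following is an added example that is not part of the original slides: it models how the time-based ACL of section 4.1.7 decides, so the two `periodic weekdays` entries of `employee-time` can be checked against arbitrary timestamps. The `periodic` keywords (daily, weekdays, weekend, day names) follow IOS; treating the end time as exclusive is this model's own assumption, and the function `acl_100_action` is a hypothetical name for the slide's ACL 100, not an IOS command.

```python
# Added example, not from the Cisco slides: evaluate an IOS time-range with
# `periodic` entries against a timestamp, as a time-based ACL (4.1.7) would.
# Assumption: the end time of a window is exclusive. `absolute` entries are not modelled.
from datetime import datetime
import ipaddress

DAY_GROUPS = {
    "daily": set(range(7)),
    "weekdays": set(range(5)),      # Monday..Friday in datetime.weekday() numbering
    "weekend": {5, 6},
}
DAY_NAMES = {name: i for i, name in enumerate(
    ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"])}


def parse_periodic(line):
    """'periodic weekdays 17:00 to 19:00' -> ({0, 1, 2, 3, 4}, 1020, 1140)."""
    tokens = line.split()
    if tokens[0] != "periodic" or tokens[-2] != "to":
        raise ValueError(f"not a periodic entry: {line!r}")
    days = set()
    for word in tokens[1:-3]:        # one group keyword, or one or more day names
        days |= DAY_GROUPS.get(word) or {DAY_NAMES[word]}

    def minutes(hhmm):
        hours, mins = hhmm.split(":")
        return int(hours) * 60 + int(mins)

    return days, minutes(tokens[-3]), minutes(tokens[-1])


def time_range_active(entries, stamp):
    """True if the 'YYYY-MM-DD HH:MM' timestamp lies inside any periodic entry."""
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    now = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= now < end
               for days, start, end in map(parse_periodic, entries))


# The slide's time-range and the network its ACL 100 permits
EMPLOYEE_TIME = ["periodic weekdays 12:00 to 13:00",
                 "periodic weekdays 17:00 to 19:00"]
LAN = ipaddress.ip_network("192.168.1.0/24")


def acl_100_action(src_ip, stamp, entries=EMPLOYEE_TIME):
    """ACL 100 from the slide: `permit ip 192.168.1.0 0.0.0.255 any time-range
    employee-time` is only active inside the windows; otherwise `deny ip any any` matches."""
    if ipaddress.ip_address(src_ip) in LAN and time_range_active(entries, stamp):
        return "permit"
    return "deny"


if __name__ == "__main__":
    # constructed timestamps: a Wednesday and a Saturday in January 2024
    for stamp in ("2024-01-10 12:30", "2024-01-10 15:00", "2024-01-13 12:30"):
        print(stamp, acl_100_action("192.168.1.20", stamp))
```

Because the evaluation happens on every packet, a wrong router clock silently turns the whole ACL into either an always-permit or an always-deny, which is the practical reason the curriculum pairs time-based ACLs with NTP.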
4.2.2 Types of Firewalls
- Filtering Firewalls
- Packet Filtering Firewall
- Stateful Firewall
- Cisco Systems Firewall Solutions

Types of Filtering Firewalls
- Packet-filtering
- Stateful
- Application gateway
- Address-translation
- Host-based
- Transparent
- Hybrid

Packet-Filtering Firewall
- Filters on: source IP address, destination IP address, protocol, source port number, destination port number, TCP control flags such as SYN

Advantages of Packet-Filtering Firewall
- Simple permit/deny rules
- Little or no impact on network performance
- Simple to configure
- Supported on most routers
- 90% of the effectiveness of high-end firewalls at an appreciably lower cost

Disadvantages of Packet-Filtering Firewall
- Difficult to catch IP spoofing
- Filtering fragmented IP packets is problematic (non-initial fragments carry no transport header to match on)
- Implementation and maintenance of complex ACLs
- Some applications/services cannot be filtered
- Stateless (only one packet at a time)

Stateful Firewall
(diagram)

Stateful Firewall
- Example: inside host 10.1.1.1, source port 1500, opens a connection to 200.3.3.3, destination port 80.
- Inside ACL (outgoing traffic):
    permit ip 10.1.1.0 0.0.0.255 any
- Outside ACL (incoming traffic):
    Dynamic: permit tcp host 200.3.3.3 eq 80 host 10.1.1.1 eq 1500
    permit tcp any host 10.1.1.2 eq 25
    permit udp any host 10.1.1.2 eq 53
    deny ip any any
- The dynamic entry exists only while the session is open; the static entries expose only the mail and DNS services on 10.1.1.2.

Advantages of Stateful Firewalls
- Intelligent first level of defense
- Primary defense mechanism
- Augments static packet filtering
- Improves routing throughput
- Harder to spoof and more resistant to DoS attacks than static filtering
- Allows for more log information

Limitations of Stateful Firewalls
- Does not filter at the application layer.
- Not all protocols are stateful like TCP (for example ICMP, UDP, some routing protocols).
- Some applications use multiple channels and dynamic port numbers negotiated above the transport layer (for example FTP, RealAudio, some multimedia).
- Cannot authenticate users to connections, because this occurs at a higher layer of the OSI model.

Cisco Systems Firewall Solutions
(diagram)

4.2.3 Firewalls in Network Design
- DMZ Scenario
- Layered Defense Scenario
- Firewall Best Practices
- Design Example

Design with DMZ
(diagram)

Layered Defense Scenario
(diagram)

Firewall Best Practices
- Position firewalls at security boundaries.
- Firewalls are the primary security device.
- Deny all traffic by default.
- Control physical access to the firewall.
- Regularly monitor firewall logs.
- Practice change management for configuration changes.
- Remember that firewalls primarily protect from technical attacks originating from the outside.

Design Example
(diagram)

4.3 Context-Based Access Control
4.3.1 CBAC Characteristics
4.3.2 CBAC Operation
4.3.3 Configuring CBAC
4.3.4 Troubleshooting CBAC

4.3.1 CBAC Characteristics
- Overview
- CBAC Capabilities

Overview
- CBAC provides four main functions:
  - Traffic filtering
  - Traffic inspection
  - Intrusion detection
  - Generation of audits and alerts

CBAC Capabilities
(diagram)

4.3.2 CBAC Operation
- Overview
- Step-by-Step
- CBAC TCP and UDP Handling
- CBAC Example

Overview
- CBAC examines not only Network Layer and Transport Layer information but also Application Layer protocol information to learn the state of the session.
- The state table tracks the sessions and inspects all packets that pass through the stateful packet filter firewall.
- CBAC then uses the state table to build dynamic ACL entries that permit returning traffic through the perimeter router or firewall.
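The following added example is not from the slides; it serves both the `established` discussion of 4.1.5 and the CBAC operation just described. It models IOS ACL evaluation (wildcard masks, top-down first match, implicit deny, `established` as a per-packet ACK/RST check) and then a CBAC-style state table that admits return traffic through a static `deny ip any any` list. The ACL contents come from the slides' ACL 100 and ACL 101; the `Packet`, `Ace` and `StatefulFilter` names, the outside addresses in 203.0.113.0/24 and the sample packets are constructed for this example.

```python
# Added example, not from the Cisco slides: stateless ACL evaluation with the
# `established` keyword next to a CBAC-style stateful inspector, on constructed traffic.
from dataclasses import dataclass
from typing import FrozenSet, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()      # TCP control flags, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Ace:
    """One access-list entry. proto "ip" matches any protocol; wildcard 0.0.0.0 is
    `host`, 255.255.255.255 is `any`; sport/dport model `eq`."""
    action: str
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False


ANY = ("0.0.0.0", "255.255.255.255")


def host(ip):
    return (ip, "0.0.0.0")


def wildcard_match(addr, base, wild):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)


def ace_matches(ace, p):
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if not (wildcard_match(p.src, ace.src, ace.src_wild)
            and wildcard_match(p.dst, ace.dst, ace.dst_wild)):
        return False
    if (ace.sport is not None and p.sport != ace.sport) or \
       (ace.dport is not None and p.dport != ace.dport):
        return False
    if ace.established:  # looks only at this packet's ACK/RST bits; no memory of any session
        return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})
    return True


def evaluate(acl, p):
    """Top-down, first match wins; the implicit deny catches everything else."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace.action
    return "deny"


class StatefulFilter:
    """CBAC-style inspection: a new outbound TCP session seen on the inside
    interface creates a temporary return-path entry, which is consulted before
    the static ACL applied inbound on the outside interface."""

    def __init__(self, inbound_acl):
        self.inbound_acl = inbound_acl
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, p):
        if p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def inbound(self, p):
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit"                    # dynamic entry for a tracked session
        return evaluate(self.inbound_acl, p)   # otherwise the static list decides


def demo():
    lan = ("192.168.1.0", "0.0.0.255")
    # ACL 100 from "Example Using TCP Established"
    acl_established = [
        Ace("permit", "tcp", *ANY, *lan, sport=443, established=True),
        Ace("permit", "tcp", *ANY, *host("192.168.1.3"), dport=22),
        Ace("deny", "ip", *ANY, *ANY),
    ]
    acl_static = acl_established[1:]   # same list without `established`, as used with inspection
    # constructed sample traffic arriving on the outside interface (not from the slides)
    ack, syn = frozenset({"ACK"}), frozenset({"SYN"})
    probes = {
        "reply":           Packet("tcp", "203.0.113.10", "192.168.1.5", 443, 50000, ack),
        "spoofed_ack":     Packet("tcp", "203.0.113.66", "192.168.1.5", 443, 445, ack),
        "unsolicited_syn": Packet("tcp", "203.0.113.10", "192.168.1.5", 443, 50001, syn),
        "ssh":             Packet("tcp", "203.0.113.10", "192.168.1.3", 40000, 22, syn),
    }
    stateless = {name: evaluate(acl_established, p) for name, p in probes.items()}
    fw = StatefulFilter(acl_static)
    fw.outbound(Packet("tcp", "192.168.1.5", "203.0.113.10", 50000, 443, syn))   # inside host opens HTTPS
    stateful = {name: fw.inbound(p) for name, p in probes.items()}
    return stateless, stateful


if __name__ == "__main__":
    for label, result in zip(("established keyword", "stateful inspection"), demo()):
        print(label, result)
```

The interesting row is `spoofed_ack`: a packet with the ACK bit set from source port 443 to port 445 on an inside host is permitted by the `established` list, because the router has no record that nobody on the inside ever opened that session, while the state table rejects it and still admits the genuine reply to the session it saw go out.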
Step-by-Step
(diagram)

CBAC TCP Handling
(diagram)

CBAC UDP Handling
(diagram)

4.3.3 Configuration of CBAC
- Four steps to configure:
  - Step 1: Pick an interface
  - Step 2: Configure IP ACLs at the interface
  - Step 3: Define inspection rules
  - Step 4: Apply an inspection rule to an interface

Topology used in the following examples: R1 (192.168.1.1/24) connects to R2 F0/0 (192.168.1.2/24); R2 S0/0 (172.16.0.1/30) connects to R3 (172.16.0.2/30).

Configuration of CBAC (No ACL): Define Inspection Rules
    R2(config)# ip inspect name TEST tcp

Configuration of CBAC (No ACL): Apply an Inspection Rule to an Interface
    R2(config)# int f0/0
    R2(config-if)# ip inspect TEST in

Configuration of CBAC (No ACL): Check ip inspect
    R1# telnet 172.16.0.2
    Trying 172.16.0.2 ... Open
    User Access Verification
    Password:
    R3>

    R2# show ip inspect sessions detail
    Established Sessions
     Session 64BADE54 (192.168.1.1:35050)=>(172.16.0.2:23) tcp SIS_OPEN
      Created 00:00:16, Last heard 00:00:14
      Bytes sent (initiator:responder) [37:74]
- With no ACL on the return path, inspection alone changes nothing visible: the session is tracked, but it would have succeeded anyway.

Configuration of CBAC (No Inspect): Define ACL
    R2(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    R2(config)# access-list 101 deny ip any any

Configuration of CBAC (No Inspect): Apply ACL to Interfaces
    R2(config)# int f0/0
    R2(config-if)# ip access-group 100 in
    R2(config)# int s0/0
    R2(config-if)# ip access-group 101 in

Configuration of CBAC (No Inspect): Check ACL
    R1> telnet 172.16.0.2
    Trying 172.16.0.2...
    % Connection timed out; remote host not responding
- ACL 101 on S0/0 drops R3's replies, so the TCP handshake never completes.

Configuration of CBAC (ACL+Inspect): Example
    R2(config)# ip inspect name TEST tcp
    R2(config)# int f0/0
    R2(config-if)# ip inspect TEST in
    R2(config-if)# ip access-group 100 in
    R2(config)# int s0/0
    R2(config-if)# ip access-group 101 in
    R2(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    R2(config)# access-list 101 deny ip any any

Configuration of CBAC (ACL+Inspect): Check Result
    R1# telnet 172.16.0.2
    Trying 172.16.0.2 ... Open
    User Access Verification
    Password:
    R3>

    R2# sh ip inspect sessions detail
    Established Sessions
     Session 64BADE54 (192.168.1.1:30257)=>(172.16.0.2:23) tcp SIS_OPEN
      Created 00:00:45, Last heard 00:00:41
      Bytes sent (initiator:responder) [37:74]
      In SID 172.16.0.2[23:23]=>192.168.1.1[30257:30257] on ACL 101 (10 matches)
- The "In SID ... on ACL 101" line is the dynamic entry CBAC inserted ahead of ACL 101 for this session; its 10 matches are the return packets that the static deny would otherwise have dropped.

Step 1: Pick an Interface
- Two-interface or three-interface design (diagram)

Step 2: Configure IP ACLs at the Interface
(diagram)

Step 3: Define Inspection Rules
(diagram)

Step 4: Apply an Inspection Rule to an Interface
(diagram)

4.3.4 Troubleshooting CBAC
- Alerts and Audits
- show ip inspect parameters
- debug ip inspect parameters

Alerts and Audits
    *Jan 15 06:13:15.138: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.1.1:28354) -- responder (172.16.0.2:23)
    *Jan 15 06:14:01.506: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (192.168.1.1:28354) sent 51 bytes -- responder (172.16.0.2:23) sent 94 bytes

show ip inspect Parameters
(diagram)

debug ip inspect Parameters
(diagram)

4.4 Zone-Based Policy Firewall
4.4.1 Zone-Based Policy Firewall Characteristics
4.4.2 Zone-Based Policy Firewall Operation
4.4.3 Configuring Zone-Based Policy Firewall with CLI
4.4.4 Configuring Zone-Based Policy Firewall Manually with SDM
4.4.5 Configuring Zone-Based Policy Firewall with SDM Wizard
4.4.6 Troubleshooting Zone-Based Policy Firewall

4.4.1 Zone-Based Policy Firewall Characteristics
- Topology
- Benefits
- The Design Process
- Common Designs

Topology Example
(diagram)

Benefits
- Zone-based policy firewall is not dependent on ACLs.
- The router security posture is now "block unless explicitly allowed".
- C3PL (Cisco Common Classification Policy Language) makes policies easy to read and troubleshoot.
- One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

The Design Process
- Step 1. Determine the zones
- Step 2. Establish policies between zones
- Step 3. Design the physical infrastructure
- Step 4. Identify subsets within zones and merge traffic requirements

Common Designs
- LAN-to-Internet
- Public Servers
- Redundant Firewalls
- Complex Firewall

Zones Simplify Complex Firewall
(diagram)

4.4.2 Zone-Based Policy Firewall Operation
- Actions
- Rules for Application Traffic
- Rules for Router Traffic

Actions
- Inspect: stateful inspection; return traffic for the session is permitted automatically
- Drop: discard the packet
- Pass: forward the packet without tracking state (return traffic needs its own policy on the reverse zone-pair)

4.4.3 Configuring Zone-Based Policy Firewall with CLI
1. Create the zones for the firewall with the zone security command
2. Define traffic classes with the class-map type inspect command
3. Specify firewall policies with the policy-map type inspect command
4. Apply firewall policies to pairs of source and destination zones with zone-pair security
5. Assign router interfaces to zones using the zone-member security interface command

Step 1: Create the Zones
    FW(config)# zone security Inside
    FW(config-sec-zone)# description Inside network
    FW(config)# zone security Outside
    FW(config-sec-zone)# description Outside network

Step 2: Define Traffic Classes (default match: match-all)
    FW(config)# class-map type inspect PROTOCOL
    FW(config-cmap)# match protocol tcp
    FW(config-cmap)# match protocol udp
    FW(config-cmap)# match protocol icmp

    FW# show class-map type inspect PROTOCOL
    Class Map type inspect match-all PROTOCOL (id 5)
       Match protocol tcp
       Match protocol udp
       Match protocol icmp
- No packet matches this class: match-all requires every match statement to be true, and a packet cannot be TCP, UDP and ICMP at the same time.

Step 2: Define Traffic Classes (match-any)
    FW(config)# class-map type inspect match-any PROTOCOL
    FW(config-cmap)# match protocol tcp
    FW(config-cmap)# match protocol udp
    FW(config-cmap)# match protocol icmp

    FW(config)# class-map type inspect FOREXAMPLE        (match-all)
    FW(config-cmap)# match access-group 101
    FW(config-cmap)# match class-map PROTOCOL
    FW(config-cmap)# exit
    FW(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
- FOREXAMPLE matches traffic that is both permitted by ACL 101 (from 10.0.0.0/24) and TCP, UDP or ICMP (the nested match-any class PROTOCOL).

Step 3: Define Firewall Policies
    FW(config)# policy-map type inspect InsideToOutside
    FW(config-pmap)# class type inspect FOREXAMPLE
    FW(config-pmap-c)# inspect

Step 3: Define Firewall Policies (several classes)
    FW(config)# policy-map type inspect InsideToOutside
    FW(config-pmap)# class type inspect FOREXAMPLE
    FW(config-pmap-c)# inspect
    FW(config-pmap)# class type inspect TEST1
    FW(config-pmap-c)# drop
    FW(config-pmap)# class type inspect TEST2
    FW(config-pmap-c)# pass
- Traffic that matches none of the classes falls into class-default, whose action is drop.

Step 4: Assign Policy Maps to Zone Pairs
    FW(config)# zone-pair security InToOut source Inside destination Outside
    FW(config-sec-zone-pair)# description Internet Access
    FW(config-sec-zone-pair)# service-policy type inspect InsideToOutside

Step 5: Assign Router Interfaces to Zones
    FW(config)# interface F0/0
    FW(config-if)# zone-member security Inside
    FW(config)# interface S0/0
    FW(config-if)# zone-member security Outside

Rules for Application Traffic
  Source interface    Destination interface   Zone-pair   Policy    Result
  member of zone?     member of zone?         exists?     exists?
  NO                  NO                      N/A         N/A       No impact of zoning/policy (PASS)
  YES (zone 1)        YES (zone 1)            N/A*        N/A       No policy lookup (PASS)
  YES (zone 1)        NO                      N/A         N/A       DROP
  NO                  YES (zone 1)            N/A         N/A       DROP
  YES (zone 1)        YES (zone 2)            NO          N/A       DROP
  YES (zone 1)        YES (zone 2)            YES         NO        DROP
  YES (zone 1)        YES (zone 2)            YES         YES       Policy actions
  * A zone-pair must have different zones as source and destination.

Rules for Router Traffic
  Source interface    Destination interface   Zone-pair   Policy    Result
  member of zone?     member of zone?         exists?     exists?
  ROUTER              YES                     NO          N/A       PASS
  ROUTER              YES                     YES         NO        PASS
  ROUTER              YES                     YES         YES       Policy actions
  YES                 ROUTER                  NO          N/A       PASS
  YES                 ROUTER                  YES         NO        PASS
  YES                 ROUTER                  YES         YES       Policy actions
- Traffic to or from the router itself passes by default; it is only filtered when a zone-pair with a policy involves the router's own (self) zone.

4.4.4 Manually Implementing Zone-based Policy Firewall with SDM
- Step 1: Define zones
- Step 2: Configure class maps to describe traffic between zones
- Step 3: Create policy maps to apply actions to the traffic of the class maps
- Step 4: Define zone pairs and assign policy maps to the zone pairs

Define Zones
1. Choose Configure > Additional Tasks > Zones
2. Click Add
3. Enter a zone name
4. Choose the interfaces for this zone
5. Click OK to create the zone and click OK at the Commands Delivery Status window

Configure Class Maps
1. Choose Configure > Additional Tasks > C3PL > Class Map > Inspections
2. Review, create, and edit class maps. To edit a class map, choose the class map from the list and click Edit

Create Policy Maps
1. Choose Configure > Additional Tasks > C3PL > Policy Map > Protocol Inspection
2. Click Add
3. Enter a policy name and description
4. Click Add to add a new class map
5. Enter the name of the class map to apply; click the down arrow for a pop-up menu if the name is unknown
6. Choose Pass, Drop, or Inspect
7. Click OK
8. To add another class map, click Add; to modify or delete the actions of a class map, choose the class map and click Edit/Delete
9. Click OK. At the Command Delivery Status window, click OK

Define Zone Pairs
1. Choose Configure > Additional Tasks > Zone Pairs
2. Click Add
3. Enter a name for the zone pair. Choose a source zone, a destination zone and a policy
4. Click OK and click OK in the Command Delivery Status window

4.4.5 Implementing Zone-based Policy Firewall with SDM Wizard
- Accessing the Basic Firewall Configuration
- Configuring a Firewall
- Basic Firewall Security Configuration
- Firewall Configuration Summary

Accessing the Basic Firewall Configuration
1. Choose Configure > Firewall and ACL
2. Click the Basic Firewall option and click the Launch the Selected Task button
3. Click Next to begin configuration

Configuring a Firewall
1. Check the outside (untrusted) check box and the inside (trusted) check box to identify each interface
2. (Optional) Check the box if the intent is to allow users outside the firewall to access the router using SDM. After clicking Next, a screen displays that allows the admin to specify a host IP address or network address
3. Click Next. If the Allow Secure SDM Access check box is checked, the Configuring Firewall for Remote Access window appears
4. In the Configuring Firewall for Remote Access window, choose Network address, Host IP address or Any from the Type drop-down list

Basic Firewall Security Configuration
1. Select the security level
2. Click the Preview Commands button to view the IOS commands

Firewall Configuration Summary
- Click Finish

4.4.6 Troubleshooting Zone-Based Policy Firewall
- Reviewing Policy
- CLI Generated Output
- Firewall Status Information
- Active Connections

Reviewing Policy
1. Choose Configure > Firewall and ACL
2. Click the Edit Firewall Policy tab

CLI Generated Output
    class-map type inspect match-any iinsprotocols
     match protocol http
     match protocol smtp
     match protocol ftp
    !
    policy-map type inspect iinspolicy
     class type inspect iinsprotocols
      inspect
    !
    zone security private
    zone security internet
    !
    interface fastethernet 0/0
     zone-member security private
    !
    interface serial 0/0/0
     zone-member security internet
    !
    zone-pair security priv-to-internet source private destination internet
     service-policy type inspect iinspolicy
- Slide annotations: the class-map lists the services defined in the firewall policy; the policy-map applies the action (inspect = stateful inspection); two zones are created and the interfaces are assigned to them; the zone-pair applies inspection from the private to the public zone.

Firewall Status Information
1. Choose Monitor > Firewall Status
2. Choose one of the following options:
  - Real-time data every 10 sec
  - 60 minutes of data polled every 1 minute
  - 12 hours of data polled every 12 minutes

Display Active Connections
    R1# show policy-map type inspect zone-pair session
- Shows zone-based policy firewall session statistics
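The following is an added example that is not part of the slides: it models the Zone-Based Policy Firewall lookup of 4.4.2 (the "Rules for Application Traffic" table) together with the match-all / match-any class-map semantics of 4.4.3, so the decisions in the table can be exercised on constructed packets. Zone, class and policy names (Inside, Outside, PROTOCOL, FOREXAMPLE, InsideToOutside) follow the slides; the `ClassMap` and `Zbf` names, the second inside interface F0/1, the unzoned Loopback0 and Tunnel0, and the sample packets are assumptions of this example, and `match access-group 101` is modelled as a source prefix rather than a full ACL.

```python
# Added example, not from the Cisco slides: a model of the ZBF zone-pair lookup
# and of class-map matching, run on constructed packets.
from dataclasses import dataclass, field
import ipaddress


@dataclass
class ClassMap:
    name: str
    match_any: bool = False                             # IOS default is match-all
    protocols: set = field(default_factory=set)         # match protocol <p>
    src_prefixes: list = field(default_factory=list)    # match access-group (assumed: source prefixes)
    nested: list = field(default_factory=list)          # match class-map <name>

    def matches(self, pkt):
        checks = ([pkt["proto"] == p for p in self.protocols]
                  + [ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(n)
                     for n in self.src_prefixes]
                  + [c.matches(pkt) for c in self.nested])
        return any(checks) if self.match_any else all(checks)


class Zbf:
    def __init__(self):
        self.zone_of = {}       # interface -> zone name
        self.zone_pairs = {}    # (src_zone, dst_zone) -> policy name, or None if no service-policy
        self.policies = {}      # policy name -> [(ClassMap, action), ...]

    def decide(self, in_if, out_if, pkt):
        """'Rules for Application Traffic': transit traffic, not traffic to or from the router."""
        src, dst = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src is None and dst is None:
            return "pass"       # neither interface is zoned: no impact of zoning/policy
        if src is None or dst is None:
            return "drop"       # zoned to unzoned, or unzoned to zoned
        if src == dst:
            return "pass"       # same zone: no policy lookup
        if (src, dst) not in self.zone_pairs:
            return "drop"       # no zone-pair for this direction
        policy = self.zone_pairs[(src, dst)]
        if policy is None:
            return "drop"       # zone-pair without a service-policy
        for cmap, action in self.policies[policy]:
            if cmap.matches(pkt):
                return action   # inspect / drop / pass from the policy-map
        return "drop"           # class-default


def build_slide_firewall():
    """Steps 1-5 of slide 4.4.3, plus an assumed second inside interface F0/1."""
    protocol = ClassMap("PROTOCOL", match_any=True, protocols={"tcp", "udp", "icmp"})
    forexample = ClassMap("FOREXAMPLE", src_prefixes=["10.0.0.0/24"], nested=[protocol])
    fw = Zbf()
    fw.zone_of = {"F0/0": "Inside", "F0/1": "Inside", "S0/0": "Outside"}
    fw.policies["InsideToOutside"] = [(forexample, "inspect")]
    fw.zone_pairs[("Inside", "Outside")] = "InsideToOutside"
    return fw


def demo():
    fw = build_slide_firewall()
    web = {"proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.10"}       # constructed
    other = {"proto": "tcp", "src": "192.168.1.5", "dst": "203.0.113.10"}  # constructed
    return {
        "lan_to_internet": fw.decide("F0/0", "S0/0", web),
        "wrong_source": fw.decide("F0/0", "S0/0", other),
        "internet_to_lan": fw.decide("S0/0", "F0/0", web),
        "intra_zone": fw.decide("F0/0", "F0/1", web),
        "zoned_to_unzoned": fw.decide("F0/0", "Loopback0", web),
        "unzoned": fw.decide("Tunnel0", "Loopback0", web),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:18} {action}")
```

Two details worth noticing when reading the output: the reverse direction (`internet_to_lan`) is dropped although nothing was configured for it, which is the "block unless explicitly allowed" posture of the Benefits slide, and a zone-pair that exists but carries no service-policy behaves the same way.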