CCNA Security Certification Tutorial:
The Cisco IOS Firewall Set
Welcome to this CCNA Security certification tutorial on the Cisco IOS Firewall Set!
Speaking of those certifications, be sure to find out how to get your CCNA Security certification for a mere 20 dollars!
Let's start with the basics of the Cisco IOS Firewall Set. When you put a firewall into place, you want two things to happen:
undesirable traffic should be stopped before it enters your network
desirable traffic should be allowed into the network, but still monitored -- or as I like to say, "trust but verify".
Cisco has specialized firewall devices available, but what we're working with here is the Cisco IOS Firewall Set, which will run on a Cisco router.
We're going to configure a router to act as our firewall, and later in this section you'll see that configuration put into place by our new best friend, Security Device Manager (SDM). We'll also take a look at common CLI commands as well. Cisco's website lists the following as benefits and support features of the IOS Firewall:
Stateful packet inspection
Authentication Proxy
Java Blocking
URL Filtering
Application inspection
Policy Control
That's a lot of features! We'll take a look at each, but before we do that, let's define some terms we'll run into throughout our CCNA Security studies.
It's easy to think of your network as the "inside", and everything else as "outside". However, we've got a third area when it comes to firewalls - a demilitarized zone, popularly referred to as the DMZ.
From a military standpoint, a DMZ is an area between two warring parties who have agreed not to fight in that area. It's also referred to as "no-man's land" - it doesn't belong to either side.
From an IT standpoint, the DMZ is the part of our network that is exposed to outside networks. It's common to find the following devices in a DMZ:
FTP server
Email server
E-commerce server
DNS servers
Web servers
Exposing some of our network servers to outside networks sounds risky, and it can be. A firewall's job is to lessen the chance of attacks on both our inside network and the DMZ.
One common architecture is the Dual Firewall approach, and I won't insult you by telling you how many firewalls this approach uses. Here's how a Dual Firewall approach is implemented:
The Dual Firewall approach is not a requirement; we can configure a single firewall to protect both our inside network and the DMZ. The configuration of a DMZ is itself optional, but many of today's networks have one. Firewalls carry out their work through stateless packet filtering, stateful filtering, and the Application Layer Gateway (ALG).
Stateless packet filtering is generally referred to simply as packet filtering. Packet filtering works much like an ACL. It's common to filter packets on one or more of the following:
Source IP address or port number
Destination IP address or port number
Protocol
Sounds great, right? There are some problems with this technique. Packet filtering only considers the values in the ACL - there's no attempt to determine if this packet is part of an already-existing connection, or attempting to create one. With protocols that use random port numbers at times - FTP, for example - there can be some real problems establishing a connection.
Stateful packet filtering does monitor the connection state, and that's particularly important when it comes to preventing TCP attacks. A stateful firewall monitors not only the state of the TCP connection but also the sequence numbers. Stateful firewalls accomplish this by keeping a session table, or state table.
Stateful filtering will not allow an inbound TCP packet with the SYN bit set (a new connection attempt) to enter the network, and will only allow one with the ACK bit set if the session table indicates that an inside user did indeed initiate the TCP handshake. Because the firewall also tracks the TCP sequence numbers, TCP packets with sequence numbers outside the expected range will be dropped.
Stateful filtering is also easier on our FTP connections. From your CCNA studies, you know that FTP runs over TCP, and FTP uses one connection as a control connection and a separate connection for the actual data transfer.
The data channel is set up using a dynamically selected port number, and that's where stateless filters run into a problem. A stateful filter will recognize the FTP data channel construction and will allow it to be completed.
An application layer gateway (ALG) serves as a go-between, or proxy, between your trusted users and the outside network. For example, if a trusted user needs to connect to a server outside the trusted network, that user will actually be connecting to the ALG, and in turn the ALG opens a connection to that server. The entire process is transparent to both the user and the server.
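To make the stateless-versus-stateful distinction concrete, here is a toy packet filter model added to this tutorial (constructed illustration, not Cisco IOS code or anything from Cisco's implementation). The stateless class only checks ports like an ACL, so it must either admit unsolicited inbound SYNs or break active-FTP data channels; the stateful class keeps a session table, drops inbound SYNs and orphan ACKs, enforces an assumed sequence-number window, and opens a one-shot pinhole for an FTP data channel announced on the control connection.

```python
# Toy model (constructed here, not Cisco IOS code) of a stateless ACL filter
# beside a stateful filter that keeps a session table.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    seq: int = 0
    flags: frozenset = field(default_factory=frozenset)   # e.g. {"SYN", "ACK"}

class StatelessFilter:
    """Looks only at this packet's ports, like a plain ACL: no session memory."""
    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)

    def check(self, pkt):
        return pkt.direction == "out" or pkt.dport in self.inbound_ports

class StatefulFilter:
    """Admits inbound packets only for sessions an inside host initiated."""
    WINDOW = 65535   # assumed acceptable sequence-number range

    def __init__(self):
        self.table = {}        # (in_ip, in_port, out_ip, out_port) -> last peer seq
        self.pending = set()   # FTP data channels announced on the control channel

    def expect_ftp_data(self, in_ip, in_port, out_ip, out_port):
        # Models the inspector reading the PORT command and opening a pinhole.
        self.pending.add((in_ip, in_port, out_ip, out_port))

    def check(self, pkt):
        if pkt.direction == "out":
            if "SYN" in pkt.flags:   # inside host opens a session: record it
                self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = None
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if key not in self.pending:   # unsolicited inbound SYN: dropped
                return False
            self.pending.discard(key)
        elif key not in self.table:       # ACK with no matching session: dropped
            return False
        last = self.table.get(key)
        if last is not None and not (last <= pkt.seq < last + self.WINDOW):
            return False                  # sequence number outside expected range
        self.table[key] = pkt.seq
        return True
```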
The Cisco IOS Firewall Feature Set Components
Not every IOS version will allow the configuration of a Cisco router to act as a firewall. When purchasing new routers, be sure to purchase this particular feature set if you plan to use the router as a firewall.
There are three major components to the IOS Firewall feature set - the IOS Firewall, the Intrusion Prevention System (IPS), and the Authentication Proxy. We'll tackle both the IOS Firewall and the Authentication Proxy in the next installment of this CCNA Security tutorial!
I'm Paying It Forward Bigger Than Before.
My Famous CCNA Study Package Is Now $25.

Chris Bryant
CCIE #12999
"The Computer Certification Bulldog"
chris@thebryantadvantage.com