CCNA Security Certification Tutorial:
The Cisco IOS Firewall Set (Part 6 & Review)
The Advanced Firewall Wizard & Security Device Manager (SDM)
Chris Bryant, CCIE #12933
In Part 5 of this CCNA Security and ISCW exam tutorial, we used the Basic Firewall Wizard in Cisco's Security Device Manager to configure a firewall.
Now we'll use the Advanced Firewall Wizard to do so and compare the Basic and Advanced wizards as we go along.
The Create Firewall tab in SDM mentions two capabilities of the Advanced wizard that the Basic wizard does not have - DMZ configuration and the creation of custom application policies.
When you click Advanced Firewall, note the illustration mentions an optional DMZ.

The Advanced Wizard allows the configuration of multiple outside interfaces as well. (Both the Basic and Advanced wizards allow multiple inside interfaces to be configured.)
Here's SDM's description of the Advanced Wizard. 
The Advanced Firewall Interface Configuration window gives the option of choosing a DMZ interface.

We'll continue this illustrated look at the Cisco SDM Advanced Firewall Wizard right after this brief and important message!
I'm Paying It Forward Bigger Than Ever.
My Famous CCNA Study Package Is Now $25.

And if you're working on the CCNA Security certification instead - click that link and earn that certification for twenty bucks!
Now let's get back to the SDM Advanced Firewall Wizard...
One more option in the Advanced Wizard I want to show you is the Firewall Security Configuration window.

The default policies here in Advanced are the same as they are with the Basic wizard; note the Advanced Wizard also allows the creation and selection of a custom Application Security Policy.
The configuration of a custom policy is beyond the scope of the ISCW and CCNA Security exams, but since I mentioned this capability several times, I wanted you to know where you can select it.
We've covered a lot of ground in this six-part tutorial, so be sure to go back and review the previous sections... and below you'll find a review of the tutorial's high points.
When you're done here, be sure to take advantage of my $20 CCNA Security certification offer!
Thanks for making The Bryant Advantage part of your CCNA Security and CCNP studies!
Chris Bryant
CCIE #12933
"The Computer Certification Bulldog"
chris@thebryantadvantage.com
"Hot Spots And Gotchas" For The Cisco IOS Firewall Set
The DMZ contains servers that are in a "middle ground" between the inside and outside networks.
Our IOS Firewall protects against several potential network attacks, including SYN attacks and IP Spoofing. The firewall configuration also lets you change the default TCP timeout values and stop the download of potentially dangerous Java applets.
The IOS Firewall Feature Set has three main features:
- Stateful filtering
- Authentication Proxy
- Intrusion Prevention System
The IOS Firewall provides additional security for UDP-based applications as well as TCP-based applications, and this security can be applied on a per-application basis in addition to the generic TCP and UDP protection schemes.
Stateful firewalls have the capability to monitor TCP sequence numbers, looking for TCP packets that do not belong to an existing stream. Since UDP packets carry no sequence numbers, the firewall has nothing comparable to monitor for UDP.
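To make that TCP-versus-UDP difference concrete, here is an added example (my own illustration, not code from the tutorial and not Cisco's inspection algorithm) of a simplified session table: outbound traffic opens an entry, return traffic is admitted only if it matches a live entry, TCP entries additionally check that the peer's sequence number fits the stream, and UDP entries can only be keyed on addresses and ports and expire on an idle timeout. The timeouts, window size and packets are constructed values.

```python
"""Simplified model of stateful inspection (illustrative, not Cisco's CBAC).

Outbound (inside -> outside) traffic creates a session entry; return traffic
is admitted only if it matches a live entry. TCP entries also track the
peer's sequence number, while UDP entries can only be keyed on addresses
and ports and expire on an idle timeout, because UDP has no sequence numbers.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed timeouts for the model; they are not IOS's defaults.
TCP_IDLE_TIMEOUT = 3600.0
UDP_IDLE_TIMEOUT = 30.0
# Maximum forward distance from the last accepted sequence number.
TCP_SEQ_WINDOW = 65535
SEQ_MODULUS = 2 ** 32


@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    seq: Optional[int] = None  # TCP sequence number; None for UDP


@dataclass
class Session:
    last_seen: float                # time of the last packet in either direction
    last_seq: Optional[int] = None  # last accepted sequence number from the outside peer


Key = Tuple[str, str, int, str, int]


class StatefulInspector:
    """Session table keyed on (proto, inside addr, inside port, outside addr, outside port)."""

    def __init__(self) -> None:
        self.table: Dict[Key, Session] = {}

    def outbound(self, p: Packet, now: float) -> None:
        """Inside -> outside packet: open or refresh the session entry."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = Session(last_seen=now)
        else:
            entry.last_seen = now

    def inbound(self, p: Packet, now: float) -> bool:
        """Outside -> inside packet: admit only if it matches a live session."""
        key = (p.proto, p.dst, p.dport, p.src, p.sport)  # reversed tuple
        entry = self.table.get(key)
        if entry is None:
            return False  # no session was opened from the inside: drop
        timeout = TCP_IDLE_TIMEOUT if p.proto == "tcp" else UDP_IDLE_TIMEOUT
        if now - entry.last_seen > timeout:
            del self.table[key]  # idle entry has expired
            return False
        if p.proto == "tcp":
            if p.seq is None:
                return False
            if entry.last_seq is not None:
                advance = (p.seq - entry.last_seq) % SEQ_MODULUS
                if advance > TCP_SEQ_WINDOW:
                    return False  # sequence number does not fit the existing stream
            entry.last_seq = p.seq
        entry.last_seen = now
        return True


def demo() -> list:
    """Walk through the TCP and UDP cases; returns the list of verdicts."""
    insp = StatefulInspector()
    verdicts = []
    # Inside host opens an HTTP connection; the reply is admitted.
    insp.outbound(Packet("tcp", "10.1.1.5", 40000, "203.0.113.9", 80, seq=1000), now=0)
    verdicts.append(insp.inbound(Packet("tcp", "203.0.113.9", 80, "10.1.1.5", 40000, seq=5000), now=1))
    # Same ports, but a sequence number far outside the stream: dropped.
    verdicts.append(insp.inbound(Packet("tcp", "203.0.113.9", 80, "10.1.1.5", 40000, seq=5000 + 70000), now=2))
    # Unsolicited traffic with no session entry: dropped.
    verdicts.append(insp.inbound(Packet("tcp", "198.51.100.1", 80, "10.1.1.5", 40000, seq=1), now=2))
    # DNS over UDP: the reply is admitted, but only while the entry is not idle.
    insp.outbound(Packet("udp", "10.1.1.5", 5000, "203.0.113.53", 53), now=10)
    verdicts.append(insp.inbound(Packet("udp", "203.0.113.53", 53, "10.1.1.5", 5000), now=20))
    verdicts.append(insp.inbound(Packet("udp", "203.0.113.53", 53, "10.1.1.5", 5000), now=100))
    return verdicts


if __name__ == "__main__":
    print(demo())  # expected [True, False, False, True, False]
```

The point to take away is the last two UDP verdicts: with no sequence numbers to check, the only protection for UDP is the session entry itself and how long it is allowed to sit idle, which is why the UDP idle timeout is a security setting and not just a resource setting.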
As we saw in SDM, the firewall allows GRE and IPSec traffic to pass through "as needed", since encrypted traffic is the very heart of GRE and IPSec.
The Authentication Proxy (AP) allows us to store user-specific security profiles on a TACACS+ or RADIUS server. When a user successfully authenticates, that profile is downloaded from the server and applied to that user's session.
To run SDM on a router, make sure these three commands are configured - ip http server, ip http secure-server (to use HTTPS), and ip http authentication local.
R1(config)#ip http server
R1(config)#ip http authentication local
R1(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
11:44:05: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#
11:44:06: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
Additionally, the username used to log in via SDM must have a privilege level of 15.
Branch(config)#username chris priv 15 password bryant
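Here is an added example (my own, not part of the tutorial) that audits the text of a show running-config for exactly the prerequisites just listed: the three ip http commands and a privilege-15 login user. The configuration it reads is constructed for the example, not captured from the lab router; note that the tutorial typed the abbreviation priv 15, while the running-config shows the full keyword privilege, so the parser accepts both. The regular expressions are a simplified reader of config text, not a full IOS parser.

```python
"""Audit running-config text for the SDM prerequisites named in the tutorial.

Constructed sample configuration and simplified regexes; not a real capture.
"""
import re
from typing import Dict, List

# Constructed sample; the secret hashes are placeholders, not real credentials.
SAMPLE_CONFIG = """\
hostname R1
!
username chris privilege 15 secret 5 $1$PLACEHOLDER$hash
username helpdesk secret 5 $1$PLACEHOLDER$hash
!
ip http server
ip http authentication local
ip http secure-server
!
"""

# The three commands the tutorial names as required for SDM access.
SDM_REQUIRED = (
    "ip http server",
    "ip http secure-server",
    "ip http authentication local",
)


def parse_users(config: str) -> Dict[str, int]:
    """Map each username to its privilege level (IOS defaults to 1 when omitted)."""
    users: Dict[str, int] = {}
    # Accept both the typed abbreviation 'priv' and the stored keyword 'privilege'.
    for m in re.finditer(r"^username (\S+)(?: priv(?:ilege)? (\d+))?", config, re.M):
        users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
    return users


def audit_sdm_prereqs(config: str, sdm_user: str) -> List[str]:
    """Return the problems that would stop sdm_user from logging in to SDM (empty if none)."""
    present = {line.strip() for line in config.splitlines()}
    problems: List[str] = []
    for cmd in SDM_REQUIRED:
        if cmd not in present:
            problems.append(f"missing: {cmd}")
    level = parse_users(config).get(sdm_user)
    if level is None:
        problems.append(f"user {sdm_user} is not configured")
    elif level < 15:
        problems.append(f"user {sdm_user} has privilege {level}, SDM login requires 15")
    return problems


if __name__ == "__main__":
    for user in ("chris", "helpdesk"):
        print(user, audit_sdm_prereqs(SAMPLE_CONFIG, user) or "OK")
```

Run against the sample, chris passes and helpdesk is reported with privilege 1, which is the IOS default when the username line carries no privilege keyword; that default is the usual reason an SDM login fails even though the ip http commands are all present.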
Both the Basic and Advanced Firewall Wizards allow you to use the Configuring Firewall For Remote Access window to allow SDM to be launched through the untrusted interface. (We saw that option in the lab, but did not check the box.)
There are major differences between those two wizards, though. Only the Advanced firewall allows the configuration of a DMZ or of more than one untrusted interface.
Only the Advanced Firewall Wizard allows the creation of custom application security policies. These are particularly important when voice and video protocols are in use, such as the Cisco-proprietary protocol Skinny or H.323.
No Gimmicks -- Just Results.
Get CCNA Security Certified Today For $20.
