Chapter 4:

Implementing Firewall
Technologies
CCNA Security v2.0

4.0 Introduction
4.1 Access Control Lists

Chapter Outline

4.2 Firewall Technologies

4.3 Zone-Based Policy Firewalls
4.4 Summary

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Section 4.1:
Access Control List
Upon completion of this section, you should be able to:
Configure standard and extended IPv4 ACLs using CLI.
Use ACLs to mitigate common network attacks.
Configure IPv6 ACLs using CLI.

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Topic 4.1.1:
Configuring Standard and Extended
IPv4 ACLs with CLI

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Introduction to Access Control Lists

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Configuring Numbered and Named ACLs

Standard Numbered ACL Syntax

Extended Numbered ACL Syntax

Named ACL Syntax

Standard ACE Syntax

Extended ACE Syntax

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Applying an ACL
Syntax - Apply an ACL
to an interface
Syntax - Apply an ACL
to the VTY lines

Example - Named Standard ACL

Example - Named Extended ACL

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Applying an ACL (Cont.)

Syntax - Apply an ACL to the VTY lines

Example - Named ACL on VTY lines with logging

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

ACL Configuration Guidelines

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Editing Existing ACLs

Existing access list has three entries

Access list has been edited, which adds a new ACE and replaces ACE line
20.

Updated access list has four entries

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

10

Sequence Numbers and Standard ACLs

Existing access list has four entries

Access list has been edited, which adds a new ACE that permits a specific IP
address.

Updated access list places the new ACE before line 20

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

11

Topic 4.1.2:
Mitigating Attacks with ACLs

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

12

Antispoofing with ACLs

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

13

Permitting Necessary Traffic through a

Firewall

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

14

Mitigating ICMP Abuse

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

15

Mitigating SNMP Exploits

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

16

Topic 4.1.3:
IPv6 ACLs

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

17

Introducing IPv6 ACLs

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

18

IPv6 ACL Syntax

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

19

Configure IPv6 ACLs

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

20

Section 4.2:
Firewall Technologies
Upon completion of this section, you should be able to:
Explain how firewalls are used to help secure networks.
Describe the various types of firewalls.
Configure a classic firewall.
Explain design considerations for implementing firewall technologies.

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

21

Topic 4.2.1:
Securing Networks with Firewalls

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

22

Defining Firewalls

All firewalls:

Are resistant to attack

Are the only transit point

between networks
because all traffic flows
through the firewall

Enforce the access

control policy

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

23

Benefits and Limitations of Firewalls

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

24

Topic 4.2.2:
Types of Firewalls

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

25

Firewall Type Descriptions

Packet Filtering Firewall

Application Gateway Firewall

Stateful Firewall

NAT Firewall

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

26

Packet Filtering Firewall Benefits & Limitations

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

27

Stateful Firewalls
Stateful Firewalls

State Tables

Stateful Firewall Operation

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

28

Stateful Firewall Benefits and Limitations

Next Generation Firewalls

Granular identification, visibility, and control of behaviors within applications

Restricting web and web application use based on the reputation of the site

Proactive protection against Internet threats

Enforcement of policies based on the user, device, role, application type, and threat profile

Performance of NAT, VPN, and SPI

Use of an IPS

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

29

Topic 4.2.3:
Classic Firewall

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

30

Introducing Classic Firewall

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

31

Classic Firewall Operation

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

32

Classic Firewall Configuration

1. Choose the internal and

external interfaces.
2. Configure ACLs for each

interface.

Inspection Rules

3. Define inspection rules.

4. Apply an inspection rule

to an interface.

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

33

Topic 4.2.4:
Firewalls in Network Design

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

34

Inside and Outside Networks

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

35

Demilitarized Zones

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

36

Zone-Based Policy Firewalls

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

37

Layered Defense
Considerations for network defense:
Network core security
Perimeter security
Endpoint security
Communications security

Firewall best practices include:

Position firewalls at security boundaries.
It is unwise to rely exclusively on a firewall for security.
Deny all traffic by default. Permit only services that are needed.
Ensure that physical access to the firewall is controlled.
Monitor firewall logs.
Practice change management for firewall configuration changes.
Remember that firewalls primarily protect from technical attacks originating from the

outside.
2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

38

Section 4.3:
Zone-Based Policy Firewalls
Upon completion of this section, you should be able to:
Explain how Zone-Based Policy Firewalls are used to help secure a network.
Explain the operation of a Zone-Based Policy Firewall.
Configure a Zone-Based Policy Firewall with CLI.

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

39

Topic 4.3.1:
Zone-Based Policy Firewall Overview

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

40

Benefits of ZPF
Not dependent on ACLs
Router security posture

is to block unless
explicitly allowed
Policies are easy to read

and troubleshoot with

C3PL
One policy affects any

given traffic, instead of

needing multiple ACLs
and inspection actions

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

41

ZPF Design
Common designs include:
LAN-to-Internet
Firewalls between public servers
Redundant firewalls
Complex firewalls

Design steps:
1.

Determine the zones

2.

Establish policies between zones

3.

Design the physical infrastructure

4.

Identify subsets within zones and merge traffic requirements

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

42

Topic 4.3.2:
ZPF Operation

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

43

ZPF Actions
Inspect - Configures Cisco IOS stateful packet inspections.
Drop - Analogous to a deny statement in an ACL. A log option is available to log

the rejected packets.

Pass - Analogous to a permit statement in an ACL. The pass action does not

track the state of connections or sessions within the traffic.

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

44

Rules for Transit Traffic

Rules for Traffic to the Self Zone

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

45

Topic 4.3.3:
Configuring a ZPF

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

46

Configure ZPF

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

47

Step 1: Create Zones

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

48

Step 2: Identify Traffic

Command Syntax for

class-map

Sub-Configuration
Command Syntax for
class-map

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

49

Step 2: Identify Traffic (Cont.)

Example class-map Configuration

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

50

Step 3: Define an Action

Command Syntax for

policy-map

Example policy-map
Configuration

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

51

Step 4: Identify a Zone-Pair and Match to a Policy

Command Syntax for
zone-pair and
service-policy

Example service-policy
Configuration

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

52

Step 5: Assign Zones to Interfaces

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

53

Verify a ZPF Configuration

Verification commands:
show run | begin class-map
show policy-map type inspect zone-pair sessions
show class-map type inspect
show zone security
show zone-pair security
show policy-map type inspect

ZPF Configuration Considerations

No filtering is applied for intra-zone traffic
Only one zone is allowed per interface.
No Classic Firewall and ZPF configuration on same interface.
If only one zone member is assigned, all traffic is dropped.
Only explicitly allowed traffic is forwarded between zones.
Traffic to the self zone is not filtered.
2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

54

Section 4.4:
Summary
Chapter Objectives:
Implement ACLs to filter traffic and mitigate network attacks on a network.
Configure a classic firewall to mitigate network attacks.
Implement ZPF using CLI.

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

55

Thank you.

Instructor Resources
Remember, there are

helpful tutorials and user

guides available via your
NetSpace home page.
(https://www.netacad.com)

1
2

These resources cover a

variety of topics including

navigation, assessments,
and assignments.
A screenshot has been

provided here highlighting

the tutorials related to
activating exams, managing
assessments, and creating
quizzes.

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

57