FW - 7


Network Security – Firewall 2/2

Firewall configuration examples


Firewall types

+ Personal firewall …

Packet filtering rules or filters can be configured to allow or deny
traffic based on one or more of the following variables:
• Source IP address
• Destination IP address
• Protocol type (TCP/UDP)
• Source port
• Destination port

Note: All firewalls are capable of doing some form of packet filtering.

Example: Cisco Access-list


Stateful packet inspection uses the same fundamental packet screening
technique that packet filtering does. In addition, it examines the
packet header information from the network layer of the OSI model to
the application layer to verify that the packet is part of a legitimate
connection and that the protocols are behaving as expected.

As packets pass through the firewall, packet header information is
examined and fed into a dynamic state table where it is stored.

The packets are compared to pre-configured rules or filters and allow
or deny decisions are made based on the results of the comparison.

The data in the state table is then used to evaluate subsequent packets
to verify that they are part of the same connection. The connection
state is derived from information gathered in previous packets. It is
an essential factor in making the decision for new communication
attempts.

Stateful packet inspection compares the packets against the rules or
filters and then checks the dynamic state table to verify that the
packets are part of a valid, established connection.

By having the ability to "remember" the status of a connection, this
method of packet screening is better equipped to guard against attacks
than standard packet filtering.
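To make the difference concrete, here is a small Python model of a static packet filter beside a stateful one that keeps the dynamic state table described above. It is an added illustration, not code from the slides; the rules, the addresses and the three packets are constructed, and the stateless filter is given the extra "replies from port 80" rule it needs to let web traffic back in.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One filter line over the five variables from the slide: source and
    destination address (CIDR or "any"), protocol, source and destination
    port (number or "any")."""
    action: str
    proto: str = "any"
    src: str = "any"
    sport: object = "any"
    dst: str = "any"
    dport: object = "any"


def _in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto) and _in_net(rule.src, pkt.src)
            and rule.sport in ("any", pkt.sport) and _in_net(rule.dst, pkt.dst)
            and rule.dport in ("any", pkt.dport))


class PacketFilter:
    """Stateless screening: each packet is judged by the rules alone."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt):
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.action
        return "deny"                      # implicit deny when nothing matches


class StatefulFilter(PacketFilter):
    """Same rules plus a dynamic state table keyed by the connection tuple."""

    def __init__(self, rules):
        super().__init__(rules)
        self.state = set()

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "allow"                 # part of a connection we saw start
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"                  # mid-stream TCP segment with no state entry
        verdict = super().decide(pkt)
        if verdict == "allow":
            self.state.add(fwd)            # remember the newly opened connection
        return verdict


INSIDE = "192.168.1.0/24"                  # constructed internal network


def demo():
    """Return the verdicts of both filters on the same three packets."""
    # The stateless filter needs a second rule to let web replies back in ...
    stateless = PacketFilter([Rule("allow", "tcp", INSIDE, "any", "any", 80),
                              Rule("allow", "tcp", "any", 80, INSIDE, "any")])
    # ... the stateful one only needs the outbound rule.
    stateful = StatefulFilter([Rule("allow", "tcp", INSIDE, "any", "any", 80)])
    request = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80, syn=True)
    reply = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True)
    # Unsolicited inbound connection attempt that merely comes from port 80
    probe = Packet("tcp", "203.0.113.66", 80, "192.168.1.10", 445, syn=True)
    return {"stateless": [stateless.decide(p) for p in (request, reply, probe)],
            "stateful": [stateful.decide(p) for p in (request, reply, probe)]}
```

The stateless filter accepts the third packet because its "return traffic" rule cannot tell a reply from a new inbound connection; the stateful filter denies it because no state entry exists for that tuple.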
Unlike packet filtering and stateful packet inspection, an application
gateway/proxy can see all aspects of the application layer, so it can
look for more specific pieces of information.

Note: the client/server model is broken, since the client talks to the
proxy and the proxy opens its own connection to the server.

It can, for instance, tell the difference between a piece of e-mail
containing text and a piece of e-mail containing a graphic image, or the
difference between a webpage using Java and a webpage without.

From a security standpoint, the application gateway/proxy packet
screening method is far superior to the other types of packet screening.

However, this method isn't always the most practical to use.


Weaknesses

The most significant weakness or disadvantage of application
gateways/proxies is the impact they can have on performance.

Since all incoming and outgoing traffic is inspected at the application
level, they are typically slower than packet filtering and stateful
packet inspection methods, which look at traffic at the network layer.

All traffic must pass through all layers of the TCP/IP model prior to
being inspected. As a result, the inspection process requires more
processing power and has the potential to become a bottleneck for the
network. Scalability can be an issue.

Another drawback of application gateways/proxies is that each protocol
(HTTP, SMTP, etc.) requires its own gateway/proxy application. If one
does not exist, then the corresponding protocol will not be allowed
through the firewall. In addition, since each protocol requires its own
gateway/proxy, support for new applications can become a problem.

Application gateways/proxies typically require additional client
configuration. Clients on the network may require configuration changes
to be able to connect to the application gateway/proxy.

Application gateways/proxies installed on general-purpose operating
systems are vulnerable to the security loopholes of the underlying
system. If the underlying system is not secure, the firewall is not
secure.

In some instances, implementation costs can be prohibitive. The enhanced
security of application gateways/proxies may require the purchase of
additional hardware, software, expertise, or support, which in turn
drives up the cost of the firewall solution.
LAN architecture and security

1. Router with access-list
2. Router with FW IOS
3. Firewall without DMZ
4. Firewall with DMZ
5. Two firewalls (back-to-back)


What Is a DMZ?
• DMZs are also known as perimeter networks or
screened networks
• A network region separate from the private internal
network, but access is still restricted from the external
world
• Created to give un-trusted users access to required data
while minimizing the risk to the internal network
• Servers in the DMZ are considered “expendable” –
they could be lost and should only host data that is
easily replaced
Different Types of Perimeter Networks

• Three-homed or three-legged perimeter network
• Back-to-back perimeter network
Perimeter Network with Three-Homed Firewall

[Figure: a three-homed firewall with one interface to the Internet, one
to the Perimeter Network (DMZ) and one to the Internal Network]
Understanding Packet Filtering

[Figure: a packet filter between the Internet, a Perimeter Network
containing a Server at 192.168.2.200, and the Internal Network;
addresses shown: 10.0.0.1, 192.168.1.1, 192.168.2.1]

Source / Port   Destination / Port   Protocol   Direction   Type
Any / Any       192.168.2.200 / 25   TCP        Incoming    Allow
Back-to-Back Perimeter Network Requirements

• Two firewalls required
• Only the external interface of the external FW contains routable IP
  addresses
Back-to-Back Perimeter Network
Access Control
• Web or server publishing is used to allow
external traffic to access servers in the perimeter
network
• Web or server publishing is also used to allow
perimeter network servers to access servers on
the internal network
• Protocol rules are used to allow outbound traffic
from either the internal or perimeter network
Perimeter Network with Back-to-Back Firewalls

[Figure: Internet, External Firewall, Perimeter Network, Internal
Firewall, internal network, in that order]
DNS and Firewall

• Let’s suppose that the customer DNS service is managed by the TELCO
  and NAT is operated by the external firewall.
• How can internal users access their own web server with its URL?
Firewall Basics

Cisco PIX example

Software products based on a standard OS: … security?
Checkpoint Firewall-1 (GUI)

Standalone products:
Cisco PIX (replaced by ASA)
2007: ASA replaces PIX

Cisco ASA 5500 Series Adaptive Security Appliances are easy-to-deploy
solutions that integrate firewall, Unified Communications (voice/video)
security, SSL and IPsec VPN, intrusion prevention (IPS), and content
security services in a flexible, modular product family.

Cisco ASA 5500 Series delivers content security services including URL
filtering, anti-phishing, anti-spam, antivirus, anti-spyware, and content
filtering, which can help lower operations costs, reduce liability, and
improve employee productivity.
ASA family

From:
Cisco ASA 5505 10 Firewall Edition Bundle
Includes: 8-port Fast Ethernet switch with 2 Power over Ethernet ports,
10 IPsec VPN peers, 2 SSL VPN peers, Triple Data Encryption
Standard/Advanced Encryption Standard (3DES/AES) license

To:
Cisco ASA 5580-40 Firewall Edition 4 x 10GE Bundle
Includes: 4 10 Gigabit Ethernet interfaces, 2 Management interfaces,
5000 IPsec VPN peers,

… and highest performance with ASA 5585 for Data Center

ASA Options:
Active/Active or Active/Standby high availability
Content Security Control Security Services Module for advanced
antivirus, antispam, …
Solutions Ranging from SMB to Large Enterprise

                              Cisco ASA 5510         Cisco ASA 5520          Cisco ASA 5540
Target Market                 SMB and SME            Enterprise              Large Enterprise
List Price                    Starting at $3,495     Starting at $7,995      Starting at $16,995
Performance
  Max Firewall                300 Mbps               450 Mbps                650 Mbps
  Max Threat Mitig. (FW+IPS)  150 Mbps               375 Mbps                450 Mbps
  Max IPSec VPN               170 Mbps               225 Mbps                325 Mbps
Base Platform Services        App FW, IPSec and      Same as 5510, plus      Same as 5520, with
                              SSL VPN, A/S HA        A/A Failover, VPN       higher performance
                              (Upg.), 3 FE to 5 FE   Clustering, 4 GE + 1 FE and scalability
Delivering Comprehensive Protection and Control

THREAT TYPES: Unauthorized Access; Intrusions & Attacks; Insecure
Comms.; Viruses; Spyware; Malware; Phishing; Spam; Inappropriate URLs;
Non-work Related Web Sites; Identity Theft; Offensive Content

PROTECTION (ASA 5500 with CSC-SSM): Resource & Information Access
Protection; Hacker Protection; DDoS Protection; Protected Email
Communication; Protected Web Browsing; Protected File Exchange; Unwanted
Visitor Control; Audit & Regulatory Assistance; Identity Protection

NEW Anti-X Service Extensions: Granular Policy Controls; Comprehensive
Malware Protection; Advanced Content Filtering; Integrated Message
Security; Easy to Use
Cisco ASA 5500 Series Anti-X Edition
Key Technologies and Innovations

Unified Threat Prevention
• Granular Policy Controls
  – Built on Cisco PIX Firewall technology
• Comprehensive Malware Protection
  – Integrates Trend Micro antivirus and malware technology to stop
    virtually all threats
• Advanced Content Filtering
  – Secures employee productivity and reduces legal liability
• Integrated Message Security
  – Removes unsolicited email
Antivirus and Anti-Spyware
Email and Web Protection

Email System Protection
• Protects your internal e-mail servers from viruses through effective
  scanning of SMTP and Webmail traffic
• Scans POP3 e-mail to prevent virus attacks through personal Internet
  e-mail accounts or from ISP hosted e-mail

Web Protection
• Protects networks against web-based attacks, including Web viruses,
  Trojans, spyware, …
• Filters HTTP and FTP traffic with minimal impact to web performance
• Actively scans downloaded Internet files for malicious content
• Prevents employees from accidentally introducing viruses through
  personal Internet e-mail
• Scans suspicious web programming codes such as Java scripts and
  applets

[Figure: Internet, then the antivirus / anti-spyware scanning of Web and
Email traffic on the ASA, then the internal Email Server]

Mail / Web Scanning: Incoming and outgoing; Compressed file handling;
Large message filtering; High recipient filtering
Spyware Scanning: Spyware; Adware; Hacking Tools; Remote Access;
Password Crackers; Others
Comprehensive Content and Message Compliance

URL Filtering
• Restricts employee Internet usage by category, group, time of day,
  day of week, and bandwidth quotas
• Filters Web content through an ever-expanding database with millions
  of URLs categorized to block inappropriate websites

Content Filtering
• Filters inbound and outbound email to ensure message compliance
• Enables IT managers to construct rules using Boolean and regular
  expressions for complex content filtering
• Reduces legal liability by adding company-specific legal disclaimers
  to outgoing email based on message characteristics

Anti-Phishing
• Detects and blocks known phishing sites using PhishTrap technology

[Figure: Internal Users, Content Filtering on the ASA, Web Sites and a
Database of URLs]
URL Filtering: Company-prohibited; Not work related
Content Filtering: Keyword; True file types; Attachment names; File sizes
Integrated Message Security
Anti-Spam Filters Out Unwanted Emails

Key Benefits
• Increases Productivity: filters unwelcome email traffic, minimizing
  employee distraction
• Frees IT Resources: network transmissions without
  non-business-relevant traffic
• Removes most unsolicited email before it hits the mail server
• Increases employee productivity
• Prevents wasting network bandwidth and storage

[Figure: Internet, ASA 5500 and CSC-SSM (Anti-Spam), Desktops]

Application Inspection & Control Engines
Provide Control over Application Usage & Network Access

• Application and protocol-aware inspection services provide strong
  application-layer security
• Performs conformance checking, state tracking, security checks,
  NAT/PAT support and dynamic port allocation

Over 30 engines:
Multimedia / Voice over IP: H.323 v1-4, SIP, SCCP (Skinny), GTP (3G
Wireless), MGCP, RTSP, TAPI / JTAPI
Core Internet Protocols: HTTP, FTP, TFTP, SMTP / ESMTP, DNS / EDNS,
ICMP, TCP, UDP
Database / OS Services: ILS / LDAP, Oracle / SQL*Net (V1/V2), Microsoft
Networking, NFS, RSH, SunRPC / NIS+, X Windows (XDMCP)
Specific Applications: Microsoft Windows Messenger, Microsoft NetMeeting,
Real Player, Cisco IP Phones, Cisco Softphones
Security Services: IKE, IPSec, PPTP
Advanced Web-Traffic Security
Protects Networks from Web-based Threats

Protection against peer-to-peer, IM, and mail attachment threats.
Ensuring network performance by controlling application abuse.

• Advanced HTTP inspection services help protect from web-based attacks
  and other types of “port 80 misuse”
  – Includes customizable policies for detecting and blocking tunneled
    applications and attacks, including:
    - Instant messaging applications (AIM, MSN Messenger, Yahoo)
    - Peer-to-peer applications (KaZaA)
    - And more!
  – Adds advanced TCP stream engines for hidden attack detection



Cisco VPN Services for Any Deployment Scenario
SSL and IPSec VPN Services with Comprehensive Security

[Figure: users reaching the ASA 5500 over the public Internet]
• Supply Partner: requires access to ordering databases
• Branch Office: requires site-to-site
• Hourly Employee: requires access to online schedule and timesheets
  (specific apps)
• Employee at Home: requires consistent LAN-like access

Converged VPN, Firewall, and Threat Mitigation:
• Inspect/Control VPN Sessions
• Integrated Malware Mitigation
• Single RA VPN Device Infrastructure
• Unified User Management

Provides fully secured, highly customizable access for any user from any
location
Customizable Remote Application Access
Full Network Access: IPSec and SSL VPN

• Customizable access and streamlined management – comprehensive IPSec
  and SSL VPN solutions on one platform
• Ease of administration – dynamically downloadable SSL VPN client is
  centrally configured and easy to update
• Fast initiation and operation – multiple delivery methods and small
  download size ensure broad compatibility and rapid download
Customizable Application Access
SSL VPN Client for WebVPN

Leverages depth of Cisco encryption client experience to deliver a
lightweight, stable and easy-to-support SSL VPN tunneling client

Features:
• Enables IPSec-like application access through “web-pushed” client
• Less than 250KB download via Java, ActiveX or .exe
• No re-boot required after installation
• Client may be either removed at end of session or left permanently
  installed

Benefits:
• Fast client download time
Cisco Secure Desktop
How it Works

Step One: A user on the road connects to HQ and the Cisco Secure Desktop
is pushed down to the endpoint.

Step Two: An encrypted hard drive partition is created for the user to
work in.

Step Three: The user logs in.

Step Four: At logout the Virtual Desktop that the user has been working
in is eradicated and the user is notified.

[Figure: an employee-owned desktop running Cisco Secure Desktop,
connected by clientless SSL VPN to the ASA 5500 and on to www…]

Note: CSD download and eradication is seamless to the user. If the user
forgets to terminate the session, auto-timeout will close the session
and erase all session information.
PIX configuration examples

PIX configuration

Assigning an IP Address and Subnet Mask

Assign an ip address command to each interface in your PIX Firewall
that connects to another network.

The format for the ip address command is as follows:

ip address inside ip_address netmask
ip address outside ip_address netmask
Changing Interface Names or Security Levels

Each interface has a unique name and security level that you can change
using the nameif command. By default, Ethernet0 is named outside and
assigned the level security0. Ethernet1 is named inside with the level
security100.

The default security level of interfaces starts at security10 for
ethernet2, and increments by 5 for each additional interface.

Use the show nameif command to view the current names and security
levels for each interface. The results of this command for a PIX
Firewall with three interfaces might be as follows.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10

100 = higher security

Security levels let you control access between systems on different
interfaces, and the way you enable or restrict access depends on the
relative security level of the interfaces:

• To enable access to a higher security level interface from a lower
  level interface, use the static and access-list commands.
• To enable access to a lower level interface from a higher level
  interface, use the nat and global commands.
Enter the default route:

route outside 0 0 209.165.201.2 1

In addition, add static routes for the networks that connect to the
inside router as follows:

route inside 192.168.5.0 255.255.255.0 192.168.0.2 1
route inside 192.168.6.0 255.255.255.0 192.168.0.2 1

Add a nat command statement for each higher security level interface
from which you want users to start connections to interfaces with lower
security levels:
   a. To let inside users start connections on any lower security
      interface, use the nat (inside) 1 0 0 command.
   b. To let dmz4 users start connections on any lower security
      interface such as dmz3, dmz2, dmz1, or the outside, use the
      nat (dmz4) 1 0 0 command.
   c. To let dmz3 users start connections on any lower security
      interface such as dmz2, dmz1, or the outside, use the
      nat (dmz3) 1 0 0 command.
   d. To let dmz2 users start connections on any lower security
      interface, such as dmz1 or outside, use the nat (dmz2) 1 0 0
      command.
   e. To let dmz1 users start connections to the outside, use the
      nat (dmz1) 1 0 0 command.
Instead of specifying "0 0" to let all hosts start connections, you can
specify a host or a network address and mask. For example, to let only
host 192.168.2.42 start connections on the dmz2 interface, you could
specify the following:

nat (dmz2) 1 192.168.2.42 255.255.255.255

The "1" after the interface specifier is the NAT ID. You can use one ID
for all interfaces and the PIX Firewall sorts out which nat command
statement pertains to which global command statement on which
interface, or you can specify a unique NAT ID to limit access to a
specific interface. Remember that the nat command opens access to all
lower security level interfaces, so if you want users on the inside to
access the perimeter interfaces as well as the outside, then use one
NAT ID for all interfaces. If you only want inside users to access the
dmz1 interface but not the outside interface, use unique NAT IDs for
each interface.

The NAT ID in the nat command has to be the same NAT ID you use for the
corresponding global command. NAT ID 0 means to disable Network Address
Translation.
Add a global command statement for each lower security interface which
you want users to have access to; for example, on the outside, dmz1,
and dmz2. The global command creates a pool of addresses that
translated connections pass through.

There should be enough global addresses to handle the number of users
each interface may have trying to access the lower security interface.
You can specify a single PAT entry, which permits up to 64,000 hosts to
use a single IP address.

For example:

global (outside) 1 209.165.201.5 netmask 255.255.255.224
global (outside) 1 209.165.201.10-209.165.201.20 netmask 255.255.255.224

The first global command statement specifies a single IP address, which
the PIX Firewall interprets as a PAT. The PAT lets up to 65,535 hosts
start connections to the outside. PIX Firewall permits one PAT global
command statement for each interface.

The second global command statement augments the pool of global
addresses on the outside interface. It creates a pool of addresses used
only when the addresses in the first global command statement are in
use.

global (dmz1) 1 192.168.1.10-192.168.1.100 netmask 255.255.255.0
global (dmz2) 1 192.168.2.10-192.168.2.100 netmask 255.255.255.0

The global command statement for dmz1 lets users on the inside, dmz2,
dmz3, and dmz4 start connections on the dmz1 interface.

The global command statement for dmz2 lets users on the inside, dmz3,
and dmz4 start connections on the dmz2 interface (not dmz1, because it
has a lower security level than dmz2).
Two Interfaces Without NAT

nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 209.165.201.3 255.255.255.224
ip address inside 192.168.3.254 255.255.255.0
hostname pixfirewall
nat (inside) 0 192.168.3.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
Two Interfaces with NAT

nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 209.165.201.3 255.255.255.224
ip address inside 192.168.3.0 255.255.255.0
hostname pixfirewall
nat (inside) 1 0 0
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.8
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
Three-interface Configuration

The network has the following IP addresses and network masks:
• Outside network interface address: 209.165.201.2, network mask:
  255.255.255.248
• Inside network interface address: 209.165.201.9, network mask:
  255.255.255.248
• DMZ network interface address: 209.165.201.17, network mask:
  255.255.255.248

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 209.165.201.2 255.255.255.248
ip address inside 209.165.201.9 255.255.255.248
ip address dmz 209.165.201.17 255.255.255.248
hostname pixfirewall
nat (inside) 0 209.165.201.8 255.255.255.248
static (dmz,outside) 209.165.201.5 209.165.201.19 netmask 255.255.255.248
access-list acl_out permit tcp any host 209.165.201.5
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
Three Interfaces with NAT

The network has the following IP addresses and network masks:
• Outside network interface address: 209.165.201.4, network mask:
  255.255.255.224
• Allowable global and static addresses on the outside network:
  209.165.201.5-209.165.201.30, network mask: 255.255.255.224
• Inside network interface address: 10.0.0.3, network mask: 255.0.0.0
• DMZ network interface address: 192.168.0.1, network mask:
  255.255.255.0

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 209.165.201.4 255.255.255.224
ip address inside 10.0.0.3 255.0.0.0
ip address dmz 192.168.0.1 255.255.255.0
hostname pixfirewall
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.5
global (dmz) 1 192.168.0.10-192.168.0.20
nat (inside) 1 10.0.0.0 255.0.0.0
nat (dmz) 1 192.168.0.0 255.255.255.0
name 192.168.0.2 webserver
static (dmz,outside) 209.165.201.6 webserver
access-list acl_out permit tcp any host 209.165.201.6 eq 80
access-group acl_out in interface outside
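The rules explained above (nat plus a global with the same NAT ID for higher-to-lower connections, static plus an access-list for lower-to-higher, NAT ID 0 for no translation, nothing between interfaces of equal level) can be checked against a configuration mechanically. The following Python model is an added illustration, not PIX software or anything from the slides: it parses the "Three Interfaces with NAT" statements and decides whether a given connection may start. The outside host 198.51.100.7 is a constructed example, and the model ignores fixups, conduits and NAT 0 access-lists.

```python
import ipaddress

# Constructed sample: the "Three Interfaces with NAT" statements from above.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.5
global (dmz) 1 192.168.0.10-192.168.0.20
nat (inside) 1 10.0.0.0 255.0.0.0
nat (dmz) 1 192.168.0.0 255.255.255.0
name 192.168.0.2 webserver
static (dmz,outside) 209.165.201.6 webserver
access-list acl_out permit tcp any host 209.165.201.6 eq 80
access-group acl_out in interface outside
"""

def _addr(w, i):
    """Parse an access-list address spec at w[i]; return (network, next i)."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if w[i] == "host":
        return ipaddress.ip_network(w[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}", strict=False), i + 2

def parse(text):
    cfg = {"sec": {}, "nat": [], "global": {}, "static": [],
           "acl": {}, "bound": {}, "names": {}}
    for line in text.strip().splitlines():
        w = line.split()
        if w[0] == "nameif":                  # nameif <hw> <name> security<N>
            cfg["sec"][w[2]] = int(w[3].replace("security", ""))
        elif w[0] == "name":                  # name <ip> <alias>
            cfg["names"][w[2]] = w[1]
        elif w[0] == "nat":                   # nat (<if>) <id> <net> <mask>; "0 0" = all
            wide = w[3] in ("0", "0.0.0.0")
            net = ipaddress.ip_network("0.0.0.0/0" if wide else f"{w[3]}/{w[4]}", strict=False)
            cfg["nat"].append((w[1].strip("()"), int(w[2]), net))
        elif w[0] == "global":                # global (<if>) <id> <pool or PAT address>
            cfg["global"].setdefault(w[1].strip("()"), set()).add(int(w[2]))
        elif w[0] == "static":                # static (<hi>,<lo>) <global ip> <local ip|name>
            hi, lo = w[1].strip("()").split(",")
            local = cfg["names"].get(w[3], w[3])
            cfg["static"].append((hi, lo, ipaddress.ip_address(w[2]), local))
        elif w[0] == "access-list" and w[2] == "permit":
            src, i = _addr(w, 4)
            dst, i = _addr(w, i)
            port = int(w[i + 1]) if i < len(w) and w[i] == "eq" else None
            cfg["acl"].setdefault(w[1], []).append((w[3], src, dst, port))
        elif w[0] == "access-group":          # access-group <acl> in interface <if>
            cfg["bound"][w[4]] = w[1]
    return cfg

def may_start(cfg, src_if, src_ip, dst_if, dst_ip, port, proto="tcp"):
    """True if src_ip on src_if may open proto/port to dst_ip on dst_if. For a
    lower-to-higher attempt dst_ip is the global (translated) address."""
    sec = cfg["sec"]
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if sec[src_if] > sec[dst_if]:
        # higher -> lower: a nat on src_if and a global with the same NAT ID on
        # dst_if (NAT ID 0 means no translation, so no global is needed)
        ids = {i for ifc, i, net in cfg["nat"] if ifc == src_if and src in net}
        if not ids or (0 not in ids and not ids & cfg["global"].get(dst_if, set())):
            return False
    elif sec[src_if] < sec[dst_if]:
        # lower -> higher: a static must publish dst_ip on src_if, and an
        # access-list must be bound inbound on src_if to permit it
        if not any(hi == dst_if and lo == src_if and g == dst
                   for hi, lo, g, _ in cfg["static"]) or src_if not in cfg["bound"]:
            return False
    else:
        return False                          # same security level: never permitted on PIX
    if src_if not in cfg["bound"]:
        return True                           # no inbound access-list: nat/global suffice
    return any(p == proto and src in s and dst in d and pt in (None, port)
               for p, s, d, pt in cfg["acl"][cfg["bound"][src_if]])
```

With this configuration inside and dmz hosts reach the outside, inside hosts reach the dmz, the outside reaches only webserver on port 80 through its static, and nothing from the dmz reaches the inside because no static publishes an inside address there.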
Exercise

Cisco PIX configuration for:

• Only the 10.1.6.0 network can access the outside, and only for
  browsing
• Allowing untrusted hosts (outside) to access the internal webserver
  (your-org.com) only for browsing
• The untrusted host 199.199.199.24 can access the webserver with FTP
Failover

Failover lets you connect a second PIX Firewall unit to your network to
protect your network if the first unit goes offline. If you use Stateful
Failover, you can maintain operating state for the TCP connection during
the failover from the primary unit to the standby unit.

When failover occurs, each unit changes state. The unit that activates
assumes the IP and MAC addresses of the previously active unit and
begins accepting traffic. Because network devices see no change in
these addresses, no ARP entries change or time out anywhere on the
network.

Once you configure the primary unit and attach the necessary cabling,
the primary unit automatically copies the configuration over to the
standby unit.

Cabling the two PIX Firewall units together requires a high-speed
serial cable when using cable-based failover, or a dedicated Ethernet
connection to a dedicated switch/hub (or VLAN) when using LAN-based
failover.

If you are using Stateful Failover, a separate dedicated full-duplex
100 Mbps or Gigabit Ethernet connection is required when running
cable-based failover and is recommended when running LAN-based failover.
Step 1   Connect the failover cable to the primary PIX Firewall unit,
ensuring that the end of the cable marked "Primary" attaches to the
primary unit and that the end marked "Secondary" connects to the
secondary unit.

Step 2   Only configure the primary unit. Changes made to the standby
unit are not copied to the primary unit and are lost during the next
reboot. When you are done configuring the PIX Firewall and enter the
write memory command to save the configuration to Flash memory, the
primary unit automatically updates the secondary unit.

Step 3   Use the failover command statement to enable failover on the
primary unit.

Step 4   Use the show failover command to verify that the primary unit
is enabled.
Configuring LAN-Based Failover

PIX Firewall version 6.2 introduces support for LAN-based failover, so
a special Failover cable is no longer required to connect the primary
and secondary PIX Firewalls. LAN-based failover overcomes the distance
limitations imposed by the six-foot length of the Failover cable.

Note   A dedicated LAN interface and a dedicated switch/hub (or VLAN)
are required to implement LAN-based failover.

With LAN-based failover, failover messages may be transmitted over
Ethernet connections that are relatively less secure than the dedicated
Failover cable used in previous versions of the PIX Firewall. For
LAN-based failover, PIX Firewall version 6.2 therefore provides message
encryption and authentication using a manual pre-shared key.

For failover, both PIX Firewall units should be the same model number,
have at least as much RAM, have the same Flash memory size, and be
running the same software version.
Note: the ethernet2 interface is either unused or dedicated to the
Stateful Failover link.

Primary unit

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security10
nameif ethernet3 lanfover security20
hostname pixfirewall
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
ip address outside 209.165.201.1 255.255.255.224
ip address inside 192.168.2.1 255.255.255.0
ip address stateful 192.168.253.1 255.255.255.252
ip address lanfover 192.168.254.1 255.255.255.0
failover !--- Start the failover process.
failover ip address outside 209.165.201.2
failover ip address inside 192.168.2.2
failover ip address stateful 192.168.253.2 !--- Standby address on the stateful link's own subnet.
failover ip address lanfover 192.168.254.2 !--- Standby address on the LAN failover subnet.
failover link stateful !--- ethernet2 carries the Stateful Failover updates.
failover lan unit primary !--- This unit is primary.
failover lan interface lanfover !--- This interface is used for LAN failover.
failover lan key 12345678 !--- The pre-shared key.
failover lan enable !--- Enables LAN-based failover.
global (outside) 1 209.165.201.3 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 209.165.201.5 eq 80
access-group acl_out in interface outside
Secondary unit (minimum)

nameif ethernet3 lanfover security20 !--- Same LAN failover interface as on the primary.
interface ethernet3 100full
ip address lanfover 192.168.254.1 255.255.255.0
failover ip address lanfover 192.168.254.2 !--- As the secondary unit it takes this standby address.
failover lan unit secondary
failover lan interface lanfover
failover lan key 12345678 !--- Must match the primary's pre-shared key.
failover lan enable
failover
