Chapter 10: Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA

Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASAAt the end of this chapter, you will be able to do the following:• Introduce and describe the function, operational framework, and building blocks of Cisco IOS Zone-Based Firewalls• Describe the functions of zones and zone pairs, as well as their relationship in hierarchical policies• Describe Cisco Common Classification Policy Language for creating zone-based firewall policies• List the default policies for the different combinations of zone types• Demonstrate the configuration and verification of zone-based firewalls using Cisco Configuration Professional and the CLI• Demonstrate the configuration of NAT services for zone-based firewalls• Describe the Cisco ASA family of products, identifying key supported features• Describe the building blocks of Cisco ASA configuration• Describe the navigation options, features, and requirements of Cisco ASDM• Describe the use of access control lists on Cisco ASA• Describe the deployment of policies using the Cisco Modular Policy Framework• Describe the configuration procedure to deploy basic outbound access control on Cisco ASA using Cisco ASDMContentsCisco offers multiple different firewall solutions, each geared to a different environment. Currently, Cisco Firewall offerings include• Cisco IOS Firewall• Cisco ASA 5500 Adaptive Security Appliances• Cisco ASA 1000V Cloud Firewall• Cisco Virtual Security Gateway for Nexus 1000V Series Switch• Cisco Catalyst 6500 Series ASA Services Module• Cisco Catalyst 6500 Series Firewall Services Module• Cisco Small Business SA500 Series Security AppliancesCisco Firewall SolutionsCisco IOS Zone-Based Policy FirewallTo demonstrate this model, the figure shows three zones:• Untrusted: Represents the Internet• DMZ: Demilitarized zone, which contains the corporate servers accessed by the public• Trusted: Represents the inside networkZone-Based Policy Firewall OverviewThe interzone policies in a Figure are as follows:• Public-DMZ: DMZ policy that sets the rules for traffic originating from the untrusted zone with the DMZ as destination• DMZ-Private: Private policy that sets the rules for the traffic originating from the DMZ with the trusted zone as destination• Private-DMZ: DMZ policy that sets the rules for the traffic originating from the trusted zone with the DMZ as destination.• Private-Public: Pubic policy that sets the rules for the traffic originating from the trusted zone with the untrusted zone as destinationInterzone Policies• Stateful inspection• Application inspection• URL filtering• Per-policy parameter• Transparent firewall• Virtual routing and forwarding aware firewallCisco IOS Zone-Based Policy Firewalls support the following featuresKey benefits of zone-based policy firewall are as follows:• It is not dependent on ACLs.• The router security posture is restrictive (which means block unless explicitly allowed).• C3PL makes policies easy to read and troubleshoot.• One policy affects any given traffic instead of needing multiple ACL and inspection actions.BenefitsInterfaces Belong to ZoneZones and Zone PairsZone-Based Topology ExamplesSimple Firewall Topology with Two Security DomainsMedium-Sized Organization with Three ZonesTo create firewall policies, complete the following tasks:Step 1. Define a match criterion (class map).Step 2. Associate actions to the match criteria (policy map).Step 3. Attach the policy map to a zone pair (service policy).Introduction to Cisco Common Classification Policy LanguageComponents of Cisco Common Classification Policy LanguageCisco Common Classification Policy Language policies are modular, object oriented, and hierarchical in nature:• Modular and object oriented: These traits give the firewall administrator the flexibility to create building-block objects such as class maps and policy maps, and reuse them within a given policy and across policies.• Hierarchical: This feature results in powerful policies that can be expanded to include customized inspection, application layer rules, and advanced inspection featuresC3PL: If-Then-Else StructureModular Object-Oriented Configuration Design• Class maps that analyze Layer 3 and Layer 4 traffic sort the traffic based on the following criteria:• Access-group• Protocol• Class-map• The match type defines how multiple match statements are processed to match the class:• If match-any is specified, traffic must meet any one of the match criteria in the class map.• If match-all is specified, traffic must match all of the class map criteria to belong to that particular class.Characteristics of class map objectsThe Cisco IOS Zone-Based Policy Firewall can take three possible actions when you configure it using CCP or the CLI:• inspect: This action configures Cisco IOS stateful packet inspection.• drop: This action is analogous to deny in an ACL. An additional log option can be added to drop to log dropped packets.• pass: This action is analogous to permit in an ACL. The pass action does not track the state of connections or sessions within the traffic; pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.Zone-Based Policy Firewall ActionsThe membership of the router network interfaces in zones is subject to several rules governing interface behavior, as is the traffic moving between zone member interfaces:• A zone must be configured before you can assign interfaces to the zone.• You can assign an interface to only one security zone.• Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.• To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.• Traffic cannot flow between a zone member interface and any interface that is not a zone member. You can apply pass, inspect, and drop actions only between two zones.• Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection (CBAC) configuration.• If you do not want an interface on the router to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a “pass all” policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.• From the preceding rules it follows that if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of a zone).Zone-Based Policy Firewall: Default Policies, Traffic Flows, and Zone InteractionZone-Based Policy Firewall: Rules for Application TrafficZone-Based Policy Firewall: Rules for Router TrafficThe following considerations should be weighted when designing Cisco IOS Zone-Based Policy Firewalls:• An interface can be assigned to one zone and one zone only.• An interface pair can be assigned one policy and one policy only.• Consider default traffic flows for interfaces without zones, traffic flows between zones, and traffic flows to or from the router interfaces themselves.• Inspection actions cannot be applied to the class-default class.• The default policy action for unclassified traffic is drop.Designing Cisco IOS Zone-Based Policy FirewallsConfiguring Basic Interzone Policies Using CCP and the CLIStep 1. Start the Basic Firewall wizard.Step 2. Select trusted and untrusted interfaces.Step 3. Review and verify the resulting policies.Step 4. (Optional) Enable logging.Step 5. View firewall status and activity.Step 6. (Optional) Modify basic policy objects.Step 7. Verify CLI configuration.Cisco IOS Zone-Based Firewall Configuration ScenarioStep 1: Start the Basic Firewall Wizard• Outside (untrusted) interface: Select the router interface that is connected to the Internet or to your organization’s WAN.• Inside (trusted) interfaces: Check the physical and logical interfaces connecting to the LAN. You can select multiple interfaces.Step 2: Select Trusted and Untrusted InterfacesThree levels are available, implementing the following policies:• High Security• The router identifies inbound and outbound instant messaging and peer-to-peer traffic and drops it.• The router checks inbound and outbound HTTP traffic and email traffic for protocol compliance, and drops noncompliant traffic.• The router returns traffic for other TCP and UDP applications if the session was initiated inside the firewall.• Choose this option if you want to prevent use of these applications on the network.• Medium Security• The router identifies inbound and outbound instant messaging and peer-to-peer traffic, and checks inbound and outbound HTTP traffic and email traffic for protocol compliance.• The router returns TCP and UDP traffic on sessions initiated inside the firewall.• Choose this option if you want to track use of these applications on the network.• Low Security• The router does not identify application-specific traffic.• The router returns TCP and UDP traffic on sessions initiated inside the firewall.• Choose this option if you do not need to track use of these applications on the network.Three levelsDefining Security Levels for the PolicyStep 3: Review and Verify the Resulting PoliciesVerifying and Tuning the ConfigurationStep 4: Enabling LoggingStep 5: Verifying Firewall Status and ActivityStep 6: Modifying Zone-Based Firewall Configuration ObjectsThe following list shows the sequence of what is created and referenced:1. ACL to identify the traffic2. Zones3. Class map4. Policy map (actions can be inspect, pass, and drop, and dropped traffic can also be logged)5. Zone pair (policy map + zones)General Steps to Create ZBFclass-map type inspect match-any OUTBOUND-PROTOCOLS match protocol http match protocol smtp match protocol ftp!policy-map type inspect ACCESS-POLICY class type inspect OUTBOUND-PROTOCOLS inspect!zone security PRIVATEzone security INTERNET!interface fastethernet 0/0 zone-member security PRIVATE!interface serial 0/0/0 zone-member security INTERNET!zone-pair security PRIV-TO-INTERNET source PRIVATE destination INTERNET service-policy type inspect ACCESS-POLICYStep 7: Verifying the Configuration Using the CLIConfiguring NAT Services for Zone-Based FirewallsThere are three main steps to configure a NAT with Cisco IOS zone-based firewall:Step 1. Run the Basic NAT wizard.Step 2. Select NAT interfaces:• Outside interface with global IP address• Inside interface with original IP addressStep 3. Verify the configuration.NAT with ZBF Configuration ScenarioBasic NATAdvance NATStep 1: Run the Basic NAT WizardStep 2: Select NAT Inside and Outside InterfacesFinishing the WizardNAT CLI Configurationip nat inside source list 1 interface FastEthernet0/0 overloadaccess-list 1 permit 10.10.0.0 0.0.0.255Step 3: Verify NAT with CCP and the CLIRouter# show ip nat translationsPro Inside global Inside local Outside local Outside globalTCP 200.200.1.51:1050 10.10.10.20:1050 75.75.75.750:23 172.16.100.10:23TCP 200.200.1.52:1776 10.10.10.10:1776 150.150.1.40:25 150.150.1.40:25Current Translation for Live TrafficCisco ASA FirewallASA ModelsMulti-Service (Firewall/VPN and IPS)Performance and ScalabilityCampusBranch OfficeSOHOInternet EdgeASA 5585 SSP-60(40 Gbps, 350K cps)ASA 5585 SSP-40(20 Gbps, 240K cps)ASA 5585 SSP-20(10 Gbps, 140K cps)ASA 5585 SSP-10(4 Gbps, 65K cps)ASA 5540 (650 Mbps,25K cps)ASA 5520 (450 Mbps,12K cps)ASA 5510 (300 Mbps, 9K cps) ASA 5505 (150 Mbps, 4000 cps)ASA 5550 (1.2 Gbps, 36K cps)ASA SM(16 Gbps, 300K cps)Data Center* Mbps and Gbps = maximum throughput * cps = maximum connection per secondThe Cisco ASA security appliance is fundamentally a stateful packet filter with application inspection and controlA rich set of additional integrated software and hardware features that enable you to expand its functionality beyond those fundamental filtering mechanisms.The heart of the Cisco ASA is an application-aware stateful packet inspection algorithm, which controls flows between networks that are controlled by the security applianceStateful Packet Filtering and Application AwarenessState Table Created for All Inspected TrafficSome of those additional servicesNetwork Address TranslationDHCP serverRoutingNetwork Services Offered by the Cisco ASA 5500 SeriesThese different varieties of NAT allow for flexible deployment of NAT services:• Inside and outside NAT• Dynamic NAT and PAT• Static NAT and PAT• Policy NAT• NAT exemptionIn addition to the translation table kept by the Cisco ASA, which you can look at with the show xlate commandNetwork Address TranslationThe Cisco ASA can provide a DHCP server or DHCP relay services to DHCP clients attached to Cisco ASA interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. DHCP relay passes DHCP requests received on one interface to a DHCP server located behind a different interface. DHCP relay takes a DHCP broadcast and forwards it to the DHCP server located on a different network as a unicast.The Cisco ASA security appliance supports RIP, OSPF, and EIGRP dynamic routing protocols to integrate into existing routing infrastructures. Where dynamic routing is not available, the Cisco ASA security appliance can use static routing instead.Additional Network Services• Stateful inspection and application level controls• Threat control and containment• Network integrationCisco ASA Security Technologies• ACL packet filtering• Object groups• Application Inspection and Control (AIC)• User-based access control (cut-through proxy)• Identity firewall• Session auditingStateful inspection and application level controls• IPS via Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM) and Advanced Inspection and Prevention Security Services Card (AIP-SSC)• Botnet traffic filtering• Category-based URL filtering• Threat detection (basic, advanced, scanning)Threat control and containment• Virtualization• Security modules• IPv6 and multicast support• NAT and DHCP services• Site-to-site and remote-access IPsec and SSL VPNs• Transparent firewall mode• IP routing• High-availability failoverNetwork integrationIn that sense, traffic flows are defined as inbound or outbound like this:• Inbound traffic: Travels from a less trusted interface to a more trusted interface; that is, from a lower security level to a higher security level• Outbound traffic: Travels from a more trusted interface to a less trusted interface; that is, from a higher security level to a lower security levelCisco ASA Configuration FundamentalsNetworks on a FirewallHigh to low, good to go. Low to high, must die• Network access• Inspection engines• NetBIOS inspection engine: Applied only for outbound connections.• SQL*Net inspection engine: If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the Cisco ASA.• FilteringSecurity level controlsThe appliance provides five configuration modes, similar to Cisco IOS devices:• ROM monitor mode• User EXEC mode• Privileged EXEC mode• Global configuration mode• Specific configuration modesManaging the Cisco ASA Using the CLICisco ASA PromptsCisco ASA 5505• Physical switch ports• Logical VLAN interfaces Cisco ASDM is to the Cisco ASA what Switch Database Management (SDM) or CCP is to Cisco IOS routersWith a factory default configuration, you can connect to Cisco ASDM using the following interface and network settings:• The management interface depends on your model:• Cisco ASA 5505: The switch port to which you connect to Cisco ASDM can be any port, except for Ethernet 0/0.• Cisco ASA 5510 and later: The interface to which you connect to Cisco ASDM is Management 0/0.• The default management address is 192.168.1.1.• The clients that are allowed to access Cisco ASDM must be on the 192.168.1.0/24 network.Cisco ASDMCisco ASDM Features and MenusCisco ASDM Interface ElementsThe Cisco ASA supports two types of ACLs:• Ingress: Ingress ACLs apply to traffic as it enters an interface. An ingress ACL can bind an ACL to a specific interface or apply a global rule on all interfaces.• Egress: Egress ACLs apply to traffic as it exits an interface. An egress ACL is useful, for example, if you want to allow only certain hosts on the inside networks to access a web server on the outside network. Rather than creating multiple ingress ACLs to restrict access, you can create a single egress ACL that allows only the specified hosts. The egress ACL prevents any other hosts from reaching the outside network.Example of Stateful Packet Filtering on Cisco ASACisco ASA Interface Access Rules Configured with Cisco ASDMCisco MPF uses these three configuration objects to define modular, object-oriented, hierarchical policies:• Class maps: Define a match criterion to identify qualifying traffic• Policy maps: Associate actions to the match criteria• Service policies: Attach the policy map to an interface, or globally to all interfaces of the applianceThese features, among others, use Cisco MPF:• Hardware modules: Traffic is redirected granularly from the Cisco ASA to the modules using Cisco MPF.• Advanced Inspection and Control: Traffic can be classified at Layers 5 through 7 for application layer inspection.• Rate limiting and quality of service (QoS) features.Cisco Modular Policy FrameworkCisco ASA and Modular Policy FrameworkThe list includes these criteria for matching information at Layers 3 and 4:• Access list• Any packet• Default inspection traffic• IP differentiated services code point (DSCP)• IP flow• TCP and UDP ports• IP precedence• Real-Time Transport Protocol (RTP) port numbers• VPN tunnel groupClass Map: Identifying Traffic on Which a Policy Will Be EnforcedThe list of possible actions includes• Sending traffic to the Advanced Inspection and Prevention Security Services Module (AIP-SSM) or the Trend Micro InterScan for Cisco CSC-SSM• Sending NetFlow information• Prioritizing, policing, or shaping traffic (QoS)• Configuring advanced connection settings (such as maximum number of simultaneous embryonic connections per client)• Application inspection (such as preparing for dynamic port for FTP sessions)Service Policy: Activating the PolicyThe service policy, defined in the policy map configuration, will be applied to an interface or globally. You can apply only one service policy per interface. However, a service policy might contain multiple policy maps, and thus different actions to be applied on different flows of traffic.Policy Map: Configuring the Action That Will Be Applied to the TrafficCisco ASA Modular Policy Framework: Simple ExampleThree map classes have been created:• Internet: Traffic that has port 80 listed in its TCP header will be classified as Internet traffic.• Engineers: Traffic with IP subnet 10.66.0.0 will be classified as Engineers traffic.• Voice: Traffic with Layer 3 DSCP bits set to decimal value 46 will be recognized as VoIP traffic and will be classified as Voice traffic.Example of How Modular Policy Framework Can Be Used on Cisco ASAThe configuration steps are as follows:Step 1. Prepare Cisco ASA for Cisco ASDM access via the CLI.Step 2. Run the interactive setup dialog in Cisco ASDM.Step 3. Verify the configuration.Step 4. Verify firewall activity using the Packet Tracer tool.Configuration Scenario for Outbound Traffic Control on Cisco ASAStep 1: Prepare Cisco ASA for Cisco ASDM Access Using the CLISpecifying the Cisco ASDM File to Useasa5505(config)# asdm image disk0:/asdm-641.binVerifying and Understanding the Setup Configuration of a Cisco ASAYou can start Cisco ASDM using either of two methods• ASDM-IDM Launcher (Windows only): The Launcher is an application (downloaded from the Cisco ASA using a web browser) that you can use to connect to any Cisco ASA IP address. You do not need to re-download the Launcher if you want to connect to other Cisco ASAs. The Launcher also lets you run a virtual Cisco ASDM in Demo Mode using files that are downloaded locally.• Java Web Start: For each Cisco ASA that you manage, you need to connect with a web browser and then save or launch the Java Web Start application. You can optionally save the application to your PC. However, you need separate applications for each Cisco ASA IP address.Step 2: Run the Startup Wizard from Cisco ASDMStarting the Cisco ASDM Startup Wizard and the First ScreenSecond Screen of the Cisco ASDM Startup WizardInterface Selection from Cisco ASDM Startup WizardSwitch Port Selection from Cisco ASDM Startup Wizard (Cisco ASA 5505 Only)Interface IP Address Configuration from Cisco ASDM Startup WizardDHCP Server Configuration from Cisco ASDM Startup WizardNAT and PAT Configuration from Cisco ASDM Startup WizardAdministrative Access Configuration from Cisco ASDM Startup Wizard Step 3: Verify the Configuration Created by the Cisco ASDM Startup WizardVerifying Access Rules Verifying NAT Rules Adding a Static Route Using Cisco ASDMThis tool lets you do the following:• Debug all packet drops in a production network• Verify that the configuration is working as intended• Show all rules applicable to a packet, along with the CLI commands that caused the rule addition• Show a timeline of packet changes in a data path• Inject tracer packets into the data pathStep 4: Verify Firewall Activity Using the Packet Tracer ToolTo open the Packet Tracer, perform the following steps:Step 1. In the main Cisco ASDM application window, navigate to Tools > Packet Tracer.Step 2. The Cisco ASDM Packet Tracer dialog box opens.Step 3. Choose the source interface for the packet trace from the Interface drop-down list.Step 4. Specify the protocol type for the packet trace. Available protocol types include TCP, UDP, ICMP, and IP.Step 5. Enter the source address for the packet trace in the Source IP Address field.Step 6. Choose the source port for the packet trace from the drop-down list.Step 7. Enter the destination IP address for the packet trace in the Destination IP Address field.Step 8. Choose the destination port for the packet trace from the drop-down list.Step 9. Click Start to trace the packet.Packet Tracer Tool Cisco ASA 5500 Series Configuration Guide Using ASDM, 6.4 and 6.6, Started with Cisco Configuration Professional, Policy Firewall Design and Application Guide, ResourcesBeaver, K. “Firewall Best Practices” (2009), D., Garneau, D., and Sequeira, A. CCNP Security FIREWALL 642-618 Official Cert Guide (Cisco Press, 2012)CCP and ASDM Demo Mode TutorialsMcKillip, Doug. “Cisco Configuration Professional Demo Mode – Part I,” Doug. “Cisco Configuration Professional Demo Mode – Part II,” Doug. “ASDM Demo Mode Tour,”