CCNA Security Chapter 4 - Implementing Firewall Technologies (Part 2 Firewalls)

See also: Chapter 4 - Implementing Firewall Technologies (Part 1 ACLs)

To review: Transmission Control Protocol - Protocol operation
Syslog Server - 3cdaemon

The term firewall originally referred to a fireproof wall (usually made of stone or metal) that prevented flames from spreading to connected structures.
A firewall prevents undesirable traffic from entering prescribed areas within a network. 

Stateless filtering - occurs regardless of whether a packet is part of an existing flow of data.
Each packet is filtered based solely on the values of certain parameters in the packet header, similar to how ACLs filter packets.

Stateful firewalls filter packets using state information the firewall has stored about the data flowing through it. A stateful firewall can determine whether a packet belongs to an existing flow of data
 (source and destination IP addresses, port numbers, and sequencing information associated with a particular session).

A flow is a stream of related packets that meet the same matching criteria and share the same characteristics.

Four types of firewalls:
 - Packet filtering firewall - (Layer 3,4) Typically a router with the capability to filter some packet content.
 - Stateful firewall - (Layer 3,4,5) Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
 - Application gateway firewall (proxy firewall) - (Layer 3,4,5,7) A firewall that filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software.
 - Network address translation (NAT) firewall - (Layer 3,4) A firewall that expands the number of IP addresses available and hides network addressing design.

Cisco firewall solutions:
- IOS Firewall (Cisco IOS feature),
- PIX Security Appliances (this product line is now end of life) - standalone devices that deliver robust user and application policy enforcement, multivector attack protection, and secure connectivity services. Range from SOHO (PIX 501) to Service Provider (PIX 535).
- ASA (Adaptive Security Appliances) - are easy-to-deploy solutions that integrate firewall capabilities. Range from SOHO (ASA 5505) to Service Provider (ASA 5580).

DMZ (demilitarized zone) is a portion of a network bounded by a firewall or set of firewalls.
Some designs are as simple as designating an outside (public) network (public network=Internet) and inside (private) network, determined by two interfaces on a firewall. 

1) Simple DMZ (2 interfaces)
Typically a firewall with two interfaces is configured as follows:
 - Traffic originating from the private network is inspected as it traverses toward the public network, and is permitted with little or no restriction; inspected traffic returning from the public network, that is associated with traffic that originated from the private network, is permitted.
 - Traffic originating from the public network, and traveling to the private network, is generally blocked entirely.

2) More complicated DMZ designs (three or more interfaces on a firewall)
Typically one inside interface connected to the private network,
one outside interface connected to the public network, and one DMZ interface.

Typical firewall implementation is as follows:
 - Traffic originating from the private network is inspected as it traverses toward the public or DMZ network, and is permitted with little or no restriction; inspected traffic returning from the DMZ or public network to the private network is permitted.
 - Traffic originating from the DMZ network and traveling to the private network is generally blocked.
 - Traffic originating from the DMZ network and traveling to the public network is selectively permitted based on service requirements.
 - Traffic originating from the public network and traveling toward the DMZ is selectively permitted and inspected. This type of traffic is typically email, DNS, HTTP, or HTTPS traffic. Return traffic from the DMZ to the public network is dynamically permitted.
 - Traffic originating from the public network and traveling to the private network is blocked. 

Typical security policy for a DMZ firewall configuration:
 - Traffic that originates from the DMZ interface is permitted to traverse the firewall to the outside interface with little or no restrictions.

Firewall Best Practices
 * Position firewalls at security boundaries.
 * Firewalls are a critical part of network security, but it is unwise to rely exclusively on a firewall for security.
 * Deny all traffic by default. Permit only services that are needed.
 * Ensure that physical access to the firewall is controlled.
 * Regularly monitor firewall logs.
 * Practice change management for firewall configuration changes.
 * Remember that firewalls primarily protect from technical attacks originating from the outside.

The firewall features on an IOS router have grown over the years. The older technology for implementing a firewall on IOS routers was called context-based access control (CBAC).
CBAC has been replaced with the more current Zone-Based Firewall on the IOS.
Context-based access control (CBAC) is a solution available within the Cisco IOS Firewall.

CBAC intelligently filters TCP and UDP packets based on Application Layer protocol session information. It provides stateful Application Layer filtering, including protocols that are specific to unique applications, as well as multimedia applications and protocols that require multiple channels for communication, such as FTP and H.323.
CBAC can block peer-to-peer (P2P) connections, such as those used by the Gnutella and KaZaA applications. Instant messaging traffic, such as Yahoo!, AOL, and MSN, can be blocked.

CBAC provides four main functions:
1) traffic filtering, 
2) traffic inspection (it can detect and prevent certain types of network attacks such as SYN-flooding, CBAC can also be configured to drop half-open connections, which require firewall processing and memory resources to maintain),
3) intrusion detection (CBAC provides a limited amount of intrusion detection to protect against specific SMTP attacks. When CBAC detects an attack based on those specific characteristics, it resets the offending connections and sends syslog information to the syslog server),
4) generation of audits and alerts (syslogs to track all network transactions and record timestamps, source and destination hosts, ports used, and the total number of transmitted bytes for advanced session-based reporting).

It is important to note that CBAC only provides filtering for those protocols that are specified by an administrator.
CBAC relies on a stateful packet filter that is application-aware.

How does CBAC work? 
CBAC creates openings in ACLs at firewall interfaces by adding a temporary ACL entry for a specific session. These openings are created when specified traffic exits the internal protected network through the firewall. The temporary openings allow returning traffic that would normally be blocked and additional data channels to enter the internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session and has the expected properties as the original traffic that triggered CBAC when exiting through the firewall. Without this temporary ACL entry, this traffic would be denied by the preexisting ACL. The state table dynamically changes and adapts with the traffic flow.

CBAC can also be configured to inspect traffic in two directions - in and out.

The timeout and threshold values are used to manage connection state information. These values help determine when to drop connections that do not become fully established or that time out.

Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks:
- Total number of half-opened TCP sessions
- Number of half-opened sessions in a time interval
- Number of half-opened TCP sessions per host

If a threshold for the number of half-opened TCP sessions is exceeded, the firewall has two options:
- It sends a reset message to the endpoints of the oldest half-opened session, making resources available to service newly arriving SYN packets.
- It blocks all SYN packets temporarily for the duration that the threshold value is configured. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources that valid connections need.

Two parameters are tracked by CBAC for TCP traffic but not for UDP traffic:
 - sequence number,
 - SYN and ACK flags.
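The following is an added illustration (not Cisco code) of the CBAC behaviour described above: an outbound SYN creates a temporary opening, return traffic is permitted only if it matches the reversed session tuple with the expected flags, and when the total half-open (max-incomplete) threshold is exceeded the firewall either resets the oldest half-open sessions down to the low watermark or, if a block-time is configured, refuses new SYNs for that period. The class name, watermark values and the simulated clock are assumptions; the one-minute and per-host thresholds are not modelled.

```python
"""Model of CBAC-style stateful inspection for TCP (added example, not Cisco code)."""
from collections import OrderedDict


class CbacInspector:
    """Tracks outbound TCP sessions and decides whether inbound packets may return."""

    def __init__(self, max_incomplete_high=3, max_incomplete_low=1, block_time=0):
        # Insertion-ordered so the oldest half-open session can be reset first.
        self.sessions = OrderedDict()          # (src, sport, dst, dport) -> state
        self.max_incomplete_high = max_incomplete_high
        self.max_incomplete_low = max_incomplete_low
        self.block_time = block_time           # 0: reset oldest; >0: block SYNs (minutes)
        self.blocking_until = 0                # simulated clock value in minutes
        self.clock = 0                         # simulated clock (assumption)
        self.resets_sent = []                  # sessions torn down to free resources

    def half_open(self):
        """Sessions whose three-way handshake has not completed."""
        return [k for k, s in self.sessions.items() if s == "SYN_SENT"]

    def outbound(self, src, sport, dst, dport, flags):
        """Packet leaving the protected network: create or update the temporary opening."""
        key = (src, sport, dst, dport)
        if "SYN" in flags and "ACK" not in flags:
            if self.block_time and self.clock < self.blocking_until:
                return "DROP (SYN blocked during block-time)"
            self.sessions[key] = "SYN_SENT"
            self.enforce_threshold()
            return "PERMIT"
        if key in self.sessions and self.sessions[key] == "SYN_RCVD" and "ACK" in flags:
            self.sessions[key] = "ESTABLISHED"   # handshake complete
            return "PERMIT"
        return "PERMIT" if key in self.sessions else "DROP"

    def inbound(self, src, sport, dst, dport, flags):
        """Packet arriving from outside: only allowed if it belongs to an existing session."""
        key = (dst, dport, src, sport)          # reverse the tuple to find the originator
        state = self.sessions.get(key)
        if state is None:
            return "DROP (no temporary ACL entry)"
        if state == "SYN_SENT":
            if flags == {"SYN", "ACK"}:
                self.sessions[key] = "SYN_RCVD"
                return "PERMIT"
            return "DROP (unexpected flags for half-open session)"
        return "PERMIT"

    def enforce_threshold(self):
        """Apply the max-incomplete policy when the high watermark is exceeded."""
        if len(self.half_open()) <= self.max_incomplete_high:
            return
        if self.block_time:
            # Block new SYNs for block-time minutes so no handshake consumes resources.
            self.blocking_until = self.clock + self.block_time
            return
        # Reset the oldest half-open sessions until the low watermark is reached.
        while len(self.half_open()) > self.max_incomplete_low:
            oldest = self.half_open()[0]
            del self.sessions[oldest]
            self.resets_sent.append(oldest)
```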

(config)# ip ?
inspect                 Context-based Access Control Engine

(config)# ip inspect ? 
  L2-transparent  Transparent Mode commands
  WAAS            Firewall and Cisco WAE interoperability configuration
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  log             Inspect packet logging
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  redundancy      Redundancy settings for firewall sessions
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows

Question: In addition to the criteria used by extended ACLs, what conditions does CBAC use to filter traffic?
Answer: TCP/UDP source and destination port numbers.

Configure CBAC:
Step 1. Pick an interface - internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.
Step 4. Apply an inspection rule to an interface.

The administrator must define inspection rules to specify which Application Layer protocols to inspect at an interface. 
Router(config)# ip inspect name <inspection_name> protocol_name [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

Example 1
In this example, the IP inspection rule is named FWRULE. FWRULE inspects extended SMTP and FTP with alert and audit trails enabled. FWRULE has an idle timeout of 300 seconds.

ip inspect name FWRULE smtp alert on audit-trail on timeout 300
ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Apply the rule to an interface:
R3(config-if)# ip inspect FWRULE out

To remove CBAC from the router, use the global no ip inspect command:
Router(config)# no ip inspect
CBAC inspection supports two types of logging functions: alerts and audits. 

 - Alerts - display messages concerning CBAC operation, such as insufficient router resources, DoS attacks, and other threats. Alerts are enabled by default and automatically display on the console line of the router. The administrator can globally disable alerts, although it is highly recommended that alerts are left enabled.
Router(config)# ip inspect alert-off
 - Audits - auditing keeps track of the connections that CBAC inspects, including valid and invalid access attempts.
Auditing is disabled by default, but can be enabled with the following command:
Router(config)# ip inspect audit-trail

To view information about CBAC inspections, use the show ip inspect command.
Router# show ip inspect [parameter]

R3#sh ip inspect sessions
Established Sessions
 Session 101208432 (>( SIS_OPEN
For detailed troubleshooting of CBAC, the administrator can use debug commands.
R3#show ip inspect config
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name icmp_telnet_http
    icmp alert is on audit-trail is on timeout 10
    http alert is on audit-trail is on timeout 3600
    telnet alert is on audit-trail is on timeout 3600

R3# show ip inspect interfaces
Interface Configuration
 Interface Serial0/0/1
  Inbound inspection rule is not set
  Outgoing inspection rule is icmp_telnet_http
    icmp alert is on audit-trail is on timeout 10
    http alert is on audit-trail is on timeout 3600
    telnet alert is on audit-trail is on timeout 3600
  Inbound access list is deny_all_outside
  Outgoing access list is not set
Router# debug ip inspect protocol parameter

R3#
*Mar 01, 00:19:22.1919:  %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator ( -- responder (
*Mar 01, 00:19:22.1919: CBAC: Finding pregen session for src_tableid:0, src_addr:, src_port:1035, dst_tableid:0, dst_addr:, dst_port:80
*Mar 01, 00:19:27.1919:  %FW-6-SESS_AUDIT_TRAIL_STOP: Stop http session: initiator ( -- responder (

Zone-Based Policy Firewall
The zone-based policy firewall feature is a replacement for CBAC.

In 2006, Cisco Systems introduced the zone-based policy firewall configuration model with Cisco IOS Release 12.4(6)T.
With this new model, interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones.
A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface.

The zone-based policy firewall (ZPF or ZBF or ZFW) inspection interface supports previous firewall features, including stateful packet inspection, application inspection, URL filtering, and DoS mitigation.
Interfaces are assigned to zones, and an inspection policy is applied to traffic moving between the zones.
Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.  

Firewall policies are configured using the Cisco Common Classification Policy Language (C3PL), which uses a hierarchical structure to define network protocol inspection and allows hosts to be grouped under one inspection policy.
C3PL allows you to create traffic policies based on events, conditions, and actions. SDM uses C3PL to create the policy maps and class maps that the following help topics describe.

By default, traffic is allowed to flow among interfaces that are members of the same zone.

Implementing CBAC is complex and can be overwhelming. Unlike ZPF, CBAC does not utilize any dedicated hierarchical data structures to modularize the implementation.

CBAC has these limitations:
Multiple inspection policies and ACLs on several interfaces on a router make it difficult to correlate the policies for traffic between multiple interfaces.
Policies cannot be tied to a host group or subnet with an ACL. All traffic through a given interface is subject to the same inspection.
The process relies too heavily on ACLs.

Some of the benefits of ZPF include the following:
It is not dependent on ACLs.
The router security posture is to block unless explicitly allowed.
Policies are easy to read and troubleshoot with C3PL.
One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

CBAC and ZPF can be enabled concurrently on a router. However, the two models cannot be combined on a single interface.

Common ZPF designs are LAN-to-Internet firewall, a firewall with public servers, redundant firewalls, and complex firewalls.

The Cisco IOS zone-based policy firewall can take three possible actions when configured using CCP:
 - Inspect - Configures Cisco IOS stateful packet inspection. This action is equivalent to the CBAC ip inspect command. It automatically allows for return traffic and potential ICMP messages. For protocols requiring multiple parallel signaling and data sessions (for example, FTP or H.323), the inspect action also handles the proper establishment of data sessions.
 - Drop - Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
 - Pass - Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic. Pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.

Class maps identify traffic and traffic parameters for policy application based on three criteria:
1) access group
2) protocol
3) subordinate class map

Zone pair rules:
 - Whenever you filter traffic transiting the router, you control it with a zone-pair specifying an inside and an outside zone.
 - The self zone controls traffic sent to the router itself or originated by the router.
 - Unless you specify a zone-pair combining self zone with another zone, all traffic from that zone sent to the router itself is allowed (the router is not protected)
 - To control traffic that the router can send into a zone use a zone-pair from self to another zone. Use inspect in the service-policy to allow the return traffic.
 - To filter the traffic that the router can accept, use a zone-pair from another zone to self. Only the packets accepted by this zone-pair's service-policy will be accepted by the router.

There are several steps for configuring ZPF with the CLI:
Step 1. Create the zones for the firewall with the zone security command.
Router(config)# zone security zone-name
Router(config-sec-zone)# description <line-of-description>
Step 2. Define traffic classes with the class-map type inspect command.
Router(config)# class-map type inspect [match-any | match-all] class-map-name
Router(config)# class-map type inspect protocol-name [match-any | match-all] class-map-name
Router(config-cmap)# match access-group {access-group | name access-group-name}
Router(config-cmap)# match protocol <protocol-name>
Router(config-cmap)# match class-map <class-map-name>   (nested class maps)

The ability to create a hierarchy of classes and policies by nesting is one of the reasons that ZPF is such a powerful approach to creating Cisco IOS firewalls.
Step 3. Specify firewall policies with the policy-map type inspect command.
Router(config)# policy-map type inspect policy-map-name
Router(config-pmap)# class type inspect class-name
Router(config-pmap-c)# pass | inspect | drop [log] | police
Step 4. Apply firewall policies to pairs of source and destination zones using the zone-pair security command.
Router(config)# zone-pair security zone-pair-name [source source-zone-name | self] destination [self | destination-zone-name]
Router(config-sec-zone-pair)# service-policy type inspect policy-map-name
Optionally, a Layer 7 (application) policy can be attached inside a class of the inspect policy map:
Router(config-pmap-c)# service-policy {h323 | http | im | imap | p2p | pop3 | sip | smtp | sunrpc | urlfilter} policy-map
Step 5. Assign router interfaces to zones using the zone-member security interface command.
Router(config-if)# zone-member security <zone-name>
ZPF does not change ACLs.
When using CCP, a zone-based policy firewall is created using the Basic or Advanced Firewall wizards.
CLI and CCP can be used to configure, verify, and troubleshoot ZPF.

Use the show policy-map type inspect zone-pair session command to examine the active connections in the ZPF state table.
Router# show policy-map type inspect zone-pair session
When configuring ZPF with the CLI, there are several factors to consider:
 - Only policy maps defined with type inspect can be used in the zone-pair security command.
 - Only class maps defined with type inspect can be used in policy maps with type inspect.
 - There can be no name overlap with other types of class maps or policy maps. For example, there cannot be a quality-of-service class map and an inspect class map with the same name.
 - A zone must be configured with the zone security global command before it can be used in the zone-member security interface configuration command.
 - An interface cannot belong to multiple zones. To create a union of security zones, specify a new zone and appropriate policy map and zone pairs.
 - The zone-based policy firewall feature is a replacement for CBAC. Remove the ip inspect interface configuration command before applying the zone-member security command.
 - The zone-based policy firewall can coexist with CBAC. The ip inspect command can still be used on interfaces that are not members of security zones.
 - Traffic can never flow between an interface assigned to a zone and an interface without a zone assignment. Applying the zone-member configuration command always results in temporary interruption of service.
 - The default interzone policy is to drop all traffic unless specified otherwise in the zone-pair configuration command.
 - The router never filters the traffic between interfaces in the same zone.
 - The zone-member command does not protect the router itself (traffic to and from the router is not affected) unless zone-pairs are configured using the predefined self zone.

ZPF Example configuration:

R3(config)# zone security IN-ZONE
R3(config)# zone security OUT-ZONE

R3(config)#access-list 101 permit ip any

R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)#match access-group 101

R3(config)#policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)#class type inspect IN-NET-CLASS-MAP
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected

R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP

R3(config)#int FastEthernet 0/1
R3(config-if)#zone-member security IN-ZONE
R3(config)#int S 0/0/1
R3(config-if)#zone-member security OUT-ZONE

1) No sessions
R3#show policy-map type inspect zone-pair sessions
 Zone-pair: IN-ZONE-OUT-ZONE
  Service-policy inspect : IN-2-OUT-PMAP
    Class-map: IN-NET-CLASS-MAP (match-all)
      Match: access-group 101
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes

2) Open Telnet Session
R3#show policy-map type inspect zone-pair sessions
 Zone-pair: IN-ZONE-OUT-ZONE
  Service-policy inspect : IN-2-OUT-PMAP
    Class-map: IN-NET-CLASS-MAP (match-all)
      Match: access-group 101
        Established Sessions
         Session 170052128 (>( :tcp SIS_OPEN
          Created 00:00:17, Last heard  00:00:03
          Bytes sent (initiator:responder) [0:0]
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes

Sample 2
 The firewall will automatically allow HTTP, HTTPS, and FTP traffic from fa0/0 to s0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.

Sample 3
 CCP generated ZPF rules for LOW Security Template (router with 2 interfaces)
1) ZPF Rules info
Note: Do not select the interface through which you accessed Cisco CP as the outside (untrusted) interface. If you do, you will not be able to launch Cisco CP from that interface after you complete the Firewall Wizard.
Inside(trusted) Interfaces:    FastEthernet0/0 (
Outside(untrusted) Interface:    FastEthernet0/1 (

Service Policy Configuration:
In-zone -> Out-zone:    Inspect TCP,UDP,H323,SIP,SCCP and other protocols
                                  Deny packets with invalid ip address as source
Self -> Out-zone:    Inspect router generated ICMP traffic
Out-zone -> Self:    Deny all other traffic.

2) ZPF config
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
access-list 100 permit ip any
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  no drop
 class class-default
  no drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  no drop
 class type inspect ccp-insp-traffic
  no drop
 class type inspect ccp-h323-inspect
  no drop
 class type inspect ccp-h225ras-inspect
  no drop
policy-map type inspect ccp-permit
 class class-default
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
interface FastEthernet0/1
 description $FW_OUTSIDE$
 zone-member security out-zone
interface FastEthernet0/0
 description $FW_INSIDE$
 zone-member security in-zone
ZPF GUI Config from CCP