
Cisco Firewalls

  • Cisco Firewalls
  • Written by author Moraes, Alexandre M. S. P
  • Published by Cisco Press, 6/23/2011
  • Cisco Firewalls: Concepts, design and deployment for Cisco Stateful Firewall solutions. "In this book, Alexandre proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration model

Foreword

Introduction

Chapter 1: Firewalls and Network Security

Security Is a Must. But, Where to Start?

Firewalls and Domains of Trust

Firewall Insertion in the Network Topology

Routed Mode Versus Transparent Mode

Network Address Translation and Port Address Translation

Main Categories of Network Firewalls

Packet Filters

Circuit-Level Proxies

Application-Level Proxies

Stateful Firewalls

The Evolution of Stateful Firewalls

Application Awareness

Identity Awareness

Leveraging the Routing Table for Protection Tasks

Virtual Firewalls and Network Segmentation

What Type of Stateful Firewall?

Firewall Appliances

Router-Based Firewalls

Switch-Based Firewalls

Classic Topologies Using Stateful Firewalls

Stateful Firewalls and Security Design

Stateful Firewalls and VPNs

Stateful Firewalls and Intrusion Prevention

Stateful Firewalls and Specialized Security Appliances

Summary

Chapter 2: Cisco Firewall Families Overview

Overview of ASA Appliances

Positioning of ASA Appliances

Firewall Performance Parameters

Overview of ASA Hardware Models

Overview of the Firewall Services Module

Overview of IOS-Based Integrated Firewalls

Integrated Services Routers

Aggregation Services Routers

Summary

Chapter 3: Configuration Fundamentals

Device Access Using the CLI

Basic ASA Configuration

Basic Configuration for ASA Appliances Other Than 5505

Basic Configuration for the ASA 5505 Appliance

Basic FWSM Configuration

Remote Management Access to ASA and FWSM

Telnet Access

SSH Access

HTTPS Access Using ASDM

IOS Baseline Configuration

Configuring Interfaces on IOS Routers

Remote Management Access to IOS Devices

Remote Access Using Telnet

Remote Access Using SSH

Remote Access Using HTTP and HTTPS

Clock Synchronization Using NTP

Obtaining an IP Address Through the PPPoE Client

DHCP Services

Summary

Further Reading

Chapter 4: Learn the Tools. Know the Firewall

Using Access Control Lists Beyond Packet Filtering

Event Logging

Debug Commands

Flow Accounting and Other Usages of Netflow

Enabling Flow Collection on IOS

Traditional Netflow

Netflow v9 and Flexible Netflow

Enabling NSEL on an ASA Appliance

Performance Monitoring Using ASDM

Correlation Between Graphical Interfaces and CLI

Packet Tracer on ASA

Packet Capture

Embedded Packet Capture on an ASA Appliance

Embedded Packet Capture on IOS

Summary

Chapter 5: Firewalls in the Network Topology

Introduction to IP Routing and Forwarding

Static Routing Overview

Basic Concepts of Routing Protocols

RIP Overview

Configuring and Monitoring RIP

EIGRP Overview

Configuring and Monitoring EIGRP

EIGRP Configuration Fundamentals

Understanding EIGRP Metrics

Redistributing Routes into EIGRP

Generating a Summary EIGRP Route

Limiting Incoming Updates with a Distribute-List

EIGRP QUERY and REPLY Messages

EIGRP Stub Operation

OSPF Overview

Configuring and Monitoring OSPF

OSPF Configuration Fundamentals

OSPF Scenario with Two Areas

Configuring Authentication for Routing Protocols

Bridged Operation

Summary

Chapter 6: Virtualization in the Firewall World

Some Initial Definitions

Starting with the Data Plane: VLANs and VRFs

Virtual LANs

VRFs

VRF-Aware Services

Beyond the Data Plane—Virtual Contexts

Management Access to Virtual Contexts

Allocating Resources to Virtual Contexts

Interconnecting Virtual Elements

Interconnecting VRFs with an External Router

Interconnecting Two Virtual Contexts That Do Not Share Any Interface

Interconnecting Two FWSM Contexts That Share an Interface

Interconnecting Two ASA Contexts That Share an Interface

Issues Associated with Security Contexts

Complete Architecture for Virtualization

Virtualized FWSM and ACE Modules

Segmented Transport

Virtual Machines and the Nexus 1000V

Summary

Chapter 7: Through ASA Without NAT

Types of Access Through ASA-Based Firewalls

Additional Thoughts About Security Levels

Internet Access Firewall Topology

Extranet Topology

Isolating Internal Departments

ICMP Connection Examples

Outbound Ping

Inbound Ping

Windows Traceroute Through ASA

UDP Connection Examples

Outbound IOS Traceroute Through ASA

TCP Connection Examples

ASA Flags Associated with TCP Connections

TCP Sequence Number Randomization

Same Security Access

Handling ACLs and Object-Groups

Summary

Chapter 8: Through ASA Using NAT

Nat-Control Model

Outbound NAT Analysis

Dynamic NAT

Dynamic PAT

Identity NAT

Static NAT

Policy NAT

Static Policy NAT

Dynamic Policy NAT

Dynamic Policy PAT

NAT Exemption

NAT Precedence Rules

Address Publishing for Inbound Access

Publishing with the static Command

Publishing with Port Redirection

Publishing with NAT Exemption

Inbound NAT Analysis

Dynamic PAT for Inbound

Identity NAT for Inbound

NAT Exemption for Inbound

Static NAT for Inbound

Dual NAT

Disabling TCP Sequence Number Randomization

Defining Connection Limits with NAT Rules

Summary

Chapter 9: Classic IOS Firewall Overview

Motivations for CBAC

CBAC Basics

ICMP Connection Examples

UDP Connection Examples

TCP Connection Examples

Handling ACLs and Object-Groups

Using Object-Groups with ACLs

CBAC and Access Control Lists

IOS NAT Review

Static NAT

Dynamic NAT

Policy NAT

Dual NAT

NAT and Flow Accounting

CBAC and NAT

Summary

Chapter 10: IOS Zone Policy Firewall Overview

Motivations for the ZFW

Building Blocks for Zone-Based Firewall Policies

ICMP Connection Examples

UDP Connection Examples

TCP Connection Examples

ZFW and ACLs

ZFW and NAT

ZFW in Transparent Mode

Defining Connection Limits

Inspection of Router Traffic

Intrazone Firewall Policies in IOS 15.X

Summary

Chapter 11: Additional Protection Mechanisms

Antispoofing

Classic Antispoofing Using ACLs

Antispoofing with uRPF on IOS

Antispoofing with uRPF on ASA

TCP Flags Filtering

Filtering on the TTL Value

Handling IP Options

Stateless Filtering of IP Options on IOS

IP Options Drop on IOS

IP Options Drop on ASA

Dealing with IP Fragmentation

Stateless Filtering of IP Fragments in IOS

Virtual Fragment Reassembly on IOS

Virtual Fragment Reassembly on ASA

Flexible Packet Matching

Time-Based ACLs

Time-Based ACLs on ASA

Time-Based ACLs on IOS

Connection Limits on ASA

TCP Normalization on ASA

Threat Detection on ASA

Summary

Further Reading

Chapter 12: Application Inspection

Inspection Capabilities in the Classic IOS Firewall

Application Inspection in the Zone Policy Firewall

DNS Inspection in the Zone Policy Firewall

FTP Inspection in the Zone Policy Firewall

HTTP Inspection in the Zone Policy Firewall

IM Inspection in the Zone Policy Firewall

Overview of ASA Application Inspection

DNS Inspection in ASA

DNS Guard

DNS Doctoring

DNS Inspection Parameters

Some Additional DNS Inspection Capabilities

FTP Inspection in ASA

HTTP Inspection in ASA

Inspection of IM and Tunneling Traffic in ASA

Botnet Traffic Filtering in ASA

Summary

Further Reading

Chapter 13: Inspection of Voice Protocols

Introduction to Voice Terminology

Skinny Protocol

H.323 Framework

H.323 Direct Calls

H.323 Calls Through a Gatekeeper

Session Initiation Protocol (SIP)

MGCP Protocol

Cisco IP Phones and Digital Certificates

Advanced Voice Inspection with ASA TLS-Proxy

Advanced Voice Inspection with ASA Phone-Proxy

Summary

Further Reading

Chapter 14: Identity on Cisco Firewalls

Selecting the Authentication Protocol

ASA User-Level Control with Cut-Through Proxy

Cut-Through Proxy Usage Scenarios

Scenario 1: Simple Cut-Through Proxy (No Authorization)

Scenario 2: Cut-Through Proxy with Downloadable ACEs

Scenario 3: Cut-Through Proxy with Locally Defined ACL

Scenario 4: Cut-Through Proxy with Downloadable ACLs

Scenario 5: HTTP Listener

IOS User-Level Control with Auth-Proxy

Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries

Scenario 2: IOS Auth-Proxy with Downloadable ACLs

Scenario 3: Combining Classic IP Inspection (CBAC) and Auth-Proxy

User-Based Zone Policy Firewall

Establishing user-group Membership Awareness in IOS - Method 1

Establishing user-group Membership Awareness in IOS - Method 2

Integrating Auth-Proxy and the ZFW

Administrative Access Control on IOS

Administrative Access Control on ASA

Summary

Chapter 15: Firewalls and IP Multicast

Review of Multicast Addressing

Overview of Multicast Routing and Forwarding

The Concept of Upstream and Downstream Interfaces

RPF Interfaces and the RPF Check

Multicast Routing with PIM

Enabling PIM on Cisco Routers

PIM-DM Basics

PIM-SM Basics

Finding the Rendezvous Point on PIM-SM Topologies

Inserting ASA in a Multicast Routing Environment

Enabling Multicast Routing in ASA

Stub Multicast Routing in ASA

ASA Acting as a PIM-SM Router

Summary of Multicast Forwarding Rules on ASA

Summary

Further Reading

Chapter 16: Cisco Firewalls and IPv6

Introduction to IPv6

Overview of IPv6 Addressing

IPv6 Header Format

IPv6 Connectivity Basics

Handling IOS IPv6 Access Control Lists

IPv6 Support in the Classic IOS Firewall

IPv6 Support in the Zone Policy Firewall

Handling ASA IPv6 ACLs and Object-Groups

Stateful Inspection of IPv6 in ASA

Establishing Connection Limits

Setting an Upper Bound for Connections Through ASA

IPv6 and Antispoofing

Antispoofing with uRPF on ASA

Antispoofing with uRPF on IOS

IPv6 and Fragmentation

Virtual Fragment Reassembly on ASA

Virtual Fragment Reassembly on IOS

Summary

Further Reading

Chapter 17: Firewall Interactions

Firewalls and Intrusion Prevention Systems

Firewalls and Quality of Service

Firewalls and Private VLANs

Firewalls and Server Load Balancing

Firewalls and Virtual Machines

Protecting Virtual Machines with External Firewalls

Protecting Virtual Machines Using Virtual Firewall Appliances

Firewalls and IPv6 Tunneling Mechanisms

Firewalls and IPsec VPNs

Classic IPsec Site-to-Site for IOS

IPsec Site-to-Site Using a Virtual Tunnel Interface (VTI)

IPsec Site-to-Site Using a GRE Tunnel

NAT in the Middle of an IPsec Tunnel

Post-Decryption Filtering in ASA

Firewalls and SSL VPNs

Clientless Access

Client-Based Access (AnyConnect)

Firewalls and MPLS Networks

Borderless Networks Vision

Summary

Further Reading

Appendix A: NAT and ACL Changes in ASA 8.3

Index

