
Firewalls

Lionel Hunt
Systems Engineer
Global Enterprise Theatre

Branch-WAN 1.0 Solution Overview

2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Firewall Design Criteria & Selection

General Firewall Security Objectives

Private WAN Edge and Branch Edge
- Enforce basic network policy at the WAN edge and at the branch edge
- Control traffic flows in and out
- Control to/from whom, which services, etc.

Branch-WAN 1.0 Firewall Integration Criteria & Selection

[Diagram: Branch connected over the Private WAN to the Private WAN Edge (ASR with QFP)]

Private WAN Edge: firewall integrated in the Unified WAN Services platform
- IOS FW in ASR

Typical Branch Edge: most cost-effective
- IOS FW in ISR

High Performance Branch Edge: NetOps and SecOps administrative domain separation
- ASA 5520 Appliance


Places in the Network

[Diagram: branch, Public WAN and Internet with encrypted secure communications between sites; product placement as listed below]

- Cisco Security Agent and Cisco NAC Appliance: endpoint security, policy and posture
- Cisco Integrated Services Routers
- Cisco ASA Adaptive Security Appliance
- Cisco Intrusion Prevention Systems: detect and mitigate content security threats; targeted attack protection
- Cisco Security Manager and Cisco Security MARS: centralized security management

Integrated
- Multivector protections at all points in the network and at desktop and server endpoints
- Branch infrastructure security that enables an end-to-end architecture

Adaptive
- Anomaly detection with in-production learning
- Network behavioral analysis
- Visibility and mitigation capabilities for blended content-based threats
- Real-time security posture adjustment

Collaborative
- Cross-solution feedback linkages
- Common policy management
- Endpoint posture and security policy enforcement
- Passive and active fingerprinting
- Cisco Security Agent and IPS collaboration

Stateful Inspection Firewalls - Advantages

[Diagram: Internet, firewall and PC/end user; before forwarding, the firewall consults its state table ("Permit traffic? Existing connection?")]

- Examines multiple levels
- Very secure
- Robust logging
- Transparent
- Maintains state
- High performance

Example Flow

Flow (client 10.1.1.9 on the Inside interface to the web server 198.133.219.25 on the Outside interface):
  SRC IP: 10.1.1.9
  DST IP: 198.133.219.25
  SRC Port: 11030
  DST Port: 80
  Protocol: TCP
Interfaces:
  Source: Inside
  Destination: Outside

[Diagram: packet flow through a firewall with several interfaces (Inside, Outside, Engineering, Accounting, DMZ host and other, only partly legible, interface names); client 10.1.1.9, server 198.133.219.25]

With the flow defined, examination of configuration issues boils down to just the two interfaces: Inside and Outside.

Stateful Firewall Packet Flow

1. Packet arrives
2. Check permissions: ACLs / authentication
3. Addressing: NAT / PAT / static
4. Create XLATE object (addressing info)
5. Enter into the connections table (ports + protocol + flags + random sequence number)

Stateful Firewall

- Provides stateful connection security
- Tracks source and destination ports and addresses, TCP sequence numbers and additional TCP flags
- TCP initial sequence numbers are randomized
- Tracks UDP and TCP session state
- A connection allowed out creates the state that lets the return traffic of that session back in (checked against the TCP ACK bit)
- Supports authentication, authorization and syslog accounting

Stateful Firewall Basic Rules

- Allow TCP / UDP from inside
- Permit TCP / UDP return packets
- Drop and log connections from outside
- Drop and log source-routed IP packets
- Deny ICMP packets
- Drop and log all other packets from outside

Firewall Security Levels

[Diagram: firewall with three interfaces: Public Network at security level 0, DMZ at 50, Private Network at 100]

  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security50

The Default Rules

Default actions between the security levels (Public Network 0, DMZ 50, Private Network 100):
- Higher to lower: PERMIT
- Lower to higher: DENY
- Between same: DENY

Only 3 Ways through the Firewall

[Diagram: Public Network on the outside interface, Private Network on the inside interface]

1: inside to outside (limit with an ACL)
2: access list (outside to inside)
3: user authentication (AAA)

NAT


NAT Example

[Diagram: inside host 10.0.1.3 reaching 200.200.200.10 port 23 through the firewall; the Internet sees the translated source address]

Inside (before translation):
  Source Addr   Destination Addr   Source Port   Destination Port
  10.0.1.3      200.200.200.10     (not shown)   23

Outside (after translation):
  Source Addr   Destination Addr   Destination Port
  192.168.1.10  200.200.200.10     23

Translation table:
  Inside Local IP Address   Global IP Pool
  10.0.1.3                  192.168.1.10
  10.0.1.4                  192.168.1.254
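The packet-flow steps, the stateful basic rules, the security-level defaults, the three ways through the firewall and the NAT example above, put together in one small Python model. This is an added example for this page, not Cisco code and not the behaviour of any particular ASA/PIX release. The example flow reuses the addresses on the slides (10.1.1.9:11030 to 198.133.219.25:80, mapped to the pool address 192.168.1.10); the interface names, the outside host 203.0.113.7, the DMZ server 172.16.1.10 with mapped address 192.168.1.254, the pool and the route map are constructed. Return traffic is admitted only when it matches the reversed entry in the connection table and, for TCP, carries the ACK bit; lower-to-higher traffic needs both an ACL entry and a static translation for the mapped address.

```python
"""Toy model of the stateful firewall on the preceding slides: security levels and their
default actions, the ACL exception for lower-to-higher traffic, NAT xlate objects and a
connection table that only admits return traffic of sessions it opened. Added example for
this page, not Cisco code; all addresses, names, the pool and the routes are constructed."""
import secrets
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple

ConnKey = Tuple[str, str, int, int, str]   # src, dst, sport, dport, proto as seen post-NAT

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp", "udp" or "icmp"
    in_iface: str       # nameif of the arrival interface
    ack: bool = False   # TCP ACK bit

@dataclass
class Firewall:
    levels: Dict[str, int]      # nameif -> security level
    routes: Dict[str, str]      # address prefix -> egress nameif ("" is the default route)
    acl_permits: set            # (in_iface, mapped dst, dport, proto) opened lower-to-higher
    nat_pool: List[str]         # global addresses handed out to inside hosts
    static_xlate: Dict[str, str] = field(default_factory=dict)  # global -> local (servers)
    xlate: Dict[str, str] = field(default_factory=dict)         # local -> global (dynamic)
    conns: Dict[ConnKey, int] = field(default_factory=dict)     # key -> randomized ISN
    log: List[str] = field(default_factory=list)

    def _to_global(self, ip: str) -> str:
        return self.xlate.get(ip) or next((g for g, l in self.static_xlate.items() if l == ip), ip)

    def _to_local(self, ip: str) -> str:
        return self.static_xlate.get(ip) or next((l for l, g in self.xlate.items() if g == ip), ip)

    def _egress(self, ip: str) -> str:
        return self.routes[max((p for p in self.routes if ip.startswith(p)), key=len)]

    def _drop(self, why: str, pkt: Packet):
        self.log.append(f"deny {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_ip}:{pkt.dst_port} on {pkt.in_iface}: {why}")
        return "deny", why, None

    def process(self, pkt: Packet):
        """Return (action, reason, forwarded packet or None) for one arriving packet."""
        # Step 1: is the packet part of a connection already in the table?
        gsrc, gdst = self._to_global(pkt.src_ip), self._to_global(pkt.dst_ip)
        fwd_key = (gsrc, gdst, pkt.src_port, pkt.dst_port, pkt.proto)
        rev_key = (gdst, gsrc, pkt.dst_port, pkt.src_port, pkt.proto)
        if fwd_key in self.conns or rev_key in self.conns:
            if rev_key in self.conns and pkt.proto == "tcp" and not pkt.ack:
                return self._drop("return packet without ACK", pkt)
            return "permit", "existing connection", replace(pkt, src_ip=gsrc, dst_ip=self._to_local(pkt.dst_ip))
        # Step 2: new connection, so apply the default rules by security level.
        if pkt.proto == "icmp":
            return self._drop("icmp denied by default", pkt)
        out_iface = self._egress(self._to_local(pkt.dst_ip))
        if self.levels[pkt.in_iface] > self.levels[out_iface]:
            # Higher to lower is permitted; steps 3-4: create a dynamic xlate from the pool.
            if gsrc == pkt.src_ip:
                gsrc = self.nat_pool.pop(0)
                self.xlate[pkt.src_ip] = gsrc
            fwd = replace(pkt, src_ip=gsrc)
        else:
            # Lower to higher (and same level) is denied unless an ACL entry *and* a
            # static translation for the mapped destination both exist.
            if (pkt.in_iface, pkt.dst_ip, pkt.dst_port, pkt.proto) not in self.acl_permits:
                return self._drop("no ACL entry for lower-to-higher traffic", pkt)
            if pkt.dst_ip not in self.static_xlate:
                return self._drop("no static translation for destination", pkt)
            fwd = replace(pkt, dst_ip=self.static_xlate[pkt.dst_ip])
        # Step 5: enter the connection table with a randomized initial sequence number.
        self.conns[(fwd.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)] = secrets.randbelow(2 ** 32)
        return "permit", "new connection", fwd

def demo() -> dict:
    """Replays the slides' example flow plus the cases the basic rules call out."""
    fw = Firewall(
        levels={"outside": 0, "dmz": 50, "inside": 100},
        routes={"10.": "inside", "172.16.": "dmz", "": "outside"},
        acl_permits={("outside", "192.168.1.254", 80, "tcp")},   # way 2: ACL outside -> dmz web
        nat_pool=["192.168.1.10", "192.168.1.11"],
        static_xlate={"192.168.1.254": "172.16.1.10"},            # mapped address of the dmz web server
    )
    r = {}
    act, _, fwd = fw.process(Packet("10.1.1.9", "198.133.219.25", 11030, 80, "tcp", "inside"))
    r["outbound"] = (act, fwd.src_ip)        # way 1: permitted, source rewritten to a pool address
    act, _, fwd = fw.process(Packet("198.133.219.25", "192.168.1.10", 80, 11030, "tcp", "outside", ack=True))
    r["return"] = (act, fwd.dst_ip)          # reply matches the table and is untranslated
    r["return_no_ack"] = fw.process(Packet("198.133.219.25", "192.168.1.10", 80, 11030, "tcp", "outside"))[0]
    r["unsolicited"] = fw.process(Packet("203.0.113.7", "192.168.1.10", 40000, 23, "tcp", "outside"))[0]
    act, _, fwd = fw.process(Packet("203.0.113.7", "192.168.1.254", 40001, 80, "tcp", "outside"))
    r["dmz_http"] = (act, fwd.dst_ip)        # ACL + static xlate: forwarded to the real server
    act, _, fwd = fw.process(Packet("172.16.1.10", "203.0.113.7", 80, 40001, "tcp", "dmz", ack=True))
    r["dmz_reply"] = (act, fwd.src_ip)       # leaves with the mapped address
    r["icmp"] = fw.process(Packet("10.1.1.9", "198.133.219.25", 0, 0, "icmp", "inside"))[0]
    r["dropped_and_logged"] = len(fw.log)
    return r
```

Calling demo() walks the cases in order: the outbound web request, its reply, a spoofed reply without ACK, an unsolicited telnet attempt against the pool address, the ACL-permitted HTTP to the DMZ server and its reply, and an ICMP packet; fw.log holds one "deny" line per dropped packet, which is what the "drop and log" rules promise.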

IOS Firewall


Zone-Based Policy Firewall (ZFW)

- Introduced in Cisco IOS 12.4(6)T
- ZFW is the strategic solution going forward
- Interfaces are assigned to zones, and inter-zone policies control access between zones
- Similar in concept to security levels on ASA/PIX
- Uses the Class-Based Policy Language (CPL)

Cisco Classic Firewall (CBAC)

- Introduced in Cisco IOS 12.0
- Cisco IOS Software Classic Firewall will be maintained in the future but will not be significantly enhanced with new features

Zone-Based Policy Firewall (ZFW)

Features
- Combines features of ACLs, CBAC and NBAR into one policy
- Additional protocol support for deep packet inspection, e.g. IM, IMAP and P2P applications
- More actions: inspect, drop, pass and police
- The inspect action allows TCP Intercept-like functionality, e.g. maximum session limits, idle times, flood protection
- Traffic to or initiated from the router is allowed by default
- Traffic between zones is denied by default

Zone-Based Policy Firewall (ZFW)

Sample Config: Basic Setup, 2 interfaces

! The parameter-map referenced by "inspect my-parameters" was not shown on the
! slide; this definition is added so the policy applies, with illustrative values.
parameter-map type inspect my-parameters
 audit-trail on
 tcp idle-time 1800
!
class-map type inspect match-any private-allowed-class
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all http-class
 match protocol http
!
policy-map type inspect private-allowed-policy
 class type inspect http-class
  inspect my-parameters
 class type inspect private-allowed-class
  inspect
 class class-default
  drop
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect private-allowed-policy
!
interface fastethernet 0
 zone-member security public
!
interface vlan 1
 zone-member security private

The more specific http-class is listed first because classes in an inspect policy-map are evaluated in order and the first match wins; private-allowed-class would otherwise also match HTTP. Only the private-to-public zone pair has a policy, so public-to-private traffic is dropped by default.
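How ZFW evaluates a flow against the zone-pair policy in the sample configuration above, as an added Python example that is not part of the slides or of Cisco IOS: interfaces belong to zones, the policy-map's classes are tried in configured order, the actions are inspect, pass and drop (police is left out), traffic between zones without a zone-pair is denied, traffic to or from the router's own self zone is allowed by default, and the inspect action enforces a session limit of the kind the features slide attributes to the parameter-map. The p2p-class with the bittorrent/edonkey protocol names, the limit of two sessions for my-parameters and the sample flows are constructed for the demonstration.

```python
"""Toy evaluator for the Zone-Based Policy Firewall semantics on the preceding slides.
Added example for this page, not Cisco code; the p2p class, the session limit and the
flows are constructed, the remaining classes mirror the sample configuration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone of the ingress interface; "self" is the router itself
    dst_zone: str
    app: str        # application protocol as the inspection engine identifies it
    l4: str         # "tcp", "udp" or "icmp"

@dataclass
class ClassMap:
    """class-map type inspect match-any|match-all with its 'match protocol' lines."""
    name: str
    match_any: bool
    protocols: List[str]

    def matches(self, flow: Flow) -> bool:
        hits = [p in (flow.app, flow.l4) for p in self.protocols]
        return any(hits) if self.match_any else all(hits)

@dataclass
class ClassEntry:
    """One 'class type inspect ...' entry of the policy-map and its action."""
    class_map: Optional[ClassMap]           # None stands for class class-default
    action: str                             # "inspect", "pass" or "drop"
    sessions_maximum: Optional[int] = None  # parameter-map 'sessions maximum' (inspect only)

@dataclass
class ZoneFirewall:
    zone_pairs: Dict[Tuple[str, str], List[ClassEntry]] = field(default_factory=dict)
    sessions: Dict[str, int] = field(default_factory=dict)   # class-map name -> open sessions
    log: List[str] = field(default_factory=list)

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        """Return (action, reason) for a new flow between two zones."""
        pair = (flow.src_zone, flow.dst_zone)
        if flow.src_zone == flow.dst_zone:
            return "pass", "same zone"
        if "self" in pair and pair not in self.zone_pairs:
            return "pass", "traffic to or from the router is allowed by default"
        policy = self.zone_pairs.get(pair)
        if policy is None:
            self.log.append(f"drop {flow}: no zone-pair")
            return "drop", "inter-zone traffic is denied by default"
        for entry in policy:                      # first matching class wins
            if entry.class_map is not None and not entry.class_map.matches(flow):
                continue
            name = entry.class_map.name if entry.class_map else "class-default"
            if entry.action == "inspect":
                limit = entry.sessions_maximum
                if limit is not None and self.sessions.get(name, 0) >= limit:
                    self.log.append(f"drop {flow}: {name} sessions maximum")
                    return "drop", f"{name}: sessions maximum {limit} reached"
                self.sessions[name] = self.sessions.get(name, 0) + 1
            elif entry.action == "drop":
                self.log.append(f"drop {flow}: {name}")
            return entry.action, name
        self.log.append(f"drop {flow}: class-default")
        return "drop", "class-default"            # implicit class-default drop

def slide_policy() -> ZoneFirewall:
    """The sample configuration's priv-pub zone pair, with a constructed p2p drop class in front."""
    http_class = ClassMap("http-class", match_any=False, protocols=["http"])
    allowed = ClassMap("private-allowed-class", match_any=True, protocols=["tcp", "udp", "icmp"])
    p2p = ClassMap("p2p-class", match_any=True, protocols=["bittorrent", "edonkey"])  # constructed
    fw = ZoneFirewall()
    fw.zone_pairs[("private", "public")] = [
        ClassEntry(p2p, "drop"),
        ClassEntry(http_class, "inspect", sessions_maximum=2),  # my-parameters: sessions maximum 2
        ClassEntry(allowed, "inspect"),
    ]
    return fw

def demo() -> dict:
    fw = slide_policy()
    r = {}
    r["http1"] = fw.evaluate(Flow("private", "public", "http", "tcp"))
    r["http2"] = fw.evaluate(Flow("private", "public", "http", "tcp"))
    r["http3"] = fw.evaluate(Flow("private", "public", "http", "tcp"))[0]   # third session exceeds the limit
    r["dns"] = fw.evaluate(Flow("private", "public", "dns", "udp"))
    r["p2p"] = fw.evaluate(Flow("private", "public", "bittorrent", "tcp"))  # would match tcp, but p2p is first
    r["inbound"] = fw.evaluate(Flow("public", "private", "http", "tcp"))[0]
    r["to_router"] = fw.evaluate(Flow("public", "self", "isakmp", "udp"))[0]
    r["intra_zone"] = fw.evaluate(Flow("private", "private", "smb", "tcp"))[0]
    r["logged"] = len(fw.log)
    return r
```

The ordering point is the one that bites in practice: because private-allowed-class matches any TCP, a drop class for P2P applications must precede it, exactly as http-class precedes it on the slide; and the absence of a public-to-private zone pair, not any explicit rule, is what keeps inbound connections out.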

IOS ZBFW Design: Typical Branch

[Diagram: zone-pair policy matrix for the typical branch with the zones WAN, VPN, Infrastructure and Clients; each source-to-destination zone pair is marked Permit or Deny. Topology: branch router with an Internet WAN zone and a Private WAN, a VPN zone, an Infrastructure zone and a Client zone.]

No CSM support for ZBFW planned till 3.3

IOS ZBFW Design: Private WAN Edge

[Diagram: zone-pair policy matrix for the Private WAN Edge with the zones WAN, VPN and WAN Edge; each source-to-destination zone pair is marked Permit or Deny. Topology: Private WAN Edge (ASR, QFP) connected to Private WAN SP1 and SP2, with a VPN zone, a WAN Edge zone and a WAN zone.]

Cut-through Proxy


Cut-Through Proxy Operation

1. User makes a request to an IS resource
2. Firewall intercepts the connection
3. Firewall prompts the user for username and password, authenticates the user and checks the security policy on a RADIUS or TACACS+ server (Cisco Secure)
4. Firewall initiates the connection from the firewall to the destination IS resource
5. Firewall directly connects the internal/external user to the IS resource

[Diagram: internal/external user, PIX Firewall, Cisco Secure AAA server and IS resource; the browser shows a "Username and Password Required" dialog ("Enter username for CCO at www.com") with the example credentials student / 123@456]

- Authenticates once at the application layer (OSI Layer 7) for each supported service
- Connection is passed back to the firewall engine, while maintaining session state
- 100% transparent
- No proxy configuration required

User Authentication: Cut-Through Proxy

Addressing and ACL must exist!

- FTP, HTTP and Telnet can be proxied
- Other ports can be authorised after authentication
- Watch out: timeout for authorisation! Other connections will be cut after the primary one has timed out