david7eagle
Member
Posts:
160
Joined:
Fri Sep 24, 2010 4:13 pm
Certs:
A+, Security+, MCP, CCENT, CCNA, and CCNA Security

Chapter 10 - Additional Notes/Questions

Thu Aug 18, 2011 11:47 am

The first half of Chapter 10 is a slam dunk description of firewall technologies, their characteristics, and applications, as well as a review of ACLs. In quick review:

Five Types of Firewalls: transparent, static, circuit-level, application layer, and dynamic.

Characteristics:
Transparent Firewalls:
• Layer 2 stealth firewall
• Two interfaces, each in a separate vlan
• Packets are bridged, addressing is performed using MAC lookups

Static Packet Filtering Firewall:
• 1st generation operates at layer 3, aware of layer 4.
• Filters based on rules that check information in the layer 3 and 4 headers
• Implemented in ACLs
• Severely limited by the fact that it does not examine end-to-end connections

Circuit-level firewall
• 2nd generation firewall; validates that a packet is part of a valid virtual circuit between two peers.

Application Layer Firewall
• 3rd generation firewall operating at layers 3-5 and 7
• Application layer filtering validates state and formatting information
• Proxy can filter and act on behalf of client
• Provides individual authentication, spoofing protection, data validation, and advanced logging

Dynamic Stateful Packet-Filtering Firewall:
• 4th generation firewall operating at layer 3-5
• Keeps track of connections in a state table. Packets matching the characteristics in the state table are permitted.
• Dynamically creates rules that apply to connection sessions.
• Provides primary, intelligent, strong, and fast filtering solution with spoofing and DoS protection.
• Limited by the fact that there is no upper layer filtering, not all protocols are Stateful, applications that create multiple connections cannot be tracked, and there is no native user authentication.

ACL Quick Review:
• Turbo ACLs: access-list compiled is used to compile turbo ACLs
• ACLs should be created to prevent spoofing by blocking outbound traffic with source addresses other than valid subnets and inbound traffic with internal source addresses.

Other basics of ACLs such as ranges for standard (1-99, 1300-1999) and extended (200-299, 2000-2699), placement (standard- close to destination, extended – close to source), syntax and filtering fields were well learned in CCNA.

Now to the part I have questions about. Correct me if I am wrong in any of the below.

SPI was implemented as a feature of Context-Based Access Control (CBAC). CBAC has evolved over the years and Cisco has added additional features such as more protocol inspection and application filtering.

When packets flow through a device running CBAC SPI and ACLs, the packet must first pass through any outbound ACLs before being examined by the SPI. If allowed through, the SPI will record the connection information in the state table. The SPI will also add a dynamic entry at the top of the inbound ACL on the outside interface to allow return traffic. Once the connection is finished, this dynamic entry is removed.

Zone Based Firewalls: Cisco IOS 12.4(6) introduces Zone-Based Firewall Configuration. Zone-Based firewalls incorporate Stateful and application inspection with VPN aware handling, URL filtering and DoS protection.

ZFW works with security zones that contain interfaces that belong to zones. Policies are applied between zones. Additional characteristics:
• Zones must be configured before interfaces can be assigned; interfaces may only be applied to one zone.
• Inter zone traffic is allowed by default while extra zone traffic is denied by default
• In order to allow traffic, a policy must be created and applied between two zones.
• Traffic to the Self Zone is allowed by default. Any traffic to a router interface is permitted until explicitly denied.
• All interfaces must be part of a zone for traffic to flow on all router interfaces. Traffic will not flow between zone and non zone members; non zone member interfaces will retain their previous CBAC configurations.

By default zone traffic will flow under three circumstances:
• Traffic between interfaces on the same router
• Traffic in the same zone
• Traffic originating from or going directly to a router interface's address that is part of a zone (Self Zone).

Defining Zones: The zone security name command is used to define a zone.

Zone Pairs: The zone-pair security command is used to define the interaction between two different zones. The direction of traffic is specified by defining the source and destination zone.

Security Zone Firewall Policies:
• Class map: Defines the traffic that will be acted upon. Created with the class-map command.
• Policy map: Defines the action to be taken on traffic identified in a class
• Parameter map: Defines additional parameters that may be matched, including URL and protocol-specific parameters.

Verifying:
• show zone security
• show zone-pair security
• show policy-map type inspect

--
Chapter 11 to follow within several hours
Last edited by david7eagle on Thu Aug 18, 2011 12:21 pm, edited 1 time in total.
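The anti-spoofing ACL rule from the notes above, as an added Cisco IOS example that is not part of the original post. The internal subnet 192.0.2.0/24, the interface names and the ACL names are assumed placeholders; extended named ACLs are used so the filter can match on source address in either direction.

```cisco
! Added example (not from the original post). 192.0.2.0/24 is the assumed
! internal subnet; interface names and ACL names are placeholders.
!
! Applied inbound on the OUTSIDE interface: packets arriving from the
! Internet must never carry an internal source address (spoofed inbound).
ip access-list extended ANTISPOOF-IN
 deny   ip 192.0.2.0 0.0.0.255 any log
 permit ip any any
!
! Applied inbound on the INSIDE interface (traffic leaving the LAN): only
! packets sourced from the valid internal subnet may go out (spoofed outbound).
ip access-list extended ANTISPOOF-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Outside link
 ip access-group ANTISPOOF-IN in
!
interface GigabitEthernet0/0
 description Inside LAN
 ip access-group ANTISPOOF-OUT in
!
! Verify: hit counts on the deny lines reveal spoofing attempts.
show ip access-lists ANTISPOOF-IN
show ip access-lists ANTISPOOF-OUT
```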
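The zone-based firewall steps listed in the notes (zones, class map, policy map, zone pair, interface membership, verification), walked through as an added Cisco IOS configuration that is not from the original post. Zone names, policy names, interface names and addresses are assumed placeholders.

```cisco
! Added example (not from the original post). Zone, class-map and policy-map
! names, interface names and addresses are assumed placeholders.
!
! 1. Zones must exist before an interface can be assigned to one.
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted Internet
!
! 2. Class map: defines the traffic the policy will act on.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 3. Policy map: stateful inspection of the classified traffic; the
!    class-default drop keeps everything else denied (and logged).
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! 4. Zone pair: source and destination fix the direction. Return traffic
!    is matched against the state table, so no OUTSIDE->INSIDE pair is
!    needed for sessions started from INSIDE.
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! 5. Interface membership: each interface may belong to only one zone.
interface GigabitEthernet0/0
 description Inside LAN
 ip address 192.0.2.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Outside link
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
! 6. Verify zones, pairs and the active inspect sessions.
show zone security
show zone-pair security
show policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE sessions
```

With no OUTSIDE-to-INSIDE zone pair, unsolicited traffic from OUTSIDE is dropped by the default inter-zone deny, while traffic to the router's own addresses still passes under the Self Zone default described above.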

ristau5741
Post Whore
Posts:
10618
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: Chapter 10 - Additional Notes/Questions

Thu Aug 18, 2011 12:16 pm

david7eagle wrote:
Four Types of Firewalls: transparent, static, circuit-level, application layer, and dynamic.
there are 5 in your list....

david7eagle
Member
Posts:
160
Joined:
Fri Sep 24, 2010 4:13 pm
Certs:
A+, Security+, MCP, CCENT, CCNA, and CCNA Security

Re: Chapter 10 - Additional Notes/Questions

Thu Aug 18, 2011 12:20 pm

ristau5741 wrote:
david7eagle wrote:
Four Types of Firewalls: transparent, static, circuit-level, application layer, and dynamic.
there are 5 in your list....

You are right. I am considering a transparent firewall as a separate device. I'll correct the numbering, however.

david7eagle
Member
Posts:
160
Joined:
Fri Sep 24, 2010 4:13 pm
Certs:
A+, Security+, MCP, CCENT, CCNA, and CCNA Security

Re: Chapter 10 - Additional Notes/Questions

Thu Aug 18, 2011 3:23 pm

Quick correction: as you know, the initial range for extended access lists is 100-199.

