Home > Articles > Cisco Network Technology > General Networking > Network Security First-Step: Firewalls

Network Security First-Step: Firewalls

  • Sample Chapter is provided courtesy of Cisco Press.
  • Date: Feb 8, 2012.

Chapter Description

This chapter dissects a firewall’s duties to understand what makes a firewall operate and how it does its job.

From the Book

Network Security First-Step

Network Security First-Step, 2nd Edition

$29.59 (Save 20%)

Case Studies

This chapter presented several interesting aspects of how firewalls operate and how they can be deployed in networks. The introduction of this information needs to be reinforced with some real-world case studies that provide some answers to questions you might still have and clarify the important aspects of what has already been covered.

Case Study: To DMZ or Not to DMZ?

Carpathian Corporation has grown and is in need of increased security and additional capacity in the form of a new firewall; this time it wants to use a dedicated DMZ. If the Carpathian Corporation wants to continue with its proposed plan for self-hosting, it needs to consider the security-related issues relevant to the suggested DMZ solution. It is taking the right steps by asking what security ramifications should be addressed prior to making the purchase. The Carpathian IT staff needs to take a good look at the risk factors involved with providing for its own Internet services (web servers) and where the pitfalls might occur:

  • Question/Security Issue #1: Can Internet traffic travel to servers on the private network, or is there another solution?

    Answer: The web and mail servers will be attached to the DMZ segment. They will not be dual homed or have conflicts of security in its implementation because they will be physically separated from inside hosts.

  • Question/Security Issue #2: How can the IT staff ensure that inbound network traffic will stay confined to the segment containing the web and mail servers?

    Answer: The DMZ interface rule set will not allow external traffic to reach the private network, by nature of configured connectivity rules. This will keep the inbound Internet traffic confined to the DMZ segment only.

  • Question/Security Issue #3: What measures can be taken to hide the private network from the inbound network traffic?

    Answer: The DMZ interface will not have routes or dual-homed NIC cards that would normally enable this to occur.

The Carpathian IT staff is in the “If we self-host, we must use a DMZ” frame of mind. This frame of mind is correct, and that should be obvious at this point: Use a firewall with a DMZ interface—always!! A DMZ is another layer of security and defense for your network, as shown in Figure 7-4.

Figure 7-4

Figure 7-4 Firewall Deployment with Web Server in a DMZ

Cisco lists a variety of configuration settings when viewing their devices’ configuration files. Example 7-2 shows several configuration files for clarity purposes. To illustrate the case study, comments are made surrounding key configuration entries; however, not every command is discussed because that is beyond the scope of this book. You can find additional information at Cisco.com.

Example 7-2 Firewall with Self-Hosted Internal Web Server (No DMZ)

Cyberwall(config)# sh run

: Saved

ASA Version 8.5

!

hostname CyberWall

domain-name CarpathianCorp.com

enable password <ChangeMe> encrypted

passwd <ChangeMe> encrypted

names

!

!

interface Vlan1

 description SECURE INSIDE LAN [do not change]

 nameif INSIDE

 security-level 100

 ip address 192.168.0.1 255.255.255.0

!

interface Vlan2

 description OUTSIDE UPLINK TO SERVICE PROVIDER [do not change]

nameif OUTSIDE

 security-level 0

 ip address 209.164.3.2 255.255.255.0

!

interface Vlan3

 description DMZ INTERFACE FOR INTERNET FACING SERVERS [alter with care]

nameif DMZ

 security-level 50

 ip address 10.10.10.1 255.255.255.0

!

!--- These commands name and set the security level for each vlan or interface, the

ASA 5505 uses vlans to assign inside and outside whereas all other models have

physical interfaces. Through these commands, the firewall knows which interface is

considered untrusted (outside), trusted (inside) and DMZ. Notice the numeric values in

this configuration example. Here we have the least secure interface outside assigned a

security value of 0, as it should be. The inside interface is considered secure, so it

has a value of 100, with the DMZ being somewhere in between at 50.

!

interface Ethernet0/0

 description OUTSIDE INTERFACE [do not change]

 switchport access vlan 2

!

interface Ethernet0/1

 description INTERFACE FOR THE DMZ WEB SERVER [do not change]

 switchport access vlan 3

!

interface Ethernet0/2

 description RESERVED FOR INTERNAL HOST [alter with care]

!

interface Ethernet0/3

 description RESERVED FOR INTERNAL HOST [alter with care]

!

interface Ethernet0/4

 description RESERVED FOR INTERNAL HOST [alter with care]

!

interface Ethernet0/5

 description RESERVED FOR INTERNAL HOST [alter with care]

!

interface Ethernet0/6

 description RESERVED FOR INTERNAL HOST [alter with care]

!

interface Ethernet0/7

 description RESERVED FOR INTERNAL HOST [alter with care]

!

!--- An access list is created called "OUTSIDE" allowing WWW (http) traffic from

anywhere on the Internet to the host at 10.10.10.212 (the web servers REAL IP address

on the DMZ). Add additional lines to this access list as required if there is a email

or DNS Server. This is the first step in creating a rule set that permits traffic into

our network if it is destined for a specific IP Address.

!

access-list OUTSIDE extended permit tcp any host 10.10.10.212 eq www

!

! --- For purposes of this example we are not going to add anything else. Any

additional entries needing to be placed in the access list must be specified here. If

the server in question is not WWW, replace the occurrences of WWW with SMTP, DNS,

POP3, or whatever else might be required, like the ability to ping the server from the

Internet.

!

logging enable

logging timestamp

!

<<<output omitted for brevity>>>

!

! --- The following NAT commands specify that any traffic originating inside from the

ASA on the 192.168.0.0 /24 network will be NAT'd (via PAT because of the dynamic

interface command) to the ASAs public IP address that is assigned to the OUTSIDE

interface.

!

! --- The ASA NAT rules changed completely the new way is to define the subnets you

wish to NAT using object groups, the next four lines we have defined them as needed

for the INSIDE corporate as well as the DMZ.

!

object network OBJ_NAT_CORP

 description inside "corporate" subnet that must have internet access

 subnet 192.168.0.0 255.255.255.0

!

object network OBJ_NAT_DMZ

 description DMZ subnet that must have internet access

 subnet 10.10.10.0 255.255.255.0

!

! --- Once the subnets are defined in an object group we assign the type of NAT we

wish to perform as well as the direction. In the following examples we are permitting

the INSIDE and DMZ subnets to access the Internet using PAT via the ASAs outside

interface IP Address for both. This is shown in the command NAT (source interface,

destination interface) dynamic interface. The dynamic keyword means PAT to the ASA.

One of my favorite ways to check if this is working after configuring it open a web

browser and go to www.ipchicken.com this website will tell you the public IP Address

you are coming which should be the ASAs outside IP Address. Yes I know it's a goofy

name but that's what makes it easy to remember plus it makes people smile when you

tell them it.

!

object network OBJ_NAT_CORP

 nat (INSIDE,OUTSIDE) dynamic interface

!

object network OBJ_NAT_DMZ

 nat (DMZ,OUTSIDE) dynamic interface

!

! --- The last remaining NAT we must perform is for the Internet accessible Web server that is on our DMZ.
Once again we create an object group but this time we specify a single host, which is the real IP address of
 the web server.

!

object network OBJ_NAT_WEBSERVER

 description real ip address assigned on the web servers nic card

 host 10.10.10.212

!

! --- Now that the object group is created identifying the servers real IP Address we assign a NAT in the same
format as we previously did with the difference being after the direction (inside,outside) we define this as
a STATIC NAT and give the public IP Address to use. In practice what will happen is as packets
reach the ASA if they pass the access-list the ASA will check what their destination IP Address is.
Should the destination address be 209.164.3.5 (web server public IP Address) the ASA will NAT those
packets to the real IP Address of the server of 10.10.10.212 and forward them to the server on the DMZ.

!

object network OBJ_NAT_WEBSERVER

 nat (INSIDE,OUTSIDE) static 209.164.3.5

!

!

access-group OUTSIDE in interface outside

!

! --- There is only one access list allowed per interface per direction (for example,

inbound from the Internet on the outside interface) as we have shown here.

!

route outside 0.0.0.0 0.0.0.0 209.164.3.1

!

!--- Set the default route to be via the WAN routers Ethernet interface

!

<<<output omitted for brevity>>>

!

dhcpd dns 192.168.0.10 192.168.0.11

dhcpd domain mydomain.com

dhcpd address 192.168.0.2-192.168.0.125 inside

dhcpd enable inside

!

<<<output omitted for brevity>>>

!

! --- The last major functionality of an ASA show in its configuration is that of the

"inspects". Generally an inspect statement in the following section represents a

protocol that the ASA will be taking extra steps on the packets the statement

represents. For example many attacks are based on altering DNS replies so the ASA has

been configured to inspect DNS packets to help protect your network. Two inspects that

might be of importance to you are "inspect esmtp" and "inspect sip", depending on your

email server configuration and version the presence of esmtp may cause user issues

with emails, try removing it if this occurs. Regarding SIP when NATing a SIP

connection to an internal voice gateway you will want this statement as it provides

functionality that enables NAT to be done correctly and SIP to work, gotcha is it

depends on the provider. Inspects are very helpful and can be adjusted to offer very

granular security, please see www.cisco.com for more information.

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

!

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:88251e3c18c7d99dfa33f70b90228b63

: end

Cyberwall(config)#
7. Firewall Limitations | Next Section Previous Section

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020