1. Firewall Basics
A firewall is a device that connects two or more networks together and restricts the flow of information between those networks according to the rules configured in the firewall rule base.
Three types of firewall technology are in use:
· Packet Filtering
· Proxy Server
· Stateful Packet Filtering
2. Interfaces and security levels
Each physical or logical (VLAN sub-interface, supported from version 6.3) interface has a security level assigned.
Two interfaces are present by default on every system and cannot be renamed:
· Outside interface: always defined as interface no. 0 (i.e. ethernet0) and assigned security level 0 (the least secure).
· Inside interface: always defined as interface no. 1 (i.e. ethernet1) and assigned security level 100 (the most secure).
Other interfaces can be defined and named as desired and must have a security level between 1 and 99.
3. Naming convention
Outbound data flow: initiated from a higher-security interface toward a lower-security interface.
Inbound data flow: initiated from a lower-security interface toward a higher-security interface.
The inbound and outbound concepts are used in the logging messages generated by the firewall.
4. Default security mechanism
By default the PIX firewall allows any session or data flow to pass from a higher-security interface to a lower-security interface without restriction. This behaviour is no longer acceptable in today's threat environment, where an already compromised host may initiate outbound sessions and infect other hosts. It is strongly recommended to disable it by applying an access-list on every interface that defines the legitimate traffic and drops everything else (once an access-list is applied to an interface, the implicit deny at its end replaces the default permit).
5. Defining and enforcing the security policy
The default security policy ensures that packets originating from higher-security interfaces are allowed to flow out through lower-security interfaces, and that packets originating from lower-security interfaces are not allowed to flow through to higher-security interfaces.
Packet Flow Sequence:
When a packet passes through an appliance configured for address translation, the following sequence of events occurs:
· The packet arrives at the ingress interface from the end host.
· The security appliance checks the packet against the inbound ACL.
· If the packet is allowed in, the security appliance consults the routing table to determine the outbound physical interface.
· If address translation is enabled and the packet matches the translation criteria, the security appliance creates a translation for the host.
· The security appliance creates a stateful connection entry for TCP and UDP packets. It can, optionally, create a stateful connection entry for ICMP traffic if ICMP inspection is turned on.
· The packet is routed to the egress interface and is checked against the outbound ACL.
· If allowed, the packet is transmitted.
ACE (Access Control Entry):
Each permit or deny statement in an ACL is called an access control entry (ACE).
Types of ACLs
The security appliance supports five different types of ACLs to provide a flexible and scalable solution for filtering unauthorized packets into the network:
Standard ACLs:
Standard ACLs identify packets based on the destination IP address. They cannot be applied to an interface to filter packets. In routed mode, the Cisco ASA routes packets from one subnet to another by acting as an extra layer 3 hop in the network.
Extended ACLs:
An extended ACL can be used for interface packet filtering, QoS packet classification, and packet identification for NAT and VPN encryption. These ACLs can be set up on the security appliance in both routed and transparent mode. An extended ACE can match on:
· Source and destination IP addresses
· Layer 3 protocols
· Source and/or destination TCP and UDP ports
· Destination ICMP type for ICMP packets
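The following is an added example, not code from Cisco or from the original notes: a small Python model of how the inbound ACL check in the packet-flow sequence evaluates extended ACEs (first match wins, implicit deny at the end), using the match fields listed above. It also illustrates the allow-list approach recommended in section 4. The ACL names INSIDE_IN and OUTSIDE_IN, the addresses and the packets are constructed for the example, and the parser handles only the numeric port and ICMP-type forms of the access-list syntax.

```python
"""Added example (not Cisco's code): first-match evaluation of ASA-style extended ACLs,
as applied at the ingress interface in the packet-flow sequence.
The configuration text and packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA uses subnet masks, not wildcards)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acls(config_text):
    """Group 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT | ICMPTYPE]' lines by name.
    Only numeric ports and ICMP types are handled; ASA also accepts names such as 'www' or 'echo'."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = icmp_type = None
        if i < len(t):
            if proto in ("tcp", "udp") and t[i] == "eq":
                dport = int(t[i + 1])
            elif proto == "icmp":
                icmp_type = int(t[i])
        acls.setdefault(name, []).append(ACE(action, proto, src, dst, dport, icmp_type))
    return acls


def evaluate(aces, pkt):
    """Return (action, index of the matching ACE). Lines are tested top to bottom and the
    first match wins; a packet that matches nothing hits the implicit deny (index None)."""
    for idx, ace in enumerate(aces):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None


# Constructed configuration: an explicit allow-list on the inside interface (the approach
# recommended in section 4) and a single permit on the outside interface.
CONFIG = """
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 host 192.0.2.53 eq 53
access-list INSIDE_IN extended permit icmp 10.1.1.0 255.255.255.0 any 8
access-list INSIDE_IN extended deny ip any any
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
"""
ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    samples = [
        ("INSIDE_IN", Packet("tcp", "10.1.1.20", "203.0.113.5", dport=443)),     # permit, ACE 0
        ("INSIDE_IN", Packet("tcp", "10.1.1.20", "203.0.113.5", dport=23)),      # deny, ACE 3
        ("INSIDE_IN", Packet("icmp", "10.1.1.20", "203.0.113.5", icmp_type=8)),  # permit, ACE 2
        ("OUTSIDE_IN", Packet("tcp", "198.51.100.7", "192.0.2.10", dport=22)),   # implicit deny
    ]
    for acl_name, pkt in samples:
        print(acl_name, pkt.proto, pkt.src, "->", pkt.dst, evaluate(ACLS[acl_name], pkt))
```

The OUTSIDE_IN case shows why the order of ACEs matters less than what is left unmatched: anything the single permit does not cover is dropped by the implicit deny, whereas on INSIDE_IN the explicit `deny ip any any` makes the drop visible as ACE 3 in a hit count or log message.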
Advanced ACL Features:
Cisco ASA provides many advanced packet-filtering features to suit any network environment. These features include:
NAT:
NAT defines a one-to-one address mapping that is applied when a packet passes through the security appliance and matches the criteria for translation. The security appliance either assigns a static IP address (static NAT) or allocates an address from a pool of addresses (dynamic NAT).
Cisco ASA supports the following five types of address translation, each of which is configured uniquely. For a new flow the rule types are evaluated in this order:
· NAT exemption: When multiple NAT types/rules are set up, the security appliance first tries to match the traffic against the ACL in the NAT exemption rules. If there are overlapping entries in the ACL, the security appliance analyzes the ACEs until a match is found.
· Static NAT: If no match is found in the NAT exemption rules, the security appliance analyzes the static NAT entries in sequential order to determine a match.
· Static PAT: If the security appliance does not find a match in the NAT exemption or static NAT entries, it goes through the static PAT entries until it locates a match.
· Policy NAT/PAT: The security appliance evaluates the policy NAT entries if it is still not able to find a match for the packet flow.
· Identity NAT: The security appliance then tries to find a match using the identity NAT statement, if one is set up.
· Dynamic NAT: If the security appliance fails to find a match using the first five rule types, it checks whether the packets need to be translated using dynamic NAT.
· Dynamic PAT: As a last resort, the packets are checked against the dynamic PAT rules if all the previously mentioned rules fail.
A few more questions:
1. What is a firewall?
2. Describe, generally, how to manage a firewall.
3. What is a Denial of Service attack?
4. What is a "spoofed" packet?
5. What is a SYN flood?
6. What do you do if you are a victim of a DoS?
7. What is GPG/PGP?
8. What is SSH?
9. What is SSL? How do you create certificates?
10. What would you do if you discovered a UNIX or network device on your network has been compromised?
11. What would you do if you discovered a Windows system on your network has been compromised?
12. What is DNS hijacking?
13. What is a log host?
14. What is an IDS or IDP, and can you give me an example of one?
15. Why are proxy servers useful?
16. What is web caching?
17. Explain packet flow in a firewall.
18. What basic configuration is required in a firewall to allow data to pass through?
19. What is NAT 0?
20. What is NATting?
21. What is PAT?
22. Explain the initial configuration of a firewall.
23. Explain the difference between IPsec and GRE tunneling.