Lecture CCNA security partner - Chapter 10: Cisco Firewalling Solutions Cisco IOS Zone-Based Firewall and Cisco ASA


This chapter explains the two Cisco firewall solutions: the Cisco IOS Zone-Based Policy Firewall and the Cisco Adaptive Security Appliance (ASA). It describes the Cisco IOS Zone-Based Policy Firewall in detail, and how the solution uses the Cisco Common Classification Policy Language (C3PL) to create firewall policies. The chapter then presents the Cisco ASA firewall, identifying key supported features and the building blocks of its configuration using ASDM.

Slide 1: Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA
© 2012 Cisco and/or its affiliates. All rights reserved.

Slide 2: Contents
At the end of this chapter, you will be able to do the following:
• Introduce and describe the function, operational framework, and building blocks of Cisco IOS Zone-Based Firewalls
• Describe the functions of zones and zone pairs, as well as their relationship in hierarchical policies
• Describe Cisco Common Classification Policy Language for creating zone-based firewall policies
• List the default policies for the different combinations of zone types
• Demonstrate the configuration and verification of zone-based firewalls using Cisco Configuration Professional and the CLI
• Demonstrate the configuration of NAT services for zone-based firewalls
• Describe the Cisco ASA family of products, identifying key supported features
• Describe the building blocks of Cisco ASA configuration

Slide 3: Cisco Firewall Solutions
Cisco offers multiple different firewall solutions, each geared to a different environment. Currently, Cisco firewall offerings include:
• Cisco IOS Firewall
• Cisco ASA 5500 Adaptive Security Appliances
• Cisco ASA 1000V Cloud Firewall
• Cisco Virtual Security Gateway for Nexus 1000V Series Switch
• Cisco Catalyst 6500 Series ASA Services Module
• Cisco Catalyst 6500 Series Firewall Services Module
• Cisco Small Business SA500 Series Security Appliances

Slide 4: Cisco IOS Zone-Based Policy Firewall (section title)

Slide 5: Zone-Based Policy Firewall Overview
To demonstrate this model, the figure shows three zones:
• Untrusted: Represents the Internet
• DMZ: Demilitarized zone, which contains the corporate servers accessed by the public
• Trusted: Represents the inside network

Slide 6: Interzone Policies
The interzone policies in the figure are as follows:
• Public-DMZ: DMZ policy that sets the rules for traffic originating from the untrusted zone with the DMZ as destination
• DMZ-Private: Private policy that sets the rules for traffic originating from the DMZ with the trusted zone as destination
• Private-DMZ: DMZ policy that sets the rules for traffic originating from the trusted zone with the DMZ as destination
• Private-Public: Public policy that sets the rules for traffic originating from the trusted zone with the untrusted zone as destination

Slide 7: Features
Cisco IOS Zone-Based Policy Firewalls support the following features:
• Stateful inspection
• Application inspection
• URL filtering
• Per-policy parameters
• Transparent firewall
• Virtual routing and forwarding (VRF)-aware firewall

Slide 8: Benefits
Key benefits of the zone-based policy firewall are as follows:
• It is not dependent on ACLs
• The router security posture is restrictive (which means block unless explicitly allowed)
• C3PL makes policies easy to read and troubleshoot
• One policy affects any given traffic, instead of needing multiple ACL and inspection actions

Slide 9: Zones and Zone Pairs
(Figure: Interfaces Belong to Zones)

Slide 10: Zone-Based Topology Examples
(Figures: Simple Firewall Topology with Two Security Domains; Medium-Sized Organization with Three Zones)

Slide 42: ASA Models (figure fragment: Performance and Scalability, Multi-Service (Firewall/VPN and IPS))
• ASA 5585 SSP-60: 40 Gbps, 350K cps
• ASA 5585 SSP-40: 20 Gbps, 240K cps
• ASA 5585 SSP-20: 10 Gbps, 140K cps

Slide 71: Step 2: Run the Startup Wizard from Cisco ASDM
You can start Cisco ASDM using either of two methods:
• ASDM-IDM Launcher (Windows only): The Launcher is an application (downloaded from the Cisco ASA using a web browser) that you can use to connect to any Cisco ASA IP address. You do not need to re-download the Launcher if you want to connect to other Cisco ASAs. The Launcher also lets you run a virtual Cisco ASDM in Demo Mode using files that are downloaded locally.
• Java Web Start: For each Cisco ASA that you manage, you need to

Slide 72: Starting the Cisco ASDM Startup Wizard and the First Screen

Slide 73: Second Screen of the Cisco ASDM Startup Wizard

Slide 74: Interface Selection from Cisco ASDM Startup Wizard

Slide 75: Switch Port Selection from Cisco ASDM Startup Wizard (Cisco ASA 5505 Only)

Slide 76: Interface IP Address Configuration from Cisco ASDM Startup Wizard

Slide 77: DHCP Server Configuration from Cisco ASDM Startup Wizard

Slide 78: NAT and PAT Configuration from Cisco ASDM Startup Wizard

Slide 79: Administrative Access Configuration from Cisco ASDM Startup Wizard

Slide 80: Step 3: Verify the Configuration Created by the Cisco ASDM Startup Wizard
(Figures: Verifying Access Rules; Verifying NAT Rules)

Slide 81: Adding a Static Route Using Cisco ASDM

Slide 82: Step 4: Verify Firewall Activity Using the Packet Tracer Tool
This tool lets you do the following:
• Debug all packet drops in a production network
• Verify that the configuration is working as intended
• Show all rules applicable to a packet, along with the CLI commands that caused the rule addition
• Show a timeline of packet changes in a data path
• Inject tracer packets into the data path

Slide 83: Packet Tracer Tool
To open the Packet Tracer, perform the following steps:
Step 1. In the main Cisco ASDM application window, navigate to Tools > Packet Tracer.
Step 2. The Cisco ASDM Packet Tracer dialog box opens.
Step 3. Choose the source interface for the packet trace from the Interface drop-down list.
Step 4. Specify the protocol type for the packet trace. Available protocol types include TCP, UDP, ICMP, and IP.
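The three-zone model of slides 5 and 6 (Untrusted, DMZ, Trusted) and the four interzone policies it lists, written out as a Cisco IOS Zone-Based Policy Firewall configuration. This is an added example, not a slide from the deck: the interface names, addresses, the DMZ web server 10.1.2.10 and the NAT setup are assumptions chosen for illustration. It also covers the "NAT services for zone-based firewalls" item from the Contents slide.

```cisco
! Added example (not from the slides): three-zone Cisco IOS Zone-Based Policy Firewall.
! Interface names, addresses and the DMZ server 10.1.2.10 are assumptions for this example.

! 1. Zones. An interface can be a member of exactly one zone.
zone security PRIVATE
 description Trusted inside network
zone security DMZ
 description Corporate servers reachable from the Internet
zone security PUBLIC
 description Untrusted Internet

! 2. Interface membership. The NAT roles are set here as well (see step 6).
interface GigabitEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 zone-member security PRIVATE
interface GigabitEthernet0/1
 description DMZ
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 zone-member security DMZ
interface GigabitEthernet0/2
 description Internet uplink
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 zone-member security PUBLIC

! 3. Class maps: the "if" part of the C3PL if-then-else.
class-map type inspect match-any CM-INSIDE-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp

! Public -> DMZ: only web traffic, and only to the one published server.
! The ACL matches the server's real address: for packets entering the
! "ip nat outside" interface, NAT runs before the firewall inspection.
ip access-list extended ACL-DMZ-WEB
 permit ip any host 10.1.2.10
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
class-map type inspect match-all CM-PUBLIC-TO-DMZ
 match access-group name ACL-DMZ-WEB
 match class-map CM-WEB

! 4. Policy maps: the "then" part (inspect / pass / drop). class-default is the "else".
policy-map type inspect PM-INSIDE-OUT
 class type inspect CM-INSIDE-OUT
  inspect
 class class-default
  drop log
policy-map type inspect PM-PUBLIC-TO-DMZ
 class type inspect CM-PUBLIC-TO-DMZ
  inspect
 class class-default
  drop log
policy-map type inspect PM-DENY-ALL
 class class-default
  drop log

! 5. Zone pairs are unidirectional; replies are admitted by the inspect state,
!    not by a reverse zone pair. One policy map can serve several pairs.
zone-pair security PRIVATE-PUBLIC source PRIVATE destination PUBLIC
 service-policy type inspect PM-INSIDE-OUT
zone-pair security PRIVATE-DMZ source PRIVATE destination DMZ
 service-policy type inspect PM-INSIDE-OUT
zone-pair security PUBLIC-DMZ source PUBLIC destination DMZ
 service-policy type inspect PM-PUBLIC-TO-DMZ
zone-pair security DMZ-PRIVATE source DMZ destination PRIVATE
 service-policy type inspect PM-DENY-ALL

! 6. NAT: inside hosts share the uplink address; the DMZ server gets a static mapping.
ip access-list extended ACL-NAT-INSIDE
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list ACL-NAT-INSIDE interface GigabitEthernet0/2 overload
ip nat inside source static 10.1.2.10 203.0.113.10

! 7. Verification
show zone security
show zone-pair security
show policy-map type inspect zone-pair PRIVATE-PUBLIC sessions
```

Two points worth checking against the "block unless explicitly allowed" benefit on slide 8. Traffic between two zones with no zone pair, or between a zone member and an interface that is in no zone, is dropped by the default policy, so the DMZ-PRIVATE pair above changes nothing about what is forwarded; it exists only so that the drops are logged. Traffic to and from the router itself belongs to the built-in self zone and is permitted by default, so management access to the router is not restricted by any of these pairs until a policy is applied to a pair that includes self.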
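The Startup Wizard screens on slides 72 to 81 and the Packet Tracer dialog on slides 82 and 83 each map to a few lines of ASA CLI. The following is an added example, not a slide from the deck or Cisco's own sample configuration: it shows an ASA 8.4-style configuration equivalent to what the wizard produces (interfaces, default route, DHCP server, NAT/PAT, an access rule, administrative access) and then the CLI form of the Packet Tracer. Interface names, addresses and the web server 10.1.1.10 are assumptions for this example.

```cisco
! Added example (not from the slides): ASA 8.4-style CLI equivalent of the Startup Wizard
! result, followed by CLI packet-tracer checks. Addresses and names are assumptions.

hostname EDGE-ASA

! Interfaces (slides 74 and 76): security levels drive the default policy.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown

! Static default route (slide 81)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! DHCP server for inside hosts (slide 77)
dhcpd address 10.1.1.100-10.1.1.200 inside
dhcpd dns 10.1.1.53
dhcpd enable inside

! NAT/PAT (slide 78): inside hosts share the outside interface address.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Static NAT for a published web server plus the access rule that admits HTTP to it.
! From ASA 8.3 on, access lists reference the real (untranslated) address, so the
! rule names the object, not the mapped address 203.0.113.10.
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-group OUTSIDE-IN in interface outside

! Administrative access (slide 79): ASDM over HTTPS and SSH, only from the inside LAN.
http server enable
http 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside

! Packet Tracer (slides 82 and 83) from the CLI. The arguments are the same choices the
! ASDM dialog asks for: ingress interface, protocol, source, destination. The dialog's
! "IP" protocol type is spelled "rawip" on the CLI.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 22
packet-tracer input inside tcp 10.1.1.50 51000 198.51.100.7 443
```

The three traces exercise the three outcomes a practitioner wants to see after running the wizard: the first should be allowed, with an UN-NAT phase mapping 203.0.113.10 back to 10.1.1.10 before the ACCESS-LIST phase matches OUTSIDE-IN; the second should be dropped at the ACCESS-LIST phase, since only port 80 is published; the third should be allowed without any access list, because traffic from a higher security level (inside, 100) to a lower one (outside, 0) is permitted by default, and the NAT phase should show the source rewritten to the outside interface address. If a trace does not end where expected, the phase in which it stops names the configuration element to look at.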

Posted: 30/01/2020, 12:38


Table of contents

  • Slide 1

  • Contents

  • Cisco Firewall Solutions

  • Slide 4

  • Zone-Based Policy Firewall Overview

  • Interzone Policies

  • Slide 7

  • Benefits

  • Zones and Zone Pairs

  • Zone-Based Topology Examples

  • Introduction to Cisco Common Classification Policy Language

  • Components of Cisco Common Classification Policy Language

  • C3PL: If-Then-Else Structure

  • Modular Object-Oriented Configuration Design

  • Characteristics of class map objects

  • Zone-Based Policy Firewall Actions

  • Slide 17

  • Zone-Based Policy Firewall: Rules for Application Traffic

  • Zone-Based Policy Firewall: Rules for Router Traffic

  • Designing Cisco IOS Zone-Based Policy Firewalls
