Cisco CCIE Security 350-701 Topic: Firewalls
December 16, 2022

1. Cisco Stateful Firewalls – IOS – ASA

In this video we will learn what a firewall is, why we need one, and then look at the common firewall design. Definition-wise, a firewall is a system, or a group of systems, that manages access between two or more different networks; technically it is a device that manages traffic between those networks. Think of the word itself: the "wall" is the structure that controls which traffic is allowed to pass through. For example, I have a firewall with a user on my LAN, which is my inside network; the firewall also connects to the Internet, which is my outside network; and there is a DMZ where I place my FTP or HTTP servers.

My rule is that the user sitting on the LAN should be able to access the Internet. At the same time, a user sitting on the Internet should not be able to access anything on my LAN, so traffic from the Internet to the LAN must be restricted. I also want the user on the Internet to be able to reach my servers in the DMZ, the servers to be able to reply to the Internet, and the LAN users to be able to use those servers as well. So I define specific rules, and traffic flows between these networks only as the rules allow. That is exactly the wall's job: we define what traffic is allowed and what is not, and the firewall enforces it. The "fire" part is that all traffic moving between my LAN and the Internet, or arriving from anywhere, is inspected.

Inspected means examined against certain policies. We configure security policies, and based on those policies traffic is allowed or denied; every packet is inspected. For example, a user on the LAN sends a request to an HTTP server somewhere on the Internet, perhaps Google or Yahoo. The return traffic must be allowed back in, but if an attacker tries to initiate traffic from the outside, it should be denied. So there are two kinds of traffic arriving from the outside: traffic initiated by an attacker, and return traffic for sessions our users started. The firewall must be able to tell which is which. It does that based on the security policy we apply plus some additional information it maintains; we will cover that in detail in the next few topics.

Firewalls are generally placed at the boundary between trusted and untrusted networks, especially between the LAN and the Internet. Anything coming from the Internet is referred to as untrusted traffic, because we do not trust it, whereas traffic initiated from the LAN is considered trusted. Whatever moves between the two should be monitored and inspected, so we need a firewall between the LAN and the Internet. The main scope of the firewall is to control traffic coming from the Internet: we restrict what is allowed into the LAN or into the DMZ.

Next, the reasons for deploying a firewall. Every organisation requires one, because apart from keeping the network running, security is the most important thing. All internal networks must be protected so that traffic from the Internet cannot reach anything vulnerable: an attacker should not be able to initiate traffic to, or access anything on, the LAN or the DMZ. Unauthorised access is restricted by the firewall according to the policies we configure. The Internet is a dangerous place, full of criminals, competing companies, ex-employees and spies, all watching your traffic. An attacker can launch a denial-of-service attack against my server or router and bring it down, or attempt illegal or unauthorised modification of my data; the firewall is there to prevent that. Most basic firewall designs include three components, or three segments.

That is, three different networks. The first is the internal LAN where all your end users are connected and from which they access services; we typically call it the "inside" network, and it is also known as the LAN, "in", or the trusted network. Whatever name we use, the most common one is inside. The "outside" network typically refers to the Internet, which is an untrusted network. So the Internet is my outside network, the LAN is always my inside network, and the DMZ is the place where I put the servers.

The DMZ exists because a user sitting on the Internet may need to access some of my servers, perhaps FTP or mail servers. It is not good practice to place those servers on the LAN: if a user on the Internet must enter the LAN to reach the server, then while accessing it he can also launch other attacks against the LAN. So it is always best to keep your servers on a separate network, a separate VLAN or a separate network segment, where users can reach them. If an attack happens, it impacts only that segment, not the LAN, and the attacker cannot initiate attacks against the LAN because most traffic from the Internet to the LAN is denied.

2. ASA Supported Features _ PART1

Now the common firewall technologies. Most firewalls support almost all of these features: stateful packet filtering, stateless packet filtering, application-level gateways, and next-generation firewall features. Some vendors support all of them and some support only two or three; it depends on the individual firewall. But these are the common technologies supported by almost all firewalls, including Cisco's. The first thing to understand is packet filtering. Packet filtering is nothing but ACLs, which were covered in the basic CCNA routing and switching course.

It is a method where, as traffic moves through a device, whether a router, a firewall or any other device, the device filters the packets: it checks the source address, the destination address, the protocol such as TCP or UDP, the source or destination port numbers (port 80, port 23 and so on) and various other parameters. Based on the rules we define, once a packet matches a rule marked "permit", it is allowed to pass through; if the matching rule is "deny", the packet is simply dropped. So packet filtering is nothing more than inspecting the packets, and the data in them, one by one as they pass through the device, and it is generally accomplished with ACLs on routers or multilayer switches.

An ACL is nothing but a set of rules we write on the device; based on those rules the device either permits or denies the traffic. Packet filtering can be either stateless or stateful. To understand the difference, let us first look at stateful packet inspection, and then at stateless packet filtering.

Stateful packet inspection, in its simplest form, allows connections originating from the inside interface and drops connections originating from the outside. Suppose I want a user on my LAN to be able to initiate traffic to a service on the Internet, say Yahoo or Google, and at the same time I want the return traffic to be allowed back. In other words, I send a request to www.yahoo.com, the request goes out, and the reply comes back; that is something I want to allow, whether on a router or on a firewall. (You can also configure a router as a firewall.)

At the same time, any traffic initiated from the outside, perhaps by an attacker trying to access resources on my LAN, should be denied. Stateful packet inspection means maintaining a state table. Traffic from the LAN to the server is allowed, and the return traffic is allowed back: I send a request to Yahoo and Yahoo responds. But if the traffic originated on the untrusted outside interface or network, it is dropped. The question is how the router or firewall can differentiate return traffic from newly initiated traffic. Most firewalls support stateful packet inspection, which keeps track of whether the traffic coming from the Internet is a return or a new connection, based on a table we call the state table.

What the firewall does is this. When a user sends a request to www.yahoo.com, the request reaches the firewall, and the firewall checks its permit rules, because we also implement a policy here. Say I have told the firewall to allow this user to access the Yahoo server: it checks that rule to see whether the packet is allowed or denied. If the rule is deny, the packet is dropped right there. If the rule is permit, the packet is allowed through the firewall to the Internet, but while forwarding it the firewall also adds a session entry. It records in the session table that the source is the user's inside address with some random source port, say 2050, and the destination is the Yahoo server on port 80; along with that it records sequence numbers and other connection details.

When the Yahoo server replies, the packet reaches the firewall, and the firewall checks whether it belongs to an existing session, that is, whether it is return traffic or a new connection. To count as return traffic it must match the session entry in reverse: the source must be the Yahoo server, the destination the inside network, the source port 80, the destination port 2050, and the sequence numbers and other parameters must be consistent. If it matches, the traffic is allowed through; if not, it is simply discarded. This is how the firewall keeps track of whether packets are return traffic or were initiated from the Internet. Because the firewall or router has this special feature, we call it stateful packet filtering. Of course, we can also configure the IOS firewall feature so that a router acts as a firewall.

So the firewall keeps track of the traffic leaving for the Internet. We call this monitoring the state of the active connections, and it uses that information to determine which packets are allowed and which are blocked. That is stateful packet filtering. To repeat: when the user initiates a request, the request goes out with its source address, destination address, protocol, data and other information, the firewall writes those details into the session table, and when the traffic comes back it must match those session entries. Firewalls track every permitted outbound connection in the state table, which records the session state, and from that they can determine whether an attacker is attempting to initiate traffic while posing as the server.

3. ASA Supported Features _ PART2

The next thing is stateless packet filtering, which is almost the opposite of the stateful packet filtering we discussed in the previous session. Stateful packet filtering keeps session state information in a state table, and from that it can differentiate return traffic from traffic initiated by an attacker or spoofed traffic, because the table holds the sources, destinations, protocol, port numbers and other details of every session.

Stateless filtering, however, has no state table; it is just a standard ACL of the kind we use on a router or firewall. Say I set up an ACL so that a user on the inside network can send HTTP traffic to the outside network. The traffic reaches the device, in my case the firewall or the router, and based on the rule it is allowed through, but while allowing it the device does not record the session state. When the traffic comes back, the decision depends entirely on the ACL you have configured for that direction: based on that ACL alone the packet is either allowed or denied. So it does not do stateful packet inspection; it is the exact opposite.

The simplest example of stateless packet filtering is the ACL, which filters on source and destination address, protocol, port numbers and some other parameters. There are various types of ACLs. Router ACLs can be implemented on routers or firewalls and work entirely on Layer 3: based on Layer 3 information we filter the traffic as it moves through the device. We can also use VLAN ACLs (VACLs), which are configured on switches at the VLAN level: as traffic moves into or within a VLAN we can permit or deny it based on a Layer 3 address or on a Layer 2 address such as a MAC address. Similarly, we can configure port ACLs at the physical interface level for any traffic entering that interface, filtering on the source address or on the MAC address for Layer 2 interfaces. Each type of ACL works differently.
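To make the difference between the two designs concrete, here is an added example in Python; it is not code from the course or from Cisco, and the addresses, ports and packets in it are constructed for illustration. It models the three-zone design from section 1 (inside, outside, DMZ) and feeds the same packets through a stateless ACL and through a stateful engine with a session table, as described in sections 2 and 3. The hypothetical policy is: LAN may start anything, Internet may start only HTTP to the DMZ web server, nothing else may start from outside. The stateless version is forced to open a hole for return traffic ("permit tcp any eq 80 10.1.1.0/24"), and the scenario shows an attacker driving a forged source-port-80 packet through that hole while the stateful engine drops it for lack of a session.

```python
"""Stateless ACL vs stateful packet inspection, simulated in Python.

Added example for this page (not code from the course or from Cisco):
models the inside / outside / DMZ design from the text and shows why a
stateless ACL cannot tell Yahoo's reply from an attacker's forged packet,
while a session (state) table can. Addresses, ports and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    zone: str            # interface the packet arrives on: inside / outside / dmz
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    """One ACL entry; None means 'any' for a port, "ip" means any protocol."""
    action: str          # "permit" or "deny"
    zone: str            # ingress zone the ACL is applied to
    proto: str
    src: str             # CIDR
    dst: str             # CIDR
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.zone == p.zone
                and self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def acl_lookup(rules, p: Packet) -> str:
    """Stateless filtering: first matching entry wins, implicit deny at the end."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """The ACL decides only NEW connections; a session table handles the rest."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # (proto, src, sport, dst, dport) of permitted flows

    def process(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.sessions or reverse in self.sessions:
            return "permit (existing session)"   # return traffic or more of the same flow
        if p.proto == "tcp" and not p.syn:
            return "deny (no session)"           # mid-stream TCP with no state: forged
        if acl_lookup(self.rules, p) == "permit":
            self.sessions.add(key)               # record the 5-tuple; the reply must mirror it
            return "permit (new session)"
        return "deny (policy)"


# Hypothetical addresses (documentation ranges), chosen for this example only.
INSIDE, DMZ_WEB = "10.1.1.0/24", "192.0.2.10/32"
YAHOO, ATTACKER = "203.0.113.20", "198.51.100.7"

# Stateful policy: only say what may START a connection.
STATEFUL_RULES = [
    Rule("permit", "inside", "ip", INSIDE, "0.0.0.0/0"),               # LAN -> anywhere
    Rule("permit", "outside", "tcp", "0.0.0.0/0", DMZ_WEB, dport=80),  # Internet -> DMZ web
]

# Stateless policy: without a state table, the only way to let replies back in
# is a hole like 'permit tcp any eq 80 10.1.1.0/24', which anyone can drive through.
STATELESS_RULES = STATEFUL_RULES + [
    Rule("permit", "outside", "tcp", "0.0.0.0/0", INSIDE, sport=80),
]


def run_scenario() -> dict:
    """Feed the same packets to both designs; returns label -> (stateless, stateful)."""
    fw = StatefulFirewall(STATEFUL_RULES)
    packets = [
        ("lan_user_to_yahoo",   Packet("inside",  "tcp", "10.1.1.5", 2050, YAHOO, 80, syn=True)),
        ("yahoo_reply",         Packet("outside", "tcp", YAHOO, 80, "10.1.1.5", 2050)),
        ("forged_sport80",      Packet("outside", "tcp", ATTACKER, 80, "10.1.1.5", 2050)),
        ("attacker_syn_to_lan", Packet("outside", "tcp", ATTACKER, 4444, "10.1.1.5", 22, syn=True)),
        ("internet_to_dmz_web", Packet("outside", "tcp", ATTACKER, 51000, "192.0.2.10", 80, syn=True)),
    ]
    return {label: (acl_lookup(STATELESS_RULES, p), fw.process(p)) for label, p in packets}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:22} stateless={stateless:7} stateful={stateful}")
```

Running it prints one line per packet. Both designs agree on the LAN user's request, on the attacker's SYN to port 22 (denied) and on the Internet client reaching the DMZ web server; they disagree on the forged packet, which the stateless ACL permits because its source port is 80 and the stateful engine denies because no session exists for it. A real ASA or IOS firewall goes further than this 5-tuple check and also validates TCP flags and sequence numbers against the session entry, as the text mentions, but the session table is the part that makes the distinction possible at all.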
