Introduction

Firewalls are widely recognized as key elements in network protection. Even though the subject is not new, many important concepts and resources that could help in designing a secure network are often overlooked or even ignored.

This book aims to unveil the potential of Cisco Firewall functionalities and products and to show how they can be combined in a structured manner to build security solutions.

The motivation for writing this book comes from a simple axiom: the better you understand individual features, the better you can use them for design purposes. After all, producing better security designs is the aim of anyone truly committed to security.

“Happy is he who transfers what he knows and learns what he teaches.”—Cora Coralina, Brazilian poet

Goals and Methods

Typical firewall books follow one of two distinct philosophies:

  • Configuration guides and handbooks focus on the set of commands needed to put a certain feature in place. These books have their importance, but they normally skip the discussion of the value of each functionality and the motivation for using it, and so contribute little to building an understanding of what specific resources can do.

  • Conceptual-only books mainly talk about categories of firewalls in a generic fashion, paying little attention to how the “functionalities materialize on specific platforms” and not establishing the connection between the theoretical and practical worlds.

Linking theory and practice aids in the understanding of the main concepts and significantly contributes to the production of better designs. This perception comes from a mathematics and engineering background: investing time in learning theory, and in understanding how the fundamental theorems are derived, is key to succeeding in actual problem solving.

It is also worth mentioning that troubleshooting is frequently relegated to an appendix, totally disconnected from the main text. This book proposes a completely different approach: the tools historically used for troubleshooting are employed here to illustrate how firewall features operate, thus establishing the linkages between theory and practice. After becoming familiar with these tools, you will consistently revisit them to reinforce the theoretical concepts presented in each chapter. This not only helps with the learning process but also helps you avoid a later troubleshooting stage in your practical deployments.

Who Should Read This Book?

This book discusses the firewall functionalities available on Cisco products and security design from the standpoint of the firewall devices. From beginners to seasoned engineers, there is useful content for everyone interested in Cisco Firewalls. The target audiences are summarized as follows:

  • Security engineers and architects who design and implement firewall solutions

  • Security administrators and operators who want to get a thorough understanding of the functionalities they are in charge of deploying

  • Professional Services engineers and TAC engineers who need to support Cisco Network Firewalls

  • People preparing for certifications in the Cisco security curriculum (CCNA Security, CCNP Security, and the Security CCIE exam)

Although this book contains a lot of configuration-related content, it by no means aims to be a configuration guide. It favors understanding how functionalities behave and the best ways to use firewall features, whether individually or integrated into a security design.

How This Book Is Organized

This book can be read cover to cover or by moving between chapters. There are some ASA-centric and IOS-specific chapters, but overall the chapters deal with both families at the same time. One benefit of this approach is that you can easily contrast the resources available on each family and select the implementation that best fits your needs. Another advantage is that the theoretical concepts are covered only once (instead of being repeated for each platform):

  • Chapter 1, “Firewalls and Network Security.” After reviewing the importance of a high-level security policy, this chapter presents the classic types of network firewalls and the possibilities for their insertion in a network environment. The discussion then centers on stateful firewalls and how they have evolved to adapt to the demands of complex environments.

  • Chapter 2, “Cisco Firewall Families Overview.” This chapter is aimed at presenting an overview of the Cisco hardware platforms that host stateful firewall solutions. An important discussion of the performance parameters that need to be taken into account when selecting a firewall solution is also presented.

  • Chapter 3, “Configuration Fundamentals.” This chapter presents the initial configuration tasks for the Cisco Firewall families. Topics such as access via the command-line interface (CLI), boot process, IP addressing options, and remote management methods are covered. If you are an experienced user of Cisco devices, you can skip this chapter.

  • Chapter 4, “Learn the Tools. Know the Firewall.” This chapter is the cornerstone of the approach adopted in this book and is, therefore, highly recommended even for advanced readers. The set of tools presented is used throughout the book to detail the operation of Cisco Firewalls and to provide the linkages between theory and practice.

  • Chapter 5, “Firewalls in the Network Topology.” Before providing the security services they are designed for, firewalls need to be inserted in the network topology using either a Layer 3 or a Layer 2 connectivity model. This chapter covers bridging, static routing, and relevant concepts about dynamic routing protocols such as OSPF, EIGRP, and RIP. The way in which the chapter is organized makes it a useful reference for those security-focused professionals who are not so familiar with the deployment of routing and bridging solutions.

  • Chapter 6, “Virtualization in the Firewall World.” This chapter examines the typical meanings of virtualization in the networking arena and how some building blocks (VLANs, VRFs, virtual contexts, and the like) can be combined to deliver a robust and secure virtualization architecture.

  • Chapter 7, “Through ASA Without NAT.” This ASA-centric chapter starts the actual discussion of security features. Important concepts such as security levels, connection setup and teardown, handling of ACLs, and object-groups are presented and extensively illustrated with examples.

  • Chapter 8, “Through ASA Using NAT.” This chapter is the natural follow-up to Chapter 7, because it details Network Address Translation (NAT) concepts and illustrates the various NAT options for ASA-based firewalls. The often confused topic of NAT precedence rules is carefully analyzed. Chapters 7 and 8 are later complemented by Appendix A, “NAT and ACL Changes in ASA 8.3.”

  • Chapter 9, “Classic IOS Firewall Overview.” This chapter covers the IOS Context Based Access Control (CBAC) feature set, which is now known as the Classic IOS Firewall. Other important topics such as NAT, ACL, and object-group handling are introduced and exemplified for IOS-based devices.

  • Chapter 10, “IOS Zone Policy Firewall Overview.” This chapter introduces the Zone Policy Firewall (ZFW), the main option for Cisco IOS-based Firewall deployments. The chapter presents the building blocks for ZFW policy construction and is centered on security functionality that goes up to Layer 4 (generic inspection).

  • Chapter 11, “Additional Protection Mechanisms.” This chapter focuses on protection resources that act up to Layer 4 and can add significant value to stateful inspection functionality. Features such as antispoofing, TCP normalization, connection limiting, and IP fragmentation handling are covered.

  • Chapter 12, “Application Inspection.” This chapter presents the application-layer inspection capabilities for all the families of Cisco network Firewalls. This type of functionality is employed by Cisco Firewalls to adapt to the particularities of application protocols that are not well behaved when crossing stateless packet filters or stateful firewalls that are limited to Layer 4. This application knowledge may also be directed to more sophisticated filtering activities.

  • Chapter 13, “Inspection of Voice Protocols.” This chapter builds upon the application inspection knowledge introduced in Chapter 12 to provide a detailed analysis of classic IP telephony protocols such as SCCP, H.323, SIP, and MGCP. The chapter goes a bit further by analyzing advanced ASA functionality (TLS-proxy and Phone-proxy) that permits the use of voice confidentiality solutions without losing the benefits of stateful inspection. For those security professionals who are not familiar with IP telephony terminology, this chapter can provide a good starting point.

  • Chapter 14, “Identity on Cisco Firewalls.” This chapter analyzes how the concept of identity can be leveraged to produce user-based stateful functionality in all the Cisco Firewall families. The chapter also discusses the AAA architecture and contrasts the RADIUS and TACACS+ protocols, clearly establishing which one is more suitable for each type of task: controlling access through the firewall or to the firewall (administrative access control).

  • Chapter 15, “Firewalls and IP Multicast.” This chapter introduces important theoretical aspects pertaining to IP multicast routing and forwarding tasks and later details how multicast traffic is handled through firewalls. The chapter was conceived to serve as a useful reference for readers who are not familiar with the topic.

  • Chapter 16, “Cisco Firewalls and IPv6.” As the pool of available IPv4 addresses is depleted, a careful look at the next-generation Internet Protocol (IP version 6) becomes more compelling. The chapter introduces important IPv6 concepts and presents the IPv6 security features that exist on the Cisco Firewall families.

  • Chapter 17, “Firewall Interactions.” This chapter is centered on security design. Information about the typical interactions of firewall functionality with other features (or systems) that may add value to the overall security practice is presented. In some cases, the definition of “interaction” has more to do with the challenges that should be taken into account when deploying firewalls in some specific environments.

  • Appendix A, “NAT and ACL Changes in ASA 8.3.” This appendix is aimed at highlighting the changes in the NAT deployment models introduced by ASA 8.3 and, in this sense, is a natural companion of Chapter 8. The new possibility of defining global ACLs is also covered.