
Firewall

FIREWALL!
What is Firewall?
A firewall protects a network from hostile intrusion. It sits at the junction point, or gateway, between two networks: the private network (also called the LAN) and the public network (also called the Internet or WAN).
A firewall also controls traffic, permitting or denying it according to a predefined policy.
What can a firewall do?
A firewall can do:
  1. Network Address Translation (NAT)
  2. Content security
  3. Authentication
  4. Load balancing
  5. Logging of network activity
  6. VPN, etc.
What is a Demilitarized Zone (DMZ)?
Generally a firewall needs a minimum of two interfaces to connect two different networks. A third interface is added to separate the public servers; this is referred to as the DMZ.
Why do we separate the public servers?
Because even if the public servers are attacked, the private LAN still remains secure.
Types of Firewall: There are two types of firewall.
  1. Transparent Mode
  2. Routed Mode
Let us go through Routed Mode first, then Transparent Mode.
Routed Mode: Usually the firewall runs the ASA (Adaptive Security Algorithm) on both PIX (Private Internet Exchange) and ASA Cisco devices.
ASA/PIX FIREWALL: No packet is allowed through without a connection (state) entry. All inbound traffic is allowed by default unless explicitly denied by an ACL, and all outbound traffic is denied by default unless implicitly allowed by an ACL.
Firewall Security Levels: Each firewall interface is assigned a security level.
  1. Security level 100 is assigned to the inside interface.
  2. Security level 0 is assigned to the outside interface.
  3. Levels between 0 and 100 are assigned to DMZ interfaces.
How is a packet inspected by the firewall?
The firewall inspects a packet in the following order:
  1. Initial checking: As a packet arrives at a firewall interface, it is checked for basic integrity. One of the most important checks is of the packet's source address.
  2. XLATE lookup: The firewall maintains an XLATE (translation) table whose entries have many parameters:
    1. Protocol used (TCP, UDP, ICMP)
    2. Local and global interface
    3. Local and global IP address
    4. Local and global ports (TCP or UDP)
    5. Flags (type of xlate)
    6. Absolute time (incremented since the XLATE entry was created)
    7. Idle timer
    8. Connections using the XLATE entry (number of connections, embryonic connections, a list of active connections)
  3. CONN lookup: As soon as a connection is initiated, a CONN table entry is created. Traffic from the source to the destination is allowed to pass, and the return traffic for that connection is allowed back through the firewall towards the source. A CONN entry has many parameters:
    1. Protocol used (TCP, UDP, ICMP)
    2. Local and global interface
    3. Local and global IP address
    4. Local and global ports (TCP or UDP)
    5. Flags for the connection state
    6. Idle timer
    7. Byte counter (total traffic volume using the connection)
    8. Local and foreign TCP sequence numbers
  4. ACL lookup: ACLs are not used to inspect a connection's state; they are used only to permit or deny packets.
  5. UAUTH lookup: It maintains each authenticated user along with the source IP address, the authorization ACL name (if any) and a session timer value. After a user authenticates with the firewall, they can use and create new connections until the absolute time expires.
  6. Inspection engine: The firewall inspects each connection according to the protocol being used:
    1. TCP, or
    2. UDP, or
    3. ICMP
How is a TCP packet inspected through the firewall?
TCP is a connection-oriented protocol: before two hosts exchange TCP traffic, they must perform a three-way handshake to establish a TCP session. TCP connections are inspected through the use of the XLATE, ACL and CONN table entries.

Suppose PC1 initiates the TCP connection by sending a packet with the SYN bit set to PC2. The firewall expects PC2 to reply with a packet that has the SYN and ACK bits set. Finally, PC1 must send a packet with the ACK bit set. If this handshake is properly followed, the firewall begins allowing TCP packets to flow through it.

How is a UDP packet inspected through the firewall?
UDP is a connectionless protocol. Even so, the firewall creates XLATE, CONN and ACL table entries to deal with UDP packets. Taking the same diagram as above, when PC1 begins a session by sending a UDP packet to PC2, the firewall checks whether the ACL on that interface permits it; if so, the firewall defines a UDP connection to forward the traffic. It creates an XLATE table entry with the first packet in the session and creates a new connection in the CONN table.

How is an ICMP packet inspected through the firewall?
ICMP is a connectionless protocol because it allows one host to send another host a message without expecting a reply. The firewall creates XLATE and ACL table entries, but no CONN entries are created for ICMP packets.
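To make the lookup order and the per-protocol handling above concrete, here is an added Python model written for this page (it is not Cisco's implementation and not code from the original post). The ACL entries, the host addresses and the use of 192.168.0.1 as the translated global address are constructed assumptions; the model keeps only the initial check, the XLATE/CONN/ACL order, the TCP handshake states and the UDP/ICMP differences the text describes.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed ACL: permitted (src, dst, proto, dst port or ICMP type) tuples.
ACL = {("10.0.0.5", "192.168.0.50", "tcp", 80),
       ("10.0.0.5", "192.168.0.53", "udp", 53),
       ("10.0.0.5", "192.168.0.50", "icmp", 8)}

def valid_source(ip):  # 1. initial check: a usable unicast source address
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (a.is_unspecified or a.is_multicast or a.is_loopback)

@dataclass
class Firewall:
    xlate: dict = field(default_factory=dict)  # XLATE: local ip -> global ip
    conns: dict = field(default_factory=dict)  # CONN: (src, dst, proto, port) -> state

    def inspect(self, src, dst, proto, port, flags=frozenset()):
        if not valid_source(src):
            return "drop: failed initial check"
        key, rev = (src, dst, proto, port), (dst, src, proto, port)
        if key in self.conns or rev in self.conns:  # 2/3. XLATE and CONN hit
            return self._track(key, rev, proto, flags)
        if key not in ACL:  # 4. ACL decides only whether a new flow may start
            return "drop: denied by ACL"
        self.xlate.setdefault(src, "192.168.0.1")  # xlate built on first packet (assumed global ip)
        if proto == "tcp":  # 6. inspection engine: TCP must begin with a SYN
            if flags != {"SYN"}:
                return "drop: TCP connection must start with SYN"
            self.conns[key] = "SYN_SENT"
            return "allow: conn created (SYN)"
        if proto == "udp":  # UDP gets a conn entry from its first packet
            self.conns[key] = "ESTABLISHED"
            return "allow: UDP conn created"
        return "allow: ICMP (no conn entry)"  # ICMP: xlate + ACL only

    def _track(self, key, rev, proto, flags):
        if proto != "tcp":
            return "allow: existing conn"
        if key in self.conns:  # packet from the initiator (PC1)
            if self.conns[key] == "SYN_RCVD" and "ACK" in flags:
                self.conns[key] = "ESTABLISHED"
                return "allow: handshake complete"
            return "allow: existing conn" if self.conns[key] == "ESTABLISHED" else "drop: out of state"
        if self.conns[rev] == "SYN_SENT" and flags == {"SYN", "ACK"}:  # reply from PC2
            self.conns[rev] = "SYN_RCVD"
            return "allow: SYN/ACK"
        return "allow: return traffic" if self.conns[rev] == "ESTABLISHED" else "drop: out of state"
```

A reply that arrives before the handshake step the firewall expects is dropped as out of state, which is the behaviour that distinguishes this from a plain packet filter.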

How to configure ASA firewall interfaces?
Let us understand some basic concepts before going on to configure the interfaces.

Initial Configuration:
We have to connect to the security appliance, such as a Firewall ASA 5520 model, through the console port using an RJ-45 rollover cable, and then bring up HyperTerminal.

Command Line Interface:
  1. User mode (>): It offers a limited set of commands.
  2. Privileged mode (#): This mode allows execution of all commands.
  3. Configuration mode (config)#: This allows us to configure the device and also to use all user mode and privileged mode commands.
  4. ROMMON (read-only memory monitor mode): The device enters this mode when it does not find a bootable image or when an administrator forces it to. In ROMMON mode we can use a TFTP server to load a system image such as asa847-k8.bin into the security appliance, and it is also used to recover the firewall's password.
Configure ASA Firewall interfaces
Let us configure the firewall interfaces according to the requirements of an organization. Here we will configure interfaces on a Cisco ASA 5520 firewall model as an example, following the diagram below.


ciscoasa>en
ciscoasa#config t
ciscoasa(config)#hostname ASA
ASA(config)#activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
or
ASA(config)#activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
ASA(config)#reload
ASA(config)#enable password abcd@123
Configuring Interfaces
LAN Network Interface
ASA(config)#int g1
ASA(config-if)#nameif inside
ASA(config-if)#security-level 100
ASA(config-if)#ip address 10.0.0.1 255.255.255.0
ASA(config-if)#no shut
ASA(config-if)#description "inside network, i.e. the private or secure network, connected to the g1 interface with 10.0.0.0/24 addresses"
ASA(config-if)#exit
DMZ (Demilitarized Zone) interface
ASA(config)#int g2
ASA(config-if)#nameif dmz
ASA(config-if)#security-level 50
ASA(config-if)#ip address 172.16.0.1 255.255.255.0
ASA(config-if)#no shut
ASA(config-if)#description "g2 interface is connected to the dmz network with 172.16.0.0/24 addresses"
ASA(config-if)#exit
WAN (Wide Area Network) interface
ASA(config)#int g0
ASA(config-if)#nameif outside
ASA(config-if)#security-level 0
ASA(config-if)#ip address 192.168.0.1 255.255.255.0
ASA(config-if)#no shut
ASA(config-if)#description "g0 interface is connected to the outside network, i.e. the internet or public network, with 192.168.0.0/24 addresses"
ASA(config-if)#exit
Assigning access to TELNET, SSH, HTTP and CONSOLE
Assigning access to HTTP
ASA(config)#http server enable
ASA(config)#http 10.0.0.0 255.255.255.0 inside
ASA(config)#aaa authentication http console LOCAL
Assigning access to TELNET
ASA(config)#telnet 10.0.0.0 255.255.255.0 inside
ASA(config)#aaa authentication telnet console LOCAL
Assigning access to SSH
ASA(config)#domain-name fz.com
ASA(config)#crypto key generate rsa modulus 1024
ASA(config)#ssh version 2
ASA(config)#ssh timeout 10
ASA(config)#ssh 10.0.0.0 255.255.255.0 inside
ASA(config)#aaa authentication ssh console LOCAL
Assigning access to CONSOLE
ASA(config)#console 10.0.0.0 255.255.255.0 inside
ASA(config)#aaa authentication serial console LOCAL
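As an added example (not from the original page and not a Cisco tool), the following Python script audits a config written in the style of the commands above: it checks that the inside and outside security levels are 100 and 0, flags ssh/telnet/http management access that is not restricted to the inside interface, flags telnet as a cleartext protocol, flags an RSA modulus below 2048 bits, and flags LOCAL aaa authentication with no username line, which locks the administrator out. The config text is constructed, and its ssh-from-anywhere line is a deliberate weak setting for the audit to catch.

```python
import re

# Constructed config in the style of the commands above; the ssh-from-anywhere line is a deliberate weak setting.
CONFIG = """\
interface g1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface g0
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.0
telnet 10.0.0.0 255.255.255.0 inside
crypto key generate rsa modulus 1024
ssh 0.0.0.0 0.0.0.0 outside
aaa authentication ssh console LOCAL
"""

def parse(text):  # split interface sub-commands from global commands
    ifaces, lines, cur = {}, [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {})
        elif line.startswith(" ") and cur is not None:
            k, _, v = line.strip().partition(" ")
            cur[k] = v
        else:
            lines.append(line)
    return ifaces, lines

def audit(text):
    ifaces, lines = parse(text)
    findings = []
    levels = {d.get("nameif"): int(d["security-level"]) for d in ifaces.values() if "security-level" in d}
    if levels.get("inside") != 100 or levels.get("outside") != 0:
        findings.append("inside/outside security levels are not 100/0")
    for line in lines:
        words = line.split()
        if words and words[0] in ("ssh", "telnet", "http") and len(words) == 4:
            if words[3] != "inside":  # management reachable from a less trusted interface
                findings.append(f"{words[0]} management access allowed from {words[1]} on {words[3]}")
            if words[0] == "telnet":
                findings.append("telnet management access sends credentials in cleartext")
    m = re.search(r"rsa modulus (\d+)", text)
    if m and int(m.group(1)) < 2048:
        findings.append(f"rsa modulus {m.group(1)} is below 2048 bits")
    if any(l.startswith("aaa authentication") and l.endswith(" LOCAL") for l in lines) \
            and not any(l.startswith("username ") for l in lines):
        findings.append("LOCAL authentication without any username (lockout risk)")
    return findings
```

Running audit(CONFIG) returns four findings; a version with telnet removed, a 2048-bit modulus, ssh limited to the inside network and a username line returns none.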




This page is still a work in progress.