CCNA Security 640-554 Quick Reference: Cisco IOS Firewalls
Firewall Fundamentals
The firewall should
- Be resistant to attacks.
- Be the only transit point.
- Enforce the access control policy of the organization.
Static Packet-Filtering Firewalls
These work at Layers 3 and 4, examining packets one at a time and are implemented on a Cisco router using access control lists (ACL).
Advantages of these firewalls include the following:
- Based on simple permit and deny sets
- Low impact on network performance
- Easy to implement
- Supported on most routers
- Initial security at a low network layer
- Perform most of what high-end firewalls do at a lower cost
Disadvantages of these firewalls include the following:
- Susceptible to IP spoofing.
- Packet filters do not filter fragmented packets well.
- Complex ACLs are difficult to implement and maintain correctly.
- Packet filters cannot dynamically filter certain services.
- Packet filters are stateless; they do not maintain any state information for added protection.
Application Layer Gateways
Application layer firewalls (also called proxy firewalls or application gateways) operate at Layers 3, 4, 5, and 7 of the OSI model. Proxy services are specific to the protocol that they are designed to forward and can provide increased access control, provide careful detailed checks for valid data, and generate audit records about the traffic they transfer. Sometimes, application layer firewalls support only a limited number of applications.
Application layer firewalls offer advantages:
- Authenticate individuals, not devices
- Make it harder for hackers to spoof and implement denial-of-service (DoS) attacks
- Can monitor and filter application data
- Can provide detailed logging
The disadvantages are as follows:
- Process packets in software
- Support a small number of applications
- Sometimes require special client software
- Are memory- and disk-intensive
Dynamic or Stateful Packet-Filtering Firewalls
Stateful inspection is a firewall architecture classified at the network layer; although, for some applications it can analyze traffic at Layers 4 and 5, too.
Unlike static packet filtering, stateful inspection tracks each connection traversing all interfaces of the firewall and confirms that they are valid. Stateful packet filtering maintains a state table and allows modification to the security rules dynamically. The state table is part of the internal structure of the firewall. It tracks all sessions and inspects all packets passing through the firewall.
Although this is the primary Cisco Firewall technology, it has some limitations:
- Cannot prevent application layer attacks.
- Not all protocols are stateful.
- Some applications open multiple connections.
- Does not support user authentication.
Other Types
Application inspection firewalls ensure the security of applications and services. Advantages include the following:
- Are aware of the state of Layer 4 and Layer 5 connections
- Check the conformity of application commands at Layer 5
- Can and affect Layer 7
- Can prevent more kinds of attacks than stateful firewalls can
Transparent firewalls (Cisco PIX and Cisco Adaptive Security Appliance Software Version 7.0) can deploy a security appliance in a secure bridging mode as a Layer 2 device to provide security services at Layer 2 through Layer 7.
Cisco Firewall Family
Cisco IOS Firewall features follow:
- Zone-based policy framework for intuitive policy management
- Application firewalling for web, e-mail, and other traffic
- Instant messenger and peer-to-peer application filtering
- VoIP protocol firewalling
- Virtual routing and forwarding (VRF) firewalling
- Wireless integration
- Stateful failover
- Local URL whitelist and blacklist support; remote server support, through Websense or SmartFilter
Cisco PIX 500 Series Security Appliance features follow:
- Advanced application-aware firewall services
- Market-leading VoIP and multimedia security
- Robust site-to-site and remote-access IP security (IPsec) VPN connectivity
- Award-winning resiliency
- Intelligent networking services
- Flexible management solutions
Cisco ASA 5500 Series Adaptive Security Appliance features follow:
- World-class firewall
- Voice and video security
- SSL and IPsec VPN
- IPS
- Content security
- Modular devices
- High scalability
Best Practices
Firewall best practices include the following:
- Position firewalls at key security boundaries.
- Firewalls are the primary security device, but it is unwise to rely exclusively on a firewall for security.
- Deny all traffic by default and permit only services that are needed.
- Ensure that physical access to the firewall is controlled.
- Regularly monitor firewall logs. Cisco Security Monitoring, Analysis, and Response System (MARS) is especially useful in monitoring firewall logs.
- Practice change management.
- Remember that firewalls primarily protect from technical attacks originating from the outside.