Understanding Firewall Design Concepts

Network Security v1.0 - Module 9

Uploaded by MostafaAboAmar

9.1 Secure Networks with Firewalls

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Secure Networks with Firewalls
Firewalls

All firewalls share some common properties:

• Firewalls are resistant to network attacks.
• Firewalls are the only transit point between internal corporate networks and
external networks because all traffic flows through the firewall.
• Firewalls enforce the access control policy.

Different types of firewalls have different benefits and limitations.
Types of Firewalls
It is important to understand the different types of firewalls and their specific capabilities
so that the right firewall is used for each situation.
• Packet Filtering (Stateless) firewalls -
  • These are usually part of a router firewall, which permits or denies traffic based
  on Layer 3 and Layer 4 information.
  • They are stateless firewalls that use a simple policy table look-up that filters
  traffic based on specific criteria.
• Stateful firewalls -
  • These are the most versatile and the most common firewall technologies in use.
  • Stateful firewalls provide stateful packet filtering by using connection information
  maintained in a state table.
  • Stateful filtering is a firewall architecture at the network layer. It also analyzes
  traffic at OSI Layer 4 and Layer 5.

Packet Filtering Firewall Benefits and Limitations
Benefits of Packet Filtering Firewalls:
• They implement simple permit or deny rule sets.
• They have a low impact on network performance.
• They are easy to implement and are supported by most routers.
• They provide an initial degree of security at the network layer.
• They perform many of the tasks of a high-end firewall at a much lower
cost.
Limitations of Packet Filtering Firewalls:
• They are susceptible to IP spoofing.
• They do not reliably filter fragmented packets.
• They use complex ACLs, which can be difficult to implement and maintain.
• They cannot dynamically filter certain services.
  • For example, sessions that use dynamic port negotiations are difficult to filter without opening access to a
  whole range of ports.
• Packet filters are stateless. They examine each packet individually rather than in the context of the state of a
connection.
Stateful Firewall Benefits and Limitations

The table lists benefits and limitations of stateful firewalls.

Benefits:
• Primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
• Strong packet filtering.
• Improved performance over packet filters.
• Defends against spoofing and DoS attacks.
• Provides more log information than a packet filtering firewall.

Limitations:
• No Application Layer inspection.
• Limited tracking of stateless protocols.
• Difficult to defend against dynamic port negotiation.
• No authentication support.

Types of Firewalls
• Application Gateway (Proxy) firewalls -
  • These filter information at Layers 3, 4, 5, and 7. Most of the firewall control and
  filtering is done in software.
  • When a client needs to access a remote server, it connects to a proxy server.
  • The proxy server connects to the remote server on behalf of the client. Therefore,
  the server only sees a connection from the proxy server.

Types of Firewalls

• Next Generation firewalls -
  • Next-generation firewalls (NGFW) go beyond stateful firewalls by providing:
    • Integrated intrusion prevention
    • Application awareness and control to see and block risky apps
    • Upgrade paths to include future information feeds
    • Techniques to address evolving security threats

9.2 Firewalls in Network Design

Firewalls in Network Design
Common Security Architectures

Firewall design is primarily about device interfaces permitting or denying traffic
based on the source, the destination, and the type of traffic.

Here are three common firewall designs:

• Private and Public
• Demilitarized Zone (DMZ)
• Zone-Based Policy

Common Security Architectures (Cont.)
Private and Public - The public network (or outside network) is untrusted, and the private network (or inside
network) is trusted.

Typically, a firewall with two interfaces is configured as follows:

• Traffic originating from the private network is permitted and inspected as it travels toward the public
network. Inspected traffic returning from the public network and associated with traffic that originated
from the private network is permitted.
• Traffic originating from the public network and traveling to the private network is generally blocked.
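The following Python model is an added illustration written for this page, not code from the Cisco module. It ties together the stateless-versus-stateful distinction from the "Types of Firewalls" and "Packet Filtering Firewall Benefits and Limitations" slides and the two-interface private/public design just described: a stateless rule table must open the whole ephemeral port range to let replies back in, which also admits unsolicited inbound packets, while a stateful firewall permits only the return direction of a connection it recorded in its state table. The Packet class, the helper names (stateless_filter, StatefulFirewall, compare), the addresses and the packet trace are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed values for this illustration (not from the module).
INSIDE_NET = "10.0.0."     # trusted private network behind the "inside" interface
EPHEMERAL_MIN = 1024       # client reply ports a stateless ACL has to open wholesale


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


def stateless_filter(pkt: Packet) -> str:
    """Packet-filtering (stateless) rule table: every packet is judged on its own."""
    # Rule 1: anything sourced from the private network may leave.
    if pkt.iface == "inside" and pkt.src.startswith(INSIDE_NET):
        return "permit"
    # Rule 2: replies come back to the client's ephemeral port, but the ACL has
    # no memory of which ports are in use, so it must open the whole range.
    # The same rule also admits unsolicited packets to any high port.
    if pkt.iface == "outside" and pkt.dport >= EPHEMERAL_MIN:
        return "permit"
    return "deny"


class StatefulFirewall:
    """Stateful filter: keeps a state table of connections opened from inside."""

    def __init__(self) -> None:
        # state table entries: (client_ip, client_port, server_ip, server_port)
        self.state: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.iface == "inside" and pkt.src.startswith(INSIDE_NET):
            if pkt.flags == "S":       # new outbound connection: record it
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if pkt.iface == "outside":
            # Permit only the reverse direction of a connection already tracked.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return "permit"
        return "deny"


# Constructed packet trace: one legitimate outbound HTTPS session, then two
# unsolicited inbound connection attempts from the public network.
SAMPLE_TRACE = [
    Packet("inside",  "10.0.0.5",     40000, "203.0.113.10", 443,   "S"),
    Packet("outside", "203.0.113.10", 443,   "10.0.0.5",     40000, "SA"),
    Packet("outside", "198.51.100.7", 6666,  "10.0.0.5",     3389,  "S"),
    Packet("outside", "198.51.100.7", 6666,  "10.0.0.5",     22,    "S"),
]


def compare(trace=SAMPLE_TRACE) -> list[tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(SAMPLE_TRACE, compare()):
        print(f"{pkt.iface:7} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags:2}]  stateless={sl:6}  stateful={sf}")
```

Running the trace shows the third packet (an unsolicited connection attempt to port 3389 on an inside host) slipping through the stateless table because 3389 falls in the range the reply rule had to open, while the stateful firewall denies it for lack of a matching state entry; the fourth packet (port 22) is denied by both.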

Common Security Architectures (Cont.)
Demilitarized Zone (DMZ) - This is a firewall design where there is typically one inside interface connected to the
private network, one outside interface connected to the public network, and one DMZ interface.

Common Security Architectures
Zone-Based Policy - Zone-based policy firewalls (ZPFs) use the concept of zones to provide additional flexibility.
A zone is a group of one or more interfaces that have similar functions or features. Zones help you specify where
a Cisco IOS firewall rule or policy should be applied.

• In the figure, security policies for LAN 1 and LAN 2 are similar and can be grouped into a
zone for firewall configurations.
• By default, the traffic between interfaces in the same zone is not subject to any policy
and passes freely.
• However, all zone-to-zone traffic is blocked.
• In order to permit traffic between zones, a policy allowing or inspecting traffic must be
configured.
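As an added illustration (not code from the Cisco module, and not a Cisco IOS configuration), the Python below models the zone-based policy rules just listed together with the three-interface DMZ design from the previous slide: LAN1 and LAN2 share an inside zone so traffic between them passes without any policy, every zone-to-zone flow is dropped unless a zone-pair policy exists, "inspect" records a session so the reply can return without a reverse zone pair, and the public network can reach only the web ports on the DMZ. The zone names, interface names, addresses, the ZONE_PAIRS policy table, the ZonePolicyFirewall class and the scenario are all constructed for the example; it also assumes the egress interface has already been chosen by routing.

```python
# Constructed zone and policy definitions for this illustration (not from the module).
ZONES = {
    "inside":  ["LAN1", "LAN2"],   # LAN 1 and LAN 2 share one policy, so share one zone
    "dmz":     ["DMZ"],
    "outside": ["WAN"],
}

# Zone-pair policies: (source zone, destination zone) -> (action, permitted destination ports).
# None for ports means any service.  Pairs that are absent get the default: drop.
ZONE_PAIRS = {
    ("inside", "outside"): ("inspect", None),       # users out to the Internet, replies tracked
    ("inside", "dmz"):     ("inspect", None),
    ("outside", "dmz"):    ("pass",    {80, 443}),  # public may reach the DMZ web service only
}


def zone_of(iface: str) -> str:
    """Map an interface name to its zone; an interface in no zone is a configuration error."""
    for zone, members in ZONES.items():
        if iface in members:
            return zone
    raise ValueError(f"interface {iface!r} is not a member of any zone")


class ZonePolicyFirewall:
    """Minimal zone-based policy firewall model."""

    def __init__(self) -> None:
        # sessions created by an 'inspect' action: (src_ip, src_port, dst_ip, dst_port)
        self.sessions: set[tuple[str, int, str, int]] = set()

    def filter(self, in_iface, out_iface, src, sport, dst, dport) -> str:
        # Assumption: out_iface is already known from the routing lookup.
        src_zone, dst_zone = zone_of(in_iface), zone_of(out_iface)
        if src_zone == dst_zone:
            return "pass"            # intra-zone traffic is not subject to any policy
        if (dst, dport, src, sport) in self.sessions:
            return "pass"            # return traffic of an inspected session
        policy = ZONE_PAIRS.get((src_zone, dst_zone))
        if policy is None:
            return "drop"            # no zone-pair policy: zone-to-zone traffic is blocked
        action, ports = policy
        if ports is not None and dport not in ports:
            return "drop"            # zone pair exists, but this service is not permitted
        if action == "inspect":
            self.sessions.add((src, sport, dst, dport))
        return action


# Constructed scenario: (in_iface, out_iface, src, sport, dst, dport)
SCENARIO = [
    ("LAN1", "LAN2", "10.1.0.5",     40000, "10.2.0.9",     445),    # host to host, same zone
    ("LAN1", "WAN",  "10.1.0.5",     40001, "203.0.113.10", 443),    # user to the Internet
    ("WAN",  "LAN1", "203.0.113.10", 443,   "10.1.0.5",     40001),  # the reply to that session
    ("WAN",  "DMZ",  "198.51.100.7", 50000, "192.0.2.8",    443),    # public to DMZ web server
    ("WAN",  "DMZ",  "198.51.100.7", 50001, "192.0.2.8",    22),     # public to DMZ SSH
    ("WAN",  "LAN1", "198.51.100.7", 50002, "10.1.0.5",     3389),   # unsolicited inbound
    ("DMZ",  "LAN1", "192.0.2.8",    1111,  "10.1.0.5",     445),    # DMZ toward inside
]


def run_scenario(scenario=SCENARIO) -> list[str]:
    """Apply the zone policy to each flow in order and return the verdicts."""
    fw = ZonePolicyFirewall()
    return [fw.filter(*flow) for flow in scenario]


if __name__ == "__main__":
    for flow, verdict in zip(SCENARIO, run_scenario()):
        print(f"{flow[0]:4} -> {flow[1]:4}  {flow[2]}:{flow[3]} -> {flow[4]}:{flow[5]}  {verdict}")
```

The last flow is the one worth noticing in a DMZ design: because no dmz-to-inside zone pair is configured, a host in the DMZ cannot initiate traffic toward the private network, so a compromised public-facing server gains no path inward by default.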

Layered Defense
A layered defense uses different types of firewalls that are combined in layers to add depth to the
security of an organization. Policies can be enforced between the layers and inside the layers. The
following example shows four layers of security.

1. Network Core security - Protects against malicious software and traffic anomalies,
enforces network policies, and ensures survivability
2. Perimeter security - Secures boundaries between zones
3. Communications security - Provides information assurance
4. Endpoint security - Provides identity and device security policy compliance

Layered Defense (Cont.)
This partial list of best practices can serve as a starting point for a firewall security policy:

• Position firewalls at security boundaries. Firewalls are a critical part of network security, but it is
unwise to rely exclusively on a firewall for security.
• Deny all traffic by default.
• Permit only services that are needed.
• Ensure that physical access to the firewall is controlled.
• Regularly monitor firewall logs.
• Practice change management for firewall configuration changes.
• Remember that firewalls primarily protect from technical attacks originating from the outside.

Packet Tracer - Identify Packet Flow

In this Packet Tracer activity, you will observe packet flow in a LAN and WAN topology. You will also
observe how the packet flow path may change when there is a change in the network topology.

9.3 Firewall Technologies Summary

Firewall Technologies Summary
What Did I Learn in this Module?

• Packet filtering (stateless) firewalls provide Layer 3 and sometimes Layer 4 filtering.
• A stateful inspection firewall allows or blocks traffic based on state, port, and protocol.
• Application gateway firewalls (proxy firewall) filter information at Layers 3, 4, 5, and 7.
• Next-generation firewalls provide additional services beyond application gateways, such as integrated
intrusion prevention, application awareness, and techniques to address evolving security threats.
• Some firewall designs are as simple as designating an outside network and inside network which are
determined by two interfaces on a firewall.
• Networks that require public access to services will often include a DMZ that the public can access, while
strictly blocking access to the inside network.
• ZPFs use the concept of zones to provide additional flexibility.
• A layered security approach uses firewalls and other security measures to provide security at different
functional layers of the network.

Firewall Technologies
New Terms and Commands
• firewall
• packet filtering (stateless) firewall
• stateful firewall
• application gateway (proxy) firewall
• next generation firewall
• Zone-Based Policy firewall (ZPF)
• layered defense
