Lesson 8 - Firewalls


Lesson 8

Firewall
Outline
1. What is an intrusion?

2. Port security

3. DHCP snooping

4. WiFi Security

5. What are firewalls?

6. Types of Firewalls

7. Labs.
What is an intrusion?
● An intrusion can be defined as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
● In the context of information systems, intrusion refers to any unauthorized access, unauthorized attempt to access or damage, or malicious use of information resources.
Port Security
● Secured ports restrict a port to a user-defined group of stations.

Port Security
● Settings:
Interface: the port to secure.
Security: enable port security on the port.
Trap: issue a trap when an address-security violation occurs.
Shutdown Port: disable the port when an address-security violation occurs.

Port Security
● Commands:

SW(config)#interface Fa0/1
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security maximum 1
SW(config-if)#switchport port-security mac-address {H.H.H | sticky}
SW(config-if)#switchport port-security violation shutdown

SW(config)#errdisable detect cause all
SW(config)#errdisable recovery cause all
SW(config)#errdisable recovery interval 30
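The following Python simulation is an added example, not Cisco IOS code and not part of the lesson. It models what the commands above configure on a single access port: one secure MAC address (maximum 1), learning the first address seen (sticky), violation mode shutdown, and errdisable recovery after 30 seconds. The port name, MAC addresses and timestamps are constructed sample data.

```python
"""Simulation of switch port security (added example; not Cisco IOS code).

Models: maximum 1 secure MAC per access port, sticky learning of the first
address seen, violation mode shutdown, errdisable recovery interval 30 s.
The frames and timestamps in run_scenario() are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SecuredPort:
    name: str
    maximum: int = 1                  # switchport port-security maximum 1
    recovery_interval: float = 30.0   # errdisable recovery interval 30 (seconds)
    allowed: Set[str] = field(default_factory=set)   # secure (sticky) MAC addresses
    err_disabled_at: Optional[float] = None          # time the port was shut down
    violations: int = 0

    def is_err_disabled(self) -> bool:
        return self.err_disabled_at is not None

    def recover(self, now: float) -> bool:
        """errdisable recovery: bring the port back once the interval has elapsed."""
        if self.is_err_disabled() and now - self.err_disabled_at >= self.recovery_interval:
            self.err_disabled_at = None
            return True
        return False

    def ingress(self, src_mac: str, now: float) -> str:
        """Handle one incoming frame: returns 'forward', 'shutdown' or 'dropped'."""
        self.recover(now)
        if self.is_err_disabled():
            return "dropped"           # port is down until recovery; nothing passes
        mac = src_mac.lower()
        if mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.maximum:
            self.allowed.add(mac)      # sticky: the first address seen becomes the secure MAC
            return "forward"
        # address-security violation with mode shutdown: err-disable the port
        self.violations += 1
        self.err_disabled_at = now
        return "shutdown"


def run_scenario() -> List[str]:
    """Constructed sequence: a legitimate host, then a second MAC on the same port."""
    port = SecuredPort("Fa0/1")
    frames = [
        ("00:11:22:33:44:55", 0.0),   # legitimate host, learned as the sticky MAC
        ("00:11:22:33:44:55", 1.0),   # same host again: forwarded
        ("de:ad:be:ef:00:01", 2.0),   # second MAC on a maximum-1 port: violation
        ("00:11:22:33:44:55", 10.0),  # port is err-disabled; even the real host waits
        ("00:11:22:33:44:55", 33.0),  # 30 s after the shutdown the port recovers
    ]
    return [port.ingress(mac, t) for mac, t in frames]


if __name__ == "__main__":
    print(run_scenario())
```

Note the fourth frame: with violation mode shutdown the legitimate host loses connectivity too until the errdisable recovery timer expires, which is why the recovery interval matters for the lab.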
Lab 1: Port Security
DHCP Snooping
[Diagram: sample network with a DMZ (Web Server, E-Mail Server), Firewall, Gateway Router R1 to the Internet, CoreSW, internal servers (DHCP Server, DNS Server) and a VPN client]

● To prevent a man-in-the-middle attack on our network.
● Fake DHCP servers can respond to DHCPDISCOVER messages before the real server has time to respond.
● DHCP snooping allows switches on the network to trust the port a DHCP server is connected to (this could be a trunk) and not trust the other ports.
DHCP Snooping
● Commands:

SW(config)#ip dhcp snooping
SW(config)#ip dhcp snooping vlan 1
SW(config)#interface Fa0/1          ! port connected to the real DHCP server
SW(config-if)#ip dhcp snooping trust
SW(config-if)#ip dhcp snooping limit rate 25

Verify the configuration:

SW#show ip dhcp snooping
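The following Python simulation is an added example, not Cisco IOS code and not part of the lesson. It models the behaviour the commands above enable: snooping on VLAN 1, Fa0/1 trusted (the port facing the real DHCP server), every other port untrusted, and a limit of 25 DHCP packets per second per port. Server replies (OFFER/ACK/NAK) arriving on untrusted ports are discarded, a binding table is built from acknowledged leases, and a port that exceeds the rate limit is err-disabled. Port names, MAC addresses, IP addresses and timestamps are constructed sample data.

```python
"""Simulation of DHCP snooping on a switch (added example; not Cisco IOS code).

Models: snooping on VLAN 1, trusted port Fa0/1, untrusted everything else,
25 DHCP packets/second/port. All packets in run_scenario() are constructed.
"""
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only a DHCP server should send these


class DhcpSnoopingSwitch:
    def __init__(self, vlan: int, trusted_ports: Set[str], rate_limit: int = 25):
        self.vlan = vlan                                  # ip dhcp snooping vlan 1
        self.trusted = set(trusted_ports)                 # ip dhcp snooping trust
        self.rate_limit = rate_limit                      # ip dhcp snooping limit rate 25
        self.err_disabled: Set[str] = set()
        self.bindings: Dict[str, Tuple[str, str]] = {}    # client MAC -> (leased IP, client port)
        self._client_port: Dict[str, str] = {}            # port each client was last heard on
        self._counts = defaultdict(int)                   # (port, whole second) -> packet count

    def process(self, port: str, vlan: int, msg: str, mac: str,
                ip: Optional[str], t: float) -> str:
        """Handle one DHCP packet seen on `port`; returns the switch's decision."""
        if vlan != self.vlan:
            return "forward"             # snooping is not enabled on this VLAN
        if port in self.err_disabled:
            return "dropped"
        key = (port, int(t))
        self._counts[key] += 1
        if self._counts[key] > self.rate_limit:
            self.err_disabled.add(port)  # rate-limit violation shuts the port down
            return "err-disabled"
        if msg in SERVER_MESSAGES:
            if port not in self.trusted:
                return "dropped"         # rogue DHCP server reply on an untrusted port
            if msg == "DHCPACK" and mac in self._client_port and ip:
                self.bindings[mac] = (ip, self._client_port[mac])   # binding table entry
            return "forward"
        self._client_port[mac] = port    # DISCOVER/REQUEST from a client
        return "forward"


def run_scenario() -> Dict[str, object]:
    """Constructed exchange: real server on Fa0/1, rogue server on Fa0/7, flood on Fa0/9."""
    sw = DhcpSnoopingSwitch(vlan=1, trusted_ports={"Fa0/1"})
    client = "aa:bb:cc:dd:ee:01"
    exchange = [
        sw.process("Fa0/5", 1, "DHCPDISCOVER", client, None, 0.0),        # client asks
        sw.process("Fa0/7", 1, "DHCPOFFER", client, "10.0.0.66", 0.1),    # rogue server: dropped
        sw.process("Fa0/1", 1, "DHCPOFFER", client, "10.0.0.20", 0.2),    # real server: forwarded
        sw.process("Fa0/5", 1, "DHCPREQUEST", client, "10.0.0.20", 0.3),
        sw.process("Fa0/1", 1, "DHCPACK", client, "10.0.0.20", 0.4),      # lease recorded
    ]
    # 26 DISCOVERs within one second from a single untrusted port
    flood = [sw.process("Fa0/9", 1, "DHCPDISCOVER", "cc:cc:cc:cc:cc:%02x" % i, None, 5.0 + i / 100)
             for i in range(26)]
    return {"exchange": exchange, "flood": flood,
            "bindings": dict(sw.bindings), "err_disabled": set(sw.err_disabled)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_scenario())
```

The binding table ties the leased address to the port the client spoke on, not the port the server reply arrived on; that table is what a switch can later use to validate the addresses hosts claim.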


Lab 2. DHCP Snooping
A Brief History of Wi-Fi Standards
Wireless Security Overview

● Concerns for wireless security are similar to those found in a wired environment.
● Security requirements are the same:
  ○ confidentiality, integrity, availability, authenticity, accountability
  ○ the most significant source of risk is the underlying communications medium

Wireless Network Threats
● identity theft (MAC spoofing)
● man-in-the-middle attacks
● denial of service (DoS)
Securing Wireless Transmissions
● Principal threats are eavesdropping, altering or inserting messages, and disruption.
● Countermeasures for eavesdropping:
  ○ signal-hiding techniques
  ○ encryption
● The use of encryption and authentication protocols is the standard method of countering attempts to alter or insert transmissions.
Securing Wireless Networks

● The main threat involving wireless access points is unauthorized access to the network.
● The principal approach for preventing such access is the IEEE 802.1X standard for port-based network access control.
  ○ Provides an authentication mechanism for devices wishing to attach to a LAN or wireless network.
● Use of 802.1X can prevent rogue access points and other unauthorized devices from becoming insecure backdoors.
Wireless Security Techniques

● use encryption
● allow only specific computers to access your wireless network
● use anti-virus and anti-spyware software and a firewall
● change your router's pre-set password for administration
● change the identifier on your router from the default
● turn off identifier broadcasting
MAC Address filtering
● A method of limiting/controlling WLAN access.
● Media Access Control (MAC) address filtering
  ○ Used by nearly all wireless AP vendors
  ○ Permits or blocks devices based on MAC address

Wi-Fi Protected Access 2 (WPA2)

● Introduced in 2004
● Uses AES
● Supports both PSK (personal) and 802.1X (enterprise) authentication

WPA3

● WPA3 promises to improve security over WPA2 in multiple ways.
Firewalls

● A part of a computer system or network designed to stop unauthorized traffic flowing from one network to another.
● Separates trusted and untrusted components of a network.
● Differentiates networks within a trusted network.
● Main functionalities are filtering data, redirecting traffic and protecting against network attacks.
Requirements of a firewall

● All traffic between trust zones should pass through the firewall.
● Only authorized traffic, as defined by the security policy, should be allowed to pass through.
● The firewall itself must be immune to penetration, which implies using a hardened system with a secured operating system.
Firewall Policy
● User control: controls access to data based on the role of the user who is attempting to access it. Applied to users inside the firewall perimeter.
● Service control: controls access by the type of service offered by the host. Applied on the basis of network address, connection protocol and port numbers.
● Direction control: determines the direction in which requests may be initiated and are allowed to flow through the firewall. It tells whether the traffic is "inbound" (from the network to the firewall) or "outbound" (the reverse).
Firewall actions
Accepted: allowed to enter the connected network/host through the firewall.

Denied: not permitted to enter the other side of the firewall.

Rejected: similar to "Denied", but the source is told about this decision through an ICMP packet.

Ingress filtering: inspects incoming traffic to safeguard an internal network and prevent attacks from outside.

Egress filtering: inspects outgoing network traffic and prevents users in the internal network from reaching the outside network, for example blocking social networking sites in a school.
Types of filters
Depending on the mode of operation, there are three types of firewalls:

● Packet Filter Firewall
● Stateful Firewall
● Application/Proxy Firewall
Packet Filter Firewall
● Controls traffic based on the information in packet headers, without looking into the payload that contains application data.
● Doesn't pay attention to whether the packet is part of an existing stream or traffic.
● Doesn't maintain state about packets. Also called a stateless firewall.

Stateful Firewall
● Tracks the state of traffic by monitoring all the connection interactions until the connection is closed.
● A connection state table is maintained to understand the context of packets.
● Example: connections are only allowed through the ports that hold open connections.

Application/Proxy Firewall
● Controls input, output and access from/to an application or service.
● Acts as an intermediary by impersonating the intended recipient.
● The client's connection terminates at the proxy and a separate connection is initiated from the proxy to the destination host.
● Data on the connection is analyzed up to the application layer to determine if the packet should be allowed or rejected.
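The following Python example is added here and is not part of the lesson; it puts a packet filter (stateless) next to a stateful filter so the difference in the two slides above is visible on concrete packets. The rules use the service-control fields from the Firewall Policy slide (protocol and port), its direction control (inbound/outbound) and the three actions from the Firewall actions slide: accept, deny (silent drop) and reject (drop plus an ICMP notice to the source). The rule set, the addresses and the packets are constructed sample data.

```python
"""Stateless packet filter beside a stateful filter (added example; not from the lesson).

Rules: direction + protocol + destination port -> accept/deny/reject.
The stateless filter sees only header fields; the stateful one keeps a
connection table. All packets in compare() are constructed sample traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (towards the internal network) or "outbound"
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept", "deny" or "reject"
    need_flags: str = ""   # stateless approximation of "established": these flags must be set


def stateless_filter(rules: List[Rule], pkt: Packet) -> str:
    """Packet filter: first matching rule wins, judged from header fields only."""
    for r in rules:
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and (r.dport is None or r.dport == pkt.dport)
                and all(f in pkt.flags for f in r.need_flags)):
            return r.action
    return "deny"              # default policy: deny what no rule allows


class StatefulFilter:
    """Keeps a connection table; replies pass only for connections it saw being opened."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "accept"        # belongs to a tracked connection
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "deny"          # mid-stream packet with no known connection
        action = stateless_filter(self.rules, pkt)
        if action == "accept":
            self.table.add(key)    # a new connection enters the state table
        return action


def notify_source(action: str) -> Optional[str]:
    """Only 'reject' tells the sender what happened; 'deny' stays silent."""
    return "icmp destination-unreachable" if action == "reject" else None


RULES = [
    Rule("outbound", "tcp", None, "accept"),       # internal users may open connections
    Rule("inbound", "tcp", 80, "accept"),          # public web service
    Rule("inbound", "tcp", 23, "reject"),          # telnet: refuse and say so
    Rule("inbound", "tcp", None, "accept", "A"),   # stateless "established" rule: any ACK passes
]


def compare() -> List[Tuple[str, str]]:
    """Same packets through both filters: (stateless decision, stateful decision)."""
    stateful = StatefulFilter(RULES)
    packets = [
        Packet("outbound", "tcp", "10.0.0.5", 40000, "203.0.113.9", 443, "S"),      # user opens HTTPS
        Packet("inbound", "tcp", "203.0.113.9", 443, "10.0.0.5", 40000, "SA"),      # genuine reply
        Packet("inbound", "tcp", "198.51.100.7", 1234, "10.0.0.5", 22, "A"),        # stray ACK, no connection
        Packet("inbound", "tcp", "198.51.100.7", 1235, "10.0.0.5", 23, "S"),        # telnet attempt
        Packet("inbound", "tcp", "198.51.100.7", 1236, "192.168.100.111", 80, "S"), # to the web server
    ]
    return [(stateless_filter(RULES, p), stateful.filter(p)) for p in packets]


if __name__ == "__main__":
    for decision in compare():
        print(decision)
```

The third packet is the point of the comparison: a packet filter that admits "established" traffic by looking at the ACK flag lets through an ACK for a connection that never existed, while the stateful filter denies it because nothing in its table matches.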
Lab. FW

[Diagram: lab topology. Inside network 10.10.10.0/24 between the Firewall (.1) and CoreSW (.2); behind CoreSW, Building 1 zone 172.16.0.0/16 (Interface VLAN 10 to 16: 172.16.10.1/24 to 172.16.16.1/24) with Acc-SW1, Acc-SW2 and Acc-SW3, Building 2 zone 172.20.0.0/16 (Interface VLAN 20 to 26: 172.20.20.1/24 to 172.20.26.1/24) with Acc-SW4, Acc-SW5 and Acc-SW6, Server-SW1 on 10.50.50.0/24 with the internal servers (DHCP Server, DNS Server); access switches are trunked to CoreSW and the campus runs OSPF Areas 0, 1 and 2. DMZ 192.168.100.0/24 with Web Server .111 and E-Mail Server .222. Firewall to Gateway Router R1 on 192.168.200.0/24; R1 to ISP on 203.1.1.4/30; 204.1.1.0/24 on the Internet side with a web server and a VPN client.]

Static routing
Internet pool: 5.5.5.32/29
Web server: 192.168.100.111 – 5.5.5.33
Mail Server: 192.168.100.222 – 5.5.5.34

Configuring FW
Inside, Outside, DMZ

Step 1. Configure interfaces:
ASA(config)#interface Gi1/1
ASA(config-if)#nameif inside
ASA(config-if)#security-level 100
…..

Step 2. Routing:
ASA(config)#route inside 172.16.0.0 255.255.0.0 10.10.10.2

Step 3. Rules:
ASA(config)#access-list allow-all permit ip any any
ASA(config)#access-group allow-all in interface inside
ASA(config)#access-group allow-all in interface outside
ASA(config)#access-group allow-all in interface dmz
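The following Python model is an added example, not Cisco code and not part of the lab. It shows what the three steps above decide for a few flows and how the allow-all access-group changes the outcome. It assumes three interfaces, inside at security-level 100 as in Step 1 and, as assumptions the lab does not state, dmz at 50 and outside at 0. The behaviour modelled is the ASA default: with no access-group on the ingress interface, traffic may go from a higher security level to a lower one and is denied the other way; once an access-group is applied inbound on an interface, only what that ACL permits enters through it, with an implicit deny at the end. NAT from the Internet pool is left out, so DMZ hosts appear by their 192.168.100.x addresses; the flows and the tighter policy are constructed.

```python
"""Simplified model of ASA interface security levels (added example; not Cisco code).

Assumptions: inside=100 (from the lab), dmz=50 and outside=0 (assumed).
Default behaviour: higher level -> lower level allowed, reverse denied; an
inbound access-group on an interface replaces that default with its ACL.
NAT is ignored. All flows are constructed sample traffic.
"""
import ipaddress
from typing import Dict, List, Tuple

LEVELS = {"inside": 100, "dmz": 50, "outside": 0}
Acl = List[Tuple[str, str, str]]        # (permit|deny, source network, destination network)


def _matches(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def permitted(src_if: str, dst_if: str, src_ip: str, dst_ip: str,
              access_groups: Dict[str, Acl]) -> bool:
    """Would a packet entering src_if and leaving dst_if be allowed under this policy?"""
    acl = access_groups.get(src_if)
    if acl is None:
        return LEVELS[src_if] > LEVELS[dst_if]      # default: high -> low only
    for action, src_net, dst_net in acl:            # first match wins
        if _matches(src_net, src_ip) and _matches(dst_net, dst_ip):
            return action == "permit"
    return False                                    # implicit deny at the end of the ACL


ALLOW_ALL: Acl = [("permit", "any", "any")]        # access-list allow-all permit ip any any
LAB_POLICY = {"inside": ALLOW_ALL, "outside": ALLOW_ALL, "dmz": ALLOW_ALL}   # Step 3 as written
# Assumed tighter policy: only the two published DMZ servers are reachable from outside.
TIGHTER_POLICY = {"outside": [("permit", "any", "192.168.100.111/32"),
                              ("permit", "any", "192.168.100.222/32")]}

FLOWS = [
    ("inside", "outside", "172.16.10.20", "203.0.113.9"),    # Building 1 host browsing out
    ("outside", "dmz", "203.0.113.9", "192.168.100.111"),    # Internet -> DMZ web server
    ("outside", "inside", "203.0.113.9", "172.16.10.20"),    # Internet -> internal host
    ("dmz", "inside", "192.168.100.111", "10.50.50.100"),    # DMZ host -> internal server
]


def evaluate(policy: Dict[str, Acl]) -> List[bool]:
    """Decision for each flow in FLOWS under the given access-groups."""
    return [permitted(s, d, sip, dip, policy) for s, d, sip, dip in FLOWS]


def compare() -> Dict[str, List[bool]]:
    return {
        "default": evaluate({}),              # Steps 1 and 2 only, no access-groups
        "lab_allow_all": evaluate(LAB_POLICY),
        "tighter": evaluate(TIGHTER_POLICY),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
```

Under the lab's allow-all policy every flow is permitted, including Internet to the inside zone, which is the point to check when moving on from this lab: the security levels only protect the inside network while no access-group on the outside interface overrides them, or while the ACL on that interface permits just the published DMZ services.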
