
Lecture CCNA security partner - Chapter 9: Firewall Fundamentals and Network Address Translation


Firewall Fundamentals and Network Address Translation

© 2012 Cisco and/or its affiliates. All rights reserved.



Ethics
• The information security profession has a number of formalized codes:
  • International Information Systems Security Certification Consortium, Inc. (ISC)2 Code of Ethics
  • Computer Ethics Institute (CEI)
  • Internet Activities Board (IAB)
  • Generally Accepted System Security Principles (GASSP)




Contents
This chapter teaches firewall concepts, technologies, and design
principles. At the end of this chapter, you will be able to do the following:
• Explain the operations of the different types of firewall technologies
• Describe firewall technologies that historically have played, and still play,
a role in network access control and security architectures
• Introduce and describe the function and building blocks of Network
Address Translation
• List design considerations for firewall deployment
• Describe guidelines for firewall ruleset creation



Introducing Firewall Technologies
• A firewall protects network devices from intentional, hostile intrusions
that could threaten information assurance (availability, confidentiality,
and integrity) or lead to a denial-of-service (DoS) attack.
• A firewall can protect a hardware device or a software program running
on a secure host computer.
• This chapter introduces the firewall technologies that Cisco uses in
routers and security appliances.



Firewall Fundamentals
A firewall is a pair of mechanisms that perform these two separate
functions, which are set by policies:
• One mechanism blocks bad traffic.
• The second mechanism permits good traffic.

Firewall: Enforcing Access Control



Common properties
• Must be resistant to attacks
• Must be the only transit point between networks
• Enforces the access control policy of an organization
A firewall is a protective measure against the following:
• Exposure of sensitive hosts and applications to untrusted users
• Exploitation of protocol flaws
• Malicious data




Firewalls in a Layered Defense Strategy



Static Packet-Filtering Firewalls

How Static Packet Filters Map to the OSI Model


Static Packet Filter in Action



Application Layer Gateways




Application layer firewalls
Application layer firewalls provide several advantages:
• Application layer firewalls authenticate individuals, not devices
• Application layer firewalls make it harder for hackers to spoof and
implement DoS attacks
• Application layer firewalls can monitor and filter application data
• Application layer firewalls can provide detailed logging



Proxy Server Communication Process



Dynamic or Stateful Packet-Filtering Firewalls



Stateful Packet Filtering




Advanced
Stateful packet-filtering firewalls are good to use for the following
applications:
• As a primary means of defense
• As an intelligent first line of defense
• As a means of strengthening packet filtering
• To improve routing performance
• As a defense against spoofing and DoS attacks



Limited
Stateful firewalls have the following limitations:
• Stateful firewalls cannot prevent application layer attacks
• Not all protocols have a state
• Some applications open multiple connections
• Stateful firewalls do not authenticate users by default
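The difference between the static packet filter and the stateful filter described on the preceding slides, as an added Python simulation (not code from the Cisco material): the static filter judges each packet by its own headers and lets any inbound segment with the ACK bit set through, while the stateful filter admits inbound traffic only when it matches a connection an inside host opened. The addresses, ports and allowed-port policy are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    inbound: bool = False   # True when the packet arrives on the outside interface

ALLOWED_OUT_PORTS = {80, 443}   # constructed policy: inside hosts may only open web connections

def static_filter(pkt):
    """Static packet filter: every packet is judged on its own headers.
    Inbound TCP is allowed only when the ACK bit is set, the classic way a
    static ACL approximates 'established' connections."""
    if not pkt.inbound:
        return pkt.dport in ALLOWED_OUT_PORTS
    return pkt.ack

class StatefulFilter:
    """Stateful packet filter: remembers connections the inside opened and
    admits inbound packets only when they belong to one of them."""
    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt):
        if not pkt.inbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and pkt.dport in ALLOWED_OUT_PORTS:
                self.table.add(key)          # new outbound connection recorded
                return True
            return key in self.table         # later packets of a known flow
        # inbound: reverse the tuple and require a matching state entry
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def run_demo():
    """Run both filters over three constructed packets; returns name -> (static, stateful)."""
    fw = StatefulFilter()
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True, inbound=True)
    # inbound segment with ACK set but no connection behind it
    forged = Packet("198.51.100.7", 443, "10.0.0.5", 22, ack=True, inbound=True)
    results = {}
    for name, pkt in (("syn", syn), ("reply", reply), ("forged", forged)):
        results[name] = (static_filter(pkt), fw.check(pkt))
    return results   # {'syn': (True, True), 'reply': (True, True), 'forged': (True, False)}
```

The third packet is the case the slides call out: the static filter passes it because the ACK bit alone satisfies its rule, whereas the stateful filter drops it for lack of a matching connection entry.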




Other Types of Firewalls
• Application Inspection Firewalls, aka Deep Packet Inspection
• An application inspection firewall behaves in different ways according to
each layer:
  • Transport layer mechanism
  • Application layer mechanism

There are several advantages of an application inspection firewall:
• Application inspection firewalls are aware of the state of Layer 4 and
Layer 5 connections.
• Application inspection firewalls check the conformity of application
commands.
• Application inspection firewalls have the capability to check and affect
Layer 7.
• Application inspection firewalls can prevent more kinds of attacks than
stateful firewalls can.


Transparent Firewalls (Layer 2 Firewalls)

Transparent Firewalling: Firewall Interfaces All in the Same Subnet

• Cisco IOS routers, Cisco ASA Adaptive Security Appliance Software,
Cisco Firewall Services Module, and Cisco ASA Services Module offer
the capability to deploy a security appliance in a secure bridging mode
as a Layer 2 device to provide rich Layer 2 through 7 security services
for the protected network



NAT Fundamentals

Example of Network Address Translation



NAT table
Cisco defines the following list of NAT terms:
• Inside local address
• Inside global address
• Outside local address
• Outside global address




Example of Port Address Translation (aka NAT Overload) on Cisco IOS Router



Translating Inside Source Address



Static Translation



NAT Deployment Choices
The deployment modes in NAT operations are as follows:
• Static NAT
• Dynamic NAT
• Dynamic PAT (NAT overload)
• Policy NAT
• Static PAT
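The NAT table terms and the PAT (NAT overload) deployment mode from the slides above, as an added Python model that is not part of the Cisco material: two inside hosts that happen to use the same source port share one inside global address and are told apart by the translated port, and an inbound packet with no translation entry is returned as None. The inside global address, hosts and port range are constructed for the demo.

```python
from itertools import count

class PortAddressTranslator:
    """NAT overload (PAT): many inside local addresses share one inside
    global address, kept apart by rewriting the TCP/UDP source port."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.next_port = count(first_port)   # constructed port pool, allocated in order
        # (inside local, local port, outside global, outside port) -> global port
        self.table = {}
        # (global port, outside global, outside port) -> (inside local, local port)
        self.reverse = {}

    def outbound(self, src, sport, dst, dport):
        """Packet leaving the inside interface: source becomes inside global."""
        key = (src, sport, dst, dport)
        if key not in self.table:
            gport = next(self.next_port)
            self.table[key] = gport
            self.reverse[(gport, dst, dport)] = (src, sport)
        return (self.inside_global, self.table[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Reply arriving on the outside interface: destination is mapped back
        to the inside local host, or None when no translation exists."""
        if dst != self.inside_global:
            return None
        hit = self.reverse.get((dport, src, sport))
        if hit is None:
            return None                      # unsolicited: no entry, dropped
        inside_local, local_port = hit
        return (src, sport, inside_local, local_port)

    def translations(self):
        """Rows in the column order of the Cisco NAT table: inside global,
        inside local, outside local, outside global. Only inside addresses
        are translated here, so outside local equals outside global."""
        return [(f"{self.inside_global}:{g}", f"{s}:{sp}", f"{d}:{dp}", f"{d}:{dp}")
                for (s, sp, d, dp), g in self.table.items()]

def run_demo():
    """Two inside hosts use the same source port toward the same server."""
    pat = PortAddressTranslator("203.0.113.1")     # constructed inside global address
    a = pat.outbound("10.0.0.5", 50000, "198.51.100.20", 80)
    b = pat.outbound("10.0.0.6", 50000, "198.51.100.20", 80)
    back = pat.inbound("198.51.100.20", 80, "203.0.113.1", b[1])
    stray = pat.inbound("198.51.100.99", 4444, "203.0.113.1", 2000)
    return a, b, back, stray   # stray is None: nothing inside asked for it
```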



Firewall Designs
Best practices documents are a composite effort of security practitioners.
This partial list of best practices is generic and serves only as a starting
point for your own firewall security policy:
• Position firewalls at key security boundaries, separating security domains
with different levels of trust.
• Firewalls are the primary security device, but it is unwise to rely
exclusively on a firewall for security.
• Deny all traffic by default and permit only services that are needed.
• Implement various firewall technologies, matching your application mix
and security policy requirements.
• Ensure that physical access to the firewall is controlled.
• Regularly monitor firewall logs. Cisco Security Manager and other Cisco
management tools are available for this purpose.
• Practice change management for firewall configuration changes.

