© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features


Implementing Secure Converged Wide Area Networks (ISCW)

Module 6: Cisco IOS Threat Defense Features


Module 6: Cisco IOS Threat Defense Features

Lesson 6.3: Basic and Advanced Firewall Wizards


Objectives

- Describe the Security Device Manager (SDM) and how it is used in firewall configuration.
- Describe using the Basic and Advanced Firewall wizards in SDM to configure a firewall.
- Explain how to review and modify the configuration generated by the SDM.
- Explain how to enable logging in order to view firewall activity within SDM.


Basic and Advanced Firewall Wizards

SDM offers configuration wizards to simplify Cisco IOS Firewall configuration.

Two configuration wizards exist:

- Basic Firewall Configuration wizard:
  - Supports two interface types (inside and outside)
  - Applies predefined rules
- Advanced Firewall Configuration wizard:
  - Supports more interfaces (inside, outside, and DMZ)
  - Applies predefined or custom rules


Configuring a Basic Firewall

[Screenshot of the SDM Basic Firewall wizard with numbered callouts 1 to 4; image not reproduced in this extract]


Basic Firewall Interface Configuration


Basic Firewall Configuration Summary and Deployment


Reviewing the Basic Firewall for the Originating Traffic


Reviewing the Basic Firewall for the Returning Traffic


Resulting Basic Firewall Inspection Rule Configuration

Router#show running-config | include ip inspect name
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive


Resulting Basic Firewall ACL Configuration

Router#show running-config | include access-list
access-list 100 remark autogenerated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 200.0.0.0 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark autogenerated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any host 200.0.0.1 echo-reply
access-list 101 permit icmp any host 200.0.0.1 time-exceeded
access-list 101 permit icmp any host 200.0.0.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log


Resulting Basic Firewall Interface Configuration

Router#show running-config | begin interface
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 in
!
interface Serial0/0/0
 description $FW_OUTSIDE$
 ip address 200.0.0.1 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
!
<...rest of output removed...>
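As an added illustration, not part of the Cisco deck, of the "originating" and "returning" traffic slides above: a small Python model of the outside interface that applies the deck's ACL 101 (abridged, remarks omitted) to inbound packets and uses a set of session tuples in place of the state that ip inspect SDM_LOW out keeps. NAT is not modeled, the parser handles only the address forms that appear in the deck's ACLs (not the eq port qualifiers of the Advanced Firewall's ACL 102), and the sample addresses 10.1.1.10 and 198.51.100.5 are constructed.

```python
import ipaddress

# ACL 101 (inbound on the outside interface) as the deck lists it, abridged: remarks omitted.
ACL_101 = """
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any host 200.0.0.1 echo-reply
access-list 101 permit icmp any host 200.0.0.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
"""

def _addr(tok, i):
    # IOS address spec at tok[i]: "any", "host A" or "A WILDCARD" (a wildcard is an inverted netmask).
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, wild = (tok[i + 1], "0.0.0.0") if tok[i] == "host" else (tok[i], tok[i + 1])
    mask = str(ipaddress.ip_address(int(ipaddress.ip_address(wild)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network((addr, mask), strict=False), i + 2

def parse_acl(text):
    # -> [(action, proto, src_net, dst_net, icmp_type_or_None)] in configured order
    rules = []
    for tok in (line.split() for line in text.strip().splitlines()):
        src, i = _addr(tok, 4)          # access-list 101 <action> <proto> <src> <dst> [type] [log]
        dst, i = _addr(tok, i)
        extra = [t for t in tok[i:] if t != "log"]
        rules.append((tok[2], tok[3], src, dst, extra[0] if extra else None))
    return rules

def acl_decision(rules, pkt):
    # First match wins; a packet that matches no line hits the implicit deny.
    s, d = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for action, proto, src, dst, icmp_type in rules:
        if proto in ("ip", pkt["proto"]) and s in src and d in dst and (
                icmp_type is None or pkt.get("icmp_type") == icmp_type):
            return action
    return "deny"

def outbound(sessions, pkt):
    # Originating traffic: "ip inspect SDM_LOW out" records the TCP/UDP session (CBAC state table).
    if pkt["proto"] in ("tcp", "udp"):
        sessions.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    return "permit"

def inbound(rules, sessions, pkt):
    # Returning traffic: a recorded session admits the reply; anything else is judged by ACL 101.
    key = (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
    return "permit (inspection)" if key in sessions else acl_decision(rules, pkt)
```

The point to verify is that an inside host's reply is admitted only because the session was recorded on the way out; the same TCP packet arriving unsolicited, or with a spoofed 10.1.1.0/24 source, ends at a deny line of ACL 101.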


Configuring Interfaces on an Advanced Firewall

[Screenshot of the SDM Advanced Firewall wizard with numbered callouts 1 to 4; image not reproduced in this extract]


Advanced Firewall Interface Configuration


Advanced Firewall DMZ Service Configuration


Advanced Firewall DMZ Service Configuration: TCP


Advanced Firewall DMZ Service Configuration: UDP


Advanced Firewall DMZ Service Configuration: Configured Services


Advanced Firewall Security Policy


Advanced Firewall Protocols and Applications


Advanced Firewall Protocols and Applications (Cont.)


Advanced Firewall Protocols and Applications (Cont.)


Advanced Firewall Inspection Parameters


Advanced Firewall Security Policy Selection


Advanced Firewall Configuration Summary and Deployment


Resulting Advanced Firewall Inspection Rule Configuration

Router#show running-config | include ip inspect name
ip inspect name appfw_100 tcp audit-trail on
ip inspect name appfw_100 udp
ip inspect name appfw_100 ftp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp


Resulting Advanced Firewall ACL Configuration

Router#show running-config | include access-list
access-list 100 remark autogenerated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 200.0.0.0 0.0.0.3 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark autogenerated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip any any log
access-list 102 remark autogenerated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 permit icmp any host 200.0.0.1 echo-reply
access-list 102 permit icmp any host 200.0.0.1 time-exceeded
access-list 102 permit icmp any host 200.0.0.1 unreachable
access-list 102 permit tcp any host 192.168.0.2 eq www
access-list 102 permit udp any host 192.168.0.3 eq isakmp
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log


Resulting Advanced Firewall Interface Configuration

Router#show running-config | begin interface
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 in
 ip inspect appfw_100 in
!
interface FastEthernet0/1
 description $FW_DMZ$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 101 in
 ip inspect dmzinspect out
!
interface Serial0/0/0
 description $FW_OUTSIDE$
 ip address 200.0.0.1 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
!
<...rest of the output removed...>


Preparing for Firewall Activity Viewing

[Screenshot of the SDM logging setup with numbered callouts 1 to 6; image not reproduced in this extract]


Viewing Firewall Log

[Screenshot of the SDM firewall log view with numbered callouts 1 and 2; image not reproduced in this extract]


Summary

- Cisco Security Device Manager (SDM), a GUI-based configuration and management tool for Cisco IOS routers, offers a simple method to set up the Cisco IOS Firewall.
- The Basic Firewall Configuration wizard applies default access rules to both inside and outside interfaces, applies default inspection rules to the outside interface, and enables IP unicast reverse path forwarding (uRPF) on the outside interface.
- The Advanced Firewall Configuration wizard applies default or custom access rules, as well as default or custom inspection rules, to inside, outside, and DMZ interfaces. The Advanced Firewall Configuration wizard also enables IP unicast reverse-path forwarding on the outside interface.


Q and A


Resources

- Cisco Router and Security Device Manager Introduction
  http://cisco.com/en/US/partner/products/sw/secursw/ps5318/index.html
- Cisco Router and Security Device Manager Support
  http://cisco.com/en/US/partner/products/sw/secursw/ps5318/tsd_products_support_series_home.html
- Cisco Router and Security Device Manager User Guides
  http://cisco.com/en/US/partner/products/sw/secursw/ps5318/products_user_guide_list.html
