How does Firewall work ?

Kuldeep singh
Level 1

Hi Experts,

I have worked with a lot of firewalls, but I did not understand the actual use of them.

I know only one definition for Firewall => The firewall restricts unauthorized access from the outside; it protects from hackers and crackers.

It is only an example to understand:

SSL = it works on encryption algorithms like DSA, AES, DES

1) In the above example, SSL works on encryption algorithms. In the same way, the firewall works on which method / protocol / feature through which it protects from unauthorised outsiders? Which feature of the firewall, seeing it, can we say it works on?

2) What is the actual use of a firewall in any network?

3) Is a firewall a good device to prevent unauthorised access or hackers? If no, then which device do I need to buy? I heard about IDS/IPS.

4) In my sight, Cisco Router (specific models) and Cisco ASA firewall functionality seem to be the same. Some IOS of routers provide the same features like NAT/PAT, ACL, IPS/IDS, Content filter. I have checked through the Cisco Navigation tool. If I am wrong, please correct me.

KS

Accepted Solution

Julio Carvajal
VIP Alumni

Hello,

1) The firewall could use SSL for traffic to the box (this means it will be encrypted, so if an outside user intercepts the traffic he will not be able to understand what the client is doing with the ASA).

A deep packet inspection firewall can also inspect SSL sessions.

2) There are different uses, for example: VPN termination device, as a proxy server, allows traffic across the network using stateful inspection and ACLs, performs NAT, allows traffic based on signatures or the behavior of your network (anomaly detection, etc.)

3) Yes, it is a great device to prevent this; of course there is no device that will protect you from all the different attacks, that is why Cisco encourages you to use different devices at different places on your network (an IPS will always be great).

4) You are correct, the IOS router can be configured as a firewall or IDS/IPS. The ASA is more flexible as it was built as a security device, but the IOS router can be as secure as the ASA.

Regards,

Remember to rate all of the helpful posts (If you do not know how to do it, just let me know, I will teach you)

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Hi Julio,

Thanks for the reply...

1) How to use SSL with Cisco ASA......

    Is Cisco ASA CLI or GUI based? Please send me a screenshot-based URL.

Hello,

You can do it both ways:

ASDM:

http://ciscogeek.org/activate-asdm-as-gui-interface-for-cisco-asapix-firewall/

http://www.net-gyver.com/?p=1419

Anyconnect:

http://www.tech21century.com/how-to-configure-anyconnect-ssl-vpn-on-cisco-asa-5500/

Regards,

Remember to rate all of the helpful posts (If you do not know how to do it, just let me know, I will teach you)

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

1) I am not talking about SSL for VPN....

    I simply want to know how we can configure the firewall

    so it restricts the unauthorized outside user? That's it.

Hello,

So you mean you have an inside HTTP server and you want to restrict SSL access to that server.

Simple, just configure an ACL and apply it to the outside interface of the ASA:

access-list OUTSIDE_IN permit tcp host 4.2.2.2 host 8.8.8.8 eq 443

access-list OUTSIDE_IN permit tcp deny any host 8.8.8.8 eq 443

access-group OUTSIDE_IN in interface outside

With this you will restrict SSL access across your network from intruders on the outside.

Remember to rate all of the helpful posts (If you do not know how to do it, just let me know, I will teach you)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Let's forget SSL in my case.......

My main concern is to restrict unauthorized persons from outside.

So what configuration will be needed in the ASA?

Second question, it is related to the access list command which you sent me:

access-list OUTSIDE_IN permit tcp deny any host 8.8.8.8 eq 443

Can we use the permit and deny keywords in the same command?

Hello Kuldeep,

You can use ACLs, intrusion prevention mechanisms, Unicast Reverse Path checks, etc.

Yes, it can be done using ACLs. No, not on the same line. My bad (typo).

It has got to be permit or deny.

As an example!

access-list OUTSIDE_IN deny tcp any host 8.8.8.8 eq 443

access-list OUTSIDE_IN deny tcp any host 8.8.8.8 eq 25

access-list OUTSIDE_IN permit tcp any any

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

One more question related to your ACL :

access-list OUTSIDE_IN permit tcp host 4.2.2.2 host 8.8.8.8 eq 443

What does this access list command mean? Generally we use

private IP addresses for the LAN, but you are using IPs like 4.2.2.2 and

8.8.8.8. Why?

Hello,

It's just an example.

I am using public IP addresses as we are applying the ACL to the outside interface, and that interface is usually the internet edge, so it will have public IP addresses.

Now you said you have on your internal network 192.x.x.x (as an example); how would you access that IP over the internet? Using NAT, right (a public IP address)? That is why on the ACL we make reference to the public IP address.

Regards,

Remember to rate all of the helpful posts (If you do not know how to do it, just let me know, I will teach you)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I am confused with access list configuration on the Cisco ASA/PIX.

Please see the example given below, which is the same as your example:

access-list Outside-In permit tcp any host 45.115.215.1 eq 3389

access-list Outside-In permit tcp any host 33.115.215.1 eq 80

1) Is it a named ACL type or something else? There are some types

of access list, as we all know: 1. Standard   2. Extended   3. Named,

but in the above named access list there is no extended or standard keyword

used.

2) Can I use a numbered access list with the ASA or not?

Hello Kuldeep,

1) By default on the ASA the ACLs will be extended; if you want a standard one you will need to call it.

Example: access-list test standard permit 4.2.2.0 255.255.255.0

2) Yes, you can.

Kuldeep remember to rate all of the helpful posts, if you do not know how to rate a post, just let me know ...I will let you know how.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

2) Can you please send me a link where I can see an ASA configured

   with a numbered access list.....

Hello Kuldeep,

asa(config)# access-list 123 permit ip any any

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Kuldeep,

Please find more information about ACLs here:

How to configure ACLs on the Cisco ASA

Fundamentals of Cisco ASA Security Appliance Access Control Lists

HTH.

Portu.

Please rate any helpful posts
