Introduction to Firewalls

Hi @lagapidis, why do we need another zone (DMZ)? Why can't we keep the servers inside and apply firewall rules to permit the traffic from outside?

Thanks,
Nihar

Hello Nihar

Enterprise networks that host their own Internet-facing services, such as web servers, will typically use a DMZ. This is because the security features required to protect internal hosts are generally different from those required to protect Internet-facing servers. Because of this difference, it is generally more convenient to separate these types of hosts into two different regions, specifically the inside network and the DMZ.

Specifically, the internal network contains hosts that:

  • are end-user devices (PCs, laptops, IP phones, tablets, smartphones etc…)
  • require access to the internet
  • have extensive filtering to regulate what content from the internet is accessible by the hosts
  • block all access from the internet to the inside hosts

Conversely, devices in the DMZ are hosts that:

  • must be accessible from the internet
  • have much fewer filtering rules, but still maintain some level of filtering for security

Because of these differences, it is much more convenient to apply these rules to whole subnets/network segments (inside and DMZ) and segregate them rather than applying these rules on an IP by IP address basis.

In addition, if a server in the DMZ does become compromised by an attack, any such attack will be confined to the DMZ and will not affect the Internal network. If the servers were on the same subnet as the end-users, then any attack may also affect other devices on the subnet.

Although it is possible to have all devices be on the inside network, for the reasons mentioned, it is best practice to segregate your network into the DMZ and the internal network. It is easier to manage and more secure.

I hope this has been helpful!

Laz


Rene

Can an internal firewall have more than one outside interface? I am talking about an internal firewall, not a perimeter firewall, where you can have more than one ISP connection.

In which network topology is the above scenario deployed, and how would the internal firewall configuration get impacted by this topology?

Hello Surendra

Yes, it is possible to set up more than one OUTSIDE interface, and it is possible to set up more than one INSIDE interface as well. This can be done on any ASA firewall, regardless of its location in the network topology.

Whether you set this up on a firewall on the edge of your network, or on a firewall within your network, the results are the same. There are no specialized configurations necessary. If your network topology needs a firewall to have two or more outside interfaces, simply create them. Is there a more specific scenario that you had in mind about which you’d like to ask a more specific question? Let us know!

I hope this has been helpful!

Laz

Thanks Laz for the quick turnaround.

I have one more question.

In OSPF, if any interface goes down in any specific area, there will be a recalculation of SPF and withdrawal of the earlier route from the ABR and internal routers in all the other areas.

What effect will this have on the FIREWALL configuration per se?

What I mean is, what kind of cascading effects do the network topology or any other changes in the underlying network have on the firewall rules and its configuration?

Why I am asking this question is because I am more of a SECURITY guy than a networking specialist trying to get CROSS skilled!!!

Hello Surendra

If an interface goes down on a router running OSPF, and the network on that interface was being advertised using OSPF, then yes, OSPF must reconverge. This is because:

  1. The network on that interface is removed from the OSPF database within the local router
  2. Advertising updates are sent to all neighboring routers stating that this network is no longer reachable
  3. In addition, any networks that were reachable via that interface are also removed, and update requests are sent to other neighboring OSPF routers to find alternative paths to those destinations.

Now, by default route summarization between OSPF areas on ABRs is not employed. If that is the case then each prefix within an OSPF area will have an LSA reach the ABR and be advertised into the neighboring area. This means that any changes to the OSPF area that take place will also update routing information in neighboring areas. If route summarization is employed at the ABR, then such updates into other areas can be avoided, thus reducing OSPF convergence time. For more info about OSPF summarization, take a look at this lesson:

What effect will this have on a firewall configuration? Well, to be honest, not much. If a firewall is participating in OSPF, it is subject to the same rules as a router would be in the same situation. There are no direct security implications for firewalls that I can think of that arise from such a scenario.

I hope this has been helpful!

Laz

I used to use the ASA in my GNS3, as I have licenses via VIRL and my job. However, this last time I installed GNS3 and installed the ASA, it does not seem to load up. I even got my Palo Alto to work but not the ASA, which is annoying. Have you come across any information on this? My wife is not very fond of the 32U rack I have, and so it's already been taken apart and moved to the garage with a pile of Cisco equipment.

Hello Brian

I’m not sure what the problem may be without more details. However, I think your best bet is to search the GNS3 forum for others that have faced similar situations. One thread that you may find useful is this one:

https://gns3.com/community/featured/asa-9-0-not-starting-in-gns3

Let us know how you get along, and if you do find the solution, we’d be happy to hear about it!

I hope this has been helpful!

Laz


Ok so I fixed this. Not sure which item fixed it but will list everything I did.

  1. I saw my VMware Workstation 16 Pro had an upgrade, so I upgraded it first
  2. Saw a new GNS3 was out, 2.2.29, so I upgraded GNS3 to the newest version from 2.2.26
  3. I then upgraded the VMware Workstation 16 Pro. Very easy; see the following link if you ever need to: https://www.sysnettechsolutions.com/en/upgrade-gns3-vm/
  4. After everything upgraded I went in and loaded up my CiscoASA992.qcow2-1 image
  5. I then followed instructions I found:

The appliance is available in the firewall category.

There is no default password and enable password. A default configuration is present. ASAv goes through a double-boot before becoming active. This is normal and expected.

Remember, on the ASA you boot it up, let it reboot, then once it's up you shut down VNC and then turn off the firewall, then you right click, go to configure and change the console type from VNC to telnet.

Then you go back start ASA and you start it up

This seemed to fix it. Fact is, I am not sure if upgrading the firmware fixed it or if I didn't read the directions closely enough to see that it has to reboot twice, then you have to shut down and then right click and configure it to use Telnet instead of VNC. I cannot remember now, but the good news is that it is working, and if someone had trouble and the directions did not work, perhaps they could upgrade or reinstall and it would resolve!

On my job, the Security teams and Data Center teams (not really me, as I am on a WAN team) will use the ASA to create IPsec VPNs to customer sites, and then my company NATs our private IPs (which are used for monitoring devices like SevOne etc…) to a subnet we choose for the NAT, and it reaches the clients' subnets over the VPN so we can reach their servers and networking equipment from what we call Bastions (jump boxes).

However, I get annoyed because I don't do this stuff just for a paycheck; I want to learn it all and how to do it!!! I consider myself more of a scientist, just passionate about learning and knowledge. So I want to be able to do the data center and security teams' parts as well, dang it.

So anyway, now I can maybe figure out a template to do just that. Maybe a router, then a Cisco ASA, and then another firewall, a Cisco ASA or maybe a Palo Alto, which I have an image for as well (I still need to get a FortiGate image, as those are popular with my company along with the other two), and then back into a router: (router)—(ASA)—IPsec VPN—(ASA)—(router)—(switches). That should be easy enough to do on GNS3, and then I can still learn all the parts, as I don't like to be siloed into just LAN and WAN routing and switching.

Hello Brian

Thanks for sharing the steps you took and the resulting success of your actions. It doesn’t really matter which action actually resolved the issue, as GNS3 can get fidgety with various issues. In any case, the steps you took should/would have been done eventually as new updates are available for the various components of the system. This info can be helpful for those facing similar issues.

It’s really refreshing to see networking professionals like yourself be interested in much more than just a paycheck. That’s what makes a career fulfilling, when you love what you do, and when you share that love with other like-minded people as you do on this forum. Keep loving it, and you’ll learn quickly and enjoyably! Putting together such templates and playing around with them in an emulator will go a long way in helping you learn quickly and effectively.

As always, thanks for your contribution!

Laz

Thank you, Rene, for this course, but I have a problem: you mentioned in the course that only data from the safe zone can be accepted into the unsafe zone, so I would like to know how we can access data from a network of this kind while being foreign to the local network. Please give me a clear and practical example from daily life.

Hello Berthol

When creating various security zones, such as INSIDE, OUTSIDE, and DMZ as shown in the lesson, the default behavior is the following:

  • Traffic from a “high” security level to a “lower” security level is permitted.
  • Traffic from a “low” security level to a “higher” security level is denied.

However, in order to make a network function correctly, there must be cases where there are exceptions to this default rule. You can create exceptions using access lists. In the lesson, Rene mentions that:

To ensure traffic from the OUTSIDE is able to reach the servers in the DMZ, we will use an access-list that only permits traffic to the IP address (and port numbers) that the servers in the DMZ use. This setup is very secure, if one of your servers in the DMZ gets hacked, your INSIDE network will still be secure.

For more information on how you can create “exceptions” to the default rule, take a look at these lessons:

I hope this has been helpful!

Laz
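As an added illustration of the zone model Laz describes here and in the DMZ answer earlier in the thread (example code written for this page, not from the lesson or the forum), this is a small Python model of the ASA default behaviour: traffic from a higher security level to a lower one is permitted, lower to higher is denied, and an access-list applied inbound on an interface replaces that default and permits only the DMZ server's IP and ports. The zone names, security levels, addresses and flows are constructed; only TCP is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface name -> security level (constructed values, as on an ASA).
ZONES = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}

@dataclass(frozen=True)
class Flow:
    src_zone: str   # interface the packet arrives on
    dst_zone: str   # interface it would leave on
    dst_ip: str
    dst_port: int   # TCP port, the only protocol modelled here

@dataclass(frozen=True)
class AclEntry:
    """One permit entry: destination network and TCP port."""
    dst_net: str
    dst_port: int

    def matches(self, f: Flow) -> bool:
        return f.dst_port == self.dst_port and ip_address(f.dst_ip) in ip_network(self.dst_net)

# Access-list applied inbound on OUTSIDE: only the DMZ web server, only 80/443.
ACLS = {"OUTSIDE": [AclEntry("192.0.2.10/32", 80), AclEntry("192.0.2.10/32", 443)]}

def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for a flow arriving on interface flow.src_zone."""
    acl = ACLS.get(flow.src_zone)
    if acl is not None:
        # An inbound access-list replaces the security-level default and
        # ends with an implicit deny.
        for e in acl:
            if e.matches(flow):
                return "permit", f"acl {flow.src_zone}-in {e.dst_net} tcp/{e.dst_port}"
        return "deny", f"acl {flow.src_zone}-in implicit deny"
    if ZONES[flow.src_zone] > ZONES[flow.dst_zone]:
        return "permit", "default: higher to lower security level"
    return "deny", "default: lower to higher security level"

SAMPLE_FLOWS = [  # constructed flows
    Flow("OUTSIDE", "DMZ", "192.0.2.10", 443),       # permit via ACL
    Flow("OUTSIDE", "DMZ", "192.0.2.10", 22),        # deny: port not in ACL
    Flow("OUTSIDE", "INSIDE", "10.0.0.5", 443),      # deny: not in ACL
    Flow("INSIDE", "OUTSIDE", "198.51.100.7", 443),  # permit: high to low
    Flow("DMZ", "INSIDE", "10.0.0.5", 445),          # deny: DMZ cannot reach INSIDE
]

def verdicts(flows=SAMPLE_FLOWS) -> list[str]:
    return [evaluate(f)[0] for f in flows]
```

The last sample flow is the point of the DMZ: a compromised DMZ host still hits the default deny towards INSIDE, because no access-list on the DMZ interface opens that path.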

Thank you for the explanation


Hello Kevin

First of all, for reference for our other readers, you are talking about the command included as part of the following lesson:

I went into the CML 2.5 lab, and I tried this command out and it seems to work fine. I’m using the following ASAv version:

Cisco Adaptive Security Appliance Software Version 9.18(2) 
SSP Operating System Version 2.12(0.438)
Device Manager Version 7.18(1)152

In any case, even if it doesn’t work out for you, this is just one command, and it’s a command that you can actually skip safely, or simply make the changes you need to the device manually. The vast majority of other commands for the ASA will be available to you, so using your ASAv should be more than enough for all of the lessons from here on. If there are any commands that are not available, just let us know so that we can make a note and see if we can inform users in the future.

I hope this has been helpful!

Laz

Hello,
I have a server in my DMZ and a laptop in my inside network. I can ping the server, but I cannot access it via the VMware vSphere client as I would do if directly connected. Not sure how to check the rules. Can anyone point me in the right direction? Thanks. I have ASA version 9.1.2, ASDM version 7.1.3.

Thanks for any help.

Hello Ken

I’m not completely clear on where your VMware vSphere client is within the topology you describe, so I don’t have an informed suggestion as to why you see this behavior. However, an excellent tool that will help you determine why packets are being dropped, and where, is the Packet Tracer feature of the ASA. This is not to be confused with Cisco’s Packet Tracer network emulator; that’s a whole different thing.

You can find out more about the packet tracer feature on a Cisco ASA at the following lesson, in the Packet Tracer section:

Using it you will be able to see your packet enter the ASA and also you will see what actions the ASA applies to the packet, and which action in particular actually drops the packet. Using this you should be able to determine why you’re not seeing connectivity. Let us know how you get along.

I hope this has been helpful!

Laz


Thanks. I will use this tool to find the issue.
Ken


Hello, everyone!

What’s the difference between an IPS and AMP (antimalware)? As far as I know, they both scan the received network traffic, compare it with a database of signatures and then determine whether the traffic is malicious or not, so where exactly does their function differ?

Thank you.

David

Hello David

You’re correct that both IPS and AMP systems scan network traffic and compare it with a database of known threat signatures. However, they differ in the types of threats they are designed to detect and prevent.

An IPS is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits, which are typically in the form of malicious inputs to a target application or service. They aim to identify threats like hacking and denial-of-service attacks, and then take action to stop these threats from damaging the network or systems.

On the other hand, AMP is specifically designed to detect, prevent, and remove malware, including viruses, worms, trojans, ransomware, and spyware. AMP not only uses signature-based detection, but also other techniques like heuristic analysis (behavior-based detection), sandboxing, and machine learning to detect both known and unknown threats.

While there is some overlap, IPS is more focused on network threats while AMP is more focused on software-based threats, particularly malware. Both are crucial aspects of a comprehensive network security strategy.

I hope this has been helpful!

Laz