A firewall is a software and/or hardware-based mechanism that is used to secure a network system from particular types of data traffic. This report provides details of the various security functions performed by a typical firewall. In particular, it uses the Cisco ASA series firewall to explain these functions. Furthermore, the report describes the installation of the Cisco ASA 5500 series firewall as a case study to illustrate the complete firewall configuration procedure.
Keywords: Firewalls, Internet security, Networks, Cisco Firewalls, Installation, Configurations.
In general, a firewall is a mechanism, based on hardware, software, or a combination of both, that connects two or more networks together and restricts the flow of information between them based on configured rules. These rules are configured based on business requirements, which define what types of information flow need to be allowed or restricted.
Firewalls are used to create security checkpoints at the boundaries of private networks. At those checkpoints, firewalls inspect all packets passing between the private network and the internet and determine whether to pass or drop the packets depending on how they match the policy rules programmed into the firewall.
Basically, firewalls protect a trusted network from an untrusted computer or network by filtering traffic according to a specified policy.
For a typical organization, firewalls help to enforce a particular security policy, which is achieved by employing various implementation methods. Generally, these methods include the filtering of data traffic at a particular layer, such as transport, application, data link, or network layers, on the TCP/IP model. Additionally, new techniques and mechanisms are being developed, such as creating distributed firewalls and normalizing the protocols.
Furthermore, a firewall requires a specific set of rules to filter the data traffic, which is normally decided by the managers in an organization. Once the rules are decided, then the technological teams collaborate together to implement them in both hardware and software. For this purpose, many abstract level languages are being developed to standardize the whole process. After the specification and implementation stages, a firewall must be verified using various test cases and scenarios. In a nutshell, the process of specifying and implementing an accurate and efficient firewall can become extremely complicated, which can involve many individuals, ranging from managers to technical engineers. In recent times, many new technologies, such as Virtual Private Networks (VPN) and torrents provide additional challenges to develop efficient firewall policies.
Firewalls perform two basic security functions:
Packet filtering: a firewall must be able to determine whether to pass or deny the passage of packets of digital information, according to its given security policy.
Application proxy: In some cases, a firewall may provide network services to users while shielding individual host computers by breaking the IP flow between the two communicating networks.
There are many reasons for enforcing such filters in an organization's network. They include insecure configuration of operating systems, limiting access to information, and preventing information leaks. For instance, some operating systems allow file sharing by default, which can be exploited by hackers. Similarly, certain organizational managers want their employees to avoid accessing their social media accounts, and hence block the corresponding URLs. Moreover, some organizations do not want to allow access to their proprietary information, and hence enforce the respective filters.
Previously, many overview articles have been written to highlight the importance of firewalls. Some of the significant survey and overview articles can be found in . They generally provide the history and significance of firewalls, and various policies developed over the years. Moreover, they discuss the future challenges in this research area. In this report, we provide the details of many aspects of the security policies performed by a typical firewall, taking the Cisco ASA series firewall as an example test case. Furthermore, the report discusses the installation procedure for the Cisco ASA 5500 series firewall, to illustrate the complete firewall configuration procedure.
The remainder of this report contains the following sections. Section 2 explains the characteristics of Cisco Firewalls. Section 3 gives a detailed procedure for the installation of a Cisco ASA 5500 series Firewall. Section 4 concludes this report by providing a short summary.
2 The Characteristics of Cisco Firewalls
Cisco security appliances protect trusted zones from untrusted zones and help protect against three categories of attacks:
Reconnaissance Attacks: used to document and map a network's infrastructure, including vulnerabilities.
Access Attacks: used to gain unauthorized access to data or systems.
Denial of Service (DoS) Attacks: used to disrupt access to services, often by crashing or overloading a system.
There are three different types of firewalls, based on the following technologies.
Packet Filtering: Permits or denies traffic based on source/destination IP addresses, or TCP/UDP port numbers. A packet filter is based on an access control list (ACL), which defines what traffic can or cannot traverse the interface.
Stateful Packet Inspection: tracks TCP and UDP sessions in a flow table, using the Adaptive Security Algorithm.
Proxy Servers: A proxy server acts as a "middle-man" for communication; it authenticates the user and allows data requests according to the configured rules based on the business policy.
Cisco has a popular IP firewall appliance called PIX (Private Internet eXchange). It uses PIX OS and is classified as a network layer firewall with stateful inspection.
By default, it allows outbound traffic from the inside network, and allows inbound traffic only when it is a response to that traffic or is permitted by a rule defined in an access control list (ACL).
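The default behaviour described above (outbound traffic allowed, inbound traffic allowed only as a response or by an ACL rule) can be illustrated with a small flow table. The following Python example is added here and is not part of the original report or of Cisco's Adaptive Security Algorithm; the names FlowTable, stateless_inbound and demo, the addresses, the ports and the 30-second idle timeout are all assumptions made for the illustration.

```python
# Added example: a simplified flow table illustrating stateful inspection in
# general. It is not Cisco's Adaptive Security Algorithm. All addresses, ports
# and the 30-second idle timeout are constructed values.

class FlowTable:
    def __init__(self, inbound_permits=(), idle_timeout=30):
        self.flows = {}                               # 5-tuple (inside view) -> last-seen time
        self.inbound_permits = set(inbound_permits)   # (proto, dst_ip, dst_port)
        self.idle_timeout = idle_timeout

    def outbound(self, proto, src, sport, dst, dport, now):
        """Inside-to-outside traffic is allowed by default and recorded."""
        self.flows[(proto, src, sport, dst, dport)] = now
        return "permit"

    def inbound(self, proto, src, sport, dst, dport, now):
        """Outside-to-inside traffic must match a live flow or an explicit permit."""
        key = (proto, dst, dport, src, sport)         # reverse of the outbound tuple
        last_seen = self.flows.get(key)
        if last_seen is not None and now - last_seen <= self.idle_timeout:
            self.flows[key] = now                     # refresh the idle timer
            return "permit-flow"
        self.flows.pop(key, None)                     # drop a stale entry, if any
        if (proto, dst, dport) in self.inbound_permits:
            return "permit-acl"
        return "deny"

def stateless_inbound(proto, sport):
    """A stateless filter can only guess at replies, e.g. 'TCP from port 443'."""
    return "permit" if proto == "tcp" and sport == 443 else "deny"

def demo():
    fw = FlowTable(inbound_permits={("tcp", "192.0.2.25", 25)})
    client, server = ("10.1.0.20", 50000), ("198.51.100.7", 443)
    other = ("203.0.113.9", 443)                      # host the client never contacted
    return [
        fw.inbound("tcp", *server, *client, now=0),   # unsolicited packet
        fw.outbound("tcp", *client, *server, now=1),  # client opens the session
        fw.inbound("tcp", *server, *client, now=2),   # genuine reply
        fw.inbound("tcp", *other, *client, now=3),    # same port, different host
        fw.inbound("tcp", *server, *client, now=60),  # flow idle for too long
        fw.inbound("tcp", "203.0.113.9", 40000, "192.0.2.25", 25, now=61),
        stateless_inbound("tcp", other[1]),           # the stateless rule lets it in
    ]
```

The fourth and last results are the point of the comparison: the flow table rejects a packet from a host the client never contacted, while a stateless rule keyed on source port 443 accepts it.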
Cisco announced end of sale for PIX in 2008. Cisco has since introduced the newer Adaptive Security Appliance (ASA), which includes some of the PIX features.
Both Cisco routers and multilayer switches support the IOS firewall set and provide security functionality. Additionally, Cisco offers dedicated security appliances:
Cisco has a large variety of firewalls available in the Adaptive Security Appliance series, suited to the performance needs and size of any company, to provide the best possible security for its networks. Here we discuss only ASA firewalls and their installation. There are two categories in the ASA series of Cisco firewalls.
ASA 5500 Series
ASA 5500-X Series
Cisco has divided these two series into three main classes according to the business sizes and product models.
Small office and branch office:
5505, 5510, 5512-X and 5515-X
5520, 5525-X, 5540, 5545-X, 5550 and 5555-X
Enterprise Data Centre:
5585-X with SSP10, SSP20, SSP40 and SSP60
Higher-end ASA models support faster processors and increased port density. Additionally, the higher-end models support a larger number of total connections, more memory, more IPsec tunnels, and higher overall throughput. All ASA firewalls run PIX OS 7.0 or higher, and all ASA firewalls have integrated VPN acceleration.
We will focus here on the ASA 5510 Security Plus, which is best for small businesses, as it not only works as a firewall but also provides better protection for content security and intrusion detection, and provides VPN connections within the following limits.
300 Mbps firewall throughput
250 VPN user sessions
3 x 10/100 interface ports (with a different type of license, up to 5 interfaces can be supported)
Since we are focusing on the ASA 5510 in this report, the following must be considered before choosing a product, according to the needs and requirements of the real environment.
The current structure of the network
Applications in use
Special user requirements
Existing security policies
After the above planning is complete and before going ahead with installation, the following steps must be considered:
Configure the firewall.
Check the firewall environmental settings specific to the location.
Ensure the most current firmware release is being used.
Define network settings for the LAN, WAN and DMZ ports.
Implement network filters and access services.
Enable the functions for user management, encryption and event logging.
Security policy options for enabling/disabling test filtering.
Check or uncheck firewall features based on the firewall policy.
Back up the firewall configuration and firmware at the end.
3 Installation of a Cisco ASA 5500 series Firewall
The following are the essential external components of an ASA 5510 firewall; verify that all are present before going ahead with installation.
Figure 1: External components despatched with the ASA firewall
ASA 5510 Chassis
2 Yellow Ethernet Cables
4 10-32 Phillips Screws
4 12-24 Phillips Screws
Blue Console Cable PC Terminal Adapter
Power Cable (US Shown)
4 Rubber Feet
Documentation and Software CD
First of all, after unboxing the firewall, we need to figure out which ports are the WAN and LAN ports on this firewall. After switching on the power, if the status light is solid green, it means the ASA firewall has passed the power-on diagnostics.
Figure 2: Attaching Ethernet cable with management PC
Connect this firewall to a management PC with an Ethernet console cable on Ethernet management 0/0 interface. Launch a web browser and open the following URL:
It will automatically start an ASDM web page.
Figure 3 : ASDM wizard
Adaptive Security Device Manager (ASDM) is a graphical user interface through which we can configure basic and advanced features of this firewall. The first thing we need to do in ASDM is to check whether the ASDM and ASA firmware need to be upgraded before installation. This can be done by signing in to the Cisco SMARTNET account, after verifying the new version's compatibility with the existing hardware.
Then, through the ASDM setup wizard, we can change the default configuration into a customized configuration according to the firewall policy. We can customize the following:
Hostname
Domain name
Administration passwords
Interfaces
IP Addresses
NAT Rules
DHCP Server
Static Routes
After choosing to modify the existing configuration, the ASDM start-up wizard is simple and straightforward, but a few things are worth checking at this stage. The first step is configuring the initial interface IP address, which is most likely the untrusted or outer network IP address. Then configure the rest of the interfaces, or at least one internal interface, so that we can connect through our trusted network. The start-up wizard can be completed by following the ten steps shown in the above figure.
Click on ASDM/HTTPS to open Graphical User interface for ASDM.
In the IP address field, type 192.168.12.0 to allow access to this network.
Subnet Mask will be 255.255.255.0.
All of this configuration can be seen in the following figure.
Figure 4: Device Access configuration on ASDM graphical User Interface
Then click OK in the Add Device Access Configuration dialogue box and click Apply at the bottom.
The next step is to specify static routes, which depends on the firewall policy of our overall network structure and the IP addressing we have already chosen for these interfaces. The setup involves the following steps:
Figure 5: Configuring interfaces.
Add static route.
Choose the interfaces, deciding which is to be the inside and which the outside interface, and allocate static IP addresses to both, as shown in the above figure.
Give the network name and type from the Network window (e.g. Kats IT).
Enter the network address (e.g. 192.168.1.12) and type a description if needed, then click OK.
In the Network window, choose the network already mentioned above; this action will populate the network field.
Configure the firewall's gateway IP address. Depending on the network, it could simply be a router interface IP address or a dedicated static IP address allocated by the ISP.
Figure 5: Configure ACL rules.
The third step is to define ACLs to allow or deny traffic according to the required business policy.
After performing the above steps for adding routes and configuring interfaces, the firewall is ready to be deployed on the network, and the rest of the configuration can be done once it is on the network.
After this step, we will be able to access the device from all added subnets or networks.
A few more optional wizards can be run according to the network structure and business needs and requirements.
Allowing Access to Public Servers behind the ASA
A DMZ (demilitarized zone) is a computer host or small network separated as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well. Any attacks launched against the public servers do not affect your inside networks.
In the ASDM window, click on Configuration, Firewall and Public Servers.
Click Add to enter the public server settings into the Add Public Server dialogue box.
Click ok and then apply to submit the information to ASA firewall.
Figure 6: Adding Public server on demilitarised Zone
The following optional wizards can also be run on ASDM:
The following is a sample of the live configuration from a running ASA 5510 firewall.
Result of the command: "show running-config"
ASA Version 8.2(2)
enable password E3Lcy/NWj2QSBTXV encrypted
passwd E3Lcy/NWj2QSBTXV encrypted
description Port that connects to ISP
ip address 184.108.40.206 255.255.255.240
description Port that connects to LAN Cisco switch/router
ip address 10.1.0.253 255.255.255.0
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup backup
dns server-group DefaultDNS
access-list outside_access_in remark Access rule to allow inbound SMTP to email server
access-list outside_access_in extended permit tcp any host SMTP_mail_gateway eq smtp
access-list outside_access_in extended permit tcp any host SMTP_mail_gateway eq https
access-list outside_access_in extended permit tcp any host SMTP_mail_gateway eq www
access-list outside_access_in extended permit tcp any host SMTP_mail_gateway eq imap4
access-list inside-out extended deny tcp any any eq www
access-list inside-out extended deny tcp any any eq https
access-list inside-out extended deny tcp any any eq ftp
access-list inside-out extended permit ip any any
global (outside) 10 NAT-Out
nat (inside) 0 access-list nonat
nat (inside) 10 192.168.50.0 255.255.255.0
nat (inside) 10 Inside-Network 255.0.0.0
nat (backup) 0 access-list backup_nat0_outbound
route outside 0.0.0.0 0.0.0.0 220.127.116.11 1
route backup 0.0.0.0 0.0.0.0 10.253.0.228 254
route inside IT_subnet 255.255.255.0 Internal_Gateway 1
route inside 10.1.2.0 255.255.255.0 Internal_Gateway 1
route inside Abb-Subnet 255.255.255.0 Internal_Gateway 1
aaa authorization command LOCAL
aaa authentication secure-http-client
http server enable
http server idle-timeout 30
http Management_subnet 255.255.255.0 management
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
policy-map type inspect dns migrated_dns_map_1
message-length maximum client auto
message-length maximum 512
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email firstname.lastname@example.org
destination transport-method http
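The access-list entries in the configuration above are evaluated from the top down: the first matching entry decides, and a packet that matches nothing is dropped by the implicit deny at the end of the list. The following Python example, added here and not part of the original report or of Cisco software, parses those entries and evaluates constructed packets against them; object names such as SMTP_mail_gateway are compared as plain strings, and only the `any`, `host NAME` and `eq PORT` forms that appear above are handled.

```python
# Added example: first-match evaluation of ASA extended ACL entries.
# The ACL lines are copied from the running-config above; packets are constructed.
PORTS = {"smtp": 25, "www": 80, "https": 443, "ftp": 21, "imap4": 143}

CONFIG = """\
access-list outside_access_in remark Access rule to allow inbound SMTP to email server
access-list outside_access_in extended permit tcp any host SMTP_mail_gateway eq smtp
access-list outside_access_in extended permit tcp any host SMTP_mail_gateway eq https
access-list outside_access_in extended permit tcp any host SMTP_mail_gateway eq www
access-list outside_access_in extended permit tcp any host SMTP_mail_gateway eq imap4
access-list inside-out extended deny tcp any any eq www
access-list inside-out extended deny tcp any any eq https
access-list inside-out extended deny tcp any any eq ftp
access-list inside-out extended permit ip any any
"""

def parse_acls(text):
    """Return {acl_name: [(action, proto, src, dst, port_or_None), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue                                  # skips remarks and other lines
        name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
        addrs = []
        while rest and len(addrs) < 2:
            take = 2 if rest[0] == "host" else 1      # "host NAME" or "any"
            addrs.append(rest[take - 1])
            rest = rest[take:]
        port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, addrs[0], addrs[1], port))
    return acls

def evaluate(acl, proto, src, dst, dport):
    """Return (action, entry_number); no match means the implicit deny (None)."""
    for number, (action, a_proto, a_src, a_dst, a_port) in enumerate(acl, 1):
        if a_proto not in ("ip", proto):
            continue
        if a_src not in ("any", src) or a_dst not in ("any", dst):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action, number
    return "deny", None

ACLS = parse_acls(CONFIG)
```

Evaluating `inside-out` for outbound TCP port 443 returns the deny at entry 2, while moving `permit ip any any` to the top of that list would shadow all three deny entries. An inbound connection to SMTP_mail_gateway on any port other than the four listed falls through to the implicit deny.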
After the firewall has been installed and tested for connectivity, we will begin an external security assessment of the firewall. During this assessment we will:
Scan the firewall for port openings and closures.
Test remote management functionality (if required).
Ensure all requirements specified during the installation planning have been met.
From time to time it will be necessary to reconfigure the firewall to enable new services or to prevent new threats.
4 Summary and Conclusions
In this report, we defined the firewall security and discussed various scenarios in this respect. We elaborated on a particular case-study of Cisco firewalls to analyze the firewall security mechanisms. We provided a detailed procedure to install an instance of a Cisco firewall mechanism, and determined various features of this firewall.