The Complete Guide to Network Firewall 2024

firewall-with-dmz-zone-1

A firewall is a network security system that controls and monitors incoming and outgoing network traffic. Firewalls have two types, the first one is Hardware Firewalls and another one is Software firewalls. Hardware firewalls have separate hardware with their Operating System, CPU, RAM, and different types of interfaces (ports). Software Firewall is software that can be installed in other operating systems like Windows, Linux, and MAC.

However, we have to write policies on both of them. Firewall behaviors always depend upon written policies. In firewalls, we have to write Inbound and Outbound rules, every packet that tries to cross the boundary (Inbound to Outbound or Outbound to inbound), is first checked by the written policies. If the packet is marked as allowed in the firewall policies list then it can cross the Firewall, otherwise, the firewall drops that packet.

IP Address and Domain Name

To know the firewall in detail, we must first understand how networking works. The IP address plays a vital role in networking. We have two types of IP addresses one is IPv4 the other is IPv6. In this world, every small computer, networking device, and server has a unique IP address. We have DNS (Domain Name Server), which converts, IP addresses to Domain Name. Human beings, usually use domain names instead of IP addresses, because they can easily remember and understand domain names like “https://www.gns3network.com“, in comparison to IP address 104.31.89.207.

Network Port and Protocols

Ports and protocols, both play an essential role in networking. In computer Networking, Ports are a virtual path from source to destination. So, whenever, a user requests services from servers, their system itself adds a source port number and destination port number. Ports have three types Well Knows, Registered, and PrivateInternet Assigned Numbers Authority manages all port numbers and protocols.

  • Well Known:  From 0-1023 ( used by commonly used protocols. )
  • Registered: 1024 to 49151
  • Private: 49152 to 65 535 ( Also, known as dynamic Ports )

Protocols are the set of rules, which follow by every computer, to communicate with another computer. For example, we have protocols like FTP, DNS, HTTP, TELNET, SSH, HTTPS, etc. All these protocols use ports from Well Known Ports.

Now, if we have to block a service then we have to directly block the access to that protocol port. Some common Protocols and their Port numbers are mentioned below :

Serial NoProtocolPort Number
1FTP20/21
2Secure Shell (SSH)22
3TELNET23
4Telnet24
5DNS53
6DHCP67/68
7TFTP69
8HTTP80
9POP325/110
10HTTPS443

Firewall Zones [Inside, Outside, and DMZ]

Firewall interfaces (ports) are always kept in various zones. Just, for example, most of the time, network designers called them Inside, Outside, and Demilitarized Zone. In the Inside zone, we have various switches and routers. Most of the end-users are there and working for an organization. In the Outside Zone, there is the Global Internet. This zone is also known as the “World of Hackers”. In the Demilitarized zone, we have our servers like Web Server and FTP Server. This zone is commonly known as DMZ. People from outside the internet can access our DMZ  Servers like Web Server. In the Cisco ASA firewall, we have to define a security level for each interface. The higher the security level, the higher the trust on that side network.

In this picture, the Router is Inside, the Web Server is in DMZ, and the ISP is in the Outside zone.

firewall-with-dmz-zone-1
Cisco ASA Firewall with DMZ

Firewall Configuration

Although, firewalls are manufactured by many vendors. So, their configurations are also different. In this session, we are going to configure our Cisco ASA firewall using Telnet. First, we have to configure a management port with an IP address as shown below configuration:

Now, we open the terminal/cmd in our PC and connect to the ASA Firewall using telnet. An output of the command is shown below :

Now, we have to configure different interfaces of the firewall. Here, I will configure two interfaces, one is in the inside zone and another one is in the outside zone. Also, the name of both of the interfaces will be inside and outside. The security level on both of the interfaces will be “100” and “0” respectively. If we give the zone name “inside” to any interface, the firewall sets the security level “100” by default. Also, if any interface is in the “outside” zone, then the firewall sets the security level “0” by default. One interesting thing is that if we are not given any subnet mask after the IP address, the firewall by default sets it to the default subnet mask of that class.

Firewall Interface Configuration

Inside Interface Configuration

Outside Interface Configuration

Traffic, which is from Higher Security Levels to Lower Security Levels is by default allowed in CISCO ASA Firewall. However, the network traffic from the Lower Security Level to the Higher Security level is set to deny by default. So, if we have to allow traffic from the Lower Security Level to the Higher Security level, then we can write ACL (Access Control List).

By default, the hostname is set to “ciscoasa” in CISCO ASA Firewall, we can change it by using the following commands:

You can add the credentials of users with a unique username and password with their Privilege Levels (0 to 15 ) in Cisco ASA. You can follow the following guide to add user credentials to the Firewall:

How to set ASDM on CISCO ASA

ASDM (Adaptive Security Device Manager) is a GUI (Graphical User Interface) application, which is used to configure Cisco ASA in a /graphical way instant of Command-Line. To access ASA in graphical mode, you need to install Java Webstart on your PC. You can access ASDM using the below command guide.

In the above configuration, I have enabled the HTTP Server(Web Server) on the Cisco ASA Firewall. Then we have to provide access to this HTTP Server to users who are part of the Management Network (using wildcard bits). At last, in the configuration line, I enable the authentication for the HTTP console. Every user who is part of the “LOCAL” database can access the ASDM of the CISCO ASA firewall using their local credentials.

After, the above configuration, you can open your web browser and hit the address of the Cisco ASA firewall (https://192.168.1.1) in this case. Also, if you are using a Linux Operating System then you can execute the following command in the terminal to open ASDM :

ASDM-IDM-Login-using-javaw
Access to ASA ASDM using Java Webstart

Summary

Guys, In this article, we learn about Firewalls. First of all, we learn the basics of IP addresses and Domain Names. We also studied Network Ports and Protocols. After that, we studied Firewall Zones. Finally, we took an example of a Cisco ASA Firewall and configured it from the beginning.

Related Articles

References

Feel free to ask your queries. Share us on social media like facebook and shows us some love 🙂

You May Also Like

About the Author: Vikash Kaushik

Leave a Reply

Your email address will not be published. Required fields are marked *

Share via
Copy link