The Complete Guide to Network Firewall 2019

Introduction to Hardware and Software Firewall

A firewall is a network security system that controls and monitors incoming and outgoing network traffic. Firewalls come in two types: hardware firewalls and software firewalls. A hardware firewall is a dedicated appliance with its own operating system, CPU, RAM and various types of interfaces (ports). A software firewall is an application installed on a general-purpose operating system such as Windows, Linux or macOS. In both cases, we have to write policies, because a firewall's behaviour always depends on the policies written for it. Those policies consist of inbound and outbound rules, and every packet that tries to cross the boundary (inbound to outbound or outbound to inbound) is first checked against them. If the packet matches a rule that allows it, it can cross the firewall; otherwise, the firewall drops the packet.

IP Address and Domain Name

To understand firewalls in detail, we must first understand how networking works. The IP address plays a vital role in networking. There are two types of IP address: IPv4 and IPv6. Every computer, networking device and server on a network has a unique IP address. DNS (the Domain Name System) maps between domain names and IP addresses. Human beings usually use domain names instead of IP addresses, because a domain name such as "https://www.gns3network.com" is much easier to remember and understand than an IP address such as 104.31.89.207.

Network Port and Protocols

Ports and protocols both play an essential role in networking. In computer networking, a port identifies a virtual path from source to destination. So whenever a user requests a service from a server, their system itself adds a source port number and a destination port number to the request. Ports are divided into three ranges: Well Known, Registered and Private. The Internet Assigned Numbers Authority (IANA) manages all port numbers and protocols.

  • Well Known: 0 to 1023 (used by commonly used protocols)
  • Registered: 1024 to 49151
  • Private: 49152 to 65535 (also known as dynamic ports)

Protocols are the sets of rules that every computer follows in order to communicate with another computer. For example, we have protocols like FTP, DNS, HTTP, TELNET, SSH, HTTPS, etc. All of these protocols use ports from the Well Known range.

So, if we have to block a service, we directly block access to that protocol's port. Some common protocols and their port numbers are listed below:

Serial No | Protocol           | Port Number
----------|--------------------|------------
1         | FTP                | 20/21
2         | Secure Shell (SSH) | 22
3         | TELNET             | 23
4         | Telnet             | 24
5         | DNS                | 53
6         | DHCP               | 67/68
7         | TFTP               | 69
8         | HTTP               | 80
9         | POP3               | 25/110
10        | HTTPS              | 443

Firewall Zones [Inside, Outside and DMZ]

Firewall interfaces (ports) are always placed into zones. Most of the time, for example, network designers call them Inside, Outside and Demilitarized Zone. In the Inside zone we have our switches and routers; most of the end users working for the organization are there. In the Outside zone there is the global Internet. This zone is also known as the "World of Hackers". In the Demilitarized Zone, commonly known as the DMZ, we have our servers, such as the web server and FTP server. People on the outside Internet can access our DMZ servers, such as the web server. In the Cisco ASA firewall, we have to define a security level for each interface: the higher the security level, the higher the trust placed in the network on that side.

In this picture, the router is in the Inside zone, the web server is in the DMZ, and the ISP is in the Outside zone.

[Image: Cisco ASA Firewall with DMZ zone]

Firewall Configuration

Firewalls are manufactured by many vendors, so their configuration also differs from vendor to vendor. In this session, we are going to configure our Cisco ASA firewall using Telnet. First, we have to configure a management port with an IP address, as shown in the configuration below:

ciscoasa# configure terminal
ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# telnet 0 0 management
ciscoasa(config)# aaa authentication telnet console LOCAL

[Image: ASA Firewall configuration with Telnet and ASDM]

Now we open the terminal (cmd on Windows) on our PC and connect to the ASA firewall using telnet. The output of the command is shown below:

networking@firewall$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
User Access Verification
Username: vicky
Password: *****
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:
ciscoasa#

Now we have to configure the firewall's other interfaces. Here I will configure two interfaces, one in the inside zone and one in the outside zone, named inside and outside respectively. The security level on these interfaces will be 100 and 0 respectively. If we give the name "inside" to any interface, the firewall sets its security level to 100 by default; likewise, if an interface is named "outside", the firewall sets its security level to 0 by default. One interesting thing is that if we do not give a subnet mask after the IP address, the firewall sets it to the default subnet mask of that address's class.
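To make the last point concrete, here is an added example (not from the original article) that works out the classful default mask for the two interface addresses configured below and shows which network each interface lands in with and without an explicit mask. It uses only Python's standard library; the address/mask pairs are the ones on this page.

```python
# Added example: classful default mask versus an explicit mask, using the
# two interface addresses configured in this article.
import ipaddress
from typing import Optional


def classful_default_mask(ip: str) -> str:
    """Return the classful (pre-CIDR) default subnet mask for an IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:          # Class A: 0.0.0.0 - 127.255.255.255
        return "255.0.0.0"
    if first_octet < 192:          # Class B: 128.0.0.0 - 191.255.255.255
        return "255.255.0.0"
    if first_octet < 224:          # Class C: 192.0.0.0 - 223.255.255.255
        return "255.255.255.0"
    raise ValueError(f"{ip} is a class D/E address and has no default host mask")


def interface_network(ip: str, mask: Optional[str] = None) -> str:
    """Network an interface ends up in, with the given mask or the classful default."""
    mask = mask or classful_default_mask(ip)
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False))


if __name__ == "__main__":
    # Inside interface: the classful default equals the mask typed on the page.
    print(interface_network("192.168.20.1"))                    # 192.168.20.0/24
    # Outside interface: omitting the /29 would silently claim all of 101.0.0.0/8.
    print(interface_network("101.1.1.1"))                       # 101.0.0.0/8
    print(interface_network("101.1.1.1", "255.255.255.248"))    # 101.1.1.0/29
```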

Firewall Interface Configuration

Inside Interface Configuration

ciscoasa# configure terminal
ciscoasa(config)# interface GigabitEthernet 0/0
ciscoasa(config-if)# ip address 192.168.20.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)#

Outside Interface Configuration

ciscoasa# configure terminal
ciscoasa(config)# interface GigabitEthernet 0/1
ciscoasa(config-if)# ip address 101.1.1.1 255.255.255.248
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

Traffic from a higher security level to a lower security level is allowed by default in the Cisco ASA firewall. However, traffic from a lower security level to a higher security level is denied by default. So, if we have to allow traffic from a lower security level to a higher one, we write an ACL (Access Control List).
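The decision described here, together with the policy-list behaviour from the introduction (first matching rule decides, anything unmatched is dropped), as an added example that is not part of the original article: a small model of how an ASA-style firewall decides whether a packet may cross between two interfaces. The inside/outside levels are the ones configured above; the DMZ level, the sample ACL and the packets are constructed for the example.

```python
# Added example: security-level default plus first-match ACL evaluation.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_port: int
    in_if: str      # interface the packet arrives on
    out_if: str     # interface it would leave through


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "tcp", "udp" or "ip" (any protocol)
    dst_port: Optional[int] = None   # None matches any destination port


# Levels as on the page (inside=100, outside=0); dmz=50 is an assumption.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed sample ACLs, keyed by the interface they are applied to inbound.
# Interfaces without an ACL fall back to the security-level rule.
ACLS: Dict[str, List[Rule]] = {
    "outside": [
        Rule("permit", "tcp", 80),    # Internet -> DMZ web server
        Rule("permit", "tcp", 443),
    ],
}


def acl_decision(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First matching entry wins; None means nothing matched."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return r.action
    return None


def is_allowed(pkt: Packet) -> bool:
    """Decide whether pkt may cross from pkt.in_if to pkt.out_if."""
    rules = ACLS.get(pkt.in_if)
    if rules is not None:
        # An applied ACL governs everything entering that interface and ends
        # with an implicit deny, even for flows that would pass by level.
        return acl_decision(rules, pkt) == "permit"
    # No ACL: higher-to-lower is allowed, lower-to-higher is denied.
    return SECURITY_LEVELS[pkt.in_if] > SECURITY_LEVELS[pkt.out_if]
```

Traffic between two interfaces at the same level is also denied by this rule, which matches the ASA default unless same-security traffic has been explicitly permitted.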

By default, the hostname of a Cisco ASA firewall is set to "ciscoasa". We can change it with the following commands:

ciscoasa# configure terminal
ciscoasa(config)# hostname networking-firewall
networking-firewall(config)#

You can add user credentials with a unique username and password and a privilege level (0 to 15) in Cisco ASA. Follow the guide below to add user credentials to the firewall:

ciscoasa# configure terminal 
ciscoasa(config)# username networking password firewall privilege 15

How to setup ASDM on CISCO ASA

ASDM (Adaptive Security Device Manager) is a GUI (Graphical User Interface) application used to configure the Cisco ASA graphically instead of from the command line. To access the ASA in graphical mode, you need to install Java Web Start on your PC. You can enable ASDM access using the commands below.

networking-firewall# configure terminal
networking-firewall(config)# http server enable
networking-firewall(config)# http 0 0 management
networking-firewall(config)# aaa authentication http console LOCAL

In the above configuration, I have first enabled the HTTP server (web server) on the Cisco ASA firewall. Then we grant access to this HTTP server to hosts on the management network (the address and mask 0 0 match any source on that interface). In the last line, I enable authentication for the HTTP console, so every user in the "LOCAL" database can access ASDM on the Cisco ASA firewall using their credentials.

After the above configuration, you can open your web browser and go to the address of the Cisco ASA firewall (https://192.168.1.1 in this case). Also, if you are using a Linux operating system, you can run the following command in the terminal to open ASDM:

networking@firewall$ javaws https://192.168.1.1/admin/public/asdm.jnlp 

[Image: Access to ASA ASDM using Java Web Start]

Summary

In this article, we learned about firewalls. First of all, we learned the basics of IP addresses and domain names. We also studied network ports and protocols. After that, we studied firewall zones. Finally, we took the example of a Cisco ASA firewall and configured it from scratch.

Feel free to ask your queries. We will try to address your questions as soon as possible. Thanks!
