This is my first Security Post regarding Cisco PIX/ASA firewalls. To begin with, what is a firewall? Literally, in the real world, a firewall as part of a building, is used to you guessed it: protect the building from fire. 🙂 The same applies in the networking world. A firewall is a device that prevents unauthorized access and permits authorized access to a network. A firewall may function for packet filtering, proxy server and stateful packet filtering. Cisco PIX/ASA devices function as stateful packet filtering devices, which builds a stateful connection table to verify the connections.
A firewall prevents access from the untrusted network to the trusted network. An interface of the firewall may belong to the untrusted or the trusted. The interface that belongs to the trusted network is often called the inside interface and the untrusted one is the outside interface. Security-levels from 0-100 indicates the level of trust for an interface. The higher the number the more trusted the interface. The rule in security-level is that a higher security level can have access to a lower security level, the lower security level doesn’t have access to a higher security level and is blocked by default. Interfaces with the same security levels are blocked as well.
Let’s configure interfaces and lets see how security-levels are applied automatically and manually. I am using a PIX firewall.
First lets configure an outside interface.
petesfirewall(config)# interface ethernet0
petesfirewall(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
The “nameif” command is basically used to name an interface. Very obvious isn’t it?:) Notice that once we named the interface “outside”, Cisco automatically set the security-level to 0 meaning its untrusted. Next we configure an inside interface.
petesfirewall(config-if)# interface ethernet1
petesfirewall(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
The PIX now configures the security level by 100 which means its a trusted interface. For this reason, traffic from ethernet1 to ethernet0 is permitted by default but traffic from ethernet0 to ethernet1 is not. This is where inbound access-list comes in to allow traffic from an untrusted interface to a trusted one.
Let us now configure an interface named “webservers”. You can use any name you like by the way. Let’s give it a security-level of 60.
petesfirewall(config-if)# interface ethernet2
petesfirewall(config-if)# nameif webservers
INFO: Security level for “webservers” set to 0 by default.
petesfirewall(config-if)# security-level 60
Notice that any interface name other than “inside” is automatically given a 0 security-level value. The “security-level” command is used to specify manually a security level to an interface. Ethernet2 by default can access Ethernet0 but can’t access Ethernet1, because the latter has a higher security-level than the former. The “show nameif” command is a very useful command to display the names of the interfaces including the security-levels.
petesfirewall(config)# show nameif
Interface Name Security
Ethernet0 outside 0
Ethernet1 inside 100
Ethernet2 webservers 60
As you can see, in the PIX firewall the show command is accepted unlike in the routers which doesn’t accept show commands in the global-configuration mode. For those have been configuring routers, adapting to configuring firewalls would be easy. After all, its still Cisco. 🙂
Finally, sometimes there is a need to allow access to interfaces with the same security-level. The command below, will allow such access.
petesfirewall(config)# same-security-traffic permit inter-interface