Cisco IOS Firewall


Implementing Secure Converged Wide Area Networks (ISCW)
Module 6: Cisco IOS Threat Defense Features
© 2006 Cisco Systems, Inc. All rights reserved.
Module 6: Cisco IOS Threat Defense Features
Lesson 6.1: Introducing the Cisco IOS Firewall
Objectives
• Explain the purpose of the Demilitarized Zone (DMZ).
• Describe various DMZ topologies and design options.
• Describe firewall operations and implementation technologies.
• Compare and contrast various firewall implementation options.
• Describe the security features available in the Cisco IOS Firewall Feature Set.
DMZ
• A DMZ is established between security zones.
• DMZs are buffer networks that are neither the Inside nor the Outside network.
Layered Defense Features
• Access control is enforced on traffic entering and exiting the buffer network to all security zones by:
– Classic routers
– Dedicated firewalls
• DMZs are used to host services:
– Exposed public services are served on dedicated hosts inside the buffer network.
– The DMZ may host an application gateway for outbound connectivity.
• A DMZ blocks and contains an attacker in the case of a break-in.
Multiple DMZs
[Figure: Three Separate DMZs]
• Multiple DMZs provide better separation and access control:
– Each service can be hosted in a separate DMZ.
– Damage is limited and attackers contained if a service is compromised.
Modern DMZ Design
• Various systems (a stateful packet filter or proxy server) can filter traffic.
• Proper configuration of the filtering device is critical.
Private VLAN
• Traffic flows on private VLANs:
– RED and YELLOW can communicate with BLUE
– RED and YELLOW cannot communicate with each other
[Figure: primary VLAN and secondary VLANs; promiscuous ports and secondary VLAN ports connecting Host 1 (FTP), Host 2 (HTTP) and Host 3 (Admin)]
Firewall Technologies
• Firewalls use three technologies:
– Packet filtering
– Application layer gateway (ALG)
– Stateful packet filtering
Packet Filtering
• Packet filtering limits traffic into a network based on the destination and source addresses, ports, and other flags that you compile in an ACL.

Packet Filtering Example
Router(config)# access-list 100 permit tcp any 16.1.1.0 0.0.0.255 established
Router(config)# access-list 100 deny ip any any log
Router(config)# interface Serial0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# end
Application Layer Gateway
• The ALG intercepts and establishes connections to the Internet hosts on behalf of the client.

ALG Firewall Device
[Figure only]
Stateful Packet Filtering
• Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes.
• Stateful inspection then remembers certain details, or the state of that request.
Stateful Firewalls
• Also called “stateful packet filters” and “application-aware packet filters.”
• Stateful firewalls have two main improvements over packet filters:
– They maintain a session table (state table) where they track all connections.
– They recognize dynamic applications and know which additional connections will be initiated between the endpoints.
• Stateful firewalls inspect every packet, compare the packet against the state table, and may examine the packet for any special protocol negotiations.
• Stateful firewalls operate mainly at the connection (TCP and UDP) layer.
Stateful Packet Filtering Example
[Figure: an incoming network packet passes through the packet filters (ordered list of rules plus dynamic rules) in kernel space, then up the network stack to the authentication daemons in application space; accepted packets leave as outgoing network packets.]
1. Incoming network packet: all incoming packets are compared against defined rules composed from a very limited command set for one or more low-level protocols, such as IP, TCP, and ICMP. Packets are either denied and dropped here, or they are accepted and passed to the network stack for delivery.
2. Based on information contained within each packet, each packet is associated with additional static information.
3. Dynamic rules are added and removed based on a combination of the data contained within the network packet and the static information.
4. Accepted new packets: if a packet satisfies all of the packet filter rules, then depending on whether it is destined for the firewall or a remote host, the packet either propagates up the network stack for further processing or gets forwarded to the network host.
5. All network packets associated with an authentication session are processed by an application (authentication daemon) running on the firewall host.
Stateful Firewall Handling of Different Protocols
• TCP Sessions
– Keeping track of a TCP connection is easy (check flow information and check TCP sequence numbers against the state table entry).
• UDP Connections
– There are no flags or sequence numbers; hard to robustly track.
– Only flow information is checked against; timeouts are used to delete state table entries.
• Other Connectionless Services (GRE, IPsec)
– These are usually handled like a stateless packet filter.
• Dynamic Applications
– These are handled automatically by snooping on application negotiation channels.
The Cisco IOS Firewall Feature Set
• The Cisco IOS Firewall Feature Set contains these features:
– Standard and extended ACLs
– TCP intercept
– Cisco IOS Firewall
– Cisco IOS Firewall IPS
– Authentication proxy
– Port-to-Application Mapping (PAM)
– NAT
– IPsec network security
– Event logging
– User authentication and authorization
Cisco IOS Firewall
• Packets are inspected when entering the Cisco IOS firewall if the packets are not specifically denied by an ACL.
• Cisco IOS Firewall permits or denies specified TCP and UDP traffic through a firewall.
• A state table is maintained with session information.
• ACLs are dynamically created or deleted.
• Cisco IOS Firewall protects against DoS attacks.
Cisco IOS Authentication Proxy
• HTTP, HTTPS, FTP, and Telnet authentication
• Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols
Cisco IOS IPS
• Acts as an inline intrusion prevention sensor—traffic goes through the sensor
• When an attack is detected, the sensor can perform any of these actions:
– Alarm: Send an alarm to SDM or syslog server.
– Drop: Drop the packet.
– Reset: Send TCP resets to terminate the session.
– Block: Block an attacker IP address or session for a specified time.
• Identifies 700+ common attacks
Cisco IPS Signature Actions
Action – Description
Alarm – Generates an alert that can be logged to the logging destinations or via Security Device Event Exchange (SDEE)
Drop – Drops the packet
Reset – Resets the TCP connection by sending TCP RST packets to both the sender and receiver
Block attacker – Blocks all communications from the offending IP address for a specified time
Block connection – Blocks the offending TCP or UDP session for a specified time
Cisco IOS ACLs Revisited
• ACLs provide traffic filtering by these criteria:
– Source and destination IP addresses
– Source and destination ports
• ACLs can be used to implement a filtering firewall, leading to these security shortcomings:
– Ports opened permanently to allow traffic, creating a security vulnerability.
– The ACLs do not work with applications that negotiate ports dynamically.
• Cisco IOS Firewall addresses these shortcomings of ACLs.
Cisco IOS Firewall TCP Handling
[Figure only]

Cisco IOS Firewall UDP Handling
[Figure only]

How Cisco IOS Firewall Works
[Figure only]
Timeout and Threshold Values
Value – Description
Timeout values for TCP and UDP sessions – Helps prevent DoS attacks by freeing system resources. Timeouts can be set separately for TCP and UDP.
Threshold values for TCP sessions –
• Helps prevent DoS attacks by controlling the number of half-opened sessions, limiting the amount of system resources that are applied to half-opened sessions.
• When a session is dropped, the firewall sends a reset message to the devices at both endpoints (source and destination) of the session.
• When the system under DoS attack receives a reset command, the system releases, or frees, processes and resources that are related to that incomplete session. Thresholds are configured only for TCP.
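The stateless ACL in the Packet Filtering Example, the protocol-handling slide (TCP tracked by flow and sequence state, UDP only by flow plus timeouts) and the timeout and threshold table above are easier to reason about with a running model. The Python below is an added example written for this page; it is not Cisco code and does not claim to mirror how IOS implements inspection internally. It puts a stateless `established`-style check beside a session table so the same packet trace shows where each decision differs: a genuine TCP reply passes both, an unsolicited inbound segment that merely carries the ACK bit passes the stateless check but not the session table, a UDP reply is admitted only by the session table and only until the idle timer expires it, and a run of unanswered outbound SYNs trips the half-open threshold. The hosts, ports, timer values and packets are constructed sample data.

```python
"""Toy model of stateful inspection (added example, not Cisco IOS code).
Outbound traffic creates session state, return traffic must match an entry,
unsolicited inbound traffic is dropped, UDP entries age out on an idle timer,
and a half-open TCP threshold frees the oldest incomplete session.
Hosts, ports, timers and the packet trace are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                  # "out" = inside -> outside, "in" = outside -> inside
    t: float = 0.0                  # arrival time in seconds
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def established_acl(pkt: Packet) -> bool:
    """Stateless check like 'permit tcp any <inside> established': inbound TCP passes when
    ACK or RST is set. It keeps no memory, so it cannot tell a genuine reply from an
    unsolicited segment with ACK set, and it has no way to admit UDP replies."""
    if pkt.direction == "out":
        return True
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class StatefulFirewall:
    """Session table keyed on the 5-tuple as seen from the inside network."""
    def __init__(self, tcp_idle: float = 3600, udp_idle: float = 30, max_incomplete: int = 500):
        self.tcp_idle = tcp_idle              # idle timeout for TCP entries
        self.udp_idle = udp_idle              # idle timeout for UDP entries
        self.max_incomplete = max_incomplete  # half-open TCP sessions tolerated
        self.table: Dict[Tuple, dict] = {}
        self.resets_sent: List[Tuple] = []    # half-open sessions torn down with RSTs

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        # Normalise so both directions of one session share an entry.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        # UDP has no flags that mark the end of a flow; only the idle timer frees it.
        for key, entry in list(self.table.items()):
            idle = self.tcp_idle if key[0] == "tcp" else self.udp_idle
            if now - entry["last"] > idle:
                del self.table[key]

    def _half_open(self) -> List[Tuple]:
        return [k for k, e in self.table.items() if k[0] == "tcp" and not e["established"]]

    def process(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        key = self._key(pkt)
        entry = self.table.get(key)
        if pkt.direction == "out":
            if entry is None:
                if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
                    return "deny"             # a new TCP session must begin with a SYN
                half_open = self._half_open()
                if pkt.proto == "tcp" and len(half_open) >= self.max_incomplete:
                    # Threshold reached: drop the oldest half-open session and record the
                    # RSTs sent to both endpoints so they release their resources.
                    oldest = min(half_open, key=lambda k: self.table[k]["last"])
                    del self.table[oldest]
                    self.resets_sent.append(oldest)
                # UDP has no handshake, so its entry is complete immediately.
                self.table[key] = {"established": pkt.proto == "udp", "last": pkt.t}
            else:
                entry["last"] = pkt.t
            return "permit"
        if entry is None:
            return "deny"                     # unsolicited inbound: no matching session
        if pkt.proto == "tcp" and {"SYN", "ACK"} <= pkt.flags:
            entry["established"] = True       # handshake completed
        entry["last"] = pkt.t
        return "permit"


def demo_trace() -> List[Tuple[str, bool]]:
    """Run a constructed trace through both filters; returns (stateful, stateless) per packet."""
    inside, web, dns, stranger = "10.1.1.10", "203.0.113.5", "203.0.113.53", "198.51.100.7"
    trace = [
        Packet("tcp", inside, 40000, web, 80, "out", 0.0, frozenset({"SYN"})),
        Packet("tcp", web, 80, inside, 40000, "in", 0.1, frozenset({"SYN", "ACK"})),
        Packet("tcp", inside, 40000, web, 80, "out", 0.2, frozenset({"ACK"})),
        Packet("tcp", stranger, 80, inside, 40000, "in", 1.0, frozenset({"ACK"})),  # unsolicited
        Packet("udp", inside, 53000, dns, 53, "out", 2.0),
        Packet("udp", dns, 53, inside, 53000, "in", 2.5),   # reply within the idle window
        Packet("udp", dns, 53, inside, 53000, "in", 40.0),  # late reply; entry has aged out
    ]
    fw = StatefulFirewall()
    return [(fw.process(p), established_acl(p)) for p in trace]


def demo_threshold(max_incomplete: int = 2) -> Tuple[int, List[Tuple]]:
    """Three outbound SYNs that never complete; returns (table size, sessions reset)."""
    fw = StatefulFirewall(max_incomplete=max_incomplete)
    for i in range(1, 4):
        fw.process(Packet("tcp", "10.1.1.10", 40000 + i, f"203.0.113.{i}", 80, "out", float(i),
                          frozenset({"SYN"})))
    return len(fw.table), fw.resets_sent
```

The three constructor parameters correspond to the knobs the table above describes; on a classic Cisco IOS Firewall (CBAC) router they are set with `ip inspect tcp idle-time`, `ip inspect udp idle-time` and the `ip inspect max-incomplete high`/`low` pair, and the RST the model records is what the real firewall sends to both endpoints when it drops a half-open session.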
Cisco IOS Firewall Supported Protocols
• Regardless of the application layer protocol, Cisco IOS Firewall will inspect:
– All TCP sessions
– All UDP connections
• Enhanced stateful inspection of application layer protocols
[Figure: outgoing requests to the Internet, and responses from the Internet, are allowed; incoming requests from the Internet are blocked.]
Alerts and Audit Trails
• Cisco IOS Firewall generates real-time alerts and audit trails.
• Audit trail features use syslog to track all network transactions.
• With Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.
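An audit trail only pays off when something consumes it. The Python below is an added example for this page, not Cisco code: it parses session start/stop records and half-open threshold alerts written in the shape of the Cisco IOS Firewall `%FW-6-SESS_AUDIT_TRAIL` and `%FW-4-ALERT_ON`/`%FW-4-ALERT_OFF` syslog messages, then produces the two summaries an operations team usually wants from them: bytes moved per inside host (with any single session above an egress limit called out) and whether the firewall entered its aggressive half-open mode. The sample log lines, hosts, timestamps and byte counts are constructed, and the message wording follows the classic CBAC format from memory, so check the regular expressions against your own router's output before relying on them.

```python
"""Parse Cisco IOS Firewall audit-trail and alert syslog lines (added example, not Cisco code).
SAMPLE_LOG is constructed in the shape of the %FW-6-SESS_AUDIT_TRAIL and
%FW-4-ALERT_ON/ALERT_OFF messages; hosts, times and byte counts are sample values."""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
Mar  1 10:00:01.123 EST: %FW-6-SESS_AUDIT_TRAIL: Start tcp session: initiator (10.1.1.10:40000) -- responder (203.0.113.5:80)
Mar  1 10:00:02.456 EST: %FW-6-SESS_AUDIT_TRAIL: Start udp session: initiator (10.1.1.10:53000) -- responder (203.0.113.53:53)
Mar  1 10:00:02.789 EST: %FW-6-SESS_AUDIT_TRAIL: Stop udp session: initiator (10.1.1.10:53000) sent 64 bytes -- responder (203.0.113.53:53) sent 180 bytes
Mar  1 10:00:09.001 EST: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.10:40000) sent 1200 bytes -- responder (203.0.113.5:80) sent 45000 bytes
Mar  1 10:00:15.500 EST: %FW-4-ALERT_ON: getting aggressive, count (501/500) current 1-min rate: 620
Mar  1 10:00:15.600 EST: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.20:51000) sent 9000000 bytes -- responder (198.51.100.9:443) sent 3000 bytes
Mar  1 10:01:20.000 EST: %FW-4-ALERT_OFF: calming down, count (399/400) current 1-min rate: 150
"""

# Session end records carry both byte counters; start records add nothing we need here.
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\w+) session: "
    r"initiator \((?P<isrc>[\d.]+):(?P<isport>\d+)\) sent (?P<ibytes>\d+) bytes -- "
    r"responder \((?P<rsrc>[\d.]+):(?P<rport>\d+)\) sent (?P<rbytes>\d+) bytes"
)
# Half-open threshold crossings: count (current/threshold) and the one-minute rate.
ALERT_RE = re.compile(
    r"%FW-4-(?P<state>ALERT_ON|ALERT_OFF): .*count \((?P<count>\d+)/(?P<threshold>\d+)\) "
    r"current 1-min rate: (?P<rate>\d+)"
)


def parse_audit_trail(text: str) -> Dict[str, List[dict]]:
    """Split the log into completed sessions and threshold alerts."""
    sessions: List[dict] = []
    alerts: List[dict] = []
    for line in text.splitlines():
        m = STOP_RE.search(line)
        if m:
            sessions.append({
                "proto": m["proto"], "initiator": m["isrc"], "responder": m["rsrc"],
                "port": int(m["rport"]), "sent": int(m["ibytes"]), "received": int(m["rbytes"]),
            })
            continue
        m = ALERT_RE.search(line)
        if m:
            alerts.append({"state": m["state"], "count": int(m["count"]),
                           "threshold": int(m["threshold"]), "rate": int(m["rate"])})
    return {"sessions": sessions, "alerts": alerts}


def summarize(parsed: Dict[str, List[dict]], egress_limit: int = 5_000_000) -> Dict:
    """Per-initiator byte totals, sessions that pushed more than egress_limit bytes out,
    and how often / how far the firewall crossed its half-open threshold."""
    sent_by_host: Dict[str, int] = defaultdict(int)
    large_egress = []
    for s in parsed["sessions"]:
        sent_by_host[s["initiator"]] += s["sent"]
        if s["sent"] > egress_limit:
            large_egress.append((s["initiator"], s["responder"], s["port"], s["sent"]))
    aggressive = [a for a in parsed["alerts"] if a["state"] == "ALERT_ON"]
    return {
        "sent_by_host": dict(sent_by_host),
        "large_egress": large_egress,
        "aggressive_periods": len(aggressive),
        "peak_half_open": max((a["count"] for a in aggressive), default=0),
    }


if __name__ == "__main__":
    print(summarize(parse_audit_trail(SAMPLE_LOG)))
```

The per-application control the slide mentions is what makes this cheap to run at scale: audit-trail on the protocols you want a session ledger for (here TCP and UDP), alerts left on everywhere, and the `ALERT_ON` record doubles as the earliest sign that the half-open thresholds from the previous slide are actually being exercised.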
Summary
• The Cisco IOS Firewall software offers a full set of security features that can be implemented to provide security for a network.
• The DMZ is an ideal place to host services to enable inside users to connect to the outside perimeter. The DMZ approach is the most popular and commonly used modern architecture.
• Firewalls can be based on packet filtering, application layer gateways or stateful packet filtering.
• The Cisco IOS Firewall Feature Set is a security-specific option for Cisco IOS software that is available in select security Cisco IOS images.
• The Cisco IOS Firewall Feature Set integrates robust firewall functionality, authentication proxy, and intrusion prevention.
Q and A

Resources
• Cisco IOS Firewall Design Guide
http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html