Cisco IOS Firewall And Security Appliances


The Cisco IOS Firewall feature set provides a single point of protection at the network perimeter, making security policy enforcement an inherent component of the network. The IINS exam objectives covered in this chapter are:

  Describe the operational strengths and weaknesses of the different firewall technologies
  Explain stateful firewall operations and the function of the state table
  Implement Zone-Based Firewall using SDM

This chapter is broken up into the following sections:

  Cisco IOS Firewall Overview
  Types of Firewalls
  Hardware versus Software Firewalls
  Cisco Security Appliances
  Context-Based Access Control
  Cisco Zone-Based Policy Firewall

IINS Exam Objective                                             Section(s) Covered
Describe the operational strengths and weaknesses of the        Cisco IOS Firewall Overview; Types of Firewalls;
different firewall technologies                                 Hardware versus Software Firewalls
Explain stateful firewall operations and the function of the    Types of Firewalls; Cisco Security Appliances
state table
Implement Zone-Based Firewall using SDM                         Cisco Zone-Based Policy Firewall
Other Related Topics                                            Context-Based Access Control

2006-2010 HowtoNetwork.net. All Rights Reserved. Reproduction without permission prohibited.

Cisco IOS Firewall Overview

The Cisco IOS Firewall feature set provides network security with integrated, inline security solutions. It is comprised of a suite of services that allow administrators to provision a single point of protection at the network perimeter. At its core, the Cisco IOS Firewall is a stateful inspection firewall engine with application-level inspection, which provides dynamic control to allow or deny traffic flows. Stateful inspection is described in detail later in this chapter.

In its most basic form, the principal function of any firewall is to filter and monitor traffic. Cisco IOS routers can be configured with the IOS Firewall feature set in the following scenarios:

  As a firewall router facing the Internet
  As a firewall router that protects the internal network from external networks, e.g. partner networks
  As a firewall router between groups of networks within the internal network
  As a firewall router that provides secure connections to remote offices or branches

The Cisco IOS Firewall provides an extensive set of security features that allow administrators to design security solutions tailored to the specific needs of their organization. It is comprised of the following functions and technologies:

  Cisco IOS Stateful Packet Inspection
  Context-Based Access Control
  Intrusion Prevention System
  Authentication Proxy
  Port-to-Application Mapping
  Network Address Translation
  Zone-Based Policy Firewall

Cisco IOS Stateful Packet Inspection

Cisco IOS Stateful Packet Inspection, or SPI, provides firewall capabilities designed to protect networks against unauthorized traffic while still permitting legitimate business-critical data. Cisco IOS SPI maintains state information and counters for connections, as well as the total connection rate through the firewall and intrusion prevention software. Stateful packet inspection is described in detail later in this chapter.

Context-Based Access Control

Context-Based Access Control, or CBAC, is a stateful inspection firewall engine that provides dynamic traffic filtering. CBAC, also known as the Classic Firewall, is described in detail later in this chapter.

Intrusion Prevention System

The Cisco IOS Intrusion Prevention System, or IPS, is an inline intrusion detection and prevention sensor. It scans the packets and sessions flowing through the router and matches them against Cisco IPS signatures to protect the network from internal and external threats. Cisco IPS solutions are described in detail in the following chapter.

Authentication Proxy

The Authentication Proxy feature, also known as Proxy Authentication, allows administrators to enforce security policy on a per-user basis: users are authenticated and authorized individually, and access control can be customized down to the level of a single user. Authentication Proxy configuration and detailed knowledge are beyond the scope of the IINS course requirements and are not described in detail in this guide.

Port-to-Application Mapping

Port-to-Application Mapping, or PAM, allows administrators to tell the firewall which application protocol is running on a non-standard TCP or UDP port. For example, if a web server listens on TCP port 8080 instead of the default port 80, PAM can map port 8080 to HTTP so that the firewall applies HTTP inspection to that traffic. CBAC uses PAM information to examine Application Layer protocols that run on non-standard ports. PAM configuration and detailed knowledge are beyond the scope of the IINS course requirements and are not described in detail in this guide.

Network Address Translation

Network Address Translation, or NAT, is used to hide internal addresses, which are typically private (i.e. RFC 1918) addresses, from networks that are external to the firewall. The primary purpose of NAT is address conservation for networks that use RFC 1918 addressing, given the shortage of globally routable (i.e. public) IP address space. The security NAT provides is limited: it obscures the internal addressing plan from the outside world but does not inspect or filter traffic, so it should not be relied on as a firewall on its own. NAT configuration and detailed knowledge are beyond the scope of the IINS course requirements and are not described in detail in this guide.

Zone-Based Policy Firewall

Zone-Based Policy Firewall, or ZPF, is a newer Cisco IOS Firewall feature designed to replace CBAC, the Classic Firewall, and to address some of its limitations. ZPF applies stateful inspection on a zone-based model, in which interfaces are assigned to zones and policy is written between pairs of zones. This provides greater granularity, flexibility, scalability, and ease of use than the Classic Firewall. ZPF is described in detail later in this chapter.

Types of Firewalls

A firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. Firewalls may be dedicated hardware-based devices, or software-based programs that run on a hardened computer or server. A firewall must have at least two network interfaces: one for the network it is intended to protect, and one for the network it is exposed to. Basic firewalls consist of two main mechanisms.

The first mechanism is designed to block traffic. This could be traffic originating from external networks, such as the Internet, or internally, such as from restricted users and hosts. The second mechanism is designed to allow traffic. This could be internally originated traffic, e.g. internal users accessing the Internet, or external traffic, e.g. Internet users accessing a company-owned web server. Firewalls fall into four broad categories:

1. Static or Network-Level Packet Filters
2. Circuit Level Gateways
3. Application Level Firewalls or Gateways
4. Stateful Inspection Firewalls

As is the case with any technology, firewalling capabilities have evolved as the methods of attack used by intruders have evolved. Currently, there are four generations of firewall technology, corresponding to the four categories above. First generation firewalls were the first types of firewalls used to secure computer networks. These firewalls provided basic filtering at Layer 3 and Layer 4 of the OSI Model, i.e. on addresses and ports. Second generation firewalls were introduced to provide further firewalling capabilities. They allowed network security administrators to monitor traffic at Layers 3, 4, and 5 of the OSI Model, i.e. on the session as well as on addresses and ports. Third generation firewalls superseded second generation firewalls and provided filtering at Layers 3, 4, 5, and 7 of the OSI Model, adding inspection of the application data itself. Finally, the most recent (fourth) generation of firewalls also operates at Layers 3, 4, 5, and 7 of the OSI Model, but uses a concept referred to as stateful inspection, which allows them to offer greater security than third generation firewalls. Stateful inspection is described in detail later in this chapter.

Despite their generational differences, it is important to understand and keep in mind that different generations of firewalls can be used in conjunction with each other, as is often the case, to enhance network security. For example, first generation packet filters on a border router are commonly used in front of a fourth generation stateful firewall to provide additional security within a network.

Static or Network-Level Packet Filters

Static or Network-Level Packet Filters are first-generation firewalls. These firewalls work at the Network Layer of the OSI Model by inspecting packet headers and filtering traffic based on the source and destination IP addresses, the port, and the service. Static packet filters can also filter packets based on protocol, the domain name of the source, and a few other attributes, depending on the software capabilities of the platforms they are implemented on.

Static packet filters are fast and relatively easy to implement. Cisco IP extended ACLs are examples of static packet filters; they are supported on Cisco IOS routers and switches as well as on Cisco PIX and ASA firewalls. While static packet filters provide relatively advanced header-matching capabilities, their security value is limited: they do not understand languages such as HTML and XML, and they cannot decrypt SSL-encrypted packets to examine their content. As a result, static packet filters cannot validate user input or detect maliciously modified parameters in a URL request, which leaves the network vulnerable to threats at the Application Layer. Because each packet is judged on its own, a static filter also cannot tell whether a packet that claims to belong to an existing connection (for example, one with the ACK bit set) actually does.

The following diagram illustrates how static packet filters, e.g. IP extended ACLs, can be used to protect internal networks from outside threats:

The static packet filter illustrated in this diagram is an IP extended ACL configured and applied inbound on the Serial0/0 interface of the Internet-facing router R1. This filter allows only WWW (HTTP, TCP port 80) connections to the web server with the IP address 200.1.1.2/29, and otherwise permits inbound on Serial0/0 only those TCP packets that belong to connections originated by internal hosts on the 200.1.2.0/24 subnet, i.e. return traffic.
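The filter described above, placed beside the state table that a fourth-generation stateful firewall keeps instead, as an added worked example in Python. This is example code written for this page; it is not Cisco's implementation and is not part of the original lesson. The web server and user subnet addresses follow the diagram; the internal host 200.1.2.10, the Internet web server 198.51.100.5, the attacker 203.0.113.9 and the packet trace itself are constructed for the example. The IOS `established` keyword is modelled as it behaves on the router, matching any TCP packet with the ACK or RST bit set, which is exactly the gap a state table closes: the forged ACK-only probe in the trace passes the static filter and is dropped by the stateful one.

```python
"""Static packet filter (extended ACL) versus stateful inspection with a
state table. Example code for this page, not part of the original lesson.

Equivalent IOS ACL for the static filter (applied inbound on Serial0/0 of R1):
    access-list 101 permit tcp any host 200.1.1.2 eq www
    access-list 101 permit tcp any 200.1.2.0 0.0.0.255 established
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB_SERVER = ip_address("200.1.1.2")         # from the page's diagram
USER_SUBNET = ip_network("200.1.2.0/24")     # from the page's diagram


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags present, e.g. "S", "SA", "A", "R"
    direction: str   # "in" = arriving from the Internet on Serial0/0, "out" = leaving the LAN


def static_filter(pkt: Packet) -> bool:
    """First-generation filter: every packet is judged on its own header.
    'established' only checks that ACK or RST is set, so any packet with ACK
    set and a destination in the user subnet is permitted, whether or not an
    internal host ever opened that connection."""
    if pkt.direction == "out":
        return True                                   # the ACL is applied inbound only
    if ip_address(pkt.dst) == WEB_SERVER and pkt.dport == 80:
        return True                                   # permit tcp any host 200.1.1.2 eq www
    if ip_address(pkt.dst) in USER_SUBNET and ("A" in pkt.flags or "R" in pkt.flags):
        return True                                   # permit tcp any 200.1.2.0/24 established
    return False                                      # implicit deny


class StatefulFilter:
    """Fourth-generation filter: outbound connection attempts create an entry
    in the state table; an inbound packet is admitted only if it matches an
    entry in the expected TCP state (or the explicit web-server rule)."""

    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}   # (src, sport, dst, dport) -> TCP state

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.dst, p.dport, p.src, p.sport)

    def permit(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = self._key(pkt)
            if pkt.flags == "S":
                self.table[key] = "SYN_SENT"          # new connection from inside
            elif "A" in pkt.flags and self.table.get(key) == "SYN_RECEIVED":
                self.table[key] = "ESTABLISHED"       # third packet of the handshake
            return True
        if ip_address(pkt.dst) == WEB_SERVER and pkt.dport == 80:
            return True                               # the one service exposed inbound
        rkey = self._reverse_key(pkt)
        state = self.table.get(rkey)
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.table[rkey] = "SYN_RECEIVED"         # SYN/ACK answering our SYN
            return True
        if state in ("SYN_RECEIVED", "ESTABLISHED") and "A" in pkt.flags:
            return True                               # return traffic for a known flow
        return False                                  # no matching state: drop


def sample_trace() -> list[Packet]:
    """Constructed packet trace: a legitimate outbound web session, a forged
    ACK-only probe against an internal host, and two inbound attempts at the
    web server (one to port 80, one to port 22)."""
    return [
        Packet("200.1.2.10", 40000, "198.51.100.5", 80, "S", "out"),
        Packet("198.51.100.5", 80, "200.1.2.10", 40000, "SA", "in"),
        Packet("200.1.2.10", 40000, "198.51.100.5", 80, "A", "out"),
        Packet("198.51.100.5", 80, "200.1.2.10", 40000, "A", "in"),
        Packet("203.0.113.9", 1234, "200.1.2.10", 445, "A", "in"),   # forged ACK probe
        Packet("203.0.113.9", 5555, "200.1.1.2", 80, "S", "in"),     # web server, allowed
        Packet("203.0.113.9", 5556, "200.1.1.2", 22, "S", "in"),     # SSH to web server, denied
    ]


def compare(trace: list[Packet]) -> dict[str, list[bool]]:
    """Run the same trace through both filters and return the verdicts."""
    fw = StatefulFilter()
    return {
        "static": [static_filter(p) for p in trace],
        "stateful": [fw.permit(p) for p in trace],
    }


if __name__ == "__main__":
    for name, verdicts in compare(sample_trace()).items():
        print(name, ["permit" if v else "deny" for v in verdicts])
```

The only packet on which the two filters disagree is the fifth one: an ACK-only segment to TCP/445 on an internal host that no internal host ever requested. The static ACL permits it because `established` is satisfied, which is how ACK scans and blind-injection attempts get past such filters; the stateful filter drops it because there is no state-table entry for that flow.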

Network administrators could also configure network-level filters to control the flow of traffic between the internal user subnet (200.1.2.0/24) and the company web server, for example. The advantages of packet filtering firewalls are their low monetary cost and their relatively low impact on network performance. Most routers support packet filtering. Even if other firewalls are used within the network, implementing packet filtering at the router level provides an additional level of security, albeit a relatively low one.

Circuit Level Gateways

Circuit level gateways are second-generation firewalls. These firewalls work at the Session Layer of the OSI model, or the TCP layer of the TCP/IP model. Circuit level gateways monitor the TCP handshake between hosts to make sure a session is legitimate, and use it to determine whether a packet is a connection request or a data packet belonging to an established connection or virtual circuit.

Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway and not from the actual internal host. This is useful for hiding information about internal (protected) networks. While circuit level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect, they provide relatively limited security, because once a circuit has been validated they relay its packets without filtering them individually. Circuit level gateways are considered obsolete and have all but disappeared from the networks of today.

Application Level Firewalls or Gateways

Application Level Gateways, or ALGs, are third-generation firewalls. These firewalls evaluate packets for valid data at the Application Layer before allowing a connection. ALGs, which are also referred to as proxies, have the ability to look more deeply into the Application Layer data passing through them, and can also filter at Layers 3, 4, and 5 in addition to Layer 7. The two main functions of Application Level Firewalls are to keep the machines behind them anonymous and to speed up access to resources via caching. Keep in mind that Application Level Gateway and Application Level Firewall are interchangeable terms; either can be used and both refer to the same thing.

By considering the context of client requests and application responses, these firewalls attempt to enforce correct application behavior, block malicious activity, and help organizations ensure the safety of sensitive information and systems. They can also log user activity. Application level filtering may include protection against spam and viruses, and can block undesirable web sites based on content rather than just on IP address. The following diagram illustrates the basic operation of an ALG:

In the diagram illustrated above, the internal host is attempting to connect to the web server belonging to www.howtonetwork.net. Because the host has been configured to use a proxy, this request is forwarded to 200.1.1.254, as illustrated in step 1. The ALG, or proxy, receives the request from the internal host and in turn contacts the Internet server on behalf of the host, as illustrated in step 2. The Internet server receives a request from 200.1.1.254 (the ALG) and, assuming all defaults, sends the web page to the proxy, as illustrated in step 3. Finally, in step 4, the proxy forwards the page to the computer on the intranet, i.e. the internal host. The user is now connected to www.howtonetwork.net via the ALG.

There are many different types of proxies. Some of the most common are:

  File Transfer Protocol (FTP) proxies
  SOCKS proxies
  Hypertext Transfer Protocol (HTTP) proxies
  Network Address Translation (NAT) proxies
  Secure Sockets Layer (SSL) proxies

NOTE: You are not required to demonstrate detailed knowledge of each of these different types of proxies. However, the following section provides a brief description of each type.

FTP proxies are used to relay and cache FTP traffic. SOCKS proxies can relay far more types of data, TCP or UDP. SOCKS is an Internet protocol that routes network packets between client-server applications via a proxy; it operates at Layer 5 of the OSI model and uses a handshake to inform the proxy software about the connection the client is trying to make.

HTTP proxies are used to service one-way requests to retrieve web pages. An HTTP proxy analyses the HTTP request sent through it (the absolute URI in the request line, or the Host header) in order to deduce the address of the server, and therefore can only be used for HTTP traffic. NAT proxies allow all packets to be redirected without the application having to support a proxy server.

Finally, SSL proxies are an extension of the HTTP proxy server which allows TCP data to be relayed in a manner similar to a SOCKS proxy (in HTTP this is done with the CONNECT method). This is performed mainly to allow encrypted web page requests to pass through the proxy. SSL is a cryptographic protocol that provides confidentiality and data integrity for communications over networks such as the Internet. SSL sits above the Transport Layer and encrypts the application data end-to-end between client and server, which means that an SSL proxy relays the encrypted bytes but cannot inspect their content.

Furthermore, proxy servers can be split into anonymous and transparent proxy servers. Anonymous proxy servers prevent the remote computer from learning the identity of the computer using the proxy to make requests. This is similar to the effect of Network Address Translation, which hides internal IP addresses from external users; however, it is important to keep in mind that the two technologies are distinctly different.

A transparent proxy server tells the remote computer the IP address of your computer. This provides no privacy, as internal addresses are exposed to external users. Anonymous proxies can further be broken down into two categories: elite and disguised.

An elite proxy is not identifiable to the remote computer as a proxy in any way. In other words, the remote host does not know that the originating host is using a proxy server.

A disguised proxy gives the remote host enough information to let it know that it is a proxy; however, it is still considered anonymous because it does not give away the IP address of the host it is relaying for. The destination host knows that it is talking to a proxy server, but does not know the IP address of the originating host.
Application Layer firewalls provide the following advantages:

They enhance network security by hiding internal networks. Proxies make connection requests on behalf of their clients, masking the IP addresses of those clients from external networks and devices.

They authenticate individuals and not devices. Application Layer firewalls allow connection requests to be authenticated before traffic is passed to internal or external resources. This allows administrators to authenticate the user making the connection request instead of the device on which the request is made.

They make it more difficult for attackers to perform IP spoofing attacks. By performing NAT-like functions and breaking up the end-to-end IP connection, proxies can prevent most spoofing attacks.

They can be used to mitigate DoS attacks. Application Layer firewalls can detect DoS attacks and reduce the burden on internal resources, such as routers. However, it should be noted that the proxy itself can fall victim to a DoS attack.

They can monitor and filter application data, such as web addresses. Proxies have the ability to detect attacks such as malformed URLs, buffer overflow attempts and unauthorized access. A Uniform Resource Locator (URL) is a subset of the Uniform Resource Identifier (URI) that specifies where an identified resource is available and the mechanism for retrieving it; a URL is what is commonly referred to as a web address. For example, JPEG files could be blocked based on content matches, or language filters could dynamically detect unwanted embedded script content. If the content is rejected, the proxy returns an HTTP error to the client.

They can provide detailed logging for security audits. ALGs have the capability to produce detailed logging information, and allow administrators to monitor the actual data an individual is sending across the connection.

However, despite these advantages, Application level firewalls also h
