Firewalls (QFP)

Firewall architecture and selection criteria
• General security objectives
• Rigorously enforce the network's baseline security policy at the WAN edge and at the site edge
• Inbound and outbound traffic flows
• From/to whom, which services, etc.
• Site-WAN 1.0: firewall integration and selection criteria
[Figure: private WAN edge, private WAN site]
Collaborative and adaptive
• Cross-solution feedback linkages
• Common policy management
• Endpoint posture and security policy enforcement
• Passive and active fingerprinting
• Cisco Security Agent / IPS collaboration
• Anomaly detection with in-production learning
• Network behavioral analysis
• Visibility and mitigation capabilities for blended content-based threats
• Real-time security posture adjustment
Integrated
• Multivector protections at all points in the network and at desktop and server endpoints
• Branch infrastructure security that enables an end-to-end architecture
Places in the network: Cisco Integrated Services Routers, Cisco ASA Adaptive Security Appliance, Cisco Security Manager, Cisco Security MARS, Cisco Intrusion Prevention Systems, Cisco Security Agent, Cisco NAC Appliance
Functions: endpoint security policy and posture; detect and mitigate content security threats; centralized security management; encrypted secure communications; targeted attack protection
[Figure: Internet / public WAN]
Stateful inspection firewalls: advantages
• Examines multiple levels
• Very secure
• Robust logging
• Transparent
• Maintains state
• High performance
[Figure: PC end user, Internet, web server; the firewall asks "Permit traffic?" and looks up the state table for an existing connection]
Example flow
• Flow: SRC IP 10.1.1.9, SRC port 11030, protocol TCP; DST IP 198.133.219.25, DST port 80
• Interfaces: source Inside, destination Outside
• Client 10.1.1.9 (Inside), server 198.133.219.25 (Outside)
With the flow defined, examination of configuration issues boils down to just the two interfaces: Inside and Outside.
[Figure: packet flow through a firewall with Inside, DMZ and Outside interfaces; DMZ segments labelled Eng, Accounting, Hosting, Partner]
Stateful firewall packet flow
1. Packet arrives
2. Check permissions: ACLs / authentication
3. Addressing: NAT / PAT / static
4. Create XLATE object (addressing info)
5. Enter into the connections table (ports + protocol + flags + random sequence number)
Stateful firewall
• Provides "stateful" connection security
• Tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags
• TCP sequence numbers are randomized
• Tracks UDP and TCP session state
• Connections allowed out: the return traffic for those sessions is allowed back in (TCP ACK bit), unsolicited inbound traffic is not
• Supports authentication, authorization, syslog accounting
Stateful firewall basic rules
• Allow TCP / UDP from inside
• Permit TCP / UDP return packets
• Drop and log connections from outside
• Drop and log source-routed IP packets
• Deny ICMP packets
• Drop and log all other packets from outside
Firewall security levels
• Each interface gets a name and a security level from 0 (least trusted) to 100 (most trusted): outside 0, DMZ 50, inside 100

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50

[Figure: firewall with the public network on the outside interface (0), the DMZ (50) and the private network on the inside interface (100)]
The default rules
• Higher to lower security level: PERMIT
• Lower to higher security level: DENY
• Between interfaces of the same level: DENY
[Figure: public network (0), DMZ (50), private network (100)]
Only three ways through the firewall
1. Inside to outside (limit with an ACL)
2. User authentication (AAA)
3. Access list (outside to inside)
[Figure: public network on the outside interface, private network on the inside interface]
NAT example
Translation table: inside local IP addresses 10.0.1.3 and 10.0.1.4 are mapped to the global IP pool 192.168.1.10 - 192.168.1.254

                    Inside (before translation)   Outside (after translation)
Source address      10.0.1.3                      192.168.1.10
Destination address 200.200.200.10                200.200.200.10
Source port         unchanged                     unchanged
Destination port    23                            23

[Figure: 10.0.1.3 on the inside, the firewall holding the translation table 10.0.1.3 -> 192.168.1.10, the Internet on the outside]
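The packet-flow steps, the basic rules, the security-level default rules and the NAT example above all describe one mechanism. The following Python model puts them together so the order of checks can be exercised: an added example, not Cisco code. The addresses (inside 10.0.1.0/24, the global pool 192.168.1.10-254, the outside host 200.200.200.10) come from the slides; the DMZ host 172.16.0.10, its static translation 192.168.1.2, the outside ACL permitting port 80 to it, and the interface names are assumptions for the example.

```python
import random
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Security levels from the slides: inside 100, DMZ 50, outside 0.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True             # True for the opening packet of a flow
    source_routed: bool = False  # IP source-route option present


class StatefulFirewall:
    def __init__(self, routes, nat_pool, acls=None, statics=None, seed=1):
        self.routes = {n: ip_network(c) for n, c in routes.items()}  # iface -> connected net
        self.nat_pool = list(nat_pool)   # free global addresses (the "global" pool)
        self.acls = acls or {}           # ingress iface -> [(proto, dst, dport)] permits
        self.statics = statics or {}     # global ip -> local ip (1:1 "static")
        self.xlate = {}                  # XLATE objects: local ip -> global ip
        self.conns = {}                  # flow key as seen on egress -> randomized ISN
        self.log = []                    # (reason, packet) for every drop
        self.rng = random.Random(seed)

    def iface_for(self, ip):
        # A global address belongs to the host behind its static or xlate entry.
        globals_to_local = {**self.statics, **{g: l for l, g in self.xlate.items()}}
        ip = globals_to_local.get(ip, ip)
        for name, net in self.routes.items():
            if ip_address(ip) in net:
                return name
        return "outside"                 # default route

    def acl_permits(self, iface, pkt):
        return any(p == pkt.proto and d in ("any", pkt.dst) and dp in ("any", pkt.dport)
                   for p, d, dp in self.acls.get(iface, []))

    def translate(self, pkt, outbound):
        """Outbound: take a global address from the pool (dynamic NAT, one per host).
        Inbound: the destination must have a static, otherwise there is no path in."""
        if outbound:
            if pkt.src not in self.xlate:
                if not self.nat_pool:
                    return None
                self.xlate[pkt.src] = self.nat_pool.pop(0)      # create XLATE object
            return Packet(self.xlate[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        local = self.statics.get(pkt.dst)
        return None if local is None else Packet(pkt.src, pkt.sport, local, pkt.dport, pkt.proto)

    def _drop(self, pkt, reason):
        self.log.append((reason, pkt))   # "drop and log"
        return "drop"

    def process(self, pkt):
        """Return 'permit' or 'drop', following the order of checks on the slide."""
        if pkt.source_routed:
            return self._drop(pkt, "source-routed packet")
        if pkt.proto == "icmp":
            return self._drop(pkt, "icmp denied")
        # Return traffic: the reverse 5-tuple of a recorded connection is let back in
        # without consulting the ACLs again; this is what "stateful" buys you.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "permit"
        if not pkt.syn:
            return self._drop(pkt, "no matching connection")
        ingress, egress = self.iface_for(pkt.src), self.iface_for(pkt.dst)
        if ingress == egress:
            return self._drop(pkt, "same security level")
        outbound = SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
        # Check permissions: an ACL bound to the ingress interface replaces the default
        # rule (higher -> lower permit, lower -> higher deny) for that interface.
        if ingress in self.acls:
            if not self.acl_permits(ingress, pkt):
                return self._drop(pkt, f"denied by ACL on {ingress}")
        elif not outbound:
            return self._drop(pkt, f"{ingress}->{egress} denied by default")
        # Addressing: NAT / static.
        xl = self.translate(pkt, outbound)
        if xl is None:
            return self._drop(pkt, "no translation available")
        # Enter into the connections table, keyed as the flow appears on the egress side
        # (that is where the reply arrives), with a randomized TCP sequence number.
        self.conns[(xl.proto, xl.src, xl.sport, xl.dst, xl.dport)] = self.rng.getrandbits(32)
        return "permit"


def build_example():
    """Addresses from the slides: inside 10.0.1.0/24, global pool 192.168.1.10-254,
    outside host 200.200.200.10. The DMZ host 172.16.0.10, its static 192.168.1.2
    and the outside ACL permitting port 80 to it are assumed for the example."""
    return StatefulFirewall(
        routes={"inside": "10.0.1.0/24", "dmz": "172.16.0.0/24"},
        nat_pool=[f"192.168.1.{i}" for i in range(10, 255)],
        statics={"192.168.1.2": "172.16.0.10"},
        acls={"outside": [("tcp", "192.168.1.2", 80)]},
    )


if __name__ == "__main__":
    fw = build_example()
    print(fw.process(Packet("10.0.1.3", 23000, "200.200.200.10", 23)), fw.xlate)      # permit
    print(fw.process(Packet("200.200.200.10", 23, "192.168.1.10", 23000, syn=False)))  # permit
    print(fw.process(Packet("203.0.113.5", 40000, "192.168.1.10", 23)), fw.log[-1][0])  # drop
```

The point to take from running it: the outbound Telnet session creates an xlate and a connection entry, the server's reply matches that entry and is permitted without any ACL, while a fresh connection from the outside to the same global address is dropped and logged because the only ACL on the outside interface permits port 80 to the static, not port 23 to a pool address. The DMZ-to-inside attempt is dropped by the default rule alone, since no ACL is bound to the DMZ interface.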
Zone-Based Policy Firewall (ZFW)
• Introduced in Cisco IOS 12.4(6)T
• ZFW is the strategic solution going forward
• Interfaces are assigned to zones, and inter-zone policies control access between zones
• Similar in concept to security levels on ASA/PIX
• Uses Class-Based Policy Language (CPL)
Cisco Classic Firewall (CBAC)
• Introduced in Cisco IOS 12.0
• Cisco IOS Software Classic Firewall will be maintained in the future but will not be significantly enhanced with new features
Zone-Based Policy Firewall (ZFW) features
• Combines features of ACLs, CBAC and NBAR into one policy
• Additional protocol support for deep packet inspection, e.g. IM, IMAP and P2P applications
• More actions: inspect, drop, pass and police
• The inspect action allows TCP Intercept-like functionality, e.g. maximum session limits, idle times, flood protection
• Traffic to or initiated from the router itself (the self zone) is allowed by default
• Traffic between zones is denied by default
Zone-Based Policy Firewall (ZFW) sample config: basic setup, two interfaces

    class-map type inspect match-any private-allowed-class
     match protocol tcp
     match protocol udp
     match protocol icmp
    class-map type inspect match-all http-class
     match protocol http
    !
    ! The slide references this parameter-map but does not show it; the two
    ! settings below are assumed so that the policy is complete.
    parameter-map type inspect my-parameters
     audit-trail on
     tcp idle-time 300
    !
    policy-map type inspect private-allowed-policy
     class type inspect http-class
      inspect my-parameters
     class type inspect private-allowed-class
      inspect
    !
    zone security private
    zone security public
    zone-pair security priv-pub source private destination public
     service-policy type inspect private-allowed-policy
    !
    interface FastEthernet0
     zone-member security public
    !
    interface Vlan1
     zone-member security private
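To see why the single priv-pub zone-pair above is enough, and why "inspect" rather than "pass" is the action that makes it enough, here is a Python model of the ZFW evaluation described in the feature list: zone membership, zone-pair lookup, match-any/match-all class maps, the self zone and the state created by inspect. It is an added example, not Cisco's implementation. The interface names, zones and class maps are those of the sample config; the flow addresses reuse the example flow from earlier (10.1.1.9:11030 to 198.133.219.25:80); everything else, including the assumption that a flow arrives pre-classified into a set of protocol labels, is a simplification made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ingress: str          # interface the packet arrives on ("self" for the router itself)
    egress: str           # interface the router would forward it out of
    src: str
    sport: int
    dst: str
    dport: int
    protocols: frozenset  # how inspection classifies the flow, e.g. {"tcp", "http"} (assumed)


@dataclass(frozen=True)
class ClassMap:
    """class-map type inspect match-any|match-all <name> with its 'match protocol' lines."""
    name: str
    mode: str
    protocols: frozenset

    def matches(self, flow):
        hits = self.protocols & flow.protocols
        return bool(hits) if self.mode == "match-any" else hits == self.protocols


class ZoneFirewall:
    SELF = "self"

    def __init__(self):
        self.zone_of = {self.SELF: self.SELF}  # interface -> zone (zone-member security)
        self.policies = {}                     # (source zone, destination zone) -> [(ClassMap, action)]
        self.sessions = set()                  # (src, sport, dst, dport) opened by "inspect"

    def zone_member(self, iface, zone):
        self.zone_of[iface] = zone

    def zone_pair(self, src_zone, dst_zone, policy):
        """zone-pair security ... source X destination Y, plus its service-policy."""
        self.policies[(src_zone, dst_zone)] = list(policy)

    def evaluate(self, f):
        """Return the action applied to a packet: inspect, pass or drop."""
        sz, dz = self.zone_of.get(f.ingress), self.zone_of.get(f.egress)
        if sz == dz:
            return "pass"       # same zone, or both interfaces outside any zone
        if (f.dst, f.dport, f.src, f.sport) in self.sessions:
            return "pass"       # return traffic of an inspected session; no reverse pair needed
        policy = self.policies.get((sz, dz))
        if policy is None:
            # Without a zone-pair, traffic between zones is denied by default, while
            # traffic to or from the router itself (self zone) is allowed by default.
            return "pass" if self.SELF in (sz, dz) else "drop"
        for cmap, action in policy:
            if cmap.matches(f):
                if action == "inspect":
                    self.sessions.add((f.src, f.sport, f.dst, f.dport))
                return action
        return "drop"           # class-default: drop


def build_from_slide(private_action="inspect"):
    """The two-interface sample config: private (Vlan1) -> public (FastEthernet0),
    http-class first, then the match-any tcp/udp/icmp class. private_action lets
    you swap 'inspect' for 'pass' on the second class to see what changes."""
    fw = ZoneFirewall()
    fw.zone_member("FastEthernet0", "public")
    fw.zone_member("Vlan1", "private")
    http_class = ClassMap("http-class", "match-all", frozenset({"http"}))
    allowed = ClassMap("private-allowed-class", "match-any", frozenset({"tcp", "udp", "icmp"}))
    fw.zone_pair("private", "public", [(http_class, "inspect"), (allowed, private_action)])
    return fw


if __name__ == "__main__":
    fw = build_from_slide()
    web = Flow("Vlan1", "FastEthernet0", "10.1.1.9", 11030, "198.133.219.25", 80, frozenset({"tcp", "http"}))
    back = Flow("FastEthernet0", "Vlan1", "198.133.219.25", 80, "10.1.1.9", 11030, frozenset({"tcp", "http"}))
    print(fw.evaluate(web), fw.evaluate(back))        # inspect pass
    fw = build_from_slide("pass")
    telnet = Flow("Vlan1", "FastEthernet0", "10.1.1.9", 11031, "198.133.219.25", 23, frozenset({"tcp"}))
    reply = Flow("FastEthernet0", "Vlan1", "198.133.219.25", 23, "10.1.1.9", 11031, frozenset({"tcp"}))
    print(fw.evaluate(telnet), fw.evaluate(reply))    # pass drop
```

With "inspect", the web request creates a session and the server's reply is let through even though there is no pub-priv zone-pair. With "pass" on the second class, the outbound Telnet packet is forwarded but no state is created, so the reply hits the missing pub-priv pair and is dropped: the usual symptom of a ZFW policy that uses pass where inspect was meant. Unsolicited inbound connections and router-originated traffic behave as the feature list states, denied and allowed by default respectively.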
IOS ZBFW design: typical branch
[Figure: branch router with a Client zone, an Infrastructure zone, a Branch VPN zone and a VPN WAN zone; uplinks to the private WAN and to the Internet]
Note: no CSM (Cisco Security Manager) support for ZBFW is planned until version 3.3
IOS ZBFW design: private WAN edge
[Figure: private WAN edge (QFP) with a VPN zone, a VPN WAN edge zone and a WAN zone; uplinks to private WAN SP1 and private WAN SP2]
Cut-through proxy operation
1. The user makes a request to an IS resource
2. The firewall intercepts the connection
3. The firewall prompts the user for a username and password, authenticates the user and checks the security policy on the RADIUS or TACACS+ (CiscoSecure) server
4. The firewall initiates a connection from itself to the destination IS resource
5. The firewall then directly connects the internal/external user to the IS resource
• Authenticates once at the application layer (OSI layer 7) for each supported service
• The connection is passed back to the firewall engine, which keeps maintaining session state
• 100% transparent: no proxy configuration is required on the client
[Figure: PIX Firewall login dialog ("Username and Password Required", user name "student") shown to the internal/external user; the CiscoSecure AAA server and the IS resource]
User authentication: cut-through proxy
• Addressing and an ACL must already exist for the destination; authentication does not replace them
• FTP, HTTP and Telnet can be proxied (the firewall can prompt the user on these)
• Other ports can be authorised after the user has authenticated through one of them
• Watch out: the authorisation timeout applies to the user's authentication as a whole, not to one service. When the primary (authenticated) session times out, the other connections opened under it are cut as well
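The following Python model walks through the cut-through proxy sequence and the timeout caveat above: an added example, not Cisco's implementation. The username "student" is taken from the login dialog on the slide; the password, the host addresses, the permitted destinations and the timeout values are assumptions, and the AAA server is stood in for by a dictionary.

```python
from dataclasses import dataclass

# Services the firewall can intercept and prompt on (FTP, Telnet, HTTP).
PROXIED_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


@dataclass
class UAuth:
    user: str
    authenticated_at: float   # for the absolute timeout
    last_seen: float          # for the inactivity timeout


class CutThroughProxy:
    def __init__(self, aaa_users, acl, absolute=300.0, inactivity=60.0):
        self.aaa = aaa_users      # stands in for the RADIUS/TACACS+ server: user -> password
        self.acl = acl            # (dst, dport) pairs that addressing and the ACLs already permit
        self.absolute = absolute  # uauth absolute timeout in seconds (assumed value)
        self.inactivity = inactivity
        self.uauth = {}           # source host -> UAuth
        self.conns = {}           # source host -> set of (dst, dport) currently open

    def _expire(self, now):
        """Drop expired uauth entries and cut every connection that relied on them."""
        cut = []
        for host, ua in list(self.uauth.items()):
            if now - ua.authenticated_at > self.absolute or now - ua.last_seen > self.inactivity:
                del self.uauth[host]
                cut += [(host, c) for c in sorted(self.conns.pop(host, set()))]
        return cut

    def connect(self, src, dst, dport, now, credentials=None):
        """Handle a new connection request. Returns (verdict, cut_connections) where
        verdict is 'permit', 'prompt' or 'deny'."""
        cut = self._expire(now)
        if (dst, dport) not in self.acl:
            return "deny", cut              # addressing and ACL must exist first
        ua = self.uauth.get(src)
        if ua is None:
            if dport not in PROXIED_PORTS:
                return "deny", cut          # nothing to prompt on for this protocol
            if credentials is None:
                return "prompt", cut        # step 3: intercept and ask for username/password
            user, password = credentials
            if self.aaa.get(user) != password:
                return "deny", cut
            ua = self.uauth[src] = UAuth(user, now, now)   # authenticated once, at layer 7
        ua.last_seen = now
        # Steps 4-5: the firewall opens the connection to the resource and hands the
        # session back to the stateful engine; from here it is tracked like any other.
        self.conns.setdefault(src, set()).add((dst, dport))
        return "permit", cut


if __name__ == "__main__":
    fw = CutThroughProxy({"student": "cisco"}, {("10.0.2.5", 80), ("10.0.2.5", 22), ("10.0.2.6", 23)})
    print(fw.connect("192.168.5.7", "10.0.2.5", 22, now=0))                                   # deny
    print(fw.connect("192.168.5.7", "10.0.2.5", 80, now=1))                                   # prompt
    print(fw.connect("192.168.5.7", "10.0.2.5", 80, now=3, credentials=("student", "cisco")))  # permit
    print(fw.connect("192.168.5.7", "10.0.2.5", 22, now=10))                                  # permit
    print(fw.connect("192.168.5.7", "10.0.2.5", 22, now=100))                                 # deny + cut list
```

The run shows the three rules in order: SSH is refused until the host authenticates through HTTP, it is permitted afterwards on the strength of that one authentication, and when the uauth entry expires after 60 seconds of inactivity the SSH and Telnet sessions that were authorised under it are cut together with the HTTP session that created it.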