
Implementing Secure Converged Wide Area Networks (ISCW)



  1. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features

  2. Module 6: Cisco IOS Threat Defense Features Lesson 6.1: Introducing the Cisco IOS Firewall

  3. Objectives
  • Explain the purpose of the Demilitarized Zone (DMZ).
  • Describe various DMZ topologies and design options.
  • Describe firewall operations and implementation technologies.
  • Compare and contrast various firewall implementation options.
  • Describe the security features available in the Cisco IOS Firewall Feature Set.

  4. DMZ
  • A DMZ is established between security zones.
  • DMZs are buffer networks that are neither the Inside nor the Outside network.

  5. Layered Defense Features
  • Access control is enforced on traffic entering and exiting the buffer network to all security zones by:
    • Classic routers
    • Dedicated firewalls
  • DMZs are used to host services:
    • Exposed public services are served on dedicated hosts inside the buffer network.
    • The DMZ may host an application gateway for outbound connectivity.
  • A DMZ blocks and contains an attacker in the case of a break-in.

  6. Multiple DMZs (figure: three separate DMZs)
  • Multiple DMZs provide better separation and access control:
    • Each service can be hosted in a separate DMZ.
    • Damage is limited and attackers contained if a service is compromised.

  7. Modern DMZ Design
  • Various systems (a stateful packet filter or proxy server) can filter traffic.
  • Proper configuration of the filtering device is critical.

  8. Private VLAN (figure: primary VLAN with secondary VLANs)
  • Traffic flows on private VLANs:
    • RED and YELLOW can communicate with BLUE
    • RED and YELLOW cannot communicate with each other

  9. Private VLAN Example (figure labels: Host 1 (FTP), Host 2 (HTTP), Host 3 (Admin), Secondary VLAN Ports, Promiscuous Port)

  10. Firewall Technologies
  • Firewalls use three technologies:
    • Packet filtering
    • Application layer gateway (ALG)
    • Stateful packet filtering

  11. Packet Filtering • Packet filtering limits traffic into a network based on the destination and source addresses, ports, and other flags that you compile in an ACL.

  12. Packet Filtering Example
  Router(config)# access-list 100 permit tcp any 16.1.1.0 0.0.0.255 established
  Router(config)# access-list 100 deny ip any any log
  Router(config)# interface Serial0/0
  Router(config-if)# ip access-group 100 in
  Router(config-if)# end

  13. Application Layer Gateway • The ALG intercepts and establishes connections to the Internet hosts on behalf of the client.

  14. ALG Firewall Device

  15. Stateful Packet Filtering
  • Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes.
  • Stateful inspection then remembers certain details, or the state of that request.

  16. Stateful Firewalls
  • Also called “stateful packet filters” and “application-aware packet filters.”
  • Stateful firewalls have two main improvements over packet filters:
    • They maintain a session table (state table) where they track all connections.
    • They recognize dynamic applications and know which additional connections will be initiated between the endpoints.
  • Stateful firewalls inspect every packet, compare the packet against the state table, and may examine the packet for any special protocol negotiations.
  • Stateful firewalls operate mainly at the connection (TCP and UDP) layer.

  17. Stateful Packet Filtering Example (figure labels: application space with authentication daemons; kernel space with network stack, packet filters, ordered list of rules and dynamic rules; incoming and outgoing network packets; accepted new packets)
  • All network packets associated with an authentication session are processed by an application running on the firewall host.
  • If a packet satisfies all of the packet filter rules, then depending on whether it is destined for the firewall or a remote host, the packet either propagates up the network stack for further processing or gets forwarded to the network host.
  • Based on information contained within each packet, each packet is associated with additional static information.
  • Dynamic rules are added and removed based on a combination of the data contained within the network packet and the static information.
  • All incoming packets are compared against defined rules composed from a very limited command set for one or more low-level protocols, such as IP, TCP, and ICMP. Packets are either denied and dropped here, or they are accepted and passed to the network stack for delivery.

  18. Stateful Firewall Handling of Different Protocols

  19. The Cisco IOS Firewall Feature Set
  • The Cisco IOS Firewall Feature Set contains these features:
    • Standard and extended ACLs
    • TCP intercept
    • Cisco IOS Firewall
    • Cisco IOS Firewall IPS
    • Authentication proxy
    • Port-to-Application Mapping (PAM)
    • NAT
    • IPsec network security
    • Event logging
    • User authentication and authorization

  20. Cisco IOS Firewall
  • Packets are inspected when entering the Cisco IOS firewall if the packets are not specifically denied by an ACL.
  • Cisco IOS Firewall permits or denies specified TCP and UDP traffic through a firewall.
  • A state table is maintained with session information.
  • ACLs are dynamically created or deleted.
  • Cisco IOS Firewall protects against DoS attacks.

  21. Cisco IOS Authentication Proxy
  • HTTP, HTTPS, FTP, and Telnet authentication
  • Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols

  22. Cisco IOS IPS
  • Acts as an inline intrusion prevention sensor—traffic goes through the sensor
  • When an attack is detected, the sensor can perform any of these actions:
    • Alarm: Send an alarm to SDM or syslog server.
    • Drop: Drop the packet.
    • Reset: Send TCP resets to terminate the session.
    • Block: Block an attacker IP address or session for a specified time.
  • Identifies 700+ common attacks

  23. Cisco IPS Signature Actions

  24. Cisco IOS ACLs Revisited
  • ACLs provide traffic filtering by these criteria:
    • Source and destination IP addresses
    • Source and destination ports
  • ACLs can be used to implement a filtering firewall, but this leads to these security shortcomings:
    • Ports are opened permanently to allow traffic, creating a security vulnerability.
    • The ACLs do not work with applications that negotiate ports dynamically.
  • Cisco IOS Firewall addresses these shortcomings of ACLs.
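As an added illustration (not from the course slides) of the contrast drawn on slides 12, 15 to 17 and 24, this Python model evaluates the same inbound packets against the stateless `established` ACL of slide 12 and against a session table. Only the 16.1.1.0/24 network comes from the slides; the other addresses and ports are constructed, and the session table is a simplified model, not Cisco's implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Inside network taken from the slide-12 ACL (16.1.1.0 with wildcard 0.0.0.255).
INSIDE = ip_network("16.1.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False
    rst: bool = False


def established_acl(pkt: Packet) -> str:
    """Model of the stateless ACL on slide 12:
         access-list 100 permit tcp any 16.1.1.0 0.0.0.255 established
         access-list 100 deny ip any any log
    'established' matches any TCP segment with ACK or RST set; it keeps no
    memory of whether an inside host ever started the connection."""
    if pkt.proto == "tcp" and ip_address(pkt.dst) in INSIDE and (pkt.ack or pkt.rst):
        return "permit"
    return "deny"


class StatefulInspector:
    """Simplified model of the session (state) table on slides 16 and 17: an
    outbound connection opens an entry, and only matching return traffic is permitted."""

    def __init__(self) -> None:
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def outbound(self, pkt: Packet) -> str:
        # Only a TCP SYN (or any UDP datagram) from the inside creates a session.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        # Return traffic must match an existing entry with the tuple reversed.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "permit" if key in self.sessions else "deny"


def compare(pkt: Packet, inspector: StatefulInspector) -> dict:
    """Verdict of both filters on the same inbound packet."""
    return {"established_acl": established_acl(pkt), "stateful": inspector.inbound(pkt)}
```

An unsolicited inbound TCP segment with only the ACK flag set passes the `established` ACL but not the session table, while a UDP reply to an inside query is handled only by the session table.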

  25. Cisco IOS Firewall TCP Handling

  26. Cisco IOS Firewall UDP Handling

  27. How Cisco IOS Firewall Works

  28. Timeout and Threshold Values

  29. Cisco IOS Firewall Supported Protocols
  • Regardless of the application layer protocol, Cisco IOS Firewall will inspect:
    • All TCP sessions
    • All UDP connections
  • Enhanced stateful inspection of application layer protocols
  • Outgoing requests to the Internet, and responses from the Internet, are allowed.
  • Incoming requests from the Internet are blocked (marked X in the figure).

  30. Alerts and Audit Trails
  • Cisco IOS Firewall generates real-time alerts and audit trails.
  • Audit trail features use syslog to track all network transactions.
  • With Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

  31. Summary
  • The Cisco IOS Firewall software offers a full set of security features that can be implemented to provide security for a network.
  • The DMZ is an ideal place to host services to enable inside users to connect to the outside perimeter. The DMZ approach is the most popular and commonly used modern architecture.
  • Firewalls can be based on packet filtering, application layer gateways or stateful packet filtering.
  • The Cisco IOS Firewall Feature Set is a security-specific option for Cisco IOS software that is available in select security Cisco IOS images.
  • The Cisco IOS Firewall Feature Set integrates robust firewall functionality, authentication proxy, and intrusion prevention.

  32. Q and A

  33. Resources
  • Cisco IOS Firewall Design Guide
  • http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html

  34. Module 6: Cisco IOS Threat Defense Features Lesson 6.2: Implementing Cisco IOS Firewalls

  35. Objectives
  • Describe the steps needed to configure a network firewall using Cisco IOS.
  • Explain how to determine which interfaces should be configured with firewall commands.
  • Explain where to place Access Control Lists in order to filter traffic.
  • Describe how to configure inspection rules for application protocols.
  • Describe how to verify and troubleshoot firewall configurations.

  36. Cisco IOS Firewall Configuration Tasks Using the CLI
  • Pick an interface: internal or external.
  • Configure IP ACLs at the interface.
  • Define inspection rules.
  • Apply inspection rules and ACLs to interfaces.
  • Test and verify.

  37. Simple Topology — Configuring an External Interface (figure labels: Internal Network, External Network, Serial 1, Internet, Traffic entering, Traffic exiting)

  38. Simple Topology — Configuring an Internal Interface (figure labels: Internal Network, Ethernet 0, DMZ with Web Server and DNS Server, External Network, Internet, Access allowed, Traffic entering, Traffic exiting)

  39. Access Control Lists Filter Traffic (figure labels: Host A, Host B, Human Resources Network, Research and Development Network, X)

  40. IP ACL Configuration Guidelines

  41. Set Audit Trails and Alerts
  Router(config)# ip inspect audit-trail
  • Enables the delivery of audit trail messages using syslog
  Router(config)# no ip inspect alert-off
  • Enables real-time alerts
  Router(config)# logging on
  Router(config)# logging host 10.0.0.3
  Router(config)# ip inspect audit-trail
  Router(config)# no ip inspect alert-off

  42. Define Inspection Rules for Application Protocols
  Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]
  • Defines the application protocols to inspect
  • Will be applied to an interface
  • Available protocols are tcp, udp, icmp, smtp, esmtp, cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, and so on.
  • Alert, audit-trail, and timeout are configurable per protocol and override global settings.
  Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
  Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

  43. ip inspect name Parameters

  44. Inspection Rules for Application Protocols
  • Example 1: Users on access list 10 are allowed to download Java applets:
  ip inspect name PERMIT_JAVA http java-list 10
  access-list 10 permit 144.224.10.0 0.0.0.255
  access-list 10 deny any
  • Example 2: Telling Cisco IOS Firewall what to inspect:
  ip inspect name in2out rcmd
  ip inspect name in2out ftp
  ip inspect name in2out tftp
  ip inspect name in2out tcp timeout 43200
  ip inspect name in2out http
  ip inspect name in2out udp

  45. ip inspect Parameters and Guidelines
  Router(config-if)# ip inspect inspection-name {in | out}
  • Applies the named inspection rule to an interface
  • On the interface where traffic initiates:
    • Apply ACL on the inward direction that permits only wanted traffic.
    • Apply rule on the inward direction that inspects wanted traffic.
  • On all other interfaces, apply ACL on the inward direction that denies all unwanted traffic.

  46. Example: Two-Interface Firewall
  ip inspect name OUTBOUND tcp
  ip inspect name OUTBOUND udp
  ip inspect name OUTBOUND icmp
  !
  interface FastEthernet0/0
   ip access-group OUTSIDEACL in
  !
  interface FastEthernet0/1
   ip inspect OUTBOUND in
   ip access-group INSIDEACL in
  !
  ip access-list extended OUTSIDEACL
   permit icmp any any packet-too-big
   deny ip any any log
  !
  ip access-list extended INSIDEACL
   permit tcp any any
   permit udp any any
   permit icmp any any

  47. Example: Three-Interface Firewall
  interface FastEthernet0/0
   ip inspect OUTSIDE in
   ip access-group OUTSIDEACL in
  !
  interface FastEthernet0/1
   ip inspect INSIDE in
   ip access-group INSIDEACL in
  !
  interface FastEthernet0/2
   ip access-group DMZACL in
  !
  ip inspect name INSIDE tcp
  ip inspect name OUTSIDE tcp
  !
  ip access-list extended OUTSIDEACL
   permit tcp any host 200.1.2.1 eq 25
   permit tcp any host 200.1.2.2 eq 80
   permit icmp any any packet-too-big
   deny ip any any log
  !
  ip access-list extended INSIDEACL
   permit tcp any any eq 80
   permit icmp any any packet-too-big
   deny ip any any log
  !
  ip access-list extended DMZACL
   permit icmp any any packet-too-big
   deny ip any any log

  48. Verifying Cisco IOS Firewall
  Router# show ip inspect name inspection-name
  Router# show ip inspect config
  Router# show ip inspect interfaces
  Router# show ip inspect session [detail]
  Router# show ip inspect statistics
  Router# show ip inspect all
  • Displays inspections, interface configurations, sessions, and statistics
  Router# show ip inspect session
  Established Sessions
   Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
   Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
   Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
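The session lines that `show ip inspect session` prints on slide 48 are easy to review by hand for three entries but not for a busy firewall; the Python below, added here and not part of the course material, parses that line format into records, counts open sessions per inside host, and lists sessions whose destination port is outside an allowed table. The sample input is the three lines from the slide plus one constructed UDP line; the regular expression assumes the exact layout shown on the slide.

```python
import re
from collections import Counter

# Constructed sample output: the three lines shown on slide 48 plus one UDP line
# added here for illustration (not from the slides).
SAMPLE = """\
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
 Session 615A1B20 (10.0.0.7:5353)=>(172.30.0.53:53) udp SIS_OPEN
"""

# One 'Session <id> (src:port)=>(dst:port) <proto> <state>' line, as on slide 48.
SESSION_RE = re.compile(
    r"Session\s+(?P<sid>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>\S+)"
)


def parse_sessions(text: str) -> list:
    """Turn each 'Session ...' line into a dict; headers and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            sessions.append(rec)
    return sessions


def sessions_per_source(sessions: list) -> Counter:
    """Open sessions held by each inside host; a sudden spike is worth a look."""
    return Counter(s["src"] for s in sessions)


def outside_policy(sessions: list, allowed: dict) -> list:
    """Sessions whose (proto, dport) is not in an allowed table such as
    {"tcp": {80, 443}, "udp": {53}}. Ports negotiated by an inspected application
    (e.g. FTP data channels) also land here, so treat the result as a review
    queue, not as an automatic block list."""
    return [s for s in sessions if s["dport"] not in allowed.get(s["proto"], set())]
```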

  49. Troubleshooting Cisco IOS Firewall
  Router# debug ip inspect function-trace
  Router# debug ip inspect object-creation
  Router# debug ip inspect object-deletion
  Router# debug ip inspect events
  Router# debug ip inspect timers
  Router# debug ip inspect detail
  • General debug commands
  Router# debug ip inspect protocol
  • Protocol-specific debug

  50. Summary
  • The main feature of the Cisco IOS Firewall has always been its stateful inspection.
  • An ACL can allow one host to access a part of your network and prevent another host from accessing the same area.
  • Use access lists in "firewall" routers that you position between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network.
  • An inspection rule should specify each desired application layer protocol that the Cisco IOS Firewall will inspect, as well as generic TCP, UDP, or Internet Control Message Protocol (ICMP), if desired.
  • Use the ip inspect name command in global configuration mode to define a set of inspection rules.
