Firewall Training 2004/12/1
Firewall Technologies
• Firewall operations are based on one of three technologies:
• Packet filtering
• Proxy server
• Stateful packet filtering
Packet Filtering (figure: ACL)
• Limits information into a network based on destination and source address
Proxy Server
• Requests connections between a client on the inside of the firewall and the Internet
Stateful Packet Filtering
• Limits information into a network based not only on destination and source address, but also on packet data content
PIX Firewall 515
• Designed for small to medium businesses
• 128,000 simultaneous connections
• 147 Mbps cleartext throughput
• 200 MHz processor
• 64 MB RAM
• Supports 6 interfaces
• Supports failover
• 10 Mbps 3DES throughput
The PIX Firewall 515 Front Panel LEDs (figure labels: Power LED, Network LED, Active, Failover Unit)
The PIX Firewall 515 Rear Panel (figure labels: 100 Mbps LED, LINK LED and FDX LED for each port; failover connector; 10/100BaseTX Ethernet 1 (RJ-45); 10/100BaseTX Ethernet 0 (RJ-45); console port (RJ-45); power switch)
PIX Firewall 515 Quad Card
• Using the quad card requires the PIX Firewall 515-UR license.
PIX Firewall 515 Two Single-Port Connectors
• Using two single-port connectors requires the PIX Firewall 515-UR license.
Access Modes
• The PIX Firewall has four administrative access modes:
• Unprivileged mode
• Privileged mode
• Configuration mode
• Monitor mode
PIX Firewall Commands
• enable, enable password, and passwd
• write erase, write memory, and write term
• show interface, show ip address, show memory, show version, and show xlate
• exit and reload
• hostname, ping, and telnet
enable Command
• Enables you to enter different access modes
pixfirewall> enable
password:
pixfirewall# configure terminal
pixfirewall(config)# exit
pixfirewall#
enable password and passwd Commands
• The enable password command is used to control access to the privileged mode.
pixfirewall# enable password password
• The passwd command is used to set a Telnet password.
pixfirewall# passwd password
write Commands
• The following are the write commands:
• write net
• write erase
• write floppy
• write memory
• write standby
• write terminal
telnet Commands
pixfirewall(config)# telnet ip_address [netmask] [if_name]
• Enables you to specify which hosts can access the PIX Firewall console via Telnet
pixfirewall(config)# kill telnet_id
• Terminates a Telnet session
pixfirewall(config)# who [local_ip]
• Enables you to view which IP addresses are currently accessing the PIX Firewall console via Telnet
http Commands
pixfirewall(config)# http ip_address [netmask] [if_name]
• Enables you to specify the clients that are allowed to access the PIX Firewall's HTTP server
pixfirewall(config)# http server enable
• Enables the PIX Firewall HTTP server
hostname and ping Commands
pixfirewall(config)# hostname newname
• hostname command
pixfirewall(config)# hostname proteus
proteus(config)# hostname pixfirewall
pixfirewall(config)# ping [if_name] ip_address
• ping command
pixfirewall(config)# ping 10.0.0.3
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
show Commands
pixfirewall# show ?
• The following are show commands:
• show history
• show memory
• show version
• show xlate
• show cpu usage
show interface Command
pixfirewall# show interface
interface ethernet0 "outside" is up, line protocol is up
  hardware is i82557 ethernet, address is 0060.7380.2f16
  ip address 192.168.0.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 1000000 Kbit half duplex
  1184342 packets input, 1222298001 bytes, 0 no buffer
  received 26 broadcasts, 27 runts, 0 giants
  4 input errors, 0 crc, 4 frame, 0 overrun, 0 ignored, 0 abort
  1310091 packets output, 547097270 bytes, 0 underruns
  0 unicast rpf drops
  0 output errors, 28075 collisions, 0 interface resets
  0 babbles, 0 late collisions, 117573 deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max blocks): hardware (128/128) software (0/1)
  output queue (curr/max blocks): hardware (0/2) software (0/1)
show ip address Command
pixfirewall# show ip address
Building configuration...
System IP Addresses:
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
Current IP Addresses:
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
name Command
(figure: PIX Firewall with e0 on 192.168.0.0/24 at .2, e1 on 10.0.0.0/24 at .1, e2 on the DMZ 172.16.0.0/24 at .1; bastion host at 172.16.0.2)
pixfirewall(config)# name ip_address name
• Configures a list of name-to-IP address mappings on the PIX Firewall
pixfirewall(config)# name 172.16.0.2 bastionhost
Functions of the Adaptive Security Algorithm
• Implements stateful connection control through the PIX Firewall
• Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application
• Monitors return packets to ensure they are valid
• Randomizes the TCP sequence number to minimize the risk of attack
ASA Security Level Example
(figure: PIX Firewall with e0 toward the Internet, e1 toward the inside network, e2 toward the perimeter network)
• Outside network: e0, security level 0, interface name = outside
• Perimeter network: e2, security level 50, interface name = pix/intf2
• Inside network: e1, security level 100, interface name = inside
PIX Firewall Primary Commands
• There are six primary configuration commands for the PIX Firewall:
• nameif
• interface
• ip address
• nat
• global
• route
Command 1: nameif
• The nameif command assigns a name to each perimeter interface on the PIX Firewall and specifies its security level.
pixfirewall(config)# nameif hardware_id if_name security_level
pixfirewall(config)# nameif ethernet2 dmz sec50
Command 2: interface
• The interface command configures the type and capability of each perimeter interface.
pixfirewall(config)# interface hardware_id hardware_speed
pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
• The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.
Command 3: ip address
• The ip address command assigns an IP address to each interface.
pixfirewall(config)# ip address if_name ip_address [netmask]
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
Command 4: nat
• The nat command shields IP addresses on the inside network from the outside network.
pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
NAT Example
(figure: host 10.0.0.3 on the inside reaching 200.200.200.10 on the Internet through the PIX Firewall)
• Translation table: inside local IP address 10.0.0.3 -> global IP pool address 192.168.0.20; 10.0.0.4 -> 192.168.0.21
• Packet on the inside: source addr 10.0.0.3, destination addr 200.200.200.10, source port 49090, destination port 23
• Packet on the outside: source addr 192.168.0.20, destination addr 200.200.200.10, source port 49090, destination port 23
Command 5: global
pixfirewall(config)# global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20–192.168.0.254 range
Two Interfaces with NAT (Multiple Internal Networks)
(figure: Internet; pod perimeter router at .1 on 192.168.0.0/24; PIX Firewall e0 outside at .2, security level 0; e1 inside at .1, security level 100; inside networks 10.0.0.0/24 and 10.1.0.0/24; backbone, web, FTP, and TFTP server 172.26.26.50)
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.1.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
pixfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240
• All hosts on the inside networks can start outbound connections.
• A separate global pool is used for each internal network.
Command 6: route
• The route command defines a static or default route for an interface.
pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
TCP
• TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
• TCP features:
• Sequencing and acknowledgement of data
• A defined state machine (open connection, data flow, retransmit, close connection)
• Congestion management and avoidance mechanisms
TCP Initialization—Inside to Outside
(figure: Telnet session from 10.0.0.3 on the private network to 172.30.0.50 on the public network, through the PIX Firewall)
• The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
• #1 (private side): source addr 10.0.0.3, destination addr 172.30.0.50, source port 1026, destination port 23, initial sequence # 49091, flag SYN, no data. Start the embryonic connection counter.
• #2 (public side): source addr 192.168.0.20, destination addr 172.30.0.50, source port 1026, destination port 23, initial sequence # 49769, flag SYN.
• #3 (public side): source addr 172.30.0.50, destination addr 192.168.0.20, source port 23, destination port 1026, sequence # 92513, ack 49770, flag SYN-ACK.
• #4 (private side): source addr 172.30.0.50, destination addr 10.0.0.3, source port 23, destination port 1026, sequence # 92513, ack 49092, flag SYN-ACK.
• The PIX Firewall follows the Adaptive Security Algorithm:
• (Src IP, Src Port, Dest IP, Dest Port) check
• Sequence number check
• Translation check
• If the code bit is not SYN-ACK, the PIX drops the packet.
TCP Initialization—Inside to Outside (cont.)
• #5 (private side): source addr 10.0.0.3, destination addr 172.30.0.50, source port 1026, destination port 23, sequence # 49092, ack 92514, flag ACK.
• #6 (public side): source addr 192.168.0.20, destination addr 172.30.0.50, source port 1026, destination port 23, sequence # 49770, ack 92514, flag ACK.
• Reset the embryonic counter for this client. It then increments the connection counter for this host.
• Strictly follows the Adaptive Security Algorithm
• Data flows
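The six-packet exchange above, as an added example that is not part of the original slides: a Python model of the PIX connection slot, the embryonic counter, the SYN-ACK code-bit and sequence-number checks, and the sequence-number randomization listed under the ASA functions. Class and function names are assumed, and nat/global translation is taken as already done.

```python
import random
SYN, ACK = 0x02, 0x10   # TCP code bits

class AsaTcp:
    """Constructed model of the TCP checks on these slides (not Cisco code).
    Assumes nat/global translation has already rewritten the inside source address."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)   # deterministic for the demo; a real box uses a CSPRNG
        self.conns = {}        # (inside_ip, sport, dst, dport) -> connection slot
        self.embryonic = {}    # inside_ip -> half-open connections (SYN seen, no SYN-ACK yet)
        self.established = {}  # inside_ip -> completed connections

    def outbound(self, src, sport, dst, dport, flags, seq, ack=0):
        """Inside -> outside packet; returns (verdict, seq, ack) as the public side sees them."""
        key = (src, sport, dst, dport)
        slot = self.conns.get(key)
        if slot is None:
            if flags != SYN:
                return ("drop: no connection slot and not a SYN", seq, ack)
            delta = self.rng.randrange(1, 2**31)   # ASA: randomize the TCP sequence number
            self.conns[key] = {"state": "embryonic", "isn": seq, "delta": delta}
            self.embryonic[src] = self.embryonic.get(src, 0) + 1   # #1: start the embryonic counter
            return ("pass", (seq + delta) % 2**32, ack)
        if slot["state"] == "embryonic" and flags == ACK:           # #5: third packet of the handshake
            slot["state"] = "established"
            self.embryonic[src] -= 1                                 # reset embryonic count for this client
            self.established[src] = self.established.get(src, 0) + 1  # and count the connection
        return ("pass", (seq + slot["delta"]) % 2**32, ack)

    def inbound(self, src, sport, dst, dport, flags, seq, ack):
        """Outside -> inside packet (dst is the inside host); returns (verdict, seq, ack) for the inside."""
        slot = self.conns.get((dst, dport, src, sport))   # (Src IP, Src Port, Dest IP, Dest Port) check
        if slot is None:
            return ("drop: no connection slot", seq, ack)
        if slot["state"] == "embryonic":
            if flags != SYN | ACK:                         # #3: only a SYN-ACK may answer a SYN
                return ("drop: code bit is not syn-ack", seq, ack)
            if ack != (slot["isn"] + slot["delta"] + 1) % 2**32:  # sequence number check
                return ("drop: sequence number check failed", seq, ack)
        return ("pass", seq, (ack - slot["delta"]) % 2**32)   # #4: undo the randomization for the inside host

def handshake_demo():
    """Replays the slide: 10.0.0.3:1026 -> 172.30.0.50:23, inside ISN 49091, server ISN 92513."""
    asa = AsaTcp()
    v1, pub_seq, _ = asa.outbound("10.0.0.3", 1026, "172.30.0.50", 23, SYN, 49091)
    bad, _, _ = asa.inbound("172.30.0.50", 23, "10.0.0.3", 1026, ACK, 92513, pub_seq + 1)  # not a SYN-ACK
    v3, _, in_ack = asa.inbound("172.30.0.50", 23, "10.0.0.3", 1026, SYN | ACK, 92513, pub_seq + 1)
    v5, _, _ = asa.outbound("10.0.0.3", 1026, "172.30.0.50", 23, ACK, 49092, 92514)
    return (v1, bad, v3, in_ack, v5, asa.embryonic["10.0.0.3"], asa.established["10.0.0.3"])
```

The inside host never sees the randomized sequence numbers: the ack in packet #4 is rewritten back to 49092, matching the slide.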
UDP
• Connectionless protocol
• Efficient protocol for some services
• Resourceful but difficult to secure
UDP (cont.)
(figure: UDP exchange from 10.0.0.3 on the private network to 172.30.0.50 on the public network, through the PIX Firewall)
• The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
• #1 (private side): source addr 10.0.0.3, destination addr 172.30.0.50, source port 1028, destination port 45000.
• #2 (public side): source addr 192.168.0.20, destination addr 172.30.0.50, source port 1028, destination port 45000.
• #3 (public side): source addr 172.30.0.50, destination addr 192.168.0.20, source port 45000, destination port 1028.
• #4 (private side): source addr 172.30.0.50, destination addr 10.0.0.3, source port 45000, destination port 1028.
• All UDP responses arrive from outside and within the UDP user-configurable timeout (default = 2 minutes).
• The PIX Firewall follows the Adaptive Security Algorithm:
• (Src IP, Src Port, Dest IP, Dest Port) check
• Translation check
Port Address Translation
(figure: PAT global address 192.168.0.15; hosts 10.0.0.2 and 10.0.0.3 both connect to 172.30.0.50 port 23 across the Internet)
• Host 10.0.0.2, inside: source addr 10.0.0.2, destination addr 172.30.0.50, source port 49090, destination port 23. Outside: source addr 192.168.0.15, destination addr 172.30.0.50, source port 2000, destination port 23.
• Host 10.0.0.3, inside: source addr 10.0.0.3, destination addr 172.30.0.50, source port 49090, destination port 23. Outside: source addr 192.168.0.15, destination addr 172.30.0.50, source port 2001, destination port 23.
PAT Example
(figure: perimeter router 192.168.0.1; PIX Firewall outside 192.168.0.2, inside 10.0.0.1; bastion host 172.16.0.2; Engineering 10.0.2.0, Sales 10.0.1.0, Information systems)
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
• Assign a single IP address (192.168.0.9) to the global pool
• IP addresses are typically registered with InterNIC
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access
• Source port changed to a unique number greater than 1024
Mapping Subnets to PAT Addresses
(figure: perimeter router 192.168.0.1; PIX Firewall outside 192.168.0.2, inside 10.0.0.1; bastion host 172.16.0.2; Engineering 10.0.2.0, Sales 10.0.1.0, Information systems)
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0
pixfirewall(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.1.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.0.2.0 255.255.255.0
• Map different internal subnets to different PAT addresses.
• Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
• Source addresses of hosts in network 10.0.2.0 are translated to 192.168.0.9 for outgoing access.
• The source port is changed to a unique number greater than 1024.
No Network Address Translation (nat 0)
(figure: perimeter router 192.168.0.1; PIX Firewall outside 192.168.0.2, inside 10.0.0.1; inside host 192.168.0.9)
pixfirewall(config)# nat (inside) 0 192.168.0.9 255.255.255.255
pixfirewall(config)# show nat
nat 0 192.168.0.9 will be non-translated
• nat 0 ensures that 192.168.0.9 is not translated.
• ASA remains in effect with nat 0.
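As an added example that is not the slides' own material, a Python model of how the nat/global pairs on the "Two Interfaces with NAT", PAT and nat 0 slides map inside sources: the nat_id ties a nat statement to its global pool, a single global address gives PAT with a unique source port above 1024, and nat 0 passes the address through untranslated. Class and function names, the first PAT port of 2000 and first-match rule ordering are assumptions.

```python
import ipaddress

class PixNat:
    """Constructed model of the nat/global pairing on these slides (not Cisco code)."""

    def __init__(self):
        self.nat_rules = []      # (nat_id, IPv4Network) in configuration order
        self.global_pools = {}   # nat_id -> list of global addresses (str)
        self.nat_xlate = {}      # local_ip -> global_ip (dynamic NAT: one global per host)
        self.pat_xlate = {}      # (local_ip, local_port) -> (global_ip, global_port)
        self.next_pat_port = 2000  # assumed first PAT port; the slides only require > 1024

    def nat(self, nat_id, local_ip, netmask):
        self.nat_rules.append((nat_id, ipaddress.IPv4Network(f"{local_ip}/{netmask}")))

    def global_(self, nat_id, first_ip, last_ip=None):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first_ip, last_ip or first_ip))
        self.global_pools[nat_id] = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

    def translate(self, src_ip, src_port):
        """Return (source address, source port) as the outside interface sends them."""
        # Assumption: the first nat statement (in configuration order) covering src_ip wins.
        nat_id = next((nid for nid, net in self.nat_rules
                       if ipaddress.IPv4Address(src_ip) in net), None)
        if nat_id is None:
            raise LookupError(f"no nat statement covers {src_ip}")
        if nat_id == 0:                                # nat 0: address passes through untranslated
            return (src_ip, src_port)
        pool = self.global_pools[nat_id]               # KeyError if no global pairs with nat_id
        if len(pool) == 1:                             # single global address: PAT
            if (src_ip, src_port) not in self.pat_xlate:   # every flow gets a unique global port
                self.pat_xlate[(src_ip, src_port)] = (pool[0], self.next_pat_port)
                self.next_pat_port += 1
            return self.pat_xlate[(src_ip, src_port)]
        if src_ip not in self.nat_xlate:               # pool: next free address (StopIteration if exhausted)
            self.nat_xlate[src_ip] = next(g for g in pool if g not in self.nat_xlate.values())
        return (self.nat_xlate[src_ip], src_port)      # plain NAT keeps the source port

def demo():
    """Replays the two-interface NAT, PAT and nat 0 slides with constructed inside hosts."""
    pix = PixNat()
    pix.nat(1, "10.0.0.0", "255.255.255.0")
    pix.nat(2, "10.1.0.0", "255.255.255.0")
    pix.nat(0, "192.168.0.9", "255.255.255.255")
    pix.global_(1, "192.168.0.20", "192.168.0.254")   # address range: one-to-one dynamic NAT
    pix.global_(2, "192.168.0.15")                    # single address: PAT
    return {"nat_a": pix.translate("10.0.0.3", 49090), "nat_b": pix.translate("10.0.0.4", 49090),
            "pat_a": pix.translate("10.1.0.2", 49090), "pat_b": pix.translate("10.1.0.3", 49090),
            "nat0": pix.translate("192.168.0.9", 80)}
```

Two PAT hosts using the same source port 49090 come out as 192.168.0.15 with ports 2000 and 2001, which is the collision the PAT slide illustrates.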