
Perimeter Protection (Firewalls)

Before installing a firewall you must have a firm grasp on reality. Reality is, it won’t stop all attacks, but you’ll sleep better knowing it’s there.

Objectives (1 of 2)

Explain the basics of a firewall
Describe the different types of firewalls
Define the following types of Access Control Lists: Standard ACLs, Extended ACLs, Reflexive ACLs
Implement Access Control Lists on a router.

Objectives (2 of 2)

Describe additional components that can be used to enhance the firewall’s capabilities
Explain firewall placement on a network
Implement a Cisco ASA5510 firewall
Implement a DMZ on a Cisco ASA5510 firewall

Firewall Basics (1 of 6)

A firewall is a hardware or software based gateway that acts as a buffer between any “trusted” network and a “lesser-trusted” network.

When most of us think of a firewall we picture a device that sits between the corporate (internal) network and the internet (public network).

Firewall Basics (2 of 6)

However, today we often don’t see a single firewall implementation unless we are dealing with a small network. Most corporate implementations use a multi-firewall approach to provide successive protection from the internet, to the DMZ, to the internal user network, to the internal secure network.

Firewall Basics (3 of 6)

An older (or basic) implementation of a single firewall solution

Firewall Basics (4 of 6)

Firewalls are primarily designed to address the threats that are directed, intentionally and unintentionally, at an organization’s network. The most basic firewalls address these threats by permitting only valid inbound (reply) traffic to reach the internal network.

Firewall Basics (5 of 6)

Identifying valid traffic is not as easy as it seems. Many of today’s newer attacks are much better at forging what appears to be valid traffic.

These newer attacks can defeat many of the older, simpler firewall systems and router ACLs.

Firewall Basics (6 of 6)

There are also several pre-attack applications that perform intelligence gathering functions. These allow the attackers to craft better packets that are designed to defeat the weaknesses in the devices (firewalls and ACL-configured routers) that were identified by the pre-attack applications.

Firewall Types (1 of 9)

Firewalls are often classified under three different categories, which are based on their method of packet inspection:
Packet filtering and stateless filtering
Stateful filtering
Deep packet layer inspection

Firewall Types (2 of 9)

Packet filtering firewalls are basically access-control lists that are configured on a router. These firewalls are easily defeated today, and there are several applications that can be used to determine if a router has an ACL running on it (even traceroute can provide us with a hint to this).

Firewall Types (3 of 9)

Stateless filtering firewalls are not much better than packet filtering ACLs: they permit only the receipt of packets whose source IP address and ports belong to other “trusted” networks. If you defined the Internet as a trusted network, you’re really not providing yourself with much protection.

The only real benefit of this type of firewall over packet filtering ACLs is that it provides more flexibility and scalability.

Firewall Types (4 of 9)

Packet filtering and Stateless filtering firewalls only operate from Layer 1 to Layer 3 of the OSI model.

Firewall Types (5 of 9)

Stateful filtering firewalls provide a greater range of filtering capabilities over stateless filtering firewalls. Filtering can be performed on:
Source and destination IP Addresses
Source and destination TCP/UDP ports
Protocol anomalies such as illegal TCP flag combinations
Limited basic payload content filtering

Firewall Types (6 of 9)

Stateful filtering firewalls operate up to Layer 4 of the OSI Model

Firewall Types (7 of 9)

Deep packet layer inspection is another step up in packet filtering capability. Including all the filtering offered by the Stateful filtering firewall, it can also filter on:
Protocol conformance
Packet specification conformance
Application-based attacks
Payload integrity

Firewall Types (8 of 9)

These functions have traditionally been reserved for, or found only in, IDS solutions. Because they combine a firewall and an IDS, deep packet layer inspection firewalls have historically been found only as hardware appliances, but that is changing.

This type of inspection requires the speed of a hardware-based solution in order to prevent the firewall from becoming the network’s primary bottleneck.

Firewall Types (9 of 9)

Deep packet layer inspection firewalls operate on all layers of the OSI model

Access Control Lists (1 of 2)

Access lists are used as filters to decide which packets are permitted and which packets are denied.

The entries in an access list are referred to as Access Control Entries (ACEs), and the router’s security is highly dependent on them. This is really the first line of defense on your perimeter routers and should be carefully thought out when implemented.

Access Control Lists (2 of 2)

There are three different categories of Access Control Lists.
Standard IP Access Lists: can filter IP packets based on source IP address only
Extended Access Lists: can filter IP based on several attributes
Enhanced Access Lists: requirement dependent; used to help secure the router and its networks better

Standard Access Control Lists (1 of 3)

Standard IP ACLs

Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <1300-1999>  IP Standard Access List (Expanded range)
  <200-299>    Protocol type-code access list
  <2000-2699>  IP extended access list (expanded range)
  <300-399>    DECnet access list
  <600-699>    AppleTalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list

Standard Access Control Lists (2 of 3)

Standard ACLs (Cont) Command structure

access-list access-list-number {deny | permit} source [source-wildcard]

Where:
access-list-number is the number of the access list
deny drops all packets matching the specified source address
permit allows all packets matching the specified IP address through
source specifies the IP address of a host
source-wildcard specifies a group of hosts or subnet

Standard Access Control Lists (3 of 3)

Standard ACLs (Cont) Standard ACLs support the following keywords:
any – specifies any host
host – specifies an exact host
log – enables the logging of packets

Extended Access Control Lists (1 of 7)

Extended Access Lists are much more flexible and should be used to provide a much clearer definition of what packets should be allowed or denied.

They allow you to choose from:
IP source or destination addresses
Protocols
Source and destination port numbers
Some protocol-dependent functions

Extended Access Control Lists (2 of 7)

Extended IP ACLs

Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <1300-1999>  IP Standard Access List (Expanded range)
  <200-299>    Protocol type-code access list
  <2000-2699>  IP extended access list (expanded range)
  <300-399>    DECnet access list
  <600-699>    AppleTalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list

Extended Access Control Lists (3 of 7)

Extended ACLs (Cont) Command structure

access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source [source-wildcard] | any | host} operator {source-port} {destination destination-wildcard | any | host} operator {destination-port} [established] [log | log-input]

Extended Access Control Lists (4 of 7)

Where:
access-list-number is the number of the access list
deny denies access if conditions are matched
permit permits access if conditions are matched
protocol-number specifies a protocol number
protocol-keyword an IP protocol such as eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, udp
source represents the number of the network or host from which the packet is being sent
source-wildcard represents the wildcard bits to be applied to the host

Extended Access Control Lists (5 of 7)

Where: (Cont)
source-port specifies the port from which the packet originated
destination represents the number of the network or host to which the packet is being sent
destination-wildcard represents the wildcard bits to be applied to the destination
destination-port specifies the port to which the packet is being sent

Extended Access Control Lists (6 of 7)

Where: (Cont)
operator logical operator that compares source or destination ports. If positioned after the source it must match the source port; if positioned after the destination and destination-wildcard it must match the destination port. Possible operands include:
lt – less than
gt – greater than
eq – equal
neq – not equal
range – inclusive between two provided port numbers

Extended Access Control Lists (7 of 7)

Where: (Cont)
established used only for the TCP protocol to indicate an established connection. A match occurs if the ACK, FIN, PSH, RST, or URG bits are set (i.e. a connection is established). A match doesn’t occur if the SYN bit is set (i.e. a connection is being initiated)
log causes a logging entry to be sent to the console
log-input includes the input interface and source MAC or VC in the logging output
any specifies any host
host specifies an exact host match
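To make the first-match, implicit-deny and wildcard-mask semantics of the standard and extended ACLs above concrete, here is an added Python evaluator (not from the course or Cisco): it parses the access-list syntax shown on the slides, supports the any/host/wildcard address forms and the port operators, and stops at the first matching ACE. The one departure from the slide text is the established test, which follows the IOS command reference (ACK or RST set); the sample ACL is constructed.

```python
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

# Constructed example: a tiny evaluator for IOS-style numbered ACLs.
# First matching ACE wins; every ACL ends with an implicit "deny any".
Packet = namedtuple("Packet", "protocol src dst sport dport", defaults=(0, 0))
Ace = namedtuple("Ace", "action protocol src sport dst dport established")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care

def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [W.W.W.W]' -> (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0][0].isdigit():
        return t, tokens.pop(0)
    return t, "0.0.0.0"      # standard-ACL shorthand: bare address means one host

def _take_port(tokens: List[str]):
    """Consume an optional operator: eq|neq|lt|gt N, or range LO HI."""
    if not tokens or tokens[0] not in ("eq", "neq", "lt", "gt", "range"):
        return None
    op = tokens.pop(0)
    if op == "range":
        return op, (int(tokens.pop(0)), int(tokens.pop(0)))
    return op, int(tokens.pop(0))

def port_match(port: int, cond) -> bool:
    if cond is None:
        return True
    op, v = cond
    if op == "range":
        return v[0] <= port <= v[1]
    return {"eq": port == v, "neq": port != v, "lt": port < v, "gt": port > v}[op]

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N {permit|deny} ...' line (standard or extended)."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:     # standard: source only
        return Ace(action, "ip", _take_addr(rest), None,
                   ("0.0.0.0", "255.255.255.255"), None, False)
    protocol = rest.pop(0)
    src, sport = _take_addr(rest), _take_port(rest)
    dst, dport = _take_addr(rest), _take_port(rest)
    return Ace(action, protocol, src, sport, dst, dport, "established" in rest)

def evaluate(acl: List[str], pkt: Packet, tcp_flags=frozenset()) -> Tuple[str, Optional[str]]:
    """Walk the ACL top-down; return (action, matching line or None for the implicit deny)."""
    for line in acl:
        ace = parse_ace(line)
        if ace.protocol not in ("ip", pkt.protocol):
            continue
        if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
            continue
        if not (port_match(pkt.sport, ace.sport) and port_match(pkt.dport, ace.dport)):
            continue
        # 'established' per the IOS command reference: ACK or RST must be set, never a bare SYN
        if ace.established and not (tcp_flags & {"ACK", "RST"}):
            continue
        return ace.action, line
    return "deny", None          # the implicit deny any at the end of every ACL

# Constructed sample ACL: web out from 10.1.0.0/16, replies only to one inside host.
EXAMPLE_ACL = [
    "access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 80",
    "access-list 101 permit tcp any host 10.1.2.3 established",
    "access-list 101 deny ip any any log",
]
```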

Named Access Control Lists (1 of 3)

Named ACLs
Introduced by Cisco in IOS 11.2 to allow users to identify the access list more easily
Can be used for both standard and extended ACLs
The command syntax is slightly different; however, all other keywords such as any, host and log work in the same way.

Named Access Control Lists (2 of 3)

Standard ACL Command Syntax

access-list access-list-number {deny | permit} source [source-wildcard]

Standard Named ACL Command Syntax

ip access-list standard access-list-name {deny | permit} source [source-wildcard]

Named Access Control Lists (3 of 3)

Extended ACL Command Syntax

access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source [source-wildcard] | any | host} operator {source-port} {destination destination-wildcard | any | host} operator {destination-port} [established] [log | log-input]

Extended Named ACL Command Syntax

ip access-list extended access-list-name {deny | permit} {protocol-number | protocol-keyword} {source [source-wildcard] | any | host} operator {source-port} {destination destination-wildcard | any | host} operator {destination-port} [established] [log | log-input]

Enhanced Access Control Lists (1 of 6)

Enhanced ACLs were designed to secure routers and networks better.

Selection of an Enhanced ACL is dependent on the security need.

The current Enhanced ACL set includes:
Dynamic access lists
Time-based access lists
Reflexive access lists

Enhanced Access Control Lists (2 of 6)

Dynamic Access Lists
These are also referred to as “lock-and-key”
They create a specific, temporary opening (security hole) in response to user authentication
User ID and Password can be entered on the router, but it is best to use them with a TACACS+ server

Enhanced Access Control Lists (3 of 6)

Time-based Access Lists
Like Dynamic ACLs, these also create a temporary opening (security hole), based on a configured time period
For example, a Time-based ACL can be configured to allow incoming users to have web access from 8:00 AM to 6:00 PM from Monday to Friday.

Enhanced Access Control Lists (4 of 6)

Reflexive Access Lists
These are automatically populated, temporary, session-based filters
Basically, if a router permits a session to be initiated from within an internal network to an external host, the reflexive access list permits the return session traffic
This is similar to the “established” keyword of the Extended ACLs

Enhanced Access Control Lists (5 of 6)

Reflexive Access Lists (cont)
When a session is initiated from within a network, a reflexive ACL is populated with information taken from the initial packet
The source and destination IP addresses and port numbers are swapped, and the upper layer protocol type (TCP, UDP) is recorded
These are all included as a permit statement for the temporary ACL

Enhanced Access Control Lists (6 of 6)

Reflexive Access Lists (cont)
These temporary ACLs remain active until:
there is no longer any traffic for a session and the time-out expires
two FIN-flagged packets are received for the session
the RST flag is set on a TCP packet for that session
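The reflexive ACL behaviour described across the last three slides, modelled as an added Python example (not Cisco’s implementation): an inside-initiated session creates a mirrored permit entry, and the entry disappears on idle time-out, after two FIN packets, or on an RST. The 300-second idle time-out and the packet fields are assumptions for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed example: a model of the temporary entries a reflexive ACL
# creates for inside-initiated sessions and the three ways they go away.
Key = Tuple[str, str, str, int, int]     # (proto, src, dst, sport, dport)

@dataclass
class Session:
    last_seen: float
    fins_seen: int = 0

@dataclass
class ReflexiveAcl:
    timeout: float = 300.0                # idle time-out in seconds (assumed value)
    table: Dict[Key, Session] = field(default_factory=dict)

    def outbound(self, proto: str, src: str, dst: str, sport: int, dport: int,
                 now: float, flags=frozenset()) -> Key:
        """An inside-initiated packet was permitted: record the mirrored entry.

        Source/destination addresses and ports are swapped so the entry
        matches the return traffic, and the protocol is recorded with it.
        """
        key = (proto, dst, src, dport, sport)
        sess = self.table.setdefault(key, Session(last_seen=now))
        sess.last_seen = now
        self._track_tcp(key, sess, proto, flags)
        return key

    def inbound(self, proto: str, src: str, dst: str, sport: int, dport: int,
                now: float, flags=frozenset()) -> bool:
        """True if an inbound packet hits a temporary permit entry, else False
        (it then falls through to the rest of the interface's ACL)."""
        self.expire(now)
        key = (proto, src, dst, sport, dport)
        sess = self.table.get(key)
        if sess is None:
            return False
        sess.last_seen = now
        self._track_tcp(key, sess, proto, flags)
        return True

    def _track_tcp(self, key: Key, sess: Session, proto: str, flags) -> None:
        """Tear the entry down on RST, or once two FIN packets have been seen."""
        if proto != "tcp":
            return
        if "RST" in flags:
            self.table.pop(key, None)
        elif "FIN" in flags:
            sess.fins_seen += 1
            if sess.fins_seen >= 2:
                self.table.pop(key, None)

    def expire(self, now: float) -> int:
        """Remove entries idle longer than the time-out; return how many were removed."""
        stale = [k for k, s in self.table.items() if now - s.last_seen > self.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)
```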

Firewall Enhancements (1 of 17)

Today, there are four primary enhancements that can be added to most firewalls, including:
NAT
Proxy services
Content filtering
Anti-virus (malware) software

Firewall Enhancements (2 of 17)

NAT
NAT’s primary function is to hide the internal IP Address range from the external “untrusted” networks.
A packet coming from an internal workstation to the internet will arrive at the firewall.
The firewall will strip off the internal workstation address and replace it with its own external IP Address.

Firewall Enhancements (3 of 17)

It keeps track of these outbound packets in a table and waits for the replies from the remote system.

When it receives an inbound packet it does a lookup on its table to see if it has a matching record.

If there is a match it strips off its external IP address, replaces it with the originating host address and forwards the packet on.

If there is no matching entry it drops the packet and possibly alerts the administrator.
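The NAT lookup table just described, as an added Python model (not the course’s code): outbound packets get the external address plus a translated port (PAT) and are recorded; an inbound packet is translated back only when it matches a recorded entry, and is otherwise dropped and kept for the administrator’s alert. The external address 198.51.100.1 and the packet values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example: the translation table a NAT firewall keeps for
# outbound connections, with PAT (one external address, many ports).
@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatFirewall:
    external_ip: str
    next_port: int = 1024
    # inside (proto, ip, port, remote ip, remote port) -> translated port
    out: Dict[Tuple[str, str, int, str, int], int] = field(default_factory=dict)
    # (proto, translated port, remote ip, remote port) -> inside (ip, port)
    back: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)
    dropped: List[Pkt] = field(default_factory=list)   # what the admin would be alerted about

    def outbound(self, p: Pkt) -> Pkt:
        """Replace the inside source with the firewall's external address and a
        translated port, recording the mapping so the reply can be matched."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(p.proto, self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Pkt(p.proto, self.external_ip, self.out[key], p.dst, p.dport)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Look the reply up in the table: translate back on a hit, drop on a miss.
        The remote endpoint is part of the key, so a packet from some other host
        aimed at a translated port has no matching record and is dropped."""
        entry = self.back.get((p.proto, p.dport, p.src, p.sport))
        if p.dst != self.external_ip or entry is None:
            self.dropped.append(p)
            return None
        inside_ip, inside_port = entry
        return Pkt(p.proto, p.src, p.sport, inside_ip, inside_port)
```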

Firewall Enhancements (4 of 17)

Advantages of NAT:
Allows organizations to use Private IP address ranges internally on their network.
Hides the internal address range from external view.
Internet access can be provided to the entire protected user base without the need to change IP Addresses.

Firewall Enhancements (5 of 17)

Disadvantages of NAT:
NAT is very CPU intensive, which can interfere with multimedia applications that are also CPU intensive.
The Layer 3 header and IP Address change as the packet passes through the NAT system; this can cause problems with VPNs and with some applications which require packets to come directly from a host.

Firewall Enhancements (6 of 17)

Proxy Services
Proxy services provide multiple functions:
Hide the internal addresses from the external (Internet) network.
Perform information caching.
Perform website filtering/blocking.

Firewall Enhancements (7 of 17)

Protecting the internal addresses
The proxy server acts as an intermediate device between the internal host and the remote internet server.
The proxy server actually makes the information request on behalf of the internal host.
When it receives the information it forwards it on to the internal host.

Firewall Enhancements (8 of 17)

Caching information
Because the proxy server makes the requests on behalf of the internal hosts, it can cache this information for use by others.
This actually improves the web surfing performance for all of the internal clients.
The information is cached for a set period of time (e.g. 8 hours).
All internal clients that request the same information get it from the local proxy server and not the actual web server.

Firewall Enhancements (9 of 17)

Filtering web access
This can be a benefit and a detractor.
Organizations can use this feature of the proxy server to prevent access to certain websites and/or content.
While this blocking may be appropriate, it can be an administrative nightmare to configure and maintain.
Blocking based on the keyword “jobs” could prevent HR from accessing job sites looking for potential employees, or from even looking at the daily paper online.

Firewall Enhancements (10 of 17)

Content Filters
The content filtering discussed in the book really refers to URL-based content filtering.
URL-based content filtering can be performed in a couple of ways:
Deny access to the URLs in the list.
Allow access to the URLs in the list.

Firewall Enhancements (11 of 17)

There are some problems with URL-based content filtering. Even large web search engines such as Google and AltaVista have about half of the actual web URLs in existence.

New URLs are created every day, which means you have to update your filters every day.

Even creating an allow-only list can be quite cumbersome to maintain for a large organization.

Firewall Enhancements (12 of 17)

A better solution would be to download a blocking list that is maintained by a third party. This is not a perfect solution, as you may or may not be able to edit or control what the creators of this list deem “blockable” material.

This still requires a significant commitment of time for the administrator to manage these lists.

Firewall Enhancements (13 of 17)

Newer forms of content filtering now block on keywords such as “drugs”, “hate”, profanity, etc. This means creating and maintaining a valid list of keywords, including all of the “slang” used on the web today.

Again, your best bet here may be to go to a third party and download an “editable” list of appropriate keywords.

Firewall Enhancements (14 of 17)

Content filtering can be a powerful tool and an ever-increasing headache. Properly implemented content filtering can be applied as needed, with some users not blocked at all, and others blocked to all but a few sites.

Maintaining this function can be a real nightmare for the administrator.

Firewall Enhancements (15 of 17)

No matter how it’s implemented, it must be based on a policy that has been appropriately developed by the organization. Care must also be given to ensure that the filtering does not infringe on an individual’s personal freedoms or religious values, or appear prejudicial in any way.

Firewall Enhancements (16 of 17)

Anti-malware
Anti-malware functions are being integrated more and more into software-based firewall solutions. This is even more prevalent in the personal firewall market place, where personal firewalls and antivirus are bundled together as one solution.

Firewall Enhancements (17 of 17)

Reality is… this is a good thing! Where better to block a virus or a Trojan trying to compromise your organization’s system than at the first possible place it can get in – your perimeter’s ingress point.

The flip side of the coin is that we need to ensure that the anti-malware solution doesn’t again cause the firewall to become our bottleneck.

Firewall Placement (1 of 6)

In this section we are going to look at three different locations where we can (should) implement a firewall. This is not to state that firewalls should only be implemented in the locations discussed.

We will discuss some of the reasons for these three different locations.

Firewall Placement (2 of 6)

Location #1: Between the ingress router and DMZ

Location #1

This is our initial and primary perimeter ingress point. It gives us our first opportunity to stop an attack and block bad/invalid traffic. It is also the first chance we get to raise an alarm based on any attacks.

Firewall Placement (3 of 6)

Location #1: Between the ingress router and DMZ

Location #1

This should be a hardware-based solution, as we need to ensure that we have the processing power, memory and functionality needed to support both our DMZ’s inbound traffic and our internal network’s outbound/inbound traffic.

Firewall Placement (4 of 6)

Location #2: Between the DMZ and the internal user network

Location #2

This can be a hardware or software based system, but must not be the same as the firewall at Location #1. While the Location #1 firewall must allow inbound DMZ and internal traffic through, this firewall is configured strictly for internal traffic.

Firewall Placement (5 of 6)

Location #2: Between the DMZ and the internal user network

Location #2

Most of the traffic that passes through this firewall is initiated from the inside. However, VPN traffic may be authenticated at this point or at a device directly behind it. This firewall’s main purpose is to protect the internal network from external and DMZ launched attacks.

Firewall Placement (6 of 6)

Location #2: Between the DMZ and the internal user network

Location #3

This firewall can be hardware or software based (hardware recommended). The primary purpose of this firewall is to protect an internal secure network from an attack launched from the internal user network.

Cisco PIX Firewall (1 of 6)

Hardware device that will protect an inside network from one or more “untrusted” outside networks.
Optionally, can also protect perimeter networks / devices that are placed in the DMZ.
Hardened OS for better security.
Outbound traffic is controlled by Access Control Lists.

Cisco PIX Firewall (2 of 6)

Cisco PIX firewalls use an “Adaptive Security Algorithm” for a stateful approach to security. Every packet is checked against the algorithm and connection state information.

ASA allows one-way (inside to outside) connections without an explicit configuration for each internal system and application.

Cisco PIX Firewall (3 of 6)

ASA follows some basic rules:
No packets can traverse the firewall without a connection and state.
Outbound connections or states are allowed, except those specifically denied by access control lists.
Inbound connections or states are denied, except those specifically allowed.
All ICMP packets are denied unless specifically permitted.
All attempts to circumvent the previous rules are dropped and a message is sent to syslog.

Cisco PIX Firewall (4 of 6)

PIX devices provide for 2 or more Ethernet interfaces with pre-assigned Security Levels.
“Inside” interface assigned a security level of 100.
“Outside” interface assigned a security level of 0.
DMZ interface(s) assigned incremental (and changeable) security levels.

Cisco PIX Firewall (5 of 6)

Use the “show nameif” command to view security levels:

pixfirewall# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
pixfirewall#

Cisco PIX Firewall (6 of 6)

Cisco PIX offers additional features (dependent on the IOS running on the system):
NAT/PAT
Site to Site and Remote Client Access VPN
Cut-through Proxy
AAA with TACACS+
Access Control Lists

Cisco ASA Firewall (1 of 7)

The Cisco ASA 5500 series adaptive security appliances are purpose-built solutions that combine:
advanced stateful firewall functionality
VPN concentrator functionality
integrated Intrusion Prevention functionality
IPS functionality is provided through add-on modules called an AIM-SSP or CCM-SSP

Cisco ASA Firewall (2 of 7)

Firewall Functionality is broken into three different sub-category areas.

Security Policies
Security policies are used to determine which traffic is allowed to pass through the firewall to access another network.
By default, the security appliance allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level).

Cisco ASA Firewall (3 of 7)

Firewall Mode
There are two different firewall modes the appliance can be set to run in.
Routed mode: the ASA is considered to be a router hop in the network.
Transparent mode: the ASA acts like a stealth firewall and is not considered a router hop.

Cisco ASA Firewall (4 of 7)

Stateful Inspection Mode
All traffic that goes through the ASA devices is inspected by the Adaptive Security Algorithm (same as the PIX FW).
The Adaptive Security Algorithm takes into consideration the state of the packet, for instance:
Is this a new connection?
Is it an established connection?
Is it UDP?
Is there Layer 7 protocol data that requires content inspection?

Cisco ASA Firewall (5 of 7)

VPN Functionality: Will be covered in Section 4 of the course.

Intrusion Prevention: We do not currently have the AIP-SSP modules to cover the Intrusion Prevention functions of the ASA device; however, you already know all of the IDS/IPS stuff anyway… right?

Cisco ASA Firewall (6 of 7)

Configuration of the ASA device (and PIX Firewalls) is performed through a combination of the CLI and the ASDM (Adaptive Security Device Manager) application.
Initial setup and recovery operations need access to the CLI features on the console port.
Once the management interface functions are set up, most configuration, maintenance, upgrading and routine changes will be handled through the ASDM.

Cisco ASA Firewall (7 of 7)