Interes 10 Firewalls


Transcript of Interes 10 Firewalls

  • 8/9/2019 Interes 10 Firewalls

    1/24

    © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Branch-WAN 1.0 Solution Overview

    Firewalls

    Lionel Hunt, Systems Engineer, Global Enterprise Theatre

    2/24

    Firewall Design Criteria & Selection

    General Firewall Security Objectives

    • Enforce basic network policy at WAN edge and Branch edge
    • Traffic flows in and out
    • To/from who, services, etc.

    Branch-WAN 1.0 Firewall Integration Criteria Selection

    Private WAN Edge:
    • IOS FW in ASR
    • Firewall integrated in Unified WAN Services platform

    Typical Branch Edge:
    • IOS FW in ISR
    • Most cost-effective

    High Performance Branch Edge:
    • ASA appliance
    • NetOps and SecOps administrative domain separation

    [Diagram: Private WAN, Private WAN Edge, Branch]

    3/24

    4/24

    Stateful Inspection Firewalls - Advantages

    [Diagram: Internet, Web Server, End User PC; "Permit traffic: State Table (Existing connection)"]

    • Examines multiple levels
    • Very secure
    • Robust logging
    • Transparent
    • Maintains State
    • High performance

    5/24

    Accounting

    Example Flow

    Flow
    SRC IP: 4*545456  SRC Port: 44*7*  Protocol: TCP
    DST IP: 46854775)465)(  DST Port: 80
    [address and port digits are illegible in the transcript]

    Interfaces
    Source: Inside  Destination: Outside

    With the Flow Defined, Examination of Configuration Issues Boils Down to Just the Two Interfaces: Inside and Outside

    Client: 4*545456
    Server: 46854775)465)(

    [Diagram: Inside (Eng), Servers, DMZ, Partner, Outside, Hosting; Packet Flow]

    6/24

    Stateful Firewall Packet Flow

    1. Packet Arrives
    2. Check Permissions: ACLs / Authentication
    3. Addressing: NAT / PAT / Static
    4. Create XLATE Object (addressing info)
    5. Enter into Connections Table (ports + proto + flags + random seqnum)

    7/24

    8/24

    Stateful Firewall Basic Rules

    • Allow TCP / UDP from inside
    • Permit TCP / UDP return packets
    • Drop and log connections from outside
    • Drop and log source routed IP packets
    • Deny ICMP packets
    • Drop and log all other packets from outside
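The packet-flow steps and basic rules above, modelled as an added Python example (not code from this deck): a two-interface stateful engine that translates inside hosts into a global pool (steps 3 and 4), records each flow in a connection table (step 5) and then applies the basic rules to every packet. All class names and the addresses are constructed; the pool reuses the values from the deck's later NAT example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str                    # interface the packet is on: "inside" or "outside"
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    source_routed: bool = False   # IP source-route option present

class StatefulFirewall:
    # Two interfaces only: inside (trusted) and outside (untrusted); names are constructed
    def __init__(self, nat_pool):
        self.nat_pool = list(nat_pool)  # unused global addresses (NAT pool)
        self.xlate = {}                 # XLATE objects: inside local -> inside global
        self.conns = set()              # connection table keyed by the translated 5-tuple
        self.log = []                   # one line per dropped packet

    def _drop(self, pkt, reason):
        self.log.append(f"DROP {reason}: {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return None

    def _translate(self, local):
        # Steps 3 and 4: allocate a global address and create the XLATE object once per host
        if local not in self.xlate:
            self.xlate[local] = self.nat_pool.pop(0)   # IndexError when the pool is exhausted
        return self.xlate[local]

    def process(self, pkt):
        """Return the forwarded (translated) packet, or None when the packet is dropped."""
        if pkt.source_routed:          # drop and log source routed IP packets
            return self._drop(pkt, "source routed")
        if pkt.proto == "icmp":        # deny ICMP packets
            return self._drop(pkt, "icmp")
        if pkt.iface == "inside":      # allow TCP/UDP from inside; step 5: enter connection
            glob = self._translate(pkt.src)
            self.conns.add((pkt.proto, glob, pkt.sport, pkt.dst, pkt.dport))
            return Packet("outside", pkt.proto, glob, pkt.sport, pkt.dst, pkt.dport)
        # From outside only TCP/UDP return packets of an existing connection are permitted
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            local = next(loc for loc, g in self.xlate.items() if g == pkt.dst)
            return Packet("inside", pkt.proto, pkt.src, pkt.sport, local, pkt.dport)
        return self._drop(pkt, "no matching connection from outside")  # drop and log the rest
```

Feeding an inside TCP packet from 10.0.1.3 to 200.200.200.10:23 returns it with source 192.168.1.10; the reply from outside is permitted and translated back to 10.0.1.3, while an unsolicited outside packet, an ICMP packet or a source-routed packet is dropped and logged.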

    9/24

    Firewall Security

    10/24

    The Default Rules

    [Diagram: interface security levels, Private Network 100, DMZ 50, Public Network 0]

    Default Actions:
    • Higher to Lower: PERMIT
    • Lower to Higher: DENY
    • Between Same: DENY

    11/24

    Only 3 Ways through the Firewall

    1: inside to outside (Limit with ACL)
    2: user authentication (AAA)
    3: Access List (outside to inside)

    [Diagram: Private Network (inside) and Public Network (outside)]

    12/24

    13/24

    NAT Example

    Packet from inside host 10.0.1.3 to 200.200.200.10 (port 23):
      Source Addr 10.0.1.3 / Destination Addr 200.200.200.10
    After translation, leaving the Outside interface towards the Internet:
      Source Addr 192.168.1.10 / Destination Addr 200.200.200.10

    Inside Local IP Address: 10.0.1.3, 10.0.1.4
    Global IP Pool: 192.168.1.10 - 192.168.1.254

    Translation table
    10.0.1.3 -> 192.168.1.10

    14/24

    IOS Firewall

    15/24

    Zone-Based Policy Firewall (ZFW)

    • Introduced in Cisco IOS 12.4(6)T
    • ZFW is the strategic solution going forward
    • Interfaces assigned to zones and inter-zone policies control access between zones
    • Similar in concept to security levels on ASA/PIX
    • Uses Class-Based Policy Language (CPL)

    Cisco Classic Firewall (CBAC)

    • Introduced in Cisco IOS 12.0
    • Cisco IOS Software Classic Firewall will be maintained in the future but will not be significantly enhanced with new features

    16/24

    Zone-Based Policy Firewall (ZFW)

    Features

    • Combines features of ACLs, CBAC, NBAR into one policy
    • Additional protocol support for deep packet inspection e.g. IM, IMAP and P2P applications
    • More actions - inspect, drop, pass and police
    • Inspection action allows TCP Intercept like functionality e.g. max session limits, idle times, flood protection
    • Traffic to or initiated from the router allowed by default
    • Traffic between zones denied by default

    17/24

    Zone-Based Policy Firewall (ZFW)

    Sample Config - Basic Setup, 2 interfaces

    class-map type inspect match-any private-allowed-class
     match protocol tcp
     match protocol udp
     match protocol icmp
    class-map type inspect match-all http-class
     match protocol http
    !
    parameter-map type inspect my-parameters
    ! referenced by "inspect my-parameters" below; not on the slide, defaults apply
    !
    policy-map type inspect private-allowed-policy
     class type inspect http-class
      inspect my-parameters
     class type inspect private-allowed-class
      inspect
    !
    zone security private
    zone security public
    zone-pair security priv-pub source private destination public
     service-policy type inspect private-allowed-policy
    !
    interface fastethernet 0
     zone-member security public
    !
    interface vlan 1
     zone-member security private

    18/24

    IOS ZBFW Design: Typical Branch

    Zone policy matrix (as shown on the slide):

                    WAN    VPN     Infrastructure  Clients
    WAN             Deny   Deny    Deny
    VPN             Deny   Permit  Permit
    Infrastructure  Deny   Permit  Permit
    Clients         Deny   Permit  Deny

    [Diagram: Private WAN, Branch, Internet, VPN; Infrastructure Zone, Client Zone, VPN Zone, WAN Zone]

    No CSM support for ZBFW planned till 3.3

    19/24

    IOS ZBFW Design: Private WAN Edge

    Zone policy matrix (as shown on the slide):

              WAN    VPN     WAN Edge
    WAN       Deny   Deny
    VPN       Deny   Permit
    WAN Edge  Deny   Permit

    [Diagram: Private WAN Edge with two Private WAN providers (SP1, SP2), VPN; VPN Zone, WAN Zone, WAN Edge Zone]

    20/24

    Cut-through Proxy

    21/24

    Cut-Through Proxy Operation

    • Authenticates once at the application layer (OSI Layer 7) for each supported service
    • Connection is passed back to the firewall engine, while maintaining session state

    1. User makes a request to an IS resource
    2. Firewall intercepts connection
    3. Firewall prompts user for username and password, authenticates user and checks security policy on RADIUS or TACACS+ server
    4. Firewall initiates connection from Firewall to the destination IS resource
    5. Firewall directly connects internal/external user to IS resource

    [Diagram: Internal/External User, CiscoSecure, PIX Firewall, IS Resource; login dialog "Username and Password Required - Enter username for CCO at www.com", User Name: student, Password: 123@456, OK / Cancel]

    22/24

    100% Transparent

    No proxy configuration required

    23/24

    24/24