Seminar Report ’03 Cisco IOS Firewall

Dept. of IT MESCE, Kuttippuram -1-

INTRODUCTION

The Cisco IOS Firewall provides robust, integrated firewall and intrusion detection functionality for every perimeter of the network. Available for a wide range of Cisco IOS software-based routers, the Cisco IOS Firewall offers sophisticated security and policy enforcement for connections within an organization (intranet) and between partner networks (extranets), as well as for securing Internet connectivity for remote and branch offices.

A security-specific, value-add option for Cisco IOS Software, the Cisco IOS Firewall enhances existing Cisco IOS security capabilities, such as authentication, encryption, and failover, with state-of-the-art security features, such as stateful, application-based filtering (context-based access control), defense against network attacks, per-user authentication and authorization, and real-time alerts.

The Cisco IOS Firewall is configurable via Cisco ConfigMaker software, an easy-to-use Microsoft Windows 95, 98, NT 4.0 based software tool.

CHAPTER ONE

FIREWALL BASICS

Definition of Firewall

A firewall is a network security device that ensures that all communications attempting to cross it meet an organization’s security policy. Firewalls track and control communications, deciding whether to allow, reject or encrypt them.

Firewalls are used to connect a corporation’s local network to the Internet and also within networks. In other words, they stand in between the trusted network and the untrusted network.

Design and Implementation Issues

Basic Design Decisions in a Firewall

The first and most important decision reflects the policy of how your company or organization wants to operate the system. Is the firewall in place to explicitly deny all services except those critical to the mission of connecting to the net, or is the firewall in place to provide a metered and audited method of ‘queuing’ access in a non-threatening manner? The second is what level of monitoring, redundancy and control do you want? Having established the acceptable risk level you can form a checklist of what should be monitored, permitted and denied. The third issue is financial.

Implementation Methods

Two basic methods to implement a firewall are:

1. As a Screening Router:

A screening router is a special computer or an electronic device that screens (filters out) specific packets based on the criteria that is defined. Almost all current screening routers operate in the following manner.

a. Packet filter criteria must be stored for the ports of the packet filter device. The packet filter criteria are called packet filter rules.

b. When the packets arrive at the port, the packet header is parsed. Most packet filters examine the fields in only the IP, TCP and UDP headers.

c. The packet filter rules are stored in a specific order. Each rule is applied to the packet in the order in which the packet filter rules are stored.

d. If the rule blocks the transmission or reception of a packet, the packet is not allowed.

e. If the rule allows the transmission or reception of a packet, the packet is allowed.

f. If a packet does not satisfy any rule, it is blocked.
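The screening-router procedure in steps a to f, written out as an added Python example (not code from the report or from Cisco): rules are kept in order, the first match decides, and a packet matching nothing is blocked. It goes one step beyond the text with a check for rules that an earlier rule makes unreachable, since first-match ordering is where packet-filter policies most often go wrong. The Packet and Rule types, the rule fields and the addresses are assumptions.

```python
"""Screening-router packet filter modelled on steps a-f: rules are stored
in order, the first matching rule decides, and a packet that matches no
rule is blocked (implicit deny)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter examines (IP and TCP/UDP)."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One packet filter rule; a dport of None matches any destination port."""
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Apply the rules in stored order (step c); the first rule that matches
    decides (steps d and e). Returns (action, index of the deciding rule).
    If nothing matches, the packet is blocked (step f) and the index is None."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    matches every packet they match. Under first-match evaluation such a
    rule is dead policy, a common ordering mistake worth auditing for."""
    def covers(earlier: Rule, later: Rule) -> bool:
        return ((earlier.proto == "any" or earlier.proto == later.proto)
                and ip_network(later.src).subnet_of(ip_network(earlier.src))
                and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                and (earlier.dport is None or earlier.dport == later.dport))
    return [j for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]


# Constructed policy for a perimeter with a private network and a DMZ
# (documentation address ranges, not a real deployment).
PRIVATE, DMZ, ANY = "10.1.0.0/16", "192.0.2.0/24", "0.0.0.0/0"
POLICY = [
    Rule("permit", "tcp", ANY, "192.0.2.10/32", dport=80),  # public web server in the DMZ
    Rule("permit", "tcp", ANY, "192.0.2.20/32", dport=25),  # public mail relay in the DMZ
    Rule("deny", "any", ANY, PRIVATE),                      # nothing initiates into the private net
    Rule("permit", "any", PRIVATE, ANY),                    # inside users may go out
]


def demo() -> List[Tuple[str, Optional[int]]]:
    """Run a few constructed packets through POLICY."""
    packets = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 80),  # Internet -> DMZ web: rule 0
        Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 22),  # Internet -> DMZ ssh: implicit deny
        Packet("192.0.2.10", "10.1.5.5", "tcp", 40000, 445),    # DMZ -> private: rule 2
        Packet("10.1.5.5", "203.0.113.5", "tcp", 40000, 443),   # private -> Internet: rule 3
    ]
    return [filter_packet(POLICY, p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
    # A catch-all permit placed first would silence every other rule.
    print(shadowed_rules([Rule("permit", "any", ANY, ANY)] + POLICY))
```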

2. As a Proxy Server:

A proxy server is an application that mediates traffic between a protected network and the Internet. Proxies are often used instead of router-based traffic controls, to prevent traffic from passing directly between networks. Proxy servers are application specific: in order to support a new protocol via a proxy, a proxy must be developed for it. Here there is no direct connection between the local network and the untrusted network. The proxy server transfers an isolated copy of each approved packet from one network to the other network. No information about the local network is available to untrusted networks.

Realization of Firewall

1. Buying an off-the-shelf firewall product:

A commercial firewall product is bought and configured to meet an organization’s security policy. Some products are available for free, others may cost up to $100000.

2. Building a custom firewall:

Organizations that have programming talent and financial resources often prefer to use a ‘roll your own’ approach. This involves building a custom firewall solution to protect the organization’s network. If implemented properly this is the most effective approach.

CHAPTER TWO

CISCO IOS FIREWALL

As network security becomes increasingly critical to securing business transactions, businesses must integrate security into the network design and infrastructure itself. Security policy enforcement is most effective when it is an inherent component of the network.

The Cisco IOS Firewall is a security-specific option for Cisco IOS Software. It integrates robust firewall functionality and intrusion detection for every network perimeter. It adds greater depth and flexibility to existing Cisco IOS security solutions (i.e., authentication, encryption, and failover), by delivering state-of-the-art security features: stateful, application-based filtering; dynamic per-user authentication and authorization; URL Filtering and others. When combined with Cisco IOS IPSec and Cisco IOS Technologies such as L2TP tunneling and Quality of Service (QoS), Cisco IOS Firewall provides a complete, integrated virtual private network (VPN) solution.

Router-Based Firewall Functionality

Cisco IOS Firewall is available on a wide range of Cisco IOS Software releases. It offers sophisticated security and policy enforcement for connections within an organization (intranet) and between partner networks (extranets), as well as for securing Internet connectivity for remote and branch offices. The Cisco IOS Firewall is the best choice for integrating multiprotocol routing with security policy enforcement and enabling managers to configure a Cisco router as a firewall. It scales to allow customers to choose a router platform based on bandwidth, LAN/WAN density, and multiservice requirements; simultaneously, it benefits from advanced security.

Key Benefits

The Cisco IOS Firewall interoperates seamlessly with Cisco IOS Software, providing outstanding value and benefits:

Flexibility—Installed on a Cisco router, Cisco IOS Firewall is an all-in-one, scalable solution that performs multiprotocol routing, perimeter security, intrusion detection, VPN functionality, and per-user authentication and authorization.

Investment protection—Integrating firewall functionality into a multiprotocol router leverages an existing router investment, without the cost and learning curve associated with a new platform.

VPN support—Deploying Cisco IOS Firewall with Cisco IOS encryption and QoS VPN features enables secure, low-cost transmissions over public networks. It ensures that mission-critical application traffic receives high-priority delivery.

Scalable deployment—Cisco IOS Firewall is available for a wide variety of router platforms. It scales to meet the bandwidth and performance requirements of any network.

Easier provisioning—Combining the Cisco IE2100 and the Cisco IOS XML application enables a network administrator to drop ship any Cisco router with little or no pre-configuration to a given destination. The router pulls the most current Cisco IOS Software release, router configuration and its security policy configuration for the Firewall when it is connected to the Internet.

Cisco IOS Firewall is supported on a majority of Cisco router platforms, thus delivering important benefits that include multiservice integration (data/voice/video/dial) and advanced security for dialup connections. On the Cisco 7100, 7200 and 7400 Series Routers, additional benefits include integrated routing and security at the Internet gateway for large enterprises and service provider customer premise equipment (CPE).

Cisco IOS Firewall Highlights

Stateful IOS Firewall inspection engine—Provides internal users with secure, per-application-based access control for all traffic across perimeters, such as perimeters between private enterprise networks and the Internet. Also known as Context-Based Access Control (CBAC).

Intrusion Detection—Inline deep packet inspection service that provides real-time monitoring, interception, and response to network misuse with a broad set of the most common attack and information-gathering intrusion detection signatures. Now supports 102 signatures!

Firewall Voice Traversal—Provided by application-level intelligence of the protocol as to the call flow and associated channels that are opened. Voice protocols that are currently supported are H.323v2 and SIP (Q1CY03).

ICMP Inspection—Allows responses to ICMP packets (i.e., ping and traceroute) originating from inside the Firewall, while still denying other ICMP traffic. Available in Q1 of 2003.

Authentication Proxy—Enables dynamic, per-user authentication and authorization for LAN-based, http and dial-in communications; authenticates users against industry-standard. Support of SSL secured userid and passwords for http (HTTPS) provides greater confidentiality. TACACS+ and RADIUS authentication protocols enable network administrators to set individual, per-user security policies. HTTPS (SSL secured http) will be supported in Q1 of 2003.

Destination URL Policy Management—Several mechanisms that support local caching of previous requests, predetermined static URL permission and denial tables, as well as use of external server databases provided by Websense Inc. and N2H2 Inc. This is better known as URL Filtering. This will be available on all platforms after Q1 of 2003.

Per User Firewalls—Enables Service Providers to provide a managed Firewall solution in the broadband market by downloading unique Firewall, ACLs, and other settings on a per-user basis, using the AAA server profile storage after authentication.

Cisco IOS Router and Firewall Provisioning—Zero (0) touch provisioning of the router, versioning and security policies such as Firewall rules.

Denial of Service Detection and Prevention—Defends and protects router resources against common attacks, checks packet headers, and drops suspicious packets.

Dynamic Port Mapping—Allows Firewall-supported applications on nonstandard ports.

Java Applet Blocking—Defends against unidentified, malicious Java applets.

VPNs, IPSec Encryption, and QoS Support—

o Operates with Cisco IOS Software encryption, tunneling, and QoS features to secure VPNs

o Provides scalable encrypted tunnels on the router while integrating strong perimeter security, advanced bandwidth management, intrusion detection, and service-level validation

o Standards based for interoperability

Real-Time Alerts—Log alerts for denial-of-service attacks or other pre-configured conditions. This is now configurable on a per-application, per-feature basis.

Audit Trail—Details transactions, and records time stamp, source host, destination host, ports, duration and total number of bytes transmitted for detailed reporting. This is now configurable on a per-application, per-feature basis.

Integration with Cisco IOS Software—Interoperates with Cisco IOS Software features, integrating security policy enforcement into the network.

Basic and Advanced Traffic Filtering—

o Standard and extended access control lists (ACLs)—apply access controls to specific network segments and define which traffic passes through a network segment.

o Lock and Key—dynamic ACLs grant temporary access through firewalls upon user identification (username/password).

Policy-Based Multi-Interface Support—Provides ability to control user access by IP address and interface, as determined by the security policy.

Network Address Translation (NAT)—Hides the internal network from the outside for enhanced security.

Time-Based Access Lists—Defines security policy based on the time of day and day of week.

Peer Router Authentication—Ensures that routers receive reliable routing information from trusted sources.

CHAPTER THREE

CISCO IOS FIREWALL FEATURE SET

New Firewall Features and Benefits

New feature: description

Context-based access control (CBAC): provides internal users secure, per-application-based access control for all traffic across perimeters, e.g. between private enterprise networks and the Internet.

Java blocking: protects against unidentified, malicious Java applets.

Denial of Service detection/prevention: defends and protects router resources against common attacks; checks packet headers and drops suspicious packets.

Audit trail: details transactions; records time stamp, source host, destination host, ports, duration and total number of bytes transmitted.

Real-time alerts: logs alerts in case of denial-of-service attacks or other pre-configured conditions.

ConfigMaker support: a Win95/WinNT wizard-based network configuration tool that offers step-by-step guidance through network design, addressing and Firewall feature set implementation.

Previously released Cisco IOS Firewall features are:

Basic and Advanced Traffic Filtering

o Standard and Extended Access Control Lists (ACLs): apply controls over access to specific network segments, and define which traffic passes through a network segment

o Lock and Key—Dynamic ACLs: grant temporary access through firewalls upon user identification (username/password)

Policy-based Multi-interface Support: provides ability to control user access by IP address and interface as determined by the security policy

Network Address Translation (NAT): enhances network privacy by hiding internal addresses from public view; also reduces cost of Internet access by enabling conservation of registered IP addresses

Peer Router Authentication: ensures that routers receive reliable routing information from trusted sources

Event Logging: allows administrators to track potential security breaches or other nonstandard activities on a real-time basis by logging output from system error messages to a console terminal or syslog server, setting severity levels, and recording other parameters

Virtual Private Networks (VPNs): provide secure data transfer over public lines (such as the Internet); reduce implementation and management costs for remote branch offices and extranets; enhance quality of service and reliability; standards-based for interoperability, using any of the following protocols:

o Generic Routing Encapsulation (GRE) Tunneling

o Layer 2 Forwarding (L2F)

o Layer 2 Tunneling Protocol (L2TP): when it becomes available

o Quality of Service (QoS) controls: prioritize applications and allocate network resources to ensure delivery of mission-critical application traffic

Cisco encryption technology: a network-layer encryption capability that prevents eavesdropping or tampering with data across the network during transmission

CHAPTER FOUR

APPLICATION OVERVIEWS

1. Corporate Internet Perimeter

Corporations deploy Cisco IOS Firewall-enabled routers at the perimeter of their networks. The firewall is configured to protect against unauthorized access from the untrusted Internet to the corporation's private network, and to prevent unauthorized access from the internal private network to untrusted sites. As part of their business, many corporations need to administer their own Web, file transfer, mail, and DNS services, and to make those services available over the Internet. Because of the dangers of running servers inside private networks, a Demilitarized Zone (DMZ) network is deployed as part of the corporate network infrastructure to provide a safe, relatively neutral "drop area" for communication between inside and outside systems. A firewall policy is created to deny connections from the untrusted Internet to the private network. Internet users can connect to servers on the DMZ network to access public corporate information and all other services that the corporation wishes to offer to outside users. Outgoing connections from the DMZ network into the private network and the Internet are also prohibited by the firewall policy. This restriction prevents attackers from penetrating the DMZ server and using it as a tool to cause damage to internal services and to attack other public sites.

Authentication, Authorization, and Accounting

With the Cisco IOS Firewall authentication proxy feature, connections can be made based on the security policies configured for each user. A per-user policy is downloaded dynamically to the router from an authentication, authorization, and accounting (AAA) server when the user attempts to make a connection to the Internet, DMZ network, or the internal network. Access will be granted only when the user has the appropriate access privilege based on his or her individual security profile. Besides using the authentication proxy, the administrator of the corporate network can use the accounting capability of the AAA server for security, billing, resource allocation, and management of any users who use the authentication proxy service. See Figure 1 for an illustration of a corporate Internet perimeter deployment scenario.

Figure 1 Corporate Internet Perimeter Deployment Scenario

Destination URL Policy Management

Corporations can also manage resources and avoid productivity drains with Destination URL Policy Management, a key feature of the Cisco IOS Firewall. With Destination URL Policy Management, system administrators of the corporate network decide the allowable URL categories, users that have access to content, as well as when that content can be accessed. The Cisco IOS Firewall-enabled router maintains a local list of URL policies to be managed, granting or denying permission to URL connection requests. For additional policies not available on the router, it forwards HTTP requests for a URL destination to the external policy management server in order to get permission. Currently, Cisco supports two URL Policy Management server implementations, WebSense Inc. and N2H2 Inc.

Event Monitoring and Logging

When suspicious activity is detected on the corporate network, real-time alerts send syslog error messages to the central management console, allowing administrators to track and respond to potential security breaches or other undesirable events in real time.
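The audit-trail records described under the Highlights (time stamp, source and destination host, ports, duration and bytes) arrive at the syslog console as ordinary log lines; this added Python example (not code from the report or from Cisco) pairs the start and stop records of each session and summarises them per source host, which is what an administrator tracking the console would do first. The sample lines are constructed in the style of the IOS firewall audit trail, and their exact wording is an assumption.

```python
"""Parse audit-trail syslog records into per-session records (duration,
bytes) and a per-source-host summary."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample in the style of the IOS firewall audit trail; the exact
# wording of the real messages is an assumption, not taken from the report.
SAMPLE_LOG = """\
*Mar  1 00:12:34.100: %FW-6-SESS_AUDIT_TRAIL: Start tcp session: initiator (10.1.5.5:40001) -- responder (198.51.100.7:80)
*Mar  1 00:12:35.200: %FW-6-SESS_AUDIT_TRAIL: Start tcp session: initiator (10.1.5.5:40002) -- responder (198.51.100.7:443)
*Mar  1 00:12:40.300: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.5.5:40001) sent 612 bytes -- responder (198.51.100.7:80) sent 48210 bytes
*Mar  1 00:12:41.000: %FW-6-SESS_AUDIT_TRAIL: Start udp session: initiator (10.1.5.9:5353) -- responder (192.0.2.53:53)
*Mar  1 00:12:41.500: %FW-6-SESS_AUDIT_TRAIL: Stop udp session: initiator (10.1.5.9:5353) sent 70 bytes -- responder (192.0.2.53:53) sent 0 bytes
*Mar  1 00:12:42.000: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:12:55.900: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.5.5:40002) sent 900 bytes -- responder (198.51.100.7:443) sent 12000 bytes
*Mar  1 00:13:00.000: %FW-6-SESS_AUDIT_TRAIL: Start tcp session: initiator (10.1.5.5:40003) -- responder (203.0.113.9:23)
"""

RECORD = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d+): %FW-6-SESS_AUDIT_TRAIL: "
    r"(?P<event>Start|Stop) (?P<proto>\w+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\)(?: sent (?P<sbytes>\d+) bytes)? -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)(?: sent (?P<dbytes>\d+) bytes)?$"
)


def parse_audit_trail(text: str) -> Tuple[List[dict], Dict[tuple, datetime]]:
    """Pair each Stop record with its Start record by (proto, src, sport, dst, dport).
    Returns the closed sessions and the sessions still open at the end of the log.
    The timestamps carry no year, so durations are only meaningful within one year."""
    open_sessions: Dict[tuple, datetime] = {}
    closed: List[dict] = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue                      # some other syslog message: skip it
        d = m.groupdict()
        key = (d["proto"], d["src"], int(d["sport"]), d["dst"], int(d["dport"]))
        ts = datetime.strptime(d["ts"], "%b %d %H:%M:%S.%f")
        if d["event"] == "Start":
            open_sessions[key] = ts
        elif key in open_sessions:        # a Stop without a Start is ignored
            closed.append({
                "proto": d["proto"], "src": d["src"], "dst": d["dst"],
                "dport": int(d["dport"]),
                "duration": (ts - open_sessions.pop(key)).total_seconds(),
                "bytes": int(d["sbytes"]) + int(d["dbytes"]),
                "responder_bytes": int(d["dbytes"]),
            })
    return closed, open_sessions


def summarise_by_source(closed: List[dict]) -> Dict[str, dict]:
    """Per source host: session count, total bytes, longest session, and the
    number of sessions in which the responder sent nothing at all."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"sessions": 0, "bytes": 0, "max_duration": 0.0, "silent": 0})
    for s in closed:
        row = summary[s["src"]]
        row["sessions"] += 1
        row["bytes"] += s["bytes"]
        row["max_duration"] = max(row["max_duration"], s["duration"])
        if s["responder_bytes"] == 0:
            row["silent"] += 1
    return dict(summary)


if __name__ == "__main__":
    closed, still_open = parse_audit_trail(SAMPLE_LOG)
    for session in closed:
        print(session)
    print("open at end of log:", sorted(still_open))
    print(summarise_by_source(closed))
```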

2. Corporate Intranet

A corporation typically has many departments that are each responsible for different pieces of mission-critical information. Employees working for various organizations within a corporation do not have equal access privileges to all corporate information and services. The corporate intranet deployment scenario offers protection of mission-critical servers such as human resource (HR), enterprise resource planning (ERP), customer relationship management (CRM), and accounting systems against security breaches from within the organization. It also effectively manages internal resources to help increase productivity.

The firewall policy for the corporate intranet is designed to restrict traffic and access to information between various departments within the corporation. Employees are subject to authentication and authorization before they are granted access to servers and services on the corporate network. Destination URL Policy Management also controls access to internal Web sites and Web applications. In addition, suspicious activities are monitored by administrators with real-time alerts and log messages. See Figure 2 for an illustration.

Figure 2 Corporate Intranet Scenario

3. Regional/Branch Office Perimeter

Regional or branch offices can also deploy a Cisco IOS Firewall-enabled router at the perimeter of their network. Data and voice traffic between the regional or branch office and the corporate headquarters is transported via the virtual private network (VPN) connection. A separate, direct connection to the Internet from the regional or branch location is also available for access to public servers and information available on the Web.

With this firewall deployment scenario, the firewall policy created for the corporate Internet perimeter deployment scenario works in conjunction with the firewall policy at the regional or branch office perimeter. No connections are permitted from the untrusted Internet to the regional or branch office network; instead, Internet users connect to servers on the corporate DMZ network to access public corporate information. The DMZ network provides all the services that the corporation wishes to offer to outside users.

To better manage individual access from the regional office location to the Internet and internal resources, AAA and URL Policy Management servers are deployed at the regional location. Access to services and resources will be granted to employees only when they have the appropriate access privilege based on their individual security profiles. A syslog server is also made available for the regional office administrator to track and respond to potential attacks and nonstandard activities. For smaller branch office locations without system administration resources, centralized firewall policy management can be provided remotely by the resources on the main corporate network.

Figure 3 Regional/Branch Office Perimeter

4. Telecommuter/Home Office

Corporate telecommuters and home office workers similarly maintain a LAN network in the home with several computers connected to it (Figure 4). Both worker types subscribe to an ISP service that provides connectivity to the Internet. The home office worker, typically an independent contractor or an individual who runs a business out of a home, is always connected to an ISP. The home office worker relies on the ISP for services such as Web hosting, domain service, e-mail, and DNS. In a slightly different scenario, the telecommuter network is an extension of the corporate network. A telecommuter's access to work resources and shared information is subject to the corporate firewall security profile created for the individual. Similar to the branch office deployment scenario, a telecommuter is connected to the corporate network via a VPN tunnel for data and voice communication. The telecommuter can also directly access the Internet via an ISP. Business resources for the telecommuter such as e-mail, confidential information, server access, and more, reside on the corporate network.

Because business resources reside on a network external to home, the telecommuter and home office worker need not accept any incoming connections from the Internet to the home office LAN. The Cisco IOS Firewall enabled router at the perimeter of a telecommuter/home office permits only outgoing connections. The computers on the home LAN can connect to the Internet via the ISP network, but the firewall policy does not allow outside initiated sessions to the private LAN. The work-at-home individual can view Web pages, send e-mail, pick up incoming e-mail from a corporate network or ISP, retrieve software via FTP, connect remotely using Telnet, and join in multimedia conferences, all without exposing any services on his or her own LAN network.
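The "outgoing connections only" policy just described is what the stateful inspection engine (CBAC, in the Highlights) provides: a session opened from the home LAN creates a temporary entry that admits only that session's replies, and anything the Internet initiates is dropped. The following Python simulation is an added example, not code from the report or from Cisco; the addresses, timings, idle timeout and the SYN check are assumptions.

```python
"""Stateful inspection in the style of CBAC: a session initiated from inside
opens a temporary entry that admits only that session's reply traffic;
anything initiated from outside is dropped and logged."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP connection attempt (SYN without ACK)


class StatefulInspector:
    def __init__(self, inside_net: str, idle_timeout: float = 3600.0):
        self.inside = ip_network(inside_net)
        self.idle_timeout = idle_timeout
        self.sessions: Dict[Key, float] = {}   # initiator 5-tuple -> last seen
        self.events: List[tuple] = []           # audit trail and alerts

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> Key:
        # The initiator's 5-tuple, as seen from the reply direction.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        # Close the return path of sessions idle for longer than the timeout.
        for key in [k for k, t in self.sessions.items() if now - t > self.idle_timeout]:
            del self.sessions[key]
            self.events.append(("timeout", key))

    def process(self, p: Packet, now: float) -> str:
        """Return "permit" or "deny" for one packet seen at time `now`."""
        self._expire(now)
        key, reply = self._key(p), self._reply_key(p)
        if key in self.sessions:                # more traffic from the initiator
            self.sessions[key] = now
            return "permit"
        if reply in self.sessions:              # reply belonging to a tracked session
            self.sessions[reply] = now
            return "permit"
        if p.proto == "tcp" and not p.syn:
            # Mid-stream TCP segment with no session behind it: header check fails.
            self.events.append(("alert", "tcp segment without session", key))
            return "deny"
        if ip_address(p.src) in self.inside and ip_address(p.dst) not in self.inside:
            self.sessions[key] = now            # new outbound session: open the return path
            self.events.append(("session-start", key))
            return "permit"
        self.events.append(("alert", "outside-initiated session denied", key))
        return "deny"


def telecommuter_scenario() -> Tuple[List[str], List[str]]:
    """Home LAN 192.168.1.0/24 behind the inspector (constructed addresses and
    timings). Returns the per-packet verdicts and the kinds of events logged."""
    fw = StatefulInspector("192.168.1.0/24", idle_timeout=300)
    steps = [
        # 1. a home PC opens an HTTP connection to a web server on the Internet
        (Packet("192.168.1.10", "198.51.100.7", "tcp", 51000, 80, syn=True), 0),
        # 2. the server's reply matches the tracked session and is let back in
        (Packet("198.51.100.7", "192.168.1.10", "tcp", 80, 51000), 1),
        # 3. an unsolicited connection attempt from the Internet to a LAN host
        (Packet("203.0.113.9", "192.168.1.10", "tcp", 4444, 445, syn=True), 2),
        # 4. a stray ACK aimed at the LAN with no session behind it
        (Packet("203.0.113.9", "192.168.1.10", "tcp", 4444, 445), 3),
        # 5. a late "reply" after the session idled out: the opening is gone
        (Packet("198.51.100.7", "192.168.1.10", "tcp", 80, 51000), 400),
    ]
    verdicts = [fw.process(pkt, now) for pkt, now in steps]
    return verdicts, [e[0] for e in fw.events]


if __name__ == "__main__":
    print(telecommuter_scenario())
```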

Authentication proxy service and URL Policy Management with the Cisco IOS Firewall are not necessary for a telecommuter or home office. Once again, the telecommuter, when on the corporate network, is subject to the firewall policy created for the individual. A syslog server can be deployed if the work-at-home individual is willing to act as the system administrator and be notified immediately when there is a potential intrusion of the private network.

Figure 4 Telecommuter/Home Office Scenario

5. Corporate Extranet

As corporations establish tighter relationships with their business partners, the need to share resources among companies increases. Sometimes, access to the partner's internal networks is necessary to improve productivity and efficiency. A Cisco IOS Firewall deployed at the perimeter of the corporate network and partner network can help to restrict confidential information access to the few privileged individuals.

With authentication proxy, a user entering the corporate network and the partner network from the expected source network is authenticated before access is granted. A security policy for the individual is dynamically downloaded from the AAA server, allowing the user only the services permitted by the security profile. Syslog servers are maintained at both ends of the network to track alarming activities. (See Figure 5.)

Figure 5 Corporate extranet

CHAPTER FIVE

CISCO FIREWALL FAMILY

The Cisco PIX Firewall and Cisco IOS Firewall

The Cisco PIX Firewall is the world’s leading dedicated firewall appliance. It has received the highest level of security certification granted to any firewall product. The Cisco PIX Firewall is a turnkey appliance with unmatched performance and unparalleled features. Integration of third-party content solutions, such as NetPartner’s WebSENSE URL management software, further enhances the industry-leading capabilities of the Cisco PIX Firewall. For IP-based network security, the Cisco PIX Firewall is the clear choice for those requiring dedicated firewall appliances. When combined with IP Security (IPsec), Cisco PIX Firewall provides an integrated virtual private network (VPN) solution.

The Cisco IOS Firewall integrates robust firewall and intrusion detection technology into the Cisco IOS Software. The Cisco IOS Firewall enhances existing Cisco IOS Software by including stateful, application-based filtering, dynamic per-user authentication and authorization, and real-time alerts. When combined with Cisco IOS IPsec software, the Cisco IOS Firewall provides an integrated VPN solution.

Available with a wide range of Cisco routers, the Cisco IOS Firewall is the best choice for integrating multiprotocol routing with security policy enforcement.

The figure below shows an application that employs both types of firewall.

Leading-Edge Capabilities of Cisco PIX Firewalls and Cisco IOS Firewalls

Both the Cisco PIX Firewall Series and the Cisco IOS Firewall incorporate leading-edge firewall technology. Table 1 outlines advanced features common to both firewalls.

Although both firewalls provide excellent security solutions, each excels in different environments and at sites with distinct requirements. Table 2 describes when to choose the Cisco PIX Firewall and Table 3 describes when to choose the Cisco IOS Firewall. In many instances, the best security solution is a combination of both.

SUMMARY

The Cisco IOS Firewall offers integrated network security through Cisco IOS software. A robust security policy entails more than perimeter control or firewall setup and management—security policy enforcement must be an inherent component of the network. Cisco IOS Software, with many advanced security features such as a firewall, firewall-IDS, IPSec/VPN, and quality of service (QoS), is an ideal vehicle for implementing a global security policy. Building an end-to-end Cisco solution allows managers to enforce security policies throughout the network as they grow.

ACKNOWLEDGMENT

I express my sincere gratitude to Prof. M.N Agnisarman Namboothiri (Head of Department, Information Technology) and Mr. Zaheer P.C, Ms. Deepa (Staff in charge) for their kind cooperation for the seminar presentation.

I am also grateful to all other faculty members of Information Technology Department and my colleagues for their guidance and encouragement.

ABSTRACT

The Cisco IOS (Internet Operating System) Firewall is a commercial firewall product that comes as a security specific option with the Cisco IOS Software. Unlike other firewalls, a dedicated appliance is not needed for this firewall; it can be installed on the router itself. Since most of the routers in the Web employ Cisco IOS software for security purposes (such as authentication, encryption etc.), addition of the Cisco IOS Firewall to the set yields better results.

It integrates robust firewall functionality and intrusion detection for every network perimeter and enriches existing Cisco IOS security capabilities. It adds greater depth and flexibility to existing Cisco IOS security solutions—such as authentication, encryption, and failover—by delivering state-of-the-art security features such as stateful, application-based filtering; dynamic per-user authentication and authorization; defense against network attacks; Java blocking; and real-time alerts.

CONTENTS

I. Introduction 01

II. Firewall Basics 02
    Definition of Firewall
    Design and Implementation Issues
    Realization of Firewall

III. Cisco IOS Firewall 05
    Router-based Firewall Functionality
    Key Benefits
    Highlights

IV. Feature Set 11
    New Firewall Features
    Previously Released Features

V. Application Overviews 14
    Corporate Internet Perimeter
    Corporate Intranet
    Regional/Branch Office Perimeter
    Telecommuter/Home Office
    Corporate Extranet

VI. Cisco Firewall Family 24
    Cisco PIX Firewall
    Comparisons between PIX and IOS

VII. Summary 28

VIII. References 29