
Lesson 2a

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—2-1

Firewall Technologies and the Cisco Security Appliance


Firewall



What Is a Firewall?

A firewall is a system or group of systems that manages access between two or more networks.

[Diagram: the firewall sits between the Outside Network (Internet), the DMZ Network, and the Inside Network]


Firewall Technologies

Firewall operations are based on one of three technologies:
• Packet filtering
• Proxy server
• Stateful packet filtering


Packet Filtering

Limits the information allowed into a network based only on the destination and source addresses of each packet

[Diagram: a packet filter between the Internet, the DMZ (Server B) and the Inside network (Server C, Host A); a packet from A to B is permitted (AB-Yes) and a packet from A to C is denied (AC-No)]


Proxy Server

Requests connections to the Internet on behalf of a client that is inside the firewall

[Diagram: a Proxy Server between the Inside Network and the Outside Network (Internet)]


Stateful Packet Filtering

[Diagram: HTTP data from Host A to Server B crosses the firewall between the Internet, the DMZ (Server B) and the Inside network (Server C, Host A); the firewall records each connection in its state table]

State Table
Source address   Destination address   Source port   Destination port   Initial sequence #   Ack   Flag
172.16.0.50      10.0.0.11             1026          80                 49091                      Syn
172.16.0.50      192.168.0.20          1026          80                 49769                      Syn

Limits the information allowed into a network based not only on the destination and source addresses, but also on the connection state recorded for the packet in the state table


Security Appliance Overview


Security Appliances: What Are They?

Cisco security appliances deliver enterprise-class security for small-to-medium-sized business and enterprise networks in a modular, purpose-built appliance. Some features of Cisco security appliances are:
• Proprietary operating system
• Stateful packet inspection
• User-based authentication
• Protocol and application inspection
• Modular policy
• Virtual private networking
• Security contexts (virtual firewalls)
• Stateful failover capabilities
• Transparent firewalls
• Web-based management solutions


Proprietary Operating System

Eliminates the risks associated with general-purpose operating systems


Stateful Packet Inspection

• The stateful packet inspection algorithm provides stateful connection security:
  – It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags.
  – It randomizes the initial TCP sequence number of each new connection.

• By default, the stateful packet inspection algorithm allows connections originating from hosts on inside (higher security level) interfaces.

• By default, the stateful packet inspection algorithm drops connection attempts originating from hosts on outside (lower security level) interfaces.

• The stateful packet inspection algorithm supports authentication, authorization, and accounting.
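The state table from the Stateful Packet Filtering slide and the default inside-to-outside policy above, worked as an added Python example (this is illustrative code written for this transcript, not Cisco's algorithm). The security-level numbers (inside=100, dmz=50, outside=0), the egress interface on each packet, and the ISN-plus-one check on return traffic are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Interface security levels are an assumption of this example (inside=100,
# dmz=50, outside=0); the lesson only says "higher" and "lower".
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str                  # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0
    in_iface: str = "inside"    # interface the packet arrived on
    out_iface: str = "outside"  # interface it would leave on (routing assumed)

Key = Tuple[str, str, int, int]   # (src, dst, sport, dport) of the initiator

class StatefulFilter:
    """State table keyed by the initiator's address/port tuple, as on the slide."""

    def __init__(self) -> None:
        self.table: Dict[Key, dict] = {}

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if fwd in self.table:
            return "permit"                 # more traffic from the initiator
        if rev in self.table:
            entry = self.table[rev]
            # return traffic must acknowledge the recorded initial sequence #
            if "ACK" in p.flags and p.ack == entry["seq"] + 1:
                entry["state"] = "established"
                return "permit"
            return "drop-bad-ack"
        if p.flags != "SYN":
            return "drop-no-state"          # e.g. an unsolicited ACK packet
        # new connection: by default only from a higher to a lower security level
        if SECURITY_LEVEL[p.in_iface] <= SECURITY_LEVEL[p.out_iface]:
            return "drop-lower-to-higher"
        # ISN randomisation (which the appliance also performs) is omitted here
        self.table[fwd] = {"seq": p.seq, "flag": p.flags, "state": "syn-sent"}
        return "permit-new"
```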


Cut-Through Proxy Operation

[Diagram: an internal or external user, the security appliance, a CiscoSecure AAA server, and the ISP; the login dialog shown reads "Username and Password Required. Enter username for CCO at www.com. User Name: / Password: / OK / Cancel"]

1. The user makes a request to an ISP.
2. The security appliance intercepts the connection.
3. At the application layer, the security appliance prompts the user for a username and password. It then authenticates the user against a RADIUS or TACACS+ server and checks the security policy.
4. The security appliance initiates a connection from the security appliance to the destination ISP.
5. The security appliance directly connects the internal or external user to the ISP via the security appliance. Communication then takes place at a lower level of the OSI model.


Application-Aware Inspection

• Protocols such as FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall.

• The security appliance inspects packets above the network layer.

• The security appliance securely opens and closes negotiated ports for legitimate client-server connections through the firewall.

[Diagram: active-mode FTP through the security appliance. The client's control connection (client port 2008 to server port 21) carries "Data - Port 2010" from the client and "Port 2010 OK" from the server; the appliance then opens the negotiated data connection from server port 20 to client port 2010 and the data flows through it]
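The negotiation in the FTP diagram above, worked as an added Python example of application-aware inspection (illustrative code written for this transcript, not the security appliance's implementation). It parses the client's PORT command on the control channel, computes the negotiated data port, and opens a one-shot pinhole for the server's data connection from port 20; the client and server addresses are constructed, and the checks on the advertised address and port range are assumptions of the example.

```python
import re
from typing import Set, Tuple

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

Pinhole = Tuple[str, int, str, int]   # (server, server port, client, client port)

class FtpInspector:
    """Watches the FTP control channel and opens one-shot data-port pinholes."""

    def __init__(self) -> None:
        self.pinholes: Set[Pinhole] = set()

    def inspect_control(self, client: str, server: str, line: str) -> str:
        """Examine one client-to-server line on the control connection (port 21)."""
        m = PORT_RE.match(line.strip())
        if not m:
            return "pass"                  # not a PORT command; forward as is
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        addr = f"{h1}.{h2}.{h3}.{h4}"
        port = p1 * 256 + p2
        # Only accept a data port on the client itself and in the unprivileged
        # range; anything else is not a legitimate negotiation for this session.
        if addr != client or not 1024 <= port <= 65535:
            return "reject"
        self.pinholes.add((server, 20, client, port))   # server data port is 20
        return f"pinhole:{port}"

    def check_data(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Permit an inbound data connection only if a matching pinhole is open."""
        hole = (src, sport, dst, dport)
        if hole in self.pinholes:
            self.pinholes.remove(hole)     # close the negotiated port after use
            return True
        return False
```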


Modular Policy

[Diagram: Headquarters (System Engineer) connected over a T1 and the Internet to Site B (Executives) and Site C, with the flows labelled SE, exec and S2S]

Construction of flow-based policies:
• Identify specific flows.
• Apply services to that flow.

Class Map (traffic flow): Default, Internet, System Engineer, Executives, Site to Site
Policy Map (services): Inspect, IPS, Police, Priority
Service Policy (interface/global): Global, Outside


Virtual Private Network

[Diagram: a site-to-site IPSec VPN between two bank offices and a remote-access SSL VPN, both across the Internet]


Security Context (Virtual Firewall)

[Diagram: four physical firewalls, each connected to the Internet, compared with one physical firewall hosting four virtual firewalls]

• Ability to create multiple security contexts (virtual firewalls) within a single security appliance


Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover

• Failover protects the network should the primary go offline.
  – Active/Standby: only one unit can be actively processing traffic; the other is a hot standby.
  – Active/Active: both units can process traffic and serve as backup units.

• Stateful failover maintains operating state during failover.

[Diagram: Active/Standby failover, with the primary firewall failed and the secondary active; Active/Active failover, with contexts 1 and 2 distributed across both units, the primary failed/standby and the secondary active]


Transparent Firewall

• Has the ability to deploy a security appliance in a secure bridging mode

• Provides rich Layers 2 through 7 security services as a Layer 2 device

[Diagram: a transparent (bridging) firewall toward the Internet, with hosts 192.168.1.2 and 192.168.1.5 on the same IP subnet on either side of the appliance]


Web-Based Management Solutions

Adaptive Security Device Manager


Summary

• There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering.

• Features of the Cisco PIX Firewall Security Appliances and ASA Security Appliances include the following: proprietary operating system, stateful packet inspection, cut-through proxy, stateful failover, modular policy, VPNs, transparent firewall, security contexts, web-based management, and stateful packet filtering.
