Quản trị mạng - Chapter 4: Implementing firewall technologies
Zone-Based Policy Firewall (ZPF) , introduced in 2006, is
the state of the art in modern firewalling.
• ZPF operation centers around the creation of zones
associated with various security levels.
• Implementing ZPF with CLI is much more structured and
easier to understand than CBAC . ZPF utilizes class maps
and policy maps enabled by C3PL.
• An SDM wizard for ZPF is avaiable.
• Either CLI or SDM can be used to verify and troubleshoot
ZPF
132 trang |
Chia sẻ: nguyenlam99 | Lượt xem: 950 | Lượt tải: 0
Bạn đang xem trước 20 trang tài liệu Quản trị mạng - Chapter 4: Implementing firewall technologies, để xem tài liệu hoàn chỉnh bạn click vào nút DOWNLOAD ở trên
Chapter 4 - Implementing Firewall
Technologies
CCNA Security
Objectives
• Describe numbered and named, standard and extended IP
ACLs.
• Configure IP ACLs with IOS CLI and CCP.
• Describe TCP established ACL functionality.
• Describe and configure reflexive ACLs.
• Describe and configure dynamic ACLs.
• Describe and configure time-based ACLs.
• Describe attack mitigation with ACLs.
• Describe the major types of firewalls.
• Describe and configure CBAC (IOS Staful Packet Inspection)
with CLI.
• Describe and configure Zone-Based Policy Firewall with CLI and
CCP
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
ACL Topology and Types
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
ACL Topology and Types
• Refer to 4.1.1.1
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Standard Numbered IP ACLs
• The first value specifies the ACL number
• The second value specifies whether to permit or deny the configured
source IP address traffic
Router(config)# access-list {1-99} {permit | deny}
source-addr [source-mask]
• The third value is the source IP address that must be matched
• The fourth value is the wildcard mask to be applied to the previously
configured IP address to indicate the range
• All ACLs assume an implicit deny statement at the end of the ACL
• At least one permit statement should be included or all traffic will be
dropped once that ACL is applied to an interface
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Extended Numbered IP ACLs
• The first value specifies the ACL number
• The second value specifies whether to permit or deny accordingly
Router(config)# access-list {100-199} {permit | deny}
protocol source-addr [source-mask] [operator operand]
destination-addr [destination-mask] [operator operand]
[established]
• The third value indicates protocol type
• The source IP address and wildcard mask determine where traffic
originates. The destination IP address and wildcard mask are used to
indicate the final destination of the network traffic
• The command to apply the standard or extended numbered ACL:
Router(config-if)# ip access-group number {in | out}
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Extended Numbered IP ACLs
Router(config)# access-list {100-199} {permit | deny}
protocol source-addr [source-mask] [operator operand]
destination-addr [destination-mask] [operator operand]
[established]
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
???
Named IP ACLs
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Refer to 4.1.1.3
Named IP ACLs
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Apply ACL to the virtual access
• An ACL can also be used to permit or deny specific IP addresses from
gaining virtual access.
• Standard ACLs allow restrictions to be enforced on the originator
source IP address or IP address range.
• An extended ACL does the same but can also enforce the access
protocol such as port 23 (Telnet) or port 22 (SSH). The access-class
extended ACL only supports the any (???) keyword as the destination.
• The access list must be applied to the vty port.
• Router(config-line)# access-class {access-list-name |
access-list-number} {in | out}
• Or http line
• Router(config)# ip http access-class {access-list-name
| access-list-number}
The log Parameter
• R1(config) # access-list 101 permit tcp 192.168.1.0 0.0.0.255
192.168.2.0 0.0.0.255 eq 22 log
*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-
IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet
*May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-
IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets
There are several pieces of information logged:
• The action—permit or deny
• The protocol—TCP, UDP, or ICMP
• The source and destination addresses
• For TCP and UDP—the source and destination port numbers
• For ICMP—the message types
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
ACL Configuration Guidelines
1. ACLs are created globally and then applied to
interfaces
2. ACLs filter traffic going through the router, or
traffic to and from the router, depending on how it
is applied
3. Only one ACL per interface, per protocol, per
direction
4. Standard or extended indicates the information
that is used to filter packets
5. ACLs are process top-down. The most specific
statements must go at the top of the list
6. All ACLs have an implicit “deny all” statement at
the end, therefore every list must have at least
one permit statement to allow any traffic to pass
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Using Standard IP ACLs
• Use a standard ACL to block all traffic from 172.16.4.0/24 network, but
allow all other traffic.
r1(config)# access-list 1 deny
172.16.4.0 0.0.0.255
r1(config)# access-list 1 permit any
r1(config)# interface ethernet 0
r1(config-if)# ip access-group 1 out
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Using Extended IP ACLs
• Use an extended ACL to block all FTP traffic from 172.16.4.0/24
network, but allow all other traffic.
access-list 101 deny tcp 172.16.4.0 0.0.0.255
172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255
172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Other CLI Commands
• To ensure that only traffic from a subnet is blocked
and all other traffic is allowed:
access-list 1 permit any
• To place an ACL on the inbound E1 interface:
interface ethernet 1
ip access-group 101 in
• To check the intended effect of an ACL:
show ip access-list
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Other CLI Commands
Refer to 4.1.2.3
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Other CLI Commands
Refer to 4.1.2.4
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Flow for Access Control Lists
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Flow for Access Control Lists
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Standard ACL placement
Refer to 4.1.3.2
Standard ACLs should be placed as close to the destination as possible.
Standard ACLs filter packets based on the source address only. If placed
too close to the source, it can deny all traffic, including valid traffic.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Extended ACL placement
Extended ACLs should be placed on routers as close as possible to the
source that is being filtered. If placed too far from the source being
filtered, there is inefficient use of network resources.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Using Nmap for Planning
PC-A$ nmap --system-dns 192.168.20.0/24
Interesting ports on webserver.branch1.com (192.168.20.2):
(The 1669 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
110 open pop3
Refer to 4.1.3.3
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Flow for Access Control Lists
Refer to 4.1.3.4
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
R1#terminal monitor // Copy debug output to the current terminal line
R1#terminal no monitor // Disable monitor
Configuring Standard and Extended ACLs with CCP
Configure > Router > ACL
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Refer to 4.1.4.1
Configuring Access Rules
• Choose Configure > Router > ACL > ACL Summary
Rule types:
• Access Rules
• NAT Rules
• Ipsec Rules
• NAC Rules
• Firewall Rules
• QoS Rules
• Unsupported Rules
• Externally Defined Rules
• Cisco CP Default Rules
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring Standard Rules Using SDM
1. Choose Configure > Router > ACL > ACL Editor
2. Click Add
3. Enter a name or number
4. Choose Standard Rule
Optionally, enter a description
6. Choose Permit or Deny
7. Choose an address type
5. Click Add 8. Complete this field based
on the choice made in #7
9. (Option) Enter an optional description
10. (Optional) Check the Log matches against this entry
11. Click OK
12. Continue adding or editing rules
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Applying a Rule to an Interface
2. Choose the interface
1. Click Associate
3. Choose a direction
4. An information box with options
appears if a rule is already
associated with that interface,
that direction.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
The Deliver Configuration
• Click the check box next to Save running config. to
device's startup config. Then click the Deliver button.
Viewing Commands
R1# show running-config
!
hostname R1
enable secret 5
$1$MJD8$.1LWYcJ6iUi133Yg7vGHG/
crypto pki trustpoint TP-self-signed-
1789018390
enrollment selfsigned
subject-name cn=IOS-Self-Signed-
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip access-group Outbound in
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
clock rate 128000
!
no ip http server
ip http secure-server
Certificate-1789018390
revocation-check none
rsakeypair TP-self-signed-1789018390
!
crypto pki certificate chain TP-self-
signed-1789018390
certificate self-signed 01
3082023A 308201A3 A0030201 02020101
300D0609 2A864886 F70D0101
04050030
1BF29620 A084B701 5B92483D D934BE31
ECB7AB56 8FFDEA93 E2061F33 8356
quit
!
ip access-list standard Outbound
remark SDM_ACL Category=1
permit 192.168.1.3
!
access-list 100 remark SDM_ACL
Category=16
access-list 100 deny tcp any host
192.168.1.3 eq telnet log
access-list 100 permit ip any any
!
!
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Types of ACLs
• Standard IP ACLs
• Extended IP ACLs
• Extended IP ACLs using TCP established
• Reflexive IP ACLs
• Dynamic ACLs
• Time-Based ACLs
• Context-based Access Control (CBAC) ACLs
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring TCP Estblished and Reflexive ACLs
The established keyword:
• Forces a check by the routers to see if the ACK or RST TCP control
Router(config)# access-list access-list-number
{permit | deny} protocol source source-wildcard
[operator port] destination destination-wildcard
[operator port] [established]
flags are set. If the ACK flag is set, the TCP traffic is allowed in. If not, it
is assumed that the traffic is associated with a new connection initiated
from the outside.
• Does not implement a stateful firewall on a router
• Hackers can take advantage of the open hole by using a packet
generator or scanner, such as Nmap, to sneak TCP packets into a
network by masquerading them as returning traffic.
• Option does not apply to UDP or ICMP traffic
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring TCP Estblished and Reflexive ACLs
Example Using TCP Established
access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255
established
access-list 100 permit tcp any 192.168.1.3 eq 22
access-list 100 deny ip any any
interface s0/0/0 ip access-group 100 in
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Reflexive ACLs
• Provide a truer form of
session filtering
• Much harder to spoof
• Allow an administrator
to perform actual
session filtering for any
type of IP traffic
• Work by using
temporary access
control entries (ACEs)
• Using extended named
IP access-list only
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring a Router to Use Reflexive ACLs
1. Create an internal
ACL that looks for new
outbound sessions
and creates temporary
reflexive ACEs
2. Create an external
ACL that uses the
reflexive ACLs to
examine return traffic
3. Activate the named
ACLs on the
appropriate interfaces
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring a Router to Use Reflexive ACLs
• Router(config)# ip access-list extended
internal_ACL_name
• Router(config-ext-nacl)# permit protocol source-addr
[source-mask] [operator operand] destination-addr
[destination-mask] [operator operand] [established] reflect
reflexive_ACL_name [timeout seconds]
• Example:
• R1(config)# ip access-list extended internal_ACL
• R1(config-ext-nacl)# permit tcp any any eq 80 reflect web-
only-reflexive-ACL
• R1(config-ext-nacl)# permit udp any any eq 53 reflect dns-
only-reflexive-ACL timeout 10
Configuring a Router to Use Reflexive ACLs
• Router(config)# ip access-list extended external_ACL_name
• Router(config-ext-nacl)# evaluate reflexive_ACL_name
• Example:
• R1(config)# ip access-list extended external_ACL
• R1(config-ext-nacl)# evaluate web-only-reflexive-ACL
• R1(config-ext-nacl)# evaluate dns-only-reflexive-ACL
• R1(config-ext-nacl)# deny ip any any
• R1(config)# interface s0/0/0
• R1(config-if)# description connection to the ISP.
• R1(config-if)# ip access-group internal_ACL out
• R1(config-if)# ip access-group external_ACL in
Setting a Global Timeout Value
• The default value is 300s
Example: Reflexive ACLs
Học viện mạng Bach Khoa - Website: www.bkacad.com 40
Configuring Dynamic ACLs
• Available for IP traffic only
• Dependent on Telnet connectivity, authentication, and extended
ACLs
• Security benefits include:
1. Use of a challenge mechanism to authenticate users
2. Simplified management in large internetworks
3. Reduction of the amount of router processing that is
required for ACLs
4. Reduction of the opportunity for network break-ins by
network hackers
5. Creation of dynamic user access through a firewall
without compromising other configured security
restrictions
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Implementing a Dynamic ACL
The router
authenticates the
connection
Dynamic ACL entry
added that grants
Remote user opens a Telnet or
SSH connection to the router.
The router prompts the user for
a username and password
user access
User can access the
internal resources
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Setting up a Dynamic ACL
Router(config)# access-list ACL_# dynamic dynamic_ACL_name [timeout
minutes] {deny | permit} IP_protocol source_IP_address src_wildcard_mask
destination_IP_address dst_wildcard_mask [established] [log]
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Setting up a Dynamic ACL
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Example: Dynamic ACLs
Học viện mạng Bach Khoa - Website: www.bkacad.com 45
Configuring Time-Based ACLs
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring Time-Based ACLs
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Example Configuration
Internet
Perimeter(config)# time-range employee-time
Perimeter(config-time)# periodic weekdays 12:00 to 13:00
Perimeter(config-time)# periodic weekdays 17:00 to 19:00
Perimeter(config-time)# exit
Perimeter(config)# access-list 100 permit tcp any host
200.1.1.11 eq 25
Perimeter(config)# access-list 100 permit tcp any eq 25
host 200.1.1.11 established
Perimeter(config)# access-list 100 permit udp any host
200.1.1.12 eq 53
Perimeter(config)# access-list 100 permit udp any eq 53
host 200.1.1.12
Perimeter(config)# access-list 100 permit tcp any
200.1.1.0 0.0.0.255 established time-range employee-
192.168.1.0/24
Serial 0/0/0
I can’t surf the
web at 10:00
A.M. because
of the time-
based ACL!
10.1.1.1
R1
time
Perimeter(config)# access-list 100 deny ip any any
Perimeter(config)# interface ethernet 1
Perimeter(config-if)# ip access-group 100 in
Perimeter(config-if)# exit
Perimeter(config)# access-list 101 permit tcp host
200.1.1.11 eq 25 any
Perimeter(config)# access-list 101 permit tcp host
200.1.1.11 any eq 25
Perimeter(config)# access-list 101 permit udp host
200.1.1.12 eq 53 any
Perimeter(config)# access-list 101 permit udp host
200.1.1.12 any eq 53
Perimeter(config)# access-list 101 permit tcp 200.1.1.0
0.0.0.255 any time-range employee-time
Perimeter(config)# access-list 100 deny ip any any
Perimeter(config)# interface ethernet 1
Perimeter(config-if)# ip access-group 101 out
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Troubleshooting Complex ACL Implementation
Router# show access-lists [access-list-number |
access-list-name]
Router# debug ip packet [access-list-number]
[detail]
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Troubleshooting Complex ACL Implementation
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Troubleshooting Complex ACL Implementation
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Mitigating Attacks with ACLs
1. Mitigate IP address spoofing—inbound/outbound
2. Mitigate Denial of service (DoS) TCP
synchronizes (SYN) attacks—blocking external
attacks
3. Mitigate DoS TCP SYN attacks—using TCP
intercept
4. Mitigate DoS smurf attacks
5. Filter Internet Control Message Protocol (ICMP)
messages—inbound
6. Filter ICMP messages—outbound
7. Filter traceroute
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Mitigating Attacks with ACLs
• Inbound
R1(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)#access-list 150 deny ip host 255.255.255.255 any
Outbound
R1(config)#access-list 105 permit ip 192.168.1.0 0.0.0.255 any
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Allowing Common Services
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Controlling ICMP Messages
Refer to 4.1.9.4
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Mitigating Attacks with ACLs
IPv6 ACLs
Refer to 4.1.10
• IPv4 was designed without a number of modern-day network requirements
such as:
– Security - IPsec
– Device roaming - Mobile IP
– Quality of service - RSVP
– Address scarcity - DHCP, NAT, CIDR, VLSM
IPv6 ACLs
• Router(config-if)# ipv6 traffic-filter access-list-name {in | out}
IPv6 ACLs
Using Object Groups in ACEs
Refer to 4.1.11
• In large networks, ACLs can be large (hundreds of lines) and difficult to
configure and manage, especially if the ACLs frequently change.
• Object group-based ACLs are smaller, more readable, and easier to
configure and manage than conventional ACLs.
Using Object Groups in ACEs
Using Object Groups in ACEs
• Network Object Groups
• A network object group is a group of any of the following objects:
– Hostnames, IP addresses, or subnets
– Ranges of IP addresses
– Existing network object groups
• To create a network group, enter the following commands:
• Router(config)# object-group network
nw_grp_id
• Router(config-network-group)# description
description-text | host {host-address |
host-name} | network-address {/prefix-
length | network-mask} | range host-
address1 host-address2 | any | group-object
nested-object-group-name
Using Object Groups in ACEs
• Service Object Groups
• A service object group is a group of any of the following objects:
– Top-level protocols (such as TCP, UDP, or ESP)
– Source and destination protocol ports (such as Telnet or SNMP)
– ICMP types (such as echo, echo-reply, or host-unreachable)
– Existing service object groups
• To create a service group, enter the following commands:
• Router(config)# object-group service
svc_grp_id
• Router(config-service-group)# protocol |
[tcp | udp | tcp-udp [source {{[eq]| lt |
gt} port1 | range port1 port2}] [{[eq]| lt
| gt} port1 | range port1 port2]] | icmp
icmp-type
Using Object Groups in ACEs
Using Object Groups in ACEs
Refer to 4.1.11.4
Securing Networks withs Firewall
• A firewall is a system that
enforces an access control
policy between network
• Common properties of
firewalls:
1. The firewall is resistant to
attacks
2. The firewall is the only
transit point between
networks
3. The firewall enforces the
access control policy
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Benefits of Firewalls
• Firewalls prevent malicious data
from being sent to servers and
clients.
• Properly configured firewalls make
security policy enforcement
simple, scalable, and robust.
• A firewall reduces the complexity
of security management by
Refer: 4.2.1.2
• Prevents exposing sensitive hosts
and applications to untrusted users
• Prevent the exploitation of protocol
flaws by sanitizing the protocol flow
offloading most of the network
access control to a couple of
points in the network.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Benefits of Firewalls
Refer: 4.2.1.2
Limitations of Firewalls
• If misconfigured, a firewall can have serious
consequences (single point of failure).
• The data from many applications cannot be
passed over firewalls securely.
• Users might proactively search for ways around
the firewall to receive blocked material, exposing
the network to potential attack.
• Network performance can slow down.
• Unauthorized traffic can be tunneled or hidden as
legitimate traffic through the firewall.
Types of Firewalls
Packet-filtering firewall —is typically a
router that has the capability to filter on
some of the contents of packets (examines
Layer 3 and sometimes Layer 4
information)
Refer: 4.2.2.1
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Types of Firewalls
Stateful firewall —keeps track of the state
of a connection: whether the connection is
in an initiation, data transfer, or termination
state
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Types of Firewalls
Application gateway firewall (proxy
firewall) —filters information at Layers 3,
4, 5, and 7. Most of the firewall control and
filtering done in software.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Types of Firewalls
Network Address Translation (NAT)
firewall —expands the number of IP
addresses available and hides network
addressing design.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Types of Firewalls
• Other methods of implementing firewalls include:
• Host-based (server and personal) firewall —a PC or
server with firewall software running on it.
• Transparent firewall —filters IP traffic between a pair of
bridged interfaces.
• Hybrid firewalls —some combination of the above
firewalls. For example, an application inspection firewall
combines a stateful firewall with an application gateway
firewall.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Packet-Filtering Firewall Advantages
• Are based on simple permit or deny rule set
• Have a low impact on network performance
• Are easy to implement
• Are supported by most routers
• Afford an initial degree of security at a low
network layer
• Perform almost all tasks of what higher-end
firewalls do, at a much lower cost
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Packet-Filtering Firewall Disadvantages
• Packet filtering is susceptible to IP spoofing.
• Packet filters do not filter fragmented packets
well.
• Complex ACLs are difficult to implement and
maintain correctly.
• Packet filters cannot dynamically filter certain
services.
• Packet filters are stateless.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Extra: Tiny Fragment Attack
Học viện mạng Bách khoa - www.bkacad.com
Stateful Firewall
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Stateful Firewalls Advantages/Disadvantages
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Cisco Systems Firewall Solutions
• IOS Firewall
– Zone-based policy framework for intuitive management
– Instant messenger and peer-to-peer application filtering
– VoIP protocol firewalling
– Virtual routing and forwarding (VRF) firewalling
– Wireless integration
– Stateful failover
– Local URL whitelist and blacklist support
– Application inspection for web and e-mail traffic
• PIX 500 Series
• ASA 5500 Series
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Cisco Systems Firewall Solutions
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Cisco Systems Firewall Solutions
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Firewall in Network Design
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Layered Defense Scenario
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Layered Defense Scenario
• A network administrator must consider many factors when building a
complete in-depth defense:
• A significant number of intrusions come from hosts
within the network. For example, firewalls often do little to
protect against viruses that are downloaded through email.
• Firewalls do not protect against rogue modem
installations.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
• Firewalls do not replace backup and disaster recovery
mechanisms resulting from attack or hardware failure.
An in-depth defense also includes offsite storage and
redundant hardware topologies.
• Most importantly, firewalls are no substitute for
informed administrators and users.
Firewall Best Practices
1. Position firewalls at security boundaries.
2. Firewalls are the primary security device. It is
unwise to rely exclusively on a firewall for
security.
3. Deny all traffic by default. Permit only services
that are needed.
4. Ensure that physical access to the firewall is
controlled.
5. Regularly monitor firewall logs.
6. Practice change management for firewall
configuration changes.
7. Remember that firewalls primarily protect from
technical attacks originating from the outside.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Firewall in Network Design
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Context-Based Access Control
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Context-Based Access Control
• Filters TCP and UDP packets based on Application Layer protocol session
information
• Provides stateful Application Layer filtering
• Examine supported connections for embedded NAT and PAT information and
perform the necessary address translations.
• CBAC can block peer-to-peer (P2P) connections, such as those used by the
Gnutella and KaZaA applications
• Provides four main functions:
1.Traffic Filtering
2.Traffic Inspection
3.Intrusion Detection
4.Generation of Audits and Alerts
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
CBAC Capabilities
1. Monitors TCP Connection Setup
2. Examines TCP Sequence Numbers
3. Inspects DNS Queries and Replies
4. Inspects Common ICMP Message Types
Refer to 4.3.1.2
5. Supports Applications with Multiple Channels, such
as
FTP and Multimedia
6. Inspects Embedded Addresses
7. Inspects Application Layer Information
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
CBAC Operation
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
CBAC Operation
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
CBAC TCP Handling
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
CBAC UDP Handling
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
CBAC Example
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
CBAC Operation
• When an attack is detected, the firewall can take several actions:
– Generate alert messages
– Protect system resources that could impede performance
– Block packets from suspected attackers
• Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks:
– Total number of half-opened TCP sessions
– Number of half-opened sessions in a time interval
– Number of half-opened TCP sessions per host
• If a threshold for the number of half-opened TCP sessions is exceeded, the
firewall has two options:
– It sends a reset message to the endpoints of the oldest half-opened
session, making resources available to service newly arriving SYN
packets.
– It blocks all SYN packets temporarily for the duration that the
threshold value is configured. When the router blocks a SYN packet,
the TCP three-way handshake is never initiated, which prevents the
router from using memory and processing resources that valid
connections need.
Configuring CBAC
Four Steps to Configure
• Step 1: Pick an Interface- internal or external
• Step 2: Configure IP ACLs at the Interface
• Step 3: Define Inspection Rules
• Step 4: Apply an Inspection Rule to an
Interface
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 1: Pick an Interface
Two-Interface
Three-Interface
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 2: Configure IP ACLs at the Interface
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 3: Define Inspection Rules
– Router(config)#
ip inspect name inspection_name protocol [alert {on | off}] [audit-trail
{on | off}] [timeout seconds]
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 4: Apply an Inspection Rule to an Interface
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Verification and Troubleshooting of CBAC
• Alerts and Audits
• show ip inspect Parameters
• debug ip inspect Parameters
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Alerts and Audits
*note: Alerts are enabled by default and automatically display on the
console line of the router. If alerts have been disabled using the ip
inspect alert-off command, the no form of that command, as
seen above, is required to re-enable alerts.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Alerts and Audits
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
show ip inspect Parameters
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
debug ip inspect Parameters
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Zone-Based Policy Firewall Characteristics
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Zone-Based Policy Firewall Characteristics
• The zone-based policy firewall (ZPF or ZBF or
ZFW) inspection interface supports previous
firewall features, including stateful packet
inspection, application inspection, URL
filtering, and DoS mitigation.
•
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Firewall policies are configured using the Cisco
Common Classification Policy Language
(C3PL), which uses a hierarchical structure to
define network protocol inspection and allows
hosts to be grouped under one inspection policy.
Zone-Based Policy Firewall Characteristics
• CBAC has these limitations:
1. Multiple inspection policies and ACLs on several interfaces on a
router make it difficult to correlate the policies for traffic
between multiple interfaces.
2. Policies cannot be tied to a host group or subnet with an ACL.
All traffic through a given interface is subject to the same
inspection.
3. The process relies too heavily on ACLs.
Benefits
Two Zones
• Zone-based policy firewall is not dependent on ACLs
• The router security posture is now “block unless explicitly
allowed”
• C3PL (Cisco Common Classification Policy Language) makes
policies easy to read and troubleshoot
• One policy affects any given traffic, instead of needing multiple
ACLs and inspection actions.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
CBAC or Zones ?
• Important note:
• Both configuration models can be enabled
concurrently on a router.
• The models cannot be combined on a single interface.
• For example, an interface cannot be configured as a
security zone member and configured for IP inspection
simultaneously.
The Design Process
1. Determine the Zones:
– Internetworking infrastructure under consideration is split into well-
documented separate zones with various security levels
2. Establish policies between zones:
– For each pair of source-destination zones, the sessions that clients in
source zones are allowed to open to servers in destination zones are
defined. For traffic that is not based on the concept of sessions (for
example, IPsec Encapsulating Security Payload [ESP]), the administrator
must define unidirectional traffic flows from source to destination and vice
versa.
3. Design the physical infrastructure:
– The administrator must design the physical infrastructure, taking into
account security and availability requirements.
4. Identify subset within zones and merge traffic requirements:
– For each firewall device in the design, the administrator must identify zone
subsets connected to its interfaces and merge the traffic requirements for
those zones, resulting in a device-specific interzone policy.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Common Designs
LAN-to-Internet Public Servers
Redundant Firewalls Complex Firewall
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Zones Simplify Complex Firewall
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Actions when configured using CCP
Inspect – This
action configures
Cisco IOS stateful
packet inspection
Drop – This action is
analogous to deny in
an ACL
Pass – This action is
analogous to permit
in an ACL
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Rules for Application Traffic
*zone-pair must have different zone as source and destination
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Rules for Router Traffic
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring a Zone-Based Policy Firewall with CLI
1. Create the zones for the firewall
with the zone security
command
2. Define traffic classes with the
class-map type inspect
command
3. Specify firewall policies with
the policy-map type
inspect command
4. Apply firewall policies to pairs of
source and destination zones with
zone-pair security
5. Assign router interfaces to zones using the zone-member security
interface command
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 1: Create the Zones
FW(config)# zone security Inside
FW(config-sec-zone)# description Inside network
FW(config)# zone security Outside
FW(config-sec-zone)# description Outside network
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 2: Define Traffic Classes
FW(config)# class-map type inspect FOREXAMPLE
FW(config-cmap)# match access-group 101
FW(config-cmap)# match protocol tcp
FW(config-cmap)# match protocol udp
FW(config-cmap)# match protocol icmp
FW(config-cmap)# exit
FW(config)# access-list 101 permit ip 10.0.0.0
0.0.0.255 any
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 3: Define Firewall Policies
FW(config)# policy-map type inspect InsideToOutside
FW(config-pmap)# class type inspect FOREXAMPLE
FW(config-pmap-c)# inspect
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 4: Assign Policy Maps to Zone Pairs and Assign Router Interfaces to
Zones
FW(config)# zone-pair security InsideToOutside source
Inside destination Outside
FW(config-sec-zone-pair)# description Internet Access
FW(config-sec-zone-pair)# service-policy type inspect
InsideToOutside
FW(config-sec-zone-pair)# interface F0/0
FW(config-if)# zone-member security Inside
FW(config-if)# interface S0/0/0.100 point-to-point
FW(config-if)# zone-member security Outside
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Final ZPF Configuration
• policy-map type inspect InsideToOutside class
class-default inspect
• !
• zone security Inside description Inside network
• zone security Outside description Outside
network
• zone-pair security InsideToOutside source Inside
destination Outside
• service-policy type inspect InsideToOutside
• !
• interface FastEthernet0/0 zone-member security
Inside
• !
• interface Serial0/0/0.100 point-to-point zone-
member security Outside
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring a Zone-Based Policy Firewall with CCP Wizard
• Refer to 4.4.4
Configuring a Zone-Based Policy Firewall Manually with CCP
• Refer to 4.4.5
CLI Generated Output
• class-map type inspect match-any iinsprotocols
• match protocol http
• match protocol smtp
• match protocol ftp
!
• policy-map type inspect iinspolicy
• class type inspect iinsprotocols
• inspect
• !
• zone security private
List of services
defined in the
firewall policy
Apply action (inspect =
stateful inspection)
Zones created
• zone security internet
• !
• interface fastethernet 0/0
• zone-member security private
• !
• interface serial 0/0/0
• zone-member security internet
• !
• zone-pair security priv-to-internet source private destination internet
• service-policy type inspect iinspolicy
• !
Interfaces assigned to
zones
Inspection applied
from private to public
zones
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Troubleshooting Zone-Based Policy Firewall
• Refer to 4.4.6
Troubleshooting Zone-Based Policy Firewall
• Refer to 4.4.6
Summary
• Standard and extended IP ACLs are the fundamental tools
for basic network traffic filtering.
• How standard and extended IP ACLs are created and
applied depends on the type of traffic and where the
source and destination of the traffic lies.
• ACLs are linked to the flow of network traffic. The network
topology determines how ACLs are cerated and applied
• ACLs can be created and applied with SDM
• The TCP established option and reflexive ACLs extend the
function of ACLs to take into account the tow-way nature of
the network traffic.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Summary
• Firewalls provide perimeter security defining the inside and
outside of a network.
• There are many different types of firewall , with stateful
firewall providing the greatest security.
• Today, network design must take into account the selection
of the type of firewall and its proper placement.
• CBAC enables sophisticate stateful filtering of most forms
of modern application traffic.
• The operation of CBAC is quite complex, bulding and
tearing down state entries for traffic flows.
• CBAC configuration is very complex, relying on ACLs and
inspection rules applied on appropriate interfaces.
• CLI and SDM can be used to verify and troubleshoot
CBAC
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Summary
• Zone-Based Policy Firewall (ZPF) , introduced in 2006, is
the state of the art in modern firewalling.
• ZPF operation centers around the creation of zones
associated with various security levels.
• Implementing ZPF with CLI is much more structured and
easier to understand than CBAC . ZPF utilizes class maps
and policy maps enabled by C3PL.
• An SDM wizard for ZPF is avaiable.
• Either CLI or SDM can be used to verify and troubleshoot
ZPF.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Các file đính kèm theo tài liệu này:
- ccna_security_chapter_4_implementing_firewall_technologies_811_6857.pdf