Quản trị mạng - Chapter 4: Implementing firewall technologies

Chapter 4 - Implementing Firewall Technologies CCNA Security Objectives • Describe numbered and named, standard and extended IP ACLs. • Configure IP ACLs with IOS CLI and CCP. • Describe TCP established ACL functionality. • Describe and configure reflexive ACLs. • Describe and configure dynamic ACLs. • Describe and configure time-based ACLs. • Describe attack mitigation with ACLs. • Describe the major types of firewalls. • Describe and configure CBAC (IOS Staful Packet Inspection) with CLI. • Describe and configure Zone-Based Policy Firewall with CLI and CCP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com ACL Topology and Types Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com ACL Topology and Types • Refer to 4.1.1.1 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Standard Numbered IP ACLs • The first value specifies the ACL number • The second value specifies whether to permit or deny the configured source IP address traffic Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask] • The third value is the source IP address that must be matched • The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range • All ACLs assume an implicit deny statement at the end of the ACL • At least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Extended Numbered IP ACLs • The first value specifies the ACL number • The second value specifies whether to permit or deny accordingly Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established] • The third value indicates protocol type • The source IP address and wildcard mask determine where traffic originates. The destination IP address and wildcard mask are used to indicate the final destination of the network traffic • The command to apply the standard or extended numbered ACL: Router(config-if)# ip access-group number {in | out} Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Extended Numbered IP ACLs Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established] Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com ??? Named IP ACLs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer to 4.1.1.3 Named IP ACLs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Apply ACL to the virtual access • An ACL can also be used to permit or deny specific IP addresses from gaining virtual access. • Standard ACLs allow restrictions to be enforced on the originator source IP address or IP address range. • An extended ACL does the same but can also enforce the access protocol such as port 23 (Telnet) or port 22 (SSH). The access-class extended ACL only supports the any (???) keyword as the destination. • The access list must be applied to the vty port. • Router(config-line)# access-class {access-list-name | access-list-number} {in | out} • Or http line • Router(config)# ip http access-class {access-list-name | access-list-number} The log Parameter • R1(config) # access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22 log *May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0- IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet *May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0- IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets There are several pieces of information logged: • The action—permit or deny • The protocol—TCP, UDP, or ICMP • The source and destination addresses • For TCP and UDP—the source and destination port numbers • For ICMP—the message types Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com ACL Configuration Guidelines 1. ACLs are created globally and then applied to interfaces 2. ACLs filter traffic going through the router, or traffic to and from the router, depending on how it is applied 3. Only one ACL per interface, per protocol, per direction 4. Standard or extended indicates the information that is used to filter packets 5. ACLs are process top-down. The most specific statements must go at the top of the list 6. All ACLs have an implicit “deny all” statement at the end, therefore every list must have at least one permit statement to allow any traffic to pass Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Standard IP ACLs • Use a standard ACL to block all traffic from 172.16.4.0/24 network, but allow all other traffic. r1(config)# access-list 1 deny 172.16.4.0 0.0.0.255 r1(config)# access-list 1 permit any r1(config)# interface ethernet 0 r1(config-if)# ip access-group 1 out Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Extended IP ACLs • Use an extended ACL to block all FTP traffic from 172.16.4.0/24 network, but allow all other traffic. access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20 access-list 101 permit ip any any Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Other CLI Commands • To ensure that only traffic from a subnet is blocked and all other traffic is allowed: access-list 1 permit any • To place an ACL on the inbound E1 interface: interface ethernet 1 ip access-group 101 in • To check the intended effect of an ACL: show ip access-list Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Other CLI Commands Refer to 4.1.2.3 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Other CLI Commands Refer to 4.1.2.4 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Flow for Access Control Lists Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Flow for Access Control Lists Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Standard ACL placement Refer to 4.1.3.2 Standard ACLs should be placed as close to the destination as possible. Standard ACLs filter packets based on the source address only. If placed too close to the source, it can deny all traffic, including valid traffic. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Extended ACL placement Extended ACLs should be placed on routers as close as possible to the source that is being filtered. If placed too far from the source being filtered, there is inefficient use of network resources. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Nmap for Planning PC-A$ nmap --system-dns 192.168.20.0/24 Interesting ports on webserver.branch1.com (192.168.20.2): (The 1669 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 110 open pop3 Refer to 4.1.3.3 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Flow for Access Control Lists Refer to 4.1.3.4 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com R1#terminal monitor // Copy debug output to the current terminal line R1#terminal no monitor // Disable monitor Configuring Standard and Extended ACLs with CCP Configure > Router > ACL Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer to 4.1.4.1 Configuring Access Rules • Choose Configure > Router > ACL > ACL Summary Rule types: • Access Rules • NAT Rules • Ipsec Rules • NAC Rules • Firewall Rules • QoS Rules • Unsupported Rules • Externally Defined Rules • Cisco CP Default Rules Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Standard Rules Using SDM 1. Choose Configure > Router > ACL > ACL Editor 2. Click Add 3. Enter a name or number 4. Choose Standard Rule Optionally, enter a description 6. Choose Permit or Deny 7. Choose an address type 5. Click Add 8. Complete this field based on the choice made in #7 9. (Option) Enter an optional description 10. (Optional) Check the Log matches against this entry 11. Click OK 12. Continue adding or editing rules Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Applying a Rule to an Interface 2. Choose the interface 1. Click Associate 3. Choose a direction 4. An information box with options appears if a rule is already associated with that interface, that direction. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com The Deliver Configuration • Click the check box next to Save running config. to device's startup config. Then click the Deliver button. Viewing Commands R1# show running-config ! hostname R1 enable secret 5 $1$MJD8$.1LWYcJ6iUi133Yg7vGHG/ crypto pki trustpoint TP-self-signed- 1789018390 enrollment selfsigned subject-name cn=IOS-Self-Signed- interface FastEthernet0/1 ip address 192.168.1.1 255.255.255.0 ip access-group Outbound in ! interface Serial0/0/0 ip address 10.1.1.1 255.255.255.252 clock rate 128000 ! no ip http server ip http secure-server Certificate-1789018390 revocation-check none rsakeypair TP-self-signed-1789018390 ! crypto pki certificate chain TP-self- signed-1789018390 certificate self-signed 01 3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 1BF29620 A084B701 5B92483D D934BE31 ECB7AB56 8FFDEA93 E2061F33 8356 quit ! ip access-list standard Outbound remark SDM_ACL Category=1 permit 192.168.1.3 ! access-list 100 remark SDM_ACL Category=16 access-list 100 deny tcp any host 192.168.1.3 eq telnet log access-list 100 permit ip any any ! ! Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Types of ACLs • Standard IP ACLs • Extended IP ACLs • Extended IP ACLs using TCP established • Reflexive IP ACLs • Dynamic ACLs • Time-Based ACLs • Context-based Access Control (CBAC) ACLs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring TCP Estblished and Reflexive ACLs The established keyword: • Forces a check by the routers to see if the ACK or RST TCP control Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] flags are set. If the ACK flag is set, the TCP traffic is allowed in. If not, it is assumed that the traffic is associated with a new connection initiated from the outside. • Does not implement a stateful firewall on a router • Hackers can take advantage of the open hole by using a packet generator or scanner, such as Nmap, to sneak TCP packets into a network by masquerading them as returning traffic. • Option does not apply to UDP or ICMP traffic Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring TCP Estblished and Reflexive ACLs Example Using TCP Established access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established access-list 100 permit tcp any 192.168.1.3 eq 22 access-list 100 deny ip any any interface s0/0/0 ip access-group 100 in Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Reflexive ACLs • Provide a truer form of session filtering • Much harder to spoof • Allow an administrator to perform actual session filtering for any type of IP traffic • Work by using temporary access control entries (ACEs) • Using extended named IP access-list only Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring a Router to Use Reflexive ACLs 1. Create an internal ACL that looks for new outbound sessions and creates temporary reflexive ACEs 2. Create an external ACL that uses the reflexive ACLs to examine return traffic 3. Activate the named ACLs on the appropriate interfaces Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring a Router to Use Reflexive ACLs • Router(config)# ip access-list extended internal_ACL_name • Router(config-ext-nacl)# permit protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established] reflect reflexive_ACL_name [timeout seconds] • Example: • R1(config)# ip access-list extended internal_ACL • R1(config-ext-nacl)# permit tcp any any eq 80 reflect web- only-reflexive-ACL • R1(config-ext-nacl)# permit udp any any eq 53 reflect dns- only-reflexive-ACL timeout 10 Configuring a Router to Use Reflexive ACLs • Router(config)# ip access-list extended external_ACL_name • Router(config-ext-nacl)# evaluate reflexive_ACL_name • Example: • R1(config)# ip access-list extended external_ACL • R1(config-ext-nacl)# evaluate web-only-reflexive-ACL • R1(config-ext-nacl)# evaluate dns-only-reflexive-ACL • R1(config-ext-nacl)# deny ip any any • R1(config)# interface s0/0/0 • R1(config-if)# description connection to the ISP. • R1(config-if)# ip access-group internal_ACL out • R1(config-if)# ip access-group external_ACL in Setting a Global Timeout Value • The default value is 300s Example: Reflexive ACLs Học viện mạng Bach Khoa - Website: www.bkacad.com 40 Configuring Dynamic ACLs • Available for IP traffic only • Dependent on Telnet connectivity, authentication, and extended ACLs • Security benefits include: 1. Use of a challenge mechanism to authenticate users 2. Simplified management in large internetworks 3. Reduction of the amount of router processing that is required for ACLs 4. Reduction of the opportunity for network break-ins by network hackers 5. Creation of dynamic user access through a firewall without compromising other configured security restrictions Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Implementing a Dynamic ACL The router authenticates the connection Dynamic ACL entry added that grants Remote user opens a Telnet or SSH connection to the router. The router prompts the user for a username and password user access User can access the internal resources Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Setting up a Dynamic ACL Router(config)# access-list ACL_# dynamic dynamic_ACL_name [timeout minutes] {deny | permit} IP_protocol source_IP_address src_wildcard_mask destination_IP_address dst_wildcard_mask [established] [log] Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Setting up a Dynamic ACL Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Example: Dynamic ACLs Học viện mạng Bach Khoa - Website: www.bkacad.com 45 Configuring Time-Based ACLs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Time-Based ACLs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Example Configuration Internet Perimeter(config)# time-range employee-time Perimeter(config-time)# periodic weekdays 12:00 to 13:00 Perimeter(config-time)# periodic weekdays 17:00 to 19:00 Perimeter(config-time)# exit Perimeter(config)# access-list 100 permit tcp any host 200.1.1.11 eq 25 Perimeter(config)# access-list 100 permit tcp any eq 25 host 200.1.1.11 established Perimeter(config)# access-list 100 permit udp any host 200.1.1.12 eq 53 Perimeter(config)# access-list 100 permit udp any eq 53 host 200.1.1.12 Perimeter(config)# access-list 100 permit tcp any 200.1.1.0 0.0.0.255 established time-range employee- 192.168.1.0/24 Serial 0/0/0 I can’t surf the web at 10:00 A.M. because of the time- based ACL! 10.1.1.1 R1 time Perimeter(config)# access-list 100 deny ip any any Perimeter(config)# interface ethernet 1 Perimeter(config-if)# ip access-group 100 in Perimeter(config-if)# exit Perimeter(config)# access-list 101 permit tcp host 200.1.1.11 eq 25 any Perimeter(config)# access-list 101 permit tcp host 200.1.1.11 any eq 25 Perimeter(config)# access-list 101 permit udp host 200.1.1.12 eq 53 any Perimeter(config)# access-list 101 permit udp host 200.1.1.12 any eq 53 Perimeter(config)# access-list 101 permit tcp 200.1.1.0 0.0.0.255 any time-range employee-time Perimeter(config)# access-list 100 deny ip any any Perimeter(config)# interface ethernet 1 Perimeter(config-if)# ip access-group 101 out Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Troubleshooting Complex ACL Implementation Router# show access-lists [access-list-number | access-list-name] Router# debug ip packet [access-list-number] [detail] Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Troubleshooting Complex ACL Implementation Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Troubleshooting Complex ACL Implementation Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Attacks with ACLs 1. Mitigate IP address spoofing—inbound/outbound 2. Mitigate Denial of service (DoS) TCP synchronizes (SYN) attacks—blocking external attacks 3. Mitigate DoS TCP SYN attacks—using TCP intercept 4. Mitigate DoS smurf attacks 5. Filter Internet Control Message Protocol (ICMP) messages—inbound 6. Filter ICMP messages—outbound 7. Filter traceroute Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Attacks with ACLs • Inbound R1(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any R1(config)#access-list 150 deny ip 10.0.0.0 0.255.255.255 any R1(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any R1(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any R1(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any R1(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any R1(config)#access-list 150 deny ip host 255.255.255.255 any Outbound R1(config)#access-list 105 permit ip 192.168.1.0 0.0.0.255 any Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Allowing Common Services Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Controlling ICMP Messages Refer to 4.1.9.4 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Attacks with ACLs IPv6 ACLs Refer to 4.1.10 • IPv4 was designed without a number of modern-day network requirements such as: – Security - IPsec – Device roaming - Mobile IP – Quality of service - RSVP – Address scarcity - DHCP, NAT, CIDR, VLSM IPv6 ACLs • Router(config-if)# ipv6 traffic-filter access-list-name {in | out} IPv6 ACLs Using Object Groups in ACEs Refer to 4.1.11 • In large networks, ACLs can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs frequently change. • Object group-based ACLs are smaller, more readable, and easier to configure and manage than conventional ACLs. Using Object Groups in ACEs Using Object Groups in ACEs • Network Object Groups • A network object group is a group of any of the following objects: – Hostnames, IP addresses, or subnets – Ranges of IP addresses – Existing network object groups • To create a network group, enter the following commands: • Router(config)# object-group network nw_grp_id • Router(config-network-group)# description description-text | host {host-address | host-name} | network-address {/prefix- length | network-mask} | range host- address1 host-address2 | any | group-object nested-object-group-name Using Object Groups in ACEs • Service Object Groups • A service object group is a group of any of the following objects: – Top-level protocols (such as TCP, UDP, or ESP) – Source and destination protocol ports (such as Telnet or SNMP) – ICMP types (such as echo, echo-reply, or host-unreachable) – Existing service object groups • To create a service group, enter the following commands: • Router(config)# object-group service svc_grp_id • Router(config-service-group)# protocol | [tcp | udp | tcp-udp [source {{[eq]| lt | gt} port1 | range port1 port2}] [{[eq]| lt | gt} port1 | range port1 port2]] | icmp icmp-type Using Object Groups in ACEs Using Object Groups in ACEs Refer to 4.1.11.4 Securing Networks withs Firewall • A firewall is a system that enforces an access control policy between network • Common properties of firewalls: 1. The firewall is resistant to attacks 2. The firewall is the only transit point between networks 3. The firewall enforces the access control policy Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Benefits of Firewalls • Firewalls prevent malicious data from being sent to servers and clients. • Properly configured firewalls make security policy enforcement simple, scalable, and robust. • A firewall reduces the complexity of security management by Refer: 4.2.1.2 • Prevents exposing sensitive hosts and applications to untrusted users • Prevent the exploitation of protocol flaws by sanitizing the protocol flow offloading most of the network access control to a couple of points in the network. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Benefits of Firewalls Refer: 4.2.1.2 Limitations of Firewalls • If misconfigured, a firewall can have serious consequences (single point of failure). • The data from many applications cannot be passed over firewalls securely. • Users might proactively search for ways around the firewall to receive blocked material, exposing the network to potential attack. • Network performance can slow down. • Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall. Types of Firewalls Packet-filtering firewall —is typically a router that has the capability to filter on some of the contents of packets (examines Layer 3 and sometimes Layer 4 information) Refer: 4.2.2.1 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Types of Firewalls Stateful firewall —keeps track of the state of a connection: whether the connection is in an initiation, data transfer, or termination state Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Types of Firewalls Application gateway firewall (proxy firewall) —filters information at Layers 3, 4, 5, and 7. Most of the firewall control and filtering done in software. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Types of Firewalls Network Address Translation (NAT) firewall —expands the number of IP addresses available and hides network addressing design. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Types of Firewalls • Other methods of implementing firewalls include: • Host-based (server and personal) firewall —a PC or server with firewall software running on it. • Transparent firewall —filters IP traffic between a pair of bridged interfaces. • Hybrid firewalls —some combination of the above firewalls. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Packet-Filtering Firewall Advantages • Are based on simple permit or deny rule set • Have a low impact on network performance • Are easy to implement • Are supported by most routers • Afford an initial degree of security at a low network layer • Perform almost all tasks of what higher-end firewalls do, at a much lower cost Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Packet-Filtering Firewall Disadvantages • Packet filtering is susceptible to IP spoofing. • Packet filters do not filter fragmented packets well. • Complex ACLs are difficult to implement and maintain correctly. • Packet filters cannot dynamically filter certain services. • Packet filters are stateless. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Extra: Tiny Fragment Attack Học viện mạng Bách khoa - www.bkacad.com Stateful Firewall Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Stateful Firewalls Advantages/Disadvantages Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco Systems Firewall Solutions • IOS Firewall – Zone-based policy framework for intuitive management – Instant messenger and peer-to-peer application filtering – VoIP protocol firewalling – Virtual routing and forwarding (VRF) firewalling – Wireless integration – Stateful failover – Local URL whitelist and blacklist support – Application inspection for web and e-mail traffic • PIX 500 Series • ASA 5500 Series Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco Systems Firewall Solutions Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco Systems Firewall Solutions Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Firewall in Network Design Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Layered Defense Scenario Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Layered Defense Scenario • A network administrator must consider many factors when building a complete in-depth defense: • A significant number of intrusions come from hosts within the network. For example, firewalls often do little to protect against viruses that are downloaded through email. • Firewalls do not protect against rogue modem installations. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • Firewalls do not replace backup and disaster recovery mechanisms resulting from attack or hardware failure. An in-depth defense also includes offsite storage and redundant hardware topologies. • Most importantly, firewalls are no substitute for informed administrators and users. Firewall Best Practices 1. Position firewalls at security boundaries. 2. Firewalls are the primary security device. It is unwise to rely exclusively on a firewall for security. 3. Deny all traffic by default. Permit only services that are needed. 4. Ensure that physical access to the firewall is controlled. 5. Regularly monitor firewall logs. 6. Practice change management for firewall configuration changes. 7. Remember that firewalls primarily protect from technical attacks originating from the outside. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Firewall in Network Design Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Context-Based Access Control Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Context-Based Access Control • Filters TCP and UDP packets based on Application Layer protocol session information • Provides stateful Application Layer filtering • Examine supported connections for embedded NAT and PAT information and perform the necessary address translations. • CBAC can block peer-to-peer (P2P) connections, such as those used by the Gnutella and KaZaA applications • Provides four main functions: 1.Traffic Filtering 2.Traffic Inspection 3.Intrusion Detection 4.Generation of Audits and Alerts Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CBAC Capabilities 1. Monitors TCP Connection Setup 2. Examines TCP Sequence Numbers 3. Inspects DNS Queries and Replies 4. Inspects Common ICMP Message Types Refer to 4.3.1.2 5. Supports Applications with Multiple Channels, such as FTP and Multimedia 6. Inspects Embedded Addresses 7. Inspects Application Layer Information Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CBAC Operation Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CBAC Operation Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CBAC TCP Handling Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CBAC UDP Handling Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CBAC Example Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CBAC Operation • When an attack is detected, the firewall can take several actions: – Generate alert messages – Protect system resources that could impede performance – Block packets from suspected attackers • Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks: – Total number of half-opened TCP sessions – Number of half-opened sessions in a time interval – Number of half-opened TCP sessions per host • If a threshold for the number of half-opened TCP sessions is exceeded, the firewall has two options: – It sends a reset message to the endpoints of the oldest half-opened session, making resources available to service newly arriving SYN packets. – It blocks all SYN packets temporarily for the duration that the threshold value is configured. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources that valid connections need. Configuring CBAC Four Steps to Configure • Step 1: Pick an Interface- internal or external • Step 2: Configure IP ACLs at the Interface • Step 3: Define Inspection Rules • Step 4: Apply an Inspection Rule to an Interface Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Step 1: Pick an Interface Two-Interface Three-Interface Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Step 2: Configure IP ACLs at the Interface Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Step 3: Define Inspection Rules – Router(config)# ip inspect name inspection_name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds] Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Step 4: Apply an Inspection Rule to an Interface Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Verification and Troubleshooting of CBAC • Alerts and Audits • show ip inspect Parameters • debug ip inspect Parameters Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Alerts and Audits *note: Alerts are enabled by default and automatically display on the console line of the router. If alerts have been disabled using the ip inspect alert-off command, the no form of that command, as seen above, is required to re-enable alerts. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Alerts and Audits Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com show ip inspect Parameters Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com debug ip inspect Parameters Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Zone-Based Policy Firewall Characteristics Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Zone-Based Policy Firewall Characteristics • The zone-based policy firewall (ZPF or ZBF or ZFW) inspection interface supports previous firewall features, including stateful packet inspection, application inspection, URL filtering, and DoS mitigation. • Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Firewall policies are configured using the Cisco Common Classification Policy Language (C3PL), which uses a hierarchical structure to define network protocol inspection and allows hosts to be grouped under one inspection policy. Zone-Based Policy Firewall Characteristics • CBAC has these limitations: 1. Multiple inspection policies and ACLs on several interfaces on a router make it difficult to correlate the policies for traffic between multiple interfaces. 2. Policies cannot be tied to a host group or subnet with an ACL. All traffic through a given interface is subject to the same inspection. 3. The process relies too heavily on ACLs. Benefits Two Zones • Zone-based policy firewall is not dependent on ACLs • The router security posture is now “block unless explicitly allowed” • C3PL (Cisco Common Classification Policy Language) makes policies easy to read and troubleshoot • One policy affects any given traffic, instead of needing multiple ACLs and inspection actions. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CBAC or Zones ? • Important note: • Both configuration models can be enabled concurrently on a router. • The models cannot be combined on a single interface. • For example, an interface cannot be configured as a security zone member and configured for IP inspection simultaneously. The Design Process 1. Determine the Zones: – Internetworking infrastructure under consideration is split into well- documented separate zones with various security levels 2. Establish policies between zones: – For each pair of source-destination zones, the sessions that clients in source zones are allowed to open to servers in destination zones are defined. For traffic that is not based on the concept of sessions (for example, IPsec Encapsulating Security Payload [ESP]), the administrator must define unidirectional traffic flows from source to destination and vice versa. 3. Design the physical infrastructure: – The administrator must design the physical infrastructure, taking into account security and availability requirements. 4. Identify subset within zones and merge traffic requirements: – For each firewall device in the design, the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones, resulting in a device-specific interzone policy. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Common Designs LAN-to-Internet Public Servers Redundant Firewalls Complex Firewall Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Zones Simplify Complex Firewall Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Actions when configured using CCP Inspect – This action configures Cisco IOS stateful packet inspection Drop – This action is analogous to deny in an ACL Pass – This action is analogous to permit in an ACL Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Rules for Application Traffic *zone-pair must have different zone as source and destination Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Rules for Router Traffic Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring a Zone-Based Policy Firewall with CLI 1. Create the zones for the firewall with the zone security command 2. Define traffic classes with the class-map type inspect command 3. Specify firewall policies with the policy-map type inspect command 4. Apply firewall policies to pairs of source and destination zones with zone-pair security 5. Assign router interfaces to zones using the zone-member security interface command Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Step 1: Create the Zones FW(config)# zone security Inside FW(config-sec-zone)# description Inside network FW(config)# zone security Outside FW(config-sec-zone)# description Outside network Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Step 2: Define Traffic Classes FW(config)# class-map type inspect FOREXAMPLE FW(config-cmap)# match access-group 101 FW(config-cmap)# match protocol tcp FW(config-cmap)# match protocol udp FW(config-cmap)# match protocol icmp FW(config-cmap)# exit FW(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Step 3: Define Firewall Policies FW(config)# policy-map type inspect InsideToOutside FW(config-pmap)# class type inspect FOREXAMPLE FW(config-pmap-c)# inspect Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Step 4: Assign Policy Maps to Zone Pairs and Assign Router Interfaces to Zones FW(config)# zone-pair security InsideToOutside source Inside destination Outside FW(config-sec-zone-pair)# description Internet Access FW(config-sec-zone-pair)# service-policy type inspect InsideToOutside FW(config-sec-zone-pair)# interface F0/0 FW(config-if)# zone-member security Inside FW(config-if)# interface S0/0/0.100 point-to-point FW(config-if)# zone-member security Outside Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Final ZPF Configuration • policy-map type inspect InsideToOutside class class-default inspect • ! • zone security Inside description Inside network • zone security Outside description Outside network • zone-pair security InsideToOutside source Inside destination Outside • service-policy type inspect InsideToOutside • ! • interface FastEthernet0/0 zone-member security Inside • ! • interface Serial0/0/0.100 point-to-point zone- member security Outside Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring a Zone-Based Policy Firewall with CCP Wizard • Refer to 4.4.4 Configuring a Zone-Based Policy Firewall Manually with CCP • Refer to 4.4.5 CLI Generated Output • class-map type inspect match-any iinsprotocols • match protocol http • match protocol smtp • match protocol ftp ! • policy-map type inspect iinspolicy • class type inspect iinsprotocols • inspect • ! • zone security private List of services defined in the firewall policy Apply action (inspect = stateful inspection) Zones created • zone security internet • ! • interface fastethernet 0/0 • zone-member security private • ! • interface serial 0/0/0 • zone-member security internet • ! • zone-pair security priv-to-internet source private destination internet • service-policy type inspect iinspolicy • ! Interfaces assigned to zones Inspection applied from private to public zones Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Troubleshooting Zone-Based Policy Firewall • Refer to 4.4.6 Troubleshooting Zone-Based Policy Firewall • Refer to 4.4.6 Summary • Standard and extended IP ACLs are the fundamental tools for basic network traffic filtering. • How standard and extended IP ACLs are created and applied depends on the type of traffic and where the source and destination of the traffic lies. • ACLs are linked to the flow of network traffic. The network topology determines how ACLs are cerated and applied • ACLs can be created and applied with SDM • The TCP established option and reflexive ACLs extend the function of ACLs to take into account the tow-way nature of the network traffic. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary • Firewalls provide perimeter security defining the inside and outside of a network. • There are many different types of firewall , with stateful firewall providing the greatest security. • Today, network design must take into account the selection of the type of firewall and its proper placement. • CBAC enables sophisticate stateful filtering of most forms of modern application traffic. • The operation of CBAC is quite complex, bulding and tearing down state entries for traffic flows. • CBAC configuration is very complex, relying on ACLs and inspection rules applied on appropriate interfaces. • CLI and SDM can be used to verify and troubleshoot CBAC Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary • Zone-Based Policy Firewall (ZPF) , introduced in 2006, is the state of the art in modern firewalling. • ZPF operation centers around the creation of zones associated with various security levels. • Implementing ZPF with CLI is much more structured and easier to understand than CBAC . ZPF utilizes class maps and policy maps enabled by C3PL. • An SDM wizard for ZPF is avaiable. • Either CLI or SDM can be used to verify and troubleshoot ZPF. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com