Perimeter Protection (Firewalls) Before installing a firewall you must have a firm grasp on reality. Reality is, it won’t stop all attacks but you’ll sleep better knowing it’s there.
Objectives (1 of 2) • Explain the basics of a firewall • Describe the different types of firewalls • Define the following types of Access Control Lists: • Standard ACLs • Extended ACLs • Reflexive ACLs • Implement Access Control Lists on a router.
Objectives (2 of 2) • Describe additional components that can be used to enhance the firewall’s capabilities • Explain firewall placement on a network • Implement a Cisco ASA5510 firewall • Implement a DMZ on a Cisco ASA5510 firewall
Firewall Basics (1 of 6) A firewall is a hardware or software based gateway that acts as a buffer between any “trusted” network and a “lesser-trusted” network. • When most of us think of a firewall we picture a device that sits between the corporate (internal) network and the internet (public network).
Firewall Basics (2 of 6) • However, today we often don’t see a single firewall implementation unless we are dealing with a small network. • Most corporate implementations use a multi-firewall approach to provide successive protection from the internet, to the DMZ, to the internal user network, to the internal secure network.
Firewall Basics (3 of 6) An older (or basic) implementation of a single firewall solution
Firewall Basics (4 of 6) • Firewalls are primarily designed to address the threats that are directed, intentionally and unintentionally, at an organization’s network. • The most basic firewalls address these threats by permitting only valid inbound (reply) traffic to reach the internal network.
Firewall Basics (5 of 6) • Identifying valid traffic is not as easy as it seems. • Many of today’s newer attacks are much better at forging what appears to be valid traffic. • These newer attacks can defeat many of the older, simpler firewall systems and router ACLs.
Firewall Basics (6 of 6) • There are also several pre-attack applications that perform intelligence-gathering functions. • These allow attackers to craft better packets that are designed to defeat the weaknesses in the devices (firewalls and ACL-configured routers) that were identified by the pre-attack applications.
Firewall Types (1 of 9) Firewalls are often classified under three different categories, which are based on their method of packet inspection. • Packet filtering and stateless filtering • Stateful filtering • Deep packet layer inspection
Firewall Types (2 of 9) • Packet filtering firewalls are basically access-control lists that are configured on a router. • These firewalls are easily defeated today and there are several applications that can be used to determine if a router has an ACL running on it (even traceroute can provide us with a hint to this).
Firewall Types (3 of 9) • Stateless filtering firewalls are not much better than packet filtering ACLs and they permit only the receipt of packets that are based on the source IP Address and ports from other “trusted” networks. • If you defined the Internet as a trusted network you’re really not providing yourself with much protection. • The only real benefit to this type of firewall over the packet filtering ACLs is it provides more flexibility and scalability.
Firewall Types (4 of 9) Packet filtering and Stateless filtering firewalls only operate from Layer 1 to Layer 3 of the OSI model.
Firewall Types (5 of 9)
• Stateful filtering firewalls provide a greater range of filtering capabilities over stateless filtering firewalls.
• Filtering can be performed on:
  • Source and destination IP Addresses
  • Source and destination TCP/UDP ports
  • Protocol anomalies such as illegal TCP flag combinations
  • Limited basic payload content filtering
Firewall Types (6 of 9) Stateful filtering firewalls operate up to Layer 4 of the OSI Model
Firewall Types (7 of 9)
• Deep packet layer inspection is another step up in packet filtering capability.
• In addition to all the filtering offered by a stateful filtering firewall, it can also filter on:
  • Protocol conformance
  • Packet specification conformance
  • Application-based attacks
  • Payload integrity
Firewall Types (8 of 9) • These functions have traditionally been reserved for, or found only in, IDS solutions. • Because they combine a firewall and an IDS, deep packet layer inspection firewalls have historically been found only as hardware appliances, but that is changing. • This type of inspection requires the speed of a hardware-based solution in order to prevent the firewall from becoming the network’s primary bottleneck.
Firewall Types (9 of 9) Deep packet layer inspection firewalls operate on all layers of the OSI model
Access Control Lists (1 of 2) Access lists are used as filters to decide which packets are permitted and which packets are denied. • The entries for this are referred to as Access Control Entries (ACEs) and the router’s security is highly dependent on them. • This is really the first line of defense on your perimeter routers and should be carefully thought out when implemented.
Access Control Lists (2 of 2) There are three different categories of Access Control Lists.
• Standard IP Access Lists
  • Can filter IP packets based on source IP address only
• Extended Access Lists
  • Can filter IP packets based on several attributes
• Enhanced Access Lists
  • Requirement dependent, to help secure the router and its networks better
Standard Access Control Lists (1 of 3) Standard IP ACLs
• Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <1300-1999>  IP Standard Access List (Expanded range)
  <200-299>    Protocol type-code access list
  <2000-2699>  IP extended access list (expanded range)
  <300-399>    DECnet access list
  <600-699>    AppleTalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
Standard Access Control Lists (2 of 3) Standard ACLs (Cont)
• Command structure
  access-list access-list-number {deny | permit} source [source-wildcard]
  Where:
  • access-list-number is the number of the access list
  • deny drops all packets matching the specified source address
  • permit allows all packets matching the specified source address through
  • source specifies the IP address of a host
  • source-wildcard specifies a group of hosts or a subnet
Standard Access Control Lists (3 of 3) Standard ACLs (Cont) • Standard ACLs support the following keywords • any – specifies any host • host – specifies an exact host • log – enables the logging of packets
Extended Access Control Lists (1 of 7) Extended Access Lists are much more flexible and should be used to provide a much clearer definition of what packets should be allowed or denied. They allow you to choose from: • IP source or destination addresses • Protocols • Source and destination port numbers • Some protocol-dependent functions
Extended Access Control Lists (2 of 7) Extended IP ACLs
• Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <1300-1999>  IP Standard Access List (Expanded range)
  <200-299>    Protocol type-code access list
  <2000-2699>  IP extended access list (expanded range)
  <300-399>    DECnet access list
  <600-699>    AppleTalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list
Extended Access Control Lists (3 of 7) Extended ACLs (Cont)
• Command structure
  access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source [source-wildcard] | any | host} operator {source-port} {destination destination-wildcard | any | host} operator {destination-port} [established] [log | log-input]
Extended Access Control Lists (4 of 7) Where:
• access-list-number is the number of the access list
• deny denies access if the conditions are matched
• permit permits access if the conditions are matched
• protocol-number specifies a protocol number
• protocol-keyword specifies an IP protocol such as:
  • eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, udp
• source represents the number of the network or host from which the packet is being sent
• source-wildcard represents the wildcard bits to be applied to the source address
Extended Access Control Lists (5 of 7) Where: (Cont) • source-port specifies the port from which the packet originated • destination represents the number of the network or host to which the packet is being sent • destination-wildcard represents the wildcard bits to be applied to the destination • destination-port specifies the port to which the packet is being sent
Extended Access Control Lists (6 of 7) Where: (Cont)
• operator is a logical operator that compares source or destination ports
  • if positioned after the source it must match the source port
  • if positioned after the destination and destination-wildcard it must match the destination port
  • possible operands include:
    • lt – less than
    • gt – greater than
    • eq – equal
    • neq – not equal
    • range – inclusive between two provided port numbers
Extended Access Control Lists (7 of 7) Where: (Cont)
• established is used only for the TCP protocol to indicate an established connection
  • A match occurs if the ACK, FIN, PSH, RST, or URG bits are set (i.e. a connection is established)
  • A match doesn’t occur if the SYN bit is set (i.e. a connection is being initiated)
• log causes a logging entry to be sent to the console
• log-input includes the input interface and source MAC or VC in the logging output
• any specifies any host
• host specifies an exact host match
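As an added example (not the deck’s material and not Cisco code), the following Python model evaluates a packet against standard- and extended-style entries the way the two preceding sections describe: wildcard masks for source and destination, the lt/gt/eq/neq/range port operators, the established keyword, top-down first-match ordering and the implicit deny at the end of every list. The Ace/Packet structures, the INBOUND list and its addresses are constructed for illustration.

```python
# Added example (not Cisco code): a model of Cisco-style ACL evaluation.
import ipaddress
from collections import namedtuple

ANY = ("0.0.0.0", "255.255.255.255")            # the "any" keyword
def host(ip): return (ip, "0.0.0.0")            # the "host" keyword

# An ACE: src/dst are (base, wildcard); sport/dport e.g. ("eq", 80) or ().
Ace = namedtuple("Ace", "action proto src dst sport dport established",
                 defaults=("ip", ANY, ANY, (), (), False))
Packet = namedtuple("Packet", "src dst proto sport dport flags",
                    defaults=("ip", 0, 0, frozenset()))   # flags: TCP flag names

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are 'don't care' (the inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def port_match(port, op=None, *args):
    """Operators from the deck: lt, gt, eq, neq, range (inclusive)."""
    if op is None:
        return True                             # no operator: any port
    if op == "range":
        return args[0] <= port <= args[1]
    return {"lt": port < args[0], "gt": port > args[0],
            "eq": port == args[0], "neq": port != args[0]}[op]

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
        return False
    if not (port_match(pkt.sport, *ace.sport) and port_match(pkt.dport, *ace.dport)):
        return False
    # "established": only packets of an existing connection (ACK or RST set)
    # match; a bare SYN, which opens a new inbound connection, does not.
    return not ace.established or bool(pkt.flags & {"ACK", "RST"})

def evaluate(acl, pkt):
    """ACEs are tested top-down; the first match decides. No match: deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed inbound ACL for an internet-facing interface: web server 192.0.2.10
# on tcp/80, replies to sessions opened from inside 192.0.2.0/24, then deny all.
INBOUND = [Ace("permit", "tcp", ANY, host("192.0.2.10"), (), ("eq", 80)),
           Ace("permit", "tcp", ANY, ("192.0.2.0", "0.0.0.255"), (), (), True),
           Ace("deny")]
```

Note that ordering matters: had the final deny been placed first, nothing below it would ever be reached.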
Named Access Control Lists (1 of 3) Named ACLs • Introduced by Cisco in IOS 11.2 to allow users to identify the access list more easily • Can be used for both standard and extended ACLs • The command syntax is slightly different; however, all other keywords such as any, host and log work in the same way.
Named Access Control Lists (2 of 3)
Standard ACL Command Syntax
  access-list access-list-number {deny | permit} source [source-wildcard]
Standard Named ACL Command Syntax
  ip access-list standard access-list-name {deny | permit} source [source-wildcard]
Named Access Control Lists (3 of 3)
Extended ACL Command Syntax
  access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {source [source-wildcard] | any | host} operator {source-port} {destination destination-wildcard | any | host} operator {destination-port} [established] [log | log-input]
Extended Named ACL Command Syntax
  ip access-list extended access-list-name {deny | permit} {protocol-number | protocol-keyword} {source [source-wildcard] | any | host} operator {source-port} {destination destination-wildcard | any | host} operator {destination-port} [established] [log | log-input]
Enhanced Access Control Lists (1 of 6) Enhanced ACLs were designed to secure routers and networks better. Selection of an Enhanced ACL is dependent on the security need. • The current Enhanced ACL set includes: • Dynamic access lists • Time-based access lists • Reflexive access lists
Enhanced Access Control Lists (2 of 6) Dynamic Access Lists • These are also referred to as “lock-and-key” • They create a specific, temporary opening (security hole) in response to user authentication • User ID and Password can be entered on the router but it is best to use with a TACACS+ server
Enhanced Access Control Lists (3 of 6) Time-based Access Lists • Like Dynamic ACLs, these also create a temporary opening (security hole) based on a configured time period • For example the Time-based ACL can be configured to allow incoming users to have web access from 8:00 AM to 6:00 PM from Monday to Friday.
Enhanced Access Control Lists (4 of 6) Reflexive Access Lists • These are automatically populated, temporary, session-based filters • Basically, if a router permits a session to be initiated from within an internal network to an external host, the reflexive access list permits the return session traffic • This is similar to the “established” keyword of the Extended ACLs
Enhanced Access Control Lists (5 of 6) Reflexive Access Lists (cont) • When a session is initiated from within a network a reflexive ACL is populated with information taken from the initial packet • The source and destination IP addresses and port numbers are swapped, and the upper layer protocol type (TCP, UDP) is recorded • These are all included as a permit statement for the temporary ACL
Enhanced Access Control Lists (6 of 6) Reflexive Access Lists (cont) • These temporary ACLs remain active until: • there is no longer any traffic for a session and the time-out expires • two FIN-flagged packets are received for the session • the RST flag is set on a TCP packet for that session
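The reflexive ACL lifecycle described on the three slides above, as an added Python example that is not part of the deck and not Cisco code: an outbound session creates a temporary permit entry with addresses and ports swapped, and the entry is removed on an RST, after two FINs, or when the idle timeout expires. The ReflexiveAcl class, Packet structure and timeout value are constructed for illustration.

```python
# Added example (not Cisco code): a model of a reflexive ACL. An outbound
# session creates a temporary permit entry with the addresses and ports
# swapped; the entry is removed on RST, after two FINs, or when idle.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport flags",
                    defaults=(frozenset(),))    # flags: TCP flag names

class ReflexiveAcl:
    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        # key: (proto, src, sport, dst, dport) as the RETURN traffic will look;
        # value: [last_seen, fin_count]
        self.entries = {}

    @staticmethod
    def _return_key(pkt):
        # Swap source and destination so the key matches the reply packets.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def outbound(self, pkt, now):
        """Called for permitted traffic leaving the internal network."""
        key = self._return_key(pkt)
        self.entries.setdefault(key, [now, 0])[0] = now
        self._note_close(key, pkt)              # our own FIN/RST counts too

    def inbound(self, pkt, now):
        """Returns 'permit' if pkt belongs to a tracked session, else 'deny'."""
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.entries.get(key)
        if entry is None:
            return "deny"                       # unsolicited: not a reply
        entry[0] = now
        self._note_close(key, pkt)
        return "permit"

    def _note_close(self, key, pkt):
        entry = self.entries.get(key)
        if entry is None:
            return
        if "RST" in pkt.flags:
            del self.entries[key]               # reset ends the session at once
        elif "FIN" in pkt.flags:
            entry[1] += 1
            if entry[1] >= 2:                   # both sides have sent FIN
                del self.entries[key]

    def _expire(self, now):
        self.entries = {k: v for k, v in self.entries.items()
                        if now - v[0] <= self.idle_timeout}
```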
Firewall Enhancements (1 of 17) Today, there are four primary enhancements that can be added to most firewalls, including: • NAT • Proxy services • Content filtering • Anti-virus (malware) software
Firewall Enhancements (2 of 17) NAT • NAT’s primary function is to hide the internal IP Address range from the external “untrusted” networks. • A packet coming from an internal workstation to the internet will arrive at the firewall. • The firewall will strip off the internal workstation address and replace it with its own external IP Address.
Firewall Enhancements (3 of 17) • It keeps track of these outbound packets in a table and waits for the replies from the remote system. • When it receives an inbound packet it does a lookup on its table to see if it has a matching record. • If there is a match it will strip off its external IP address, replace it with the originating host address and forward the packet on. • If there is no matching entry it drops the packet and possibly alerts the administrator.
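The NAT table walk-through above (rewrite the source, record the session, map the reply back or drop it), as an added Python example that is not the deck’s or any vendor’s code; the NatFirewall class, the addresses and the per-session port allocation are assumptions made for illustration.

```python
# Added example (not the deck's or a vendor's code): a model of the NAT table
# described above. Outbound packets leave with the firewall's external address
# and a per-session port; replies are mapped back, anything else is dropped.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

class NatFirewall:
    def __init__(self, external_ip, first_port=1024):
        self.external_ip = external_ip
        self.next_port = first_port            # next unused external port
        # (proto, inside ip, inside port, remote ip, remote port) -> external port
        self.out_table = {}
        # (proto, external port, remote ip, remote port) -> (inside ip, inside port)
        self.in_table = {}
        self.dropped = []                      # unsolicited inbound, for alerting

    def outbound(self, pkt):
        """Rewrite the source to the external address and record the session."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.out_table.get(key)
        if ext_port is None:                   # new session: allocate a port
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.out_table[key] = ext_port
            self.in_table[(pkt.proto, ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return pkt._replace(src=self.external_ip, sport=ext_port)

    def inbound(self, pkt):
        """Map a reply back to the inside host; return None (drop) if unknown."""
        inside = None
        if pkt.dst == self.external_ip:
            inside = self.in_table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            self.dropped.append(pkt)           # no matching record: drop, alert
            return None
        return pkt._replace(dst=inside[0], dport=inside[1])
```

The dropped list is where an administrator alert would hook in; a reply from a different remote host or port than the one recorded never matches, which is the protection the slides describe.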
Firewall Enhancements (4 of 17) • Advantages of NAT: • Allows organizations to use Private IP address ranges internally on their network. • Hides the internal address range from external view. • Internet access can be provided to the entire protected user base without the need to change IP Addresses.
Firewall Enhancements (5 of 17) • Disadvantages of NAT: • NAT is very CPU processing power intensive, which can interfere with multimedia applications that are also CPU processing intensive. • The Layer 3 header and IP Address change as the packet passes through the NAT system; this can cause some problems with VPNs and with some applications which require packets to come directly from a host.
Firewall Enhancements (6 of 17) Proxy Services • Proxy services provide multiple functions. • Hides the internal addresses from the external (Internet) network. • Perform information caching. • Perform website filtering/blocking.
Firewall Enhancements (7 of 17) • Protecting the internal addresses. • The proxy server acts as an intermediate device between the internal host and the remote internet server. • The proxy server actually makes the information request on behalf of the internal host. • When it receives the information it forwards it onto the internal host.
Firewall Enhancements (8 of 17) • Caching information • Because the proxy server makes the requests on behalf of the internal hosts, it can cache this information for use by others. • This actually improves the web surfing performance for all of the internal clients. • The information is cached for a set period of time (e.g. 8 hours). • All internal clients that request the same information, get it from the local proxy server and not the actual web server.
Firewall Enhancements (9 of 17) • Filtering web access. • This can be a benefit and a detractor. • Organizations can use the feature of the proxy server to prevent access to certain websites and/or content. • While this blocking may be appropriate, it can be an administrative nightmare to configure and maintain. • Blocking based on the keyword “jobs” could prevent HR from accessing jobsites looking for potential employees, or from even looking at the daily paper online.
Firewall Enhancements (10 of 17) Content Filters • The content filtering discussed in the book really refers to URL-based content filtering. • URL-based content filtering can be performed in a couple of ways. • Deny access to the URLs in the list. • Allow access to the URLs in the list.
Firewall Enhancements (11 of 17) • There are some problems with URL-based content filtering. • Even large web search engines such as Google and AltaVista have only about half of the actual web URLs in existence. • New URLs are created every day, which means you have to update your filters every day. • Even creating an allow-only list can be quite cumbersome to maintain for a large organization.