
Access Control Configuration and Content Filtering


1 Access Control Configuration and Content Filtering
Chapter 9 Access Control Configuration and Content Filtering

2 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
Understand and configure ACLs.
Understand remote configuration using SSH.
Configure active code filtering (ActiveX and Java applets).
Configure Websense for URL filtering with the PIX Firewall.

3 Access Control Through the PIX Firewall

4 Access Control List
An ACL enables you to determine what traffic will be allowed or denied through the PIX Firewall.
ACLs are applied per interface: traffic is analyzed inbound relative to an interface.
The access-list and access-group commands are used to create an ACL.
The access-list and access-group commands are an alternative to the conduit and outbound commands.

5 ACL Usage Guidelines
Higher to lower security level
Use an ACL to restrict outbound traffic. The PIX Firewall requires a dynamically translated address for the source address.
Lower to higher security level
Use an ACL to restrict inbound traffic. The PIX Firewall requires a statically mapped address for the destination address. The ACL destination address is the “global ip” assigned in the static command.

6 access-list Command
pixfirewall(config)# access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask
Enables you to create an ACL. ACLs associated with IPSec are known as “crypto” ACLs.
pixfirewall(config)# access-list dmz1 deny tcp host lt 1025
ACL “dmz1” denies access from the network to TCP ports less than 1025 on host

7 access-group Command
pixfirewall(config)# access-group acl_name in interface interface_name
Binds an ACL to an interface. The ACL is applied to traffic inbound to an interface.
pixfirewall(config)# access-group dmz1 in interface dmz
ACL “dmz1” is bound to interface “dmz”.

8 Deny Web Access to the Internet
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside)
global (outside) netmask
Denies web traffic on port 80 from the inside network to the Internet.
Permits all other IP traffic from the inside network to the Internet.
(Figure: inside network, PIX Firewall, Internet; WWW traffic to the Internet is blocked, other IP traffic is permitted.)

9 Permit Web Access to the DMZ
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside
ip address inside
ip address dmz
static (dmz,outside)
access-list acl_out_dmz permit tcp any host eq www
access-list acl_out_dmz deny ip any any
access-group acl_out_dmz in interface outside
The ACL acl_out_dmz permits web traffic on port 80 from the Internet to the DMZ Web server.
The ACL acl_out_dmz denies all other IP traffic from the Internet.
(Figure: Internet, PIX Firewall with outside, inside and dmz interfaces, DMZ Web server.)
Instructor notes: Describe the PIX and its e2 interface to a protected DMZ and its servers. Emphasize: The PIX supports multiple interfaces, with the third and other additional interfaces available to create one or more secured DMZ areas. The two major advantages of using multiple perimeter interfaces are that the PIX enhances the extensibility of servers to other platforms and that the PIX is a major element for enforcing the network security policy. Configure the interfaces with the following commands: nameif, interface, ip address. Refer to the SG text for guidelines to present with this figure. Transition: The next section covers the integration of AAA services with the PIX.

10 Partner Web Access to the DMZ Client and to Internal Mail
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
nameif ethernet3 partnernet sec40
static (dmz,partnernet)
static (inside,dmz)
access-list acl_partner permit tcp host eq www
access-group acl_partner in interface partnernet
access-list acl_dmz_in permit tcp host host eq smtp
access-group acl_dmz_in in interface dmz
The ACL acl_partner permits WWW traffic from the partner subnet /28 to the DMZ intranet Web server.
The ACL acl_dmz_in permits host mail access to the Mail server.
(Figure: Partnernet /28, DMZ /24 with WWW server, inside /24 with Mail server and Client.)
(Instructor notes repeat those of slide 9.)

11 VPN Solution: Dual DMZ and VPN Concentrator
pixfirewall(config)# write terminal
...
static (dmz,outside) netmask
static (inside,dmz2) netmask
route dmz
access-list IPSEC permit tcp any host eq 443
access-list IPSEC permit esp any host
access-list IPSEC permit udp any host P.12 eq isakmp
access-group IPSEC in interface outside
access-list WEB permit tcp host eq www
access-group WEB in interface dmz2
(Figure: outside: Internet and VPN Client; dmz (Pub): Server; dmz2 (Priv): Pool; inside /24: Server.)

12 icmp Command
pixfirewall(config)# icmp permit | deny [host] src_addr [src_mask] [type] int_name
Enables or disables pinging to an interface.
pixfirewall(config)# icmp deny any echo-reply outside
pixfirewall(config)# icmp permit any unreachable outside
All ping requests are denied at the outside interface, and all unreachable messages are permitted at the outside interface.
Syntax description:
permit | deny - Permit or deny the ability to ping a PIX Firewall interface.
src_addr - Address that is either permitted or denied the ability to ping an interface. Use host src_addr to specify a single host.
src_mask - Network mask. Specify it if a network address is specified.
type - ICMP message type as described in Table 5-7.
int_name - Interface name that can be pinged.
Notes: The icmp command enables or disables pinging to an interface. With pinging disabled, the PIX Firewall cannot be detected on the network. This feature is also referred to as configurable proxy pinging. To use the icmp command, configure an access-list command statement that permits or denies ICMP traffic that terminates at the PIX Firewall unit. If the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or no entry is matched, the PIX Firewall discards the ICMP packet and generates the %PIX syslog message. An exception is when no ICMP access-list command statement is configured; then permit is assumed. Cisco recommends that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic.
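The access-list, access-group and icmp slides above all rest on the same rule: entries are evaluated in order on traffic arriving inbound at the interface the list is bound to, the first matching entry decides, and a packet that matches no entry is dropped. The model below, written for this chapter and not Cisco's code, parses access-list and access-group lines in the slides' syntax and evaluates packets against them so the first-match and implicit-deny behaviour can be checked. The interface names and ACL names come from the slides; the IP addresses, netmasks and sample packets are constructed for the example, as are the small service-name table and the supported operators (eq, lt, gt).

```python
import ipaddress
from collections import defaultdict

# Constructed service-name table for the names used on the slides (assumption, not the PIX's full table).
SERVICES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "isakmp": 500}
OPERATORS = {"eq": lambda p, v: p == v, "lt": lambda p, v: p < v, "gt": lambda p, v: p > v}


def _port(tok):
    return int(tok) if tok.isdigit() else SERVICES[tok]


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_portspec(tokens, i):
    """Consume an optional 'operator port' pair; return ((op, port) or None, next index)."""
    if i < len(tokens) and tokens[i] in OPERATORS:
        return (tokens[i], _port(tokens[i + 1])), i + 2
    return None, i


def parse_config(text):
    """Return (acls: name -> ordered entries, bindings: interface -> acl name)."""
    acls, bindings = defaultdict(list), {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            # access-list acl_name [deny|permit] protocol src [op port] dst [op port]
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_addr(t, 4)
            sport, i = _parse_portspec(t, i)
            dst, i = _parse_addr(t, i)
            dport, i = _parse_portspec(t, i)
            acls[name].append((action, proto, src, sport, dst, dport))
        elif t[0] == "access-group":
            # access-group acl_name in interface if_name
            bindings[t[4]] = t[1]
    return acls, bindings


def evaluate(acls, bindings, iface, proto, src, dst, sport=None, dport=None):
    """Decide for a packet arriving inbound on iface: 'permit', 'deny', or 'no-acl' if nothing is bound."""
    name = bindings.get(iface)
    if name is None:
        return "no-acl"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, anet_s, aport_s, anet_d, aport_d in acls[name]:
        if aproto != "ip" and aproto != proto:
            continue
        if s not in anet_s or d not in anet_d:
            continue
        if aport_s and (sport is None or not OPERATORS[aport_s[0]](sport, aport_s[1])):
            continue
        if aport_d and (dport is None or not OPERATORS[aport_d[0]](dport, aport_d[1])):
            continue
        return action          # first matching entry wins
    return "deny"              # implicit deny at the end of every ACL


# Constructed configuration: entries follow slides 8 and 11, addresses are made up for the example.
SAMPLE_CONFIG = """
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
access-list IPSEC permit tcp any host 192.0.2.10 eq 443
access-list IPSEC permit esp any host 192.0.2.10
access-list IPSEC permit udp any host 192.0.2.10 eq isakmp
access-group IPSEC in interface outside
"""


def demo():
    acls, bindings = parse_config(SAMPLE_CONFIG)
    ev = lambda *a, **k: evaluate(acls, bindings, *a, **k)
    return {
        "inside_web": ev("inside", "tcp", "10.0.0.5", "198.51.100.7", dport=80),      # deny: first entry
        "inside_https": ev("inside", "tcp", "10.0.0.5", "198.51.100.7", dport=443),   # permit: ip any any
        "outside_isakmp": ev("outside", "udp", "203.0.113.9", "192.0.2.10", dport=500),
        "outside_esp": ev("outside", "esp", "203.0.113.9", "192.0.2.10"),
        "outside_ssh": ev("outside", "tcp", "203.0.113.9", "192.0.2.10", dport=22),   # deny: no match
        "dmz_unbound": ev("dmz", "tcp", "192.0.2.20", "10.0.0.5", dport=25),          # no ACL bound
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because a decision is made at the first match, the order of the two acl_out entries matters: swapping them would permit everything, since permit ip any any would match the web traffic before the deny was reached.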

13 SSH
pixfirewall(config)# ssh ip_address [netmask] [interface_name]
Specifies the host or network authorized to initiate an SSH connection to the PIX Firewall.
pixfirewall(config)# ca generate rsa key 1024
pixfirewall(config)# ssh outside
Host is authorized to initiate an SSH connection to the PIX Firewall.
(Figure: SSH client .50 on a /24 network behind the outside interface connecting to the PIX Firewall; login with Username: pix, password: TelnetPassword.)

14 Malicious Active Code Filtering

15 Java Applet Filtering Java applet filtering enables an administrator to prevent the downloading of Java applets by an inside system. Java programs can provide a vehicle through which an inside system can be invaded. Java applets are executable programs that are banned within some security policies.

16 filter java Command
pixfirewall(config)# filter java port[-port] local_ip mask foreign_ip mask
The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. Some Java applets can contain malicious code that can manipulate data on the internal network.

17 ActiveX Blocking ActiveX controls are applets that can be inserted in web pages or other applications. ActiveX controls can provide a way for someone to attack servers. The PIX Firewall can be used to block ActiveX controls.

18 filter activex Command
pixfirewall(config)# filter activex port local_ip mask foreign_ip mask
Filters out ActiveX usage from outbound packets.

19 ActiveX filter Command
pixfirewall(config)# filter activex
Specifies that the ActiveX blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.
(Figure: Internet, PIX Firewall, DMZ with TACACS+ and RADIUS servers, Engineering, Marketing and Executive networks.)
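Slides 16 to 19 give the filter java and filter activex syntax but not how the PIX decides that a response carries an applet or a control, nor how the port and address arguments scope the rule. The model below is an added example written for this chapter, not the PIX code. It assumes, for illustration only, two recognition signals: a Java class file is identified by the 0xCAFEBABE magic number, and ActiveX content by HTML object/applet tags, which the filter comments out; it also assumes the PIX convention that an address pair of 0 0 means any host. The rule lines, addresses and response bodies are constructed.

```python
import ipaddress
import re

# Assumed recognition signals (illustration, not the PIX's own matching).
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ACTIVE_TAG_RE = re.compile(rb"<\s*/?\s*(?:object|applet)\b[^>]*>", re.IGNORECASE)


def _net(addr, mask):
    """PIX-style address/mask pair; '0 0' stands for any host (assumption)."""
    if addr in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


class ActiveCodeFilter:
    """Holds filter java / filter activex rules and applies them to HTTP response bodies."""

    def __init__(self):
        self.rules = []  # (kind, port range, local network, foreign network)

    def add(self, line):
        # filter java port[-port] local_ip mask foreign_ip mask
        # filter activex port local_ip mask foreign_ip mask
        _, kind, ports, l_ip, l_mask, f_ip, f_mask = line.split()
        lo, _, hi = ports.partition("-")
        self.rules.append((kind, range(int(lo), int(hi or lo) + 1),
                           _net(l_ip, l_mask), _net(f_ip, f_mask)))

    def apply(self, local_ip, foreign_ip, port, body):
        """Return (possibly rewritten body, actions taken) for one response on an outbound connection."""
        local, foreign = ipaddress.ip_address(local_ip), ipaddress.ip_address(foreign_ip)
        actions = []
        for kind, ports, l_net, f_net in self.rules:
            if port not in ports or local not in l_net or foreign not in f_net:
                continue  # connection is outside this rule's scope
            if kind == "java" and JAVA_CLASS_MAGIC in body:
                body = b""                      # applet payload is dropped
                actions.append("java-blocked")
            elif kind == "activex":
                body, n = ACTIVE_TAG_RE.subn(lambda m: b"<!--" + m.group(0) + b"-->", body)
                if n:
                    actions.append(f"activex-tags-commented:{n}")
        return body, actions


def demo():
    f = ActiveCodeFilter()
    f.add("filter java 80 10.0.0.0 255.255.255.0 0 0")   # constructed: inside /24 to any foreign host
    f.add("filter activex 80 0 0 0 0")                   # any local host, any foreign host
    applet = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x31"       # constructed class-file header
    page = b"<html><OBJECT classid='clsid:CONSTRUCTED'>x</OBJECT><p>text</p></html>"
    return {
        "applet_in_scope": f.apply("10.0.0.5", "198.51.100.7", 80, applet),
        "applet_other_net": f.apply("10.0.1.5", "198.51.100.7", 80, applet),  # not covered by the java rule
        "page_with_object": f.apply("10.0.0.5", "198.51.100.7", 80, page),
        "page_other_port": f.apply("10.0.0.5", "198.51.100.7", 8080, page),   # port not covered
    }


if __name__ == "__main__":
    for k, (body, actions) in demo().items():
        print(f"{k}: {actions} {body!r}")
```

The scoping check is the part worth noting: a rule for one local subnet does nothing for the rest of the inside network, and a rule for port 80 does nothing for web servers on other ports, so the slide-19 form (any local host, any foreign host) is the one that actually covers all outbound web traffic on port 80.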

20 URL Filtering with Websense

21 Websense Websense is used for any organization that needs to provide Internet access, but is concerned with access to unauthorized sites. Websense enables you to control or monitor Internet activity. With Websense, organizations can guard against user downtime caused by employees surfing sites that are not work-related and misusing network resources. Websense works on Windows NT, Windows 2000, and Solaris.

22 URL Filtering
pixfirewall(config)# url-server (dmz) host timeout 10 protocol TCP version 4
pixfirewall(config)# filter url http allow
(Figure: a user wants to go to a prohibited web site; the PIX Firewall checks with the local Websense server, which answers Deny access; the local Websense server nightly downloads the latest list from Websense enterprise over the Internet.)

23 Designate the Websense Server
pixfirewall(config)# url-server [(if_name)] host ip_address [timeout seconds] [protocol [TCP | UDP] version [1 | 4]]
The url-server command designates a server that runs Websense.
pixfirewall(config)# url-server (dmz) host protocol TCP version 4
The Websense host is on the dmz interface at IP address . The PIX Firewall performs a username lookup and then the Websense server handles URL filtering and username logging.
With the version 4 option, the PIX performs a username lookup, and then the Websense server handles URL filtering and username logging. With the version 1 option, everything works the same as in previous PIX Firewall versions.
Username logging tracks username, group, and domain name on the Websense server. Username lookup enables the PIX Firewall to use the user authentication table to map the host's IP address to the username.

24 Configure the PIX Firewall to Work with Websense
pixfirewall(config)# filter url http [local_ip local_mask foreign_ip foreign_mask] [allow]
Prevents outbound users from accessing WWW URLs that are designated with the Websense filtering application.
pixfirewall(config)# filter url http allow
Use the filter url command to tell the PIX Firewall how to filter requests.
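Slides 22 to 24 describe the division of labour: the PIX matches an outbound web request against the filter url scope, maps the source host to a username through its user authentication table (version 4), asks the designated url-server for a verdict, and enforces it. The slides do not say what the allow keyword does; on the PIX it lets outbound web connections through when the URL server is unavailable, and without it such connections are stopped until the server answers again. The model below is an added example written for this chapter, not Cisco's or Websense's code: the Websense server is a constructed stand-in (a blocked-site set and a log, not the real protocol), the uauth table, addresses and URLs are constructed, and the 0 0 any-host convention is assumed.

```python
import ipaddress


class UrlServerDown(Exception):
    """Raised by the stub when the url-server does not answer within its timeout."""


class WebsenseStub:
    """Constructed stand-in for the url-server: a blocked-site set plus a username log."""

    def __init__(self, blocked_sites, available=True):
        self.blocked = set(blocked_sites)
        self.available = available
        self.log = []  # (username, url, verdict): models username logging on the server

    def lookup(self, url, username):
        if not self.available:
            raise UrlServerDown
        host = url.split("/")[2] if "://" in url else url.split("/")[0]
        verdict = "block" if host in self.blocked else "permit"
        self.log.append((username, url, verdict))
        return verdict


def _net(addr, mask):
    """PIX-style address/mask pair; '0 0' stands for any host (assumption)."""
    if addr in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


class PixUrlFilter:
    """Models filter url http [...] [allow] in front of a designated url-server."""

    def __init__(self, server, version=4, uauth=None):
        self.server = server
        self.version = version          # url-server ... version 1 | 4
        self.uauth = dict(uauth or {})  # user authentication table: host IP -> username
        self.rules = []                 # (local network, foreign network, allow)

    def add_filter(self, line):
        # filter url http [local_ip local_mask foreign_ip foreign_mask] [allow]
        t = line.split()
        allow = t[-1] == "allow"
        args = t[3:-1] if allow else t[3:]
        local = _net(*args[0:2]) if args else _net("0", "0")
        foreign = _net(*args[2:4]) if args else _net("0", "0")
        self.rules.append((local, foreign, allow))

    def decide(self, src_ip, dst_ip, url):
        """Return 'permit' or 'deny' for one outbound HTTP request."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for local, foreign, allow in self.rules:
            if s in local and d in foreign:
                # version 4: username lookup through the uauth table before asking the server
                username = self.uauth.get(src_ip) if self.version == 4 else None
                try:
                    verdict = self.server.lookup(url, username)
                except UrlServerDown:
                    return "permit" if allow else "deny"   # allow = pass unfiltered while server is down
                return "deny" if verdict == "block" else "permit"
        return "permit"  # outside every filter url scope: not sent to the url-server at all


def demo():
    server = WebsenseStub(blocked_sites={"prohibited.example"})
    pix = PixUrlFilter(server, version=4, uauth={"10.0.0.5": "alice"})
    pix.add_filter("filter url http allow")
    results = {
        "blocked_site": pix.decide("10.0.0.5", "198.51.100.7", "http://prohibited.example/page"),
        "allowed_site": pix.decide("10.0.0.5", "198.51.100.8", "http://www.example.org/"),
        "logged_user": server.log[0][0],
    }
    server.available = False  # the url-server stops answering
    results["server_down_allow"] = pix.decide("10.0.0.5", "198.51.100.8", "http://www.example.org/")
    strict = PixUrlFilter(server, version=4, uauth={"10.0.0.5": "alice"})
    strict.add_filter("filter url http 0 0 0 0")  # same scope, no allow keyword
    results["server_down_strict"] = strict.decide("10.0.0.5", "198.51.100.8", "http://www.example.org/")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two server-down results show the trade-off the allow keyword encodes: with it, an outage of the Websense server means unfiltered web access; without it, the same outage means no outbound web access until the server is back, which is what the timeout on the url-server command bounds.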

25 Getting Started with Websense
Install Websense Enterprise.
Add the Websense server to Websense Manager.
Connect the Websense server to Websense Manager.
Enter the registration key.
Download the Master Database.
Edit the global policy to define your filtering strategies.
Add clients as needed.
Create additional policies as needed.
Assign policies to any clients you have added.

26 Websense Manager

27 Configure the Server

28 Server Configuration Tabs
Six tabs are used to configure the Websense server:
Download
Logging
Block Messages
Directory Services
Misc

29 Configure Policies

30 Edit Policies

31 Add Clients

32 Assign Policies

33 Configure Custom URLs

34 Summary This section covers additional PIX information.

35 Summary
ACLs enable you to determine which systems can establish connections through your PIX Firewall.
With ICMP ACLs, you can disable pinging to a PIX Firewall interface so that your PIX Firewall cannot be detected on your network.
The PIX Firewall can be configured remotely using SSH.
The PIX Firewall can be configured to filter malicious active code.
The PIX Firewall can work with Websense software to control and monitor Internet activity.
Instructor notes: Use this slide to summarize the chapter. Note that MTBF stands for mean time between failure. PIX is very reliable.

36 Configure ACLs in the PIX Firewall
Lab: Configure ACLs in the PIX Firewall

37 Lab Visual Objective
(Figure: Internet; Pod perimeter router .1 and .2 on P.0/24; PIX Firewall e0 outside .2, e2 dmz .1, e1 inside .1; Bastion host: web and FTP server; Backbone server: web, FTP, and TFTP server; Inside host .3 on 10.0.P.0/24: web, Websense and FTP server.)
Instructor notes: Explain that the bastion host is connected to the “dirty” DMZ with an IP address of P.3 through lab 6, and is connected to the PIX DMZ interface with an IP address of (P+10).3 for lab 7 and later labs.
