Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Published byBrian McDowell Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features."— Presentation transcript:

1 © 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features

2 © 2006 Cisco Systems, Inc. All rights reserved. Module 6: Cisco IOS Threat Defense Features Lesson 6.1: Introducing the Cisco IOS Firewall

3 © 2006 Cisco Systems, Inc. All rights reserved. Objectives  Explain the purpose of the Demilitarized Zone (DMZ).  Describe various DMZ topologies and design options.  Describe firewall operations and implementation technologies.  Compare and contrast various firewall implementation options.  Describe the security features available in the Cisco Firewall Feature Set IOS.

4 © 2006 Cisco Systems, Inc. All rights reserved. DMZ  A DMZ is established between security zones.  DMZs are buffer networks that are neither the Inside nor the Outside network.

5 © 2006 Cisco Systems, Inc. All rights reserved. Layered Defense Features  Access control is enforced on traffic entering and exiting the buffer network to all security zones by: Classic routers Dedicated firewalls  DMZs are used to host services: Exposed public services are served on dedicated hosts inside the buffer network. The DMZ may host an application gateway for outbound connectivity.  A DMZ blocks and contains an attacker in the case of a break-in.

6 © 2006 Cisco Systems, Inc. All rights reserved. Multiple DMZs  Multiple DMZs provide better separation and access control: Each service can be hosted in a separate DMZ. Damage is limited and attackers contained if a service is compromised. Three Separate DMZs

7 © 2006 Cisco Systems, Inc. All rights reserved. Modern DMZ Design  Various systems (a stateful packet filter or proxy server) can filter traffic.  Proper configuration of the filtering device is critical.

8 © 2006 Cisco Systems, Inc. All rights reserved. Private VLAN Traffic flows on private VLANs: RED and YELLOW can communicate with BLUE RED and YELLOW cannot communicate with each other Secondary VLANs Primary VLANs

9 © 2006 Cisco Systems, Inc. All rights reserved. Promiscuous Port Secondary VLAN Ports Host 1 (FTP) Host 2 (HTTP) Host 3 (Admin)

10 © 2006 Cisco Systems, Inc. All rights reserved. Firewall Technologies  Firewalls use three technologies: Packet filtering Application layer gateway (ALG) Stateful packet filtering

11 © 2006 Cisco Systems, Inc. All rights reserved. Packet Filtering  Packet filtering limits traffic into a network based on the destination and source addresses, ports, and other flags that you compile in an ACL.

12 © 2006 Cisco Systems, Inc. All rights reserved. Packet Filtering Example Router(config)# access-list 100 permit tcp any 16.1.1.0 0.0.0.255 established Router(config)# access-list 100 deny ip any any log Router(config)# interface Serial0/0 Router(config-if)# ip access-group 100 in Router(config-if)# end

13 © 2006 Cisco Systems, Inc. All rights reserved. Application Layer Gateway  The ALG intercepts and establishes connections to the Internet hosts on behalf of the client.

14 © 2006 Cisco Systems, Inc. All rights reserved. ALG Firewall Device

15 © 2006 Cisco Systems, Inc. All rights reserved. Stateful Packet Filtering  Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes.  Stateful inspection then remembers certain details, or the state of that request.

16 © 2006 Cisco Systems, Inc. All rights reserved. Stateful Firewalls  Also called “stateful packet filters” and “application- aware packet filters.”  Stateful firewalls have two main improvements over packet filters: They maintain a session table (state table) where they track all connections. They recognize dynamic applications and know which additional connections will be initiated between the endpoints.  Stateful firewalls inspect every packet, compare the packet against the state table, and may examine the packet for any special protocol negotiations.  Stateful firewalls operate mainly at the connection (TCP and UDP) layer.

17 © 2006 Cisco Systems, Inc. All rights reserved. Stateful Packet Filtering Example 1.All incoming packets are compared against defined rules composed from a very limited command set for one or more low-level protocols, such as IP, TCP, and ICMP. Packets are either denied and dropped here, or they are accepted and passed to the network stack for delivery. 3.Dynamic rules are added and removed based on a combination of the data contained within the network packet and the static information. 2.Based on information contained within each packet, each packet is associated with additional static information. 4.If a packet satisfies all of the packet filter rules, then depending on whether it is destined for the firewall or a remote host, the packet either propagates up the network stack for future processing or gets forwarded to the network host. 5.All network packets associated with an authentication session are processed by an application running on the firewall host. Authentication daemons Packet filters Dynamic rules Ordered list of rules Outgoing network packet Application space Kernel space Network stack Accepted new packets Incoming network packet

18 © 2006 Cisco Systems, Inc. All rights reserved. Stateful Firewall Handling of Different Protocols TCP Sessions–Keeping track of a TCP connection is easy (check flow information and check TCP sequence numbers against state table entry). UDP Connections–There are no flags or sequence numbers; hard to robustly track. –Only flow information is checked against; timeouts are used to delete state table entries. Other Connectionless Services (GRE, IPsec) –These are usually handled like a stateless packet filter. Dynamic Applications–These are handled automatically by snooping on application negotiation channels.

19 © 2006 Cisco Systems, Inc. All rights reserved. The Cisco IOS Firewall Feature Set  The Cisco IOS Firewall Feature Set contains these features: Standard and extended ACLs TCP intercept Cisco IOS Firewall Cisco IOS Firewall IPS Authentication proxy Port-to-Application Mapping (PAM) NAT IPsec network security Event logging User authentication and authorization

20 © 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Firewall  Packets are inspected when entering the Cisco IOS firewall if the packets are not specifically denied by an ACL.  Cisco IOS Firewall permits or denies specified TCP and UDP traffic through a firewall.  A state table is maintained with session information.  ACLs are dynamically created or deleted.  Cisco IOS Firewall protects against DoS attacks.

21 © 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Authentication Proxy  HTTP, HTTPS, FTP, and Telnet authentication  Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols

22 © 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS IPS  Acts as an inline intrusion prevention sensor—traffic goes through the sensor  When an attack is detected, the sensor can perform any of these actions: Alarm: Send an alarm to SDM or syslog server. Drop: Drop the packet. Reset: Send TCP resets to terminate the session. Block: Block an attacker IP address or session for a specified time.  Identifies 700+ common attacks

23 © 2006 Cisco Systems, Inc. All rights reserved. Cisco IPS Signature Actions ActionDescription AlarmGenerates an alert that can be logged to the logging destinations or via Security Device Event Exchange (SDEE) DropDrops the packet ResetResets the TCP connection by sending TCP RST packets to both the sender and receiver Block attackerBlocks all communications from the offending IP address for a specified time Block connectionBlocks the offending TCP or UDP session for a specified time

24 © 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS ACLs Revisited  ACLs provide traffic filtering by these criteria: Source and destination IP addresses Source and destination ports  ACLs can be used to implement a filtering firewall leading to these security shortcomings: Ports opened permanently to allow traffic, creating a security vulnerability. The ACLs do not work with applications that negotiate ports dynamically.  Cisco IOS Firewall addresses these shortcomings of ACLs.

25 © 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Firewall TCP Handling

26 © 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Firewall UDP Handling

27 © 2006 Cisco Systems, Inc. All rights reserved. How Cisco IOS Firewall Works

28 © 2006 Cisco Systems, Inc. All rights reserved. Timeout and Threshold Values ValueDescription Timeout values for TCP and UDP sessions Helps prevent DoS attacks by freeing system resources. Timeouts can be set separately for TCP and UDP. Threshold values for TCP sessions Helps prevent DoS attacks by controlling the number of half-opened sessions, limiting the amount of system resources that are applied to half-opened sessions. When a session is dropped, the firewall sends a reset message to the devices at both endpoints (source and destination) of the session. When the system under DoS attack receives a reset command, the system releases, or frees processes and resources that are related to that incomplete session. Thresholds are configured only for TCP.

29 © 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Firewall Supported Protocols  Regardless of the application layer protocol, Cisco IOS Firewall will inspect: All TCP sessions All UDP connections  Enhanced stateful inspection of application layer protocols X Incoming requests from the Internet are blocked. Outgoing requests to the Internet, and responses from the Internet are allowed.

30 © 2006 Cisco Systems, Inc. All rights reserved. Alerts and Audit Trails  Cisco IOS Firewall generates real-time alerts and audit trails.  Audit trail features use syslog to track all network transactions.  With Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per- application protocol basis.

31 © 2006 Cisco Systems, Inc. All rights reserved. Summary  The Cisco IOS Firewall software offers a full set of security features that can be implemented to provide security for a network.  The DMZ is an ideal place to host services to enable inside users to connect to the outside perimeter. The DMZ approach is the most popular and commonly used modern architecture.  Firewalls can be based on packet filtering, application layer gateways or stateful packet filtering.  The Cisco IOS Firewall Feature Set is a security-specific option for Cisco IOS software that is available in select security Cisco IOS images.  The Cisco IOS Firewall Feature Set integrates robust firewall functionality, authentication proxy, and intrusion prevention.

32 © 2006 Cisco Systems, Inc. All rights reserved. Q and A

33 © 2006 Cisco Systems, Inc. All rights reserved. Resources  Cisco IOS Firewall Design Guide http://www.cisco.com/en/US/partner/products/sw/secursw/ps10 18/products_implementation_design_guide09186a00800fd670. html

34 © 2006 Cisco Systems, Inc. All rights reserved.

Download ppt "© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen

1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Implementing Secure Converged Wide Area Networks (ISCW)

Implementing Secure Converged Wide Area Networks (ISCW)
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.

Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.

Similar presentations

Ads by Google