© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—7-1 Lesson 7 Access Control Lists and Content Filtering.



Slide 2: Objectives

Slide 3: Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Configure and explain the function of ACLs.
- Configure and explain the function of Turbo ACLs.
- Configure and explain the function of NAT 0 ACLs.
- Configure active code filtering (ActiveX and Java applets).
- Configure the PIX Firewall for URL filtering.
- Configure the PIX Firewall for long URL filtering.

Slide 4: ACLs

Slide 5: Security Levels Revisited

Security levels tag a PIX Firewall interface with a number, 0 being the least secure and 100 being the most secure. Security levels enable the PIX Firewall to identify whether a requested session is inbound or outbound:
- An inbound session is a session from a less secure to a more secure interface.
- An outbound session is a session from a more secure to a less secure interface.

[Figure: outside interface at security level 0 facing the Internet, inside interface at security level 100; sessions from the more secure side to the less secure side are outbound, the reverse are inbound.]

Slide 6: PIX Firewall ACL Configuration

[Figure: inside and outside interfaces, with an ACL for inbound access on the outside interface and an ACL for outbound access on the inside interface; with no ACL, outbound is permitted and inbound denied by default.]

- The PIX Firewall configuration philosophy is interface based.
- An interface ACL permits or denies the initial packet arriving on that interface.
- The ACL needs to describe only the initial packet of the application; there is no need to account for return traffic.
- If no ACL is attached to an interface, the following Adaptive Security Algorithm (ASA) policy applies:
  - Outbound packets are permitted by default.
  - Inbound packets are denied by default.

Slide 7: ACL Usage Guidelines

Higher to lower security level:
- Use an ACL to restrict outbound traffic.
- The ACL source address is the actual (untranslated) address of the host or network.

Lower to higher security level:
- Use an ACL to enable inbound traffic.
- Use an ACL to restrict inbound protocols.
- The ACL destination address is the translated global IP address.

Slide 8: Inbound HTTP Traffic to DMZ Web Server

[Figure: public web server on the DMZ; inside network 10.0.0.0, outside network 192.168.0.0 toward the Internet; inbound traffic shown as blocked.]

By default, inbound access is denied because no ACL is configured. To permit inbound traffic, complete the following steps:
1. Configure a static translation for the WWW server address.
2. Configure an inbound access control list.
3. Apply the access control list to the outside interface.

Slide 9: Create a Static Translation for Web Server

Map an inside private address to an outside public address (the DMZ server 172.16.0.2 is reachable from the outside as 192.168.0.9):

    pixfirewall(config)# static (DMZ,outside) 192.168.0.9 172.16.0.2 0 0

Slide 10: access-list Command

Permit outside HTTP access to the public web server (inbound HTTP to its global address 192.168.0.9):

    pixfirewall(config)# access-list aclout permit tcp any host 192.168.0.9 eq www

Syntax:

    pixfirewall(config)# access-list acl_ID line line-num {deny | permit} protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

Slide 11: access-list Command (numeric port form)

The same rule with the port given numerically instead of by name:

    pixfirewall(config)# access-list aclout permit tcp any host 192.168.0.9 eq 80

Slide 12: access-group Command

Apply the ACL to the outside interface:

    pixfirewall(config)# access-group aclout in interface outside

Syntax (apply an access control list to an interface):

    pixfirewall(config)# access-group acl_ID in interface interface_name

Slide 13: show access-list Command

    chicago(config)# show access-list
    access-list ACLOUT; 4 elements
    access-list ACLOUT line 1 permit tcp 192.168.1.0 255.255.255.0 host 192.168.6.11 eq www (hitcnt=4)
    access-list ACLOUT line 2 permit tcp host 192.168.1.10 host 192.168.6.11 eq ftp (hitcnt=1)
    access-list ACLOUT line 3 permit tcp any host 192.168.6.10 eq www (hitcnt=4)
    access-list ACLOUT line 4 deny ip any any (hitcnt=0)
    access-list ICMPDMZ; 1 elements
    access-list ICMPDMZ line 1 permit icmp host bastionhost any echo-reply (hitcnt=12)
    access-list ACLIN; 1 elements
    access-list ACLIN line 1 deny tcp any any eq www (hitcnt=0)

[Figure: firewall with ACLOUT, ACLIN and ICMPDMZ applied; host 192.168.1.10 and network 192.168.6.0 shown, Internet beyond.]
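The following is an added example and not part of the Cisco course material: a small Python evaluator for the access-list syntax used on these slides, showing first-match processing, the implicit deny at the end of every ACL, and per-line hit counts like those in the show access-list output. The PORTS table and the sample flows are constructed for the example; only any/host/address-mask endpoints and the destination eq operator are modelled.

```python
# Added example, not part of the Cisco course: a minimal evaluator for the
# access-list syntax on these slides (first match wins, implicit deny at the
# end, per-line hit counts). Endpoints: any / host A / A MASK; only the
# destination `eq PORT` operator is modelled; remarks skipped, `line N` kept in text order.
import ipaddress

PORTS = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25}

def _addr(t):  # consume one endpoint spec from the token list
    tok = t.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(t.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{t.pop(0)}", strict=False)

def _port(t):  # optional `eq PORT` after an endpoint; None matches any port
    if t and t[0] == "eq":
        return PORTS[t[1]] if t[1] in PORTS else int(t[1])

def parse_acl(text):
    """Return {acl_name: [rule, ...]} in configuration order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or "remark" in t:
            continue
        name, t = t[1], t[4:] if t[2] == "line" else t[2:]
        rule = {"action": t.pop(0), "proto": t.pop(0), "hitcnt": 0}
        rule["src"], rule["dst"], rule["dport"] = _addr(t), _addr(t), _port(t)
        acls.setdefault(name, []).append(rule)
    return acls

def evaluate(rules, proto, src, dst, dport):
    """First matching line decides; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]
                and r["dport"] in (None, dport)):
            r["hitcnt"] += 1
            return r["action"]
    return "deny"

# Constructed from the ACLOUT lines in the slide-13 `show access-list` output.
SAMPLE = """access-list ACLOUT permit tcp 192.168.1.0 255.255.255.0 host 192.168.6.11 eq www
access-list ACLOUT permit tcp host 192.168.1.10 host 192.168.6.11 eq ftp
access-list ACLOUT permit tcp any host 192.168.6.10 eq www
access-list ACLOUT deny ip any any"""

def simulate():  # constructed flows (proto, src, dst, dport) through ACLOUT
    rules = parse_acl(SAMPLE)["ACLOUT"]
    flows = [("tcp", "192.168.1.77", "192.168.6.11", 80),
             ("tcp", "192.168.1.10", "192.168.6.11", 21),
             ("udp", "10.9.9.9", "192.168.6.10", 53)]
    return [evaluate(rules, *f) for f in flows], [r["hitcnt"] for r in rules]
```

simulate() returns the verdict for each flow and the hit count per ACLOUT line; the UDP flow falls through every tcp entry to the explicit deny ip any any, and an empty ACL denies everything because of the implicit deny.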

Slide 14: ACL Line Number

Insert an ACE into an existing ACL at a given line:

    pixfirewall(config)# access-list aclout line 4 permit tcp any host 192.168.0.9 eq www

Syntax:

    access-list acl_ID line line-num deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask operator port [port]

Resulting show access-list output:

    pixfirewall(config)# show access-list
    access-list aclout line 2 permit tcp any host 192.168.0.7 eq www (hitcnt=0)
    access-list aclout line 3 permit tcp any host 192.168.0.8 eq www (hitcnt=0)
    access-list aclout line 4 permit tcp any host 192.168.0.10 eq www (hitcnt=0)
    access-list aclout line 5 permit tcp any host 192.168.0.11 eq www (hitcnt=0)

Slide 15: ACL Comments

Add a remark to an ACL:

    pixfirewall(config)# access-list outside line 1 remark web server http access-list

Syntax:

    pixfirewall(config)# access-list id [line line-num] remark text

Remarks are displayed together with the entries:

    pixfirewall(config)# show access-list
    access-list aclout line 1 remark web server 1 http access-list
    access-list aclout line 2 permit tcp any host 192.168.0.8 eq www (hitcnt=0)
    access-list aclout line 3 remark web server 2 http access-list
    access-list aclout line 4 permit tcp any host 192.168.0.11 eq www (hitcnt=0)

Slide 16: ACL Logging

Log option enabled for inbound ICMP to 192.168.1.1:

    pixfirewall(config)# access-list outside-acl permit icmp any host 192.168.1.1 log 7 interval 600

Syntax:

    pixfirewall(config)# access-list acl_ID line line-num {deny | permit} protocol source_addr source_mask [operator port [port]] destination_addr destination_mask operator port [port] [log [[disable | default] | [level]] [interval secs]]

[Figure: ACL syslog messages sent from the PIX Firewall to a syslog server.]

Slide 17: Inbound HTTP Access Solution

Permit outside HTTP access to the public web server:

    pixfirewall(config)# static (DMZ,outside) 192.168.0.9 172.16.0.2 0 0
    pixfirewall(config)# access-list aclout permit tcp any host 192.168.0.9 eq www
    pixfirewall(config)# access-group aclout in interface outside

[Figure: public WWW server 172.16.0.2 on the DMZ, reachable inbound from the Internet as 192.168.0.9; inside network 10.0.0.0, outside network 192.168.0.0.]

Slide 18: Inbound HTTPS Access Solution

Permit outside HTTPS access to the e-banking web server:

    pixfirewall(config)# static (DMZ,outside) 192.168.0.10 172.30.4.2 0 0
    pixfirewall(config)# access-list aclout permit tcp any host 192.168.0.10 eq https
    pixfirewall(config)# access-group aclout in interface outside

[Figure: e-banking web server 172.30.4.2 on the DMZ, reachable inbound from the Internet as 192.168.0.10; inside network 10.0.0.0, outside network 192.168.0.0.]

Slide 19: NAT 0 Access Control List

The nat 0 access-list statement turns on identity NAT only for connections that match a permit statement of a specified access control list, such as branch office to corporate office.

[Figure: branch office network 10.200.0.0/24 connected over a VPN across the Internet to the corporate office network 10.0.0.0/24.]

Slide 20: nat 0 access-list Command

Syntax:

    pixfirewall(config)# nat [(if_name)] 0 access-list acl_name [outside]

Exempt traffic that is matched by an access-list command statement from NAT:

    pixfirewall(config)# access-list VPN-NO-NAT permit ip 10.0.0.0 255.255.255.0 10.200.0.0 255.255.255.0
    pixfirewall(config)# nat (inside) 0 access-list VPN-NO-NAT

[Figure: 10.0.0.0/24 behind the PIX Firewall, VPN across the Internet to 10.200.0.0/24.]

Slide 21: Home Office—NAT 0 Access Control List Scenario

    SOHO(config)# access-list VPN-NO-NAT permit ip 10.100.1.0 255.255.255.0 10.10.0.0 255.255.255.0
    SOHO(config)# nat (inside) 0 access-list VPN-NO-NAT
    SOHO(config)# nat (inside) 1 10.100.1.0 255.255.255.0
    SOHO(config)# global (outside) 1 interface

[Figure: small office/home office network 10.100.1.0/24; traffic to 10.10.0.0/24 crosses the VPN with NAT 0, while web traffic to the Internet is translated.]
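As an added example (not the course's code), the Python below models how the SOHO configuration on this slide chooses a source translation: the nat 0 access-list exemption is consulted before the ordinary nat 1 / global 1 pair, so VPN-bound traffic keeps its real address while Internet-bound traffic is translated to the outside interface address. The outside interface address and the sample flows are constructed; the slide does not give them.

```python
# Added example, not the course's code: translation decision for the
# SOHO(config) commands on this slide. NAT exemption (nat 0 access-list)
# takes precedence over the dynamic nat 1 -> global 1 translation.
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

# Constructed from the slide's commands: (local network, remote network) permit ACEs.
VPN_NO_NAT = [(net("10.100.1.0/24"), net("10.10.0.0/24"))]  # access-list VPN-NO-NAT
NAT_EXEMPT_ACL = VPN_NO_NAT                                   # nat (inside) 0 access-list VPN-NO-NAT
NAT_1_LOCAL = [net("10.100.1.0/24")]                          # nat (inside) 1 10.100.1.0 255.255.255.0
GLOBAL_1 = "interface"                                        # global (outside) 1 interface
OUTSIDE_IF_ADDR = "203.0.113.7"  # constructed placeholder; not given on the slide

def translate_source(src, dst):
    """Return (source address as seen on the outside, rule that applied)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption: a matching permit ACE of the nat 0 ACL means identity NAT.
    for local, remote in NAT_EXEMPT_ACL:
        if s in local and d in remote:
            return src, "nat (inside) 0 access-list VPN-NO-NAT (identity)"
    # 2. Dynamic translation: nat 1 local networks -> global 1 (interface = PAT).
    if any(s in n for n in NAT_1_LOCAL):
        translated = OUTSIDE_IF_ADDR if GLOBAL_1 == "interface" else GLOBAL_1
        return translated, "nat (inside) 1 -> global (outside) 1 interface (PAT)"
    # 3. No nat statement covers this source, so no translation is available.
    return None, "no translation"

def demo():
    """Three constructed flows: VPN peer, Internet web server, unlisted source."""
    return [translate_source("10.100.1.25", "10.10.0.8"),
            translate_source("10.100.1.25", "198.51.100.20"),
            translate_source("10.100.2.25", "198.51.100.20")]
```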

Slide 22: Turbo ACLs

Regular ACL processing:
- ACLs are organized internally as linked lists (ACL A: entry 1, entry 2, entry 3, ... entry N).
- A linear search is needed to find the matching entry that denies or permits the packet.
- Search time increases when ACL A contains a large number of elements, which leads to performance degradation.

Turbo ACL processing:
- ACLs are compiled into sets of lookup data tables (packet header values are indexed into ACL entry bit maps).
- Improved search time for large ACLs.
- Requires a minimum of 2.1 MB of memory.

Slide 23: Configuring Turbo ACLs

Enable the Turbo ACL feature on all ACLs:

    pixfirewall(config)# access-list compiled

Enable the Turbo ACL feature for a specific ACL:

    pixfirewall(config)# access-list acl_ID compiled

Turbo compiles all ACLs with 19 or more entries.

Slide 24: Using ACLs

Slide 25: Deny Web Access to the Internet

Denies web traffic on port 80 from the inside network (10.0.0.0) to the Internet and permits all other IP traffic from the inside network to the Internet:

    pixfirewall# write terminal
    ...
    access-list acl_inside deny tcp any any eq www
    access-list acl_inside permit ip any any
    access-group acl_inside in interface inside
    nat (inside) 1 10.0.0.0 255.255.255.0
    global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
    ...

Slide 26: Permit Web Access to the DMZ

    pixfirewall# write terminal
    ...
    static (dmz,outside) 192.168.0.11 172.16.0.2
    access-list acl_outside permit tcp any host 192.168.0.11 eq www
    access-group acl_outside in interface outside
    ...

The ACL acl_outside permits web traffic on port 80 from the Internet to the DMZ web server (172.16.0.2, reachable as 192.168.0.11) and denies all other IP traffic from the Internet.

[Figure: web server on the DMZ 172.16.0.0, inside network 10.0.0.0/24, outside 192.168.0.0 toward the Internet; inbound HTTP only.]

Slide 27: Partner Web Access to DMZ and DMZ Access to Internal Mail

The ACL acl_partner permits web traffic from the partner subnet 172.18.0.0 to the DMZ intranet web server. The ACL acl_dmz_in permits host 172.16.0.4 mail access to 10.0.0.4.

    pixfirewall# write terminal
    ...
    nameif ethernet2 dmz sec50
    nameif ethernet3 partnernet sec40
    static (dmz,partnernet) 172.18.0.17 172.16.0.2
    access-list acl_partner permit tcp 172.18.0.0 255.255.255.0 host 172.18.0.17 eq www
    access-group acl_partner in interface partnernet
    static (inside,dmz) 172.16.0.11 10.0.0.4
    access-list acl_dmz permit tcp host 172.16.0.4 host 172.16.0.11 eq smtp
    access-group acl_dmz in interface dmz
    ...

[Figure: partnernet 172.18.0.0/24 client reaching the DMZ web server 172.16.0.2 as 172.18.0.17 (web only); DMZ host reaching the inside mail server 10.0.0.4 as 172.16.0.11 (SMTP only); inside network 10.0.0.0/24.]

Slide 28: icmp Command

Enables or disables pinging to an interface. Here all ping requests are denied at the outside interface, and all unreachable messages are permitted at the outside interface:

    pixfirewall(config)# icmp deny any echo outside
    pixfirewall(config)# icmp permit any unreachable outside

Syntax:

    pixfirewall(config)# icmp {permit | deny} src_addr src_mask [icmp-type] if_name

[Figure: ICMP echo from the Internet to the outside interface blocked; ICMP unreachable permitted.]

Slide 29: Malicious Active Code Filtering

Slide 30: Java Applet Filtering

Java applet filtering enables an administrator to prevent the downloading of Java applets by an inside system. Java programs can provide a vehicle through which an inside system can be invaded. Java applets are executable programs that are banned within some security policies.

Slide 31: ActiveX Blocking

ActiveX controls are applets that can be inserted in web pages or other applications. ActiveX controls can provide a way for someone to attack servers. The PIX Firewall can be used to block ActiveX controls.

Slide 32: filter activex | java Command

- filter activex filters out ActiveX usage from outbound packets.
- filter java filters out Java applets that return to the PIX Firewall from an outbound connection.

Syntax:

    pixfirewall(config)# filter {activex | java} port [-port] local_ip mask foreign_ip mask

Slide 33: ActiveX filter Command

    pixfirewall(config)# filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Specifies that ActiveX blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.

[Figure: Engineering, Executive and Marketing networks (10.0.11.0, 10.0.12.0, 10.0.14.0) and a DMZ behind the PIX Firewall; ActiveX blocked toward the Internet.]

Slide 34: URL Filtering

Slide 35: HTTP URL Filtering

- Websense and N2H2 are HTTP URL-filtering applications used to block specific URLs.
- URL filtering can be configured on the PIX Firewall:
  - Designate a URL-filtering server.
  - Enable filtering.

[Figure: a client requests access to www.prohibited.com; the PIX Firewall queries the URL-filtering server, which responds with a deny, and the request to the www.prohibited.com web server on the Internet is blocked.]

Slide 36: Designate the URL-Filtering Server

Designates a server that runs a Websense URL-filtering application:

    pixfirewall(config)# url-server [(if_name)] [vendor websense] host local_ip [timeout seconds] [protocol {TCP | UDP} version [1 | 4]]

Designates a server that runs an N2H2 URL-filtering application:

    pixfirewall(config)# url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP}]

Example (N2H2 server at 172.16.0.3 on the DMZ, reached over TCP):

    pixfirewall(config)# url-server (dmz) vendor n2h2 host 172.16.0.3 protocol TCP

Slide 37: Enable HTTP URL Filtering

Prevents outbound users from accessing URLs that are designated with the URL-filtering application. Filter HTTP for all hosts:

    pixfirewall(config)# filter url http 0 0 0 0 allow

Syntax:

    pixfirewall(config)# filter url [http | port[-port]] local_ip local_mask foreign_ip foreign_mask [allow]

Slide 38: HTTPS and FTP Filtering

Prevents outbound users from accessing HTTPS and FTP URLs that are designated with the Websense-based URL-filtering application (HTTPS and FTP filtering is Websense only):

    pixfirewall(config)# filter https 0 0 0 0 allow

Syntax:

    pixfirewall(config)# filter [https | ftp] dest-port local_ip local_mask foreign_ip foreign_mask [allow]

Slide 39: URL Filtering Configuration Example

Designate the URL server (Websense at 172.16.0.3) and enable filtering:

    pixfirewall(config)# url-server (dmz) vendor websense host 172.16.0.3 timeout 10 protocol TCP version 4
    pixfirewall(config)# filter url http 0 0 0 0 allow

[Figure: request to www.prohibited.com checked against the URL-filtering server at 172.16.0.3 and denied.]

Slide 40: Long URL Filtering

    pixfirewall(config)# url-server (inside) vendor websense host 10.0.0.30 timeout 5 protocol TCP version 1
    pixfirewall(config)# filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 longurl-truncate cgi-truncate
    pixfirewall(config)# url-block url-mempool 1500
    pixfirewall(config)# url-block url-size 4

Syntax:

    pixfirewall(config)# url-block url-size long_url_size
    pixfirewall(config)# url-block url-mempool memory_pool_size

- url-block url-size enables you to increase the maximum allowable length of a single URL.
- url-block url-mempool enables you to configure the maximum memory available for buffering long URLs and pending URLs.
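As an added example (not from the course), the Python below shows what the longurl-truncate and cgi-truncate options on this slide cause to be sent to the URL-filtering server. It assumes, as this example's own simplification rather than anything stated on the slide, that the length limit is url-block url-size in KB, that cgi-truncate applies to URLs carrying a query string, and that longurl-truncate then applies to whatever is still longer than the limit; the sample URLs are constructed around the slide's www.prohibited.com host.

```python
# Added example, not from the course: URL handed to the filtering server under
# `filter url ... longurl-truncate cgi-truncate` with `url-block url-size 4`.
# Assumptions (this example's, not the slide's): limit = url-size in KB;
# cgi-truncate strips the CGI parameters; longurl-truncate keeps the host only.
from urllib.parse import urlsplit

URL_SIZE_KB = 4  # url-block url-size 4


def url_for_filter_server(url, url_size_kb=URL_SIZE_KB,
                          longurl_truncate=True, cgi_truncate=True):
    """Return (url_sent_to_filter_server, option_applied)."""
    limit = url_size_kb * 1024
    parts = urlsplit(url)
    sent, applied = url, "none"
    if cgi_truncate and parts.query:
        # keep scheme, host and script path; drop the CGI parameters
        sent, applied = parts._replace(query="", fragment="").geturl(), "cgi-truncate"
    if len(sent) > limit and longurl_truncate:
        # still over the configured length: only the host portion is evaluated
        sent, applied = f"{parts.scheme}://{parts.netloc}/", "longurl-truncate"
    return sent, applied


def demo():
    """Constructed sample URLs: a CGI request, an over-length path, a plain page."""
    cgi = "http://www.prohibited.com/cgi-bin/search.cgi?q=test&page=2"
    long_path = "http://www.prohibited.com/" + "a" * (URL_SIZE_KB * 1024)
    plain = "http://www.prohibited.com/index.html"
    return [url_for_filter_server(u) for u in (cgi, long_path, plain)]
```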

Slide 41: Summary

Slide 42: Summary

- ACLs enable you to determine which systems can establish connections through your PIX Firewall.
- Turbo ACLs improve search time for large ACLs.
- With ICMP ACLs, you can disable pinging to a PIX Firewall interface so that your PIX Firewall cannot be detected on your network.
- The PIX Firewall can be configured to filter malicious active code.
- The PIX Firewall can work with URL-filtering software to control and monitor Internet activity.

Slide 43: Lab Exercise

Slide 44: Lab Visual Objective

[Figure: lab topology for pods 1-5 and pods 6-10. Each pod has a student PC on 10.0.P.0 (or 10.0.Q.0) behind its PIX Firewall, a "bastionhost" web/FTP server on 172.16.P.0 (or 172.16.Q.0), an outside network 192.168.P.0 (or 192.168.Q.0) and a CSACS server; the pods connect through RTS routers to the 172.26.26.0 backbone, which hosts a web/FTP server and the RBB router. Local addresses: 10.0.P.11 and 10.0.Q.11.]

