Internet Firewall Technology Tutorial (Cisco)

Slide 1: Internet Firewall Technology Tutorial (session nw98_us_407, deck 0999_03f8_c2)

Slide 2: Agenda
- Motivation: threats and attacks; business need
- Design and test principles: policy, architecture, design
- Implementation: Cisco solutions

Slide 3: Motivation: Security Threats and Common Network Attacks

Slide 4: Security Threats (figure)
- Impersonation: "I'm Bob, send me all corporate correspondence with Cisco"
- Loss of integrity: a bank customer's "deposit $1000" arrives as "deposit $100"
- Denial of service
- Loss of privacy: a Telnet login (username: dan, password: m-y-p-a-s-s-w-o-r-d) read off the wire

Slide 5: Exploit Host Weaknesses (figure; "good bye")

Slide 6: Common Attacks
- Routing attacks
- Wiretapping
- Active content
- ICMP attacks
- Denial of service attacks
- TCP sequence attacks

Slide 7: Sendmail Attacks
- Grabbing the /etc/password file
- Injecting a file or running a script

Slide 8: Password Cracking

Slide 9: Newer Internet Attacks
- Teardrop 1: a fragmentation attack that works by exploiting a reassembly bug with overlapping fragments, and causes the targeted system to crash or hang
- Teardrop 2: the first fragment starts at offset 0 and the second fragment is within the TCP header
- Land: takes a SYN packet whose source address and port are the same as the destination

Slide 10: Other Items
- SNMP v1 strings
- CERT advisories
- X11, RPC, NIS, NFS, NTP, finger
- UDP high ports, TCP high ports

Slide 11: Service Configuration (Cisco IOS)
    no service finger
    no service pad
    no service tcp-small-servers
    no service udp-small-servers
    no ip bootp server
    no ip source-route
    service password-encryption
    enable secret yellowmegaman
    no enable password
    no ip redirect
    no ip directed-broadcast
    no ip proxy-arp

Slide 12: Motivation: Business Need

Slide 13: Traditional Business (figure)

Slide 14: The Need to Be Networked
- A new model of information technology
- Being connected is not enough; electronic commerce is not enough
- You need to be networked to all your important constituencies
- Open up internal operational systems and information to prospects, customers, partners, suppliers, and employees

Slide 15: The Global Networked Business (figure)

Slide 16: Design: Policy

Slide 17: What Are the Business Problems You Are Trying to Solve?
- Internet business need and its security considerations: Internet access; Internet presence; networked commerce; VPN and extranets
- What are their risks?

Slide 18: Risk Factors (figure relating risk, threat, value, safeguard and weakness)
- RSF: risk-safeguard factor
- RVF: risk-value factor
- STF: safeguard-threat factor
- SVF: safeguard-value factor
- VTF: value-threat factor
- WTF: weakness-threat factor

Slide 19: Simplified Causal Diagram (figure with nodes weakness, risk, value, assurance, safeguard and threat)
- Threat: hazards facing the information (attacks/time)
- Weakness: vulnerability of the processing ($/attack)
- Safeguard: methods of protection ($/time)
- Value: dollar value of information ($)
- Assurance: confidence factor ($/time)

Slide 20: Internet Access (figure: Internet)
- Applications: web access and e-mail (using an external mail server); streaming audio/video
- Security issues: protection of internal resources from outsiders; limiting external privileges of internal users; visibility of internal network addresses; auditing usage and possible attacks

Slide 21: Internet Presence (figure: e-mail, WWW, Internet)
- Additional applications: e-mail server managed locally; web server
- Additional security issues: protection of public resources; separation of public and internal networks; authentication of remote users

Slide 22: Networked Commerce (figure: commerce gateways, internal business systems, Internet)
- Additional applications: electronic commerce with controlled access to business systems for ordering, etc.
- Additional security issues: secure gateway-to-internal communication; client-to-commerce-gateway encryption; strong application authentication of the client

Slide 23: VPN and Extranets (figure: HQ, remote site, mobile and home users, extranet partner, Internet)
- Additional applications: private connections over a public network, the virtual private network (VPN)
- Additional security issues: encryption between remote users/sites and HQ; very strong network authentication of the client

Slide 24: Design: Architecture

Slide 25: What Is a Firewall? (Chris Lonvick)

Slide 26: Security Technology Taxonomy
- Accurately identify network users and their privileges
- Network integrity through: secure network perimeters; privacy and encryption; reliable operation
- Provide auditing, accounting and active detection and response

Slide 27: Firewall Design Criteria
- Where is your policy? Implement it.
- Hosts offering public services/access are not secure
- Internal network hosts should not offer public services/access
- Private networks and hosts should not be visible

Slide 28: Firewall Design Criteria
- Know your network
- Security for multiple Internet access points
- Management and operation comfort
- Network security cannot replace data security
- Detailed security and usage accounting

Slide 29: Firewall Design Criteria
- A robust firewall is typically not one device
- Layered topology: defense in depth
- Redundancy and failover
- Response plan

Slide 30: Internet Access Firewall Topology (figure: outside)
- Reasonable features and performance at a low cost
- Usually a router with firewall capabilities

Slide 31: Internet Presence Firewall Topology (figure: outside, public access server)
- Dedicated firewall platforms
- Multiple interfaces/layers
- Many features, high performance

Slide 32: Lock-and-Key
- Situation: you want a subset of hosts on a network to access a host on a remote network protected by a firewall.
- With lock-and-key access, you can enable only a desired set of hosts to gain access by having them authenticate through a TACACS+ server.

Slide 33: Lock-and-Key Configuration (the host and server addresses are missing in the source text)
    aaa authentication login lockkey tacacs+ enable
    access-list 101 dynamic telecommuter timeout 5 permit ip any any
    access-list 101 permit tcp any eq 23
    interface e0
     ip address
     ip access-group 101 in
    tacacs-server host
    tacacs-server key cisco
    line vty 0 4
     password 7 telecommuter
     login authentication lockkey
     autocommand access-enable timeout 2

Slide 34: Networked Commerce (figure: outside)
- Coupled gateway and application servers
- Encryption and authentication

Slide 35: VPNs and Extranets (figure: Internet, internal network)
- Strong encryption, authentication
- Routers, firewalls, end systems

Slide 36: IPsec: Standard for VPN Encryption (figure: encrypted IP)
- Standards compliance: IPsec AH/ESP encapsulated tunnels; IKE key management
- Fully interoperable: Cisco IOS, firewalls, and other IPsec-compliant systems
- Client support: Windows 95 and Windows NT 4.x (Cisco-provided software); Windows NT 5.0 (Microsoft/Cisco partnership)

Slide 37: IPsec Modes (figure: tunnel mode and transport mode, each marking the portion that "may be encrypted")

Slide 38: Virtual Private Network Example (figure: clear, encrypted, clear)

Slide 39: VPN Configuration (peer and interface addresses are missing in the source text)
    crypto ipsec transform-set first ah-md5-hmac
     mode tunnel
    crypto ipsec transform-set second ah-sha-hmac esp-des
     mode tunnel
    !
    crypto isakmp policy 5
     auth rsa-encr
     hash md5
     lifetime 3600
    !
    crypto map tobob 10 ipsec-isakmp
     set peer
     set transform-set first second
     match address 155
    !
    interface e0
     ip address
     crypto map tobob
    !
    access-list 155 permit ip 55 55
Steps annotated on the slide:
- Define IPsec policy: two transform sets providing encryption and authentication
- Set IKE policy
- Create a "crypto map": define the negotiating peer; prioritize IPsec policy; match an access list
- Configure the interface and assign the crypto map
- Define the access list to encrypt all traffic

Slide 40: Design: Test

Slide 41: Firewall Test Criteria
- Where is your policy? Who controls routers? Who controls firewalls? Who makes up the security team?
- Check policy and well-known holes
- Scan the network
- Test the firewall and the services behind it
- Use verification and IDS tools

Slide 42: Firewall Test Criteria
- Do things work as expected?
- Scan the firewall; scan the DMZ and services; scan the internal network
- "Invert" policy rules on a sniffer
- Log and document everything

Slide 43: Logging (syslog and dump hosts are missing in the source text)
    service timestamps debug datetime msec
    service timestamps log datetime msec
    logging buffered 16384
    logging trap debugging
    logging
    logging
    logging source-interface loopback0
    access-list 101 permit tcp any eq 23 log
    ip ftp source-interface loopback0
    ip ftp username c7200
    ip ftp password 7 8675309g
    exception protocol ftp
    exception dump

Slide 44: Firewall Test Criteria
- Testing never ends
- Know your network
- Review logs
- Educate staff and users
- Keep revisions up to date

Slide 45: Implementation: Cisco Solutions

Slide 46: Cisco Firewall Product Line (figure: performance against feature set)
- Cisco 1600/2500 with Cisco IOS FW features
- Centri Firewall for Windows NT
- PIX Firewall

Slide 47: Supported Applications
- Telnet, web, FTP, and SMTP
- RealAudio, RealVideo, and VDOLive
- Lotus Notes, IMAP, and LDAP
- DNS resolves and zone transfers
- RPC, r-commands
- Other generic IP, TCP, and UDP

Slide 48: Content Filtering
- Blocks Java, ActiveX, JavaScript and VBScript
- URL logging and blocking
- SMTP command filtering: block SMTP commands; block excess routing characters

Slide 49: Inspect Port Command (figure: web server, web client, Java blocking)

Slide 50: Attack Detection and Prevention
- Events: monitors the following statistics and conditions: total embryonic connections per minute; incoming new connection rate; timer for TCP connections to reach the established state; packet count for duplicate SYN packets; packet sequence numbers

Slide 51: Alerts
- Non-statistical events may trigger alerts
- Alerts set on groups of events or specific ones: DoS attacks, SMTP command attacks, or a denied Java applet
- Alerts are visual, e-mail, and pager
- Thresholds limit the number of alerts issued when repeating in a given timeframe
- E-mail is based on MAPI (install messaging); beeper is based on TAPI

Slide 52: Remote Firewall Management (figure: management console reaching the firewall over an encrypted VPN across the Internet)

Slide 53: Adaptive Security Algorithm (ASA)
- Provides "stateful" connection policy
- Connections allowed out; allows return session backflow; incoming connections must be explicitly enabled
- Initial TCP sequence number randomized
- Tracks source and destination ports and addresses, TCP sequences, and additional TCP flags
- Access control list (ACL) policy support
- UDP and TCP session state: TCP: FIN bit; UDP: one-minute default timer (except for DNS)

Slide 54: TCP Connections Inside to Outside (figure: sender, PIX, receiver and responder; packet fields shown are source IP address, destination IP address, source port, destination port, sequence number, checksum, code, acknowledge; assume data length = 100 octets; checksum is modified, not recalculated)
- PIX checks whether a translation exists. If not, it creates one upon verifying NAT, global, access control and authentication, if any. A connection is also created.
- Back spoofing: on the returning packet PIX follows the Adaptive Security Algorithm: check (src IP, src port, dest IP, dest port); check sequence number; check translation. If the packet's code bit was not SYN-ACK, the packet would have been dropped and logged.
- Figure label: IP spoofing connection

Slide 55: TCP Connections Inside to Outside (continued)
- Since the ACK bit is set, connection and translation entries should exist
- ASA checks again

Slide 56: TCP Connections Inside to Outside (teardown; same packet fields and assumptions as slide 54)
- Back spoofing: PIX will only accept a packet with code bit FIN-ACK; all other packets are dropped
- Any packet after this packet would also be dropped
- Connection released immediately; translation released after the xlate timeout

Slide 57: Static vs. Conduit
- Static: a static maps a global (outside) address to an inside (local) address. Any access to the global goes to the mapped inside address. This gives an inside machine with an illegal address a presence on the outside with a legal address. A static is secure (protected).
- Conduit: a conduit is a hole through the firewall allowing outside machines to initiate connections to inside machines. It is related to a static in that a static maps a global address to a local machine. Conduits are only as secure as you make them. They are used for service items.

Slide 58: Authorization (figure: Telnet across the Internet through the PIX)
    id=joe fail=0 service=shell
    cmd=telnet permit host A
    cmd=ftp permit host B

Slide 59: SYN Flood Defender
- Throttles both internal and external maximum sessions
- Inbound: controls SYN flooding (denial of service)
- Outbound: limits maximum sessions (controls applications such as Microsoft's Internet Explorer)
- Protects session resources from being depleted
- Maintains high network reliability

Slide 60: SYN Floods (figure: SMTP from the Internet through the PIX to the inside mail server, "all allowed commands", limit 2)

Slide 61: Content Filter (figure: SMTP from the Internet through the PIX to the inside mail server, "all allowed commands")

Slide 62: Client VPN (PIX, Ravlin; figure: Internet, internal network, encrypted IP)
- IPsec standards compliance: IPsec AH/ESP encapsulated tunnel; IKE key management
- Wire-speed performance: Ethernet now, Fast Ethernet late CY98
- Fully interoperable: Cisco IOS and other IPsec-compliant systems

Slide 63: PIX with OTP Configuration (button names and most addresses are missing in the source text)
- Go to PIX Manager: URL = .100:8080, username = pixadmin, password = cisco
- On PIX Manager: click; select TACACS+ server; click; server IP address = 00; encryption key: spackle; click
- On PIX Manager: select Authentication; click; select "authenticate all internal hosts" or whatever is desired; click; click
- Assume PIN = 1234, passcode = 5551212

Slide 64: PIX with OTP Session (terminal output as shown on the slide; host addresses are missing)
    username: megaman
    enter passcode: 5551212
    You need a password to access this page
    Resource: HTTP Authentication
    username megaman   password 5551212
    Username and password required
    Enter username for HTTP Authentication at 7
    User name megaman   password 5551212
    connected to 7
    220 FTP authentication
    220 user (7:
    331 enter passcode:
    331
    230
    220 ts09b6f ftp server (version cisco micro webserver) ready
    331 hello root, send password
    230 login user root ok
    230

Slide 65: PIX with Three Interfaces (figure: public network, Internet, perimeter network, private network, FTP server, web server)
- A web server for the inside network
- Access allowed only from the two addresses given on the slide (missing in the source text)

Slide 66: PIX with Three Interfaces (configuration; interface, pool and host addresses are missing in the source text)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password 8ry2yjiyt7rrxu24 encrypted
    passwd 2kfqnbnidi.2kyou encrypted
    hostname pixfirewall
    failover
    names
    name 19 webserver
    name ftpserver
    pager lines 24
    syslog output 20.3
    no syslog console
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    ip address outside
    ip address inside
    ip address dmz
    arp timeout 14400
    global (outside) 1 6-5
    global (dmz) 1 0-9
    nat (inside) 1
    nat (dmz) 1
    static (dmz,outside) 6 webserver 200 200
    static (dmz,outside) 7 ftpserver

Slide 67: PIX with Three Interfaces (configuration, continued)
    static (inside,outside) 0 10
    conduit (dmz,outside) 6 80 tcp
    conduit (dmz,outside) 7 21 tcp
    conduit (inside,outside) 0 21 tcp
    conduit (inside,outside) 0 80 tcp
    conduit (inside,outside) 0 21 tcp
    conduit (inside,outside) 0 80 tcp
    age 10
    rip outside passive
    no rip outside default
    rip inside passive
    rip inside default
    no rip dmz passive
    rip dmz default
    route outside 1
    timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
    timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
    tacacs-server host 00 abc
    aaa authentication any inbound tacacs+
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    telnet 00 55
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    : end

Slide 68: Centri Firewall
- Windows NT firewall
- ICSA certified
- Version 4.0.2 now shipping!
- Evaluation software on the web at: http:/ (URL truncated in the source text)

Slide 69: Ease of Use
- Installation wizard steps through initial configuration
- Predefined security policies
- Graphical policy manager: drag-and-drop security policies
- Secure remote administration

Slide 70: Secure Remote Administration (figure: ISP network, private networks, Internet, secure remote admin)
- MS authenticated RPC
- Centri's asymmetric authentication from trusted or untrusted sides

Slide 71: Reporting
- Reports may be run on demand and scheduled to run at fixed times (e.g. Mondays at 2 a.m.)
- Reports are presented in HTML or text and may be stored on the web server in the product (Examiner)
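The inside-to-outside TCP walk-through on the Adaptive Security Algorithm slides (53 to 56) can be exercised as code. What follows is an added illustration written for this page, not PIX code or anything from the deck: it models the xlate and conn tables, the randomized initial sequence number and the code-bit checks on returning packets, using constructed addresses.

```python
import random
from collections import namedtuple

MASK = 0xFFFFFFFF
# the slides' packet fields; "flags" is their "code" field: "SYN", "SYN-ACK", "ACK" or "FIN-ACK"
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port seq ack flags")

class Pix:
    # code bit the responder may send back in each state; anything else is dropped and logged
    ACCEPT = {"SYN_SENT": "SYN-ACK", "ESTABLISHED": "ACK", "FIN_SENT": "FIN-ACK"}

    def __init__(self, global_ip, rng=None):
        self.global_ip = global_ip   # one address from the "global (outside) 1" pool (constructed)
        self.rng = rng or random.Random()
        self.xlate = {}              # local ip -> global ip; released only by the xlate timeout
        self.conn = {}               # (global ip, src port, dst ip, dst port) -> state
        self.log = []

    def _drop(self, p, why):
        self.log.append(f"drop {p.src_ip}:{p.src_port}->{p.dst_ip}:{p.dst_port} {p.flags}: {why}")
        return None

    def outbound(self, p):
        """Inside to outside: create the xlate if missing, the conn on SYN, randomize the ISN."""
        self.xlate.setdefault(p.src_ip, self.global_ip)   # "if not, it creates one"
        key = (self.global_ip, p.src_port, p.dst_ip, p.dst_port)
        c = self.conn.get(key)
        if c is None:
            if p.flags != "SYN":
                return self._drop(p, "no connection entry and not a SYN")
            isn = self.rng.getrandbits(32)                 # initial TCP sequence number randomized
            c = self.conn[key] = {"state": "SYN_SENT", "isn": isn,
                                  "delta": (isn - p.seq) & MASK, "local": p.src_ip}
        elif p.flags == "FIN-ACK":
            c["state"] = "FIN_SENT"                        # only a FIN-ACK may now come back
        # checksum is "modified, not recalculated": only address and sequence are rewritten here
        return Packet(self.global_ip, p.dst_ip, p.src_port, p.dst_port,
                      (p.seq + c["delta"]) & MASK, p.ack, p.flags)

    def inbound(self, p):
        """Outside to inside: check the 4-tuple, the sequence number and the translation."""
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        c = self.conn.get(key)
        if c is None or c["local"] not in self.xlate:      # incoming connections must be explicitly enabled
            return self._drop(p, "no connection or translation entry")
        if p.flags != self.ACCEPT[c["state"]]:
            return self._drop(p, f"code bit {p.flags} while {c['state']}")
        if c["state"] == "SYN_SENT":
            if p.ack != (c["isn"] + 1) & MASK:             # acknowledge must match the randomized ISN
                return self._drop(p, "acknowledge does not match randomized ISN")
            c["state"] = "ESTABLISHED"
        elif c["state"] == "FIN_SENT":
            del self.conn[key]                             # connection released immediately
        return Packet(p.src_ip, c["local"], p.src_port, p.dst_port,
                      p.seq, (p.ack - c["delta"]) & MASK, p.flags)
```

Feed `outbound()` the inside host's SYN, then `inbound()` the responder's packets: a SYN-ACK with the wrong acknowledge, any unsolicited inbound SYN, and anything other than FIN-ACK after the inside host's FIN-ACK all land in `log` instead of being forwarded.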
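The static/conduit rules on slide 57 and the three-interface configuration on slides 66 and 67 can be checked the same way. This is an added example, not PIX code: the configuration fragment mirrors the shape of the slides with invented addresses (the deck's own did not survive extraction), and `check()` reports whether a connection initiated on one interface toward another is permitted and why.

```python
import ipaddress

# Constructed config in the shape of the "PIX with Three Interfaces" slides; the
# addresses are invented because the deck's own did not survive extraction.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.16-203.0.113.25
static (dmz,outside) 203.0.113.6 192.168.1.6
static (dmz,outside) 203.0.113.7 192.168.1.7
conduit (dmz,outside) 203.0.113.6 80 tcp
conduit (dmz,outside) 203.0.113.7 21 tcp
"""

def parse(config):
    """Pick out the five statement types the policy check needs."""
    cfg = {"security": {}, "nat": [], "global": {}, "static": [], "conduit": set()}
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "nameif":                 # nameif hw-if name securityN
            cfg["security"][w[2]] = int(w[3][len("security"):])
        elif w[0] == "nat":                  # nat (if) id net mask
            cfg["nat"].append((w[1].strip("()"), int(w[2]), ipaddress.ip_network(f"{w[3]}/{w[4]}")))
        elif w[0] == "global":               # global (if) id first-last
            cfg["global"][(w[1].strip("()"), int(w[2]))] = w[3]
        elif w[0] in ("static", "conduit"):  # (high_if,low_if) global_ip local_ip | global_ip port proto
            hi, lo = w[1].strip("()").split(",")
            if w[0] == "static":
                cfg["static"].append((hi, lo, w[2], w[3]))
            else:
                cfg["conduit"].add((hi, lo, w[2], int(w[3]), w[4]))
    return cfg

def check(cfg, src_if, src_ip, dst_if, dst_ip, dport, proto):
    """Verdict for a connection initiated on src_if toward dst_ip on dst_if."""
    s_lvl, d_lvl = cfg["security"][src_if], cfg["security"][dst_if]
    if s_lvl > d_lvl:                        # high to low: out through a static or nat + global
        for hi, lo, g, l in cfg["static"]:   # a static also gives the host its outside presence
            if (hi, lo) == (src_if, dst_if) and l == src_ip:
                return "permit", f"static presents {src_ip} as {g}"
        for nif, nid, net in cfg["nat"]:
            if nif == src_if and ipaddress.ip_address(src_ip) in net and (dst_if, nid) in cfg["global"]:
                return "permit", f"nat id {nid} via global pool {cfg['global'][(dst_if, nid)]}"
        return "deny", "no nat/global translation for this host"
    if s_lvl == d_lvl:
        return "deny", "equal security levels"
    for hi, lo, g, l in cfg["static"]:       # low to high: needs a static AND a conduit
        if (hi, lo) == (dst_if, src_if) and g == dst_ip:
            if (hi, lo, g, dport, proto) in cfg["conduit"]:
                return "permit", f"conduit opens {proto}/{dport} to {l}"
            return "deny", f"static to {l} exists but no conduit for {proto}/{dport}"
    return "deny", "incoming connections must be explicitly enabled"
```

The interesting case is the DMZ web server: its static alone gives it an outside address but admits nothing, and only the `conduit ... 80 tcp` line turns that into a reachable service, which is the "hole" slide 57 warns about.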
