- Firewall Services
  - Static
  - Circuit Level
  - Proxy Server
  - Application Server
- Firewall Technologies
  - Static Packet Filtering
    - First Generation
    - OSI: 3
    - ACL's
    - Can filter packets based on protocols, the domain name of the source and a few other attributes.
  - Circuit Level
    - Second Generation
    - OSI: 5
    - Monitor TCP handshaking between hosts to make sure a session is legitimate and are used to validate whether a packet is either a connection request, or a data packet belonging to an established connection or virtual
  - Application Level
    - Third Generation
    - OSI: 3-5, 7
    - Proxy
      - Anonymous and Transparent proxy servers
        - A transparent proxy server tells the remote computer the IP address of your computer
    - Advantages:
      - Authenticate Individuals
      - Detect DoS
      - Monitor / Filter App Data
        - Malformed URL's
        - Buffer Overflow
      - Detailed Logging
      - Make IP Spoofing difficult
    - Limitations
      - Processor / Memory Intensive
        - Logging
        - Mitigated with:
          - Context Transfer Protocol (CXTP)
          - Monitor only key applications
      - Do not support all applications
      - May require client software
      - Manual updates for new or modified application protocols
      - Every protocol must have a proxy in order for the firewall to be completely effective
      - Slower at passing information than other firewalls, because of the proxy applications
      - Not transparent to end users and require manual configuration of each client computer
    - OSI: 3 ----> 4 ----> <---- 5 <---- 7
  - Dynamic Packet-Filtering / Stateful
    - Fourth Generation
    - OSI: 3-5
    - Dynamic Filtering
    - Most versatile / Common
    - Maintains State Table
      - Cisco IOS Firewall is a Stateful firewall
      - Creates Connection Object on:
        - S/D IP
        - S/D Port
        - TCP/UDP Fields
    - Limitations
      - Internal IP may be exposed
        - Mitigated with Proxy and NAT
      - No prevention of Application Layer Attacks
      - Not all protocols are Stateful (UDP and ICMP)
      - Applications that open multiple ports
      - User Authentication not supported
      - Slower than Packet-Filtering
    - Uses:
      - Primary means of Defense
      - Cost Effective
      - Defense against DoS and Spoofing
        - Allowing only connections in table
- Other:
  - Transparent Firewalls
    - L2
    - Can run in single and multiple context
    - Bridged from one VLAN to other instead of routing
    - MAC lookups are used rather than routing tables
- Application Inspection Firewalls / DPI
  - Aware of L4 and L5 connection states
  - Check conformity of application commands on L5
  - Check and affect L7 (Java, P2P)
  - Prevents more types of attacks than stateful
  - Uses NAT
  - Monitors sessions for secondary port numbers
  - Inspection Behavior
    - Transport Layer: Acts like a stateful firewall by examining information in the headers of Layer 3 packets and Layer 4 segments. The application inspection firewall looks at the TCP header for SYN, RST, ACK, FIN, and other control codes to determine the state of the connection, for example.
    - Session Layer: Checks the conformity of commands within a known protocol. For example, when it checks Simple Mail Transfer Protocol (SMTP), only acceptable message types on Layer 5 are allowed (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET). It also checks whether the command attributes that are used conform to the internal rules.
    - Application Layer: Rarely supported. Application layer firewalls may provide protocol support for HTTP, and they can determine whether the content is really an HTML website or a tunneled application. If it were a tunneled application, the application inspection firewall would block the content or terminate the
  - Limitations
    - Few inspection engines currently available that support L7 content
    - Alone, does not support User authentication
    - Increased operating costs due to increased processor/memory
    - Common Firewalls can't run
  - Uses:
    - Secondary means of defense
    - More stringent control over security than stateful filtering
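The stateful "connection object" keyed on S/D IP and S/D port, the TCP-flag state tracking under Transport Layer, and the Layer-5 SMTP command conformity check under Session Layer, worked through as one small Python inspector. This is an added example written for these notes, not code from Cisco or from the notes' author; the packets, the `InspectionFirewall` class, the `inside_prefix` of the trusted network and the ALLOW/DROP verdicts are all constructed here.

```python
from dataclasses import dataclass

# Layer-5 verbs the notes list as acceptable SMTP message types.
SMTP_VERBS = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP control bits, e.g. frozenset({"SYN"})
    payload: str = ""               # Layer-5 data carried by the segment


class InspectionFirewall:
    """Connection object keyed on S/D IP and S/D port; state driven by TCP flags."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix  # hypothetical trusted network, e.g. "10.0.0."
        self.table = {}                     # initiator 4-tuple -> connection state

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)  # initiator -> responder direction
        rev = (p.dst, p.dport, p.src, p.sport)  # responder -> initiator direction
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            # Only an inside host may open a session; a SYN from outside is refused.
            if p.flags == {"SYN"} and p.src.startswith(self.inside_prefix):
                self.table[fwd] = "SYN_SENT"     # create the connection object
                return "ALLOW"
            return "DROP"                        # not in table: allow only known connections
        if "RST" in p.flags or "FIN" in p.flags:
            del self.table[key]                  # teardown removes the connection object
            return "ALLOW"
        if self.table[key] == "SYN_SENT":
            if key == rev and {"SYN", "ACK"} <= p.flags:
                self.table[key] = "ESTABLISHED"  # responder completed the handshake
                return "ALLOW"
            return "ALLOW" if key == fwd and p.flags == {"SYN"} else "DROP"
        # ESTABLISHED: Layer-5 conformity check on SMTP commands sent by the client
        if key == fwd and p.dport == 25 and p.payload:
            verb = p.payload.strip().split(" ", 1)[0].upper()
            if verb not in SMTP_VERBS:
                return "DROP"                    # command outside the known SMTP set
        return "ALLOW"
```

Server-to-client data is not checked here; a real inspection engine also validates reply codes and command attributes, which the notes mention but this example leaves out.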
- Zone-Based Firewall
  - Includes
    - Stateful Inspection
    - URL Filtering
    - IOS 12.4(6)T
  - Does not include:
    - Authentication Proxy
    - IPv6 Stateful Inspection
  - Supports Application Inspection for: