Scribd Logo
Carica

Benvenuto in Scribd!

  • Implementing Secure Converged Wide Area Networks (ISCW)

    Caricato da

    Hebert Molina
    21 visualizzazioni11 pagine
    Firewall defines traffic interaction between "zones" or trust levels - e.g. ASA security-level Common zone definitions - Inside Most trusted network - Outside Least trusted network – DMZ Somewhere in between. Firewall Filtering Logic Allow traffic from trusted zones to untrusted zones - Return traffic should be okay - outside to DMZ allowed Return traffic okay - DMZ to inside / outside dropped Why would DMZ originate traffic?

    Descrizione originale:

    Titolo originale

    Iscw.ios.Firewall.1.00

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formati disponibili

    PDF o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    Firewall defines traffic interaction between "zones" or trust levels - e.g. ASA security-level Common zone definitions - Inside Most trusted network - Outside Least trusted network – DMZ Somewhere in between. Firewall Filtering Logic Allow traffic from trusted zones to untrusted zones - Return traffic should be okay - outside to DMZ allowed Return traffic okay - DMZ to inside / outside dropped Why would DMZ originate traffic?

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF o leggi online su Scribd
    Segnala contenuti inappropriati
    21 visualizzazioni11 pagine

    Implementing Secure Converged Wide Area Networks (ISCW)

    Caricato da

    Hebert Molina
    Firewall defines traffic interaction between "zones" or trust levels - e.g. ASA security-level Common zone definitions - Inside Most trusted network - Outside Least trusted network – DMZ Somewhere in between. Firewall Filtering Logic Allow traffic from trusted zones to untrusted zones - Return traffic should be okay - outside to DMZ allowed Return traffic okay - DMZ to inside / outside dropped Why would DMZ originate traffic?

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF o leggi online su Scribd
    Segnala contenuti inappropriati
    di 11

    www.INE.

    com

    Implementing Secure Converged Wide Area Networks (ISCW) Cisco IOS Firewall

    http://www.INE.com

    Firewall Design Overview Firewall defines traffic interaction between zones or trust levels
    e.g. ASA security-level

    Common zone definitions


    Inside
    Most trusted network

    Outside
    Least trusted network

    DMZ
    Somewhere in between
    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Copyright 2009 Internetwork Expert

    www.INE.com

    Firewall Filtering Logic Allow traffic from trusted zones to untrusted zones
    Return traffic should be okay

    Block traffic from untrusted zones to trusted zones

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Two Zone Firewall Design

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Copyright 2009 Internetwork Expert

    www.INE.com

    Three Zone Firewall Design

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Three Zone Firewall Problems Which is the more trusted zone? Typical logic is
    Inside to outside allowed
    Return traffic okay

    Inside to DMZ allowed


    Return traffic okay

    Outside to DMZ allowed


    Return traffic okay

    DMZ to inside/outside dropped


    Why would DMZ originate traffic?
    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Copyright 2009 Internetwork Expert

    www.INE.com

    Types of Firewalls Stateless packet filters Application Level Gateways (ALG) Stateful packet filter

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Stateless Packet Filters


    Statically configured filters
    e.g. extended ACLs

    Typically filter based on


    Layer 3
    Source & destination address Protocol number

    Layer 4
    Source & destination port Established flags

    Problems
    Management overhead Complex design not feasible
    e.g. three or more zones

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Copyright 2009 Internetwork Expert

    www.INE.com

    Application Level Gateways AKA Proxy Servers


    Client connects to proxy Proxy connects to destination on behalf of client

    Advantage
    Adds application level awareness to filtering

    Disadvantage
    Typically PPS limitations

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Stateful Firewalls Dynamic filtering based on session tracking


    What goes out must come back in

    State of flow typically tracked by


    Source & destination address Source & destination port Protocol flags
    e.g. SYN, ACK/SYN, FIN, RST

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Copyright 2009 Internetwork Expert

    www.INE.com

    Stateful Firewall Problems Not all protocols stateful


    UDP is connectionless

    Non-standard applications
    Outbound and inbound flows not mirror images e.g. HTTP (standard) vs. FTP (non-standard)

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    IOS Firewall Feature Set IOS Firewall Authentication Proxy IOS Intrusion Prevention System (IPS)

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Copyright 2009 Internetwork Expert

    www.INE.com

    IOS Firewall
    Combination of multiple features to obtain ALG based stateful firewall Previously
    CBAC & ip inspect Reflexive ACLs before that

    Currently
    Zone Based Policy Firewall (ZBPF)

    Adds ALG support to state tracking


    e.g. I know FTP is different inbound vs. outbound

    Includes SYN flood protection


    Previously TCP Intercept
    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Authentication Proxy Tracks inside to outside traffic flows Denied flows can trigger authentication request towards AAA If authentication successful, per-user ACL is downloaded from AAA
    Both TACACS+ and RADIUS support

    Scalable solution for what used to be Lock-and-Key


    AKA dynamic ACL
    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Copyright 2009 Internetwork Expert

    www.INE.com

    IOS IPS Tracks traffic flows against signature database Takes action based on matches
    e.g. alarm, drop, reset, etc.

    More detail later

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Configuring Stateless Filters


    Standard ACLs
    Match only on source IP address

    Extended ACLs
    Match on
    IP protocol number Source address Destination address Protocol options
    TCP / UDP ports (eq, neq, lt, gt, range) ICMP Type Code

    Packet markings
    DSCP IP Precedence TOS

    ACL logging support


    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Copyright 2009 Internetwork Expert

    www.INE.com

    Configuring CBAC
    Define inspection rule Define untrusted to trusted stateless filter
    CBAC exceptions Implicit/explicit deny

    Apply inspection rule


    Inside in Outside out

    Optional
    Audit rules SYN flood protection

    Verification and monitoring


    show ip inspect sessions
    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Basic CBAC Configuration


    R6# ip inspect name CBAC tcp ip inspect name CBAC udp ip inspect name CBAC icmp ! ip access-list extended OUTSIDE_IN deny ip any any ! interface FastEthernet0/1 ip access-group OUTSIDE_IN in ip inspect CBAC out

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Copyright 2009 Internetwork Expert

    www.INE.com

    Zone Based Policy Firewall


    Uses ASA logic of application specific classmaps & policy-maps to match traffic and
    Inspect Drop Pass

    Allows complex designs to be more modular


    e.g. multiple DMZs

    Much more granular support for application inspection Configuration more cumbersome, but workflow more logical
    e.g. basic SDM config is 50+ lines
    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Basic ZBPF Configuration


    R6# class-map type inspect match-any INSPECTIONS match protocol tcp match protocol udp match protocol icmp ! policy-map type inspect INSIDE_TO_OUTSIDE class type inspect INSPECTIONS inspect class class-default drop ! zone security INSIDE zone security OUTSIDE zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE service-policy type inspect INSIDE_TO_OUTSIDE ! interface FastEthernet0/0 zone-member security INSIDE ! interface FastEthernet0/1 zone-member security OUTSIDE

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    Copyright 2009 Internetwork Expert

    10

    www.INE.com

    ZBPF Verification
    What are the zones?
    show zone security

    Where are they applied?


    show zone-pair security

    What is being inspected?


    show class-map type inspect

    How is it being inspected?


    show policy-map type inspect

    What are the overall statistics?


    show policy-map type inspect zone-pair

    What are the current sessions?


    show policy-map type inspect zone-pair sessions

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    IOS Firewall Configuration Examples


    192.168.2.0/24

    Fa0/0
    192.168.2.100/24

    R2

    S0/0.102

    200.0.12.0/24

    S0/0.102
    20 1 1
    102 103

    30

    R1
    S0/0.103 Fa0/0
    200.0.16.0/24

    200.0.13.0/24

    Fa0/0

    R4

    Fa0/0
    172.16.34.0/24

    R3

    S1/0.301
    10.0.56.0/24

    Fa0/1

    Fa0/0

    R5

    Fa0/0.56
    10.0.0.0/24

    R6
    Fa0/0.10

    Copyright 2009 Internetwork Expert, Inc www.INE.com

    10.0.0.100/24

    Copyright 2009 Internetwork Expert

    11

    Potrebbero piacerti anche