First we have to understand the concept of SECURITY in general. SECURITY may be defined as the safeguarding of our assets or important goods. The degree of security provided to an asset depends on how important it is and how much we need it.
SECURITY
- Family Security
- Social Security
- Home/Internal Security
- National Security
- International Security
- IT/Networking Security
IT/Network Security
The Computer Security Institute (CSI) has produced many reports on security. IT Security deals with every term used in Information Technology, including Network Security. Network Security deals only with the components used in networking (Internet/Intranet), including the handling of Internet protocols. Internet protocols (TCP/UDP/ICMP/IGMP) are configured by the network administrator according to the security policies of the company.
NETWORKING SECURITY
Network Security involves securing the network from internal and external threats. It also involves finding the balance between an open, evolving network and protecting the company's private data. In brief, network security is the process of countering any unauthorized access to, or illegal intrusion into, the network.
Motivation:
The range of adversaries' motivations includes:
- Gathering or stealing information (competing companies and criminals)
- Denial of service (terrorists, other countries and criminals)
- The challenge (hackers)
Classes of attack: adversaries can employ five types of attack:
- Passive
- Active
- Distributed
- Insider
- Close-in
A firewall is a system of hardware or software that controls access between two or more networks. The function of the firewall is similar to that of a physical wall that helps to keep fire from spreading. For ease of understanding we can say that:
- FIRE means illegal intrusion or unauthorized access to a system or network
- WALL means protection or policies to counter unauthorized access
FUNCTION OF FIREWALL
The firewall has only two major functions:
a. To permit the traffic
b. To deny the traffic
All firewalls perform these functions by examining the network traffic and directing that traffic based on a rule set (which may be predefined in the system or defined by the administrator according to the company's network policies).
1. Packet Filtering:
- Oldest and most commonly used firewall technology.
- Inspects only the traffic at Layer 3 and Layer 4.
- Analyzes IP packets and compares them to a set of established rules called an ACL (access control list).
- The following elements are inspected by this method:
  a. Source & destination IP address
  b. Source & destination port
  c. Protocol (by name or number)
2. Proxy Service:
Information from the Internet is retrieved by the firewall and then sent to the host that requested it. The proxy works on behalf of the host on the protected network segment; the protected host never actually makes a connection with the outside world.
(Figure: Proxy Server)
3. Stateful Inspection: In this method, certain parts of the packet are compared to a database of trusted information. The firewall maintains a state table for every flow passing through it from the inside network and allows responses to traffic that originated from the inside. This arrangement is built into the firewall algorithm. The state table tracks:
1. Source & destination TCP & UDP port numbers
2. TCP sequence numbering
3. TCP flags
4. UDP traffic, tracked using timers
TYPES OF FIREWALL
a. Packet Filtering
   - Static Filtering
   - Dynamic Filtering
   - Stateful Inspection
b. Circuit Gateway
c. Application Proxy
d. Hybrid
Other classifications: PC Firewall, SOHO Firewall, Firewall Application, Large Enterprise Firewall
COMPONENTS OF FIREWALL
Console: Provides constant updates on network traffic; contains the status of the security level and of the applications.
Logs: The firewall maintains three types of logs:
a) Security Logs: record potentially threatening activities such as port scanning, DoS, etc. Each logged event consists of the date and time of the event, number of attacks, severity and direction (inbound/outbound).
b) System Logs: record operational changes such as software execution errors, software modifications, starting/ending of services, etc. System logs are useful for troubleshooting because they carry information about errors and warnings.
c) Traffic & Packet Logs: allow capturing and recording all data that enters or leaves the computer or network. They give information about traffic passing through the firewall, traffic blocked at the firewall, time/date, type of traffic, number of events during a certain period, IP addresses of attempted attacks, name of the host computer and IP address of the user.
Application List: The list of running applications; it displays all applications and services. The user can change the list by restricting access for some applications and granting permission to others.
Configuration: Allows the user to set up the configuration; it covers log files, network browsing rights, password protection and notification of attacks.
Rules: These rules apply to all applications. The administrator sets them according to the network policies.
Positioning of Firewall
Some of the basic guidelines for positioning a firewall are as follows:
1. Topological location of the firewall: It is often a good idea to place a firewall on the periphery of a private network, as close as possible to the final exit and initial entry point of the network.
In most cases firewalls shouldn't be placed in parallel with other network devices such as routers; this can allow the firewall to be bypassed.
2. Accessibility & Security Zones: If there are servers that need to be accessed from the public network, such as web servers, it is often a good idea to put them in a demilitarized zone (DMZ). A DMZ allows publicly accessible servers to be placed in an area that is physically separate from the private network, forcing attackers who have somehow gained control over these servers to go through the firewall again to gain access to the private network.
3. Layering Firewalls:
In networks where a high degree of security is desired, two or more firewalls are often deployed in series. If the first firewall fails, the second one can continue to function.
This technique is often used as a safeguard against network attacks that exploit bugs in a firewall's software: if one firewall's software is vulnerable to an attack, hopefully the software of the second firewall sitting behind it will not be.
Firewalls from different vendors are often used in these setups.
- SOHO: Small Office Home Office
- ROBO: Remote Office Branch Office
- SMB: Small/Medium Size Business
- SP: Service Provider
The Cisco Adaptive Security Appliances are purpose-built solutions that combine the most effective security and VPN services with the innovative Cisco Adaptive Identification and Mitigation (AIM) architecture. Additionally, the adaptive security appliance software supports the Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the adaptive security appliance, ASDM accelerates deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of adaptive security appliances.
ASA FIREWALL
The interface sitting on the private network has a security level of 100, i.e., the inside interface (most secure). The other interface shown is the outside interface.
STATEFUL INSPECTION
(Figure: PC-A 192.168.1.1 on the internal network, a stateful firewall, the Internet, and a web server 201.201.201.1)
CONNECTION TABLE
Inside IP Address | Inside Port | IP Protocol | Outside IP Address | Outside Port
192.168.1.1       | 11500       | TCP         | 201.201.201.1      | 80
1. A user on PC-A, located in the inside network, performs an HTTP request to a web server outside your network.
2. As the request reaches the stateful firewall, the firewall stores the user's connection information (source & destination address, protocol and port information) in its state or connection table.
3. The firewall forwards the user's HTTP request to the destination web server.
(Figure: the same connection table, with the reply from web server 201.201.201.1 passing back through the stateful firewall to PC-A 192.168.1.1)
1. The HTTP request is received by the destination web server, which sends the corresponding web page back to the user's PC-A.
2. The firewall intercepts the connection response and compares it with the entries in its state table.
   A. If a match is found in the connection table, the returning packets are permitted.
   B. If no match is found in the connection table, the returning packets are dropped.
A stateful firewall maintains this connection table. If it sees a connection teardown request between the source and destination, the stateful firewall removes the corresponding entry. If a connection entry is idle for a period, the entry times out and the stateful firewall removes it from the connection table.
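The connection-table behaviour described above, as an added Python example (not code from the original page): outbound traffic from the inside creates an entry, return packets are permitted only when they match a reversed entry, and entries are removed on teardown or after an idle timeout. The flow fields and the timeout value are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a connection, as stored in the connection table."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def reverse(flow: Flow) -> Flow:
    """The return direction of a flow (server -> client)."""
    return Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port, flow.proto)


class StatefulFirewall:
    """Minimal model of a stateful firewall's connection table (added example)."""

    def __init__(self, idle_timeout: float = 300.0):
        self.idle_timeout = idle_timeout  # seconds; assumed value
        self.table: dict = {}  # inside-originated Flow -> time last seen

    def _expire(self, now: float) -> None:
        # Entries idle longer than the timeout are removed from the table.
        for flow in [f for f, t in self.table.items() if now - t > self.idle_timeout]:
            del self.table[flow]

    def outbound(self, flow: Flow, now: float) -> str:
        """Inside -> outside: record the connection, then forward it."""
        self._expire(now)
        self.table[flow] = now
        return "permit"

    def inbound(self, flow: Flow, now: float, teardown: bool = False) -> str:
        """Outside -> inside: permit only if it answers a recorded outbound flow."""
        self._expire(now)
        original = reverse(flow)
        if original not in self.table:
            return "drop"               # unsolicited packet: no matching entry
        if teardown:
            del self.table[original]    # connection teardown removes the entry
        else:
            self.table[original] = now  # refresh the idle timer
        return "permit"
```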
STATEFUL INSPECTION (packet flow)
Is the connection new?
- YES (new connection):
  1. Perform ACL check
  2. Route lookup
  3. Allocate NAT (xlate table)
  If these succeed, the session is established in the fast path (Connection Established); otherwise the packet is dropped (Connection Dropped).
- NO (existing session), FAST PATH:
  1. IP checksum verification
  2. Session lookup
  3. TCP sequence number check
  4. NAT based on the existing session
  5. L3/L4 header adjustment
Some packets that require L7 inspection pass through the control-plane path. L7 inspection is required for protocols that have two or more channels:
- Data channel: known ports
- Control channels: unknown ports
The security appliance's SNR (Sequence Number Randomization) feature addresses this problem by randomizing the TCP sequence number.
CONNECTION TABLE
Inside TCP Sequence Number | SNR Sequence Number
600                        | 910
601                        | 911
(Figure: PC-A 192.168.1.1 on the internal network sends a segment with sequence number 600; the stateful firewall forwards it to the Internet with sequence number 910; the reply carries acknowledgement number 911, which is translated back to 601.)
A TCP segment passes through the ASA with sequence number 600. The SNR feature in the ASA changes this sequence number to a random number, 910, places the mapping in the state table and forwards the TCP segment to the destination. The destination is not aware of this change and acknowledges receipt of the segment to the source using acknowledgement number 911. The ASA receives the reply, compares it with the state table and undoes the SNR process by changing 911 to 601, so that the source device is not confused.
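The SNR translation just described, as an added Python example (not code from the page): the first outbound segment of a connection receives a random replacement sequence number, the offset is kept in the state table, and returning acknowledgements are shifted back. The ISN chooser is injectable so the page's values 600/910 can be reproduced; the 32-bit wrap-around handling is an assumption about how such a translation must behave, not something the page states.

```python
import random
from typing import Callable, Dict, Hashable, Optional

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


class SequenceNumberRandomizer:
    """Model of the ASA SNR translation kept per connection (added example)."""

    def __init__(self, choose_isn: Optional[Callable[[], int]] = None):
        # Chooser for the randomized initial sequence number; injectable for tests.
        self.choose_isn = choose_isn or (lambda: random.randrange(SEQ_MOD))
        # connection key -> (randomized - inside) mod 2^32
        self.delta: Dict[Hashable, int] = {}

    def outbound(self, conn: Hashable, seq: int) -> int:
        """Inside -> outside segment: rewrite its sequence number."""
        if conn not in self.delta:
            # First segment of the connection: pick a random ISN and remember the offset.
            self.delta[conn] = (self.choose_isn() - seq) % SEQ_MOD
        return (seq + self.delta[conn]) % SEQ_MOD

    def inbound_ack(self, conn: Hashable, ack: int) -> int:
        """Outside -> inside segment: undo the translation on its acknowledgement number."""
        return (ack - self.delta[conn]) % SEQ_MOD
```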
CUT-THROUGH PROXY
The CTP feature of the ASA enhances security.
CTP allows the appliance to intercept incoming/outgoing connections and authenticate them before they are permitted.
CTP is used where the end servers the user is connecting to cannot perform authentication themselves. The user connections are typically authenticated not by the ASA itself but by an external security server, such as the Cisco Secure Access Control Server (CSACS). Cisco supports both the TACACS+ and RADIUS protocols for authentication. The CTP feature on an ASA can authenticate the following connection types:
a. FTP
b. HTTP and HTTPS
c. Telnet
CUT-THROUGH PROXY
(Figure: User A and User B on the internal network, the ASA, the Internet and the Cisco ACS server; steps 1 to 4, with outcomes 4A and 4B)
Cisco ACS Server authentication table:
Allowed User | Allowed Application
A            | HTTP to 100.100.100.1
B            | FTP to 100.100.100.2
1. User A initiates an FTP request to 100.100.100.2.
2. The ASA intercepts the connection and looks for an entry in its connection table. If an entry exists, the ASA permits the connection (4A); in this case the user was previously authenticated.
3. If the ASA does not find an entry in the connection table, it prompts User A for a username and password and forwards the information to the security server for authentication.
4. The security server examines its internal authentication table for the username and password and for the services this user is allowed to access; it then sends an allow or deny message to the ASA.
   - If the security server sends an allow message after checking the user's credentials, the ASA adds the user's connection information to the connection table and permits the connection.
   - If the ASA receives a deny message, it drops the user's connection or possibly re-prompts the user for another username/password combination.
2. Adaptive Security Device Manager (ASDM): GUI-based interface
3. Cisco Security Manager (CSM): GUI-based interface with more management tools
Rommon> prompt: used for password recovery, low-level troubleshooting, and to recover from a lost or corrupt operating system.
To create virtual devices (security contexts), the ASA has two modes:
a. Single mode: acts as a single device
b. Multiple mode: acts as multiple devices (based on the license)
(Figure: ASA with interfaces e0, e1 and e2; a neighbouring interface f0/0 with address 30.1.1.6)
ASA interfaces are classified by two names to distinguish them:
1. Physical name: used when we configure the physical properties of an interface. They begin with the name ethernet: ethernet 0 in PIX and ethernet 0/number (e0/0, e0/1) in ASA.
2. Logical name: the two common names used are inside (connected to the internal network) and outside (connected to the external or public network).
Security levels: range from 0 to 100; 0 is least secure and 100 is most secure. The Security Algorithm uses the security level to enforce its security policy. The rules the SA uses are as follows:
- Traffic from a higher to a lower security level is permitted by default unless restricted with an ACL. This is called an outbound connection.
- Traffic from a lower to a higher security level is denied by default unless explicitly permitted by an ACL. This is called an inbound connection.
- Traffic between interfaces at the same security level is denied by default.
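The Security Algorithm rules listed above, as an added Python example (not code from the page): interfaces carry a nameif and a security level, and a packet is permitted or denied by comparing the ingress and egress levels unless an ACL applied to the ingress interface decides instead (an applied ACL ends in an implicit deny, as on a real ASA). The interface names, addresses and ACL entry format are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    nameif: str          # logical name (inside / outside / dmz)
    security_level: int  # 0 = least secure, 100 = most secure


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    src: str                        # IP address or "any"
    dst: str                        # IP address or "any"
    dst_port: Optional[int] = None  # None matches any port


class SecurityAlgorithm:
    """Security-level policy of the ASA, as described above (added example)."""

    def __init__(self, interfaces: List[Interface], same_security_inter_interface: bool = False):
        self.ifaces: Dict[str, Interface] = {i.nameif: i for i in interfaces}
        self.acls: Dict[str, List[AclEntry]] = {}   # ACL applied inbound on an interface
        # models 'same-security-traffic permit inter-interface'
        self.same_security = same_security_inter_interface

    def apply_acl(self, nameif: str, entries: List[AclEntry]) -> None:
        self.acls[nameif] = entries

    def evaluate(self, ingress: str, egress: str, src: str, dst: str, dst_port: int) -> str:
        acl = self.acls.get(ingress)
        if acl is not None:
            # An ACL on the ingress interface overrides the level defaults: the first
            # matching entry wins and an unmatched packet hits the implicit deny.
            for e in acl:
                if e.src in ("any", src) and e.dst in ("any", dst) and e.dst_port in (None, dst_port):
                    return e.action
            return "deny"
        src_lvl = self.ifaces[ingress].security_level
        dst_lvl = self.ifaces[egress].security_level
        if src_lvl > dst_lvl:
            return "permit"   # outbound: higher -> lower is allowed by default
        if src_lvl < dst_lvl:
            return "deny"     # inbound: lower -> higher needs an explicit ACL
        return "permit" if self.same_security else "deny"  # equal levels
```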
Basic interface configuration commands:
ciscoasa(config)# interface e0                                   - select the physical interface
ciscoasa(config-if)# nameif <inside/outside/dmz>                 - assign a logical name to the interface
ciscoasa(config-if)# ip address <ip address & subnet mask>       - assign the IP address
ciscoasa(config-if)# security-level <number 0-100>               - assign the security level as required
ciscoasa(config-if)# speed <10/100/1000/auto/nonnegotiate>       - set the speed
ciscoasa(config-if)# duplex <auto/full/half>                     - set the duplex type
ciscoasa(config-if)# no shutdown                                 - enable the interface
ciscoasa# show interface ip brief                                - see the configuration of the interfaces
ciscoasa(config)# same-security-traffic permit inter-interface   - allow traffic between interfaces with the same security level
Methods of assigning an IP address to the ASA:
i. Manually
ii. By DHCP
iii. PPP over Ethernet (PPPoE)
Routing protocols supported by the ASA:
a. Static & dynamic routing
b. RIP
c. EIGRP
d. OSPF