© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.0, 6-1. Cisco IOS Threat Defense Features: Introducing the Cisco IOS Firewall.

Presentation:



Transcript:

Cisco IOS Threat Defense Features: Introducing the Cisco IOS Firewall

Layered Defense Strategy

DMZ
A DMZ is established between security zones. DMZs are buffer networks that are neither inside nor outside.

Layered Defense Features
Access control is enforced on traffic entering and exiting the buffer network from all security zones by:
–Classic routers
–Dedicated firewalls
DMZs are used to host services:
–Exposed public services are served on dedicated hosts inside the buffer network.
–The DMZ may host an application gateway for outbound connectivity.
A DMZ contains an attacker in the case of a break-in.
A DMZ is the most useful and common modern architecture.

Multiple DMZs
Multiple DMZs provide better separation and access control:
–Each service can be hosted in its own DMZ.
–Damage is limited and attackers are contained if a service is compromised.

Modern DMZ Design
Various systems (stateful packet filter, proxy server) can filter traffic. Proper configuration of the filtering device is critical.

Firewall Technologies

Firewall Technologies
Firewalls use three technologies:
–Packet filtering
–Application layer gateway
–Stateful packet filtering

Packet Filtering
Packet filtering limits traffic into a network based on the source and destination addresses, ports, and protocol flags compiled in an ACL. Each packet is evaluated on its own; the filter keeps no memory of earlier packets.

Packet Filtering Example
Router(config)# access-list 100 permit tcp any any established
Router(config)# access-list 100 deny ip any any log
Router(config)# interface Serial0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# end
The established keyword matches any TCP segment with the ACK or RST bit set, so inbound segments that look like replies are permitted without the router knowing whether a session actually exists; an attacker can craft ACK-flagged packets to pass this filter. Everything else arriving on Serial0/0 is dropped and logged.

Application Layer Gateway
The ALG intercepts client connections and establishes its own connections to the Internet hosts on behalf of the client.

ALG Firewall Device

Stateful Packet Filtering
Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes. Stateful inspection additionally remembers details of each outbound request (the state of the session) and uses them to decide whether an inbound packet is a legitimate reply.

Stateful Firewall Operation

Stateful Firewalls
Also called stateful packet filters and application-aware packet filters.
Stateful firewalls have two main improvements over packet filters:
–They maintain a session table (state table), where they track all connections.
–They recognize dynamic applications and know which additional connections will be initiated between the endpoints.
Stateful firewalls inspect every packet, compare it against the state table, and may examine the packet for any special protocol negotiations.
Stateful firewalls operate mainly at the connection (TCP and UDP) layer.

Stateful Firewall Handling of Different Protocols
TCP sessions: Keeping track of a TCP connection is easy (check flow information and TCP sequence numbers against the state table entry).
UDP connections: No flags or sequence numbers, so hard to track robustly. Only flow information is checked against the state table, and timeouts are used to delete state table entries.
Other connectionless services (GRE, IPsec): Usually handled like a stateless packet filter.
Dynamic applications: Handled automatically by snooping on application negotiation channels.
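The Cisco IOS Firewall introduced in the next section exposes this per-protocol state handling as global timers and half-open-session thresholds. The following is an added configuration example, not from the ISCW slides; the values are illustrative starting points rather than recommendations:

```cisco
! Added example (not from the ISCW slides): Cisco IOS Firewall (CBAC)
! global timers that implement the per-protocol state handling above.
! All values are illustrative; tune them to the traffic you carry.
!
! TCP: the entry is removed after the FIN/RST exchange or when idle.
! Half-open sessions that never complete the handshake are dropped early.
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
!
! UDP: no flags or sequence numbers, so only flow information and an
! idle timer control the state entry. Keep it short.
ip inspect udp idle-time 30
!
! DNS lookups are UDP but get their own, much shorter timer.
ip inspect dns-timeout 5
!
! DoS protection: when the number of half-open sessions (or the rate of
! new half-open sessions per minute) crosses the high watermark, the
! firewall deletes half-open sessions until it falls below the low mark.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Per-destination limit: once 50 half-open sessions target one host,
! block further connection attempts to that host for 2 minutes.
ip inspect tcp max-incomplete host 50 block-time 2
!
! Verify the timers and thresholds in effect ('do' runs an exec
! command from configuration mode).
do show ip inspect config
```

Connectionless protocols such as GRE and IPsec are not covered by these timers; as the table above says, they fall through to the plain interface ACL, so permit them explicitly there if they must pass.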

Introducing the Cisco IOS Firewall Feature Set

The Cisco IOS Firewall Feature Set
The Cisco IOS Firewall Feature Set contains three main features:
–Cisco IOS Firewall
–Authentication proxy
–IPS

Cisco IOS Firewall
Packets entering the Cisco IOS firewall are inspected if they are not specifically denied by an ACL.
Cisco IOS Firewall permits or denies specified TCP and UDP traffic through the firewall.
A state table is maintained with session information.
ACL entries are dynamically created and deleted for the return traffic of each session.
Cisco IOS Firewall protects against DoS attacks.

Cisco IOS Authentication Proxy
HTTP, HTTPS, FTP, and Telnet authentication.
Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols: the user's access profile is downloaded from the AAA server and applied as dynamic ACL entries for that user.
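An added configuration example, not from the slides, of the authentication proxy in front of HTTP with TACACS+ as the AAA server. The addresses, the rule name WEB-USERS and the shared secret are placeholders; the inbound ACL on the same interface (not shown) is assumed to permit the router's own exchange with the AAA server, with the proxy inserting per-user entries in front of it once a user has logged in:

```cisco
! Added example (not from the ISCW slides): Cisco IOS authentication
! proxy for HTTP, authenticating and authorizing users via TACACS+.
! Addresses, names and the shared secret are illustrative placeholders.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.0.5 key TACACS-SHARED-SECRET
!
! The proxy serves its login page from the router's HTTP server, which
! must authenticate against AAA rather than the enable password.
ip http server
ip http authentication aaa
!
! Proxy rule: intercept HTTP and require re-authentication after
! 60 minutes of inactivity.
ip auth-proxy name WEB-USERS http inactivity-time 60
!
! Apply the rule on the interface facing the users who must log in.
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip auth-proxy WEB-USERS
!
! Verify: who is authenticated and which dynamic entries exist.
do show ip auth-proxy cache
```

The per-user entries come from the TACACS+ profile (the proxy ACL attributes for the user), so the inactivity timer and the AAA authorization line together decide how long a hole stays open and what it permits.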

Cisco IOS IPS
Acts as an inline intrusion prevention sensor: traffic goes through the sensor.
When an attack is detected, the sensor can perform any of these actions:
–Alarm: Send an alarm to SDM or a syslog server.
–Drop: Drop the packet.
–Reset: Send TCP resets to terminate the session.
–Block: Block an attacker IP address or session for a specified time.
Identifies 700+ common attacks.

Cisco IOS Firewall Functions

Cisco IOS ACLs Revisited
ACLs provide traffic filtering by these criteria:
–Source and destination IP addresses
–Source and destination ports
ACLs can be used to implement a filtering firewall, leading to these security shortcomings:
–Ports are opened permanently to allow return traffic, creating a security vulnerability.
–They do not work with applications that negotiate ports dynamically.
Cisco IOS Firewall addresses these shortcomings of ACLs.
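The following added example (not from the slides) places the permanently open established ACL from the packet filtering example beside the stateful-inspection configuration that replaces it. The interface roles, the ACL name OUTSIDE-IN and the inspection rule name INSIDE-OUT are assumptions; FTP is included to show how a dynamically negotiated port is handled:

```cisco
! Added example (not from the ISCW slides): replacing a permanently open
! 'established' hole with Cisco IOS Firewall stateful inspection.
! Interface roles, names and addresses are illustrative.
!
! WEAK (stateless packet filter): 'established' matches any TCP segment
! with ACK or RST set, so ACK-flagged probes pass inbound without any
! handshake, and UDP replies cannot be expressed at all.
access-list 100 permit tcp any any established
access-list 100 deny ip any any log
!
! STRONGER (stateful inspection): the inbound ACL denies everything.
! The firewall inserts temporary entries ahead of it only for the
! return traffic of sessions it saw an inside host initiate.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
! Inspection rule: the protocols whose sessions are tracked. FTP is a
! dynamic application: the control channel is snooped and the
! negotiated data-channel port is opened for that session only.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT ftp
ip inspect name INSIDE-OUT http
ip inspect name INSIDE-OUT icmp
!
! Outside interface: filter what comes in, inspect what goes out.
interface Serial0/0
 description Outside (untrusted)
 ip access-group OUTSIDE-IN in
 ip inspect INSIDE-OUT out
!
! Verify: the state table, and the ACL with its hit counters.
do show ip inspect sessions
do show ip access-lists OUTSIDE-IN
```

Traffic that is not inspected (for example GRE or IPsec, per the protocol table earlier) still needs explicit permit lines in OUTSIDE-IN; keep those as narrow as the peer addresses allow, because they are the stateless part of the design.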

Cisco IOS Firewall TCP Handling

Cisco IOS Firewall UDP Handling

Cisco IOS Firewall Process

How Cisco IOS Firewall Works

Supported Protocols
TCP (single channel)
UDP (single channel)
RPC
FTP / FTPS
TFTP
Telnet / SSH
UNIX R-commands (such as rlogin, rexec, and rsh)
SMTP
HTTP / HTTPS
ICMP
SNMP
Kazaa
SQL*Net
RTSP (such as Real Networks)
TACACS+ / RADIUS
Signalling:
–H.323
–Skinny
–SIP
Other multimedia:
–Microsoft NetShow
–StreamWorks
–VDOLive
BGP
And many others

Alerts and Audit Trails
Cisco IOS Firewall generates real-time alerts and audit trails.
Audit trail features use syslog to track all network transactions (session start, stop, and byte counts).
With Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application-protocol basis.
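An added example, not from the slides, of turning on the global audit trail and then overriding alerts and the audit trail per protocol. The syslog host address and rule name are placeholders, and the two log lines in the comments are constructed to show the shape of the messages the firewall emits, not captured output:

```cisco
! Added example (not from the ISCW slides): alerts and audit trails,
! globally and per application protocol. Addresses and names are
! illustrative placeholders.
!
! Ship firewall messages to a collector with millisecond timestamps.
logging host 10.0.0.10
logging trap informational
service timestamps log datetime msec
!
! Global defaults. Alerts are on by default ('ip inspect alert-off'
! would silence them); the audit trail is off by default, so enable it.
ip inspect audit-trail
!
! Per-protocol overrides on the inspection rule: record every HTTP
! session start/stop with byte counts, but silence the chatty audit
! trail for UDP while keeping its alerts. Other protocols inherit the
! global settings.
ip inspect name INSIDE-OUT http alert on audit-trail on timeout 3600
ip inspect name INSIDE-OUT udp alert on audit-trail off timeout 30
ip inspect name INSIDE-OUT tcp
!
! Constructed illustrations of the audit-trail messages a session
! produces (not captured from a device):
!   %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator
!     (10.1.1.2:1045) -- responder (198.51.100.20:80)
!   %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.1.1.2:1045)
!     sent 420 bytes -- responder (198.51.100.20:80) sent 10310 bytes
!
! Verify which rules have alerts and audit trail enabled.
do show ip inspect config
```

The stop message's byte counts are what make the audit trail useful for investigations: an inside host that "sent" far more than it received on an HTTP session is a data-exfiltration lead that a plain ACL log line would never show.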

Summary
A layered defense strategy enhances security by providing buffer networks with filtering capabilities.
There are three main firewall technologies: packet filtering, application proxy, and stateful packet filtering.
The Cisco IOS Firewall Feature Set contains three main features: Cisco IOS Firewall, authentication proxy, and IPS.
Cisco IOS Firewall intelligently filters TCP and UDP packets based on session and application layer protocol information.
The Cisco IOS authentication proxy is used to apply specific security policies on a per-user basis.
The Cisco IOS IPS identifies attacks using signatures to detect patterns of misuse in network traffic.
