© 2006 Cisco Systems, Inc. All rights reserved. SND v2.0#-1 Configuring a Cisco IOS Firewall Introducing Firewall Technologies.


Outline
- Overview
- What Is a Firewall?
- Evolution of Firewall Technologies
- Static Packet Filtering Firewalls
- Circuit Level Firewalls
- Application Layer or Proxy Firewalls
- Dynamic or Stateful Packet Filtering Firewalls
- Cut-Through Proxy Process
- Implementing NAT on a Firewall
- Application Inspection Firewall
- Firewalls in a Layered Defense Strategy
- Summary

What Is a Firewall?
A firewall is a set of related programs located at a network gateway server that protects the resources of a private network from users on other networks.
[Figure: a firewall at the boundary between networks passes good traffic and blocks bad traffic; the firewall types listed are static packet filtering, circuit level firewalls, proxy server and application server]

Evolution of Firewall Technologies
[Figure: timeline of firewall technologies, from static packet filtering firewalls, to circuit level firewalls, to application layer firewalls, to dynamic packet filtering firewalls; Cisco acquires PIX technology in 1995]

Static Packet Filtering Firewalls
- Static packet filtering works at Layer 3.
- Traffic is filtered based on specified rules.
- Unknown traffic is only allowed up to Layer 3.
[Figure: OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical) with the Network layer marked as the layer the filter works at]

Static Packet Filtering Example
- Allows all outgoing TCP connections
- Allows incoming DNS, SMTP, and FTP connections and return traffic
- Denies all other services
[Figure: a router with interface E0 toward the inside network and S0 toward the Internet; ACL 101 applies to outgoing traffic and ACL 102 applies to incoming traffic; the inside DNS server, mail server and FTP server are reachable from the Internet, while other servers are blocked]

Advantages and Disadvantages of Packet Filters
Advantages:
- Based on simple permit or deny rule sets
- Low impact on network performance
- Easy to implement
- Supported by most routers
- Afford an initial degree of security at a low network layer
- Perform 90 percent of what higher-end firewalls do, but at a much lower cost
Disadvantages:
- Susceptible to IP spoofing
- Do not filter fragmented packets well
- Complex ACLs are difficult to implement and maintain correctly
- Cannot filter certain services

Circuit Level Firewall
Rules are based on:
- Destination and source IP addresses and ports
- Time of day
- Protocol
- User ID and password
Advantage: Defends against IP spoofing
Disadvantage: Requires reprogramming of transport handling programs (WinSock)
[Figure: OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical)]

Application Layer Firewall
Also called:
- Proxy firewalls
- Application gateways
[Figure: OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical)]

Application Layer Proxy Firewall
An application layer firewall operates on OSI Layers 3, 4, 5, and 7.
Advantages of application layer proxy firewalls:
- This firewall authenticates individuals, not devices.
- Hackers have a harder time with spoofing and implementing DoS attacks.
- This firewall can monitor and filter application data.
- This firewall can provide detailed logging.
[Figure: OSI Layers 1 to 7, Physical through Application]

Application Level Proxy Firewall
[Figure: the proxy gateway sits between the inside network and the Internet; on each side it carries a full stack (IP, TCP, bindings, FTP, HTTP, other), with the proxy's controller software relaying between the two stacks]

Proxy Server Communication Process
The proxy server requests connections between a client on the inside of the firewall and the Internet. Client requests are filtered on the basis of Layer 5 and Layer 7 information.
[Figure: the proxy server acts as a dedicated application layer filter (proxy) for HTTP]
1. Request: the client sends its request to the proxy server.
2. Repackaged request: the proxy server sends its own request to the web server on the Internet.
3. Response: the web server answers the proxy server.
4. Repackaged response: the proxy server returns the response to the client.

Limitations and Uses of Application Layer Firewalls
Limitations of application layer firewalls:
- Process packets in software
- Support a small number of applications
- Sometimes require special client software
- Are memory and disk space (logging) intensive
Uses for application layer firewalls:
- Use only for key applications where performance can be sacrificed for security

Stateful or Dynamic Packet Filtering
[Figure: OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical); a stateful inspection firewall between the inside network and the Internet keeps stateful session flow tables]

Stateful Filtering
[Figure: a stateful firewall between the inside network and the Internet; an inside host opens a connection from source port 1500 to destination port 80, and the firewall adds a dynamic entry to the outside ACL for the return traffic. The host addresses are not recoverable from the slide.]
Inside ACL (incoming traffic):
- permit ip any
Outside ACL (incoming traffic):
- dynamic: permit tcp host (web server) eq 80 host (inside host) eq 1500
- permit esp any any
- permit udp any any eq 500
- deny ip any any

Limitations and Uses of Stateful Firewalls
Use stateful firewalls:
- As a primary means of defense
- As an intelligent first line of defense
- As a means of strengthening packet filtering
- To improve routing performance
- As a defense against spoofing and DoS attacks
Limitations:
- Stateful firewalls cannot prevent application layer attacks.
- Not all protocols contain state information (for example, UDP and ICMP).
- Some applications open multiple connections, some of which use dynamic port numbers for the additional connections.
- Stateful firewalls do not support user authentication of connections.
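The contrast between the static ACL in the packet filtering example above and the session flow table of the stateful filter, as an added Python example that is not part of the Cisco course material: the addresses, the `Packet` class and both filters are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:            # one IP packet as seen by the filter (constructed)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    ack: bool = False    # TCP ACK flag, set on every segment after the initial SYN

INSIDE_PREFIX = "10.0.0."   # constructed inside network

def static_inbound_filter(pkt):
    """Stateless rules in the spirit of the lesson's ACL 102: permit inbound DNS, SMTP
    and FTP, and approximate 'return traffic' as any TCP segment with ACK set that is
    addressed to a high port (the check behind the IOS 'established' keyword).
    The filter keeps no memory, so it cannot tell a real reply from a forged one."""
    if pkt.proto == "udp" and pkt.dst_port == 53:
        return True
    if pkt.proto == "tcp" and pkt.dst_port in (21, 25):
        return True
    return pkt.proto == "tcp" and pkt.ack and pkt.dst_port > 1023

class StatefulFilter:
    """Dynamic packet filter: each permitted outbound connection is recorded in a
    session flow table; an inbound packet passes only as the reverse of a recorded flow."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        if not pkt.src_ip.startswith(INSIDE_PREFIX):
            return False
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt):
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows

def compare_filters():
    """One outbound web connection, then two inbound segments that both look like
    return traffic to the static filter. Returns {name: (static, stateful)} verdicts."""
    fw = StatefulFilter()
    fw.outbound(Packet("10.0.0.5", 1500, "198.51.100.10", 80))
    genuine = Packet("198.51.100.10", 80, "10.0.0.5", 1500, ack=True)
    unsolicited = Packet("203.0.113.9", 80, "10.0.0.5", 1500, ack=True)  # no such session
    return {"genuine_reply": (static_inbound_filter(genuine), fw.inbound(genuine)),
            "unsolicited": (static_inbound_filter(unsolicited), fw.inbound(unsolicited))}
```

The static filter accepts both inbound segments because it can only judge flags and ports; the stateful filter accepts the genuine reply and drops the unsolicited one because no matching flow was ever opened from the inside.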

Cut-Through Proxy Firewall Communication Process
[Figure: outside user Richard reaches a web server behind a workgroup switch through the firewall]
Step 1: Authentication. The user/destination/action table records user Richard, the web server as destination, and action Permit.
Step 2: Add filtering rule. An inbound source/destination/protocol/action entry is added for TCP port 80 with action Permit.
Step 3: Process traffic at Layer 3 and Layer 4.

Implementing NAT on a Firewall
NAT operates at OSI Layer 3 and Layer 4.
Advantages of implementing NAT on a firewall:
- NAT hides your network addressing design.
- NAT controls the traffic entering and leaving your network.
- NAT allows for the use of private addressing.
[Figure: OSI Layers 1 to 7, Physical through Application]

Network Address Translation
NAT translates the source address of a device inside a network to a public source address (SA in the figure).
[Figure: packets from inside hosts with source address SA (inside local IP address) pass through NAT and reach the Internet with a translated source address (inside global IP address); the addresses themselves are not recoverable from the slide]

Port Address Translation
PAT extends NAT from one-to-one to many-to-one by associating the source port with each flow.
[Figure: several inside hosts (inside local IP addresses, one shown with source port 1024) share one inside global IP address; each flow leaves NAT with its own source port (1506, 2048 and 2056 are shown); the addresses themselves are not recoverable from the slide]
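A worked model of the PAT behaviour just described, added here as an example and not part of the Cisco course material; the inside addresses, the inside global address and the port numbers are constructed and are not those on the slide.

```python
import itertools

class PortAddressTranslator:
    """PAT: many inside local (address, port) pairs share one inside global address,
    and flows are told apart by the source port assigned on the outside.
    Constructed for this example; real PAT also keys on the destination and ages
    entries out, which is left out here."""
    def __init__(self, inside_global_ip, first_port=1024):
        self.global_ip = inside_global_ip
        self._free_ports = itertools.count(first_port)   # next unused outside port
        self.out_table = {}   # (local_ip, local_port) -> global_port
        self.in_table = {}    # global_port -> (local_ip, local_port)

    def outbound(self, local_ip, local_port):
        """Translate the source of an outgoing packet; a known flow keeps its mapping."""
        key = (local_ip, local_port)
        if key not in self.out_table:
            gport = next(self._free_ports)
            self.out_table[key] = gport
            self.in_table[gport] = key
        return self.global_ip, self.out_table[key]

    def inbound(self, global_port):
        """Undo the translation for a reply to the inside global address. Returns the
        inside local (address, port), or None when no flow exists: with no mapping there
        is nowhere to deliver the packet, which is how NAT controls what enters."""
        return self.in_table.get(global_port)

def pat_walkthrough():
    """Three inside hosts, two of them using the same local source port, behind one
    inside global address (all constructed). Returns the translations made, then the
    reverse lookups for a known and an unknown outside port."""
    pat = PortAddressTranslator("198.51.100.1")
    hosts = [("10.0.0.5", 1024), ("10.0.0.6", 1024), ("10.0.0.7", 2048)]
    translated = [pat.outbound(ip, port) for ip, port in hosts]
    translated.append(pat.outbound("10.0.0.5", 1024))    # same flow, same mapping
    return translated, pat.inbound(1025), pat.inbound(4040)
```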

Configuring NAT with Cisco SDM
1. In Cisco SDM, choose Configure.
2. Choose the NAT wizard on the task bar.
3. Choose Basic NAT or Advanced NAT.
4. Click the Launch the Selected Task button.

Limitations and Uses of NAT
Uses:
- When you have a private IP addressing scheme in your internal network
- When you need to separate two or more networks
Limitations:
- Delay is introduced because of packet manipulations.
- Some applications do not work with address translation.
- Using multiple layers of NAT is complicated.
- Tracing and troubleshooting become more difficult.

Application Inspection Firewall
An application inspection firewall operates on OSI Layers 3, 4, 5, and 7. Application inspection firewalls are essentially stateful firewalls with intrusion detection system capabilities.
Application inspection firewalls:
- Are aware of the Layer 5 state of a connection
- Check the conformity of application commands on Layer 5
- Are able to check and affect Layer 7 (for example, Java applet or peer-to-peer filtering)
- Prevent more kinds of attacks than stateful firewalls
[Figure: OSI Layers 1 to 7, Physical through Application]

Application Inspection Firewall Operation
Inspection engines:
- protocol support through firewalls
- conformity of commands through checks
[Figure: the firewall inspects outgoing and incoming traffic. A SIP INVITE (INVITE ... SIP/2.0, From: ...;tag=4c101d, with a media port carried in the body) to a SIP server results in entries permitting TCP 5060 and the negotiated UDP media port (33005 is shown). An HTTP request (GET / HTTP/1.1, Host: ...) to a web server has a Java applet filtered from the reply. Addresses are not recoverable from the slide.]

Limitations and Uses of Application Inspection Firewalls
Limitations:
- Able to prevent only simple application layer attacks
- Usually do not support user authentication of connections
- Size of the state table
Uses:
- As a secondary means of defense
- Where more stringent controls over security than packet filtering are needed
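To show what "conformity of application commands" means for the HTTP case in the operation slide, here is an added example of a small Layer 7 inspection check; it is not Cisco's code, and the method policy, the sample requests and the host name are constructed for the illustration.

```python
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # policy chosen for this example
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")

def inspect_http_request(raw: bytes, max_uri_len: int = 2048):
    """Layer 7 conformity check for one HTTP request on the web port.
    Returns (permit, reason). Anything that is not well-formed HTTP, or uses a
    method outside the policy, is refused even though it arrived on TCP port 80,
    which a packet filter or plain stateful firewall would have let through."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes: not an HTTP request"
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return False, "malformed request line"
    method, uri, version = match.groups()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if len(uri) > max_uri_len:
        return False, "request URI too long"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return False, "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if version == "1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host header"
    return True, "conforms"

# Constructed samples: one conforming request and three that a port-based filter
# would pass because each of them is simply TCP traffic to port 80.
SAMPLES = {
    "conforming": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "not_http": b"\x00\x01binary payload sent to port 80\x00",
}

def inspect_samples():
    """Verdict per sample: True means the engine lets the request through."""
    return {name: inspect_http_request(raw)[0] for name, raw in SAMPLES.items()}
```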

Content Filtering Using Websense
1. The end user sends an HTTP request.
2. The Cisco IOS firewall forwards the request to the web server and sends a lookup request for the requested URL to the Websense server.
3. The Websense server compares the URL to its database. It returns a permit or deny status via a lookup response to the Cisco IOS firewall.
4. If permitted, the user receives the HTTP response. If denied, the user is directed to an internal web server on the Websense server.
[Figure: end user, Cisco IOS firewall, Websense URL Filtering Server (UFS), and the web server on the Internet]

Firewalls in a Layered Defense Strategy
- Endpoint security: provides identity and device security policy compliance
- Core network security: protects against malicious software and traffic anomalies, enforces network policies, and ensures survivability
- Disaster recovery: offsite storage and redundant architecture
- Communications security: provides information assurance
- Perimeter security: secures boundaries between zones
[Figure: the layers arranged around the network core]

Summary
- A firewall is a pair of mechanisms: one mechanism blocks traffic, and the second mechanism permits traffic.
- There are four firewall technologies: packet filtering, proxy server, dynamic packet filtering, and application inspection, each with strengths and weaknesses.
- Static packet filters provide an effective firewall capability in a layered defense architecture by examining source, destination, port, and service details.
- A circuit level firewall validates that a packet is either a connection request or a data packet belonging to a connection or virtual circuit between two peer transport layers.
- Proxy firewalls and servers provide additional security by inspecting the contents of packets.

Summary (Cont.)
- Stateful firewalls are more efficient than static filters and proxies.
- The Cisco IOS Firewall cut-through proxy feature helps alleviate performance issues inherent in proxy server design.
- NAT hides internal IP addresses from users outside the network.
- Application inspection firewalls ensure the security of applications and services for applications that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.
- Firewalls are part of a layered defense strategy and are deployed throughout the network.
