Internet Firewall Technology Tutorial
(0999_03F8_c2, NW98_US_407)

Agenda
- Motivation: threats and attacks; business need
- Design and test principles: policy, architecture, design
- Implementation: Cisco solutions

MOTIVATION: SECURITY THREATS AND COMMON NETWORK ATTACKS

Security Threats
[Figure: impersonation (Bob poses as a bank customer; "deposit $1000" arrives as "deposit $100", a loss of integrity); denial of service (CPU exhaustion); loss of privacy (a telnet session to foo.bar.org with username dan and the password "mypassword" read off the wire; "Dan: I'm Bob, send me all corporate correspondence with Cisco"); exploiting host weaknesses (host 10.1.1.1, "goodbye").]

Common Attacks
- Routing attacks
- Wiretapping
- Active content
- ICMP attacks
- Denial of service attacks
- TCP sequence attacks

Sendmail Attacks
Grabbing the /etc/passwd file; injecting a file or running a script. The captured session on the slide:
    mail from: "|/bin/mail me </etc/passwd"
    250 "|/bin/mail me </etc/passwd"... Sender ok
    rcpt to: mickeymouse
    550 mickeymouse... User unknown
    data
    354 Enter mail, end with "." on a line by itself
    250 Mail accepted
    quit

Password Cracking
Features: graphical brute forcing; cracking NT passwords; network session capture.

Newer Internet Attacks
- Teardrop 1: a fragmentation attack that works by exploiting a reassembly bug with overlapping fragments, and causes the targeted system to crash or hang.
- Teardrop 2: the first fragment starts at offset 0 and the second fragment falls within the TCP header.
- Land: a SYN packet whose source address and port are the same as the destination.

Other Items
SNMPv1 community strings, CERT advisories, X11, RPC, NIS, NFS, NTP, finger, UDP high ports, TCP high ports.

Service Configuration (Cisco IOS)
    no service finger
    no service pad
    no service tcp-small-servers
    no service udp-small-servers
    no ip bootp server
    no ip source-route
    service password-encryption
    enable secret yellowmegaman
    no enable password
    no ip redirect
    no ip directed-broadcast
    no ip proxy-arp

MOTIVATION: BUSINESS NEED

Traditional Business
[Figure: the enterprise with its employees, partners, customers and suppliers.]

The Need to Be Networked
A new model of information technology: being connected is not enough; electronic commerce is not enough. You need to be networked to all your important constituencies: open up internal operational systems and information to prospects, customers, partners, suppliers, and employees.

The Global Networked Business
[Figure: employees, customers, partners and suppliers networked around the enterprise.]

DESIGN: POLICY

What are the business problems you are trying to solve? For each Internet business need there are security considerations:
- Internet access
- Internet presence
- Networked commerce
- VPN and extranets
What are their risks?

[Figure: risk model. R = risks, S = safeguard, T = threat, V = value, W = weakness; RSF = risk/safeguard factor, RVF = risk/value factor, STF = safeguard/threat factor, SVF = safeguard/value factor, VTF = value/threat factor, WTF = weakness/threat factor.]

Simplified Causal Diagram
[Figure: weakness, risk, value, assurance, safeguard and threat linked causally.]
- Threat: hazards facing the information (attacks, over time)
- Weakness: vulnerability of the processing (to attack)
- Safeguard: methods of protection (over time)
- Value: dollar value of the information
- Assurance: confidence factor (over time)

Internet Access
- Applications: web access and e-mail (using an external mail server); streaming audio/video
- Security issues: protection of internal resources from outsiders; limiting external privileges of internal users; visibility of internal network addresses; auditing usage and possible attacks

Internet Presence
- Additional applications: e-mail server managed locally; web server
- Additional security issues: protection of public resources; separation of public and internal networks; authentication of remote users

Networked Commerce
- Additional applications: electronic commerce with controlled access to business systems for ordering, etc.
- Additional security issues: secure gateway-to-internal communication; client-to-commerce-gateway encryption; strong application authentication of client-commerce gateways

VPN and Extranets
- Additional applications: private connections over a public network (virtual private network, VPN)
- Additional security issues: encryption between remote users/sites and HQ; very strong network authentication of the client
[Figure: HQ, remote site, mobile and home users, and an extranet partner connected across the Internet.]

DESIGN: ARCHITECTURE

What Is a Firewall?
"I think it was Pope Urban that first attempted a definition in 1094. He enforced his definition in 1095-1099. Zangi, the prince of Mosul, refuted it in 1144 and Saladin was left to stave off Pope Eugenius III and St. Bernard between 1146 and 1148, and, as everyone knows, Richard the Lionhearted debated the definition with Saladin between 1189 and 1192 without a resolution. All of this is to say that this can become a religious issue and many deaths will occur from it." (Chris Lonvick)

Security Technology Taxonomy
- Identity: accurately identify network users and their privileges
- Integrity: network integrity through secure network perimeters, privacy and encryption, reliable operation
- Active audit: provide auditing, accounting, and active detection and response
[Figure: "universal passport".]

Firewall Design Criteria (One)
- Where is your policy? Implement it.
- Hosts offering public services/access are not secure.
- Internal network hosts should not offer public services/access.
- Private networks and hosts should not be visible.

Firewall Design Criteria (Two)
- Know your network.
- Security for multiple Internet access points.
- Management and operation comfort.
- Network security cannot replace data security.
- Detailed security and usage accounting.

Firewall Design Criteria (Three)
- A robust firewall is typically not one device.
- Layered topology (defense in depth).
- Redundancy and failover.
- Response plan.

Internet Access Firewall Topology
Reasonable features and performance at a low cost; usually a router with firewall capabilities.

Internet Presence Firewall Topology
Dedicated firewall platforms; multiple interfaces (layers); many features; high performance; demilitarized zones (DMZs) holding the public access servers.

Lock-and-Key
Situation: you want a subset of hosts on a network to access a host on a remote network protected by a firewall. With lock-and-key access you can enable only a desired set of hosts to gain access by having them authenticate through a TACACS+ server.

Lock-and-Key Configuration
    aaa authentication login lockkey tacacs+ enable
    access-list 101 dynamic telecommuter timeout 5 permit ip any any
    access-list 101 permit tcp any host 10.1.1.1 eq 23
    interface e0
     ip address 10.1.1.1 255.255.255.0
     ip access-group 101 in
    tacacs-server host 1.1.1.1
    tacacs-server key cisco
    line vty 0 4
     password 7 telecommuter
     login authentication lockkey
     autocommand access-enable timeout 2

Networked Commerce
Coupled gateway and application servers; encryption and authentication.
[Figure: outside web client, encrypted transaction to the commerce gateway.]

VPNs and Extranets
Strong encryption and authentication in routers, firewalls and end systems.
[Figure: internal network reached across the Internet.]

IPsec: Standard for VPN Encryption
- Standards compliance: IPsec AH/ESP encapsulated tunnels; IKE key management
- Fully interoperable: Cisco IOS, firewalls, and other IPsec-compliant systems
- Client support: Windows 95 and Windows NT 4.x (Cisco-provided software); Windows NT 5.0 (Microsoft/Cisco partnership)

IPsec Modes
[Figure. Transport mode: IP hdr | IPsec hdr | data, where the data may be encrypted. Tunnel mode: new IP hdr | IPsec hdr | IP hdr | data, where the original IP hdr and data may be encrypted.]

Virtual Private Network Example
[Figure: traffic is clear on the 128.49.48.1 side, encrypted across the Internet, and clear again on the 128.49.54.1 side.]

VPN Configuration
    crypto ipsec transform-set first ah-md5-hmac
     mode tunnel
    crypto ipsec transform-set second ah-sha-hmac esp-des
     mode tunnel
    crypto isakmp policy 5
     auth rsa-encr
     hash md5
     lifetime 3600
    crypto map tobob 10 ipsec-isakmp
     set peer 128.49.54.1
     set transform-set first second
     match address 155
    interface e0
     ip address 128.49.48.1 255.255.255.0
     crypto map tobob
    access-list 155 permit ip 128.49.48.1 0.0.0.255 128.49.54.1 0.0.0.255
Steps: define the IPsec policy (two transform sets providing encryption and authentication); set the IKE policy; create a crypto map (define the negotiating peer, prioritize the IPsec policy, match an access list); configure the interface (assign the crypto map); define the access list for the traffic to encrypt.

DESIGN: TEST

Firewall Test Criteria (One)
- Where is your policy? Who controls routers? Who controls firewalls? Who makes up the security team?
- Check policy and well-known holes.
- Scan the network.
- Test the firewall and the services behind it.
- Use verification and IDS tools.

Firewall Test Criteria (Two)
- Do things work as expected?
- Scan the firewall; scan the DMZ and services; scan the internal network.
- "Invert" policy rules on a sniffer.
- Log and document everything.

Logging
    service timestamps debug datetime msec
    service timestamps log datetime msec
    logging buffered 16384
    logging trap debugging
    logging 169.222.32.1
    logging source-interface loopback0
    access-list 101 permit tcp any host 10.1.1.1 eq 23 log
    ip ftp source-interface loopback0
    ip ftp username c7200
    ip ftp password 78675309g
    exception protocol ftp
    exception dump 10.1.1.1

Firewall Test Criteria (Three)
- Testing never ends.
- Know your network.
- Review logs.
- Educate staff and users.
- Keep revisions up to date.

IMPLEMENTATION: CISCO SOLUTIONS

Cisco Firewall Product Line
[Figure: performance against feature set.] Cisco 1600/2500 with Cisco IOS FW features; Centri Firewall for Windows NT; PIX Firewall.

Supported Applications
Telnet, web, FTP, and SMTP; RealAudio, RealVideo, and VDOLive; Lotus Notes, IMAP, and LDAP; DNS resolves and zone transfers; RPC; r-commands; other generic IP, TCP, and UDP.

Content Filtering
- Blocks Java, ActiveX, JavaScript and VBScript
- URL logging and blocking
- SMTP command filtering: block SMTP commands, block excess routing characters
- "inspect port" command

Java Blocking
[Figure: a web client requests a Java applet; inspect examines the web server's reply. A reply carrying a Java signature is dropped; a reply with no Java signature is let through.]

Attack Detection and Prevention
- Events: monitors the following statistics and conditions: total embryonic connections per minute; incoming new connection rate; timer for TCP connections to reach established state; packet count for duplicate SYN packets; packet sequence numbers.
- Alerts: non-statistical events may trigger alerts; alerts are set on groups of events or specific ones (DoS attacks, SMTP command attacks, or a denied Java applet); alerts are visual, e-mail, and pager; thresholds limit the number of alerts issued when repeating in a given time frame; e-mail is based on MAPI (install messaging), beeper is based on TAPI.

Remote Firewall Management
[Figure: management console reaching the firewall over an encrypted VPN across the Internet.]

Adaptive Security Algorithm (ASA) provides:
- Stateful connection policy: connections are allowed out and the return session backflow is allowed; incoming connections must be explicitly enabled
- Initial TCP sequence number randomized
- Tracks source and destination ports/addresses, TCP sequences, and additional TCP flags
- Access control list (ACL) policy support
- UDP/TCP session state: TCP by FIN bit; UDP by a one-minute default timer (except for DNS)
In the packet walkthroughs that follow, assume a data length of 100 octets; the checksum is modified, not recalculated.

TCP Connections, Inside to Outside: Initialization Phase
PIX checks whether a translation exists or not; if not, it creates one upon verifying NAT/global, access control and authentication (if any). A connection entry is also created.
[Figure: packet fields (checksum, source IP address, destination IP address, source port, destination port, sequence number, code bits, acknowledge) for the SYN from sender 10.0.0.14 to 171.68.10.2 (port 4005 to 23), the same packet after PIX translation to source 171.69.236.5 with a randomized sequence number, and the receiver/responder's reply; back-spoofing and IP-spoofing checks are applied.]

TCP Connections, Inside to Outside: Data Transfer
Since the ACK bit is set, connection and translation entries should exist; ASA checks again.
[Figure: ACK packets with data in both directions between 10.0.0.14 (translated to 171.69.236.5) and 171.68.10.2, PIX rewriting addresses and sequence/acknowledge numbers.]

TCP Connections, Inside to Outside: Termination Phase
PIX will only accept a packet with code bits FIN/ACK; all other packets are dropped, and any packet after this one would also be dropped. The connection is released immediately; the translation is released after the xlate timeout.
[Figure: FIN and FIN/ACK exchange between sender, PIX and receiver/responder.]

Static vs. Conduit
- Static: a static maps a global (outside) address to an inside (local) address. Any access to the global goes to the mapped inside address. This gives an inside machine with an illegal address a presence on the outside with a legal address. A static is secure (protected).
- Conduit: a conduit is a hole through the firewall allowing outside machines to initiate connections to inside machines. It is related to a static in that a static maps a global address to a local machine. Conduits are only as secure as you make them; they are used for service items (Internet/intranet, DNS, mail, DMZ).

Authorization
[Figure: user Joe on inside host A reaching the Internet through the PIX Firewall, authorized by CiscoSecure.]

SYN Flood Defender
Throttles both internal and external maximum sessions.
- Inbound: controls SYN flooding (denial of service)
- Outbound: limits maximum sessions; controls applications such as Microsoft's Internet Explorer
Protects session resources from being depleted; maintains high network reliability.

[Figure: SMTP traffic from the Internet to the inside mail server. A host "trying to kill the mail server" is held to the PIX session limit; the content filter passes only the allowed commands, so probes such as DEBUG and NOOP that are "trying to get info" are refused.]

Client VPN: PIX/Ravlin IPsec
- Standards compliance: IPsec AH/ESP encapsulated tunnel; IKE key management
- Wire-speed performance: Ethernet now, Fast Ethernet late CY98
- Fully interoperable: Cisco IOS and other IPsec-compliant systems
[Figure: encrypted IP from the client across the Internet to the internal network.]

PIX with OTP Configuration
Configuration on the PIX Manager:
1. Go to the PIX Manager URL 10.0.0.100:8080; username pixadmin, password cisco.
2. On PIX Manager, click Authentication, select TACACS+ Server, click Add. Server IP address 10.0.0.100, encryption key "spackle". Click OK.
3. On PIX Manager, select Authentication, click Add, select "authenticate all internal hosts" (or whatever is desired). Click OK, click Save.
Assume PIN 1234, passcode 5551212.
[Figure: PIX with OTP session.]

PIX with Three Interfaces
A web server for the inside network; access allowed only from 172.28.0.0 and 172.16.50.0.
[Figure: public network (Internet), perimeter network with FTP server 192.168.0.3 and web server 192.168.0.2 behind 192.168.0.1, and private network with hosts 10.0.0.3 and 10.0.0.100.]

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    failover
    names
    name 192.168.0.2 webserver
    name 192.168.0.3 ftpserver
    pager lines 24
    syslog output 20.3
    no syslog console
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    ip address outside 172.16.50.3 255.255.255.0
    ip address inside 10.0.0.3 255.0.0.0
    ip address dmz 172.168.0.1 255.255.255.0
    arp timeout 14400
    global (outside) 1 172.16.50.76-172.16.50.85
    global (dmz) 1 192.168.0.90-192.168.0.99
    nat (inside) 1 10.0.0.0 255.0.0.0
    nat (dmz) 1 192.168.0.0 255.255.255.0
    static (dmz,outside) 172.16.50.76 webserver 200 200
    static (dmz,outside) 172.16.50.77 ftpserver
    static (inside,outside) 172.16.50.80 10.0.0.110
    conduit (dmz,outside) 172.16.50.76 80 tcp 0.0.0.0 0.0.0.0
    conduit (dmz,outside) 172.16.50.77 21 tcp 0.0.0.0 0.0.0.0
    conduit (inside,outside) 172.16.50.80 21 tcp 172.28.0.0 255.255.0.0
    conduit (inside,outside) 172.16.50.80 80 tcp 172.28.0.0 255.255.0.0
    conduit (inside,outside) 172.16.50.80 21 tcp 172.16.50.0 255.255.255.0
    conduit (inside,outside) 172.16.50.80 80 tcp 172.16.50.0 255.255.255.0
    age 10
    rip outside passive
    no rip outside default
    rip inside passive
    rip inside default
    no rip dmz passive
    rip dmz default
    route outside 0.0.0.0 0.0.0.0 172.16.50.1 1
    timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
    timeout rpc 0:10:00 h323 0:05:00
    timeout uauth 0:05:00
    tacacs-server host 10.0.0.100 abc
    aaa authentication any inbound 0.0.0.0 0.0.0.0 tacacs+
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    telnet 10.0.0.100 255.255.255.255
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    : end

Centri Firewall
- Windows NT firewall, ICSA certified
- Version 4.0.2 now shipping; evaluation software on the web
- Ease of use: installation wizard steps through initial configuration; predefined security policies; graphical policy manager with drag-and-drop security policies; secure remote administration

Secure Remote Administration
[Figure: ISP network and several private networks managed across the Internet.] Secure remote admin uses MS authenticated RPC; Centri's asymmetric authentication works from trusted or untrusted sides.

Reporting
Reports may be run on demand or scheduled to run at fixed times (e.g., Mondays at 2 a.m.). Reports are presented in HTML or text and may be stored on the web server in the product (Examiner) or sent to an e-mail address. To view reports it is simplest to use the embedded browser in Centri, though you may use another browser if desired (port 8080, no authentication). There are three types of reports:
- Warning: security issues and product oddities
- Service: statistical details per service (no aggregates)
- Connection: polls for open connections per service (no aggregates)

Flexible Security Policies
By IP address (e.g., 161.44.75.12), by NT username, by application, by time of day; security policy: open, restrictive, closed.

Kernel Proxies
- Implemented in the Windows NT kernel; custom TCP/IP stack
- Packet-filtering speed with proxy functionality
- Protects against common vulnerabilities in Windows NT (WinNuke, NetBIOS holes, etc.)
- Intercept architecture: preservation of the original network stack; firewall communication is also protected; capability of running servers on the firewall

Centri Firewall Architecture and Design
[Figures: outside interface 192.204.18.2 (also shown as 205.50.50.2), inside interface 10.0.0.1, and a Centri virtual adapter 10.0.0.2 serving the Microsoft TCP/IP stack and third-party Winsock applications (DNS, web, e-mail servers). In kernel space: untrusted network adapter, external protocol stack, interceptor, security verification engine, kernel proxy (content filtering, authentication), local communication channel, internal protocol stack and trusted network adapter. In application space: Centri agents (e.g., authentication) and other services. Sample inbound data flow and sample native stack data flow are traced through these components.]

Site-Based Model
Policy enforcement occurs when information passes between sites (intersite), not within the same site (intrasite). Rules are checked when information leaves one site for another. Install creates two sites, Trusted and Internet, which may be expanded upon post-install (e.g., adding an isolated service network, a DMZ). The "local stack" is tied by a virtual wire to a trusted site.
[Figure: Internet, Trusted and Isolated Service Network sites with policy rules checked between them.]

Eight Kernel Proxies
- IP: source/destination checks; ping-of-death prevention; IP spoof prevention
- ICMP: message type
- TCP: port check; SYN flood prevention
- UDP: port check
- SMTP: nested routing blocking; minimal protocol set (similar to Mail Guard)
- FTP: inline user authentication; non-transparent proxy mode; allowed action checks
- Telnet: inline user authentication; non-transparent proxy mode; port check
- HTTP: inline user authentication; URL filtering; Java/ActiveX/JavaScript blocking; allowed action checks