CCNAS CH3-4
Types of Firewalls
-Packet filtering firewall
-Stateful firewall
-Application gateway firewall (proxy firewall)
-Network address translation (NAT) firewall
Common properties of a firewall
-Resistant to attacks
-The only transit point between networks (all traffic flows through the firewall)
-Enforces the access control policy
Describe Cisco ACS
Cisco ACS is a single solution that offers AAA services using TACACS+ or RADIUS.
Traffic filtering
-Can be configured to permit specified TCP and UDP return traffic through a firewall when the connection is initiated from within the network
-It accomplishes this by creating temporary openings in an ACL that would otherwise deny the traffic
When an Application Layer attack is detected what actions can the Cisco IOS firewall take?
-Generate alert messages
-Protect system resources that could impede performance
-Block packets from suspected attackers
Network address translation (NAT) firewall
- A firewall that expands the number of IP addresses available and hides network addressing design.
Application gateway firewall (proxy firewall)
- A firewall that filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software.
Packet filtering firewall
- Typically is a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information.
What other things must be considered in an in depth defense besides firewalls?
-A significant number of intrusions come from hosts within the network. For example, firewalls often do little to protect against viruses that are downloaded through email
-Firewalls do not protect against rogue modem installations
-Firewalls do not replace backup and disaster recovery
-Firewalls are no substitute for informed administrators and users
Identify the ZPF Rules
-A zone must be configured before an interface can be assigned to it.
-We can assign an interface to only one security zone.
-If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
-Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
-To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
-Traffic cannot flow between a zone member interface and any interface that is not a zone member.
-We can apply pass, inspect, and drop actions only between two zones.
-Interfaces that have not been assigned to a zone can still use a CBAC stateful packet inspection configuration.
-If we do not want an interface to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (also known as a dummy policy) between that zone and any other zone to which traffic flow is desired.
What Technologies are used in a firewall?
-ACLs: standard, extended, numbered and named ACLs
-Advanced ACLs: stateful firewall (ACLs with the established keyword), reflexive (dynamic) ACLs, time-based ACLs
-Zone-Based Firewall feature
What do dynamic ACLS do? and What is it also called?
-Also called a lock-and-key ACL
-Dynamic ACLs authenticate the user and then permit limited access through your firewall router for a host or subnet for a finite period.
CBAC or ZPF?
-Both CBAC and zones can be enabled concurrently on a router, just not on the same interface.
-For example, an interface cannot be configured as a security zone member and configured for IP inspection simultaneously.
Generation of audits and alerts
-CBAC also generates real-time alerts and audit trails
-Real-time alerts send syslog error messages to central management consoles upon detecting suspicious activity
Intrusion detection
-CBAC provides a limited amount of intrusion detection to protect against specific SMTP attacks
-With intrusion detection, syslog messages are reviewed and monitored for specific attack signatures
What firewall solutions does Cisco Systems provide for network security professionals?
-Cisco IOS Firewall
-PIX Security Appliances (this product is now end of life)
-Adaptive Security Appliances
Benefits of using a firewall in a network
-Exposure of hosts and applications to untrusted users can be prevented
-The protocol flow can be sanitized, preventing the exploitation of protocol flaws
-Malicious data can be blocked from servers and clients
-Security policy enforcement can be made simple, scalable, and robust
-Offloading most of the network access control to a few points in the network can reduce complexity
Limitations of a firewall
-If misconfigured, a firewall can have serious consequences
-Data from many applications cannot be passed over firewalls securely
-Users might search for ways around the firewall, exposing the network
-Network performance can slow down
-Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall
Benefits of AAA
-Increased flexibility and control of access configuration
-Scalability
-Multiple backup systems
-Standardized authentication methods
The Cisco IOS zone-based policy firewall can take three possible actions when configured using CCP
-Inspect - Configures Cisco IOS stateful packet inspection. This action is equivalent to the CBAC ip inspect command. It automatically allows for return traffic and potential ICMP messages. For protocols requiring multiple parallel signaling and data sessions (for example, FTP or H.323), the inspect action also handles the proper establishment of data sessions.
-Drop - Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
-Pass - Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic. Pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.
Adaptive Security Appliances
-Integrate firewall capabilities, Cisco Unified Communications (voice and video) security, Secure Sockets Layer (SSL) and IPsec VPN, IPS, and content security services
-Provide intelligent threat defense and secure communications services that stop attacks before they affect business continuity
-Designed to protect networks of all sizes
What is a Zone Based Policy Firewall?
-Interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones
-A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface
-It also has the ability to prohibit traffic via a default deny-all policy between firewall zones
Step 1. Pick an interface - internal or external
-Internal and external refer to the direction of conversation
-The interface on which sessions can be initiated must be selected as the internal interface. Sessions that originate from the external interface will be blocked
Traffic inspection
-It inspects packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets
-CBAC can also be configured to drop half-open connections
What are some of the benefits of ZPF?
-It is not dependent on ACLs
-The router security posture is to block unless explicitly allowed
-Policies are easy to read and troubleshoot with C3PL
-One policy affects any given traffic, instead of needing multiple ACLs and inspection actions
If a threshold for the number of half-opened TCP sessions is exceeded, the firewall has two options:
-It sends a reset message to the endpoints of the oldest half-opened session, making resources available to service newly arriving SYN packets
-It blocks all SYN packets temporarily for the duration that the threshold value is configured. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources that valid connections need.
Stateful firewall
-Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
-Able to determine if a packet belongs to an existing flow of data.
-They maintain a session table (state table) where they track all connections.
Implementing CBAC is complex and can be overwhelming. Unlike ZPF, CBAC does not utilize any dedicated hierarchical data structures to modularize the implementation. CBAC has these limitations:
-Multiple inspection policies and ACLs on several interfaces on a router make it difficult to correlate the policies for traffic between multiple interfaces
-Policies cannot be tied to a host group or subnet with an ACL. All traffic through a given interface is subject to the same inspection
-The process relies too heavily on ACLs
Generic list that can serve as a starting point for firewall security policy
-Position firewalls at critical security boundaries
-It is unwise to rely exclusively on a firewall for security
-Deny all traffic by default, and permit only services that are needed
-Ensure that physical access to the firewall is controlled
-Regularly monitor firewall logs
-Practice change management for firewall configuration changes
-Firewalls primarily protect from technical attacks originating from the outside. Inside attacks tend to be nontechnical in nature.
What criteria does a packet filtering firewall permit or deny based on traffic?
-Source IP address
-Destination IP address
-Protocol
-Source port number
-Destination port number
-Synchronize/start (SYN) packet receipt
What do Dynamic ACLs depend on?
-Telnet connectivity
-Authentication (local or remote)
-Extended ACLs
What does the TCP Established Keyword do?
-The TCP established keyword blocks all traffic coming from the Internet except for the TCP reply traffic associated with established TCP traffic initiated from the inside of the network.
-The established keyword forces the router to check whether the TCP ACK or RST control flag is set.
-If the ACK flag is set, the TCP traffic is allowed in. If not, it is assumed that the traffic is associated with a new connection initiated from the outside.
-Not stateful
Step 3. Define inspection rules
-The administrator must define inspection rules to specify which Application Layer protocols to inspect at an interface
-An inspection rule should specify each desired Application Layer protocol to inspect, as well as generic TCP, UDP, or ICMP, if desired
Steps to AAA authorization
-The user has authenticated and a session has been established to the AAA server.
-When the user attempts to enter a privileged EXEC mode command, the router requests authorization from the AAA server to verify that the user has the right to use it.
-The AAA server returns a "PASS/FAIL" response.
Implementation/Example of Dynamic ACL
-Users who want to traverse the router are blocked by the ACL until they use Telnet to connect to the router and are authenticated.
-Users authenticate using Telnet, and the Telnet session is then dropped.
-However, a single-entry dynamic ACL is added to the existing extended ACL.
-This permits traffic for a particular period; idle and absolute timeouts are possible.
When to use Dynamic ACLs?
-When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet.
-When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall.
What does a Reflexive ACL do?
-Reflexive ACLs filter traffic based on source and destination addresses and port numbers.
-Also, session filtering uses temporary filters that are removed when a session is over, adding a time limit on a hacker's attack opportunity.
-Allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network.
-The router examines the outbound traffic and when it sees a new connection, it adds an entry to a temporary ACL to allow replies back in.
PIX Security Appliances (this product is now end of life)
-Standalone device that delivers robust user and application policy enforcement, multivector attack protection, and secure connectivity services
-Can scale to meet a range of requirements and network sizes
What four main functions does CBAC provide?
-Traffic filtering
-Traffic inspection
-Intrusion detection
-Generation of audits and alerts
Steps for server-based AAA authentication
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA server.
Packet Mode
A user sends a request to establish a connection through the router with a device on the network.
Character Mode
A user sends a request to establish an EXEC mode process with the router for administrative purposes.
Accounting and auditing
Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made
Authorization
After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.
Cisco IOS Firewall
An enterprise-class firewall for support of small and medium-sized business (SMB) and enterprise branch offices. Runs on a router.
AAA
Authentication, Authorization and Accounting
Define the Layers of Defense in-Depth
Endpoint security: Provides identity and device security policy compliance.
Perimeter security: Secures boundaries between zones.
Core network security: Protects against malicious software and traffic anomalies, enforces network policies, and ensures survivability.
Disaster recovery: Achieved with offsite storage and redundant architecture.
Step 4. Identify subset within zones and merge traffic requirements
For each firewall device in the design, the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones, resulting in a device-specific interzone policy.
Step 2. Establish policies between zones
For each pair of source-destination zones, the sessions that clients in source zones are allowed to open to servers in destination zones are defined. For traffic that is not based on the concept of sessions (for example, IPsec Encapsulating Security Payload [ESP]), the administrator must define unidirectional traffic flows from source to destination and vice versa.
Step 2. Configure IP ACLs at the interface
Guidelines for configuring IP ACLs on a Cisco IOS Firewall:
-Start with a basic configuration. A basic initial configuration allows all network traffic to flow from protected networks to unprotected networks while blocking network traffic from unprotected networks
-Permit traffic that the Cisco IOS Firewall is to inspect
-Use extended ACLs to filter traffic that enters the router from unprotected networks
-Set up antispoofing protection by denying any inbound traffic (incoming on an external interface) from a source address that matches an address on the protected network
-Deny broadcast messages with a source address of 255.255.255.255. This entry helps prevent broadcast attacks
-By default, the last entry in an ACL is an implicit denial of all IP traffic that is not specifically allowed by other entries in the ACL
What is TCP Established?
Introduced in 1995, TCP Established was the first-generation IOS traffic filtering solution, based on the TCP established keyword for extended IP ACLs.
What does Context-based access control (CBAC) do?
Intelligently filters TCP and UDP packets based on Application Layer protocol session information.
-It provides stateful Application Layer filtering, including protocols that are specific to unique applications, as well as multimedia applications and protocols that require multiple channels for communication
-Monitors TCP connection setup
-Tracks TCP sequence numbers
-Monitors UDP session information
-Inspects DNS queries and replies
-Inspects common ICMP message types
-Supports applications that rely on multiple connections
-Inspects embedded addresses
-Inspects Application Layer information
Step 1. Determine the Zones: Define
The internetworking infrastructure under consideration is split into well-documented separate zones with various security levels.
Name the two types of AAA Authentication
Local AAA
Server-based AAA
Local AAA Authentication
Local AAA uses a local database for authentication. This method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database. This database is the same one required for establishing role-based CLI. Local AAA is ideal for small networks.
Define a Firewall
Network firewalls separate protected from non-protected areas, preventing unauthorized users from accessing protected network resources.
TCP Established Example
R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in
Diameter Protocol
Planned replacement for RADIUS. Diameter uses a new transport protocol called Stream Control Transmission Protocol (SCTP) and TCP instead of UDP.
Difference between TACACS+ and RADIUS
Refer to Slide#18 CCNAS_3 PPT#2
Critical factors for RADIUS include:
Remote Authentication Dial-In User Service
-Uses RADIUS proxy servers for scalability
-Combines RADIUS authentication and authorization as one process
-Encrypts only the password
-Utilizes UDP
-Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)
What command is used to remove CBAC from the router?
Router(config)# no ip inspect
This command removes all CBAC commands, the state table, and all temporary ACL entries created by CBAC. It also resets all timeout and threshold values to their factory defaults.
ACL Placement
Standard ACLs are placed as close to the destination as possible. Extended ACLs are placed on routers as close as possible to the source of the traffic being filtered.
Steps to Configure a Reflexive ACL
Step 1. Create an internal ACL that looks for new outbound sessions and creates temporary reflexive ACEs.
Step 2. Create an external ACL that uses the reflexive ACLs to examine return traffic.
Step 3. Activate the named ACLs on the appropriate interfaces.
Steps to configuring AAA services to authenticate administrator access
Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.
What are the steps for configuring ZPF with the CLI?
Step 1. Create the zones for the firewall with the zone security command.
Step 2. Define traffic classes with the class-map type inspect command.
Step 3. Specify firewall policies with the policy-map type inspect command.
Step 4. Apply firewall policies to pairs of source and destination zones using the zone-pair security command.
Step 5. Assign router interfaces to zones using the zone-member security interface command.
Name the 4 steps of designing a ZPF
Step 1. Determine the zones
Step 2. Establish policies between zones
Step 3. Design the physical infrastructure
Step 4. Identify subsets within zones and merge traffic requirements
Steps to configure server-based authentication:
Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
Step 2. Specify the Cisco Secure ACS that will provide AAA services for the router. This can be a TACACS+ or RADIUS server.
Step 3. Configure the encryption key needed to encrypt the data transfer between the network access server and Cisco Secure ACS.
Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.
What are the four steps to configure CBAC?
Step 1. Pick an interface - internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.
Step 4. Apply an inspection rule to an interface.
Critical factors for TACACS+ include
Terminal Access Controller Access Control System Plus
-Is incompatible with its predecessors TACACS and XTACACS
-Separates authentication and authorization
-Encrypts all communication
-Utilizes TCP port 49
Step 3. Design the physical infrastructure
The administrator must design the physical infrastructure.
Server-based AAA Authentication
The server-based method uses an external database server resource that leverages RADIUS or TACACS+ protocols. Examples include Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express. If there are multiple routers, server-based AAA is more appropriate.
Step 4. Apply an inspection rule to an interface
This is the command syntax used to activate an inspection rule on an interface:
Router(config-if)# ip inspect inspection_name {in | out}
There are two guiding principles for applying inspection rules and ACLs on the router:
-On the interface where traffic initiates, apply the ACL in the inward direction that permits only wanted traffic and apply the rule in the inward direction that inspects wanted traffic
-On all other interfaces, apply the ACL in the inward direction that denies all traffic, except traffic that has not been inspected by the firewall, such as GRE and ICMP traffic that is not related to echo and echo reply messages
What is a Time-Based ACL?
Time-based ACLs allow for access control based on time. To implement time-based ACLs:
-Create a time range that defines specific times of the day and week.
-Identify the time range with a name and then refer to it by a function.
-The time restrictions are imposed on the function itself.
Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks
-Total number of half-opened TCP sessions
-Number of half-opened sessions in a time interval
-Number of half-opened TCP sessions per host
Authentication
Users and administrators must prove that they are who they say they are.
To configure command authorization, use the aaa authorization {network | exec | commands level} {default | list-name} method1...[method4] command. The service type can specify the types of commands or services:
-commands level - for EXEC (shell) commands
-exec - for starting an EXEC (shell)
-network - for network services (PPP, SLIP, ARAP)