Ch.4 Implementing Firewall Tech

ID zone-pair and matchto a policy

s to identify a zone pair and associate that zone pair to a policy-map. Figure 2 shows the command syntax. Create a zone-pair with the zone-pair security command. Then use the service-policy type inspect command to attach a policy-map and its associated action to the zone-pair.

Benefits of ZPF

two config for cisco ios firewals,. classic firewall zpf - new config mode where interfaces are assigned to security zones and firewall policy is applied to traffic moving between zones. Mian reason to move to zpf is structure and eas e of use, structred appracoh is useful for documentation and comms., and makes network security easier to implement. Benefits of zpf - not dependent on acls - router security postrue is block unless allowed. - polcies are easier to read and TS with tghe cisco common classification policy. (C3PL) it is a structured method to make traffic policies based on events , conditions, and actions. can be scaled by one policy. both classic firewall and zpf can be enabled at the same time.

Define the ACtion

use policy map to find what action should be taken for traffic that is a member of class. aciton is specific function associated with traffic class

classic firewall config

1. choose external and internal interfaces. 2. config clas for each interface. 3. define inspection rules. - fwrule specs that raffice will be inspected for ssh connections. 4. apply an inspection rule to an interface.

Zpf Design

1. determine zones - admin seperates the nework into zones. 2. establish policies between zones. 3. design physical infrastructure. admin must account for physcial sycruty and avialbable reqs when designing the physcial infrastructure. 4. ID subset within zones and merge traffic reqs. must id subsets connected to its interfaces and merge the traffic. rqs.

ACL config guidelines

An ACL is made up of one or more access control entries (ACEs) or statements. When configuring and applying an ACL, be aware of the guidelines summarized in the figure.

Assign Zones to Interfaces

Associating a zone to an interface will immediately apply the service-policy that has been associated with the zone. If no service-policy is yet configured for the zone, all transit traffic will be dropped. Use the zone-member security comman

Benefits and limits of firewalls

Benefits - prevent expsoure of sensitive hosts, resources, and apps to unstrustsed users. sanaitize protocol flow, stops exploitation of prots. block malicious data reduce securty managment complexity. offlad msot of network access contro lto a few firewalls in the newrok. Limits misconfig Fws can cause issues and become single point of failure. data from alot of apps cant go thorugh fiewalls securely. users might proacitvely search for ways around the firewall. netowrk perofrmance slows down unaothorized traffic can be tuneled.

Firewalls

Firewalls are resistant to attacks. Firewalls are the only transit point between networks because all traffic flows through the firewall. Firewalls enforce the access control policy. Stateless filtering - inspects packets, and if they match the rules, they are permited tthorugh, each packet is filterd based on values of certain parameters. Similar to acls. Stateful firewall - s able to determine if a packet belongs to an existing flow of data. Static rules, as in packet filter firewalls, are supplemented with dynamic rules created in real time to define these active flows. Stateful firewalls help to mitigate DoS attacks that exploit active connections through a networking device.

Next Gen firewalls

Goes beyond stateful firewalls Granular identification, visibility, and control of behaviors within applications Restricting web and web application use based on the reputation of the site Proactive protection against Internet threats Enforcement of policies based on the user, device, role, application type, and threat profile Performance of NAT, VPN, and stateful protocol inspection (SPI) Use of an integrated intrusion prevention system (IPS)

Ohter firewall implementing methods

Host-based (server and personal) firewall - A PC or server with firewall software running on it. Transparent firewall - Filters IP traffic between a pair of bridged interfaces. Hybrid firewall - A combination of the various firewall types. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.

Rules for transit traffic

If neither interface is a zone member, then the resulting action is to pass the traffic. If both interfaces are members of the same zone, then the resulting action is to pass the traffic. If one interface is a zone member, but the other is not, then the resulting action is to drop the traffic regardless of whether a zone-pair exists. If both interfaces belong to the same zone-pair and a policy exists, then the resulting action is inspect, allow, or drop as defined by the policy.

ZPF actions

Inspect - Performs Cisco IOS stateful packet inspection. Drop - Analogous to a deny statement in an ACL. A log option is available to log the rejected packets. Pass - Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.

firewall types

Packet filtering firewall - Typically a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information (Figure 1). Stateful firewall - Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state (Figure 2). Application gateway firewall (proxy firewall) - Filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software (Figure 3). When a client needs to access a remote server, it connects to a proxy server. The proxy server connects to the remote server on behalf of the client. Therefore, the server only sees a connection from the proxy server.

ZPF config considerations

The router never filters the traffic between interfaces in the same zone. An interface cannot belong to multiple zones. To create a union of security zones, specify a new zone and appropriate policy map and zone pairs. ZPF can coexist with Classic Firewall although they cannot be used on the same interface. Remove the ip inspect interface configuration command before applying the zone-member security command.

Verify ZPF config

Verify a ZPF configuration by viewing the running configuration, as shown in Figure 1. Notice that the class-map is listed first. Then the policy-map makes use of the class-map. Also, notice the highlighted class class-default that will drop all other traffic that is not a member of the HTTP-TRAFFIC class.

Access control List

admins use to define and control classes of ttaffic on network devices to meet a set of security requirements. can be for layers 2-4 and 7 could be defined by number which range from 200-299 an acl in 700 - 799 range indicates the traff is classifed and controlled based on mac add. most acls use ipv4 or 6 and tcp/udp ports. standard and extended ipvr acls can be named or numberd. v6 must use names.

Create the zone

before making the zones ask What interfaces should be included in the zones? What will be the name for each zone? What traffic is necessary between the zones and in which direction?

applyin acl

can apply to interface or vty lines. log parameter messsges are sent when first packet match and then at fice minute intervals. show access-list to see how many packets have matched a statment. enable log on cisco router will affect performance, only use when net is under attack Applying ACLs to interfaces and lines is just one of the many possible uses. ACLs are also an integral part of other security configurations, such as zone-based firewalls, intrusion prevention systems, and virtual private networks.

mitigating snmp exploits

can be mitigated by adding interface acles to filter snmp packets form non authorized systems. but the an exploit may still be possible if the packet has been sourced from a spoofed IP address. Best features to mitigate is to disable snmp server on ios device use the no snmp-server to disable.

Editing existing ACLS

default is have numbering in increments of 10. and assigned to each ACE, after made ace can be edited, using the seqeunce numbers, can use to delete or add specifics. if not sequences, router atuo places entry at bototm of list and assigns an approp sequence number.

allowing needed traffic through firewall

effective strat to limit attacks is to explicitly permit only certin types of traffic. DNS, FTP, SMTP all need ot go thorugh firewalls. common to permit admins to remote acces thorugh firewalls. ssh, syslog, SNMP are exapmples of services the router may neeed to inlcude.

extnded acl config

extended acls- match based on layer 3 and 4 soruce and destin info. layer 4 incldues tcp, udp port info. beter flexibiliyt and control.

demilitarized zone

firewall design, one inside interface and one outside interface and one dmz interface. 1. traff from PriN is checked as it goes to public network, and allowed iwth little to no restrictions. inspected traff from the dmz or pubnet is permited. 2. traff from dmz and travelling to privnet is usually blocked. 3. traff from dmz going ot pubnet is selectibley permited based on service reqs. 4. traff from pubnet and going to dmz is selecgtibely permitted and inspected. traff type - dns http https. returning traff from dmz to pubnet is dynamically permitted. 5. traff from pub net and going to privnet is blocked.

Mitigating ICMP abuse.

hackers use ICMP echo packets to find subents and hosts on protected networks. they can rediret messages to alter host routing tables. icmp ehco and redirect should be blocked by inbound. icmp messages that hsould be alloed Echo reply - Allows users to ping external hosts. Source quench - Requests that the sender decrease the traffic rate of messages. Unreachable - Generated for packets that are administratively denied by an ACL. server icmps are needed for proper netowrk ops and should be allowed ot exit. Echo - Allows users to ping external hosts. Parameter problem - Informs the host of packet header problems. Packet too big - Enables packet maximum transmission unit (MTU) discovery. Source quench - Throttles down traffic when necessary. a rule is to blocka ll other icmp messages that are outbound.

config ipv6

has implicit deny ipv6 any and has implicit rules to enable ipv6 neighbor discovery. needs NA and NS if you config with deny ipv6 any without any other rules itll deny all ndps.

Configure ZPF

he sequence of steps is not required. However, some configurations must be completed in order. For instance, you must configure a class-map before you assign a class-map to a policy-map. Similarly, you cannot assign a policy-map to a zone-pair until you have configured the policy. If you try to configure a section that relies on another portion of the configuration that you have not yet configured

IPV6 acls

ipv4 designed iwth out security, device romaing, qos, and address scalability. attackes can leverage ipv4 to exploit ipv6 dual stacks. attackers can acccess using stealth attacks like turst exploition in dual stacked hosts, rogue NDP messgaes, and tunneling techinques like teredo tunneling. compromised hosts send rogue router adverts, this triggers the the dual stack to get an ipv6 addres.

Id traffic

is to use a class-map to identify the traffic. A class is a way of identifying a set of packets based on its contents using "match" conditions. Typically, you define a class so that you can apply an action to the identified traffic that reflects a policy. A class is defined with class-maps.

Classic Firewall operation

makes temp openings for traffic to return , make as inspected traf leaves netwprk.

Antispoofing ACL

mitigate netowrk threats like IP spoofing which most DOS attacks use. Ip spoofing is changing the normal packet making process and inserts a custom header iwth a diffierent source IP address. Well known classes of IP address that should never be a source IP address. example serial cord is attached to internet, inbound packets should never have all zeros broadcast addresses local host addressses(172.0.0.0/8) reserved private address (rfc 1918) ip multicast addres range (224.0.0.0/4)

STatfule firewalls

most versaitle, and most common firewall tech. give info by using connection info maintianed in a state table. The firewall examines information in the headers of Layer 3 packets and Layer 4 segments. For example, the firewall looks at the TCP header for synchronize (SYN), reset (RST), acknowledgment (ACK), finish (FIN), and other control codes to determine the state of the connection. Benefits - prmiary means of defense by fultering unwanted trafic strengthen packet filtering by providing more stringent control over security. Stateful firewalls improve performance over packet filters or proxy servers. Stateful firewalls defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source. Stateful firewalls provide more log information than a packet filtering firewall. limits Stateful firewalls cannot prevent Application Layer attacks because they do not examine the actual contents of the HTTP connection. Not all protocols are stateful. For example, UDP and ICMP do not generate connection information for a state table, and, therefore, do not garner as much support for filtering. It is difficult to track connections that use dynamic port negotiation. Some applications open multiple connections. This requires a whole new range of ports that must be opened to allow this second connection.

SEquencing nmber and standard ACLs

on standard ACLs cisco gives logic ot the interface, to config aces and veirfy acls, host statements with spceificed ipv4 adds are listed first. the ios puts host statemnts in a cerain order by a hashing function. this helps make the order the best it can be. not necessaryily in order of ipv4 adds.

Classic Firewalls

ormerly known as context-based access control (CBAC), is a stateful firewall feature added to the Cisco IOS prior to version 12.0. Classic Firewall provides four main functions: traffic filtering (shown in the figure), traffic inspection, intrusion detection, and generation of audits and alerts. Classic Firewall can also examine supported connections for embedded NAT and Port Address Translation (PAT) information and perform the necessary address translations. Classic Firewall can block peer-to-peer (P2P) connections, such as those used by the Gnutella and KaZaA applications. Instant messaging traffic, such as Yahoo!, AOL, and MSN, can be blocked.

Inside and Outside networks

outside network is the internet, and is untrusted and the private network is the inside, trusted usually fws with 2 interfaces are configed as follows 1. Traffic from the private net is permited and instpect on its way out. and traffic returning from the internet is inspected and permitted. 2. traffic orignate from public net andtravelling to priavte net is blocked.

Rules for Traffic to the Self Zone

self zone is the router the rules depend on whether the router is the source or the destination of the traffic the router is the source or the destination, then all traffic is permitted. The only exception is if the source and destination are a zone-pair with a specific service-policy. In that case, the policy is applied to all traffic.

ipv6 acl syntax

similar to v4 acls, lets filtering based upon source and destin addresses traveling inbound and outbound. to config ipv6 access-list to enter intov6 acl. apply acl to an interface with ipv6 traffic-filter

config numbered and named acls.

squential list of permit or deny statemetns caled aces. created to filter traf based on criteria - source add, destin add, protocol, nad port numbers. standard ACLs- match packets by soruce P in header. used to filter packets based on only layer 3 extended acls- match based on layer 3 and 4 soruce and destin info. layer 4 incldues tcp, udp port info. beter flexibiliyt and control.

id traffic syntax

syntax for the class-map command. There are several types of class-maps. For a ZPF configuration, use the inspect keyword to define a class-map. Determine how packets are evaluated when multiple match criteria exist. Packets must meet one of the match criteria (match-any) or all of the match criteria (match-all) to be considered a member of the class.

Layered Defense

uses diff tpes of Fws that combined in layers to add depth to security of an org. layered defnese is not the only approach Firewalls typically do not stop intrusions that come from hosts within a network or zone. Firewalls do not protect against rogue access point installations. Firewalls do not replace backup and disaster recovery mechanisms resulting from attack or hardware failure. Firewalls are no substitute for informed administrators and users.

ZPF

uses zones to give more flex, zone is a gorup of one or more interfaces that have sim funcitons or features. they help specify where firewalls should go. ex lan 1 and 2 can be goruped into a zone for Fw config. default traff between ints in the zone is not subject to any polic yand passes freely. all zone to zone traff is blocked. self zone is router itself and includs all router interface ip addresses. self zone includs managemnt and control plane traff like ssh, snmp and routing prots.

Packet filtering firewall bens and lmits

usually part of a router firewall. benefits - Packet filters implement simple permit or deny rule sets. Packet filters have a low impact on network performance. Packet filters are easy to implement, and are supported by most routers. Packet filters provide an initial degree of security at the network layer. Packet filters perform almost all the tasks of a high-end firewall at a much lower cost. limits - suspectible to ip spoofing, tas send arbitrary packets that meet acl critera and pass through filter. - dont reliabliy filter packets. all fragments afte rthe fist are passed autmoaticlaly. - used complex acls and can be diffult to make and maintain. cannt dynamically filter certain services. - are statelss examine each pacekt indivually rahter than in the context of hte state of connectin.