Network Authentication and Security Chapter 4


Benefits of using a firewall in a network

-Exposure of hosts and applications to untrusted users can be prevented
-The protocol flow can be sanitized, preventing the exploitation of protocol flaws
-Malicious data can be blocked from servers and clients
-Security policy enforcement can be made simple, scalable, and robust
-Offloading most of the network access control to a few points in the network can reduce complexity

Types of Firewalls

-Packet filtering firewall
-Stateful firewall
-Application gateway firewall (proxy firewall)
-Network address translation (NAT) firewall

Traffic filtering

-Can be configured to permit specified TCP and UDP return traffic through a firewall when the connection is initiated from within the network
-It accomplishes this by creating temporary openings in an ACL that would otherwise deny the traffic

When an Application Layer attack is detected what actions can the Cisco IOS firewall take?

-Generate alert messages
-Protect system resources that could impede performance
-Block packets from suspected attackers

Network address translation (NAT) firewall

- A firewall that expands the number of IP addresses available and hides network addressing design.

Packet filtering firewall

- Typically is a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information.

What Technologies are used in a firewall?

-ACLs: standard, extended, numbered, and named ACLs
-Advanced ACLs: stateful firewall (ACLs with the established keyword), reflexive (dynamic) ACLs, time-based ACLs
-Zone-Based Firewall feature

Limitations of a firewall

-If misconfigured, a firewall can have serious consequences
-Data from many applications cannot be passed over firewalls securely
-Users might search for ways around the firewall, exposing the network
-Network performance can slow down
-Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall

The Cisco IOS zone-based policy firewall can take three possible actions when configured using CCP

-Inspect - Configures Cisco IOS stateful packet inspection. This action is equivalent to the CBAC ip inspect command. It automatically allows for return traffic and potential ICMP messages. For protocols requiring multiple parallel signaling and data sessions (for example, FTP or H.323), the inspect action also handles the proper establishment of data sessions.
-Drop - Analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
-Pass - Analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic. Pass allows the traffic only in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction.

Stateful firewall

-Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state
-Able to determine if a packet belongs to an existing flow of data
-Maintains a session table (state table) where all connections are tracked

What criteria does a packet filtering firewall permit or deny based on traffic?

-Source IP address
-Destination IP address
-Protocol
-Source port number
-Destination port number
-Synchronize/start (SYN) packet receipt

What do Dynamic ACLs depend on?

-Telnet connectivity
-Authentication (local or remote)
-Extended ACLs

Step 3. Define inspection rules

-The administrator must define inspection rules to specify which Application Layer protocols to inspect at an interface
-An inspection rule should specify each desired Application Layer protocol to inspect, as well as generic TCP, UDP, or ICMP, if desired

Implementation/Example of Dynamic ACL

-Users who want to traverse the router are blocked by the ACL until they use Telnet to connect to the router and are authenticated
-Users authenticate using Telnet, and the Telnet session is then dropped
-However, a single-entry dynamic ACL is added to the extended ACL that exists
-This permits traffic for a particular period; idle and absolute timeouts are possible

When to use Dynamic ACLs?

-When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet
-When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall

What does a Reflexive ACL do?

-Reflexive ACLs filter traffic based on source and destination addresses and port numbers
-Session filtering uses temporary filters that are removed when a session is over, adding a time limit on an attacker's window of opportunity
-They allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network
-The router examines the outbound traffic and, when it sees a new connection, adds an entry to a temporary ACL to allow replies back in

PIX Security Appliances (this product is now end of life)

-Standalone device that delivers robust user and application policy enforcement, multivector attack protection, and secure connectivity services
-Can scale to meet a range of requirements and network sizes

What four main functions does CBAC provide?

-Traffic filtering
-Traffic inspection
-Intrusion detection
-Generation of audits and alerts

Cisco IOS Firewall

An enterprise-class firewall for support of small and medium-sized business (SMB) and enterprise branch offices. Runs on a router.

Define the Layers of Defense in-Depth

-Endpoint security: Provides identity and device security policy compliance
-Perimeter security: Secures boundaries between zones
-Core network security: Protects against malicious software and traffic anomalies, enforces network policies, and ensures survivability
-Disaster recovery: Achieved with offsite storage and redundant architecture

Define a Firewall

Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources.

What is a Time-Based ACL?

Time-based ACLs allow for access control based on time. To implement time-based ACLs:
-Create a time range that defines specific times of the day and week
-Identify the time range with a name and then refer to it by a function
-The time restrictions are imposed on the function itself

Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks

-Total number of half-opened TCP sessions
-Number of half-opened sessions in a time interval
-Number of half-opened TCP sessions per host

Application gateway firewall (proxy firewall)

- A firewall that filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software.

What other things must be considered in an in depth defense besides firewalls?

-A significant number of intrusions come from hosts within the network. For example, firewalls often do little to protect against viruses that are downloaded through email
-Firewalls do not protect against rogue modem installations
-Firewalls do not replace backup and disaster recovery
-Firewalls are no substitute for informed administrators and users

Identify the ZPF Rules

-A zone must be configured before an interface can be assigned to it
-We can assign an interface to only one security zone
-If traffic is to flow between all interfaces in a router, each interface must be a member of a zone
-Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone
-To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone
-Traffic cannot flow between a zone member interface and any interface that is not a zone member
-We can apply pass, inspect, and drop actions only between two zones
-Interfaces that have not been assigned to a zone can still use a CBAC stateful packet inspection configuration
-If we do not want an interface to be part of the zone-based firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (also known as a dummy policy) between that zone and any other zone to which traffic flow is desired

What do dynamic ACLS do? and What is it also called?

-Also called a lock-and-key ACL
-Dynamic ACLs authenticate the user and then permit limited access through your firewall router for a host or subnet for a finite period

CBAC or ZPF?

-Both CBAC and zones can be enabled concurrently on a router, just not on the same interface
-For example, an interface cannot be configured as a security zone member and configured for IP inspection simultaneously

Generation of audits and alerts

-CBAC also generates real-time alerts and audit trails
-Real-time alerts send syslog error messages to central management consoles upon detecting suspicious activity

Intrusion detection

-CBAC provides a limited amount of intrusion detection to protect against specific SMTP attacks
-With intrusion detection, syslog messages are reviewed and monitored for specific attack signatures

What firewall solutions does Cisco Systems provide for network security professionals?

-Cisco IOS Firewall
-PIX Security Appliances (this product is now end of life)
-Adaptive Security Appliances

Adaptive Security Appliances

-Integrate firewall capabilities, Cisco Unified Communications (voice and video) security, Secure Sockets Layer (SSL) and IPsec VPN, IPS, and content security services
-Provide intelligent threat defense and secure communications services that stop attacks before they affect business continuity
-Designed to protect networks of all sizes

What is a Zone Based Policy Firewall?

-Interfaces are assigned to zones and then an inspection policy is applied to traffic moving between the zones
-A zone-based firewall allows different inspection policies to be applied to multiple host groups connected to the same router interface
-It also has the ability to prohibit traffic via a default deny-all policy between firewall zones

Step 1. Pick an interface - internal or external

-Internal and external refer to the direction of conversation
-The interface on which sessions can be initiated must be selected as the internal interface. Sessions that originate from the external interface will be blocked

Traffic inspection

-It inspects packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets
-CBAC can also be configured to drop half-open connections

What are some of the benefits of ZPF?

-It is not dependent on ACLs
-The router security posture is to block unless explicitly allowed
-Policies are easy to read and troubleshoot with C3PL
-One policy affects any given traffic, instead of needing multiple ACLs and inspection actions

If a threshold for the number of half-opened TCP sessions is exceeded, the firewall has two options:

-It sends a reset message to the endpoints of the oldest half-opened session, making resources available to service newly arriving SYN packets
-It blocks all SYN packets temporarily for the duration that the threshold value is configured. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources that valid connections need

Implementing CBAC is complex and can be overwhelming. Unlike ZPF, CBAC does not utilize any dedicated hierarchical data structures to modularize the implementation. CBAC has these limitations:

-Multiple inspection policies and ACLs on several interfaces on a router make it difficult to correlate the policies for traffic between multiple interfaces
-Policies cannot be tied to a host group or subnet with an ACL. All traffic through a given interface is subject to the same inspection
-The process relies too heavily on ACLs

Generic list that can serve as a starting point for firewall security policy

-Position firewalls at critical security boundaries
-It is unwise to rely exclusively on a firewall for security
-Deny all traffic by default, and permit only services that are needed
-Ensure that physical access to the firewall is controlled
-Regularly monitor firewall logs
-Practice change management for firewall configuration changes
-Firewalls primarily protect from technical attacks originating from the outside. Inside attacks tend to be nontechnical in nature

Common properties of a firewall

-Resistant to attacks
-The only transit point between networks (all traffic flows through the firewall)
-Enforces the access control policy

What does the TCP Established Keyword do?

-The TCP established keyword blocks all traffic coming from the Internet except for the TCP reply traffic associated with established TCP traffic initiated from the inside of the network
-The established keyword forces the router to check whether the TCP ACK or RST control flag is set
-If the ACK flag is set, the TCP traffic is allowed in. If not, it is assumed that the traffic is associated with a new connection initiated from the outside
-Not stateful

Step 4. Identify subset within zones and merge traffic requirements

For each firewall device in the design, the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones, resulting in a device-specific interzone policy.

Step 2. Establish policies between zones

For each pair of source-destination zones, the sessions that clients in source zones are allowed to open to servers in destination zones are defined. For traffic that is not based on the concept of sessions (for example, IPsec Encapsulating Security Payload [ESP]), the administrator must define unidirectional traffic flows from source to destination and vice versa.

Step 2. Configure IP ACLs at the interface

Guidelines for configuring IP ACLs on a Cisco IOS Firewall:
-Start with a basic configuration. A basic initial configuration allows all network traffic to flow from protected networks to unprotected networks while blocking network traffic from unprotected networks
-Permit traffic that the Cisco IOS Firewall is to inspect
-Use extended ACLs to filter traffic that enters the router from unprotected networks
-Set up antispoofing protection by denying any inbound traffic (incoming on an external interface) from a source address that matches an address on the protected network
-Deny broadcast messages with a source address of 255.255.255.255. This entry helps prevent broadcast attacks
-By default, the last entry in an ACL is an implicit denial of all IP traffic that is not specifically allowed by other entries in the ACL

What is TCP Established?

The first-generation IOS traffic filtering solution, introduced in 1995, was based on the TCP established keyword for extended IP ACLs.

What does Context-based access control (CBAC) do?

Intelligently filters TCP and UDP packets based on Application Layer protocol session information.
-It provides stateful Application Layer filtering, including protocols that are specific to unique applications, as well as multimedia applications and protocols that require multiple channels for communication
-Monitors TCP connection setup
-Tracks TCP sequence numbers
-Monitors UDP session information
-Inspects DNS queries and replies
-Inspects common ICMP message types
-Supports applications that rely on multiple connections
-Inspects embedded addresses
-Inspects Application Layer information

Step 1. Determine the Zones: Define

Internetworking infrastructure under consideration is split into well-documented separate zones with various security levels

TCP Established Example

R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in

What command is used to remove CBAC from the router?

Router(config)# no ip inspect

This command removes all CBAC commands, the state table, and all temporary ACL entries created by CBAC. It also resets all timeout and threshold values to their factory defaults.

ACL Placement

Standard ACLs are placed as close to the destination as possible. Extended ACLs are placed on routers as close as possible to the source of the traffic being filtered.

Steps to Configure a Reflexive ACL

Step 1. Create an internal ACL that looks for new outbound sessions and creates temporary reflexive ACEs.
Step 2. Create an external ACL that uses the reflexive ACLs to examine return traffic.
Step 3. Activate the named ACLs on the appropriate interfaces.

What are the steps for configuring ZPF with the CLI?

Step 1. Create the zones for the firewall with the zone security command.
Step 2. Define traffic classes with the class-map type inspect command.
Step 3. Specify firewall policies with the policy-map type inspect command.
Step 4. Apply firewall policies to pairs of source and destination zones using the zone-pair security command.
Step 5. Assign router interfaces to zones using the zone-member security interface command.

Name the 4 steps of designing a ZPF

Step 1. Determine the zones
Step 2. Establish policies between zones
Step 3. Design the physical infrastructure
Step 4. Identify subsets within zones and merge traffic requirements

What are the four steps to configure CBAC?

Step 1. Pick an interface - internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.
Step 4. Apply an inspection rule to an interface.

Step 3. Design the physical infrastructure

The administrator must design the physical infrastructure.

Step 4. Apply an inspection rule to an interface

This is the command syntax used to activate an inspection rule on an interface:

Router(config-if)# ip inspect inspection_name {in | out}

There are two guiding principles for applying inspection rules and ACLs on the router:
-On the interface where traffic initiates, apply the ACL in the inward direction that permits only wanted traffic and apply the rule in the inward direction that inspects wanted traffic
-On all other interfaces, apply the ACL in the inward direction that denies all traffic, except traffic that has not been inspected by the firewall, such as GRE and ICMP traffic that is not related to echo and echo reply messages
