Implementation
Firewall technology
ITE PC v4.1
Chapter 1 2007 2010, Cisco Systems, Inc. All rights reserved. Cisco Public 1
Chapter 4: Course objective
In this chapter you will:
Configure standard and extended IPv4 ACLs using CLI.
Explain how Zone-Based Policy Firewalls are used to help secure a network.
4.4 Summary
Configuring Standard and Extended IPv4 ACLs with CLI
Introduction to Access Control Lists
Access Control Lists (ACLs) are a form of packet filtering: packets are permitted or dropped based on the conditions specified in the created access list.
Protocol Type
Log messages are generated on the first packet match and then at
five-minute intervals after that first packet match.
Order of statements
ACLs have a policy of first match; when a statement is matched, the list is
no longer examined.
Ensure that statements at the top of the ACL do not negate any
statements found lower.
Place specific ACL statements higher in the ACL and more general
statements near the end.
Configuring Standard and Extended IPv4 ACLs with CLI
Access Control Entry Rules (Cont.)
Directional filtering
ACLs can be applied to inbound packets (toward the interface) or
outbound packets (away from the interface).
Double-check the direction of data that an ACL is filtering.
Special packets
Router-generated packets, such as routing table updates, are not subject
to outbound ACL statements on the source router.
If the security policy requires filtering these types of packets, inbound
ACLs on adjacent routers or other router filter mechanisms must be used.
The access list is edited, adding a new ACE and replacing ACE line 20:
Outbound traffic refers to traffic that entered the router and has
been processed by the router to determine where to forward that
data.
Placing standard ACLs that are too close to the source can deny
valid traffic.
Placing extended ACLs too far from the source is inefficient use
of network resources.
New entries are added to an ACL, and are always added to the bottom.
Starting with Cisco IOS 12.3, sequence numbers can be used to edit an
ACL.
The access list has been edited: a new ACE is added and ACE line 20 is replaced.
The access list has been edited: a new ACE is added that permits a specific IP address.
Block all traffic coming from the Internet except for the TCP reply traffic associated with established TCP sessions initiated from the inside network.
A set ACK or RST bit indicates that the packet is not the first in the session and therefore belongs to an established session.
R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in
Unlike the TCP Established feature, which uses only the ACK and RST bits, reflexive ACLs filter traffic based on source and destination addresses and port numbers.
Also, reflexive access lists do not have the usual implicit deny-all statement at the end of the list, because of the nesting.
Configuring TCP Established and Reflexive ACLs
Reflexive ACLs (cont.)
Reflexive access lists do not work with some applications that use port numbers that change during a session. For example, if the port numbers for a return packet are different from the originating packet, the return packet will be denied, even if the packet is actually part of the same session.
The TCP application of FTP is an example of an application with changing port numbers. With reflexive access lists, if you start an FTP request from within your network, the request will not complete. Instead, you must use Passive FTP when originating requests from within your network.
This entry is added to the reflexive access list, which applies to inbound traffic. The temporary entry has the following characteristics:
The entry is always a permit entry.
The entry specifies the same protocol (TCP) as the original outbound TCP packet.
The entry specifies the same source and destination addresses as the original outbound TCP packet, except the addresses are swapped (they swap places because, for the inbound traffic, the source address is the destination address and vice versa).
The entry specifies the same source and destination port numbers as the original outbound TCP packet, except the port numbers are swapped.
(This entry characteristic applies only for TCP and UDP packets. Other protocols, such as ICMP and IGMP, do not have port numbers, and other criteria are specified. For example, for ICMP, type numbers are used instead.)
Temporary Access List Entry Characteristics
Inbound TCP traffic is evaluated against the created temporary reflexive access list and its entry for as long as that entry exists in the list.
You can specify the timeout for a particular reflexive access list when you
define the reflexive access list.
But if you do not specify the timeout for a given reflexive access list, the list will
use the global timeout value instead.
The global timeout value is 300 seconds by default. But, you can change the
global timeout to a different value at any time.
To change the global timeout value, use the following command in global
configuration mode:
R3(config-ext-nacl)# evaluate tcptraffic
R3(config-ext-nacl)# exit
Comment: Notice that the reflexive access list does not appear in this output. This is because before any TCP sessions have been initiated, no traffic has triggered the reflexive access list, and the list is empty (has no entries). When empty, reflexive access lists do not show up in show access-list output.
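The temporary-entry rules and the timeout behaviour described above, as an added Python model (not code from the slides or from Cisco): an outbound TCP/UDP packet creates a permit entry with addresses and ports swapped, inbound packets are checked first-match against the live entries, and an empty or expired list falls through to the outer ACL's deny. The hosts 192.168.1.10 and 172.16.1.254 and the ports are constructed sample values.

```python
from collections import namedtuple

GLOBAL_TIMEOUT = 300  # seconds; the default global reflexive timeout

# An IP packet reduced to the 5-tuple a reflexive entry is built from.
Pkt = namedtuple("Pkt", "proto src sport dst dport")
# A temporary permit entry: the inbound 5-tuple it matches and its expiry time.
TempEntry = namedtuple("TempEntry", "match expires")

def reflect(out_pkt, now, timeout=GLOBAL_TIMEOUT):
    """Build the temporary permit entry for an outbound TCP/UDP packet: same
    protocol, source/destination addresses and ports swapped. ICMP/IGMP have no
    ports (they would need type-based criteria), so they are rejected here."""
    if out_pkt.proto not in ("tcp", "udp"):
        raise ValueError("port swapping applies only to TCP/UDP")
    swapped = Pkt(out_pkt.proto, out_pkt.dst, out_pkt.dport, out_pkt.src, out_pkt.sport)
    return TempEntry(swapped, now + timeout)

def evaluate(entries, in_pkt, now):
    """First-match check of an inbound packet against the live entries. Expired
    entries are purged first; no match falls through to the outer extended ACL,
    whose implicit deny is modelled as 'deny'."""
    entries[:] = [e for e in entries if e.expires > now]
    for e in entries:
        if e.match == in_pkt:
            return "permit"
    return "deny"

def ftp_demo():
    """Active-mode FTP through a reflexive ACL (constructed sample addresses):
    the reply on the control connection is permitted, the server-initiated data
    connection on different ports is denied, and a reply after the timeout is
    denied as well."""
    inside, server = "192.168.1.10", "172.16.1.254"
    entries = [reflect(Pkt("tcp", inside, 40000, server, 21), now=0)]
    control_reply = Pkt("tcp", server, 21, inside, 40000)
    data_conn = Pkt("tcp", server, 20, inside, 40001)
    return {
        "control_reply": evaluate(entries, control_reply, now=1),
        "active_data": evaluate(entries, data_conn, now=2),
        "late_reply": evaluate(entries, control_reply, now=GLOBAL_TIMEOUT + 1),
    }
```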
So, you cannot create a nice summary range for them. You also need to
permit both web and email traffic to these 15 servers.
Defining Firewalls
Generally speaking, the role of a firewall is to separate two entities, controlling in a specific way the access between those entities, i.e. networks.
In most cases, commercial firewalls can filter packets, inspect content at the application layer, perform stateful packet filtering and NAT, and provide AAA functions and VPN (virtual private network) services.
A good example of such a device is the Cisco Adaptive Security Appliance (ASA), which is a dedicated, complex firewall appliance.
Many of the features listed above can be implemented in software in the IOS of routers whose licenses, memory and CPU can support it.
A dedicated firewall appliance is considered a device that can provide better security in a computer network, which is why it is preferred over implementing the firewall in software on a router.
The defense-in-depth approach recommends implementing the security features listed above on multiple devices in the network.
Securing Networks with Firewalls
Defining Firewalls
Cisco has implemented some form of
firewall protection in their IOS for many years.
Stateful Firewall
NAT Firewall
Restricting web and web application use based on the reputation of the site
Enforcement of policies based on the user, device, role, application type, and threat profile
Use of an IPS
Zone-Based Policy Firewall Characteristics
Zone-Based Policy Firewalls
The Zone-Based Policy Firewall concept involves the administrator creating zones, logical areas in which all devices have the same level of trust. For example, a DMZ zone is created in which all of an organization's DMZ devices are placed.
Application inspection.
Packet filtering.
URL filtering.
A transparent firewall is implemented at Layer 2 but can still perform analysis of traffic at Layer 3 and
higher.
VRFs are virtual routing tables on a Cisco router that can be used to compartmentalize (divide into discrete sections or categories) the routing tables on the router instead of keeping all the routes in the global (primary) routing tables.
Zone-Based Policy Firewall Characteristics
Zone-Based Policy Firewalls Cont.
Zone-Based Policy Firewalls do not depend on access lists.
For all interfaces assigned to the same zone, traffic between those interfaces is permitted by default.
If traffic is to be allowed between two zones (for example between the inside zone, i.e. the interface assigned to the inside zone, and the outside zone, i.e. the interface through which the connection to the Internet is made), a policy for traffic between those two zones must be created. In other words, a zone pair is formed for the desired policy.
Then they would assign the inside interface to the inside zone, and
the outside interface to the outside zone.
A zone pair identifying traffic from the inside to the outside would
have the policy applied to it, letting it know that the stateful inspection
should be done.
Class maps:
Class maps are used to identify the traffic that needs to be monitored and inspected. The traffic that can be monitored and identified is traffic at Layers 3 through 7 of the OSI model (including Layer 7, the application layer). A class map can also include access control lists (ACLs) to identify traffic, or even call another class map.
A class map can have multiple match statements (conditions for checking and identification). A class map can specify that all match statements must match (a match-all condition). In addition, a class map can specify that matching any one of the listed statements is considered sufficient to identify the traffic (a match-any condition).
A system-defined class map named class-default can be used that represents all traffic not matched in a more specific (administratively configured) class map.
Zone-Based Policy Firewall Characteristics
Putting the Pieces Together
Cisco uses the Cisco Common Classification Policy Language (C3PL) to implement policies on the firewall. This process consists of three basic components:
Policy maps:
A policy map defines the actions to be taken on the traffic that was previously identified with the help of class maps.
Policy maps call on class maps for the classification of traffic.
Policy maps with multiple sections are processed in the previously defined order.
The primary actions that can be implemented with a policy map are: inspect (which means that stateful inspection should happen), permit (which means that traffic is permitted but not inspected), drop, or log.
Pass
Analogous to a permit statement in an ACL.
It does not track the state of connections or sessions within the traffic (traffic is
permitted but not inspected).
Pass allows the traffic only in one direction.
A corresponding policy must be applied to allow return traffic to pass in the opposite
direction.
Drop
Analogous to a deny statement in an ACL.
A log option is available to log the rejected packets.
Zone-Based Policy Firewall Characteristics
Putting the Pieces Together
A zone-pair that includes the self zone and associated policy, applies
to router generated or traffic destined to the router. It does not apply to
traffic traversing the router.
A policy can be defined using the self zone as either the source or the
destination zone.
The self zone is a system-defined zone.
Table 15-3 describes the flow of traffic routed between interfaces in different zones, depending on the ZBF configuration.
Ingress refers to a packet arriving at a router interface, while egress refers to a packet sent out of a router interface.
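The zone-pair rules, the match-any/match-all class maps, the ordered policy map with class-default, and the self zone described above, as an added Python model (not code from the slides or from Cisco IOS): same-zone traffic is allowed by default, traffic between different zones needs a zone pair with a policy, and the first matching class in that policy decides the action. The interface names, zones and flows are constructed sample values; the default behaviour of the self zone when no zone pair exists is deliberately left unmodelled.

```python
SELF = "self"                      # system-defined zone for the router itself
CLASS_DEFAULT = ("match-all", [])  # matches all leftover traffic: all([]) is True

def classify(class_map, flow):
    """class_map = (mode, [(attribute, value), ...]); mode is 'match-all'
    (every entry must match) or 'match-any' (one matching entry is enough)."""
    mode, entries = class_map
    hits = [flow.get(attr) == value for attr, value in entries]
    return all(hits) if mode == "match-all" else any(hits)

def zbf_action(zones, zone_pairs, flow):
    """zones: interface -> zone; zone_pairs: (src_zone, dst_zone) -> policy map,
    a list of (class_map, action) processed in order. flow['in_if'] / ['out_if']
    is None for traffic generated by / destined to the router (self zone)."""
    src_zone = SELF if flow["in_if"] is None else zones[flow["in_if"]]
    dst_zone = SELF if flow["out_if"] is None else zones[flow["out_if"]]
    if src_zone == dst_zone and src_zone != SELF:
        return "permit"          # interfaces in the same zone: allowed by default
    policy = zone_pairs.get((src_zone, dst_zone))
    if policy is None:           # no zone pair: not allowed between different zones
        return "drop" if SELF not in (src_zone, dst_zone) else "no-policy"
    for class_map, action in policy:
        if classify(class_map, flow):
            return action        # first matching class wins
    return "drop"                # only reached if the policy lacks class-default

def demo():
    """Constructed topology: g0/0 and g0/2 in zone inside, g0/1 in zone outside."""
    zones = {"g0/0": "inside", "g0/1": "outside", "g0/2": "inside"}
    telnet_or_icmp = ("match-any", [("app", "telnet"), ("app", "icmp")])
    ssh = ("match-all", [("app", "ssh")])
    zone_pairs = {
        ("inside", "outside"): [(telnet_or_icmp, "inspect"), (CLASS_DEFAULT, "drop")],
        ("outside", SELF): [(ssh, "drop"), (CLASS_DEFAULT, "pass")],
    }
    flows = {
        "icmp_in_to_out": {"in_if": "g0/0", "out_if": "g0/1", "app": "icmp"},
        "http_in_to_out": {"in_if": "g0/0", "out_if": "g0/1", "app": "http"},
        "same_zone": {"in_if": "g0/0", "out_if": "g0/2", "app": "http"},
        "out_to_in_unpaired": {"in_if": "g0/1", "out_if": "g0/0", "app": "http"},
        "ssh_to_router": {"in_if": "g0/1", "out_if": None, "app": "ssh"},
        "icmp_to_router": {"in_if": "g0/1", "out_if": None, "app": "icmp"},
    }
    return {name: zbf_action(zones, zone_pairs, f) for name, f in flows.items()}
```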
In this example, this class map will match on either Telnet traffic or any type of ICMP traffic.
Slide callouts (translated):
The command that creates the class map defines the type of traffic that will then be monitored.
match-any specifies that it is enough for just one of the several listed traffic types to be detected for the policy map to be activated; this part of the command applies when several traffic types are listed.
The match statements define the traffic types that must be detected in order to activate the policy map.
The R3(config-cmap)# prompt is the specialized configuration mode of the created class map, in which it is further configured.
R3(config-cmap)# exit
R3(config-pmap-c)# inspect
R3(config-pmap-c)# exit
R3(config-pmap)# exit
The rest of the configuration listing (the class-map, policy-map, zone, zone-pair and interface commands) did not survive the extraction; only the exit lines of the R3(config-sec-zone)#, R3(config-sec-zone-pair)# and R3(config-if)# prompts remained.
Define traffic classes. These are used to identify traffic, such as traffic
that should be inspected. Traffic can be matched based on Layer 3
through Layer 7 of the OSI model, including application-based
matching.
class-map type inspect
Specify firewall policies. These are the actions that should be taken
on the traffic. Policy maps call on the class maps for the classification of
traffic. Policy maps with multiple sections are processed in order.
policy-map type inspect