0999_03F8_c2 NW98_US_407
Agenda
Motivation
Threats and Attacks
Business Need
Design Implementation
Cisco Solutions
Security Threats
Loss of Privacy (figure: a telnet login to foo.bar.org, "username: dan", "password: m-y-p-a-s-s-w-o-r-d", read off the wire character by character)
Impersonation
Denial of Service (figure label: CPU)
Loss of Integrity (figure: a customer's "Deposit $1000" to the bank altered in transit to "Deposit $100")
Common Attacks
Routing attacks
Wiretapping
Active content
ICMP attacks
Password Cracking
Teardrop 2
The first fragment starts at offset 0 and the second fragment's offset falls within the TCP header carried by the first, so the two fragments overlap.
Land
A SYN packet whose source address and port are the same as its destination address and port.
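The two malformed-packet patterns above are easy to recognise once the relevant header fields are in hand. The following Python script is an added example for detection, not code from the presentation: `is_land` checks a TCP SYN for identical source and destination address/port, and `FragmentTracker` remembers the byte ranges already seen for each datagram and flags a fragment that overlaps them (the Teardrop case, where the second fragment starts inside the first). The `Packet` records and `SAMPLE` traffic are constructed for the example, not captured.

```python
"""Detection logic for the two malformed-packet attacks described above:
Land (a SYN whose source address and port equal its destination) and
teardrop-style overlapping IP fragments.  Added example, not code from the
presentation; packets are constructed records, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                                  # "tcp" or "udp"
    src_port: int = 0
    dst_port: int = 0
    flags: set = field(default_factory=set)     # TCP code bits, e.g. {"SYN"}
    ip_id: int = 0                              # IP identification (shared by fragments)
    frag_offset: int = 0                        # fragment offset in bytes
    payload_len: int = 0
    more_fragments: bool = False                # IP "more fragments" bit


def is_land(pkt):
    """Land: a TCP SYN with identical source and destination address and port."""
    return (pkt.proto == "tcp" and "SYN" in pkt.flags
            and pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port)


class FragmentTracker:
    """Track the byte ranges already delivered for each datagram and flag a
    fragment whose range overlaps one of them (Teardrop's second fragment
    starts inside the bytes the first one already covered)."""

    def __init__(self):
        self.ranges = defaultdict(list)

    def overlaps(self, pkt):
        if not pkt.more_fragments and pkt.frag_offset == 0:
            return False                        # not a fragment at all
        key = (pkt.src_ip, pkt.dst_ip, pkt.ip_id)
        start, end = pkt.frag_offset, pkt.frag_offset + pkt.payload_len
        for seen_start, seen_end in self.ranges[key]:
            if start < seen_end and seen_start < end:
                return True
        self.ranges[key].append((start, end))
        return False


def classify(packets):
    """Return (index, finding) pairs for every suspicious packet, in order."""
    tracker = FragmentTracker()
    findings = []
    for i, pkt in enumerate(packets):
        if is_land(pkt):
            findings.append((i, "land"))
        if tracker.overlaps(pkt):
            findings.append((i, "overlapping-fragment"))
    return findings


# Constructed sample traffic: a Land packet, a teardrop-style fragment pair,
# a benign fragment pair and an ordinary SYN.
SAMPLE = [
    Packet("10.1.1.1", "10.1.1.1", "tcp", 23, 23, {"SYN"}),
    Packet("192.0.2.9", "10.1.1.1", "udp", ip_id=1, frag_offset=0,
           payload_len=36, more_fragments=True),
    Packet("192.0.2.9", "10.1.1.1", "udp", ip_id=1, frag_offset=8,
           payload_len=16),                     # starts inside the first fragment
    Packet("192.0.2.9", "10.1.1.1", "udp", ip_id=2, frag_offset=0,
           payload_len=36, more_fragments=True),
    Packet("192.0.2.9", "10.1.1.1", "udp", ip_id=2, frag_offset=36,
           payload_len=24),                     # continues exactly where the first ended
    Packet("10.1.1.5", "10.1.1.1", "tcp", 4005, 23, {"SYN"}),
]

if __name__ == "__main__":
    for index, finding in classify(SAMPLE):
        print(f"packet {index}: {finding}")
```

The overlap test is deliberately strict: any byte already covered by an earlier fragment of the same datagram is reported, which also catches variants that overlap later in the payload rather than inside the TCP header.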
Other Items
SNMP v1 community strings
CERT advisories: X11, RPC, NIS, NFS, NTP, finger
UDP high ports
Service Configuration
! global configuration
no service finger
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip source-route
service password-encryption
enable secret YellowMegaMan
no enable password
! per-interface configuration (apply under each interface)
no ip redirects
no ip directed-broadcast
no ip proxy-arp
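Hardening lines like the ones above tend to drift out of configurations over time, so it is worth checking for them mechanically. The following Python script is an added example, not code from the presentation or from Cisco: `parse_config` splits running-config text into global lines and per-interface blocks, and `audit` reports which of the slide's directives are missing and whether a weaker `enable password` is still present. `SAMPLE_CONFIG` is a constructed, partly hardened config with placeholder secrets; the function names are the example's own.

```python
"""Audit a Cisco IOS configuration for the hardening lines listed above.
Added example, not code from the presentation or from Cisco: it reads
running-config text (a constructed sample below) and reports missing
directives and leftover weaker settings.  Directive names come from the
slide; the function names are this example's own."""
import re

# Global commands from the slide; each must appear verbatim in the config.
REQUIRED_GLOBAL = [
    "no service finger",
    "no service pad",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip bootp server",
    "no ip source-route",
    "service password-encryption",
]
# Interface commands from the slide; expected under every interface.
REQUIRED_PER_INTERFACE = [
    "no ip redirects",
    "no ip directed-broadcast",
    "no ip proxy-arp",
]


def parse_config(text):
    """Split config text into global lines and a dict of interface -> lines.
    IOS indents sub-commands with a space, so an unindented line ends a block."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
            continue
        current = None
        match = re.match(r"interface\s+(\S+)", raw)
        if match:
            current = match.group(1)
            interfaces[current] = []
        else:
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_lines:
            findings.append(f"missing global: {cmd}")
    if not any(line.startswith("enable secret ") for line in global_lines):
        findings.append("missing global: enable secret")
    if any(line.startswith("enable password ") for line in global_lines):
        findings.append("present: enable password (weaker than enable secret; remove it)")
    for name, lines in interfaces.items():
        for cmd in REQUIRED_PER_INTERFACE:
            if cmd not in lines:
                findings.append(f"missing on {name}: {cmd}")
    return findings


# Constructed sample: partly hardened, with two global lines missing, an
# enable password left in place, and one interface still allowing directed
# broadcasts.  Secrets are placeholders, not real hashes.
SAMPLE_CONFIG = """\
version 11.2
service password-encryption
no service finger
no service tcp-small-servers
no service udp-small-servers
no ip source-route
enable secret 5 PLACEHOLDER-HASH
enable password 7 PLACEHOLDER
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports four findings: the two missing global lines, the leftover `enable password`, and the missing `no ip directed-broadcast` on Ethernet0. The per-interface list is checked against every interface block, since a single interface that still answers directed broadcasts is enough to amplify traffic.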
Traditional Business (figure: the Enterprise at the center, surrounded by Employees, Customers, Partners and Suppliers)
Open up internal operational systems and information to prospects, customers, partners, suppliers, and employees
Design: Policy
Networked Commerce
Internet Presence
Security Considerations
(figure: risk model relating Threat, Value and Safeguard to Risk and Assurance)
Internet Access
Applications:
Web access and e-mail (using an external mail server)
Streaming audio/video
Security issues:
Protection of internal resources from outsiders
Limiting external privileges of internal users
Visibility of internal network addresses
Auditing usage and possible attacks
Internet Presence (figure: E-Mail and WWW servers)
Networked Commerce (figure: Commerce Gateways between the Internet and Internal Business Systems)
Additional applications:
Electronic commerce with controlled access to business systems for ordering, etc.
Remote Site (figure: a remote site connected to HQ across the Internet)
Additional applications:
Private connections over a public network: Virtual Private Network (VPN)
Design: Architecture
What Is a Firewall?
I think it was Pope Urban that first attempted a definition in 1094. He enforced his definition in 1095-1099. Zangi, the Prince of Mosul refuted it in 1144 and Saladin was left to stave off Pope Eugenius III and St. Bernard between 1146 and 1148. And, as everyone knows, Richard the Lion Hearted debated the definition with Saladin between 1189 and 1192 without a resolution. All of this is to say that this can become a religious issue and many deaths will occur from it.
Chris Lonvick
Identity
Accurately identify network users and their privileges
Integrity
Network integrity through:
Secure network perimeters
Privacy and encryption
Reliable operation
Active Audit
Provide auditing, accounting and active detection and response
Hosts offering public services/access are not secure
Internal network hosts should not offer public services/access
Private networks and hosts should not be visible
Network security cannot replace data security
Detailed security and usage accounting
Response plan
Lock-and-Key
Situation: you want a subset of hosts on a network to access a host on a remote network protected by a firewall.
With lock-and-key access, you can enable only a desired set of hosts to gain access by having them authenticate through a TACACS+ server.
Lock-and-Key Configuration
aaa new-model
aaa authentication login lockkey tacacs+ enable
!
access-list 101 dynamic telecommuter timeout 5 permit ip any any
access-list 101 permit tcp any host 10.1.1.1 eq 23
!
interface e0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
!
! vty lines: the user authenticates via the lockkey method list and
! access-enable creates the dynamic entry for that user's host
line vty 0 4
 login authentication lockkey
 autocommand access-enable host timeout 5
Networked Commerce (figure: encrypted transaction between an outside Web client and the internal network)
Standards compliance:
IPSec AH/ESP encapsulated tunnels
IKE key management
Fully interoperable:
Cisco IOS, Firewalls, and other IPSec-compliant systems
Client support:
Windows 95 and Windows NT 4.x (Cisco provided software)
Windows NT 5.0 (Microsoft/Cisco partnership)
IPSec Modes
Tunnel mode: the whole original packet is encapsulated behind a new IP header
  new IP HDR | IPsec HDR | IP HDR | Data   (original IP HDR and Data may be encrypted)
Transport mode: the IPsec header is inserted between the original IP header and the data
  IP HDR | IPsec HDR | Data                (Data may be encrypted)
(figure: traffic is in the clear on each end network and encrypted across the Internet)
VPN Configuration
crypto ipsec transform-set first ah-md5-hmac
 mode tunnel
crypto ipsec transform-set second ah-sha-hmac esp-des
 mode tunnel
!
crypto isakmp policy 5
 authentication rsa-encr
 hash md5
 lifetime 3600
!
crypto map toBob 10 ipsec-isakmp
 set peer 128.49.54.1
 set transform-set first second
 match address 155
!
interface e0
 ip address 128.49.48.1 255.255.255.0
 crypto map toBob
!
access-list 155 permit ip 128.49.48.0 0.0.0.255 128.49.54.0 0.0.0.255

Define IPsec policy: two transform sets providing encryption and authentication
Set IKE policy
Create a crypto map: define the negotiating peer, prioritize IPsec policy, match an access list
Configure the interface and assign the crypto map
Define the access list that selects the traffic to encrypt (all traffic between the two networks)
Design: Test
Logging
service timestamps debug datetime msec
service timestamps log datetime msec
!
logging buffered 16384
logging trap debugging
logging 169.222.32.1
logging source-interface loopback0
!
access-list 101 permit tcp any host 10.1.1.1 eq 23 log
!
ip ftp source-interface loopback0
ip ftp username c7200
ip ftp password 7 8675309G
exception protocol ftp
exception dump 10.1.1.1
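Once the `log` keyword and `logging trap debugging` send access-list hits to the syslog host, someone has to read them. The following Python script is an added example, not code from the presentation: `parse_line` picks apart messages in the shape of IOS `%SEC-6-IPACCESSLOGP` entries with `service timestamps log datetime msec`, `summarize` totals permitted and denied packets per source, and `suspects` lists sources whose denied count reaches a threshold. `SAMPLE_LOG` is constructed for the example, not a real capture, and the function names are the example's own.

```python
"""Parse access-list log messages and summarise them per source.  Added
example, not code from the presentation; the log lines below are constructed
in the shape of IOS %SEC-6-IPACCESSLOGP messages with millisecond
timestamps, not a real capture."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def parse_line(line):
    """Return a dict for an access-list log entry, or None for any other message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry


def summarize(lines):
    """Packet counts per source address, split into permitted and denied."""
    totals = defaultdict(lambda: {"permitted": 0, "denied": 0})
    for line in lines:
        entry = parse_line(line)
        if entry:
            totals[entry["src"]][entry["action"]] += entry["count"]
    return dict(totals)


def suspects(lines, threshold):
    """Sources whose denied packet count reaches the threshold.  The router
    folds repeats into one line per interval with a packet count, so the
    counts are summed rather than the lines."""
    return sorted(src for src, t in summarize(lines).items()
                  if t["denied"] >= threshold)


# Constructed sample log: one permitted login, one source repeatedly denied,
# an unrelated config message, and a single denied probe.
SAMPLE_LOG = """\
*Mar  1 00:04:21.118: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.7(1034) -> 10.1.1.1(23), 1 packet
*Mar  1 00:04:53.902: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(2051) -> 10.1.1.1(23), 1 packet
*Mar  1 00:05:02.010: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(2052) -> 10.1.1.1(23), 1 packet
*Mar  1 00:09:53.444: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(2051) -> 10.1.1.1(23), 14 packets
*Mar  1 00:10:11.300: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.7)
*Mar  1 00:12:40.777: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(40021) -> 10.1.1.1(23), 1 packet
""".splitlines()

if __name__ == "__main__":
    for src, t in summarize(SAMPLE_LOG).items():
        print(f"{src:16} permitted={t['permitted']:<4} denied={t['denied']}")
    print("suspects:", suspects(SAMPLE_LOG, threshold=5))
```

The `count` field matters: the third line for 192.0.2.44 carries 14 packets in one message, so counting lines instead of packets would understate how busy that source was.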
Review logs
Educate staff and users
(figure: products positioned by feature set and performance: PIX Firewall, Centri Firewall for Windows NT, and Cisco 1600/2500 with Cisco IOS Firewall features)
Supported Applications
Telnet, Web, FTP, and SMTP
RealAudio, RealVideo, and VDOLive
Content Filtering
Blocks Java, ActiveX, JavaScript and VBscript
Java Blocking
(figure: a Web client's HTTP request for a Java applet goes to the Web server; the firewall inspects the server reply: with no Java signature it lets the reply through, with a Java signature it drops the packet; figure labels: Inspect Server Reply, Inspect Port Command)
Alerts
Non-statistical events may trigger alerts
Alerts are set on groups of events or on specific ones (e.g. DoS attacks, SMTP command attacks, or a denied Java applet)
Alerts are visual, e-mail, and pager
Thresholds limit the number of alerts issued when an event repeats in a given timeframe
PIX Adaptive Security Algorithm
(figure: inside host 10.0.0.16, translated to 171.69.236.5, opens a telnet session to 171.68.10.2)
1. Outbound SYN: 171.69.236.5:4005 -> 171.68.10.2:23 (code bit SYN; sequence numbers 3050/3124 as shown)
PIX checks whether a translation exists or not. If not, it creates one upon verifying NAT, global, access control and authentication, if any. A connection entry is also created.
PIX follows the adaptive security algorithm: (src IP, src port, dest IP, dest port) check, sequence number check, translation check. If the code bit of the reply had not been SYN-ACK, the packet would have been dropped and logged.
2. Back spoofing: ACK packets 171.69.236.5:4005 -> 171.68.10.2:23 and, after translation, 171.68.10.2:23 -> 10.0.0.16:4005. Since the ACK bit is set, connection and translation entries should already exist.
3. Close: 171.69.236.5:4005 -> 171.68.10.2:23 (code bit FIN; sequence numbers 3950/800 as shown)
PIX will only accept a packet with code bit FIN-ACK; all other packets are dropped, and any packet after this one is also dropped. The connection is released immediately; the translation is released after the xlate timeout.
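The three slides above describe a state machine: a connection and translation entry are created by an outbound SYN, a reply is admitted only if it matches an entry and carries the expected code bits and a sane sequence number, and a FIN-ACK releases the connection while the translation lingers until the xlate timeout. The following Python class is an added toy model of that behaviour, not PIX code and not a faithful copy of Cisco's implementation: `StatefulFirewall` keeps the two tables, `outbound` and `inbound` apply the checks, and `run_slide_scenario` replays the slides' telnet session (inside host 10.0.0.16 via global address 171.69.236.5 to 171.68.10.2:23) plus a constructed back-spoofing attempt. The window size, the "only FIN-ACK after FIN" rule and the tick-based timeout are simplifications made for the example.

```python
"""Toy model of the connection/translation checks the slides attribute to the
PIX adaptive security algorithm.  Added example, not PIX code.  Addresses
follow the slides' figures; the window, timeout and FIN handling are
simplified."""
from dataclasses import dataclass

SYN, ACK, FIN = "SYN", "ACK", "FIN"
WINDOW = 65535                      # simplified sequence-number window


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: frozenset


class StatefulFirewall:
    def __init__(self, global_pool, xlate_timeout=3):
        self.pool = list(global_pool)   # global addresses available for NAT
        self.xlate = {}                 # inside IP -> global IP
        self.xlate_idle = {}            # inside IP -> ticks idle (None = in use)
        self.conns = {}                 # (global src, sport, dst, dport) -> state
        self.xlate_timeout = xlate_timeout
        self.log = []

    def _drop(self, p, why):
        self.log.append(f"drop {p.src}:{p.sport}->{p.dst}:{p.dport} {sorted(p.flags)}: {why}")
        return "drop"

    def _translate(self, inside_ip):
        """Reuse an existing translation or allocate one from the pool."""
        if inside_ip not in self.xlate:
            if not self.pool:
                return None
            self.xlate[inside_ip] = self.pool.pop(0)
            self.log.append(f"xlate {inside_ip} -> {self.xlate[inside_ip]}")
        self.xlate_idle[inside_ip] = None
        return self.xlate[inside_ip]

    def outbound(self, p):
        """Packet from an inside host toward the outside."""
        glob = self._translate(p.src)
        if glob is None:
            return self._drop(p, "no global address free")
        key = (glob, p.sport, p.dst, p.dport)
        conn = self.conns.get(key)
        if conn is None:
            if p.flags != {SYN}:        # only a SYN may open a connection
                return self._drop(p, "no connection")
            self.conns[key] = {"state": "SYN_SENT", "isn": p.seq, "inside": p.src}
            self.log.append(f"conn {key} created")
        elif conn["state"] == "ESTABLISHED" and FIN in p.flags:
            conn["state"] = "FIN_SENT"  # from here only a FIN-ACK is accepted
        return "pass"

    def inbound(self, p):
        """Packet from the outside, addressed to a global (translated) address."""
        key = (p.dst, p.dport, p.src, p.sport)
        conn = self.conns.get(key)
        if conn is None:
            return self._drop(p, "no connection/translation entry")
        state = conn["state"]
        if state == "SYN_SENT":
            if p.flags != {SYN, ACK} or p.ack != conn["isn"] + 1:
                return self._drop(p, "expected SYN-ACK for our SYN")
            conn.update(state="ESTABLISHED", peer_isn=p.seq)
        elif state == "ESTABLISHED":
            if not conn["peer_isn"] <= p.seq < conn["peer_isn"] + WINDOW:
                return self._drop(p, "sequence number out of window")
        elif state == "FIN_SENT":
            if p.flags != {FIN, ACK}:
                return self._drop(p, "only FIN-ACK accepted after FIN")
            del self.conns[key]                     # connection released at once
            self.xlate_idle[conn["inside"]] = 0     # xlate stays until timeout
            self.log.append(f"conn {key} released")
        return "pass"

    def tick(self):
        """One xlate-timeout interval: expire idle translations."""
        for ip, idle in list(self.xlate_idle.items()):
            if idle is None:
                continue
            if idle + 1 >= self.xlate_timeout:
                self.pool.append(self.xlate.pop(ip))
                del self.xlate_idle[ip]
                self.log.append(f"xlate {ip} released")
            else:
                self.xlate_idle[ip] = idle + 1


def run_slide_scenario():
    """Replay the slides' session plus a constructed back-spoofing attempt."""
    fw = StatefulFirewall(global_pool=["171.69.236.5"])
    f = frozenset
    steps = [
        ("out", Pkt("10.0.0.16", 4005, "171.68.10.2", 23, 3050, 0, f({SYN}))),
        ("in", Pkt("171.68.10.2", 23, "171.69.236.5", 4005, 132, 3051, f({SYN, ACK}))),
        ("in", Pkt("171.68.10.2", 23, "171.69.236.5", 4006, 900, 1, f({ACK}))),      # spoofed: no entry
        ("in", Pkt("171.68.10.2", 23, "171.69.236.5", 4005, 133, 3051, f({ACK}))),
        ("out", Pkt("10.0.0.16", 4005, "171.68.10.2", 23, 3950, 800, f({FIN, ACK}))),
        ("in", Pkt("171.68.10.2", 23, "171.69.236.5", 4005, 800, 3951, f({ACK}))),   # not FIN-ACK
        ("in", Pkt("171.68.10.2", 23, "171.69.236.5", 4005, 800, 3951, f({FIN, ACK}))),
        ("in", Pkt("171.68.10.2", 23, "171.69.236.5", 4005, 801, 3952, f({ACK}))),   # after release
    ]
    results = [fw.outbound(p) if d == "out" else fw.inbound(p) for d, p in steps]
    for _ in range(fw.xlate_timeout):
        fw.tick()
    return results, fw
```

In the replayed scenario the spoofed ACK (no entry), the plain ACK after the FIN and the packet after release are all dropped and logged, the rest pass, and after the timeout the translation for 10.0.0.16 is gone and the global address is back in the pool.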
Conduit:
A conduit is a hole through the firewall allowing outside machines to initiate connections to inside machines. It is related to a static in that a static maps a global address to a local machine. Conduits are only as secure as you make them. They are used for service items.
Authorization
(figure: Joe telnets from the Internet through the PIX Firewall, past the DMZ with DNS/Mail, into the intranet; his user profile decides what he may do)
User Profile:
id=Joe
Fail=0
Service=Shell
Cmd=Telnet { Permit Host A }
Cmd=FTP { Permit Host B }
SYN Floods
Protects session resources from being depleted
Maintains high network reliability
Content Filter
(figure: SMTP content filter between the outside and the inside mail server; figure labels: NOOP, Debug, OK)
Standards compliance:
IPSec AH/ESP encapsulated tunnel
IKE key management
Wire-speed performance:
Ethernet now, Fast Ethernet late CY 98
Fully interoperable:
Cisco IOS and other IPSec-compliant systems
On PIX manager:
Click Authentication
Select TACACS+ server
Click Add
Server IP address = 10.0.0.100
Encryption key: spackle
Click OK
On PIX manager:
Select Authentication
Click Add
Select "authenticate all internal hosts" or whatever is desired
Assume PIN = 1234, passcode = 5551212
FTP prompt:
Connected to 172.16.50.87
220 TS09B6F FTP server (version Cisco Micro WebServer) ready
331 Hello root, send password
Password: megaman 5551212
230 Login user root OK
230
(figure: demo topology: the public network (Internet), a perimeter network with FTP server 192.168.0.3 and web server 192.168.0.2, and the private network with 10.0.0.100)
Centri Firewall
Windows NT Firewall ICSA certified Version 4.0.2 now shipping! Evaluation software on the web at: http://www.cisco.com/centri
Ease of Use
Installation Wizard
Steps through initial configuration Predefined security policies
Reporting
Reports may be run on demand or scheduled to run at fixed times (e.g. Mondays at 2 a.m.).
Reports are presented in HTML or text and may be stored on the web server in the product (Examiner) or sent to an e-mail address.
To view reports it is simplest to use the embedded browser in Centri, though you may use another browser if desired (port 8080; no authentication).
By Time of Day
By Application
Intercept architecture
Preservation of original network stack
Firewall communication is also protected
Capability of running servers on the firewall
(figures: Centri Kernel Proxy architecture: the Kernel Proxy sits in the NT kernel between the device driver and Winsock, with outside interface 192.204.18.2 and inside interface 10.0.0.1; the Winsock views show hosts 205.50.50.2, 10.0.0.1 and 10.0.0.2)
Site-Based Model
Policy enforcement occurs when information passes between sites (intersite), not within the same site (intrasite). Rules are checked when information leaves one site for another.
(figure: policy rules checked between the Trusted site and the Internet site)
Install creates two sites, Trusted and Internet, which may be expanded upon post-install (e.g. adding an isolated service network [DMZ]). The local stack is tied by a virtual wire to a trusted site.
Protocol   Checks
FTP        Inline user authentication; non-transparent proxy mode; allowed action checks
ICMP       Message type
Telnet     Inline user authentication; non-transparent proxy mode; port check
TCP        Port check; SYN flood prevention
HTTP       Inline user authentication; URL filtering; Java/ActiveX/JavaScript blocking; allowed action checks
UDP        Port check
SMTP       Nested routing blocking; minimal protocol set (similar to Mail Guard)
Centri Summary
High-performance Kernel Proxy firewall
Uses four breakthroughs in firewall user interface design:
Natural network views
Bundled applications
Policy builder
Integrates well into Microsoft environment
Policies based on NT domains, groups, and users
Cisco IOS
Integrated security is not a new concept
Existing Cisco IOS security technologies support:
Perimeter security and access control
Identification and user authentication
Denial of service (DoS) protection
Virtual private networking
Reporting
Control downloading of Java applets
Denial of service detection and prevention
Real-time alerts
TCP/UDP transaction log
Configuration and management
Benefits...
Integrated solution: access and security
No new hardware required: one box to manage
Full routing functionality
SMTP
Java blocking
BSD R-cmds
Sample Configuration
ip inspect name pri-net tcp
ip inspect name pri-net udp
ip inspect name pri-net ftp
ip inspect name pri-net h323
ip inspect name pri-net realaudio
ip inspect name pri-net streamworks
ip inspect name pri-net vdolive
ip inspect name pri-net cuseeme
ip inspect name pri-net http java-list 10
!
interface e0
 ip inspect pri-net in
 ip access-group 101 out
!
access-list 10 permit 172.34.7.130
access-list 101 deny ip any any
CFMI
Common security management for enterprise infrastructure
Centri Firewall
High-performance, flexible, Windows NT-based security software with intuitive user-based policy rules. Easy to install, configure, and manage
PIX Firewall
Highest-performance, scalable, dedicated security appliance with most advanced features and application support, fault tolerance