Application Layer Filtering

Application proxy firewalls are the most intelligent firewall architecture. By intelligent, we mean that an application proxy firewall can perform the most detailed inspection on data before making a filtering decision. An application proxy firewall can decode and process at the application layer the data contained in packets. Consequently, application proxy firewalls can filter based on the actual application data content. For example, with a packet-filtering firewall, the firewall can merely...

Overview of IDS

Intrusion detection is an aspect of security whereby a device detects the fingerprint of an attack within the network. Modern IDSs use a variety of techniques to ensure that the alarms they raise are of actual attacks being conducted rather than a false alarm. Many IDSs connect to the network through a port on a switch, and the interface that connects to that port captures traffic to a particular system or subnet, as shown in Figure 14-2. As firewall hardware has become more and more powerful,...

The IP Packet Header

The IP packet header is what tells an IP-based host what to do with the packet that was received. Think of it as an instruction manual that contains the "how to process this packet" information. Therefore, an attacker wanting to generate malicious traffic will frequently modify the IP packet header in such a way as to instruct the receiving host to do something harmful with the packet, or to instruct the host to do something it is not capable of doing in hopes that it causes the host to generate...

Deciphering Port Numbers

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection) because TCP port 80 is frequently permitted...

Microsoft ISA Server 2004 Features

Microsoft ISA Server 2004 consists of two editions: Standard Edition and Enterprise Edition. The predominant differences between the Standard and Enterprise editions relate to scalability. Table 8-1 summarizes the differences between the Standard and Enterprise editions.

[Table 8-1. Comparison of ISA Server 2004 Standard and Enterprise Editions]...

Updating the Firewall Software

The final topic to consider when managing firewalls is updating the firewall software. There are two reasons to update the software. One reason is to take advantage of new capabilities added to newer software versions. The other reason is the need to fix bugs and vulnerabilities in the software. Like all software, firewall software contains many lines of code. The code in the firewall may have been rigorously tested, but there will be corner cases that the software developers did not consider or just outright overlooked. A corner case is a...

Configuring the ACLs

Controlling traffic is the cornerstone of all firewalls, and the PIX ASA controls the flow of traffic through the firewall by implementing ACLs. PIX ASA ACLs are essentially linked lists of values known as ACL entries (ACEs) that are parsed in a top-down manner, with entries at the top of the ACL being processed before entries further down the ACL are processed. This processing is performed in a first-match manner, which means that as soon as the data being processed by an ACL is matched to an...

Configuring NAT Settings for Outbound Access

After the default route has been set, the PIX ASA is almost ready to pass traffic between the inside, higher-security interface and the outside, lower-security interface. In most situations, to provide for this outbound traffic functionality you need to configure NAT because the firewall will typically be hiding the internal network IP addresses from the external network resources using NAT. This is not a requirement, however (although it is generally recommended), and the PIX ASA 7.0 in...

How NetFilter Works

NetFilter, more commonly known by the name of its manipulation utility, iptables, works on the surface much like the ipchains firewall code of earlier Linux kernels. The first thing you need to understand about NetFilter is the concept of tables, chains, and rules. Tables are used to provide certain types of functionality, which are defined in more detail throughout this chapter. Chains define the path a packet can travel. The chains are made up of rules, which define what action...

The OSI Model

The OSI model is a layered model that has been standardized for defining network communications. The OSI model breaks the complex process of network communications into seven distinct layers, each with its own distinct responsibilities. As shown in Figure 3-1, the seven layers of the OSI model are as follows: The application layer (Layer 7): primarily responsible for interfacing with the end user. The presentation layer (Layer 6): primarily responsible for translating the data from something the...

Initial Configuration

The initial configuration of a firewall requires several items of information. This information includes internal and external interface IP addresses (or the use of DHCP on one of those interfaces), the next-hop gateway, and an administrative password. The first three items are discussed in the following paragraphs. A discussion of administrative passwords was provided earlier in the "Default Passwords" section. Most small office/home office (SOHO) firewalls have only two interfaces. On enterprise firewalls, the half dozen...

Figure 12-1 Delivery of Syslog Messages Across the Network

The syslog client is then configured to deliver syslog messages to the syslog server. For example, you can configure a Cisco Secure PIX Firewall to use syslog by running the following basic commands. For Cisco Secure PIX Firewalls running versions of the PIX OS other than 7.0, the commands are as follows:

    logging trap information
    logging host inside ip-address

For Cisco Secure PIX Firewalls running version 7.0 or later, you need to run the following commands from the configuration mode. In...

Stateful Inspection

Stateful packet inspection lies at the heart of how PIX ASA firewalls function. This functionality is provided through a process known as the Cisco adaptive security algorithm (ASA). The ASA uses a stateful approach to security. Every inbound packet is checked exhaustively against the ASA and against connection state information in memory. The ASA applies the following default rules (although this is by far not an exhaustive list) to traffic coming into the PIX: Allow any traffic connections...

Cisco Secure PIX Firewall Syslog Event Baseline

The following syslog events constitute a good baseline of events that should be monitored and paid attention to in most environments. In essence, this list is here to answer this question: "What specific events should I look for?" It is not meant to be an exhaustive list of all syslog message IDs or the only message IDs that you should be filtering for. You can use this information to help build filtering rules for your particular logging software, for example, to identify the messages that administrators...

What to Look for in Firewall Logs

After you have collected the firewall logs and begun the process of analyzing the logs, determine the events you should be looking for in the logs. With that said, it is important to remember not to fall into the trap of looking in your firewall logs only for bad events. Yes, firewall logs can be the key element in discovering incidents and compromises, but that is only one of the reasons for analyzing your logs. You also want to use the log information to assist in defining the baselines and normal operations of...