Classic Screened Subnet Breaks Routing

A notable feature of the classic approach is its routing design. As no traffic can flow directly between the inside and outside perimeter, no routing needs to be set up to support it. The architecture assumes that all connections will terminate inside the DMZ, therefore only limited routing is needed. On the outside router, only a default route to the outside and a directly connected route to the DMZ are needed. On the inside router, only a route to the inside networks and a directly...

Clean Solution

The combination of both an ACL and an inspection ruleset for each interface results in a very clear and simple solution. Additionally, such CBAC configurations are easy to verify, so the chance of leaving backdoors is minimized.

ip inspect name name fragment maximum n timeout t

Non-initial fragments are dropped until the first fragment arrives; CBAC then remembers the IP ID to pass the rest of the fragments. This can cause problems with some IP stacks (Linux) and is less robust than PIX virtual reassembly.

2003, Cisco Systems, Inc. All...

A part of the network which you want to isolate in a security incident

Consequence: firewalls cannot enforce

A good, basic definition of a perimeter is that a perimeter is a clearly defined part of the network to or from which a firewall performs access control. A perimeter connects to a firewall network interface. The firewall controls all traffic flow to or from that perimeter, to the other perimeters connected to the same firewall. Alternative definitions of perimeters include: A perimeter is a...

A value of 1 is recommended if enough CPU is available

Setting connection limits on any translation should only be done after application business analysis to determine the actual needs. Setting the value too high (0 is the default) may make the destination stations more vulnerable. Setting the value too low (1 as in the example) may raise the CPU load of the PIX too high. 1 is the recommended limit for embryonic connections in typical networks. The amount of traffic through a network or to...

A wide translation rule can make routing ambiguous

When a packet arrives at the DMZ interface, should it be translated to the inside or routed to the outside? This can happen especially with too-wide network statics. Routing and NAT information can sometimes interfere when the NAT statement is too generous. In this example, the static translation rule maps the 10.0.0.0/8 network from the inside to the DMZ. Any packets destined to the 10.0.0.0/8 network from the DMZ will be identity-translated to...

Access Rules Outside PIX

Access rules on the outside interface:

access-list OUTSIDE deny ip 127.0.0.0 255.0.0.0 any
access-list OUTSIDE deny ip 10.0.0.0 255.0.0.0 any
access-list OUTSIDE deny ip 172.16.0.0 255.240.0.0 any
access-list OUTSIDE deny ip 192.168.0.0 255.255.0.0 any
access-list OUTSIDE deny ip 200.1.1.0 255.255.255.0 any
access-list OUTSIDE permit icmp any 200.1.1.0 255.255.255.0 unreachable
access-group OUTSIDE in interface outside

Access rules on the dmz-www interface:

access-list DMZ-WWW deny ip any any...

Access Rules Outside PIX Cont

access-list DMZ-DNS deny udp host 172.30.2.
access-list DMZ-DNS deny udp host 172.30.2.
access-list DMZ-DNS permit udp host 172.30.
access-group DMZ-DNS in interface dmz-dns

Access rules on the dmz-ebanking interface:

access-list DMZ-EBANKING permit tcp 172.30.
access-group DMZ-EBANKING in interface dmz-

Access rules on the inside interface (basic):

access-list INSIDE permit ip 10.0.0.0 255.0
access-list INSIDE permit ip 172.16.0.0 255.
access-group INSIDE in interface inside

The configuration lines are...

Accessing an Outside Server via Hostname

This figure illustrates the translations involved for a DNS request issued by the local host 10.1.1.1 for the outside host y.bar.com. Step 1: The NAT router maintains a static translation slot for the outside DNS server, so that an outbound DNS request is mapped from the outside local address 192.168.1.253 to the outside global address 35.1.1.42. Step 2: The A records of the DNS reply are translated into an outside local address, that is, from 16.10.20.2 to 192.168.1.5. Step 3: The enterprise host...

Activation of a Local ACL

The second method of PIX user authorization is the activation of a local per-user ACL in addition to the existing ACL on the interface. It uses RADIUS to indicate which ACL should be activated, as part of RADIUS authentication. The RADIUS attribute 11 will indicate the name of the ACL that is to be used for the authenticated user. The ACL is modified based on the source IP of the authenticated user. The benefit of such authentication is that it is scalable as long as a single firewall is used....

Add Policy Routing

Using policy routing commands, the classic ACL capabilities can be greatly augmented, as traffic can be forced to take a predefined path. This example shows two layers of traffic separation: ACLs and policy routing work in concert to prevent traffic flowing between business partners. Policy routing is a simple and nice defense-in-depth mechanism to prevent configuration mistakes.

Adding Value

NAT becomes more powerful when combined with modern packet filtering and security enhancements as implemented in Cisco IOS and PIX Firewalls. Of course, additional functionality increases complexity, and an administrator must be aware of side effects and the order of operations. Note: An inside-to-outside translation occurs after routing; that is, translation is not performed if no valid route is found. Similarly, an outside-to-inside translation occurs before routing; that is, any output access...

Additional Features Inside PIX

Authentication of incoming HTTP/HTTPS (web-based):

aaa authentication match AUTHACL outside TACACS+

Describe services which require authentication:

access-list AUTHACL permit tcp any host 10.1.1
access-list AUTHACL permit tcp any host 10.1.1

Automatic anti-spoofing rules are deployed:

ip verify reverse-path interface outside
ip verify reverse-path interface dmz-proxy
ip verify reverse-path interface dmz-ebanking
ip verify reverse-path interface inside

Additional security tweaks which are nice to...

ALG Deployment Guidelines

In modern networks, ALGs are deployed when the following policy requirements need to be addressed: Filtering inside the application protocol is required, either to protect trusted clients from untrusted servers or to filter data from untrusted clients to trusted servers. With regard to application protocol filtering, ALGs can easily inspect application-layer data in detail. For example, when tight control over mobile code is desired, an ALG is used to pass and analyze data between perimeters....

ALG Evaluation

ALGs can be evaluated against the criteria for firewall technology evaluation, which include: Robustness of filtering: High. ALGs have very robust filters. They sanitize the network and transport protocols, and as they speak the application protocol, they have the ability to block any suspicious protocol messages between the endpoints. Granularity of filtering: High. ALGs can theoretically filter on any aspect of the application protocol. Flexibility of filtering: Low. Each application requires...

ALG Features

From the perspective of a firewall designer, an ALG-based firewall has the following features: As all application sessions terminate on the ALG, the ALG's TCP/IP stack can protect against network- and transport-layer attacks (for example, the TCP loopback DoS attack land.c, source routing and TCP SYN flooding). Ability to filter and sanitize the application protocol, to prevent the majority of protocol-level attacks and to resist basic attempts at tunneling. Ability to filter data inside the...

ALG Handling of DNS Queries

An ALG for the DNS protocol can be a specialized software package, running in the context of a larger product, or an off-the-shelf caching name server, such as BIND or Cisco Network Registrar (CNR). The ALG passes DNS traffic over the firewall by posing as a DNS server to the inside clients, accepting their requests, and forwarding those requests to outside DNS servers. The outside DNS servers send their replies to the ALG, which inspects the reply on the application layer, and creates a new...

ALG Handling of Exchange Client Server

To handle Exchange client-server communication, several options exist: Native client-server protocol: Hard to filter securely using classic packet filters or SPFs. The same recommendations apply as with MTA-MTA communication. Microsoft Outlook uses this protocol by default. POP3 or IMAP4 protocols: Simple single-session TCP protocols. Outlook Web Access: A web front-end for Exchange mailboxes. This is the simplest, and the recommended, method for handling Exchange client access from untrusted...

ALG Handling of FTP

In FTP, the ALG acts as a broker between the original FTP client and the original FTP server, acting as an FTP server to the client and as an FTP client to the server. The gateway terminates two control sessions: one with the client, and one with the server. Over the control session with the client, the gateway receives FTP commands and passes them, possibly changed, to the server. Because FTP ALGs implement the full FTP protocol to relay between the client and server, they can filter on...

ALG Handling of Generic TCP/UDP Services

Each application should have its own ALG, which can filter on all aspects of its operation. Often, however, ALG-based-firewall vendors have only developed a few ALGs, as the number of applications exploded with the Internet's expansion. Because of this, a significant percentage of applications were difficult or even impossible to proxy. Examples of these are complex multimedia protocols. For such applications, ALG-based firewalls often resort to two solutions: Usage of port-forwarding TCP or UDP...

ALG Handling of HTTP

This figure illustrates an HTTP ALG used in the context of a firewall. Step 1: A client in the protected network opens an HTTP session to the proxy and submits an HTTP request. For example, the client might submit the uniform resource identifier (URI) to the ALG, expecting the ALG to retrieve the object for the client. Step 2: The ALG examines the request and verifies its validity and conformance to the HTTP protocol; it then contacts the destination server (www.cisco.com) and retrieves the object...

ALG Limitations

The ALG approach has the following major weaknesses: A relatively small number of ALGs exist to support modern applications, forcing a designer to make unwelcome compromises. ALGs are frequently not used to their full potential, as many applications are too complex for their details to be described to the ALG. For example, it would be beneficial for an ALG protecting a custom web application to check all sensitive parameters passed between the client and the server. However, this would require...

ALG Operation

When using an ALG to pass application-layer traffic: Step 1: The client connects to the ALG and submits an application-layer request, indicating the true destination of the request and the request data itself. Step 2: The ALG analyzes the request and may filter or change its contents, and then opens a session to the destination server, posing as the client. Step 3: The destination server replies to the ALG. Step 4: The ALG passes the response, which may be filtered and changed, back to the client....

Alternative Firewall Technologies

Besides filtering of IP applications, other technologies can easily be classified as firewalls if they perform any access control between networks. Examples of such technologies include: Filtering of Layer 2 (L2) frames, using an L2 device such as a dedicated switch or bridged router interfaces; Setting of static ARP entries or switch CAM entries, which effectively only enables communication between selected hosts; Filtering of voice/data calls on a PBX; Filtering of incoming ISDN data calls based...

Alternatively, a user can telnet to the PIX to authenticate himself (virtual telnet)

The PIX can be configured to require user authentication for any session across the PIX, as specified in the aaa authentication commands. However, to authenticate the user, only telnet, FTP, or HTTP sessions can be intercepted and the user authenticated. The PIX caches user credentials in the uauth cache, which expires after an idle or absolute timeout, forcing the user to reauthenticate. After the timer expires, existing sessions...

Alternatively such a firewall can be built in a more distributed fashion

This figure shows the same firewall system built in a more distributed fashion, using several dedicated systems to achieve the same goals. The advantages of distributed systems are better security, as each piece of the system is less complex in itself and there is less possibility of unexpected interaction between components, as well as better performance. The disadvantage of distributed systems is primarily the non-centralized management.

An outbound session is a session from a more secure to a less secure interface

The configuration of every PIX defaults to an inside interface with a security level of 100 and an outside interface with a level of 0. There is nothing more secure than the internal net, and nothing less secure than the external net. On PIX operating system 6.0 and later, the default interface names can actually be modified, but generally there is no reason to. Additional interfaces will be configured with separate security levels...

Analyzing Security Requirements

When researching an organization's security requirements, the designer should first and foremost analyze the organization's security policy and understand how it applies to the organization's network. The designer should also be aware of the extent to which the policy has been implemented and verify that the current security measures actually implement the policy requirements. If the organization does not have a policy already developed and enforced, it is possible that they require help with...

Application and Protocol Requirements

The application and protocol requirements for the firewall are the following: An electronic banking solution is built using HTTPS, CORBA, and Oracle (three-tier). Hosting of public WWW and DNS servers is needed. SMTP email is exchanged with the Internet. Only HTTP is allowed to the Internet, and active content must be filtered. Upper management must read email from the Internet. The limitations for the design are: The firewall can be designed from scratch. VPNs are not an option at this time. RSA SecurID...

Application filtering can be bypassed in some cases

SPFs provide additional inspection by being session aware; they can also track session state and protect against spoofed packets by checking TCP sequence numbers. Some SPFs have some insight into the HTTP application layer, as they can peek into the contents of individual packets. In this way, an SPF can look for specific commands or patterns in the application stream and perform some basic application-layer access control, such as Java or ActiveX...

Application Handling Options

Popular options for passing applications over firewalls include: Direct connections between source and destination host over a firewall, where the firewall simply permits the connection between the endpoints and relays the protocol between them. Using an application gateway between the client and the server. This application gateway can be built into the application-layer gateway (ALG) firewall, or implemented as a multi-tiered application, where the server is split into multiple tiers. The...

Application Layer Filtering

Additional filtering tools can be used for HTTP connections, although additional processing of packets may yield performance hits. The PIX Firewall has some application-layer insight into packets, examining application-layer payloads to filter a protocol or manipulate application-layer data. All implemented mechanisms involve payload scanning and can have an impact on performance if bulk traffic is subject to application inspection (such as URL or ActiveX filtering scenarios). Some of...

Auto Route Injection Link Failure

Step 3: When ISP A no longer advertises B-prefixes, the left border router advertises both A-prefixes and B-prefixes to ISP A. Although strictly an implementation detail, determining the outstanding prefixes can potentially be a costly operation for a large set of routes. An alternate solution is: Step 1: Use a selected single, or more, address prefix received from an ISP (the ISP's backbone...

Backup Solutions

There are three commonly used backup solutions. First, hot standby systems can be employed that enable a native failover in very short times, using the Virtual Router Redundancy Protocol (VRRP) or the Hot Standby Routing Protocol (HSRP). Second, multiple systems can be used running in active mode, which requires symmetric routing or state sharing. And third, cold standby systems, which require manual intervention to solve the problem of a failure. This lesson assumes failures of security...

Calculation of the Authentication Header (AH) hash includes the whole IP header

NAT breaks packet authentication integrity.

Encapsulating Security Payload (ESP):
Transport mode: the outer IP header is not protected, but the encrypted payload might break NAT with NAT-unfriendly applications.
Tunnel mode: the outer IP header is not protected, and addressing is hidden inside the tunnel; no problems with NAT.

IPSec supports two types of headers: the Authentication Header (AH) and the Encapsulating Security...

Can be turned off

The Domain Name System (DNS) protocol is perhaps the most important example of an L7 protocol that NAT has to intercept. Because DNS resolves hostnames into addresses, there are many situations where simple NAT might confuse the communication. Such examples include overlapping network addresses inside and outside, and scenarios with an internal DNS server that responds to external requests. Cisco IOS and PIX Firewall NAT...

CBAC and Fragments

Since CBAC is context aware, non-initial fragments are dropped until the first fragment arrives. When the first fragment arrives, CBAC remembers the IP identification number to pass the rest of the fragments inside. However, this is not enabled by default because some IP stacks, for example the Linux IP stack, cause problems with this handling. The best method is still the PIX virtual reassembly method.
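The fragment handling described above and the "ip inspect ... fragment maximum n timeout t" command from the Clean Solution slide, as an added example that is not Cisco code: a small stateful inspector that admits non-initial fragments only after the initial fragment of the same datagram has passed policy, bounded by a maximum number of remembered datagrams and a timeout. The fragment sequences, addresses and the permitted port are constructed for the demonstration; the out-of-order sequence shows the failure mode the notes warn about, where a stack that sends trailing fragments first gets them dropped.

```python
"""Stateful IP fragment handling modelled on CBAC 'ip inspect ... fragment'.

Added example, not Cisco code. A non-initial fragment is dropped until the
initial fragment of the same datagram has been inspected and permitted;
afterwards the (src, dst, IP ID) tuple is remembered so the remaining
fragments can pass. 'maximum' bounds the number of remembered datagrams and
'timeout' expires stale entries, mirroring the two command parameters.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Fragment:
    src: str
    dst: str
    ip_id: int
    offset: int                      # fragment offset (8-byte units); 0 = initial
    more: bool                       # MF flag
    ts: float                        # arrival time in seconds
    dst_port: Optional[int] = None   # transport header exists only in the initial fragment


FragKey = Tuple[str, str, int]


class FragmentInspector:
    def __init__(self, permitted_ports: Iterable[int], maximum: int = 256, timeout: float = 1.0):
        self.permitted_ports = set(permitted_ports)
        self.maximum = maximum
        self.timeout = timeout
        self.state: Dict[FragKey, float] = {}   # admitted datagram -> last fragment seen

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.state.items() if now - seen > self.timeout]
        for k in stale:
            del self.state[k]

    def handle(self, f: Fragment) -> str:
        """Return the verdict for one fragment and update the state table."""
        self._expire(f.ts)
        key = (f.src, f.dst, f.ip_id)
        if f.offset == 0:
            # Only the initial fragment carries the transport header, so the
            # inspection policy can be applied here.
            if f.dst_port not in self.permitted_ports:
                return "drop: policy"
            if not f.more:
                return "pass"   # unfragmented datagram, nothing to remember
            if key not in self.state and len(self.state) >= self.maximum:
                return "drop: fragment table full"
            self.state[key] = f.ts
            return "pass"
        # Non-initial fragment: no transport header to inspect, so it is only
        # passed if its datagram has already been admitted.
        if key in self.state:
            self.state[key] = f.ts
            return "pass"
        return "drop: no initial fragment"


def inspect_sequence(inspector: FragmentInspector, frags: List[Fragment]) -> List[str]:
    return [inspector.handle(f) for f in frags]


def http_datagram(ip_id: int, t0: float, reverse: bool = False) -> List[Fragment]:
    """Constructed sample: a 3-fragment datagram to TCP/80, arriving in or out of order."""
    layout = [(0, True, 80), (185, True, None), (370, False, None)]
    if reverse:
        layout = layout[::-1]
    return [Fragment("10.1.1.1", "200.1.1.1", ip_id, off, more, t0 + 0.01 * i, port)
            for i, (off, more, port) in enumerate(layout)]


if __name__ == "__main__":
    insp = FragmentInspector(permitted_ports={80})
    print(inspect_sequence(insp, http_datagram(7, 0.0)))                # all pass
    print(inspect_sequence(insp, http_datagram(8, 1.0, reverse=True)))  # trailing fragments dropped
```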

Cisco IOS Reflexive ACLs Example Scenario Cont

Applied on interface Ethernet0/0: ip access-group ACL-OUTSIDE in

permit tcp any host 200.1.1.1 eq http reflect INBOUND
permit tcp any eq ftp-data 200.1.1.0 0.0.0.255 gt 1023
permit icmp any 200.1.1.0 0.0.0.255 packet-too-big
deny ip any any log
ip access-list extended...

Citrix ICA and Windows Terminal Server

Citrix ICA and Microsoft Windows Terminal Server are both remote display protocols used to access Microsoft Windows servers. Citrix ICA is a dynamic application, similar to Oracle SQL*Net, as it opens a TCP session to a well-known port and immediately negotiates a new server port and reconnects to it. This behavior makes it packet-filter-unfriendly, while SPFs and ALGs may support it. Windows Terminal Server uses a single-channel TCP session for each display connection. Therefore, any firewall...

Commercial dedicated application gateways are available, filtering inside the CORBA protocol

CORBA relies on the Internet Inter-ORB Protocol (IIOP) to access distributed objects on a network. UNIX environments often use CORBA as an equivalent to Windows-based DCOM. Various e-commerce and network management products use CORBA, often running over firewalls. The protocol itself is simple in terms of sessions (a single TCP channel), but is NAT-unfriendly. Special application gateways for CORBA exist, which can provide granular CORBA...

Compartmentalization

In general, the more the designer compartmentalizes a network, the more granular the access policy that can be deployed between the compartments (perimeters). However, do not overdo compartmentalization: only divide the network into as many perimeters as necessary. This division is determined by a policy requirement that identifies the subjects to be grouped together and treated as a single entity in access control. Compartmentalization also increases management complexity (more firewall...

Configuration Example

BGP exchange over firewalls requires a full iBGP mesh between all the BGP speakers. This example only illustrates a configuration to pass a single BGP session over a PIX Firewall. In reality, each site would have two routers on each side of the firewall, and all routers on both sides need to peer using iBGP. This results in six iBGP sessions that need to be configured and permitted over the firewalls. Note: Transporting BGP with authentication over the PIX Firewall requires that the firewall...

Content Engines and Authentication

In addition to filtering capabilities, content engines can also be used for HTTP user authentication. Here the content engine acts as a proxy for NT domains, LDAP servers, or RADIUS servers. Authentication is verified via user credentials that are bound to the source IP address, as is done by the PIX, thereby simulating a transparent mode. If configured in non-transparent mode, the browser is aware of the proxy, and the user credentials are resubmitted by the browser and do not need to be...

Conventions

Four terms are central to NAT, and unfortunately many people, and also some documents, confuse them. In order to understand all the mechanisms around NAT it is very important to know the exact meaning of these terms. Interfaces, and associated IP addresses, can be located inside or outside a network boundary. The inside area is typically an enterprise's network, while the outside area is identical with the Internet or any other network not considered private. Addresses have either local or global...

Course Objectives cont

Compare several common firewall technologies with respect to access control and identify their features, benefits, and limitations. Compare different basic firewall architectures and select the proper architecture for an organization's requirements. Select an appropriate firewall technology for an organization's application needs. Design an abstract firewall system, enforcing a defined security policy and using best-practice design methods. Design a firewall system supporting...

Customizing ASA

The established command allows additional connections to be opened through a PIX Firewall, if an already established connection is present in the PIX Firewall connection table. In the command syntax, the first protocol, destination port, and optional source port specified are for the initial outbound connection. The permitto and permitfrom options refine the return inbound connection. The permitto option lets you specify a new protocol or port for the return connection at the PIX Firewall. The...

Database Access Protocols Refresher

Database access protocols are used in two basic scenarios: Used by end users (PC clients) to directly access database servers. Used in multi-tiered (e-commerce) applications between application servers and database servers. The risks associated with database access are: Direct access by untrusted clients exposes possible server bugs, possibly allowing direct access to the database. Break-in into an application server might give unlimited access to the database, if the application server runs with...

Day

Lesson 11: Understanding PIX Firewall NAT
Lesson 12: Understanding PIX Firewall ASA
Lesson 13: Cisco IOS Software Access Control Features
Lesson 14: Content Engines
Participate in lab exercises

Define a Traffic

Using a QoS policy map, a normal traffic mix can be configured so that each traffic class is not allowed to occupy more than an allocated share of the total queuing resources. This is accomplished through rate limiting using policing.

policy-map MYLIMITS
 class WORMTRAFFIC
  drop

Drop (or police to zero) all HTTP traffic which looks like a web worm. This can be an NBAR performance issue if the worm is aggressive.

Definition

All addresses are either inside or outside, and either local or global. The NAT router is responsible for translating global addresses to local ones and vice versa. Following is a generic example: a host in the inside network, with a configured IP address of 10.1.1.1, wants to send packets to a host in the outside network, with a configured IP address of . The outside host has a global (from the outside) view of the inside host: it will send packets to the inside global destination address. If the NAT...

Demanding Protocols

Several application layer protocols, for example, Simple Network Management Protocol (SNMP) and H.323, hide address information by using ASN.1 as a presentation layer. In addition, depending on the number of Management Information Bases (MIBs), there may be a large number of different SNMP messages. There is no single format for SNMP requests, so responses are processed in a general fashion. SNMP trap messages are always inbound UDP packets and occur at unpredictable times. Sometimes these...

Denial-of-Service Mitigation

The network perimeter is often the place to deploy countermeasures for a wide variety of denial-of-service (DoS) attacks, as they are usually launched from external networks. Such protection involves: Protection of hosts and applications to ensure their availability. This involves protection against flooding attacks (for example, TCP Intercept or SYN cookies to guard against SYN flooding) and protection against poisonous data, such as malformed Layer 2 (L2), Layer 3 (L3) or Layer 4 (L4) packets...

Design Example Scenario

An organization has a more complex firewall, which connects it to the Internet, over which an intranet VPN is set up, as well as to some WAN connections, over which the organization connects to its business partners. This environment has some specific addressing needs: The sites reachable over the VPN (in the 10.254.0.0/16 range) should always be visible with their real (internal) IP addresses. Some business partners (see picture) have address spaces overlapping with the company address space....

Designing NAT in Active Active Load Balancing Using Routing Protocols

Step 1: Provide configuration guidelines on how to configure NAT to provide symmetric flow of traffic over the active-active PIX Firewall pair. Change the basic design of the firewall system, if necessary. Answer: NAT should be configured to provide translation of client addresses: inside users for outbound connections, and outside users for inbound connections. The two firewalls must use different NAT global pools, which are routed to the respective firewalls. BGP should be able to detect...

Direct Client Server Outbound Access

The simplest case of outbound access is where the inside client talks directly to an outside server. The outside server is under the control of another party, and might be compromised to send malicious data to the client. Use this method for applications where malicious data is not a major risk, and where performance is of the utmost importance. Examples of this include terminal sessions and multimedia applications such as voice.

Direct Inbound Client Server Connectivity

Direct inbound client-server connectivity is used when directly relaying an application session from an outside client to an inside server. This is usually done when the clients are trusted, therefore no additional protection of the server is needed, and the server is only reachable to trusted clients (that is, not exposed to the untrusted network all the time). Strong firewall authentication that enables outside trusted users to connect to the server, only after they have authenticated to the...

DNS and Web services are connected to the outside firewall filter (least trusted DMZs)

To provide initial defense-in-depth, two filtering elements will be deployed to perform access control. This will simplify their individual configurations, and provide backup in case access control fails on one of the filtering elements. The rules for building DMZs will be: Each inbound service should terminate in its own DMZ. Less trusted services will be placed more to the outside compared to more trusted services. E-commerce application tiers will be...

DNS Fixup

DNS is one of the protocols that embed source and destination addresses within PDUs above Layer 3. Translation takes place for UDP DNS traffic only. The PIX also knows that DNS queries are a one-request, one-answer conversation, so the connection slot is released immediately after an answer is received. With the alias command or dnat configuration, the PIX may translate the destination addresses carried in DNS answers.
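The A-record rewriting that the DNS fixup above and the "Accessing an Outside Server via Hostname" example describe, as an added example that is not Cisco code: it walks a DNS response in wire format and rewrites the RDATA of each A record according to a static translation table (outside global to outside local), leaving the rest of the message byte-for-byte intact. The sample response for y.bar.com and the 16.10.20.2 to 192.168.1.5 mapping are constructed from the notes' example; the second address and the TTL are made up.

```python
"""DNS A-record rewriting as performed by a NAT 'DNS fixup'.

Added example, not Cisco code. The message is parsed only far enough to find
A records (type 1, class IN, 4-byte RDATA) in the answer, authority and
additional sections; their addresses are replaced from a static table.
Because an IPv4 address is always 4 bytes, the message length and all name
compression pointers stay valid.
"""
import socket
import struct
from typing import Dict, Iterator, List

# Constructed mapping taken from the notes: outside global -> outside local.
STATIC_TRANSLATIONS: Dict[str, str] = {"16.10.20.2": "192.168.1.5"}


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(msg: bytes) -> Iterator[int]:
    """Yield the offset of the 4-byte RDATA of every IN A record in msg."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12                                   # fixed 12-byte header
    for _ in range(qd):
        off = _skip_name(msg, off) + 4         # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen                           # other types (CNAME, AAAA, ...) are skipped


def a_records(msg: bytes) -> List[str]:
    return [socket.inet_ntoa(msg[o:o + 4]) for o in _a_record_offsets(msg)]


def translate_a_records(msg: bytes, table: Dict[str, str]) -> bytes:
    """Return a copy of msg with A-record addresses rewritten through table."""
    out = bytearray(msg)
    for o in _a_record_offsets(msg):
        addr = socket.inet_ntoa(msg[o:o + 4])
        if addr in table:
            out[o:o + 4] = socket.inet_aton(table[addr])
    return bytes(out)


def build_response(qname: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard response with one A record per address."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)   # QR, RD, RA set
    question = name + struct.pack("!HH", 1, 1)                            # A, IN
    answers = b""
    for a in addrs:
        # Owner name is a compression pointer (0xC00C) back to the question name.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(a)
    return header + question + answers


if __name__ == "__main__":
    reply = build_response("y.bar.com", ["16.10.20.2", "16.10.20.3"])
    fixed = translate_a_records(reply, STATIC_TRANSLATIONS)
    print(a_records(reply), "->", a_records(fixed))
```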

Downside: Two possible paths to the secure perimeter

This figure illustrates firewall filters, which can also be deployed in parallel. This can be desirable when two functionally different areas of the firewall need to be separated for management simplicity. For example, a bank might want to separate its residential and corporate Internet banking solutions into two systems, which are managed by different teams. This makes each individual firewall part less complex to configure and maintain, thus...

Dynamic PAT Usage Guidelines

PAT is usually the preferred method of providing outbound connectivity, because it is simple to configure and enhances security a bit because of its unidirectional nature. PAT can in some cases break communication, for example with DNS server-to-server queries, or with applications which expect a fixed client port to be available. In this case use NAT instead. Many PAT pools can be active on an interface, which enables the operator to distinguish multiple groups of inside users on the...

Effective client comforting with content scanning

HTTP-to-FTP protocol translation, which is supported by most HTTP proxies, is another option for application-layer proxying of FTP. In this case: Step 1: The client opens a connection to the ALG over HTTP. Step 2: The client specifies that an FTP URL should be opened by the gateway. Step 3: The gateway starts an FTP connection to the destination site. Step 4: The gateway transfers the file. Step 5: The gateway returns the file to the client over the HTTP...

Encryption of the Address Information

NAT cannot translate payload address information if the payload is encrypted. Secure Socket Layer (SSL) and Secure Shell (SSH) are implemented as encrypted TCP payload, but the TCP header is not encrypted. Thus, NAT can handle SSL and SSH without problems. However, problems may occur with Kerberos, X-Windows, Session Initiation Protocol (SIP), remote shell (RSH), and other NAT-sensitive protocols.

Enhance the existing firewall to support real-time multimedia traffic

The organization's access policy is that all communication is denied by default, and only specific applications are permitted. The internal network is a single perimeter, which also hosts sensitive data on its servers. The exposed web server only serves public information and does not talk to any back-end application. The policy specifies that the following applications should be supported outbound: HTTP, FTP, DNS, and SMTP. The firewall should also support multimedia traffic in the near future.

Evaluation of Current Security Policy Enforcement

The identification process might involve determining how the current protection mechanisms implement the desired policy. This can be performed in two, often complementary, ways:
Performing a network audit using internal or external (tiger team) testing. Sometimes called the black box approach, the auditor simply observes the network's response to the penetration attempts. Interesting results can be obtained from this approach, but it depends heavily on the source of audit and network...

Even total failure of access control does not allow an attacker to directly reach a sensitive network if no routing

The least privilege principle should also apply to routing inside the firewall. The firewall system should only provide paths to those networks that must be reachable to ensure the minimum required connectivity. This prevents direct connections to sensitive systems that do not communicate over the firewall and are therefore unreachable, as far as the firewall is concerned. Alternatively, configure devices inside or near the firewall with fake routing information to unnecessary sensitive hosts on...

Example

For example, a network might also be segmented on the inside. A large enterprise network might be divided into security zones (or perimeters), each zone containing a particular part of the network where access control needs to be enforced. Examples of security zones (perimeters) include server farms, individual branch offices, IT labs and classrooms, and different departments (engineering, finance, HR); all of these require policies for access control. That said, perimeter security and connectivity...

Example 1

This figure illustrates a configuration example for manual ACL optimization. Lines that are often matched are moved to the top of the ACL, but great care must be taken not to change the ACL's meaning. In this example, the line that permits established traffic can be pushed up in the ruleset, as it is usually the most frequently matched. However, it can only overtake lines that are completely independent of it (i.e. if both lines could never match the same packet). Here, it can be inserted in...
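The independence rule from this example, worked through as added code that is not part of the course material: entries are modelled as simplified IOS extended ACL lines with constructed hit counts, two entries count as independent only when no packet can match both, and the optimizer moves a heavily matched line upward one neighbour at a time, stopping at the first line it is not independent of. evaluate() lets you confirm the reordered ACL gives the same verdict as the original on sample packets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Ace:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip", "tcp", "udp" or "icmp"
    src: str                                 # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[Tuple[int, int]] = None  # inclusive range; None = any port
    established: bool = False                # IOS 'established' keyword
    hits: int = 0                            # constructed match counter

def _ports_overlap(a, b):
    return a is None or b is None or (a[0] <= b[1] and b[0] <= a[1])

def independent(x: Ace, y: Ace) -> bool:
    """True when no single packet can match both entries, so swapping them cannot change the ACL's meaning."""
    if "ip" not in (x.proto, y.proto) and x.proto != y.proto:
        return True
    if not ipaddress.ip_network(x.src).overlaps(ipaddress.ip_network(y.src)):
        return True
    if not ipaddress.ip_network(x.dst).overlaps(ipaddress.ip_network(y.dst)):
        return True
    # 'established' does not separate entries: a plain TCP entry still matches the same ACK packets.
    return not _ports_overlap(x.dport, y.dport)

def optimize(acl):
    """Move frequently matched entries upward, one adjacent swap at a time, only past independent entries."""
    acl = list(acl)
    for i in range(1, len(acl)):
        j = i
        while (j > 0 and acl[j].hits > acl[j - 1].hits
               and independent(acl[j], acl[j - 1])):
            acl[j], acl[j - 1] = acl[j - 1], acl[j]
            j -= 1
    return acl

def matches(ace: Ace, pkt) -> bool:
    proto, src, dst, dport, ack = pkt   # packet as (proto, src, dst, dport, ACK-set?)
    return ((ace.proto == "ip" or ace.proto == proto)
            and (ack or not ace.established)
            and ipaddress.ip_address(src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(ace.dst)
            and (ace.dport is None or ace.dport[0] <= dport <= ace.dport[1]))

def evaluate(acl, pkt) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed inbound ACL in the spirit of the text's ACL-OUTSIDE (hit counts are made up).
ANY = "0.0.0.0/0"
ACL_OUTSIDE = [
    Ace("deny", "ip", "10.0.0.0/8", ANY, hits=5),                     # anti-spoofing
    Ace("permit", "tcp", ANY, "200.1.2.2/32", (80, 80), hits=300),    # inbound HTTP
    Ace("permit", "tcp", ANY, ANY, established=True, hits=9000),      # return traffic
    Ace("permit", "udp", ANY, "200.1.2.3/32", (53, 53), hits=12000),  # inbound DNS
    Ace("deny", "ip", ANY, ANY, hits=50),
]
```

Here the DNS line overtakes the established and HTTP lines (different protocol, so independent) but stops below the anti-spoofing deny, which could match the same packets; the established line cannot pass the HTTP permit for the same reason.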

Example Description

The picture illustrates an example of how to use the PIX NAT commands. The hosts on the inside network are numbered with the 10.1.1.0/24 prefix. Any packets to the outside world should be translated to the inside global prefix 193.9.9.0/24. Both a static and a dynamic configuration example are given for both Cisco IOS routers and Cisco PIX Firewalls. The nat (inside) 1 0 0 command permits all inside users to start outbound connections using the translated IP addresses from a global pool. Sometimes it is...

Example Scenario

This example scenario focuses on a large bank that needs to deploy public services, such as electronic banking, over the Internet. The bank has an existing firewall, but is not comfortable with integrating a new, complex service into that firewall at the very high level of security that is required. Also, high availability is a primary need for all connectivity and security functionality in the upcoming solution. The bank claims to have a security policy, but close examination has shown that...

Example Scenario Basic Filter Design and Placement

Again the direction of traffic flows is fundamental for configuration considerations. Using reflexive ACLs, the inside ACL permits the outbound flow. The outside ACL reflects outgoing flows matched by the inside ACL and allows return traffic. In this example, the outbound packet traffic will be filtered using the packet filtering ACL (ACL-Inside), applied inbound on the inside interface. All inbound packet traffic will be filtered using the packet filtering ACL (ACL-Outside) on the outside...

Example Scenario Configuration

This figure illustrates a configuration example for extended inbound and outbound ACLs. Note that the most frequently used rules are specified at the beginning. The ruleset ACL-OUTSIDE, permitting inbound traffic (from the untrusted to the trusted network) and applied inbound to the outside (untrusted) interface, needs to:
deny spoofed addresses using layer-3 filters
permit established TCP traffic (return traffic of outgoing sessions)
permit inbound sessions to the internal HTTP server
permit inbound...

Example Scenario Know Your Directions

Again the direction of traffic flows is fundamental for configuration considerations. Remember the general rules that are always set up, such as the ingress and egress filtering, and the protection of the router itself. In this example, the outbound packet traffic will be filtered using the packet filtering ACL (ACL-Inside), applied inbound on the inside interface. All inbound packet traffic will be filtered using the packet filtering ACL (ACL-Outside) on the outside router interface. The...

Examples

Many firewall tunneling examples exist, and for several of them software is freely available. This figure illustrates two such possibilities of tunneling:
Running the Point-to-Point Protocol (PPP) over an outbound telnet session. This establishes a point-to-point IP link between the perimeters (such as a leased line), while the firewall only sees a telnet session.
Using specially crafted Domain Name System (DNS) servers and resolvers, where a terminal session is hidden in the DNS payload (for...

Examples 2 and

This figure illustrates configuration examples for TurboACLs (top) and ACLs using NetFlow (bottom). NetFlow acceleration should be used to accelerate ACLs in relatively low connection-rate environments, if software routers are used. Note that NetFlow itself might cause a DoS vulnerability on some platforms, as the first packet of the flow is heavily processed (the Cisco 7500 platform is a prime example, where the packet is copied from the VIP two times to system buffers in main memory), if a...

Extremely conservative rules only permit the required protocols

The three-tier e-commerce application handles very sensitive data. The external server is open to the Internet, so we host it on the external firewall. Its DMZ is more trusted than all other DMZs on the outside firewall, as that server handles the most sensitive data of all public servers. If an attacker broke into one of the other public servers, the access rules on all DMZs should prevent any further access. The least...

Extremely granular access control is possible between perimeters

This figure illustrates a well-known use of perimeters in a screened-subnet firewall architecture. Any screened subnet attached to a firewall filter is a standalone perimeter, whose purpose is to host exposed services, or connect an external network to the firewall over its own interface. In this case, intrusions can often be isolated to a particular perimeter, especially if the firewall enforces least-privilege access control, making it difficult to enter other perimeters. Additionally, the...

Facts

Different vendors of PAT solutions have implemented different port assignment strategies. The Cisco PAT strategy is to keep the same port value during translation where possible. When N inside hosts use the same source port number, the PAT router will increase N-1 of these identical source port numbers to the next free values. The 16-bit port number used in the TCP or UDP header limits the maximum number of sessions per IP address. Therefore, each IP address can handle up to 65,535 sessions....
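The port assignment strategy described here, together with the unidirectional behaviour the earlier PAT paragraph relies on, modelled as an added example that is not from the course notes. The global address and inside hosts are constructed, and the simple wrap-around search for the next free port is an assumption about how "next free value" is chosen.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_PORT = 65535   # 16-bit port field: at most 65,535 sessions per global address and protocol

@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    inside_ip: str      # inside local address
    inside_port: int    # source port chosen by the inside host

@dataclass
class PatTable:
    global_ip: str
    # per protocol: translated port -> inside flow that owns it
    ports: Dict[str, Dict[int, Flow]] = field(default_factory=dict)
    # inside flow -> translated port
    xlate: Dict[Flow, int] = field(default_factory=dict)

    def outbound(self, flow: Flow) -> Optional[Tuple[str, int]]:
        """Translate an outbound flow, creating the entry on first use.
        Returns None when the port space for that protocol is exhausted."""
        if flow in self.xlate:
            return self.global_ip, self.xlate[flow]
        used = self.ports.setdefault(flow.proto, {})
        if len(used) >= MAX_PORT:
            return None
        port = flow.inside_port
        if port in used:                      # collision: move to the next free value
            port = self._next_free(used, port)
        used[port] = flow
        self.xlate[flow] = port
        return self.global_ip, port

    def inbound(self, proto: str, global_port: int) -> Optional[Flow]:
        """Inbound packets reach an inside host only through an existing
        translation; unsolicited inbound traffic has nowhere to go."""
        return self.ports.get(proto, {}).get(global_port)

    @staticmethod
    def _next_free(used: Dict[int, Flow], start: int) -> int:
        # Assumption: search upward from the wanted port and wrap around.
        # A free port exists because the caller checked len(used) < MAX_PORT.
        p = start
        while True:
            p = p + 1 if p < MAX_PORT else 1
            if p not in used:
                return p
```

With three inside hosts all sourcing from port 1024, the first keeps 1024 and the other two are moved to 1025 and 1026, matching the N-1 rule above.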

Failover Guidelines for the PIX Firewall

Designing a PIX Firewall failover should take the following guidelines into account:
Failover mates must be able to talk to each other over all interfaces in order to maximize the reliability of the connectivity.
After a switchover, the MAC and IP addresses do not change. When a device changes state from standby to active, or from active to standby, a gratuitous ARP is sent on each network interface to rebroadcast the new IP and MAC addresses.
The failover poll is used to monitor network activity,...

Failover Routing Issues

The long distance high availability (HA) routing solutions require running a routing protocol over a firewall. The firewall does not need to speak to the routing protocol but it must be aware of it. Using BGP provides maximum flexibility because the configuration is independent from technical metrics. Alternatively, use interior gateway routing protocols such as OSPF and RIPv2. This availability relies on correct routing tables. Ensure the routing protocol uses an authentication mechanism when...

Failure Detection

To determine the failure of the active components, several methods can be implemented. The IOS firewall can use HSRP, which can be tuned to fail over in less than 1 second. However, if using a PIX Firewall, configure a simple native cable failover; a LAN failover is also possible. Both methods achieve switching times below 15 seconds. The failover cable is the only additional hardware required to support PIX failover. In PIX 6.2 and later, a failover can be achieved with or without a failover...

Fault Redundancy for ALGs

ALGs require a completely different high availability consideration. Use either content switching or native standby protocols such as the Web Cache Communication Protocol (WCCP) to design a quick failover. Developed by Cisco Systems, WCCP specifies interactions between one or more routers or Layer 3 (L3) switches, and one or more web caches. The purpose of the interaction is to establish and maintain the transparent redirection of selected types of traffic flowing through a group of routers....

Features and Limitations

The features of the screening router architecture include:
Simplicity in design. Multiple perimeters are separated by a single device, which enforces access control.
Availability in existing software sets; therefore no upgrade is necessary and the functionality is available anywhere.
Robust access control, if application-aware (stateful) filtering is used.
The limitations of the screening router architecture include:
The filtering device is a single point of failure, should a bug or...

FFS Final Step

Finally, the previously defined inspection rules and ACLs are applied inbound or outbound on an interface.
 ip inspect OUTSIDE in
 ip access-group OUTSIDEACL in
interface FastEthernet0/1
 ip inspect DMZ in
 ip access-group DMZACL in
 ip inspect INSIDE in
 ip access-group INSIDEACL in
The simplest, clearest, and easiest-to-verify configuration results when both an ACL and an inspection ruleset are applied inbound on an interface.

FFS First Step

Identify inspection rulesets that specify which application protocols need to be inspected on an interface. Generic TCP and UDP inspections are used for simple single-channel applications, for example Telnet and DNS.
 permit tcp any host 200.1.2.1 eq 25
 permit tcp any host 200.1.2.2 eq 80
 permit icmp any any packet-too-big
 deny ip any any log
ip access-list extended INSIDEACL
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log
 permit icmp any any packet-too-big
 deny...

FFS Second Step

The specified ACLs are applied on interfaces to specify which applications are permitted between endpoints. Note the advantage that no return traffic or additional sessions need to be configured, similar to PIX access lists.
 ip inspect OUTSIDE in
 ip access-group OUTSIDEACL in
interface FastEthernet0/1
 ip inspect DMZ in
 ip access-group DMZACL in
 ip inspect INSIDE in
 ip access-group INSIDEACL in

File Transfer Protocols Refresher

The risks of file transfer are twofold:
Exposed file servers might be buggy, allowing an attacker to access more than they should be allowed. In addition, the tight integration of file serving with the operating system might enable an attacker to escalate privileges quickly.
Files transferred between the application endpoints may contain malicious content, and may compromise the client if executed.
Some file transfer and file access protocols are hard to filter by some firewall technologies....

Filters suspicious characters in email addresses

The SMTP Fixup allows only certain SMTP commands to be used, thereby protecting SMTP servers from many types of attacks. For this reason, some devices that use ESMTP and need it to function may not run correctly. When configured, Mailguard allows only the seven SMTP minimum-required commands as described in Section 4.5.1 of RFC 821. These seven minimum-required commands are HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. Other commands, such as KILL, WIZ, and so forth, are intercepted by the...

Firewall Examples

There are many network access technologies that can be used to build a firewall. These include:
Simple wire cutters
Complex systems integrating tens of hosts into a firewall system
This figure presents some implementations of the firewall concept; all of these systems can be easily classified as firewalls:
A simple router, protecting a small network by enforcing access control for packets inbound from the Internet
A LAN switch separating the voice and data network
A system interconnecting...

Firewall Features

By performing network access control, a firewall can be used as a protective measure against:
Exposure of sensitive hosts and applications to untrusted users. A firewall hides most of a host's functionality and only permits the minimum required connectivity to a host. Complexity is thus reduced, and many possible vulnerabilities are not exposed.
Exploitation of protocol flaws. A firewall can be programmed to inspect protocol messages and verify their compliance with the protocol, be it Layer 3...

Firewall Limitations in Application Security

This figure illustrates the concept of application security, when firewalls are used. A firewall can protect a vulnerable web server, but all the firewall might do is pass all web sessions to the server, and deny all other sessions. An attacker can compromise the exposed host if the permitted web sessions contain malicious data. The firewall may limit data flow on the application layer, but most firewalls on the Internet do not. While some firewalls are able to filter traffic with fine...

Firewall Limitations with Blind Trust

The firewall's trust of the inside network can also be abused by software masquerading as a trusted inside user. An inside user can download malicious code (a Trojan Horse), which secretly opens connections to the untrusted network, masquerading as the user. The Trojan Horse then accepts and executes instructions, performing malicious actions on the user's system. Firewall authentication of users might reduce this risk somewhat, or at least reduce the window of exploitation.

Firewall Performance Improvements

The simplest, but most expensive, performance improvement is buying a bigger box to provide a faster CPU and a hardware-based inspection engine. A designer can achieve a performance improvement by simply using lower-layer inspection techniques, which work much faster but offer a slightly lower degree of security. A redesign of the firewall may also help. The most elegant solution is to distribute the load over multiple firewalls. This can keep the performance and degree of security on a high...

Firewalls and Security Policies

A network access policy defines which network connectivity is allowed under the security policy of an organization. Under the umbrella of connectivity, many aspects of communication are covered, including:
Network sessions between clients and servers
Applications using the network sessions
Data that is transported inside the application sessions
A more technical definition of a firewall can be stated as a system that enforces network access control in a network. The firewall, depending on its...

Fundamental IOS NAT Commands

The ip nat command marks interfaces identifying whether they are on the inside or the outside. Only packets arriving on a marked interface are subject to translation. The ip nat pool command defines a pool of addresses using the start address, end address, and netmask. These addresses will be allocated as needed. The ip nat inside source command enables dynamic translation. Packets from addresses that match those on the simple access list are translated using global addresses allocated from...

Fundamental PIX NAT Commands

The static command creates a permanent mapping between a local IP address local_ip and a global IP address global_ip. The internal_if_name is the inside (higher security level) network interface name. The external_if_name is the outside (lower security level) network interface name. The network_mask pertains to both global_ip and local_ip. For host addresses, use 255.255.255.255, except when subnetting is in effect (for example, 255.255.255.128). For network addresses, use the appropriate class mask, for example, for Class A...

General Technology Guidelines

Modern firewalls are usually built as hybrids using packet filtering, application-layer gateways, and stateful packet filtering. The core technology that provides basic access control is often stateful packet filtering. It is the most extensible and simple-to-use method, and offers the most flexibility and room to grow in the future. Application-layer gateways are used to augment basic access control. Traffic that needs application-layer inspection is redirected to the ALGs. Packet filters...

Guidelines

NAT is usually used to translate packets that are tunneled inside an IPSec connection. The simplest method for NAT to work inside an IPSec VPN is to terminate IPSec before initiating NAT. The general recommendations are:
Enable NAT and IPSec on the same gateway; the operating system (IOS or PIX OS) will then take care of processing the packets in the proper order.
Perform NAT outside the IPSec tunnel on a dedicated device, so that the incoming IPSec tunnel is terminated before packets are...

Guidelines for Dynamic NAT

The example configuration illustrated consists of the following basic steps:
Step 1 Use the command ip nat pool to define an inside global address pool.
Step 2 Use the command ip nat pool to define an outside local address pool.
Step 3 Use the command ip nat inside source to enable inside NAT. Specify an access list defining the inside local addresses to be translated using the predefined inside pool.
Step 4 Use the command ip nat outside source to enable outside NAT. Specify an access list,...

Guidelines for Long Distance High Availability

When designing a high availability firewall setup using long distance failover connections, the best solution is to use routing protocols for the failover connections. This method is the most cost-effective solution as there is no expensive LAN connectivity required between the sites. One issue to consider is that the PIX does not support any routing protocol, so the routing protocol of the network border routers must run over the PIX. A simple solution is to use BGP, which is based on TCP....

Guidelines for Physical Design

Several locations can be considered for the content engine:
Place the content engine as close as possible to the inside clients. This provides good performance but reduces the precision of connection control on the firewall.
Place the content engine on a DMZ. This is good for detailed logging but lowers the firewall performance.
Place the content engine outside the firewall. This is the least optimal solution from a performance and security point of view. The only...

Guidelines for Static NAT

The example configuration illustrated consists of the following basic steps:
Step 1 Use the ip nat outside source static command to define the static outside NAT to be applied to inbound packets originated by the outside host with the overlapping address. Specify the single outside global address to be translated to the single outside local address.
Step 2 Use the ip nat inside source static command to define the static inside NAT to be applied to outbound packets originated by the inside...