Foundation Topics Advanced Security Concepts

A wealth of security concepts has been covered so far. This section covers some of the techniques used in the areas of your network that are vulnerable to attack, in particular the Demilitarized Zone (DMZ).

The DMZ is defined as an isolated part of the network that is easily accessible to hosts outside of the network, such as the Internet.

Figure 7-1 displays a typical network design where a DMZ is defined with a number of bastion hosts (the first line of defense, or hosts that can be sacrificed in the event of a network attack).

Figure 7-1 DMZ Design

Figure 7-1 displays a typical perimeter network where the DMZ is separated by a firewall. Firewalls are network devices such as Private Internet Exchange (PIX), which are discussed later in this chapter. Firewalls are designed to protect the internal (or private) parts of a network from the public domain.

The aim of all firewalls is to accomplish the following:

• Serve as a traffic point—The traffic from inside and outside the network must pass through the traffic point.

• Authorize traffic—Permits only authorized traffic.

• Designed to be immune from penetration—Firewalls are designed to resist attack, although they are still frequently the devices that outside hosts attack.

• Invisibility—Ensures that the private network is invisible to the outside world.

As shown in Figure 7-1, the perimeter router sits between the DMZ and the public domain. Typically, a high-performance router or routers will be located here, performing a number of duties including the following:

• Ensuring that access to the Internet Protocol (IP) is restricted using access lists

• Restricting Transmission Control Protocol (TCP) services

• Preventing attacks on firewall systems

• Preventing Denial of Service (DoS) attacks on bastion hosts and the private network

• Permitting only authorized traffic to the bastion hosts

• Logging all network events to external or internal systems

• Performing address translation (NAT/PAT)

• Running static or dynamic routing protocols; Cisco PIX is limited to RIP and static routing.

NOTE Proxy servers are designed to shield internal devices from outside intruders by replacing the internal hosts' IP addresses with its own IP address. Most new vendors now allow routers to act as proxy servers. Proxy servers have scalability and speed issues, as all packets must be examined and IP headers modified for packet delivery.

Firewalls and perimeter routers have the additional function of packet filtering. A packet filter is a device that inspects all incoming and outgoing packets based on IP source address, destination IP address, and protocol type, such as TCP or UDP. Based on configurable options, the filter decides whether to reject or allow traffic to pass through the device.

Table 7-1 summarizes the main functions of a perimeter and firewall router.

Table 7-1 Perimeter/Firewall Router Functions (each Protection Service is followed by its Method)

Sniffer or snooping capabilities
  Method: Control eavesdropping with the TCP/IP service and network layer encryption (IPSec).

Control unauthorized access
  Method: Use authentication, authorization, accounting (AAA), and Cisco Secure. Also, access-list filtering and PIX Firewall.

Controlling session replay
  Method: Control what TCP/IP sessions are authorized. Block SNMP, IP source routing, and finger services to outside hosts.

Controlling inbound connections
  Method: Filter internal addresses as the source from the outside world. Filter all private addresses. Filter Bootp, Trivial File Transfer Protocol (TFTP), and trace route commands. Allow TCP connections established from the inside network. Permit inbound traffic to the DMZ only.

Controlling outbound connections
  Method: Allow only valid IP addresses to the outside world and filter the remaining illegal addresses.

Packet filtering
  Method: Use predefined access lists that control the transmission of packets from any given interface, controlling Virtual Terminal (VTY) lines and access, and ensuring that routing updates are authenticated.

Cisco IOS routers can filter TCP or UDP protocol types. Example 7-1 displays the number of TCP services you can filter on a Cisco IOS router using extended access lists.

Example 7-1 TCP Services Filtered on Cisco IOS Routers

R1(config)#access-list 100 permit tcp any any eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (used infrequently, 20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)

Example 7-2 displays the extended access list when filtering services based on the UDP protocol suite of services.

Example 7-2 UDP Services Filtered on Cisco IOS Routers

R1(config)#access-list 101 permit udp any any eq ?
  <0-65535>    Port number
  biff         Biff (mail notification, comsat, 512)
  bootpc       Bootstrap Protocol (BOOTP) client (68)
  bootps       Bootstrap Protocol (BOOTP) server (67)
  discard      Discard (9)
  dnsix        DNSIX security protocol auditing (195)
  domain       Domain Name Service (DNS, 53)
  echo         Echo (7)
  isakmp       Internet Security Association and Key Management Protocol (500)
  mobile-ip    Mobile IP registration (434)
  nameserver   IEN116 name service (obsolete, 42)
  netbios-dgm  NetBios datagram service (138)
  netbios-ns   NetBios name service (137)
  netbios-ss   NetBios session service (139)
  ntp          Network Time Protocol (123)
  pim-auto-rp  PIM Auto-RP (496)
  rip          Routing Information Protocol (router, in.routed, 520)
  snmp         Simple Network Management Protocol (161)
  snmptrap     SNMP Traps (162)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       System Logger (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  tftp         Trivial File Transfer Protocol (69)
  time         Time (37)
  who          Who service (rwho, 513)
  xdmcp        X Display Manager Control Protocol (177)

Examples 7-1 and 7-2 clearly allow a network administrator flexibility when designing perimeter security based on particular port numbers, as defined in RFC 1700.
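The following is an added example, not part of the book or of Cisco IOS: a small first-match evaluator for extended access lists in the syntax of Examples 7-1 and 7-2, run against a constructed inbound policy that implements the Table 7-1 perimeter-router rules (filter private and spoofed internal source addresses, block TFTP, permit inbound traffic only to DMZ services, and permit only established TCP back to the inside). The inside network (203.0.113.0/24), the DMZ (198.51.100.0/24) and the sample packets are assumptions using documentation address ranges.

```python
import ipaddress
# Added example (not from the book): a first-match evaluator for Cisco IOS extended ACLs,
# run against a constructed perimeter policy. 203.0.113.0/24 = inside, 198.51.100.0/24 = DMZ.
INBOUND_ACL = """
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny   ip 203.0.113.0 0.0.0.255 any log
access-list 100 deny   udp any any eq tftp log
access-list 100 permit tcp any 198.51.100.0 0.0.0.255 eq www
access-list 100 permit tcp any 198.51.100.0 0.0.0.255 eq smtp
access-list 100 permit tcp any 203.0.113.0 0.0.0.255 established
"""
NAMED_PORTS = {"www": 80, "smtp": 25, "tftp": 69, "ftp": 21, "telnet": 23, "domain": 53}

def wildcard_match(addr, base, wildcard):  # IOS wildcard mask: a 1 bit means "do not care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)
def take_addr(t):  # consume "any" or "ADDR WILDCARD" -> (base, wildcard, remaining tokens)
    return ("0.0.0.0", "255.255.255.255", t[1:]) if t[0] == "any" else (t[0], t[1], t[2:])
def take_port(t):  # consume an optional "eq PORT" (name or number) -> (port or None, remaining)
    if t[:1] != ["eq"]:
        return None, t
    return NAMED_PORTS[t[1]] if t[1] in NAMED_PORTS else int(t[1]), t[2:]

def parse_ace(line):
    # access-list N action proto SRC [eq P] DST [eq P] [established] [log]
    t = line.split()
    ace = {"action": t[2], "proto": t[3]}
    ace["src"], ace["src_wc"], rest = take_addr(t[4:])
    ace["sport"], rest = take_port(rest)
    ace["dst"], ace["dst_wc"], rest = take_addr(rest)
    ace["dport"], rest = take_port(rest)
    ace["established"], ace["log"] = "established" in rest, "log" in rest
    return ace

def matches(ace, pkt):
    # Every field must match; "established" additionally requires the ACK or RST bit set.
    return (ace["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], ace["src"], ace["src_wc"])
            and wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"])
            and ace["sport"] in (None, pkt.get("sport")) and ace["dport"] in (None, pkt.get("dport"))
            and (not ace["established"] or pkt.get("ack") or pkt.get("rst")))

def evaluate(acl_text, pkt):
    # First matching entry wins; IOS ends every list with an implicit "deny ip any any".
    for ace in map(parse_ace, acl_text.strip().splitlines()):
        if matches(ace, pkt):
            return ace["action"], ace["log"]
    return "deny", False
```

Feeding a spoofed packet with an inside source address, a new connection to a DMZ web server, a new connection aimed past the DMZ at an inside host, and the ACK-bearing reply traffic for an inside-initiated session shows each Table 7-1 rule being hit in turn, with the implicit deny catching what no entry permits.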
