Copyright Entellus Technology Group, Inc. XI - 1Firewalls Page
Firewalls
Risks and Controls
By Mr. Frank W. Lyons, Entellus Technology Group Inc.
Module Objectives
What You Will Learn During This Seminar
1. Introduction to Firewalls
2. Packet Filtering Firewalls
3. Proxy Firewalls
4. Virtual Firewalls
5. Firewall for Electronic Commerce
6. Summary

Firewalls Have Evolved
From simple packet filtering to multipurpose devices that can:
Examine traffic for intrusion detection
Scan Java applets and ActiveX controls for malicious code
Filter web traffic based on content
Provide IP address translation
And more
What Is The INTERNET?
The INTERNET is a global collaboration of data networks connected to each other using common protocols (e.g., TCP/IP) to provide instant access to an almost indescribable wealth of information and to computers around the world.

INTERNET Security Risks
Stealing passwords
Computer software bugs
Authentication failures
Protocol failures
Information leakage
Denial of service

Definition of a Firewall
A collection of components placed between two networks that has the following properties:
All traffic from inside to outside, and vice versa, must pass through the firewall
Only authorized traffic, as defined by the local security policy, will be allowed to pass
The firewall itself should be immune to penetration
Purpose of a Firewall
Protect a network from an untrusted network
[Figure: trusted network XXX (LAN) and untrusted network YYY (LAN), each behind a router, with the FIREWALL between them]

Firewall Shapes
Perimeter router
Devices that look for weaknesses in TCP/IP protocols such as SNMP, TCP and others
Devices that look at traffic content, for something like pornography
Combinations of the above
Simply put, a firewall allows you to control traffic between two networks
Firewall Selection Depends On
Functions that you need in a firewall
Find a product that meets or exceeds these abilities
For instance:
• How many devices do you need to protect?
• How many segments need to be directly connected to the firewall?
• What resources do you need to protect your network?
• What applications do your users use?
• What internal resources do your users need access to?
• How much traffic will the firewall have to handle?
• Do you need to protect data between different sites?
More:
• Will you be using private addresses in your network, and do you need address translation?
• Are you concerned about weaknesses in the TCP/IP protocol stack?
• Do you worry about your users' productivity and how surfing the Internet will affect this?
• Are you concerned about the content of material that your users will download to their desktops?
• Does your network have to support multimedia traffic?
• Do you need to authenticate users before allowing them access into or out of your network?
• How many firewalls do you need?
Recommendations
PIX, Nokia, Checkpoint, maybe with a router in front to filter
A firewall does not have to be a single device
It may be a group of devices, but should include:
Perimeter router
Main firewall
Virtual private network (VPN)
Intrusion detection system (IDS)
System Vulnerabilities
Unauthorized Access
User Logins
Privileged User Logins
Object Access
Data Integrity Vulnerabilities
Trojan Horses
Logic Bombs
Viruses
Application Vulnerabilities
Audit Vulnerabilities

Trojan Horses
Programs that appear to perform one function but actually perform another:
Renaming or replacing executable files
Replacing libraries: Dynamic Link Libraries, shared libraries

What Is a Network?
Two or more systems connected (i.e., data is transferred or shared) via a communications medium
LAN
Limited geographic coverage
Generally owned and administered by one group
Limited number of users
No common carrier communications

Networking and Communications: Switches
[Figure: switches connecting the Internet, a mainframe, a workstation and a file server; switch attributes noted: backplane speed, has ACLs]

WAN
Wider geographic coverage
Integrated voice/data network
Often uses common carrier lines
Interconnection of LANs

Network Topologies

Bus or Switched Network Topology
[Figure: file servers attached to a bus or switched LAN]
Ethernet
BUS topology
Broadcast LAN: transmissions from one station are received at all stations (unless the LAN is switched, in which case frames reach all stations only when the switch floods them, e.g., under overload)
"Pull and plug": very easy to connect a new station to the Ethernet, usually without the LAN administrator
[Figure: hosts attached along a shared Ethernet segment]

Protocols - FTP
[Figure: a host sending a file to Host 3 across a shared Ethernet segment with several other hosts attached]

Security Issues for "Pull and Plug"
No access control
Undetectable presence of listening devices
Denial of service
Is someone listening?
Do you send clear text over the network?

Denial of Service
[Figure: hosts on a shared Ethernet segment illustrating denial of service ("NO!!")]
Prevention
Detection
Recovery

Packet-Switched Network
Each packet carries:
• Source
• Destination
• Sequence number
• CRC check sum total
The OSI Model
[Figure: two seven-layer stacks (Layer 7 down to Layer 1) side by side, one per end system, showing peer layers communicating]

OSI Model - 7 Layers
Layer 7, Application: Provides end user and application processes access to the network and OSI environment.
Layer 6, Presentation: Provides message transformation and formatting services.
Layer 5, Session: Provides logical session initiation, maintenance and termination services between end users.
Layer 4, Transport: Ensures that data units are delivered error free, in sequence, with no loss or duplication.
Layer 3, Network: Provides means of transmitting data units across any type of network.
Layer 2, Data Link: Provides for the transfer of data across the physical link.
Layer 1, Physical: Concerned with establishing, maintaining, and terminating the physical link.
Networking and Communications: Repeater
[Figure: System A and System B, each with a seven-layer stack, joined at the physical layer by a repeater over the physical media]
Repeaters work at the physical layer, and there is not too much excitement with these types of products.
They just regenerate the signal as it goes across the network.

Networking and Communications: Bridge
[Figure: System A and System B joined at the data link layer by a bridge]
Bridges work at the data link layer, forwarding on physical (MAC) addresses.
They are called learning bridges.
They can isolate traffic between two local area networks.
They can also set up filters or Access Control Lists (ACLs).

Networking and Communications: Router
[Figure: System A and System B joined at the network layer by a router]
Routers are very powerful, as they can determine which path a message needs to take to reach the destination address.
They work at the network address level.
They also have ACLs and are sometimes used as a firewall.

Networking and Communications: Gateway
[Figure: System A and System B, each with a seven-layer stack, joined by a gateway over the physical media]

Why Firewalls? Because of:
Weaknesses in the TCP/IP protocol stack
Enforcement of your company's business and security policies
Perimeter Router Function
Provides the connection to the Internet, translating the data link layer media types from LAN to WAN.
It might also perform more functions, like packet filtering, BGP routing, or VPN connections.

Main Firewall Function
Controlling traffic between two networks
Can be to the external world or between divisions and/or departments

Packet Filter
[Figure: a network-layer IP filter between INSIDE (Hosts C and D) and OUTSIDE; packets from authorized Host A pass to Host C and Host D, packets from unauthorized Host B are blocked (X)]

VPN
Remote offices
A VPN allows you to protect your traffic from eavesdroppers
All external communications should go through a VPN

IDS: Major Component of a Firewall
Intrusion detection
The main firewall component will control traffic (filtering) based on the policy rules
To deal with new security threats you need to understand what traffic is being sent into your network and its intentions
An IDS may automatically reconfigure your firewall system to block strangely acting traffic
Latest Firewalls
Other services:
DHCP
WINS server address
DNS server address
Content filtering:
• Email for viruses
• Web downloads for Java applets or ActiveX controls, which it filters
• But if the content is encrypted, then no content search is possible (Web Sense)

Firewall Weaknesses
Even the best firewall has weaknesses; there is no completely secured network
Weaknesses:
• The people who administer it
• Next is the configuration of the firewall
• KISS: keep it simple, otherwise mistakes will be made
• Not using multiple components or devices
– Onion approach to security, or layered defense

Understand Your Data
Classify your data
Use firewalls to protect the sensitive data from external and internal users
Internal users have caused the most dollar losses

OSI Layers: Firewall Layers of Activity
The application, presentation and session layers are typically integrated into the application itself.
The transport, network, data link, and physical layers affect the transmission of traffic between devices.
OSI Model - 7 Layers (layer table repeated from above)
Packet Filtering Firewalls
Most common form of firewall
Filters at layer 3, sometimes layer 4
Example: a router with ACLs
Functions - filters on:
• Source IP address
• Destination IP address
• IP protocol type, like ICMP, TCP, UDP and others
• Protocol-specific information, like ICMP message type (echo, echo reply, destination unreachable, etc.), which allows identification of DoS attacks

Packet Filtering Firewalls: Functions at Layer 4
• Port numbers of applications for TCP and UDP
• Port number 23 for telnet
• Port number 25 for email
• Port number 80 for web
Applied to a specific interface on a firewall or router, in a direction (inbound or outbound)

Packet Filtering Firewalls: Advantages
Quick
Filtering policy definitions are very flexible
Filtering Strategy
Ways a filter list can be matched: first match, most restrictive match, or any match
Filters are processed top down
If no filter matches, the packet is dropped by the implicit deny at the end of the list
If a filter matches, the policy defined for it is executed: either permit or deny
• When denying a packet a firewall has two options:
– It can drop the packet silently
– Or notify the source that the packet has been dropped
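The first-match, top-down evaluation with an implicit deny described above, as an added example that is not part of the original seminar material. The inside network 192.168.10.0/24, the outside hosts and the four rules are constructed. The block also shows something the slide does not spell out: rule order matters, and the same four rules with a broad permit moved above a specific deny let the denied host through.

```python
# Added example (not from the seminar): a top-down, first-match packet filter
# with an implicit deny, the strategy described on the Filtering Strategy slide.
# Addresses, rules and packets are constructed for illustration.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IP
    dst: str                      # destination IP
    dport: Optional[int] = None   # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str                      # CIDR network or "any"
    dst: str                      # CIDR network or "any"
    dport: Optional[int] = None   # None matches any port
    notify: bool = False          # on deny: tell the source (True) or drop silently (False)

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return self.dport is None or self.dport == p.dport


def evaluate(rules: list[Rule], p: Packet) -> tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching rule decides.

    Returns (verdict, index of the deciding rule). Falling off the end is the
    implicit deny: the packet is dropped silently and the index is None.
    """
    for i, rule in enumerate(rules):
        if rule.matches(p):
            if rule.action == "permit":
                return ("permit", i)
            return ("reject" if rule.notify else "drop", i)
    return ("drop", None)


# Constructed policy for an inside network 192.168.10.0/24.
INSIDE = "192.168.10.0/24"
BAD_HOST = "203.0.113.7/32"      # a single outside host we never want to hear from

GOOD_ORDER = [
    Rule("deny",   "any", BAD_HOST, INSIDE),                          # specific deny first
    Rule("permit", "tcp", "any",    INSIDE, dport=25),                # mail
    Rule("permit", "tcp", "any",    INSIDE, dport=80),                # web
    Rule("deny",   "tcp", "any",    INSIDE, dport=23, notify=True),   # telnet: tell the source
]

# The same four rules with the broad mail permit placed above the specific deny:
# the deny is shadowed and mail from BAD_HOST now gets through.
SHADOWED_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2], GOOD_ORDER[3]]


def demo() -> dict[str, tuple[str, Optional[int]]]:
    """Run a few constructed packets through both orderings."""
    mail_from_bad = Packet("tcp", "203.0.113.7", "192.168.10.5", 25)
    telnet_in = Packet("tcp", "198.51.100.2", "192.168.10.5", 23)
    dns_in = Packet("udp", "198.51.100.2", "192.168.10.5", 53)
    return {
        "good:mail_from_bad": evaluate(GOOD_ORDER, mail_from_bad),
        "shadowed:mail_from_bad": evaluate(SHADOWED_ORDER, mail_from_bad),
        "good:telnet_in": evaluate(GOOD_ORDER, telnet_in),
        "good:dns_in": evaluate(GOOD_ORDER, dns_in),   # no rule matches: implicit deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The index returned with each verdict is what you want in a log line: a packet dropped by the implicit deny (index None) is a policy gap or an attack, while a packet matched by rule 0 in SHADOWED_ORDER shows the ordering error without having to read the whole list.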
Location of a Packet Filtering Firewall
Because packet filtering is fast but coarse, place it at the perimeter or boundary
With another firewall inside the network to handle more advanced filtering functions

Packet Filter: Transport Layer Filter
[Figure: a transport-layer filter between INSIDE (Hosts C and D) and OUTSIDE (authorized Host A, unauthorized Host B); e-mail, finger and FTP connections are permitted or blocked (X) according to port and source]

Packet Filtering Firewalls: Disadvantages
Cannot prevent application threats and attacks
No user authentication
Limited logging abilities
Vulnerable to certain TCP/IP protocol weaknesses:
• IP spoofing attacks
• DoS attack on the three-way handshake by flooding your network with TCP SYNs (with no intention of completing the connection)
Can be complex to configure

Audit Trail Purpose
Detect
Deter
Reveal
Reconstruct
Stateful Firewalls
Filter traffic at layers 3 and 4
Sounds like a packet filtering firewall, but it adds "awareness" at layer 4
Maintains information about the connection:
• It looks at the packet to see if it is part of a process that is setting up, maintaining, or tearing down a connection

Stateful Firewall Example Filter
Policy: drop inbound traffic whose source is host 2
But host 1 wants a file from host 2 in response to a request it made
Packet filtering firewalls cannot perform this type of activity because they do not look at the nature of the connection
Stateful:
Adds a temporary filtering policy for the specific port to allow host 1 to communicate with host 2
It only allows traffic for the existing connection with the original IP address and original port; any deviation by host 2 will cause the connection to be dropped

Stateful Firewall
Uses a "connection state table"
Once the connection is idle for a maximum period of time, the connection entry is removed
Host 2 could try to fool the firewall afterward, but the connection entry is gone
Disadvantages:
Must process and maintain more information
Costs more than a packet filtering firewall
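The connection state table described in the last three slides, as an added example that is not from the original seminar. Hosts 1 and 2, the inside network 10.0.0.0/8, the 300-second idle timeout and the one allowed inbound service are assumptions. It goes slightly beyond the slides in one respect: counting entries still in setup per source gives a view of the SYN flood listed earlier under packet-filter disadvantages.

```python
# Added example (not from the seminar): a minimal stateful filter built on the
# "connection state table" the slides describe. Hosts, ports, the timeout and
# the packets below are constructed; the inside network is an assumption.
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

IDLE_TIMEOUT = 300.0   # seconds an entry may sit idle before it is removed (assumed)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFilter:
    """Static policy: inside-initiated connections are allowed, plus inbound
    connections to explicitly allowed (ip, port) services. Everything else must
    match an existing table entry or it is dropped."""

    def __init__(self, inside_net: str, allow_inbound: set[tuple[str, int]] = frozenset()):
        self.inside = ipaddress.ip_network(inside_net)
        self.allow_inbound = set(allow_inbound)
        # (src, sport, dst, dport) of the connection's first packet -> state record
        self.table: dict[tuple[str, int, str, int], dict] = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.table.items() if now - e["last"] > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]          # idle too long: the temporary rule goes away

    def handle(self, p: Pkt, now: float) -> str:
        self._expire(now)
        inbound = ipaddress.ip_address(p.src) not in self.inside
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)

        if p.syn and not p.ack:        # someone is setting up a connection
            if not inbound or (p.dst, p.dport) in self.allow_inbound:
                self.table[fwd] = {"state": "SYN_SENT", "last": now, "src": p.src}
                return "permit"
            return "drop"

        if fwd in self.table:
            key = fwd                  # more traffic in the original direction
        elif rev in self.table:
            key = rev                  # return traffic: same two addresses and ports
        else:
            return "drop"              # unsolicited, or a deviation in address/port

        entry = self.table[key]
        entry["last"] = now
        if entry["state"] == "SYN_SENT" and p.syn and p.ack:
            entry["state"] = "ESTABLISHED"
        if p.fin or p.rst:             # tearing down (simplified: first FIN closes)
            del self.table[key]
        return "permit"

    def half_open_by_source(self) -> Counter:
        """Connections still in setup, per source. A SYN flood shows up as one
        source holding many SYN_SENT entries."""
        return Counter(e["src"] for e in self.table.values() if e["state"] == "SYN_SENT")


def demo() -> dict[str, str]:
    """Host 1 (inside) fetches a file from host 2 (outside) on port 21."""
    fw = StatefulFilter("10.0.0.0/8", allow_inbound={("10.2.2.2", 80)})
    h1, h2 = "10.1.1.1", "198.51.100.9"
    out = {}
    out["h1_syn"] = fw.handle(Pkt(h1, 40000, h2, 21, syn=True), now=0.0)
    out["h2_synack"] = fw.handle(Pkt(h2, 21, h1, 40000, syn=True, ack=True), now=1.0)
    out["h2_wrong_port"] = fw.handle(Pkt(h2, 21, h1, 40001, ack=True), now=2.0)   # deviation
    out["h2_data"] = fw.handle(Pkt(h2, 21, h1, 40000, ack=True), now=3.0)
    out["h2_after_idle"] = fw.handle(Pkt(h2, 21, h1, 40000, ack=True), now=3.0 + IDLE_TIMEOUT + 1)
    out["h2_new_syn"] = fw.handle(Pkt(h2, 2000, h1, 22, syn=True), now=400.0)   # unsolicited
    return out


def syn_flood_demo(count: int = 20) -> int:
    """A constructed outside host sends many SYNs to the allowed web server."""
    fw = StatefulFilter("10.0.0.0/8", allow_inbound={("10.2.2.2", 80)})
    for i in range(count):
        fw.handle(Pkt("203.0.113.5", 50000 + i, "10.2.2.2", 80, syn=True), now=i * 0.01)
    return fw.half_open_by_source()["203.0.113.5"]


if __name__ == "__main__":
    print(demo())
    print("half-open entries from flood source:", syn_flood_demo())
```

Two details matter in practice and are visible here: the return packet is matched on the reversed 4-tuple, so host 2 changing its port gets dropped rather than re-admitted, and an entry is only as good as its timeout; the table growing with SYN_SENT entries from one source is the signal a real device turns into SYN-flood protection.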
Authentication
Communications Integrity

Application Gateways (Proxy Firewalls)
Combine filtering with layer 7 access control
User must authenticate for each session
Also called "dedicated proxy" firewalls:
• Email proxy
• Web proxy
• FTP proxy
• Telnet proxy
• DNS proxy
• Finger proxy
• LDAP proxy
• Usenet News proxy

Authentication Methods
User account name and password
Source address authentication
Hardware/software-based token card authentication
Biometric authentication

Digital signature
Communications Integrity
Types of Application Gateway Firewalls
Connection gateways:
User authentication and application privileges are both verified
Advantages:
• Work at layer 7 as well as layers 3 and 4
• Detailed logging and filtering of application data
• Every command or keystroke
• Content filtering
• Web pages
• Java or ActiveX filtering
• FTP, but only to certain directory structures

Keystroke Monitoring

Connection Gateways: Disadvantages
Very slow in processing
Typically limited to a specific application or a small number of applications
Sometimes require special software to be loaded on the clients

Cut-Through Gateway Firewalls
Almost the same as a connection gateway firewall
User must authenticate
If the user is successful:
• They connect to the application
• The gateway builds the second half of the connection and binds it to the first half
• Now there is a single flow that the cut-through gateway can process at layer 3 or 4
• After authenticating at layer 7, it processes at layer 3 or 4 and improves throughput
• Plus it can authenticate the user at layer 7 for many more applications
• Plus no modifications to the clients may be needed

Cut-Through Downside
Better throughput, but loses application-layer (layer 7) filtering
Cannot capture as detailed logging information
Address Translation Firewalls
Problems solved:
Handling a shortage of IP addresses
Hiding network addressing schemes
Private address ranges by network class:
A: 10.0.0.0 – 10.255.255.255
B: 172.16.0.0 – 172.31.255.255
C: 192.168.0.0 – 192.168.255.255

Address Translation Firewalls - Terms
Inside
• Networks located on the inside of your company that will have their addresses translated
Outside
• Networks located outside of your network with valid public addresses
Inside local IP address
• An inside device with an assigned private IP address
Inside global IP address
• An inside device as seen from the outside, with a registered public IP address
Outside global IP address
• An outside device with a registered public IP address

Network Address Translation - NAT
Static
• Maps a single IP address to a different IP address, one to one
• Each mapping must be configured
• Typically applied from the outside to the inside on the destination address
Dynamic
• Assigns addresses from a public pool to local machines as they need them

Port Address Translation - PAT
NAT only provides one-to-one translation
PAT: address overloading
• Many inside hosts share one public IP address
• But the port numbers are changed
When the translation table is built, each entry contains four values:
• Inside local IP address (private)
• Inside local port number (original port number)
• Inside global IP address (public)
• Inside global port number (new port number)

Address Translation Firewalls: Uses
PAT: used to allow your inside users access to the Internet
Static NAT: used to assign public IP addresses to services that Internet users will be addressing

Security of Address Translation
Protects or hides your network infrastructure
Traffic must pass through the firewall itself
Disadvantages:
Adds a delay to packet streams
Makes troubleshooting more difficult
Does not work with all applications
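PAT as described above, as an added example that is not from the original seminar: a translation table with the four fields per entry, outbound rewriting, the reverse lookup for return traffic, and what happens when no entry exists. The public address 198.51.100.1, the inside hosts and the port pool are constructed.

```python
# Added example (not from the seminar): a Port Address Translation table in
# which many inside-local addresses share one inside-global address and are
# told apart by a rewritten source port. Every entry carries the four values
# listed on the slide. All addresses and ports are constructed.
from __future__ import annotations

from typing import Optional


class PatTable:
    def __init__(self, inside_global_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.global_ip = inside_global_ip
        self.next_port = first_port
        self.last_port = last_port
        # (inside local IP, inside local port) -> inside global port
        self.out: dict[tuple[str, int], int] = {}
        # inside global port -> (inside local IP, inside local port)
        self.back: dict[int, tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        """Hand out the next free global port. Real devices also try to keep the
        original port when it is free; this simple pool does not."""
        while self.next_port <= self.last_port and self.next_port in self.back:
            self.next_port += 1
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Inside -> outside: the source becomes (global IP, new port).
        An existing entry is reused so one flow keeps one translation."""
        key = (src_ip, src_port)
        if key not in self.out:
            gport = self._allocate_port()
            self.out[key] = gport
            self.back[gport] = key
        return (self.global_ip, self.out[key])

    def translate_inbound(self, dst_ip: str, dst_port: int) -> Optional[tuple[str, int]]:
        """Outside -> inside: look the global port up. None means no entry, i.e.
        unsolicited inbound traffic the firewall has nowhere to send."""
        if dst_ip != self.global_ip:
            return None
        return self.back.get(dst_port)

    def remove(self, global_port: int) -> None:
        """Drop a translation (e.g. on connection close or idle timeout)."""
        key = self.back.pop(global_port, None)
        if key is not None:
            del self.out[key]

    def entries(self) -> list[dict]:
        """The four-field entries the slide describes."""
        return [
            {"inside_local_ip": ip, "inside_local_port": lp,
             "inside_global_ip": self.global_ip, "inside_global_port": gp}
            for (ip, lp), gp in self.out.items()
        ]


def demo() -> PatTable:
    """Two inside hosts that happen to use the same source port."""
    pat = PatTable("198.51.100.1", first_port=1024)   # constructed public address
    pat.translate_outbound("192.168.1.10", 3000)      # -> (198.51.100.1, 1024)
    pat.translate_outbound("192.168.1.11", 3000)      # -> (198.51.100.1, 1025)
    pat.translate_outbound("192.168.1.10", 3000)      # reuses 1024
    return pat


if __name__ == "__main__":
    t = demo()
    for e in t.entries():
        print(e)
    print(t.translate_inbound("198.51.100.1", 1025))   # ('192.168.1.11', 3000)
    print(t.translate_inbound("198.51.100.1", 9999))   # None
```

The reverse lookup is where the "hiding" and the "does not work with all applications" points meet: an outside host can only reach an inside port that the table already maps, and a protocol that carries its own address and port inside the payload (the classic case being active-mode FTP) will name the untranslated inside values unless the firewall understands and rewrites that payload.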
Host-Based Firewalls
Protects the contents of the computer
Also protects the operating system itself
Disadvantages:
Less filtering
Less logging
More administration
Advantages:
Hardens the operating system as well as the applications and data on the computer
A PC on a cable modem is one example

Consider Security
Hybrid firewalls
Set security policy first
Use onion (layered) defense
Protect against insider threats too
KISS principle

DMZ: Demilitarized Zone
A DMZ is an area in your network that creates a buffer between the public network and your internal network
Typically services that you want the public to access are placed within the DMZ:
• FTP
• DNS

Transmission Security
Measures taken to protect communications transmissions from interception and exploitation by means other than cryptanalysis.
Denial of Service ("NO!!")
Prevention
Detection
Recovery

Sniffer Attacks
[Figure: a packet carrying a password crosses several routers on its way to the Internet; a sniffer on the path can read it]

Auditing/Monitoring Services
[Figure: packet filter between INSIDE (Hosts C and D) and OUTSIDE (Hosts A and B), with auditing/monitoring services attached to the filter and to both networks]

Security Assessment
Overall Security Assessment
External:
Internet Exposure Points
Points of Entry
Internal:
Network
Firewall
Operating Systems
Policies/Procedures
Database Systems
Change Control
Workstations
Disaster Planning
Web/Proxy Servers
Security Logs
Security Administration
Communication Servers
Wireless/Voice Security
ASPs
Physical Security
Applications
Security Monitoring
Internal Monitoring: establishment of an effective Security Command Center to monitor and control external and internal threats using staff personnel
Outsourced Monitoring: partnering with a Managed Security Monitoring company focused on protecting your critical information resources

MSM Architecture: Detection and Response
[Figure: customer devices (IDS, router, firewall, server) generate network events that are forwarded to the monitoring service (Sentry / SOCRATES) for expert analysis by a team of security analysts, who notify the customer's response contact; business assets protected include intellectual property, customer data and business plans; network intelligence, engineering and a service agreement underpin the service]

Audit Trail Security
Audit Trails Must be Protected!

Summary
Understand and implement password controls on Cisco routers
Understand and implement IP access control lists and filtering services on Cisco routers
Understand remote authentication mechanisms supported by Cisco routers
Controlling Access to Cisco Routers
[Figure: ways into a router: the console port; an asynchronous interface and analog telephone line for clients dialing in to access the network; a serial interface to the WAN (X.25, ISDN, SMDS, Frame Relay) with telnet from remote sites and a path to other networks; the local network (workstations and servers) with telnet to the router from the local network; the router shows the "router >" prompt]

Establishing Password Protection
For each access method, you can allow:
Nonprivileged mode access
Privileged mode access
Intermediate level access
Controlling Console Access
Restrict access to the console port (the password is set in line configuration mode, and login makes it required):
Cisco Router (config) # line console 0
Cisco Router (config-line) # password <password>
Cisco Router (config-line) # login
Restrict access to the auxiliary port:
Cisco Router (config) # line aux 0
Cisco Router (config-line) # password <password>
Cisco Router (config-line) # login

The Enable Secret Password
Stored as a salted MD5 hash (type 5), which is not reversible
Once set, it takes precedence over the enable password and will always be required
Set an enable secret password:
Cisco Router (config) # enable secret <password>
Gain privileged mode access, the same way as with the enable password:
Cisco Router > enable
Password: XXXXX
Cisco Router #
Defining Level Command Access
New levels have normal user EXEC mode access by default
To define access privileges for a level, use the following command:
Cisco Router (config) # privilege command_mode level level_number command
Example:
Cisco Router (config) # privilege exec level 5 ping
Cisco Router (config) # privilege exec level 5 trace

Cisco Password Hacks
Programs are readily available on the Internet which are capable of decrypting user passwords on Cisco routers
Not capable of decrypting the enable secret
Can decrypt passwords stored with the standard Cisco encryption scheme (type 7, as written by service password-encryption)
It is very important to maintain strict control of configuration files
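An added example (not from the original seminar) of the point above: the standard Cisco encryption scheme, IOS type 7, is reversible, which is why configuration files must be controlled and why the enable secret is the one to rely on. The key string is the fixed one IOS uses and has long been public; the configuration fragment and the password "cisco" are constructed.

```python
# Added example (not from the seminar): why the "standard Cisco encryption
# scheme" the slide refers to is not protection. IOS type 7 passwords (those
# written by "service password-encryption") are a reversible XOR against a
# fixed, widely published key string, so anyone holding a configuration file
# recovers the cleartext. The enable secret (type 5, a salted MD5 hash) cannot
# be reversed this way. The sample configuration below is constructed.
import re

# The fixed key string IOS uses for type 7 encoding (public knowledge).
_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """First two characters are a decimal offset into the key; the rest is the
    password as hex bytes, each XORed with the next key byte."""
    if len(encoded) < 4 or len(encoded) % 2 != 0 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _KEY[(offset + i) % len(_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(password: str, offset: int = 8) -> str:
    """Inverse of decode_type7 (XOR is its own inverse). Used here only to
    build test data in the same form a router writes it."""
    data = bytes(ord(c) ^ _KEY[(offset + i) % len(_KEY)] for i, c in enumerate(password))
    return f"{offset:02d}" + data.hex().upper()


_TYPE7_LINE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]+)\b")


def reversible_passwords(config_text: str) -> list:
    """Audit check: every type 7 value in an IOS config, with its cleartext.
    Lines using type 5 (enable secret) are left alone: nothing to reverse."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = _TYPE7_LINE.search(line)
        if m:
            found.append((line, decode_type7(m.group(1))))
    return found


# Constructed configuration fragment. The type 5 value is a placeholder, not a
# real digest; the type 7 values encode the password "cisco".
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$salt$placeholder-not-a-real-hash
enable password 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, clear in reversible_passwords(SAMPLE_CONFIG):
        print(f"{line!r} -> {clear!r}")
```

Running reversible_passwords over saved configurations is the practical check: any hit means a password that leaks to anyone who can read the file, including backups and change-control copies, and should be replaced with an enable secret or an external (TACACS+/RADIUS) account.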
Standard IP Access List Commands
First, set the parameters defining test conditions (this can be done using several statements; the mask is a wildcard mask, in which a 1 bit means "don't care"):
Cisco Router (config) # access-list access-list-number {permit | deny} address [wildcard-mask]
Example:
Cisco Router (config) # access-list 1 permit 172.16.0.0 0.0.255.255
Cisco Router (config) # access-list 1 permit 199.245.180.0 0.0.0.255
Second, configure an interface to be part of a group that uses the specified access list:
Cisco Router (config-if) # ip access-group access-list-number {in | out}
Example:
Cisco Router (config) # interface ethernet 0
Cisco Router (config-if) # ip access-group 1 out
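An added example (not from the original seminar) that parses the two access-list statements above into a standard access list and evaluates source addresses against it, including the implicit deny at the end. The tested source addresses and the second, deliberately wrong list (a subnet mask typed in place of a wildcard mask) are constructed.

```python
# Added example (not from the seminar): a parser and evaluator for the Cisco
# standard access-list statements shown on the slide. It demonstrates wildcard
# mask semantics (a 1 bit in the mask means "don't care", the inverse of a
# subnet mask) and the implicit deny at the end of every list. The tested
# source addresses and the "mistake" list are constructed.
from __future__ import annotations

import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


class StandardAcl:
    """A numbered standard IP access list: it tests the source address only."""

    def __init__(self, number: int):
        self.number = number
        self.entries: list[tuple[str, int, int]] = []   # (action, address, wildcard)

    def add(self, statement: str) -> None:
        """Parse 'access-list N {permit|deny} {address [wildcard] | host A | any}'."""
        tokens = statement.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or int(tokens[1]) != self.number:
            raise ValueError(f"not a statement for access-list {self.number}: {statement!r}")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {statement!r}")
        rest = tokens[3:]
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            addr, wild = _to_int(rest[1]), 0
        else:
            addr = _to_int(rest[0])
            wild = _to_int(rest[1]) if len(rest) > 1 else 0   # no mask = exact host
        self.entries.append((action, addr, wild))

    def check(self, source_ip: str) -> str:
        """Top-down, first match. Bits set in the wildcard are ignored; falling
        off the end of the list is the implicit deny."""
        ip = _to_int(source_ip)
        for action, addr, wild in self.entries:
            if (ip & ~wild) == (addr & ~wild):
                return action
        return "deny"


def subnet_mask_to_wildcard(mask: str) -> str:
    """Wildcard = bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _to_int(mask)))


def build(number: int, statements: list[str]) -> StandardAcl:
    acl = StandardAcl(number)
    for s in statements:
        acl.add(s)
    return acl


# The two statements from the slide.
SLIDE_ACL = build(1, [
    "access-list 1 permit 172.16.0.0 0.0.255.255",
    "access-list 1 permit 199.245.180.0 0.0.0.255",
])

# Constructed mistake: a subnet mask typed where a wildcard belongs. Instead of
# "every host in 172.16.0.0/24" it matches "any address, from any network,
# whose last octet is 0" and nothing else.
MISTAKE_ACL = build(2, ["access-list 2 permit 172.16.0.0 255.255.255.0"])


if __name__ == "__main__":
    for src in ("172.16.9.200", "199.245.180.5", "172.17.0.1", "10.1.1.1"):
        print(f"acl 1 {src:15s} -> {SLIDE_ACL.check(src)}")
    for src in ("172.16.0.7", "10.9.9.0"):
        print(f"acl 2 {src:15s} -> {MISTAKE_ACL.check(src)}")
```

Because a standard list only sees the source address, applying it with ip access-group 1 out on ethernet 0 controls which sources may be forwarded out of that interface, not what they may talk to; port-level control needs an extended list. Testing a handful of addresses the way check() does, before the list goes on an interface, is the cheapest way to catch the wildcard mistake shown.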
Network Authentication Options
Authentication mechanisms supported by Cisco:
TACACS
Extended TACACS
AAA/TACACS+
RADIUS

Local Security Database
[Figure: a Cisco 2511 access server with its security database stored locally; UNIX and Windows servers on the local network]
Small network with only one dial-in access server
Small number of dial-in ports

Remote Security Database
[Figure: a router and several dial-in access servers consult a central TACACS+ or RADIUS server; UNIX and Windows servers on the network]
Provides a centralized security database to all dial-in access servers
Large network with many dial-in access servers
Large number of access servers and dial-in ports

Check List
Auditor check list
Reference for more material:
Csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf (NIST SP 800-41, Guidelines on Firewalls and Firewall Policy)