8/8/2019 Network Firewalls 1
http://slidepdf.com/reader/full/network-firewalls-1 1/12
Why a Firewall Is Required:
As we all know, the universal presence of the Internet has completely changed networking as we
know it. Networks that were once completely isolated are now connected to the world. This universal
connectivity allows companies to achieve things never before imaginable. At the same time though, there is
a dark side. The Internet is a haven for cyber criminals who use the connectivity to launch an
unprecedented number of attacks against companies.
When the Internet first started to gain popularity, companies started to realize that they needed to
implement firewalls in an effort to prevent attacks against them. Firewalls work by blocking unused TCP
and UDP ports. Although firewalls are effective at blocking some types of attacks, they have one major
weakness: You simply can't close all of the ports. Some ports are necessary for things like HTTP, SMTP
and POP3 traffic. Ports corresponding to these common services must remain open in order for those
services to function properly.
Difference between IPS and IDS
The difference between IPS and IDS systems lies in their handling of alerts. A pure IDS
simply informs the administrator that suspicious activity took place. An IPS, on the other hand, has the ability to block the suspicious traffic from entering the network. In fact, the two technologies have
already converged for all intents and purposes. Most intrusion detection products have the ability to run in
either IPS or IDS mode depending upon the user's configuration.
In other words, an IDS cannot respond to an attack until it is already under way, but an IPS can stop it before
it happens. An IDS is like the police: they cannot stop a person from committing a crime until the crime is
actually committed.
Types of IDS and IPS Systems
Criteria: Approach to identify malicious traffic
• Signature-based: Vendor provides a signature database. Signatures should be customized.
• Policy-based: Policy definition and description is created.
• Anomaly-based: ‘Normal’ and ‘abnormal’ traffic is defined.
• Honeypot: Sacrificial host is set up to lure the attacker.
Criteria: Coverage scope
• Network-based: Network sensors scan traffic destined to many hosts.
• Host-based: Host agent monitors all operations within an operating system.
Signature-Based IDS and IPS
1. Observe, and block or alarm if a known malicious event is detected.
2. Requires a database of known malicious patterns.
3. The database must be continuously updated.
Policy-Based IDS and IPS
• Observes, and blocks or alarms if an event outside the configured policy is detected
• Requires a policy database
Anomaly-Based IDS and IPS
• Observe, and block or alarm if an event outside known normal behavior is detected.
• Statistical versus nonstatistical anomaly detection
• Requires a definition of “normal”
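To make the three approaches concrete, here is a small added Python example (not code from the slides) that runs a signature-based, a policy-based and a statistical anomaly-based detector over the same constructed traffic records. The records, the signature name "SIG-1001", the policy set and the mean-plus-3-standard-deviations threshold are all assumptions made for the example; the anomaly detector learns "normal" from a baseline sample, which is the definition-of-normal requirement the slide mentions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample traffic, not taken from the slides.
# Each record: (source IP, destination IP, protocol, destination port, payload snippet)
BASELINE_TRAFFIC = [  # traffic assumed to be "normal", used to train the anomaly detector
    ("10.0.0.5", "192.168.1.10", "tcp", 80, "GET /index.html"),
    ("10.0.0.5", "192.168.1.10", "tcp", 443, ""),
    ("10.0.0.6", "192.168.1.10", "tcp", 80, "GET /about.html"),
    ("10.0.0.7", "192.168.1.10", "udp", 53, ""),
    ("10.0.0.7", "192.168.1.10", "tcp", 443, ""),
    ("10.0.0.8", "192.168.1.10", "tcp", 80, "GET /"),
]
SUSPECT_TRAFFIC = [  # later traffic that each approach is asked to judge
    ("10.0.0.5", "192.168.1.10", "tcp", 80, "GET /index.html"),
    ("10.0.0.20", "192.168.1.10", "tcp", 80, "GET /cgi-bin/../../etc/passwd"),
    ("10.0.0.21", "192.168.1.10", "tcp", 23, ""),
] + [("10.0.0.22", "192.168.1.10", "tcp", p, "") for p in (21, 22, 23, 25, 80, 110, 143, 443)]

# --- Signature-based: a vendor-style database of known malicious patterns (constructed) ---
SIGNATURES = {
    "SIG-1001 directory traversal in HTTP request": re.compile(r"\.\./"),
}

def signature_alerts(events):
    """Alarm when a payload matches a known signature; attacks without a signature stay invisible."""
    alerts = []
    for src, _dst, _proto, _dport, payload in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((src, name))
    return alerts

# --- Policy-based: the administrator describes what the server is allowed to receive ---
POLICY = {("tcp", 80), ("tcp", 443), ("udp", 53)}

def policy_alerts(events):
    """Alarm on any (protocol, port) that the configured policy does not describe."""
    return [(src, f"outside policy: {proto}/{dport}")
            for src, _dst, proto, dport, _payload in events
            if (proto, dport) not in POLICY]

# --- Anomaly-based (statistical): learn "normal" from a baseline and alarm on deviations ---
def distinct_ports_per_source(events):
    per_src = defaultdict(set)
    for src, _dst, _proto, dport, _payload in events:
        per_src[src].add(dport)
    return per_src

def learn_normal(events, k=3.0):
    """Threshold = mean + k * stdev of distinct destination ports touched per source."""
    counts = [len(ports) for ports in distinct_ports_per_source(events).values()]
    return statistics.mean(counts) + k * statistics.pstdev(counts)

def anomaly_alerts(events, threshold):
    """A source touching far more ports than the baseline allows looks like a port sweep."""
    return [(src, f"port sweep: {len(ports)} distinct ports")
            for src, ports in distinct_ports_per_source(events).items()
            if len(ports) > threshold]

if __name__ == "__main__":
    threshold = learn_normal(BASELINE_TRAFFIC)
    print("signature:", signature_alerts(SUSPECT_TRAFFIC))
    print("policy:   ", policy_alerts(SUSPECT_TRAFFIC))
    print("anomaly:  ", anomaly_alerts(SUSPECT_TRAFFIC, threshold))
```

Run on the suspect sample, the signature detector flags only the request that matches its one pattern, the policy detector flags every port the policy does not list (but says nothing about the traversal request on the permitted port 80), and the anomaly detector flags the one source whose port count exceeds the learned threshold, which is why the slides present the approaches as complementary rather than interchangeable.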
Honeypot
Observe a special system, and alarm if any activity is directed at it.
• The special system is a trap for attackers and not used for anything else.
• The special system is well-isolated from its environment.
• Typically used as IDS, not IPS.
Network-Based and Host-Based IPS
NIPS: Sensor appliances are connected to network segments to monitor
many hosts.
HIPS: Centrally managed software agents are installed on each host.
– Cisco Security Agents (CSAs) defend the protected hosts and report to the central management console.
– HIPS provides individual host detection and protection.
– HIPS does not require special hardware.
Network-Based vs. Host-Based IPS
NIPS Features
• Sensors are network appliances tuned for intrusion detection analysis.
– The operating system is “hardened.”
– The hardware is dedicated to intrusion detection analysis.
• Sensors are connected to network segments. A single sensor can monitor many hosts.
• Growing networks are easily protected.
– New hosts and devices can be added without adding sensors.
– New sensors can be easily added to new networks.
• Application-level encryption protection
• Policy enhancement (resource control)
• Web application protection
• Buffer overflow
• Network attack and reconnaissance prevention
• DoS Prevention
NIDS and NIPS Deployment
Exploit Signatures
Application layer:
• DNS reconnaissance and DoS
• Worms, viruses, Trojan horses, adware, malware
Transport layer:
• Port sweeps
• TCP SYN attack
Network layer:
• Fragmentation attacks
• IP options
• ICMP reconnaissance and DoS
Cisco IOS IPS SDFs
• A Cisco IOS router acts as an in-line intrusion prevention sensor.
• Signature databases:
– Built-in (100 signatures embedded in Cisco IOS software)
– SDF files (can be downloaded from Cisco.com):
• Static (attack-drop.sdf)
• Dynamic (128MB.sdf, 256MB.sdf)—based on installed RAM
• Configuration flexibility:
– Load built-in signature database, SDF file, or even merge signatures to increase coverage
– Tune or disable individual signatures
Firewall Technologies
Firewalls use three technologies:
• Packet filtering
• Application layer gateway
• Stateful packet filtering
Packet Filtering
• Packet filtering limits traffic into a network based on the destination and source addresses and ports
Application Layer Gateway
• The ALG intercepts connections from the client and establishes connections to the Internet hosts on behalf of the client.
ALG Firewall Device
Stateful Packet Filtering
• Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, ICMP types and codes.
• Stateful inspection then remembers certain details, or the state, of that request.
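The contrast between a stateless ACL and stateful inspection is easiest to see with a tiny simulation. The Python below is an added example, not code from the slides or from Cisco: it models a stateless inbound filter that can only look at addresses, ports and the TCP ACK flag, beside a stateful firewall that records the 5-tuple of each session the inside opens and lets back in only the replies that reverse it. The addresses, ports and the 30-second idle timeout are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    ack: bool = False   # TCP ACK flag; a stateless ACL's 'established' check looks only at this

def stateless_inbound_permit(pkt):
    """Constructed stateless ACL on the outside interface. To let web replies back in it must
    permit every TCP segment from port 80 carrying ACK. Having no memory, it cannot tell a real
    reply from an unsolicited segment with the same header bits, and it has no flag to key on for UDP."""
    return pkt.proto == "tcp" and pkt.sport == 80 and pkt.ack

class StatefulFirewall:
    """Remembers sessions the inside initiated and lets only their replies back in."""
    def __init__(self, idle_timeout=30):
        self.idle_timeout = idle_timeout
        self.sessions = {}  # (inside ip, inside port, outside ip, outside port, proto) -> last seen

    def outbound(self, pkt, now):
        """Inside -> outside: permitted by policy; record the 5-tuple so the reply can return."""
        self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = now
        return True

    def inbound(self, pkt, now):
        """Outside -> inside: permitted only if it reverses a live, non-expired session."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        last_seen = self.sessions.get(key)
        if last_seen is None or now - last_seen > self.idle_timeout:
            self.sessions.pop(key, None)   # unknown or idle-expired session: drop and forget
            return False
        self.sessions[key] = now           # refresh the idle timer
        return True

def run_demo():
    """Constructed exchange: one web session, one DNS lookup, one unsolicited inbound segment."""
    fw = StatefulFirewall(idle_timeout=30)
    web_request = Packet("192.168.1.10", 50000, "203.0.113.5", 80)
    web_reply = Packet("203.0.113.5", 80, "192.168.1.10", 50000, ack=True)
    unsolicited = Packet("203.0.113.5", 80, "192.168.1.10", 54321, ack=True)  # no inside host asked
    dns_query = Packet("192.168.1.10", 40000, "203.0.113.53", 53, proto="udp")
    dns_reply = Packet("203.0.113.53", 53, "192.168.1.10", 40000, proto="udp")

    fw.outbound(web_request, now=0)
    fw.outbound(dns_query, now=0)
    return {
        "stateless_web_reply": stateless_inbound_permit(web_reply),      # True
        "stateless_unsolicited": stateless_inbound_permit(unsolicited),  # True: passes on header bits alone
        "stateless_dns_reply": stateless_inbound_permit(dns_reply),      # False: UDP has no flag to match
        "stateful_web_reply": fw.inbound(web_reply, now=1),              # True: reverses a live session
        "stateful_unsolicited": fw.inbound(unsolicited, now=1),          # False: no session recorded
        "stateful_dns_reply": fw.inbound(dns_reply, now=2),              # True: UDP session is tracked too
        "stateful_stale_reply": fw.inbound(dns_reply, now=60),           # False: idle timer expired
    }

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} {'permit' if verdict else 'deny'}")
```

The stale-reply case is the part worth noting for the UDP handling described later: because UDP has no handshake or teardown, a stateful firewall can only close a UDP session by idle timeout, so the timeout value directly decides how long the return path stays open.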
How the Cisco IOS Firewall Is Designed and Works
Cisco IOS Firewall TCP Handling
Cisco IOS Firewall UDP Handling
Access Lists and Their Application
As a network grows, it becomes more important to manage the increased traffic going
across the network. Access lists help limit traffic by filtering it based on packet
characteristics. Access lists define a set of rules used by routers to identify particular types of
traffic. Access lists can be used to filter both incoming and outgoing traffic on a router’s
interface. An access list applied to a router specifies rules only for traffic going through the
router. Traffic originating from a router is not affected by that router’s access lists. (It is subject
to access lists within other routers as it passes through them.)
Packet Filtering
Access lists can be configured to permit or deny incoming and outgoing packets on an interface.
By following a set of conventions, the network administrator can exercise greater control over
network traffic by restricting network use by certain users or devices.
Application of an IP Access List
To establish an access list, you must define a sequential list of permit and deny conditions that
apply to IP addresses or IP protocols. Access lists filter only traffic going through the router; they
do not filter traffic originated from the router. Access lists can also filter Telnet traffic into or
out of the router’s vty ports.
Types of Access Lists
There are two general types of access lists:
Standard access lists check the source address of packets. Standard access lists
permit or deny output for an entire protocol suite based on the source
network/subnet/host IP address.
Extended IP access lists check both source and destination packet addresses.
Extended lists specify protocols, port numbers, and other parameters, giving
administrators more flexibility and control.
Example:
A(config)#access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq 80
A(config)#access-list 101 permit ip any any
At the FastEthernet 0 interface mode prompt, type:
A(config-if)#ip access-group 101 in          (deny incoming traffic to port 80)
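To check what an access list like the one above actually does before applying it, the added Python evaluator below (example code, not the slides' or Cisco's) parses the subset of `access-list` syntax used on these slides, standard (1-99, source address only, whole IP suite) and extended (protocol, source, destination, optional `eq` ports), and evaluates packets against it with Cisco's semantics: wildcard-mask matching where a 0 bit must match and a 1 bit is ignored, top-down first match, and the implicit deny at the end. The test packets, the hostnames and the list numbers 10 and 20 are constructed; the two lines of list 101 are the slides' own.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _parse_addr(tok, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D W.W.W.W) starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def _parse_port(tok, i):
    """Consume an optional 'eq <port>' qualifier."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines (the subset of syntax used on the slides)."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        number, action = int(tok[1]), tok[2]
        if 1 <= number <= 99:
            # Standard list: source address only, applies to the whole IP suite.
            src, swc, _ = _parse_addr(tok, 3)
            proto, sport, dst, dwc, dport = "ip", None, "0.0.0.0", "255.255.255.255", None
        else:
            # Extended list: protocol, source [eq port], destination [eq port].
            proto = tok[3]
            src, swc, i = _parse_addr(tok, 4)
            sport, i = _parse_port(tok, i)
            dst, dwc, i = _parse_addr(tok, i)
            dport, _ = _parse_port(tok, i)
        entries.append({"action": action, "proto": proto, "src": src, "swc": swc,
                        "sport": sport, "dst": dst, "dwc": dwc, "dport": dport})
    return entries

def evaluate(entries, pkt):
    """Top-down, first match wins; an unmatched packet hits the implicit 'deny any' at the end."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], e["src"], e["swc"]):
            continue
        if not wildcard_match(pkt["dst"], e["dst"], e["dwc"]):
            continue
        if e["sport"] is not None and e["sport"] != pkt["sport"]:
            continue
        if e["dport"] is not None and e["dport"] != pkt["dport"]:
            continue
        return e["action"]
    return "deny"

def check(acl, src, dst, proto, sport, dport):
    """Evaluate one constructed packet against a parsed list."""
    return evaluate(acl, {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport})

# The two lines from the slides' example (list 101, applied inbound on FastEthernet 0).
ACL_101 = parse_acl([
    "access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq 80",
    "access-list 101 permit ip any any",
])

if __name__ == "__main__":
    print(check(ACL_101, "192.168.14.25", "10.1.1.1", "tcp", 51000, 80))   # deny
    print(check(ACL_101, "192.168.14.25", "10.1.1.1", "tcp", 51000, 443))  # permit
    print(check(ACL_101, "192.168.15.25", "10.1.1.1", "tcp", 51000, 80))   # permit
```

Two things the evaluator makes visible that the CLI does not: without the second `permit ip any any` line, the implicit deny would block every packet from the interface, not just web traffic; and a wildcard mask is not a subnet mask, so a mask such as `0.0.254.255` matches only even third octets rather than a contiguous range, which is a common source of mistaken "this should have matched" tickets.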