Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls & Network Monitoring Advanced Registry Operations Curriculum.

Published byLucy Price Modified over 8 years ago

Similar presentations

Presentation on theme: "Firewalls & Network Monitoring Advanced Registry Operations Curriculum."— Presentation transcript:

1 Firewalls & Network Monitoring Advanced Registry Operations Curriculum

2 Contradiction of requirements Need to monitor services Neet to protect network services Remember Basic Security Principles –Confidentiality –Integrity –Availability If you don’t monitor services, availability suffers

3 Our Basic Premise We need to allow access to: Terminal (SSH) or port 22 Web and Web-SSL or ports 80 and 443 DNS or port 53 via UDP and TCP Verify availability of server, router or switch, i.e. ping (ICMP type 8)

4 Don’t block Ping Please! “It’s an essential tool to verify the health and availability of your network, servers and services. Without ping it is very difficult to solve problems and you often cannot ask for help from others.”

5 More formally what we mean is… Don’t block all forms of ICMP. Allow ICMP Echo Request Type 8 (OS firewalls). If you use ACLs on your routers consider allowing outbound and/or inbound: ICMP unreachable ICMP Time exceeded ICMP Echo reply In addition, for path MTU discovery issues: ICMP Parameter problem ICMP Source quench

6 Some examples: IPTables iptables –F iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT iptables -A INPUT -j REJECT iptables -A FORWARD -j REJECT

7 Some Examples: Cisco ACLs access-list 101 remark [ ] access-list 101 permit icmp any any unreachable access-list 101 permit icmp any any time-exceeded access-list 101 permit icmp any any echo-reply access-list 101 permit icmp any any parameter-problem access-list 101 permit icmp any any source-quench ! interface Ethernet1 ip access-group 101 in Etc…

8 Some examples: Cisco ASA interface Ethernet0/0 nameif outside security-level 0 ip address 60.25.45.10 255.255.255.0 ! interface Ethernet0/1 nameif inside security-level 100 ip address 10.0.0.250 255.255.255.0 ! access-list IN extended permit tcp any host 60.25.45.10 eq 22 access-list IN extended permit tcp any host 60.25.45.10 eq 80 access-list IN extended permit tcp any host 60.25.45.10 eq 443 access-list IN extended permit tcp any host 60.25.45.10 eq 53 access-list IN extended permit udp any host 60.25.45.10 eq 53 ! static (inside,outside) 60.25.45.10 10.0.0.4 netmask 255.255.255.255 0 0 access-group IN in interface outside

9 In summary Without access you cannot monitor Without monitoring you cannot know state Without knowing state you cannot: -Guarrantee availability of services -Efficiently diagnose and resolve failures

Download ppt "Firewalls & Network Monitoring Advanced Registry Operations Curriculum."

Similar presentations

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen

1 Semester 2 Module 11 Access Control Lists (ACLs) Yuda college of business James Chen
© 2012 Cisco and/or its affiliates. All rights reserved. 1 Classic IOS Firewall using CBACs.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 Classic IOS Firewall using CBACs.
CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.

CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.

Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.
ICND2 – OSPF – Mark Lab Reset for lab 4 Configure 2 loopback interfaces on both routers –RTR1 – 10.X.X.2/32 and 10.X.X.3/32 (area X) –RTR2 – 10.X.X.4/32.

ICND2 – OSPF – Mark Lab Reset for lab 4 Configure 2 loopback interfaces on both routers –RTR1 – 10.X.X.2/32 and 10.X.X.3/32 (area X) –RTR2 – 10.X.X.4/32.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
Day 4 Security ( ACL ) , Standard Access Lists , Extended Access Lists, Named ACLs Network Address Translation (NAT), Static NAT , Dynamic NAT , PAT (Overloading)

Day 4 Security ( ACL ) , Standard Access Lists , Extended Access Lists, Named ACLs Network Address Translation (NAT), Static NAT , Dynamic NAT , PAT (Overloading)
1 Version 3.1 modified by Brierley Module 8 TCP/IP Suite Error and Control Messages.

1 Version 3.1 modified by Brierley Module 8 TCP/IP Suite Error and Control Messages.
Network Certification Preparation. Module - 5 Basic troubleshooting of IP addressing issues Basic troubleshooting of RIP and IGRP Basic troubleshooting.

Network Certification Preparation. Module - 5 Basic troubleshooting of IP addressing issues Basic troubleshooting of RIP and IGRP Basic troubleshooting.
© 2002, Cisco Systems, Inc. All rights reserved..

© 2002, Cisco Systems, Inc. All rights reserved..

Similar presentations

Ads by Google