PIX Firewall An example of a stateful packet filter. Can also work on higher layers of protocols (FTP, RealAudio, etc.) Runs on its own OS.

Slides:



Advertisements
Similar presentations
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Advertisements

IUT– Network Security Course 1 Network Security Firewalls.
CCNA – Network Fundamentals
Firewalls and Intrusion Detection Systems
PIX Firewall. Stateful Packet Filter Runs on its own Operating System Assigning varying security levels to interfaces (0 – 100) Access Control Lists Extensive.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
IOS Firewall IOS: Cisco’s Internetwork Operating System (the primary system running on Cisco’s routers) IOS Firewall: a stateful packet-filter firewall.
ASA 5500 series adaptive security appliances Has replaced Cisco’s PIX firewalls since 2008 Security services Source:
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Cisco PIX 515E Firewall. Overview What a PIX Firewall can do Adaptive Security Algorithm Address Translation Cut-Through Proxy Access Control Network.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
A Brief Taxonomy of Firewalls
1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
FIREWALL Mạng máy tính nâng cao-V1.
Sales Kickoff - ARCserve
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Chapter 6: Packet Filtering
Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005.
Page 1 NAT & VPN Lecture 8 Hassan Shuja 05/02/2006.
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
Firewalls, etc.. Network Security2 Outline Intro Various firewall technologies: –Static Packet Filtering (or nonstateful packet filter) –Dynamic Packet.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Beginning Network Security Monitor and control flow into and out of the LAN Ingress Egress Only let in the good guys Only let out the corp. business.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 6 City College.
1 Firewalls Types of Firewalls Inspection Methods  Static Packet Inspection  Stateful Packet Inspection  NAT  Application Firewalls Firewall Architecture.
Verify that timestamps for debugging and logging messages has been enabled. Verify the severity level of events that are being captured. Verify that the.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 8 City College.
Configuring the PIX Firewall Presented by Drew Spesard.
Security fundamentals Topic 10 Securing the network perimeter.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
Overview of Firewalls. Outline Objective Background Firewalls Software Firewall Hardware Firewall Demilitarized Zone (DMZ) Firewall Types Firewall Configuration.
Firewall Matthew Prestifilippo, Bill Kazmierski, Pat Sparrow.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-1 Lesson 10 Attack Guards, Intrusion Detection, and Shunning.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—6-1 Lesson 6 Translations and Connections.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—3-1 Lesson 3 Cisco PIX Firewall Technology and Features.
Lesson 2a © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—2-1 Firewall Technologies and the Cisco Security Appliance.
Page 12/9/2016 Chapter 10 Intermediate TCP : TCP and UDP segments, Transport Layer Ports CCNA2 Chapter 10.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-1 Chapter 5 Cisco PIX Firewall Translations.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Security fundamentals
PIX Firewall An example of a stateful packet filter.
Only Two Ways through the PIX Firewall
Cisco IOS Firewall Context-Based Access Control Configuration
Computer Data Security & Privacy
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Introduction to Networking
Introduction to Networking
Chapter 4: Access Control Lists (ACLs)
* Essential Network Security Book Slides.
Firewalls Purpose of a Firewall Characteristic of a firewall
POOJA Programmer, CSE Department
CS580 Special Project: IOS Firewall Setup using CISCO 1600 router
PIX Firewall An example of a stateful packet filter.
Firewalls Chapter 8.
Session 20 INST 346 Technologies, Infrastructure and Architecture
Implementing Firewalls
Presentation transcript:

PIX Firewall An example of a stateful packet filter. Can also work on higher layers of protocols (FTP, RealAudio, etc.) Runs on its own OS

Firewalls.ppt 2 Outline The Adaptive Security Algorithm (ASA) Basic Features of PIX Advanced Features Case studies

Firewalls.ppt 3 Adaptive Security Algorithm An algorithm that defines how PIX examines traffic passing through it, and applies various rules to it. Basic concept: -Keep track of the connections being formed from the networks behind the PIX to the public network -Based on info about these connections, ASA allows packets to come back into the private network through the firewall. -All other traffic destined for the private network is blocked by the firewall (unless specifically allowed).

Firewalls.ppt 4 ASA ASA defines how the state and other information is used to track the sessions passing through the PIX. ASA keeps track of the following information: –Source and destination info of IP packets –TCP Sequence numbers and TCP flags –UDP packet flow and timers

Firewalls.ppt 5 ASA and TCP TCP is connection-oriented, and provides most of the information the firewall needs. The firewall keeps track of each session being formed, utilized, and terminated. ASA only allows for the packets confirming to the state of a session to go through. All other packets are dropped. However, TCP has inherent weakness, which requires ASA to perform additional work managing the sessions  SYN flood, session hijacking

Firewalls.ppt 6 ASA and TCP SYN flooding –“The SYN flood attack sends TCP connections requests faster than a machine can process them.” (Internet Security Systems, ) –SYN flood (as fefined in the Wikipedia, ) –Illustration: next

Firewalls.ppt 7 DOS via Syn Flood A: the initiator; B: the destination T he three-way TCP handshake: –A: SYN to initiate –B: SYN+ACK to respond –A: ACK gets agreement

Firewalls.ppt 8 ASA vs Syn Flood (Beginning in version 5.2 and later) –When the number of incomplete connections through the PIX reaches a pre-configured limit (the limit on embryonic connections), ASA turns the PIX into a proxy for connection attempts (SYNs) to servers or other resources sitting behind it. PIX responds to SYN requests with SYN ACKs and continues proxying the connection until the three-way TCP handshake is complete. Only when the three-way handshake is complete would the PIX allow the connection through to the server or resource on the private or DMZ network. –Benefit: Limits the exposure of the servers behind the PIX to SYN floods

Firewalls.ppt 9 ASA and TCP Problem with the ISN: The initial sequence number (ISN) of TCP is not really random!  possible TCP session hijacking attack case study: Kevin Metnick’s attack on Tsutomu Shimomura’s computers in Six steps (pp ): 1.an initial reconnaissance attack: gather info about the victim 2.a SYN flood attack: disable the login server; a DOS attack 3.A reconnaissance attack: determine how one of the x-term generated its TCP sequence numbers 4.Spoof the server’s identity, and establish a session with the x- term (using the sequence number the x-term must have sent)  result: a one-way connection to the x-term 5.modify the x-term’s.rhosts file to trust every host 6.Gain root access to the x-term

Firewalls.ppt 10 ASA and TCP TCP session hijacking attack (cont.) ASA’s solution  “proxy” the sequence number in an outgoing packet a.create a new, more random sequence number; b.use the new number as the sequence number in the outgoing packet, and store the difference between the new and the original number; c.When return traffic for that packet is received, ASA restores the sequence number before forwarding the packet to the destination on the inside network. Illustration: Figures 8-1 (initialization) and 8-2 (termination)

Firewalls.ppt 11 PIX: Basic Features ASA’s stateful inspection of traffic Assigning varying security levels to interfaces ACL Extensive logging Basic routing capability (including RIP) NAT Failover and redundancy Traffic authentication

Firewalls.ppt 12 PIX: Basic Features - ASA’s stateful inspection of traffic PIX uses a basic set of rules to control traffic flow: –No packets can traverse the PIX w/o a translation, connection, and state. –Outbound connections are allowed, except those specifically denied by the ACLs. –Inbound connections are denied, except for those specifically allowed. –All ICMP packets are denied unless specifically permitted. –All attempts to circumvent the rules are dropped, and a message is sent to syslog. To tighten or relax some of these default rules: next few slides

Firewalls.ppt 13 PIX: Basic Features Assigning varying security levels to interfaces –PIX allows varying security levels to be assigned to its various interfaces, creating the so called security zones. –A PIX may have 2 to 10 interfaces. –Each i/f can be assigned a level from 0 (least secure, usually the Internet) to 100 (most secure, usually the internal private network). –Default rules: oTraffic from a higher security zone can enter a lower security zone.  PIX keeps track of the connections for this traffic and allows the return traffic through. oTraffic from a lower security zone is not allowed to enter a higher security zone, unless explicitly permitted (such as using ACLs).

Firewalls.ppt 14 PIX: Basic Features ACL –Mainly used to allow traffic from a less-secure portion of the network to enter a more-secure portion of the network. –Information used in ACLs: Source address Destination address Protocol numbers Port numbers –Examples: To allow connections to be made to web or mail servers sitting on the DMZ of the PIX from the public network To allow a machine on a DMZ network to access the private network behind the DMZ –Use of ACLs must be governed by the network security policy. (Only use them when necessary)

Firewalls.ppt 15 PIX: Basic Features Extensive logging –System logs are sent and recorded in a central location (for example, the syslog server). –PIX records the following types of syslog messages: Connection events, AAA events, Failover events, FTP/URL events, Mail Guard/SNMP events, PIX Firewall management events, Routing errors –8 syslog logging levels: 0 (emergency), 1 (alert), 2 (critical condition), …, 7 (debug message, log FTP command, etc.) –A subset of the syslog messages may be displayed on the PIX console or a Telnet session screen. –3 rd party s/w (e.g., Private Eye) may be used to generate extensive reporting from the syslog messages. –Info in the syslog may be used by PIX to help intrusion detection.

Firewalls.ppt 16 PIX: Basic Features Basic routing capability –PIX supports some basic routing, including the use of default routes, static routes, and Routing Information Protocol (RIP) –However, routing functionality in PIX is limited.

Firewalls.ppt 17 PIX: Basic Features NAT –PIX can perform NAT for packets traversing any two of its interfaces. –By default, NAT must be set up for a connection state to be created. –Examples: The most common use of NAT is sit between the private network behind the PIX (using an RFC 1918 space) and the Internet  translate and keep track of the addresses NAT may also be used between two interfaces on the PIX, neither of which is on the public network. –dynamic NAT vs static NAT: next

Firewalls.ppt 18 PIX: Basic Features static NAT –A type of NAT in which a private IP address is mapped to a public IP address, where the public address is always the same IP address (i.e., it has a static address). This allows an internal host, such as a Web server, to have an unregistered (private) IP address and still be reachable over the Internet.NATIP addressIPstatichostWeb serverInternet dynamic NAT –A type of NAT in which a private IP address is mapped to a public IP address drawing from a pool of registered (public) IP addresses. Typically, the NAT router in a network will keep a table of registered IP addresses, and when a private IP address requests access to the Internet, the router chooses an IP address from the table that is not at the time being used by another private IP address.NATIP addressIProuternetworkaccess Internetrouter Configuring NAT in PIX: –With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table. –With static NAT, translations exist in the NAT translation table as soon as you configure static NAT command(s), and they remain in the translation table until you delete the static NAT command(s).

Firewalls.ppt 19 PIX: Basic Features –Terminology related to failover : Active unit vs Standby unit Primary unit vs Secondary unit Question: relationships between active/standby and primary/secondary ? System IP vs Failover IP –System IP: the address of the primary unit upon bootup –Failover IP: that of the secondary unit PrimarySecondary Active standby Failover and redundancy –The failover capability allows a standby PIX to take over the functionality of the primary PIX, as soon as it fails. –Stateful failover : The connection info stored on the failing PIX is transferred to the PIX taking over. –The standby PIX assumes the IP and MAC addresses of the failed PIX.

Firewalls.ppt 20 PIX: Basic Features - Failover and redundancy How does failover work? –A failover cable (RS-232 serial) connects the primary unit and the secondary unit, allowing the secondary unit to detect the primary unit’s power status, and failover communication in between. –(In the case of stateful failover) The state info is transferred via an Ethernet cable connecting the primary unit and the secondary unit. –Every 15 seconds, special failover hello packets are sent in between the two units for synchronization. –Requirements: The h/w, s/w, and configurations on the two PIXes must be identical.

Firewalls.ppt 21 PIX: Basic Features - Failover and redundancy Limitations of CISCO PIX failover ? –Some info are not replicated between the two units: User authentication table ISAKMP and IPsec SA table ARP table Routing info –The secondary unit must rebuild the info to perform the functions of the failed unit.

Firewalls.ppt 22 PIX: Basic Features Traffic authentication on PIX: –Cut-through proxy authentication Only when the authentication occurring during the establishment of a given connection succeeds would PIX allows the data flow to be established through it. A successfully authenticated connection is entered the ASA as a valid state. As soon as an authenticated connection is established, PIX lets the rest of the packets belong to that connection go through without further authentication. –PIX supports both TACACS+ and Radius as the AAA servers.

Firewalls.ppt 23 Advanced Features of PIX Aliasing –NAT on the destination addresses –“DNS doctoring (modification)” of a DNS server’s address x Guards –flood guard, frag guard, mail guard, & DNS guard Advanced filtering Multimedia support Spoof detection (via URPF) Protocol fixup sysopt commands Multicast support Fragment handling

Firewalls.ppt 24 Case studies PIX with 3 interfaces, running a web server on the DMZ PIX setup for failover to a secondary device PIX setup to use the alias command for a server sitting on the DMZ (a case of NAT on the destination address) PIX setup for cut-through proxy authentication and authorization Scaling PIX configurations using object groups and turbo ACLs