Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASA 5500 series adaptive security appliances Has replaced Cisco’s PIX firewalls since 2008 Security services Source:

Published byKristian McGee Modified over 8 years ago

Similar presentations

Presentation on theme: "ASA 5500 series adaptive security appliances Has replaced Cisco’s PIX firewalls since 2008 Security services Source:"— Presentation transcript:

1 ASA 5500 series adaptive security appliances Has replaced Cisco’s PIX firewalls since 2008 Security services Source: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html –application-aware firewall –SSL and IPsec VPN –IPS with global correlation and guaranteed coverage –Antivirus –Antispam –Antiphishing –web filtering services Network Security1T. A. Yang

2 Cisco’s Firewall Service Module (FWSM) Network Security2 http://www.cisco.com/en/US/products/h w/modules/ps2706/ps4452/index.htmlhttp://www.cisco.com/en/US/products/h w/modules/ps2706/ps4452/index.html –a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers –provides the fastest firewall data rates in the industry 5-Gbps throughput, 100,000 CPS (connections per second) 1M concurrent connections T. A. Yang

3 Firewall Modes 1.Routed mode –The device is considered a router hop in the network –Requires an IP address for each interface –The default mode 2.Transparent mode (aka stealth firewalls) –The device operates in a secure bridging mode –Same subnet on its inside and outside interfaces –Has an IP address assigned to the entire device –The appliance continues to perform stateful application-aware inspection and other firewall functions Benefits: hide its presence from the attackers/intruders Network Security3T. A. Yang

4 Stealth mode example Network Security4 Default gateway for PCs in VLAN 10 is 10.1.1.1 (the upstream router). T. A. Yang

5 Example 2 Network Security5T. A. Yang Source: http://www.cisco.com/en/US/products/hw/vp ndevc/ps2030/products_configuration_exam ple09186a008089f467.shtml#backinfo http://www.cisco.com/en/US/products/hw/vp ndevc/ps2030/products_configuration_exam ple09186a008089f467.shtml#backinfo The default gateway of Host A is not the Internet router (192.168.1.2) but the internal router (192.168.1.3). Scenario: an inside user visits an inside Web server - Host A (192.168.1.5) sends the request packet to the Internet router (since it is a default gateway) through the ASA from the inside to the outside. Then the packet is redirected to the web server (10.1.1.1) through ASA (outside to inside) and the internal router.

6 Network Security6 Adaptive Security Algorithm (ASA) An algorithm that defines how traffic passing through the firewall are examined. Basic concepts: -Keep track of the connections being formed from the networks behind the PIX to the public network -Based on info about these connections, ASA allows packets to come back into the private network through the firewall. -All other traffic destined for the private network is blocked by the firewall (unless specifically allowed). T. A. Yang

7 ASA Operations Three basic operations 1.ACLs 2.Connections: xlate and conn tables 3.Inspection engines (per RFC standards) Figure 6-5: a scenario where an external host requested a connection to an internal server T. A. YangNetwork Security7

8 8 ASA ASA defines how the state and other information is used to track the sessions passing through the PIX. ASA keeps track of the following information: –Source and destination info of IP packets –TCP Sequence numbers and TCP flags –UDP packet flow and timers T. A. Yang

9 Network Security9 ASA and TCP TCP is connection-oriented, and provides most of the information the firewall needs. The firewall keeps track of each session being formed, utilized, and terminated. ASA only allows for the packets confirming to the state of a session to go through. All other packets are dropped. However, TCP has inherent weakness, which requires ASA to perform additional work managing the sessions  SYN flood, session hijacking T. A. Yang

10 Network Security10 ASA and TCP SYN flooding –“The SYN flood attack sends TCP connections requests faster than a machine can process them.” (Internet Security Systems, http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/de fault.htm ) http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/de fault.htm –Illustration: next T. A. Yang

11 Network Security11 Syn Flood A: the initiator; B: the destination TCP connection multi-step –A: SYN to initiate –B: SYN+ACK to respond –C: ACK gets agreement Sequence numbers then incremented for future messages –Ensures message order –Retransmit if lost –Verifies party really initiated connection T. A. Yang

12 Network Security12 Syn Flood Implementation: A, the attacker; B: the victim –B Receives SYN Allocate connection Acknowledge Wait for response See the problem? –What if no response –And many SYNs All space for connections allocated –None left for legitimate ones Time? T. A. Yang

13 Network Security13 ASA vs Syn Flood (Beginning in version 5.2 and later) –When the number of incomplete connections through the PIX reaches a pre-configured limit (the limit on embryonic connections), ASA turns the PIX into a proxy for connection attempts (SYNs) to servers or other resources sitting behind it. PIX responds to SYN requests with SYN ACKs and continues proxying the connection until the three-way TCP handshake is complete. Only when the three-way handshake is complete would the PIX allow the connection through to the server or resource on the private or DMZ network. –Benefit: Limits the exposure of the servers behind the PIX to SYN floods T. A. Yang

14 Network Security14 PIX: Basic Features ASA’s stateful inspection of traffic Assigning varying security levels to interfaces ACL Extensive logging Basic routing capability (including RIP) Failover and redundancy Traffic authentication T. A. Yang

15 Network Security15 PIX: Basic Features - ASA’s stateful inspection of traffic PIX uses a basic set of rules to control traffic flow: –No packets can traverse the PIX w/o a translation, connection, and state. –Outbound connections are allowed, except those specifically denied by the ACLs. –Inbound connections are denied, except for those specifically allowed. –All ICMP packets are denied unless specifically permitted. –All attempts to circumvent the rules are dropped, and a message is sent to syslog. To tighten or relax some of these default rules: next few slides T. A. Yang

16 Network Security16 PIX: Basic Features Assigning varying security levels to interfaces –PIX allows varying security levels to be assigned to its various interfaces, creating the so called security zones. –A PIX may have 2 to 10 interfaces. –Each i/f can be assigned a level from 0 (least secure, usually the Internet) to 100 (most secure, usually the internal private network). –Default rules: oTraffic from a higher security zone can enter a lower security zone.  PIX keeps track of the connections for this traffic and allows the return traffic through. oTraffic from a lower security zone is not allowed to enter a higher security zone, unless explicitly permitted (such as using ACLs). T. A. Yang

17 Network Security17 PIX: Basic Features ACL –Mainly used to allow traffic from a less-secure portion of the network to enter a more-secure portion of the network. –Information used in ACLs: Source address Destination address Protocol numbers Port numbers –Examples: To allow connections to be made to web or mail servers sitting on the DMZ of the PIX from the public network To allow a machine on a DMZ network to access the private network behind the DMZ –Use of ACLs must be governed by the network security policy. T. A. Yang

18 Network Security18 PIX: Basic Features –Terminology related to failover : Active unit vs Standby unit Primary unit vs Secondary unit Question: relationships between active/standby and primary/secondary ? System IP vs Failover IP –System IP: the address of the primary unit upon bootup –Failover IP: that of the secondary unit PrimarySecondary Active standby Failover and redundancy –The failover capability allows a standby PIX to take over the functionality of the primary PIX, as soon as it fails. –Stateful failover : The connection info stored on the failing PIX is transferred to the PIX taking over. –The standby PIX assumes the IP and MAC addresses of the failed PIX. T. A. Yang

19 Network Security19 PIX: Basic Features - Failover and redundancy How does failover work? –A failover cable (RS-232 serial) connects the primary unit and the secondary unit, allowing the secondary unit to detect the primary unit’s power status, and failover communication in between. –(In the case of stateful failover) The state info is transferred via an Ethernet cable connecting the primary unit and the secondary unit. –Every 15 seconds, special failover hello packets are sent in between the two units for synchronization. –Requirements: The h/w, s/w, and configurations on the two PIXes must be identical. T. A. Yang

20 Network Security20 PIX: Basic Features - Failover and redundancy Limitations of CISCO PIX failover ? –Some info are not replicated between the two units: User authentication table ISAKMP and IPsec SA table ARP table Routing info –The secondary unit must rebuild the info to perform the functions of the failed unit. T. A. Yang

21 Network Security21 PIX: Basic Features Traffic authentication on PIX: –Cut-through proxy authentication Only when the authentication occurring during the establishment of a given connection succeeds would PIX allows the data flow to be established through it. A successfully authenticated connection is entered the ASA as a valid state. As soon as an authenticated connection is established, PIX lets the rest of the packets belonging to that connection go through without further authentication. –PIX supports both TACACS+ and Radius as the AAA servers. T. A. Yang

22 Network Security22 ASA and TCP: TCP session hijacking attack Problem with the ISN: The initial sequence number (ISN) of TCP is not really random!  possible TCP session hijacking attack Case study: Kevin Metnick’s attack on Tsutomu Shimomura’s computers in 1994-1995 Six steps : 1.an initial reconnaissance attack: gather info about the victim 2.a SYN flood attack: disable the login server; a DOS attack 3.A reconnaissance attack: determine how one of the x-term generated its TCP sequence numbers 4.Spoof the server’s identity, and establish a session with the x-term (using the sequence number the x-term must have sent)  result: a one-way connection to the x-term 5.modify the x-term’s.rhosts file to trust every host 6.Gain root access to the x-term T. A. Yang

23 Network Security23 ASA’s solution  “proxy” the sequence number in an outgoing packet a.create a new, more random sequence number; b.use the new number as the sequence number in the outgoing packet, and store the difference between the new and the original number; c.When return traffic for that packet is received, ASA restores the sequence number before forwarding the packet to the destination on the inside network. T. A. Yang TCP session hijacking attack (cont.)

24 Network Security24 initiator T. A. Yang Source: Malik, Network Security Principles and Practices, 2003.

25 Security Contexts Software version 7.0 and up Multiple security contexts (aka virtual firewalls) can be created within a single PIX or ASA firewall. Each virtual firewall is an independent device –Has its own set of security policies, logical interfaces, and admin domain Interfaces can be shared btwn contexts (routed mode only) Limitations: –Features such as VPN and dynamic routing protocols are not supported. T. A. YangNetwork Security25

26 Security Contexts: two modes Routed Mode –Figure 6-6 –A physical firewall is configured with three contexts (Admin, Dept 1, Dept 2). –Each virtual firewall has one Inside, one Outside, and one Shared interface. –Each context has its own private segment. –Resources to be shared among the three contexts are placed in the Shared segment, accessible through a shared intreface. Transparent Mode T. A. YangNetwork Security26

27 Security Contexts: two modes Transparent Mode –Each context is in the transparent mode. –A transparent firewall has only one Inside and one Outside interfaces, both of which belong to the same subnet. –Transparent mode does not allow shared interfaces (unlike the routed mode). –Example: Figure 6-7 T. A. YangNetwork Security27

Download ppt "ASA 5500 series adaptive security appliances Has replaced Cisco’s PIX firewalls since 2008 Security services Source:"

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CCNA – Network Fundamentals

CCNA – Network Fundamentals
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
PIX Firewall. Stateful Packet Filter Runs on its own Operating System Assigning varying security levels to interfaces (0 – 100) Access Control Lists Extensive.

PIX Firewall. Stateful Packet Filter Runs on its own Operating System Assigning varying security levels to interfaces (0 – 100) Access Control Lists Extensive.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google