• Describe numbered and named, standard and extended IP ACLs.
• Configure IP ACLs with IOS CLI and CCP.
• Describe TCP established ACL functionality.
• Describe and configure reflexive ACLs.
• Describe and configure dynamic ACLs.
• Describe and configure time-based ACLs.
• Describe attack mitigation with ACLs.
• Describe the major types of firewalls.
• Describe and configure CBAC (IOS Stateful Packet Inspection) with CLI.
• Descr
CBAC Example
Bach Khoa Information Technology Academy - Website: www.bkacad.com
CBAC Operation
• When an attack is detected, the firewall can take several actions:
– Generate alert messages
– Protect system resources that could impede performance
– Block packets from suspected attackers
• Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks:
– Total number of half-opened TCP sessions
– Number of half-opened sessions in a time interval
– Number of half-opened TCP sessions per host
• If a threshold for the number of half-opened TCP sessions is exceeded, the firewall has two options:
– It sends a reset message to the endpoints of the oldest half-opened session, making resources available to service newly arriving SYN packets.
– It blocks all SYN packets temporarily for the duration that the threshold value is configured. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources that valid connections need.
Configuring CBAC
Four Steps to Configure
• Step 1: Pick an Interface: internal or external
• Step 2: Configure IP ACLs at the Interface
• Step 3: Define Inspection Rules
• Step 4: Apply an Inspection Rule to an Interface
Step 1: Pick an Interface
Two-Interface
Three-Interface
Step 2: Configure IP ACLs at the Interface
Step 3: Define Inspection Rules
Router(config)# ip inspect name inspection_name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
Step 4: Apply an Inspection Rule to an Interface
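A complete two-interface CBAC configuration that walks through the four steps above, added here as an example and not taken from the original slides. The interface names, addresses, ACL number, timeouts and the inspection name INSPECT-OUT are assumptions; the threshold commands illustrate the three TCP DoS thresholds described under CBAC Operation.

```ios
! Added example (not from the original slides). All names, numbers
! and interface choices below are assumptions for illustration.
!
! Step 1: pick the interfaces. Inside = FastEthernet0/0,
! outside = Serial0/0/0. The ACL and inspection go on the outside.
!
! Step 2: IP ACL on the outside interface. Unsolicited inbound
! traffic is denied; CBAC inserts temporary entries ahead of this ACL
! for the return traffic of sessions opened from the inside. Only the
! ICMP messages needed for troubleshooting are permitted statically.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
!
! Step 3: inspection rules, using the syntax from the slide:
!   ip inspect name inspection_name protocol [alert {on|off}]
!      [audit-trail {on|off}] [timeout seconds]
ip inspect name INSPECT-OUT tcp alert on audit-trail on timeout 3600
ip inspect name INSPECT-OUT udp timeout 30
ip inspect name INSPECT-OUT icmp
ip inspect name INSPECT-OUT http
ip inspect name INSPECT-OUT ftp
!
! The three half-open TCP session thresholds from CBAC Operation:
! total half-open sessions, half-open sessions per one-minute
! interval, and half-open sessions per destination host. When the
! per-host limit is hit, new SYNs to that host are blocked for
! block-time minutes (the "block SYN packets temporarily" option).
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 2
!
! Step 4: apply the ACL inbound and the inspection rule outbound on
! the outside interface, so sessions leaving the network are tracked
! and their replies are admitted through ACL 101.
interface Serial0/0/0
 ip access-group 101 in
 ip inspect INSPECT-OUT out
!
! Verification (the show/debug commands covered later in this chapter):
!   show ip inspect config
!   show ip inspect sessions
!   debug ip inspect tcp
```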
Verification and Troubleshooting of CBAC
• Alerts and Audits
• show ip inspect Parameters
• debug ip inspect Parameters
Alerts and Audits
*Note: Alerts are enabled by default and automatically display on the console line of the router. If alerts have been disabled using the ip inspect alert-off command, the no form of that command, as seen above, is required to re-enable alerts.
show ip inspect Parameters
debug ip inspect Parameters
Zone-Based Policy Firewall Characteristics
• The zone-based policy firewall (ZPF or ZBF or ZFW) inspection interface supports previous firewall features, including stateful packet inspection, application inspection, URL filtering, and DoS mitigation.
• Firewall policies are configured using the Cisco Common Classification Policy Language (C3PL), which uses a hierarchical structure to define network protocol inspection and allows hosts to be grouped under one inspection policy.
Zone-Based Policy Firewall Characteristics
• CBAC has these limitations:
1. Multiple inspection policies and ACLs on several interfaces on a router make it difficult to correlate the policies for traffic between multiple interfaces.
2. Policies cannot be tied to a host group or subnet with an ACL. All traffic through a given interface is subject to the same inspection.
3. The process relies too heavily on ACLs.
Benefits
Two Zones
• Zone-based policy firewall is not dependent on ACLs
• The router security posture is now “block unless explicitly allowed”
• C3PL (Cisco Common Classification Policy Language) makes policies easy to read and troubleshoot
• One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.
CBAC or Zones?
• Important note:
– Both configuration models can be enabled concurrently on a router.
– The models cannot be combined on a single interface.
– For example, an interface cannot be configured as a security zone member and configured for IP inspection simultaneously.
The Design Process
1. Determine the Zones:
– The internetworking infrastructure under consideration is split into well-documented separate zones with various security levels.
2. Establish policies between zones:
– For each pair of source-destination zones, the sessions that clients in source zones are allowed to open to servers in destination zones are defined. For traffic that is not based on the concept of sessions (for example, IPsec Encapsulating Security Payload [ESP]), the administrator must define unidirectional traffic flows from source to destination and vice versa.
3. Design the physical infrastructure:
– The administrator must design the physical infrastructure, taking into account security and availability requirements.
4. Identify subsets within zones and merge traffic requirements:
– For each firewall device in the design, the administrator must identify zone subsets connected to its interfaces and merge the traffic requirements for those zones, resulting in a device-specific interzone policy.
Common Designs
(Figure panels: LAN-to-Internet, Public Servers, Redundant Firewalls, Complex Firewall)
Zones Simplify Complex Firewall
Actions when configured using CCP
• Inspect – This action configures Cisco IOS stateful packet inspection
• Drop – This action is analogous to deny in an ACL
• Pass – This action is analogous to permit in an ACL
Rules for Application Traffic
*Note: a zone-pair must have different zones as its source and destination.
Rules for Router Traffic
Configuring a Zone-Based Policy Firewall with CLI
1. Create the zones for the firewall with the zone security command
2. Define traffic classes with the class-map type inspect command
3. Specify firewall policies with the policy-map type inspect command
4. Apply firewall policies to pairs of source and destination zones with zone-pair security
5. Assign router interfaces to zones using the zone-member security interface command
Step 1: Create the Zones
FW(config)# zone security Inside
FW(config-sec-zone)# description Inside network
FW(config)# zone security Outside
FW(config-sec-zone)# description Outside network
Step 2: Define Traffic Classes
FW(config)# class-map type inspect FOREXAMPLE
FW(config-cmap)# match access-group 101
FW(config-cmap)# match protocol tcp
FW(config-cmap)# match protocol udp
FW(config-cmap)# match protocol icmp
FW(config-cmap)# exit
FW(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any
Step 3: Define Firewall Policies
FW(config)# policy-map type inspect InsideToOutside
FW(config-pmap)# class type inspect FOREXAMPLE
FW(config-pmap-c)# inspect
Step 4: Assign Policy Maps to Zone Pairs and Assign Router Interfaces to Zones
FW(config)# zone-pair security InsideToOutside source Inside destination Outside
FW(config-sec-zone-pair)# description Internet Access
FW(config-sec-zone-pair)# service-policy type inspect InsideToOutside
FW(config-sec-zone-pair)# interface F0/0
FW(config-if)# zone-member security Inside
FW(config-if)# interface S0/0/0.100 point-to-point
FW(config-if)# zone-member security Outside
Final ZPF Configuration
policy-map type inspect InsideToOutside
 class class-default
  inspect
!
zone security Inside
 description Inside network
zone security Outside
 description Outside network
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
!
interface FastEthernet0/0
 zone-member security Inside
!
interface Serial0/0/0.100 point-to-point
 zone-member security Outside
Configuring a Zone-Based Policy Firewall with CCP Wizard
• Refer to 4.4.4
Configuring a Zone-Based Policy Firewall Manually with CCP
• Refer to 4.4.5
CLI Generated Output
class-map type inspect match-any iinsprotocols
 match protocol http
 match protocol smtp
 match protocol ftp
!
policy-map type inspect iinspolicy
 class type inspect iinsprotocols
  inspect
!
zone security private
zone security internet
!
interface fastethernet 0/0
 zone-member security private
!
interface serial 0/0/0
 zone-member security internet
!
zone-pair security priv-to-internet source private destination internet
 service-policy type inspect iinspolicy
!
Callouts from the slide:
• class-map: list of services defined in the firewall policy
• policy-map: apply action (inspect = stateful inspection)
• zone security: zones created
• zone-member security: interfaces assigned to zones
• zone-pair security: inspection applied from private to public zones
Troubleshooting Zone-Based Policy Firewall
• Refer to 4.4.6
Summary
• Standard and extended IP ACLs are the fundamental tools for basic network traffic filtering.
• How standard and extended IP ACLs are created and applied depends on the type of traffic and where the source and destination of the traffic lie.
• ACLs are linked to the flow of network traffic. The network topology determines how ACLs are created and applied.
• ACLs can be created and applied with SDM.
• The TCP established option and reflexive ACLs extend the function of ACLs to take into account the two-way nature of network traffic.
Summary
• Firewalls provide perimeter security, defining the inside and outside of a network.
• There are many different types of firewalls, with stateful firewalls providing the greatest security.
• Today, network design must take into account the selection of the type of firewall and its proper placement.
• CBAC enables sophisticated stateful filtering of most forms of modern application traffic.
• The operation of CBAC is quite complex, building and tearing down state entries for traffic flows.
• CBAC configuration is very complex, relying on ACLs and inspection rules applied on appropriate interfaces.
• CLI and SDM can be used to verify and troubleshoot CBAC.
Summary
• Zone-Based Policy Firewall (ZPF), introduced in 2006, is the state of the art in modern firewalling.
• ZPF operation centers around the creation of zones associated with various security levels.
• Implementing ZPF with CLI is much more structured and easier to understand than CBAC. ZPF utilizes class maps and policy maps enabled by C3PL.
• An SDM wizard for ZPF is available.
• Either CLI or SDM can be used to verify and troubleshoot ZPF.