Describe numbered and named, standard and extended IP
ACLs.
• Configure IP ACLs with IOS CLI and CCP.
• Describe TCP established ACL functionality.
• Describe and configure reflexive ACLs.
• Describe and configure dynamic ACLs.
• Describe and configure time-based ACLs.
• Describe attack mitigation with ACLs.
• Describe the major types of firewalls.
• Describe and configure CBAC (IOS Staful Packet Inspection)
with CLI.
• Descr
132 trang |
Chia sẻ: phuongt97 | Lượt xem: 535 | Lượt tải: 1
Bạn đang xem trước 20 trang nội dung tài liệu Bài giảng CCNA Security - Chapter 4: AImplementing Firewall Technologies, để xem tài liệu hoàn chỉnh bạn click vào nút DOWNLOAD ở trên
Website: www.bkacad.com
CBAC Example
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
CBAC Operation
• When an attack is detected, the firewall can take several actions:
– Generate alert messages
– Protect system resources that could impede performance
– Block packets from suspected attackers
• Cisco IOS Firewall provides three thresholds against TCP-based DoS attacks:
– Total number of half-opened TCP sessions
– Number of half-opened sessions in a time interval
– Number of half-opened TCP sessions per host
• If a threshold for the number of half-opened TCP sessions is exceeded, the
firewall has two options:
– It sends a reset message to the endpoints of the oldest half-opened
session, making resources available to service newly arriving SYN
packets.
– It blocks all SYN packets temporarily for the duration that the
threshold value is configured. When the router blocks a SYN packet,
the TCP three-way handshake is never initiated, which prevents the
router from using memory and processing resources that valid
connections need.
Configuring CBAC
Four Steps to Configure
• Step 1: Pick an Interface- internal or external
• Step 2: Configure IP ACLs at the Interface
• Step 3: Define Inspection Rules
• Step 4: Apply an Inspection Rule to an
Interface
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 1: Pick an Interface
Two-Interface
Three-Interface
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 2: Configure IP ACLs at the Interface
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 3: Define Inspection Rules
– Router(config)#
ip inspect name inspection_name protocol [alert {on | off}] [audit-trail
{on | off}] [timeout seconds]
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 4: Apply an Inspection Rule to an Interface
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Verification and Troubleshooting of CBAC
• Alerts and Audits
• show ip inspect Parameters
• debug ip inspect Parameters
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Alerts and Audits
*note: Alerts are enabled by default and automatically display on the
console line of the router. If alerts have been disabled using the ip
inspect alert-off command, the no form of that command, as
seen above, is required to re-enable alerts.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Alerts and Audits
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
show ip inspect Parameters
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
debug ip inspect Parameters
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Zone-Based Policy Firewall Characteristics
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Zone-Based Policy Firewall Characteristics
• The zone-based policy firewall (ZPF or ZBF or
ZFW) inspection interface supports previous
firewall features, including stateful packet
inspection, application inspection, URL
filtering, and DoS mitigation.
•
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Firewall policies are configured using the Cisco
Common Classification Policy Language
(C3PL), which uses a hierarchical structure to
define network protocol inspection and allows
hosts to be grouped under one inspection policy.
Zone-Based Policy Firewall Characteristics
• CBAC has these limitations:
1. Multiple inspection policies and ACLs on several interfaces on a
router make it difficult to correlate the policies for traffic
between multiple interfaces.
2. Policies cannot be tied to a host group or subnet with an ACL.
All traffic through a given interface is subject to the same
inspection.
3. The process relies too heavily on ACLs.
Benefits
Two Zones
• Zone-based policy firewall is not dependent on ACLs
• The router security posture is now “block unless explicitly
allowed”
• C3PL (Cisco Common Classification Policy Language) makes
policies easy to read and troubleshoot
• One policy affects any given traffic, instead of needing multiple
ACLs and inspection actions.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
CBAC or Zones ?
• Important note:
• Both configuration models can be enabled
concurrently on a router.
• The models cannot be combined on a single interface.
• For example, an interface cannot be configured as a
security zone member and configured for IP inspection
simultaneously.
The Design Process
1. Determine the Zones:
– Internetworking infrastructure under consideration is split into well-
documented separate zones with various security levels
2. Establish policies between zones:
– For each pair of source-destination zones, the sessions that clients in
source zones are allowed to open to servers in destination zones are
defined. For traffic that is not based on the concept of sessions (for
example, IPsec Encapsulating Security Payload [ESP]), the administrator
must define unidirectional traffic flows from source to destination and vice
versa.
3. Design the physical infrastructure:
– The administrator must design the physical infrastructure, taking into
account security and availability requirements.
4. Identify subset within zones and merge traffic requirements:
– For each firewall device in the design, the administrator must identify zone
subsets connected to its interfaces and merge the traffic requirements for
those zones, resulting in a device-specific interzone policy.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Common Designs
LAN-to-Internet Public Servers
Redundant Firewalls Complex Firewall
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Zones Simplify Complex Firewall
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Actions when configured using CCP
Inspect – This
action configures
Cisco IOS stateful
packet inspection
Drop – This action is
analogous to deny in
an ACL
Pass – This action is
analogous to permit
in an ACL
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Rules for Application Traffic
*zone-pair must have different zone as source and destination
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Rules for Router Traffic
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring a Zone-Based Policy Firewall with CLI
1. Create the zones for the firewall
with the zone security
command
2. Define traffic classes with the
class-map type inspect
command
3. Specify firewall policies with
the policy-map type
inspect command
4. Apply firewall policies to pairs of
source and destination zones with
zone-pair security
5. Assign router interfaces to zones using the zone-member security
interface command
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 1: Create the Zones
FW(config)# zone security Inside
FW(config-sec-zone)# description Inside network
FW(config)# zone security Outside
FW(config-sec-zone)# description Outside network
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 2: Define Traffic Classes
FW(config)# class-map type inspect FOREXAMPLE
FW(config-cmap)# match access-group 101
FW(config-cmap)# match protocol tcp
FW(config-cmap)# match protocol udp
FW(config-cmap)# match protocol icmp
FW(config-cmap)# exit
FW(config)# access-list 101 permit ip 10.0.0.0
0.0.0.255 any
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 3: Define Firewall Policies
FW(config)# policy-map type inspect InsideToOutside
FW(config-pmap)# class type inspect FOREXAMPLE
FW(config-pmap-c)# inspect
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Step 4: Assign Policy Maps to Zone Pairs and Assign Router Interfaces to
Zones
FW(config)# zone-pair security InsideToOutside source
Inside destination Outside
FW(config-sec-zone-pair)# description Internet Access
FW(config-sec-zone-pair)# service-policy type inspect
InsideToOutside
FW(config-sec-zone-pair)# interface F0/0
FW(config-if)# zone-member security Inside
FW(config-if)# interface S0/0/0.100 point-to-point
FW(config-if)# zone-member security Outside
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Final ZPF Configuration
• policy-map type inspect InsideToOutside class
class-default inspect
• !
• zone security Inside description Inside network
• zone security Outside description Outside
network
• zone-pair security InsideToOutside source Inside
destination Outside
• service-policy type inspect InsideToOutside
• !
• interface FastEthernet0/0 zone-member security
Inside
• !
• interface Serial0/0/0.100 point-to-point zone-
member security Outside
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring a Zone-Based Policy Firewall with CCP Wizard
• Refer to 4.4.4
Configuring a Zone-Based Policy Firewall Manually with CCP
• Refer to 4.4.5
CLI Generated Output
• class-map type inspect match-any iinsprotocols
• match protocol http
• match protocol smtp
• match protocol ftp
!
• policy-map type inspect iinspolicy
• class type inspect iinsprotocols
• inspect
• !
• zone security private
List of services
defined in the
firewall policy
Apply action (inspect =
stateful inspection)
Zones created
• zone security internet
• !
• interface fastethernet 0/0
• zone-member security private
• !
• interface serial 0/0/0
• zone-member security internet
• !
• zone-pair security priv-to-internet source private destination internet
• service-policy type inspect iinspolicy
• !
Interfaces assigned to
zones
Inspection applied
from private to public
zones
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Troubleshooting Zone-Based Policy Firewall
• Refer to 4.4.6
Troubleshooting Zone-Based Policy Firewall
• Refer to 4.4.6
Summary
• Standard and extended IP ACLs are the fundamental tools
for basic network traffic filtering.
• How standard and extended IP ACLs are created and
applied depends on the type of traffic and where the
source and destination of the traffic lies.
• ACLs are linked to the flow of network traffic. The network
topology determines how ACLs are cerated and applied
• ACLs can be created and applied with SDM
• The TCP established option and reflexive ACLs extend the
function of ACLs to take into account the tow-way nature of
the network traffic.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Summary
• Firewalls provide perimeter security defining the inside and
outside of a network.
• There are many different types of firewall , with stateful
firewall providing the greatest security.
• Today, network design must take into account the selection
of the type of firewall and its proper placement.
• CBAC enables sophisticate stateful filtering of most forms
of modern application traffic.
• The operation of CBAC is quite complex, bulding and
tearing down state entries for traffic flows.
• CBAC configuration is very complex, relying on ACLs and
inspection rules applied on appropriate interfaces.
• CLI and SDM can be used to verify and troubleshoot
CBAC
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Summary
• Zone-Based Policy Firewall (ZPF) , introduced in 2006, is
the state of the art in modern firewalling.
• ZPF operation centers around the creation of zones
associated with various security levels.
• Implementing ZPF with CLI is much more structured and
easier to understand than CBAC . ZPF utilizes class maps
and policy maps enabled by C3PL.
• An SDM wizard for ZPF is avaiable.
• Either CLI or SDM can be used to verify and troubleshoot
ZPF.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Các file đính kèm theo tài liệu này:
- bai_giang_ccna_security_chapter_4_aimplementing_firewall_tec.pdf