26
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features

Cisco IOS Threat Defense Features

  • Upload
    colton

  • View
    67

  • Download
    9

Embed Size (px)

DESCRIPTION

Cisco IOS Threat Defense Features. Lesson 1 - Introducing the Cisco IOS Firewall. Objectives. Explain the purpose of the Demilitarized Zone (DMZ). Describe various DMZ topologies and design options . Describe firewall operations and implementation technologies. - PowerPoint PPT Presentation

Citation preview

Page 1: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco IOS Threat Defense Features

Page 2: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Lesson 1 - Introducing the Cisco IOS Firewall

Page 3: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Objectives Explain the purpose of the Demilitarized Zone (DMZ).

Describe various DMZ topologies and design options.

Describe firewall operations and implementation technologies.

Compare and contrast various firewall implementation options.

Describe the security features available in the Cisco Firewall Feature Set IOS.

Page 4: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

DMZ

A DMZ is established between security zones.

DMZs are buffer networks that are neither the Inside nor the Outside network.

Page 5: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Layered Defense Features Access control is enforced on traffic entering and

exiting the buffer network to all security zones by:Classic routers

Dedicated firewalls

DMZs are used to host services:Exposed public services are served on dedicated hosts inside the buffer network.

The DMZ may host an application gateway for outbound connectivity.

A DMZ blocks and contains an attacker in the case of a break-in.

Page 6: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Multiple DMZs

Multiple DMZs provide better separation and access control:

Each service can be hosted in a separate DMZ.

Damage is limited and attackers contained if a service is compromised.

Three Separate DMZsMultiple DMZs

Page 7: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Modern DMZ Design

Various systems (a stateful packet filter or proxy server) can filter traffic.

Proper configuration of the filtering device is critical.

Page 8: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Private VLAN

Traffic flows on private VLANs:

• RED and YELLOW can communicate with BLUE

• RED and YELLOW cannot communicate with each other

Secondary VLANsPrimary VLANs

Page 9: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Promiscuous Port

Promiscuous Port

Secondary VLAN Ports

Host 1 (FTP)

Host 2 (HTTP)

Host 3 (Admin)

Page 10: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Firewall Technologies Firewalls use three technologies:

Packet filtering

Application layer gateway (ALG)

Stateful packet filtering

Page 11: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Packet Filtering

Packet filtering limits traffic into a network based on the destination and source addresses, ports, and other flags that you compile in an ACL.

Page 12: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Packet Filtering Example

Router(config)# access-list 100 permit tcp any 16.1.1.0 0.0.0.255 establishedRouter(config)# access-list 100 deny ip any any logRouter(config)# interface Serial0/0Router(config-if)# ip access-group 100 inRouter(config-if)# end

Page 13: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Application Layer Gateway

The ALG intercepts and establishes connections to the Internet hosts on behalf of the client.

Page 14: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Stateful Packet Filtering

Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes.

Stateful inspection then remembers certain details, or “state” of that request.

Page 15: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

The Cisco IOS Firewall Feature Set The Cisco IOS Firewall Feature Set contains these

features:Standard and extended ACLs

TCP intercept

Cisco IOS Firewall

Cisco IOS Firewall IPS

Authentication proxy

Port-to-Application Mapping (PAM)

NAT

IPsec network security

Event logging

User authentication and authorization

Page 16: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco IOS Firewall

Packets are inspected when entering the Cisco IOS firewall if the packets are not specifically denied by an ACL.

Cisco IOS Firewall permits or denies specified TCP and UDP traffic through a firewall.

A state table is maintained with session information.

ACLs are dynamically created or deleted.

Cisco IOS Firewall protects against DoS attacks.

Page 17: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco IOS Authentication Proxy

HTTP, HTTPS, FTP, and Telnet authentication

Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols

Page 18: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco IOS IPS

Acts as an inline intrusion prevention sensor—traffic goes through the sensor

When an attack is detected, the sensor can perform any of these actions:Alarm: Send an alarm to SDM or syslog server.

Drop: Drop the packet.

Reset: Send TCP resets to terminate the session.

Block: Block an attacker IP address or session for a specified time.

Identifies 700+ common attacks

Page 19: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco IOS ACLs Revisited ACLs provide traffic filtering by these criteria:

Source and destination IP addresses

Source and destination ports

ACLs can be used to implement a filtering firewall leading to these security shortcomings:

Ports opened permanently to allow traffic, creating a security vulnerability.

The ACLs do not work with applications that negotiate ports dynamically.

Cisco IOS Firewall addresses these shortcomings of ACLs.

Page 20: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco IOS Firewall TCP Handling

3-Way Handshake

Page 21: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco IOS Firewall UDP Handling

Page 22: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

How Cisco IOS Firewall Works

Page 23: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco IOS Firewall Supported Protocols Regardless of the application layer protocol, Cisco IOS Firewall will inspect:

All TCP sessions

All UDP connections

Enhanced stateful inspection of application layer protocolsOutgoing requests to the Internet, and responses

from the Internet are allowed.

Page 24: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Alerts and Audit Trails Cisco IOS Firewall generates real-time alerts and audit trails.

Audit trail features use syslog to track all network transactions.

With Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

Page 25: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.

Summary The Cisco IOS Firewall software offers a full set of security features that

can be implemented to provide security for a network.

The DMZ is an ideal place to host services to enable inside users to connect to the outside perimeter. The DMZ approach is the most popular and commonly used modern architecture.

Firewalls can be based on packet filtering, application layer gateways or stateful packet filtering.

The Cisco IOS Firewall Feature Set is a security-specific option for Cisco IOS software that is available in select security Cisco IOS images.

The Cisco IOS Firewall Feature Set integrates robust firewall functionality, authentication proxy, and intrusion prevention.

Page 26: Cisco IOS Threat Defense Features

© 2006 Cisco Systems, Inc. All rights reserved.