7/13/2019 Cisco Security ALL
1/95
1999, Cisco Systems, Inc. www.cisco.com
Module 11: Security Basics
CSE: Networking Fundamentals, Security. 1999, Cisco Systems, Inc. www.cisco.com
Agenda
Why Security?
Security Technology
Identity
Integrity
Active Audit
All Networks Need Security
No matter the company size, security is important
An Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
Even small company sites are cracked
Why Security?
Three primary reasons
Policy vulnerabilities
Configuration vulnerabilities
Technology vulnerabilities
And people eager to take advantage of the vulnerabilities
Security Threats
Loss of Integrity: a customer's "Deposit $1000" reaches the bank as "Deposit $ 100"
Loss of Privacy: a clear-text telnet login to company.org (username dan, password m-y-p-a-s-s-w-o-r-d) is read off the wire
Impersonation: "I'm Bob. Send me all corporate correspondence with Cisco."
Denial of Service: the target's CPU is kept busy so that legitimate users are not served
Security Objective: Balance Business Needs with Risks
Access Security: Authentication, Authorization, Accounting
Assurance: Confidentiality, Data Integrity, Policy Management
Business needs: Connectivity, Performance, Ease of Use, Manageability, Availability
Network Security Components: Physical Security Analogy
Doors, locks, and guards: firewalls and access controls
Keys and badges: authentication
Surveillance cameras and motion sensors: intrusion detection system
Complementary mechanisms that together provide in-depth defense
Security Technology
Elements of Security
Policy is enforced through three elements:
Identity: accurately identify users; determine what users are allowed to do
Integrity: ensure network availability; provide perimeter security; ensure privacy
Active audit: recognize network weak spots; detect and react to intruders
Security Technology
Identity
Identity
Uniquely and accurately identify users, applications, services, and resources
Mechanisms: username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS-login, digital certificates, directory services, Network Address Translation
Username/Password
Figure: a dial-in user connects over the public network to a network access server (NAS) using PPP with PAP; the NAS forwards the ID/password to an AAA server on the campus.
User dials in with password to NAS
NAS sends ID/password to AAA server
AAA server authenticates user ID/password and tells NAS to accept (or reject)
NAS accepts (or rejects) call
PAP and CHAP Authentication
Figure: a network access server reached over the public network; the PPP link runs PAP or CHAP.
Password Authentication Protocol (PAP)
Authenticates caller only
Passes password in clear text
Challenge Handshake Authentication Protocol (CHAP)
Authenticates both sides
Password is encrypted
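An added example, not part of the Cisco deck, showing what PAP and CHAP each put on the wire. The CHAP response follows RFC 1994 (MD5 over Identifier, shared secret and Challenge); the peer name, the shared secret and the challenge bytes are constructed for the demo.

```python
# Added example, not from the Cisco deck: what PAP and CHAP each put on the
# wire. CHAP follows RFC 1994 (MD5 over Identifier || secret || Challenge);
# the peer name, shared secret and challenge values are constructed here.
import hashlib
import hmac
import os

SHARED_SECRET = b"correct-horse"   # constructed; known to both PPP peers, never sent by CHAP


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data: Peer-ID and Password travel in clear text."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the response from its own copy of the secret."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret: bytes, identifier: int = 1, challenge=None):
    """Run one CHAP challenge/response.

    Returns (authenticated, secret_visible_on_wire) so the caller can see that
    the authenticator accepts the peer without the secret ever being transmitted.
    """
    if challenge is None:
        challenge = os.urandom(16)            # fresh, unpredictable challenge
    wire = bytes([identifier]) + challenge    # Challenge packet: authenticator -> peer
    response = chap_response(identifier, secret, challenge)
    wire += bytes([identifier]) + response    # Response packet: peer -> authenticator
    authenticated = chap_verify(identifier, secret, challenge, response)
    return authenticated, secret in wire


def replay_is_rejected(secret: bytes) -> bool:
    """A response captured for one challenge does not satisfy a new challenge."""
    captured = chap_response(1, secret, b"old-challenge-bytes")   # constructed old challenge
    fresh_challenge = os.urandom(16)
    return not chap_verify(1, secret, fresh_challenge, captured)


def mutual_chap(secret: bytes) -> bool:
    """CHAP authenticates both sides: each peer challenges the other in turn."""
    a_to_b = chap_exchange(secret, identifier=1)[0]   # peer A proves itself to B
    b_to_a = chap_exchange(secret, identifier=2)[0]   # peer B proves itself to A
    return a_to_b and b_to_a
```

The PAP request carries the password itself, which is why the deck lists it under "passes password in clear text"; the CHAP exchange carries only a random challenge and a digest, so a captured response is useless against the next challenge.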
One-Time Password
Figure: the dial-in user's token card, soft token, or S/Key client produces an ID/one-time password; the network access server forwards it to the AAA server, which checks it against the token or S/Key server on the campus.
Additional level of security; guards against password guessing and cracking
Prevents spoofing and replay attacks
Single-use password is generated by token card or in software
Synchronized central server authenticates user
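An added example, not part of the Cisco deck, of an S/Key style one-time password: each password is one link of a one-way hash chain, the server keeps only the last accepted link, and a replayed password fails. S/Key itself uses MD4 with 64-bit truncation; SHA-256 is used here as an assumption, and the seed and chain length are constructed for the demo.

```python
# Added example, not from the Cisco deck: S/Key style one-time passwords as
# links of a one-way hash chain. SHA-256 stands in for S/Key's MD4 (assumption);
# the seed and chain length are constructed for the demo.
import hashlib
import hmac


def hash_chain(seed: bytes, n: int) -> bytes:
    """Apply the one-way hash n times: H^n(seed)."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class TokenCard:
    """Client side (token card or soft token): holds the seed and hands out
    passwords from the top of the chain downwards."""

    def __init__(self, seed: bytes, chain_length: int):
        self._seed = seed
        self._next = chain_length - 1     # the server already holds H^chain_length

    def next_password(self) -> bytes:
        if self._next < 0:
            raise RuntimeError("chain exhausted; re-initialise with a new seed")
        password = hash_chain(self._seed, self._next)
        self._next -= 1
        return password


class OtpServer:
    """Server side: stores only the most recently accepted link, never the seed."""

    def __init__(self, seed: bytes, chain_length: int):
        self.remaining = chain_length
        self.current = hash_chain(seed, chain_length)   # H^n(seed); the seed is then discarded

    def authenticate(self, presented: bytes) -> bool:
        """Accept iff H(presented) equals the stored link; then move the stored link down."""
        if self.remaining == 0:
            return False
        if not hmac.compare_digest(hashlib.sha256(presented).digest(), self.current):
            return False
        self.current = presented          # a replay of this same value will now fail
        self.remaining -= 1
        return True


def demo():
    """Walk one login, a replay of the same password, then the next password."""
    seed = b"constructed-seed-value"
    card, server = TokenCard(seed, 5), OtpServer(seed, 5)
    first = card.next_password()
    return (server.authenticate(first),                  # True: fresh password accepted
            server.authenticate(first),                  # False: replayed password rejected
            server.authenticate(card.next_password()))   # True: next link accepted
```

Because the server never stores the seed, a copy of its database yields only values that have already been used up; the replay check is what the deck's "prevents spoofing, replay attacks" bullet relies on.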
Authentication, Authorization, and Accounting (AAA)
Tool for enforcing security policy
Authentication: verifies identity ("Who are you?")
Authorization: configures integrity ("What are you permitted to do?")
Accounting: assists with audit ("What did you do?")
AAA Services
Centralized security database
High availability
Same policy across many access points
Per-user access control
Single network login
Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password
Figure: the AAA server holds the ID/user profiles; a dial-in user through a network access server and an Internet user through a gateway router/firewall (which intercepts connections) are both checked against it over TACACS+ or RADIUS.
Lock-and-Key Security
Dynamically assigns access control lists on a per-user basis
Allows a remote host to access a local host via the Internet
Allows local hosts to access a host on a remote network
Figure: an authorized user reaches the corporate site across the Internet; a non-authorized user is blocked.
Calling Line Identification
Figure: Station A (ISDN number 1234) places a call; the call setup message carries the local ISDN numbers; the receiving router compares the number with its known numbers and accepts the call; PPP CHAP authentication can optionally follow.
User Authentication with Kerberos
Authenticates users and the network services they use
Uses tickets or credentials issued by a trusted Kerberos server
Limited life span; can be used in place of standard user/password mechanism
Figure: a remote user (Kerberos principal) obtains a Kerberos credential (ticket) from the Kerberos server and presents an encrypted service credential to the Kerberized router to reach the mail server.
How Public Key Works
Figure: two devices across a WAN each hold a public key and a private key; the secret key they derive is used for DES.
By exchanging public keys, two devices can determine a new unique key (the secret key) known only to them
Digital Signatures
Signing: Bob's document is hashed to a message hash; the hash is encrypted with Bob's private key, producing the digital signature.
Verifying: the recipient hashes Bob's document again, decrypts the signature with Bob's public key, and compares the two hashes (same?).
If verification is successful, the document has not been altered
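An added example, not part of the Cisco deck, carrying the hash / sign / verify flow of the figure through in code. It uses textbook RSA with a small constructed key pair (the primes P and Q are assumptions for illustration; a real key is thousands of bits and pads the digest), and the signed document is the "Deposit $1000" message from the threats slide.

```python
# Added example, not from the Cisco deck: the hash / sign / verify flow of the
# figure, using textbook RSA with a small constructed key pair (P and Q are
# assumptions for illustration; a real key is far larger and pads the digest).
import hashlib

P, Q = 1000003, 999983                     # constructed small primes
N = P * Q                                  # modulus, part of Bob's public key
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, kept by Bob


def message_hash(document: bytes) -> int:
    """Hash the document; reduce into [0, N) because the toy modulus is tiny."""
    digest = hashlib.sha256(document).digest()
    return int.from_bytes(digest, "big") % N


def sign(document: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """Bob: 'encrypt' the message hash with the private key to form the signature."""
    return pow(message_hash(document), private_exponent, modulus)


def verify(document: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Recipient: 'decrypt' the signature with Bob's public key and compare hashes."""
    recovered_hash = pow(signature, public_exponent, modulus)
    return recovered_hash == message_hash(document)


def demo():
    """Sign the original document, then verify it and an altered copy."""
    original = b"Deposit $1000"          # constructed document
    tampered = b"Deposit $ 100"          # the altered version from the threats slide
    signature = sign(original)
    return verify(original, signature), verify(tampered, signature)
```

The altered document hashes to a different value, so decrypting the signature with Bob's public key no longer matches it; that mismatch is the "Same?" test in the figure.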
Certificate Authority
Certificate Authority (CA) verifies identity
CA signs digital certificate containing device's public key
Certificate equivalent to an ID card
Partners include Verisign, Entrust, Netscape, and Baltimore Technologies
Figure: a user and a bank communicating across the Internet; each side's identity is vouched for by a certificate issued by a CA.
Network Address Translation
Provides dynamic or static translation of private addresses to registered IP addresses
Eliminates readdressing overhead; large admin. cost benefit
Conserves addresses: hosts can share a single registered IP address for all external communications via port-level multiplexing
Permits use of a single IP address range in multiple intranets
Hides internal addresses
Augmented by EasyIP DHCP host function
Figure: a packet with source address (SA) 10.0.0.1 leaves toward the Internet with its inside global address as the source. Translation table:
Inside Local IP Address    Inside Global IP Address
10.0.0.1                   171.69.58.80
10.0.0.2                   171.69.58.81
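An added example, not part of the Cisco deck, of the port-level multiplexing the slide describes: a translation table that rewrites outbound packets from the slide's inside local addresses to a single inside global address, and reverses replies. The packets, port numbers and the outside addresses are constructed for the demo.

```python
# Added example, not from the Cisco deck: a port-level multiplexing (PAT)
# table. Inside local addresses 10.0.0.1 and 10.0.0.2 share the slide's
# registered address; the packets and port numbers are constructed here.
import itertools

INSIDE_GLOBAL = "171.69.58.80"   # the registered address from the slide


class PatTable:
    def __init__(self, inside_global: str, first_port: int = 1024):
        self.inside_global = inside_global
        self._next_port = itertools.count(first_port)
        self._out = {}   # (inside local ip, port) -> inside global port
        self._in = {}    # inside global port -> (inside local ip, port)

    def outbound(self, packet: dict) -> dict:
        """Rewrite SA/SPORT of a packet leaving toward the Internet."""
        key = (packet["sa"], packet["sport"])
        if key not in self._out:                 # first packet of a session: allocate a port
            port = next(self._next_port)
            self._out[key] = port
            self._in[port] = key
        return {**packet, "sa": self.inside_global, "sport": self._out[key]}

    def inbound(self, packet: dict):
        """Rewrite DA/DPORT of a returning packet; None means no session, so drop it."""
        key = self._in.get(packet["dport"])
        if key is None:
            return None                          # internal hosts stay hidden: nothing to map to
        local_ip, local_port = key
        return {**packet, "da": local_ip, "dport": local_port}

    def entries(self):
        """The translation table as (inside local, inside global) rows."""
        return [(f"{ip}:{p}", f"{self.inside_global}:{g}") for (ip, p), g in self._out.items()]


def demo():
    """Two inside hosts reach the same outside server; one reply and one stray packet return."""
    nat = PatTable(INSIDE_GLOBAL)
    a = nat.outbound({"sa": "10.0.0.1", "sport": 40000, "da": "198.51.100.7", "dport": 80})
    b = nat.outbound({"sa": "10.0.0.2", "sport": 40000, "da": "198.51.100.7", "dport": 80})
    reply = nat.inbound({"sa": "198.51.100.7", "sport": 80, "da": INSIDE_GLOBAL, "dport": b["sport"]})
    stray = nat.inbound({"sa": "203.0.113.9", "sport": 4444, "da": INSIDE_GLOBAL, "dport": 5555})
    return a, b, reply, stray
```

Both inside hosts use the same source port, so the address alone would not distinguish their replies; the allocated global port is what lets one registered address carry both sessions, and a packet with no table entry is dropped.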
Security Technology
Integrity
Integrity: Network Availability
Ensure the network infrastructure remains available
TCP Intercept, route authentication
TCP Intercept
Figure: the router intercepts the connection request, completes the connection with the client on the server's behalf, and then transfers the established connection to the server.
Protects networks against denial of service attacks
TCP SYN flooding can overwhelm server and cause it to deny service, exhaust memory, or waste processor cycles
TCP Intercept protects network by intercepting TCP connection requests and replying on behalf of the destination
Can be configured to passively monitor TCP connection requests and respond if connection fails to be established in a configurable interval
Route Authentication
Figure: a home gateway receives route updates across the Internet only from a trusted source.
Enables routers to identify one another and verify each other's legitimacy before accepting route updates
Ensures that routers receive legitimate update information from a trusted source
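An added example, not part of the Cisco deck, of the check a receiving router makes before accepting a route update: a keyed digest over the update proves the sender holds the shared key, and a sequence number rejects a captured update that is sent again. The deck names no algorithm; HMAC-SHA256 and the JSON encoding are assumptions, and the key and routes are constructed.

```python
# Added example, not from the Cisco deck: a keyed digest on route updates so
# a router accepts only updates from a peer holding the shared key, with a
# sequence number against replay. HMAC-SHA256 and the JSON encoding are
# assumptions; the key and the routes are constructed for the demo.
import hashlib
import hmac
import json


def sign_update(routes: dict, sequence: int, key: bytes) -> dict:
    """Sending router: serialise the update deterministically and append its digest."""
    body = json.dumps({"seq": sequence, "routes": routes}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class ReceivingRouter:
    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1
        self.table = {}    # prefix -> next hop, filled only from accepted updates

    def accept(self, update: dict) -> str:
        """Verify the digest first, then the sequence number, then install the routes."""
        expected = hmac.new(self._key, update["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["tag"]):
            return "rejected: bad digest"          # wrong key or tampered body
        payload = json.loads(update["body"])
        if payload["seq"] <= self._last_seq:
            return "rejected: replayed"            # an old update captured and resent
        self._last_seq = payload["seq"]
        self.table.update(payload["routes"])
        return "accepted"


def demo():
    """One genuine update, the same update replayed, and a forged default route."""
    key = b"constructed-shared-key"
    router = ReceivingRouter(key)
    genuine = sign_update({"10.0.0.0/8": "192.0.2.1"}, 1, key)
    forged = sign_update({"0.0.0.0/0": "198.51.100.9"}, 2, b"attacker-guess")
    return router.accept(genuine), router.accept(genuine), router.accept(forged), router.table
```

The digest is checked before the body is parsed, so an update from a peer without the key is discarded without touching the routing table; the sequence check covers the case where a genuine update is recorded and injected later.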
Integrity: Perimeter Security
Control access to critical network applications, data, and services
Access control lists, firewall technologies, content filtering, CBAC, authentication
Access Lists
Standard
Filter source address only
Permit/deny entire protocol suite
Extended
Filter source, destination addresses
Inbound or outbound
Port number
Permit/deny specific protocols
Reflexive
Time-based
Policy Enforcement Using Access Control Lists
Figure: an inbound Telnet session from the Internet is stopped at the home gateway.
Ability to stop or reroute traffic based on packet characteristics
Access control on incoming or outgoing interfaces
Works together with NetFlow to provide high-speed enforcement on network access points
Violation logging provides useful information to network managers
Importance of Firewalls
Permit secure access to resources
Protect networks from:
Unauthorized intrusion from both external and internal sources
Denial of service (DoS) attacks
What Is a Firewall?
All traffic from inside to outside and vice versa must pass through the firewall
Only authorized traffic, as defined by the local security policy, is allowed in or out
The firewall itself is immune to penetration
Packet-Filtering Routers
Figure: a router with ACLs sits between the ISP/Internet and the protected network (users, e-mail server, micro webserver); a public-access web server is placed outside the protected network.
Proxy Service
Figure: a proxy server between the internal network and the Internet/intranet.
Provides user-level security
Most effective when used with packet filtering
Stateful Sessions
Figure: a firewall fronting a mail server and a WWW server toward the Internet.
Highest performance security
Maintains complete session state
Connection oriented: tracks complete connection establishment and termination
Strong audit capability
Easy to add new applications
Performance Requirements
Figure: a company network's bandwidth scale (0.5, 1, 5, 10, 20, and 40 Meg per second) against traffic types: video, audio, private link, and web commerce over the Internet.
Integrity: Privacy
Provide authenticated private communication on demand
VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP
Encryption and Decryption
Figure: clear text becomes cipher text through encryption and is returned to clear text through decryption.
What Is IPSec?
Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet
Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
Data protected with network encryption, digital certification, and device authentication
Implemented transparently in network infrastructure
Includes routers, firewalls, PCs, and servers
Scales from small to very large networks
IPSec Everywhere!
Router to router
Router to firewall
PC to router
PC to server
PC to firewall
IKE: Internet Key Exchange
Automatically negotiates policy to protect communication
Authenticated Diffie-Hellman key exchange
Negotiates (possibly multiple) security associations for IPSec
Example IKE policy alternatives for the tunnel: 3DES, MD5, and RSA signatures; OR IDEA, SHA, and DSS signatures; OR Blowfish, SHA, and RSA encryption
How IPSec Uses IKE
Figure: Alice behind router A and Bob behind router B, with an IKE tunnel between the two routers' IKE processes.
1. Outbound packet from Alice to Bob; no IPSec security association yet
2. Router A's IKE begins negotiation with router B's IKE
3. Negotiation complete; router A and router B now have complete IPSec SAs in place
4. Packet is sent from Alice to Bob protected by IPSec SA
Encryption: DES and 3DES
Widely adopted standard
Encrypts plain text, which becomes ciphertext
DES performs 16 rounds
Triple DES (3DES)
The 56-bit DES algorithm runs three times
112-bit triple DES includes two keys; 168-bit triple DES includes three keys
Accomplished on a VPN client, server, router, or firewall
Breaking DES Keys
Exhaustive search is the only way to break DES keys (so far)
Would take hundreds of years on fastest general purpose computers (56-bit DES)
Specialized computer would cost $1,000,000 but could crack keys in 35 minutes (Source: M.J. Wiener)
Internet enables multiple computers to work simultaneously
Electronic Frontier Foundation and distributed.net cracked a 56-bit DES challenge in 22 hours and 15 minutes
Consensus of the cryptographic community is that 56-bit DES, if not currently insecure, will soon be insecure
Security Technology
Active Audit
Why Active Audit?
The hacker might be an employee or trusted partner
Up to 80% of security breaches come from the inside (Source: FBI)
Your defense might be ineffective
One out of every three intrusions occurs where a firewall is in place (Source: Computer Security Institute)
Your employees might make mistakes
Misconfigured firewalls, servers, etc.
Your network will grow and change
Each change introduces new security risks
Firewalls, authorization, and encryption do not provide VISIBILITY into these problems
Why Active Audit?
Network security requires a layered defense
Point security PLUS active systems to measure vulnerabilities and monitor for misuse
Network perimeter and the intranet
Security is an ongoing, operational process
Must be constantly measured, monitored, and improved
Active Audit: Network Vulnerability Assessment
Assess and report on the security status of network components
Scanning (active, passive), vulnerability database
Active Audit: Intrusion Detection System
Identify and react to known or suspected network intrusion or anomalies
Passive promiscuous monitoring
Database of threats or suspect behavior
Communication infrastructure or access control changes
IDS Attack Detection
Attacks are classified by what the sensor examines (context: the header; content: the data) and by how many packets it must see (atomic: a single packet; composite: multiple packets):
Context, atomic: Ping of Death, Land Attack
Context, composite: Port Sweep, SYN Attack, TCP Hijacking
Content, atomic: MS IE Attack, DNS Attacks
Content, composite: Telnet Attacks, Character Mode Attacks
Active Audit
Actively audit and verify policy
Detect intrusion and anomalies
Report
Summary
Security is a mission-critical business requirement for all networks
Security requires a global, corporate-wide policy
Security requires a multilayered implementation
Basic Security and Traffic Management with Access Lists
Why Use Access Lists?
Deny traffic you do not want based on packet tests (for example, addressing or traffic type)
Figure: a router joining a Token Ring segment, an FDDI ring, networks 172.16.0.0 and 172.17.0.0, and the Internet.
What Are Access Lists?
Standard
Simpler address specifications
Generally permits or denies entire protocol suite
Extended
More complex address specifications
Generally permits or denies specific protocols
Access List Processes
Figure: an incoming packet on interface E0 is tested on its source and destination; if permitted it leaves as an outgoing packet on E0 (optionally via the dialer).
Access List Command Overview
Router(config)#
access-list access-list-number {permit|deny} {test conditions}
Router(config-if)#
{protocol} access-group access-list-number
Access lists are numbered (for IP, numbered or named)
Step 1: Set parameters for this access list test statement (which can be one of several statements)
Step 2: Enable an interface to become part of the group that uses the specified access list
How to Identify Access Lists
Access List Type        Number Range/Identifier
IP Standard             1-99
IP Extended             100-199
IP Named                Name (Cisco IOS 11.2 and later)
IPX Standard            800-899
IPX SAP filters         1000-1099
AppleTalk               600-699
Number identifies the protocol and type
Other number ranges for most protocols
TCP/IP Access Lists
Testing Packets with Access Lists
Figure: a frame consists of the frame header (for example, HDLC), the packet (IP header), the segment (for example, TCP header), and data. Access list statements 1-99 or 100-199 test the packet on source address, destination address, protocol, and port number, and the outcome is permit or deny.
Key Concept for IP Access Lists
Standard lists (1 to 99) test conditions of all IP packets from source addresses
Extended lists (100 to 199) can test conditions of:
Source and destination addresses
Specific TCP/IP-suite protocols
Destination ports
Wildcard bits indicate how to check the corresponding address bits (0=check, 1=ignore)
How to Use Wildcard Mask Bits
Octet bit values: 128 64 32 16 8 4 2 1
0 0 0 0 0 0 0 0 = check all address bits (match all)
0 0 1 1 1 1 1 1 = ignore last 6 address bits
0 0 0 0 1 1 1 1 = ignore last 4 address bits
1 1 1 1 1 1 0 0 = check last 2 address bits
1 1 1 1 1 1 1 1 = do not check address (ignore bits in octet)
0 means check corresponding bit value
1 means ignore value of corresponding bit
How to Use the Wildcard any
Accept any address: 0.0.0.0 255.255.255.255; abbreviate the expression using the keyword any
Any IP address: 0.0.0.0
Wildcard mask: 255.255.255.255 (ignore all)
Test conditions: ignore all the address bits (match any)
How to Use the Wildcard host
Test conditions: check all the address bits (match all)
Example: 172.30.16.29 0.0.0.0 checks all the address bits
Abbreviate the wildcard using the keyword host followed by the IP address. For example, host 172.30.16.29
An IP host address, for example: 170.3.16.29
Wildcard mask: 0.0.0.0 (check all bits)
IP Standard Access List Configuration
Router(config)#
access-list access-list-number {permit|deny} source [source-mask]
Sets parameters for this list entry
IP standard access lists use 1 to 99
Router(config-if)#
ip access-group access-list-number {in|out}
Activates the list on an interface
Standard Access List Example 1
Figure: the router's E0 connects network 172.16.3.0 and E1 connects network 172.16.4.0 (which contains host 172.16.4.13); S0 leads to non-172.16.0.0 networks.
access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all, not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1 out
interface ethernet 1
ip access-group 1 out
Permit my network only
Standard Access List Example 2
Figure: the same topology (E0 to 172.16.3.0, E1 to 172.16.4.0 with host 172.16.4.13, S0 to non-172.16.0.0 networks).
access-list 1 deny host 172.16.4.13
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1
Deny a specific host
Standard Access List Example 3
Figure: the same topology (E0 to 172.16.3.0, E1 to 172.16.4.0 with host 172.16.4.13, S0 to non-172.16.0.0 networks).
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1
Deny a specific subnet
Extended IP Access Lists
Allow more precise filtering conditions
Check source and destination IP address
Specify an optional IP protocol port number
Use access list number range 100 to 199
Extended Access List Configuration
Router(config)#
access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator operand] [established]
Sets parameters for this list entry
IP uses a list number in range 100 to 199
Router(config-if)#
ip access-group access-list-number {in|out}
Activates the extended list on an interface
Extended Access List Example
Figure: the same topology as the standard examples (E0 to 172.16.3.0, E1 to 172.16.4.0 with host 172.16.4.13, S0 to non-172.16.0.0 networks).
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 101
Deny FTP for E0
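An added example, not part of the Cisco deck, that serves both the wildcard mask slides and the standard and extended access list examples: a small evaluator that applies the wildcard rule (0 = check the bit, 1 = ignore it), walks the statements in order, and falls through to the implicit deny. The access-list lines are the deck's own examples (Example 2 written with the IOS keyword order host followed by the address); the parser, the packets and the evaluator are constructed here and support only permit/deny, the ip/tcp/udp keywords, host, any and eq port.

```python
# Added example, not from the Cisco deck: an evaluator for numbered IP access
# lists with Cisco wildcard-mask semantics (0 = check the bit, 1 = ignore it)
# and the implicit deny at the end of every list. The access-list lines are
# the deck's examples; the parser, the packets and the evaluator are
# constructed here. Supported: permit/deny, ip/tcp/udp, host, any, 'eq port'.
# Not supported: 'established', named lists, port ranges.
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Compare only the bits whose wildcard bit is 0."""
    a, b, w = (int(IPv4Address(x)) for x in (address, base, wildcard))
    check = ~w & 0xFFFFFFFF
    return (a & check) == (b & check)


def _is_ipv4(token: str) -> bool:
    try:
        IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_address(tokens, wildcard_required):
    """Consume 'any', 'host A', 'A W', or (standard lists only) a bare 'A'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if wildcard_required or (len(tokens) > 1 and _is_ipv4(tokens[1])):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]       # IOS default wildcard for a bare address


def parse_entry(line: str) -> dict:
    _, number, action, *rest = line.split()
    number = int(number)
    if 1 <= number <= 99:                            # standard list: source address only
        src, rest = _parse_address(rest, wildcard_required=False)
        return {"action": action, "proto": "ip", "src": src, "dst": ANY, "dport": None}
    if not 100 <= number <= 199:
        raise ValueError(f"not an IP access list number: {number}")
    proto, *rest = rest                              # extended list: protocol, source, destination
    src, rest = _parse_address(rest, wildcard_required=True)
    dst, rest = _parse_address(rest, wildcard_required=True)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl: list, packet: dict) -> str:
    """First matching statement decides; no match falls through to the implicit deny."""
    for entry in (parse_entry(line) for line in acl):
        if entry["proto"] != "ip" and entry["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *entry["src"]):
            continue
        if not wildcard_match(packet["dst"], *entry["dst"]):
            continue
        if entry["dport"] is not None and entry["dport"] != packet.get("dport"):
            continue
        return entry["action"]
    return "deny"                                    # implicit deny all, not visible in the list


# The deck's lists (Example 2 in the IOS keyword order 'host A').
ACL_1_EXAMPLE_1 = ["access-list 1 permit 172.16.0.0 0.0.255.255"]
ACL_1_EXAMPLE_2 = ["access-list 1 deny host 172.16.4.13",
                   "access-list 1 permit 0.0.0.0 255.255.255.255"]
ACL_1_EXAMPLE_3 = ["access-list 1 deny 172.16.4.0 0.0.0.255",
                   "access-list 1 permit any"]
ACL_101 = ["access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
           "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
           "access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255"]


def ftp_from_host_13() -> dict:
    """Constructed packet: FTP control connection from 172.16.4.13 toward 172.16.3.10."""
    return {"proto": "tcp", "src": "172.16.4.13", "dst": "172.16.3.10", "dport": 21}
```

Running the FTP packet through ACL 101 returns deny on the first statement, while the same hosts on port 80 fall through to the third statement and are permitted; a packet from outside 172.16.4.0/24 matches nothing and is dropped by the implicit deny, which is the behaviour the "(access-list 101 deny ip ...)" comment lines in the examples stand for.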
Where to Place IP Access Lists
Figure: four routers A, B, C, and D joined by Token Ring (To0), Ethernet (E0, E1), and serial (S0, S1) interfaces.
Place standard access lists close to the destination
Place extended access lists close to the source
Monitoring Access Lists
Router# show ip interface
Ethernet0 is up, line protocol is up
Internet address is 192.54.222.2, subnet mask is 255.255.255.0
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is 192.52.71.4
Secondary address 131.192.115.2, subnet mask 255.255.255.0
Outgoing access list 10 is set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachable are always sent
ICMP mask replies are never sent
IP fast switching is enabled
Gateway Discovery is disabled
IP accounting is disabled
TCP/IP header compression is disabled
Probe proxy name replies are disabled
Router#
Monitoring Access List Statements
Router> show access-lists
Standard IP access list 19
permit 172.16.19.0
deny 0.0.0.0, wildcard bits 255.255.255.255
Standard IP access list 49
permit 172.16.31.0, wildcard bits 0.0.0.255
permit 172.16.194.0, wildcard bits 0.0.0.255
permit 172.16.195.0, wildcard bits 0.0.0.255
permit 172.16.196.0, wildcard bits 0.0.0.255
permit 172.16.197.0, wildcard bits 0.0.0.255
Extended IP access list 101
permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 23
Type code access list 201
permit 0x6001 0x0000
Type code access list 202
permit 0x6004 0x0000
deny 0x0000 0xFFFF
Router>
Summary
Access lists perform several functions within a Cisco router, including:
Implement security/access procedures
Determine whether packets need dialer for WAN links
Act as a protocol firewall
Extended access lists allow filtering on address, protocol, and application parameter
Use access lists to limit broadcast traffic from protocol overhead packets
Cisco PIX Firewall Configuration Guidelines
Command Line Guidelines
Information that you will need before you start configuring the PIX firewall:
- Access mode
- Backup
- Default configuration
- Help information
- IP addresses
- Masks
Access modes
The PIX firewall contains a command set based on Cisco IOS technologies, which provides three administrative access modes.
* Unprivileged mode is available when you first access the firewall and displays the > prompt.
* Privileged mode displays the # prompt and lets you change the current settings. Any unprivileged command also works in privileged mode. Use the enable command to start privileged mode and the disable, exit, or quit command to exit.
* Configuration mode displays the (config)# prompt and lets you change system configurations. All privileged, unprivileged, and configuration commands work in this mode. Use the configure terminal command to start configuration mode and the exit and quit commands to exit.
Backups
You should back up your configuration in at least one of the following ways.
* Store the configuration in flash memory with the write memory command. Should the need arise, you can restore a configuration from flash memory using the configure memory command.
* Use the write terminal command to list the configuration. Then cut and paste the configuration into a text file and archive the text file. You can restore a configuration from a text file using the write terminal command and pasting the configuration either line by line or as a whole.
* Store the configuration on another system using the tftp-server command to initially specify a host and the write net command to store the configuration.
Default configuration
The default configuration commands are:
* nameif: identifies the interface name and specifies its security level. If you have more than two interfaces, you need to add a nameif command to the configuration for each interface.
* enable password: lists the encrypted privileged mode password.
* passwd: lists the encrypted password for Telnet access to the PIX firewall console.
* hostname: sets the PIX firewall system name to pixfirewall. You can change this name or leave it as the default.
* names: lets you rename IP addresses with names from your native language to add clarity to your configuration. It is best to ignore this command until you have established network connectivity.
* interface commands: identify the speed of the interface or whether the network interface card can automatically sense its speed and duplex. All interfaces are disabled by default. Before you can use an interface you need to enable it by entering the interface command without the shutdown option.
Example:
interface ethernet 0 outside auto
interface ethernet 1 inside auto
The auto option to the interface command is not recommended. For best performance, specify the speed of the interface, such as 10base, 10full, 100baseTx, 100full, 1000basesx, 1000sxfull, or 4mbps or 16 mbps for the Token Ring interface.
* mtu commands: set the maximum packet size to 1500 bytes for Ethernet or to the appropriate size for the Token Ring interface.
* ip address commands: identify the IP address for each interface.
Help Information
* help information is available from the PIX Firewall command line by entering help or
a question mark to list all commands. The number of commands listed when you use
the question mark or help command differs by access mode, so that unprivileged mode
offers the fewest commands and configuration mode the most. In addition, you can
enter any command by itself on the command line and press Enter to view the
command syntax.
IP Addresses
* The PIX Firewall requires that the IP addresses in the ip address, static, global,
failover, and virtual commands be unique. These addresses also cannot be the same as
your own IP address.
* IP addresses are primarily one of these values:
- local_ip: an untranslated IP address on the internal, protected network. In an
outbound connection originated from local_ip, the local_ip is translated to global_ip.
- global_ip: a translated global IP address in the pool, or an address declared with
the global or static commands.
- foreign_ip: an untranslated IP address on an external network. foreign_ip is an
address of a host on the external network.
Mask
For the PIX Firewall commands that accept network masks, specify the correct mask
for a network address. For hosts, use 255.255.255.255. However, for the ip address
command, use a network mask, and for the global command, use a network mask for
both PAT (Port Address Translation) addresses and when specifying a pool of
global addresses.
Examples :
ip address inside 10.1.1.1 255.255.255.0
ip address outside 209.165.201.1 255.255.255.224
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.2 netmask 255.255.255.224
static (inside,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
access-list acl-out permit tcp any host 209.165.201.3 eq www
route outside 0 0 209.165.201.4 1
telnet 10.1.1.2 255.255.255.255
- The ip address commands specify the addresses for the inside and outside network
interfaces.
- The nat command lets users start connections from the inside.
- The global command provides the PAT (Port Address Translation) address that handles
the translated connections from the inside.
- The static command maps an inside host to a global address for access by outside
users. Host masks are always specified as 255.255.255.255.
- The access-list command permits any outside host to access the global address
specified by the static command.
- The route statement specifies the address of the default router. The 0 0 entry
indicates any host and its respective mask.
- The telnet command specifies a host that can access the PIX Firewall unit's console
using Telnet.
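As an added example (not part of the slides), the following Python checks a PIX configuration fragment against the rules the slides state: addresses in the ip address, static and global commands must be unique, a static host always takes a 255.255.255.255 mask, a nat id other than 0 needs a global command with the same id (the pairing the examples use), and a host that an access-list permits should be published by a static. The sample input is the example configuration shown above, embedded as a string.

```python
# Sample input: the example configuration from the slide, embedded as a string.
SAMPLE_CONFIG = """\
ip address inside 10.1.1.1 255.255.255.0
ip address outside 209.165.201.1 255.255.255.224
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.2 netmask 255.255.255.224
static (inside,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
access-list acl-out permit tcp any host 209.165.201.3 eq www
route outside 0 0 209.165.201.4 1
telnet 10.1.1.2 255.255.255.255
"""

def audit_pix_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    claimed = {}      # address -> command that first used it (uniqueness rule)
    statics = set()   # global addresses published with static
    acl_hosts = []    # host targets named in access-list lines
    nat_ids, global_ids = set(), set()  # nat and global must pair up by id

    def claim(addr, cmd):
        if addr in claimed:
            findings.append(f"{addr} used by both '{claimed[addr]}' and '{cmd}'")
        claimed[addr] = cmd

    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 4 and tok[:2] == ["ip", "address"]:
            claim(tok[3], "ip address")
        elif tok and tok[0] == "nat" and tok[2] != "0":  # nat 0 = no translation
            nat_ids.add(tok[2])
        elif tok and tok[0] == "global":
            global_ids.add(tok[2])
            for addr in tok[3].split("-"):  # one PAT address or a pool range "a-b"
                claim(addr, "global")
        elif tok and tok[0] == "static":
            claim(tok[2], "static")
            statics.add(tok[2])
            if tok[5] != "255.255.255.255":  # hosts always take a host mask
                findings.append(f"static {tok[2]} uses non-host mask {tok[5]}")
        elif tok and tok[0] == "access-list" and "host" in tok:
            acl_hosts.append(tok[tok.index("host") + 1])

    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching global command")
    for host in acl_hosts:  # a permitted global address needs a static behind it
        if host not in statics:
            findings.append(f"access-list permits host {host} but no static publishes it")
    return findings
```

audit_pix_config(SAMPLE_CONFIG) returns an empty list for the slide's example; the same function flags a fragment that reuses the outside interface address as a global, gives a static a network mask, or permits a host no static publishes.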
Using the Commands in a Network
1. Without NAT
[Figure: Two interfaces without NAT. Local host (router) 202.100.100.1 255.255.255.248 on the Internet side; PIX outside interface 202.100.100.2 255.255.255.248; PIX inside interface 202.100.100.9 255.255.255.248; inside hosts 202.100.100.10 through 202.100.100.14 (255.255.255.248), including the Web Server and Mail Server.]
- IP addresses pass through unchanged between inside and outside (no translation)
- connections from the outside to the inside are filtered with an access-list
- all connections from the inside to the outside or the Internet are enabled
Command Configuration without Nat
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
access-list acl-out permit tcp any host 200.100.100.13 eq www
access-list acl-out permit tcp any host 200.100.100.14 eq pop3
access-list acl-out permit tcp any host 200.100.100.14 eq smtp
access-list acl-in permit ip any any
interface ethernet0 auto
interface ethernet1 auto
ip address outside 200.100.100.2 255.255.255.248
ip address inside 200.100.100.9 255.255.255.248
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.100.100.13 200.100.100.13 netmask 255.255.255.255 0 0
static (inside,outside) 200.100.100.14 200.100.100.14 netmask 255.255.255.255 0 0
access-group acl-in in interface inside
access-group acl-out in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 200.100.100.1 1
Understanding Network Address Translation.
2. With Dynamic NAT
[Figure: Two interfaces with dynamic NAT. Local host (router) 202.100.100.1 255.255.255.248 on the Internet side; PIX outside interface 202.100.100.2 255.255.255.248; dynamic NAT range 202.100.100.9-14 255.255.255.248; PIX inside interface 100.100.100.1 255.255.255.248; inside hosts 100.100.100.2 through 100.100.100.6 (255.255.255.248).]
- connections from the inside to the outside use a legal (public) IP address chosen at random from the pool
- connections from the outside to the inside are filtered with an access-list
- all connections from the inside to the outside or the Internet are enabled
Command Configuration with Dynamic Nat
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
access-list acl-out deny ip any any
access-list acl-in permit ip any any
interface ethernet0 auto
interface ethernet1 auto
ip address outside 200.100.100.2 255.255.255.248
ip address inside 100.100.100.1 255.255.255.0
nat (inside) 1 100.100.100.0 255.255.255.0 0 0
global (outside) 1 200.100.100.9-200.100.100.14
access-group acl-in in interface inside
access-group acl-out in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 200.100.100.1 1
Understanding Network Address Translation.
3. With Static NAT
[Figure: Three interfaces with NAT. Router 202.100.100.1 255.255.255.252 on the Internet side; PIX outside interface 202.100.100.2 255.255.255.252; Port Address Translation addresses 202.100.100.5 and 202.100.100.6 (255.255.255.252); static NAT 202.100.100.9 255.255.255.248 to 90.90.90.2 255.0.0.0 (Web Server) and 202.100.100.10 255.255.255.248 to 90.90.90.3 255.0.0.0 (Mail Server); PIX DMZ interface 90.90.90.1 255.0.0.0; PIX inside interface 100.100.100.1 255.255.255.0; inside hosts 100.100.100.2 and 100.100.100.3 (255.255.255.0).]
- connections from the inside to the Internet (outbound) use the Port Address Translation IP
- all connections from the inside to the DMZ use private IP addresses
- connections from the DMZ to the outside or the Internet use legal IP addresses
- all Internet connections to the DMZ mail server and web server are enabled
- all ports from the Internet are filtered except web and mail (and other application ports if used)
Command Configuration with Static Nat
nameif ethernet0 outside security0
nameif ethernet1 dmz security50
nameif ethernet2 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
access-list acl-out permit tcp any host 202.100.100.9 eq www
access-list acl-out permit tcp any host 202.100.100.10 eq pop3
access-list acl-out permit tcp any host 202.100.100.10 eq smtp
access-list acl-in permit ip any any
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 202.100.100.2 255.255.255.252
ip address dmz 90.90.90.1 255.255.255.0
ip address inside 100.100.100.1 255.255.255.0
nat (inside) 1 100.100.100.0 255.255.255.0 0 0
global (outside) 1 202.100.100.5
global (outside) 1 202.100.100.6
static (dmz,outside) 202.100.100.9 90.90.90.2 netmask 255.255.255.255 0 0
static (dmz,outside) 202.100.100.10 90.90.90.3 netmask 255.255.255.255 0 0
static (inside,dmz) 90.90.90.2 90.90.90.2 netmask 255.255.255.255 0 0
static (inside,dmz) 90.90.90.3 90.90.90.3 netmask 255.255.255.255 0 0
access-group acl-in in interface inside
access-group acl-in in interface dmz
access-group acl-out in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 202.100.100.1 1
How would you configure the PIX if your network looked like this?
[Figure: network diagram for the exercise. Components shown: INTERNET, Frame Relay, ISDN, Cisco 1720, Cisco 2509, Cisco PIX (outside, DMZ, inside), DialUp Users, NAT Server (3COM 3C892A), Web Server & Mail Server, DNS Server 1, DNS Server 2, Proxy Server, IP Unnumbered. Addresses shown: 192.1.1.1/252, 192.1.1.2/252, 192.237.117.214/240, 192.237.117.209/240, 192.168.1.1/24, 206.182.235.225/248, 206.182.235.230/248, 206.182.235.228/248, 206.182.235.229/248, 206.182.235.227/248, 192.168.1.2/24, 192.168.1.3/24, 192.168.1.19/24, 192.168.11.99/24. IP for PCs: 192.168.1.20/24 through 192.168.1.254/24; 192.168.11.20/24 through 192.168.11.254/24; 192.168.1.5/24 through 192.168.1.15/24. Note: NAT inside to Internet with IP 206.182.235.238; NAT inside to DMZ with IP 206.182.235.226.]