
Upload: salman-ilyas-awan

Post on 09-Apr-2018


Page 1: Network Firewalls 1

8/8/2019 Network Firewalls 1

http://slidepdf.com/reader/full/network-firewalls-1 1/12

Why a Firewall Is Required

As we all know, the universal presence of the Internet has completely changed networking as we know it. Networks that were once completely isolated are now connected to the world. This universal connectivity allows companies to achieve things never before imaginable. At the same time, though, there is a dark side. The Internet is a haven for cyber criminals who use the connectivity to launch an unprecedented number of attacks against companies.

When the Internet first started to gain popularity, companies started to realize that they needed to implement firewalls in an effort to prevent attacks against them. Firewalls work by blocking unused TCP and UDP ports. Although firewalls are effective at blocking some types of attacks, they have one major weakness: you simply can't close all of the ports. Some ports are necessary for things like HTTP, SMTP and POP3 traffic. Ports corresponding to these common services must remain open in order for those services to function properly.

Difference between IPS and IDS

The difference between IPS and IDS systems comes in their handling of alerts. Pure IDS systems simply inform the administrator that suspicious activity took place. IPS systems, on the other hand, have the ability to block the suspicious traffic from entering the network. In fact, the two technologies have already converged for all intents and purposes. Most intrusion detection products have the ability to run in either IPS or IDS mode depending upon the user's configuration.

In other words, an IDS cannot respond to an attack until it is already there, but an IPS can stop it before it happens. An IDS is like the police: they cannot stop a person from committing a crime until they actually commit the crime.

Types of IDS and IPS Systems

Criteria: approach to identify malicious traffic

•  Signature-based: Vendor provides a signature database. Signatures should be customized.

•  Policy-based: Policy definition and description is created.

•  Anomaly-based: ‘Normal’ and ‘abnormal’ traffic is defined.

•  Honeypot: Sacrificial host is set up to lure the attacker.

Criteria: coverage scope

•  Network-based: Network sensors scan traffic destined to many hosts.

•  Host-based: Host agent monitors all operations within an operating system.

Signature-Based IDS and IPS

1.  Observe, and block or alarm if a known malicious event is detected.

2.  Requires a database of known malicious patterns.

3.  The database must be continuously updated.

Policy-Based IDS and IPS

•  Observes, and blocks or alarms if an event outside the configured policy is detected.

•  Requires a policy database.

Anomaly-Based IDS and IPS

•  Observe, and block or alarm if an event outside known normal behavior is detected.

•  Statistical versus nonstatistical anomaly detection.

•  Requires a definition of “normal”.
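The statistical versus nonstatistical distinction above, as an added Python illustration (my own code, not from the slides): a baseline of distinct destination ports per source defines "normal" statistically and flags a port sweep, while a fixed TCP flag rule flags a SYN+FIN probe with no training data at all. The training counts, the 3-sigma threshold and the sample connections are constructed.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    tcp_flags: str  # letters: S=SYN, A=ACK, F=FIN, R=RST

def protocol_anomaly(c: Conn) -> bool:
    """Nonstatistical: 'normal' is a fixed protocol rule with no training data.
    A TCP segment carrying both SYN and FIN is never legitimate."""
    return "S" in c.tcp_flags and "F" in c.tcp_flags

class PortCountBaseline:
    """Statistical: 'normal' is the distribution of distinct destination ports
    per source observed in a training period; more than k standard deviations
    above the mean is anomalous (a port sweep lands far outside it)."""
    def __init__(self, training: List[int], k: float = 3.0):
        self.mean = statistics.mean(training)
        self.stdev = statistics.pstdev(training) or 1.0  # guard a flat baseline
        self.k = k
    def is_anomalous(self, distinct_ports: int) -> bool:
        return (distinct_ports - self.mean) / self.stdev > self.k

def distinct_ports_per_source(conns: List[Conn]) -> Dict[str, int]:
    seen: Dict[str, Set[Tuple[str, int]]] = {}
    for c in conns:
        seen.setdefault(c.src, set()).add((c.dst, c.dport))
    return {src: len(targets) for src, targets in seen.items()}

def analyse(conns: List[Conn], baseline: PortCountBaseline) -> Dict[str, List[str]]:
    """Findings per source address; an empty dict means nothing anomalous was seen."""
    findings: Dict[str, List[str]] = {}
    for src, n in distinct_ports_per_source(conns).items():
        if baseline.is_anomalous(n):
            findings.setdefault(src, []).append(f"port sweep: {n} distinct ports")
    for c in conns:
        if protocol_anomaly(c):
            findings.setdefault(c.src, []).append(f"invalid TCP flags {c.tcp_flags}")
    return findings

# Constructed data: training counts from a quiet day, then one normal client, one host sweeping 40 ports, one SYN+FIN probe.
BASELINE = PortCountBaseline([2, 3, 2, 4, 3, 2, 3, 5, 2, 3])
SAMPLE: List[Conn] = (
    [Conn("10.1.1.5", "10.1.1.20", 80, "S"), Conn("10.1.1.5", "10.1.1.20", 443, "S")]
    + [Conn("10.1.1.9", "10.1.1.20", p, "S") for p in range(1, 41)]
    + [Conn("10.1.1.7", "10.1.1.20", 22, "SF")]
)
```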

Honeypot

•  Observe a special system, and alarm if any activity is directed at it.

•  The special system is a trap for attackers and not used for anything else.

•  The special system is well-isolated from its environment.

•  Typically used as IDS, not IPS.

Network-Based and Host-Based IPS

NIPS: Sensor appliances are connected to network segments to monitor many hosts.

HIPS: Centrally managed software agents are installed on each host.

–  Cisco Security Agents (CSAs) defend the protected hosts and report to the central management console.

–  HIPS provides individual host detection and protection.

–  HIPS does not require special hardware.


Network-Based vs. Host-Based IPS

NIPS Features

•  Sensors are network appliances tuned for intrusion detection analysis.

–  The operating system is “hardened.”

–  The hardware is dedicated to intrusion detection analysis.

•  Sensors are connected to network segments. A single sensor can monitor many hosts.

•  Growing networks are easily protected.

–  New hosts and devices can be added without adding sensors.

–  New sensors can be easily added to new networks.

•  Application-level encryption protection

•  Policy enhancement (resource control)

•  Web application protection

•  Buffer overflow

•  Network attack and reconnaissance prevention

•  DoS prevention


NIDS and NIPS Deployment

Exploit Signatures

Exploit signatures by OSI layer:

Application layer

•  DNS reconnaissance and DoS

•  Worms, viruses, Trojan horses, adware, malware

Transport layer

•  Port sweeps

•  TCP SYN attack

Network layer

•  Fragmentation attacks

•  IP options

•  ICMP reconnaissance and DoS


Cisco IOS IPS SDFs

•  A Cisco IOS router acts as an in-line intrusion prevention sensor.

•  Signature databases:

–  Built-in (100 signatures embedded in Cisco IOS software)

–  SDF files (can be downloaded from Cisco.com):

•  Static (attack-drop.sdf)

•  Dynamic (128MB.sdf, 256MB.sdf), based on installed RAM

•  Configuration flexibility:

–  Load built-in signature database, SDF file, or even merge signatures to increase coverage

–  Tune or disable individual signatures

Firewall Technologies

Firewalls use three technologies:

•  Packet filtering 

•   Application layer gateway 

•  Stateful packet filtering 

Packet Filtering

•  Packet filtering limits traffic into a network based on the destination and source addresses and ports.

Application Layer Gateway

•  The ALG intercepts and establishes connections to the Internet hosts on behalf of the client.

ALG Firewall Device


Stateful Packet Filtering

•  Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, ICMP types and codes.

•  Stateful inspection then remembers certain details, or the state of that request.
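To make the two bullets concrete, here is an added example of a minimal stateful filter in Python (my own code, not Cisco's implementation): flows started from the inside create session entries, return traffic is admitted only against a matching entry, an outside-initiated SYN is refused even where a flags-only stateless rule would pass an ACK-flagged packet, and UDP pseudo-sessions expire after an idle timeout. The packets and the 30-second timeout are constructed; a real inspection engine also tracks sequence numbers and application payloads, which is omitted here.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Pkt:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST
    ts: float = 0.0  # arrival time in seconds (constructed clock)

class StatefulFilter:
    """A stateless ACL sees only each packet's own header fields. This filter also
    remembers which flows the inside hosts started (keyed by protocol and the two
    address/port pairs) and admits outside traffic only as a reply to one of them."""
    UDP_IDLE = 30.0  # seconds of silence after which a UDP pseudo-session expires

    def __init__(self) -> None:
        self.sessions: Dict[tuple, Tuple[str, float]] = {}  # key -> (state, last_seen)

    def outbound(self, p: Pkt) -> str:
        """Inside -> outside is permitted here; record or update the session."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if p.proto == "udp":
            self.sessions[key] = ("UDP", p.ts)
        elif "S" in p.flags and "A" not in p.flags:
            self.sessions[key] = ("SYN_SENT", p.ts)  # client opening a connection
        elif key in self.sessions:
            if "F" in p.flags or "R" in p.flags:
                del self.sessions[key]  # connection torn down
            else:
                self.sessions[key] = ("ESTABLISHED", p.ts)  # client's ACK completes the handshake
        return "permit"

    def inbound(self, p: Pkt) -> str:
        """Outside -> inside: only a reply to a recorded inside-initiated session."""
        if p.proto == "tcp" and "S" in p.flags and "A" not in p.flags:
            return "deny"  # outside-initiated connection attempt, whatever a flags-only ACL says
        key = (p.proto, p.dst, p.dport, p.src, p.sport)  # look up the reverse direction
        entry = self.sessions.get(key)
        if entry is None:
            return "deny"  # no inside host asked for this traffic
        state, last_seen = entry
        if p.proto == "udp" and p.ts - last_seen > self.UDP_IDLE:
            del self.sessions[key]  # reply arrived after the idle timeout
            return "deny"
        self.sessions[key] = (state, p.ts)
        return "permit"
```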

How the Cisco IOS Firewall Is Designed and Works


Cisco IOS Firewall TCP Handling

Cisco IOS Firewall UDP Handling 


Access Lists and Their Application

As a network grows, it becomes more important to manage the increased traffic going across the network. Access lists help limit traffic by filtering traffic based on packet characteristics. Access lists define a set of rules used by routers to identify particular types of traffic. Access lists can be used to filter both incoming and outgoing traffic on a router’s interface. An access list applied to a router specifies rules for only traffic going through the router. Traffic originating from a router is not affected by that router’s access lists. (It is subject to access lists within other routers as it passes through them.)

Packet Filtering

Access lists can be configured to permit or deny incoming and outgoing packets on an interface. By following a set of conventions, the network administrator can exercise greater control over network traffic by restricting network use by certain users or devices.

Application of an IP Access List

To establish an access list, you must define a sequential list of permit and deny conditions that apply to IP addresses or IP protocols. Access lists filter only traffic going through the router; they do not filter traffic originated from the router. Access lists can also filter Telnet traffic into or out of the router’s vty ports.


Types of Access Lists

There are two general types of access lists:

Standard access lists check the source address of packets. Standard access lists permit or deny output for an entire protocol suite based on the source network/subnet/host IP address.

Extended IP access lists check both source and destination packet addresses. Extended lists specify protocols, port numbers, and other parameters, giving administrators more flexibility and control.


Example:

A(config)#access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq 80

A(config)#access-list 101 permit ip any any

a. At the FastEthernet 0 interface mode prompt type:

A(config-if)#ip access-group 101 in ------------- Denies incoming TCP traffic from 192.168.14.0/24 to destination port 80
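An added evaluator in Python for the two access-list forms described above (my own code, not anything from the slides or Cisco IOS): it parses the same command syntax as the example, applies Cisco wildcard-mask matching and first-match ordering, and ends every list with the implicit deny. Access list 101 is the slide's own, assumed as in the example to be applied inbound on the interface facing 192.168.14.0/24; standard list 10 and the packets in the checks are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Tuple[str, str]  # (network, Cisco wildcard mask)
ANY: Spec = ("0.0.0.0", "255.255.255.255")

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: Spec
    dst: Spec
    eq_port: Optional[int] = None  # "eq <port>" on the destination

def wildcard_match(addr: str, spec: Spec) -> bool:
    """Wildcard mask: 0 bits must match, 1 bits are 'don't care' (0.0.0.255 covers a /24)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a & ~w) == (n & ~w)

def _spec(t: List[str], i: int) -> Tuple[Spec, int]:
    """Consume one address spec at t[i] ('any', 'host X' or 'X WILDCARD'); return it and the next index."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_entry(line: str) -> Entry:
    """Parse 'access-list <n> <permit|deny> ...'; numbers 1-99 are standard (source-only) lists."""
    t = line.split("#")[-1].split()  # tolerate the 'A(config)#' prompt from the slide
    assert t[0] == "access-list", line
    number, action = int(t[1]), t[2]
    if number <= 99:
        return Entry(action, "ip", _spec(t, 3)[0], ANY)
    src, i = _spec(t, 4)             # extended: protocol, source, destination[, eq port]
    dst, i = _spec(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Entry(action, t[3], src, dst, port)

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; every access list ends with an implicit deny."""
    for e in acl:
        if (e.proto in ("ip", p.proto) and wildcard_match(p.src, e.src)
                and wildcard_match(p.dst, e.dst) and e.eq_port in (None, p.dport)):
            return e.action
    return "deny"

# The extended list exactly as on the slide, plus a constructed standard list for comparison.
ACL_101 = [parse_entry(l) for l in ("A(config)#access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq 80",
                                    "A(config)#access-list 101 permit ip any any")]
ACL_10 = [parse_entry(l) for l in ("access-list 10 deny host 192.168.14.7",
                                   "access-list 10 permit 192.168.14.0 0.0.0.255")]
```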