Introduction to Security and PIX Firewall. Agenda: Day 20 lecture and LAB. CR 2006
Cisco Secure PIX Firewall: Models and Features; Firewall Operations; Basic PIX Firewall Concepts
What is a firewall? By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. It can also be used to isolate one compartment from another.
What is a firewall? When applying the term firewall to a computer network, a firewall is a system or group of systems that enforces an access control policy between two or more networks.
Firewall technologies: packet filtering, proxy server, stateful packet filtering.
Firewall technologies: Packet filtering. Limits traffic into a network based on static packet header information: source and destination address, protocol and port. Each packet is judged on its own header, with no memory of earlier packets. A packet filter is essentially a router with some intelligence, in the form of an access control list (ACL).
Firewall technologies. But there are problems with packet filtering: Arbitrary packets can be crafted to fit the ACL criteria (for example a spoofed source address, or a forged segment with the ACK bit set) and therefore pass through the filter. Packets can pass through the filter by being fragmented, since only the first fragment carries the transport header the ACL matches on. Complex ACLs are difficult to implement and maintain correctly. Some services cannot be filtered, for example those that negotiate data ports dynamically inside the application protocol.
Firewall technologies: Proxy server (application proxy). Handles connections between a client on the inside of the firewall and the Internet. As their name implies, application proxy firewalls act as intermediaries in network sessions: the user's connection terminates at the proxy, and a corresponding separate connection is initiated from the proxy to the destination host.
Firewall technologies. Connections are analyzed all the way up to the application layer to determine if they are allowed. It is this characteristic that gives proxies a higher level of security than packet filters.
Firewall technologies. But there are problems with the proxy server: It creates a single point of failure, which means that if the proxy at the entrance to the network is compromised, the entire network is compromised. It is difficult to add new services to the firewall, because each application protocol needs its own proxy. It performs slower under stress, since every packet is processed at the application layer.
Firewall technologies: Stateful packet filtering. Combines the best of packet filtering and proxy server technologies. Stateful packet filtering is the method used by the PIX Firewall.
Stateful packet filtering. This technology maintains complete session state. Each time a TCP or UDP connection is established, inbound or outbound, its information is recorded in a stateful session flow table.
Stateful packet filtering The stateful session flow table contains the source and destination addresses, port numbers, TCP sequencing information, and additional flags for each TCP/UDP connection associated with that particular session.
Stateful packet filtering This information creates a connection object and, consequently, all inbound and outbound packets are compared against session flows in the stateful session flow table. Data is permitted through the firewall only if an appropriate connection exists to validate its passage.
Stateful packet filtering. This method is effective because it works on both packets and connections, and operates at a higher performance level than packet filtering or a proxy server.
Stateful packet filtering Records data in a table for every connection or connectionless transaction. This table serves as a reference point to determine if packets belong to an existing connection or are from an unauthorized source.
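The contrast between the two approaches, as an added example that is not part of the lecture material: a constructed packet stream is run through a one-packet-at-a-time ACL of the kind a router applies (the "established" rule plus a hole for DNS replies) and through a stateful filter that keeps a session flow table. The forged inbound packets match the ACL and get through; the stateful filter drops them because no session exists. All addresses, ports and the UDP idle timeout are assumptions made up for the demonstration.

```python
"""Stateless ACL versus stateful session flow table (added example)."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."      # assumed inside network
UDP_IDLE_TIMEOUT = 120.0       # assumed idle timeout for connectionless flows (seconds)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


# 1. Stateless packet filter.  It judges each packet on its own header, so
#    anything an attacker crafts to match (ACK bit set, or source port 53)
#    is permitted.
def stateless_acl(pkt: Packet) -> bool:
    if is_inside(pkt.src):
        return True                                  # permit all outbound
    if pkt.proto == "tcp" and "A" in pkt.flags:
        return True                                  # "permit tcp any any established"
    if pkt.proto == "udp" and pkt.sport == 53:
        return True                                  # "permit udp any eq 53 any"
    return False


# 2. Stateful packet filter.  A flow is created only by an outbound SYN (TCP)
#    or an outbound datagram (UDP); inbound traffic is permitted only when it
#    matches the reverse of an existing flow.  UDP flows expire when idle,
#    TCP flows are torn down by a reset.
class StatefulFilter:
    def __init__(self):
        self.flows = {}     # (proto, src, sport, dst, dport) -> last-seen time

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        dead = [k for k, t in self.flows.items()
                if k[0] == "udp" and now - t > UDP_IDLE_TIMEOUT]
        for k in dead:
            del self.flows[k]

    def filter(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        if is_inside(pkt.src):
            key = self._key(pkt)
            if pkt.proto == "udp" or pkt.flags == "S":
                self.flows[key] = now                # new connection object
            elif key not in self.flows:
                return False                         # stray outbound segment, no session
        else:
            key = self._reverse(pkt)
            if key not in self.flows:
                return False                         # no session: unauthorized source
        if "R" in pkt.flags:
            self.flows.pop(key, None)                # reset tears the flow down
        else:
            self.flows[key] = now                    # refresh last-seen time
        return True


def run_demo():
    """Constructed packet stream; returns (acl_verdict, stateful_verdict) per packet."""
    sf = StatefulFilter()
    stream = [
        (0.0,   Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "S")),   # outbound SYN
        (0.1,   Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "SA")),  # legitimate reply
        (1.0,   Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 445, "A")),     # forged ACK, no session
        (2.0,   Packet("udp", "10.0.0.5", 53000, "203.0.113.53", 53)),        # outbound DNS query
        (2.1,   Packet("udp", "203.0.113.53", 53, "10.0.0.5", 53000)),        # DNS reply
        (3.0,   Packet("udp", "198.51.100.7", 53, "10.0.0.5", 161)),          # forged "reply" aimed at SNMP
        (200.0, Packet("udp", "203.0.113.53", 53, "10.0.0.5", 53000)),        # late reply after idle timeout
    ]
    return [(stateless_acl(p), sf.filter(p, t)) for t, p in stream]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The third, sixth and seventh packets are the ones the lecture warns about: they satisfy the ACL's header criteria but belong to no session, so only the flow table rejects them.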
What is the PIX Firewall? PIX (Private Internet Exchange) Firewall is a key element in the overall Cisco end-to-end security solution.
What is the PIX Firewall? The PIX Firewall is a dedicated hardware/software security solution that delivers high-level security without impacting network performance. It is a hybrid system because it uses features from both the packet filtering and proxy server technologies.
What is the PIX Firewall? Unlike typical CPU-intensive, full-time proxy servers that perform extensive processing on each data packet at the application level, the PIX Firewall uses a proprietary operating system that is a secure, real-time, embedded system.
What is the PIX Firewall? The PIX Firewall provides the following benefits and features: Non-UNIX, non-Windows NT, secure, real-time, embedded system. Eliminates the risks associated with general-purpose operating systems.
The PIX Firewall provides the following benefits and features: Adaptive Security Algorithm (ASA) Implements stateful connection control through the PIX Firewall.
The PIX Firewall provides the following benefits and features: The stateful, connection-oriented ASA design creates session flows based on source and destination addresses, port numbers, TCP sequence numbers and TCP flags. It randomizes the TCP initial sequence number of each new connection before the connection completes, so the value seen outside the firewall is not the one chosen by the internal host.
The PIX Firewall provides the following benefits and features: This function is always in operation, monitoring return packets to ensure they are valid, and allows one-way (inside to outside) connections without an explicit configuration for each internal system and application.
The PIX Firewall provides the following benefits and features: The randomizing of the TCP sequence numbers is to minimize the risk of a TCP sequence number attack. Because of the ASA, the PIX Firewall is less complex and more robust than a packet filtering-designed firewall.
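The sequence number randomization described above, as an added example illustrating the principle rather than Cisco's own ASA implementation: the inside host uses a predictable ISN (a counter stepping by 64000, a scheme that an attacker could guess), the firewall adds a per-flow random offset to every outbound sequence number and subtracts it from every inbound acknowledgement. The outside world never sees the predictable value and the inside TCP stack never notices the rewrite. Addresses, ports and the host's ISN scheme are assumptions made up for the demonstration; the random source is injectable so the exchange can be checked deterministically.

```python
"""Per-flow TCP ISN randomization at a firewall (added example)."""
import secrets

MOD = 2 ** 32


class IsnRandomizer:
    def __init__(self, rng=secrets.randbelow):
        self.rng = rng            # rng(n) -> int in [0, n); injectable for tests
        self.delta = {}           # (src, sport, dst, dport) -> per-flow offset

    def outbound(self, seg: dict):
        """Inside -> outside: add the flow's offset to the sequence number."""
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        if seg["flags"] == "S":                  # new connection: choose the offset now
            self.delta[key] = self.rng(MOD)
        if key not in self.delta:
            return None                          # no session flow: the state table drops it
        out = dict(seg)
        out["seq"] = (seg["seq"] + self.delta[key]) % MOD
        return out

    def inbound(self, seg: dict):
        """Outside -> inside: undo the offset on the acknowledgement number."""
        key = (seg["dst"], seg["dport"], seg["src"], seg["sport"])
        if key not in self.delta:
            return None                          # no session flow: drop
        out = dict(seg)
        if "A" in seg["flags"]:
            out["ack"] = (seg["ack"] - self.delta[key]) % MOD
        return out


def predictable_isn(connection_count: int) -> int:
    """The assumed weak ISN scheme of the inside host: a counter times 64000."""
    return (connection_count * 64000) % MOD


def handshake_demo(rng=secrets.randbelow):
    """Three-way handshake through the firewall; returns the numbers each side sees."""
    fw = IsnRandomizer(rng)
    host_isn = predictable_isn(3)
    syn = {"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.10", "dport": 80,
           "flags": "S", "seq": host_isn, "ack": 0}
    wire_syn = fw.outbound(syn)
    # The server acknowledges the sequence number it saw on the wire.
    synack = {"src": "203.0.113.10", "sport": 80, "dst": "10.0.0.5", "dport": 40000,
              "flags": "SA", "seq": 0x22334455, "ack": (wire_syn["seq"] + 1) % MOD}
    inside_synack = fw.inbound(synack)
    # The inside host completes the handshake using its own numbering.
    ack = {**syn, "flags": "A", "seq": (host_isn + 1) % MOD, "ack": (synack["seq"] + 1) % MOD}
    wire_ack = fw.outbound(ack)
    return {
        "host_isn": host_isn,                        # what the inside host chose
        "wire_isn": wire_syn["seq"],                 # what the outside saw
        "ack_seen_by_host": inside_synack["ack"],    # must equal host_isn + 1
        "wire_ack_seq": wire_ack["seq"],             # must equal wire_isn + 1
        "attacker_guess": predictable_isn(3),        # guess from the weak scheme
    }


if __name__ == "__main__":
    for name, value in handshake_demo().items():
        print(f"{name}: {value}")
```

The attacker's guess of the host's ISN is correct for the inside host but useless for injecting segments from outside, because the offset is chosen per flow and never leaves the firewall.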
The PIX Firewall provides the following benefits and features: Cut-through proxy. A user-based authentication method for both inbound and outbound connections, providing improved performance in comparison to that of a proxy server.
Cut-through Proxy Operation (Cisco Secure diagram)
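The cut-through idea, as an added example that is not PIX code: authentication happens only when a new session is set up, against a small user database standing in for a TACACS+ or RADIUS server; the result is cached per inside host until it expires, later connections from that host are switched straight through, and the packets of an authorised session are matched against the flow table only, never inspected at the application layer again. Only services that can carry a login prompt (HTTP, FTP and Telnet) can trigger the challenge; a host that has never authenticated is denied on other services. Users, addresses and the cache lifetime are assumptions made up for the demonstration.

```python
"""Cut-through proxy: authenticate once at setup, then switch through (added example)."""
import hmac

AUTH_PROMPT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}  # services that can carry the login prompt
UAUTH_TIMEOUT = 300.0                                       # assumed credential cache lifetime (seconds)


class CutThroughProxy:
    def __init__(self, users: dict):
        self.users = users      # username -> password; stands in for the AAA server
        self.uauth = {}         # inside address -> cache expiry time
        self.flows = set()      # (src, sport, dst, dport) of authorised sessions

    def _aaa_check(self, creds) -> bool:
        user, password = creds
        expected = self.users.get(user)
        if expected is None:
            return False
        # constant-time comparison, as an AAA client should use for secrets
        return hmac.compare_digest(expected.encode(), password.encode())

    def new_connection(self, src, sport, dst, dport, now, creds=None) -> str:
        """First packet of a session.  Returns "pass", "challenge" or "deny"."""
        if self.uauth.get(src, -1.0) > now:
            self.flows.add((src, sport, dst, dport))   # cached credentials: cut through
            return "pass"
        if dport not in AUTH_PROMPT_PORTS:
            return "deny"           # cannot prompt on this service; log in via HTTP/FTP/Telnet first
        if creds is None:
            return "challenge"      # the proxy intercepts the session and asks for a login
        if not self._aaa_check(creds):
            return "deny"
        self.uauth[src] = now + UAUTH_TIMEOUT
        self.flows.add((src, sport, dst, dport))
        return "pass"

    def packet(self, src, sport, dst, dport) -> bool:
        """Every later packet: a flow-table lookup only, no authentication, no parsing."""
        return (src, sport, dst, dport) in self.flows


def run_demo():
    fw = CutThroughProxy({"alice": "correct horse"})     # constructed user database
    events = []
    # 1. first HTTP connection, no credentials yet: challenged
    events.append(fw.new_connection("10.0.0.5", 40000, "203.0.113.10", 80, now=0.0))
    # 2. wrong password: denied
    events.append(fw.new_connection("10.0.0.5", 40000, "203.0.113.10", 80, now=1.0,
                                    creds=("alice", "wrong")))
    # 3. right password: session passes, credentials cached
    events.append(fw.new_connection("10.0.0.5", 40000, "203.0.113.10", 80, now=2.0,
                                    creds=("alice", "correct horse")))
    # 4. later packet of that session: flow table only
    events.append(fw.packet("10.0.0.5", 40000, "203.0.113.10", 80))
    # 5. new SSH connection from the same host within the cache lifetime: cut through, no prompt
    events.append(fw.new_connection("10.0.0.5", 40001, "203.0.113.10", 22, now=60.0))
    # 6. a host that never authenticated tries SSH: no prompt possible, denied
    events.append(fw.new_connection("10.0.0.9", 40002, "203.0.113.10", 22, now=61.0))
    # 7. the first host after its cache expired: challenged again
    events.append(fw.new_connection("10.0.0.5", 40003, "203.0.113.10", 80, now=400.0))
    return events


if __name__ == "__main__":
    print(run_demo())
```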
The PIX Firewall provides the following benefits and features: Stateful failover/hot standby. The PIX Firewall enables you to configure two PIX Firewall units in a fully redundant topology. The two units must be running the same version of software. Configuration replication will occur under the following circumstances:
Stateful failover/hot standby. When a secondary unit completes its initial bootup, the primary unit replicates its entire configuration to the secondary unit. As commands are entered on the primary unit, they are sent across to the secondary unit. The commands are sent via the failover cable.
Stateful failover/hot standby Entering the write standby command on the primary unit forces the entire configuration to the secondary unit.
Stateful failover/hot standby Because configuration replication is automatic from the active unit to the standby unit, configuration should be modified only on the active unit. When failover occurs, syslog messages are generated indicating the cause of failure. Failover detection occurs within 30 to 45 seconds.
The PIX Firewall provides the following benefits and features: Stateful packet filtering A secure method of analyzing data packets that places extensive information about a data packet into a table. In order for a session to be established, information about the connection must match the information in the table.
The PIX Firewall provides the following benefits and features: The PIX Firewall is interoperable and scalable with IP Security (IPSec) and its supporting protocols, such as Internet Key Exchange (IKE) for key negotiation and certificate-based authentication through a Public Key Infrastructure (PKI).
The PIX Firewall provides the following benefits and features: The PIX Firewall offers an IPSec-based virtual private network (VPN). Remote clients can securely access corporate networks through their Internet service providers (ISP).
PIX Firewall models: http://www.cisco.com/en/us/products/hw/vpndevc/index.html