Hardware Firewalls. Aki Nordlund S Security of Communication Protocols

Similar documents
- Introduction to PIX/ASA Firewalls -

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations

Security Technology: Firewalls and VPNs

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

FIREWALLS & CBAC. philip.heimer@hh.se

Securing Networks with PIX and ASA

INTRODUCTION TO FIREWALL SECURITY

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

WATCHGUARD FIREBOX SOHO 6TC AND SOHO 6

Cisco PIX Firewall Series

21.4 Network Address Translation (NAT) NAT concept

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Chapter 9 Firewalls and Intrusion Prevention Systems

Cisco Certified Security Professional (CCSP) 50 Cragwood Rd, Suite 350 South Plainfield, NJ 07080

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

Proxy Server, Network Address Translator, Firewall. Proxy Server

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Security Threats VPNs and IPSec AAA and Security Servers PIX and IOS Router Firewalls. Intrusion Detection Systems

Case Study for Layer 3 Authentication and Encryption

Tech-Note Bridges Vs Routers Version /06/2009. Bridges Vs Routers

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Firewalls and Network Defence

Firewall Architecture

TechGuard Firewall Products Specs/Parts/Competitive Analysis

Firewalls. Chapter 3

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Network Security Firewall

Cisco PIX vs. Checkpoint Firewall

TABLE OF CONTENTS NETWORK SECURITY 2...1

Implementing Network Address Translation and Port Redirection in epipe

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

How To Build A Network Security Firewall

Secure your Informations efficiently. SECURITY: FIREWALL & VPN CLIENTS Trends Features Products and Solutions jfrancis@dlink.de

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Firewall Security. Presented by: Daminda Perera

FWSM introduction Intro 5/1

Cisco Certified Security Professional (CCSP)

WATCHGUARD FIREBOX VCLASS

Cisco SR 520-T1 Secure Router

Introduction TELE 301. Routers. Firewalls

Cisco ASA, PIX, and FWSM Firewall Handbook

Cisco Secure PIX Firewall with Two Routers Configuration Example

Datasheet. Advanced Network Routers. Models: ERPro-8, ER-8, ERPoe-5, ERLite-3. Sophisticated Routing Features

ACL Compliance Director FAQ

ReadyNAS Remote White Paper. NETGEAR May 2010

How To Use The Cisco Wide Area Application Services (Waas) Network Module

Radware s Multi-homing Solutions

SOLUTION GUIDE. Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management.

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Configuring Tunnel Default Gateway on Cisco IOS EasyVPN/DMVPN Server to Route Tunneled Traffic

Network Defense Tools

Lecture 23: Firewalls

Cisco PIX Firewall Series

Topic 7 DHCP and NAT. Networking BAsics.

EdgeRouter Lite 3-Port Router. Datasheet. Model: ERLite-3. Sophisticated Routing Features. Advanced Security, Monitoring, and Management

Introduction of Intrusion Detection Systems

PIX/ASA 7.x with Syslog Configuration Example

VPN Only Connection Information and Sign up

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Chapter 7. Firewalls

VPN Lesson 2: VPN Implementation. Summary

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Troubleshooting the Firewall Services Module

Optimal Network Connectivity Reliable Network Access Flexible Network Management

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Securing E-Commerce. Agenda. The Security Problem IC Security: Key Elements Designing and Implementing _06_2000_c1_sec3

Chapter 3 Security and Firewall Protection

Ficha técnica de curso Código: IFCAD111

VPN. Date: 4/15/2004 By: Heena Patel

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

SonicWALL Advantages Over WatchGuard

WAN Failover Scenarios Using Digi Wireless WAN Routers

CMPT 471 Networking II

BRC-W14VG-BT Wireless BitTorrent Download Router

Troubleshooting the Firewall Services Module

Chapter 7. Address Translation

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Security threats and network. Software firewall. Hardware firewall. Firewalls

Basics of Internet Security

Introduction. Technology background

TABLE OF CONTENTS NETWORK SECURITY 1...1

Securing Cisco Network Devices (SND)

Firewalls. Network Security. Firewalls Defined. Firewalls

PIX/ASA 7.x and above : Mail (SMTP) Server Access on Inside Network Configuration Example

Cisco Firewall Technology

Chapter 12 Supporting Network Address Translation (NAT)

CSCE 465 Computer & Network Security

Implementing Core Cisco ASA Security (SASAC)

Network Security Topologies. Chapter 11

PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

Cisco PIX Firewall 500 Series

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Configuring the Transparent or Routed Firewall

Cisco VPN 3000 Concentrator Series

Transcription:

Hardware Firewalls Aki Nordlund aki.nordlund@hut.fi 1 1

Agenda Cisco PIX firewall product family PIX as a network component ASA (Adaptive Security Algorithm) Network topologies Other appliances 2 2

Cisco PIX Firewall 3 Cisco PIX 500 Series Firewalls are purpose-built security appliances that deliver unprecedented levels of security, performance and reliability. These platforms provide robust, enterprise-class security services including stateful inspection firewalling, standards-based IPsec Virtual Private Networking (VPN), intrusion protection and much more in effecective, easy to deploy solutions. Cisco PIX 500 Firewall Series consists of five models ranging from compact, plug-n-play desktop firewalls for small/home offices to carrier class gigabit firewalls for the most demanding enterprise and service provider environments. 3

Cisco PIX Product Family PIX 535 PIX 525 Price PIX 501 133 Mhz, 16+8 MB RAM 10-50 users 4-port 10/100-switch PIX 506-E 300 Mhz, 32MB RAM 2 10Base-T ports PIX 515-E 433 Mhz, 32-64MB RAM 2-6 10/100Base-T ports VPN Accelerator Card Failover (UR-model) 600 Mhz 128-256MB RAM 2-8 10/100Base-T ports 2-8 Gigabit ports VPN Accelerator Card Failover (UR) 1000 Mhz 512-1024MB RAM 2-10 10/100Base-T ports 2-10 Gigabit ports VPN Accelerator Card Failover (UR) SoHo SMB Corporate ISP 4 PIX 501 Rather cheap, about 700 PIX 501 is targeted for home users or very small offices. It s a good addon for an ADSL connection. The licensing is based on simultaneous IP addresses used on the protected inside network. PIX 506E Affordable, yet very compact packet with features. Based on PIX 515. Designed for small-and-medium-sized businesses and simple environments. It will only support environments having two security levels, the inside and outside. This means that a possible dmz-area has to be protected solely by a perimeter router. Limitations: -No failover -32 MB RAM -Only 10 Mbit/s Ethernet-ports 4

Cisco PIX 515E Operating principle - Adaptive Security Algorithm - Cut-through proxy High performance - Max. 100 000 simultaneous connections - Max. 3500 new connections/sec VPN Accelerator Card (VAC) Two licencing alternatives 5 PIX Firewalls operate using a principle called Adaptive Security Algorithm, ASA. It ensures high performance and secure transactions. PIX515 has also cut-through proxy quality for http and ftp. It will intercept connection attempts to authenticate users, but will cut-through the connection after authentication. This ensures higher throughput than continual proxying function. The 515E model supports up to 100000 simultaneous sessions through it and the rate of new sessions per second can be as high as 3500. PIX 515E comes with two licencing alternatives: -Restricted -Unrestricted, which supports morer RAM, more Ethernet ports, VAC and Failover The VPN accelerator card will triple the VPN tunneling perfomance 5

Hardware of a typical firewall on a corporate sized network PIX 515E-R / PIX 515E-UR* Processor: Memory: Ethernet: Flash: Performance: 433 MHz Intel Celeron 32MB SDRAM (max. 64 MB*) Min. 2, max. 6 * 10/100 Fast Ethernet 16 MB Max. 120000 simultaneous connections 180 Mbps (cleartext), 22 Mbps (3 DES), 63 Mbps (3 DES, VAC)* Processor: Memory: Ethernet: Other Media: Flash: Performance: PIX 525-R / PIX 525-UR* 600 MHz Intel Pentium III 128 MB SDRAM (max. 256 MB*) Min. 2, max. 8* 10/100 FastEthernet Gigabit Ethernet* 16 MB Max. 280000* simultaneous connections 370 Mbps (cleartext), 35 Mbps (3 DES), 63 Mbps (3 DES, VAC)* 6 6

Managing Firewalls PDM (PIX Device Manager) Monitoring protocols CLI (command-line interface) 7 Administrators can choose from a wide variety of solutions for remotely configuring, monitoring and troubleshooting PIX firewalls. These solutions range from an integrated, Web-based management interface (PIX Device Manager) to centralized, policy-based management tools to support for remote monitoring protocols such as Simple Network Management Protocol (SNMP) and syslog. Administrators can also manage PIX firewalls using a convenient command-line interface (CLI) through a variety of methods including Telnet, Secure Shell (SSH) and an out-ofband console port. 7

Adaptive Security Algorithm Makes PIX stateful Each incoming packet is checked for an entry in the connection table and ASA rules are applied to it 8 Adaptive Security Algorithm is the basis on which the PIX firewall operates. It s a statetul packet inspection engine that also implements an intuitive security rule system. Stateful firewall does as the name implies care about the state of the data connection. This means that it does not only look for source and destination IP addresses/port numbers but it also tries to understand, in what state the connection is in. Depending on the implementation, stateful firewall might look at state issues on OSI model layers three and four or include also layer 7 (application) information into the rule base. Generally, stateful firewalls work as follows: 1) A packet enters the firewall. 2) State table is consulted, trying to find a flow to which this packet belongs to. If a flow with a suitable state is found, packet is forwarded. 3) If state is not found, packet is examined against the rule base. If allow statement is found, state is created and packet is forwarded. If not, packet is thrown away. 4) State entries time out eventually, if nothing happens an the protocol state level. The ASA and connection tables ensure security. PIX will do the following for every incoming packet. A packet that has no matching entry in the connection table and no embryonic state to it, is automatically rejected. All outbound packets are permitted by default An outbound packet 8

ASA-NAT IP packet H TCP H IP packet H TCP H Source Address: 10.0.0.87 Source Port: 1763 Source Address: 194.100.0.10 Source Port: 2878 Destination Address: 200.150.50.111 Dest. Port: 80 Destination Address: 200.150.50.111 Dest. Port: 80 NAT is enabled by default IP address + Port address translation PIX is native translator, no overhead Also PAT and no NAT options 9 Extended translation means that in addition to the IP address translation, also the TCP/UDP port numbers are translated. The reason for this to happen is that the inside global address pool is so small that all the inside hosts cannot have an address of their own. Therefore, in order for the hosts to communicate to the outside world, they must use the same inside global address. And to separate the connetions (IP flows), the NAT device uses TCP/UDP port numbers as an identifier. In the example above, the leftmost network is again the inside network. Let s assume that a host there wants to speak with a host in the rightmost network. It sends a packet with the header field values as follows: IP source address 10.0.0.87, IP destination address 200.150.50.111 TCP source port 1763, TCP destination port 80 Now, if the NAT device is configured for NAPT (Network Address Port Translation), then it changes the IP addresses and port numbers. Again, what is actually changed might vary but at least the source address and TCP port will change. In example the administartor could also configure so that the destination address will change. The new parameters for the outgoing packet are: IP source address 194.100.0.10, IP destination address 200.150.50.111 TCP source port 2878, TCP destination port 80 As in the previous example the same will happen vice versa for the incoming packet. 9

ASA Security Levels Security Level 0 Interface Name = Outside Internet Outside segment Security Level 30 Interface Name = DMZ1 Security Level 40 Interface Name = DMZ2 DMZ-areas Security Level 100 Interface Name = Inside Inside segment The levels outside and inside are built-in. There has to be one full security level and one unsecure level. 10 ASA attaches a security value to each interface. If you look at an empty PIX s configuration, you ll notice that two interfaces have built-in security levels: In the 515E model ethernet0 has security level 0 ethernet1 interface has security level 100 These two levels are always required. In latest software one can assign other physical interfaces these levels, but the two levels have to present in a PIX. All other interfaces can have security values between 10 and 90. 10

Security Levels Inside, ethernet1 level100 Outside,ethernet0 level0 dmz1, ethernet2 dmz2, ethernet3 allowed direction level49 level48 11 Although the current PIX can have at max. 8 dmz interfaces whose security levels are between 10 and 90 any two interfaces cannot have the same security level. Security levels can be thought of as water hights. Water will flow from higher to lower level just like traffic through the PIX. Remember, that Adaptive Security Algorithm makes comparisons of fields in tcp/udp headers and ip headers of an incoming packet with two different tables. A match for a packet coming from a lower security level towards a higher security level has to exist in both the translation table and the connection table. Usually there are services that need to be accessible globally on the dmz, like www, mail, dns. By default, all new connections originating behind the outside interface are denied. For a packet to be able to go from lower to higher security level there needs to be an existing connection in the connection table and, of course, there can t be one since we re talking about a new connection. The way to circumvent ASA connection table is defining exceptions to ASA. This is done by using access-lists. Access-lists allow all specified traffic through the interface they are attached to, regardless of there being an existing connection in the connection table or not. The public hosts need to be visible to the public, have a global ip address, either statically defined by PIX or non-translated global ip addresses for the hosts. 11

Basic Topology This represent a generic method of connecting a firewall to a network Protected server Inside network Switch FW Outside network Router Internet Switch DMZ-verkko Protected host Extranet server WWW- and SMTPserver 12 The firewall needs to have a default gateway, just like any host. Firewall is not a router. In addition to having routing information, the perimeter router protects firewall itself from attacks and can weed out the most obvious attack attempts. If the public hosts would be on the inside, one would have to create holes in the security level rules. By default, nothing flows (uninitiated) from outside to inside, but putting www-servers or smtp-servers there would necessitate access directly to the protected network. If someone found a security vulnerability in those services and installed a root kit to gain control of those servers, he could attack the rest of the network. The firewall can t help anymore, since all the traffic would be inside the protected network. 12

Small office/home office SoHo Topology Firewall protects only inside network ISP router s access-list protect ADSL router Inside network IN PIX FW 501 / 506 OUT ADSL router Internet 13 13

MB Topology Medium- sized businesses Network is protected by the PIX ISP router acl:s provide basic protection E-commerce on the DMZ Inside network Inside network IN PIX FW 515 DMZ OUT IOS-router + ACLs Internet Internet Switch DMZ 14 14

CSPM Internal network Inside network More Secure Topology Maximizing security (IDS sensor + CSPM) For large/critical sites E-commerce on the DMZ Separate IDS Sensor for detecting intruders CSPM program for managing the segments and handling the attack signatures PIX FW 525/535 IN OUT DMZ Internet Switch DMZ IDS Sensor 15 CSPM is short for Cisco Secure Policy Manager. It contains a database of typical attack signatures against which all captured packets are evaluated. It also contains script generators for generating configurations for routers and PIX firewalls, so its also a Manager. 15

Redundancy with load sharing Highest availability and throughput Redundancy makes a high-availability network Separate firewalls, both active load sharing content switches distribute load intelligently E-commerce on the DMZ CSPM IN PIX FW 5x5 OUT Internal network Content switch IN DMZ DMZ OUT Content switch Internet Switch DMZ IDS Sensor 16 WITHOUT content switches and load-sharing one firewall is active and the other is backup. If active firewall fails, stateful failover happens. Stateful failover means that the backup firewall maintains the same connection and translation table as the primary one. When and if the primary fails, the failover unit has enough information to just keep on relaying traffic. 16

Other Appliances NetScreen NetScreen FW has totally own operating system, ScreenOS PIX- like stateful packet inspection NetScreen ASIC Own GigaScreen ASIC circuits take care of traffic inspection Virtual Systems (VSYS) VPN- like virtual system inside corporate network 17 NetScreen security appliances offer first a solution that integrates firewall, IPSec VPN, and traffic management functionality on NetScreen s custom operating system, ScreenOS. To accelerate this, the NetScreen takes advantage of NetScreen s GigaScreen ASIC for hardware-based acceleration. 17

Nokia IP/Check Point Nokia IP platform with Check Point software license Two different solution with own management Complex and expencive SonicWALL Other Appliances SonicWALL offers a wide range of low- end products Designed to increase security by reducing complexity 18 18

Thank you! Hauskaa Wappua!! 19 19

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information