| 0 comments ]

Other Types of Firewalls

Add a note hereOver the years, variations of standards stateful firewalls have emerged. Some examples of those variations, which provide additional or restrictive features, are deep packet inspection (DPI) firewalls and Layer 2 firewalls.

Add a note hereApplication inspection firewalls ensure the security of applications and services. Some applications require special handling by the firewall application inspection function. Applications that require special application inspection functions are those that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.

Add a note hereThe application inspection function works with NAT to help identify the location of the embedded addressing information. This arrangement allows NAT to translate embedded addresses and to update any checksum or other fields that are affected by the translation.

Add a note hereThe application inspection function also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports. The initial session on a well-known port negotiates dynamically assigned port numbers. The application inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.

Add a note hereAn application inspection firewall behaves in different ways according to each layer:

  • Add a note hereTransport layer mechanism: From a transport layer perspective, the application inspection firewall acts like a stateful firewall by examining information in the headers of Layer 3 packets and Layer 4 segments. For example, the application inspection firewall looks at the TCP header for SYN, RST, ACK, FIN, and other control codes to determine the state of the connection.

  • Add a note hereSession layer mechanism: From a session layer perspective, the application inspection firewall checks the conformity of commands within a known protocol. For example, when the application inspection firewall checks the SMTP message type, it allows only acceptable message types on Layer 5 (such as, DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET). In addition, the application inspection firewall checks whether the command attributes that are used (for example, length of a message type) conform to the internal rules. These rules often trust the RFC of a specific protocol.

  • Add a note hereApplication layer mechanism: From an application layer perspective, the application inspection firewall protocol is rarely supported. Sometimes application layer firewalls provide protocol support for HTTP, and the application inspection firewall can determine whether the content is really an HTML website or a tunneled application, such as Kazaa Media Desktop or eDonkey. In the case of a tunneled application, the application inspection firewall would block the content or terminate the connection. Future development will provide application inspection support for more protocols on an application inspection firewall.

Add a note hereThere are several advantages of an application inspection firewall:

  • Add a note hereApplication inspection firewalls are aware of the state of Layer 4 and Layer 5 connections. For example, the application inspection firewall knows that a Layer 5 SMTP MAIL FROM command always follows a HELO command.

  • Add a note hereApplication inspection firewalls check the conformity of application commands at Layer 5.

  • Add a note hereApplication inspection firewalls have the capability to check and affect Layer 7.

  • Add a note hereApplication inspection firewalls can prevent more kinds of attacks than stateful firewalls can. For example, application inspection firewalls can stop an attacker from trying to set up a virtual private network (VPN) tunnel (triggered from inside the network) through an application firewall by way of tunneled HTTP requests.

Add a note hereCisco PIX and Cisco ASA Adaptive Security Appliance Software Version 7.0 and Cisco Firewall Services Module Version 2.2 debut the capability to deploy a security appliance in a secure bridging mode as a Layer 2 device to provide rich Layer 2 through 7 security services for the protected network. This capability enables businesses to deploy security appliances into existing network environments without the need to readdress the network. Although the security appliance can be invisible to devices on both sides of a protected network, as shown in Figure 3-9, administrators can use an exposed IP address to manage the appliance.

Click to collapseImage from book
Add a note hereFigure 3-9: Layer 2 Firewall

Note

Add a note hereLayer 2 firewalls also known as transparent firewalls are sometimes referred to as bumps in the wire or as stealth firewalls.


Tip

Add a note hereAdditional training is available on transparent firewalls in the Cisco Secure ASA Adaptive Security Appliance courses that are offered by Cisco Learning Partners.


Cisco Family of Firewalls

Add a note hereCisco offers firewalls on different platforms:

Add a note hereThe sections that follow describe these platforms in greater detail.

Add a note hereCisco IOS Firewalls

Add a note hereA Cisco IOS Firewall is a specialized Cisco IOS feature that runs on Cisco routers. It is an enterprise-class firewall product that is rich with features for small and medium-sized businesses (SMB) and enterprise branch offices. The following are some of the main features of a Cisco IOS Firewall:

  • Add a note hereZone-based policy framework for intuitive policy management

  • Add a note hereApplication firewalling for web, email, and other traffic

  • Add a note hereInstant messenger and peer-to-peer application filtering

  • Add a note hereVoIP protocol firewalling

  • Add a note hereVirtual routing and forwarding (VRF) firewalling

  • Add a note hereWireless integration

  • Add a note hereStateful failover

  • Add a note hereLocal URL whitelist and blacklist support

Add a note hereAnother important feature of Cisco IOS Firewalls, deployed on specific models, is the assurance of its security standard known as FIPS 140.

Add a note hereThe Federal Information Processing Standard (FIPS) 140 is a U.S. government and Canadian government standard that specifies security requirements for cryptographic modules. FIPS 140 has four levels of assurance. Level 1 is the lowest level, and Level 4 is the most stringent. Each level builds upon the one below it, so a Level 2 certification means that a product meets the requirements for both Level 1 and Level 2.


Note

Add a note hereTo find out precisely the level of certification of different Cisco products, visit http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

Add a note hereAnother benefit of Cisco security platforms is their conformance to Common Criteria.

Add a note hereThe Common Criteria is an international standard for evaluating IT security. It was developed by a consortium of countries to replace a number of existing country-specific security assessment processes, and was intended to establish a single standard for international use. Currently, the Common Criteria is officially recognized by 14 countries, and evaluations can be conducted by any certified Common Criteria laboratory in a member country. To maintain the independent nature of the Common Criteria, evaluation results from a certified lab are submitted to the Common Criteria organization of the corresponding country for independent validation. This independent validation process, which distinguishes Common Criteria from some commercial certifications, ensures that the evaluation process is consistent across labs, and that it cannot be influenced by financial motives.

Add a note hereTable 3-1 illustrates for which security certifications the routers in the Cisco router family qualify.

Add a note hereTable 3-1: Cisco Security Routers Certifications
Open table as spreadsheet

Add a note hereFIPS

Add a note hereCommon Criteria

Add a note here140-2, Level 2

Add a note hereIPsec (EAL4)

Add a note hereFirewall (EAL4)

Add a note hereCisco 870 ISR

Add a note here

Add a note herePending

Add a note here

Add a note hereCisco 1800 ISR

Add a note here

Add a note herePending

Add a note here

Add a note hereCisco 2800 ISR

Add a note here

Add a note herePending

Add a note here

Add a note hereCisco 3800 ISR

Add a note here

Add a note herePending

Add a note here

Add a note hereCisco 7200 VAM2+

Add a note here

Add a note herePending

Add a note here

Add a note hereCisco 7200 VSA

Add a note here

Add a note herePending

Add a note hereN/A

Add a note hereCisco 7301 VAM2+

Add a note here

Add a note herePending

Add a note here

Add a note hereCisco 7600 IPsec VPN SPA

Add a note here

Add a note herePending

Add a note hereN/A

Add a note hereCatalyst 6500 IPsec VPN SPA

Add a note here

Add a note herePending

Add a note hereN/A

Add a note hereCisco 7600

Add a note here

Add a note herePending

Add a note here

Add a note hereCheck http://www.cisco.com for the latest certifications of Cisco hardware and software. You may also check the following:

Add a note hereFor FIPS 140: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

Add a note hereFor CVE: http://www.niap-ccevs.org/cc-scheme/


Note

Add a note hereBecause it is not possible to “prove” that a product is secure, the greater the number of tests, the greater the confidence (or assurance) in its quality. To achieve the top certifications takes a considerable number of years and expense.

Add a note hereCisco PIX 500 Series Security Appliances

Add a note hereThe Cisco PIX 500 series Security Appliance delivers robust user and application policy enforcement, multivector attack protection, and secure connectivity services in cost-effective, easy-to-deploy solutions. These purpose-built appliances provide multiple integrated security and networking services:

  • Add a note hereAdvanced application-aware firewall services

  • Add a note hereMarket-leading VoIP and multimedia security

  • Add a note hereRobust site-to-site and remote-access IPsec VPN connectivity

  • Add a note hereAward-winning resiliency

  • Add a note hereIntelligent networking services

  • Add a note hereFlexible management solutions

Add a note hereThe Cisco PIX 500 series Security Appliances scale to meet a range of requirements and network sizes. The Cisco PIX 500 series Security Appliances currently consists of five models: the PIX 501, 506E, 515E, 525, and 535. Figure 3-10 provides a visual reference of the PIX 500 family of products.

Click to collapseImage from book
Add a note hereFigure 3-10: Cisco PIX 500 Series Security Appliances

Note

Add a note hereIn January 2008, Cisco announced the End-of-Life for the PIX products. Cisco will still be supporting this product until July 2013.


Note

Add a note hereAdditional training is available for the Cisco PIX 500 series in the Cisco Secure ASA Adaptive Security Appliance courses that are offered by Cisco Learning Partners.

Add a note hereCisco ASA 5500 Series Adaptive Security Appliances

Add a note hereCisco ASA 5500 series Adaptive Security Appliances are easy-to-deploy solutions that integrate world-class firewall, Cisco Unified Communications (voice and video) security, Secure Sockets Layer (SSL) and IPsec VPN, IPS, and content security services in a flexible, modular product family. Designed as a key component of the Cisco Self-Defending Network, the ASA 5500 series appliances provide intelligent threat defense and secure communications services that stop attacks before they affect business continuity. Designed to protect networks of all sizes, the ASA 5500 series appliances enable organizations to lower their overall deployment and operations costs while delivering comprehensive multilayer security.

Add a note hereThe Cisco ASA scales to meet a range of requirements and network sizes, as shown in Figure 3-11. The Cisco ASA 5500 series appliances currently consist of five models: the Cisco ASA 5505, 5510, 5520, 5540, and 5550.

Click to collapseImage from book
Add a note hereFigure 3-11: Cisco ASA 5500 Series Adaptive Security Appliances

Note

Add a note hereAdditional training is available for the ASA 5500 series Security Appliances in the Cisco Secure ASA Adaptive Security Appliance courses that are offered by Cisco Learning Partners.

Add a note hereCisco Firewall Services Module

Add a note hereThe Cisco Firewall Services Module (FWSM) is a high-speed, integrated firewall module (commonly called a “blade”) for Cisco Catalyst 6500 switches and Cisco 7600 series routers and provides the fastest firewall data rates in the industry. Up to four FWSMs can be installed in a single switch chassis. Based on Cisco PIX Firewall technology, the Cisco FWSM offers large enterprises and service providers unmatched security, reliability, and performance.

Developing an Effective Firewall Policy

Add a note hereBest practice documents are a composite effort of security practitioners. This partial list is designed to be generic and serve only as a starting point for your own firewall security policy:

  • Add a note herePosition firewalls at key security boundaries.

  • Add a note hereFirewalls are the primary security device, but it is unwise to rely exclusively on a firewall for security.

  • Add a note hereDeny all traffic by default and permit only services that are needed.

  • Add a note hereEnsure that physical access to the firewall is controlled.

  • Add a note hereRegularly monitor firewall logs. Cisco Security Monitoring, Analysis, and Response System (MARS) is especially useful in monitoring firewall logs.

  • Add a note herePractice change management for firewall configuration changes.

  • Add a note hereRemember that firewalls primarily protect from technical attacks originating from the outside. Inside attacks tend to be nontechnical in nature, such as accidentally deleting a mission-critical data, or accidentally unplugging a device, thus creating a DoS attack, albeit an unintentional one.


Tip

Add a note hereFor more information about firewall best practices, visit the following sites:

  • Add a note herehttp://www.principlelogic.com/docs/Firewall_Best_Practices.pdf

  • Add a note herehttp://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1

  • Add a note herehttp://iase.disa.mil/stigs/stig/index.html

  • Add a note herehttp://cisecurity.org/bench.html

Add a note hereCreating Static Packet Filters Using ACLs

Add a note hereCisco provides basic traffic filtering capabilities with ACLs. You can configure ACLs for all routed network protocols to filter packets as the packets pass through a router or security appliance. There are many reasons to configure ACLs. For example, you can use ACLs to restrict the contents of routing updates or to provide traffic flow control. One of the most important reasons to configure ACLs is to provide security for your network.

Add a note hereThis section outlines the types of ACLs available and provides guidelines that help create ACLs to provide network security.

0 comments

Post a Comment