Tuesday, May 24, 2011

Chapter 03: Network Security Using Cisco IOS Firewalls (Part01)

Overview

This chapter teaches you how to configure firewall features, including access control lists (ACL) and Cisco IOS zone-based policy firewalls, to perform basic security operations on a network. At the end of this chapter, you will be able to do the following:

  • Explain the operations of the different types of firewall technologies and describe the firewall technologies that are embedded in Cisco routers and Cisco security appliances

  • Create static packet filters using access control lists

  • Configure a Cisco IOS zone-based policy firewall on your network using the Cisco SDM Wizard

Implementing networkwide security can be a daunting task depending on the size and business of the company. Organizations must balance the cost in staff and equipment to implement a network security policy against the costs and possibility of network security breaches.

Cisco provides several router-based solutions for implementing firewall features: basic traffic filtering capabilities using access control lists (ACL), Cisco IOS Firewalls, and Cisco IOS zone-based policy firewalls. This chapter compares these three solutions.


Introducing Firewall Technologies

A firewall protects network devices from intentional hostile intrusion that could threaten information assurance (that is, availability, confidentiality, and integrity) or lead to a denial-of-service (DoS) attack. A firewall can protect a hardware device or a software program running on a secure host computer. This lesson introduces the firewall technologies that Cisco uses in routers and security appliances.


Firewall Fundamentals

The term firewall is a metaphor. By segmenting a network into different physical subnetworks, firewalls can limit the damage that can spread from one subnet to another, just as the fire doors and firewalls that are used in a building limit the spread of fire, heat, and structural collapse. In network security terms, a firewall is a software or hardware barrier between an internal (trusted) network and an external (untrusted) network. In this sense, a firewall is a set of related programs that enforce an access control policy between two or more networks.

In principle, as shown in Figure 3-1, a firewall is a pair of mechanisms that perform these two separate functions, which are set by policies:

  • One mechanism blocks bad traffic.

  • The second mechanism permits good traffic.

Figure 3-1: Forward Acknowledgment

A firewall can be defined as follows:

A system or group of systems that enforces an access control policy between two networks. Because this definition is very generic, almost anything can be considered a firewall. Many network access technologies can be used to build a firewall:

  • Packet-filtering routers

  • LAN switches

  • Complex systems integrating many hosts into a firewall system

  • Proxy servers

Firewalls mean different things to different organizations, and each organization has unique requirements. Nevertheless, all firewalls usually share some common properties:

  • Must be resistant to attacks: The compromise of the firewall system should be very unlikely, because it would enable an attacker to disable the firewall or change its access rules.

  • Must be the only transit point between networks: All traffic between networks must flow through the firewall. This requirement prevents a hacker from using a backdoor connection to bypass the firewall and violate the network access policy.

  • Enforces the access control policy of an organization: The access control policy should define what the firewall permits or denies.

Today, firewalls are such a mainstream technology that they are often considered a panacea for many security issues. While you should be aware of the benefits of the firewall model, you should also be aware of the many limitations that firewalls have and how to mitigate some of these limitations.

By performing network access control, you can use a firewall as a protective measure against the following:

  • Exposure of sensitive hosts and applications to untrusted users: A firewall hides most of the functionality of a host and permits only the minimum required connectivity to a host. Complexity is thus reduced, and many possible vulnerabilities are not exposed.

  • Exploitation of protocol flaws: You can program a firewall to inspect protocol messages and verify their compliance with the protocol, whether it is Layer 3, Layer 4, or a higher-layer protocol. The firewall limits what attackers can send to their target, preventing the delivery of malformed packets that are used in an attempt either to crash a system or to gain access to an application.

  • Malicious data: A firewall can detect and block malicious data sent to clients or servers inside the application stream, thereby stopping it from infecting the server or the client.

Because firewalls are located on critical interconnection points of the network, enforcing the network access policies is simple, scalable, and robust. Sometimes a small number of firewalls can handle most of the network access control needs of an organization.

Firewalls are often misunderstood, and false assumptions can be made about their capabilities. Although it is true that firewalls would not be necessary if host and application security could be made extremely robust, many organizations use firewalls as a replacement for host or application security. Such an attitude is extremely dangerous because it can completely ignore host and application security even in extreme cases, such as connecting a sensitive server inside an Internet firewall.

In general, firewalls have the following limitations:

  • Because firewalls are used in critical points of the network, their misconfiguration can have disastrous consequences. Firewalls are often a single point of failure when it comes to security; a single mistake in a configuration rule or firewall code can compromise the network access policy.

  • Many modern applications are firewall unfriendly because they are difficult to inspect properly. Compromises in rule design and inspection depth have to be made to support such applications, which might violate the policy of an organization. A typical example is a new application that opens dynamic sessions from the outside to the inside after the initial client request that was initiated from the inside to the outside. Multimedia applications such as audio streaming and videoconferencing are examples in which the user opens one session from the inside to the outside requesting the feed. To support the streaming, however, additional sessions are opened from the outside to the inside, and by default the firewall will reject those new incoming requests. Once firewall vendors have a chance to study the new protocol, they can create a rule that forces the firewall to look into the payload of the original outgoing packet, learn which additional sessions will be created, and prepare for those new incoming sessions.

  • End users, when faced with a restrictive firewall, might find their own methods of bypassing it. For example, inside users can dial out of the protected network to an Internet service provider (ISP) and create a backdoor connection to the protected network.

  • Firewalls are placed at chokepoints and can significantly affect performance if they inspect all the traffic.

  • Tunneling unauthorized data over authorized connections (covert channels) is simple and generally impossible to detect. This activity usually requires the help of someone on the trusted side of the firewall.


Firewalls in a Layered Defense Strategy

In a layered defense scenario, firewalls provide perimeter security of the entire network and of internal network segments in the core. For example, system administrators can use a firewall to separate the human resources or financial networks of an organization from other networks or network segments within the organization.

A layered defense uses different types of firewalls that are combined in layers to add depth to the information defense of an organization, as shown in Figure 3-2. For example, traffic that comes in from the untrusted network first encounters a packet filter on the outer router. The traffic then goes to the screened host firewall or bastion host system, which applies more rules to the traffic and discards suspect packets. The traffic next goes to an interior screening router, and only after this routing does it move to the internal destination host. This type of demilitarized zone (DMZ) setup is called a screened subnet configuration.

Figure 3-2: Layered Defense Strategy

Key Topic

Bastion host: A bastion host is a computer that is expected to be attacked and therefore is hardened. An example of a bastion host is firewall software installed on a workstation that is already running a commonly available operating system. The workstation would need to be hardened against the known vulnerabilities of that operating system before the firewall is put into production.

Packet filter: An example of a packet filter is a router on which you have configured access lists to filter unwanted traffic.

A common misconception is that a layered firewall topology is all that you need to declare your internal network safe. This myth is probably encouraged by the booming firewall business; however, you need to consider the following factors when building a complete defense-in-depth environment:

  • A significant number of intrusions come from hosts within the network. For example, firewalls often do little to protect against viruses downloaded through email.

  • Firewalls do not protect against rogue modem or rogue wireless access point installations. In addition, and most important, a firewall is not a substitute for informed administrators and users.

  • Firewalls do not replace backup and disaster recovery mechanisms for recovering from an attack or a hardware failure. An in-depth defense also includes offsite storage and redundant hardware topologies.


Key Topic

Defense in depth and diversity of defense are related topics. Defense in depth calls for multiple levels of defense, and diversity of defense calls for using different types of technologies in that defense.

An example of diversity of defense and defense in depth is using a perimeter router as a packet filter and using a stateful firewall to segment the unprotected segment from the protected segment.


Static Packet-Filtering Firewalls

Packet-filtering firewalls work primarily at the network layer of the Open Systems Interconnection (OSI) model, or the IP layer of TCP/IP, as shown in Figure 3-3. Packet-filtering firewalls are generally considered Layer 3 devices, but they typically have the capability to permit or deny traffic based on Layer 4 information, such as protocol and source and destination port numbers, in addition to the Layer 3 source and destination IP addresses. Packet filtering uses rules and ACLs to determine whether to permit or deny traffic based on source and destination IP addresses, protocol, source and destination port numbers, and packet type. Packet-filtering firewalls are usually part of a router firewall.

Figure 3-3: How Static Packet Filters Map to the OSI Model

Recall that services rely on specific ports to function; for example, Simple Mail Transfer Protocol (SMTP) servers listen on port 25 by default. Because packet-filtering firewalls filter traffic according to static packet header information, they are sometimes referred to as static filters. By restricting certain ports, you can restrict the services that rely on those ports. For example, blocking port 25 on a specific workstation prevents an infected workstation from broadcasting email viruses across the Internet.

Packet-filtering firewalls are similar to packet-filtering routers but with some differences in implementation. Packet filters are very scalable, application independent, and have high performance standards; however, they do not offer the complete range of security solutions that are required in modern networks. For example, a packet filter cannot understand dynamic protocols in which a client request requires additional incoming connections to be initiated from the outside toward the inside client.

Any device that uses ACLs can perform packet filtering. Cisco IOS router configurations commonly use ACLs, not only as packet-filtering firewalls but also to select specified types of traffic that are to be analyzed, forwarded, or influenced in some way. Later in this chapter, you will see examples of both ingress and egress filtering done with ACLs.


Note

Egress: Traffic leaving the network

Ingress: Traffic entering the network

Figure 3-4 shows a simple packet-filtering example using a Cisco router.

Figure 3-4: A Static Packet Filter in Action

In most network topologies, you need to protect the Ethernet interface connecting to the internal (inside) network, while the serial interface that connects to the Internet (outside) is unprotected. In Figure 3-4, the internal addresses that the firewall must protect are in the 10.1.1.0/24 subnet (on the Ethernet interface). The IP address of the Ethernet 0 interface is 10.1.1.1/24.

The particular network security policy shown in Figure 3-4 (ACL 101) allows all users from the inside to access Internet services on the outside. Therefore, all outgoing connections are accepted. The router checks only packets coming from the Internet (security policy ACL 102). In this case, the ACL allows Domain Name System (DNS), SMTP, FTP services, and the return of traffic initiated from the inside. ACL 102 denies access to all other services.

Packet-filter firewalls (or packet filters) use a simple policy table lookup that permits or denies traffic based on the following possible criteria:

  • Source IP address

  • Destination IP address

  • Source port number

  • Destination port number

  • Synchronize/start (SYN) packet receipt

These firewalls are extremely fast because they do little computation. The rules are extremely easy to implement because they require little security expertise. Router manufacturers easily embed packet-filtering logic in silicon and, consequently, packet filtering is a feature of most routers. Packet-filtering firewalls are relatively inexpensive. Even if other firewalls are used, implementing packet filtering at the router level affords an initial degree of security at the network and transport layers.

Packet filters do not represent a complete firewall solution. However, they are a key element of a secure architecture.

The following are disadvantages of packet filters:

  • Packet filtering is susceptible to IP spoofing. Hackers send arbitrary packets that fit ACL criteria and pass through the filter.

  • Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header only in the first fragment, and packet filters filter on TCP header information, all fragments after the first are passed unconditionally. Decisions to use packet filters assume that filtering the first fragment accurately enforces the policy.

  • Complex ACLs are difficult to implement and maintain correctly.

  • Packet filters cannot dynamically filter certain services. For example, sessions that use dynamic port negotiations are difficult to filter without opening access to a whole range of ports.

  • Packet filters are stateless. They examine each packet individually rather than in the context of the state of a connection.
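To make the Figure 3-4 policy (ACL 102) and the stateless limitation above concrete, here is a small Python model of static packet filtering; it is an added example, not code from the book or from Cisco IOS. The inside server addresses and the Rule/Packet/evaluate() names are my own assumptions; the IOS `established` keyword is modelled as a check of the TCP ACK (or RST) bit, which is what it tests. Because each packet is judged in isolation, a segment with the ACK bit set is permitted whether or not an inside host ever opened the connection, which is exactly the spoofing and statelessness weakness listed above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # ACK (or RST) bit; what the IOS "established" keyword tests

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: str              # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: int = 0        # 0 means any destination port
    established: bool = False

INSIDE = "10.1.1.0/24"                     # protected subnet from Figure 3-4
DNS_SERVER, MAIL_SERVER, FTP_SERVER = (     # constructed; the book gives no host addresses
    "10.1.1.11/32", "10.1.1.10/32", "10.1.1.12/32")

# ACL 102, applied inbound on the outside (serial) interface; IOS form of each entry in its comment.
ACL_102 = [
    Rule("permit", "tcp", "0.0.0.0/0", INSIDE, established=True),  # access-list 102 permit tcp any 10.1.1.0 0.0.0.255 established
    Rule("permit", "udp", "0.0.0.0/0", DNS_SERVER, dport=53),      # access-list 102 permit udp any host 10.1.1.11 eq domain
    Rule("permit", "tcp", "0.0.0.0/0", MAIL_SERVER, dport=25),     # access-list 102 permit tcp any host 10.1.1.10 eq smtp
    Rule("permit", "tcp", "0.0.0.0/0", FTP_SERVER, dport=21),      # access-list 102 permit tcp any host 10.1.1.12 eq ftp
]                                                                  # implicit "deny ip any any" at the end

def matches(rule: Rule, pkt: Packet) -> bool:
    """Static header match: protocol, addresses, destination port, ACK bit."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport and pkt.dport != rule.dport:
        return False
    return pkt.ack or not rule.established

def evaluate(acl: list, pkt: Packet) -> str:
    """Stateless lookup: first matching entry wins; no match hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"
```

A stateful firewall would instead consult a connection table before honouring the ACK bit, which is the gap the Cisco IOS Firewall and zone-based policy firewall sections later in the chapter address.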

