This chapter explains the operations of the different types of firewall technologies and the role they play in network access control and security architectures. It also describes guidelines for firewall rule set creation. The chapter then describes the function and building blocks of Network Address Translation.
Firewall Fundamentals and Network Address Translation
© 2012 Cisco and/or its affiliates. All rights reserved.
Ethics
• The information security profession has a number of formalized codes:
• (ISC)2 Code of Ethics
Contents
This chapter teaches firewall concepts, technologies, and design principles. At the end of this chapter, you will be able to do the following:
• Explain the operations of the different types of firewall technologies
• Describe firewall technologies that historically have played, and still play, a role in network access control and security architectures
• Introduce and describe the function and building blocks of Network Address Translation
• List design considerations for firewall deployment
• Describe guidelines for firewall ruleset creation
Introducing Firewall Technologies
• A firewall protects network devices from intentional, hostile intrusions that could compromise information assurance (availability, confidentiality, and integrity), including denial-of-service (DoS) attacks
• A firewall can be a hardware device or a software program running on a secure host computer
• This chapter introduces the firewall technologies that Cisco uses in routers and security appliances
Firewall Fundamentals
Firewall: Enforcing Access Control
A firewall is a pair of mechanisms that perform two separate functions, both governed by policy:
• One mechanism blocks bad traffic
• The second mechanism permits good traffic
Common properties
• Must be resistant to attacks
• Must be the only transit point between networks
• Enforces the access control policy of an organization
Protective measure against the following:
• Exposure of sensitive hosts and applications to untrusted users
• Exploitation of protocol flaws
• Malicious data
Firewalls in a Layered Defense Strategy
Static Packet-Filtering Firewalls
How Static Packet Filters Map to the OSI Model
Static Packet Filter in Action
Application Layer Gateways
Application layer firewalls
Application layer firewalls provide several advantages:
• Application layer firewalls authenticate individuals, not devices
• Application layer firewalls make it harder for attackers to spoof addresses and mount DoS attacks
• Application layer firewalls can monitor and filter application data
• Application layer firewalls can provide detailed logging
Proxy Server Communication Process
Dynamic or Stateful Packet-Filtering Firewalls
Stateful Packet Filtering
Advantages
Stateful packet-filtering firewalls are good to use for the following applications:
• As a primary means of defense
• As an intelligent first line of defense
• As a means of strengthening packet filtering
• To improve performance, because return traffic of a tracked session is matched against the state table rather than re-evaluated against the full rule set
• As a defense against spoofing and DoS attacks, since segments that belong to no tracked session are dropped
Limitations
Stateful firewalls have the following limitations:
• Stateful firewalls cannot prevent application layer attacks, because they do not inspect the payload
• Not all protocols have a state (UDP and ICMP, for example), so the firewall must approximate one with idle timers
• Some applications open multiple connections (the FTP data channel, for example), which the firewall cannot relate to the control connection without application awareness
• Stateful firewalls do not authenticate users by default
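To make the difference between the static packet filter shown earlier and the stateful filter concrete, the following is an added example, not code from the Cisco material. It runs the same constructed TCP packets through a stateless ACL and through a filter that keeps a state table. The addresses, the rule tuples and the emulation of the IOS "established" keyword are assumptions made for the illustration. The point it shows: a stateless filter can only admit replies to inside-initiated sessions by permitting any inbound segment with the ACK bit set, which is exactly what a spoofed ACK abuses, whereas the stateful filter admits only segments that belong to a session it recorded.

```python
"""Stateless ACL vs. stateful packet filter over constructed packets.

Added example (not Cisco's code). Packets, addresses and rules below are
constructed for illustration; "in" means untrusted -> trusted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (untrusted -> trusted) or "out"
    proto: str       # only "tcp" is exercised here
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Rule = (direction, proto, dst_port | None | "established", action).
# Rules are evaluated top-down, first match wins, and the end of the list is
# an implicit deny, as in a Cisco ACL.
POLICY = [
    ("out", "tcp", None, "permit"),   # inside hosts may initiate to anywhere
    ("in", "tcp", 80, "permit"),      # public web server on the inside
]

# A stateless filter cannot know which inbound segments belong to sessions the
# inside opened, so it must permit any inbound segment with ACK (or RST) set,
# which is what the IOS "established" keyword does. A spoofed ACK rides that rule.
STATELESS_RULES = POLICY + [("in", "tcp", "established", "permit")]


def stateless_filter(pkt, rules):
    """Static packet filter: header fields only, no memory between packets."""
    for direction, proto, port, action in rules:
        if direction != pkt.direction or proto != pkt.proto:
            continue
        if port == "established":
            if pkt.ack:           # ACK bit set: assumed to be part of a session
                return action
            continue
        if port is None or port == pkt.dport:
            return action
    return "deny"  # implicit deny


class StatefulFilter:
    """Permits return traffic only for sessions recorded in the state table."""

    def __init__(self, rules):
        self.rules = rules   # policy applied to NEW connections only
        self.table = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    @staticmethod
    def _key(pkt):
        # Normalise both directions onto the same inside-oriented 5-tuple.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        key = self._key(pkt)
        if key in self.table:
            return "permit"                   # belongs to a tracked session
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"                     # not a connection attempt, no state
        verdict = stateless_filter(pkt, self.rules)
        if verdict == "permit":
            self.table.add(key)               # record the new session
        return verdict


def demo():
    """Run the same packets through both filters; return {name: (stateless, stateful)}."""
    sf = StatefulFilter(POLICY)
    packets = [
        ("client_syn", Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.9", 443, syn=True)),
        ("server_synack", Packet("in", "tcp", "203.0.113.9", 443, "10.0.0.5", 40000, syn=True, ack=True)),
        ("rogue_ack", Packet("in", "tcp", "198.51.100.7", 1234, "10.0.0.5", 22, ack=True)),
        ("web_syn", Packet("in", "tcp", "198.51.100.7", 5555, "10.0.0.20", 80, syn=True)),
    ]
    return {name: (stateless_filter(p, STATELESS_RULES), sf.process(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:14s} stateless={stateless:6s} stateful={stateful}")
```

The rogue ACK to port 22 is permitted by the stateless ACL and denied by the stateful filter; the legitimate SYN-ACK reply and the inbound web connection pass both. The stateful filter also shows the limitation listed above: only TCP carries connection flags, so for UDP or ICMP a real implementation has to create pseudo-state on the first outbound packet and expire it on a timer.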
Other Types of Firewalls
• Application inspection firewalls, also known as deep packet inspection
• An application inspection firewall behaves in different ways according to each layer:
  • Transport layer mechanism
  • Application layer mechanism
There are several advantages of an application inspection firewall:
• Application inspection firewalls are aware of the state of Layer 4 and
• Application inspection firewalls can prevent more kinds of attacks than stateful firewalls can
Transparent Firewalls (Layer 2 Firewalls)
• Cisco IOS routers, Cisco ASA Adaptive Security Appliance Software, Cisco Firewall Services Module, and Cisco ASA Services Module offer the capability to deploy a security appliance in a secure bridging mode
Transparent Firewalling: Firewall Interfaces All in the Same Subnet
NAT Fundamentals
Example of Network Address Translation
Cisco defines the following list of NAT terms:
• Inside local address: the address assigned to a host on the inside network, typically from private (RFC 1918) space
• Inside global address: the routable address that represents the inside host to the outside network
• Outside local address: the address of an outside host as it appears to the inside network
• Outside global address: the address assigned to a host on the outside network by its owner
NAT table
Example of Port Address Translation (aka NAT Overload) on Cisco IOS Router
Translating Inside Source Address
Static Translation
The deployment modes in NAT operations are as follows:
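The following is an added example, not Cisco's code, that works through the NAT table behind the PAT and static translation slides above using the four Cisco terms. Addresses are constructed: inside local hosts in 10.0.0.0/8, inside global 198.51.100.1 for the overloaded address, outside global 203.0.113.9 (no outside translation is configured, so outside local equals outside global). The port-allocation rule (keep the original source port when free, pick a new one on collision) and the per-protocol port tracking are simplifying assumptions.

```python
"""Port Address Translation (NAT overload) and static NAT on constructed flows.

Added example (not Cisco's code). Addresses are constructed. Terms:
inside local 10.0.0.x, inside global 198.51.100.1, outside global 203.0.113.9.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PatTranslator:
    """Many inside local addresses share one inside global address."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.next_port = first_port
        # NAT table, kept in both lookup directions:
        #   (proto, inside_local, sport, outside_global, dport) -> global port
        #   (proto, global port, outside_global, dport) -> (inside_local, sport)
        self.out_table = {}
        self.in_table = {}

    def _allocate_port(self, f):
        # Assumption: keep the original source port when free, otherwise take
        # the next unused port; ports are tracked per protocol only.
        used = {gp for (proto, gp, _d, _dp) in self.in_table if proto == f.proto}
        if f.sport not in used:
            return f.sport
        port = self.next_port
        while port in used:
            port += 1
        self.next_port = port + 1
        return port

    def outbound(self, f):
        """Inside local -> inside global; creates a table entry on first use."""
        key = (f.proto, f.src, f.sport, f.dst, f.dport)
        gport = self.out_table.get(key)
        if gport is None:
            gport = self._allocate_port(f)
            self.out_table[key] = gport
            self.in_table[(f.proto, gport, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(f.proto, self.inside_global, gport, f.dst, f.dport)

    def inbound(self, f) -> Optional[Flow]:
        """Inside global -> inside local; None when no entry exists (packet dropped)."""
        entry = self.in_table.get((f.proto, f.dport, f.src, f.sport))
        if entry is None:
            return None   # unsolicited inbound traffic has no translation
        local_ip, local_port = entry
        return Flow(f.proto, f.src, f.sport, local_ip, local_port)


class StaticNat:
    """One-to-one inside local <-> inside global; the outside may initiate."""

    def __init__(self, mapping):
        self.local_to_global = dict(mapping)
        self.global_to_local = {g: l for l, g in mapping.items()}

    def outbound(self, f):
        return Flow(f.proto, self.local_to_global.get(f.src, f.src), f.sport, f.dst, f.dport)

    def inbound(self, f) -> Optional[Flow]:
        local = self.global_to_local.get(f.dst)
        if local is None:
            return None
        return Flow(f.proto, f.src, f.sport, local, f.dport)


def demo():
    """Two inside hosts pick the same source port; a reply and a probe come back."""
    pat = PatTranslator("198.51.100.1")
    a = pat.outbound(Flow("tcp", "10.0.0.5", 40000, "203.0.113.9", 443))
    b = pat.outbound(Flow("tcp", "10.0.0.6", 40000, "203.0.113.9", 443))  # port collision
    reply_b = pat.inbound(Flow("tcp", "203.0.113.9", 443, "198.51.100.1", b.sport))
    unsolicited = pat.inbound(Flow("tcp", "198.51.100.7", 5555, "198.51.100.1", 22))
    static = StaticNat({"10.0.0.10": "198.51.100.10"})
    to_server = static.inbound(Flow("tcp", "198.51.100.7", 5555, "198.51.100.10", 25))
    return {"a": a, "b": b, "reply_b": reply_b, "unsolicited": unsolicited, "to_server": to_server}


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name:12s} {flow}")
```

Host 10.0.0.5 keeps source port 40000 in the global address space, 10.0.0.6 is remapped to 1024, and the reply to 198.51.100.1:1024 is steered back to 10.0.0.6:40000 by the table. The probe to 198.51.100.1:22 finds no entry and is dropped, which is the incidental filtering effect of overload NAT; the statically translated 198.51.100.10 accepts the inbound connection because its mapping exists before any traffic flows. On IOS the corresponding configuration lines are `ip nat inside source list 1 interface <outside-interface> overload` for the overloaded address and `ip nat inside source static 10.0.0.10 198.51.100.10` for the static entry.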
Firewall Designs
Best practices documents are a composite effort of security practitioners. This partial list of best practices is generic and serves only as a starting point for your own firewall security policy:
• Position firewalls at key security boundaries, separating security domains with different levels of trust
• Firewalls are the primary security device, but it is unwise to rely exclusively on a firewall for security
• Deny all traffic by default and permit only services that are needed
• Implement various firewall technologies, matching your application mix and security policy requirements
• Ensure that physical access to the firewall is controlled
• Regularly monitor firewall logs. Cisco Security Manager and other Cisco management tools are available for this purpose
• Practice change management for firewall configuration changes
Firewall Policies in a Layered Defense Strategy
When defining access rules, multiple criteria can be used as a starting point:
• Rules based on service control (which protocols and ports may be reached)
• Rules based on direction control (which side may initiate a connection)
• Rules based on user control (which authenticated users may use a service)
• Rules based on behavior control (how a permitted service may be used)
Firewall Access Rule Structure: Top-Down Process
Rules are processed in order from the top; the first matching rule determines the action, and traffic that matches no rule is denied.
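Because rules are matched top-down with first match wins, the order of a rule set is part of the policy: a specific deny placed after a broader permit never takes effect. The following is an added example, not Cisco's code, that evaluates constructed rules in that order with an implicit deny at the end and flags rules that an earlier rule makes unreachable. The rule fields (direction, protocol, source network, destination port) correspond to the direction, service and user/host criteria above; the rule set and packets are assumptions made for the illustration.

```python
"""Top-down access rule evaluation and shadowed-rule detection.

Added example (not Cisco's code). Rules and packets are constructed.
Evaluation stops at the first match; unmatched traffic is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str          # "in", "out", or "any"
    proto: str              # "tcp", "udp", or "any"
    src: str                # source network in CIDR notation, "0.0.0.0/0" = any
    dport: Optional[int]    # None = any destination port
    action: str             # "permit" or "deny"

    def matches(self, direction, proto, src_ip, dport):
        return (self.direction in ("any", direction)
                and self.proto in ("any", proto)
                and ip_address(src_ip) in ip_network(self.src)
                and (self.dport is None or self.dport == dport))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return ((self.direction == "any" or self.direction == other.direction)
                and (self.proto == "any" or self.proto == other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules, direction, proto, src_ip, dport):
    """Top-down, first match wins. Returns (action, index) or ("deny", None)."""
    for i, rule in enumerate(rules):
        if rule.matches(direction, proto, src_ip, dport):
            return rule.action, i
    return "deny", None   # implicit deny at the end of the rule set


def shadowed_rules(rules):
    """Return (index, shadowing_index) for every rule that can never be reached."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                found.append((j, i))
                break
    return found


# Intended policy: inside may go out, the web server is public, but one
# outside network is blocklisted. The blocklist rule is placed too late.
BAD_ORDER = [
    Rule("out", "any", "10.0.0.0/8", None, "permit"),
    Rule("in", "tcp", "0.0.0.0/0", 80, "permit"),
    Rule("in", "tcp", "198.51.100.0/24", 80, "deny"),   # shadowed by the rule above
]

# Same rules, specific deny moved above the broad permit.
GOOD_ORDER = [BAD_ORDER[0], BAD_ORDER[2], BAD_ORDER[1]]


if __name__ == "__main__":
    for name, rules in (("BAD_ORDER", BAD_ORDER), ("GOOD_ORDER", GOOD_ORDER)):
        verdict = evaluate(rules, "in", "tcp", "198.51.100.7", 80)
        print(f"{name}: blocklisted host -> {verdict}, shadowed = {shadowed_rules(rules)}")
```

With the rules in the first order, a connection from 198.51.100.7 to the web server is permitted by rule 1 and the deny at index 2 is reported as shadowed; moving the deny above the permit produces the intended result, and an unmatched UDP packet falls through to the implicit deny. Running the shadow check as part of change management catches this class of ordering mistake before a rule set is pushed to the device.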