Deploying and Managing Firewalls

Transcription

1 1 Deploying and Managing Firewalls Session Copyright Printed in USA. 2

2 Agenda Introduction Design Considerations Deployment Scenarios New Firewall Functionality Managing Firewalls Summary and Resources 3 Introduction 4 Copyright Printed in USA.

3 New Firewall Concepts New types of Firewalls Firewall security appliances Integrated Firewalls Personal Firewalls Firewalls and default protection True value of zero rules 5 Firewall Security Appliances Combining functions: Firewalls and Authentication VPN Intrusion detection Making it work together Design decision is this the right location to deploy these features in the network? 6 Copyright Printed in USA.

4 Firewall Security Appliances Benefits All in one approach Fit in to network design Easier to use Single interface to configure, manage Challenges Making it all work together Many eggs in a basket problem 7 Integrated Firewalls Firewall technology embedded in Router Switch Other network device Benefits Design and ROI Throughput 8 Copyright Printed in USA.

5 Firewalls and Default Protection Some of the things that firewalls do that we sometimes take for granted Randomizing TCP Sequence numbers Fragment handling Packet re-assembly Protocol specific filters DNS Guard Active X/Java blocking What about NAT? Data hiding and security by obscurity 9 Firewalls and Data Traffic Key concepts in a stateful firewall Translations (xlates) IP address to IP address translation Inside to outside and outside to inside Connections (conns) IP sessions (TCP, UDP) Multiple connections can use one translation 10 Copyright Printed in USA.

6 Translation and Connections Translations Outside Inside Connections 11 Firewalls and Default Security Policies Adaptive security algorithm All state, all the time Key features Security levels ASA Fix-ups Content-based access control Maintain state when where needed Knows protocols Uses ACLs 12 Copyright Printed in USA.

7 PIX Security Levels nameif ethernet0 outside security0 Public Network PIX Firewall 0 50 DMZ 100 nameif ethernet1 inside security100 nameif ethernet2 DMZ security50 Private Network 13 ASA Default Rules Higher to Lower: PERMIT Lower to Higher: DENY Between Same: DENY Public Network DMZ Private Network 14 Copyright Printed in USA.

8 Additional ASA Rules Allow TCP/UDP from inside Permit TCP/UDP return packets Drop and log connections from outside Drop and log source routed IP packets Deny ICMP packet Drop and log all other packets from outside Protects the firewall 15 PIX Firewall Fix-Ups pixfw#fixup protocol? fixup protocol ftp 21 fixup protocol h323 h fixup protocol h323 ras fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet Copyright Printed in USA.

9 Context-Based Access Control CBAC adds stateful firewall to Cisco IOS Alternative to ACLs CBAC is protocol specific Protocol specific rules Adds audit capability Allows for tighter ACLs 17 How CBAC Works Cisco IOS Firewall Router User User E0 CBAC Creates Dynamic ACL to Allow Connections Initiated From Inside S0 ISP and Internet User ACL ACL All Connections Initiated From Outside Are Blocked by Static ACL 18 Copyright Printed in USA.

10 Personal Firewalls Inspect IP Traffic at the TCP/IP Protocol Stack Enforce a Local Security Policy Somewhere Else Protect against Known Threats Maintain PFW Program and Policies Via Central Server 19 Design Considerations 20 Copyright Printed in USA.

11 How Firewalls Pass Packets (1) /24 Outside Inside /24 interface ethernet0 10baset interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname fw501 domain-name cisco.com ip address outside ip address inside nat (inside) route (outside) How Firewalls Pass Packets (2) /24 Outside Inside / /24 interface ethernet0 10baset interface ethernet1 100full nameif ethernet0 outside security0 nameif vlan20 intf2 security50 nameif vlan30 intf3 security60 nameif ethernet1 inside security100 hostname fw515 domain-name cisco.com ip address outside ip address intf ip address intf ip address outside nat (inside) route (outside) Copyright Printed in USA.

12 How Firewalls Pass Packets (3) WEB Catalyst Outside Slot 5 VLAN /24 Fa8/1 FWSM Inside Fa8/2 VLAN /24 Native IOS 12.1(13)E Router#config t! vlan 20,30 firewall vlan-group 1 20,30 firewall module 5 vlan-group 1! int fa8/1 switchport access vlan 20 Int fa8/2 switchport access vlan Router#session slot 5 processor 1 Trying FW-5... Connected to FW-5. Escape character is '^]'. Password: ***** FWSM#conf t nameif 20 outside 0 nameif 30 inside 100 ip address outside /0 ip address inside /24 23 How Firewalls Pass Packets (4) /24 Outside Inside /24 version 12.3! hostname 1700-fw! no ipsource-route no service tcp-small-servers! ip inspect name FW ftp! interface FastEthernet0 ip address interface Ethernet0 ip address ip nat inside ip inspect FW in 24 Copyright Printed in USA.

13 Firewalls and VLANs Manage switches like firewalls (securely) Use private VLANs where appropriate to further divide L2 networks Set all user ports to non trunking Deploy port-security where possible for user ports Disable all unused ports and put them in an unused VLAN 25 Firewalls and Addressing Using real IP addresses Network Address Translation (NAT) Port Address Translation (PAT) 26 Copyright Printed in USA.

14 Using Real IP Addresses Private Network Source Address Destination Address Source Port Destination Port 53 Public Network Using NAT Private Network Source Address Destination Address Source Port Destination Port 53 Public Network Copyright Printed in USA.

15 Using PAT Private Network Source Address Destination Address Source Port Destination Port 53 Public Network Deploying Firewalls 31 Copyright Printed in USA.

16 Deployment Examples Internet firewall Remote Internet firewall Internet firewall with DMZ Internet firewall with multiple DMZ Intranet screening router High availability Intranet firewall design Personal firewall deployment design 32 Internet Firewall Design Internet Firewall Represents Single Line of Defense and May Be Only Internetworking Device which Logs Externals Access To NAT or Not to NAT? Where Do the Rules Go? Design Requirements Do Not Include Internet Servers. Inbound Connections Would Be Blocked; Outbound Connections Would Be Firewalled Based on Policy Intranet or SOHO 33 Copyright Printed in USA.

17 Remote Internet Firewall Design Internet Firewall Deployed at a Remote Site; How to Bring Syslog and SNMP Back to the Management Station? How to Securely Access CLI? Use an IPSec Tunnel to Bring Syslog and SNMP Data back to Central Management Station: Authenticated SSH or IPSec for CLI Access Intranet Management Station products_configuration_example09186a shtml 34 Internet Firewall with DMZ Internet Multiple Policies? Routing? Internet Server DMZ A DMZ (De-militarized Zone) Is a Common Design Element Used to Add an Additional Interface to a Firewall; This Additional Interface Implements a Different Policy Than Found on the Intranet or SOHO Interface Intranet or SOHO 35 Copyright Printed in USA.

18 Internet Firewall with Multi DMZ Internet Server VPN Server Internet DMZ (Out) DMZ (In) Some Sites May Require More than One DMZ in Order to Enforce Different Policies for Different Services; in This Example Different Policies Are Needed for Inbound and Outbound DMZ Access Intranet or SOHO Logging and Management Even More Policies 36 Internet Screening Router Filter Private IPs Internet Filter Mail Connections (SPAM) Local Black Hole List Internet Router Don t Overlook the Potential Access Control (Filter) and Quality of Service (QoS) Capabilities of the Internet Screening Router 37 Copyright Printed in USA.

19 Dual Firewall Design Internet Be Careful to Limit Connections between DMZ and the Intranet Using Multiple Firewalls Creates the Opportunity to Spread the Enforcement of the Security over Multiple Devices; Let Each Perform the Tasks that They Do Best Intranet 38 High Availability Firewall Design Stateful Packet Filtering Basic Layer 7 Filtering Host DoS Mitigation Cisco IOS Router Public Web Servers SMTP Content Inspection Spoof Mitigation DDoS Rate-Limiting Basic Filtering To Edge Distribution Module From the Cisco SAFE White Paper Content Inspection Servers Inspect Outbound Traffic for Unauthorized URLs Cisco Secure PIX Firewall To ISP Module To VPN/Remote Access Module 39 Copyright Printed in USA.

20 Intranet Firewall Design VoIP Directory Server Human Resources Server Intranet Intranet Firewalls Typically Implement Policies that Control Access to Specialized Servers (Applications, Back Up, Directory Services, Voice, Etc.) within an Intranet Internet Also Consider Using a FWSM in 6500 Switch! 40 Personal Firewall Deployment Design Internet How Do We Protect Moving Assets? The Need Is Twofold #1 Protect the Asset (the PC) from Infection and Corruption Intranet Management Station #2 Protect the Networks that the Asset Plugs into 41 Copyright Printed in USA.

21 New Firewall Functionality Creating Firewall Rules SMTP Reducing Complexity with Network Objects Adding Resiliency LAN Failover 42 Creating Firewall Rules Allowing SMTP to mail server Blocking SMTP outbound Why block outbound? Why SMTP? NIMDA opens SMTP connection ESMTP Soon on PIX and Cisco IOS Firewall 43 Copyright Printed in USA.

22 Protecting an Internal SMTP Server Filter Private IPs Internet Filter Mail Connections (SPAM) Check SMTP Commands Intranet SMTP Server 44 SMTP Rule PIX hostname fw501 domain-name cisco.com fixup protocol smtp 25 names name SMTP-server access-list outside_access_in permit tcp any host eq smtp pdm location SMTP-server inside 45 Copyright Printed in USA.

23 Creating a Rule with PDM 46 Cisco IOS FW IP Inspect SMTP Rule fw1710(config)#ip inspect name mailstop smtp? alert Turn on/off alert audit-trail Turn on/off audit trail timeout Specify the inactivity timeout time <cr> fw1710(config)#ip inspect name mailstop smtp audit-trail on fw1710(config)#ip inspect name mailstop smtp timeout 45 In the configuration you see: ip inspect name mailstop smtp audit-trail on timeout Copyright Printed in USA.

24 SMTP Rule Cisco IOS Firewall Alternative is an ACL Filters SMTP commands Allows IETF RFC 821 Section 4.5 commands Detects Telnet access to SMTP server Spots ASCII character transfers Also see SMTP IDS signature Signature 3106 Mail Spam Configurable Spam threshold 48 Using Network Objects Traditionally ACLs Have Looked like This: access-list inside_access_out deny ip any host access-list inside_access_out deny ip any host access-list inside_access_out deny ip any host access-list inside_access_out deny ip any host We Now Have the Capability of Writing ACLs on PIX like This: access-list inside_access_out deny ip any object-group KickGroup 49 Copyright Printed in USA.

25 Defining Network Objects name Kick1 name Kick2 name Kick3 name Kick4 object-group network KickGroup description ISC Cited Restriction List network-object Kick network-object Kick network-object Kick network-object Kick access-list inside_access_in deny ip any object-group KickGroup 50 Failover Options Firewall-specific failover Serial cable LAN-based failover Stateful failover Other failover techniques HSRP Dynamic routing 52 Copyright Printed in USA.

26 LAN-Based Failover (PIX) No longer needs serial cable Uses Ethernet Overcomes serial distance limitation Failover device authentication and message encryption via pre-shared keys Stateful Failover Active Mode LAN Interface Dedicated Switch or Hub Standby Mode 53 LAN-Based Failover New subcommand pix(config)# failover lan? Usage: [no] failover [active] failover ip address <if_name> <ip_address> failover mac address <ifc_name> <act_mac> <stn_mac> failover reset failover link <if_name> failover poll <seconds> failover replication http failover lan unit primary secondary interface <lan_if_name> key <key_secret> enable show failover [lan [detail]] pix(config)# 55 Copyright Printed in USA.

27 LAN-Based Failover Example Primary failover (existing commands) Connect LAN interface cable no failover failover lan unit primary failover lan interface intf3 failover lan key failover lan enable failover Standby Unit failover lan unit secondary failover lan interface intf3 failover lan key failover lan enable failover wr mem Connect LAN interface cable reload 56 Failover in FWSM A Dedicated Logical Interface (VLAN Interface) Is Created for Failover Communications Uses Failover Protocol to Detect a Failure Cat6K Cat6K Cat6K FWSM FWSM FWSM FWSM 57 Copyright Printed in USA.

28 Configuration Issues Failover On the connected switch ports: Enable PortFast Turn off Trunking and Channeling Do not use auto negotiation PIX LAN Failover uses IP protocol 105. Be careful with No Failover LAN enable command Check configuration before reload Power failure detection takes more time to failover without serial F/O cable Stand alone secondary Boots if primary is detected Secondary will reboot after 24 hours 58 Security Device Manager (SDM) 59 Copyright Printed in USA.

29 Security Audit in SDM SDM Provides a Check List of Security Faults Found 60 PIX Device Manager (PDM) 61 Copyright Printed in USA.

30 Firewall Management 62 Managing Firewalls Managing the firewall as a network object is network management Network management is concerned with network availability Managing the firewall as a security policy enforcement point is security management Security management is concerned with policy enforcement 63 Copyright Printed in USA.

31 Securing Firewall Management Why a secure management connection is important? How you can secure the management connection: SSH IPSec Out of band 64 PIX SSH Configuration Example fw501(config)#hostname fw501 fw501(config)#domain-name cisco.com fw501(config)#ca zeroize rsa fw501(config)#ca generate rsa key 512 Keypair generation process begin..success. fw501(config)# fw501(config)#ca save all fw501(config)#ssh inside fw501(config)#ssh timeout 15 fw501(config)# 65 Copyright Printed in USA.

32 SSH Access to the PIX brian]$ brian]$ ssh l pix pix@ s password: Warning: Remote host denied X11 forwarding Type help or? for a list of available commands fw501> fw501> en Password: ******** fw501# show ssh inside fw501# fw501# The default username for SSH is pix The default password is cisco 66 Configure Logging 3 different Syslog destinations: Trap Syslog server Console serial console port Monitor Telnet sessions Log Host defines PIX interface, IP address, protocol and port for Syslog server Syslog standard protocol is UDP, port is 514 Note: PIX supports Syslog over TCP (port 514) Don t forget logging on to enable Syslog! Most common pilot error 67 Copyright Printed in USA.

33 Syslog Levels Log Level Description Emergencies Alerts Critical Errors (Often Default) Warnings Notifications Informational Debugging 68 Interpreting a Syslog Message Message ID Protocol Source IP Address %PIX : Deny icmp src outside: dst inside: (type 3, code 1) by access-group "outside_access_in" Access Control List Destination IP Address Type/Code of Message 69 Copyright Printed in USA.

34 Finding Clues in Firewall Logs Cut out connection build up/tear down from PIX log Explain: Time stamps Source/destination IP address Source destination ports PIX flags 70 Things to Look for in Logs Firewall startup message When did the Firewall reboot? Traffic directed at firewall What type of traffic? Where traffic is from? Most active firewall rules Are those rules working properly? Least active firewall rules Why are they there? 71 Copyright Printed in USA.

35 Log Farming Make Sure that You Collect Syslog Back to Reliable Server; Check that Server (Especially Connectivity and Disk Space) as Often as You Would the Firewall Use Tools that Allow You to Archive Syslog Messages to a File at Regular Intervals; Daily (Dated) Archives Are Good for Most Sunday Monday Tuesday Wednesday Thursday Friday Saturday Dated Archive Files 72 Syslog Analysis 101 On Tuesday Morning Take Monday s Syslog Archive and Analyze It Monday You should be looking at the following (at least): How many total messages were recorded? Is that more or less than the day before? What is the message break down by level? How does that compare with the day before? Were there any new messages? What are the top 5 denied IP addresses? 73 Copyright Printed in USA.

36 Building a Custom Syslog Level New PIX Firewall Command: Logging message <message_id> level <new_level> At the Command Line: bpfpix515e# config t bpfpix515e(config)# logging message level 0 bpfpix515e(config)# logging message level 0 bpfpix515e(config)# logging message level 0 bpfpix515e(config)# logging message level 0 bpfpix515e(config)# logging message level 0 bpfpix515e(config)# Use Syslog Level 0 to Catch Critical Events 74 Building a Custom Syslog Level In the PIX Configuration logging message level emergencies logging message level emergencies logging message level emergencies logging message level emergencies logging message level emergencies The PIX Produces a Log Message that Looks Like: :44:45 Local0.Emergency %PIX : PIX startup completed. Beginning operation. Use Syslog Server or Log Reporting Tool Use to Create a Custom Alert (Example Send a Page when the Firewall Starts) 75 Copyright Printed in USA.

37 Managing Firewalls Image management Configuration management 76 Firewall Image Management Understand deployment release milestones General deployment Early deployment Limited deployment Regularly check with Cisco for security advisories 77 Copyright Printed in USA.

38 Configuration Management Backup the Firewall configuration BEFORE executing config term ALWAYS KNOW Where a backup copy of your firewall configuration is Keep a local copy of your firewall OS on a TFTP capable server What version of firewall code you are running 78 Testing Your Firewall Examples of scanning a firewall From the outside with no ACLs From the outside with protected server From the inside Scan the IP of the firewall and IP addresses behind firewall 79 Copyright Printed in USA.

39 When Your Network Is Attacked Make a backup of firewall logs To analyze looking for attackers inbound and outbound traffic Check your firewall logs Identify every attempt to log in at the firewall Look at all firewall configuration changes Look for differences and new things Consider implementing a more restrictive security policy Review security policy 80 Firewall Auditing Establish a check list used to make sure: The firewall system is operating properly, and that your network is secure The following are some things to check on a regular basis Suggestion would be to check these monthly or quarterly 81 Copyright Printed in USA.

40 Firewall Auditing Any changes to security policy? New users/groups New applications Changes? Is firewall software up to date? Rules updated for changes to network topology? Check IP addresses Any known vulnerabilities in firewall software? What are they? Do they affect your firewall? Recent backup of firewall configuration? Firewall and associated devices (router, switch) Check disk space on log server Migrate older log files off 82 Summary and Resources 83 Copyright Printed in USA.

41 New Challenges, New Firewalls Firewall feature functionality is evolving: Firewall support for VLANs Firewalls participating in routing 84 One Size Does Not fit all (at least it comes to firewalls) Match your choice of firewall to: What you need to protect (assets) Where you need to protect it (design) How you plan to protect it (policy) 85 Copyright Printed in USA.

42 Things to Consider Be careful adding services to your firewall Every new service is a potential new hole A firewall is one component of a security solution Recognize and use the other components available in your network Please look at your logs They provide an invaluable record of what happened only if you read them 86 Firewall Cisco Copyright Printed in USA.

43 Networkers 2002 SEC-1000, Intro to Security SEC-2006, Managing Security Technologies SEC-3020, Troubleshooting Firewalls 88 Cisco Documentation References PIX v6.2 Documentation Cisco IOS v12.2 Security Configuration Guide ecur_c/index.htm Cisco Cross-Platform Security Features Documentation 89 Copyright Printed in USA.

44 Questions 91 Thank You 92 Copyright Printed in USA.

45 Recommended Reading CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide ISBN: Managing Cisco Network Security ISBN: CCIE Security Exam Certification Guide ISBN: Available on-site at the Cisco Company Store 93 Recommended Reading CCIE Practical Studies: Security ISBN: Network Security Principles and Practices ISBN: Available on-site at the Cisco Company Store 94 Copyright Printed in USA.

46 Cisco Advanced Services-Delivered Course: Building Enhanced Cisco Security Networks Course Outline Detailed Security Policy Creation IPSec Overview Configuring Split Tunneling Implementing Dynamic Multipoint VPN (DMVPN) Deploying IPSec-High Availability (IPSec-HA) Configuring Cisco Secure VPN Concentrators and Cisco Secure PIX Firewalls for User Management Securing Cisco Network Management Deploying Identity-Based Networking Services (IBNS) for a Wireless Network Active Network Attacks 4210 Sensor Network Management and VMS Remote Office Core Network WAP WEB/RADIUS PC with VPN CA Access Edge client and Router wireless Edge DMVPN Router DMZ Host Redundant H Server with VPN 3005s HIDS System PIX 515E HSRP IPSec Routers Route Injector PIX 515E WEB CAT 6K w/ids Intranet Contact: aeskt_registration@cisco.com OR 95 Visit the World of Solutions Learn more about products and services surrounding the technologies covered in this session in the World of Solutions. The World of Solutions is open: Tuesday: Wednesday: 11:00am? 2:00pm 5:00pm? 8:00pm 11:00am? 2:00pm 5:00pm? 7:00pm 96 Copyright Printed in USA.

47 Deploying and Managing Firewalls Session 97 Please Complete Your Evaluation Form Session Copyright Printed in USA. 98

48 99 Copyright Printed in USA.