Deploying and Managing Firewalls


Transcription:

Slide 1: Deploying and Managing Firewalls
Session
Copyright Printed in USA.

Slide 3: Agenda
- Introduction
- Design Considerations
- Deployment Scenarios
- New Firewall Functionality
- Managing Firewalls
- Summary and Resources

Slide 4: Introduction

Slide 5: New Firewall Concepts
- New types of firewalls: firewall security appliances, integrated firewalls, personal firewalls
- Firewalls and default protection
- True value of zero rules

Slide 6: Firewall Security Appliances
- Combining functions: firewalls and authentication, VPN, intrusion detection
- Making it work together
- Design decision: is this the right location to deploy these features in the network?

Slide 7: Firewall Security Appliances
- Benefits: all-in-one approach; fits into the network design; easier to use; single interface to configure and manage
- Challenges: making it all work together; the "many eggs in a basket" problem

Slide 8: Integrated Firewalls
- Firewall technology embedded in a router, switch or other network device
- Benefits: design and ROI; throughput

Slide 9: Firewalls and Default Protection
Some of the things that firewalls do that we sometimes take for granted:
- Randomizing TCP sequence numbers
- Fragment handling
- Packet re-assembly
- Protocol-specific filters: DNS Guard, ActiveX/Java blocking
- What about NAT? Data hiding and security by obscurity

Slide 10: Firewalls and Data Traffic
Key concepts in a stateful firewall:
- Translations (xlates): IP address to IP address translation, inside to outside and outside to inside
- Connections (conns): IP sessions (TCP, UDP)
- Multiple connections can use one translation

Slide 11: Translation and Connections
Diagram: translations sit between Outside and Inside; connections ride on top of them.

Slide 12: Firewalls and Default Security Policies
- Adaptive Security Algorithm (ASA): all state, all the time
- Key features: security levels, fix-ups, content-based access control
- Maintains state when and where needed
- Knows protocols
- Uses ACLs

Slide 13: PIX Security Levels
Diagram: PIX Firewall with Public Network (security 0), DMZ (security 50) and Private Network (security 100).
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50

Slide 14: ASA Default Rules
- Higher to lower: PERMIT
- Lower to higher: DENY
- Between same: DENY
Diagram: Public Network (0), DMZ (50), Private Network (100).

Slide 15: Additional ASA Rules
- Allow TCP/UDP from inside
- Permit TCP/UDP return packets
- Drop and log connections from outside
- Drop and log source-routed IP packets
- Deny ICMP packets
- Drop and log all other packets from outside
- Protects the firewall

Slide 16: PIX Firewall Fix-Ups
    pixfw# fixup protocol ?
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521

Slide 17: Context-Based Access Control
- CBAC adds a stateful firewall to Cisco IOS
- Alternative to ACLs
- CBAC is protocol-specific: protocol-specific rules
- Adds audit capability
- Allows for tighter ACLs

Slide 18: How CBAC Works
Diagram: a Cisco IOS Firewall router sits between the users (E0) and the ISP/Internet (S0). CBAC creates a dynamic ACL to allow connections initiated from inside; all connections initiated from outside are blocked by the static ACL.

Slide 19: Personal Firewalls
- Inspect IP traffic at the TCP/IP protocol stack
- Enforce a local security policy that is defined somewhere else
- Protect against known threats
- Maintain the PFW program and policies via a central server

Slide 20: Design Considerations

Slide 21: How Firewalls Pass Packets (1)
Diagram: Outside 192.168.1.0/24 (firewall 192.168.1.1), Inside 10.20.1.0/24 (firewall 10.20.1.1).
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname fw501
    domain-name cisco.com
    ip address outside 192.168.1.1 255.255.255.0
    ip address inside 10.20.1.1 255.255.255.0
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    route (outside) 0.0.0.0 0.0.0.0 192.168.89.254 1

Slide 22: How Firewalls Pass Packets (2)
Diagram: Outside 192.168.1.0/24 (192.168.1.1); Inside interfaces 10.20.1.1 on 10.20.1.0/24 and 10.30.1.1 on 10.30.1.0/24.
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif vlan20 intf2 security50
    nameif vlan30 intf3 security60
    nameif ethernet1 inside security100
    hostname fw515
    domain-name cisco.com
    ip address outside 192.168.1.1 255.255.255.0
    ip address intf2 10.20.1.1 255.255.255.0
    ip address intf3 10.30.1.1 255.255.255.0
    ip address outside 192.168.1.1 255.255.255.0
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    route (outside) 0.0.0.0 0.0.0.0 192.168.89.254 1

Slide 23: How Firewalls Pass Packets (3)
Diagram: Catalyst 6500 with an FWSM in slot 5. Outside is VLAN 20 (10.20.1.0/24, FWSM address 10.20.1.1) reached via Fa8/1; Inside is VLAN 30 (10.30.1.0/24, FWSM address 10.30.1.1) reached via Fa8/2, with a WEB server behind it. Native IOS 12.1(13)E.
    Router# config t
    !
    vlan 20,30
    firewall vlan-group 1 20,30
    firewall module 5 vlan-group 1
    !
    int fa8/1
     switchport access vlan 20
    int fa8/2
     switchport access vlan 30
    -----------------
    Router# session slot 5 processor 1
    Trying FW-5...
    Connected to FW-5.
    Escape character is '^]'.
    Password: *****
    FWSM# conf t
    nameif 20 outside 0
    nameif 30 inside 100
    ip address outside 10.20.1.1/24
    ip address inside 10.30.1.1/24

Slide 24: How Firewalls Pass Packets (4)
Diagram: Outside 192.168.1.0/24 (192.168.1.1), Inside 10.20.1.0/24 (10.20.1.1).
    version 12.3
    !
    hostname 1700-fw
    !
    no ip source-route
    no service tcp-small-servers
    !
    ip inspect name FW ftp
    !
    interface FastEthernet0
     ip address 192.168.1.1 255.255.255.0
    interface Ethernet0
     ip address 192.168.185.129 255.255.255.192
     ip nat inside
     ip inspect FW in

Slide 25: Firewalls and VLANs
- Manage switches like firewalls (securely)
- Use private VLANs where appropriate to further divide L2 networks
- Set all user ports to non-trunking
- Deploy port security where possible for user ports
- Disable all unused ports and put them in an unused VLAN

Slide 26: Firewalls and Addressing
- Using real IP addresses
- Network Address Translation (NAT)
- Port Address Translation (PAT)

Slide 28: Using Real IP Addresses
Packet as seen on the private network and on the public network (no translation):
    Side              Source Address   Destination Address   Source Port   Destination Port
    Private network   53.68.89.45      71.168.1.10           2543          53
    Public network    53.68.89.45      71.168.1.10           2543          53
The reply from 71.168.1.10 carries the same addresses and ports reversed on both sides (source port 53, destination port 2543).

Slide 29: Using NAT
    Side              Source Address   Destination Address   Source Port   Destination Port
    Private network   10.0.0.3         176.26.0.100          2543          53
    Public network    71.68.4.51       176.26.0.100          2543          53
The reply from 176.26.0.100 (source port 53, destination port 2543) is addressed to the public address on the public side and is translated back to 10.0.0.3 on the private side.
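The xlate/conn model of slide 10, the default security-level rules of slides 14 and 15, and the real-address, NAT and PAT cases of slides 28 to 30, worked as an added Python model (a constructed example, not Cisco's code; the two-interface firewall, the sample addresses taken from the slides and the PAT port range starting at 1024 are assumptions):

```python
"""Toy model of the PIX concepts on slides 10, 13, 14, 15, 28, 29 and 30:
security levels decide whether a new connection may open, an xlate rewrites
the inside address (none, NAT or PAT), and a conn entry admits only the
matching return packets.  Added, constructed example, not Cisco code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport) as seen on ingress


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on (or leaves by, once forwarded)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Firewall:
    levels: Dict[str, int]                 # nameif ... securityN -> {"outside": 0, "inside": 100}
    mode: str = "real"                     # "real" = no translation, "nat" = 1:1, "pat" = shared
    nat_pool: List[str] = field(default_factory=list)      # public addresses handed out by NAT
    pat_address: str = ""                                  # the one public address used by PAT
    xlates: Dict[str, Tuple[str, int]] = field(default_factory=dict)     # inside view -> outside view
    conns: Dict[Tuple[str, Flow], Packet] = field(default_factory=dict)  # (ingress, flow) -> forwarded
    next_pat_port: int = 1024                              # assumption: PAT ports start here
    log: List[str] = field(default_factory=list)

    def egress(self, ingress: str) -> str:
        # Two-interface model: everything leaves by the other interface
        return next(n for n in self.levels if n != ingress)

    def translate(self, src: str, sport: int) -> Tuple[str, int]:
        """Create or reuse the xlate for an inside host (slide 10: many conns, one xlate)."""
        if self.mode == "real":
            return src, sport
        if self.mode == "nat":
            if src not in self.xlates:
                self.xlates[src] = (self.nat_pool.pop(0), 0)   # one public address per host
            return self.xlates[src][0], sport
        key = f"{src}:{sport}"                                 # PAT: shared address, unique port
        if key not in self.xlates:
            self.xlates[key] = (self.pat_address, self.next_pat_port)
            self.next_pat_port += 1
        return self.xlates[key]

    def process(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as forwarded, or None when the ASA rules drop it."""
        flow: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        hit = self.conns.get((pkt.iface, flow))
        if hit:                        # slide 15: packets of an existing conn are permitted
            return hit
        out = self.egress(pkt.iface)
        if self.levels[pkt.iface] <= self.levels[out]:   # slide 14: lower->higher, same level: DENY
            self.log.append(f"Deny {pkt.proto} src {pkt.iface}:{pkt.src} dst {out}:{pkt.dst}")
            return None
        if pkt.proto not in ("tcp", "udp"):               # slide 15: only TCP/UDP opened from inside
            self.log.append(f"Deny {pkt.proto} src {pkt.iface}:{pkt.src} dst {out}:{pkt.dst}")
            return None
        t_src, t_sport = self.translate(pkt.src, pkt.sport)
        fwd = Packet(out, pkt.proto, t_src, t_sport, pkt.dst, pkt.dport)
        rev = Packet(pkt.iface, pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.conns[(pkt.iface, flow)] = fwd                                   # later packets
        self.conns[(out, (pkt.proto, pkt.dst, pkt.dport, t_src, t_sport))] = rev   # the reply
        return fwd


def demo(mode: str) -> dict:
    """Two inside hosts query the same DNS server, it replies, an outsider probes, inside pings."""
    fw = Firewall({"outside": 0, "inside": 100}, mode=mode,
                  nat_pool=["71.68.4.51", "71.68.4.52"], pat_address="71.68.4.51")
    a = fw.process(Packet("inside", "udp", "10.0.0.3", 2543, "176.26.0.100", 53))
    b = fw.process(Packet("inside", "udp", "10.0.0.4", 2543, "176.26.0.100", 53))
    reply = fw.process(Packet("outside", "udp", "176.26.0.100", 53, a.src, a.sport))
    probe = fw.process(Packet("outside", "tcp", "176.26.0.100", 4444, a.src, 80))
    ping = fw.process(Packet("inside", "icmp", "10.0.0.3", 0, "176.26.0.100", 0))
    return {"a": (a.src, a.sport), "b": (b.src, b.sport),
            "reply_to": (reply.dst, reply.dport), "probe": probe, "ping": ping,
            "xlates": len(fw.xlates), "log": fw.log}
```

In "pat" mode both hosts leave as 71.68.4.51 and differ only by port, which is what lets one translation carry many connections; the unsolicited probe from outside is dropped and logged in every mode.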

Slide 30: Using PAT
    Side              Source Address   Destination Address   Source Port   Destination Port
    Private network   10.0.0.3         176.26.0.100          2543          53
    Public network    71.68.4.51       176.26.0.100          2543          53
The reply from 176.26.0.100 (source port 53, destination port 2543) is addressed to the public address on the public side and is translated back to 10.0.0.3 on the private side.

Slide 31: Deploying Firewalls

Slide 32: Deployment Examples
- Internet firewall
- Remote Internet firewall
- Internet firewall with DMZ
- Internet firewall with multiple DMZ
- Intranet screening router
- High availability
- Intranet firewall design
- Personal firewall deployment design

Slide 33: Internet Firewall Design
Diagram: Internet, Internet Firewall, Intranet or SOHO.
- The Internet firewall represents a single line of defense and may be the only internetworking device which logs external access
- To NAT or not to NAT?
- Where do the rules go?
- Design requirements do not include Internet servers: inbound connections would be blocked; outbound connections would be firewalled based on policy

Slide 34: Remote Internet Firewall Design
Diagram: Internet, Intranet, Management Station.
- Internet firewall deployed at a remote site: how to bring syslog and SNMP back to the management station? How to securely access the CLI?
- Use an IPSec tunnel to bring syslog and SNMP data back to the central management station; authenticated SSH or IPSec for CLI access
- http://www.cisco.com/en/us/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

Slide 35: Internet Firewall with DMZ
Diagram: Internet, Internet Server on the DMZ, Intranet or SOHO. Multiple policies? Routing?
- A DMZ (de-militarized zone) is a common design element used to add an additional interface to a firewall; this additional interface implements a different policy than found on the Intranet or SOHO interface

Slide 36: Internet Firewall with Multi DMZ
Diagram: Internet Server, VPN Server, DMZ (Out), DMZ (In), Logging and Management, Intranet or SOHO. Even more policies.
- Some sites may require more than one DMZ in order to enforce different policies for different services; in this example different policies are needed for inbound and outbound DMZ access

Slide 37: Internet Screening Router
Diagram: Internet Router between the Internet and the firewall.
- Filter private IPs
- Filter mail connections (spam): local black hole list
- Don't overlook the potential access control (filter) and Quality of Service (QoS) capabilities of the Internet screening router

Slide 38: Dual Firewall Design
Diagram: Internet, two firewalls, DMZ, Intranet.
- Be careful to limit connections between the DMZ and the Intranet
- Using multiple firewalls creates the opportunity to spread the enforcement of the security over multiple devices; let each perform the tasks that they do best

Slide 39: High Availability Firewall Design (from the Cisco SAFE white paper)
Diagram elements: Cisco IOS router (spoof mitigation, DDoS rate-limiting, basic filtering; to ISP module); Cisco Secure PIX Firewall (stateful packet filtering, basic Layer 7 filtering, host DoS mitigation); public web servers; SMTP content inspection; content inspection servers (inspect outbound traffic for unauthorized URLs); to edge distribution module; to VPN/remote access module.

Slide 40: Intranet Firewall Design
Diagram: VoIP, Directory Server, Human Resources Server, Intranet, Internet.
- Intranet firewalls typically implement policies that control access to specialized servers (applications, backup, directory services, voice, etc.) within an intranet
- Also consider using a FWSM in a 6500 switch!

Slide 41: Personal Firewall Deployment Design
Diagram: Internet, Intranet, Management Station.
- How do we protect moving assets? The need is twofold:
  #1 Protect the asset (the PC) from infection and corruption
  #2 Protect the networks that the asset plugs into

Slide 42: New Firewall Functionality
- Creating firewall rules: SMTP
- Reducing complexity with network objects
- Adding resiliency: LAN failover

Slide 43: Creating Firewall Rules
- Allowing SMTP to the mail server
- Blocking SMTP outbound: why block outbound? Why SMTP? NIMDA opens an SMTP connection
- ESMTP: soon on PIX and Cisco IOS Firewall

Slide 44: Protecting an Internal SMTP Server
Diagram: Internet; filter private IPs; filter mail connections (spam); check SMTP commands; Intranet SMTP server.

Slide 45: SMTP Rule (PIX)
    hostname fw501
    domain-name cisco.com
    fixup protocol smtp 25
    names
    name 192.168.1.200 SMTP-server
    access-list outside_access_in permit tcp any host 192.168.123.200 eq smtp
    pdm location SMTP-server 255.255.255.255 inside

Slide 46: Creating a Rule with PDM (screenshot)

Slide 47: Cisco IOS FW IP Inspect SMTP Rule
    fw1710(config)# ip inspect name mailstop smtp ?
      alert        Turn on/off alert
      audit-trail  Turn on/off audit trail
      timeout      Specify the inactivity timeout time
      <cr>
    fw1710(config)# ip inspect name mailstop smtp audit-trail on
    fw1710(config)# ip inspect name mailstop smtp timeout 45
In the configuration you see:
    ip inspect name mailstop smtp audit-trail on timeout 45

Slide 48: SMTP Rule, Cisco IOS Firewall
- Alternative is an ACL
- Filters SMTP commands: allows IETF RFC 821 Section 4.5 commands
- Detects Telnet access to the SMTP server
- Spots ASCII character transfers
- Also see the SMTP IDS signature: Signature 3106 Mail Spam, configurable spam threshold

Slide 49: Using Network Objects
Traditionally ACLs have looked like this:
    access-list inside_access_out deny ip any host 130.127.31.127
    access-list inside_access_out deny ip any host 211.181.197.222
    access-list inside_access_out deny ip any host 202.32.207.201
    access-list inside_access_out deny ip any host 131.128.32.83
We now have the capability of writing ACLs on PIX like this:
    access-list inside_access_out deny ip any object-group KickGroup

Slide 50: Defining Network Objects
    name 212.251.68.0 Kick1
    name 61.42.65.0 Kick2
    name 206.107.23.0 Kick3
    name 219.176.146.0 Kick4
    object-group network KickGroup
      description ISC Cited Restriction List
      network-object Kick1 255.255.255.0
      network-object Kick2 255.255.255.0
      network-object Kick3 255.255.255.0
      network-object Kick4 255.255.255.0
    access-list inside_access_in deny ip any object-group KickGroup

Slide 52: Failover Options
- Firewall-specific failover: serial cable; LAN-based failover; stateful failover
- Other failover techniques: HSRP; dynamic routing

Slide 53: LAN-Based Failover (PIX)
- No longer needs the serial cable; uses Ethernet
- Overcomes the serial distance limitation
- Failover device authentication and message encryption via pre-shared keys
Diagram: active-mode unit and standby-mode unit joined by a LAN interface through a dedicated switch or hub; stateful failover.

Slide 55: LAN-Based Failover, New Subcommand
    pix(config)# failover lan ?
    Usage: [no] failover [active]
           failover ip address <if_name> <ip_address>
           failover mac address <ifc_name> <act_mac> <stn_mac>
           failover reset
           failover link <if_name>
           failover poll <seconds>
           failover replication http
           failover lan unit primary|secondary
           failover lan interface <lan_if_name>
           failover lan key <key_secret>
           failover lan enable
           show failover [lan [detail]]
    pix(config)#

Slide 56: LAN-Based Failover Example
Primary unit (existing failover commands):
    Connect LAN interface cable
    no failover
    failover lan unit primary
    failover lan interface intf3
    failover lan key 12345678
    failover lan enable
    failover
Standby unit:
    failover lan unit secondary
    failover lan interface intf3
    failover lan key 12345678
    failover lan enable
    failover
    wr mem
    Connect LAN interface cable
    reload

Slide 57: Failover in FWSM
- A dedicated logical interface (VLAN interface) is created for failover communications
- Uses the failover protocol to detect a failure
Diagram: Cat6K chassis each holding an FWSM, paired for failover.

Slide 58: Configuration Issues, Failover
- On the connected switch ports: enable PortFast; turn off trunking and channeling; do not use auto-negotiation
- PIX LAN failover uses IP protocol 105
- Be careful with the "no failover lan enable" command; check the configuration before reload
- Power failure detection takes more time to fail over without the serial F/O cable
- Stand-alone secondary: boots if the primary is detected; the secondary will reboot after 24 hours

Slide 59: Security Device Manager (SDM)

Slide 60: Security Audit in SDM
- SDM provides a check list of security faults found

Slide 61: PIX Device Manager (PDM)

Slide 62: Firewall Management

Slide 63: Managing Firewalls
- Managing the firewall as a network object is network management; network management is concerned with network availability
- Managing the firewall as a security policy enforcement point is security management; security management is concerned with policy enforcement

Slide 64: Securing Firewall Management
- Why is a secure management connection important?
- How you can secure the management connection: SSH; IPSec; out of band

Slide 65: PIX SSH Configuration Example
    fw501(config)# hostname fw501
    fw501(config)# domain-name cisco.com
    fw501(config)# ca zeroize rsa
    fw501(config)# ca generate rsa key 512
    Keypair generation process begin..success.
    fw501(config)#
    fw501(config)# ca save all
    fw501(config)# ssh 192.168.1.0 255.255.255.0 inside
    fw501(config)# ssh timeout 15
    fw501(config)#

Slide 66: SSH Access to the PIX
    [brian@fordnix brian]$ ssh 192.168.1.1 -l pix
    pix@192.168.1.1's password:
    Warning: Remote host denied X11 forwarding
    Type help or '?' for a list of available commands
    fw501> en
    Password: ********
    fw501# show ssh
    192.168.1.1 255.255.255.0 inside
    fw501#
- The default username for SSH is pix; the default password is cisco

Slide 67: Configure Logging
- 3 different syslog destinations: trap (syslog server); console (serial console port); monitor (Telnet sessions)
- Log host defines the PIX interface, IP address, protocol and port for the syslog server
- The syslog standard protocol is UDP, port 514. Note: PIX supports syslog over TCP (port 514)
- Don't forget "logging on" to enable syslog! Most common pilot error

Slide 68: Syslog Levels
    Level   Description
    0       Emergencies
    1       Alerts
    2       Critical
    3       Errors (often the default)
    4       Warnings
    5       Notifications
    6       Informational
    7       Debugging

Slide 69: Interpreting a Syslog Message
    %PIX-4-106023: Deny icmp src outside:171.68.88.1 dst inside:171.68.89.147 (type 3, code 1) by access-group "outside_access_in"
Labelled fields: message ID (106023); protocol (icmp); source IP address (171.68.88.1); destination IP address (171.68.89.147); type/code of message (type 3, code 1); access control list (outside_access_in).

Slide 70: Finding Clues in Firewall Logs
- Cut out the connection build-up/tear-down messages from the PIX log
- Explain: time stamps; source/destination IP address; source/destination ports; PIX flags

Slide 71: Things to Look for in Logs
- Firewall startup message: when did the firewall reboot?
- Traffic directed at the firewall: what type of traffic? Where is the traffic from?
- Most active firewall rules: are those rules working properly?
- Least active firewall rules: why are they there?

Slide 72: Log Farming
- Make sure that you collect syslog back to a reliable server; check that server (especially connectivity and disk space) as often as you would the firewall
- Use tools that allow you to archive syslog messages to a file at regular intervals; daily (dated) archives are good for most
Diagram: dated archive files for Sunday through Saturday.

Slide 73: Syslog Analysis 101
- On Tuesday morning take Monday's syslog archive and analyze it
- You should be looking at the following (at least):
  How many total messages were recorded? Is that more or less than the day before?
  What is the message breakdown by level? How does that compare with the day before?
  Were there any new messages?
  What are the top 5 denied IP addresses?

Slide 74: Building a Custom Syslog Level
New PIX Firewall command: logging message <message_id> level <new_level>
At the command line:
    bpfpix515e# config t
    bpfpix515e(config)# logging message 199002 level 0
    bpfpix515e(config)# logging message 112001 level 0
    bpfpix515e(config)# logging message 202001 level 0
    bpfpix515e(config)# logging message 211001 level 0
    bpfpix515e(config)# logging message 318001 level 0
    bpfpix515e(config)#
- Use syslog level 0 to catch critical events

Slide 75: Building a Custom Syslog Level
In the PIX configuration:
    logging message 202001 level emergencies
    logging message 211001 level emergencies
    logging message 199002 level emergencies
    logging message 318001 level emergencies
    logging message 112001 level emergencies
The PIX produces a log message that looks like:
    5-14-2003 00:44:45 Local0.Emergency 192.168.1.254 %PIX-0-199002: PIX startup completed. Beginning operation.
- Use the syslog server or a log reporting tool to create a custom alert (example: send a page when the firewall starts)
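An added example (not from the deck or from Cisco) that runs the slide 73 checklist over constructed sample lines: it parses the %PIX-<level>-<id> header and the 106023 deny fields labelled on slide 69, counts messages by level, ranks the top denied sources, reports message IDs not seen the day before, and flags the five message IDs that slides 74 and 75 remap to level 0. The sample log lines, the host name fw501 and the 302001/302002/605005 messages in them are constructed for this example.

```python
"""Daily PIX syslog review (slides 69, 71, 73, 74 and 75).  Added example with
constructed sample log lines; not Cisco code and not part of the deck."""
import re
from collections import Counter
from typing import Optional

LEVEL_NAMES = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",          # slide 68
               4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging"}
# Slides 74/75: IDs the deck remaps with "logging message <id> level 0"
CUSTOM_CRITICAL = {"199002", "112001", "202001", "211001", "318001"}

HEADER = re.compile(r"%PIX-(?P<level>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")
# Slide 69 layout of 106023: protocol, source/destination interface:address[/port],
# optional ICMP type/code, and the access-group name
DENY = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? by access-group \"(?P<acl>[^\"]+)\"")


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into the fields slide 69 labels; None if not a PIX message."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"level": int(m.group("level")), "msgid": m.group("msgid"), "text": m.group("text")}
    d = DENY.match(rec["text"])
    if d:
        rec.update({k: v for k, v in d.groupdict().items() if v is not None})
    return rec


def analyze(log: str) -> dict:
    """The slide 73 checklist for one day's archive."""
    records = [r for r in map(parse_line, log.splitlines()) if r]
    by_level = Counter(r["level"] for r in records)
    denied = Counter(r["src"] for r in records if r["msgid"] == "106023" and "src" in r)
    acl_hits = Counter(r["acl"] for r in records if "acl" in r)        # most/least active rules
    alerts = [(r["msgid"], r["text"]) for r in records
              if r["level"] == 0 or r["msgid"] in CUSTOM_CRITICAL]     # e.g. firewall restart
    return {"total": len(records), "by_level": dict(by_level),
            "top_denied": denied.most_common(5), "acl_hits": dict(acl_hits),
            "msgids": {r["msgid"] for r in records}, "alerts": alerts}


def compare_days(today: dict, yesterday: dict) -> dict:
    """Slide 73: more or less than the day before, per level, and any new message IDs."""
    return {"delta_total": today["total"] - yesterday["total"],
            "new_msgids": sorted(today["msgids"] - yesterday["msgids"]),
            "level_delta": {lvl: today["by_level"].get(lvl, 0) - yesterday["by_level"].get(lvl, 0)
                            for lvl in LEVEL_NAMES}}


# Constructed sample archives (not real captures)
SUNDAY_LOG = """\
May 11 2003 08:10:02 fw501 %PIX-6-302001: Built outbound TCP connection 10 for faddr 176.26.0.100/80 gaddr 71.68.4.51/1024 laddr 10.0.0.3/2543
May 11 2003 08:10:09 fw501 %PIX-6-302002: Teardown TCP connection 10 faddr 176.26.0.100/80 gaddr 71.68.4.51/1024 laddr 10.0.0.3/2543 duration 0:00:07 bytes 4120
May 11 2003 09:00:00 fw501 %PIX-4-106023: Deny tcp src outside:10.9.8.7/4000 dst inside:171.68.89.147/25 by access-group "outside_access_in"
"""
MONDAY_LOG = """\
May 12 2003 00:44:45 fw501 %PIX-0-199002: PIX startup completed. Beginning operation.
May 12 2003 08:01:10 fw501 %PIX-4-106023: Deny icmp src outside:171.68.88.1 dst inside:171.68.89.147 (type 3, code 1) by access-group "outside_access_in"
May 12 2003 08:01:11 fw501 %PIX-4-106023: Deny tcp src outside:171.68.88.1/3345 dst inside:171.68.89.147/80 by access-group "outside_access_in"
May 12 2003 08:02:00 fw501 %PIX-4-106023: Deny tcp src outside:10.9.8.7/4000 dst inside:171.68.89.147/25 by access-group "outside_access_in"
May 12 2003 08:03:00 fw501 %PIX-6-302001: Built outbound TCP connection 12 for faddr 176.26.0.100/80 gaddr 71.68.4.51/1024 laddr 10.0.0.3/2543
May 12 2003 08:05:30 fw501 %PIX-6-605005: Login permitted from 192.168.1.5/1022 to inside:192.168.1.1/ssh for user "pix"
"""

if __name__ == "__main__":
    monday, sunday = analyze(MONDAY_LOG), analyze(SUNDAY_LOG)
    for level, count in sorted(monday["by_level"].items()):
        print(f"level {level} ({LEVEL_NAMES[level]}): {count}")
    print("top denied:", monday["top_denied"])
    print("alerts:", monday["alerts"])
    print("versus Sunday:", compare_days(monday, sunday))
```

The startup message surfaces as an alert both because it is level 0 and because 199002 is in the remapped set, so the script gives the same answer whether or not the `logging message ... level 0` lines are in the PIX configuration.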

Slide 76: Managing Firewalls
- Image management
- Configuration management

Slide 77: Firewall Image Management
- Understand deployment release milestones: general deployment; early deployment; limited deployment
- Regularly check with Cisco for security advisories

Slide 78: Configuration Management
- Back up the firewall configuration BEFORE executing "config term"
- ALWAYS KNOW: where a backup copy of your firewall configuration is; what version of firewall code you are running
- Keep a local copy of your firewall OS on a TFTP-capable server

Slide 79: Testing Your Firewall
- Examples of scanning a firewall: from the outside with no ACLs; from the outside with a protected server; from the inside
- Scan the IP of the firewall and the IP addresses behind the firewall

Slide 80: When Your Network Is Attacked
- Make a backup of the firewall logs, to analyze looking for the attackers' inbound and outbound traffic
- Check your firewall logs; identify every attempt to log in at the firewall
- Look at all firewall configuration changes; look for differences and new things
- Consider implementing a more restrictive security policy
- Review the security policy

Slide 81: Firewall Auditing
- Establish a check list used to make sure the firewall system is operating properly and that your network is secure
- The following are some things to check on a regular basis; the suggestion would be to check these monthly or quarterly

Slide 82: Firewall Auditing
- Any changes to the security policy? New users/groups, new applications, changes?
- Is the firewall software up to date?
- Rules updated for changes to the network topology? Check IP addresses
- Any known vulnerabilities in the firewall software? What are they? Do they affect your firewall?
- Recent backup of the firewall configuration? Firewall and associated devices (router, switch)
- Check disk space on the log server; migrate older log files off

Slide 83: Summary and Resources

Slide 84: New Challenges, New Firewalls
Firewall feature functionality is evolving:
- Firewall support for VLANs
- Firewalls participating in routing

Slide 85: One Size Does Not Fit All (at least when it comes to firewalls)
Match your choice of firewall to:
- What you need to protect (assets)
- Where you need to protect it (design)
- How you plan to protect it (policy)

Slide 86: Things to Consider
- Be careful adding services to your firewall; every new service is a potential new hole
- A firewall is one component of a security solution; recognize and use the other components available in your network
- Please look at your logs; they provide an invaluable record of what happened, but only if you read them

Slide 87: Firewall Resources @ Cisco
- http://www.cisco.com/go/firewall
- http://www.cisco.com/go/pix
- http://www.cisco.com/go/pdm
- http://www.cisco.com/go/sdm
- http://www.cisco.com/go/safe

Slide 88: Firewalls @ Networkers 2002
- SEC-1000, Intro to Security
- SEC-2006, Managing Security Technologies
- SEC-3020, Troubleshooting Firewalls

Slide 89: Cisco Documentation References
- PIX v6.2 Documentation: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm
- Cisco IOS v12.2 Security Configuration Guide: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
- Cisco Cross-Platform Security Features Documentation: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/newsecf/index.htm

Slide 91: Questions

Slide 92: Thank You

Slide 93: Recommended Reading
- CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, ISBN 1587200678
- Managing Cisco Network Security, ISBN 1578701031
- CCIE Security Exam Certification Guide, ISBN 1587200651
Available on-site at the Cisco Company Store.

Slide 94: Recommended Reading
- CCIE Practical Studies: Security, ISBN 1587050740
- Network Security Principles and Practices, ISBN 1587050250
Available on-site at the Cisco Company Store.

Slide 95: Cisco Advanced Services-Delivered Course: Building Enhanced Cisco Security Networks
Course outline:
- Detailed security policy creation
- IPSec overview
- Configuring split tunneling
- Implementing Dynamic Multipoint VPN (DMVPN)
- Deploying IPSec High Availability (IPSec-HA)
- Configuring Cisco Secure VPN Concentrators and Cisco Secure PIX Firewalls for user management
- Securing Cisco network management
- Deploying Identity-Based Networking Services (IBNS) for a wireless network
- Active network attacks
Lab diagram labels: 4210 Sensor; Network Management and VMS; Remote Office; Core Network; WAP; 3005; 3002-8; WEB/RADIUS; PC with VPN client and wireless; CA; Access Edge Router; Edge DMVPN Router; DMZ Host; Redundant Server with VPN 3005s; HIDS System; PIX 515E; HSRP IPSec Routers; Route Injector; PIX 515E; WEB; CAT 6K w/IDS; Intranet.
Contact: aeskt_registration@cisco.com or http://www.cisco.com/en/us/products/svcs/ps11/ps2696/serv_group_home.html

Slide 96: Visit the World of Solutions
Learn more about products and services surrounding the technologies covered in this session in the World of Solutions. The World of Solutions is open:
- Tuesday: 11:00am - 2:00pm, 5:00pm - 8:00pm
- Wednesday: 11:00am - 2:00pm, 5:00pm - 7:00pm

Slide 97: Deploying and Managing Firewalls
Session

Slide 98: Please Complete Your Evaluation Form
Session
