Cisco designing perimeter security



Document information

DPS Designing Perimeter Security, Version 1.0, Student Guide
Copyright © 2003, Cisco Systems, Inc. All rights reserved.

Cisco Systems has more than 200 offices worldwide; addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices. Cisco, Cisco IOS, Cisco Systems, PIX and the other Cisco marks named in the original front matter are trademarks or registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0203R) Printed in the USA.

Table of Contents

Course Introduction
• Overview
• Course Objectives

Design Analysis
• Overview
• Researching an Organization's Requirements
• Identifying an Organization's Existing Situation
• Example Scenarios
• Summary
• Quiz: Design Analysis

NAT Overview
• Overview
• Addressing Scenarios
• NAT Technologies and Implementation
• NAT Protocol Compatibility
• NAT Security Evaluation
• Summary
• Quiz: NAT Overview

Design Using a NAT/PAT Solution
• Overview
• Bidirectional NAT
• Configuring Bidirectional NAT Using Cisco IOS Software
• Configuring Bidirectional NAT Using Cisco Secure PIX Firewall
• Multihoming
• Summary
• Quiz: Design Using a NAT/PAT Solution

Firewall Function
• Overview
• Firewall Definition and Purpose
• Firewalls and Security Policies
• Firewall Features and Limitations
• Summary
• Quiz: Firewall Function

Firewall Technologies
• Overview
• Packet Filters
• Application Gateways
• Stateful Packet Filters
• Alternative Firewalls
• Summary
• Quiz: Firewall Technologies

Firewall Architectures
• Overview
• Perimeter Concepts
• Screening Router Firewall Architecture
• Screened Host Firewall Architecture
• Dual-Homed Host Firewall Architecture
• Screened Subnet Firewall Architecture
• Virtual Firewalls
• Summary
• Quiz: Firewall Architectures

Protocol Handling in Firewalls
• Overview
• Network Control Protocols
• Name Resolution Protocols
• Remote Procedure Call Protocols
• File Transfer Protocols
• Web Protocols
• Messaging Protocols
• Database Access Protocols
• Voice and Multimedia Protocols
• Remote Terminal and Display Access Protocols
• VPN Protocols
• Management Protocols
• Summary
• Quiz: Firewall Handling of Protocols

Firewall Design General Guidelines
• Overview
• Compartmentalization
• Running Applications Over Firewalls
• Choosing Inspection Layers
• Firewall Rule Design
• Defense-in-Depth
• Example Scenarios
• Summary
• Quiz: Firewall Design

High Availability and High Performance Firewalls
• Overview
• Local Firewall High Availability
• Long Distance Firewall High Availability
• High Performance Firewalls
• Local Firewall Load Balancing
• Remote Firewall Load Balancing
• Summary
• Quiz: High Availability and High Performance Firewalls

Understanding PIX Firewall NAT
• Overview
• PIX Firewall Products
• PIX Security Levels in Detail
• Understanding PIX NAT Translations
• Understanding PIX One-to-One NAT Translations
• Understanding PIX Many-to-One NAT Translations
• Understanding PIX Identity NAT
• Understanding PIX NAT Limitations
• Using NAT for Defense-in-Depth
• Summary
• Quiz: Understanding PIX Firewall NAT

Understanding PIX Firewall Security
• Overview
• PIX Adaptive Security Algorithm in Detail
• PIX Advanced Access Control Features
• PIX Rule Scalability Features
• PIX Access Control Limitations
• PIX Advanced Cut-Thru Proxy Features
• PIX Device Manager
• PIX Deployment Example Scenario
• Summary
• Quiz: Understanding PIX Firewall Security

Cisco IOS Software Access Control Features
• Overview
• Advanced IOS ACLs
• Example Scenario
• IOS Reflexive ACLs
• Example Scenario
• Advanced IOS CBAC Configuration
• Example Scenario
• IOS Advanced Access Controls
• IOS Protection Against Denial-of-Service
• Summary
• Quiz: Cisco IOS Software Access Control Features

Content Engines
• Overview
• Content Engines Security Positioning
• Reverse Proxying
• Application Access Control
• Firewall Integration
• Content Engine Limitations
• Summary
• Quiz: Content Engines

Lab Exercises
• Firewall Design: Objective; Detailed Instructions
• Firewall Design Solutions: Objective; Solutions
• Firewall High Availability: Objective; Detailed Instructions
• Firewall High Availability Solutions: Objective; Solutions
• Understanding PIX Firewall NAT: Objective; Detailed Instructions
• Understanding PIX Firewall NAT Solutions: Objective; Solutions

Course Introduction

Overview
This chapter includes the following topics:
• Course objectives
• Course agenda
• Participant responsibilities
• General administration
• Graphic symbols
• Participant introductions
• Cisco security career certifications

Course Objectives
This section introduces the course and the course objectives. Upon completion of this course, you will be able to perform the following tasks:
• Identify an organization's requirements and current implementation of perimeter security
• Suggest improvements to an organization's perimeter security
• Design a new solution based on an organization's requirements
• Identify and compare NAT technologies
• Select an appropriate NAT technology for an organization's requirements
• Design advanced NAT solutions for some common enterprise connectivity scenarios
• Explain the function of a firewall and identify its benefits and limitations
• Compare several common firewall technologies with respect to access control and identify their features, benefits, and limitations
• Compare different basic firewall architectures and select the proper architecture for an organization's requirements
• Select an appropriate firewall technology for an organization's application needs
• Design an abstract firewall system, enforcing a defined security policy, and using best practice design methods
• Design a firewall system supporting high availability and high levels of performance
• Identify advanced NAT features and identify NAT limitations of the Cisco Secure PIX Firewall product when using it in a firewall system design

Firewall High Availability (lab exercise)

Objective
In its disaster recovery plans, a company needs to provide long-distance firewall failover over a WAN network. The central site has a PIX Firewall installed, and the remote disaster recovery site also has a PIX Firewall system. As there is no LAN connection between the sites, LAN-based failover cannot be used.

Detailed Instructions
Complete the following to finish this laboratory exercise.

Designing NAT in Active-Active Load Balancing Using Routing Protocols
With two PIX Firewalls in an active-active setup, using routing protocols to load-balance traffic can be a simple and effective method of balancing. However, symmetric traffic flow must be guaranteed at all times, so that each PIX Firewall sees all packets of a session. You were called in to assist in a firewall design where such a load-balancing setup is required. The following figure shows the current implementation of the firewall system.

Figure 1: Load sharing/load balancing with dual NAT

The organization has attempted to implement such load balancing, but ran into problems when symmetric flow of traffic was required. Obviously, a clever use of NAT will be required to provide symmetric flow.

Step 1: Provide configuration guidelines on how to configure NAT to provide symmetric flow of traffic over the active-active PIX Firewall pair. Change the basic design of the firewall system, if necessary. Write your proposed NAT rules in the space below.

Step 2: Consider the following situations:
• What if the customer decided to implement your solution for a disaster-recovery center, which is 100 miles from the central site? What would you change in your design?
• What would be the inter-site connectivity options for the most cost-effective option, and for the most robust (quickest failover) option?

Verification
Discuss your proposed solution with other groups and the instructor.

Firewall High Availability Solutions

Objective
In its disaster recovery plans, a company needs to provide long-distance firewall failover over a WAN network. The central site has a PIX Firewall installed, and the remote disaster recovery site also has a PIX Firewall system. As there is no LAN connection between the sites, LAN-based failover cannot be used.

Solutions

Designing NAT in Active-Active Load Balancing Using Routing Protocols

Step 1: Provide configuration guidelines on how to configure NAT to provide symmetric flow of traffic over the active-active PIX Firewall pair. Change the basic design of the firewall system, if necessary.

Answer: NAT should be configured to provide the translation of client addresses: inside users for outbound connections, and outside users for inbound connections. The two firewalls must use different NAT global pools, each routed to its respective firewall. BGP should be able to detect failures of firewall elements or of external (BGP-enabled) connections. The best firewall is chosen based on preferences inside BGP (local preference, weights, AS paths, and so on). BGP peering needs to be configured between all routers adjacent to the firewall filters.

Step 2: Consider the following situations:
• What if the customer decided to implement your solution for a disaster-recovery center, which is 100 miles from the central site? What would you change in your design?
• What would be the inter-site connectivity options for the most cost-effective option, and for the most robust (quickest failover) option?

Answer: The best option would be to use BGP routing over the firewall, with timers set low to detect failed connections quickly. NAT can still be used to ensure symmetric flow.

Understanding PIX Firewall NAT (lab exercise)

Objective
In this lab exercise, you will analyze various aspects of the PIX Firewall NAT engine to provide connectivity and access control functionality.

Detailed Instructions
Complete the following to finish this laboratory exercise.

Design Example Scenario
An organization has a more complex firewall, which connects it to the Internet, over which an intranet VPN is set up, as well as to some WAN connections, over which the organization connects to its business partners. This environment has some specific addressing needs:
• The sites reachable over the VPN (in the 10.254.0.0/16 range) should always be visible with their real (internal) IP addresses.
• Some business partners (see figure) have address spaces overlapping with the company address space. Translate your 10.0.1.0/24 subnet to them as 192.168.254.0/24, and their networks into your network as subnets of 172.16.0.0/12.
• All connectivity to the Internet is through an HTTP proxy server (192.168.1.1) in a DMZ. No direct Internet connectivity is allowed.

Figure 1: Example topology

Step 1: Describe the required translation rules in the figure and space below.

Additional Questions
• If this were a centralized firewall, how would you enable Internet connectivity for all remote (VPN) locations?
• If the company decides to abandon the proxy server and have direct connectivity to the Internet, how would this change your design?

Verification
Discuss your proposed solution with other groups and the instructor.

Understanding PIX Firewall NAT Solutions

Objective
In this lab exercise, you will analyze various aspects of the PIX Firewall NAT engine to provide connectivity and access control functionality.

Solutions

Design Example Scenario

Step 1: Describe the required translation rules in the figure and space below.

    ! inside-to-VPN connectivity: exempt from translation (nat 0 with an access list)
    access-list NO-NAT permit ip 10.0.0.0 255.0.0.0 10.254.0.0 255.255.0.0
    nat (inside) 0 access-list NO-NAT
    ! business partner connections
    ! translate ourselves out as 192.168.254.0/24
    static (inside,outside) 192.168.254.0 10.0.1.0 netmask 255.255.255.0
    ! translate them in as parts of 172.16.0.0/12 (dns keyword also rewrites A records)
    static (outside,inside) 172.16.0.0 10.1.0.0 netmask 255.255.0.0 dns
    static (outside,inside) 172.17.0.0 10.5.0.0 netmask 255.255.0.0 dns
    static (outside,inside) 172.18.1.0 10.0.5.0 netmask 255.255.255.0 dns
    ! inside access to the proxy (identity translation), proxy access to the Internet
    static (inside,proxy) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
    static (proxy,outside) 200.1.1.1 192.168.1.1 netmask 255.255.255.255

Review Questions

If this is a centralized firewall, how would you enable Internet connectivity for all remote (VPN) locations?
If the firewall is centralized, then the Internet traffic has to run over the VPN (using IPsec, or plain GRE, as no confidentiality is required for Internet traffic) and terminate inside the central firewall. You must not terminate the IPsec tunnels on the PIX Firewall outside interface in this case, as traffic cannot exit the PIX Firewall through the same interface it entered on.

If the company decides to abandon the proxy server and have direct connectivity to the Internet, how would this change your design?
Inside clients then need to be translated out to the Internet (using the "nat" and "global" commands).
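The translation rules in the solution above, modelled as an added Python example (not part of the course and not Cisco's NAT engine): it applies the NAT-exemption access list and the static entries to sample packets and reports the addresses seen on the egress interface. The PIX semantics it assumes are simplified: exemption is checked first, the most specific static wins, and a source with no translation slot is dropped; the packet addresses are constructed.

```python
import ipaddress

# Added illustration of the lab's translation rules; PIX 6.x semantics are
# simplified (exemption checked first, most specific static wins, a source
# without a translation slot is dropped). Not Cisco's NAT engine.
Net = ipaddress.IPv4Network

# nat (inside) 0 access-list NO-NAT: inside <-> VPN sites keep real addresses.
NO_NAT = [(Net("10.0.0.0/8"), Net("10.254.0.0/16"))]

# static (real_ifc,mapped_ifc) mapped_net real_net, as in the lab solution.
STATICS = [
    ("inside",  "outside", Net("192.168.254.0/24"), Net("10.0.1.0/24")),
    ("outside", "inside",  Net("172.16.0.0/16"),    Net("10.1.0.0/16")),
    ("outside", "inside",  Net("172.17.0.0/16"),    Net("10.5.0.0/16")),
    ("outside", "inside",  Net("172.18.1.0/24"),    Net("10.0.5.0/24")),
    ("inside",  "proxy",   Net("10.0.0.0/8"),       Net("10.0.0.0/8")),
    ("proxy",   "outside", Net("200.1.1.1/32"),     Net("192.168.1.1/32")),
]


def _remap(addr, from_net, to_net):
    """Keep the host offset, swap the network part."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + offset)


def translate(src, dst, in_ifc, out_ifc):
    """Return (src, dst) as seen on out_ifc, or None if the PIX would drop it."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # NAT exemption is bidirectional and takes precedence over every static.
    if any((src in a and dst in b) or (src in b and dst in a) for a, b in NO_NAT):
        return str(src), str(dst)
    src_hits, dst_hits = [], []
    for real_ifc, mapped_ifc, mapped, real in STATICS:
        # Packet leaving the real interface: its source takes the mapped address.
        if (in_ifc, out_ifc) == (real_ifc, mapped_ifc) and src in real:
            src_hits.append((real.prefixlen, real, mapped))
        # Packet entering on the mapped interface: its destination is un-mapped.
        if (in_ifc, out_ifc) == (mapped_ifc, real_ifc) and dst in mapped:
            dst_hits.append((mapped.prefixlen, mapped, real))
    if not src_hits:
        return None  # no xlate for this source: the packet is not let through
    _, real, mapped = max(src_hits)
    new_src = _remap(src, real, mapped)
    new_dst = _remap(dst, *max(dst_hits)[1:]) if dst_hits else dst
    return str(new_src), str(new_dst)


if __name__ == "__main__":
    for pkt in [("10.0.1.5", "172.16.2.7", "inside", "outside"),
                ("10.1.2.7", "192.168.254.5", "outside", "inside"),
                ("10.0.7.9", "198.51.100.10", "inside", "outside")]:
        print(pkt, "->", translate(*pkt))
```

The last sample packet, an inside host going straight to the Internet, gets no translation and is dropped, which is how the "no direct Internet connectivity" requirement shows up in the NAT rules alone.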
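The active-active design from the Firewall High Availability solution earlier on this page, as an added Python example (not from the course): each PIX owns a distinct global pool that only it advertises, so the Internet-side routers return traffic to the firewall that holds the translation, and a reply that reaches the other PIX finds no xlate. Firewall names, pools and BGP local-preference values are constructed.

```python
import ipaddress

# Added model of the lab's active-active answer (not from the course): each PIX
# owns its own global pool and only that PIX's neighbours advertise it, so the
# return path is pinned to the firewall that holds the xlate. Names, pools and
# BGP local-preference values are constructed for the example.
Net = ipaddress.IPv4Network
FIREWALLS = {
    "pix-a": {"pool": Net("200.1.1.0/24"), "local_pref": 200},
    "pix-b": {"pool": Net("200.1.2.0/24"), "local_pref": 100},
}
XLATES = {name: {} for name in FIREWALLS}   # global_ip -> inside address


def outbound_firewall(alive):
    """Inside routers prefer the live PIX with the highest local-preference."""
    live = [n for n, up in alive.items() if up]
    return max(live, key=lambda n: FIREWALLS[n]["local_pref"]) if live else None


def open_session(inside_ip, alive):
    """Outbound connection: PAT the client onto the chosen PIX's own pool."""
    fw = outbound_firewall(alive)
    if fw is None:
        return None
    global_ip = str(FIREWALLS[fw]["pool"][1])   # first usable pool address
    XLATES[fw][global_ip] = inside_ip
    return fw, global_ip


def return_firewall(global_ip):
    """Internet-side routers pick the path by destination pool (BGP prefix)."""
    addr = ipaddress.IPv4Address(global_ip)
    for name, fw in FIREWALLS.items():
        if addr in fw["pool"]:
            return name
    return None


def deliver_return(global_ip, arriving_fw):
    """Only the PIX holding the xlate can un-translate the reply."""
    return XLATES[arriving_fw].get(global_ip)   # None: no xlate, dropped


def session_is_symmetric(inside_ip, alive):
    """True when the reply comes back through the PIX that opened the session."""
    opened = open_session(inside_ip, alive)
    if opened is None:
        return False
    fw, global_ip = opened
    return return_firewall(global_ip) == fw and deliver_return(global_ip, fw) == inside_ip
```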

Posted: 23/10/2019, 15:03

Contents

  • Cap1 - Course Introduction

  • Cap2 - Design Analysis

  • Cap3 - NAT Overview

  • Cap4 - Design Using a NAT/PAT Solution

  • Cap5 - Firewall Function

  • Cap6 - Firewall Technologies

  • Cap7 - Firewall Architectures

  • Cap8 - Protocol Handling in Firewalls

  • DPS Design Network Security v1[1].0 Part2.pdf

    • Cap8 - Firewall Design General Guidelines

    • Cap9 - High Availability and High Performance Firewalls

    • Cap10 - Understanding PIX Firewall NAT

    • Cap11 - Understanding PIX Firewall Security

    • Cap12 - Cisco IOS Software Access Control Features

    • Cap13 - Content Engines

    • Cap14 - Firewall Design

    • Cap15 - Firewall Design Solutions

    • Cap16 - Firewall High Availability

    • Cap17 - Firewall High Availability Solutions

    • Cap18 - Understanding PIX Firewall NAT

    • Cap19 - Understanding PIX Firewall NAT Solutions
