
Lecture CCNA security partner - Chapter 9: Firewall Fundamentals and Network Address Translation


DOCUMENT INFORMATION

Basic information

Number of pages: 29
Size: 684,76 KB

Content

This chapter explains the operations of the different types of firewall technologies and the role they play in network access control and security architectures. It also describes guidelines for firewall rule set creation. The chapter then describes the function and building blocks of Network Address Translation.

Firewall Fundamentals and Network Address Translation
© 2012 Cisco and/or its affiliates. All rights reserved.

Ethics
• The information security profession has a number of formalized codes:
  – International Information Systems Security Certification Consortium, Inc. (ISC)2 Code of Ethics
  – Computer Ethics Institute (CEI)
  – Internet Activities Board (IAB)
  – Generally Accepted System Security Principles (GASSP)

Contents
This chapter teaches firewall concepts, technologies, and design principles. At the end of this chapter, you will be able to do the following:
• Explain the operations of the different types of firewall technologies
• Describe firewall technologies that historically have played, and still play, a role in network access control and security architectures
• Introduce and describe the function and building blocks of Network Address Translation
• List design considerations for firewall deployment
• Describe guidelines for firewall ruleset creation

Introducing Firewall Technologies
• A firewall protects network devices from intentional, hostile intrusions that could threaten information assurance (availability, confidentiality, and integrity) or lead to a denial-of-service (DoS) attack.
• A firewall can protect a hardware device or a software program running on a secure host computer.
• This chapter introduces the firewall technologies that Cisco uses in routers and security appliances.

Firewall Fundamentals
A firewall is a pair of mechanisms that perform two separate functions, which are set by policies:
• One mechanism blocks bad traffic.
• The second mechanism permits good traffic.
Firewall: Enforcing Access Control

Common properties
• Must be resistant to attacks
• Must be the only transit point between networks
• Enforces the access control policy of an organization
Protective measure against the following:
• Exposure of sensitive hosts and applications to untrusted users
• Exploitation of protocol flaws
• Malicious data

Firewalls in a Layered Defense Strategy

Static Packet-Filtering Firewalls
How Static Packet Filters Map to the OSI Model
Static Packet Filter in Action

Application Layer Gateways

Advantages
Stateful packet-filtering firewalls are good to use for the following applications:
• As a primary means of defense
• As an intelligent first line of defense
• As a means of strengthening packet filtering
• To improve routing performance
• As a defense against spoofing and DoS attacks

Limitations
Stateful firewalls have the following limitations:
• Stateful firewalls cannot prevent application layer attacks
• Not all protocols have a state
• Some applications open multiple connections
• Stateful firewalls do not authenticate users by default

Other Types of Firewalls
• Application Inspection Firewalls, aka Deep Packet Inspection
• An application inspection firewall behaves in different ways according to each layer:
  – Transport layer mechanism
  – Application layer mechanism
There are several advantages of an application inspection firewall:
• Application inspection firewalls are aware of the state of transport-layer (Layer 4) and application-layer (Layer 7) connections
• Application inspection firewalls check the conformity of application commands
• Application inspection firewalls have the capability to check and affect the application layer (Layer 7)
• Application inspection firewalls can prevent more kinds of attacks than stateful firewalls can

Transparent Firewalls (Layer 2 Firewalls)
Transparent Firewalling: Firewall Interfaces All in the Same Subnet
• Cisco IOS routers, Cisco ASA Adaptive Security Appliance Software, Cisco Firewall Services Module, and Cisco ASA Services Module offer the capability to deploy a security appliance in a secure bridging mode, as a Layer 2 device, to provide rich Layer 2 through Layer 7 security services for the protected network.

NAT Fundamentals
Example of Network Address Translation

NAT table
Cisco defines the following list of NAT terms:
• Inside local address
• Inside global address
• Outside local address
• Outside global address

Example of Port Address Translation (aka NAT Overload) on Cisco IOS Router
Translating Inside Source Address
Static Translation

NAT Deployment Choices
The deployment modes in NAT operations are as follows:
• Static NAT
• Dynamic NAT
• Dynamic PAT (NAT overload)
• Policy NAT
• Static PAT

Firewall Designs
Best practices documents are a composite effort of security practitioners. This partial list of best practices is generic and serves only as a starting point for your own firewall security policy:
• Position firewalls at key security boundaries, separating security domains with different levels of trust
• Firewalls are the primary security device, but it is unwise to rely exclusively on a firewall for security
• Deny all traffic by default and permit only services that are needed
• Implement various firewall technologies, matching your application mix and security policy requirements
• Ensure that physical access to the firewall is controlled
• Regularly monitor firewall logs; Cisco Security Manager and other Cisco management tools are available for this purpose
• Practice change management for firewall configuration changes

Firewall Policies in a Layered Defense Strategy
When defining access rules, multiple criteria can be used as a starting point:
• Rules based on service control
• Rules based on direction control
• Rules based on user control
• Rules based on behavior control
Firewall Access Rule Structure: Top-Down Process

Firewall rules
• Promiscuous rules
• Redundant rules
• Shadowed rules
• Orphaned rules

References
For additional information, refer to these resources:
• Cisco Systems, Inc. "Configuring Network Address Translation: Getting Started," http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0
• Mason, Andrew. Cisco Firewall Technology (Cisco Press, 2007).
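The NAT table and PAT (NAT overload) slides above describe how several inside local addresses share one inside global address. The following added example (not code from the Cisco chapter; all addresses are constructed sample values) models that table in Python and shows why replies are translated back to the originating host while unsolicited inbound packets, which have no table entry, are dropped.

```python
"""Port Address Translation (NAT overload) table walkthrough.

Added example, not code from the Cisco chapter. It models the table an IOS
router builds for NAT overload: many inside local addresses share one inside
global address and are told apart by the translated source port. All
addresses are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Entry:
    inside_local: Tuple[str, int]    # private address/port of the inside host
    inside_global: Tuple[str, int]   # public address/port seen from outside
    outside_global: Tuple[str, int]  # real address/port of the outside host


class PatTable:
    def __init__(self, inside_global_ip: str, first_port: int = 1024):
        self.inside_global_ip = inside_global_ip
        self.next_port = first_port
        self.by_flow: Dict[Flow, Entry] = {}
        self.by_global_port: Dict[int, Entry] = {}

    def outbound(self, pkt: Flow) -> Flow:
        """Translate an inside-to-outside packet, adding a table entry if new."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if pkt not in self.by_flow:
            port = self.next_port          # unique port is the 'overload' trick
            self.next_port += 1
            entry = Entry((src_ip, src_port), (self.inside_global_ip, port),
                          (dst_ip, dst_port))
            self.by_flow[pkt] = entry
            self.by_global_port[port] = entry
        entry = self.by_flow[pkt]
        return (entry.inside_global[0], entry.inside_global[1], dst_ip, dst_port)

    def inbound(self, pkt: Flow) -> Optional[Flow]:
        """Translate a reply back to the inside host. None means no matching
        entry exists, so the router has nowhere to send the packet and drops
        it: unsolicited outside traffic never reaches an inside host."""
        src_ip, src_port, dst_ip, dst_port = pkt
        entry = self.by_global_port.get(dst_port)
        if (entry is None or dst_ip != self.inside_global_ip
                or entry.outside_global != (src_ip, src_port)):
            return None
        return (src_ip, src_port, entry.inside_local[0], entry.inside_local[1])
```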
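The top-down access rule structure and the redundant and shadowed rule types listed above can be checked mechanically before a change is deployed. This added example (not the chapter's own material; the rule format and the sample rule set are constructed) audits a rule list for later rules that an earlier rule makes unreachable, the dangerous case being a deny that a broader permit above it silently shadows.

```python
"""Detect shadowed and redundant rules in a top-down firewall rule set.

Added example, not code from the Cisco chapter. First match wins, so a later
rule fully covered by an earlier one never fires: a different action makes it
shadowed (policy intent lost), the same action makes it redundant.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" (ip matches any protocol)
    src: IPv4Network
    dst: IPv4Network
    ports: Tuple[int, int]   # inclusive destination port range


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching rule b also matches rule a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    ports_ok = a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
    return proto_ok and ports_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def audit(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (finding, later_rule, earlier_rule) for each anomaly. Only
    coverage by a single earlier rule is checked; a rule shadowed by the
    union of several earlier rules is not reported (a simplification)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, later.name, earlier.name))
                break  # the first covering rule decides the outcome
    return findings


ANY = IPv4Network("0.0.0.0/0")
# Constructed sample rule set using documentation address ranges; r2 means to
# block telnet to one server but r1 already permits all tcp to that subnet.
SAMPLE = [
    Rule("r1", "permit", "tcp", IPv4Network("10.0.0.0/8"), IPv4Network("192.0.2.0/24"), (0, 65535)),
    Rule("r2", "deny", "tcp", IPv4Network("10.1.0.0/16"), IPv4Network("192.0.2.10/32"), (23, 23)),
    Rule("r3", "permit", "udp", ANY, IPv4Network("198.51.100.53/32"), (53, 53)),
    Rule("r4", "permit", "udp", IPv4Network("10.2.0.0/16"), IPv4Network("198.51.100.53/32"), (53, 53)),
    Rule("r5", "deny", "ip", ANY, ANY, (0, 65535)),
]
```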

Posted: 30/01/2020, 11:20