Firewall
A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules, and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.
Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.
Packet filtering: a packet filter examines each packet based only on information contained in the packet itself (most commonly a combination of the packet's source and destination address, its protocol and, for TCP and UDP traffic, the port number).
Packet filtering firewalls work mainly on the first three layers of the OSI reference model, which means most of the work is done between the network and physical layers, with a little bit of peeking into the transport layer to figure out source and destination port numbers. When a packet originates from the sender and passes through a firewall, the device checks it against the packet filtering rules configured in the firewall and drops or rejects the packet accordingly. The filtering decision is made on a protocol/port number basis (GSS). For example, if a rule exists in the firewall to block telnet access, the firewall will block TCP traffic to port 23, the telnet port.
Application Layer: the key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing). An application firewall is much more secure and reliable than a packet filter firewall because it works on all seven layers of the OSI model, from the application layer down to the physical layer. It behaves like a packet filter, but here we can also filter information on the basis of content. Good examples of application firewalls are Microsoft ISA (Internet Security and Acceleration) Server and McAfee Firewall Enterprise.
An application firewall can filter protocols such as FTP, Telnet, DNS, DHCP, HTTP, TCP, UDP and TFTP (GSS).
Stateful Firewall: third-generation firewalls, in addition to what first- and second-generation firewalls look for, regard the placement of each individual packet within the packet series. This technology is generally referred to as stateful packet inspection, as the firewall maintains records of all connections passing through it and is able to determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can itself be one of the criteria which trigger specific rules.
In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams and UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall; others will be rejected.
A drawback of pure packet filters is that they are stateless: they have no memory of previous packets, which makes them vulnerable to spoofing attacks. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Modern firewalls are connection-aware (or state-aware), offering network administrators finer-grained control of network traffic.
The classic example of a network operation that may fail with a stateless firewall is the File Transfer Protocol (FTP). By design, such protocols need to be able to open connections to arbitrary high ports to function properly. Since a stateless firewall has no way of knowing that a packet destined to the protected network (to some host's destination port 4970, for example) is part of a legitimate FTP session, it will drop the packet. Stateful firewalls solve this problem by maintaining a table of open connections and intelligently associating new connection requests with existing legitimate connections. The stateful firewall depends on the three-way handshake of the TCP protocol when the protocol being used is TCP; when the protocol is UDP, the stateful firewall does not depend on anything related to TCP. When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.
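As an added example (not code from the original article), the following simulates the connection tracking just described: outbound packets from the protected network always pass and drive a per-connection state machine (SYN marks a NEW connection, the server's SYN/ACK and the client's ACK move it to ESTABLISHED), while inbound packets pass only when they fit a tracked connection. UDP is handled the way the text describes, by remembering an outbound datagram so that its reply is admitted without any TCP handshake. The inside network, hosts and packet sequence are constructed for the illustration.

```python
"""Simulation of stateful packet inspection for TCP and UDP: traffic leaving
the protected network is always passed and drives a connection table; traffic
arriving from outside is passed only when it belongs to a tracked connection.
Added illustration, not code from the original article; the inside network and
the packet sequences are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags, comma separated: "SYN", "SYN,ACK", "ACK", "RST"


# Connection keys are stored from the inside host's point of view:
# (inside ip, inside port, outside ip, outside port, proto)
ConnKey = Tuple[str, int, str, int, str]


class StatefulFirewall:
    def __init__(self, inside_net: str) -> None:
        self.inside = ip_network(inside_net)
        self.table: Dict[ConnKey, str] = {}     # connection key -> state

    def _key(self, pkt: Packet, outbound: bool) -> ConnKey:
        if outbound:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def process(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for pkt and update the connection table."""
        outbound = ip_address(pkt.src) in self.inside
        key = self._key(pkt, outbound)
        flags = {f.strip() for f in pkt.flags.split(",") if f.strip()}
        state = self.table.get(key)

        if outbound:
            # Everything from the protected side passes, but it advances the state machine.
            if pkt.proto == "udp":
                self.table.setdefault(key, "UDP_OPEN")    # a datagram out opens a slot for the reply
            elif "RST" in flags:
                self.table.pop(key, None)                 # connection reset: forget it
            elif "SYN" in flags and "ACK" not in flags:
                self.table[key] = "NEW"                   # client SYN: a new connection
            elif "ACK" in flags and state == "SYN_ACK_SEEN":
                self.table[key] = "ESTABLISHED"           # third step of the handshake
            return "allow"

        # Inbound: only packets that fit a tracked connection get through.
        if state is None:
            return "drop"                                 # unsolicited SYN or rogue packet
        if pkt.proto == "udp":
            return "allow"                                # reply to an outbound datagram
        if "RST" in flags:
            self.table.pop(key, None)
            return "allow"
        if state == "NEW" and flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_ACK_SEEN"              # server's SYN/ACK to our SYN
            return "allow"
        if state == "ESTABLISHED" and "SYN" not in flags:
            return "allow"                                # data on an established connection
        return "drop"                                     # out of sequence for this connection

    def state_of(self, inside_ip: str, inside_port: int, outside_ip: str,
                 outside_port: int, proto: str = "tcp") -> Optional[str]:
        return self.table.get((inside_ip, inside_port, outside_ip, outside_port, proto))


def run_demo() -> List[str]:
    """Constructed sequence: a full handshake, data, an unsolicited inbound SYN,
    a DNS query/response pair, and a response from a server that was never asked."""
    fw = StatefulFirewall("10.1.1.0/24")
    client, web, dns = "10.1.1.5", "198.51.100.80", "192.0.2.53"
    sequence = [
        Packet(client, 40001, web, 80, "tcp", "SYN"),             # out: NEW
        Packet(web, 80, client, 40001, "tcp", "SYN,ACK"),         # in: matches NEW
        Packet(client, 40001, web, 80, "tcp", "ACK"),             # out: ESTABLISHED
        Packet(web, 80, client, 40001, "tcp", "ACK"),             # in: data, allowed
        Packet("203.0.113.9", 4444, client, 4970, "tcp", "SYN"),  # in: unsolicited, dropped
        Packet(client, 53001, dns, 53, "udp"),                    # out: opens a UDP slot
        Packet(dns, 53, client, 53001, "udp"),                    # in: reply, allowed
        Packet("192.0.2.66", 53, client, 53001, "udp"),           # in: no matching slot, dropped
    ]
    return [fw.process(p) for p in sequence]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last two UDP packets show the point of the connection table: a response is admitted only from the server the inside host actually queried, so a datagram from another address to the same client port has nothing to match and is dropped.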
Cisco PIX firewall
Cisco PIX (Private Internet eXchange) is a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.
In 2005, Cisco introduced the newer Adaptive Security Appliance (ASA), which inherited many PIX features, and in 2008 announced the PIX end-of-sale.
It is classified as a network layer firewall with stateful inspection, although technically the PIX would more precisely be called a Layer 4, or Transport Layer, firewall, as its access control is not restricted to Network Layer routing but covers socket-based connections (a port and an IP address; port communications occur at Layer 4). By default it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an Access Control List (ACL) or a conduit. The PIX can be configured to perform many functions including network address translation (NAT) and port address translation (PAT), as well as being a virtual private network (VPN) endpoint appliance.
The PIX was the first commercially available firewall product to introduce protocol-specific filtering, with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (the outside interface) for each DNS request from a client on the protected (inside) interface. "Fixup" has been superseded by "Inspect" in later versions of PIX OS.
The Cisco PIX was also one of the first commercially available security appliances to incorporate IPsec VPN gateway functionality.
The PIX can be managed by a command line interface (CLI) or a graphical user interface (GUI). The CLI is accessible from the serial console, telnet and SSH. GUI administration was introduced with version 4.1 and has been through several incarnations: PIX Firewall Manager (PFM) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client; PIX Device Manager (PDM) for PIX OS version 6.x, which runs over HTTPS and requires Java; and Adaptive Security Device Manager (ASDM) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS.
PIX firewalls provide a wide range of security and networking services
including:
- Network Address Translation (NAT) or Port Address Translation (PAT)
- content filtering (Java/ActiveX)
- URL filtering
- IPsec VPN
- support for leading X.509 PKI solutions
- DHCP client/server
- PPPoE support
- advanced security services for multimedia applications and protocols including Voice over IP (VoIP), H.323, SIP, Skinny and Microsoft NetMeeting
- AAA (RADIUS/TACACS+) integration
PIX terminology: we generally refer to the user segment as the Inside subnet. The interface connected to the Internet router is the Outside subnet. As shown, we probably have a DMZ (De-Militarized Zone) subnet, where we quarantine all servers that are accessible from the outside. We might also have a separate management subnet and a subnet tying to a redundant PIX for failover (if supported/licensed).
The PIX Command-Line Interface (CLI) is somewhat like the Cisco IOS interface, but different. Use a colon (":") for comments (which, as usual, are not retained). Newer PIX OS uses ACLs, replacing the former conduits.
Commands
enable password myEnableSecret encrypted | Set the enable password. The running configuration shows it in encrypted form with the keyword "encrypted" appended. When entering the command, leave off the "encrypted" keyword, or the PIX will treat the string you type as the already-encrypted form of the password.
name 10.3.3.22 FMSWEBSERVER | Map an address to a name.
nameif ethernet0 outside security0 | Define the name and security level of ethernet0.
nameif ethernet4 pix_failover security40 | We've connected ethernet4 to another failover-capable PIX; the name reflects this.
interface ethernet0 100full | Set the interface speed and duplex and activate the interface.
interface ethernet5 100full shutdown | Note that this interface is shut down.
ip address outside 1.1.1.1 255.255.255.0 | Assign the IP address and subnet mask of the outside interface.
ip address inside 10.1.1.1 255.255.255.0 | Assign the IP address and subnet mask of the inside interface.
After the PIX has been addressed, we need to think about what it is to do with the addresses of other devices. Do we wish to use Network Address Translation (NAT)? NAT lets your network have any IP addressing scheme, and the firewall hides these addresses from the external network. If we have global Internet addressing and do not wish to re-address our computers, we can assign NAT ID 0 within the PIX to disable NAT. Let's assume for our sample configuration that we do wish to perform NAT. (Looking at the above diagram, we have to do NAT: network 10.0.0.0/8 is a private address range.)
We generally put a global command on each lower security interface we want our internal users to have access to, although statics can be preferable for internal-internal access (see below). The main decision (other than addressing design) is whether to use one or multiple NAT IDs. Using unique NAT IDs limits access to specific interfaces. Using one NAT ID is simpler and assumes the PIX will sort out which nat command (below) pairs up with which global command on which interface.
We put nat commands on the higher security interfaces, allowing users to start connections to lower security level interfaces that have global commands on them. The NAT ID ties the inside addresses in the nat command to the pool of addresses in one or more global commands with the same NAT ID.
Port Address Translation is where all inside addresses appear as one outside address, with shifted ports. PAT has some restrictions, for example it cannot support H.323 or caching nameserver use, so you may want to use it to augment a range of global addresses rather than as your sole global address.
Let's see what that looks like:
global (outside) 1 1.1.1.51-1.1.1.100 netmask 255.255.255.0 | Defines the routable addresses used for outbound connections. This pool makes 1.1.1.51 through 1.1.1.100 available on a first come, first served basis; as connections are torn down the addresses become available again. These addresses are used before the PAT address specified below. The number "1" is the NAT ID for this pool.
global (outside) 1 1.1.1.50 netmask 255.255.255.0 | Defines the port address translation (PAT) address used by outbound connections after all the one-to-one translation addresses defined above are exhausted. This continues NAT ID (pool) 1.
nat (inside) 0 access-list 101 | "NAT 0" means no NAT-ing is happening. This entry is used for the IPsec connection defined in the configuration: the nat command with an access list exempts the traffic matched by the access-list statements from NAT. Access list 101 (not shown) specifies IPsec traffic. This row may confuse users, and if we are not going to touch IPsec now I would leave it out. We'll cover IPsec on the PIX in a future article.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0 | Connects global pool 1 to the networks allowed to tap into that pool: subnet 10.1.1.0 on the inside interface may use global pool 1 for its outbound connections. The nat command enables or disables address translation for one or more internal addresses; an inside network that is not explicitly defined to use a pool gets no translation. Address translation means that when a host starts an outbound connection, its internal IP address is translated into a global address.
nat (management) 1 10.2.2.0 255.255.255.0 0 0 | Subnet 10.2.2.0 on the management interface may use global pool 1 for its outbound connections.
Note that if ACL 101 is undefined, no IPsec traffic will match and no traffic will go through the IPsec tunnel. All traffic would then be subjected to NAT.
If you've used NAT before, you'll recognize that servers on the inside that need to be reached from the outside need static mappings. The static command creates a permanent mapping (called a static translation slot or "xlate") between a local IP address and a global IP address. Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level. When NAT exists between two interfaces the command takes the form "static (high,low) low high". Without address translation, the format of the static command becomes "static (high,low) high high".
static (dmz,outside) 1.1.1.22 10.3.3.22 netmask 255.255.255.255 0 0 | You specify the IP address that users on the lower security interface's network will use to reach the server on the higher security interface's network. Here we make a DMZ web server at 10.3.3.22 reachable as outside address 1.1.1.22.
static (inside,management) 10.1.1.13 10.1.1.13 netmask 255.255.255.255 0 0 | Allows traffic from the inside interface (address 10.1.1.13) to the management subnet, or vice versa if an appropriate ACL exists for traffic coming from the lower security interface. NAT does not change the address.
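To make the interplay of the global, nat and static commands above concrete, here is an added model of the translation (xlate) table they produce; it is an illustration written for this page, not the PIX implementation. It hands out the one-to-one pool first come, first served, falls back to the PAT address with shifted ports once the pool is exhausted, honours NAT 0 as "no translation", and answers inbound lookups only for statics and live one-to-one slots. The addresses follow the sample configuration, except that the pool is shortened to two addresses so the PAT fallback is reached quickly; the connection sequence is constructed.

```python
"""Model of the PIX translation (xlate) table produced by the global, nat and
static commands: a one-to-one global pool handed out first come, first served,
a PAT address with shifted ports once the pool is exhausted, NAT 0 exemption,
and a static mapping that makes a DMZ server reachable from the outside.
Added illustration, not the PIX implementation; addresses follow the article's
sample configuration (pool shortened to two addresses), connections are constructed."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class XlateTable:
    def __init__(self) -> None:
        self.pools: Dict[int, List[str]] = {}   # nat_id -> free one-to-one global addresses
        self.pat: Dict[int, str] = {}           # nat_id -> PAT address
        self.next_pat_port = 1024               # next shifted source port to hand out
        self.nat_rules: List[Tuple[IPv4Network, int]] = []  # (inside network, nat_id); 0 = no NAT
        self.statics: Dict[str, str] = {}       # local ip -> global ip, permanent
        self.host_xlates: Dict[str, str] = {}   # local ip -> one-to-one global ip (per host)
        self.host_conns: Dict[str, int] = {}    # live connections behind each host xlate
        self.pat_xlates: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (local ip, port) -> (pat ip, port)

    # -- configuration, one method per PIX command --
    def add_global(self, nat_id: int, first: str, last: Optional[str] = None) -> None:
        """global (outside) <nat_id> <first>[-<last>]: a range is a NAT pool, a single address is PAT."""
        if last is None:
            self.pat[nat_id] = first
            return
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.pools.setdefault(nat_id, []).extend(str(ip_address(i)) for i in range(lo, hi + 1))

    def add_nat(self, nat_id: int, network: str) -> None:
        """nat (<if>) <nat_id> <network> <mask>: tie an inside network to pool nat_id (0 exempts it)."""
        self.nat_rules.append((ip_network(network), nat_id))

    def add_static(self, global_ip: str, local_ip: str) -> None:
        """static (high,low) <global> <local>: permanent mapping, reachable from the outside."""
        self.statics[local_ip] = global_ip

    # -- translation --
    def _nat_id_for(self, local_ip: str) -> Optional[int]:
        addr = ip_address(local_ip)
        for net, nat_id in self.nat_rules:
            if addr in net:
                return nat_id
        return None                  # no nat command covers this host: no slot, traffic denied

    def outbound(self, local_ip: str, local_port: int) -> Optional[Tuple[str, int]]:
        """Translate a new outbound connection; returns (global ip, global port) or None."""
        if local_ip in self.statics:
            return (self.statics[local_ip], local_port)      # statics also serve outbound traffic
        if local_ip in self.host_xlates:
            self.host_conns[local_ip] += 1                   # host already holds a pool address
            return (self.host_xlates[local_ip], local_port)
        nat_id = self._nat_id_for(local_ip)
        if nat_id is None:
            return None
        if nat_id == 0:
            return (local_ip, local_port)                    # NAT 0: address passes unchanged
        free = self.pools.get(nat_id, [])
        if free:
            self.host_xlates[local_ip] = free.pop(0)         # first come, first served
            self.host_conns[local_ip] = 1
            return (self.host_xlates[local_ip], local_port)
        if nat_id in self.pat:
            slot = (self.pat[nat_id], self.next_pat_port)    # pool exhausted: PAT, shifted port
            self.next_pat_port += 1
            self.pat_xlates[(local_ip, local_port)] = slot
            return slot
        return None                                          # exhausted and no PAT address

    def teardown(self, local_ip: str, local_port: int) -> None:
        """Connection closed: free the slot so the address becomes available again."""
        if (local_ip, local_port) in self.pat_xlates:
            del self.pat_xlates[(local_ip, local_port)]
        elif local_ip in self.host_xlates:
            self.host_conns[local_ip] -= 1
            if self.host_conns[local_ip] == 0:               # last connection gone: back to pool
                nat_id = self._nat_id_for(local_ip)
                self.pools[nat_id].append(self.host_xlates.pop(local_ip))

    def inbound(self, global_ip: str) -> Optional[str]:
        """Inside host reached by a packet addressed to global_ip: only a static or a live
        one-to-one slot answers; a PAT address or an unused pool address leads nowhere."""
        for local, glob in self.statics.items():
            if glob == global_ip:
                return local
        for local, glob in self.host_xlates.items():
            if glob == global_ip:
                return local
        return None


def build_sample_pix() -> XlateTable:
    """The article's sample configuration with the pool cut to two addresses so PAT kicks in."""
    t = XlateTable()
    t.add_global(1, "1.1.1.51", "1.1.1.52")   # global (outside) 1 1.1.1.51-1.1.1.52
    t.add_global(1, "1.1.1.50")               # global (outside) 1 1.1.1.50 (PAT address)
    t.add_nat(1, "10.1.1.0/24")               # nat (inside) 1 10.1.1.0 255.255.255.0 0 0
    t.add_nat(1, "10.2.2.0/24")               # nat (management) 1 10.2.2.0 255.255.255.0 0 0
    t.add_static("1.1.1.22", "10.3.3.22")     # static (dmz,outside) 1.1.1.22 10.3.3.22
    return t


if __name__ == "__main__":
    pix = build_sample_pix()
    print(pix.outbound("10.1.1.5", 40001))    # ('1.1.1.51', 40001) from the pool
    print(pix.outbound("10.2.2.9", 40002))    # ('1.1.1.52', 40002) pool now exhausted
    print(pix.outbound("10.1.1.6", 40003))    # ('1.1.1.50', 1024) PAT with a shifted port
    print(pix.inbound("1.1.1.22"))            # 10.3.3.22 via the static
    print(pix.inbound("1.1.1.50"))            # None: nothing is reachable behind the PAT address
```

The inbound lookups show why a static is needed for the DMZ web server: a dynamic pool address exists only while an inside host is using it, and the PAT address never identifies an inside host at all, so only the static gives the outside a stable way to reach 10.3.3.22.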
We also need some static routing, so the PIX knows which subnets are out which interface. Like Cisco routers, the PIX knows how to route to connected subnets, so you only have to specify subnets or address ranges behind other routers. You can only have one default route for the PIX Firewall.
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1 | Specifies a default route out the outside interface to a router at 1.1.1.254, which is 1 hop away.
route management 10.117.220.0 255.255.255.0 10.2.2.254 | Specifies a route to the 10.117.220.0 network via the management interface with the next hop address set to 10.2.2.254 (assuming 10.117.220.0 is behind a router on the management subnet).
* In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage. Another kind of spoofing is "webpage spoofing," also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under the control of the attacker. The main intent is to fool users into thinking that they are connected to a trusted site, for instance to harvest usernames and passwords.
* TCP provides reliable, ordered delivery of a stream of bytes from a program on one computer to a program on another computer. TCP is the protocol that major Internet applications rely on, applications such as the World Wide Web, e-mail and file transfer. Other applications, which do not require a reliable data stream service, may use the User Datagram Protocol (UDP), which provides a datagram service that emphasizes reduced latency over reliability.
* The Internet Protocol (IP) is the principal communications protocol used for relaying datagrams (packets) across an internetwork using the Internet Protocol Suite. Responsible for routing packets across network boundaries, it is the primary protocol that establishes the Internet.