Firewall Fundamentals and Network Address Translation
© 2012 Cisco and/or its affiliates. All rights reserved.
Ethics
• The information security profession has a number of formalized codes:
  – International Information Systems Security Certification Consortium, Inc. (ISC)2 Code of Ethics
  – Computer Ethics Institute (CEI)
  – Internet Activities Board (IAB)
  – Generally Accepted System Security Principles (GASSP)
Contents
This chapter teaches firewall concepts, technologies, and design
principles. At the end of this chapter, you will be able to do the following:
• Explain the operations of the different types of firewall technologies
• Describe firewall technologies that historically have played, and still play,
a role in network access control and security architectures
• Introduce and describe the function and building blocks of Network
Address Translation
• List design considerations for firewall deployment
• Describe guidelines for firewall ruleset creation
Introducing Firewall Technologies
• A firewall protects network devices from intentional, hostile intrusions
that could threaten information assurance (availability, confidentiality,
and integrity) or lead to a denial-of-service (DoS) attack.
• A firewall can protect a hardware device or a software program running
on a secure host computer.
• This chapter introduces the firewall technologies that Cisco uses in
routers and security appliances.
Firewall Fundamentals
A firewall is a pair of mechanisms that perform these two separate
functions, which are set by policies:
• One mechanism blocks bad traffic.
• The second mechanism permits good traffic.
Firewall: Enforcing Access Control
Common properties
• Must be resistant to attacks
• Must be the only transit point between networks
• Enforces the access control policy of an organization
Protective measure against the following:
• Exposure of sensitive hosts and applications to untrusted users
• Exploitation of protocol flaws
• Malicious data
Firewalls in a Layered Defense Strategy
Static Packet-Filtering Firewalls
How Static Packet Filters Map to the OSI Model
Static Packet Filter in Action
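The slides above describe static packet filtering but only show it as a diagram. The following is an added example, not code from the Cisco deck: a small static packet filter that evaluates each packet in isolation against an ordered rule list, Layer 3/4 headers only, first match wins, implicit deny at the end. The implicit deny is the "deny all traffic by default" practice listed later under Firewall Designs. All addresses, rules and sample packets are constructed for the demonstration; the last sample shows why a filter with no memory of earlier packets cannot recognise return traffic, the gap that stateful filtering closes.

```python
"""Added example, not code from the Cisco deck: a static packet filter.

A static packet filter looks only at Layer 3/4 header fields (addresses,
protocol, ports) of each packet in isolation; it keeps no memory of earlier
packets. Rules are tried top-down, the first match decides, and a packet that
matches nothing hits the implicit deny at the end of the list. All addresses,
rules and packets below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 plays the role of the ACL "any"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); ("deny", None) is the implicit deny."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Constructed ruleset applied inbound on the outside interface, in front of a
# DMZ web server at 203.0.113.10.
RULES = [
    Rule("deny", src="10.0.0.0/8"),   # anti-spoofing: a private source never legitimately arrives from outside
    Rule("permit", proto="tcp", dst="203.0.113.10/32", dport=443),
    Rule("permit", proto="tcp", dst="203.0.113.10/32", dport=80),
    Rule("permit", proto="icmp", dst="203.0.113.0/24"),
]


def demo() -> List[Tuple[str, str, Optional[int]]]:
    """Run constructed packets through RULES; returns (label, action, rule index)."""
    samples = [
        ("https to web server", Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 443)),
        ("spoofed private source", Packet("10.1.2.3", "203.0.113.10", "tcp", 51000, 443)),
        ("ssh to web server", Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 22)),
        ("ping the DMZ", Packet("198.51.100.7", "203.0.113.40", "icmp")),
        # A reply to a connection an inside host opened: with no memory of the
        # outbound packet, the static filter cannot tell it from a fresh inbound
        # connection and denies it. Allowing it would need a broad rule for all
        # high destination ports, which is the gap stateful filtering closes.
        ("reply to inside client", Packet("198.51.100.7", "203.0.113.50", "tcp", 443, 52000)),
    ]
    return [(label, *filter_packet(RULES, pkt)) for label, pkt in samples]


if __name__ == "__main__":
    for label, action, idx in demo():
        print(f"{label:<24} {action:<7} rule {idx if idx is not None else 'implicit deny'}")
```

The rule order matters: the anti-spoofing deny sits first so that a packet with a private source address is dropped before any permit can match it.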
Application Layer Gateways
Application layer firewalls
Application layer firewalls provide several advantages:
• Application layer firewalls authenticate individuals, not devices
• Application layer firewalls make it harder for hackers to spoof and
implement DoS attacks
• Application layer firewalls can monitor and filter application data
• Application layer firewalls can provide detailed logging
Proxy Server Communication Process
Dynamic or Stateful Packet-Filtering Firewalls
Stateful Packet Filtering
Advanced
Stateful packet-filtering firewalls are good to use for the following
applications:
• As a primary means of defense
• As an intelligent first line of defense
• As a means of strengthening packet filtering
• To improve routing performance
• As a defense against spoofing and DoS attacks
Limited
Stateful firewalls have the following limitations:
• Stateful firewalls cannot prevent application layer attacks
• Not all protocols have a state
• Some applications open multiple connections
• Stateful firewalls do not authenticate users by default
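The two slides above list what a stateful firewall is good for and where it falls short, without showing the state table that makes the difference. The following is an added example, not code from the Cisco deck: a minimal stateful packet filter that records connections opened from the inside, permits matching return traffic, and denies anything unsolicited. The replayed sequence also exercises two of the listed limitations: UDP has no handshake ("not all protocols have a state"), so the filter keeps a pseudo-entry with an idle timeout, and a server-initiated second connection ("some applications open multiple connections") is dropped because no entry predicts it. All addresses, ports and timestamps are constructed.

```python
"""Added example, not code from the Cisco deck: a minimal stateful packet filter.

The filter keeps a state table of connections opened from the inside
(trusted) interface. Return traffic that matches an entry is permitted;
inbound packets that belong to no known connection are denied, which is the
stateful default. TCP state follows the handshake flags. UDP has no handshake,
so the filter keeps a pseudo-entry that expires after an idle timeout.
Addresses, ports and timestamps are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                              # "tcp" or "udp"
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


Key = Tuple[str, int, str, int, str]        # (src, sport, dst, dport, proto) of the inside initiator


@dataclass
class Entry:
    state: str          # "SYN_SENT", "ESTABLISHED" or "UDP"
    last_seen: float


class StatefulFilter:
    UDP_IDLE_TIMEOUT = 30.0   # seconds without traffic before a UDP pseudo-entry expires

    def __init__(self) -> None:
        self.table: Dict[Key, Entry] = {}

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    def inspect(self, pkt: Packet, direction: str, now: float) -> str:
        """direction is 'out' (inside->outside) or 'in' (outside->inside); returns permit/deny."""
        self._expire(now)
        return self._outbound(pkt, now) if direction == "out" else self._inbound(pkt, now)

    def _outbound(self, pkt: Packet, now: float) -> str:
        key = self._key(pkt)
        if pkt.proto == "udp":                               # no handshake: create/refresh a pseudo-entry
            self.table[key] = Entry("UDP", now)
            return "permit"
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:   # new connection from the inside
            self.table[key] = Entry("SYN_SENT", now)
            return "permit"
        entry = self.table.get(key)
        if entry is None:
            return "deny"                                    # mid-stream segment with no connection
        if pkt.flags & {"FIN", "RST"}:                       # simplified teardown (no four-way close tracking)
            del self.table[key]
        else:
            entry.last_seen = now
        return "permit"

    def _inbound(self, pkt: Packet, now: float) -> str:
        # A reply to (src:sport -> dst:dport) carries the tuple mirrored, so look it up reversed.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        entry = self.table.get(key)
        if entry is None:
            return "deny"                                    # unsolicited inbound traffic
        if pkt.proto == "tcp":
            if entry.state == "SYN_SENT" and pkt.flags >= {"SYN", "ACK"}:
                entry.state = "ESTABLISHED"
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]
                return "permit"
        entry.last_seen = now
        return "permit"

    def _expire(self, now: float) -> None:
        dead = [k for k, e in self.table.items()
                if e.state == "UDP" and now - e.last_seen > self.UDP_IDLE_TIMEOUT]
        for k in dead:
            del self.table[k]


def run_demo() -> List[Tuple[str, str]]:
    """Replay a constructed packet sequence; returns (label, decision) pairs."""
    fw = StatefulFilter()
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    seq = [
        ("client SYN to web server", Packet("10.1.1.5", 40000, "198.51.100.20", 443, "tcp", syn), "out", 1.0),
        ("server SYN/ACK back", Packet("198.51.100.20", 443, "10.1.1.5", 40000, "tcp", synack), "in", 1.1),
        ("unsolicited SYN to inside ssh", Packet("198.51.100.99", 33333, "10.1.1.5", 22, "tcp", syn), "in", 2.0),
        # the server opens a second connection of its own (an FTP-style data channel)
        ("server opens data channel", Packet("198.51.100.20", 20, "10.1.1.5", 40001, "tcp", syn), "in", 3.0),
        ("dns query out", Packet("10.1.1.5", 5353, "198.51.100.53", 53, "udp"), "out", 10.0),
        ("dns reply in", Packet("198.51.100.53", 53, "10.1.1.5", 5353, "udp"), "in", 12.0),
        ("late dns reply after idle timeout", Packet("198.51.100.53", 53, "10.1.1.5", 5353, "udp"), "in", 100.0),
    ]
    return [(label, fw.inspect(p, d, t)) for label, p, d, t in seq]


if __name__ == "__main__":
    for label, decision in run_demo():
        print(f"{label:<36} {decision}")
```

Only packets from the inside create entries, so the ruleset the administrator writes can stay small: it only has to say which outbound connections are allowed, and the table takes care of the replies.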
Other Types of Firewalls
• Application Inspection Firewalls, aka Deep Packet Inspection
• An application inspection firewall behaves in different ways according to
each layer:
  – Transport layer mechanism
  – Application layer mechanism
There are several advantages of an application inspection firewall:
• Application inspection firewalls are aware of the state of Layer 4 and
Layer 5 connections.
• Application inspection firewalls check the conformity of application
commands.
• Application inspection firewalls have the capability to check and affect
Layer 7.
• Application inspection firewalls can prevent more kinds of attacks than
stateful firewalls can.
Transparent Firewalls (Layer 2 Firewalls)
Transparent Firewalling: Firewall Interfaces All in the Same Subnet
• Cisco IOS routers, Cisco ASA Adaptive Security Appliance Software,
Cisco Firewall Services Module, and Cisco ASA Services Module offer
the capability to deploy a security appliance in a secure bridging mode
as a Layer 2 device to provide rich Layer 2 through 7 security services
for the protected network
NAT Fundamentals
Example of Network Address Translation
NAT table
Cisco defines the following list of NAT terms:
• Inside local address
• Inside global address
• Outside local address
• Outside global address
Example of Port Address Translation (aka NAT Overload) on Cisco IOS Router
Translating Inside Source Address
Static Translation
NAT Deployment Choices
The deployment modes in NAT operations are as follows:
• Static NAT
• Dynamic NAT
• Dynamic PAT (NAT overload)
• Policy NAT
• Static PAT
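The NAT slides above name the four Cisco address terms and the deployment modes but show the translation table only as a figure. The following is an added example, not code from the Cisco deck: a small translator that models three of the listed modes, static NAT (fixed one-to-one, also admitting new inbound connections), dynamic NAT (one-to-one from a pool, which can run out) and dynamic PAT / NAT overload (many inside hosts behind one inside global address, distinguished by source port), and records each translation in the four-column form of the NAT table (inside global, inside local, outside local, outside global). Outside addresses are not translated, so outside local equals outside global. Every address, port and network is a constructed sample value.

```python
"""Added example, not code from the Cisco deck: a NAT/PAT translator that uses
Cisco's four address terms and three of the deployment modes on the slides.

  inside local    address of an inside host as seen on the inside (e.g. RFC 1918)
  inside global   address the same host is presented as on the outside
  outside local   address of an outside host as seen on the inside
  outside global  address of the outside host as seen on the outside
Outside addresses are not translated here, so outside local == outside global.
All addresses and packets below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


Endpoint = Tuple[str, int]   # (address, port)


class Nat:
    def __init__(self, static: Dict[str, str], dynamic_net: str, pool: List[str],
                 pat_net: str, pat_addr: str) -> None:
        self.static = dict(static)                  # static NAT: inside local -> inside global
        self.static_rev = {g: l for l, g in static.items()}
        self.dynamic_net = ip_network(dynamic_net)  # hosts translated one-to-one from the pool
        self.pool = list(pool)                      # free inside-global addresses
        self.pat_net = ip_network(pat_net)          # hosts overloaded onto pat_addr
        self.pat_addr = pat_addr
        self.next_port = 1024                       # next free PAT source port
        self.out: Dict[Endpoint, Endpoint] = {}     # (inside local, port) -> (inside global, port)
        self.back: Dict[Endpoint, Endpoint] = {}    # reverse of `out`, for return traffic
        self.rows: List[Tuple[str, str, str, str, str]] = []  # (proto, inside global, inside local, outside local, outside global)

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the source of an inside->outside packet; None means no translation exists."""
        key = (pkt.src, pkt.sport)
        if key not in self.out:
            mapping = self._new_mapping(pkt.src, pkt.sport)
            if mapping is None:
                return None
            self.out[key] = mapping
            self.back[mapping] = key
            outside = f"{pkt.dst}:{pkt.dport}"
            self.rows.append((pkt.proto, f"{mapping[0]}:{mapping[1]}",
                              f"{pkt.src}:{pkt.sport}", outside, outside))
        g_addr, g_port = self.out[key]
        return Packet(g_addr, g_port, pkt.dst, pkt.dport, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of an outside->inside packet; None means drop."""
        hit = self.back.get((pkt.dst, pkt.dport))
        if hit is not None:                         # return traffic for an existing translation
            return Packet(pkt.src, pkt.sport, hit[0], hit[1], pkt.proto)
        if pkt.dst in self.static_rev:              # static NAT admits new inbound connections
            return Packet(pkt.src, pkt.sport, self.static_rev[pkt.dst], pkt.dport, pkt.proto)
        return None                                 # no translation: the inside host is unreachable

    def _new_mapping(self, local: str, port: int) -> Optional[Endpoint]:
        if local in self.static:                    # static NAT: fixed address, port unchanged
            return (self.static[local], port)
        addr = ip_address(local)
        if addr in self.dynamic_net:                # dynamic NAT: one pool address per host
            g = self._pool_address(local)
            return None if g is None else (g, port)
        if addr in self.pat_net:                    # dynamic PAT: shared address, unique port
            port_out, self.next_port = self.next_port, self.next_port + 1
            return (self.pat_addr, port_out)
        return None                                 # no NAT rule covers this source

    def _pool_address(self, local: str) -> Optional[str]:
        for (l, _), (g, _) in self.out.items():     # host already holds a pool address?
            if l == local:
                return g
        return self.pool.pop(0) if self.pool else None   # pool exhausted -> no translation


def build_demo() -> Nat:
    return Nat(static={"10.0.0.10": "203.0.113.10"},   # DMZ server, reachable from outside
               dynamic_net="10.1.0.0/24", pool=["203.0.113.20", "203.0.113.21"],
               pat_net="10.2.0.0/24", pat_addr="203.0.113.2")


if __name__ == "__main__":
    nat = build_demo()
    for p in [Packet("10.0.0.10", 443, "198.51.100.5", 55000),
              Packet("10.1.0.5", 40000, "198.51.100.5", 80),
              Packet("10.2.0.8", 50000, "198.51.100.5", 80),
              Packet("10.2.0.9", 50000, "198.51.100.5", 80)]:
        print(p, "->", nat.translate_outbound(p))
    print("Pro  Inside global        Inside local         Outside local        Outside global")
    for row in nat.rows:
        print("{:<4} {:<20} {:<20} {:<20} {}".format(*row))
```

The two PAT hosts both use source port 50000 and still get distinct inside-global ports, which is what lets a single public address serve many inside hosts; the third dynamic-NAT host gets nothing once the two-address pool is used up, which is the sizing problem PAT avoids.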
Firewall Designs
Best practices documents are a composite effort of security practitioners.
This partial list of best practices is generic and serves only as a starting
point for your own firewall security policy:
• Position firewalls at key security boundaries, separating security domains
with different levels of trust.
• Firewalls are the primary security device, but it is unwise to rely
exclusively on a firewall for security.
• Deny all traffic by default and permit only services that are needed.
• Implement various firewall technologies, matching your application mix
and security policy requirements.
• Ensure that physical access to the firewall is controlled.
• Regularly monitor firewall logs. Cisco Security Manager and other Cisco
management tools are available for this purpose.
• Practice change management for firewall configuration changes.