02- FWSM Services Module


  • 8/3/2019 02- FWSM Services Module


FW Services Module: Attack Prevention - DNS Guard

Identifies an outbound DNS resolve request and only allows a single DNS response. A host may query several servers for a response (in case the first server is slow in responding), but only the first answer to the specific question will be allowed. All the additional answers from other servers will be dropped. No configuration necessary.

[Diagram: an inside host sends DNS requests through the FWSM to a DNS server pool; three DNS replies come back and only the first is passed to the host]
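The first-answer-wins rule described above, as an added simulation that is not part of the slides or the FWSM code; the addresses, transaction ID and query are constructed:

```python
"""DNS Guard simulation (added example, not FWSM code).

An outbound query opens an entry for (client, transaction ID, question); the
first matching answer from any server that was asked is allowed, and every
later answer is dropped. All addresses and queries below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsMessage:
    client: str        # inside host
    server: str        # DNS server queried / answering
    txid: int          # 16-bit transaction ID from the DNS header
    qname: str         # question name
    is_response: bool


class DnsGuard:
    def __init__(self) -> None:
        # (client, txid, qname) -> servers that still owe an answer
        self.pending: dict[tuple[str, int, str], set[str]] = {}

    def process(self, msg: DnsMessage) -> str:
        key = (msg.client, msg.txid, msg.qname)
        if not msg.is_response:
            # Outbound query: remember each server the host asked
            self.pending.setdefault(key, set()).add(msg.server)
            return "forward"
        servers = self.pending.get(key)
        if servers is None or msg.server not in servers:
            return "drop"  # no outstanding question matches: unsolicited or late
        del self.pending[key]  # first answer wins; question closed for all servers
        return "allow"


def run_trace(msgs: list[DnsMessage]) -> list[str]:
    guard = DnsGuard()
    return [guard.process(m) for m in msgs]


# Constructed trace: host asks two resolvers, both answer, one answer is replayed
TRACE = [
    DnsMessage("10.1.1.15", "195.1.1.53", 0x1A2B, "www.example.com", False),
    DnsMessage("10.1.1.15", "195.1.1.54", 0x1A2B, "www.example.com", False),
    DnsMessage("10.1.1.15", "195.1.1.54", 0x1A2B, "www.example.com", True),
    DnsMessage("10.1.1.15", "195.1.1.53", 0x1A2B, "www.example.com", True),
    DnsMessage("10.1.1.15", "195.1.1.53", 0x1A2B, "www.example.com", True),
]
```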


FW Services Module: Attack Prevention - Flood Defender

Protects inside systems from TCP SYN flood attacks. Enable it by setting the maximum connections option on the nat and static commands. This allows servers within the inside network to be protected from one style of denial of service attack.

[Diagram: a TCP SYN flood aimed at a server pool; the FWSM passes on a reduced SYN request rate]


FW Services Module: Flood Defender Configuration

[Diagram: TCP SYN flood reaching the FWSM, reduced SYN request rate towards the servers]

Flood Defender is enabled by default.


FW Services Module: Attack Prevention - TCP Intercept

When the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted.

[Diagram: server pool with the embryonic limit reached]


FW Services Module: TCP Intercept Configuration

[Diagram: server pool with the embryonic limit reached]

TCP Intercept kicks in when the embryonic session limit is reached.

An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data.

Every connection is embryonic until it sets up.

The embryonic limit is specified as part of the NAT configuration:

nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]
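The max_conns and em_limit behaviour from the Flood Defender and TCP Intercept slides, as an added simulation that is not part of the slides or the FWSM code; the server, client addresses and limits are constructed:

```python
"""Connection-limit and TCP Intercept simulation (added example, not FWSM code).

max_conns and em_limit come from the nat command on the slide: max_conns caps the
total connections to a server; once the embryonic (half-open) count reaches
em_limit, new SYNs are intercepted until it drops below the limit. Intercepted
SYNs are answered by the firewall and (a simplification here) not counted against
the server. A limit of 0 means unlimited. All values are constructed.
"""
from __future__ import annotations


class ConnLimiter:
    def __init__(self, max_conns: int = 0, em_limit: int = 0) -> None:
        self.max_conns = max_conns
        self.em_limit = em_limit
        self.embryonic: dict[str, set[tuple[str, int]]] = {}    # server -> half-open flows
        self.established: dict[str, set[tuple[str, int]]] = {}  # server -> completed flows

    def syn(self, server: str, client: str, port: int) -> str:
        """A SYN for server arrives; returns 'pass', 'intercept' or 'drop'."""
        emb = self.embryonic.setdefault(server, set())
        est = self.established.setdefault(server, set())
        if self.max_conns and len(emb) + len(est) >= self.max_conns:
            return "drop"        # Flood Defender: maximum connections reached
        if self.em_limit and len(emb) >= self.em_limit:
            return "intercept"   # TCP Intercept: firewall proxies the handshake
        emb.add((client, port))
        return "pass"

    def complete(self, server: str, client: str, port: int) -> None:
        """Handshake finished (data seen): the flow is no longer embryonic."""
        self.embryonic.get(server, set()).discard((client, port))
        self.established.setdefault(server, set()).add((client, port))

    def embryonic_count(self, server: str) -> int:
        return len(self.embryonic.get(server, set()))


def run_scenario(limiter: ConnLimiter, events: list[tuple]) -> list[str]:
    """Apply ('syn'|'complete', server, client, port) events; collect SYN verdicts."""
    verdicts = []
    for kind, server, client, port in events:
        if kind == "syn":
            verdicts.append(limiter.syn(server, client, port))
        else:
            limiter.complete(server, client, port)
    return verdicts
```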


FW Services Module: Attack Prevention - Unicast RPF

Also known as "reverse route lookups", Unicast RPF prevents IP spoofing in the IP protocol. It provides ingress and egress filtering: it checks inbound packets for IP source address integrity, and verifies that packets destined for hosts outside the managed domain have IP source addresses verifiable by routes in the enforcing entity's local routing table.

[Diagram: an attacker tries to kill a user session and spoof the user's session; the firewall denies the attempted access]


FW Services Module: Attack Prevention - Unicast RPF Configuration

FWSM(config)# ip verify reverse-path interface interface_name
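The reverse route lookup described above, as an added simulation that is not part of the slides or the FWSM code; the routing table, the interface names and the packet list are constructed (the 10.x prefixes and dmz_1 reuse values that appear elsewhere in the slides):

```python
"""Unicast RPF check simulation (added example, not FWSM code).

For each inbound packet the best route to its *source* address is looked up in
a constructed routing table; the packet passes only when that route points out
of the interface the packet arrived on (the "reverse route lookup").
"""
from __future__ import annotations
import ipaddress

# Constructed routing table: (prefix, interface the prefix is reached through)
ROUTES = [
    ("10.1.1.0/24", "inside"),
    ("10.2.1.0/24", "dmz_1"),
    ("0.0.0.0/0", "outside"),
]


def reverse_route_interface(src: str, routes=ROUTES) -> str | None:
    """Longest-prefix match on the source address; returns the egress interface."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def urpf_verdict(src: str, ingress: str, routes=ROUTES) -> str:
    """'permit' if the route back to src leaves via the ingress interface, else 'deny'."""
    return "permit" if reverse_route_interface(src, routes) == ingress else "deny"


def filter_packets(packets: list[tuple[str, str]], routes=ROUTES) -> list[str]:
    """Apply `ip verify reverse-path` to (source address, ingress interface) pairs."""
    return [urpf_verdict(src, ingress, routes) for src, ingress in packets]


# Constructed packets: the third carries an inside address but arrives from outside
PACKETS = [
    ("10.1.1.15", "inside"),
    ("203.0.113.7", "outside"),
    ("10.1.1.15", "outside"),
    ("10.2.1.3", "inside"),
]
```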


FW Services Module: Attack Prevention - FRAG Guard

IP fragment protection that performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the FWSM.

[Diagram: Frag1 to Frag4 enter the FWSM and leave again as Frag1 to Frag4]

1. Receive fragmented packets
2. Reassemble packet
3. Check packet for threat
4. Send fragmented packets if no threat


FW Services Module: Attack Prevention - Mail Guard

Allows mail servers to be deployed within the internal network without them being exposed to known security problems with some SMTP server implementations.

[Diagram: SMTP attacker on the outside, SMTP servers on the inside behind the FWSM]


FW Services Module: Mail Guard Configuration

Mail Guard is enabled in the FWSM using the inspect command:

FWSM(config)# policy-map global_policy
FWSM(config-pmap)# class inspection_default
FWSM(config-pmap-c)# inspect smtp


FW Services Module: Address Translation - NAT

Provides a way to translate an inside secure address to a public domain address, hiding the source address from outside users and allowing the inside network to utilise private addresses.

[Diagram: packet Source=A Dest=X leaves the inside, crosses the FWSM and reaches the outside world as Source=B Dest=X]


FW Services Module: Address Translation - PAT

Port re-mapping allows a single valid IP address to be translated to 64,000 active XLATE objects. PAT minimizes the number of globally valid IP addresses required to support private or invalid internal addressing schemes.

[Diagram: flows Source=A, Source=B and Source=C, all to Dest=X port 80, leave the FWSM as Source=C Dest=X with source ports 2001, 2002, ...]

Note: the source address is the same; the port number uniquely identifies the flow.


FW Services Module: NAT/PAT Configuration

[Diagram: Source=A Dest=X on the inside becomes Source=B Dest=X on the outside]

FWSM(config)# nat (inside) 1 10.1.1.0 255.255.255.0
FWSM(config)# global (outside) 1 195.1.1.1-195.1.1.254 255.255.255.0
Defines that addresses from 10.1.1.0 will be translated

FWSM(config)# access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3
FWSM(config)# nat (inside) 0 access-list no-nat
Defines host 10.1.1.15 to bypass NAT

FWSM(config)# nat (inside) 1 10.1.1.0 255.255.255.0
FWSM(config)# global (outside) 1 195.1.1.1-195.1.1.1 255.255.255.0
Defines PAT translation
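The PAT behaviour from the previous two slides (one global address, a unique source port per flow, replies matched back by port), as an added simulation that is not part of the slides or the FWSM code; 10.1.1.0/24 and 195.1.1.1 are the slides' addresses, while the port range, hosts and flows are constructed:

```python
"""PAT xlate table simulation (added example, not FWSM code).

With `global (outside) 1 195.1.1.1-195.1.1.1` every inside flow leaves with the
one global address and a unique source port, and replies are mapped back to the
inside host by that port alone. Port range, hosts and flows are constructed.
"""
from __future__ import annotations


class PatTable:
    def __init__(self, global_ip: str, first_port: int = 2001, last_port: int = 65535):
        self.global_ip = global_ip
        self.next_port = first_port
        self.last_port = last_port
        self.xlate: dict[tuple[str, int], int] = {}    # (inside ip, inside port) -> global port
        self.reverse: dict[int, tuple[str, int]] = {}  # global port -> (inside ip, inside port)

    def outbound(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Translate an inside source, reusing the xlate if the flow already exists."""
        key = (src_ip, src_port)
        if key not in self.xlate:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            self.xlate[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.global_ip, self.xlate[key]

    def inbound(self, dst_port: int) -> tuple[str, int] | None:
        """Map a reply addressed to the global address back to the inside flow."""
        return self.reverse.get(dst_port)

    def active_xlates(self) -> int:
        return len(self.xlate)


def translate_flows(flows: list[tuple[str, int]], global_ip: str = "195.1.1.1"):
    """Run (inside ip, inside port) flows through one PAT table; returns (results, table)."""
    pat = PatTable(global_ip)
    return [pat.outbound(ip, port) for ip, port in flows], pat


# Constructed flows: two hosts use the same source port, and one flow repeats
FLOWS = [("10.1.1.15", 40000), ("10.1.1.16", 40000), ("10.1.1.15", 40001), ("10.1.1.15", 40000)]
```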


FW Services Module: Protocol Support - NETBIOS over IP

Problem: NETBIOS incorporates the IP address in its datagram, so when NAT is applied to a NETBIOS packet that has to be routed, NAT will translate the IP header but not the IP address in the datagram... BZZZZ!!! This causes issues for the destination host.

[Diagram: IP HDR followed by NETBIOS IP; NAT changes the address in the IP header, NOT the one in the NETBIOS datagram]

NETBIOS over IP support in the FWSM recognises the NETBIOS packet and translates both the IP header and the IP address in the datagram.

No configuration necessary.


FW Services Module: Syslog

Provides a means to view network events and assist with troubleshooting.

Syslog Message Types

Level  Name           Description
0      Emergencies    System unusable messages
1      Alerts         Take immediate action
2      Critical       Critical condition
3      Errors         Error messages
4      Warnings       Warning message
5      Notifications  Normal but significant condition
6      Informational  Informational message
7      Debugging      Debug and log messages

FWSM(config)# logging buffered level


FW Services Module: Syslog - sending messages to a server

SYSLOG messages can be sent to a syslog server:

FWSM(config)# logging host dmz_1 192.168.1.1     Identify the syslog host
FWSM(config)# logging trap debugging            Set logging level
FWSM(config)# logging on                        Turn logging on

%FWSM-5-304001: user 192.168.69.71 Accessed URL 10.133.219.25 : www.example.com
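The severity table and the `logging trap` threshold from the last two slides, as an added parser and filter that is not part of the slides or the FWSM code; the 304001 line is the slide's own sample, while the other messages are constructed with placeholder IDs:

```python
"""FWSM syslog severity filter (added example, not FWSM code).

Parses the %FWSM-<severity>-<id>: <text> format shown on the slide, names the
severity with the table from the previous slide, and applies the threshold that
`logging trap <level>` sets: a message is forwarded to the syslog server only
when its severity number is <= the configured level (lower number = more severe).
"""
from __future__ import annotations
import re

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_BY_NAME = {name: num for num, name in SEVERITY_NAMES.items()}

MSG_RE = re.compile(r"^%FWSM-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")


def parse(line: str) -> dict | None:
    """Split one syslog line into severity, severity name, message ID and text."""
    m = MSG_RE.match(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"severity": sev, "name": SEVERITY_NAMES[sev],
            "id": m.group("id"), "text": m.group("text")}


def trap_filter(lines: list[str], trap_level: str) -> list[str]:
    """Return the lines that `logging trap <trap_level>` would send to the server."""
    threshold = LEVEL_BY_NAME[trap_level]
    kept = []
    for line in lines:
        msg = parse(line)
        if msg is not None and msg["severity"] <= threshold:
            kept.append(line)
    return kept


# Sample input: first line is from the slide; the rest are constructed (placeholder IDs)
SAMPLE = [
    "%FWSM-5-304001: user 192.168.69.71 Accessed URL 10.133.219.25 : www.example.com",
    "%FWSM-7-999901: constructed debug message",
    "%FWSM-2-999902: constructed critical message",
    "not a syslog line",
]
```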