02- FWSM Services Module
8/3/2019 02- FWSM Services Module
1/17
FW Services Module - Attack Prevention: DNS Guard
Identifies an outbound DNS resolve request and allows only a single DNS response. A host may query several servers for a response (in case the first server is slow to respond), but only the first answer to the specific question is allowed; all additional answers from other servers are dropped. No configuration is necessary.
[Diagram: a host sends DNS requests to a DNS server pool; of the several DNS replies that come back, only the first passes the FWSM]
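The DNS Guard rule stated above, modelled as a small state machine; this is an added illustration, not FWSM code, and it assumes a question is identified by (client address, client port, DNS transaction id).

```python
"""DNS Guard behaviour as a state machine (added illustration, not FWSM code)."""
from dataclasses import dataclass, field

@dataclass
class DnsGuard:
    """Outstanding client questions keyed by (client_ip, client_port, txid).
    The first matching reply closes the slot; every later reply is dropped."""
    pending: set = field(default_factory=set)
    stats: dict = field(default_factory=lambda: {"allowed": 0, "dropped": 0})

    def outbound_query(self, src_ip, src_port, txid):
        # One slot per question, however many servers the host asks.
        self.pending.add((src_ip, src_port, txid))

    def inbound_reply(self, dst_ip, dst_port, txid):
        """Return True if the reply is forwarded, False if it is dropped."""
        key = (dst_ip, dst_port, txid)
        if key in self.pending:
            self.pending.remove(key)      # first answer wins
            self.stats["allowed"] += 1
            return True
        self.stats["dropped"] += 1        # duplicate or unsolicited answer
        return False

def simulate():
    """Constructed sample: one client asks three servers and gets three replies."""
    g = DnsGuard()
    g.outbound_query("10.1.1.5", 40001, 0x1234)
    results = [g.inbound_reply("10.1.1.5", 40001, 0x1234) for _ in range(3)]
    return results, g.stats
```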
FW Services Module - Attack Prevention: Flood Defender
Protects inside systems from TCP SYN flood attacks. Enable it by setting the maximum connections option on the nat and static commands. This allows servers within the inside network to be protected from one style of denial of service attack.
[Diagram: a TCP SYN flood aimed at a server pool; the FWSM reduces the SYN request rate that reaches the servers]
FW Services Module - Flood Defender Configuration
[Diagram: TCP SYN flood; reduced SYN request rate behind the FWSM]
Flood Defender is enabled by default.
FW Services Module - Attack Prevention: TCP Intercept
When the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted.
[Diagram: server pool with the embryonic connection limit reached]
FW Services Module - TCP Intercept Configuration
[Diagram: server pool, limit reached]
TCP Intercept kicks in when the embryonic session limit is reached.
An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data.
Every connection is embryonic until it sets up.
The embryonic limit is specified as part of the NAT configuration:
nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]
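The embryonic-connection accounting behind Flood Defender and TCP Intercept, as an added illustration (not FWSM code): the em_limit argument of the nat command above is mirrored as a per-server threshold, and the "intercept" action stands in for the FWSM completing the handshake on the server's behalf. Client and server addresses are constructed.

```python
"""Embryonic connection limit (Flood Defender / TCP Intercept), added illustration."""
from collections import defaultdict

class EmbryonicLimiter:
    def __init__(self, em_limit):
        self.em_limit = em_limit
        self.embryonic = defaultdict(set)    # server -> half-open (client_ip, port)
        self.established = defaultdict(set)  # server -> completed connections

    def syn(self, client, server):
        """'pass' while under the limit, 'intercept' once the limit is reached."""
        if len(self.embryonic[server]) >= self.em_limit:
            return "intercept"      # FWSM answers the SYN itself until count drops
        self.embryonic[server].add(client)
        return "pass"

    def ack(self, client, server):
        """Third ACK of the handshake: the connection stops being embryonic."""
        if client in self.embryonic[server]:
            self.embryonic[server].discard(client)
            self.established[server].add(client)
            return True
        return False

    def timeout(self, client, server):
        """Half-open connection expired or reset: free its slot."""
        self.embryonic[server].discard(client)

def simulate_syn_flood(em_limit=3, attackers=5):
    """Constructed sample: five SYNs from distinct sources, one handshake completes."""
    lim = EmbryonicLimiter(em_limit)
    server = "10.1.1.10"
    actions = [lim.syn((f"192.0.2.{i}", 1000 + i), server) for i in range(attackers)]
    lim.ack(("192.0.2.0", 1000), server)          # one client finishes the handshake
    late = lim.syn(("203.0.113.9", 5555), server)  # a new SYN now fits under the limit
    return actions, late, len(lim.embryonic[server]), len(lim.established[server])
```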
FW Services Module - Attack Prevention: Unicast RPF
Also known as "reverse route lookups", Unicast RPF prevents IP spoofing in the IP protocol. It provides ingress and egress filtering: it checks inbound packets for IP source address integrity, and verifies that packets destined for hosts outside the managed domain have IP source addresses verifiable by routes in the enforcing entity's local routing table.
[Diagram: an attacker tries to kill and then spoof a user session; the firewall denies the attempted access]
FW Services Module - Attack Prevention: Unicast RPF Configuration
FWSM(config)# ip verify reverse-path interface interface_name
[Diagram: spoofed user session denied by the firewall]
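The reverse-path lookup that "ip verify reverse-path" performs, as an added illustration (not FWSM code): strict mode, where a packet is permitted only if the route back to its source leaves through the interface it arrived on. The routing table, interface names and sample packets are constructed; the default route is treated as a valid reverse path for the outside interface.

```python
"""Strict unicast RPF check, added illustration (not FWSM code)."""
import ipaddress

# Constructed routing table: (prefix, egress interface); default route last.
ROUTES = [
    ("10.1.1.0/24", "inside"),
    ("192.168.1.0/24", "dmz_1"),
    ("0.0.0.0/0", "outside"),
]

def lookup(ip):
    """Longest-prefix match: the interface the FWSM would route ip through."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_permit(src_ip, ingress_iface):
    """Permit only if the reverse route to the source points at the ingress interface."""
    return lookup(src_ip) == ingress_iface

def check_packets(packets):
    """packets: list of (src_ip, ingress_iface); returns a verdict per packet."""
    return ["permit" if urpf_permit(s, i) else "deny" for s, i in packets]

# Constructed sample traffic.
SAMPLE = [
    ("10.1.1.20", "inside"),      # legitimate inside host
    ("10.1.1.20", "outside"),     # outside packet spoofing an inside source
    ("198.51.100.7", "outside"),  # Internet host reached via the default route
    ("192.168.1.5", "inside"),    # DMZ source arriving on the wrong interface
]
```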
FW Services Module - Attack Prevention: FRAG Guard
IP fragment protection that performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the FWSM.
[Diagram: 1. Receive fragmented packets (Frag1 to Frag4); 2. Reassemble packet; 3. Check packet for threat; 4. Send fragmented packets if no threat]
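The four-step virtual reassembly shown above, as an added illustration (not FWSM code): fragments of one datagram are held until the set is complete, the reassembled payload is inspected as a whole, and only then are the original fragments released. The inspection callback and the fragment data are constructed for the demo.

```python
"""Virtual reassembly in the spirit of FRAG Guard (added illustration, not FWSM code)."""

class FragGuard:
    def __init__(self, inspect):
        self.inspect = inspect   # callable(payload) -> True when no threat is found
        self.buckets = {}        # datagram id -> {offset: (payload, more_fragments)}

    def receive(self, dgram_id, offset, more, payload):
        """Step 1: queue one fragment. Returns (fragments to forward, verdict)."""
        frags = self.buckets.setdefault(dgram_id, {})
        if offset in frags and frags[offset][0] != payload:
            self.buckets.pop(dgram_id)          # same offset, different data: discard
            return [], "drop-overlap"
        frags[offset] = (payload, more)
        state = self._state(frags)
        if state == "overlap":
            self.buckets.pop(dgram_id)          # overlapping offsets: discard the datagram
            return [], "drop-overlap"
        if state == "incomplete":
            return [], "hold"                   # wait for the missing pieces
        # Step 2: reassemble; Step 3: inspect the whole payload, not the pieces.
        data = b"".join(frags[o][0] for o in sorted(frags))
        self.buckets.pop(dgram_id)
        if not self.inspect(data):
            return [], "drop-threat"
        # Step 4: release the original fragments unchanged.
        return [(o, frags[o][0]) for o in sorted(frags)], "forward"

    @staticmethod
    def _state(frags):
        """Contiguous from offset 0 to a fragment with more=False means complete."""
        pos = 0
        for off in sorted(frags):
            if off < pos:
                return "overlap"
            if off > pos:
                return "incomplete"
            payload, more = frags[off]
            pos += len(payload)
            if not more:
                return "complete"
        return "incomplete"

def no_threat(data):
    """Constructed signature check: the token ATTACK must not appear once reassembled."""
    return b"ATTACK" not in data
```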
FW Services Module - Attack Prevention: Mail Guard
Allows mail servers to be deployed within the internal network without being exposed to known security problems with some SMTP server implementations.
[Diagram: SMTP attacker outside the FWSM, SMTP servers inside]
FW Services Module - Mail Guard Configuration
Mail Guard is enabled in the FWSM using the inspect command:
FWSM(config)# policy-map global_policy
FWSM(config-pmap)# class inspection_default
FWSM(config-pmap-c)# inspect smtp
FW Services Module - Address Translation: NAT
Provides a way to translate an inside secure address to a public domain address, hiding the source address from outside users and allowing the inside network to utilise private addresses.
[Diagram: a packet Source=A Dest=X Data leaves the inside network and reaches the outside world as Source=B Dest=X Data]
FW Services Module - Address Translation: PAT
Port re-mapping allows a single valid IP address to be translated to 64,000 active XLATE objects. PAT minimizes the number of globally valid IP addresses required to support private or invalid internal addressing schemes.
[Diagram: flows Source=A Dest=X Port=80 and Source=B Dest=X Port=80 leave as Source=C Dest=X Port=2001 and Source=C Dest=X Port=2002. Note: the source address is the same; the port number uniquely identifies the flow]
FW Services Module - NAT/PAT Configuration
[Diagram: Source=A Dest=X Data translated to Source=B Dest=X Data]
FWSM(config)# nat (inside) 1 10.1.1.0 255.255.255.0
FWSM(config)# global (outside) 1 195.1.1.1-195.1.1.254 255.255.255.0
Defines that addresses from 10.1.1.0 will be translated
FWSM(config)# access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3
FWSM(config)# nat (inside) 0 access-list no-nat
Defines host 10.1.1.15 to bypass NAT
FWSM(config)# nat (inside) 1 10.1.1.0 255.255.255.0
FWSM(config)# global (outside) 1 195.1.1.1-195.1.1.1 255.255.255.0
Defines PAT translation
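The xlate table behind the PAT slide and the single-address global command above, as an added illustration (not FWSM code): inside flows are mapped to one global address with a unique port, replies are translated back, and an unknown destination port has no xlate. The global address follows the deck's configuration; the inside hosts, starting port and the reduced xlate cap are constructed for the demo.

```python
"""PAT xlate table, added illustration (not FWSM code)."""

class PatTranslator:
    def __init__(self, global_ip, first_port=1024, max_xlates=64000):
        self.global_ip = global_ip
        self.next_port = first_port
        self.max_xlates = max_xlates
        self.forward = {}   # (inside_ip, inside_port) -> (global_ip, mapped_port)
        self.reverse = {}   # mapped_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside packet, reusing the xlate of an existing flow."""
        key = (src_ip, src_port)
        if key not in self.forward:
            if len(self.forward) >= self.max_xlates:
                return None               # no free xlate: the packet is dropped
            mapped = self.next_port
            self.next_port += 1
            self.forward[key] = (self.global_ip, mapped)
            self.reverse[mapped] = key
        gip, gport = self.forward[key]
        return (gip, gport, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Undo the translation for a reply; a port without an xlate is denied."""
        if dst_ip != self.global_ip or dst_port not in self.reverse:
            return None
        in_ip, in_port = self.reverse[dst_port]
        return (src_ip, src_port, in_ip, in_port)

def demo():
    """Constructed sample: two flows share an inside port; a third exceeds the cap of 2."""
    pat = PatTranslator("195.1.1.1", first_port=2001, max_xlates=2)
    a = pat.outbound("10.1.1.15", 40000, "203.0.113.10", 80)
    b = pat.outbound("10.1.1.16", 40000, "203.0.113.10", 80)
    c = pat.outbound("10.1.1.17", 40000, "203.0.113.10", 80)
    reply = pat.inbound("203.0.113.10", 80, "195.1.1.1", 2002)
    return a, b, c, reply
```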
FW Services Module - Protocol Support: NETBIOS over IP
Problem: NETBIOS incorporates the IP address in its datagram, so when NAT is applied to a NETBIOS packet that has to be routed, NAT will translate the IP header but not the IP address in the datagram. BZZZZ!!! This causes an issue for the destination host.
[Diagram: IP HDR | NETBIOS IP. NAT changes the address in the IP header, not the one inside the NETBIOS datagram]
NETBIOS over IP support in the FWSM recognises NETBIOS packets and translates both the IP header and the IP address in the datagram. No configuration necessary.
FW Services Module - Syslog
Provides a means to view network events and assists with troubleshooting.
Syslog Message Types
Level  Name           Description
0      Emergencies    System unusable messages
1      Alerts         Take immediate action
2      Critical       Critical condition
3      Errors         Error messages
4      Warnings       Warning message
5      Notifications  Normal but significant condition
6      Informational  Informational message
7      Debugging      Debug and log messages
FWSM(config)# logging buffered level
FW Services Module - Syslog: Sending Messages to a Server
SYSLOG messages can be sent to a syslog server:
FWSM(config)# logging host dmz_1 192.168.1.1     (identify the syslog host)
FWSM(config)# logging trap debugging            (set the logging level)
FWSM(config)# logging on                        (turn logging on)
Example message:
%FWSM-5-304001: user 192.168.69.71 Accessed URL 10.133.219.25 : www.example.com
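A parser for the %FWSM-severity-id message format shown above, with the severity table from the deck and a filter that mirrors what "logging trap <level>" forwards to the syslog host; this is an added illustration, not FWSM code. The 304001 line is the one from the slide; the other sample lines are constructed.

```python
"""FWSM syslog parsing and trap-level filtering, added illustration (not FWSM code)."""
import re

# Severity table from the deck: number -> keyword accepted by the logging commands.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_BY_NAME = {name: num for num, name in SEVERITY.items()}

MSG_RE = re.compile(r"^%FWSM-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")

def parse(line):
    """Return severity, name, message id and text, or None for a non-FWSM line."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"severity": sev, "name": SEVERITY[sev],
            "id": m.group("id"), "text": m.group("text")}

def trap_filter(lines, trap_level):
    """Keep messages at trap_level or more severe (lower number = more severe)."""
    limit = LEVEL_BY_NAME[trap_level]
    kept = []
    for line in lines:
        msg = parse(line)
        if msg and msg["severity"] <= limit:
            kept.append(msg)
    return kept

# Constructed sample log; the first line is the message shown on the slide.
SAMPLE = [
    "%FWSM-5-304001: user 192.168.69.71 Accessed URL 10.133.219.25 : www.example.com",
    "%FWSM-7-111009: User 'enable_15' executed cmd: show xlate",
    "%FWSM-2-106001: Inbound TCP connection denied from 203.0.113.5/4321 "
    "to 10.1.1.10/23 flags SYN on interface outside",
    "not a syslog line",
]
```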