IOS Firewall
IOS Firewall
• IOS: Cisco's Internetwork Operating System (the primary system running on Cisco's routers)
• IOS Firewall: a stateful packet-filter firewall that runs on a router, providing firewall capabilities
• CBAC: Context-Based Access Control (at the core of the IOS Firewall functionality)
Network Security 2
IOS Firewall Features
• Major subsystems:
– SPI: Stateful Packet Inspection
– CBAC: Context-Based Access Control
– IOS IPS: Intrusion Prevention System
– User-level authentication
– PAM: Port-to-Application Mapping
– NAT
– ZFW: Zone-Based Policy Firewall
• Other security features:
– IPsec, AAA support, ACLs, …
T. A. Yang
CBAC (Context-Based Access Control)
• Replaced by ZFW (Zone-based Policy Firewall)
• Implements packet filtering on a Cisco router (similar to ASA on Cisco PIX)
• Three basic functionalities:
1. Dynamic modification of the extended access lists
– To allow connections initiated from the inside
2. Inspection of the application/transport level protocols (~= multimedia support in PIX)
3. Control of the number/length of sessions
CBAC Functions
1. Dynamic traffic filtering (based on upper-layer protocols)
– In principle, only traffic that originates from the trusted network and goes out to the untrusted network is allowed.
– Set up ACLs to open holes for inbound access to inside servers
– Set up the router to inspect outbound packets
CBAC Functions
2. Application-aware traffic inspection
– Keeps track of the associated sessions, i.e., a stateful packet filter
• Maintains TCP and UDP connections, which provide the necessary info to perform deep packet inspection of the payload for malicious activities
CBAC Functions
3. Alerts and audit trails
– Real-time event alerts
• SYSLOG notification messages
– Enhanced audit trails
• For all the session information maintained in the state table
• Uses SYSLOG to track all network transactions
• Records information such as source/destination host addresses, ports used, the total number of transmitted bytes, time stamps, etc.
• Good for session-based reporting, anomaly identification, …
How does IOS maintain session state information?
• State Information Structure (SIS)
– A SIS is created for each logical session.
– The SIS uniquely identifies a connection using the IP addresses and port numbers.
– When necessary, other info such as TCP connection state, TCP sequence number, etc. is also maintained.
– The SIS is deleted when the associated session/connection is terminated.
CBAC Mechanisms, 1/4
• Packet inspection
– Per-protocol inspection
– ACL filtering (inbound, outbound) is performed first, before CBAC inspection
– Tracks sequence numbers in all TCP packets
• Timeout and threshold values
– Determine when to drop sessions that do not become fully established (aka embryonic sessions)
1. # of half-open TCP or UDP sessions
2. # of half-open sessions based on time
3. # of per-host half-open TCP sessions
CBAC Mechanisms, 2/4
• The session state table maintains SIS entries
– Sample SIS entry: Session 25A4E53 (10.1.1.1:11006) => (20.1.1.1:23) tcp SIS_OPEN
– Return traffic is permitted back through the firewall only if an entry in the state table indicates that the packet belongs to a permissible session.
• UDP connections
– Examine the UDP packet and determine whether it is similar to the UDP packet that exited earlier
– Returning UDP packets are checked within the idle timeout period to ensure they have the corresponding source/destination IP addresses and port numbers
CBAC Mechanisms, 3/4
• Dynamic ACL entries
– Dynamically adds and removes ACL entries at the firewall interfaces
– For traffic originating inside, an ACL entry is temporarily added (so returned traffic for that session may be inspected)
• Embryonic (half-open) sessions
– Monitors the total number of half-open connections and the rate of session establishment attempts for both TCP and UDP
– Controlling the number of embryonic connections helps prevent DoS attacks
– When the number of embryonic connections exceeds the specified threshold, CBAC will delete subsequent half-open sessions as required to accommodate new incoming connections
CBAC Mechanisms, 4/4
• Per-Host DoS Prevention
– For TCP traffic only
– When the number of half-open TCP connections exceeds the threshold, CBAC blocks all subsequent connections to that host for the specified block-time
– Prevents SYN floods
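The embryonic-session controls on the two preceding slides (total half-open sessions, half-open sessions per minute, and the per-host TCP threshold with a block-time) can be seen working together in the following model. It is an added example, not code from the slides or from Cisco: the threshold values are deliberately tiny so the behaviour is visible, the class and method names are invented, and the model clears a host's half-open entries when it blocks that host (a simplification of the real per-host logic).

```python
"""Toy model of CBAC half-open (embryonic) session control.

Added illustration, not Cisco code. Threshold values are demo-sized
assumptions playing the role of IOS's max-incomplete, one-minute and
per-host settings.
"""
from collections import deque

MAX_INCOMPLETE_HIGH = 6   # total half-open sessions: enter aggressive mode above this
MAX_INCOMPLETE_LOW = 4    # ...and leave it once the total is at or below this
ONE_MINUTE_HIGH = 20      # session attempts per minute: enter aggressive mode above this
ONE_MINUTE_LOW = 15
PER_HOST_MAX = 3          # half-open TCP sessions allowed towards one destination host
BLOCK_TIME = 120          # seconds during which new TCP sessions to that host are refused


class EmbryonicMonitor:
    """Tracks half-open sessions and applies the three CBAC thresholds."""

    def __init__(self):
        self.half_open = {}       # (proto, src, sport, dst, dport) -> time opened
        self.attempts = deque()   # open times of attempts seen in the last 60 s
        self.blocked_until = {}   # dst host -> time until which new TCP sessions are refused
        self.aggressive = False   # True while old half-open sessions are being deleted

    def _host_count(self, dst):
        return sum(1 for k in self.half_open if k[0] == "tcp" and k[3] == dst)

    def one_minute_rate(self, now):
        """Number of session attempts admitted in the last 60 seconds."""
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def established(self, key):
        """Handshake completed: the session is no longer half-open."""
        self.half_open.pop(key, None)

    def new_session(self, proto, src, sport, dst, dport, now):
        """Admit a session initiation.

        Returns 'blocked' (per-host protection), 'accept', or
        'accept-dropped-oldest' (aggressive mode deleted the oldest
        half-open session to make room for this one).
        """
        # 3. per-host TCP protection: a SYN flood aimed at one server
        if proto == "tcp":
            if self.blocked_until.get(dst, 0) > now:
                return "blocked"
            if self._host_count(dst) >= PER_HOST_MAX:
                # simplification: clear the host's half-open entries and block new ones
                for k in [k for k in self.half_open if k[0] == "tcp" and k[3] == dst]:
                    del self.half_open[k]
                self.blocked_until[dst] = now + BLOCK_TIME
                return "blocked"

        key = (proto, src, sport, dst, dport)
        self.half_open[key] = now
        self.attempts.append(now)

        # 1. total half-open sessions and 2. rate of attempts per minute
        total = len(self.half_open)
        rate = self.one_minute_rate(now)
        if total > MAX_INCOMPLETE_HIGH or rate > ONE_MINUTE_HIGH:
            self.aggressive = True
        elif total <= MAX_INCOMPLETE_LOW and rate <= ONE_MINUTE_LOW:
            self.aggressive = False

        if self.aggressive and total > MAX_INCOMPLETE_LOW:
            oldest = min(self.half_open, key=self.half_open.get)
            if oldest != key:
                del self.half_open[oldest]   # delete half-open sessions to accommodate new ones
                return "accept-dropped-oldest"
        return "accept"


if __name__ == "__main__":
    m = EmbryonicMonitor()
    # constructed sample: four SYNs from different source ports to one server
    for port in (40001, 40002, 40003, 40004):
        print(port, m.new_session("tcp", "192.0.2.10", port, "198.51.100.5", 80, now=0))
    print("blocked until", m.blocked_until)
```

The high/low pairs give hysteresis: deletion starts above the high mark and only stops once the count has fallen to the low mark, which avoids flapping in and out of aggressive mode on every packet.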
Two modes of inspection
• Single-channel, or generic, TCP/UDP inspection
– The return traffic must have the same source/destination IP addresses and port numbers
– Must be within the sequence number window
• Application-specific inspection
– Takes precedence over the generic inspection
– Many application-layer protocols are supported (CU-SeeMe, FTP, H.323, HTTP, ICMP, …)
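The SIS entries, the return-traffic rule of the state table, the UDP idle timeout and the generic TCP/UDP inspection just described all act on one session table; the model below ties them together. It is an added example, not code from the slides or from Cisco: the class and field names, the `SIS_OPENING` state name, the window size and the idle timeout are assumptions, and the sequence-number check is simplified to a window after the last sequence number seen from the outside host.

```python
"""Toy model of a CBAC-style session state table.

Added illustration, not Cisco code: one SIS per logical session keyed on
IP addresses and ports; return traffic admitted only when a matching
entry exists; generic TCP inspection checks a sequence-number window;
UDP entries age out after an idle timeout; entries are deleted when the
connection ends. State names, window size and timeout are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

UDP_IDLE_TIMEOUT = 30    # seconds a UDP session stays valid with no traffic (assumed)
TCP_SEQ_WINDOW = 65535   # acceptable window after the last seen sequence number (assumed)


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float           # arrival time in seconds
    seq: int = 0        # TCP sequence number (ignored for UDP)
    fin: bool = False   # TCP FIN: the sender is closing the connection


@dataclass
class SIS:
    """State Information Structure: one entry per logical session."""
    proto: str
    inside: str
    iport: int
    outside: str
    oport: int
    state: str = "SIS_OPENING"      # assumed name: outbound seen, no reply yet
    last_seen: float = 0.0
    last_seq: Optional[int] = None  # last sequence number seen from the outside host


class SessionTable:
    def __init__(self):
        self.entries = {}   # (proto, inside, iport, outside, oport) -> SIS

    def outbound(self, pkt: Packet) -> SIS:
        """A packet leaving the trusted network creates or refreshes its SIS."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        sis = self.entries.get(key)
        if sis is None:
            sis = SIS(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.entries[key] = sis
        sis.last_seen = pkt.ts
        if pkt.proto == "tcp" and pkt.fin:
            del self.entries[key]       # connection torn down: the SIS is removed
        return sis

    def inbound(self, pkt: Packet) -> bool:
        """Return True if a packet from the untrusted side is allowed back in."""
        # the SIS is keyed from the inside host's point of view, so swap the ends
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        sis = self.entries.get(key)
        if sis is None:
            return False                # no session: not permissible return traffic
        if pkt.proto == "udp":
            if pkt.ts - sis.last_seen > UDP_IDLE_TIMEOUT:
                del self.entries[key]   # idle timeout expired: the entry is gone
                return False
            sis.state = "SIS_OPEN"
            sis.last_seen = pkt.ts
            return True
        # generic TCP inspection: the reply must fall inside the sequence window
        if sis.last_seq is not None:
            if not (sis.last_seq <= pkt.seq < sis.last_seq + TCP_SEQ_WINDOW):
                return False            # out-of-window segment is dropped
        sis.last_seq = pkt.seq
        sis.state = "SIS_OPEN"
        sis.last_seen = pkt.ts
        if pkt.fin:
            del self.entries[key]       # session terminated: delete the SIS
        return True

    def show(self):
        """Render the entries in the style of the slide's sample SIS line."""
        return [f"({s.inside}:{s.iport}) => ({s.outside}:{s.oport}) {s.proto} {s.state}"
                for s in self.entries.values()]


if __name__ == "__main__":
    t = SessionTable()
    # constructed sample: a telnet session from 10.1.1.1 to 20.1.1.1, as on the slide
    t.outbound(Packet("tcp", "10.1.1.1", 11006, "20.1.1.1", 23, ts=0.0, seq=100))
    print(t.inbound(Packet("tcp", "20.1.1.1", 23, "10.1.1.1", 11006, ts=0.1, seq=5000)))
    print(t.show())
```

Note that inbound lookup swaps the source and destination of the arriving packet before consulting the table: that swap is what makes "same source/destination addresses and ports" a return-traffic check rather than a match on the outbound tuple.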
Other CBAC functionality
• Out-of-sequence TCP packets are dropped.
• TCP packets with invalid sequence numbers are dropped.
• The reassembly of IP packets is not supported (as in the PIX firewall).
• Does not inspect packets originated by the IOS Firewall router.
• ICMP packets are not inspected. (They are manually managed using static ACLs.)
• ICMP unreachable packets are ignored.
Zone-Based Policy Firewall (ZFW)
• After IOS release 12.4(6)T
• Switched from the interface-based inspection model (as in CBAC) to a zone-based inspection model
• Changes
– Traffic passing through an interface does not need to be inspected the same way (as in the interface-based model)
– Interfaces are assigned to zones
– Policy inspection is applied to traffic moving between zones
• Benefits
– Higher granularity
– Flexibility
– Scalability
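The zone-based model above can be illustrated by a small policy-lookup model: interfaces are placed in zones, a policy is looked up per (source zone, destination zone) pair, and traffic with no zone pair is dropped, so the same interface's traffic is handled differently depending on where it is going. This is an added example, not code from the slides or from Cisco; the zone names, interface names and sample policies are constructed, the actions `inspect`, `pass` and `drop` borrow ZFW's vocabulary, and the handling of unzoned interfaces is a stated assumption.

```python
"""Toy model of zone-based policy lookup.

Added illustration, not Cisco code. Zone names, interface names and the
sample policies are constructed for the demo.
"""


class ZoneFirewall:
    def __init__(self):
        self.zone_of = {}   # interface name -> zone name
        self.pairs = {}     # (src_zone, dst_zone) -> {protocol: action}

    def assign(self, interface, zone):
        """Put an interface into a zone (an interface belongs to at most one zone)."""
        self.zone_of[interface] = zone

    def zone_pair(self, src_zone, dst_zone, policy):
        """Attach a policy to traffic flowing from src_zone to dst_zone.

        Zone pairs are directional: return traffic of an inspected session
        is admitted by session state, not by a reverse pair.
        """
        self.pairs[(src_zone, dst_zone)] = dict(policy)

    def decide(self, in_if, out_if, proto):
        """Action for traffic entering in_if and leaving out_if."""
        src, dst = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src is None or dst is None:
            return "drop"    # assumption: a zoned and an unzoned interface cannot talk
        if src == dst:
            return "pass"    # traffic between interfaces of one zone is allowed
        policy = self.pairs.get((src, dst))
        if policy is None:
            return "drop"    # no zone pair defined: implicit deny between zones
        return policy.get(proto, "drop")   # unmatched class falls to the default drop


def build_sample():
    """Constructed three-zone layout: inside, outside and a DMZ."""
    fw = ZoneFirewall()
    fw.assign("GigabitEthernet0/0", "inside")
    fw.assign("GigabitEthernet0/1", "outside")
    fw.assign("GigabitEthernet0/2", "dmz")
    fw.zone_pair("inside", "outside", {"tcp": "inspect", "udp": "inspect", "icmp": "pass"})
    fw.zone_pair("outside", "dmz", {"tcp": "inspect"})   # only TCP reaches the DMZ
    return fw


if __name__ == "__main__":
    fw = build_sample()
    for flow in (("GigabitEthernet0/0", "GigabitEthernet0/1", "tcp"),
                 ("GigabitEthernet0/1", "GigabitEthernet0/0", "tcp"),
                 ("GigabitEthernet0/1", "GigabitEthernet0/2", "udp")):
        print(flow, "->", fw.decide(*flow))
```

Compare this with CBAC, where inspection is attached to an interface and a direction: here the inside interface's traffic is inspected towards the outside zone but dropped towards the DMZ, with no change to the interface itself, which is the granularity the slide claims.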
Features of IOS Firewall
• Transport Layer Inspection
• Application Layer Inspection
• Filtering for Invalid Commands
• Java Blocking
• Safeguarding against DoS attacks
• Fragment handling