Content Overview

The security challenges that face today’s network administrators cannot be successfully managed by any single application. However, the Cisco IOS Firewall software offers a full set of security features that can be implemented to provide security for a network. In this module, you will learn about the Cisco IOS Firewall and Cisco IOS intrusion prevention system (IPS) functionality. The module explains various firewall technologies, such as packet filters, stateful firewalls, and proxy servers, and discusses each technology’s filtering capabilities and features. Furthermore, the module describes how to design effective firewall topologies and how to configure Cisco IOS Firewall functionality on Cisco IOS routers. The module covers the two configuration methods for Cisco IOS Firewall: using the command-line interface (CLI) and the Security Device Manager (SDM). The module also explains the intrusion detection system (IDS) and IPS technologies, describes types of IDS and IPS systems, compares host-based and network-based approaches, describes the placement of IPS systems, lists signature categories, and discusses possible actions that an IOS router can take when an attack is detected. Cisco IOS IPS can, just like the Cisco IOS Firewall, be configured using the CLI and SDM, and this module covers both methods.

Web Links

Cisco IOS Security Configuration Guide, Release 12.4
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_book09186a008043360a.html
Content

6.1 Introducing the Cisco IOS Firewall

6.1.1 Layered Defense Strategy

Firewalls enforce access control between networks, which can be of different types and levels of trust. A common name for a group of networks that can be reached over a single firewall network interface is a security zone. A security zone is an administratively separate domain to or from which a firewall can filter incoming or outgoing traffic. The most notable security zones are inside and outside networks that are connected to firewalls over inside or outside interfaces, respectively.

To provide a layered defense, security designers developed the concept of the screened subnet, based on creating a buffer network that is located between security zones. This small network, often called the Demilitarized Zone (DMZ), is neither an inside nor an outside network. The DMZ actually represents a miniature zone itself. Figure illustrates the concept of the DMZ. The DMZ acts as a “no-man’s land,” and access to the DMZ is permitted from both the inside and outside networks. Typically, administrators do not allow any traffic to pass directly across the DMZ. Other names for the DMZ are “buffer network” and “screened subnet.”

Filtering points that are set up on DMZ edges connect the DMZ to the inside and the outside networks and enforce access control for traffic that is entering or exiting the DMZ. These filtering points usually use classic or stateful packet filters. Another type of filtering device is a proxy server, also known as an application layer gateway (ALG). An ALG establishes two application sessions—one with the client and the other with the application server. The ALG acts as a server to the client and as a client to the server and provides security by sanitizing the data flow.

Layered Defense Features
The DMZ is an ideal place to host services—public services, exposed servers that untrusted users connect to, or proxy servers such as ALGs—to enable inside users to connect to the outside perimeter. Because of the DMZ’s ability to contain an attack and limit damage in the case of a break-in, the DMZ approach is the most popular and commonly used modern architecture. Figure summarizes how a DMZ supports a layered defense solution. The multiple layers of security that a DMZ offers are distributed between services and filtering points:

- The filtering points initially protect the services and, if the services are compromised, limit the ability of an attacker to proceed further into the system. Both entering and exiting traffic is filtered, either by classic routers or by dedicated firewalls.
- Public servers that are located in the DMZ require proper security measures. The services are hardened, making it difficult for an attacker to compromise them.
- ALGs (proxy servers) located in the DMZ sanitize the data exchange within the application flow. This service is especially recommended for outbound connectivity.
- An attacker who manages to break into the DMZ may not be able to launch attacks against the trusted inside network because the filtering points provide additional defense. Implementing additional features such as private VLANs will help mitigate such attacks.
Multiple DMZs

The DMZ is a single network that is nested between the inside and outside security zones. The concept of multiple DMZs is an alternative to the single network setup. When you use a single DMZ zone, no access control is available between the different hosts inside the DMZ. If a host is broken into, the attacker can likely compromise other hosts in the same DMZ if the host operating systems and applications are not properly hardened. For security reasons, modern applications are often multitiered, with the web server separated from the application server, as well as the database server. A robust system requires these separations.

A solution to the vulnerability of a single DMZ is multiple DMZ networks in which each DMZ hosts a particular service. Figure illustrates an implementation of multiple DMZs in which each new DMZ creates a new security zone, with filtering points in each single DMZ that control traffic entering and exiting the zone. A web server can now be isolated from an application server. A compromise of one server will leave an attacker in an extremely restricted environment with only a few carefully chosen services available, in accordance with the least-privilege philosophy.

Modern DMZ Design
Figure shows a simplified version of the multi-DMZ configuration. This DMZ design allows various systems to filter traffic but also highlights the critical need for the correct configuration of the filtering device. A modern firewall device with multiple interfaces creates multiple DMZs, each “leg network” being separated from other networks via a single filtering device. The single device substitutes for the “outside” and “inside” routers of a classic DMZ, providing the same level of ingress and egress filtering. Such a setup has the benefit of being simple, manageable, and cost-effective.
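The single-device, multi-leg design described above, and the per-zone filtering points of the Layered Defense Strategy and Multiple DMZs sections, can be expressed directly with the zone-based policy firewall feature of Cisco IOS. The following configuration is an added example written for this page; it is not taken from the course material or from the Cisco configuration guide, and the zone names, interface assignments, addresses (RFC 5737 documentation and RFC 1918 private ranges) and the application port 8080 are all assumed for illustration. One router carries the inside, outside and two DMZ legs, and each zone pair is a filtering point with a default-drop policy:

```cisco
! Zone-based policy firewall on one multi-interface router (added example).
! Interface names, zone names, addresses and the port 8080 are assumed;
! addresses use RFC 5737 documentation and RFC 1918 private ranges.

! One security zone per leg network of the firewall
zone security INSIDE
zone security OUTSIDE
zone security DMZ-WEB
zone security DMZ-APP

! Bind each interface to its zone (assumed interface assignment)
interface GigabitEthernet0/0
 description Trusted inside network
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Untrusted outside network
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
interface GigabitEthernet0/2
 description DMZ leg: public web servers
 ip address 192.0.2.1 255.255.255.0
 zone-member security DMZ-WEB
!
interface GigabitEthernet0/3
 description DMZ leg: application tier
 ip address 172.16.2.1 255.255.255.0
 zone-member security DMZ-APP

! The web tier may reach the application tier only on the assumed app port
ip access-list extended WEB-TO-APP
 permit tcp 192.0.2.0 0.0.0.255 172.16.2.0 0.0.0.255 eq 8080

! Traffic classes: only the services each zone is meant to expose
class-map type inspect match-any PUBLIC-WEB
 match protocol http
 match protocol https
!
class-map type inspect match-all APP-TIER
 match access-group name WEB-TO-APP
!
class-map type inspect match-any INSIDE-USERS
 match protocol tcp
 match protocol udp
 match protocol icmp

! Policies: statefully inspect the permitted class, drop and log the rest
policy-map type inspect PERMIT-WEB
 class type inspect PUBLIC-WEB
  inspect
 class class-default
  drop log
!
policy-map type inspect PERMIT-APP
 class type inspect APP-TIER
  inspect
 class class-default
  drop log
!
policy-map type inspect INSIDE-OUT
 class type inspect INSIDE-USERS
  inspect
 class class-default
  drop log

! Zone pairs are the filtering points. Each pair is unidirectional; return
! traffic is admitted by the stateful inspection, not by a second pair.
zone-pair security OUT-TO-WEB source OUTSIDE destination DMZ-WEB
 service-policy type inspect PERMIT-WEB
!
zone-pair security IN-TO-WEB source INSIDE destination DMZ-WEB
 service-policy type inspect PERMIT-WEB
!
zone-pair security WEB-TO-APP source DMZ-WEB destination DMZ-APP
 service-policy type inspect PERMIT-APP
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUT

! No zone pair exists for OUTSIDE->INSIDE, OUTSIDE->DMZ-APP, DMZ-WEB->INSIDE
! or DMZ-APP->INSIDE. Traffic between two zones with no zone pair is dropped
! by default, so nothing crosses the DMZ directly and a compromised web
! server cannot open connections toward the inside network.
```

The point to check after applying such a configuration is the absence of zone pairs as much as their presence: `show zone-pair security` should list only the four pairs above, and `show policy-map type inspect zone-pair sessions` should show sessions only in the directions those pairs permit. Anything the design forbids (outside to inside, web tier to inside, application tier initiating anywhere) is covered by the implicit drop between unpaired zones, which is what gives the single device the same ingress and egress filtering as the classic pair of outside and inside routers.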
The topology at the top of the slide illustrates a stateful firewall, also known as a stateful packet filter. This is a firewall device that keeps track of the state of network connections (such as TCP streams and UDP communication) that travel across it. In the example, six network interfaces are attached to the firewall: one connects to the inside network, one connects to the outside network, and the remaining four connect to the four DMZs. The second topology (in the middle of the screen) is identical to the first topology except that an ALG is used as the filtering device instead of a stateful firewall. The third topology also has four DMZs, but two stateful firewalls provide the connectivity structure instead of one firewall. This topology provides better performance because the filtering tasks are divided between two devices. Using two devices provides more security through