compartmentalization but increases the overall
costs of the solution.
6.1 Introducing the Cisco IOS Firewall
6.1.2 Private VLAN

Network designs must allow communication between authorized hosts and deny communication between hosts that have no valid requirement to connect. If hosts are in different network segments, firewall or router ACLs block unauthorized traffic at the network layer. However, when hosts are on the same segment, this is more difficult. Most DMZ implementations use a common segment for all servers and do not control traffic among those servers; often the servers are in a common VLAN. If an attacker compromises one server, the other servers in that segment are exposed to port-level or application-layer attacks from it. Firewalls and packet filters protect only against attacks from the outside, not against attacks originating within the DMZ.

Cisco's private VLAN implementation helps solve these problems. The private VLAN feature allows access ports to communicate only with certain designated router ports, which lets you isolate devices and prevent connectivity between them. Within a private VLAN, you can create communities that allow connections among some devices while preventing them from communicating with others.

The figure shows three private VLANs as different pipes that connect routers and hosts. The pipe that bundles all the others is the primary VLAN, marked in blue; traffic on the blue VLAN flows from the routers to the hosts. The pipes internal to the primary VLAN are the secondary VLANs, marked in yellow and red; traffic on those pipes flows only from the hosts toward the router. In this topology, the promiscuous port can forward both primary and secondary VLANs. Traffic that enters a switch from a promiscuous port can go out on all the ports that belong to the same primary VLAN. Traffic that enters a switch from a port mapped to a secondary VLAN (an isolated or a community VLAN) can be forwarded only to a promiscuous port or to a port belonging to the same community VLAN. Multiple ports mapped to the same isolated VLAN cannot exchange any traffic.

The figure shows the primary VLAN in blue; the secondary VLANs are red and yellow. Host 1 is connected to an isolated port of the switch that belongs to the secondary VLAN red. Host 2 is connected to a community port of the switch that belongs to the secondary VLAN yellow. Host 3, the administrator, is attached to a promiscuous port. When a host transmits, the secondary VLAN carries the traffic; for example, when Host 2 transmits, its traffic goes on VLAN yellow. When those hosts receive, the traffic comes from VLAN blue, the primary VLAN. Routers and firewalls are connected to promiscuous ports because those ports can forward traffic coming from every secondary VLAN defined in the mapping as well as from the primary VLAN. The ports connected to each host can forward only the traffic coming from the primary VLAN and the secondary VLAN configured on those ports.
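The forwarding rules just described, as an added Python model that is not part of the original course material or Cisco's code: port names and VLAN numbers (primary 100 for blue, isolated 101 for red, community 102 for yellow) are constructed to mirror the figure's topology.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Added model of the private VLAN forwarding rules (not Cisco code). Port
# names and VLAN numbers are constructed: primary 100 (blue), isolated 101
# (red), community 102 (yellow), as in the figure's topology.
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

@dataclass(frozen=True)
class Port:
    name: str
    kind: str
    primary: int                            # primary VLAN the port belongs to
    secondary: int = 0                      # host ports: their secondary VLAN
    mapping: FrozenSet[int] = frozenset()   # promiscuous ports: mapped secondaries

def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame entering on src may be forwarded out of dst."""
    if src is dst or src.primary != dst.primary:
        return False
    if src.kind == PROMISCUOUS:
        # Traffic from a promiscuous port rides the primary VLAN and reaches
        # every port in that primary VLAN.
        return True
    if dst.kind == PROMISCUOUS:
        # Host traffic rides its secondary VLAN toward the router/firewall,
        # but only if that secondary VLAN is in the promiscuous port's mapping.
        return src.secondary in dst.mapping
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        # Community members reach each other only within the same community.
        return src.secondary == dst.secondary
    # Isolated ports never reach another host port, and communities do not
    # reach isolated ports or other communities.
    return False

def reachable_from(src: Port, ports) -> set:
    """Names of the ports a frame entering on src can be forwarded to."""
    return {p.name for p in ports if can_forward(src, p)}

# Constructed topology matching the figure
ROUTER = Port("router", PROMISCUOUS, 100, mapping=frozenset({101, 102}))
ADMIN = Port("host3_admin", PROMISCUOUS, 100, mapping=frozenset({101, 102}))
HOST1 = Port("host1", ISOLATED, 100, secondary=101)
HOST1B = Port("host1b", ISOLATED, 100, secondary=101)
HOST2 = Port("host2", COMMUNITY, 100, secondary=102)
HOST2B = Port("host2b", COMMUNITY, 100, secondary=102)
PORTS = [ROUTER, ADMIN, HOST1, HOST1B, HOST2, HOST2B]
```

Two isolated hosts in the same secondary VLAN get no path to each other, while community hosts reach their peers and every host reaches the promiscuous ports.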
6.1 Introducing the Cisco IOS Firewall
6.1.3 Firewall Technologies

The figure lists the three types of firewall technologies. Firewall operations are based on one of these technologies:

- Packet filtering: Packet filtering limits the information that enters a network based on static packet header information. Layer 3 devices usually use packet filtering to statically define access control lists (ACLs) that determine which traffic to permit or deny. Packet filtering can examine protocol header information up to the transport layer to permit or deny certain traffic. Packet filtering sends permitted packets to the requesting system and discards all other packets.
- ALGs (application layer gateways): ALGs work at the application layer. An ALG is a special piece of software that is designed to relay application-layer requests and responses between endpoints. An ALG acts as an intermediary between an application client, for which the ALG acts as a virtual server, and a server, for which the ALG acts as a virtual client. The client connects to the proxy server and submits an application layer request. The application layer request includes the true destination of the traffic and the data request itself. The proxy server analyzes the request, may filter or change the request contents, and then opens a session to the destination server. The destination server replies to the proxy server. The proxy server passes the response, which may be filtered and changed, back to the client.
- Stateful packet filtering: Stateful packet filtering is the most widely used firewall technology. Stateful packet filtering is an application-aware method of packet filtering that works on the connection, or flow, level. Stateful packet filtering maintains a state table to keep track of all active sessions that cross the firewall. The state table, which is part of the internal structure of the firewall, tracks all sessions and inspects all packets that pass through the firewall. If packets have the properties that the state table predicts, the packets are forwarded. The state table changes dynamically according to the traffic flow.
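As an added example that is not Cisco's code or the course's own material, the following Python models the static packet filter from the router example later in this section (one inbound ACL permitting established TCP, ACK bit set, to 10.2.1.0/24) beside a stateful filter that keeps a state table, and runs both over constructed packets; it also exercises the spoofing and fragment weaknesses listed under packet filtering below. All addresses and ports other than 10.2.1.0/24 are constructed.

```python
import ipaddress
# Constructed example (not Cisco code): the inside network from the router
# example and two filters deciding on inbound packets from the outside.
INSIDE = ipaddress.ip_network("10.2.1.0/24")

def static_filter(pkt):
    """Static ACL, inbound on the outside interface: permit tcp any 10.2.1.0/24
    established (ACK set); anything else is denied. Returns 'permit'/'deny'."""
    if pkt.get("frag_offset", 0) > 0:
        # Non-first fragment: no TCP header to inspect, so it is passed
        # unconditionally (the fragment weakness listed in the text).
        return "permit"
    if (pkt["proto"] == "tcp" and ipaddress.ip_address(pkt["dst"]) in INSIDE
            and pkt.get("ack", False)):
        return "permit"   # static header check only; no memory of any session
    return "deny"

class StatefulFilter:
    """Keeps a state table of the sessions inside hosts have opened."""
    def __init__(self):
        self.table = set()   # (inside ip, inside port, outside ip, outside port)

    def outbound(self, pkt):
        # An inside host opens a session: record the flow so its replies can return.
        self.table.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return "permit"

    def inbound(self, pkt):
        if pkt.get("frag_offset", 0) > 0:
            return "deny"   # assumption: fragment reassembly happens elsewhere, not modelled
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return "permit" if key in self.table else "deny"

# Constructed packets (documentation addresses for the outside hosts)
OUTBOUND_SYN = {"proto": "tcp", "src": "10.2.1.10", "sport": 40000,
                "dst": "203.0.113.5", "dport": 80, "ack": False}
REPLY = {"proto": "tcp", "src": "203.0.113.5", "sport": 80,
         "dst": "10.2.1.10", "dport": 40000, "ack": True}
UNSOLICITED_ACK = {"proto": "tcp", "src": "198.51.100.9", "sport": 4444,
                   "dst": "10.2.1.10", "dport": 22, "ack": True}
LATER_FRAGMENT = {"proto": "tcp", "src": "198.51.100.9", "dst": "10.2.1.10",
                  "frag_offset": 185}

def compare():
    """(static, stateful) decisions of both filters on the same inbound packets."""
    sf = StatefulFilter()
    sf.outbound(OUTBOUND_SYN)
    packets = {"reply": REPLY, "unsolicited_ack": UNSOLICITED_ACK, "fragment": LATER_FRAGMENT}
    return {n: (static_filter(p), sf.inbound(p)) for n, p in packets.items()}
```

The genuine reply passes both filters; the unsolicited ACK and the later fragment pass the static ACL on header appearance alone but are dropped by the stateful filter because no inside host opened a matching session.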
Note
Each technology has advantages and disadvantages, and each one has a “best fit” role to play, depending on the needs of the network security policy.

Packet Filtering

A packet filtering firewall selectively routes or drops IP packets based on information in the network (IP) and transport (TCP or User Datagram Protocol [UDP]) headers. The figure shows this process. Packet filtering can be implemented on routers or on dual-homed gateways. A packet filter uses rules to accept or reject incoming packets based on source and destination IP addresses, source and destination port numbers, and packet type. These rules can also be used to reject any packet from the outside that claims to come from an address inside the network. Recall that each service relies on specific ports; by restricting certain ports, you can restrict those services. For example, blocking port 23 for all user workstations prevents the users from using Telnet, which is an insecure management protocol.

Any device that uses ACLs can perform packet filtering. ACLs are the most commonly used objects in Cisco IOS router configuration. Not only are ACLs used for packet filtering firewalls, but they can also select specified types of traffic to be analyzed, forwarded, or influenced in some way. While packet filtering is effective and transparent to users, it has some disadvantages:

- Packet filtering is susceptible to IP spoofing. Arbitrary packets can be sent that fit the ACL criteria and pass through the filter.
- Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header only in the first fragment, and packet filters filter on TCP header information, all non-first fragments are passed unconditionally. This behaviour rests on the assumption that filtering the first fragment accurately enforces the policy.
- Complex ACLs are difficult to implement and maintain correctly.
- Some services cannot be filtered. For example, it is difficult to permit dynamically negotiated sessions without opening up access to a whole range of ports, which in itself might be dangerous.

Packet Filtering Example
The figure shows a simple packet filter example using a Cisco IOS router. In most network topologies, the Ethernet interface connecting to the internal (inside) network needs to be protected. The serial interface connects to the Internet. In this example, only one ACL is applied in the inbound direction to the outside interface Serial 0/0. The ACL permits packets from established TCP sessions that are destined to the inside network 10.2.1.0/24 and drops all other traffic. Packets that belong to established TCP flows are recognized by the ACK flag that is set to 1 in the TCP header. The sessions have been originated by the hosts in the trusted zone (inside network). There is no ACL that blocks the initial flows from