Cisco IOS FireWall - Seminar Report

Abstract

The Cisco IOS (Internet Operating System) FireWall is a commercial FireWall Product that comes as a security specific option with the Cisco IOS Software. Unlike other FireWalls a dedicated appliance is not needed for this FireWall. It could be installed on the router itself. Since most of the routers in the Web employ Cisco IOS software for security purposes(such as authentication ,encryption etc)addition of Cisco IOS FireWall to the set yields better results.

It integrates robust firewall functionality and intrusion detection for every network perimeter and enriches existing Cisco IOS security capabilities. It adds greater depth and flexibility to existing Cisco IOS security solutions—such as authentication, encryption, and failover—by delivering state-of-the-art security features such as stateful, application-based filtering; dynamic per-user authentication and authorization; defense against network attacks; Java blocking; and real-time alerts.

Introduction

The Cisco IOS Firewall, provides robust, integrated firewall and intrusion detection functionality for every perimeter of the network. Available for a wide range of Cisco IOS software-based routers, the Cisco IOS Firewall offers sophisticated security and policy enforcement for connections within an organization (intranet) and between partner networks (extranets), as well as for securing Internet connectivity for remote and branch offices.

A security-specific, value-add option for Cisco IOS Software, the Cisco IOS Firewall enhances existing Cisco IOS security capabilities, such as authentication, encryption, and failover, with state-of-the-art security features, such as stateful, application-based filtering (context-based access control), defense against network attacks, per user authentication and authorization, and real-time alerts.

The Cisco IOS Firewall is configurable via Cisco ConfigMaker software, an easy-to-use Microsoft Windows 95, 98, NT 4.0 based software tool.

Firewall Basics

A FireWall is a network security device that ensures that all communications attempting to cross it meet an organization’s security policy.FireWalls track and control communications deciding whether to allow ,reject or encrypt communications.

FireWalls are used to connect a corporate’s local network to the Internet and also within networks.In otherwords they stand in between the trusted network and the untrusted network.

Design and Implementation issues

Basic Design Decisions in a FireWall

The first and most important decision reflects the policy of how your company or organization wants to operate the system. Is the firewall in place to explicitly deny all services except those critical to the mission of connecting to the net, or is the firewall is in place to provide a metered and audited method of ‘Queuing’ access in a non-threatening manner. The second is what level of monitoring, reducing and control do you want? Having established the acceptable risk level you can form a checklist of what should be monitored,  permitted and denied. The third issue is financial.

Implementation methods

Two basic methods to implement a firewall are

1.As a Screening Router:

A screening router is a special computer or an electronic device that screens (filters out) specific packets based on the criteria that is defined. Almost all current screening routers operate in the following manner.

a. Packet Filter criteria must be stored for the ports of the packet filter device. The packet filter criteria are called packet filter ruler.

b. When the packets arrive at the port, the packet header is parsed. Most packet filters examine the fields in only the IP, TCP and UDP headers.

c. The packet filter rules are stored in a specific order. Each rule is applied to the packet in the order in which the packet filter is stored.

d. If the rule blocks the transmission or reception of a packet the packet is not allowed.

e. If the rule allows the transmission or reception of a packet the packet is allowed.

f. If a packet does not satisfy any rule it is blocked.

2. As a Proxy Server:

A Proxy Server is an application that mediates traffic between a protected network and the Internet. Proxies are often used instead of router-based traffic controls, to prevent traffic from passing directly between networks. Proxy servers are application specific. In order to support a new protocol via a proxy, a proxy must be developed for it. Here there is no direct connection between the local network and the untrusted network. The  Proxy Server transfers an isolated copy of each approved packet from one network to the other network. No information about the local network is available to untrusted networks.

Realization of FireWall

1. Buying an off-the shell firewall product:

A commercial firewall product is brought and configured to meet an organization’s security policy. Some products are available as free ,others may cost up to $100000.

2.Building a custom firewall:

Organizations that have programming talent and financial resources often prefer to use a ‘roll your own’ approach. This involves building custom firewall solution to protect the organizations network. If implemented properly this is the most effective approach.      

Cisco IOS Firewall

As network security becomes increasingly critical to securing business transactions, businesses must integrate security into the network design and infrastructure itself. Security policy enforcement is most effective when it is an inherent component of the network.

The Cisco IOS Firewall is a security-specific option for Cisco IOS Software. It integrates robust firewall functionality and intrusion detection for every network perimeter. It adds greater depth and flexibility to existing Cisco IOS security solutions (i.e., authentication, encryption, and failover), by delivering state-of-the-art security features: stateful, application-based filtering; dynamic per-user authentication and authorization; URL Filtering and others. When combined with Cisco IOS IPSec and Cisco IOS Technologies such as L2TP tunneling and Quality of Service (QoS), Cisco IOS Firewall provides a complete, integrated virtual private network (VPN) solution.

Router-Based Firewall Functionality

Cisco IOS Firewall is available on a wide range of Cisco IOS Software releases. It offers sophisticated security and policy enforcement for connections within an organization (intranet) and between partner networks (extranets), as well as for securing Internet connectivity for remote and branch offices.The Cisco IOS Firewall is the best choice for integrating multiprotocol routing with security policy enforcement and enabling managers to configure a Cisco router as a firewall. It scales to allow customers to choose a router platform based on bandwidth, LAN/WAN density, and multiservice requirements; simultaneously, it benefits from advanced security.

Key Benefits

The Cisco IOS Firewall interoperates seamlessly with Cisco IOS Software, providing outstanding value and benefits:

Flexibility—Installed on a Cisco router, Cisco IOS Firewall is an all-in-one, scalable solution that performs multiprotocol routing, perimeter security, intrusion detection, VPN functionality, and per-user authentication and authorization.

Investment protection—Integrating firewall functionality into a multiprotocol router leverages an existing router investment, without the cost and learning curve associated with a new platform.

VPN support—Deploying Cisco IOS Firewall with Cisco IOS encryption and QoS VPN features enables secure, low-cost transmissions over public networks. It ensures that mission-critical application traffic receives high-priority delivery.

Scalable deployment— Cisco IOS Firewall is available for a wide variety of router platforms. It scales to meet the bandwidth and performance requirements of any network.

Easier provisioning—Combining the Cisco IE2100 and the Cisco IOS XML application enables a network administrator to drop ship any Cisco router with little or no pre-configuration to a given destination. The router pulls the most current Cisco IOS Software release router configuration and its security policy configuration for the Firewall when it is connected to the Internet.

Cisco IOS Firewall is supported on a majority of Cisco routers platforms, thus delivering important benefits that include multiservice integration (data/voice/video/dial), advanced security for dialup connections. On the Cisco 7100, 7200 and 7400 Series Routers, additional benefits include integrated routing and security at the Internet gateway for large enterprises and service provider customer premise equipment (CPE).

Cisco IOS Firewall Highlights

Stateful IOS Firewall inspection engine—provides internal users with secure, per-application-based access control for all traffic across perimeters, such as perimeters between private enterprise networks and the Internet. Also known as Context-Based Access Control (CBAC).

Intrusion Detection—Inline deep packet inspection service that provides real-time monitoring, interception, and response to network misuse with a broad set of the most common attack and information-gathering intrusion detection signatures. Now supports 102 signatures!

Firewall Voice Traversal—Provided by application-level intelligence of the protocol as to the call flow and associated channels that are opened. Voice protocols that are currently supported are H.323v2 and SIP (Q1CY03).

ICMP Inspection—Allow responses to ICMP packets (i.e., ping and traceroute) originating from inside the Firewall, while still denying other ICMP traffic. Available in Q1 of 2003.

Authentication Proxy—Enables dynamic, per-user authentication and authorization for LAN-based, http and dial-in communications; authenticates users against industry-standard. Support of SSL secured userid and passwords for http (HTTPS) provides greater confidentiality. TACACS+ and RADIUS authentication protocols enable network administrators to set individual, per-user security policies. HTTPS (SSL secured http) will be supported in Q1 of 2003.

Destination URL Policy Management—Several mechanisms that support local caching of previous requests, predetermined static URL permission and denial tables, as well as use of external server databases provided by Websense Inc. and N2H2 Inc. This is better known as URL Filtering. This will be available on all platforms after Q1 of 2003.

Per User Firewalls—Enables Service Providers to provide a managed Firewall solution in the broadband market by downloading unique Firewall, ACLs, and other settings on a per user basis, using the AAA server profile storage after authentication.

Cisco IOS Router and Firewall Provisioning—Zero (0) touch provisioning of the router, versioning and security policies such as Firewall rules.

Denial of Service Detection and Prevention—Defends and protects router resources against common attacks, checks packet headers, and drops suspicious packets.

Dynamic Port Mapping—Allows Firewall-supported applications on nonstandard ports.

Java Applet Blocking—Defends against unidentified, malicious Java applets.

VPNs, IPSec Encryption, and QoS Support—

 Operates with Cisco IOS Software encryption, tunneling, and QoS features to secure VPNs

 Provide scalable encrypted tunnels on the router while integrating strong perimeter security, advanced bandwidth management, intrusion detection, and service-level validation

Standards based for interoperability

Real-Time Alerts—Log alerts for denial-of-service attacks or other pre-configured conditions. This is now configurable on a per-application, per-feature basis.

Audit Trail—Details transactions, and records time stamp, source host, destination host, ports, duration and total number of bytes transmitted for detailed reporting. This is now configurable on a per-application, per-feature basis.

Integration with Cisco IOS Software—Interoperates with Cisco IOS Software features, integrating security policy enforcement into the network.

Basic and Advanced Traffic Filtering—

Standard and extended access control lists (ACLs)—apply access controls to specific network segments and define which traffic passes through a network segment.

Lock and Key—dynamic ACLs grant temporary access through firewalls upon user identification (username/password).

Policy-Based Multi-Interface Support—Provides ability to control user access by IP address and interface, as determined by the security policy.

Network Address Translation (NAT)—Hides internal network from the outside for enhanced security.

Time-Based Access Lists—Defines security policy based on the time of day and day of week.

Peer Router Authentication—Ensures that routers receive reliable routing information from trusted sources.

Cisco IOS FireWall Feature Set

New Firewall Features and Benefits

New Feature Description   

Context-based access control (CBAC) Provides internal users secure, per-application-based access control for all traffic across perimeters, e.g. between private enterprise networks and the Internet   

Java blocking Protects against unidentified, malicious Java applets   

Denial of Service detection/prevention Defends and protects router resources against common attacks; checks packet headers and drops suspicious packets   

Audit trail Details transactions; records time stamp, source host, destination host, ports, duration and total number of bytes transmitted   

RealTime alerts Logs alerts in case of denial-of-service attacks or other pre-configured conditions.   

ConfigMaker support A Win95/WinNT—Wizard based network configuration tool that offers step-by-step guidance through network design, addressing and Firewall feature set implementation.  

Previously released Cisco IOS firewall features are:

Basic and Advanced Traffic Filtering 

Standard and Extended Access Control Lists (ACLs): apply controls over access to specific network segments, and defines which traffic passes through a network segment 

Lock and Key—Dynamic ACLs: grant temporary access through firewalls upon user identification (username/password) 

Policy-based Multi-interface Support: provides ability to control user access by IP address and interface as determined by the security policy 

Network Address Translation (NAT): enhances network privacy by hiding internal addresses from public view; also reduces cost of Internet access by enabling conservation of registered IP addresses 

Peer Router Authentication: ensures that routers receive reliable routing information from trusted sources 

Event Logging: allows administrators to track potential security breaches or other nonstandard activities on a real-time basis by logging output from system error messages to a console terminal or syslog server, setting severity levels, and recording other parameters 

Virtual Private Networks (VPNs): provide secure data transfer over public lines (such as the Internet); reduce implementation and management costs for remote branch offices and extranets; enhance quality of service and reliability; standards-based for interoperability, using any of the following protocols: 

Generic Routing Encapsulation (GRE) Tunneling 

Layer 2 Forwarding (L2F) 

Layer 2 Tunneling Protocol (L2TP): when it becomes available 

Quality of Service (QoS) controls: prioritize applications and allocate network resources to ensure delivery of mission-critical application traffic 

Cisco encryption technology: a network-layer encryption capability that prevents eavesdropping or tampering with data across the network during transmission 

Application

1. Corporate Internet Perimeter

Corporations deploy Cisco IOS Firewall-enabled routers at the perimeter of their networks. The firewall is configured to protect against unauthorized access from the untrusted Internet to the corporation's private network, and to prevent unauthorized access from the internal private network to untrusted sites. As part of their business, many corporations need to administer their own Web, file transfer, mail, and DNS services, and to make those services available over the Internet. Because of the dangers of running servers inside private networks, a Demilitarized Zone (DMZ) network is deployed as part of the corporate network infrastructure to provide a safe, relatively neutral "drop area" for communication between inside and outside systems. A firewall policy is created to deny connections from the untrusted Internet to the private network. Internet users can connect to servers on the DMZ network to access public corporate information and all other services that the corporation wishes to offer to outside users. Outgoing connections from the DMZ network into the private network and the Internet are also prohibited by the firewall policy. This restriction prevents attackers from penetrating the DMZ server and using it as a tool to cause damage to internal services and to attack other public sites.

Authentication, Authorization, and Accounting

With the Cisco IOS Firewall authentication proxy feature, connections can be made based on the security policies configured for each user. A per-user policy is downloaded dynamically to the router from an authentication, authorization, and accounting (AAA) server when the user attempts to make a connection to the Internet, DMZ network, or the internal network. Access will be granted only when the user has the appropriate access privilege based on his or her individual security profile. Besides using the authentication proxy, the administrator of the corporate network can use the accounting capability of the AAA server for security, billing, resource allocation, and management of any users who use the authentication proxy service. See Figure 1 for an illustration of a corporate Internet perimeter deployment scenario.

Destination URL Policy Management

Corporations can also manage resources and avoid productivity drains with Destination URL Policy Management, a key feature of the Cisco IOS Firewall. With Destination URL Policy Management, system administrators of the corporate network decide the allowable URL categories, users that have access to content, as well as when that content can be accessed. The Cisco IOS Firewall-enabled router maintains a local list of URL policies to be managed, granting or denying permission to URL connection requests. For additional policies not available on the router, it forwards HTTP requests for a URL destination to the external policy management server in order to get permission. Currently, Cisco supports two URL Policy Management server implementations, WebSense Inc. and N2H2 Inc.

Event Monitoring and Logging

When suspicious activity is detected on the corporate network, real-time alerts send syslog error messages to the central management console, allowing administrators to track and respond to potential security breaches or other undesirable events in real time.

2.Corporate Intranet

A corporation typically has many departments that are each responsible for different pieces of mission-critical information. Employees working for various organizations within a corporation do not have equal access privileges to all corporate information and services. The corporate intranet deployment scenario offers protection of mission-critical servers such as human resource (HR), enterprise resource planning (ERP), customer relationship management (CRM), and accounting systems against security breaches from within the organization. It also effectively manages internal resources to help increase productivity.

The firewall policy for the corporate intranet is designed to restrict traffic and access to information between various departments within the corporation. Employees are subject to authentication and authorization before they are granted access to servers and services on the corporate network. Destination URL Policy Management also controls access to internal Web site and Web applications. In addition, suspicious activities are monitored by administrators with real-time alerts and log messages. See Figure 2 for an illustration.

3. Regional/Branch Office Perimeter

Regional or branch offices can also deploy a Cisco IOS Firewall-enabled router at the perimeter of their network. Data and voice traffic between the regional or branch office and the corporate headquarters is transported via the virtual private network (VPN) connection. A separate, direct connection to the Internet from the regional or branch location is also available for access to public servers and information available on the Web. With this firewall deployment scenario, the firewall policy created for the corporate internet perimeter deployment scenario works in conjunction with the firewall policy at the regional or branch office perimeter. No connections are permitted from the untrusted Internet to the regional or branch office network; instead, Internet users connect to servers on the corporate DMZ network to access public corporate information. The DMZ network provides all the services that the corporation wishes to offer to outside users.

To better manage individual access from the regional office location to the Internet and internal resources, AAA and URL Policy Management servers are deployed at the regional location. Access to services and resources will be granted to employees only when they have the appropriate access privilege based on their individual security profiles. A syslog server is also made available for the regional office administrator to track and respond to potential attacks and nonstandard activities. For smaller branch office locations without system administration resources, centralized firewall policy management can be provided remotely by the resources on the main corporate network.

4. Telecommuter/Home Office

Corporate telecommuters and home office workers similarly maintain a LAN network in the home with several computers connected to it (Figure 4). Both worker types subscribe to an ISP service that provides connectivity to the Internet. The home office worker, typically an independent contractor or an individual who runs a business out of a home, is always connected to an ISP. The home office worker relies on the ISP for services such as Web hosting, domain service, e-mail, and DNS. In a slightly different scenario, the telecommuter network is an extension of the corporate network. A telecommuter's access to work resources and shared information is subject to the corporate firewall security profile created for the individual. Similar to the branch office deployment scenario, a telecommuter is connected to the corporate network via a VPN tunnel for data and voice communication. The telecommuter can also directly access the Internet via an ISP. Business resources for the telecommuter such as e-mail, confidential information, server access, and more, reside on the corporate network.

Because business resources reside on a network external to home, the telecommuter and home office worker need not accept any incoming connections from the Internet to the home office LAN. The Cisco IOS Firewall enabled router at the perimeter of a telecommuter/home office permits only outgoing connections. The computers on the home LAN can connect to the Internet via the ISP network, but the firewall policy does not allow outside initiated sessions to the private LAN. The work-at-home individual can view Web pages, send e-mail, pick up incoming e-mail from a corporate network or ISP, retrieve software via FTP, connect remotely using Telnet, and join in multimedia conferences, all without exposing any services on his or her own LAN network.

Authentication proxy service and URL Policy management with the Cisco IOS Firewall are not necessary for a telecommuter or home office. Once again, the telecommuter, when on the corporate network, is subject to the firewall policy created for the individual. A syslog server can be deployed if the work-at-home individual is willing to act as the system administrator and be notified immediately when there is a potential intrusion of the private network.

5. Corporate Extranet

As corporations establish tighter relationships with their business partners, the need to share resources among companies increases. Sometimes, access to the partner's internal networks is necessary to improve productivity and efficiency. A Cisco IOS Firewall deployed at the perimeter of the corporate network and partner network can help to restrict confidential information access to the few privileged individuals. 

With authentication proxy, a user entering the corporate network and the partner network from the expected source network is authenticated before access is granted. A security policy for the individual is dynamically downloaded from the AAA server, allowing the user only the services permitted by the security profile. Syslog servers are maintained at both ends of the network to track alarming activities.

Conclusion

The Cisco IOS Firewall offers integrated network security through Cisco IOS software. A robust security policy entails more than perimeter control or firewall setup and management—security policy enforcement must be an inherent component of the network. Cisco IOS Software, with many advanced security features such as a firewall, firewall-IDS, IPSec/VPN, and quality of service (QoS) is an ideal vehicle for implementing a global security policy. Building an end-to-end Cisco solution allows managers to enforce security policies throughput the network as they grow.