Chapter 4. Exploring Security Technologies and Network Infrastructure Designs


Designing Enterprise Edge (or Data Center) Networks: The data center for your organization contains the demarcation between the public and private network domains.

Designing Headquarters with Remote Office Networks: Remote office users access corporate resources, the Internet, and other satellite offices through the corporate headquarters.

Designing Internet Content Delivery Networks: Third-party content delivery networks provide edge content replication services for enterprises.

Information security is a major concern for organizations with any amount of critical business content in their networks. Within the context of content networking, four fundamental techniques are available for you to use for securing content:

Application Layer Encryption
Packet Filtering
TCP Enhancements
Application Layer Inspection

You will learn content encryption using the public key infrastructure (PKI) in Chapter 8, "Exploring the Application Layer," along with PKI offloading technologies.







Filtering Packets with Access Control Lists

You can use access control lists (ACL) to permit or deny requests to services that are available within your network. You can apply ACLs to packets entering or leaving a firewall interface. Two forms of filters exist: stateless and stateful session ACLs. Firewalls that you enable with stateless ACLs treat each packet as an individual entity. Because stateless ACLs do not track transport connection information, routers apply the ACL to every packet regardless of the transport flow the packet is part of. Conversely, stateful session ACLs track flows to ensure that packets belong to a valid flow before filtering takes place.



Note

Firewalls can track TCP flows by inspecting the TCP flags and sequence numbers in the TCP segment header. Although UDP is connectionless, firewalls approximate UDP "connections" by examining the IP addresses and ports in the UDP segment and matching packets with the same UDP packet information. The firewall or router considers packets to be part of the same UDP connection if it receives UDP packets with the same IP addresses and UDP ports within the same approximate time frame.



Stateful session ACLs are useful for filtering that is based on TCP/IP when you need to know the direction that the connection originates from. For example, your internal users may require access to an FTP site on the Internet, but you should block incoming FTP access to your internal network from the Internet. You cannot achieve this type of access control using stateless ACLs. Instead, you can use basic ACLs, reflexive ACLs, context-based access control (CBAC), or Cisco PIX firewalls, because these features use stateful inspection. With stateful inspection, when your workstation sends an outgoing TCP SYN segment to an external resource, the firewall creates a temporary incoming ACL entry for your return traffic. The entry contains the same IP addresses and TCP port numbers as your outgoing request but with the source and destination values swapped. Figure 4-1 illustrates how firewalls implement stateful ACLs. In this example, the firewall is performing static source Network Address Translation (NAT), translating your client private IP 10.1.1.5 to the registered IP 209.165.200.225. When the server responds to your TCP SYN segment, it uses the registered IP in its TCP SYN-ACK response. This example configures the firewall to block all incoming traffic on interface Ethernet0. However, the outgoing connection in this example creates a temporary incoming rule to permit return traffic to the inside user.

Figure 4-1. Stateful ACL Operation

Note

Temporary ACLs approximate stateful inspection using a temporary incoming ACL entry. To perform true stateful inspection, Cisco devices maintain entries for individual flows in state tables. You will learn about state maintenance with session filtering later in this section.



Cisco supports three types of stateful ACLs:

Basic Access Lists: Basic ACLs do not automatically create temporary incoming entries for your return traffic. You must manually configure basic ACLs on your Cisco IOS firewall to approximate stateful session filtering by using the established keyword within permit ACL entries. The established keyword permits incoming TCP segments with their ACK or RST flag set; segments with these flags set indicate that they are not the first packet in the session. For example, the extended ACL entry access-list 101 permit tcp any 10.1.1.0 0.0.0.255 established, when applied to incoming packets on the outside interface of the firewall in Figure 4-1, permits return packets of established TCP connections to your inside network in the subnet 10.1.1.0/24.

IP Session Filtering (Reflexive ACLs): IP session filters create temporary ACL entries for incoming TCP traffic. Example 4-1 illustrates how you can configure IP session filters. The outgoing named ACL outsession defines the entry that triggers the temporary incoming rule. You must give a name to your reflexive ACL entry; this example calls it tcpreflect. The incoming rule insession defines the ACL that denies all incoming traffic in this example. You can add specific entries to this rule if you would like to permit other types of traffic into your network (for example, you may want to allow incoming FTP access to your network). Use the evaluate statement to permit return traffic from established connections into your network. Because IOS processes ACL entries in order, the evaluate statement must precede the deny ip any any entry; otherwise the deny matches every packet before the reflexive entries are consulted. Use the command ip reflexive-list timeout to set the amount of time during which temporary entries will remain active without any traffic activity from the TCP session.

Example 4-1. Configuring IP Session Filters

interface FastEthernet0/1
 ip access-group insession in
 ip access-group outsession out
!
ip reflexive-list timeout 120
!
ip access-list extended outsession
 permit tcp any any reflect tcpreflect
!
! evaluate must come before the deny: entries are matched in order
ip access-list extended insession
 evaluate tcpreflect
 deny ip any any

Temporary ACL entries store 5-tuples (that is, protocol, source port, source IP address, destination port, and destination IP address) in RAM but do not store TCP connection state information, including TCP flags and sequence numbers, in RAM. Use the Cisco IOS Context Based Access Control (CBAC) firewall feature or PIX Firewall ACLs if you need your sessions stored in RAM.

Cisco IOS Context Based Access Control (CBAC) firewall feature and PIX Firewall ACLs: You can use CBAC or PIX firewalls to perform true stateful session filtering. When your users initiate new connections from the inside, the firewall first creates a session entry in its state table. The router then creates a temporary entry for return traffic. The benefit of maintaining the connection state in RAM is that the firewall is able to look further into the content within the connection using application layer inspection. The drawback is that your firewalls require much more memory to store the state table.
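The temporary-entry mechanism described above, simulated in Python as an added example that is neither from the book nor from Cisco IOS: an outbound TCP packet matching the reflect entry creates a 5-tuple entry with source and destination swapped, return traffic that matches the entry is permitted until it has been idle longer than the reflexive-list timeout (120 seconds, as in Example 4-1), and everything else falls through to the deny. The same packets are also checked against the rule the established keyword applies (ACK or RST set) to show why a basic ACL only approximates session filtering. The client is seen at its translated address 209.165.200.225 from Figure 4-1; the server address 198.51.100.10 and all packets are constructed.

```python
"""Simulation of stateful session ACLs: reflexive entries versus the `established` keyword."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: the 5-tuple, the TCP flags and an arrival time in seconds."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str] = frozenset()
    t: float = 0.0


FiveTuple = Tuple[str, str, int, str, int]


def five_tuple(p: Packet) -> FiveTuple:
    return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def return_entry(p: Packet) -> FiveTuple:
    """Temporary entry for return traffic: same addresses and ports, source and destination swapped."""
    return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)


def established_permits(p: Packet) -> bool:
    """Basic ACL with the `established` keyword: permit any inbound TCP segment with ACK or RST set."""
    return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})


class ReflexiveAcl:
    """Mimics `permit tcp any any reflect tcpreflect` outbound and `evaluate tcpreflect` inbound,
    followed by `deny ip any any`, with the idle timeout of `ip reflexive-list timeout`."""

    def __init__(self, timeout: float = 120.0) -> None:
        self.timeout = timeout
        self.entries: Dict[FiveTuple, float] = {}  # return-traffic 5-tuple -> last activity time

    def outbound(self, p: Packet) -> str:
        if p.proto == "tcp":
            self.entries[return_entry(p)] = p.t  # create (or refresh) the temporary entry
        return "permit"

    def inbound(self, p: Packet) -> str:
        key = five_tuple(p)
        last = self.entries.get(key)
        if last is None:
            return "deny"  # no matching entry: falls through to deny ip any any
        if p.t - last > self.timeout:
            del self.entries[key]  # idle longer than the timeout: entry has expired
            return "deny"
        self.entries[key] = p.t  # matching traffic restarts the idle timer
        return "permit"


def run_scenario() -> Dict[str, object]:
    """Constructed traffic on the outside interface of the firewall in Figure 4-1. The client is seen
    at its translated address 209.165.200.225; the FTP server address 198.51.100.10 is constructed."""
    client, server = "209.165.200.225", "198.51.100.10"
    acl = ReflexiveAcl(timeout=120.0)
    syn = Packet("tcp", client, 40000, server, 21, frozenset({"SYN"}), t=0.0)
    syn_ack = Packet("tcp", server, 21, client, 40000, frozenset({"SYN", "ACK"}), t=0.1)
    # An inbound connection attempt to port 21 that no inside host asked for.
    new_inbound = Packet("tcp", server, 4444, client, 21, frozenset({"SYN"}), t=0.2)
    # An inbound segment with only ACK set that belongs to no outbound session.
    ack_only = Packet("tcp", server, 4444, client, 21, frozenset({"ACK"}), t=0.3)
    # Return traffic for the real session, but after 200 s of silence (timeout is 120 s).
    late = Packet("tcp", server, 21, client, 40000, frozenset({"ACK"}), t=200.0)
    return {
        "syn_out": acl.outbound(syn),                                  # permit, creates the entry
        "syn_ack_in": acl.inbound(syn_ack),                            # permit, matches swapped 5-tuple
        "new_inbound_reflexive": acl.inbound(new_inbound),             # deny
        "new_inbound_established": established_permits(new_inbound),  # False: no ACK/RST
        "ack_only_reflexive": acl.inbound(ack_only),                   # deny: no entry for it
        "ack_only_established": established_permits(ack_only),        # True: flag check alone passes
        "late_reflexive": acl.inbound(late),                           # deny: entry expired
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

The last two results are the reason a practitioner prefers reflexive ACLs or CBAC over the established keyword: the flag check alone passes any inbound segment that has ACK set, whereas the reflexive ACL only passes traffic whose 5-tuple was created by an outbound session and has not gone idle.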



Note

Firewall load balancing is available to you as a content networking security service. See Chapter 11, "Switching Secured Content," for more information on firewall load balancing.



Application Layer Inspection

Interesting TCP enhancements that fall "in between" packet filtering and application inspection are TCP normalization and SYN-cookies. Cisco Security Appliances use TCP normalization to drop packets that do not appear normal. Additionally, SYN cookies are initial TCP sequence numbers that encode a sender's IP address to enable the receiver to know which packets are from valid senders during a SYN-flood. These TCP enhancements prove to be beneficial for securing most applications. SYN-cookies are discussed in Chapter 11.

Application layer inspection is available with the Cisco PIX Firewall, Cisco Security Appliance, and the CBAC IOS firewall feature. In order to ensure the correct behavior of known applications, Cisco PIX Firewall and the CBAC IOS firewall feature store application layer session information along with the transport layer connection information in the state table. The firewall will drop the application layer session if behavior of the application is not RFC-compliant, even when the application session spans multiple TCP connections. Examples of RFC compliance are

Users attempt valid application commands over the connection.

Commands occur in the correct sequence during the connection. For example, an HTTP response without an HTTP request violates the RFC 2616 definition of the HTTP request-response sequence.
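The two compliance checks above, written as an added Python example (not the PIX or CBAC implementation): an inspector keeps, per application session, the number of requests still awaiting a response, permits a request only if its method is one of the RFC 2616 methods, drops the session when a status line arrives with no outstanding request, and keeps dropping once a session has been marked bad. The session identifiers, direction labels and HTTP messages are constructed.

```python
"""Application layer inspection of HTTP command validity and request-response ordering."""
import re
from typing import Dict, Set

# Methods defined in RFC 2616 section 5.1.1; anything else is not a valid application command.
VALID_METHODS: Set[str] = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3}) ")


class HttpInspector:
    """Per application session (a constructed identifier that may span several TCP connections),
    track how many requests still await a response. A response with none outstanding, or a
    request with an unknown method, drops the whole session."""

    def __init__(self) -> None:
        self.pending: Dict[str, int] = {}
        self.dropped: Set[str] = set()

    def inspect(self, session: str, direction: str, data: bytes) -> str:
        if session in self.dropped:
            return "drop"  # a dropped session stays dropped
        text = data.decode("ascii", errors="replace")
        if direction == "out":  # client to server: must be a request with a valid method
            m = REQUEST_LINE.match(text)
            if m is None or m.group(1) not in VALID_METHODS:
                return self._drop(session)
            self.pending[session] = self.pending.get(session, 0) + 1
            return "permit"
        if direction == "in":  # server to client: must answer an outstanding request
            if STATUS_LINE.match(text) is None or self.pending.get(session, 0) == 0:
                return self._drop(session)
            self.pending[session] -= 1
            return "permit"
        raise ValueError(f"unknown direction {direction!r}")

    def _drop(self, session: str) -> str:
        self.dropped.add(session)
        self.pending.pop(session, None)
        return "drop"


def run_scenario() -> Dict[str, str]:
    """Constructed messages; session ids s1..s3 are labels, not real connections."""
    insp = HttpInspector()
    request = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    response = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    bad_command = b"FETCH /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    return {
        "request": insp.inspect("s1", "out", request),                   # permit
        "response": insp.inspect("s1", "in", response),                  # permit
        "response_without_request": insp.inspect("s2", "in", response),  # drop
        "unknown_command": insp.inspect("s3", "out", bad_command),       # drop
        "after_drop": insp.inspect("s3", "out", request),                # drop
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

Keying the state by an application session rather than by TCP connection is what lets the check survive a session that spans several connections, which is the case the text calls out.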

To enable application inspection on the PIX firewall, use the fixup protocol command for each of the protocols that you would like to inspect. The PIX firewall will ensure that the protocol you configure obeys the common operation of the application protocol.



Note

The PIX firewall also supports HTTP method and URL filtering. Additionally, the Cisco Application Velocity System (AVS) platform supports HTTP-specific application security features, such as cookie encryption, resource cloaking, and filtering based on HTTP encoding types.



To configure CBAC, you configure the applications you want to inspect using the ip inspect global configuration command. In Example 4-2, the CBAC list "inspectapps" gives the applications that the IOS firewall will inspect.

Example 4-2. Configuring CBAC

ip inspect name inspectapps rtsp timeout 30
ip inspect name inspectapps ftp timeout 30
ip inspect name inspectapps realaudio timeout 30
interface FastEthernet0/1
 ip access-group insession in
 ip inspect inspectapps out
!
ip access-list extended insession
 deny ip any any



Common applications that you can inspect using CBAC or the PIX firewall are:

HTTP
Real Time Streaming Protocol (RTSP)
H.323
FTP
Internet Control Message Protocol (ICMP)
Simple Mail Transfer Protocol (SMTP)
TFTP



Note

Network Based Application Recognition (NBAR) also inspects application traffic to classify packets for QoS policies. To learn more about NBAR, see Chapter 6, "Ensuring Content Delivery with Quality of Service."



Although CBAC and the PIX provide application layer inspection in addition to packet filtering capabilities, intrusion prevention systems (IPS) were developed by Cisco specifically to provide application layer inspection. IPSs are standalone appliances that protect your network by detecting, classifying, and blocking spyware, worms, adware, network viruses, and application abuse by inspecting information at Layers 2 through 7. IPSs evolved from the intrusion detection systems (IDS) to include a more robust set of threat identification methods to minimize false-positive alerts, such as:

Pattern recognition: Detects code vulnerabilities by matching against text patterns (or "signatures") in the application payload, and thereby protects against Internet worms such as Code Red and Nimda.

Protocol analysis: Inspects known applications for deviations from RFC-compliant behavior.

Traffic-level anomaly detection: Notices abnormal changes in application traffic levels. For example, an IPS detects ICMP floods if the number of ICMP packets exceeds a threshold over a given amount of time.
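The ICMP threshold check above, as an added Python example rather than any Cisco IPS logic: a per-destination sliding window counts the ICMP packets seen in the last second and raises an alert once the count exceeds the threshold, so ordinary pings stay below it while a burst crosses it within a few milliseconds of its start. The traffic records, the addresses and the threshold of 50 packets per second are constructed.

```python
"""Traffic-level anomaly detection: ICMP packets per destination over a sliding time window."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed record format: (time_ms, protocol, src_ip, dst_ip), in arrival order.
Record = Tuple[int, str, str, str]


class IcmpFloodDetector:
    """Alert when more than `threshold` ICMP packets reach one destination within `window_ms`."""

    def __init__(self, threshold: int, window_ms: int) -> None:
        self.threshold = threshold
        self.window_ms = window_ms
        self.recent: Dict[str, Deque[int]] = defaultdict(deque)  # dst_ip -> arrival times in window

    def observe(self, rec: Record) -> bool:
        t, proto, _src, dst = rec
        if proto != "icmp":
            return False  # only ICMP counts toward this threshold
        q = self.recent[dst]
        q.append(t)
        while q and t - q[0] > self.window_ms:
            q.popleft()  # slide the window: forget arrivals older than window_ms
        return len(q) > self.threshold


def build_sample_traffic() -> List[Record]:
    """Constructed traffic: 10 s of ordinary activity (one ping and one TCP packet per second),
    then 200 ICMP packets in 0.4 s aimed at the same host from one constructed source."""
    recs: List[Record] = []
    for s in range(10):
        recs.append((s * 1000, "icmp", "192.0.2.20", "192.0.2.10"))
        recs.append((s * 1000 + 500, "tcp", "192.0.2.20", "192.0.2.10"))
    for i in range(200):
        recs.append((10000 + 2 * i, "icmp", "203.0.113.7", "192.0.2.10"))
    return recs


def detect(traffic: List[Record], threshold: int = 50, window_ms: int = 1000) -> List[Tuple[int, str]]:
    """Run the detector over a record list and return (time_ms, dst_ip) for every alerting packet."""
    det = IcmpFloodDetector(threshold, window_ms)
    return [(rec[0], rec[3]) for rec in traffic if det.observe(rec)]


if __name__ == "__main__":
    alerts = detect(build_sample_traffic())
    print(f"{len(alerts)} alerting packets; first alert at t={alerts[0][0]} ms for {alerts[0][1]}")
```

Once the count has crossed the threshold every further packet in the window alerts, so a real deployment would rate-limit the alert itself; the returned list is kept complete here so the onset and duration of the burst can be checked.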



Note

The Cisco Traffic Anomaly Detector device is also available for distributed denial of service (DDoS) anomaly detection (via technology obtained from the Riverhead acquisition).







Designing Enterprise Campuses

In typical campus designs, individual buildings connect to a central building by way of physical layer uplinks. You can create uplinks using optical wavelengths, where numerous wavelengths of light create separate logical channels on single mode fiber. Optical technologies including dense wavelength division multiplexing (DWDM) and Cisco coarse wavelength division multiplexing (CWDM) have major bandwidth benefits between buildings but at a much higher cost than more traditional campus cabling designs. A possible reason for the higher cost of using DWDM or CWDM is that you require dedicated physical layer optical networking gear to multiplex the wavelengths onto the single mode fiber. Traditional physical layer uplinks include dark fiber, copper cabling, or wireless connectivity between the buildings.

You should centralize your users' access to corporate services, WAN connectivity to branch offices, and Internet access in the main campus building. Your users can connect through access switches at Layer 2 or 3 by routing or switching traffic to the central building through distribution switches located in the individual campus buildings. To provide resiliency for user access to centralized corporate resources, you can use Spanning Tree Protocol (STP), EtherChannel, or redundant routed links between the campus backbone and distribution switches. Figure 4-2 gives a fully redundant campus network design.

Figure 4-2. A Typical Core/Distribution/Access Layer Campus Network Design


