Module 12

Module 12 Firewalls Distributed Wireless Protection

Objectives • Identify the fundamental aspects of firewalls • Identify and describe the available Firewall Polices • Describe all aspects of Stateful Packet Inspection • Explain the use of Firewall Roles • Describe the use of ACL Assignments & Traffic Paths • Identify key considerations and best practices

Introduction

Introduction • WiNG5 provides enhanced stateful inspection firewall which is now distributed on all Motorola WLAN devices: • Wireless Controllers • Access Points • The integrated firewall provides: • L2 / L3 Stateful Packet Inspection • Dynamic ACL Assignments (Roles) • DoS Detection • Storm Control • ARP Spoofing Protection • DHCP Offer Conversion • Application Layer Gateways IP ACLs Role Policy MAC ACLs Device WLAN Profile DoS Detection Firewall Policy ALGs Storm Control DHCP Offer Conversion IP/MAC Conflict Detection

Firewall Policies

Firewall Policies – Introduction Profiles • Firewall policies enable and disable firewall services and configure the firewall features on Wireless Controllers and Access Points • Firewall policies control: • Layer 2 Firewall State • Application Layer Gateways • DoS Detection • DHCP Offer Conversion • Firewall Flow Timeouts • IP/MAC Conflict Detection • Proxy ARP • Storm Controls • A default firewall policy is assigned to all Wireless Controllers and Access Points by default • Only one default or user defined Firewall policy can be assigned per Wireless Controller or Access Point using profiles or device overrides DoS Detection DHCP Offer Conversion Storm Control Firewall Policy Proxy ARP IP/MAC Conflict Detection ALGs Devices

DoS Detection • Each Firewall policy can detect 24 different DoS violations • Each violation can be individually enabled or disabled, supports and action that can drop and/or log traffic and provides a user defined log level • All events are enabled by default in the default and user defined firewall policies with default log level defined

Storm Controls • Storm Controls provides as mechanism to protect the network infrastructure from flooding attacks or high-rates of traffic forwarded though Wireless Controllers and Access Points • Storm Controls are defined in firewall policies and may limit: • Broadcast packets / second forwarded through ports and WLANs • Multicast packets / second forwarded through ports and WLANs • Unknown Unicast packets / second forwarded through ports and WLANs • ARP packets / second forwarded through ports and WLANs • Traffic that exceeds the defined threshold will be dropped by the Wireless Controllers and Access Points and an event log message will be generated • Storm Controls are disabled by default in the default firewall policy or user defined firewall policies

DHCP Offer Conversion • DHCP offer conversion allows the Access Points to convert broadcast DHCP offers and ACKs to unicast reducing the number of Wireless Clients that have to receive and process the DHCP frame • Only applicable when the DHCP server is on the same VLAN as the Wireless Client • Disabled by default in the default user defined firewall policies Broadcast DHCP Offers & ACKs Unicast DHCP Offers & ACKs DHCP Server MAC: 1111.1111.1111 IP: 192.168.10.5/24 DHCP Server MAC: 1111.1111.1111 IP: 192.168.10.5/24 VLAN 10 VLAN 10 VLAN 10 VLAN 10 VLAN 10 VLAN 10 VLAN 10 VLAN 10 Ethernet (IP) Ethernet (IP) Ethernet (IP) Ethernet (IP) Ethernet (IP) Ethernet (IP) Ethernet (IP) Ethernet (IP) S S S S S S S S 2222.2222.2222 0.0.0.0 2222.2222.2222 0.0.0.0 2222.2222.2222 0.0.0.0 1111.1111.1111 0.0.0.0 2222.2222.2222 0.0.0.0 1111.1111.1111 0.0.0.0 1111.1111.1111 192.168.10.5 1111.1111.1111 192.168.10.5 D D D D D D D D ffff.ffff.ffff.ffff 0.0.0.0 ffff.ffff.ffff.ffff 0.0.0.0 ffff.ffff.ffff.ffff 0.0.0.0 2222.2222.2222 0.0.0.0 ffff.ffff.ffff.ffff 0.0.0.0 ffff.ffff.ffff.ffff 0.0.0.0 ffff.ffff.ffff.ffff 0.0.0.0 2222.2222.2222 0.0.0.0 DHCP Discover DHCP Offer DHCP Discover DHCP Request DHCP ACK DHCP Request DHCP Offer DHCP ACK Station 1 MAC: 2222.2222.2222 IP: (DHCP) Station 1 MAC: 2222.2222.2222 IP: (DHCP)

Proxy ARP • Proxy ARP allows Wireless Controllers and Access Points to generate ARP responses on behalf of Wireless Clients • Reduces the need for Wireless Clients to wake up and respond to ARP replies • Enabled by default in the default and user defined firewall policies Proxy ARP Access Point MAC: 1111.1111.1111 IP: 192.168.10.1/24 Station 1 MAC: 2222.2222.2222 IP: 192.168.10.100/24 VLAN 10 VLAN 10 VLAN 10 VLAN 10 Ethernet (IP) Ethernet (IP) Ethernet (IP) S S S 1111.1111.1111 192.168.10.100 2222.2222.2222 192.168.10.101 1111.1111.1111 192.168.10.100 With Proxy ARP the infrastructure device responds to the ARP request on behalf of the Wireless Client D D D ffff.ffff.ffff.ffff 0.0.0.0 ffff.ffff.ffff.ffff 0.0.0.0 ffff.ffff.ffff.ffff 0.0.0.0 Without Proxy ARP the ARP request is flooded to all Wireless Clients on VLAN 10 192.168.10.101 is at 3333.3333.3333 192.168.10.101 is at 3333.3333.3333 Who has 192.168.10.101? Tell 192.168.10.100 VLAN 10 VLAN 10 Station 2 MAC: 3333.3333.3333 IP: 192.168.10.101/24 DFG: 192.168.10.1 Station 3 MAC: 4444.4444.4444 IP: 192.168.10.102/24 DFG: 192.168.10.1

IP / MAC Conflict Detection • IP / MAC Conflict Detection allows Wireless Controllers and Access Points to intercept and log packets with IP / MAC bindings • Can detect and prevent man-in-the-middle ARP spoofing attacks • Can detect and prevent devices attempting to steal IP addresses • Can detect and prevent rogue DHCP servers • Valid IP / MAC bindings are learned by snooping DHCP offers and ACKs and building a IP / MAC binding table • The binding table includes the IP Addresses and MAC address for all DHCP servers, routers, and Virtual IP interfaces • Requires Wireless Clients to use DHCP and does not function with Wireless Clients with static IP addresses • Disabled by default in the default and user defined firewall policies Example DHCP Snooping Table ------------------------------------------------------------------------------- Snoop Binding <192.168.10.1, 00-12-83-93-B0-40, Vlan 10> Type router, Touched 3 seconds ago ------------------------------------------------------------------------------- Snoop Binding <192.168.10.14, 00-15-70-81-7B-0D, Vlan 10> Type switch-SVI, Touched 9 seconds ago ------------------------------------------------------------------------------- Snoop Binding <192.168.10.6, 00-E0-81-2F-DC-BC, Vlan 10> Type dhcp-server, Touched 57 seconds ago ------------------------------------------------------------------------------- Snoop Binding <192.168.10.101, 00-12-79-DE-38-40, Vlan 10> Type dhcp-client, Touched 7175 seconds ago router ip #1 - 192.168.10.1 dnsip #1 - 192.168.10.6 netmask = /24 Lease Time = 691200 seconds ------------------------------------------------------------------------------- Snoop Binding <192.168.10.102, 00-13-02-2E-78-82, Vlan 10> Type dhcp-client, Touched 2229 seconds ago Mint ID: 70.e6.98.1c router ip #1 - 192.168.10.1 dnsip #1 - 192.168.10.6 netmask = /24 Lease Time = 691200 seconds -------------------------------------------------------------------------------

IP / MAC Conflict Detection Trusts • Each physical port and WLAN can be configured to trust or un-trust ARP and DHCP packets and drop suspicious packets • ARP Un-trusted – Wireless Controllers and Access Points will inspect and provide ARP spoofing protection on a port or WLAN • ARP Trusted – Wireless Controllers and Access Points will trust and not inspect ARP traffic on a port or WLAN • DHCP Un-trusted – Implies no valid DHCP server is attached to the port or WLAN and will block DHCP offers and ACKs received on the port or WLAN • DHCP Trusted – Implies a valid DHCP server is attached to the port or WLAN and will forward DHCP offers and ACKs received on the port or WLAN

Stateful Packet Inspection

Introduction • Stateful inspection for all IPv4 flows • Switched (L2) or Routed (L3) • On Controllers and APs • Layer 2 inspection disabled by default • Stateless packet filtering for non IPv4 flows • AppleTalk, IPX and IPv6 • Inspects all 802.11 flows typically not visible to wired firewall appliances including: • Wired to Wired Traffic • Wired to WLAN Traffic • WLAN to WLAN Traffic • Maintains state of TCP, UDP and ICMP flows as they traverse the Wireless Controller or Access Points • Once an IPv4 flow is established, bidirectional communications between hosts can occur (no reverse permit rule is required) • All flows are migrated as Wireless Clients roam

Application Layer Gateways (ALGs) • Each firewall policy can individually enable one or more ALGs that can inspect and verify application payloads and dynamically open additional ports required for the protocols to function • WiNG5 supports ALGs for: • FTP • SIP • TFTP • ALGs require the protocols to be permitted for the ALG to function • For example the SIP ALG would require UDP port 5060 to be permitted and FTP would requite TCP port 21 to be permitted

Elements Ports Virtual IP Interfaces • Each MAC or IP ACLs contains one or more • Traffic match conditions (rules), • Actions • Logging • ACLs can be assigned to • Ports • Virtual IP Interfaces • WLANs • Wireless Clients • Each ACL must contain one or more permit rules for traffic to be forwarded: • Each rule is inspected in order of preference • The first rule to match the flow is used • Each ACL includes implicit “deny any any” rule at the end • Empty ACL is equivalent to “allow any any” Profile WLANs Device IP ACL MAC ACL Rules Rules

IP ACLs • IP ACLs can be assigned to traffic paths to permit, deny or mark IPv4 flows • Each ACL must be assigned a unique name • IP ACLs can be assigned to WLANs, Physical Ports and Virtual IP Interfaces: • WLANs: One IP ACL may be assigned per WLAN for inbound and outbound traffic • Virtual IP Interfaces: One IP ACL may be assigned to each Virtual IP Interface for inbound traffic • Physical Ports: One IP ACL may be assigned per Port for inbound traffic • IP ACL can be assigned to Physical Ports or Virtual IP Interfaces on individual devices or multiple devices using profiles • IP ACLs assigned to individual devices will override IP ACLs inherited from a profile

IP ACL Rule Elements • Each IP ACL can contain up to 500 entries (rules) which support the following:

MAC ACLs • MAC ACLs can be assigned to traffic paths to permit, deny or mark IPv4 and non-IPv4 flows • MAC ACLs matching IPv4 traffic are stateful • MAC ACLs matching non IPv4 traffic are stateless • MAC ACLs can be assigned to WLANs, Physical Ports and Virtual IP Interfaces: • WLANs: One MAC ACL may be assigned per WLAN for inbound and outbound traffic • Virtual IP Interfaces: One MAC ACL may be assigned to each Virtual IP Interface for inbound traffic • Physical Ports: One MAC ACL may be assigned per Port for inbound traffic • MAC ACLs can be assigned to Physical Ports or Virtual IP Interfaces on individual devices or multiple devices using profiles • MAC ACLs assigned to individual devices will override MAC ACLs inherited from a profile

MAC ACL Rule Elements • Each MAC ACL can contain up to 500 entries which support the following:

Wireless Client Denies • Each WLAN allows administrators to define a threshold for the number of denied packets that are permitted from a Wireless Client before the Wireless Client is mitigated: • Allows the WLAN system to automatically disassociate malicious users attempting to discover vulnerabilities or break through the firewall • After the defined number of Firewall denies / second is exceeded, the user will be dissociated

Roles

Introduction • Roles allow IP and MAC ACLs to be dynamically assigned to Wireless Clients based on one or more user defined match conditions that include: • Location – AP or Group of APs the Wireless Client is connected to • Authentication Type – The authentication method used • Encryption Type – The encryption type used • Group Membership – The local Group the Wireless Client is assigned obtained from AAA • Hotspot Authentication State – Hotspot Authentication State • MAC Address – MAC address (or range) of the Wireless Client(s) • SSID – The SSID the Wireless Client is associated to • Match conditions strings are flexible and support Any, Exact, Contains, Not Contains operators • When multiple Roles match, the Role with the lowest precedence is assigned to the Wireless Client • Requires an Advanced Security License on each Wireless Controller managing Access Points where Roles are being assigned to Wireless Clients

Elements Device Profile • Roles consist of the following elements: • Role Policy: Contains one or more user defined Roles which maybe assigned to Wireless Clients • Roles: One or more unique names that defines a role name, match conditions and the inbound / outbound IP/MAC ACLs to assign • Defaults: Defines default inbound and outbound IP/MAC ACLs to be assigned when no Roles have been defined, are matched or no Advanced Security License has been installed • One Role policy can be assigned per AP Role Policy Role Inbound MAC / IP ACL Outbound MAC / IP ACL Match Conditions

Assignments • Roles are assigned to Wireless Clients during association: • The Access Point evaluates the context of the Wireless Client against the defined Roles in the Role Profile and selects the appropriate role to assign • The Access Point applies the IP and MAC ACLs to the Wireless Client • Roles are re-evaluated if: • The Wireless Client roams to a different Access Point • The Wireless Client associates to a different SSID • IP flows are maintained during roaming as flow keys are migrated between Access Points: • Traffic flows are re-evaluated with no disruption to the ongoing traffic, if the ACLs assigned to the Role still permits the existing traffic • If the new Role is assigned that denies the traffic, existing flows will be deleted and packets will be dropped

Use Cases • Roles can be useful for multiple applications including: • NAP/NAC deployments when network permissions need to be dynamically changed based on the Wireless Clients NAP/NAC compliance state • Captive Portal applications when different classes of users share the same WLAN but each require a level of network permission levels (i.e. Guests vs. Contractors) • Corporate applications when network permissions needs to be dynamically changed based on the corporate users department or location • Wireless deployments that require a common set of default network permissions for un-identified Wireless Clients

Deployment Example • Role: Voice • Precedence = 1 • SSID (Exact) = Voice • Encryption (Exact) = CCMP • Auth (Exact) = None • IP ACL (in) = Voice • Role: Guests • Precedence = 1 • SSID (Exact) = Guest • Encryption (Exact) = None • Auth (Exact) = None • Hotspot-Auth = Post-Login • Group (Exact) = Guests • IP ACL (in) = Guests • Role: Sales • Precedence = 1 • SSID (Exact) = Corp • Encryption (Exact) = CCMP • Auth (Exact) = EAP • Group (Exact) = Sales • IP ACL (in) = Sales • Role: Marketing • Precedence = 1 • SSID (Exact) = Corp • Encryption (Exact) = CCMP • Auth (Exact) = EAP • Group (Exact) = Marketing • IP ACL (in) = Marketing • Role: Contractors • Precedence = 1 • SSID (Exact) = Guest • Encryption (Exact) = None • Auth (Exact) = None • Hotspot-Auth = Post-Login • Group (Exact) = Contractors • IP ACL (in) = Contractors • Role: Engineering • Precedence = 1 • SSID (Exact) = Corp • Encryption (Exact) = CCMP • Auth (Exact) = EAP • Group (Exact) = Engineering • IP ACL (in) = Engineering

ACL Assignments & Traffic Paths

ACL Assignments & Traffic Paths Roles Wireless Client Wireless Client Inbound Outbound Inbound Outbound WLANs Radio Radio Inbound Outbound Inbound Outbound WLAN 1 x MAC ACL 2 x MAC ACLs 2 x MAC ACLs 1 x MAC ACL 1 x MAC ACL 2 x MAC ACLs 1 x MAC ACL 1 x MAC ACL 1 x MAC ACL 2 x MAC ACLs 1 x MAC ACL 1 x MAC ACL WLAN 1 x IP ACL 1 x IP ACL 1 x IP ACL 2 x IP ACLs 1 x IP ACL 1 x IP ACL 1 x IP ACL 1 x IP ACL 2 x IP ACLs 2 x IP ACLs 2 x IP ACLs 1 x IP ACL Inbound Inbound Virtual IP Interfaces VLAN 1 192.168.1.1/24 VLAN 2 192.168.2.1/24 Inbound Inbound Physical Ports GE Ports GE Ports Inbound Inbound

Best Practices • Enable firewall services for any WLAN connected to a public network • Limit inbound traffic from a public network to approved hosts or services • Enable firewall services for WLANs and wired ports that transmit credit card payment data • Enable firewall services for hotspot WLANs and associated IP interfaces • Enable firewall services for WLANs that use weak encryption methods • When a device is directly connected to the Internet, deny unwanted inbound traffic on the uplinkor public IP interface

Considerations 1 Each Wireless Controller and Access Point is assigned to a default Firewall Policy which is enabled Dynamic ACL assignments requires an Advanced Security License to be installed on the Wireless Controller 2 Each IP and MAC ACL includes an implied deny and requires one or more permit rules for traffic to be permitted 3 All ARP traffic is considered un-trusted by default 4 All DHCP traffic is un-trusted by default except through physical ports Wireless Clients can be automatically disassociated if they exceed a specified number of firewall denies per second Before enabling storm controls an evaluation of network should be performed to obtain a baseline of Multicast, ARP and Unknown Unicast traffic 5 6 7

LAB: Firewall LAB 08: Create and apply IP ACLs Test and optimize ACLs Configure and test Role-Based Firewall

Identify the fundamental aspects of firewalls • Identify and describe the available Firewall Polices • Describe all aspects of Stateful Packet Inspection • Explain the use of Firewall Roles • Describe the use of ACL Assignments & Traffic Paths • Identify key considerations and best practices • Module Summary

Module 12

Module 12

Presentation Transcript

Module 12

Module 11 - 12

Module 12

Module 12

Module 12

Module 12

MODULE 12

Module 12

Module #12: Summations

Module 12

Module 12

Module 12

Module 12

MODULE 12

Module 12

Module 12

Module 12

Module 12

Module 12.

Module 12