1 / 8

IOS Firewall

IOS Firewall. IOS: Cisco’s Internetwork Operating System (the primary system running on Cisco’s routers) IOS Firewall: a stateful packet-filter firewall that runs on a router, providing firewall capabilities

vea
Télécharger la présentation

IOS Firewall

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IOS Firewall • IOS: Cisco’s Internetwork Operating System (the primary system running on Cisco’s routers) • IOS Firewall: a stateful packet-filter firewall that runs on a router, providing firewall capabilities • CBAC: Context-Based Access Control (at the core of the IOS Firewall functionality

  2. Outline • CBAC • IOS Firewall Features • Case studies http://sce.uhcl.edu/yang/teaching/.../IOS Firewalls.ppt

  3. CBAC (Context-Based Access Control) • Implement packet filtering on a Cisco router (similar to ASA on Cisco PIX) • Three basic functionalities: • Dynamic modification of the extended access lists • To allow connections initiated from the inside • Inspection of the application/transport level protocols ~= multimedia support in PIX • Control of the number/length of sessions http://sce.uhcl.edu/yang/teaching/.../IOS Firewalls.ppt

  4. CBAC Functionality • Set up Access Control Lists to open holes for inbound access to inside servers • Set up the router to inspect outbound packets, and • Keep track of the associated sessions  i.e., a stateful packet filter http://sce.uhcl.edu/yang/teaching/.../IOS Firewalls.ppt

  5. How does IOS maintain session state information? • State Information Structure (SIS) • A SIS is created for each logical session. • The SIS uniquely identifies a connection using the IP and the port#). • When necessary, other info such as TCP connection state, TCP sequence number, etc. are also maintained. • The SIS is deleted when the associated session/connection is terminated. http://sce.uhcl.edu/yang/teaching/.../IOS Firewalls.ppt

  6. Other CBAC functionality • Out-of-sequence TCP packets are dropped. • TCP packets with invalid sequence numbers are dropped. • The reassembly of IP packets is not supported (as in PIX firewall). • Does not inspect packets originated by the IOS Firewall router. • ICMP packets are not inspected. (They are manually managed using static ACLs). • ICMP unreachable packets are ignored. • To protect against a flooding attack or unusual consumption of memory due to a large number of SISs: • when the number of SISs in the half-open state reaches a threshold, half-open SISs are deleted to accommodate a new session. • If the rate of new TCP connection requests is higher than a maximum value, half-open SISs are deleted for every new connection request. http://sce.uhcl.edu/yang/teaching/.../IOS Firewalls.ppt

  7. Features of IOS Firewall • Transport Layer Inspection • Application Layer Inspection • Filtering for Invalid Commands • Java Blocking • Safeguarding against DOS attacks • Fragment handling http://sce.uhcl.edu/yang/teaching/.../IOS Firewalls.ppt

  8. Case Study • CBAC on a router configured with NAT http://sce.uhcl.edu/yang/teaching/.../IOS Firewalls.ppt

More Related