CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] - Text version

Greg Bastien; Earl Carter; Christian Degu







Foundation Topics



    Firewall Technologies


    To understand the different firewall technologies, you first need to have a good understanding of the Open System Interconnection (OSI) reference model. The seven-layer OSI reference model is the standard for network communication and is the foundation upon which each firewall technology was built. The lower four layers of the OSI reference model are generally considered to be the layers that deal with networking, whereas the upper three layers deal more with application functions.

    Firewalls are the primary components required to perform network perimeter security. The function of a firewall is to permit or to deny traffic that attempts to pass through it, based on specific predefined rules. All firewalls perform the function of examining network traffic and directing that traffic based on the rule set; however, the methods that the various firewalls use may differ. The following are the three different types of firewall technologies, each of which is discussed in more detail in the following sections:

    • Packet filtering

    • Proxy

    • Stateful inspection


    Packet Filtering


    Packet-filtering firewalls are the oldest and most commonly used firewall technologies. A packet-filtering firewall simply inspects incoming traffic for items that occur at the network and transport layers of the OSI reference model. The packet-filtering firewall analyzes IP packets and compares them to a set of established rules called an access control list (ACL). Packet filtering inspects the packet for only the following elements:

    • Source IP address

    • Source port

    • Destination IP address

    • Destination port

    • Protocol (listed by name or IP protocol number)


    Note

    In addition to the elements just listed, some packet-filtering firewalls check for header information to determine if the packet is from a new connection or an existing connection.

    Figure 2-1 depicts how traffic passes through a packet-filtering firewall from the source to the destination as compared to the OSI reference model. Traffic is depicted as passing between the network and transport layers because some network layer items are checked (source and destination addresses) and some transport layer items are checked (the transport protocol, such as TCP or UDP). The items listed in the previous paragraph are verified against the ACL (rule set) to determine if the packets are permitted or denied.


    Figure 2-1. Packet-Filtering Firewall

    The advantage to using packet filters is that they tend to be very fast because they do not concern themselves with upper-layer data. Some of the disadvantages of packet filtering are as follows:

    • ACLs may be very complex and difficult to manage.

    • A packet-filtering firewall may be tricked into permitting access to an unauthorized user who is falsely representing himself (spoofing) with an IP address that is authorized by the ACL.

    • Many new applications (such as multimedia applications) create multiple connections on random ports with no way to determine which ports will be used until the connection is established. Because access lists are manually configured, it is very difficult to provide support for these applications without reducing the security of the device.


    Packet filtering is a feature that is commonly used on routers. Chapter 7, "Configuring Access," discusses ACLs as applied to the Cisco PIX Firewall in greater detail.

    Proxy


    New Webster's Dictionary of the English Language defines proxy as "the agency of a person who acts as a substitute for another person; authority to act for another." Although this definition does not define a proxy firewall, the function is very similar.

    A proxy firewall, commonly called a proxy server, acts on behalf of hosts on the protected network segments. The protected hosts never actually make any connections with the outside world. Hosts on the protected network send their requests to the proxy server, where they are compared to the rulebase. If the request matches a rule within the rulebase and is allowed, the proxy server sends a request on behalf of the requesting host to the external host and forwards the reply to the requesting host.

    Proxies run at the upper layers of the OSI reference model. Once again, the connections are established between the network and transport layers; however, the application proxy then examines the request at the upper layers while verifying the request against the rule set. If the traffic meets the requirements of the upper-layer inspection and is verified against the rule set, the proxy firewall creates a new connection to the destination.

    Figure 2-2 depicts, using the OSI reference model, how traffic passes through a proxy firewall from the source to the destination.


    Figure 2-2. Proxy Firewall

    Most proxy firewalls are designed to cache commonly used information to expedite the response time to the requesting host. Application proxies tend to be very secure because the packets are inspected at all layers, but performance can suffer for the same reason. The processing workload required to perform proxy services is significant and increases with the number of requesting hosts.

    Large networks usually implement several proxy servers, to avoid problems with throughput. The number of applications that a requesting host can access via a proxy is limited. By design, proxy firewalls support only specific applications and protocols. The major disadvantage of proxy servers is that they are applications that run on top of operating systems. A device can be only as secure as the operating system it is running on. If the operating system is compromised, the unauthorized user may be able to take control of the proxy firewall and gain access to the entire protected network.

    Stateful Inspection


    Stateful inspection, also called stateful packet filtering, provides the best combination of security and performance because connections are not only checked against an ACL but also recorded in a small database known as the state table. After a connection is established, all session data is compared to the state table. If the session data does not match the state table information for that connection, the connection is dropped.

    Figure 2-3 depicts, using the OSI reference model, how traffic passes through a stateful inspection firewall from the source to the destination. Note that the traffic enters between the network and transport layers, and is verified against the state table and the rule set, while basic protocol compliance is checked at the upper layers.


    Figure 2-3. Stateful Inspection Firewall

    Chapter 3, "Cisco PIX Firewall," covers stateful inspection in further detail.

    Stateful packet filtering is the method that is used by the Cisco PIX Firewall.
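The following is an added example, not code from the book or from the Cisco PIX Firewall, that models the two filter types described in the preceding sections: a stateless packet filter that compares only source/destination address, port and protocol against an ACL, and a stateful filter that additionally records each permitted connection in a state table and drops packets whose session data matches no entry. The `Packet`, `Rule` and `StatefulFirewall` names and the addresses (RFC 5737 documentation ranges) are constructed for the illustration; the ACL rule form is a simplification of PIX syntax, not the real one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers, so a rule may name a protocol or give its number
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int            # IP protocol number
    syn: bool = False     # TCP SYN flag: a request to open a connection
    ack: bool = False     # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp", "ip" (any) or a protocol number
    src: str = "any"                # IPv4 address or prefix, or "any"
    dst: str = "any"
    dst_port: Optional[int] = None  # None matches every port


def _proto_number(spec: str) -> Optional[int]:
    if spec == "ip":
        return None
    return PROTO_NUMBERS[spec] if spec in PROTO_NUMBERS else int(spec)


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Compare only the header fields a packet filter inspects."""
    wanted = _proto_number(rule.proto)
    return ((wanted is None or wanted == pkt.proto)
            and _addr_matches(rule.src, pkt.src_ip)
            and _addr_matches(rule.dst, pkt.dst_ip)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def acl_decision(acl: list, pkt: Packet) -> str:
    """Stateless packet filter: first matching rule wins, implicit deny at the end."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """The ACL decides only whether a new connection may open; afterwards the
    state table decides, and packets matching no session entry are dropped."""

    def __init__(self, acl: list):
        self.acl = acl
        self.state = set()  # 5-tuples of connections, seen from the initiator's side

    @staticmethod
    def _key(p: Packet):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def process(self, pkt: Packet) -> str:
        is_tcp_open = pkt.proto == 6 and pkt.syn and not pkt.ack
        if self._key(pkt) in self.state or self._reverse_key(pkt) in self.state:
            # Session data must agree with the table: a fresh SYN inside an
            # established flow does not, so that packet is dropped.
            return "deny" if is_tcp_open else "permit"
        if pkt.proto == 6 and not is_tcp_open:
            return "deny"  # TCP segment that belongs to no known session
        if acl_decision(self.acl, pkt) == "permit":
            self.state.add(self._key(pkt))  # log the new connection
            return "permit"
        return "deny"


def compare_filters():
    """Run the same constructed packets through both filter types."""
    outbound_acl = [Rule("permit", "tcp", "10.1.1.0/24", "any", 80),
                    Rule("permit", "udp", "10.1.1.0/24", "any", 53)]
    # A stateless filter must also admit return traffic, which opens a wide hole
    stateless_acl = outbound_acl + [Rule("permit", "tcp", "any", "10.1.1.0/24")]
    request = Packet("10.1.1.10", 40123, "198.51.100.5", 80, 6, syn=True)
    reply = Packet("198.51.100.5", 80, "10.1.1.10", 40123, 6, syn=True, ack=True)
    unsolicited = Packet("203.0.113.9", 4444, "10.1.1.10", 3389, 6, ack=True)
    samples = [("request", request), ("reply", reply), ("unsolicited", unsolicited)]
    stateless = {name: acl_decision(stateless_acl, p) for name, p in samples}
    fw = StatefulFirewall(outbound_acl)
    stateful = {name: fw.process(p) for name, p in samples}
    return stateless, stateful
```

`compare_filters()` shows the trade-off from the packet-filtering section: the stateless ACL needs a broad "permit tcp any 10.1.1.0/24" rule before the web server's reply can return, and that same rule also admits an unsolicited inbound segment to port 3389, while the stateful filter permits the reply because it matches the recorded connection and drops the unsolicited segment because it matches nothing in the state table.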


    Cisco PIX Firewall


    Four major characteristics of the Cisco Secure PIX Firewall design make it a leading-edge, high-performance security solution:

    • Secure real-time embedded system

    • Adaptive Security Algorithm

    • Cut-through proxy

    • Redundancy


    Secure Real-Time Embedded System


    Unlike most firewalls, the Cisco PIX Firewall runs on a single, proprietary, embedded system. Whereas most firewalls run a firewall application over a general-purpose operating system, the PIX Firewall has a single system that is responsible for operating the device. This single system is beneficial for the following reasons:

    • Better security: The PIX Firewall operating environment is a single system that was designed with functionality and security in mind. Because there is no separation between the operating system and the firewall application, there are no known vulnerabilities to exploit.

    • Better functionality: The combined operating environment requires fewer steps when you configure the system. For example, if multiple IP addresses are bound to the external interface of an application firewall that runs over a general operating system, you must configure the networking portions (that is, Address Resolution Protocol [Proxy ARP] entries and routing) on the operating system and then apply the ACLs or rules in the firewall application. On the Cisco PIX Firewall, all these functions are combined into a single system. As soon as an IP address is bound to an interface, the PIX Firewall automatically replies to ARP requests for that address without it having to be specifically configured.

    • Better performance: Because the operating environment is a single unit, it allows for streamlined processing and much greater performance. The Cisco PIX 535 Firewall can handle 500,000 concurrent connections while maintaining stateful inspection of all connections.


    Adaptive Security Algorithm


    The Adaptive Security Algorithm (ASA) is the key to stateful connection control on the Cisco PIX Firewall. The ASA creates a stateful session flow table (also called the state table). Source and destination addresses and other connection information are logged in the state table. By using the ASA, the Cisco PIX Firewall can perform stateful filtering on the connections in addition to filtering packets. Additionally, the ASA randomizes the TCP sequence numbers of outbound traffic, so that a forged packet posing as the response to an outbound request is unlikely to succeed.
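The sequence-number randomization mentioned in the preceding paragraph, as an added illustration that is not the book's or Cisco's code: a hypothetical `SequenceRandomizer` adds a per-connection random offset to outbound TCP sequence numbers and strips it from the acknowledgements coming back, the way a firewall sitting between an inside host and the outside would. The scenario in `simulate` is constructed: the inside host is assumed to choose a predictable initial sequence number, and the "forged" reply is built from that predictable value without having seen the outbound SYN; the addresses are from the RFC 5737 documentation ranges.

```python
import secrets

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


class SequenceRandomizer:
    """Models a firewall rewriting outbound TCP sequence numbers with a
    per-connection random offset and mapping the peer's ACKs back
    (hypothetical class, not PIX code)."""

    def __init__(self, rng=secrets.randbelow):
        self._offsets = {}  # connection 4-tuple -> random offset
        self._rng = rng

    def outbound_seq(self, conn, seq):
        if conn not in self._offsets:  # first segment of a new connection
            self._offsets[conn] = self._rng(MOD)
        return (seq + self._offsets[conn]) % MOD

    def inbound_ack(self, conn, ack):
        # Remove the offset so the inside host sees acknowledgements of its own numbers
        return (ack - self._offsets[conn]) % MOD


def simulate(randomize, rng=secrets.randbelow):
    """Return (legitimate reply accepted, forged reply accepted).

    Constructed scenario: the inside host uses a predictable ISN; the
    legitimate peer acknowledges what it saw on the wire, while the forged
    reply only knows the host's predictable value."""
    host_isn = 128_000                          # constructed, predictable ISN
    conn = ("10.1.1.10", 40123, "198.51.100.5", 80)
    fw = SequenceRandomizer(rng)
    wire_seq = fw.outbound_seq(conn, host_isn) if randomize else host_isn
    legit_ack = (wire_seq + 1) % MOD            # real peer: ACK = seq seen on wire + 1
    forged_ack = (host_isn + 1) % MOD           # guessed from the predictable ISN

    def host_accepts(ack_on_wire):
        ack = fw.inbound_ack(conn, ack_on_wire) if randomize else ack_on_wire
        return ack == (host_isn + 1) % MOD      # SYN-ACK must acknowledge ISN + 1

    return host_accepts(legit_ack), host_accepts(forged_ack)
```

Without randomization both replies are accepted, because acknowledging the predictable ISN is all that is required; with the firewall's offset in place the legitimate reply still maps back correctly while the forged one is off by the offset, which the forger never observed. The `rng` parameter exists only so that a test can pin the offset; in use the default `secrets.randbelow` supplies it.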

    Cut-Through Proxy


    Cut-through proxy is a method of transparently performing authentication and authorization of inbound and outbound connections at the firewall. Cut-through proxy requires very little overhead because it occurs as the session is being established and provides a significant performance advantage over application proxy firewalls. Cut-through proxy is discussed in greater detail in Chapter 3.

    Redundancy


    Chapter 10, "Cisco PIX Firewall Failover."

