PIX-ASA-Firewalls
ASA 5500 series adaptive security appliances
• Has replaced Cisco’s PIX firewalls since 2008
• Security services

     –application-aware firewall
     –SSL and IPsec VPN
     –IPS with global correlation and guaranteed coverage
     –web filtering services
T. A. Yang, Network Security
Cisco’s Firewall Service Module
     – a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers
     – provides the fastest firewall data rates in the industry
              • 5-Gbps throughput
              • 100,000 CPS (connections per second)
              • 1M concurrent connections
Firewall Modes
1. Routed mode
     – The device is a router hop in the network
     – Requires an IP address on each interface
     – The default mode
2. Transparent mode (aka stealth firewall)
     – The device operates in a secure bridging mode
     – The same subnet is on its inside and outside interfaces
     – A single IP address is assigned to the device as a whole, not one per interface
     – The appliance continues to perform stateful application-aware inspection and other firewall
     Benefits: hides its presence from attackers/intruders (there is no routed hop for them to discover), although the device's own address is still reachable on the bridged subnet
Stealth mode example

• Default gateway for PCs in VLAN 10 is (the upstream router).
Example 2
• Source:
• The default gateway of Host A is not the Internet router ( but the internal router (

• Scenario: an inside user visits an inside Web server. Host A ( sends the request packet to the Internet router (since it is the default gateway) through the ASA, from the inside to the outside. The packet is then redirected to the web server ( through the ASA (outside to inside) and the internal router.
Adaptive Security Algorithm (ASA)
• An algorithm that defines how traffic passing through the firewall is examined.
• Basic concepts:
      - Keep track of the connections being formed from the networks behind the PIX to the public network
      - Based on information about these connections, ASA allows packets to come back into the private network through the firewall.
      - All other traffic destined for the private network is blocked by the firewall (unless specifically permitted).
ASA Operations
• Three basic operations
     1. ACLs
     2. Connections: the xlate (address translation) and conn (connection state) tables
     3. Inspection engines (per RFC standards)

• Figure 6-5: a scenario where an external host requested a connection to an internal server
• ASA defines how the state and other information is used to track the sessions passing through the PIX.
• ASA keeps track of the following information:
     – Source and destination information of IP packets
     – TCP sequence numbers and TCP flags
     – UDP packet flow and timers
ASA and TCP
• TCP is connection-oriented and provides most of the information the firewall needs.
• The firewall keeps track of each session being formed, utilized, and terminated.
• ASA only allows packets conforming to the state of a session to go through. All other packets are dropped.

• However, TCP has inherent weaknesses that require ASA to perform additional work managing the sessions, e.g., SYN floods and session hijacking.
ASA and TCP (cont.)
• SYN flooding
     – “The SYN flood attack sends TCP connection requests faster than a machine can process them” (Internet Security Systems,

     – Illustration: next
SYN Flood
• A: the initiator; B: the destination
• TCP connection setup is multi-step (the three-way handshake)
     – A: SYN to initiate
     – B: SYN+ACK to respond
     – A: ACK completes the handshake

• Sequence numbers are then incremented for future messages
     – Ensures message order
     – Retransmit if lost
     – Verifies that the party really initiated the connection (the final ACK must echo B's sequence number)
SYN Flood (cont.)
• Implementation:
   A: the attacker; B: the victim
     – B receives the SYN
     – B allocates a connection (a half-open entry in its backlog)
     – B acknowledges (SYN+ACK)
     – B waits for the final ACK
• See the problem?
     – What if no response ever comes?
     – And many SYNs keep arriving?
• All space for connections is consumed
     – None left for legitimate ones
ASA vs SYN Flood
• (Beginning in version 5.2 and later)
     – When the number of incomplete connections through the PIX reaches a pre-configured limit (the limit on embryonic connections), ASA turns the PIX into a proxy for connection attempts (SYNs) to servers or other resources sitting behind it.
           • The PIX responds to SYN requests with SYN+ACKs and continues proxying the connection until the three-way TCP handshake is complete.
           • Only when the three-way handshake is complete does the PIX allow the connection through to the server or resource on the private or DMZ network.
     – Benefit: limits the exposure of the servers behind the PIX to SYN floods
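The embryonic-connection limit described above, as an added simulation written for this page (not Cisco's implementation): a server with a fixed half-open table is flooded with SYNs that are never acknowledged, first directly and then behind a firewall that proxies the handshake once the limit is reached. The `Server` and `Firewall` classes, the backlog of 100, the limit of 50 and the addresses are assumptions; the sequence-number translation between the client-side and server-side handshakes that a real TCP intercept must perform is left out.

```python
"""Simulation of the PIX embryonic-connection limit (SYN proxying).
Added illustration only, not Cisco's implementation; table sizes,
limits and addresses are assumptions."""
import random


class Server:
    """TCP listener with a fixed-size half-open (SYN_RCVD) table."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}       # flow -> server ISN, awaiting the final ACK
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, flow):
        if flow not in self.half_open and len(self.half_open) >= self.backlog:
            self.dropped_syns += 1          # table exhausted: the SYN is lost
            return None
        self.half_open[flow] = random.getrandbits(32)
        return self.half_open[flow]         # SYN+ACK goes back to the client

    def on_ack(self, flow):
        if flow not in self.half_open:
            return False
        del self.half_open[flow]
        self.established.add(flow)
        return True


class Firewall:
    """Passes SYNs to the server while fewer than `embryonic_limit` of them
    are still incomplete, then answers further SYNs itself and only opens
    the server-side connection once the client's ACK proves it is real."""

    def __init__(self, server, embryonic_limit):
        self.server = server
        self.limit = embryonic_limit
        self.embryonic = set()    # SYNs forwarded to the server, not yet completed
        self.proxied = {}         # flows the firewall is answering on the server's behalf

    def on_syn(self, flow):
        if len(self.embryonic) < self.limit:
            if self.server.on_syn(flow) is not None:
                self.embryonic.add(flow)
            return
        # Limit reached: reply SYN+ACK from the firewall; the server sees nothing.
        self.proxied[flow] = random.getrandbits(32)

    def on_ack(self, flow):
        if flow in self.embryonic:
            self.embryonic.discard(flow)
            return self.server.on_ack(flow)
        if flow in self.proxied:
            del self.proxied[flow]
            # Handshake completed with the client: now do it with the server.
            if self.server.on_syn(flow) is None:
                return False
            return self.server.on_ack(flow)
        return False               # ACK for an unknown flow: dropped


def syn_flood(target, count):
    """Constructed attack: `count` SYNs from spoofed sources, no final ACKs."""
    for i in range(count):
        target.on_syn((f"203.0.113.{i % 254 + 1}", 1024 + i))


def legit_connect(target, flow=("10.1.1.5", 40000)):
    """A real client that completes the three-way handshake."""
    target.on_syn(flow)
    return target.on_ack(flow)


def run(embryonic_limit=None, attack_syns=500, backlog=100):
    """Flood the server, then try one legitimate connection.
    Returns (legit_succeeded, server_half_open, server_established)."""
    server = Server(backlog)
    target = server if embryonic_limit is None else Firewall(server, embryonic_limit)
    syn_flood(target, attack_syns)
    ok = legit_connect(target)
    return ok, len(server.half_open), len(server.established)


if __name__ == "__main__":
    print("no firewall:       ", run())                     # (False, 100, 0)
    print("embryonic limit 50:", run(embryonic_limit=50))   # (True, 50, 1)
```

Without the proxy the 500 unanswered SYNs fill the server's backlog and the legitimate client's SYN is dropped; with the limit in place the server never holds more than 50 half-open entries and the real client, which does answer the SYN+ACK, gets through. Note that the firewall's own `proxied` table now absorbs the flood, so on a real device the proxied entries must be aged out by the embryonic timeout, otherwise the firewall simply becomes the resource that is exhausted. On PIX 6.x the limit is the emb_limit argument of the static/nat commands; on 7.0 and later it is `set connection embryonic-conn-max` in a policy-map.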
PIX: Basic Features

• ASA’s stateful inspection of traffic
• Assigning varying security levels to interfaces
• ACLs
• Extensive logging
• Basic routing capability (including RIP)
• Failover and redundancy
• Traffic authentication
PIX: Basic Features
                   - ASA’s stateful inspection of traffic

• PIX uses a basic set of rules to control traffic flow:
     – No packets can traverse the PIX without a translation, connection, and state.
     – Outbound connections are allowed, except those specifically denied by ACLs.
     – Inbound connections are denied, except for those specifically allowed.
     – All ICMP packets are denied unless specifically permitted.
     – All attempts to circumvent the rules are dropped, and a message is sent to syslog.

• To tighten or relax some of these default rules: next few slides
PIX: Basic Features
                   - Assigning varying security levels to interfaces

• PIX allows varying security levels to be assigned to its interfaces, creating so-called security zones.
• A PIX may have 2 to 10 interfaces.
• Each interface can be assigned a level from 0 (least secure, usually the Internet) to 100 (most secure, usually the internal private network).
• Default rules:
     o Traffic from a higher security zone can enter a lower security zone. PIX keeps track of the connections for this traffic and allows the return traffic through.
     o Traffic from a lower security zone is not allowed to enter a higher security zone, unless explicitly permitted (such as by ACLs).
PIX: Basic Features
                   - ACLs

• Mainly used to allow traffic from a less-secure portion of the network to enter a more-secure portion of the network.
• Information used in ACLs:
     – Source address
     – Destination address
     – Protocol numbers
     – Port numbers
• Examples:
     – To allow connections from the public network to web or mail servers sitting on the DMZ of the PIX
     – To allow a machine on a DMZ network to access the private network behind the DMZ
• Use of ACLs must be governed by the network security policy
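The default traffic rules (no packet without a connection and state; outbound allowed unless denied; inbound denied unless permitted; ICMP denied unless permitted), the security-level rules and the ACL exceptions from the last three slides can be read as one decision procedure. The following Python model is an added example written for this page, not Cisco code; the interface names and security levels, the `Packet` and `Firewall` classes, the ACL tuple layout and the sample addresses are assumptions.

```python
"""Model of the PIX/ASA default traffic rules (security levels + conn
table + ACLs).  Added illustration, not Cisco code; interface names,
levels, the ACL tuple layout and all addresses are assumptions."""
from dataclasses import dataclass, field

# Assumed security levels: 0 = least trusted, 100 = most trusted.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrived on
    egress: str         # interface the destination is behind
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Firewall:
    # ACL entries: (action, ingress, proto, dst, dport); first match wins.
    # dst "any", proto "ip" and dport 0 are wildcards.  (Assumed layout.)
    acl: list = field(default_factory=list)
    conns: set = field(default_factory=set)   # tracked 5-tuples (the conn table)
    syslog: list = field(default_factory=list)

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _acl_action(self, p):
        for action, ingress, proto, dst, dport in self.acl:
            if (ingress == p.ingress and proto in (p.proto, "ip")
                    and dst in (p.dst, "any") and dport in (p.dport, 0)):
                return action
        return None

    def _drop(self, p, why):
        # "All attempts to circumvent the rules are dropped, and a message is sent to syslog."
        self.syslog.append(
            f"deny {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} on {p.ingress}: {why}")
        return "drop"

    def decide(self, p):
        # 1. Packets of a tracked connection pass in either direction: this is
        #    how return traffic for an outbound connection gets back in.
        if self._flow(p) in self.conns or self._reverse(p) in self.conns:
            return "allow"
        action = self._acl_action(p)
        # 2. ICMP is denied unless an ACL permits it (no conn entry is created).
        if p.proto == "icmp":
            return "allow" if action == "permit" else self._drop(p, "icmp not permitted")
        # 3. An explicit ACL deny wins, even for higher -> lower traffic.
        if action == "deny":
            return self._drop(p, "denied by acl")
        outbound = SECURITY_LEVEL[p.ingress] > SECURITY_LEVEL[p.egress]
        # 4. Higher -> lower is allowed by default; lower -> higher only with an
        #    ACL permit.  Either way a conn entry is created so replies can return.
        if outbound or action == "permit":
            self.conns.add(self._flow(p))
            return "allow"
        return self._drop(p, "lower to higher security level without acl permit")


def demo():
    """Walk the rules with constructed packets; returns (decisions, syslog)."""
    fw = Firewall(acl=[
        ("deny", "inside", "tcp", "any", 23),            # no outbound telnet
        ("permit", "outside", "tcp", "192.0.2.10", 80),  # Internet -> DMZ web server
    ])
    packets = [
        Packet("inside", "outside", "tcp", "10.1.1.5", "198.51.100.7", 40000, 80),  # outbound web
        Packet("outside", "inside", "tcp", "198.51.100.7", "10.1.1.5", 80, 40000),  # its reply
        Packet("outside", "inside", "tcp", "198.51.100.9", "10.1.1.5", 5555, 22),   # unsolicited inbound
        Packet("outside", "dmz", "tcp", "198.51.100.9", "192.0.2.10", 5555, 80),    # inbound, ACL-permitted
        Packet("outside", "dmz", "icmp", "198.51.100.9", "192.0.2.10"),             # ping the DMZ
        Packet("inside", "outside", "tcp", "10.1.1.5", "198.51.100.7", 40001, 23),  # outbound telnet
    ]
    return [fw.decide(p) for p in packets], fw.syslog


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)          # ['allow', 'allow', 'drop', 'allow', 'drop', 'drop']
    print("\n".join(log))
```

Two caveats when mapping this back to a real ASA: once an access-group is applied to an interface, that ACL's implicit deny replaces the level-based default for traffic entering that interface, so "outbound allowed unless denied" only describes interfaces with no ACL applied; and the "no packet without a translation" rule refers to the xlate (NAT) table, which the model leaves out.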

PIX: Basic Features
                   - Failover and redundancy

• The failover capability allows a standby PIX to take over the functionality of the primary PIX as soon as it fails.
• Stateful failover: the connection information stored on the failing PIX is transferred to the PIX taking over.
• The standby PIX assumes the IP and MAC addresses of the failed PIX.
• Terminology related to failover (figure: two units labelled Primary/Secondary and Active/Standby):
     – Active unit vs Standby unit
     – Primary unit vs Secondary unit
       Question: what are the relationships between active/standby and primary/secondary?
     – System IP vs Failover IP
          – System IP: the address of the primary unit upon bootup
          – Failover IP: that of the secondary unit
PIX: Basic Features
                   - Failover and redundancy (cont.)

• How does failover work?
     – A failover cable (RS-232 serial) connects the primary unit and the secondary unit, allowing the secondary unit to detect the primary unit’s power status and carrying failover communication between them. (The ASA 5500 series uses a LAN-based failover link instead of the serial cable.)
     – (In the case of stateful failover) the state information is transferred via an Ethernet cable connecting the primary unit and the secondary unit.
     – Every 15 seconds, special failover hello packets are exchanged between the two units for synchronization.
     – Requirements: the hardware, software, and configurations on the two PIXes must be identical.
PIX: Basic Features
                   - Failover and redundancy (cont.)

• Limitations of Cisco PIX failover?
     – Some information is not replicated between the two units:
          • User authentication table
          • ISAKMP and IPsec SA table
          • ARP table
          • Routing information
     – The secondary unit must rebuild this information to perform the functions of the failed unit.
PIX: Basic Features
                   - Traffic authentication

• Traffic authentication on PIX:
     – Cut-through proxy authentication
          • Only when the authentication that occurs during the establishment of a given connection succeeds does the PIX allow the data flow to be established through it.
          • A successfully authenticated connection is entered into the ASA state table as a valid connection.
          • As soon as an authenticated connection is established, PIX lets the rest of the packets belonging to that connection go through without further authentication.
     – PIX supports both TACACS+ and RADIUS as the AAA protocols
ASA and TCP: TCP session hijacking attack
• Problem with the ISN: the initial sequence number (ISN) of TCP is not really random!
  => possible TCP session hijacking attack
  Case study: Kevin Mitnick’s attack on Tsutomu Shimomura’s computers in 1994-1995
  Six steps:
  1. An initial reconnaissance attack: gather information about the victim
  2. A SYN flood attack: disable the login server (a DoS attack) so that the trusted host cannot respond
  3. A reconnaissance attack: determine how one of the X terminals generated its TCP sequence numbers
  4. Spoof the server’s identity and establish a session with the X terminal (using the sequence number the X terminal must have sent); result: a one-way connection to the X terminal
  5. Modify the X terminal’s .rhosts file to trust every host
  6. Gain root access to the X terminal
TCP session hijacking attack (cont.)

ASA’s solution: “proxy” the sequence number in an outgoing packet
  a. Create a new, more random sequence number;
  b. Use the new number as the sequence number in the outgoing packet, and store the difference between the new and the original number;
  c. When return traffic for that packet is received, ASA restores the sequence number (by applying the stored difference to the acknowledgment number) before forwarding the packet to the destination on the inside network.
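Steps a-c above, as an added Python model written for this page (not Cisco code). An inside host with a predictable ISN (a fixed increment per connection, the kind of behaviour step 3 of the Mitnick attack relied on) opens connections through a randomizer that rewrites the ISN on the way out, keeps the per-flow difference, and applies it in reverse to the acknowledgments coming back. The `PredictableHost` and `SeqRandomizer` classes, the step of 64000 and the addresses are assumptions.

```python
"""Model of ASA TCP initial-sequence-number randomization.  Added
illustration, not Cisco code; the predictable-ISN host, the step size
and the flow identifiers are assumptions."""
import random

MOD = 1 << 32          # TCP sequence numbers are 32-bit and wrap


class PredictableHost:
    """Inside host whose ISN advances by a fixed step per connection, so an
    observer who sees one ISN can guess the next (the weakness behind the
    Mitnick/Shimomura attack)."""

    def __init__(self, start=1_000_000, step=64_000):
        self.next_isn = start
        self.step = step

    def new_connection(self):
        isn = self.next_isn
        self.next_isn = (self.next_isn + self.step) % MOD
        return isn


class SeqRandomizer:
    """The firewall side: shift outgoing sequence numbers by a per-flow
    random offset and undo it on the acknowledgments that come back."""

    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()   # seedable rng only for the demo
        self.delta = {}          # flow -> (wire_seq - inside_seq) mod 2^32

    def outbound(self, flow, seq, syn=False):
        """Inside -> outside.  On the SYN pick a fresh random ISN and store the
        difference; every later segment of the flow is shifted by the same amount."""
        if syn:
            self.delta[flow] = (self.rng.getrandbits(32) - seq) % MOD
        return (seq + self.delta[flow]) % MOD

    def inbound_ack(self, flow, ack):
        """Outside -> inside.  The peer acknowledges the randomized numbers, so
        subtract the offset before the inside host sees the packet."""
        return (ack - self.delta[flow]) % MOD


def demo(rng=None, connections=3):
    """Open several connections from the predictable host through the randomizer.
    Returns (inside_isn, wire_isn, ack_as_delivered_to_host) per connection."""
    host = PredictableHost()
    fw = SeqRandomizer(rng)
    out = []
    for i in range(connections):
        flow = ("10.1.1.5", 40000 + i, "198.51.100.7", 80)     # constructed flow
        isn = host.new_connection()
        wire_isn = fw.outbound(flow, isn, syn=True)
        # The server's SYN+ACK acknowledges wire_isn + 1; the firewall maps it
        # back so the host sees isn + 1, exactly what it expects.
        delivered = fw.inbound_ack(flow, (wire_isn + 1) % MOD)
        # A later data segment from the host is shifted by the same offset.
        assert fw.outbound(flow, (isn + 1) % MOD) == (wire_isn + 1) % MOD
        out.append((isn, wire_isn, delivered))
    return out


if __name__ == "__main__":
    for isn, wire, ack in demo(random.Random(7)):
        print(f"inside ISN {isn:>10}  on the wire {wire:>10}  host receives ACK {ack:>10}")
```

The inside ISNs still march up by 64000, but an attacker on the outside only ever sees the randomized values, which say nothing about the next one. The offset is per-flow state that lives alongside the conn entry, and any TCP option that carries sequence numbers (SACK blocks, for instance) has to be shifted by the same offset or the two ends will disagree.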

                  Source: Malik, Network Security Principles and Practices, 2003.


Security Contexts
• Software version 7.0 and up
• Multiple security contexts (aka virtual firewalls) can be created within a single PIX or ASA firewall.
• Each virtual firewall is an independent device
     – Has its own set of security policies, logical interfaces, and admin
• Interfaces can be shared between contexts (routed mode only)

• Limitations:
     – Features such as VPN and dynamic routing protocols are not supported in multiple-context mode
Security Contexts: two modes
• Routed Mode
     – Figure 6-6
     – A physical firewall is configured with three contexts (Admin, Dept 1, Dept 2).
     – Each virtual firewall has one Inside, one Outside, and one Shared interface.
     – Each context has its own private segment.
     – Resources to be shared among the three contexts are placed in the Shared segment, accessible through a shared interface.

• Transparent Mode
     – Each context is in the transparent mode.
     – A transparent firewall has only one Inside and one Outside
       interfaces, both of which belong to the same subnet.
     – Transparent mode does not allow shared interfaces (unlike the
       routed mode).

     – Example: Figure 6-7
