IOS Firewalls

IOS Firewall

• IOS: Cisco’s Internetwork Operating System (the primary system running on Cisco’s routers)
• IOS Firewall: a stateful packet-filter firewall that runs on a router, providing firewall capabilities
• CBAC: Context-Based Access Control (at the core of the IOS Firewall functionality)
Outline

• CBAC
• IOS Firewall Features
• Case studies

http://sce.uhcl.edu/yang/teaching/ 2
.../IOS Firewalls.ppt
CBAC
(Context-Based Access Control)
• Implements packet filtering on a Cisco router (similar to ASA on Cisco PIX)
• Three basic functionalities:
  1. Dynamic modification of the extended access lists
     – to allow connections initiated from the inside
  2. Inspection of the application/transport level protocols
     – roughly equivalent to the multimedia support in PIX
  3. Control of the number/length of sessions

CBAC Functionality

1. Set up Access Control Lists to open holes for inbound access to inside servers
2. Set up the router to inspect outbound packets, and
3. Keep track of the associated sessions, i.e., a stateful packet filter

How does IOS maintain session state information?
• State Information Structure (SIS)
  – A SIS is created for each logical session.
  – The SIS uniquely identifies a connection using the IP addresses and port numbers.
  – When necessary, other information such as the TCP connection state and TCP sequence numbers is also maintained.
  – The SIS is deleted when the associated session/connection is terminated.

Other CBAC functionality
• Out-of-sequence TCP packets are dropped.
• TCP packets with invalid sequence numbers are dropped.
• The reassembly of IP packets is not supported (as in the PIX firewall).
• Packets originated by the IOS Firewall router itself are not inspected.
• ICMP packets are not inspected (they are managed manually using static ACLs).
• ICMP unreachable packets are ignored.
• To protect against a flooding attack or unusual consumption of memory due to a large number of SISs:
  – when the number of SISs in the half-open state reaches a threshold, half-open SISs are deleted to accommodate a new session;
  – if the rate of new TCP connection requests is higher than a maximum value, half-open SISs are deleted for every new connection request.
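Added example, not taken from the slides: an IOS configuration that puts the three CBAC functions together on a NAT router, using constructed addresses (10.1.1.0/24 inside, 203.0.113.0/24 outside), an assumed inspection-rule name "CBAC", and the half-open thresholds set to the IOS default values as an illustration.

```cisco
! Functionality 1: inside web server reachable through static NAT,
! with an explicit hole in the inbound ACL (constructed addresses).
ip nat inside source static 10.1.1.10 203.0.113.10
!
! Inbound ACL on the outside interface: deny all unsolicited traffic.
! ICMP is not inspected by CBAC, so the replies we want are opened
! statically here; everything else inbound is denied and logged.
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
!
! Functionality 2: protocols to inspect; an SIS is created per session.
! Return traffic for these sessions is admitted through ACL 101
! by the temporary entries CBAC adds.
ip inspect name CBAC tcp timeout 3600
ip inspect name CBAC udp timeout 30
ip inspect name CBAC http java-list 51
! Java applets are allowed only from sources listed in ACL 51
! (assumed friendly network); applets from all other sites are blocked.
access-list 51 permit 198.51.100.0 0.0.0.255
!
! Functionality 3: session-count and rate limits against SYN floods.
! Above the high mark, half-open SISs are deleted until the count
! (or one-minute new-connection rate) falls back to the low mark.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect tcp synwait-time 30
ip inspect audit-trail
!
interface GigabitEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group 101 in
 ip inspect CBAC out
```

The inspection rule is applied outbound on the outside interface and the ACL inbound on the same interface, so the ACL sees post-NAT (global) addresses; `show ip inspect sessions` lists the live SIS entries, and `show ip inspect config` shows the thresholds in effect.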

Features of IOS Firewall
• Transport Layer Inspection
• Application Layer Inspection
• Filtering for Invalid Commands
• Java Blocking
• Safeguarding against DoS attacks
• Fragment handling

Case Study

• CBAC on a router configured with NAT
