IOS%20Firewall - PowerPoint PPT Presentation

About This Presentation
Title:

IOS%20Firewall

Description:

Title: Web Security Author: Andrew Yang Last modified by: Yang, Andrew Created Date: 8/25/2005 3:09:39 AM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:201
Avg rating:3.0/5.0
Slides: 9
Provided by: Andrew687
Learn more at: http://nas.uhcl.edu
Category:

less

Transcript and Presenter's Notes

Title: IOS%20Firewall


1
IOS Firewall
  • IOS Ciscos Internetwork Operating System (the
    primary system running on Ciscos routers)
  • IOS Firewall a stateful packet-filter firewall
    that runs on a router, providing firewall
    capabilities
  • CBAC Context-Based Access Control (at the core
    of the IOS Firewall functionality

2
Outline
  • CBAC
  • IOS Firewall Features
  • Case studies

3
CBAC (Context-Based Access Control)
  • Implement packet filtering on a Cisco router
    (similar to ASA on Cisco PIX)
  • Three basic functionalities
  • Dynamic modification of the extended access lists
  • To allow connections initiated from the inside
  • Inspection of the application/transport level
    protocols multimedia support in PIX
  • Control of the number/length of sessions

4
CBAC Functionality
  • Set up Access Control Lists to open holes for
    inbound access to inside servers
  • Set up the router to inspect outbound packets,
    and
  • Keep track of the associated sessions ? i.e., a
    stateful packet filter

5
How does IOS maintain session state information?
  • State Information Structure (SIS)
  • A SIS is created for each logical session.
  • The SIS uniquely identifies a connection using
    the IP and the port).
  • When necessary, other info such as TCP connection
    state, TCP sequence number, etc. are also
    maintained.
  • The SIS is deleted when the associated
    session/connection is terminated.

6
Other CBAC functionality
  • Out-of-sequence TCP packets are dropped.
  • TCP packets with invalid sequence numbers are
    dropped.
  • The reassembly of IP packets is not supported (as
    in PIX firewall).
  • Does not inspect packets originated by the IOS
    Firewall router.
  • ICMP packets are not inspected. (They are
    manually managed using static ACLs).
  • ICMP unreachable packets are ignored.
  • To protect against a flooding attack or unusual
    consumption of memory due to a large number of
    SISs
  • when the number of SISs in the half-open state
    reaches a threshold, half-open SISs are deleted
    to accommodate a new session.
  • If the rate of new TCP connection requests is
    higher than a maximum value, half-open SISs are
    deleted for every new connection request.

7
Features of IOS Firewall
  • Transport Layer Inspection
  • Application Layer Inspection
  • Filtering for Invalid Commands
  • Java Blocking
  • Safeguarding against DOS attacks
  • Fragment handling

8
Case Study
  • CBAC on a router configured with NAT
Write a Comment
User Comments (0)
About PowerShow.com