
Why a Firewall Is Required:

As we all know, the universal presence of the Internet has completely changed networking as we
know it. Networks that were once completely isolated are now connected to the world. This universal
connectivity allows companies to achieve things never before imaginable. At the same time though, there is
a dark side. The Internet is a haven for cyber criminals who use the connectivity to launch an
unprecedented number of attacks against companies.

When the Internet first started to gain popularity, companies started to realize that they needed to
implement firewalls in an effort to prevent attacks against them. Firewalls work by blocking unused TCP
and UDP ports. Although firewalls are effective at blocking some types of attacks, they have one major
weakness: You simply can't close all of the ports. Some ports are necessary for things like HTTP, SMTP
and POP3 traffic. Ports corresponding to these common services must remain open in order for those
services to function properly.

Difference between IPS and IDS


The difference between IPS and IDS systems lies in their handling of alerts. Pure IDS systems
simply inform the administrator that suspicious activity took place. IPS systems, on the other hand, have
the ability to block the suspicious traffic from entering the network. In fact, the two technologies have
already converged for all intents and purposes. Most intrusion detection products have the ability to run in
either IPS or IDS mode depending on the user's configuration.

In other words, an IDS cannot respond to an attack until it is already under way, but an IPS can stop it
before it happens. An IDS is like the police: they cannot stop a person from committing a crime until that
person actually commits the crime.

Types of IDS and IPS Systems


Criteria                 Type              Description
Approach to identify     Signature-based   • Vendor provides a signature database.
malicious traffic                          • Signatures should be customized.
                         Policy-based      • Policy definition and description is created.
                         Anomaly-based     • ‘Normal’ and ‘abnormal’ traffic is defined.
                         Honeypot          • Sacrificial host is set up to lure the attacker.
Coverage scope           Network-based     • Network sensors scan traffic destined to many hosts.
                         Host-based        • Host agent monitors all operations within an operating system.

Signature-Based IDS and IPS

1. Observe, and block or alarm if a known malicious event is detected.

2. Requires a database of known malicious patterns.

3. The database must be continuously updated.

Policy-Based IDS and IPS

• Observes, and blocks or alarms if an event outside the configured policy is detected.

• Requires a policy database.

Anomaly-Based IDS and IPS

• Observe, and block or alarm if an event outside known normal behavior is detected.

• Statistical versus nonstatistical anomaly detection.

• Requires a definition of “normal”.

Honeypot

Observe a special system, and alarm if any activity is directed at it.

• The special system is a trap for attackers and not used for anything else.

• The special system is well-isolated from its environment.

• Typically used as IDS, not IPS.
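The following toy sensor is an added example (not code from the original notes) that illustrates the signature-based and statistical anomaly-based approaches listed above, and the IDS-versus-IPS distinction from the earlier section: in IDS mode a flagged event is only reported, in IPS mode it is also dropped. The signature id and pattern, the baseline rates and the events are all constructed for the demonstration.

```python
# Added example (not from the original notes): a toy sensor showing the
# signature-based and statistical anomaly-based approaches, run in IDS mode
# (alert only) and IPS mode (alert and drop). The signature id and pattern,
# the baseline and the events are all constructed for this demonstration.
import statistics
from typing import Optional

SIGNATURES = {"SIG-EXAMPLE-1": b"<constructed-malicious-pattern>"}  # made-up database


def signature_match(payload: bytes) -> Optional[str]:
    """Signature-based: alarm when a known malicious pattern is present."""
    for sid, pattern in SIGNATURES.items():
        if pattern in payload:
            return sid
    return None


def anomaly_threshold(normal_rates: list, k: float = 3.0) -> float:
    """Statistical anomaly-based: 'normal' is learned from observed
    connections-per-minute rates; above mean + k * stddev is 'abnormal'."""
    return statistics.mean(normal_rates) + k * statistics.pstdev(normal_rates)


def run_sensor(events: list, threshold: float, mode: str) -> dict:
    """events are (source, rate, payload). Flagged events are reported in both
    modes; in 'ips' mode they are also dropped instead of forwarded."""
    alerts, forwarded = [], []
    for src, rate, payload in events:
        reasons = []
        sid = signature_match(payload)
        if sid:
            reasons.append("signature " + sid)
        if rate > threshold:
            reasons.append("abnormal rate %s" % rate)
        if reasons:
            alerts.append((src, "; ".join(reasons)))
            if mode == "ips":
                continue              # blocked before it enters the network
        forwarded.append(src)         # IDS mode lets it through and only alarms
    return {"alerts": alerts, "forwarded": forwarded}


THRESHOLD = anomaly_threshold([4, 5, 6, 5, 4, 6])   # constructed normal baseline
EVENTS = [("10.0.0.11", 5, b"GET /index.html"),                       # normal
          ("10.0.0.12", 4, b"GET /<constructed-malicious-pattern>"),  # signature hit
          ("198.51.100.7", 40, b"GET /")]                             # rate anomaly
```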

Network-Based and Host-Based IPS

NIPS: Sensor appliances are connected to network segments to monitor many hosts.

HIPS: Centrally managed software agents are installed on each host.

– Cisco Security Agents (CSAs) defend the protected hosts and report to the central management console.

– HIPS provides individual host detection and protection.

– HIPS does not require special hardware.


Network-Based vs. Host-Based IPS

• Application-level encryption protection

• Policy enhancement (resource control)

• Web application protection

• Buffer overflow

• Network attack and reconnaissance prevention

• DoS prevention

NIPS Features

• Sensors are network appliances tuned for intrusion detection analysis.

– The operating system is “hardened.”

– The hardware is dedicated to intrusion detection analysis.

• Sensors are connected to network segments. A single sensor can monitor many hosts.

• Growing networks are easily protected.

– New hosts and devices can be added without adding sensors.

– New sensors can be easily added to new networks.


NIDS and NIPS Deployment

Exploit Signatures

OSI Layer           Exploit Signatures
Application layer   • DNS reconnaissance and DoS
                    • Worms, viruses, Trojan horses, adware, malware
Transport layer     • Port sweeps
                    • TCP SYN attack
Network layer       • Fragmentation attacks
                    • IP options
                    • ICMP reconnaissance and DoS


Cisco IOS IPS SDFs

• A Cisco IOS router acts as an in-line intrusion prevention sensor.

• Signature databases:

– Built-in (100 signatures embedded in Cisco IOS software)

– SDF files (can be downloaded from Cisco.com):

• Static (attack-drop.sdf)

• Dynamic (128MB.sdf, 256MB.sdf)—based on installed RAM

• Configuration flexibility:

– Load the built-in signature database, an SDF file, or even merge signatures to increase coverage

– Tune or disable individual signatures

Firewall Technologies

Firewalls use three technologies:

• Packet filtering

• Application layer gateway

• Stateful packet filtering

Packet Filtering

• Packet filtering limits traffic into a network based on the destination and source addresses and ports.

Application Layer Gateway

• The ALG intercepts and establishes connections to the Internet hosts on behalf of the client.

ALG Firewall Device


Stateful Packet Filtering

• Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes.

• Stateful inspection then remembers certain details, or the state, of that request.
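The difference between the two bullets above, as an added example that is not code from the original notes: a stateless inbound ACL has to admit every reply-looking packet because it has no memory, while a stateful filter admits only the reverse of a session it recorded on the way out. The inside prefix, addresses and packets are constructed for the demonstration.

```python
# Added example (not from the original notes): a stateless ACL next to a
# stateful filter, run over constructed packets with made-up addresses.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


INSIDE_PREFIX = "10.0.0."   # constructed inside network


def stateless_inbound(pkt: Packet) -> bool:
    """Stateless ACL for the inbound direction. To let replies to outbound web
    sessions back in it must permit any packet from port 80 to a high port
    with ACK set, because it cannot know whether a matching session exists."""
    return pkt.sport == 80 and pkt.dport >= 1024 and pkt.ack


class StatefulFilter:
    """Stateful inspection: remember each outbound session and permit inbound
    traffic only when it is the reverse of a remembered session."""

    def __init__(self) -> None:
        self.sessions = set()   # (src, sport, dst, dport) of outbound sessions

    def outbound(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INSIDE_PREFIX) and pkt.syn:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # A reply carries our (src, sport) as its (dst, dport) and vice versa.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def demo() -> dict:
    """Returns (stateless verdict, stateful verdict) for two inbound packets."""
    fw = StatefulFilter()
    fw.outbound(Packet("10.0.0.5", 40000, "203.0.113.9", 80, syn=True))
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 40000, ack=True)
    unsolicited = Packet("198.51.100.7", 80, "10.0.0.5", 40001, ack=True)
    return {"reply": (stateless_inbound(reply), fw.inbound(reply)),
            "unsolicited": (stateless_inbound(unsolicited), fw.inbound(unsolicited))}
```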
How the Cisco IOS Firewall Is Designed and How It Works
Cisco IOS Firewall TCP Handling

Cisco IOS Firewall UDP Handling


 

Access Lists and Their Application

As a network grows, it becomes more important to manage the increased traffic going
across the network. Access lists help limit traffic by filtering traffic based on packet
characteristics. Access lists define a set of rules used by routers to identify particular types of
traffic. Access lists can be used to filter both incoming and outgoing traffic on a router’s
interface. An access list applied to a router specifies rules for only traffic going through the
router. Traffic originating from a router is not affected by that router’s access lists. (It is subject
to access lists within other routers as it passes through them.)

Packet Filtering

Access lists can be configured to permit or deny incoming and outgoing packets on an interface.
By following a set of conventions, the network administrator can exercise greater control over
network traffic by restricting network use by certain users or devices.

Application of an IP Access List

To establish an access list, you must define a sequential list of permit and deny conditions that
apply to IP addresses or IP protocols. Access lists filter only traffic going through the router; they
do not filter traffic originated from the router. Access lists can also filter Telnet traffic into or
out of the router’s vty ports.
 

Types of Access Lists

There are two general types of access lists:


Standard access lists check the source address of packets. Standard access lists
permit or deny output for an entire protocol suite based on the source
network/subnet/host IP address.

Extended IP access lists check both source and destination packet addresses.
Extended lists specify protocols, port numbers, and other parameters, giving
administrators more flexibility and control.

 
Example:

A(config)#access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq 80
A(config)#access-list 101 permit ip any any

At the FastEthernet 0 interface mode prompt, type:

A(config-if)#ip access-group 101 in      <-- denies incoming traffic to port 80 (first entry); everything else is permitted by the second entry
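To show how the router evaluates the two entries above, here is an added example (not code from the original notes or from Cisco) that parses extended ACL entries in the syntax used on this page and applies them the way IOS does: entries are checked in order, the first match wins, and an implicit deny sits at the end. It understands only "any", "host" and network/wildcard address forms and the destination "eq" port qualifier.

```python
# Added example (not from the original notes): evaluates extended ACL entries
# the way a router does, top to bottom, first match wins, implicit deny at the
# end. Only the syntax used in the example above is parsed.
import ipaddress

def wildcard_match(ip: str, net: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care' (the inverse of a netmask)."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & keep) == (int(ipaddress.IPv4Address(net)) & keep)

def _parse_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((net, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line: str) -> dict:
    """Parse e.g. 'access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq 80'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    ace = {"number": int(t[1]), "action": t[2], "proto": t[3], "dport": None}
    ace["src"], rest = _parse_addr(t[4:])
    ace["dst"], rest = _parse_addr(rest)
    if rest[:1] == ["eq"]:            # destination-port qualifier
        ace["dport"] = int(rest[1])
    return ace

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one packet going through the router."""
    for ace in acl:                   # entries are checked in order
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]          # first match wins; later entries are ignored
    return "deny"                     # implicit deny at the end of every ACL

# The two entries from the notes' example.
ACL_101 = [parse_ace("access-list 101 deny tcp 192.168.14.0 0.0.0.255 any eq 80"),
           parse_ace("access-list 101 permit ip any any")]
```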
 
