2025-04-05 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)06/01 Report--
Classification of firewall technology
There are three kinds of firewall technology: packet filtering firewalls, proxy firewalls and stateful packet filtering firewalls.
1. Packet filtering firewall: uses ACLs to control incoming or outgoing network traffic. An ACL can match on the packet type or on other header parameters (such as source IP address, destination IP address, port number, etc.). This type of firewall has the following shortcomings:
○ ACLs are difficult to develop and maintain.
○ ACLs can easily be bypassed with IP spoofing, because the filter decides on the header fields alone.
2. Proxy firewall: also known as a proxy server. It examines packets at the upper layers of the OSI model and compares them with the configured rules. If the packet content conforms to the rules and is allowed, the proxy server sends the request to the destination address on behalf of the source host, receives the response from the external host, and forwards it to the protected host that originated the request. The disadvantage of a proxy firewall is performance: it performs in-depth inspection of every packet that passes through it, even when the packet belongs to a flow that has already been checked, so it has a significant impact on system and network performance.
3. Stateful packet filtering firewall: the Cisco ASA is a stateful packet filtering firewall. It maintains state information for each session and writes it to a state table. Each entry in the state table holds the source address, destination address, port numbers, TCP sequence number information and other flags of a TCP or UDP connection. All incoming and outgoing traffic is compared against the connection state in the state table, and traffic is allowed through only if it matches a state-table entry. When the firewall receives traffic, it first checks whether the connection already exists in the connection table. If it does not, the firewall checks whether the connection conforms to the security policy: if it does, the connection is written to the state table after processing; if it does not, the packet is discarded. The state table is also called the fast path. The firewall fully processes only the first packet of a connection, and subsequent packets belonging to that connection are forwarded directly via the fast path, which gives a large performance improvement.
Firewall features and licenses:
The firewall ships from the factory with a set of basic features. To add further features you must purchase a license and activate them. The show version command lists the features currently available on the firewall.
The firewall license types are:
Unrestricted (UR): an unrestricted license enables every feature the firewall can support, such as an unlimited number of active connections, all ports supported by the firewall, and the firewall's failover function.
Restricted (R): a limited license that caps the number of active connections, does not support failover, limits the maximum number of interfaces the firewall supports, and so on.
Failover (FO): this license allows the firewall to participate in failover as the secondary device.
Failover-active/active (FO-AA): this license allows the firewall to participate in active/active failover as the secondary device; the other firewall must hold a UR license.
Cisco ASA security algorithm
The ASA security algorithm for handling TCP connections:
The first IP packet from an internal host causes a translation slot to be created. This information is kept in memory and is used to check future packets and perform address translation. The firewall then uses the information in the TCP header to create a connection slot marked "incomplete", which represents a half-open TCP connection. The firewall generates a random initial sequence number for the connection and forwards the packet out of the external interface. At this step the firewall expects a synchronize-acknowledge packet (SYN/ACK) from the destination host; when it arrives, the firewall matches the received packet against the information stored in the connection slot, adjusts the sequence numbers, and forwards the returned packet to the internal host. The internal host completes the connection and the three-way handshake by sending an ACK, and the connection slot on the firewall is marked connected (active-established). At this point data can be sent, and the "incomplete" connection counter is reset.
That is the security algorithm the firewall uses for TCP connections. The ASA security algorithm for handling UDP connections:
The firewall receives the first IP packet from the internal host and, after verifying the configured translation settings, creates a translation slot and stores it in memory to check future packets of the flow. The firewall then uses the information in the UDP header to create a UDP connection slot, which it keeps for the user-configured UDP timeout. When the UDP connection slot has been idle longer than the configured UDP timeout, it is deleted from the connection table. During the UDP timeout period the firewall applies the adaptive security algorithm (ASA) to perform stateful inspection of the UDP packets received from the destination host; if a returned UDP packet matches the slot exactly and the slot has not timed out, the data is passed back to the internal host.
Finally, note that all ASA security policies are applied to stateful connections, so a connection-table entry is generated before the security policy and other checks are evaluated.
Some features of UDP:
UDP is an unreliable (connectionless) but efficient transport protocol; it is unreliable in that it provides no acknowledgement of delivery. UDP packets are easy to forge because there is no handshake or sequence-number mechanism. Without a state mechanism, the initiator and the current state of a transfer are often uncertain. UDP provides no guarantees for the establishment or termination of connections and has no congestion management or avoidance mechanism. Services that use UDP generally fall into two categories:
○ request-response, or ping-pong, services, for example the Domain Name Service (DNS)
○ streaming services such as video, VoIP, and the Network File System (NFS)
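The connection-table behaviour described in the stateful packet filtering paragraph and in the TCP and UDP sections above, as an added toy model (this is constructed example code, not Cisco's implementation): the first packet of a flow is checked against the security policy and, if permitted, gets a connection slot; later packets of the flow and their replies take the fast path without re-evaluating the policy; a TCP slot stays "incomplete" until the client's ACK completes the handshake; a UDP slot is removed once it has been idle longer than the UDP timeout. The inside network, the addresses and ports, the security policy and the timeout value are all assumptions.

```python
"""Toy model of a stateful firewall's connection (state) table.

Constructed example, not Cisco code. Slow path = security policy check on
the first packet of an unknown flow; fast path = lookup of an existing slot
in either direction; UDP slots expire after an idle timeout."""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")   # constructed inside network
UDP_TIMEOUT = 120.0                                # assumed idle timeout, seconds


@dataclass(frozen=True)
class FlowKey:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "FlowKey":
        """Key that a reply packet of this flow carries."""
        return FlowKey(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Slot:
    state: str        # "incomplete" (half-open TCP) or "established"
    last_seen: float  # timestamp of the last packet matched to this slot


def default_policy(key: FlowKey) -> bool:
    """Security policy used only on the slow path (constructed): permit
    flows that originate on the inside network, deny everything else."""
    return ipaddress.ip_address(key.src) in INSIDE_NET


class StatefulFirewall:
    def __init__(self, policy=default_policy):
        self.policy = policy
        self.table: dict[FlowKey, Slot] = {}
        self.policy_checks = 0   # how many packets needed the slow path

    def _expire_idle_udp(self, now: float) -> None:
        """Delete UDP slots whose idle time exceeds the UDP timeout."""
        for key, slot in list(self.table.items()):
            if key.proto == "udp" and now - slot.last_seen > UDP_TIMEOUT:
                del self.table[key]

    def process(self, key: FlowKey, ts: float, flags: str = "") -> str:
        """Return 'fast-path', 'slow-path-permit' or 'drop' for one packet."""
        self._expire_idle_udp(ts)

        # Fast path: the packet belongs to a known flow, in either direction.
        if key in self.table:
            slot = self.table[key]
            slot.last_seen = ts
            # The client's ACK completes the three-way handshake.
            if key.proto == "tcp" and slot.state == "incomplete" and flags == "A":
                slot.state = "established"
            return "fast-path"
        if key.reverse() in self.table:
            self.table[key.reverse()].last_seen = ts
            return "fast-path"

        # Slow path: unknown flow, consult the security policy once.
        self.policy_checks += 1
        if not self.policy(key):
            return "drop"
        state = "incomplete" if key.proto == "tcp" else "established"
        self.table[key] = Slot(state=state, last_seen=ts)
        return "slow-path-permit"

    def state_of(self, key: FlowKey):
        slot = self.table.get(key)
        return slot.state if slot else None


def demo():
    """Walk one TCP handshake and one UDP exchange through the firewall."""
    fw = StatefulFirewall()
    tcp = FlowKey("tcp", "10.1.1.5", 40000, "203.0.113.10", 80)
    results = [
        fw.process(tcp, 0.0, "S"),              # SYN: slow path, slot incomplete
        fw.process(tcp.reverse(), 0.1, "SA"),   # SYN/ACK: matches the reverse key
        fw.process(tcp, 0.2, "A"),              # ACK: slot becomes established
        fw.process(FlowKey("tcp", "198.51.100.7", 1234, "10.1.1.5", 22), 1.0, "S"),
    ]
    udp = FlowKey("udp", "10.1.1.5", 5353, "203.0.113.53", 53)
    results += [
        fw.process(udp, 10.0),                  # DNS query: slow path
        fw.process(udp.reverse(), 10.5),        # reply within the timeout: fast path
        fw.process(udp.reverse(), 200.0),       # reply after the idle timeout: no slot
    ]
    return results, fw.state_of(tcp), fw.policy_checks
```

Only four of the seven packets in `demo()` reach the policy check: the two TCP SYNs, the first DNS query, and the DNS reply that arrives after the UDP slot expired, which is then treated as an unsolicited flow from the outside and dropped.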
Firewall basic configuration
Configure interface parameters:
Security level: on the ASA/PIX, each interface must have a security level, a number between 0 and 100, where 0 is the lowest and 100 the highest security level. By default, all traffic from a higher-security interface to a lower-security interface is allowed, and all traffic from a lower-security interface to a higher-security interface is denied; an ACL is required to permit the desired traffic. Traffic from a higher-security interface to a lower-security interface can of course also be controlled with an ACL. By default, communication between interfaces with the same security level is not allowed; the command
hostname(config)# same-security-traffic permit inter-interface
allows interfaces with the same security level to communicate with each other.
Every firewall interface must have the following configured: a name, an IP address, and a security level.
Default access rules between the three zones:
Inside can access outside.
Inside can access DMZ.
DMZ can access outside.
DMZ cannot access inside.
Outside cannot access inside.
Outside cannot access DMZ.
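The security-level rules above (higher to lower permitted by default, lower to higher denied until an ACL permits it, equal levels denied unless same-security-traffic permit inter-interface is configured), as an added example that is constructed for this page and is not Cisco code. The interface names, addresses and levels of the three-zone firewall are assumptions; the six default rules it derives are the ones listed above.

```python
"""Default inter-interface policy of a security-level firewall, before any
ACL is applied. Constructed example, not Cisco code."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Interface:
    name: str            # interface name (nameif)
    ip: str              # interface address (constructed)
    security_level: int  # 0 (least trusted) .. 100 (most trusted)

    def __post_init__(self):
        if not 0 <= self.security_level <= 100:
            raise ValueError(f"{self.name}: security level must be between 0 and 100")


class Asa:
    def __init__(self, interfaces, same_security_inter_interface=False):
        self.ifaces = {i.name: i for i in interfaces}
        # Models: same-security-traffic permit inter-interface
        self.same_security_inter_interface = same_security_inter_interface

    def default_action(self, src_if: str, dst_if: str) -> str:
        """'permit' or 'deny' for traffic entering src_if and leaving dst_if,
        with no ACL configured on the ingress interface."""
        src = self.ifaces[src_if].security_level
        dst = self.ifaces[dst_if].security_level
        if src > dst:
            return "permit"          # high to low: allowed by default
        if src < dst:
            return "deny"            # low to high: needs an ACL on the ingress interface
        # Equal levels: denied unless same-security traffic is permitted
        return "permit" if self.same_security_inter_interface else "deny"

    def default_rules(self) -> dict:
        """Default action for every ordered pair of distinct interfaces."""
        return {(a, b): self.default_action(a, b)
                for a, b in permutations(self.ifaces, 2)}


# Constructed three-zone firewall; levels chosen to reproduce the rules above.
ASA = Asa([
    Interface("inside", "10.1.1.1", 100),
    Interface("dmz", "172.16.1.1", 50),
    Interface("outside", "203.0.113.1", 0),
])
```

`ASA.default_rules()` yields the six default rules listed above; `Asa([...], same_security_inter_interface=True)` shows the effect of the same-security-traffic command on two interfaces at the same level.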
Configure static routes
In firewall mode, the ASA supports static and default routes; for dynamic routing the ASA supports only RIP and OSPF, so if your network runs another routing protocol, use static routes, which also save CPU load. The ASA supports up to 3 equal-cost static routes on the same interface.
hostname(config)# route interface_name destination_network mask next_hop_address
Configure ACLs
An ACL consists of multiple access control entries (ACEs). Each ACE expresses a permit or deny rule and can be defined by protocol, source and destination address, port number, ICMP type, and so on. ACEs are evaluated sequentially; once a matching ACE is found, matching stops.
For TCP and UDP connections you do not need an ACL to allow the returned traffic in, because the firewall's security algorithm creates a connection-table entry that lets it back through; for connectionless traffic such as ICMP you must either explicitly allow the returned traffic into the firewall with an ACL or enable the ICMP inspection engine.
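The sequential first-match evaluation of ACEs described above, with an implicit deny when nothing matches, as an added example that is constructed for this page and is not Cisco code. The ACL is modelled as one applied inbound on the outside interface: it admits web traffic to one inside server and ICMP echo-replies, the return traffic of pings from inside that, as the paragraph above notes, the connection table does not cover for ICMP. The addresses, ports and ACEs are assumptions; ICMP type 8 is echo and type 0 is echo-reply.

```python
"""First-match ACL evaluation. Constructed example, not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[int] = None  # icmp only


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None      # None = any port
    icmp_type: Optional[int] = None  # None = any ICMP type

    def matches(self, p: Packet) -> bool:
        """Every specified field must match; unspecified fields match anything."""
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: list, p: Packet) -> tuple:
    """Return (action, index of the deciding ACE). Evaluation stops at the
    first match; a packet matching no ACE gets ("deny", None), the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None


net = ipaddress.ip_network
# Constructed ACL applied inbound on the outside interface.
OUTSIDE_IN = [
    # A specific deny placed first wins over the broader permit that follows it.
    Ace("deny", "tcp", src=net("198.51.100.0/24"), dst=net("10.1.1.10/32"), dport=443),
    Ace("permit", "tcp", dst=net("10.1.1.10/32"), dport=443),
    # Echo-replies to inside hosts; needed because ICMP has no connection-table entry.
    Ace("permit", "icmp", dst=net("10.1.1.0/24"), icmp_type=0),
]
```

Reordering the first two ACEs would let the 198.51.100.0/24 clients through, which is the practical consequence of "once a matching ACE is found, matching stops": ACE order is part of the policy.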