
Partial preparation for

CCNA Security Exam – 640-554 IINS

1
• Firewall Primer
• NAT
• Lab Examples

2
• Firewalls can be implemented as:
– Single device
– Group of devices
– Software
• Basic job is to deny unwanted traffic
– Router with ACL
– Switch with two separate VLANs
– Host firewall

3
• Resistant to attacks
• Traffic between networks must transit the
firewall
• Enforces the access control policy of the
organisation

4
• Exposure of sensitive information to
untrusted parties
• Exploitation of protocol vulnerabilities
• Unauthorized users
• Malicious data

5
• Configuration errors
• Will break some applications
• Facilitates “creative” thinking
• Added latency

6
• Static packet filtering (ACLs)
• Proxy server (ALG)
• Stateful packet filtering
• Application inspection
• Transparent firewall

7
• Covered in detail last week

8
• Pros
– Very tight control, difficult to attack, detailed
logging, can use common hardware
• Cons
– CPU heavy, application support, special
client SW, RAM & HDD heavy

9
• Pros
– Good primary defence, IOS support, dynamic in
nature, DoS protection
• Cons
– L7 attacks, not all protocols contain tight state
information (UDP/ICMP), some applications use
dynamic ports, does not support user
authentication on its own

10
• Extra Pros over Stateful
– Can view deep into the packets, awareness
of L7, protect against more attacks than
stateful on its own

11
• More to do with where the firewall sits
rather than the actual technologies used
to filter

12
• IPv4 shortage of addresses
• RFC1918 Private IPs
– Are not public addresses
– Must use NAT to route to the Internet
• Translates b/w private and public addresses
• Hides the specific private IP
– Security by obscurity – cue heated debate!
• “Not required” with IPv6…let’s wait and see.

13
• Static NAT
– One-to-one translation b/w two addresses, or
b/w a port on one address and the same port on
another address
• Dynamic NAT
– Uses a pool of global addresses to dynamically
translate outbound traffic
• NAT Overload/PAT
– Translates outbound traffic to unique ports on a
single global address

14
• Inside Local
– Specific IP address assigned to an inside host
• Inside Global
– Address that identifies an inside host on the
outside
• Outside Global
– Specific IP address assigned to an outside host
• Outside Local
– Address that identifies an outside host on the
inside

15
• Consider traffic from Host A to Host B
– Inside Local – 10.1.1.10
– Inside Global – 55.1.1.1
– Outside Global – 99.1.1.2
– Outside Local – 99.1.1.2

16
• Identify the inside and outside interfaces
    int fa0/0
     ip nat inside
    int atm0/0
     ip nat outside
• Map public to private addresses
    ip nat inside source static 172.16.1.1 203.193.205.50

17
• Identify the inside and outside interfaces
• Create a pool of global addresses
    ip nat pool <POOLNAME> 203.193.193.1 203.193.193.50 netmask 255.255.255.0
• Identify which addresses to NAT using an ACL
    access-list 10 permit 172.16.1.0 0.0.0.255
• Apply ACL to NAT pool
    ip nat inside source list 10 pool <POOLNAME>

18
• Identify the inside and outside interfaces
• Identify which addresses to NAT using an ACL
    access-list 10 permit 172.16.1.0 0.0.0.255
• Apply ACL to overload interface
    ip nat inside source list 10 interface atm0/0 overload

19
• Useful basic commands
– show ip nat statistics
– debug ip nat
• Be careful on heavily used NAT routers!
– show ip nat translation
– clear ip nat translation
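Added example (not from the slides): a small Python model of the NAT overload/PAT behaviour configured on slide 18, using the slide 15 addresses (10.1.1.10 inside, 99.1.1.2 outside). The inside-global address 55.1.1.1 is assumed to be the atm0/0 interface address, and all packets are constructed; the `show_translations` rows imitate the column order of `show ip nat translation` from slide 19.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Translation key: (inside local, local port, outside global, outside port)
FlowKey = Tuple[str, int, str, int]

class PatRouter:
    """Minimal model of NAT overload/PAT: every outbound flow is mapped to a
    unique source port on ONE inside-global address, and inbound packets are
    only de-translated when they match an existing entry."""

    def __init__(self, inside_global: str, first_port: int = 1024):
        self.inside_global = inside_global   # assumed atm0/0 address (55.1.1.1)
        self._next_port = first_port
        self._table: Dict[FlowKey, int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._table:           # new flow: allocate a unique global port
            self._table[key] = self._next_port
            self._next_port += 1
        # Source becomes inside global; destination is untouched because
        # outside local == outside global when only inside source NAT is used.
        return Packet(self.inside_global, self._table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the mapping for a reply, or return None (dropped) when no
        entry matches. This is why the private host stays unreachable from
        outside unless it opened the flow itself."""
        for (loc_ip, loc_port, out_ip, out_port), glob_port in self._table.items():
            if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) == \
                    (out_ip, out_port, self.inside_global, glob_port):
                return Packet(pkt.src_ip, pkt.src_port, loc_ip, loc_port)
        return None

    def show_translations(self) -> List[str]:
        """Rows laid out like 'show ip nat translation' (slide 19):
        Pro  Inside global  Inside local  Outside local  Outside global."""
        return [f"tcp {self.inside_global}:{g} {l}:{lp} {o}:{op} {o}:{op}"
                for (l, lp, o, op), g in self._table.items()]
```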

20
• Design considerations
• Access rules
• Design Guidelines

21
• Features
– Stateful inspection
– Application inspection
– Packet filtering
– URL filtering
– Transparent
– Support for VRFs
– No need for ACLs!

22
23
• Class maps
– Identifies traffic
• Policy maps
– Actions to take
• Service policies
– Apply the policies

24
• Inspect
• Pass
• Drop
• Log

25
Ingress int member of zone? | Egress int member of zone? | Zone pair & policy exist? | What happens to traffic?
No                          | No                         | Irrelevant                | Forwarded
No                          | Yes (any zone)             | Irrelevant                | Dropped
Yes (Zone 1)                | Yes (Zone 1)               | Irrelevant                | Forwarded
Yes (Zone 1)                | Yes (Zone 2)               | No                        | Dropped
Yes (Zone 1)                | Yes (Zone 2)               | Yes                       | Depends on policy actions

26
• Packet Tracer labs up on Moodle

27
• Various articles on NAT Firewalls
• PDF version of slides
• Video

28
• IDS Technologies
• Same time, same place…

• Thanks for attending and good night.

29
