1303 0955_05F9_c2
1
© 1999, Cisco Systems, Inc.
Update on Firewall Technologies Session 1303
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0955_05F9_c2.scr
Agenda
• Introduction: Definition and Deployment
• Product Updates: Cisco IOS® Firewall, Cisco PIX™ Firewall, Cisco VPN Client
Introduction
What Is a Firewall?*
• All traffic from inside to outside and vice-versa must pass through the firewall
• Only authorized traffic, as defined by the local security policy, will be allowed in
• The firewall itself is immune to penetration
* Bellovin and Cheswick, “Firewalls and Internet Security: Repelling the Wily Hacker”
Network Security Elements
• Cisco security technologies provide:
  Perimeter security and access control
  Identification and user authentication
  Denial of Service (DoS) protection
  Virtual private networking
  Auditing
Existing Cisco IOS Security Technologies
• Access control lists
  Reflexive access lists
  Time-based access lists
• Policy-based multi-interface support
• Event logging
• Network Address Translation (NAT)
• TACACS+/RADIUS authentication
• VPN technologies
  IPSec encryption
  Tunneling (GRE, L2F, L2TP)
Firewall Solutions
• Cisco IOS firewall: integrated firewall solution for Cisco IOS software, which combines advanced firewalling and intrusion detection with full routing and WAN access capabilities
• PIX firewall: dedicated firewalling in a high-performance, scalable and fault-tolerant dedicated security appliance, with the most advanced features and application support
Product Updates
Cisco IOS Firewall
• Integrated solution: combines firewall and routing into one platform, an easy add-on for existing network administrators
• No new hardware required, one device to manage: support for Cisco 1600, 1700, 2500, 2600, 3600, and 7200 routers
• Full routing functionality
• ICSA certified
Cisco IOS Firewall New Features
New Release: 12.0(5)T, June 1999
• Per-user authentication and authorization (“authentication proxy”)
• Intrusion detection technology
• IP fragmentation defense
• Dynamic per-application port mapping
• Configurable alerts and audit trail
• SMTP-specific attack detection
• New CBAC application support: MS-Networking, MS NetShow
Authentication Proxy
• HTTP-initiated authentication
• Valid for all types of application traffic
• Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols
• Works on any interface type for inbound or outbound traffic
Authentication Proxy Highlights
• Overcomes lock-and-key limitations (lock and key requires Telnet to the router and works with a single ACL only)
• No special client required
• Supports RADIUS and TACACS+ servers: CiscoSecure, Ascend and Livingston RADIUS servers
• HTTP only, for now
• Independent software component
• For traffic passing through the router only
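A configuration sketch of the authentication proxy described on the two slides above, added here as an example rather than taken from the deck; the addresses, the rule name HQ_PROXY, the ACL number and the TACACS+ attribute syntax are assumptions.

```cisco
! Added example (not from the Cisco deck): Cisco IOS Firewall authentication
! proxy on an inside interface with per-user authorization from TACACS+.
! Addresses, the rule name and the ACL number are assumed values.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key <placeholder-shared-secret>
!
! The proxy answers the user's first HTTP request from the router's own
! HTTP server with a login page, so that server must be on and use AAA.
ip http server
ip http authentication aaa
!
! Idle entries are removed after 60 minutes, closing the per-user holes.
ip auth-proxy auth-cache-time 60
! The rule is triggered by HTTP only; once the user has authenticated,
! whatever the server returns (any protocol) is opened for that host.
ip auth-proxy name HQ_PROXY http
!
interface Ethernet0
 description inside LAN; proxy applies to traffic through the router
 ip address 192.168.1.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy HQ_PROXY
!
! Before login only HTTP to the router itself passes. After login the
! proxy inserts the user's proxyacl entries at the top of this ACL, with
! the source "any" replaced by the authenticated host's address.
access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 110 deny ip any any
!
! Server side, per user (tac_plus-style syntax, assumed):
!   service = auth-proxy {
!     priv-lvl = 15
!     proxyacl#1 = "permit tcp any any eq www"
!     proxyacl#2 = "permit tcp any any eq smtp"
!   }
```

Because every opened entry is tied to one source address and expires with the cache, a stolen login page session does not outlive the idle timer, which is the property to verify with `show ip auth-proxy cache` during testing.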
Intrusion Detection
• In-line intrusion detection sensor (51 signatures)
• If packets match a signature, IDS can:
  Send alarm
  Drop packets
  Reset the TCP connection
• Combined with Cisco IOS firewall for Cisco 1720, 2600, 3600 and 7200 router platforms
Intrusion Detection
• Ideal for deployment anywhere you want to create additional visibility into network misuse:
  Extranet connections
  Branch offices
• Value-add for current NetRanger™ customers that require additional “lightweight” packet auditing devices on additional connections
Cisco PIX Firewall
• Dedicated firewall
  Integrated hardware/software appliance
  Hardened OS
• Strong security
  Adaptive Security Algorithm (ASA)
  Cut-through proxy
  IPSec VPN option (8/99)
• Highest performance
  Up to more than 256,000 simultaneous sessions
  Over 170 Mbps throughput
  Over 6,500 connections per second
Cisco PIX Firewall 520
• Enterprise chassis design
  Up to 128MB RAM for over 256,000 simultaneous sessions
  Most flexible configuration options
  Designed for enterprise environments
Cisco PIX Firewall 515 (May ’99)
• Low-profile chassis design
  Up to 64MB RAM for over 128,000 simultaneous sessions
  Two configuration options
  Designed for a variety of environments
Cisco PIX Firewall 515
• Low, fixed cost: no session-based license
• Low-profile chassis
  Single rack unit height
  Up to six integrated 10/100 Ethernet ports
  Designed for small office or simple application environments
• Network configurable: no need for floppy drive
• Software version 4.4
PIX 515-R
• 32 MB RAM
• No failover
• Two 10/100 ports
PIX 515-UR
• 64 MB RAM
• Two to six 10/100 ports
Remote Access VPN: IPSec VPN Client
[Figure: 1000s of remote workers reach the main office over the Internet / IP VPN through a Cisco 7100]
• Cost-effectively connect remote workers, customers, and partners
• Create a remote access VPN using an IPSec VPN client
  Available soon from Cisco
  IPSec in Cisco IOS software fully compatible with Windows 2000 and IPSec built into common versions of UNIX
IPSec VPN Client Highlights
Platforms
• Windows 95
• Windows 98
• Windows NT 4.0
Interoperability
• IPSec and IKE with DES and 3DES
• Interoperable with IPSec in Cisco IOS software
• AAA support through Cisco IOS Firewall feature set authentication proxy
• Digital certificate support from VeriSign, Netscape and Entrust with Certificate Enrollment Protocol (CEP)
Features
• Simple-to-use policy editor
• Transparent to end user
• Dynamic addressing
Policy/Management
• Centrally configurable policy
• Can prevent end users from changing policy
• Optionally prevent direct Internet access when IPSec tunnel is active
Using the VPN Client
[Figure, built up over three slides: a remote workstation connects through the Internet to a Cisco 7100, behind which a workstation runs DHCP, Cisco Secure and a CA server. Steps recovered from the diagram labels:]
1. User launches Web browser
2. IKE authentication with certificates
3. IP address provided by 7100
4. HTTP information protected by IPSec
5. User enters authentication
6. AAA authorization
7. Open ACL for connection
IPSec tunnel created and user authorized to access enterprise network
Summary
When to Buy What Firewall?
PIX Firewall
• Dedicated device
• Multilevel security policy enforcement
• Highly scalable
• High-volume Internet sites (256K connections)
• Specific application requirements
  URL filtering
  Unique NAT applications
Cisco IOS Firewall
• Integrated solution
• Cost effective
• Home office to enterprise
• Intranet protection
• Familiar Cisco IOS configuration
Things to Remember
• Firewalls are one element in securing your network
• Defense in depth: not one device alone
• Actively audit to monitor for misuse or intrusion
• Cisco offers end-to-end network security solutions
Thank You
Kurt Kruger, Security Product Marketing
Please Complete Your Evaluation Form Session 1303