The presentation was published 10 years ago by user Константин Стрепетилов
1 © 2003, Cisco Systems, Inc. All rights reserved. CSPFA Chapter 3 Cisco PIX Firewall Technology and Features
2 Objectives
3 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
- Describe firewall technologies.
- Define the three types of firewalls used to secure today's computer networks.
- Describe PIX Firewall technology and features.
4 Firewalls
5 What Is a Firewall?
A firewall is a system or group of systems that manages access between two networks.
6 Firewall Technologies
Firewall operations are based on one of three technologies:
- Packet filtering
- Proxy server
- Stateful packet filtering
7 ACL Packet Filtering
Limits the information allowed into a network based on the destination and source address.
8 Proxy Server
Requests connections between a client on the inside of the firewall and the Internet.
9 Stateful Packet Filtering
Limits the information allowed into a network based not only on the destination and source address, but also on the packet data content.
10 PIX Firewall Overview
11 PIX Firewall: What Is It?
The PIX Firewall is a stateful firewall with high security and fast performance. The following are its characteristics:
- Secure, real-time, embedded operating system: no UNIX or NT security holes.
- ASA provides stateful security.
- Cut-through proxy eliminates application-layer bottlenecks.
12 Finesse Operating System
Eliminates the risks associated with general-purpose operating systems.
13 Adaptive Security Algorithm (ASA)
- ASA provides stateful connection security:
  – It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags.
  – It randomizes initial TCP sequence numbers.
- By default, ASA allows connections originating from hosts on inside (higher security level) interfaces.
- By default, ASA drops connection attempts originating from hosts on outside (lower security level) interfaces.
- ASA supports authentication, authorization, and accounting.
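The default ASA behaviour listed on the slide above can be modelled in a few lines. This is an added example, not Cisco's code and not part of the original presentation; the names `Packet`, `StatefulFilter`, `LEVELS` and `wire_isn`, the security-level numbers and all addresses are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

LEVELS = {"inside": 100, "outside": 0}  # constructed levels: higher = more trusted

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    ack: int = 0

class StatefulFilter:
    def __init__(self):
        self.conns = {}  # initiator's (src, sport, dst, dport) -> state

    def handle(self, p, out_iface):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns:            # initiator -> responder
            return "allow"
        if rev in self.conns:            # responder -> initiator
            c = self.conns[rev]
            # Pending handshake: only a SYN-ACK acknowledging the randomized ISN passes.
            if c["state"] == "SYN_SENT":
                if not (p.flags == "SA" and p.ack == (c["wire_isn"] + 1) % 2**32):
                    return "drop"
                c["state"] = "ESTABLISHED"
            return "allow"
        if p.flags == "S" and LEVELS[p.iface] > LEVELS[out_iface]:
            # The random value stands in for the host's own ISN on the wire.
            self.conns[fwd] = {"state": "SYN_SENT", "wire_isn": secrets.randbits(32)}
            return "allow"
        return "drop"  # no state, and not a SYN from a higher to a lower level

def demo():
    fw, web = StatefulFilter(), ("192.0.2.10", 80, "10.0.0.5", 40000)
    out = [fw.handle(Packet("inside", "10.0.0.5", 40000, "192.0.2.10", 80, "S"), "outside")]
    isn = fw.conns[("10.0.0.5", 40000, "192.0.2.10", 80)]["wire_isn"]
    replies = [Packet("outside", *web, "SA", ack=(isn + 2) % 2**32),   # wrong ack
               Packet("outside", *web, "SA", ack=(isn + 1) % 2**32),   # valid reply
               Packet("outside", *web, "A"),                           # established data
               Packet("outside", "198.51.100.7", 5555, "10.0.0.5", 22, "S"),  # unsolicited
               Packet("outside", "198.51.100.7", 5555, "10.0.0.5", 22, "A")]  # stray ACK
    return out + [fw.handle(p, "inside") for p in replies]

if __name__ == "__main__": print(demo())
```

The stray ACK in the last case is the one a stateless ACL keyed only on addresses, ports and the ACK flag could pass; here it is dropped because no connection entry exists for it.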
14 Cut-Through Proxy Operation
1. The user makes a request to an IS resource.
2. The PIX Firewall intercepts the connection.
3. At the application layer, the PIX Firewall prompts the user for a username and password. It then authenticates the user against a RADIUS or TACACS+ server and checks the security policy.
4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.
5. The PIX Firewall directly connects the internal or external user to the IS resource via ASA. Communication then takes place at a lower level of the OSI model.
[Figure: internal/external user, Cisco Secure PIX Firewall and IS resource, with the "Username and Password Required" prompt (User Name, Password, OK, Cancel)]
15 Failover
[Figure: lab topology with a primary and a secondary PIX Firewall joined by a failover cable, a student PC, web and FTP servers, and Cisco Secure ACS]
16 Summary
17 Summary
- There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering.
- The PIX Firewall features include the following: Finesse operating system, ASA, cut-through proxy, stateful failover, and stateful packet filtering.