Controlling Network Access


Contents

  1. How the Firewall Works
  2. Adaptive Security Algorithm
  3. Multiple Interfaces and Security Levels
  4. Translation Slots (xlates)
  5. Translation of Internal Addresses
  6. Cut-Through Proxy
  7. AAA Integration
  8. Access Lists
  9. Conduits


How the Firewall Works

The firewall protects an inside network from unauthorized access by users on an outside network, such as the public Internet. Most firewall models can optionally protect one or more perimeter networks, also known as demilitarized zones (DMZs). Access to the perimeter network is typically less restricted than access to the outside network, but more restricted than access to the inside network. Connections between the inside, outside, and perimeter networks are controlled by the firewall.

To effectively use a firewall in the organization, you need a security policy to ensure that all traffic from the protected networks passes only through the firewall to the unprotected network. You can then control who may access the networks with which services, and how to implement the security policy using the features that the firewall provides.

Within this architecture, the firewall forms the boundary between the protected networks and the unprotected networks. All traffic between the protected and unprotected networks flows through the firewall to maintain security. The unprotected network is typically accessible to the Internet. The firewall lets you locate servers such as those for Web access, SNMP, and SMTP in the protected network, and control who on the outside can access these servers.

Alternatively, for all firewall models except the PIX 506 and PIX 501, server systems can be located on a perimeter network, and access to the server systems can be controlled and monitored by the firewall. The PIX 506 and PIX 501 each have two network interfaces, so all systems need to be located either on the inside or the outside interfaces.

The firewall also lets you implement the security policies for connection to and from the inside network.

Typically, the inside network is an organization's own internal network, or intranet, and the outside network is the Internet, but the firewall can also be used within an intranet to isolate or protect one group of internal computing systems and users from another.

The perimeter network can be configured to be as secure as the inside network or with varying security levels. Security levels are assigned numeric values from 0, the least secure, to 100, the most secure. The outside interface is always 0 and the inside interface is always 100. The perimeter interfaces can be any security level from 1 to 99.

Both the inside and perimeter networks are protected with the firewall's Adaptive Security Algorithm (ASA). The inside, perimeter, and outside interfaces can listen to RIP routing updates, and all interfaces can broadcast a default route if required.


Adaptive Security Algorithm

The Adaptive Security Algorithm (ASA) is a stateful approach to security. Every inbound packet is checked against the Adaptive Security Algorithm and against connection state information in memory. This stateful approach to security is regarded in the industry as being far more secure than a stateless packet screening approach.

ASA allows one-way (inside to outside) connections without an explicit configuration for each internal system and application. ASA is always in operation, monitoring return packets to ensure they are valid. It actively randomizes TCP sequence numbers to minimize the risk of TCP sequence number attacks.

ASA applies to the dynamic translation slots and static translation slots. You create static translation slots with the static command and dynamic translation slots with the global command. Collectively, both types of translation slots are referred to as "xlates." ASA follows these rules:

  • No packets can traverse the firewall without a connection and state.

  • Outbound connections or states are allowed, except those specifically denied by access control lists. An outbound connection is one where the originator or client is on a higher security interface than the receiver or server. The highest security interface is always the inside interface and the lowest is the outside interface. Any perimeter interfaces can have security levels between the inside and outside values.

  • Inbound connections or states are denied, except those specifically allowed. An inbound connection or state is one where the originator or client is on a lower security interface/network than the receiver or server. You can apply multiple exceptions to a single xlate (translation). This lets you permit access from an arbitrary machine, network, or any host on the Internet to the host defined by the xlate.

  • All ICMP packets are denied unless specifically permitted.

  • All attempts to circumvent the previous rules are dropped and a message is sent to syslog.

The firewall handles UDP data transfers in a manner similar to TCP. Special handling allows DNS, Archie, StreamWorks, H.323 and RealAudio to work securely. The firewall creates UDP "connection" state information when a UDP packet is sent from the inside network. Response packets resulting from this traffic are accepted if they match the connection state information. The connection state information is deleted after a short period of inactivity.


Multiple Interfaces and Security Levels

The first two interfaces on a firewall are called outside and inside. The outside interface typically connects to the Internet, while the inside interface connects to a LAN.

Any additional interfaces are used to create perimeter networks, also called bastion networks or demilitarized zones (DMZs). A perimeter network is more secure than an outside interface but less secure than an inside interface. Typically, these networks are used for mail and web servers that need to be accessed by users on the public Internet.

  Interface    Security level
  Outside      0
  Inside       100
  Perimeter    1-99


Translation Slots (xlates)

When an outbound packet arrives at a higher security level interface, the firewall checks whether the packet is valid based on the ASA, and then whether previous packets have come from that host. If not, the packet belongs to a new connection, and the firewall creates a translation slot in its state table for the connection.

The information that the firewall stores in the translation slot includes the inside IP address and a globally unique IP address assigned by Network Address Translation (NAT), Port Address Translation (PAT), or Identity (which uses the inside address as the outside address). The firewall then changes the packet's source IP address to the globally unique address, modifies the checksum and other fields as required, and forwards the packet to the lower security level interface.

When an inbound packet arrives at an external interface such as the outside interface, it must first pass the firewall's Adaptive Security criteria. If the packet passes the security tests, the firewall replaces the destination IP address with the internal IP address and forwards the packet to the protected interface.

Use the xlate command (show xlate and clear xlate) to display and clear translation slots.
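The following Python model, added here as an illustration and not part of the original documentation or any Cisco code, ties together the ASA rules above (outbound allowed by default, inbound accepted only against existing state, drops logged to syslog) with the translation-slot mechanics of this section: a dynamic PAT xlate is created on the first outbound packet, a reply is untranslated back to the inside host, and an unsolicited inbound packet is dropped. The interface names, the perimeter level of 50, the PAT address and the host addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Security levels from the text: outside 0, inside 100, perimeter 1-99.
# The "dmz" level and the PAT address below are constructed for the example.
SECURITY = {"outside": 0, "inside": 100, "dmz": 50}
PAT_ADDR = "192.0.2.1"          # single global address on the outside interface
PAT_PORT_LIMIT = 64000          # page: PAT handles up to 64,000 concurrent xlates

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Firewall:
    xlates: dict = field(default_factory=dict)   # (inside ip, port) -> PAT port
    rev: dict = field(default_factory=dict)      # PAT port -> (inside ip, port)
    conns: set = field(default_factory=set)      # (PAT port, remote ip, remote port)
    syslog: list = field(default_factory=list)

    def forward(self, pkt, out_iface):
        """Apply the ASA direction rule; return the translated packet, or None if dropped."""
        if SECURITY[pkt.iface] > SECURITY[out_iface]:
            return self._outbound(pkt, out_iface)
        return self._inbound(pkt, out_iface)

    def _outbound(self, pkt, out_iface):
        # Higher -> lower security: allowed by default; create xlate and connection state.
        key = (pkt.src, pkt.sport)
        if key not in self.xlates:
            if len(self.xlates) >= PAT_PORT_LIMIT:
                self.syslog.append("deny outbound: PAT port pool exhausted")
                return None
            port = 1024 + len(self.xlates)       # next unused PAT port
            self.xlates[key], self.rev[port] = port, key
        port = self.xlates[key]
        self.conns.add((port, pkt.dst, pkt.dport))
        return Packet(out_iface, PAT_ADDR, port, pkt.dst, pkt.dport)

    def _inbound(self, pkt, out_iface):
        # Lower -> higher security: accept only replies that match existing state.
        if pkt.dst == PAT_ADDR and (pkt.dport, pkt.src, pkt.sport) in self.conns:
            ip, port = self.rev[pkt.dport]
            return Packet(out_iface, pkt.src, pkt.sport, ip, port)
        self.syslog.append(f"deny inbound {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return None
```

Static translations and explicit inbound permits (the "exceptions to a single xlate" the ASA rules mention) are not modelled; every inbound packet that is not a reply is dropped.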


Translation of Internal Addresses

The Network Address Translation (NAT) feature works by substituting, or translating, host addresses on an internal interface with a "global address" associated with an outside interface. This protects internal host addresses from being exposed on other network interfaces. To decide whether to use NAT, determine whether you want to expose internal addresses on the other network interfaces connected to the firewall. If you choose to protect internal host addresses using NAT, you identify the pool of addresses you want to use for translation.

If the addresses that you want to protect access only other networks within the organization, you can use any set of "private" addresses for the pool of translation addresses. For example, if you want to protect the host addresses on the Finance Department's network (connected to the inside interface on the firewall) from exposure when connecting to the Sales Department network (connected to the perimeter interface on the firewall), you can set up translation using any available set of addresses on the Sales network. The effect is that hosts on the Finance network appear as local addresses on the Sales network.

If the addresses that you want to protect require Internet access, you use only NIC-registered addresses (official Internet addresses registered with the Network Information Center for the organization) for the pool of translation addresses. For example, if you want to protect host addresses on the Sales network (connected to a perimeter interface of the firewall) from exposure when making connections to the Internet (accessible through the outside interface of the firewall), you can set up translation using a pool of registered addresses on the outside interface. The effect is that hosts on the Internet see only the Internet addresses for the Sales network, not the addresses on the perimeter interface.

If you are installing the firewall in an established network that has host- or network-registered addresses, you might not want to do translation for those hosts or networks because that would require using another registered address for the translation.

When considering NAT, it is also important to consider whether you have an equal number of translation addresses and internal hosts. If not, some internal hosts might not get network access when making a connection. In this case you can either apply for additional NIC-registered addresses or use Port Address Translation (PAT). PAT uses a single external address to manage up to 64,000 concurrent connections.

For inside systems, NAT translates the source IP address of outgoing packets (defined in RFC 1631). It supports both dynamic and static translation. NAT allows inside systems to be assigned private addresses (defined in RFC 1918), or to retain existing invalid addresses. NAT also provides additional security by hiding the real network identity of internal systems from the outside network.

PAT uses port remapping, which allows a single valid IP address to support source IP address translation for up to 64,000 active xlate objects. PAT minimizes the number of globally valid IP addresses required to support private or invalid internal addressing schemes. PAT does not work with multimedia applications that have an inbound data stream different from the outgoing control path. PAT provides additional security by hiding the real network identity of internal systems from the outside network.

Another class of address translation on the firewall is static translation. Static translation allows you to substitute a fixed external IP address for an internal address. This is useful for servers that require fixed IP addresses for access from the public Internet.

The firewall Identity feature allows address translation to be disabled. If existing internal systems have valid globally unique addresses, the Identity feature allows NAT and PAT to be selectively disabled for these systems. This feature makes internal network addresses visible to the outside network.


Cut-Through Proxy

Cut-through proxy is a feature unique to the firewall that allows user-based authentication of inbound or outbound connections. Unlike a proxy server that analyzes every packet at layer seven of the OSI model, a time- and processing-intensive function, the firewall first queries an authentication server, and when the connection is approved, establishes a data flow. All traffic thereafter flows directly and quickly between the two parties.

This feature allows security policies to be enforced on a per-user ID basis. Connections have to be authenticated with a user ID and password before they can be established. Both authentication and authorization are supported. The user ID and password are entered via an initial HTTP, Telnet, or FTP connection.

Cut-through proxy allows a much finer level of administrative control over connections compared to checking source IP addresses. When providing inbound authentication, appropriate controls need to be applied to the user ID and passwords used by external users (one-time passwords are recommended in this instance).


AAA Integration

The firewall provides integration with AAA (Authentication, Authorization, and Accounting) services. AAA services are provided by TACACS+ or RADIUS servers.

The firewall lets you define separate groups of TACACS+ or RADIUS servers for different types of traffic, such as a TACACS+ server for inbound traffic and another for outbound traffic.

AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If accounting is in effect, the accounting information goes to the active server.

The firewall allows a RADIUS server to send user group attributes to the firewall in the RADIUS authentication response message. The firewall then matches an access list to the attribute and determines RADIUS authorization from the access list. After the firewall authenticates a user, it uses the CiscoSecure ACL attribute returned by the authentication server to identify an access list for a given user group.


Access Lists

The firewall uses access lists to control connections between inside and outside networks. Access lists are implemented with the access-list and access-group commands.

These commands are replacing the conduit and outbound commands, which are maintained in current versions only for backward compatibility.

You can use access lists to control connections based on source address, destination address, or protocol. Configure access lists carefully to allow only the minimum access required. When possible, make access lists more restrictive by specifying a remote source address, local destination address, and protocol. The access-list and access-group command statements take precedence over the conduit and outbound command statements in the configuration.
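To make the "specify source, destination, and protocol" advice concrete, here is a small Python evaluator, added as an example and not part of the original documentation or any Cisco code, that parses PIX-style access-list lines and applies first-match semantics with the implicit deny at the end. The line syntax assumed is the PIX 6.x form `access-list ID {permit|deny} PROTO SRC DST [eq PORT]`, with `any`, `host A`, and `A MASK` address specs; the two sample access lists and all addresses are constructed.

```python
import ipaddress

PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "telnet": 23}   # PIX port keywords

# Constructed sample configurations: a loose list and the restrictive form the text recommends.
LOOSE_ACL = "access-list acl_out permit ip any any"
TIGHT_ACL = """
access-list acl_out permit tcp any host 192.0.2.5 eq www
access-list acl_out permit tcp 203.0.113.0 255.255.255.0 host 192.0.2.6 eq smtp
access-group acl_out in interface outside
"""

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK') and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_access_list(config):
    """Return {list_id: [(action, proto, src_net, dst_net, dport_or_None), ...]} in order."""
    rules = {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue                      # access-group and other lines are not entries
        name, action, proto = t[1], t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.setdefault(name, []).append((action, proto, src, dst, port))
    return rules

def evaluate(entries, proto, src, dst, dport):
    """First matching entry decides; no match means the implicit deny at the end."""
    for action, p, s, d, port in entries:
        if p not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in s or ipaddress.ip_address(dst) not in d:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False
```

With the loose list any TCP port on any inside host is reachable from the outside; with the tight list only the web and mail services, and the mail service only from the one permitted source network.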


Conduits

Prior to version 5.3, the firewall used the conduit and outbound commands to control connections between external and internal networks. With firewall version 6.0 and later, these commands continue to be supported for backward compatibility, but the access-list and access-group commands are now the preferred method of implementing this functionality.

Each conduit is a potential hole through the firewall, so their use should be limited to what the security policy and business needs require. When possible, make conduits more restrictive by specifying a remote source address, local destination address, and protocol.