ISCW10S06L01IOS防火墙基础.ppt (ISCW Lesson 10-S06-L01: IOS Firewall Basics)

About 6,080 characters, about 31 slides. Published 2017-08-10 (Anhui).
Cisco IOS Threat Defense Features: Introducing the Cisco IOS Firewall

DMZ
A DMZ is established between security zones. DMZs are buffer networks which are neither inside nor outside.

Layered Defense Features
Access control is enforced on traffic entering and exiting the buffer network to and from every security zone by:
• Classic routers
• Dedicated firewalls
DMZs are used to host services:
• Exposed public services are served on dedicated hosts inside the buffer network.
• The DMZ may host an application gateway for outbound connectivity.
• A DMZ contains an attacker in the case of a break-in: a compromised DMZ host still has no direct path into the inside network.
The DMZ is the most useful and common modern architecture.

Multiple DMZs
Multiple DMZs provide better separation and access control:
• Each service can be hosted in its own DMZ.
• Damage is limited and attackers are contained if a service is compromised.

Modern DMZ Design
Various systems (stateful packet filter, proxy server) can filter traffic. Proper configuration of the filtering device is critical.

Firewall Technologies
Firewalls use three technologies:
• Packet filtering
• Application layer gateway
• Stateful packet filtering

Packet Filtering
Packet filtering limits traffic into a network based on the source and destination addresses, ports, and other flags, compiled into an ACL.

Packet Filtering Example
(figure)

Application Layer Gateway
The ALG intercepts the client's connection and establishes its own connection to the Internet host on behalf of the client.

ALG Firewall Device
(figure)

Stateful Packet Filtering
Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes. Stateful inspection additionally remembers details of each request (its state) and uses that state to permit only the matching return traffic.

Stateful Firewalls
Also called "stateful packet filters" and "application-aware packet filters." Stateful firewalls have two main improvements over packet filters:
• They maintain a session table (state table), where they track all connections.
• They recognize dynamic applications and know which additional connections will be initiated b
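The difference between a stateless ACL and a stateful, application-aware filter is easiest to see on a packet trace. The following is an added example written for this page, not code from the original slides or from Cisco: a toy stateless ACL that mimics the classic "permit tcp any inside established" rule, beside a toy stateful filter with a session table and FTP PORT inspection. The inside network, addresses, ports and the packet trace are constructed for illustration; only the FTP PORT argument format (h1,h2,h3,h4,p1,p2) comes from RFC 959.

```python
"""Stateless ACL versus stateful, application-aware packet filter (toy model).

Added example for this page, not from the original Cisco slides. Addresses,
ports and the packet trace below are constructed; the FTP PORT argument
format (h1,h2,h3,h4,p1,p2, port = p1*256 + p2) follows RFC 959.
"""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}
    payload: str = ""                # application data (used for FTP PORT)

INSIDE_PREFIX = "10.0.0."            # constructed "inside" network, 10.0.0.0/24

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

def stateless_inbound(pkt: Packet) -> str:
    """Classic ACL applied inbound on the outside interface.

    Same idea as:  permit tcp any 10.0.0.0 0.0.0.255 established
                   deny   ip  any any
    'established' matches any TCP segment with ACK or RST set, so the ACL
    cannot tell a genuine reply from a forged ACK probe.
    """
    if is_inside(pkt.dst) and (pkt.flags & {"ACK", "RST"}):
        return "permit"
    return "deny"

def endpoints(pkt: Packet) -> frozenset:
    """Direction-agnostic session key: the two (ip, port) endpoints."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

FTP_PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

@dataclass
class StatefulFilter:
    sessions: set = field(default_factory=set)   # keys from endpoints()
    expected: set = field(default_factory=set)   # (inside_ip, inside_port, peer_ip)

    def outbound(self, pkt: Packet) -> str:
        """Inside -> outside: permit, record new sessions, inspect FTP."""
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.sessions.add(endpoints(pkt))
        # Application awareness: active-mode FTP announces the data port the
        # client will listen on; pre-authorise exactly that one connection.
        m = FTP_PORT_RE.search(pkt.payload)
        if m and pkt.dport == 21:
            a, b, c, d, p1, p2 = (int(x) for x in m.groups())
            self.expected.add((f"{a}.{b}.{c}.{d}", p1 * 256 + p2, pkt.dst))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        """Outside -> inside: only traffic matching a known session or pinhole."""
        key = endpoints(pkt)
        if key in self.sessions:
            if pkt.flags & {"FIN", "RST"}:
                self.sessions.discard(key)   # tear down on close or reset
            return "permit"
        exp = (pkt.dst, pkt.dport, pkt.src)
        if exp in self.expected and pkt.flags == frozenset({"SYN"}):
            self.expected.discard(exp)       # one-shot pinhole becomes a session
            self.sessions.add(key)
            return "permit"
        return "deny"

def run_trace() -> dict:
    """Replay a constructed trace through both filters.

    Returns {label: (stateless_verdict, stateful_verdict)}. Outbound packets
    are permitted by both designs; the classic ACL only sits inbound.
    """
    client, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    sf = StatefulFilter()
    trace = [
        ("ftp-ctl-syn",    "out", Packet(client, 40001, server, 21, frozenset({"SYN"}))),
        ("ftp-ctl-synack", "in",  Packet(server, 21, client, 40001, frozenset({"SYN", "ACK"}))),
        ("ftp-port-cmd",   "out", Packet(client, 40001, server, 21, frozenset({"ACK", "PSH"}),
                                         "PORT 10,0,0,5,156,64\r\n")),      # 156*256+64 = 40000
        ("ftp-data-syn",   "in",  Packet(server, 20, client, 40000, frozenset({"SYN"}))),
        ("data-hijack",    "in",  Packet(attacker, 20, client, 40000, frozenset({"SYN"}))),
        ("ack-probe",      "in",  Packet(attacker, 443, "10.0.0.9", 22, frozenset({"ACK"}))),
        ("cold-syn",       "in",  Packet(attacker, 5555, "10.0.0.9", 22, frozenset({"SYN"}))),
    ]
    results = {}
    for label, direction, pkt in trace:
        if direction == "out":
            results[label] = ("permit", sf.outbound(pkt))
        else:
            results[label] = (stateless_inbound(pkt), sf.inbound(pkt))
    return results

if __name__ == "__main__":
    for label, (acl, stateful) in run_trace().items():
        print(f"{label:15} stateless={acl:7} stateful={stateful}")
```

Two rows of the trace carry the lesson. The forged "ack-probe" passes the stateless ACL because the established keyword only looks at flag bits, while the stateful filter denies it for lack of a session. The active-FTP data connection goes the other way: the ACL denies it (an inbound SYN), whereas the application-aware filter permits it because it read the PORT command on the control channel and opened a pinhole for that one peer, port and direction; a different peer trying the same port ("data-hijack") is still denied.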
