Defensive Tools and Design– Cisco Security Tools
The network often provides the first, and sometimes the only, layer of defense for network-connected devices. This section explains stateful packet filtering, contextual packet filtering, the firewall, source address validation, and defensive layering.
Stateful and Contextual Packet Filtering
Network security’s “pointy end” is stateful and contextual packet filtering—the primary defensive network tool.
Stateful packet filtering forwards or drops packets based on the state of a connection. Figure 20-4 illustrates stateful packet filtering.
Figure 20-4 Stateful Packet Filtering
Firewall B allows only TCP packets for sessions with existing state from the outside to the inside network.
1. Host A sends a TCP SYN to open a session with server C. Firewall B records this SYN (source and destination addresses and ports) and opens a temporary "hole" in its local filters to allow the anticipated SYN-ACK from server C.
2. Server C receives A's TCP SYN and responds with a SYN-ACK. Firewall B allows this packet through because of the previously opened hole in its filters.
3. Host A sends an ACK to server C. This ACK completes the TCP three-way handshake. Firewall B now configures its filters to allow TCP packets with the matching addresses and port numbers from server C to host A.
4. Host A and server C can now transmit and receive data through the firewall. If host D attempts to start a TCP session with A, it begins by sending a TCP SYN (step 5 in the figure). Because firewall B has no existing TCP connection state matching this packet, it drops the packets from host D, blocking D's ability to connect to A.
A stateful packet filter is a sort of “one-way mirror,” allowing traffic flows originating from the inside network and blocking traffic flows originating from the outside network.
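The following is an added example, not code from the book, that replays the five steps of Figure 20-4 through a minimal connection-tracking filter. Host names, port numbers, and the "inside" network membership are constructed for illustration; real firewalls also key on the IP protocol and enforce sequence-number windows and idle timeouts, which are left out here.

```python
"""Added example: a minimal stateful packet filter walking through the
Figure 20-4 exchange.  Hosts, ports and packets are constructed for
illustration and are not taken from the book."""
from dataclasses import dataclass

INSIDE_HOSTS = {"A"}          # hosts on the protected (inside) network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags, e.g. frozenset({"SYN", "ACK"})


def tcp_flags(*names):
    return frozenset(names)


class StatefulFilter:
    """Tracks TCP connections by (inside host, inside port, outside host,
    outside port) and admits outside packets only when they match state
    created by an inside-originated connection."""

    def __init__(self):
        self.table = {}       # connection key -> state string

    @staticmethod
    def key(pkt):
        # Normalise so both directions of a connection map to one entry.
        if pkt.src in INSIDE_HOSTS:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        key = self.key(pkt)
        state = self.table.get(key)
        if pkt.src in INSIDE_HOSTS:                       # outbound
            if pkt.flags == {"SYN"} and state is None:
                self.table[key] = "SYN_SENT"              # step 1: open the hole
                return "forward"
            if state == "SYNACK_SEEN" and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"           # step 3: handshake done
                return "forward"
            if state == "ESTABLISHED":
                return "forward"
            return "drop"
        # inbound: nothing is admitted without matching state
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "SYNACK_SEEN"               # step 2: expected reply
            return "forward"
        if state == "ESTABLISHED":
            return "forward"
        return "drop"                                     # step 5: D's SYN


def run_figure_20_4():
    """Replay steps 1 to 5 of Figure 20-4 and return the firewall's decisions."""
    fw = StatefulFilter()
    steps = [
        Packet("A", 40000, "C", 80, tcp_flags("SYN")),          # 1: A opens to C
        Packet("C", 80, "A", 40000, tcp_flags("SYN", "ACK")),   # 2: C replies
        Packet("A", 40000, "C", 80, tcp_flags("ACK")),          # 3: handshake done
        Packet("C", 80, "A", 40000, tcp_flags("ACK", "PSH")),   # 4: data from C
        Packet("D", 51000, "A", 22, tcp_flags("SYN")),          # 5: outside-initiated
    ]
    return [fw.process(p) for p in steps]


if __name__ == "__main__":
    for decision in run_figure_20_4():
        print(decision)
```

The decisions come out as forward for steps 1 through 4 and drop for D's SYN in step 5. Note that a SYN-ACK arriving from outside with no prior SYN from inside is also dropped, which is what makes the filter a "one-way mirror" rather than a simple port filter.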
Contextual packet filtering forwards or drops packets based on their content. Figure 20-5 illustrates contextual packet filtering.
Figure 20-5 Contextual Packet Filtering
In Figure 20-5, hosts A and D communicate with the web server on server B. A web application firewall (WAF C in the figure) runs on the server. Every packet transmitted to the web server must pass through the WAF after being received by server B and before being forwarded (internally) to the web server.
Application firewalls (AFs) filter packets based on a deep knowledge of an application’s state. Each kind of application, including web servers, Domain Name System (DNS) servers, database servers, etc., can have a custom application firewall.
In Figure 20-5, host A sends a Hypertext Transfer Protocol (HTTP) request to server B at (1). The WAF checks the request for errors and hostile content, including whether:
• The requested resource exists on the web server.
• The request does not contain an injection attack (for example, SQL or script fragments in a query string or form field).
• The host is either sending a session initiation packet, or the packet is within an existing flow.
• The TCP sequence numbers are correct.
WAF C will not forward the request to the web server if any of these checks fail. For instance, if host D sends a malformed HTTP request at (2) that could crash the web server, WAF C drops it.
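As an added example (not the book's code or any product's implementation), the block below performs the first two checks listed above on raw HTTP requests: it parses the request line, confirms the resource is one the server actually serves, and looks for injection payloads after URL decoding. The resource allowlist, injection signatures and sample requests are all constructed for illustration; the TCP-level checks (flow membership, sequence numbers) belong to the stateful layer and are not repeated here.

```python
"""Added example: the request checks a WAF such as C in Figure 20-5 performs
on an HTTP request before the web server sees it.  Resource list, patterns
and sample requests are constructed for illustration."""
import re
from urllib.parse import urlsplit, unquote_plus

# Resources the web server actually serves (constructed allowlist).
KNOWN_RESOURCES = {"/", "/index.html", "/login", "/search"}

# Constructed signatures for common injection payloads, applied after URL
# decoding so percent-encoded variants are inspected in the clear.
INJECTION_PATTERNS = {
    "sql-tautology":  re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+""", re.I),
    "script-tag":     re.compile(r"<\s*script\b", re.I),
    "shell-command":  re.compile(r";\s*(cat|ls|wget|curl)\b", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")


def inspect_request(raw: bytes):
    """Return ('forward', reason) or ('drop', reason) for one HTTP request."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("drop", "non-ASCII bytes in request")
    head, _, body = text.partition("\r\n\r\n")
    request_line = head.split("\r\n")[0]
    m = REQUEST_LINE.match(request_line)
    if not m:
        return ("drop", "malformed request line")   # D's crash attempt at (2)
    target = urlsplit(m.group(2))
    if target.path not in KNOWN_RESOURCES:
        return ("drop", f"unknown resource {target.path}")
    # Inspect both the query string and the body, decoded once.
    for field in (unquote_plus(target.query), unquote_plus(body)):
        for name, pattern in INJECTION_PATTERNS.items():
            if pattern.search(field):
                return ("drop", f"injection pattern {name}")
    return ("forward", "ok")


# Constructed sample requests: what hosts A and D might send to server B.
SAMPLES = {
    "A-normal":    b"GET /search?q=firewalls HTTP/1.1\r\nHost: b.example\r\n\r\n",
    "A-sqli":      b"GET /search?q=x%27%20or%201%3D1 HTTP/1.1\r\nHost: b.example\r\n\r\n",
    "D-unknown":   b"GET /admin HTTP/1.1\r\nHost: b.example\r\n\r\n",
    "D-malformed": b"GET /index.html HTTP/9.9\r\nHost: b.example\r\n\r\n",
    "D-post-sqli": (b"POST /login HTTP/1.1\r\nHost: b.example\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"user=admin%27+or+1%3D1--&pw=x"),
}


def run_samples():
    """Run every constructed sample through the WAF and collect verdicts."""
    return {name: inspect_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12} {verdict}")
```

Only the well-formed request for a known resource is forwarded; the percent-encoded SQL tautology in the query string and the form-encoded one in the POST body are both caught because decoding happens before the signatures run. Signature lists like this are necessarily incomplete, which is why the resource allowlist and the request-line syntax check matter as much as the patterns.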
A second kind of contextual packet filter is an intrusion detection system (IDS). Figure 20-6 illustrates an IDS.
Figure 20-6 Intrusion Detection System
In Figure 20-6, IDS B has two databases:
• Malware database containing bit-level patterns of known malware apps
• Attack pattern database containing packet-level patterns of known and learned attacks
The IDS examines traffic forwarded from hosts A and D toward server C for any packets containing bits matching known malware, or for a pattern of packets indicating C is being attacked (such as some form of resource exhaustion attack). If B detects either condition, it drops the relevant packets.
Intrusion detection systems (IDSs) filter packets based on knowledge of common attacks. Strictly speaking, a passive IDS only raises an alert; a system deployed inline that also drops matching packets, as B does here, is usually called an intrusion prevention system (IPS).
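The block below is an added example, not the book's code, of an inline IDS with the two databases of Figure 20-6: a byte-level malware signature table and a packet-level attack pattern, here a SYN-flood style resource-exhaustion check that counts unanswered SYNs per source inside a time window. The signatures, thresholds and packet trace are constructed for illustration.

```python
"""Added example: an inline IDS (strictly an IPS, since it drops) with the
two databases of Figure 20-6.  Signatures, thresholds and packets are
constructed for illustration and are not from the book."""
from collections import defaultdict

# Constructed malware database: byte patterns that identify known samples.
MALWARE_SIGNATURES = {
    "demo-dropper":  bytes.fromhex("4d5a9000deadbeef"),   # fake "MZ" header + marker
    "demo-webshell": b"<?php eval($_POST[",
}


class IDS:
    """Packets are dicts: {"ts", "src", "dst", "flags", "payload"}."""

    def __init__(self, syn_threshold=5, window=1.0):
        self.syn_threshold = syn_threshold    # max unanswered SYNs per source
        self.window = window                  # seconds
        self.half_open = defaultdict(list)    # src -> timestamps of open SYNs
        self.alerts = []                      # (ts, src, reason)

    def inspect(self, pkt):
        # 1. Malware database: bit-level match anywhere in the payload.
        for name, sig in MALWARE_SIGNATURES.items():
            if sig in pkt["payload"]:
                self.alerts.append((pkt["ts"], pkt["src"], f"malware:{name}"))
                return "drop"
        # 2. Attack-pattern database: too many half-open connections from one
        #    source inside the window looks like resource exhaustion of C.
        pending = self.half_open[pkt["src"]]
        if pkt["flags"] == {"SYN"}:
            pending.append(pkt["ts"])
            pending[:] = [t for t in pending if pkt["ts"] - t <= self.window]
            if len(pending) > self.syn_threshold:
                self.alerts.append((pkt["ts"], pkt["src"], "synflood"))
                return "drop"
        elif "ACK" in pkt["flags"] and pending:
            pending.pop(0)                    # handshake completed, not half-open
        return "forward"


def run_figure_20_6():
    """Replay a constructed trace from hosts A and D toward server C."""
    ids = IDS(syn_threshold=5, window=1.0)
    packets = []
    # Host A: a normal handshake to C, then a payload carrying a known signature.
    packets.append({"ts": 0.0, "src": "A", "dst": "C", "flags": {"SYN"}, "payload": b""})
    packets.append({"ts": 0.1, "src": "A", "dst": "C", "flags": {"ACK"}, "payload": b""})
    packets.append({"ts": 0.2, "src": "A", "dst": "C", "flags": {"ACK", "PSH"},
                    "payload": b"upload: " + bytes.fromhex("4d5a9000deadbeef") + b"..."})
    # Host D: eight SYNs in 0.7 s with no ACKs, i.e. a SYN flood against C.
    for i in range(8):
        packets.append({"ts": 1.0 + 0.1 * i, "src": "D", "dst": "C",
                        "flags": {"SYN"}, "payload": b""})
    decisions = [ids.inspect(p) for p in packets]
    return decisions, ids.alerts


if __name__ == "__main__":
    decisions, alerts = run_figure_20_6()
    print(decisions)
    for alert in alerts:
        print(alert)
```

A's handshake is forwarded and its later upload is dropped on the byte signature; D's first five SYNs pass, and the sixth onward are dropped once the half-open count exceeds the threshold. The window-based count is what distinguishes a burst of legitimate connections from a flood, so the threshold and window have to be tuned to the server's real connection rate.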
While stateful packet filtering, contextual packet filtering, and intrusion detection can be standalone services, they are often combined with other services in a firewall.
A firewall is a collection of network security services in a single appliance or virtual service. Firewalls often include stateful packet filtering and intrusion detection services. Firewalls may also include Network Address Translation (NAT), contextual packet filtering, address- and port-based packet filtering, and other security-related functions.