Introducing the Cisco IOS Firewall (Reference).ppt


Cisco IOS Threat Defense Features: Introducing the Cisco IOS Firewall

DMZ
A DMZ is established between security zones; DMZs are buffer networks which are neither inside nor outside.

Layered Defense Features
Access control is enforced on traffic entering and exiting the buffer network to all security zones by:
- Classic routers (the first-line, or border, routers)
- Dedicated firewalls
DMZs are used to host services:
- Exposed public services are served on dedicated hosts inside the buffer network.
- The DMZ may host an application gateway for outbound connectivity.

Layered Defense Features (Cont.)
A DMZ contains an attacker in the case of a break-in.
A DMZ is the most useful and common modern architecture.

Multiple DMZs
Multiple DMZs provide better separation and access control:
- Each service can be hosted in its own DMZ.
- Damage is limited and attackers are contained if a service is compromised, since the break-in stays confined to that service's DMZ and does not affect the others.

Modern DMZ Design
Various systems (stateful packet filter, proxy server) can filter traffic. Proper configuration of the filtering device is critical.

Firewall Technologies
Firewalls use three technologies:
- Packet filtering
- Application layer gateway
- Stateful packet filtering

Packet Filtering
Packet filtering limits traffic into a network based on the destination and source addresses, ports, and other flags compiled in an ACL.

Packet Filtering Example
(slide figure only)

Application Layer Gateway
The ALG intercepts client connections and establishes connections to the Internet hosts on behalf of the client.
(slide figure: ALG firewall device)

Stateful Packet Filtering
Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, ICMP types and codes.
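As an added example, not taken from the slides and not Cisco's code, the following Python simulation contrasts the stateless ACL evaluation described under Packet Filtering with the session table a stateful packet filter keeps. Every address, port, ACL entry and the names Packet, AclEntry, StatefulFilter and demo are constructed for illustration; the `established` flag mimics the IOS ACL keyword only in the narrow sense of matching TCP packets that carry the ACK bit (the real keyword also matches RST). The point it shows is why a stateless inbound ACL must either block return traffic of connections the inside opened or open a broad "established" hole that also admits unsolicited ACK-bearing packets, whereas a stateful filter admits only replies to sessions it saw leave.

```python
"""Stateless ACL vs. stateful packet filter (constructed example, not IOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; ignored for UDP


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip" (any protocol)
    src: str                       # source prefix in CIDR form
    dst: str                       # destination prefix in CIDR form
    dport: Optional[int] = None    # destination port, None = any
    established: bool = False      # match only TCP packets with ACK set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack):
            return False
        return True


def stateless_decision(acl, pkt: Packet) -> str:
    """First matching entry wins; an implicit deny closes the list, as in an IOS ACL."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


class StatefulFilter:
    """Stateless ACLs in both directions plus a table of sessions opened from inside."""

    def __init__(self, outbound_acl, inbound_acl):
        self.outbound_acl = outbound_acl
        self.inbound_acl = inbound_acl
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = set()

    def outbound(self, pkt: Packet) -> str:
        verdict = stateless_decision(self.outbound_acl, pkt)
        if verdict == "permit":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict

    def inbound(self, pkt: Packet) -> str:
        # Replies to a session the inside opened are admitted by state alone;
        # anything else must pass the inbound ACL on its own merits.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit"
        return stateless_decision(self.inbound_acl, pkt)


# Constructed topology: inside network, a public web server in the DMZ, and
# documentation-range addresses standing in for Internet hosts.
INSIDE = "10.0.0.0/8"
ANY = "0.0.0.0/0"
DMZ_WEB = "192.0.2.10/32"

OUTBOUND_ACL = [AclEntry("permit", "ip", INSIDE, ANY)]
INBOUND_ACL_STRICT = [AclEntry("permit", "tcp", ANY, DMZ_WEB, dport=80)]
# The classic stateless workaround: let any ACK-bearing TCP packet reach the inside.
INBOUND_ACL_ESTABLISHED = INBOUND_ACL_STRICT + [
    AclEntry("permit", "tcp", ANY, INSIDE, established=True)
]


def demo() -> dict:
    fw = StatefulFilter(OUTBOUND_ACL, INBOUND_ACL_STRICT)
    out = Packet("10.0.0.5", "198.51.100.7", "tcp", 40000, 443)             # client opens HTTPS
    reply = Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 40000, ack=True) # genuine reply
    unsolicited = Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 40001, ack=True)  # no session
    web = Packet("203.0.113.9", "192.0.2.10", "tcp", 51000, 80)             # public DMZ service
    return {
        "client_out": fw.outbound(out),
        "reply_stateless_strict": stateless_decision(INBOUND_ACL_STRICT, reply),
        "reply_stateless_established": stateless_decision(INBOUND_ACL_ESTABLISHED, reply),
        "unsolicited_stateless_established": stateless_decision(INBOUND_ACL_ESTABLISHED, unsolicited),
        "reply_stateful": fw.inbound(reply),
        "unsolicited_stateful": fw.inbound(unsolicited),
        "dmz_web_stateful": fw.inbound(web),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36s} {verdict}")
```

Reading the results: the strict stateless ACL denies the legitimate reply, the "established" variant permits it but equally permits the unsolicited ACK packet, and the stateful filter permits only the reply whose session it recorded while still serving the DMZ web server through its explicit rule.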
